
「White Hat Hacker Growth Notes」Fundamentals of Windows Privilege Escalation (Part 1)

Time: 2023-06-30 14:18:01 | Source: Website Operations

「White Hat Hacker Growth Notes」Fundamentals of Windows Privilege Escalation (Part 1): we usually assume that a properly configured Windows system is secure. Is that really the case? Today, follow the author into the dark corners of the Windows operating system and see whether SYSTEM privileges can be obtained.

The author uses several Windows versions to highlight any command-line differences that may exist. Keep in mind that differences between operating systems and versions show up on the command line; the author has tried to structure this tutorial so that it applies to the most common Windows privilege escalation scenarios.

Note: this is a long article; reading time is about 10 minutes.

Required supplementary reading:

Encyclopaedia Of Windows Privilege Escalation (Brett Moore)

Windows Attacks: AT is the new black (Chris Gates & Rob Fuller)

Elevating privileges by exploiting weak folder permissions (Parvez Anwar)

Translator's note: the original author mentions meterpreter. Meterpreter is to post-exploitation roughly what sqlmap is to SQL injection: once a meterpreter shell has been obtained, the command getsystem can be entered and privilege escalation is completed automatically.

Stages t0-t3: initial information gathering

We start with a low-privileged shell, which may have been obtained through remote code execution, phishing, or a reverse shell.

In this first phase we quickly gather some basic information to assess our environment.

Step one: identify the operating system we are connected to.

C:\Windows\system32> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601

Next, the hostname and the user we are connected as.

C:\Windows\system32> hostname
b33f

C:\Windows\system32> echo %username%
user1

Now that we have some basic information, we list the other user accounts and look at our own user in more detail. Here we can see that user1 is not a member of the local Administrators group.

C:\Windows\system32> net users

User accounts for \\B33F

-------------------------------------------------------------------------------
Administrator            b33f                     Guest
user1
The command completed successfully.

C:\Windows\system32> net user user1
User name                    user1
Full Name
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/11/2014 7:47:14 PM
Password expires             Never
Password changeable          1/11/2014 7:47:14 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/11/2014 8:05:09 PM

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.

That is all we need to know about users and privileges for now. Next we look at networking: interfaces, connected devices and the rules that apply to them.

First, let us look at the available network interfaces and the routing table.

C:\Windows\system32> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : b33f
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 0C-84-DC-62-60-29
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-56-79-35
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5cd4:9caf:61c0:ba6e%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.104(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, January 11, 2014 3:53:55 PM
   Lease Expires . . . . . . . . . . : Sunday, January 12, 2014 3:53:55 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-14-24-1D-00-0C-29-56-79-35
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Windows\system32> route print
===========================================================================
Interface List
 18...0c 84 dc 62 60 29 ......Bluetooth Device (Personal Area Network)
 13...00 ff 0c 0d 4f ed ......TAP-Windows Adapter V9
 11...00 0c 29 56 79 35 ......Intel(R) PRO/1000 MT Network Connection
  1...........................Software Loopback Interface 1
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.104     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link     192.168.0.104    266
    192.168.0.104  255.255.255.255         On-link     192.168.0.104    266
    192.168.0.255  255.255.255.255         On-link     192.168.0.104    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.0.104    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.0.104    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 14     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 14     58 2001::/32                On-link
 14    306 2001:0:5ef5:79fb:8d2:b4e:3f57:ff97/128
                                    On-link
 11    266 fe80::/64                On-link
 14    306 fe80::/64                On-link
 14    306 fe80::8d2:b4e:3f57:ff97/128
                                    On-link
 11    266 fe80::5cd4:9caf:61c0:ba6e/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

arp -A displays the ARP (Address Resolution Protocol) cache table for every available interface.

C:\Windows\system32> arp -A

Interface: 192.168.0.104 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           90-94-e4-c5-b0-46     dynamic
  192.168.0.101         ac-22-0b-af-bb-43     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

This brings us to the active network connections and the firewall rules.

C:\Windows\system32> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1400
  TCP    192.168.0.104:139      0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       684
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:5357              [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1100
  UDP    0.0.0.0:52282          *:*                                    976
  UDP    0.0.0.0:55202          *:*                                    2956
  UDP    0.0.0.0:59797          *:*                                    1400
  UDP    127.0.0.1:1900         *:*                                    2956
  UDP    127.0.0.1:65435        *:*                                    2956
  UDP    192.168.0.104:137      *:*                                    4
  UDP    192.168.0.104:138      *:*                                    4
  UDP    192.168.0.104:1900     *:*                                    2956
  UDP    192.168.0.104:5353     *:*                                    1400
  UDP    192.168.0.104:65434    *:*                                    2956
  UDP    [::]:5355              *:*                                    1100
  UDP    [::]:52281             *:*                                    976
  UDP    [::]:52283             *:*                                    976
  UDP    [::]:55203             *:*                                    2956
  UDP    [::]:59798             *:*                                    1400
  UDP    [::1]:1900             *:*                                    2956
  UDP    [::1]:5353             *:*                                    1400
  UDP    [::1]:65433            *:*                                    2956
  UDP    [fe80::5cd4:9caf:61c0:ba6e%11]:1900  *:*                      2956
  UDP    [fe80::5cd4:9caf:61c0:ba6e%11]:65432  *:*                     2956

The two netsh commands below are examples for different operating systems.

The netsh firewall command only works on XP SP2 and later.

C:\Windows\system32> netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.

C:\Windows\system32> netsh firewall show config

Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------

Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------

ICMP configuration for Domain profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          Network Discovery

Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
Enable   Inbound              COMRaider / E:\comraider\comraider.exe
Enable   Inbound              nc.exe / C:\users\b33f\desktop\nc.exe

Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------

ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big

Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable

Finally, we take a brief look at what is running on this machine: scheduled tasks, running processes, started services and installed drivers.

This produces a verbose listing of every scheduled task; below is the sample output for a single task.

C:\Windows\system32> schtasks /query /fo LIST /v

Folder: \Microsoft\Windows Defender
HostName:                             B33F
TaskName:                             \Microsoft\Windows Defender\MP Scheduled Scan
Next Run Time:                        1/22/2014 5:11:13 AM
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan
Start In:                             N/A
Comment:                              Scheduled Scan
Scheduled Task State:                 Enabled
Idle Time:                            Only Start If Idle for 1 minutes, If Not Idle Retry For 240 minutes
Power Management:                     No Start On Batteries
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Daily
Start Time:                           5:11:13 AM
Start Date:                           1/1/2000
End Date:                             1/1/2100
Days:                                 Every 1 day(s)
Months:                               N/A
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

[..Snip..]

The tasklist command shows the running processes together with the services they host.

C:\Windows\system32> tasklist /SVC

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       244 N/A
csrss.exe                      332 N/A
csrss.exe                      372 N/A
wininit.exe                    380 N/A
winlogon.exe                   428 N/A
services.exe                   476 N/A
lsass.exe                      484 SamSs
lsm.exe                        496 N/A
svchost.exe                    588 DcomLaunch, PlugPlay, Power
svchost.exe                    668 RpcEptMapper, RpcSs
svchost.exe                    760 Audiosrv, Dhcp, eventlog, HomeGroupProvider, lmhosts, wscsvc
svchost.exe                    800 AudioEndpointBuilder, CscService, Netman, SysMain, TrkWks, UxSms, WdiSystemHost, wudfsvc
svchost.exe                    836 AeLookupSvc, BITS, gpsvc, iphlpsvc, LanmanServer, MMCSS, ProfSvc, Schedule, seclogon, SENS, ShellHWDetection, Themes, Winmgmt, wuauserv
audiodg.exe                    916 N/A
svchost.exe                    992 EventSystem, fdPHost, netprofm, nsi, WdiServiceHost, WinHttpAutoProxySvc
svchost.exe                   1104 CryptSvc, Dnscache, LanmanWorkstation, NlaSvc
spoolsv.exe                   1244 Spooler
svchost.exe                   1272 BFE, DPS, MpsSvc
mDNSResponder.exe             1400 Bonjour Service
taskhost.exe                  1504 N/A
taskeng.exe                   1556 N/A
vmtoolsd.exe                  1580 VMTools
dwm.exe                       1660 N/A
explorer.exe                  1668 N/A
vmware-usbarbitrator.exe      1768 VMUSBArbService
TPAutoConnSvc.exe             1712 TPAutoConnSvc

[..Snip..]

C:\Windows\system32> net start
These Windows services are started:

   Application Experience
   Application Information
   Background Intelligent Transfer Service
   Base Filtering Engine
   Bluetooth Support Service
   Bonjour Service
   COM+ Event System
   COM+ System Application
   Cryptographic Services
   DCOM Server Process Launcher
   Desktop Window Manager Session Manager
   DHCP Client
   Diagnostic Policy Service
   Diagnostic Service Host
   Diagnostic System Host
   Distributed Link Tracking Client
   Distributed Transaction Coordinator
   DNS Client
   Function Discovery Provider Host
   Function Discovery Resource Publication
   Group Policy Client

[..Snip..]

DRIVERQUERY is sometimes useful, because some third-party drivers, even those from reputable companies, have more holes than Swiss cheese. This is possible because ring0 exploitation lies outside most people's skill set.

C:\Windows\system32> DRIVERQUERY

Module Name  Display Name           Driver Type   Link Date
============ ====================== ============= ======================
1394ohci     1394 OHCI Compliant Ho Kernel        11/20/2010 6:01:11 PM
ACPI         Microsoft ACPI Driver  Kernel        11/20/2010 4:37:52 PM
AcpiPmi      ACPI Power Meter Drive Kernel        11/20/2010 4:47:55 PM
adp94xx      adp94xx                Kernel        12/6/2008 7:59:55 AM
adpahci      adpahci                Kernel        5/2/2007 1:29:26 AM
adpu320      adpu320                Kernel        2/28/2007 8:03:08 AM
AFD          Ancillary Function Dri Kernel        11/20/2010 4:40:00 PM
agp440       Intel AGP Bus Filter   Kernel        7/14/2009 7:25:36 AM
aic78xx      aic78xx                Kernel        4/12/2006 8:20:11 AM
aliide       aliide                 Kernel        7/14/2009 7:11:17 AM
amdagp       AMD AGP Bus Filter Dri Kernel        7/14/2009 7:25:36 AM
amdide       amdide                 Kernel        7/14/2009 7:11:19 AM
AmdK8        AMD K8 Processor Drive Kernel        7/14/2009 7:11:03 AM
AmdPPM       AMD Processor Driver   Kernel        7/14/2009 7:11:03 AM
amdsata      amdsata                Kernel        3/19/2010 9:08:27 AM
amdsbs       amdsbs                 Kernel        3/21/2009 2:35:26 AM
amdxata      amdxata                Kernel        3/20/2010 12:19:01 AM
AppID        AppID Driver           Kernel        11/20/2010 5:29:48 PM
arc          arc                    Kernel        5/25/2007 5:31:06 AM

[..Snip..]
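Raw netstat -ano and tasklist /SVC listings like the ones above are only useful once they are joined: a defender reviewing this phase wants to know, for each socket, which process and which hosted services own it and whether it is bound beyond loopback. The Python below does that join; it is an added example, not code from the original article or its author, and the sample input is constructed to resemble the listings above (their PIDs come from separate captures, so the sample uses its own consistent PIDs, with one PID deliberately absent from the task list to show how a miss is reported).

```python
# Join `netstat -ano` with `tasklist /SVC`: which image (and, for svchost hosts,
# which services) owns each bound socket, and whether it is bound beyond loopback.
import re

# Constructed sample input modelled on the listings above (not a verbatim
# capture; PIDs chosen so that all but one of them appear in the task list).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1400
  TCP    192.168.0.104:49160    192.168.0.1:443        ESTABLISHED     1668
  UDP    0.0.0.0:5355           *:*                                    1100
  UDP    [fe80::5cd4:9caf:61c0:ba6e%11]:1900  *:*                      2956
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    684 RpcEptMapper, RpcSs
svchost.exe                   1100 Dnscache, LanmanWorkstation, NlaSvc
mDNSResponder.exe             1400 Bonjour Service
"""
LOOPBACK = {"127.0.0.1", "[::1]"}

def parse_tasklist(text):
    """PID -> {"image", "services"} from `tasklist /SVC`; N/A means no service."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line.rstrip())
        if m:                           # header and ===== lines have no PID
            svc = m.group(3)
            procs[int(m.group(2))] = {"image": m.group(1),
                                      "services": [] if svc == "N/A" else svc.split(", ")}
    return procs

def parse_netstat(text):
    """Bound sockets from `netstat -ano`: LISTENING TCP plus every UDP socket."""
    sockets = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("TCP", "UDP"):
            continue                    # header line or blank
        state = tok[3] if tok[0] == "TCP" else "-"   # UDP has no State column
        if tok[0] == "TCP" and state != "LISTENING":
            continue                    # outbound/established, not a listener
        host, port = tok[1].rsplit(":", 1)           # also splits "[::]:135"
        sockets.append({"proto": tok[0], "host": host, "port": int(port),
                        "state": state, "pid": int(tok[-1])})
    return sockets

def listening_map(netstat_text, tasklist_text):
    """Each bound socket joined with its owning image/services, plus an 'exposed'
    flag that is True unless the socket is bound to a loopback address."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for s in parse_netstat(netstat_text):
        p = procs.get(s["pid"], {"image": "<not in tasklist>", "services": []})
        rows.append({**s, **p, "exposed": s["host"] not in LOOPBACK})
    return rows
```

Call listening_map(NETSTAT_SAMPLE, TASKLIST_SAMPLE) to get one dict per bound socket; on a real host, feed it the saved output of the two commands instead of the constructed samples.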


Stage t4: the arcane art of WMIC

WMIC (Windows Management Instrumentation Command-Line) is one of the most useful command-line tools in Windows.

WMIC is extremely practical for information gathering and post-exploitation, and its output holds a lot of promise. Explaining WMIC fully would need a tutorial of its own, and because of formatting issues some of its output is hard to display here.

The following two articles on WMIC are well worth reading:



Some default Windows configurations do not allow access to WMIC unless the user is in the Administrators group. Testing in virtual machines showed that low-privileged users on any version of Windows XP cannot access WMIC. Conversely, default installations of Windows 7 Professional and Windows 8 Enterprise allow low-privileged users to access WMIC and query the operating system version.

This is exactly what we need, since we use WMIC to gather information about the target machine. WMIC's options are listed in the command-line help below:

C:\Windows\system32> wmic /?

[global switches] <command>

The following global switches are available:
/NAMESPACE           Path for the namespace the alias operate against.
/ROLE                Path for the role containing the alias definitions.
/NODE                Servers the alias will operate against.
/IMPLEVEL            Client impersonation level.
/AUTHLEVEL           Client authentication level.
/LOCALE              Language id the client should use.
/PRIVILEGES          Enable or disable all privileges.
/TRACE               Outputs debugging information to stderr.
/RECORD              Logs all input commands and output.
/INTERACTIVE         Sets or resets the interactive mode.
/FAILFAST            Sets or resets the FailFast mode.
/USER                User to be used during the session.
/PASSWORD            Password to be used for session login.
/OUTPUT              Specifies the mode for output redirection.
/APPEND              Specifies the mode for output redirection.
/AGGREGATE           Sets or resets aggregate mode.
/AUTHORITY           Specifies the <authority type> for the connection.
/?[:<BRIEF|FULL>]    Usage information.

For more information on a specific global switch, type: switch-name /?

The following alias/es are available in the current role:
ALIAS                    - Access to the aliases available on the local system
BASEBOARD                - Base board (also known as a motherboard or system board) management.
BIOS                     - Basic input/output services (BIOS) management.
BOOTCONFIG               - Boot configuration management.
CDROM                    - CD-ROM management.
COMPUTERSYSTEM           - Computer system management.
CPU                      - CPU management.
CSPRODUCT                - Computer system product information from SMBIOS.
DATAFILE                 - DataFile Management.
DCOMAPP                  - DCOM Application management.
DESKTOP                  - User's Desktop management.
DESKTOPMONITOR           - Desktop Monitor management.
DEVICEMEMORYADDRESS      - Device memory addresses management.
DISKDRIVE                - Physical disk drive management.
DISKQUOTA                - Disk space usage for NTFS volumes.
DMACHANNEL               - Direct memory access (DMA) channel management.
ENVIRONMENT              - System environment settings management.
FSDIR                    - Filesystem directory entry management.
GROUP                    - Group account management.
IDECONTROLLER            - IDE Controller management.
IRQ                      - Interrupt request line (IRQ) management.
JOB                      - Provides access to the jobs scheduled using the schedule service.
LOADORDER                - Management of system services that define execution dependencies.
LOGICALDISK              - Local storage device management.
LOGON                    - LOGON Sessions.
MEMCACHE                 - Cache memory management.
MEMORYCHIP               - Memory chip information.
MEMPHYSICAL              - Computer system's physical memory management.
NETCLIENT                - Network Client management.
NETLOGIN                 - Network login information (of a particular user) management.
NETPROTOCOL              - Protocols (and their network characteristics) management.
NETUSE                   - Active network connection management.
NIC                      - Network Interface Controller (NIC) management.
NICCONFIG                - Network adapter management.
NTDOMAIN                 - NT Domain management.
NTEVENT                  - Entries in the NT Event Log.
NTEVENTLOG               - NT eventlog file management.
ONBOARDDEVICE            - Management of common adapter devices built into the motherboard (system board).
OS                       - Installed Operating System/s management.
PAGEFILE                 - Virtual memory file swapping management.
PAGEFILESET              - Page file settings management.
PARTITION                - Management of partitioned areas of a physical disk.
PORT                     - I/O port management.
PORTCONNECTOR            - Physical connection ports management.
PRINTER                  - Printer device management.
PRINTERCONFIG            - Printer device configuration management.
PRINTJOB                 - Print job management.
PROCESS                  - Process management.
PRODUCT                  - Installation package task management.
QFE                      - Quick Fix Engineering.
QUOTASETTING             - Setting information for disk quotas on a volume.
RDACCOUNT                - Remote Desktop connection permission management.
RDNIC                    - Remote Desktop connection management on a specific network adapter.
RDPERMISSIONS            - Permissions to a specific Remote Desktop connection.
RDTOGGLE                 - Turning Remote Desktop listener on or off remotely.
RECOVEROS                - Information that will be gathered from memory when the operating system fails.
REGISTRY                 - Computer system registry management.
SCSICONTROLLER           - SCSI Controller management.
SERVER                   - Server information management.
SERVICE                  - Service application management.
SHADOWCOPY               - Shadow copy management.
SHADOWSTORAGE            - Shadow copy storage area management.
SHARE                    - Shared resource management.
SOFTWAREELEMENT          - Management of the elements of a software product installed on a system.
SOFTWAREFEATURE          - Management of software product subsets of SoftwareElement.
SOUNDDEV                 - Sound Device management.
STARTUP                  - Management of commands that run automatically when users log onto the computer system.
SYSACCOUNT               - System account management.
SYSDRIVER                - Management of the system driver for a base service.
SYSTEMENCLOSURE          - Physical system enclosure management.
SYSTEMSLOT               - Management of physical connection points including ports, slots and peripherals, and proprietary connections points.
TAPEDRIVE                - Tape drive management.
TEMPERATURE              - Data management of a temperature sensor (electronic thermometer).
TIMEZONE                 - Time zone data management.
UPS                      - Uninterruptible power supply (UPS) management.
USERACCOUNT              - User account management.
VOLTAGE                  - Voltage sensor (electronic voltmeter) data management.
VOLUME                   - Local storage volume management.
VOLUMEQUOTASETTING       - Associates the disk quota setting with a specific disk volume.
VOLUMEUSERQUOTA          - Per user storage volume quota management.
WMISET                   - WMI service operational parameters management.

For more information on a specific alias, type: alias /?

CLASS     - Escapes to full WMI schema.
PATH      - Escapes to full WMI object paths.
CONTEXT   - Displays the state of all the global switches.
QUIT/EXIT - Exits the program.

For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?

To simplify things, I have written a script that uses WMIC to extract the following information from the target machine: processes, services, user accounts, user groups, network interfaces, hard disk information, network shares, installed Windows patches, programs run at startup, the list of installed software, the operating system and time-zone information.

It uses various switches and parameters to extract valuable information; if anyone would like something added to the list, leave a comment below. Using WMIC's built-in output feature, the script writes all results to a readable HTML file.

Script:

http://www.fuzzysecurity.com/tutorials/files/wmic_info.rar

Sample output page:

http://www.fuzzysecurity.com/tutorials/files/Win7.html

That is all for today. Did you follow it? In the next instalment we will continue with the fundamentals of Windows privilege escalation, so stay tuned.
