Intranet Infiltration - Privilege Escalation
2022-07-31 01:57:00 【haoaaao】
0x00 Local Privilege Escalation
1. Introduction
2. Default accounts on different systems
Windows: User, Administrator, System
Linux: User, Root
3. Windows privilege escalation
1) Elevating from Administrator to System
(1) Viewing account information from the command line:
Change a user's password: net user <username> *
List the user accounts on the current system: net user
Show the basic information of an account: net user <username>
Viewing the same information in the graphical interface: Computer Management -> Local Users and Groups -> Users / Groups
(2) Privilege escalation method 1 // Windows XP / 2003
a. In Task Manager, observe which user each process runs under (processes run at different privilege levels).
b. Command: at <time> cmd
When the scheduled time arrives, the at service runs the cmd command; because the at service itself runs as System, that cmd window has System privileges, which can be checked with whoami or in Task Manager.
However, each at job runs its command only once, so a way is needed to keep a System-level session around.
c. In the System-privilege cmd window opened by the previous step, kill the current desktop environment (the explorer process), then start the desktop environment again from that window so it is started under the System account.
// At this point the entire desktop environment runs with System privileges.
(3) Privilege escalation method 2 // Windows 7 / 8
Command: use sc to create a service, as follows
// "cmd /K start" as the service binary means the service opens a new cmd window
sc create <service name> binPath= "cmd /K start" type= own type= interact
// binPath= specifies the command the service executes; type= own is the service type; type= interact makes it an interactive service. sc requires the space after each "=".
Check the created service (for example with sc query <service name>)
Start the created service: sc start <service name>
// The service is started under the System account
The service started this way (the new cmd window) already runs with System privileges.
(4) Privilege escalation method 3
Windows tools: the Sysinternals Suite
https://technet.microsoft.com/en-us/sysinternals/bb545027
2) Privilege escalation by process injection
// Idea: find a process running with System privileges and inject into that process
(1) Tool download: Process Injector
http://www.tarasco.org/security/Process_Injector/
(2) Using the injection tool:
a. pinjector.exe -l (lists the processes that can be injected into)
b. Pick a process that runs with System privileges and inject into it.
// Inject into the process with PID 656, executing a cmd command bound to port 555. When someone connects to port 555 with nc or a similar tool, the cmd is handed to the connecting party, much like a remote shell over nc.
c. Using port 555 once it is listening:
Use nc in Kali to connect to port 555 on the Windows system.
Check the privileges (whoami): the shell runs with System privileges.
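From the defender's side, the sc-based method above leaves a clear trace: every service installation is recorded by the Service Control Manager as Event ID 7045 in the System log, with the service name, image path and account. The following Python is an added example (not from the original post) that parses constructed 7045 message bodies and flags a service whose image path is a bare command interpreter running as LocalSystem, the shape produced by binPath= "cmd /K start"; the sample messages and the interpreter list are assumptions of the example.

```python
import re

# Constructed sample messages in the shape of the System log's Service Control
# Manager Event ID 7045 ("A service was installed in the system") body.
SAMPLE_7045_MESSAGES = [
    "A service was installed in the system.\n"
    "Service Name: Print Helper\n"
    "Service File Name: C:\\Windows\\System32\\svchost.exe -k print\n"
    "Service Type: user mode service\n"
    "Service Start Type: auto start\n"
    "Service Account: LocalSystem",
    "A service was installed in the system.\n"
    "Service Name: syscmd\n"
    "Service File Name: cmd /K start\n"
    "Service Type: user mode service\n"
    "Service Start Type: demand start\n"
    "Service Account: LocalSystem",
    "A service was installed in the system.\n"
    "Service Name: updater\n"
    "Service File Name: \"C:\\Program Files\\Vendor\\updater.exe\" --svc\n"
    "Service Type: user mode service\n"
    "Service Start Type: auto start\n"
    "Service Account: NT AUTHORITY\\NetworkService",
]

# One labelled field per line in the 7045 body.
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.*)$",
    re.M)
# Image paths that are a command interpreter or script host rather than a service binary
# (assumed list; extend to taste).
INTERPRETER_RE = re.compile(
    r"(^|[\\/\s\"])(cmd|powershell|pwsh|wscript|cscript|mshta)(\.exe)?(?=[\s\"]|$)", re.I)
PRIVILEGED_ACCOUNTS = {"localsystem", "nt authority\\system"}

def parse_7045(message):
    """Turn a 7045 message body into a dict of its labelled fields."""
    return {k: v.strip() for k, v in FIELD_RE.findall(message)}

def is_suspicious_install(fields):
    """Flag a service whose binary is a bare interpreter running as SYSTEM (the "cmd /K start" pattern)."""
    path = fields.get("Service File Name", "")
    account = fields.get("Service Account", "").lower()
    return bool(INTERPRETER_RE.search(path)) and account in PRIVILEGED_ACCOUNTS

def find_suspicious(messages):
    """Return the names of matching services, in log order."""
    return [f["Service Name"] for f in map(parse_7045, messages) if is_suspicious_install(f)]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_7045_MESSAGES))  # ['syscmd']
```

The same check can be fed from live data by exporting 7045 records from the System log; a legitimate svchost-hosted or vendor service passes, while an interpreter installed as a LocalSystem service is reported.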