zoukankan      html  css  js  c++  java
  • 通过系统自带的MSI安装包来提权账号

    Windows environments provide a group policy setting which allows a regular user to install a Microsoft Windows Installer Package (MSI) with system privileges. This can be discovered in environments where a standard user wants to install an application which requires system privileges and the administrator would  like to avoid to give temporary local administrator access to a user.

    From the security point of view this can be abused by an attacker in order to escalate his privileges to the box to SYSTEM.

    Identification

    Lets assume that we have already compromised a host inside the network and we have a Meterpreter session.

    get-uid-shell-metasploit

    Meterpreter Session – Normal user

    The easiest method to determine if this issue exist on the host is to query the following registry keys:

    reg query HKCUSOFTWAREPoliciesMicrosoftWindowsInstaller /v AlwaysInstallElevated
    reg query HKLMSOFTWAREPoliciesMicrosoftWindowsInstaller /v AlwaysInstallElevated
    registry-queries-always-install-elevated

    Query the registry to identify the issue

    Privilege Escalation with Metasploit

    The easiest and the fastest way to escalate privileges is via the Metasploit Framework which contains a module that can generate an MSI package with a simple payload that it will be executed as SYSTEM on the target host and it will be removed automatically to prevent the installation of being registered with the operating system.

    Metasploit Module - Always-Install-Elevated

    Exploitation of Always Install Elevated with Metasploit

    Generate MSI Package with PowerSploit

    PowerSploit framework contains a script that can discover whether this issue exist on the host by checking the registry entries and another one that can generate an MSI file that will add a user account into the local administrators group.

    PowerSploit - Always Install Elevated

    PowerSploit – Always Install Elevated

    User-Add - Adding an Account as Local Admin

    Adding an account into Administrators group

    The verification that this user has been added into the local administrator group can be done by running the “net localgroup administrators” command from the command prompt.

    net-localgroup-administrators

    Verification that the “backdoor user has been created

    Conclusion

    Metasploit Framework can be used as well to generate MSI files however the payload will be executed under the privileges of the user running it which in most of the cases it shouldn’t be the administrator. Therefore the PowerSploit script was the only reliable solution to escalate privileges properly.

    In order to mitigate this issue the following settings should be disabled from the GPO:

    Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Installer
    User ConfigurationAdministrative TemplatesWindows ComponentsWindows Installer
    GPO-Always Install With Elevated Privileges

    GPO -Always Install With Elevated Privileges Setting

    GPO-User - Always Install with elevated privileges

    GPO – Always Install with Elevated Privileges Setting

  • 相关阅读:
    5 粘包现象与解决方案
    4 Socket代码实例
    协程与多路io复用epool关系
    基于selector的socket并发
    基于select类型多路IO复用,实现简单socket并发
    协程实现多并发socket,跟NGINX一样
    利用协程实现简单爬虫
    协程
    进程池pool
    进程锁 Lock
  • 原文地址:https://www.cnblogs.com/backlion/p/7326842.html
Copyright © 2011-2022 走看看