NTUSTISC - AD Note - Lab(利用弱點)

[TOC]

Lecture Video: 2022/05/04 AD Security[^1]

Background

  • Internet Information Services (IIS)

    IIS is an abbreviation; its full name is Internet Information Services (IIS), the set of basic Internet services provided by Microsoft that runs on Microsoft Windows.

    IIS refers to the World Wide Web server service. IIS is a Web (web page) service component; in professional terms, IIS can give a host computer more than one IP address, and the host can also have more than one domain name acting as a Web site. Anyone who has configured a server should know IIS. How do you let other people browse a website you have built? Through a web server. IIS is just one kind of web server.

    In short:

    Internet Information Services (IIS) is the component with which Windows provides web services; it is the platform that hosts the programs of a website. It can also provide FTP, SMTP and other services.

    On UNIX or Linux platforms, Apache is the web server. For Windows NT/2000, IIS is the standard web server.

    IIS is a service, a component of the Windows 2000 Server family. Unlike an ordinary application, it is part of the operating system, like a driver, and can be started together with the system at boot. If you want to know how to enable IIS on Windows 10 or build a web server, watch this video[^1].

  • Ordinary privileges (as in the previous labs)
    • Get domain user information
    • Scan Port
    • Check Group Policy Object
  • Benefits of high privileges
    • Dump Password or Hash
    • Turn off Defender
    • Check the other users' info
  • Special local accounts
    • ==NT Authority\System== (the real highest-privilege local account)
    • NT Authority\Network Service
    • NT Authority\Local Service
    • NT Authority\IUSR
  • Privilege escalation methods
    • Exploit a vulnerability (usually by trying Windows CVEs directly); see [^2]
    • Hijack Token
    • Guess Password: as mentioned in the earlier environment reconnaissance, look at the description field in Active Directory Users and Computers for password hints, or check with $ net user when the password was last changed, and then consider brute-forcing
    • Service management
    • Misconfiguration

Lab Time - Local Privilege Escalation

==Exploiting vulnerabilities==

```bash
$ git clone https://github.com/bitsadmin/wesng.git --depth 1
$ cd wesng
$ python wes.py --update
$ systeminfo.exe > systeminfo.txt # systeminfo is a built-in Windows command, so this step must be run in cmd
$ python wes.py systeminfo.txt
```

:::spoiler Result

python wes.py systeminfo.txt
Windows Exploit Suggester 1.03 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
    - Name: Windows 11 for x64-based Systems
    - Generation: 11
    - Build: 5
    - Version: None
    - Architecture: x64-based
    - Installed hotfixes (3): KB5028948, KB5029263, KB5028756
[+] Loading definitions
    - Creation date of definitions: 20230901
[+] Determining missing patches
[!] Found vulnerabilities!

Date: 20211214
CVE: CVE-2019-0887
KB: KB5008215
Title: Remote Desktop Services Remote Code Execution Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20211214
CVE: CVE-2020-0655
KB: KB5008215
Title: Remote Desktop Services Remote Code Execution Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20211216
CVE: CVE-2021-43216
KB: KB5008215
Title: Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Information Disclosure
Exploit: n/a

Date: 20211215
CVE: CVE-2021-43217
KB: KB5008215
Title: Windows Encrypting File System (EFS) Remote Code Execution Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43219
KB: KB5008215
Title: DirectX Graphics Kernel File Denial of Service Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43222
KB: KB5008215
Title: Microsoft Message Queuing Information Disclosure Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Information Disclosure
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43224
KB: KB5008215
Title: Windows Common Log File System Driver Information Disclosure Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Information Disclosure
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43226
KB: KB5008215
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43227
KB: KB5008215
Title: Storage Spaces Controller Information Disclosure Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Information Disclosure
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43228
KB: KB5008215
Title: SymCrypt Denial of Service Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43229
KB: KB5008215
Title: Windows NTFS Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43230
KB: KB5008215
Title: Windows NTFS Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43231
KB: KB5008215
Title: Windows NTFS Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43232
KB: KB5008215
Title: Windows Event Tracing Remote Code Execution Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43233
KB: KB5008215
Title: Remote Desktop Client Remote Code Execution Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43234
KB: KB5008215
Title: Windows Fax Service Remote Code Execution Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43235
KB: KB5008215
Title: Storage Spaces Controller Information Disclosure Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Information Disclosure
Exploit: n/a

Date: 20211216
CVE: CVE-2021-43236
KB: KB5008215
Title: Microsoft Message Queuing Information Disclosure Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Information Disclosure
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43237
KB: KB5008215
Title: Windows Setup Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43238
KB: KB5008215
Title: Windows Remote Access Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43239
KB: KB5008215
Title: Windows Recovery Environment Agent Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43240
KB: KB5008215
Title: NTFS Set Short Name Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43246
KB: KB5008215
Title: Windows Hyper-V Denial of Service Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43247
KB: KB5008215
Title: Windows TCP/IP Driver Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211216
CVE: CVE-2021-43248
KB: KB5008215
Title: Windows Digital Media Receiver Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211214
CVE: CVE-2021-41333
KB: KB5008215
Title: Windows Print Spooler Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43207
KB: KB5008215
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211214
CVE: CVE-2021-43880
KB: KB5008215
Title: Windows Mobile Device Management Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211216
CVE: CVE-2021-43883
KB: KB5008215
Title: Windows Installer Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211216
CVE: CVE-2021-43893
KB: KB5008215
Title: Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability
Affected product: Windows 11 for x64-based Systems
Affected component: Microsoft
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

[-] Missing patches: 1
    - KB5008215: patches 30 vulnerabilities
[I] KB with the most recent release date
    - ID: KB5008215
    - Release date: 20211216
[+] Done. Displaying 30 of the 30 vulnerabilities found.

:::
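As an added example (not part of the original note or of the wesng project), the following Python script parses the record blocks that wes.py prints, as seen in the Result above, and groups them by Impact so that the Elevation of Privilege findings relevant to this local-privilege-escalation lab can be separated from the rest and the KBs that close them listed. The sample text is constructed from two of the records on the page.

```python
# Added example: triage helper for wesng (wes.py) output. Not part of the original
# note or of the wesng project; it parses the "Key: value" record blocks and groups them.
import re

# Constructed sample in the wes.py output format, using two records from
# the Result above (Affected product/component lines omitted for brevity).
SAMPLE_OUTPUT = """\
Date: 20211214
CVE: CVE-2021-43226
KB: KB5008215
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20211215
CVE: CVE-2021-43217
KB: KB5008215
Title: Windows Encrypting File System (EFS) Remote Code Execution Vulnerability
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

[-] Missing patches: 1
"""

RECORD_LINE = re.compile(r"^([A-Za-z ]+): (.*)$")  # status lines like "[-] ..." do not match

def parse_wes_output(text):
    """Return one dict per record; a blank or status line ends the current record."""
    records, current = [], {}
    for line in text.splitlines():
        m = RECORD_LINE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif "CVE" in current:
            records.append(current)
            current = {}
    if "CVE" in current:
        records.append(current)
    return records

def triage(records):
    """Group CVEs by Impact, list the KBs to install, flag any with a public exploit."""
    by_impact = {}
    for r in records:
        by_impact.setdefault(r["Impact"], []).append(r["CVE"])
    return {"by_impact": by_impact,
            "missing_kbs": sorted({r["KB"] for r in records}),
            "public_exploit": [r["CVE"] for r in records if r["Exploit"] != "n/a"]}
```

Running `triage(parse_wes_output(open("wes_output.txt").read()))` on a saved wes.py run gives the same grouping for the full 30-record list.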

Reference