
Windows Privilege Escalation

This article is based on micropoor's article (many articles borrow from each other, in fact). Penetration testing is largely a matter of learning from one another; keep your own style through continuous learning, have your own ideas, and develop your own approach. Continuous learning and curiosity are what a penetration tester needs most.

Microsoft Security Response Center

The Microsoft security bulletins seem rather dated, but basically all of them have exploits available.

For Windows local privilege escalation, the most direct approach is to use the Windows patch information to determine whether the system has a corresponding vulnerability.

systeminfo

Run this command in cmd to obtain the target's operating system type (Windows Server xxxx, or Windows XP, 7, 8, 10), the OS version, the system architecture (x64 or x86), and the installed patches.

A lot of useful information can be obtained from systeminfo:

  1. The type of the target system, e.g. Windows Server 2008 R2; the corresponding exp is later looked up based on this.
  2. The system architecture, e.g. x64; every exp or other payload used later is chosen according to this parameter, to stay compatible.
  3. Patch information; Windows local privilege escalation depends on it to a large degree, in order to select an appropriate exp.
  4. Other information; some systeminfo output contains keywords such as an Alibaba Cloud identifier, which shows that the server is hosted in the cloud.

One-shot check

systeminfo>1.txt&(for %i in (KB977165 KB2160329 KB2503665 KB2592799 KB2707511 KB2829361 KB2850851 KB3000061   KB3045171 KB3077657 KB3079904 KB3134228 KB3143141  KB3141780) do @type 1.txt|@find /i  "%i"|| @echo %i you can hack)&del /f /q /a 1.txt

A single cmd command that directly reports whether vulnerabilities exist. In practice, though, this approach is not very good, because many patches include one another (a larger cumulative patch may already contain a smaller one), so false positives are possible.
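The same check as the cmd one-liner above, written here as an added example (not code from the original article) that parses a constructed systeminfo sample and lets the caller supply a supersedence map so that a KB already covered by a newer installed update is not reported as missing; the map contents are the caller's responsibility, this page provides none.

```python
import re

# Constructed sample of `systeminfo` output (not captured from a real host);
# only the fields this check needs are included.
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2592799
                           [02]: KB3000061
                           [03]: KB3143141
"""

# The KB list used by the one-shot cmd check above.
CHECK_KBS = ["KB977165", "KB2160329", "KB2503665", "KB2592799", "KB2707511",
             "KB2829361", "KB2850851", "KB3000061", "KB3045171", "KB3077657",
             "KB3079904", "KB3134228", "KB3143141", "KB3141780"]


def parse_systeminfo(text):
    """Extract OS name, architecture and the set of installed KBs."""
    info = {"os": None, "arch": None, "hotfixes": set()}
    for line in text.splitlines():
        m = re.match(r"^(OS Name|System Type):\s+(.*\S)", line)
        if m:
            info["os" if m.group(1) == "OS Name" else "arch"] = m.group(2)
        # Hotfix lines look like "[01]: KB2592799"; match case-insensitively,
        # as `find /i` does in the cmd version.
        m = re.search(r"\[\d+\]:\s*(KB\d+)", line, re.IGNORECASE)
        if m:
            info["hotfixes"].add(m.group(1).upper())
    return info


def missing_kbs(info, check_kbs, superseded_by=None):
    """Return the KBs from check_kbs that are not installed, skipping any
    whose superseding KB (per the caller-supplied map) is installed."""
    superseded_by = superseded_by or {}
    installed = info["hotfixes"]
    missing = []
    for kb in check_kbs:
        if kb in installed:
            continue
        if superseded_by.get(kb) in installed:
            continue  # covered by a newer cumulative update
        missing.append(kb)
    return missing
```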

Privilege escalation suggestions

  1. Online privilege-escalation helper

  2. local_exploit_suggester

msf gives privilege-escalation suggestions automatically based on systeminfo:

msf5 > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
msf5 post(multi/recon/local_exploit_suggester) > exploit -j

One-by-one comparison

x86 and x64 are not distinguished here for now.

  • Windows 2000
Bulletin | KB | Description
MS15-077 | KB3077657 | ATM
MS08-068 | KB957097 | Remote Code Execution
MS08-067 | KB958644 | Remote Code Execution
MS08-066 | |
MS06-040 | KB921883 | Remote Code Execution
MS05-039 | KB899588 | PnP Service
MS03-026 | KB823980 | Buffer Overrun In RPC Interface
  • Windows 2003
Bulletin | KB | Description | Notes
MS17-010 | KB4013389 | Windows Kernel Mode Drivers |
MS15-076 | KB3067505 | RPC |
MS15-077 | KB3077657 | ATM |
MS15-061 | KB3057839 | Kernel Driver |
MS15-051 | KB3057191 | Windows Kernel Mode Drivers |
MS15-010 | KB3036220 | Kernel Driver |
MS14-070 | KB2989935 | Kernel Driver |
MS14-068 | KB3011780 | Domain Privilege Escalation |
MS14-058 | KB3000061 | Win32k.sys |
MS14-040 | KB2975684 | AFD Driver |
MS14-002 | KB2914368 | NDProxy |
MS13-053 | KB2850851 | win32k.sys |
MS13-046 | KB2840221 | dxgkrnl.sys |
MS13-005 | KB2778930 | Kernel Mode Driver |
MS12-020 | KB2671387 | RDP |
MS11-080 | KB2592799 | AFD.sys |
MS11-062 | KB2566454 | NDISTAPI |
MS11-046 | KB2503665 | AFD.sys |
MS11-011 | KB2393802 | kernel Driver |
MS10-048 | KB2160329 | win32k.sys | SP2
MS10-015 | KB977165 | KiTrap0D |
MS08-067 | KB958644 | Remote Code Execution |
MS08-066 | | |
MS08-025 | KB941693 | Win32.sys |
MS06-040 | KB921883 | Remote Code Execution |
MS05-039 | KB899588 | PnP Service |
MS03-026 | KB823980 | Buffer Overrun In RPC Interface |
  • Windows Server 2008
Bulletin | KB | Description | Notes
CVE-2017-8464 | | LNK Remote Code Execution Vulnerability |
CVE-2017-0213 | | Windows COM Elevation of Privilege Vulnerability |
MS17-010 | KB4013389 | Windows Kernel Mode Drivers |
MS16-075 | KB3164038 | Hot Potato |
MS16-034 | KB3143145 | Kernel Driver |
MS16-032 | KB3143141 | Secondary Logon Handle |
MS16-016 | KB3136041 | WebDAV |
MS15-076 | KB3067505 | RPC |
MS15-077 | KB3077657 | ATM |
MS15-061 | KB3057839 | Kernel Driver |
MS15-051 | KB3057191 | Windows Kernel Mode Drivers |
MS15-010 | KB3036220 | Kernel Driver |
MS15-015 | KB3031432 | Kernel Driver |
MS15-001 | KB3023266 | Kernel Driver |
MS14-068 | KB3011780 | Domain Privilege Escalation |
MS14-058 | KB3000061 | Win32k.sys |
MS14-040 | KB2975684 | AFD Driver |
MS13-053 | KB2850851 | win32k.sys |
MS13-046 | KB2840221 | dxgkrnl.sys |
MS13-005 | KB2778930 | Kernel Mode Driver |
MS12-042 | KB2972621 | Service Bus |
MS12-020 | KB2671387 | RDP |
MS11-046 | KB2503665 | AFD.sys |
MS11-011 | KB2393802 | kernel Driver |
MS10-092 | KB2305420 | Task Scheduler |
MS10-059 | KB982799 | ACL-Churraskito |
MS10-048 | KB2160329 | win32k.sys | 2008, 2008 SP2, 2008 R2
MS10-015 | KB977165 | KiTrap0D |
MS10-012 | KB971468 | SMB Client Trans2 stack overflow | 2008 R2
MS09-050 | KB975517 | Remote Code Execution |
MS09-012 | KB959454 | Chimichurri |
MS08-067 | KB958644 | Remote Code Execution |
MS08-025 | KB941693 | Win32.sys |
  • Windows 2010
Bulletin | KB | Description
CVE-2017-8464 | | LNK Remote Code Execution Vulnerability
CVE-2017-0213 | | Windows COM Elevation of Privilege Vulnerability
  • Windows Server 2012
Bulletin | KB | Description | Notes
MS16-075 | KB3164038 | Hot Potato |
MS16-034 | KB3143145 | Kernel Driver |
MS16-032 | KB3143141 | Secondary Logon Handle |
MS15-097 | KB3089656 | remote code execution |
MS15-076 | KB3067505 | RPC |
MS15-077 | KB3077657 | ATM |
MS15-061 | KB3057839 | Kernel Driver |
MS15-051 | KB3057191 | Windows Kernel Mode Drivers |
MS15-015 | KB3031432 | Kernel Driver | 2012/RT/2012 R2
MS15-001 | KB3023266 | Kernel Driver |
MS14-068 | KB3011780 | Domain Privilege Escalation |
MS14-058 | KB3000061 | Win32k.sys |
MS14-040 | KB2975684 | AFD Driver |
MS13-046 | KB2840221 | dxgkrnl.sys |
MS13-005 | KB2778930 | Kernel Mode Driver |
MS12-042 | KB2972621 | Service Bus |
  • Windows Server 2016
Bulletin | KB | Description
CVE-2017-8464 | | LNK Remote Code Execution Vulnerability
CVE-2017-0213 | | Windows COM Elevation of Privilege Vulnerability
MS16-135 | KB3199135 | Windows Kernel Mode Drivers
  • XP
Bulletin | KB | Description | Notes
MS17-010 | KB4013389 | Windows Kernel Mode Drivers |
MS15-077 | KB3077657 | ATM |
MS14-002 | KB2914368 | NDProxy |
MS13-053 | KB2850851 | win32k.sys |
MS12-020 | KB2671387 | RDP |
MS11-080 | KB2592799 | AFD.sys |
MS11-062 | KB2566454 | NDISTAPI |
MS11-046 | KB2503665 | AFD.sys |
MS11-011 | KB2393802 | kernel Driver |
MS10-048 | KB2160329 | win32k.sys | XP SP2, XP SP3
MS10-015 | KB977165 | KiTrap0D |
MS08-068 | KB957097 | Remote Code Execution |
MS08-067 | KB958644 | Remote Code Execution |
MS08-066 | | |
MS08-025 | KB941693 | Win32.sys |
MS06-040 | KB921883 | Remote Code Execution |
MS05-039 | KB899588 | PnP Service |
MS03-026 | KB823980 | Buffer Overrun In RPC Interface |
  • Vista
Bulletin | KB | Description | Notes
MS16-016 | KB3136041 | WebDAV |
MS15-077 | KB3077657 | ATM |
MS13-053 | KB2850851 | win32k.sys |
MS13-046 | KB2840221 | dxgkrnl.sys |
MS11-011 | KB2393802 | kernel Driver |
MS10-059 | KB982799 | ACL-Churraskito |
MS10-048 | KB2160329 | win32k.sys | Vista SP1 & Vista SP2
MS09-050 | KB975517 | Remote Code Execution |
MS09-012 | KB959454 | Chimichurri |
MS08-067 | KB958644 | Remote Code Execution |
MS08-025 | KB941693 | Win32.sys |
  • Win7
Bulletin | KB | Description
MS17-017 | KB4013081 | GDI Palette Objects Local Privilege Escalation
CVE-2017-8464 | | LNK Remote Code Execution Vulnerability
CVE-2017-0213 | | Windows COM Elevation of Privilege Vulnerability
MS17-010 | KB4013389 | Windows Kernel Mode Drivers
MS16-075 | KB3164038 | Hot Potato
MS16-034 | KB3143145 | Kernel Driver
MS16-032 | KB3143141 | Secondary Logon Handle
MS16-016 | KB3136041 | WebDAV
MS15-076 | KB3067505 | RPC
MS15-077 | KB3077657 | ATM
MS15-061 | KB3057839 | Kernel Driver
MS15-051 | KB3057191 | Windows Kernel Mode Drivers
MS15-010 | KB3036220 | Kernel Driver
MS15-015 | KB3031432 | Kernel Driver
MS15-001 | KB3023266 | Kernel Driver
MS14-068 | KB3011780 | Domain Privilege Escalation
MS14-058 | KB3000061 | Win32k.sys
MS14-040 | KB2975684 | AFD Driver
MS13-053 | KB2850851 | win32k.sys
MS13-046 | KB2840221 | dxgkrnl.sys
MS13-005 | KB2778930 | Kernel Mode Driver
MS12-042 | KB2972621 | Service Bus
MS12-020 | KB2671387 | RDP
MS11-046 | KB2503665 | AFD.sys
MS11-011 | KB2393802 | kernel Driver
MS10-092 | KB2305420 | Task Scheduler
MS10-065 | KB2267960 | FastCGI
MS10-059 | KB982799 | ACL-Churraskito
MS10-048 | KB2160329 | win32k.sys
MS10-015 | KB977165 | KiTrap0D
MS10-012 | KB971468 | SMB Client Trans2 stack overflow
MS09-012 | KB959454 | Chimichurri
  • Win8
Bulletin | KB | Description | Notes
MS17-017 | KB4013081 | GDI Palette Objects Local Privilege Escalation |
CVE-2017-8464 | | LNK Remote Code Execution Vulnerability | Win8.1
CVE-2017-0213 | | Windows COM Elevation of Privilege Vulnerability | Win8.1
MS16-111 | KB3186973 | kernel api | Win8.1
MS16-098 | KB3178466 | Kernel Driver | Win8.1
MS16-075 | KB3164038 | Hot Potato |
MS16-034 | KB3143145 | Kernel Driver |
MS16-032 | KB3143141 | Secondary Logon Handle |
MS15-097 | KB3089656 | remote code execution | Win8.1
MS15-076 | KB3067505 | RPC |
MS15-077 | KB3077657 | ATM |
MS15-061 | KB3057839 | Kernel Driver |
MS15-051 | KB3057191 | Windows Kernel Mode Drivers |
MS15-010 | KB3036220 | Kernel Driver |
MS15-015 | KB3031432 | Kernel Driver | Win8, Win8.1
MS15-001 | KB3023266 | Kernel Driver |
MS14-068 | KB3011780 | Domain Privilege Escalation |
MS14-058 | KB3000061 | Win32k.sys |
MS14-040 | KB2975684 | AFD Driver |
MS13-005 | KB2778930 | Kernel Mode Driver |
  • Win10
Bulletin | KB | Description | Notes
CVE-2017-8464 | | LNK Remote Code Execution Vulnerability |
CVE-2017-0213 | | Windows COM Elevation of Privilege Vulnerability |
MS16-111 | KB3186973 | kernel api | Windows 10 10586 (32/64)
MS16-034 | KB3143145 | Kernel Driver |
MS16-032 | KB3143141 | Secondary Logon Handle |
  • IIS
Bulletin | KB | Description | Notes
MS10-065 | KB2267960 | FastCGI | IIS 5.1, 6.0, 7.0, and 7.5
MS09-020 | KB970483 | IIS 6.0 | IIS 5.1 and 6.0
  • Others
Bulletin | KB | Description | Notes
MS05-039 | KB899588 | PnP Service | Win 9X/ME/NT
MS03-026 | KB823980 | Buffer Overrun In RPC Interface | NT

Exploits

Once the vulnerabilities the target may have are known from the methods above, it is time to actually escalate privileges. There are currently two approaches:

  1. meterpreter

When the attacker has a meterpreter shell on the target, msf can be used directly, with its built-in privilege-escalation modules.

  2. Manual

Upload the privilege-escalation exp yourself and run it.

Currently public exps:

  • https://github.com/SecWiki/windows-kernel-exploits
  • https://github.com/WindowsExploits/Exploits
  • https://github.com/AusJock/Privilege-Escalation