Newbie Diary 24: Kali Penetration Testing (IV) -- Privilege Escalation Exploits

Source: Internet
Author: User
Tags: domain, cve

Worked examples of privilege escalation exploits

Premise: an XP or 2003 system has already been compromised and a low-privilege foothold exists

1. Target vulnerability: MS11-080

Patch: KB2592799

Vulnerability information: https://technet.microsoft.com/library/security/ms11-080

1. Use the searchsploit command to locate the exploit. Note: widen the terminal window so that the title and path columns are displayed in full.

# There are two versions of the exploit code, Python and Ruby; pick according to preference. This chapter uses the Python one.

2. Search by Sandi

View the description at the top of the exploit code

# Privilege escalation through the afd.sys driver

### For 32-bit systems, XP and 2003; "eng" indicates the English edition of the operating system, so it may not work on the Chinese edition

Copy 18176.py to the XP system. Note: XP needs a Python runtime installed.

Test on the Chinese edition of XP

A blue screen may occur and the privilege escalation fails!

1. Use the English edition of XP for this experiment

2. Or modify the code so that it supports the Chinese edition

#1. If the system patch is installed, uninstall it first, then proceed

#2. If the system lacks the required runtime environment, compile the script into an EXE first

How to compile a Python script into an EXE executable?

1. Download PyInstaller (https://pypi.python.org/pypi/PyInstaller/2.1); function: converts Python scripts into exe files

2. Download pywin32 (http://sourceforge.net/projects/pywin32/files/pywin32/Build%20219/)

Install pywin32 first, then place the extracted PyInstaller directory under Python27, put 18176.py into the PyInstaller directory, and run the build from the command line

# ..\python.exe specifies the path to the Python interpreter

# --onefile bundles the library files into the generated EXE

To prevent antivirus software from intercepting the file when it is uploaded to other systems, compress it first

A normal user cannot write to the C drive; extract it to the temp directory

Success: create your own administrator account, or add your own user to the Administrators group

For example: net user b b /add and then net localgroup Administrators b /add
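From the defender's side, the two commands above leave a recognisable trace: a Security log event 4720 (user account created) followed seconds later by a 4732 (member added to a security-enabled local group) for the same account. The following is an added example, not code from the original post or from the exploit; it runs a simple correlation over constructed sample records in a simplified field layout chosen for this example, which is an assumption and not a real SIEM export.

```python
"""Detect a freshly created local account being added to Administrators.

Added example for this post (not the post's own code or the exploit's): the
sequence "net user b b /add" then "net localgroup Administrators b /add"
produces Windows Security events 4720 (user account created) and 4732
(member added to a security-enabled local group). The records below are
constructed sample data; the field names are an assumption for this example.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real log data). A kernel-driver exploit of
# the afd.sys kind yields a SYSTEM shell, so the first pair is created by SYSTEM.
SAMPLE_EVENTS = [
    {"time": "2011-10-12T10:00:01", "id": 4720,
     "subject": "NT AUTHORITY\\SYSTEM", "target": "b"},
    {"time": "2011-10-12T10:00:04", "id": 4732,
     "subject": "NT AUTHORITY\\SYSTEM", "group": "Administrators", "member": "b"},
    # Routine provisioning by an administrator a day apart: not flagged.
    {"time": "2011-10-12T11:30:00", "id": 4720,
     "subject": "XPHOST\\Administrator", "target": "svc_backup"},
    {"time": "2011-10-13T09:00:00", "id": 4732,
     "subject": "XPHOST\\Administrator", "group": "Administrators",
     "member": "svc_backup"},
    # Addition to a non-admin group: outside this rule.
    {"time": "2011-10-13T09:05:00", "id": 4732,
     "subject": "XPHOST\\Administrator", "group": "Backup Operators",
     "member": "svc_backup"},
]

ADMIN_GROUPS = {"administrators", "domain admins"}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Return one alert per account that was created (4720) and then added to an
    admin group (4732) within `window`. Events are processed in time order and
    creation times are keyed by the lower-cased account name."""
    created = {}   # account name -> (creation time, creating subject)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        when = parse_time(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"].lower()] = (when, ev["subject"])
        elif ev["id"] == 4732 and ev["group"].lower() in ADMIN_GROUPS:
            member = ev["member"].lower()
            if member not in created:
                continue
            born, creator = created[member]
            if when - born <= window:
                alerts.append({
                    "account": member,
                    "created_by": creator,
                    "added_by": ev["subject"],
                    "seconds_between": (when - born).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_new_local_admins(SAMPLE_EVENTS):
        print("new local admin:", alert)
```

The ten-minute window is a tunable: the exploit-driven sequence happens within seconds, while legitimate provisioning workflows usually separate the two steps by longer, so a short window keeps the rule quiet. A creation performed by NT AUTHORITY\SYSTEM on a workstation is itself worth a second look even without the group change.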

2. Target vulnerability: MS11-046

Results in a DoS (blue screen and restart)

MS14-068: can elevate a normal domain user on a host in the domain to domain administrator rights

In an enterprise environment the domain manages the computers; control over the domain administrator account gives control over every computer in the domain and even over other resources (for example the financial system). ## Microsoft has had relatively few security issues in the domain area.

Build a domain (reference: http://www.cnblogs.com/suizhikuo/articles/2117831.html)

The domain controller must run a server edition of the operating system (for example 2003)

http://www.poluoluo.com/server/200809/46996.html

## A static IP address must be used, and the machine acts as its own DNS server

Assign domain account passwords to individuals and restrict the resources they can operate on

Kali's integrated vulnerability script

## Generate the ticket file

ms14-068.py -u [email protected] -s usersid -d dc.lab.com

TGT: the authentication ticket for the domain environment

# Initiate the session request and obtain the ticket

python 35474.py -u [email protected] -s S-1-5-21-1174131619-510335615-37023860181-1107 -d 192.168.1.145
# -s is the user's SID in the domain; -d specifies the domain controller name/IP (unless Kali uses the same DNS server, the IP address must be written here)

Log on to the machine and copy the ticket file to XP

Privilege escalation from the command line

mimikatz.exe log "kerberos::ptc [EMAIL protected]" exit

(If an exception occurs, try restarting to resolve it)

### On a client XP system this does not succeed; it needs to be done on Win7

Using mimikatz

## If Kali reports missing library files

they can be downloaded from https://github.com/bidord/pykek
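On the detection side, a forged PAC accepted by an unpatched domain controller produces a logon event (4624) on the target machine in which the Account Name is the low-privileged user but the Security ID does not resolve to that account; this Account Name / Security ID mismatch is the indicator Microsoft's post-release guidance for MS14-068 points to (the fix itself shipped as KB3011780, which the post above does not mention). The following is an added example, not code from the original post or from pykek; the directory snapshot and the 4624 records are constructed sample data in a simplified layout chosen for this example, and the domain SID prefix is the one quoted in the post.

```python
"""Flag Kerberos logons whose Account Name and Security ID disagree (MS14-068 indicator).

Added example for this post, not the post's own code or the exploit's. A 4624
event whose SID does not resolve to the named account is anomalous on its own;
after MS14-068 it is the specific trace left by a forged PAC. The directory
snapshot and event records below are constructed sample data.
"""
# Constructed directory snapshot: lower-cased account name -> SID. The domain
# SID prefix is the one quoted in the post; 500 is the built-in Administrator RID.
DOMAIN_SID = "S-1-5-21-1174131619-510335615-37023860181"
DIRECTORY = {
    "lab\\user": DOMAIN_SID + "-1107",
    "lab\\administrator": DOMAIN_SID + "-500",
    "lab\\svc_sql": DOMAIN_SID + "-1120",
}

# Constructed 4624 records in a simplified field layout (assumption).
SAMPLE_LOGONS = [
    # Normal Kerberos network logon: name and SID agree.
    {"id": 4624, "logon_type": 3, "auth": "Kerberos",
     "account": "LAB\\user", "sid": DOMAIN_SID + "-1107", "host": "XP1"},
    # Name field still says "user" but the SID resolves to the Administrator RID.
    {"id": 4624, "logon_type": 3, "auth": "Kerberos",
     "account": "LAB\\user", "sid": DOMAIN_SID + "-500", "host": "DC1"},
    # NTLM logon: outside the scope of this rule even though the SID is odd.
    {"id": 4624, "logon_type": 3, "auth": "NTLM",
     "account": "LAB\\svc_sql", "sid": DOMAIN_SID + "-9999", "host": "SQL1"},
    # Account absent from the snapshot: reported with expected SID None for triage.
    {"id": 4624, "logon_type": 3, "auth": "Kerberos",
     "account": "LAB\\ghost", "sid": DOMAIN_SID + "-1300", "host": "FS1"},
]


def find_pac_mismatches(logons, directory):
    """Return (account, event SID, expected SID or None, host) for every Kerberos
    4624 whose Security ID does not match the directory's SID for the Account Name."""
    findings = []
    for ev in logons:
        if ev.get("id") != 4624 or ev.get("auth") != "Kerberos":
            continue
        expected = directory.get(ev["account"].lower())
        if expected is None or expected.upper() != ev["sid"].upper():
            findings.append((ev["account"], ev["sid"], expected, ev["host"]))
    return findings


if __name__ == "__main__":
    for account, sid, expected, host in find_pac_mismatches(SAMPLE_LOGONS, DIRECTORY):
        print("name/SID mismatch on %s: %s logged on with %s (directory says %s)"
              % (host, account, sid, expected))
```

The rule needs a trustworthy name-to-SID mapping; in practice that snapshot comes from the directory itself rather than from the events being checked, otherwise a forged ticket would be compared against data it could have influenced. Because the mismatch appears in the 4624 on the machine the ticket is presented to, the rule has to run over logs from member servers and domain controllers alike, not only the DC that issued the ticket.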

Privilege escalation on the Linux platform

CVE-2012-0056 (http://cve.scap.org.cn/CVE-2012-0056.html)

/proc/pid/mem # /proc is a temporary directory generated during system boot, holding a large number of memory-related entries

This vulnerability exists in Linux kernels with versions higher than 2.6.39 (the latest kernel versions have been fixed)

Principle: https://git.zx2c4.com/CVE-2012-0056/about/

Target machine: Ubuntu 11.10 (old Ubuntu releases, no longer updated: http://old-releases.ubuntu.com/releases/11.10/)
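A first triage step for this bug is to compare a host's kernel version with the affected range. The following is an added example, not code from the original post or from the exploit: it parses `uname -r` strings and checks them against the range the post describes. The lower bound 2.6.39 is taken from the post; the upper bound 3.2.2 is the upstream release that carried the /proc/pid/mem fix and is not stated on the page, so it is marked as an assumption in the code. Distribution kernels backport fixes without changing the version number, so the check labels distro builds for advisory lookup rather than calling them vulnerable outright; the sample version strings are constructed.

```python
"""Triage a kernel version string against the CVE-2012-0056 affected range.

Added example for this post (not the post's own code or the exploit's). The
post states the bug affects kernels from 2.6.39 upward and that current
kernels are fixed; the upper bound 3.2.2 used here is the upstream release
with the fix and is not stated on the page (assumption). Distribution kernels
backport fixes without bumping the version, so a version-only check is a
first pass and the distro security advisory is the final word.
"""
import re

VULN_FIRST = (2, 6, 39)   # first kernel with writable /proc/pid/mem (from the post)
FIXED_IN = (3, 2, 2)      # upstream fix release (assumption, not from the post)

# Constructed sample "uname -r" strings, not collected from real hosts.
SAMPLE_KERNELS = [
    "3.0.0-12-generic",     # Ubuntu 11.10 stock kernel, the post's target
    "2.6.38-8-generic",     # predates the change
    "2.6.39",
    "3.2.1",
    "3.2.2",
    "3.2.0-23-generic",     # distro build: version in range, fix may be backported
    "4.15.0-1-generic",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(uname_r):
    """Return (major, minor, patch) from a `uname -r` string, ignoring any
    "-NN-flavour" suffix; a missing patch level counts as 0."""
    m = _VERSION_RE.match(uname_r.strip())
    if not m:
        raise ValueError("unrecognised kernel version: %r" % uname_r)
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def kernel_in_affected_range(uname_r):
    """True when the base version lies in [2.6.39, 3.2.2)."""
    return VULN_FIRST <= parse_kernel_version(uname_r) < FIXED_IN


def triage(uname_r):
    """'not-affected' outside the range; inside it, 'affected' for a plain
    upstream version and 'check-advisory' for a distribution build, whose
    "-NN-flavour" suffix means the patch may have been backported."""
    if not kernel_in_affected_range(uname_r):
        return "not-affected"
    return "check-advisory" if "-" in uname_r.strip() else "affected"


if __name__ == "__main__":
    for k in SAMPLE_KERNELS:
        print("%-20s %s" % (k, triage(k)))
```

The Ubuntu 11.10 target in the post reports 3.0.0-12-generic, which lands in the range and is labelled check-advisory; the remediation on the defender's side is the same either way, move to a kernel build the distribution lists as fixed.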

Copy 18411.c to the Ubuntu system

scp /usr/share/exploitdb/platforms/linux/local/18411.c [Email protected]:/home/admin/

Compile it with gcc, grant execute permission with chmod, and run ./exp

## Early Ubuntu versions do not include gcc; it has to be installed manually

sudo apt-cdrom add && sudo apt-get install gcc

## When the update source cannot find the package, use the installation CD as the update source (the CD-ROM ships with many packages, but not necessarily the latest versions)

Select the ISO file, mount it under /mnt or /media with the mount command (sudo mount /dev/cdrom /media/cdrom), and register it as an update source with sudo apt-cdrom add
