This blocks the Kerberos relay and mitigates the local privilege escalation to some extent, but an attacker can still look for other local ways to make SYSTEM authenticate over the network (for example, Change-Lockscreen[4]) and restore the exploit chain.

Summary
With this article, our series on local privilege escalation in Windows domain environments comes to a close for now. Thank you for reading, and see you next time.

References
Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory[5]
Windows Exploitation Tricks: Relaying DCOM Authentication[6]
Bypassing UAC in the most Complex Way Possible![7]
Change-Lockscreen[8]

Reference links
[1] NTLM Relay: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#case-study-2-windows-1020162019-lpe
[2] in the text: https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-relaying.html
[3] local ST abuse by creating an SCM connection: https://www.tiraniddo.dev/2022/03/bypassing-uac-in-most-complex-way.html
[4] Change-Lockscreen: https://github.com/nccgroup/Change-Lockscreen
[5] Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#case-study-2-windows-1020162019-lpe
[6] Windows Exploitation Tricks: Relaying DCOM Authentication: https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-relaying.html
[7] Bypassing UAC in the most Complex Way Possible!: https://www.tiraniddo.dev/2022/03/bypassing-uac-in-most-complex-way.html
[8] Change-Lockscreen: https://github.com/nccgroup/Change-Lockscreen