WHOAMI
A minimal, responsive, and powerful Jekyll theme for presenting professional writing.
Feed updated: 2024-01-18T23:45:54+08:00
WHOAMI / Jekyll © 2024 WHOAMI

WinT - 2023 7th QWB (强网杯) Finals RPC Local Privilege Escalation Review
Published: 2024-01-18T23:26:00+08:00 | Updated: 2024-01-18T23:43:05+08:00
/posts/wint-2024-qwb-finals-rpc-local-privilege-escalation-review/
Author: WHOAMI
A couple of days ago the QWB Final RealWorld track had a Windows RPC local privilege escalation challenge. After the competition I asked a friend for the attachments and reproduced it briefly. That said, the challenge apparently had quite a few unintended solutions at the time, and some people said they solved it after reading my blog post "Creating Windows Access Tokens With God Privilege", but I honestly did not find any connection between this challenge and God Privilege. Introduction: BabyTrust. "We surely don't trust anonymous nowadays, we only trust ourselves." The challenge provided a Windows Server 2022 virtual machine and two attachments (server.exe and hello.exe). server.exe registers an RPC service on the virtual machine and runs automatically as a service. Contestants need to, against the target, ...

AD CS - New Ways to Abuse ManageCA Permissions
Published: 2023-12-03T19:15:00+08:00 | Updated: 2024-01-18T23:30:09+08:00
/posts/ad-cs-new-ways-to-abuse-manageca-permissions/
Author: WHOAMI
TL;DR: This report documents a local elevation of privilege vulnerability in Active Directory Certificate Services (AD CS). The vulnerability is caused by a race condition when Certsrv creates CRL files. Any standard user with a ManageCA ACL on the CA can publish CRL Distribution Points (CDPs) and move arbitrary files to a restricted directory (for example, C:\Windows\System32). A...

Revisiting an Abuse of Read-Only Domain Controllers (RODCs)
Published: 2023-11-27T16:48:00+08:00 | Updated: 2023-12-01T23:44:05+08:00
/posts/revisiting-a-abuse-of-read-only-domain-controllers/
Author: WHOAMI
TL;DR: Because RODCs are generally regarded as not having the same level of access as writable DCs, many environments may end up with configurations in which an RODC can be used to escalate privileges. In some scenarios it is possible to escalate from a read-only domain controller to a fully writable domain controller. This article covers the misconfigurations that can occur when read-only domain controllers are used in an Active Directory environment, and helps both red and blue teams better understand and check whether an RODC configuration has problems. Read-Only Domain Controller: A Read-Only Domain Controller (RODC) is a newer type of domain controller in the Windows Server operating system. With an RODC, an organization can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts a read-only partition of the Active Directory Domain Services (AD DS) database. Before the release of Windows Server 2008, if a user had to ...

S4UTomato - Escalate Service Account To LocalSystem via Kerberos
Published: 2023-08-02T19:32:00+08:00 | Updated: 2023-11-27T16:53:46+08:00
/posts/escalate-service-account-to-localSystem-via-kerberos/
Author: WHOAMI
Traditional Potatoes: Anyone familiar with the "Potato" family of privilege escalations knows that they can elevate a service account to local SYSTEM privileges. The early "Potato" techniques almost all follow the same idea: abuse certain features of COM interfaces to trick the NT AUTHORITY\SYSTEM account into connecting to and authenticating against an attacker-controlled RPC server. A series of API calls then performs a man-in-the-middle (NTLM relay) attack on this authentication and produces a local access token for the NT AUTHORITY\SYSTEM account. Finally, this token is stolen and passed to CreateProcessWithToken() or CreateProcessAsUser() to create a new process with SYSTEM privileges. How About Kerberos: In a Windows domain environment, SYSTEM, NT AUTHORITY\NETWORK SERVICE and Micro...

Revisiting a UAC Bypass By Abusing Kerberos Tickets
Published: 2023-07-29T22:32:00+08:00 | Updated: 2023-07-30T21:12:06+08:00
/posts/revisiting-a-uac-bypass-by-abusing-kerberos-tickets/
Author: WHOAMI
Background: The inspiration for this article comes from James Forshaw (@tiraniddo), who presented a talk titled "Taking Kerberos To The Next Level" at BlackHat USA 2022. In his presentation he demonstrated the abuse of Kerberos tickets to bypass User Account Control (UAC), and he also wrote a blog post titled "Bypassing UAC in the most Complex Way Possible!" explaining the underlying principles. T...