How to use SCCM and Viewfinity for privilege escalation experiments

2025-02-28 Update From: SLTechnology News&Howtos (shulou)

Shulou (Shulou.com) 06/02 Report

This article shares how to use SCCM and Viewfinity to carry out privilege escalation experiments. The editor thinks it is very practical, so it is shared here as a reference; follow along to have a look.

SCCM Software Center

System Center Configuration Manager (SCCM) allows administrators to publish software installers to Software Center, where they run either as the currently logged-in user or, more often, with NT AUTHORITY\SYSTEM privileges. For more information about SCCM deployment types, see here.

Depending on how the installer commands are deployed, a malicious user may be able to use these whitelisted installers to elevate privileges on their own computer. In general, this is possible whenever the user is allowed to interact with the installer. The following is an example scenario.

You can see that the application "Flowdock" published by Software Center is available for installation and is marked "Attended Install".

The installer runs and allows us to set the installation path, which is (usually) essential for this attack: if the program is installed to Program Files, a low-privileged user cannot write to the installation directory. If we can control the installation path, however, we can point it at a location where we do have write permissions. Here, I choose to install the program on my desktop.

Continue the installation process until you reach the screen with the Finish button. Next, we start PowerShell.

In PowerShell, back up flowdock.exe and copy cmd.exe over flowdock.exe. Then we select the "Launch Flowdock" check box to complete the installation.

After cmd.exe starts, we type whoami and can see that we are now running with NT AUTHORITY\SYSTEM privileges.

Viewfinity

When I was testing for a customer, I didn't find anything after an initial pass with tools such as PowerUp, so I decided to start looking manually. Based on past experience, the first thing I look at is the currently running processes; with enough time and patience to test these services one by one, I might find a 0day. While browsing, a Viewfinity process caught my attention. This is a privilege management product that differs somewhat from Software Center in that it can be used for blacklisting, whitelisting and privilege elevation.

At first I didn't know the software, and while browsing the file system I saw an executable called vf_elevate.exe. After some research I found the configuration file and tried to figure out how the program worked. The following figure is a screenshot of the configuration file.

Because groups and permissions are referenced in multiple places, the XML is difficult to navigate, so I decided to trust the program group names. I downloaded Sysinternals Process Explorer and the version of Wireshark referenced in the configuration file. Here I did not use the method described above for SCCM; instead I installed Wireshark as usual and launched it immediately.

In Process Explorer we can see that the process's Integrity Level is High, which means it has full administrator privileges, yet it is still running as the low-privileged user. This is different from how Software Center behaves. I'm not sure what mechanism Viewfinity uses to elevate privileges (if you know, you can tell me on Twitter).

While poking at Wireshark I tried almost every option, such as launching cmd from the Open or Export dialog. I found that anything started from these dialogs runs at Medium integrity and does not inherit Wireshark's permissions. Fortunately, Wireshark has a built-in Lua console. I started cmd from Lua and could see that its process ran at High integrity, which amounts to a shell with administrator privileges.

To verify my current identity, I created a user and added it to the local Administrators group.

Using the net user command to view the list of users, you can see that the newly created user was successfully added to the Administrators group.
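As an added defensive example (not part of the original article), the following Python script runs two detection rules over constructed process-creation records modelled on Sysmon event fields: one for the SCCM pattern above (an elevated process whose binary lives in a user-writable directory) and one for the Viewfinity pattern (a shell inheriting High integrity from an elevated application such as Wireshark). The sample events, parent paths and the baseline of expected shell parents are assumptions and must be tuned per environment.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process
    user: str          # account the new process runs as
    integrity: str     # Sysmon IntegrityLevel: Low, Medium, High or System

ELEVATED = {"High", "System"}
# Locations a standard user can write to; an elevated binary living here matches
# the SCCM "install to my Desktop" pattern described above.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
# Parents that normally launch an elevated shell (assumed baseline; tune per site).
EXPECTED_SHELL_PARENTS = ("\\explorer.exe", "\\svchost.exe", "\\services.exe")

def elevated_binary_in_user_path(ev):
    """SCCM case: a SYSTEM/High process whose image sits in a user-writable path."""
    img = ev.image.lower()
    return ev.integrity in ELEVATED and any(d in img for d in USER_WRITABLE)

def shell_from_elevated_app(ev):
    """Viewfinity case: a shell inherits High integrity from an elevated
    application (here Wireshark) instead of from a normal launcher."""
    return (ev.integrity in ELEVATED
            and ev.image.lower().endswith(SHELLS)
            and not ev.parent_image.lower().endswith(EXPECTED_SHELL_PARENTS))

RULES = [("elevated-binary-in-user-path", elevated_binary_in_user_path),
         ("shell-from-elevated-app", shell_from_elevated_app)]

def triage(events):
    """Return (event index, rule name) for every event that matches a rule."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]

# Constructed sample events (not real telemetry); parent paths are illustrative.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\alice\Desktop\Flowdock\flowdock.exe",
              r"C:\Windows\CCM\CcmExec.exe", r"NT AUTHORITY\SYSTEM", "System"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Program Files\Wireshark\Wireshark.exe", r"CORP\bob", "High"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", r"CORP\bob", "Medium"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", r"CORP\admin", "High"),
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx].image}")
```

The third and fourth sample events are benign (a Medium-integrity shell and an admin's elevated shell launched from Explorer) and show that the rules key on the parent and the binary's location rather than on cmd.exe alone.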

Thank you for reading! This is the end of the article on how to use SCCM and Viewfinity for privilege escalation experiments. I hope the above content is of some help to you. If you think the article is good, you can share it for more people to see!
