Windows Privilege Escalation
Source: From Tiberius course.
Date: 28th August 2021
Enumerate the basics
PrintSpoofer and Juicy Potato can be easy loot!
Insecure Service Permission
Check for if a user has SERVICE_CHANGE_CONGIF
or SERVICE_ALL_ACCESS
. That could be dangerous.
Find permissions on a service with accesschk.exe
accesschk is a Microsoft tool for auditing privileges on Objects and Services on a Windows system.
Check the permissions of the user "user" on "daclsvc" service.
-u
: supress error
-w
: show only object that have write access
-v
: verbose
-c
: Name is a Windows Service
-q
: Omit Banner
/accepteula
: This flag means that we accept the End User License Agreement (EULA), despite being a CLI application. See this: https://xor.cat/2017/09/05/sysinternals-accesschk-accepteula/
The first image shows that we can change the service configuration, start and stop the program with our user.
This second image show that the program is start on demand of the user, and that it runs with SYSTEM privileges. We also have the binary PATH of the program. Therefore, we can modify the binary path to a reverse shell executable of our own.
Changing BINARY_PATH_NAME
Conditions
To be able to write into the service PATH.
To be able to start/stop the service or to reboot the system.
Note: The xyntax is quite important.
Then, we can restart the service again to spawn a reverse shell.
Unquoted Service Path
Use automatic enumeration tool to identify unquoted service path
Conditions
To be able to write into the service PATH.
To be able to start/stop the service or to reboot the system.
The unquoted service path technique is about abusing the executing path of the file.
WinPEAS.exe
can help us identify this vulnerabilities on Windows system.
In this binary path below, we can notice that it is unquoted and that there is some space between some directories. Windows will check between each space to check if a executable exists. If it encounter one, it will execute it instead of the executable at the end of the path.
Here, we have to find a directory that is writable by our user. Then, put the executable in this directory and change its name for Windows to execute it. In the image below, we can see that everyone in the group Users can write in the "C:\Program Files\Unquoted Path Service"
Then we just need to copy the reverse.exe in this directory and name it Common.exe according to the full path of the Binary_PATH_Name found above.
Weak Registry Permissions
Description: Each service has its own Registry key that can be modified if misconfigured. This can allow an attacker to modify the ImagePath which is similar to modify the binary path of a service.
WinPEASany.exe can help us to identify Registry Entry that our user can modify. We can also note, using accesschk.exe, that the registry entry can be writable by NT AUTHORITY\INTERACTIVE group (which incudes all logged-on users) and that it can be START/STOP by our user.
With the following command, we can also note that the service runs with SYSTEM privilege.
This command will change the service regsvc Image Path to point to our executable (reverse shell).
Start the service with net start regsvc
.
Insecure Service Executables
Description: If the service executable can be modified by our user, we can just replace it with our own executable.
WinPEASany.exe can help us point out which executable can be modified by our user.
Using accesschk.exe, we can note that the Binary Path of this service is writable by everyone.
Then, we can just replace the executable with our reverse shell or payload executable. We can start the service to spawn the shell.
IMPORTANT NOTE: Do not forget to make a copy of the original executable.
Registry Autoruns
Description: This privesc technique is based on the fact that if a program that autorun can be overwritten, we can replace the original program with a executable of our own.
Note: In Windows 10, at restart, autoruns will run the executable with the privileges of the last user that logged in. So, we may need to wait for an admin to log in on the system to get our admin reverse shell.
Note 2: DO NOT FORGET to back up the original Autoruns executable.
Step 1: WinPEASany.exe can help us point out if there is an Autoruns program with Writable permission.
Another way to enumerate manually we can query the registry entry, then check with accesschk.exe if we can have Write permission.
Then, we can overwrite the AutoRuns executable.
In a real World Scenario wait for an admin to logged in... to spawn a reverse shell as admin.
Registry - AlwaysInstallElevated
Description: This technique is based on the fact that MSI files (packages files to install applications) can be set to run with elevated privileges. A malicious MSI file spawning a reverse shell can then be generated and executed with eleveted privileges.
Conditions for this technique to work (two keys needs to be set to 1):
We can also use WinPEASany to check if those two keys are setted to 1.
Create a MSI reverse shell: If we meet both conditions, we can create a reverse shell in MSI format.
Once the payload is transferred to the target machine and our listener set up, we can run the MSI executable with the command below to spawn a shell as SYSTEM.
Password - Registry
Description: Sometime, passwords can be stored in registry keys. WinPEASany.exe can help us find some creds.
We can also manually query registry keys. These two commands will search for any registry keys that contains the word password
. This can generate a lot of results.
Search for autologon credentials in registry keys
We can then try to use winexe programe to spawn a shell with the credentials we found.
In Kali use this:
If we want to spawn a SYSTEM shell we can slightly modify the command.
Password - Save Creds
Description: On Windows, the runas command allows user to run command as other user. Most of the time, the credentials of the user we want to run the command as are required. However, sometime the credentials are saved in the system.
WinPEASany.exe can help us find if a user has saved creds.
We can also do it manually:
In the image below, we can note that there is some creds saved for the admin user.
Then, we can run any command we want with the admin privileges. We execute the reverse shell executable with admin privileges.
Passwords - Configuration Files
Description: It can be worth to look for credentials in configuration files. The Unattend.xml file may be found on the system and contain some credentials.
We can search manually for .config files with the word password in some directories of interest.
Variants of password term
Examples:
Recursively search for files in the current directory with "pass" in the name or ending with .config.
Recursively search for files in the current directory that contain the word "password" and also end in either .xml, .ini. .txt.
WinPEASany.exe can also be useful.
Below, we see that the Unattend.xml file has been flagged and may contain some creds.
We can then use this creds found to spawn a reverse shell with the admin privileges using winexe on our Kali attacker machine.
Passwords mining
Few files that are likely to contains credentials
C:\sysprep.inf
C:\sysprep\sysprep.xml
C:\Windows\Panther\Unattend\Unattended.xml
SAM backup
C:\windows\System32\config\RegBack\SAM
C:\windows\repair\SAM
Software/Programs
C:\xampp\FileZillaFTP\FileZillaServer.xml
C:\xampp\phpMyAdmin\config.inc
C:\xampp\security\webdav.htpasswd
C:\Users\<username>\.AppData\roaming\...
Password mining - Lazagne.exe
From the official Github repo: The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. This project is still maintained.
Password - SAM and SYSTEM files
Description: The SAM file contains all NTLM hash of the user on the machine. However, we need the SYSTEM file to decypt the hash.
THe SAM and SYSTEM files are located in the C:\Windows\System32\config directory. The files are locked while Windows is running.
But back up of these two files can exists in C:\Windows\Repair OR C:\Windows\System32\config\RegBack
Step 1: Find SAM and SYSTEM file
We can use WinPEASany to help us flag backup of the SAM and SYSTEM file.
Step 2: Transfer the files from Windows on your Kali
Step 3: Dump the hashes.
Use this repo to dump the NTLM hashes
https://github.com/Tib3rius/creddump7
Note: The first part of the hash :
is LTM hash wich is deprecated. Use the second part (NTLM).
If a hash start with 316d, this could means that the user does not have a password set up or the user is disabled.
Then, we can crack the hash for the admin user and use the credentials with winexe to spawn a shell with admin privilege.
Password - Pass the Hash
Description: A modified version of winexe allows us to execute command as a user without the need of cracking the hash.
Once we got the hash of the user admin, we can pass it to path-winexe.
Note: We need to pass the entire hash (LM +NTLM)
Scheduled Tasks
Description: Some scripts may runs as SYSTEM or Admin on a regular basis. There is no easy way to enumerate scheduled tasks that runs as other users.
Important: Do not forget to backup the original script.
Use this commands to check for scheduled task that the user can see.
In Powershell:
If we can find a script that runs as SYSTEM and that is writable by our user, we can add our own code wait for the script to run.
For example, we can note that using accesschk, the CleanUp.ps1 script is writable by our user.
Add our own code
Insecure GUI Apps
Description: Some apps can be used with admin privileges. Often used to break out from Citrix Environment
Example: MS PAINT.
In Paint, click "File" and then "Open". In the open file dialog box, click in the navigation input and paste: file://c:/windows/system32/cmd.exe
Press Enter to spawn a command prompt running with admin privileges.
Startup apps
Description: The startup directory in Windows is intended to store shorcut for apps that start every time a user logs in. Thus, if we have write access to this directory, we can create a shortcut that point our reverse shell and wait for an admin to log. This will spawn us a reverse shell with admin privileges.
Step 1: Verify write permission on the startup directory
Step 2: To create a shortcut for our reverse shell executable.
use the one from Tiberius and modify it to suit your needs)
This script take our reverse shell, create a short cut and put it in the startUp directory.
Step 3: Wait for an admin to log in...
Token Impersonation
Description: Rogue Potato and PrintSpoofer are two exploit that abuse from seImpersonate and SeAssignPrimaryToken privilege of a service account.
The first step is to get a shell as an service account. There is multiple way of getting a shell as service account. Once, we get it, we can escalate our privilege with PrintSpoofer or Rogue Potato.
Rogue Potato
RoguePotato follows Rotten and JuicyPotato as these two exploits does not work anymore on the latest version of Windows. In the RoguePotato exploit, we need to peform a port forwarding on port 135 because this is were the OXID resolver is running. We can perform that on our Kali machine (attacker box) by doing so:
Then, we need to run our Service account shell. For the exploit to be successful the account service from which we get a shell needs to have the seImpersonateprivilege
and seAssignPrimaryToken
enabled.
We can verify this by doing so:
The, if we have the required permissions, we can run the RoguePotato exploit doing so:
Conditions to exploit are:
Need of a local service account shell on the target machine(can be spawn in different ways ex: IIS/MSSQL).
DCOM needs to be enabled
Our local service account needs to have the two privileges mentionned above.
The port 135 on our attack box needs to be available for port fowarding.
PrintSpoofer
Description: The PrintSpoofer technique is also based upon abusing of SeImpersonatePrivilege and SeAssignPrimaryToken. PrintSpoofer can be used even if DCOM is disabled on the target Windows server.
Works on Windows Server 2016, Windows Server 2019 and Windows 10. No port fowarding are requested. You need a first footstep on the machine with a Local Service shell or any other account with the SeImpersonatePrivilege
.
You can download the reverse shell and the PrintSpoofer exploit on the target machine and then:
GitHubRepo: https://github.com/itm4n/PrintSpoofer
Great article about PrintSpoofer Impersonate Privileges: https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
DLL Hijacking
Description: When a Windows application load an infected DLL instead of the legitimated one. If an application does not specify any dll path to load from, Windows has a safe search or unsafe search mode. This is the list in order of all directories that the application will look for the dll. If one of those directory is writable by our user, we can load a malicious .dll file (ex: reverse shell) that will be executed when the program is running.
Procmon by Windows can help us identify a DLL hijacking attack.
Great blog articles on DLL Hijacking: https://www.upguard.com/blog/dll-hijacking
Another great blog on DLL Hijacking: https://itm4n.github.io/windows-dll-hijacking-clarified/
https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
Windows Kernel Exploit
Google the old OS
Use Windows Exploit Suggester or Windows Exploit Suggester Next Generation.
Windows exploit suggester
Big repository of precompiled kernel exploits for Windows. 👍
Watson tool to find exploit Kernel: https://github.com/rasta-mouse/Watson
Others elements
Others resources
Payloads all the things on GitHub summarize a lot of Privilege Escalation tools for Windows: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
Great articles on Token Access Privilege: https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt
Last updated