@@ -6,7 +6,7 @@ tags: [security, windows]
# Priviledge Escalation
-1) Information Gathering
+### 1) Information Gathering
Get as much information about the system as possible.
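Review bot: the context line `# Priviledge Escalation` misspells the heading; since this hunk already reworks the headings, change it to `# Privilege Escalation` here (the same misspelling reappears as "unpriviledged" in section 2.4 and should be fixed in the same commit). The `1)` to `### 1)` promotion itself is fine; keep the numbered prefixes consistent with the `###`/`####` levels used in the later hunks.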
@@ -28,9 +28,9 @@ Detailed Commands to extract this information can be found in:
* wmic.md
-2) Check the Quick Fails
+### 2) Check the Quick Fails
-2.1) check the patches of the machine
+#### 2.1) check the patches of the machine
```
cmd> wmic qfe get Caption,Description,HotFixID,InstalledOn
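Review bot: the patch check in 2.1 relies solely on `wmic qfe get Caption,Description,HotFixID,InstalledOn`, but WMIC has been deprecated since Windows 10 21H1 and is no longer installed by default on current Windows 11 builds, so the section needs a fallback next to it: `systeminfo` (its "Hotfix(s)" section is also the input the exploit-suggester scripts consume) or PowerShell `Get-HotFix | Sort-Object InstalledOn`. Worth adding one sentence that an empty or short QFE list is itself a finding, since it usually means the image was never patched after deployment.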
@@ -41,11 +41,13 @@ cmd> wmic qfe get Caption,Description,HotFixID,InstalledOn
* cmd> wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
```
--> windows privchecker script?
+**Windows exploit-checker script:**
-Metasploit-Module: post/multi/recon/local_exploit_suggester (Windows & Linux)
+* Metasploit-Module: post/multi/recon/local_exploit_suggester (Windows & Linux)
+* https://github.com/SecWiki/windows-kernel-exploits/tree/master/win-exp-suggester
-2.2) Mass rollout aka sysprep/unattended
+
+#### 2.2) Mass rollout aka sysprep/unattended
* for mass-rollout of windows machines, the tool sysprep is used
* its possible that the config files are still laying around somewhere
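Review bot: the two new "exploit-checker" bullets work very differently and the hunk does not say what input each needs: `post/multi/recon/local_exploit_suggester` runs the `check` method of the local exploits against a live Meterpreter session, while the linked `win-exp-suggester` is the Windows-Exploit-Suggester script that runs offline against a saved `systeminfo` output plus a vulnerability database fetched with `--update`; add that distinction, and mark the `findstr /C:"KB.." /C:"KB.."` line above as a template where the reader substitutes the KB numbers the suggester reports. In 2.2, "config files are still laying around somewhere" is too vague to act on; list the usual locations (`C:\Windows\Panther\Unattend.xml`, `C:\Windows\Panther\Unattend\Unattend.xml`, `C:\Windows\System32\Sysprep\sysprep.xml`) and note that the `<Password>` values in them are often only base64-encoded rather than encrypted. Also "its" should be "it's" and "laying" should be "lying".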
@@ -65,7 +67,7 @@ Powersploit-module: Get-UnattendedInstallFile
Metasploit-module: post/windows/gather/enum_unattend
```
-2.3) Passwords saved in Group Policy Preferences
+#### 2.3) Passwords saved in Group Policy Preferences
This is used to add local users via a domain account.
Passwords are encrypted with AES -> Key was published on MSDN ;)
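Review bot: "This is used to add local users via a domain account" undersells the finding and leaves out where to look. Group Policy Preferences store the `cpassword` attribute in XML files (`Groups.xml`, but also `Services.xml`, `ScheduledTasks.xml`, `Drives.xml`, `DataSources.xml`) under `\\<domain>\SYSVOL\<domain>\Policies\`, which every domain user can read, and the AES-256 key for it is the one Microsoft published, so any domain user recovers the plaintext. Add that MS14-025 only removed the ability to create new passwords through GPP and did not clean up existing files, so the check stays relevant on patched domains. The `Key was published on MSDN ;)` remark is fine but should state it is the AES-256 key so the reader knows what to decrypt with.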
@@ -80,7 +82,8 @@ Metasploit-module: post/windows/gather/credentials/gpp
```
-2.4) "AlwaysInstallElevated" Registry Key
+#### 2.4) "AlwaysInstallElevated" Registry Key
+
This registry key, if set, lets unpriviledged users install .msi Files as NT AUTHORITY\SYSTEM
Dafuq??
Check the following registry keys: (both must be checked, BUT! if HKLM is checked, you can enable the HKCU one yourself)
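Review bot: "This registry key, if set" is underspecified: the `AlwaysInstallElevated` value has to be a REG_DWORD of 1 under both `HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer` and `HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer` before msiexec runs the package as SYSTEM, which is also why the parenthetical about enabling the HKCU one yourself holds (the user owns that hive). Give the two `reg query` commands with `/v AlwaysInstallElevated` so the reader can check both in one go. The line `Dafuq??` should be dropped from a reference page, and "unpriviledged" is misspelled.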
@@ -94,7 +97,7 @@ Powersploit-module: Get-RegistryAlwaysInstallElevated
Metasploit-module: exploit/windows/local/always_install_elevated
```
-2.5) Search FS for Password files/password configs
+#### 2.5) Search FS for Password files/password configs
The command below will search the file system for file names containing certain keywords. You can
specify as many keywords as you wish.
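Review bot: 2.5 as described only matches on file names, so a config file called `web.config` or `settings.ini` with a connection string in it is missed; add a content search alongside the name search, e.g. `findstr /si password *.txt *.ini *.config *.xml`, and say that the keyword list should include `pass`, `cred`, `vnc` and `.config` at minimum. The registry queries that follow (`reg query HKLM /f password /t REG_SZ /s`) only match REG_SZ values, so note that a second pass without `/t` or with `/t REG_BINARY` is needed to catch stored credentials of other types.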
@@ -113,7 +116,7 @@ cmd> reg query HKLM /f password /t REG_SZ /s
cmd> reg query HKCU /f password /t REG_SZ /s
```
-2.6) Autologon - saved credentials
+#### 2.6) Autologon - saved credentials
You can save the credentials in the registry to automaticall login at windows start
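Review bot: 2.6 never names the location; state that the autologon values live under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` (`AutoAdminLogon`, `DefaultUserName`, `DefaultDomainName`, `DefaultPassword`) and give `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword` as the one-liner. Add the caveat that when the Sysinternals Autologon tool was used the password is not a plaintext registry value but the LSA secret `DefaultPassword`, so an empty `DefaultPassword` value with `AutoAdminLogon` set to 1 still means there is a credential to dump once you have SYSTEM. Typo on the context line: "automaticall" should be "automatically".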
@@ -122,9 +125,9 @@ Powersploit: Get-RegistryAutoLogon
```
-3) More cool Stuff!
+### 3) More cool Stuff!
-3.1 Unquoted Service Paths:
+#### 3.1) Unquoted Service Paths:
Get Services with a space in the Path an no quotes
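Review bot: 3.1 states the symptom (a space in the path and no quotes) but not the preconditions that make it exploitable: the service must run as SYSTEM or another privileged account, the current user must be able to write into one of the directories the SCM tries before the real binary (for `C:\Program Files\My App\svc.exe` that is `C:\Program.exe` or `C:\Program Files\My.exe`), and the service must be restartable by the user or set to auto-start so a reboot triggers it. Add the standard enumeration line so the reader does not have to guess: `wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """` together with `icacls` on the candidate directories. Typo on the context line: "an no quotes" should be "and no quotes".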
@@ -134,7 +137,7 @@ Metasploit-module: exploit/windows/local/trusted_service_path
```
-3.2 Services, with file access:
+#### 3.2) Services, with file access:
Lookout for services, where the current user has access to the path of the binary
exploit: change binary to your own exe
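Review bot: "exploit: change binary to your own exe" skips two things that decide whether this works in practice: the replacement only executes when the service restarts, so the user needs stop/start rights on the service (or a reboot), and a plain exe dropped in place is killed by the SCM after the start timeout because it never reports to the service control dispatcher, so the payload should either be a real service binary or spawn its work and exit quickly. Say how to find the writable path (`icacls "<full path to binary>"` looking for `(F)`, `(M)` or `(W)` granted to `Users`, `Authenticated Users` or `Everyone`) and fill the `Metasploit-module: [..]` placeholder with `exploit/windows/local/service_permissions`, which covers this case.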
@@ -145,7 +148,7 @@ Metasploit-module: [..]
```
-3.3 Services, with service access:
+#### 3.3) Services, with service access:
Lookout for services, where the current user has access to the service itself
exploit: change the path of the service executable to your own exe
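Review bot: "change the path of the service executable" needs the concrete command and its trap: `sc config <service> binpath= "C:\path\to\evil.exe"` (the space after `binpath=` is mandatory, `sc` silently fails without it), followed by `sc stop <service>` and `sc start <service>`. The right to do this is SERVICE_CHANGE_CONFIG on the service object, which is what `accesschk.exe -uwcqv "Authenticated Users" *` enumerates; add that check, and add a reminder to record the original `binpath` with `sc qc <service>` first and restore it afterwards, since this breaks the service. The `Metasploit-module: [..]` placeholder here is again `exploit/windows/local/service_permissions`.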
@@ -155,9 +158,21 @@ Powersploit-module: Get-ModifiableService
Metasploit-module: [..]
```
-3.4 DLL Load order hijacking:
+#### 3.4) DLL Load order hijacking:
Search a executable which loads a dll from a path where you can write too, or
one that loads an dll from a path, where you have access to a path earlier in the load order
Example: file loads dll custom.dll which is in C:\Windows\System32
+
+
+### 4) Passwords
+
+There are the following passwords (stored) on a windows machine:
+
+* LM Hashes (old and unsafe, 2 * 7 Chars DES)
+* NTLM Hashes (since vista, md4(unicode(password))
+* DCC (Domain Cached Credentials) (mostly MsCacheV2 -> PBKDF2(...))
+* Plaintext (Service Passwords in the Registry)
+
+-> pretty much everything can be captured using mimikatz
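Review bot: the new bullet `* NTLM Hashes (since vista, md4(unicode(password))` is wrong on the date and is missing a closing parenthesis: the NT hash, MD4 over the UTF-16LE encoding of the password, has been the primary stored hash since Windows NT; what changed in Vista is that storing the LM hash was turned off by default. Reword to something like `* NT hashes (MD4(UTF-16LE(password)); LM hash storage disabled by default since Vista)`. On the same list, `DCC` should say that MS Cache v2 is PBKDF2-HMAC-SHA1 over the NT hash and lowercased username with 10240 iterations by default, which is why it cracks far slower than NT hashes, and `Plaintext (Service Passwords in the Registry)` should name LSA secrets (`HKLM\SECURITY\Policy\Secrets`), which are encrypted at rest and need SYSTEM to dump, so "plaintext" describes what you get out, not how they are stored. Separately, the DLL example in 3.4 stops at "Example: file loads dll custom.dll which is in C:\Windows\System32" and never finishes the thought; with SafeDllSearchMode the search order is application directory, System32, System, Windows, current directory, PATH, so a DLL that lives in System32 can only be hijacked from a writable application directory, never from PATH, and DLLs in the KnownDLLs list are not searched at all. Either complete the example with that conclusion or drop it.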