Windows system user privilege levels:
- admin(local): user with the most privileges
- standard(local): access computer but only perform limited tasks; Can not make permanent or essential changes to the system
- guest: access to the system but not defined as a user
- standard(domain):active directory allows orgs to manage users. May have local admin privileges
- admin(domain): most privileged user. can edit, create and delete other users throughout the organization’s domain
Windows and its services use the “SYSTEM” acount to perform their tasks. Windows allows the grouping of users to facilitate their management
PrivEsc: A. enumerate the current user’s privileges and resources it can access B. If antivirus allows, run an automated enumeration script such as winPEAS or PowerUp.ps1 C. Different approach, checklist: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
User enumeration
‘whoami /priv’ - current user’s privileges
‘net users’ - list users
‘net user
System Info enumeration ‘systeminfo’ - overview of the target system ‘systeminfo | findstr /B /C:“OS Name” /C:“OS Version” /C:“Host Name”’ - returns OS name and version and host name
Search for files
‘findstr
Patch Level - microsoft releases regular pathes and updates, a missing critical patch can be easy to exploit ‘wmic qfe get Caption,Description,HotFixID,InstalledOn’ WMI - windows management instrumentation, manage operations on windows
Network connections ‘netstat -ano’ - list all listening ports -a: all active connections and listening ports on the system -n: prevent name resolution, do not attempt to resolve names using DNS -o: display the process ID
Scheduled Tasks - identify tasks run at predefined times and privileges associated ‘schtasks’ - used to query scheduled tasks ‘schtasks /query /fo LIST /v’
Drivers -additional software instaled to allow OS to interact with an external device -printers, web cams, keyboards, and USB sticks -drivers may not be updated as frequently -potential vector for priv esc ‘driverquery’ - list drivers installed on the system
Antivirus -antivirus software will not detect presence if the system is accessed without a trojan -check for antivirus before running scripts or other tools -two approches:
- Look for antivirus specifically
- list all running services -default antivirus installed on windows - Windows Defender ‘windefend’ ‘sc query windefend’ - search for windows defender ⇒ approch #1 ‘sc queryex type=service’ - list all service (overwhelming output) ⇒ approch #2
Enumeration Tools
- WinPEAS - enumerate target sys to uncover privEsc paths. -.bat script or executable -detected by windefend and disabled -redirect output to a file: winpeas.exe > outputfile.txt
- PowerUp - powershell script that searches common privEsc on the target sys -‘Invoke-AllChecks’ option will perform all possible checks ‘powershell.exe -nop -exec bypass’ ‘Import-Module .\PowerUp.ps1’ ‘Invoke-AllChecks’
- Windows Exploit Suggester - python script ‘windows-exploit-suggester.py -update’ - update database before running ‘windows-exploit-suggester.py —database 2021-09-21-mssb.xls —systeminfo sysinfo_output.txt’
- Metasploit ‘multi/recon/local_exploit_suggester’
Vulnerable Software -can provide various privEsc opportunities ‘wmic product get name,version,vendor’ - list software installed on system -wmic product maynot return all the installed programs so run ‘wmic service list brief’ to see list of all processes -list running processes: ‘wmic service list brief | findstr “Running”’
DLL Hijacking -effective technique to inject code into an application -dll files support the main function of the .exe file -execuable files that can not be run directly but launched by other applications -need and exe file to run dll script
Intro to DLL files -a single dll file can be used by many exe files or can be dedicated to a single exe -any app can have its own dll files or call windows dll files -missing dll file does not always result in an error -dll hijacking - replace a legitimate dll file with a malicious dll file that will be called by the exe and run
manipulating dll files -replace an existing file or creating a file in the location where the application is looking for it
SafeDllSearchMode - enabled, search order:
- directory from which app loaded
- sys directory use GetSystemDirectory function to get path to directory
- 16-bit sys direcotry, no function to obtain path, need to search
- Windows directory. use GetWindowsDirectory function to get path to directory
- current directory
- directories listed in env variable. specified by ‘App Paths’ registry key
SafeDllSearchMode - disabled, search order:
- directory from which app loaded
- current directory
- sys directory
- 16-bit sys directory
- windows directory
- directories listed in env variable
Finding DLL hijacking vulns -Process Monitor (ProcMon), require admin privileges
Creating malicious DLL file -example skeleton:
include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) { if (dwReason == DLL_PROCESS_ATTACH) { system(“cmd.exe /k whoami > C:\Temp\dll.txt”); ExitProcess(0); } return TRUE; }
-boilerplate executes whoami and saves it as a dll.txt file -mingw compiler can be used to generate the DLL file with command: x86_64-w64-mingw32-gcc windows_dll.c -shared -o outpull.dll -install mingw compiler: apt install gcc-mingw-w64-x86-64 -move the dll file after compiled to the target folder
Unquoted service path -when a service starts in win, the OS has to find and run an exe file -if path is written between quotes, windows will go to exact location to launch the service.exe -if path is not written between quotes, windows will look for the shortest possible path -place a executable in a location the service is looking for an executable
-list services running on system ‘wmic service get name,displayname,pathname,startmode’
-check binary path of this service
‘sc qc
-check for privileges on folder path