# Bonus Enum: Webserver Pillaging
- *Check web config files and source code for vulns, hard-coded creds, etc.*
- For IIS, review the following locations:
```powershell
%windir%\System32\inetsrv\config #default IIS config dir (applicationHost.config lives here)
%windir%\System32\inetsrv\config\administration.config #default IIS administration config file
c:\inetpub\wwwroot #default inet pub webroot
```
- For `xampp`, review the following locations:
```powershell
c:\xampp\apache\conf\ #default xampp apache config loc (httpd.conf etc.)
c:\xampp\htdocs\ #default xampp webroot
```
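As an added example (not part of the original notes), a read-only PowerShell scan of the IIS and XAMPP locations listed above for hard-coded credentials. The default roots, the file patterns and the regex are assumptions and will need tuning for other stacks; values are redacted in the output so the report can be handed to whoever owns the fix.

```powershell
# Added example, not part of the original notes: read-only scan of web roots and
# server config directories for hard-coded credentials. Default roots are the IIS
# and XAMPP locations listed above; the regex is an assumption, tune it per stack.
function Find-WebConfigSecrets {
    param(
        [string[]]$Root = @("$env:windir\System32\inetsrv\config", 'C:\inetpub\wwwroot',
                            'C:\xampp\apache\conf', 'C:\xampp\htdocs'),
        [string[]]$Include = @('web.config', 'applicationHost.config', '*.php', '*.ini',
                               '*.json', '*.xml', '*.txt')
    )
    # key=value / key="value" forms; Select-String is case-insensitive by default
    $patterns = @(
        '(password|passwd|pwd)\s*=\s*["'']?[^"''\s;<]+'
    )
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -Path $r -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
            Select-String -Pattern $patterns |
            ForEach-Object {
                [pscustomobject]@{
                    File = $_.Path
                    Line = $_.LineNumber
                    # Redact the value so the report can be shared without leaking the secret
                    Hit  = ($_.Matches[0].Value -replace '=\s*["'']?\S+$', '=<redacted>')
                }
            }
    }
}

# Constructed sample so the function can be tried offline (not a real config)
$sample = Join-Path $env:TEMP 'webpillage-demo'
New-Item -ItemType Directory -Force -Path $sample | Out-Null
@'
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db01;Database=app;User Id=svc_app;Password=Winter2024!" />
  </connectionStrings>
</configuration>
'@ | Set-Content -Path (Join-Path $sample 'web.config')

Find-WebConfigSecrets -Root $sample | Format-Table -AutoSize
```

Run it with no arguments to scan the default locations; every hit is a file that should have its secret moved out of the config (environment, DPAPI-protected section, vault) and the committed copy rotated.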
---
# Bonus: Reminders re: UAC and Execution Policy
- NOTE: UAC may stop even admins from using elevated privs unless bypassed
- NOTE: WHEN UPGRADING TO A POWERSHELL SESSION, REMEMBER TO BYPASS EXECUTION POLICY
```powershell
Get-ExecutionPolicy -List #check execution policy
powershell -ep bypass
Set-ExecutionPolicy bypass -scope process
```
---
# Default Methodology
### 1. Perform basic manual enum once we have a foothold
- Simple initial checks wrt user, groups, system, shares, and network
```powershell
hostname
echo %USERNAME%
whoami /all
systeminfo
systeminfo | findstr /B /C:"Domain" #show whether host is domain joined
net user #check users on host
Get-LocalUser #show local user (including description fields)
net localgroup #check all groups on system
net localgroup administrators #check users in the admin group
net accounts #check password policy
net use #check mounted shares
net share #check open shares on host
ipconfig /all #ifconfig is Linux; ipconfig on Windows
route print
arp -a
netstat -ano
```
- Review groups for current user
- Run `whoami /groups` -> look for privileged groups
- [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/10 - Backup Operators Group|Backup Operators Group]]
- [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/11 - Event Log Readers Group|Event Log Readers Group]]
- [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/12 - DnsAdmins Group|DnsAdmins Group]]
- [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/13 - Hyper-V Admins Group|Hyper-V Admins Group]]
- [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/14 - Print Operators Group|Print Operators Group]]
- [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/15 - Server Operators Group|Server Operators Group]]
- Review privs for current user
- Run `whoami /priv`
- NOTE: If we are in a privileged group like `BUILTIN\Administrators` but we are not seeing commensurate privs, most likely UAC is the culprit (the shell is running with the filtered token)
- [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/7 - SeImpersonate & SeAssignPrimaryToken|SeImpersonate & SeAssignPrimaryToken]] --> Think: **Potato Attacks**
- By default, service accounts such as `NT AUTHORITY\NETWORK SERVICE` and `NT AUTHORITY\LOCAL SERVICE` hold `SeImpersonatePrivilege`
- See [[6 - CTFS/CPTS Prep/MEDIA (HTB)|MEDIA (HTB)]], [[6 - CTFS/CPTS Prep/JEEVES (HTB)|JEEVES (HTB)]]
- [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/8 - SeDebug|SeDebug]] > open a `meterpreter` session and migrate to PID running as SYSTEM
- See [[6 - CTFS/CPTS Prep/POV (HTB)|POV (HTB)]]
- [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/9 - SeTakeOwnership|SeTakeOwnership]]
- `SeMachineAccountPrivilege` > use `impacket-addcomputer` to add computer account
- See [[6 - CTFS/CPTS Prep/AUTHORITY (HTB)|AUTHORITY (HTB)]]
- `SeTcbPrivilege` > [CharminDoge/tcb-lpe](https://github.com/CharminDoge/tcb-lpe)
- See [[6 - CTFS/CPTS Prep/MEDIA (HTB)|MEDIA (HTB)]]
- Look over accessible dirs for anything unusual
```powershell
dir /A C:\Users\<user>\
dir /A C:\Users\<user>\AppData\Roaming\
dir /A C:\ProgramData\
dir /A C:\inetpub\wwwroot\
```
- Check powershell history
```powershell
(Get-PSReadLineOption).HistorySavePath
gc (Get-PSReadLineOption).HistorySavePath
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
```
- Check patches
```powershell
wmic qfe
```
- Check status of protections
```powershell
Get-MpComputerStatus #check Defender status
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA #check UAC status
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin #check UAC level
```
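As an added example (not part of the original notes), the UAC registry values and the execution policy from the two bonus notes and the protections check above, decoded into readable findings. The value meanings are the documented Microsoft ones; the function names are mine, and the script is read-only.

```powershell
# Added example, not part of the original notes: decode the UAC registry values and the
# effective PowerShell execution policy into readable findings. Read-only; the value
# meanings are the documented Microsoft ones.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    # Defaults apply when a value is absent from the key
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $cpba      = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }
    $meaning = @{
        0 = 'Elevate without prompting (no UAC prompt for admins)'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }
    [pscustomobject]@{
        EnableLUA                  = $enableLua -eq 1
        ConsentPromptBehaviorAdmin = $cpba
        AdminPromptMeaning         = $meaning[$cpba]
        PromptOnSecureDesktop      = $secure -eq 1
        # EnableLUA=1 is what gives an admin's shell a filtered (medium-integrity) token, so
        # "whoami /priv" shows fewer privileges than group membership suggests (see step 1)
        AdminsGetFilteredToken     = ($enableLua -eq 1)
        # With EnableLUA=1 and level 0, elevation still happens but silently, with no prompt
        AdminsPromptedToElevate    = ($enableLua -eq 1 -and $cpba -ne 0)
    }
}

function Get-ExecutionPolicyPosture {
    # Get-ExecutionPolicy without arguments returns the effective policy (highest-precedence
    # scope that is not Undefined); the per-scope list shows where it is set
    $gpo = @('MachinePolicy', 'UserPolicy') | Where-Object { (Get-ExecutionPolicy -Scope $_) -ne 'Undefined' }
    [pscustomobject]@{
        Effective = (Get-ExecutionPolicy).ToString()
        ByScope   = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
        # Policies set via GPO take precedence over -ep bypass / Set-ExecutionPolicy -Scope Process
        SetByGpo  = [bool]$gpo
    }
}

Get-UacPosture
Get-ExecutionPolicyPosture
```

`SetByGpo` is the field to read first: when it is true, the process-scope bypass in the bonus note has no effect, and the finding belongs in the report as a control that is working rather than a hurdle.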
### 2. Run automated enum scripts
- winpeas - https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS
- sharpup - https://github.com/GhostPack/SharpUp
- seatbelt - https://github.com/GhostPack/Seatbelt
- windows-exploit-suggester-ng - https://github.com/bitsadmin/wesng
### 3. Check for weak file or service perms > See [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/17 - Weak Perms|Weak Perms]]
- Permissive FS ACLs
- Enumerate with `SharpUp.exe`
- Confirm with `icacls`
- Weak service perms
- Enumerate with `SharpUp.exe`
- Confirm with `Accesschk.exe`
- Unquoted service path
- Enumerate with: `wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """`
- Permissive registry ACLS
- Enumerate with `Accesschk.exe`
- Check for modifiable registry autorun binaries
- Enumerate with `wmic`
### 4. Search for creds
- Run `lazagne.exe`
- Run `sessiongopher.ps1`
- Extracts creds saved within `PuTTY`, `WinSCP`, `FileZilla`, `SuperPuTTY`, and `RDP`
- Run `cmdkey /list`
- Look for creds in `plum.sqlite` db for `StickyNotes`
- Run `dir C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\`
- Check for creds stored by browser
- Enumerate with `SharpChrome.exe`
- Review browser dictionary files
- Check for password manager
- Check for creds within emails with `MailSniper`
- Check for cleartext password in registry
- Autologon
- Enumerate with `reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"`
- `PuTTY`
- Enumerate with `reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions`
- Check for powershell creds
- For example, review `c:\scripts`
- Review unattended installation files such as `unattended.xml`
- Look for creds in [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/25 - Interacting with Users#Process Command Lines|Process Command Line]]
- Check for wifi passwords
- Check [[5 - CPTS/3 - CPTS Notes/6 - Password Attacks/10 - Attacking Windows Cred Mgr|Windows Cred Mgr]]
- Check [[5 - CPTS/3 - CPTS Notes/6 - Password Attacks/9 - Attacking LSASS|LSASS]] access
- Check [[5 - CPTS/3 - CPTS Notes/6 - Password Attacks/8 - Attacking SAM, SYSTEM, & SECURITY|LSA]] access
### 5. Search for other interesting files
- Search file contents for "password"
```powershell
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password
```
- Search file names for "pass"
```powershell
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
```
- Search for VHDX/VMDK files to mount
```powershell
dir /S /B *.VHDX *.VMDK 2>nul #cmd syntax (2>$null is PowerShell; use the Get-ChildItem form there)
Get-ChildItem C:\ -Recurse -Include *.VHDX, *.VMDK -ErrorAction Ignore
```
### 6. Check for scheduled tasks that we can modify
- By default, we can only see tasks created by our user and default scheduled tasks that every Windows operating system has
- We cannot list scheduled tasks created by other users (such as admins) because their definitions live in `C:\Windows\System32\Tasks`, which standard users cannot read
```powershell
schtasks /query /fo LIST /v
Get-ScheduledTask | select TaskName,State
```
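As an added example (not part of the original notes), one read-only audit script that serves two of the checks above: unquoted service paths from step 3 and modifiable scheduled-task actions from step 6, including the "confirm with icacls/accesschk" follow-up, i.e. whether the file or directory in question is actually writable by the current token. Deny ACEs and inheritance-only ACEs are not evaluated, so a hit is a candidate to confirm, not proof. The function names are mine; `Get-ScheduledTask` requires the ScheduledTasks module (Windows 8 / Server 2012 and later), which is an assumption.

```powershell
# Added example, not part of the original notes: read-only audit of unquoted service
# paths (step 3) and scheduled-task actions (step 6), answering "is the relevant file
# or directory writable for my token?" the way icacls/accesschk would by hand.
# Deny ACEs and inheritance-only ACEs are not evaluated; confirm hits before reporting.

# SIDs carried by the current token (user plus every group), matched against ACE principals
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$script:TokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

function Test-PathWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Translate the principal to a SID so name formats (BUILTIN\Users, Everyone, ...) do not matter
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if (($script:TokenSids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

function Find-UnquotedServicePath {
    # Same filter as the wmic one-liner in step 3, via CIM (wmic is deprecated)
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^\s*"' -and $_.PathName -match ' ' -and
        $_.PathName -notmatch '^\s*[A-Za-z]:\\Windows\\'
    } | ForEach-Object {
        $svc = $_
        # Drop arguments: keep everything up to and including the first ".exe"
        $exe = $svc.PathName -replace '(?i)(\.exe).*$', '$1'
        # Every space splits the path into a shorter candidate executable; the directory that
        # candidate would live in is the one whose ACL matters. Fix: quote the path, tighten the ACL.
        $parts = $exe -split ' '
        $dirs = for ($i = 1; $i -lt $parts.Count; $i++) {
            Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
        }
        $writable = $dirs | Where-Object { $_ -and (Test-PathWritable -Path $_) } | Select-Object -Unique
        [pscustomobject]@{ Service = $svc.Name; StartMode = $svc.StartMode; Path = $exe; WritableDirs = ($writable -join '; ') }
    }
}

function Find-WritableTaskAction {
    # Standard users only see their own tasks plus the built-in ones; the rest are hidden by the
    # ACL on C:\Windows\System32\Tasks, hence SilentlyContinue
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in @($task.Actions | Where-Object { $_.Execute })) {
            # Expand %SystemRoot%-style variables and strip quotes; skip bare names resolved via PATH
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if (-not [System.IO.Path]::IsPathRooted($exe)) { continue }
            $fileWritable = Test-PathWritable -Path $exe
            $dirWritable  = Test-PathWritable -Path (Split-Path -Path $exe -Parent)
            if ($fileWritable -or $dirWritable) {
                [pscustomobject]@{
                    Task = "$($task.TaskPath)$($task.TaskName)"; RunAs = $task.Principal.UserId
                    Executable = $exe; FileWritable = $fileWritable; DirWritable = $dirWritable
                }
            }
        }
    }
}

Find-UnquotedServicePath | Format-Table -AutoSize
Find-WritableTaskAction  | Format-Table -AutoSize
```

A service row with an empty `WritableDirs` is an unquoted path that is only a hygiene issue; a non-empty one, or any task row where `RunAs` is SYSTEM or another account than the current user, is the finding to confirm with `icacls` and fix (quote the path, remove the write ACE).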
### 7. Check for vulnerable apps and services
- See [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/19 - Vulnerable Services|Vulnerable Services]]
- Enumerate all services, binaries, and installed packages plus their versions
- Search against `searchsploit` AND Google
- NOTE: Watch for `mRemoteNG`, `WinSCP`, `FileZilla`, `Druva`
```powershell
wmic product get name #list installed MSI packages (NOTE: any Win32_Product query makes Windows Installer verify/repair every MSI package: slow, and it writes MsiInstaller events to the Application log)
Get-WmiObject -Class Win32_Product | select Name, Version #list installed MSI packages (same Win32_Product caveat applies)
dir C:\"Program Files"
dir C:\"Program Files (x86)"
```
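As an added example (not part of the original notes), an inventory of installed software read from the Uninstall registry keys rather than `Win32_Product`: it has no side effects, runs instantly, and also lists non-MSI installers, which `Win32_Product` misses. The function name and the watch list handling are mine; the watch list itself is the one in the note above.

```powershell
# Added example, not part of the original notes: inventory installed software from the
# Uninstall registry keys instead of Win32_Product. Win32_Product makes Windows Installer
# verify and repair every MSI package (slow, writes MsiInstaller events) and only knows
# about MSI installs; the registry view is read-only and covers non-MSI installers too.
function Get-InstalledSoftware {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object @{n = 'Name';            e = { $_.DisplayName }},
                      @{n = 'Version';         e = { $_.DisplayVersion }},
                      @{n = 'Publisher';       e = { $_.Publisher }},
                      @{n = 'InstallLocation'; e = { $_.InstallLocation }},
                      @{n = 'Scope';           e = { if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' } }} |
        Sort-Object Name -Unique
}

# Watch list from the note above; each hit is a name+version pair to check against
# searchsploit / vendor advisories
$watch = 'mRemoteNG', 'WinSCP', 'FileZilla', 'Druva'
$inventory = Get-InstalledSoftware
$inventory | Where-Object { $name = $_.Name; $watch | Where-Object { $name -like "*$_*" } } |
    Format-Table Name, Version, Scope -AutoSize

# Full list, for the "everything plus versions" step
$inventory | Format-Table -AutoSize
```

The `Scope` column matters for triage: a per-user install under `HKCU` usually means the binary sits in the user's profile, where the user can also replace it, which is worth a line in the report even when the version is current.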
### 8. Other Pillaging
- Extract cookies from browser
- Check clipboard
- Attack backup servers like `restic`
### 9. Check to see if host is dual-homed
- Run `ipconfig /all` and look for more than one non-loopback interface/subnet
### 10. Check for services running on internal ports
- Run `netstat -ano`
- Focus on dbs
### 11. Attempt to enumerate shares and capture network traffic
- Run `snaffler.exe` to enumerate SMB shares
- If host has `wireshark.exe` or `tcpdump`, attempt to capture cleartext creds within network traffic
- Use `PCredz` to automate extraction of creds from pcap file
- Run `Responder` or `Inveigh`
- See [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/2 - LLMNR & NBT-NS Poisoning|LLMNR & NBT-NS Poisoning]]
### 12. Check for potential DLL injection
- See [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/20 - DLL Injection|DLL Injection]]
### 13. Misc Exploits
- Check whether [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/27 - Misc Techniques#Always Install Elevated|Always Install Elevated]] is enabled
- Check user description fields
- CVE-2019-1388: Windows Certificate Dialog vuln
- CVE-2019-15752: Docker Desktop CE vuln < 2.1.0.1
- Capture hashes with malicious `.lnk` file or SCF on file share
### 14. Look for kernel and OS exploits
- NOTE: Use as a last resort because a failed kernel exploit can crash (BSOD) the target
- [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/18 - Kernel Exploits|Kernel Exploits]]
- Note: Many kernel exploits from Windows 2000/XP up to Windows 10/Server 2016/2019
- [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/29 - Windows Server|EOL Windows Server]]
- Note: Windows Server 2008/2008 R2 is considered EOL as of 2020-01-14
- [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/30 - Windows Desktop|EOL Windows Desktop]]
- Note: Windows 7 was considered EOL as of 2020-01-14