Windows Privilege Escalation

00:00

Windows privilege escalation

00:03

are learning objectives are to demonstrate how to use power up dot PS one, a power shell script to enumerate privilege escalation. Vulnerabilities

00:10

explain the various methods to escalate privileges in Windows.

00:15

So Windows privileged escalation was a huge weakness of mine

00:20

and it's basically the reason that I failed uh my second attempt at O S C P is I I didn't know if I got on a Windows box. Hypothetically, in my second attempt,

00:31

I had no idea what to do, I had no idea how to enumerate windows and how to escalate privileges properly and you're going to have to know how to escalate privileges on both Windows and Lennox boxes. But

00:44

Windows, for me was very, very tricky. I think that the updated pen 200 or P W. K materials do a very good job, a lot better than the older material and explaining how to escalate privileges and Windows.

00:57

Yeah,

00:59

so we need to look at some tools of the trade on how to enumerate Windows machines for privilege escalation vulnerabilities. One is access check dot e x c. This is not something that's installed in Windows by default. It's something you need to download onto your Cali box and then upload onto the Windows host.

01:18

So this checks for service permissions. The first thing you do is accept the end user license agreement and then you can start checking for service permissions. You can see here that I'm checking the service permissions for authenticated users. You can check the service permissions for everyone um or you can check the service uh,

01:34

permissions for whatever user you are then,

01:38

so what you want to look for when you do that is if you see service all access below the service name,

01:45

that means that you can edit the bin path of that service using sc which we'll talk about the next slide, but you'll configure the bin path to do something malicious. Like, let's say, add another user in the administrators group.

02:00

There's also W m I see that this is to check for unquoted service paths, unquoted service path or something you'll actually get to

02:07

exploit in the lab, hint there. I don't expect you to copy this down verbatim here. Obviously you can google this um and and get the full string that you can use in your own machine to test out.

02:21

Yeah.

02:23

Yeah.

02:24

So s C like I said, this starts stops and query services as well as configure services.

02:30

So you can do sc config the service and you can you can add that bin path. Like I said, that you could add uh evil user and and put them in the administrators group.

02:42

So the thing about sc is you can query but you may not have the ability to start or stop services if you get access denied, don't panic.

02:52

What you can do is you can shut hopefully you have permissions to shut down the system from the command line, so if you're in the command line that shut down forward slash art or restart it and you have to wait for the machine to restart.

03:05

But hopefully that service automatically executes at start and it will do that malicious thing, like add that user into the administrators group for you. So not all is lost when you do S E stop, RSC, start and you get access tonight.

03:23

So my favorite power shell script here, power up dot PS one.

03:28

It not only enumerates privilege escalation, vulnerabilities on Windows boxes, it also allows you to exploit them because it's Power Shell, it has a lot of versatility.

03:38

So it runs when you do invoke all checks, it runs all these checks for you, unquoted service paths, service executed an argument permissions, etcetera, etcetera.

03:49

But it does a whole lot of things in a very short amount of time.

03:54

So first you'll download the script and you put it on the Windows box and then you'll start up Power Shell, Power Shell with a few different flags here, then you'll import module power up to P. S. One. Sometimes after import module, I have to do the space and then dot forward slash power dot ps one

04:14

to get it into memory. And then you can do invoke all checks and that's what runs all the checks for you. All the enumeration checks for vulnerabilities. So what does that look like?

04:24

Here's an example checking service permissions, so that's from my power UP, invoke all checks

04:30

and it finds this service name, a look up service

04:33

the path for it

04:35

and the abuse function so I can copy this abuse function

04:41

and when I'm in power shell and what it does is very I had the verbose output so it finds the original path of the service which is Windows system

04:50

32 service host etc.

04:54

Okay, blah blah blah. Um and then it finds it that it's running. So what it does is it stops the service

05:00

that I'll execute this command in the bin path that I was talking about. Net user jOHN password 123 exclamation add. So is adding the jOHN user by starting stopping the service.

05:12

Now it's executing another command. Net local group administrators jOHN adds is adding jOHN to the administrators group

05:18

then it's starting the service again, it's restoring the regional been path and then

05:25

no one's the wiser. But now we have this new user named jOHN and we know their password and SMB is enabled in the box. So I use I am packets ps exact from my Cali box to then login with SMB

05:40

and right to the admin share and now I am system.

05:44

Yeah,

05:46

so unquoted service paths here again, I'm running power up

05:50

and I find this service named unquoted service hint there the abuse function is right service, binary service named unquoted service. So you'll see

06:02

I can get my pointer here. You'll see it makes this service e x E.

06:08

So to get this to work is you I need to change service dot e x E two unquoted. So the way that the unquoted service path vulnerabilities work is windows checks every single

06:20

line. So we'll first we'll check for temp then I'll check for unquoted then it will keep checking and if I name something because there's a space here, my name, something unquoted e x e

06:30

when it looks to that path and it's checking all those, you know, first 10th and unquoted it will find unquoted dot e x c and executed.

06:40

So that's what happened here is when I change service dot txt to unquoted dot txt I put it in the temp directory as in temp as unquoted dot e x c. And then I started to stop the service and then started the service and it added this user john and then again I'm using I impact as PS execs

06:58

to get in the box that way and become system.

07:03

It's also good to know how to exploit manually. So what I also did is I created an MSF venom payload

07:13

and you can see them and execute herbal. I call it evil dot txt. I should have called it unquoted dot txt because I'm creating an extra step for myself. But again I'm putting it in the temp directory

07:23

as unquoted at X. And this is of course a reverse shell here

07:28

On Port 443. So I have my listener up

07:30

and I stopped the service and then I start the service and you can see when I start the service, my reverse shell activates.

07:40

So give that a try in the lab to don't just use power up. Also try to figure it out manually.

07:46

Here's the guide for power up. Always good to read the guide. I know I hate reading guides but it's good to know how it works.

07:57

Here's some resources. So it's there are a lot of different vulnerabilities, privilege, escalation, vulnerabilities in Windows. These are just some resources. It's really good to know what your resources are

08:07

when you go to SCP. You know if if I'm trying to look for all my when I was privileged escalation resources, I I put them in one place and that's why I talked to note taking,

08:18

you know, make sure, you know where your resources are. And it's also it's not just finding these vulnerable, unquoted paths and things like that, but maybe there's a vulnerable, vulnerable version of Windows, kind of like a Colonel exploit for Lennox. Maybe you have a vulnerable version of Windows, which I don't really talk about here, but check these guides and they may give you

08:37

some help when it comes to versions of Windows.

08:41

You know, the newer version of Windows I don't think are as vulnerable. They don't have these, you know, quote unquote colonel, uh Colonel exploits or version exploits. Um but you know, if if you have more of a legacy box, maybe they do. And these guides will tell you about that

08:58

Medicine Post module. I talked about this as well. Local exploit suggestion. It used to be Windows exploit suggestions spelled wrong, but now it does Lennox as well. And that's why I talk about architecture being important and you'll see here collecting local exploits for x 86 windows.

09:15

If your uh, interpreter session was X 86, you wouldn't be able to enumerate things correctly and find the all the vulnerabilities.

09:24

Yeah.

09:26

So I found a privilege escalation module and I tried it and it worked. This doesn't always happen. Sometimes you'll try the first one, it won't work, you'll try the second one, third 1/4 1, they all won't work. May be the first one that you try DAS the box or or cause some issue.

09:41

Um, so what I typically do are a lot of resets when I do this. Obviously I don't do this. Ah, no SCP day, I do this in the labs. I would be very hesitant to use local exploit suggest er,

09:52

because then you've used the module up,

09:56

so use this sparingly.

09:58

Yeah,