
Tuesday is here and we are on the final module of the Jr Penetration Tester pathway.
Today we start the module Windows Privilege Escalation!




“Whenever a user runs a command using Powershell, it gets stored into a file that keeps a memory of past commands.”
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

“Windows allows us to use other users’ credentials”
cmdkey /list

“The configuration of websites on IIS is stored in a file called web.config and can store passwords for databases or configured authentication mechanisms. Depending on the installed version of IIS, we can find web.config in one of the following locations”
- C:\inetpub\wwwroot\web.config
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString


“While PuTTY won’t allow users to store their SSH password, it will store proxy configurations that include cleartext authentication credentials. To retrieve the stored proxy credentials, you can search under the following registry key for ProxyPassword with the following command”
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

“Note: Simon Tatham is the creator of PuTTY (and his name is part of the path), not the username for which we are retrieving the password. The stored proxy username should also be visible after running the command above.”

ID=db_admin;Password=098n0x35skjD3" name="THM-DB"



Flag – THM{WHAT_IS_MY_PASSWORD}





“Scheduled tasks can be listed from the command line using the schtasks command without any options. To retrieve detailed information about any of the services, you can use a command like the following one:”
schtasks /query /tn vulntask /fo list /v

“If our current user can modify or overwrite the “Task to Run” executable, we can control what gets executed by the taskusr1 user, resulting in a simple privilege escalation. To check the file permissions on the executable, we use”
icacls

“As can be seen in the result, the BUILTIN\Users group has full access (F) over the task’s binary. This means we can modify the .bat file and insert any payload we like. For your convenience, nc64.exe can be found on C:\tools. Let’s change the bat file to spawn a reverse shell”

“We then start a listener on the attacker machine on the same port we indicated on our reverse shell”

“The next time the scheduled task runs, you should receive the reverse shell with taskusr1 privileges. While you probably wouldn’t be able to start the task in a real scenario and would have to wait for the scheduled task to trigger, we have provided your user with permissions to start the task manually to save you some time. We can run the task with the following command”



Flag – THM{TASK_COMPLETED}











“If the executable associated with a service has weak permissions that allow an attacker to modify or replace it, the attacker can gain the privileges of the service’s account trivially. To understand how this works, let’s look at a vulnerability found on Splinterware System Scheduler. To start, we will query the service configuration using sc”.
sc qc WindowsScheduler

“We can see that the service installed by the vulnerable software runs as svcuser1 and the executable associated with the service is in C:\Progra~2\System~1\WService.exe. We then proceed to check the permissions on the executable”
icacls C:\PROGRA~2\SYSTEM~1\WService.exe

“And here we have something interesting. The Everyone group has modify permissions (M) on the service’s executable. This means we can simply overwrite it with any payload of our preference, and the service will execute it with the privileges of the configured user account.”
Let’s generate an exe-service payload using msfvenom and serve it through a python webserver!



“Once the payload is in the Windows server, we proceed to replace the service executable with our payload. Since we need another user to execute our payload, we’ll want to grant full permissions to the Everyone group as well”



“And finally, restart the service. While in a normal scenario, you would likely have to wait for a service restart, you have been assigned privileges to restart the service yourself to save you some time. Use the following commands from a cmd.exe command prompt”



Flag – THM{AT_YOUR_SERVICE}
“When the SCM tries to execute the associated binary, a problem arises. Since there are spaces on the name of the “Disk Sorter Enterprise” folder, the command becomes ambiguous, and the SCM doesn’t know which of the following you are trying to execute”

“This has to do with how the command prompt parses a command. Usually, when you send a command, spaces are used as argument separators unless they are part of a quoted string. This means the “right” interpretation of the unquoted command would be to execute C:\MyPrograms\Disk.exe and take the rest as arguments. Instead of failing as it probably should, SCM tries to help the user and starts searching for each of the binaries in the order shown in the table:”
- First, search for C:\MyPrograms\Disk.exe. If it exists, the service will run this executable.
- If the latter doesn’t exist, it will then search for C:\MyPrograms\Disk Sorter.exe. If it exists, the service will run this executable.
- If the latter doesn’t exist, it will then search for C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe. This option is expected to succeed and will typically be run in a default installation.
“From this behaviour, the problem becomes evident. If an attacker creates any of the executables that are searched for before the expected service executable, they can force the service to run an arbitrary executable.”
“While this sounds trivial, most of the service executables will be installed under C:\Program Files or C:\Program Files (x86) by default, which isn’t writable by unprivileged users. This prevents any vulnerable service from being exploited. There are exceptions to this rule:
- Some installers change the permissions on the installed folders, making the services vulnerable.
- An administrator might decide to install the service binaries in a non-default path. If such a path is world-writable, the vulnerability can be exploited.”
“In our case, the Administrator installed the Disk Sorter binaries under c:\MyPrograms. By default, this inherits the permissions of the C:\ directory, which allows any user to create files and folders in it. We can check this using icacls”
The BUILTIN\Users group has AD and WD privileges, allowing the user to create subdirectories and files!
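To make the search order above concrete, here is a small audit helper (an added example, not code from the TryHackMe room) that takes a service's ImagePath and computes the candidate executables the SCM would try, then reports which directories must not be writable by ordinary users. It assumes the ImagePath holds only the executable, with no trailing arguments, and the service inventory it runs over is constructed, not captured from the lab machine.

```python
import ntpath


def candidate_paths(image_path):
    """Return the executables the SCM tries, in order, for a service ImagePath.

    For an unquoted path the SCM stops at every space, appends .exe when the
    prefix has no extension, and runs the first file that exists. A quoted
    path has a single, unambiguous candidate. Assumes no trailing arguments.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return [image_path.strip('"')]
    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if not prefix.lower().endswith(".exe"):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_dirs(image_path):
    """Parent directories of every candidate tried before the genuine binary:
    a file planted there shadows the real service executable."""
    dirs = []
    for cand in candidate_paths(image_path)[:-1]:
        parent = ntpath.dirname(cand)
        if parent not in dirs:
            dirs.append(parent)
    return dirs


def audit_services(services):
    """Flag services whose ImagePath is unquoted and contains a space.
    `services` maps service name -> ImagePath (as shown by `sc qc`).
    Returns name -> directories to check for write access by ordinary users."""
    findings = {}
    for name, path in services.items():
        path = path.strip()
        if not path.startswith('"') and " " in path:
            findings[name] = hijack_dirs(path)
    return findings


# Constructed sample inventory (hypothetical names, not output from the lab box)
SAMPLE_SERVICES = {
    "disksorter": r"C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe",
    "goodsvc": r'"C:\Program Files\Good Vendor\goodsvc.exe"',
    "nospaces": r"C:\Windows\System32\svchost.exe",
}

if __name__ == "__main__":
    for svc, dirs in audit_services(SAMPLE_SERVICES).items():
        print(f"{svc}: unquoted path, check ACLs (icacls) on {dirs}")
```

Feed it the ImagePath values from `sc qc` or the Services registry key and follow up with icacls on each reported directory; the fix is to quote the path (or reinstall under a non-writable location).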

The process of creating an exe-service payload with msfvenom and transferring it to the target host is the same as before!


“Once the payload is in the server, move it to any of the locations where hijacking might occur. In this case, we will be moving our payload to C:\MyPrograms\Disk.exe. We will also grant Everyone full permissions on the file to make sure it can be executed by the service:”

“Once the service gets restarted, your payload should execute”



Flag – THM{QUOTES_EVERYWHERE}
“You might still have a slight chance of taking advantage of a service if the service’s executable DACL is well configured, and the service’s binary path is rightly quoted. Should the service DACL (not the service’s executable DACL) allow you to modify the configuration of a service, you will be able to reconfigure the service. This will allow you to point to any executable you need and run it with any account you prefer, including SYSTEM itself. To check for a service DACL from the command line, you can use Accesschk from the Sysinternals suite. For your convenience, a copy is available at C:\tools. The command to check for the thmservice service DACL is:”
C:\tools\AccessChk> accesschk64.exe -qlc thmservice
Note: accept the Sysinternals licence pop-up if it appears when running the command.

“Here we can see that the BUILTIN\Users group has the SERVICE_ALL_ACCESS permission, which means any user can reconfigure the service.”
“Before changing the service, let’s build another exe-service reverse shell and start a listener for it on the attacker’s machine”


“We will then transfer the reverse shell executable to the target machine and store it in C:\Users\thm-unpriv\rev-svc3.exe. Feel free to use wget to transfer your executable and move it to the desired location. Remember to grant permissions to Everyone to execute your payload”

“To change the service’s associated executable and account, we can use the following command (mind the spaces after the equal signs when using sc.exe)”

“Notice we can use any account to run the service. We chose LocalSystem as it is the highest privileged account available. To trigger our payload, all that rests is restarting the service”



Flag – THM{INSECURE_SVC_CONFIG}
We shall continue today (if we have time) or finish this off tomorrow, but this post is getting rather large.



Until next time & don’t sleepwalk through life!
Chài-kiàn
