level up! - practical windows privilege escalation

Practical Windows Privilege Escalation

Andrew Smith

C:\>type disclaimer.txt

•The opinions expressed in this

presentation are mine and not

those of my employer.

C:\>whoami /all

•Andrew Smith

•@jakx_

•Penetration Tester

•OWASP

•Metasploit

•CTF

•Certs

C:\>whois you

What are you talking about?

•Relevant Windows Security Info

•PrivEsc tricks win7

•Limited user -> Local Admin

Why should I care?

•You wanna level up

•You wanna prevent level up

•Hack the planet!

•You like Mario?

Why should I care?

•"People designing defenses who have

never had them evaluated by a good

attacker is kind of like learning one of

those martial arts that look more like

dancing than fighting. They look nice,

but when you get into a fight your

dance kungfu isn’t going to help you

not get your ass kicked."

-Dan Guido

Windows Access Control

*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557%28v=vs.85%29.aspx

•Securable Objects

•Files

•Directories

•Services

•Registry Keys

•Named Pipes



•Security Descriptor

•Discretionary Access Control List

(DACL)

•Access Control Entries (ACE)



•Access Token

•Container of user

security info

•SID, groups,

privileges

•Tied to process or

thread


Access Token


Access Token

DACL


Access Token

DACL

AccessChk

Mandatory Integrity Control

*https://msdn.microsoft.com/en-us/library/bb625963.aspx

•Security feature post-Vista

•Assigns process Integrity Levels

•Indicates “trustworthiness” of

object

Windows Integrity Levels

*Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition


Low Medium High SYSTEM




Low Medium High SYSTEM

UAC Just ask nicely…

The Setup…

•Land on workstation as SKYNET\Luigi

via $method

•Want to escalate privileges

•Limited User -> Local Admin

•Marketing isnt Admin… right?

Time to Level Up!

•Admin somewhere else?

•Creds in files

•Exploit unpatched EoP bugs

•Exploit insecure configs/apps

•Weak Services DACLs

•Weak File DACLs

•AlwaysInstallEvelated

•DLLs

Somewhere Else?

•Luigi in “Domain Users” group

•1 box “Domain Users” in “Administrators”

Somewhere Else?

•Powerview•https://github.com/PowerShellMafia/PowerSploit/blob/m

aster/Recon/PowerView.ps1

• Find-LocalAdminAccess

Somewhere Else?

Creds in Files

•C:\users\luigi\Desktop\passwords.xls•C:\>dir /b /s web.config

•C:\>dir /b /s unattend.xml

•C:\>dir /b /s sysprep.inf

•C:\>dir /b /s sysprep.xml

•C:\>dir /b /s *pass*

•GPP

•\\mushroomkindgom\SYSVOL\????

Windows EoP Buggzz

•Enumerate missing patches•post/windows/gather/enum_patches

•post/multi/recon/local_exploit_suggester

•Pwn

Windows EoP Buggzz

•MS13-053

Weak Service Permissions

Accesschk.exe –qwcu “Authenticated Users” *

Accesschk.exe –qwcu “Users” *

Accesschk.exe –qwcu “Everyone” *


•Can we edit the service config?

•Can we edit the binary it points to?


•Demo

Weak File Permissions

•Look for writeable files

•Autoruns?

•Scheduled Tasks?

Accesschk.exe –qwsu “Authenticated Users” c:\

Accesschk.exe –qwsu “Users” c:\

Accesschk.exe –qwsu “Everyone” c:\


•Story time


•Story time

•Main app binary writeable “users”


•Story time

•Main app binary writeable “users”

•Autorun on login


• “Nah bro, UAC”


• Admin logs in


• Admin logs in

• Backdoored binary auto-executes


• Admin logs in

• Backdoored binary auto-executes

• Code execution at medium IL as admin

(UAC)


•“One important thing to know is that UAC is

not a security boundary.”

*https://blogs.msdn.microsoft.com/e7/2009/02/05/update-on-uac/

AlwaysInstallElevated

•Group policy setting that makes installing

packages (.msi) convenient…

•..Any .msi…

•for everyone..


reg query

HKLM\SOFTWARE\Policies\Microsoft

\Windows\Installer /v


reg query

HKCU\SOFTWARE\Policies\Microsoft

\Windows\Installer /v



•Demo

DLL Hijacking

•Windows can dynamically load DLLs

•If full path not used/missing, Windows

executes DLL Search Order

•Eg.

•LoadLibrary(“ohnoes.dll”)

vs

•LoadLibrary(“c:\program files\ohnoes.dll”)

DLL Hijacking

1. The directory from which the application

loaded.

2. The system directory.

3. The 16-bit system directory.

4. The Windows directory.

5. The current directory.

6. The directories listed in the PATH

environment variable.

*https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx

DLL Hijacking

1. The directory from which the application

loaded.

2. The system directory.

3. The 16-bit system directory.

4. The Windows directory.

5. The current directory. (Exploitable)

6. The directories listed in the PATH

environment variable. (Exploitable)

*https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx

DLL Hijacking

•Privileged app loads missing DLL +

controllable search path element = pwned

•Use Sysinternals Procmon

•Include “.dll”

•Include “NAME NOT FOUND”

•Include folder in path

DLL Hijacking

•Demo

Conclusions

•Know your network/apps

•Don’t run as admin

•UAC IS NOT A SECURITY BOUNDARY

•Patch your shit

•“Hack yourself first”

Tools

•Powerup•https://github.com/PowerShellMafia/PowerSploit/blob/master/Priv

esc/PowerUp.ps1

•Windows-privesc-check•https://github.com/pentestmonkey/windows-privesc-check

•Sysinternals Suite•https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx

References/Resources

https://www.insomniasec.com/downloads/publications/WindowsPrivEsc.ppt

https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf

https://technet.microsoft.com/en-us/sysinternals/bb545027

http://www.greyhathacker.net/?p=738

Greyhat Hacking 4th edition

Windows Internals 6th edition

https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607

Questions?

@jakx_

[email protected]

level up! - practical windows privilege escalation

Technology