Window Privilege Escalation via Automated Script
We all know that, after compromising the victim’s machine we have a low-privileges shell that we want to escalate into a higher-privileged shell and this process is known as Privilege Escalation. Today in this article we will discuss what comes under privilege escalation and how an attacker can identify that low-privileges shell can be escalated to higher-privileged shell.
Table of Content
- Introduction
- Vectors of Privilege Escalation
- Windows-Exploit-Suggester
- Windows Gather Applied Patches
- Sherlock
- JAWS – Just Another Windows (Enum) Script
- PowerUp
Introduction
Basically privilege escalation is a phase that comes after the attacker has compromised the victim’s machine where he try to gather critical information related to system such as hidden password and weak configured services or applications and etc. All these information help the attacker to make the post exploit against machine for getting higher-privileged shell.
Vectors Privilege Escalation
Following information are considered as critical Information of Windows System:
- Version of operating system
- Any Vulnerable package installed or running
- Files and Folders with Full Control or Modify Access
- Mapped Drives
- Potentially Interesting Files
- Unquoted Service Paths
- Network Information (interfaces, arp, netstat)
- Firewall Status and Rules
- Running Processes
- AlwaysInstallElevated Registry Key Check
- Stored Credentials
- DLL Hijacking
- Scheduled Tasks
There are several script use in Penetration testing for quickly identify potential privilege escalation vectors on Windows systems and today we are going to elaborate each script which is working smoothly.
Windows-Exploit-suggester
If you have victim’s low-privilege meterpreter or command session then use can use Exploit-Suggester.
This module suggests local meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter. It’s important to note that not all local exploits will be fired. Exploits are chosen based on these conditions: session type, platform, architecture, and required default options.
use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > set lhost 192.168.1.107
msf post(local_exploit_suggester) > set session 1
msf post(local_exploit_suggester) > exploit
As you can observe it has suggested some post exploits against which the target is vulnerable and that can provide higher-privilege shell.
Windows Gather Applied Patches
This module will attempt to enumerate which patches are applied to a windows system based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering.
use post/windows/gather/enum_patches
msf post(enum_patches) > set session 1
msf post(enum_patches) > exploit
As you can observe it has also shown that the target is possibly vulnerable to recommended exploit that can provide higher-privilege shell.
Sherlock
It is a PowerShell script to quickly find the missing software patches for local privilege escalation vulnerabilities. It also as similar as above post exploit as gives suggestion the target is possibly vulnerable to recommended exploit that can provide higher-privilege shell.
Download it from git hub with help of following command and execute when you have victim’s meterpreter session at least once.
git clone https://github.com/rasta-mouse/Sherlock.git
Since this script should be execute in power shell therefore load power shell and then import the downloading script.
load powershell
powershell_import '/root/Desktop/Sherlock/Sherlock.ps1'
powershell_execute “find-allvulns”
The above command will show that the target is possibly vulnerable to recommended exploit that can be used to achieve higher-privilege shell.
JAWS – Just Another Windows (Enum) Script
JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so ‘should’ run on every Windows version since Windows 7.
Current Features
- Network Information (interfaces, arp, netstat)
- Firewall Status and Rules
- Running Processes
- Files and Folders with Full Control or Modify Access
- Mapped Drives
- Potentially Interesting Files
- Unquoted Service Paths
- Recent Documents
- System Install Files
- AlwaysInstallElevated Registry Key Check
- Stored Credentials
- Installed Applications
- Potentially Vulnerable Services
- MuiCache Files
- Scheduled Tasks
git clone https://github.com/411Hall/JAWS.git
Once you have meterpreter shell, upload the downloaded script and use command shell to run the uploaded script
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
It will store the critical information into a text file named as “JAWS-Enum.txt”
As said the JAWS-Enum.txt file must have been stored the vector that can lead to privilege escalation, let’s open it and figure out the result.
In the following image you can observe it has shown all user name and IP configuration.
In this image we can clearly observe the result of NetStat.
In this image we can clearly observe the result of running process and services.
In this image we can clearly observe all install program and patches.
In this image we can clearly observe the folder with full control and Modify Access and hence many more information can be extracted by running this script.
PowerUp
PowerUp is a powershell tool to assist with local privilege escalation on Windows systems. PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.
Running Invoke-AllChecks will output any identifiable vulnerabilities along with specifications for any abuse functions. The -HTMLReport flag will also generate a COMPUTER.username.html version of the report.
Current Feature
Service Enumeration:
- Get-ServiceUnquoted : – returns services with unquoted paths that also have a space in the name.
- Get-ModifiableServiceFile :- returns services where the current user can write to the service binary path or its config.
- Get-ModifiableService : – returns services the current user can modify.
- Get-ServiceDetail :- returns detailed information about a specified service.
Service Abuse:
- Invoke-ServiceAbuse : – modifies a vulnerable service to create a local admin or execute a custom command.
- Write-ServiceBinary : – writes out a patched C# service binary that adds a local admin or executes a custom command.
- Install-ServiceBinary :- replaces a service binary with one that adds a local admin or executes a custom command.
- Restore-ServiceBinary :- restores a replaced service binary with the original executable.
DLL Hijacking:
- Find-ProcessDLLHijack : – finds potential DLL hijacking opportunities for currently running processes
- Find-PathDLLHijack :- finds service %PATH% DLL hijacking opportunities
- Write-HijackDll : – writes out a hijackable DLL
Registry Checks:
- Get-RegistryAlwaysInstallElevated :- checks if the AlwaysInstallElevated registry key is set
- Get-RegistryAutoLogon :- checks for Autologon credentials in the registry
- Get-ModifiableRegistryAutoRun :- checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns.
Now use following command to download it from git hub as said above powerUp is the module of powersploit therefore we need to download package of powersploit.
git clone https://github.com/PowerShellMafia/PowerSploit.git
cd PowerSploit
ls
cd Privesc
ls
Again
load power shell and then import the downloading script.
load powershell
powershell_import '/root/Desktop/PowerSploit/Privesc/PowerUp.ps1'
powershell_execute Invoke-AllChecks
The above comand will show that the target is possibly vulnerable to recommended exploit that can be used to achieve higher-privilege shell.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
The post Window Privilege Escalation via Automated Script appeared first on Hacking Articles.
from Hacking Articles https://ift.tt/2N08Z5w