Windows privilege escalation exploit

Article: Windows LPE (Local Privilege Escalation [UAC bypass 2018, slui.exe method])

Greetings, colleagues.
Today we will talk about a relatively new way to bypass User Account Control (UAC) and a way to escalate privileges (LPE) on Windows 8-10, x64 and x86 systems.
PS: I am posting this on two forums at once, so:
Copyright: MisterBert0ni aka DarkNode >>>

CONTENTS:

  • How the exploit works
  • Demonstration of the exploit
  • A reminder about Web Delivery via PowerShell
  • A reminder about the RegSVR loading method
  • Similar exploits

Name: Slui File Handler Hijack LPE
Publication date: 15.01.2018
Target OS: Microsoft Windows
Patch: NONE
Vulnerable versions: Windows 8-10 (x64 and x86)
Link to the exploit itself

HOW THE EXPLOIT WORKS:

In Windows 8-10, the binary slui.exe was found to be an auto-elevated application, that is, one that elevates itself.
This makes it possible to abuse the file association handler to hijack execution into a privileged process.

In simple terms:
We create a registry entry that tells Windows to run our command or malicious file whenever any *.EXE file is opened, then launch slui.exe; instead of slui.exe, our payload runs as administrator.

To understand how this works, let's move on to the practical part:
1) Suppose we have a session without elevated privileges

Windows privilege escalation exploit (exploit/windows/local/ms14_058_track_popup_menu) not working #4735


DrDinosaur commented Feb 9, 2015

Hi, I’m having troubles with exploit/windows/local/ms14_058_track_popup_menu.

Here is some info:

[nothing (no shell) comes back]

The win32k.sys product version on the target machine is 6.1.7601.17514.


hdm commented Feb 9, 2015

As an aside, we should look for patched versions of the DLL as well and alert on them:
https://support.microsoft.com/kb/3000061 (less than 6.1.7601.22823 on Win7 SP1)

nixawk commented Feb 10, 2015

Now we can get SYSTEM privilege, Thanks.

Host Name: NFS-001
OS Name: Microsoft Windows 7 Home Premium
OS Version: 6.1.7601 Service Pack 1 Build 7601

DrDinosaur commented Feb 10, 2015

OJ commented Feb 10, 2015

Nope, I haven’t changed anything.

DrDinosaur commented Feb 10, 2015

Then do you know why he might be having success and not I?

OJ commented Feb 10, 2015

  1. His is x86 and yours is x64.
  2. You are setting DisabledPayloadHandler to true.

To avoid any issues can you please confirm the following:

  • The payload is set to a Windows x64 payload.
  • The target is set to 1 (for x64).
  • You re-enable the handler for the payload, to make sure that it’s definitely the same handler as what is required by the payload.

And give it another go please?

DrDinosaur commented Feb 10, 2015

Ah, yes, that fixed it. Thank you. It turns out that DisabledPayloadHandler was set to "true" and there was no actual handler waiting for the payload. Silly to expect a shell without anything to catch it. In my slight defense, however, Cobalt Strike set this automatically (by default) to "true." This was without me setting one of the listeners/payloads that you can always have running in the background. Why this is, I have no idea. This is not the default behavior when dealing with client side exploits, so I did not notice the change. This will save me some time, thanks again.


Windows — Privilege Escalation

Windows Version and Configuration

Extract patches and updates

List all env variables

List all drives

Get current username

List user privilege

List logon requirements; useable for bruteforcing

Get details about a user (i.e. administrator, admin, current user)

List all local groups

Get details about a group (i.e. administrators)

List all network interfaces, IP, and DNS.

List current routing table

List the ARP table

List all current connections

List firewall state and current configuration

List firewall’s blocked ports

List all network shares

Enumerate antivirus on a box with WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

  • With the GPO
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).

List AppLocker rules

Default powershell locations in a Windows system.

Example of AMSI Bypass.

Default Writeable Folders

EoP — Looting for passwords

SAM and SYSTEM files

The Security Account Manager (SAM), often called Security Accounts Manager, is a database file. User passwords are stored in hashed form in a registry hive, either as an LM hash or as an NTLM hash. The file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM.

Generate a hash file for John using pwdump or samdump2.

Then crack it with john -format=NT /root/sam.txt.

Search for file contents

Search for a file with a certain filename

Search the registry for key names and passwords

Read a value of a certain sub key

Passwords in unattend.xml

Location of the unattend.xml files.

Display the content of these files with dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul.

Unattend credentials are stored in base64 and can be decoded manually with base64.

The Metasploit module post/windows/gather/enum_unattend looks for these files.

Get Cleartext Pass

One-liner to extract Wi-Fi passwords for all saved access points.

Sticky Notes passwords

The Sticky Notes app stores its content in a SQLite database located at C:\Users\ \AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

Passwords stored in services

Saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using SessionGopher

Password in Alternate Data Stream

EoP — Processes Enumeration and Tasks

What processes are running?

Which processes are running as "system"?

Do you have powershell magic?

List installed programs

EoP — Incorrect permissions in services

A service running as Administrator/SYSTEM with incorrect file permissions might allow EoP: you can replace the binary, restart the service and get SYSTEM.

Often, services are pointing to writeable locations:

Orphaned installs: software that is no longer installed but still present in startup

PATH directories with weak permissions

Alternatively you can use the Metasploit exploit : exploit/windows/local/service_permissions

Note: to check file permissions you can use cacls and icacls.

icacls (Windows Vista +)
cacls (Windows XP)

You are looking for BUILTIN\Users:(F) (full access), BUILTIN\Users:(M) (modify access) or BUILTIN\Users:(W) (write-only access) in the output.
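As an added example (not from the page's source cheatsheet), a Python parser run over a constructed icacls listing that flags exactly the BUILTIN\Users (F)/(M)/(W) entries described above; checking Everyone and Authenticated Users as well is an assumption that goes beyond the page.

```python
"""Flag weak service-binary ACLs in icacls output (added example, not page code)."""
import re

# Principals every local user holds; extending beyond BUILTIN\Users is an assumption.
LOW_PRIV = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}
# Simple rights the page calls out: full, modify, write-only.
WEAK_RIGHTS = {"F", "M", "W"}
# "<principal>:(flag)(flag)...(right)" as printed by icacls.
ACE_RE = re.compile(r"^(.+?):((?:\([A-Za-z,]*\))+)$")

# Constructed sample of `icacls "C:\Program Files\Vendor\svc.exe"` output.
SVC_PATH = r"C:\Program Files\Vendor\svc.exe"
SAMPLE_ICACLS = r"""C:\Program Files\Vendor\svc.exe BUILTIN\Users:(I)(M)
                                NT AUTHORITY\SYSTEM:(I)(F)
                                BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(path: str, output: str) -> list[tuple[str, str]]:
    """Return [(principal, rights), ...] for one path's icacls listing.

    The first line carries the path before the first ACE; because both the
    path and the principal may contain spaces, the known path is stripped
    explicitly instead of splitting on whitespace.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group(1), m.group(2)))
    return aces


def weak_aces(path: str, output: str) -> list[tuple[str, str]]:
    """ACEs giving a low-privilege principal F, M or W on the path.

    Inheritance flags such as (I), (OI), (CI) are ignored; only the rights
    token matters, so "(I)(M)" and "(OI)(CI)(M)" are both flagged.
    """
    flagged = []
    for principal, rights in parse_icacls(path, output):
        tokens = set(re.findall(r"\(([A-Za-z,]*)\)", rights))
        if principal in LOW_PRIV and tokens & WEAK_RIGHTS:
            flagged.append((principal, rights))
    return flagged
```

Run `weak_aces(SVC_PATH, SAMPLE_ICACLS)` to get the offending ACEs; an empty list means the binary is not writable by ordinary users.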

Example with Windows 10 — CVE-2019-1322 UsoSvc

Prerequisite: Service account

Example with Windows XP SP1 — upnphost

If it fails because of a missing dependency, try the following commands.

EoP — Windows Subsystem for Linux (WSL)

With root privileges, Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem, just set the default user to root with .exe --default-user root. Now start your bind shell or reverse shell.

Binary bash.exe can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[. ]\bash.exe

Alternatively you can explore the WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\

EoP — Unquoted Service Paths

The Microsoft Windows Unquoted Service Path Enumeration Vulnerability: every Windows service has a path to its executable. If that path is unquoted and contains whitespace or other separators, the service will attempt to access a resource in the parent path first.

Metasploit exploit : exploit/windows/local/trusted_service_path

For C:\Program Files\something\legit.exe, Windows will try the following paths first:
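As an added example (not from the source cheatsheet), a Python audit that reproduces the search-order rule above for any unquoted service path and applies it to a constructed `sc qc` listing; it generalises the single path in the text to any number of spaces and to image paths carrying arguments.

```python
"""Unquoted service path audit (added example, not page code)."""
import re


def unquoted_path_candidates(image_path: str) -> list[str]:
    """Executables Windows would try, in order, before the intended binary.

    CreateProcess splits an unquoted command line at each space and appends
    ".exe" to each prefix until one exists. A quoted path, or one without
    spaces, yields no extra candidates. The first prefix ending in ".exe" is
    taken as the intended binary; anything after it is arguments.
    """
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    candidates = []
    for m in re.finditer(" ", path):
        prefix = path[: m.start()]
        if prefix.lower().endswith(".exe"):
            break
        candidates.append(prefix + ".exe")
    return candidates


def audit_sc_output(sc_text: str) -> dict[str, list[str]]:
    """Parse concatenated `sc qc <service>` output and return
    {service_name: candidate_paths} for each service with an unquoted path."""
    findings: dict[str, list[str]] = {}
    name = None
    for raw in sc_text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("BINARY_PATH_NAME") and name:
            image = line.split(":", 1)[1].strip()
            candidates = unquoted_path_candidates(image)
            if candidates:
                findings[name] = candidates
    return findings


# Constructed sample: two `sc qc` listings, one unquoted and one quoted.
SAMPLE_SC_OUTPUT = r"""
SERVICE_NAME: VendorSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\Program Files\Some Vendor\App Dir\app.exe -svc
SERVICE_NAME: SafeSvc
        BINARY_PATH_NAME   : "C:\Program Files\Safe Vendor\safe.exe"
"""
```

Each candidate's parent directory is where the write ACL must be checked (see the icacls note above); a finding is only exploitable when a low-privilege user can create the candidate file.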

EoP — Named Pipes

  1. Find named pipes: [System.IO.Directory]::GetFiles("\\.\pipe\")
  2. Check named pipe DACLs: pipesec.exe
  3. Reverse engineer the software
  4. Send data through the named pipe: program.exe >\\.\pipe\StdOutPipe 2>\\.\pipe\StdErrPipe

EoP — Kernel Exploitation

Format: Security Bulletin [KB] [Description] (Operating System)

  • MS17-017 [KB4013081] [GDI Palette Objects Local Privilege Escalation] (windows 7/8)
  • CVE-2017-8464 [LNK Remote Code Execution Vulnerability] (windows 10/8.1/7/2016/2010/2008)
  • CVE-2017-0213 [Windows COM Elevation of Privilege Vulnerability] (windows 10/8.1/7/2016/2010/2008)
  • CVE-2018-0833 [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)
  • CVE-2018-8120 [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)
  • MS17-010 [KB4013389] [Windows Kernel Mode Drivers] (windows 7/2008/2003/XP)
  • MS16-135 [KB3199135] [Windows Kernel Mode Drivers] (2016)
  • MS16-111 [KB3186973] [kernel api] (Windows 10 10586 (32/64)/8.1)
  • MS16-098 [KB3178466] [Kernel Driver] (Win 8.1)
  • MS16-075 [KB3164038] [Hot Potato] (2003/2008/7/8/2012)
  • MS16-034 [KB3143145] [Kernel Driver] (2008/7/8/10/2012)
  • MS16-032 [KB3143141] [Secondary Logon Handle] (2008/7/8/10/2012)
  • MS16-016 [KB3136041] [WebDAV] (2008/Vista/7)
  • MS16-014 [KB3134228] [remote code execution] (2008/Vista/7)
    .
  • MS03-026 [KB823980] [Buffer Overrun In RPC Interface] (/NT/2000/XP/2003)

To cross compile a program from Kali, use the following command.

Check if these registry values are set to "1".

Then create an MSI package and install it.

Technique also available in :

  • Metasploit : exploit/windows/local/always_install_elevated
  • PowerUp.ps1 : Get-RegistryAlwaysInstallElevated , Write-UserAddMSI

EoP — Insecure GUI apps

An application running as SYSTEM that allows a user to spawn a CMD or browse directories.

Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"

EoP — Evaluating Vulnerable Drivers

Look for vulnerable drivers that are loaded; we often don't spend enough time looking at this:

Use the cmdkey to list the stored credentials on the machine.

Then you can use runas with the /savecred option in order to use the saved credentials. The following example calls a remote binary via an SMB share.

Using runas with a provided set of credentials.

EoP — Abusing Shadow Copies

If you have local administrator access on a machine, try to list shadow copies; it's an easy path to privilege escalation.

EoP — From local administrator to NT SYSTEM

EoP — Living Off The Land Binaries and Scripts

Living Off The Land Binaries and Scripts (and also Libraries) : https://lolbas-project.github.io/

The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

A LOLBin/Lib/Script must:

  • Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
  • Have extra "unexpected" functionality. It is not interesting to document intended use cases. Exceptions are application whitelisting bypasses.
  • Have functionality that would be useful to an APT or red team.

EoP — Impersonation Privileges

Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin; the summary below only lists direct ways to exploit a privilege to obtain an admin session or read sensitive files.

Each entry below gives the privilege, its impact, the tool, the execution path and remarks.

Privilege: SeAssignPrimaryToken
Impact: Admin
Tool: 3rd party tool
Execution path: "It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe"
Remarks: Thank you Aurélien Chalot for the update. I will try to re-phrase it to something more recipe-like soon.

Privilege: SeBackup
Impact: Threat
Tool: Built-in commands
Execution path: Read sensitive files with robocopy /b
Remarks:
  • May be more interesting if you can read %WINDIR%\MEMORY.DMP
  • SeBackupPrivilege (and robocopy) is not helpful when it comes to open files.
  • Robocopy requires both SeBackup and SeRestore to work with the /b parameter.

Privilege: SeCreateToken
Impact: Admin
Tool: 3rd party tool
Execution path: Create an arbitrary token including local admin rights with NtCreateToken.

Privilege: SeDebug
Impact: Admin
Tool: PowerShell
Execution path: Duplicate the lsass.exe token.
Remarks: Script to be found at FuzzySecurity

Privilege: SeLoadDriver
Impact: Admin
Tool: 3rd party tool
Execution path:
  1. Load a buggy kernel driver such as szkg64.sys
  2. Exploit the driver vulnerability
  Alternatively, the privilege may be used to unload security-related drivers with the fltMC builtin command, i.e.: fltMC sysmondrv
Remarks:
  1. The szkg64 vulnerability is listed as CVE-2018-15732
  2. The szkg64 exploit code was created by Parvez Anwar

Privilege: SeRestore
Impact: Admin
Tool: PowerShell
Execution path:
  1. Launch PowerShell/ISE with the SeRestore privilege present.
  2. Enable the privilege with Enable-SeRestorePrivilege.
  3. Rename utilman.exe to utilman.old
  4. Rename cmd.exe to utilman.exe
  5. Lock the console and press Win+U
Remarks: Attack may be detected by some AV software. An alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.

Privilege: SeTakeOwnership
Impact: Admin
Tool: Built-in commands
Execution path:
  1. takeown.exe /f "%windir%\system32"
  2. icacls.exe "%windir%\system32" /grant "%username%":F
  3. Rename cmd.exe to utilman.exe
  4. Lock the console and press Win+U
Remarks: Attack may be detected by some AV software. An alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.

Privilege: SeTcb
Impact: Admin
Tool: 3rd party tool
Execution path: Manipulate tokens to have local admin rights included. May require SeImpersonate.
Remarks: To be verified.

Restore A Service Account’s Privileges

This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only.

Meterpreter getsystem and alternatives
