Level Up! - Practical Windows Privilege Escalation

Practical Windows Privilege
Escalation
Andrew Smith

C:>type disclaimer.txt
•The opinions expressed in this
presentation are mine and not
those of my employer.

C:>whoami /all
•Andrew Smith
•@jakx_
•Penetration Tester
•OWASP
•Metasploit
•CTF
•Certs

What are you talking about?
•Relevant Windows Security Info
•PrivEsc tricks win7
•Limited user -> Local Admin

Why should I care?
•You wanna level up
•You wanna prevent level up
•Hack the planet!
•You like Mario?

Why should I care?
•"People designing defenses who have
never had them evaluated by a good
attacker is kind of like learning one of
those martial arts that look more like
dancing than fighting. They look nice,
but when you get into a fight your
dance kungfu isn’t going to help you
not get your ass kicked."
-Dan Guido

Windows Access Control
*https://msdn.microsoft.com/en-
us/library/windows/desktop/aa379557%28v=vs.85%29.aspx
•Securable Objects
•Files
•Directories
•Services
•Registry Keys
•Named Pipes

•Security Descriptor
•Discretionary Access Control List
(DACL)
•Access Control Entries (ACE)

•Access Token
•Container of user
security info
•SID, groups,
privileges
•Tied to process or
thread

Access
Token

Access
Token
DACL

Access
Token
DACL
AccessChk

Mandatory Integrity Control
*https://msdn.microsoft.com/en-us/library/bb625963.aspx
•Security feature post-Vista
•Assigns process Integrity Levels
•Indicates “trustworthiness” of
object

Windows Integrity Levels
*Windows® Internals: Including Windows Server 2008 and
Windows Vista, Fifth Edition

Low Medium High SYSTEM

Low Medium High SYSTEM
UAC
Just ask nicely…

The Setup…
•Land on workstation as SKYNETLuigi
via $method
•Want to escalate privileges
•Limited User -> Local Admin
•Marketing isnt Admin… right?

Time to Level Up!
•Admin somewhere else?
•Creds in files
•Exploit unpatched EoP bugs
•Exploit insecure configs/apps
•Weak Services DACLs
•Weak File DACLs
•AlwaysInstallEvelated
•DLLs

Somewhere Else?
•Luigi in “Domain Users” group
•1 box “Domain Users” in “Administrators”

Somewhere Else?
•Powerview
•https://github.com/PowerShellMafia/PowerSploit/blob/m
aster/Recon/PowerView.ps1
• Find-LocalAdminAccess

Creds in Files
•C:usersluigiDesktoppasswords.xls
•C:>dir /b /s web.config
•C:>dir /b /s unattend.xml
•C:>dir /b /s sysprep.inf
•C:>dir /b /s sysprep.xml
•C:>dir /b /s *pass*
•GPP
•mushroomkindgomSYSVOL????

Windows EoP Buggzz
•Enumerate missing patches
•post/windows/gather/enum_patches
•post/multi/recon/local_exploit_suggester
•Pwn

Windows EoP Buggzz
•MS13-053

Weak Service Permissions
Accesschk.exe –qwcu “Authenticated Users” *
Accesschk.exe –qwcu “Users” *
Accesschk.exe –qwcu “Everyone” *

•Can we edit the service config?
•Can we edit the binary it points to?

•Demo

Weak File Permissions
•Look for writeable files
•Autoruns?
•Scheduled Tasks?
Accesschk.exe –qwsu “Authenticated Users” c:
Accesschk.exe –qwsu “Users” c:
Accesschk.exe –qwsu “Everyone” c:

•Story time

•Story time
•Main app binary writeable “users”

•Story time
•Main app binary writeable “users”
•Autorun on login

• “Nah bro, UAC”

• Admin logs in

• Admin logs in
• Backdoored binary auto-executes

• Admin logs in
• Backdoored binary auto-executes
• Code execution at medium IL as admin
(UAC)

•“One important thing to know is that UAC is
not a security boundary.”
*https://blogs.msdn.microsoft.com/e7/2009/02/05/upda
te-on-uac/

AlwaysInstallElevated
•Group policy setting that makes installing
packages (.msi) convenient…
•..Any .msi…
•for everyone..

reg query
HKLMSOFTWAREPoliciesMicrosoft
WindowsInstaller /v
reg query
HKCUSOFTWAREPoliciesMicrosoft
WindowsInstaller /v

DLL Hijacking
•Windows can dynamically load DLLs
•If full path not used/missing, Windows
executes DLL Search Order
•Eg.
•LoadLibrary(“ohnoes.dll”)
vs
•LoadLibrary(“c:program filesohnoes.dll”)

DLL Hijacking
1. The directory from which the application
loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. The directories listed in the PATH
environment variable.
us/library/windows/desktop/ms682586%28v=vs.85%29.aspx

DLL Hijacking
1. The directory from which the application
loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory. (Exploitable)
6. The directories listed in the PATH
environment variable. (Exploitable)
us/library/windows/desktop/ms682586%28v=vs.85%29.aspx

DLL Hijacking
•Privileged app loads missing DLL +
controllable search path element = pwned
•Use Sysinternals Procmon
•Include “.dll”
•Include “NAME NOT FOUND”
•Include folder in path

Conclusions
•Know your network/apps
•Don’t run as admin
•UAC IS NOT A SECURITY BOUNDARY
•Patch your shit
•“Hack yourself first”

Tools
•Powerup
•https://github.com/PowerShellMafia/PowerSploit/blob/master/Priv
esc/PowerUp.ps1
•Windows-privesc-check
•https://github.com/pentestmonkey/windows-privesc-check
•Sysinternals Suite
•https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx

References/Resources
https://www.insomniasec.com/downloads/publications/WindowsPrivEsc.ppt
https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Service
s_-_All_roads_lead_to_SYSTEM.pdf
https://technet.microsoft.com/en-us/sysinternals/bb545027
http://www.greyhathacker.net/?p=738
Greyhat Hacking 4th edition
Windows Internals 6th edition
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-
26665607

Questions?
@jakx_
ajs@swordshield.com

Level Up! - Practical Windows Privilege Escalation

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Level Up! - Practical Windows Privilege Escalation (20)

Recently uploaded (20)

Level Up! - Practical Windows Privilege Escalation