Level Up! - Practical Windows Privilege Escalation


Practical Windows Privilege Escalation

Andrew Smith

C:\>type disclaimer.txt

•The opinions expressed in this presentation are mine and not those of my employer.

C:\>whoami /all

•Andrew Smith

•@jakx_

•Penetration Tester

•OWASP

•Metasploit

•CTF

•Certs

C:\>whois you

What are you talking about?

•Relevant Windows Security Info

•PrivEsc tricks win7

•Limited user -> Local Admin

Why should I care?

•You wanna level up

•You wanna prevent level up

•Hack the planet!

•You like Mario?

Why should I care?

•"People designing defenses who have never had them evaluated by a good attacker is kind of like learning one of those martial arts that look more like dancing than fighting. They look nice, but when you get into a fight your dance kungfu isn’t going to help you not get your ass kicked."

-Dan Guido

Windows Access Control

*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557%28v=vs.85%29.aspx

•Securable Objects

•Files

•Directories

•Services

•Registry Keys

•Named Pipes

Windows Access Control

*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379563%28v=vs.85%29.aspx

•Security Descriptor

•Discretionary Access Control List (DACL)

•Access Control Entries (ACE)

Windows Access Control

*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379563%28v=vs.85%29.aspx

•Access Token

•Container of user security info

•SID, groups, privileges

•Tied to process or thread

Windows Access Control

[Diagram: Access Token, DACL, AccessChk]

Mandatory Integrity Control

*https://msdn.microsoft.com/en-us/library/bb625963.aspx

•Security feature post-Vista

•Assigns process Integrity Levels

•Indicates "trustworthiness" of object

Windows Integrity Levels

*Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition

Low Medium High SYSTEM

*https://msdn.microsoft.com/en-us/library/bb625963.aspx

UAC Just ask nicely…

The Setup…

•Land on workstation as SKYNET\Luigi via $method

•Want to escalate privileges

•Limited User -> Local Admin

•Marketing isn't Admin… right?

Time to Level Up!

•Admin somewhere else?

•Creds in files

•Exploit unpatched EoP bugs

•Exploit insecure configs/apps

•Weak Services DACLs

•Weak File DACLs

•AlwaysInstallElevated

•DLLs

Somewhere Else?

•Luigi in “Domain Users” group

•1 box “Domain Users” in “Administrators”

Somewhere Else?

•PowerView

•https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

•Find-LocalAdminAccess


Creds in Files

•C:\users\luigi\Desktop\passwords.xls

•C:\>dir /b /s web.config

•C:\>dir /b /s unattend.xml

•C:\>dir /b /s sysprep.inf

•C:\>dir /b /s sysprep.xml

•C:\>dir /b /s *pass*

•GPP

•\\mushroomkingdom\SYSVOL\????

Windows EoP Buggzz

•Enumerate missing patches

•post/windows/gather/enum_patches

•post/multi/recon/local_exploit_suggester

•Pwn

Windows EoP Buggzz

•MS13-053

Weak Service Permissions

Accesschk.exe -qwcu "Authenticated Users" *

Accesschk.exe -qwcu "Users" *

Accesschk.exe -qwcu "Everyone" *

Weak Service Permissions

•Can we edit the service config?

•Can we edit the binary it points to?

Weak Service Permissions

•Demo
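The first question on the slide, "can we edit the service config?", answered from the service DACL rather than with accesschk. This is an added example, not code from the talk: sc.exe sdshow prints each service's security descriptor as SDDL, RawSecurityDescriptor parses it, and each Allow ACE for a low-privileged well-known SID is tested against the access-mask bits that permit reconfiguring a service. The "can we edit the binary?" question is an ordinary file-ACL check on PathName and is not repeated here.

```powershell
# Added example (not from the talk). Run elevated so every service's descriptor can be read.
$LowPrivSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')  # Everyone, Users, Authenticated Users, INTERACTIVE
# Service-specific and standard rights that let a caller change the service (winsvc.h / winnt.h)
$SERVICE_CHANGE_CONFIG = 0x0002; $WRITE_DAC = 0x40000; $WRITE_OWNER = 0x80000
$GENERIC_WRITE = 0x40000000; $GENERIC_ALL = 0x10000000
$ConfigWriteMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_WRITE -bor $GENERIC_ALL

function Get-ServiceConfigWriters {
    param([string]$Name)   # returns the low-privileged accounts allowed to reconfigure the service
    # "sc" alone is the PowerShell alias for Set-Content, so the .exe must be named explicitly
    $sddl = (& sc.exe sdshow $Name 2>$null | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'D:*' }) -join ''
    if (-not $sddl) { return @() }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $hits = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }   # Deny ACEs are not evaluated here
        if ($LowPrivSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if ($ace.AccessMask -band $ConfigWriteMask) {
            $hits += $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        }
    }
    return $hits
}

function Find-WeakServiceDacls {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $writers = @(Get-ServiceConfigWriters -Name $svc.Name)
        if ($writers.Count -eq 0) { continue }
        [pscustomobject]@{
            Service          = $svc.Name
            RunsAs           = $svc.StartName      # SYSTEM here is what makes the finding matter
            BinaryPath       = $svc.PathName
            ConfigWritableBy = ($writers -join ', ')
        }
    }
}

Find-WeakServiceDacls | Format-Table -AutoSize
```

Any row this prints is a service whose start command a standard user can rewrite; fix it by removing the offending ACE (sc.exe sdset) and confirm with the Accesschk -qwcu sweep above.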

Weak File Permissions

•Look for writeable files

•Autoruns?

•Scheduled Tasks?

Accesschk.exe -qwsu "Authenticated Users" c:\

Accesschk.exe -qwsu "Users" c:\

Accesschk.exe -qwsu "Everyone" c:\

Weak File Permissions

•Story time

•Main app binary writeable "users"

•Autorun on login

•"Nah bro, UAC"

•Admin logs in

•Backdoored binary auto-executes

•Code execution at medium IL as admin (UAC)

Weak File Permissions

•"One important thing to know is that UAC is not a security boundary."

*https://blogs.msdn.microsoft.com/e7/2009/02/05/update-on-uac/

AlwaysInstallElevated

•Group policy setting that makes installing packages (.msi) convenient…

•..Any .msi…

•for everyone..

AlwaysInstallElevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

AlwaysInstallElevated

•Demo

DLL Hijacking

•Windows can dynamically load DLLs

•If a full path is not used or is missing, Windows runs the DLL Search Order

•Eg.

•LoadLibrary("ohnoes.dll")

vs

•LoadLibrary("c:\program files\ohnoes.dll")

DLL Hijacking

1. The directory from which the application loaded.

2. The system directory.

3. The 16-bit system directory.

4. The Windows directory.

5. The current directory. (Exploitable)

6. The directories listed in the PATH environment variable. (Exploitable)

*https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx

DLL Hijacking

•Privileged app loads missing DLL + controllable search path element = pwned

•Use Sysinternals Procmon

•Include ".dll"

•Include "NAME NOT FOUND"

•Include folder in path

DLL Hijacking

•Demo
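The Accesschk -qwsu question from the Weak File Permissions slides ("what can a low-privileged principal write?") applied to the two places this deck calls out: binaries started from the machine-wide Run keys, which is the "autorun on login" story, and directories on the machine PATH, which is step 6 of the DLL search order above. This is an added example, not code from the talk; principal names assume an English-language Windows, and only Allow ACEs are evaluated, so confirm hits with accesschk.

```powershell
# Added example (not from the talk). Run elevated so every ACL can be read.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let the caller replace or alter the object, plus the GENERIC_WRITE / GENERIC_ALL bits
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions' -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWritable {
    param([string]$Path)   # returns the principal that can write to $Path, or $null
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs are not evaluated here
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}

function Get-ExecutablePath {
    param([string]$Command)   # first token of a command line, quoted or not
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-MachineAutoruns {
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSChildName properties
            [pscustomobject]@{ Source = "$key\$($p.Name)"; Command = [string]$p.Value }
        }
    }
}

function Find-LowPrivWritableTargets {
    foreach ($a in Get-MachineAutoruns) {
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $a.Command))
        $who = Test-LowPrivWritable $exe
        if ($who) { [pscustomobject]@{ Kind = 'Autorun binary'; Path = $exe; WritableBy = $who; Source = $a.Source } }
    }
    # A writable PATH directory lets any DLL name that misses steps 1-5 be satisfied from there
    foreach ($dir in ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' | Where-Object { $_ })) {
        $who = Test-LowPrivWritable $dir
        if ($who) { [pscustomobject]@{ Kind = 'PATH directory'; Path = $dir; WritableBy = $who; Source = 'Machine PATH' } }
    }
}
Find-LowPrivWritableTargets | Format-Table -AutoSize
```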

Conclusions

•Know your network/apps

•Don’t run as admin

•UAC IS NOT A SECURITY BOUNDARY

•Patch your shit

•“Hack yourself first”

Tools

•PowerUp

•https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

•Windows-privesc-check

•https://github.com/pentestmonkey/windows-privesc-check

•Sysinternals Suite

•https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx

References/Resources

https://www.insomniasec.com/downloads/publications/WindowsPrivEsc.ppt

https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf

https://technet.microsoft.com/en-us/sysinternals/bb545027

http://www.greyhathacker.net/?p=738

Greyhat Hacking 4th edition

Windows Internals 6th edition

https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607

Questions?

@jakx_

ajs@swordshield.com
