Hacking Dictionary

Windows post exploitation

Posts

Service Binary Hijacking

In order to understand whether we can hijack a service binary, we need to view the name, state and binary path of each service that's running, and then work out whether we can restart it, or stop and start it. A service set to start automatically is also restarted by a reboot, if we hold the right to reboot. This is where some trial and error comes into play, so track what you've attempted so you don't repeat efforts.
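
The enumeration described above, as an added example that is not part of the original post: it lists every service whose executable the current user's token (user plus groups) is allowed to write to or delete, alongside the state, start mode and account the service runs as. It reads file ACLs rather than attempting a write, so it changes nothing on the host.

```powershell
# Added example (not from the original post): list services whose binary the
# current user can modify, with state, start mode and the account it runs as.
# Run it as the low-privileged user you are testing from.

# Pull the executable out of a service's PathName, which may be quoted and may
# carry arguments, e.g.  "C:\Program Files\Vendor\svc.exe" -config x
function Get-ServiceExePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    if ($PathName -match '(?i)^(.*?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

# SIDs the current token carries: the user plus every group, so that a write
# granted to Everyone, Authenticated Users or BUILTIN\Users is caught too.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids   = @($identity.User) + @($identity.Groups)

# Access bits that let us replace the file: WriteData, Delete, GENERIC_WRITE,
# GENERIC_ALL. Modify and FullControl include WriteData, so they match as well.
$writeMask = 0x2 -bor 0x10000 -bor 0x40000000 -bor 0x10000000

function Test-WritableByMe {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }                                   # unresolvable account, skip
        if ($mySids -notcontains $sid) { continue }
        if ((([int]$ace.FileSystemRights) -band $writeMask) -eq 0) { continue }
        # ACLs are canonical, so a matching Deny is seen before any Allow
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        return $true
    }
    return $false
}

# PathName, State, StartMode and StartName are all readable by a standard user.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = Get-ServiceExePath $_.PathName
    if ($exe -and (Test-Path -LiteralPath $exe) -and (Test-WritableByMe $exe)) {
        [pscustomobject]@{
            Service   = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            RunsAs    = $_.StartName
            Binary    = $exe
        }
    }
} | Format-Table -AutoSize
```

For each hit, the next question is whether you can make the service re-execute the binary: check the service's own security descriptor with sc.exe sdshow <name> for start and stop rights granted to your user or groups, and note the start mode, since an automatic service can be restarted by rebooting if you hold SeShutdownPrivilege.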

Service DLL Hijacking

Dynamic Link Libraries contain code and resources for other programs to use, saving duplication; on Linux the equivalent is a shared object. In this approach we either replace a DLL the service loads, or hijack the search order by planting a DLL of the same name somewhere Windows looks first. With the default safe search mode, Windows searches the following locations in order:
1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current directory
6. The directories that are listed in the PATH environment variable
If we don't have permissions to alter the binary itself, we might still be able to replace a DLL it loads, or drop a DLL with the name of one it fails to find into a writable directory that sits earlier in this order.
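
The search order above, as an added example that is not part of the original post: for one application binary it lists the directories in the order Windows consults them and probes each for writability by creating and removing an empty, randomly named file. $AppPath is an assumed example value; substitute a service binary found during enumeration.

```powershell
# Added example (not from the original post): enumerate the default
# SafeDllSearchMode order for one binary and flag writable directories.
$AppPath = 'C:\Program Files\Vendor\service.exe'   # assumed example path

function Get-DllSearchDirs {
    param([Parameter(Mandatory)][string]$AppPath)
    $dirs = @(
        (Split-Path -Parent $AppPath),          # 1. directory the application loaded from
        [Environment]::SystemDirectory,         # 2. system directory (System32)
        (Join-Path $env:SystemRoot 'System'),   # 3. 16-bit system directory
        $env:SystemRoot,                        # 4. Windows directory
        (Get-Location).ProviderPath             # 5. current directory (of this shell, see note)
    ) + @($env:Path -split ';' | Where-Object { $_ -ne '' })   # 6. PATH entries
    # Preserve order, drop duplicates (case-insensitive, ignoring trailing backslash)
    $seen = @{}
    foreach ($d in $dirs) {
        $key = $d.TrimEnd('\').ToLowerInvariant()
        if (-not $seen.ContainsKey($key)) { $seen[$key] = $true; $d }
    }
}

# Writability probe: create and immediately remove an empty file with a random name.
function Test-DirWritable([string]$Dir) {
    $probe = Join-Path $Dir ([guid]::NewGuid().ToString('N'))
    try { [IO.File]::Create($probe).Dispose(); Remove-Item -LiteralPath $probe -Force; $true } catch { $false }
}

$order = 0
Get-DllSearchDirs -AppPath $AppPath | ForEach-Object {
    $order++
    $exists = Test-Path -LiteralPath $_ -PathType Container
    [pscustomobject]@{
        Order     = $order
        Directory = $_
        Exists    = $exists
        Writable  = $exists -and (Test-DirWritable $_)
    }
} | Format-Table -AutoSize
```

Two caveats when reading the output. Entry 5 is the current directory of the shell running this script; when the service itself runs, its current directory is its own working directory, normally the system directory. And the order only applies to DLLs that are not already loaded, are not KnownDLLs, and are not redirected by the application's manifest or a SetDllDirectory call, so confirm which DLL names the binary actually tries and fails to load (for example with Process Monitor) before planting anything. A PATH entry that does not exist but whose parent you can create is also an opportunity.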

Unquoted Service Paths

We can explore unquoted service paths when we have write permissions inside an application's directory, or one of its parent directories. If the service's binary path contains spaces but isn't wrapped in quotes, Windows can't tell where the executable name ends, so it tries the path one space at a time, appending .exe to each prefix. If we can place a binary of our own at one of the locations it tries first, ours runs instead of the real one, under the service's account. Windows checks them in this order:
C:\Program.exe
C:\Program Files\my.exe
C:\Program Files\My Program\my.exe
C:\Program Files\My Program\my service\my.
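
The candidate sequence above, as an added example that is not part of the original post: it finds every service whose binary path is unquoted and contains spaces, generates the candidate executables Windows would try before the real one, and probes whether the current user can write to each candidate's directory.

```powershell
# Added example (not from the original post): enumerate unquoted service paths
# and the candidate locations Windows tries, flagging writable directories.

# Each space in the path produces one candidate: the prefix up to that space
# with .exe appended. The real path comes last.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ExePath)
    $parts  = $ExePath -split ' '
    $prefix = $parts[0]
    for ($i = 1; $i -lt $parts.Count; $i++) {
        "$prefix.exe"
        $prefix = "$prefix $($parts[$i])"
    }
    $ExePath
}

# Writability probe: create and immediately remove an empty file with a random name.
function Test-DirWritable([string]$Dir) {
    $probe = Join-Path $Dir ([guid]::NewGuid().ToString('N'))
    try { [IO.File]::Create($probe).Dispose(); Remove-Item -LiteralPath $probe -Force; $true } catch { $false }
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and -not $_.PathName.StartsWith('"') } |
    ForEach-Object {
        $svc = $_
        # Keep everything up to the .exe so spaces in the arguments do not count
        $exe = if ($svc.PathName -match '(?i)^(.*?\.exe)') { $Matches[1] } else { $svc.PathName }
        if ($exe -notmatch ' ') { return }          # no spaces in the path: nothing to abuse
        Get-UnquotedPathCandidates $exe | Select-Object -SkipLast 1 | ForEach-Object {
            $dir = Split-Path -Parent $_
            [pscustomobject]@{
                Service     = $svc.Name
                StartMode   = $svc.StartMode
                RunsAs      = $svc.StartName
                Candidate   = $_
                DirWritable = (Test-Path -LiteralPath $dir -PathType Container) -and (Test-DirWritable $dir)
            }
        }
    } | Format-Table -AutoSize
```

A writable candidate directory is only half the requirement: you still need the service to start again, so pair each hit with the restart check from the service binary hijacking section. On a default install, C:\ and C:\Program Files are not writable by standard users, so the useful hits are usually deeper in a vendor's own directory tree.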

Windows Kernel Exploits

Kernel exploits should be noted in the report but not executed on normal tests, as they carry a high risk of crashing the system. First, run the systeminfo command to gather information about the host: you're looking for the OS version, the architecture, and the hotfixes that have been installed.
systeminfo # returns system information including OS, architecture and hotfixes
wmic qfe get Caption,Description,HotFixID,InstalledOn # gathers more information about the hotfixes installed on the host (wmic is deprecated on current Windows releases; Get-HotFix is the PowerShell equivalent)
Each hotfix has a KB number, which you'll need to look up individually to understand which exploits won't work because the relevant patch is already installed.
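
The same facts gathered through CIM, as an added example that is not part of the original post: it collects OS, build, architecture and the installed KB list, and checks whether a given set of KB identifiers is present. The KB identifiers passed at the end are placeholders, not real updates; replace them with the KB numbers named in the advisory for the exploit you are considering.

```powershell
# Added example (not from the original post): collect what systeminfo and
# wmic qfe give you via CIM, then check specific KBs.
function Get-PatchState {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $kbs = Get-CimInstance -ClassName Win32_QuickFixEngineering |
           Sort-Object InstalledOn |
           ForEach-Object { $_.HotFixID }
    [pscustomobject]@{
        OS           = $os.Caption
        Version      = $os.Version          # e.g. 10.0.19045; the third field is the build
        Architecture = $os.OSArchitecture
        LastBoot     = $os.LastBootUpTime
        HotFixes     = @($kbs)
    }
}

# Report which of the given KBs are present. An absent KB does not by itself
# prove the host is vulnerable: a later cumulative update supersedes older KBs
# without listing them, so compare the build number against the advisory too.
function Test-KBInstalled {
    param(
        [Parameter(Mandatory)][string[]]$KB,
        [string[]]$Installed = (Get-PatchState).HotFixes
    )
    foreach ($id in $KB) {
        [pscustomobject]@{ KB = $id; Installed = ($Installed -contains $id) }
    }
}

$state = Get-PatchState
$state | Select-Object OS, Version, Architecture, LastBoot | Format-List
"$($state.HotFixes.Count) hotfixes installed; most recent: $($state.HotFixes[-1])"

# Placeholder identifiers, not real updates: substitute the KBs from the advisory.
Test-KBInstalled -KB 'KB1234567', 'KB7654321' | Format-Table -AutoSize
```

Record the output in your notes together with the last boot time: a host that has not rebooted since a patch was installed may still be running the unpatched kernel.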

Windows Privilege Escalation

Once you've completed Windows Enumeration, you'll likely have a good idea of where to go and what to explore further. Privilege escalation comes with many approaches and can be as simple as locating another user's credentials, but in this context we're speaking in more technical terms. This article works through the basics of understanding each attack vector that could lead to becoming SYSTEM.
Scheduled Tasks
With this approach, we're looking to understand what scheduled tasks are set up, when they're next running and who the task runs as.

Abusing Windows Privileges

There are two privileges to check for first when looking for privilege escalation:
SeImpersonatePrivilege - the account can impersonate a client after authentication.
SeShutdownPrivilege - the user can shut down or restart the system. On its own this isn't an escalation, but it matters when a change (a replaced auto-start service binary, for instance) only takes effect after a reboot.
You can check privileges with the following command:
whoami /priv # displays the current user's privileges
A privilege shown as Disabled is still held by the token; the process can enable it, so don't discount it. You're ideally looking for SeImpersonatePrivilege or SeShutdownPrivilege, as these can lead to privilege escalation:
SeImpersonatePrivilege
This privilege is generally exploitable using PrintSpoofer or the Potato family of exploits. Service accounts such as IIS application pool identities and the MSSQL service account commonly hold it, which is why a web shell or xp_cmdshell foothold so often escalates this way.
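
Checking for these programmatically, as an added example that is not part of the original post: it parses the CSV form of whoami /priv and reports any privilege from a watch list, with a note on why it matters. The page names SeImpersonatePrivilege and SeShutdownPrivilege; the other entries in the list are my own additions of privileges that are routinely abused in the same way. The column names assume an English-language Windows, since whoami localizes its headers.

```powershell
# Added example (not from the original post): flag commonly abused privileges
# held by the current token, whether or not they are currently enabled.
$interesting = @{
    'SeImpersonatePrivilege'        = 'Impersonate a client after authentication: PrintSpoofer / Potato family'
    'SeAssignPrimaryTokenPrivilege' = 'Assign the primary token of a new process: Potato family'
    'SeShutdownPrivilege'           = 'Reboot the host so a modified auto-start service is reloaded'
    'SeBackupPrivilege'             = 'Read any file regardless of ACL, e.g. SAM and SYSTEM hives'
    'SeRestorePrivilege'            = 'Write any file regardless of ACL, e.g. overwrite a service binary'
    'SeTakeOwnershipPrivilege'      = 'Take ownership of files and registry keys, then grant yourself access'
    'SeDebugPrivilege'              = 'Open any process, including SYSTEM ones, for injection or dumping'
    'SeLoadDriverPrivilege'         = 'Load a kernel driver'
}

function Get-InterestingPrivileges {
    # whoami supports CSV output; the columns are "Privilege Name","Description","State"
    whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object {
        $name = $_.'Privilege Name'
        if ($interesting.ContainsKey($name)) {
            [pscustomobject]@{
                Privilege    = $name
                # "Disabled" only means not enabled in this token; the process can
                # still enable it with AdjustTokenPrivileges, so it still counts.
                State        = $_.State
                WhyItMatters = $interesting[$name]
            }
        }
    }
}

$found = @(Get-InterestingPrivileges)
if ($found.Count -eq 0) { 'No commonly abused privileges held by this token.' }
else { $found | Format-Table -AutoSize -Wrap }
```

Run it from the shell you actually obtained (a web shell, a reverse shell from a service) rather than an interactive logon, because the privileges differ between the two: an interactive session for the same account is usually filtered by UAC and holds fewer of them.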

Scheduled Tasks

In order to leverage this approach to privilege escalation, we're looking to understand what scheduled tasks are set up, when they're next running and who the task runs as. We also need to understand whether we can edit the file that the scheduled task runs, because that's our opportunity: we'll either add an admin user or try to get a reverse shell.
Get-ScheduledTask # uses PowerShell to get scheduled tasks
schtasks /query /fo LIST /v # lists all scheduled tasks; the list can be enormous, so it might take a while to pick through
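
The three questions above (what runs, as whom, and can we change it), as an added example that is not part of the original post or of the Windows Privilege Escalation post: it walks every enabled task outside the \Microsoft\ folder, resolves each action's executable (expanding variables such as %SystemRoot%), reports the principal and next run time, and tests whether the current user can open the executable for writing. The open is done without writing, so it leaves the file unchanged.

```powershell
# Added example (not from the original post): scheduled tasks with principal,
# next run time and whether the action's executable is writable by us.

# Task actions are often quoted and may hold environment variables
function Get-TaskExePath([string]$Execute) {
    [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
}

# Open for write without modifying anything. A running binary held without
# share-write access also returns $false (sharing violation), so treat $false
# as "not confirmed" rather than "not writable".
function Test-FileWritable([string]$Path) {
    try { ([IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite')).Dispose(); $true } catch { $false }
}

Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # COM handler actions have no Execute
            $exe = Get-TaskExePath $action.Execute
            [pscustomobject]@{
                Task     = "$($task.TaskPath)$($task.TaskName)"
                RunsAs   = $task.Principal.UserId
                RunLevel = $task.Principal.RunLevel
                NextRun  = $info.NextRunTime
                LastRun  = $info.LastRunTime
                Exe      = $exe
                Args     = $action.Arguments
                Writable = (Test-Path -LiteralPath $exe) -and (Test-FileWritable $exe)
            }
        }
    } | Sort-Object Writable -Descending | Format-Table -AutoSize
```

A standard user only sees tasks whose definitions they are permitted to read, so an empty or short list here does not mean there are none; cross-check with schtasks /query /fo LIST /v and with the files under C:\Windows\System32\Tasks that you can read. A task whose executable path is relative (for example just a program name) is resolved through the PATH at run time, which is itself worth checking for writable directories.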

Windows Application Exploits

In order to identify exploits for applications that are installed on the system, we need to know what applications are installed:
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname # shows installed applications
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname,displayversion # shows installed applications and version information
Note that the Wow6432Node key only lists 32-bit applications on 64-bit Windows; 64-bit applications live under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and per-user installs under the same path in HKCU, so query all three. Once you have a list of these applications, you can run searches for them based on this information. One of the best places to search is searchsploit, which comes with Kali:
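
The inventory step above, as an added example that is not part of the original post: it reads all three uninstall locations, tags each entry with where it came from, and prints one searchsploit query line per application for you to run on Kali. The query text is derived from the display name with parenthesised text and punctuation stripped, which keeps it broad; refine the results by version afterwards.

```powershell
# Added example (not from the original post): installed applications from the
# native, Wow6432Node and per-user uninstall keys, plus searchsploit queries.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledApps {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |             # skip patches and empty entries
        ForEach-Object {
            [pscustomobject]@{
                Name       = $_.DisplayName
                Version    = $_.DisplayVersion
                Publisher  = $_.Publisher
                InstallDir = $_.InstallLocation
                Source     = if ($_.PSPath -like '*Wow6432Node*') { '32-bit' }
                             elseif ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'per-user' }
                             else { 'native' }
            }
        } | Sort-Object Name -Unique
}

$apps = Get-InstalledApps
$apps | Format-Table Name, Version, Publisher, Source -AutoSize

# One searchsploit query per application; run these on Kali.
$apps | ForEach-Object {
    $q = ($_.Name -replace '\(.*?\)', '' -replace '[^\w\s.-]', '').Trim()
    $line = "searchsploit `"$q`""
    if ($_.Version) { $line += "   # installed version $($_.Version)" }
    $line
} | Sort-Object -Unique
```

InstallLocation is worth keeping even though searchsploit doesn't need it: an application directory that the current user can write to is a service binary or DLL hijacking candidate regardless of whether a public exploit exists for the version.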

Windows Enumeration

Once you've successfully exploited a machine and have your foothold, it's time to enumerate from the inside to understand how you might escalate privileges or move laterally. Our upcoming WinDeBeest script will handle a lot of this enumeration for you and direct you to the appropriate pages on the website. Even if an approach looks likely to work, it's not guaranteed; that's just the nature of penetration testing. Sometimes it's a case of working through many different possibilities and sets of information, hunting for files and planning lateral movement, to eventually get to SYSTEM.