powerup - automating windows privilege escalation
DESCRIPTION
This slide deck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a PowerShell tool for Windows privilege escalation.
TRANSCRIPT
Automating Windows Privilege Escalation
Will (@harmj0y)
Veris Group, Adaptive Threat Division
$ whoami
Security researcher and pentester/red teamer for the Adaptive Threat Division of Veris Group
Co-founder of the Veil-Framework (#avlol) www.veil-framework.com
Shmoocon '14: AV Evasion with the Veil Framework
Co-wrote Veil-Evasion; wrote Veil-Catapult and Veil-PowerView
BSides Austin ‘14: Wielding a Cortana
BSides Boston ’14: Pwnstaller 1.0
Defcon ’14 (accepted): Post-Exploitation 2.0
tl;dr
Why PowerShell?
Why build this?
Windows Service Vulnerabilities
PowerUp
service enumeration
service abuse
misc. methods
Demo
Questions
Why PowerShell?
Really need to say anything?
Whitelisted, trusted execution, full .NET capabilities, can refrain from touching disk, etc. etc. etc.
Use it, yo': PowerSploit, Posh-SecMod, Veil-PowerView, Nishang
Why build this?
On a recent assessment, had to escalate privileges on a locked-down workstation
Kernel exploits wouldn't work, so fell back to vulnerable services
Service binary had improper permissions
Replacing the .exe and bouncing the box = no privs to local admin
More or less did everything manually, wanted something a bit easier
Windows Service Vulnerabilities
Trusted Path Escalation
Metasploit module: trusted_service_path.rb
If a service's binary path is unquoted and contains a space, the Windows API is ambiguous about how to interpret the final path
i.e. C:\Tools\Custom Tools\program.exe will be interpreted as C:\Tools\Custom.exe first, then C:\Tools\Custom Tools\program.exe
If you have write access to the base path, money!
Vulnerable Service Permissions
Also a Metasploit module: service_permissions.rb
Check if the current user can modify the service itself
Replace the binary path for the service with something like “net user john password /add” and bounce the service to add the user
Repeat with “net localgroup administrators john /add”
Can be done by hand with accesschk.exe and sc.exe
Vulnerable EXE Permissions
Check the permissions for each executable associated with running processes
If you can write to the executable path for a service, replace the binary with something that adds a local admin (or pops a Meterpreter shell)
If you can’t bounce the service, bounce the box
This is how we ended up escalating in the field
Escalation Automation With PowerShell
PowerUp
Implements methods to easily enumerate and abuse misconfigured Windows services for the purposes of privilege escalation
Have started to implement additional common Windows privesc vectors: .dll hijacking, AlwaysInstallElevated, etc.
http://www.harmj0y.net/blog/powershell/powerup/
https://github.com/HarmJ0y/PowerUp
Service Enumeration
Get-ServiceUnquoted will find all services with unquoted paths and a space in the full path name
Get-ServicePerms enumerates all services the current user has modification rights to
Get-ServiceEXEPerms checks all associated service executables and returns any paths the user has write access to
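An administrator-side audit of the unquoted-path issue described under Trusted Path Escalation and enumerated by Get-ServiceUnquoted, added here as an example (it is not PowerUp's code and not from the deck). It assumes PowerShell 3+ (Get-CimInstance) in an elevated session, and treats Everyone, Authenticated Users and BUILTIN\Users as the low-privileged identities that must not be able to write to the directories Windows probes first.

```powershell
# Added audit example (not PowerUp's own code). For each service whose ImagePath is unquoted and
# contains a space: list the intermediate executables Windows tries before the intended binary,
# flag parent directories writable by low-privileged groups, and emit the quoting fix for sc.exe.
# Everyone, Authenticated Users, BUILTIN\Users: none should hold write rights on these directories.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
$WriteMask   = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl)

function Test-LowPrivWritable([string]$Dir) {
    if (-not (Test-Path -LiteralPath $Dir)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($LowPrivSids -contains $sid) -and (([int]$ace.FileSystemRights) -band $WriteMask)) { return $true }
    }
    return $false
}

function Get-UnquotedServicePathAudit {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $raw = $_.PathName
        if ([string]::IsNullOrWhiteSpace($raw) -or $raw.StartsWith('"')) { return }
        # Split the binary from its arguments: everything up to the first ".exe" is the binary.
        $m = [regex]::Match($raw, '^(.*?\.exe)', 'IgnoreCase')
        if (-not $m.Success) { return }
        $binary    = $m.Groups[1].Value
        $arguments = $raw.Substring($binary.Length)
        if (-not $binary.Contains(' ')) { return }

        # C:\Tools\Custom Tools\program.exe -> C:\Tools\Custom.exe is tried before the real binary.
        $parts      = $binary -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
        $risky      = @($candidates | ForEach-Object { Split-Path -Path $_ -Parent } |
                        Select-Object -Unique | Where-Object { Test-LowPrivWritable $_ })

        [pscustomobject]@{
            Service      = $_.Name
            BinaryPath   = $binary
            TriedFirst   = $candidates
            WritableDirs = $risky
            # Fix: quote the path. Command is meant for cmd.exe; sc.exe quoting is fragile from PowerShell.
            Remediation  = 'sc.exe config "{0}" binPath= "\"{1}\"{2}"' -f $_.Name, $binary, $arguments
        }
    }
}

Get-UnquotedServicePathAudit | Where-Object { $_.WritableDirs.Count -gt 0 } | Format-List
```

Drop the final Where-Object filter to see every unquoted path, not only those with a writable probe directory; the Remediation line is the per-service fix to apply.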
Service Abuse
Invoke-ServiceUserAdd enables/stops a service, reconfigures it to create a user and add them to the local admins, restarts, etc.
Write-UserAddServiceBinary generates a precompiled C# service binary and binary-patches in the service name, username/password and group to add a user to
Can easily write the binary out to any unquoted paths
Write-ServiceEXE writes a service binary out to a given service path, backing up the original .exe
Misc. Checks I
Invoke-FindDLLHijack is a (kind of) port of Mandiant's FindDLLHijack code
Checks each running process and its loaded modules, and returns all hijackable locations, i.e. any base "exe path + loaded module name" that doesn't exist
Invoke-FindPathDLLHijack finds potentially hijackable service .DLL locations from %PATH%
Check out http://www.greyhathacker.net/?p=738 for more information
Misc. Checks II
Get-RegAlwaysInstallElevated checks if the AlwaysInstallElevated registry key is enabled
Write-UserAddMSI can then write out an MSI installer that prompts for a local admin to add
Get-UnattendedInstallFiles finds unattended .xml install files that may have leftover credentials
Get-RegAutoLogon extracts any auto logon credentials from the Windows registry
Invoke-AllChecks will run all current privesc checks
Demo
Questions?
Contact me: @harmj0y [email protected]
Read more: http://www.harmj0y.net/blog/powershell/powerup/
Get PowerUp: https://github.com/HarmJ0y/PowerUp
Being integrated into Nishang