🪂Getting the Lay of the Land
Gathering network information is a crucial part of our enumeration. We can look for dual-homed hosts to move to an internal network, gather information about the local domain, view the ARP cache for each interface, and view other hosts the host has recently communicated with. The things to check are:
- Interface(s), IP address(es), DNS information
- ARP table
- Routing table
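The three checks above in one pass, as an added example that is not part of the original notes. It uses the NetTCPIP cmdlets (Windows 8 / Server 2012 and later) and flags a multi-homed host, i.e. more than one interface carrying a usable IPv4 address.

```powershell
# Added example (not from the original notes). Interfaces, ARP cache, routes and domain
# membership in one run; a second non-loopback, non-APIPA interface is the dual-homed hint.
$addrs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }

"== Interfaces, gateways and DNS =="
$addrs | ForEach-Object {
    $cfg = Get-NetIPConfiguration -InterfaceIndex $_.InterfaceIndex
    [pscustomobject]@{
        Interface = $_.InterfaceAlias
        Address   = "$($_.IPAddress)/$($_.PrefixLength)"
        Gateway   = $cfg.IPv4DefaultGateway.NextHop
        # AddressFamily 2 = IPv4 entries of the DNS client configuration
        DNS       = ($cfg.DNSServer | Where-Object AddressFamily -eq 2).ServerAddresses -join ','
    }
} | Format-Table -AutoSize

if (@($addrs.InterfaceIndex | Sort-Object -Unique).Count -gt 1) {
    "[!] Host is multi-homed: the routes and ARP entries below may point into a second network"
}

"== ARP cache (hosts this machine talked to recently) =="
Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale |
    Select-Object InterfaceAlias, IPAddress, LinkLayerAddress | Format-Table -AutoSize

"== Routing table (host routes omitted) =="
Get-NetRoute -AddressFamily IPv4 | Where-Object { $_.DestinationPrefix -notlike '*/32' } |
    Select-Object InterfaceAlias, DestinationPrefix, NextHop, RouteMetric | Format-Table -AutoSize

"== Domain membership =="
Get-CimInstance Win32_ComputerSystem | Select-Object Name, Domain, PartOfDomain | Format-List
```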
The next step is to enumerate protections on the host that could be monitoring us or blocking our actions, such as blocking non-admin users from running cmd.exe, powershell.exe, or other binaries and file types not needed for their day-to-day work. A popular solution offered by Microsoft is AppLocker. We can use the Get-AppLockerPolicy cmdlet to enumerate the local, effective (enforced), and domain AppLocker policies.
We can start by checking the Windows Defender status. Then, to get more information, we can list the AppLocker rules, and finish with a test of the AppLocker policy.
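The three steps above as one script, added here and not part of the original notes. It assumes the Defender and AppLocker PowerShell modules are present (Windows 10/11, Server 2016 and later); the two binaries tested are the cmd.exe and powershell.exe the text mentions.

```powershell
# Added example (not from the original notes): Defender state, the effective AppLocker
# rule set, and a dry run of that rule set against the two binaries discussed above.
"== Windows Defender =="
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMServiceEnabled,
                  AntivirusSignatureLastUpdated | Format-List

"== Effective AppLocker rules (local + domain, as enforced) =="
$policy = Get-AppLockerPolicy -Effective
foreach ($coll in $policy.RuleCollections) {
    "-- {0} collection, enforcement: {1}" -f $coll.RuleCollectionType, $coll.EnforcementMode
    foreach ($rule in $coll) {
        # Resolve the SID to a name where possible; fall back to the raw SID
        $who = try {
            (New-Object System.Security.Principal.SecurityIdentifier($rule.UserOrGroupSid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $rule.UserOrGroupSid }
        "   [{0}] {1}  ->  {2}" -f $rule.Action, $rule.Name, $who
    }
}

"== Policy decision for the current user =="
$targets = "$env:SystemRoot\System32\cmd.exe",
           "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$policy | Test-AppLockerPolicy -Path $targets -User "$env:USERDOMAIN\$env:USERNAME" |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
```

An EnforcementMode of AuditOnly means matching rules are only logged to the AppLocker event log, not enforced.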
Initial Enumeration
We can escalate privileges to one of the following, depending on the system configuration and what type of data we encounter:
- The highly privileged SYSTEM account
- The built-in local administrator account
- Another local account that is a member of the local Administrators group
- A standard (non-privileged) domain user who is part of the local Administrators group
- A domain admin (highly privileged in the Active Directory environment) that is part of the local Administrators group
When we gain initial shell access to the host, it is vital to gain situational awareness and uncover details relating to the OS version, patch level, installed software, current privileges, group memberships, and more.
System Information
Looking at the system itself will give us a better idea of the exact operating system version, hardware in use, installed programs, and security updates. This will help us narrow down our hunt for any missing patches and associated CVEs that we may be able to leverage to escalate privileges.
We need to be familiar with Windows processes such as Session Manager Subsystem (smss.exe), Client Server Runtime Subsystem (csrss.exe), WinLogon (winlogon.exe), Local Security Authority Subsystem Service (LSASS), and Service Host (svchost.exe).
In this output, the FileZilla FTP server would be of interest; we would attempt to enumerate its version to look for public vulnerabilities or misconfigurations such as FTP anonymous access.
Display All Environment Variables
If the folder placed in the PATH is writable by your user, it may be possible to perform DLL Injections against other applications. Remember, when running a program, Windows looks for that program in the CWD (Current Working Directory) first, then from the PATH going left to right. This means if the custom path is placed on the left (before C:\Windows\System32), it is much more dangerous than on the right.
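An audit of exactly that condition, added here and not part of the original notes: it walks PATH left to right, reports entries that are relative, missing, or writable by low-privileged principals, and says whether each sits before or after System32. The principal list and the write mask are assumptions you can extend.

```powershell
# Added example (not from the original notes). Flags PATH entries a non-admin could plant
# a file in; an entry flagged BEFORE System32 is searched first and is the dangerous case.
$lowPriv   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             "$env:USERDOMAIN\$env:USERNAME"          # assumed set of low-privileged principals
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

$dirs  = @($env:PATH -split ';' | Where-Object { $_.Trim() })
$norm  = @($dirs | ForEach-Object { $_.Trim().TrimEnd('\').ToLowerInvariant() })
$sys32 = [array]::IndexOf($norm, "$env:SystemRoot\System32".ToLowerInvariant())

for ($i = 0; $i -lt $dirs.Count; $i++) {
    $d   = $dirs[$i].Trim()
    $pos = if ($sys32 -lt 0 -or $i -lt $sys32) { 'BEFORE System32' } else { 'after System32' }

    if (-not [System.IO.Path]::IsPathRooted($d)) {
        "[!] $d is a relative entry ($pos): resolved against whatever the CWD is"; continue
    }
    if (-not (Test-Path -LiteralPath $d)) {
        "[!] $d does not exist ($pos): whoever can write its parent can create it"; continue
    }
    # Explicit Allow ACEs for a low-privileged principal that carry any write bit.
    # Generic rights (e.g. GENERIC_ALL) are not decoded here; accesschk -w covers those.
    $hits = Get-Acl -LiteralPath $d | Select-Object -ExpandProperty Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    if ($hits) { "[!] $d writable by $($hits -join ', ') ($pos)" } else { "    $d ok ($pos)" }
}
```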
View Detailed Configuration Information
The systeminfo command will show if the box has been patched recently and if it is a VM. If the box has not been patched recently, getting administrator-level access may be as simple as running a known exploit. The System Boot Time and OS Version can also be checked to get an idea of the patch level.
If systeminfo doesn't display hotfixes, they may be queryable with WMI using the WMI command-line binary with QFE (Quick Fix Engineering). We can do this with PowerShell as well.
Installed Programs
WMI can also be used to display installed software, after which LaZagne can be run to check whether stored credentials for those applications are present on the host. The same listing can be done with PowerShell.
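The system-information and installed-software steps above as one script, added here and not part of the original notes. It reads the same facts systeminfo reports (OS build, boot time, hardware model as a VM hint, hotfixes), computes how old the newest hotfix is, and lists installed programs from the registry Uninstall keys.

```powershell
# Added example (not from the original notes): OS/patch-level summary plus installed programs.
$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
[pscustomobject]@{
    OS           = "$($os.Caption) ($($os.Version), build $($os.BuildNumber))"
    Architecture = $os.OSArchitecture
    LastBoot     = $os.LastBootUpTime
    Manufacturer = $cs.Manufacturer
    Model        = $cs.Model   # 'Virtual Machine', 'VMware Virtual Platform' etc. on a VM
    Domain       = $cs.Domain
} | Format-List

# Hotfixes: the same data wmic qfe returns, newest first, with the age of the latest one
$hotfixes = @(Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending)
if ($hotfixes.Count -gt 0) {
    $age = (Get-Date) - $hotfixes[0].InstalledOn
    "Newest hotfix: {0} on {1:yyyy-MM-dd} ({2} days ago); {3} hotfixes total" -f
        $hotfixes[0].HotFixID, $hotfixes[0].InstalledOn, [int]$age.TotalDays, $hotfixes.Count
    $hotfixes | Select-Object -First 5 HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    "No hotfixes reported; check Windows Update history or the Setup event log instead"
}

# Installed programs: the Uninstall keys are read instead of Win32_Product, which is slow
# and triggers an MSI consistency check of every package it enumerates
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique | Format-Table -AutoSize
```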
Display Running Processes
The netstat command will display active TCP and UDP connections, which gives us a better idea of what services are listening on which port(s), both locally and accessible from the outside.
User & Group Information
Logged-In Users
It is always important to determine which users are logged into a system.
Current User
We always need to check what user context our account is running under first. Suppose we gain access as a service account. In that case, we may have privileges such as SeImpersonatePrivilege, which can often be abused to escalate privileges using a tool such as Juicy Potato.
Current User Privileges
Current User Group Information
It is important to check whether our user inherited any rights through their group memberships, and whether they are privileged in the Active Directory domain environment.
Get All Users
Knowing what other users are on the system is important as well. If we captured credentials for a user bob and see a bob_adm user in the local Administrators group, it is worth checking for credential re-use.
Get All Groups
Details About a Group
We may find a password or other interesting information stored in a group's description.
Get Password Policy & Other Account Information
What service is listening on port 8080 (service name not the executable)?
Communication with Processes
The most common example of privilege escalation through running services is discovering a web server like IIS or XAMPP running on the box, placing an aspx/php shell on it, and gaining a shell as the user running the web server, which hopefully holds the SeImpersonate token, allowing Rogue/Juicy/Lonely Potato to provide SYSTEM permissions.
Display Active Network Connections
The main thing to look for with active network connections are entries listening on loopback addresses (127.0.0.1 and ::1) that are not listening on the IP address (10.129.43.8) or broadcast (0.0.0.0, ::/0). The reason for this is that network sockets on localhost are often insecure because of the assumption that "they aren't accessible from the network."
A common local privilege escalation vector is the Erlang port (25672); see the Erlang-arce blog post from Mubix.
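A listing that applies the rule above, added here and not part of the original notes: listening TCP sockets grouped by port, the owning process and any service hosted by that PID, and a LoopbackOnly flag for ports bound to 127.0.0.1 / ::1 and nothing else. UDP endpoints are left out; Get-NetUDPEndpoint gives those.

```powershell
# Added example (not from the original notes). Loopback-only listeners come out on top,
# and the Service column answers "which service, not which executable" for each PID.
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $k = [int]$_.ProcessId
    if (-not $svcByPid.ContainsKey($k)) { $svcByPid[$k] = @() }
    $svcByPid[$k] += $_.Name
}
$loopback = '127.0.0.1', '::1'

$rows = Get-NetTCPConnection -State Listen | Group-Object LocalPort | ForEach-Object {
    $addrs = @($_.Group.LocalAddress | Sort-Object -Unique)
    $pids  = @($_.Group.OwningProcess | Sort-Object -Unique | ForEach-Object { [int]$_ })
    [pscustomobject]@{
        Port         = [int]$_.Name
        Addresses    = $addrs -join ','
        # true only when every binding of this port is a loopback address
        LoopbackOnly = @($addrs | Where-Object { $_ -notin $loopback }).Count -eq 0
        PID          = $pids -join ','
        Process      = @($pids | ForEach-Object {
                           (Get-Process -Id $_ -ErrorAction SilentlyContinue).ProcessName }) -join ','
        Service      = @($pids | ForEach-Object { $svcByPid[$_] }) -join ','
    }
}

"== Listening TCP ports (loopback-only first) =="
$rows | Sort-Object @{ Expression = 'LoopbackOnly'; Descending = $true }, Port |
    Format-Table Port, Addresses, LoopbackOnly, PID, Process, Service -AutoSize
```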
Named Pipes
The other way processes communicate with each other is through Named Pipes. Pipes are essentially files stored in memory that get cleared out after being read.
The workflow looks like this:
1. Beacon starts a named pipe of \\.\pipe\msagent_12
2. Beacon starts a new process and injects a command into that process, directing output to \\.\pipe\msagent_12
3. The server displays what was written into \\.\pipe\msagent_12
We can use the tool PipeList from the Sysinternals Suite to enumerate instances of named pipes.
Listing Named Pipes with Pipelist
PowerShell:
We can use Accesschk to enumerate the permissions assigned to a specific named pipe by reviewing the Discretionary Access Control List (DACL), which shows us who has permission to modify, write, read, or execute a resource.
Reviewing LSASS Named Pipe Permissions
Named Pipes Attack Example
This WindscribeService Named Pipe Privilege Escalation is a great example. Using accesschk, we can search for all named pipes that allow write access with a command such as accesschk.exe -w \pipe\* -v and notice that the WindscribeService named pipe allows READ and WRITE access to the Everyone group. These lax permissions could then be leveraged to escalate privileges on the host to SYSTEM.
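The DACL pattern behind that finding, reproduced and audited in one script; this is an added example, not part of the original notes or of the Windscribe case. It creates two short-lived pipes with constructed names, one carrying the lax "Everyone read/write" DACL and one restricted to the current user and SYSTEM, then reads both DACLs back the way an audit would. Written for Windows PowerShell 5.1, since the PipeSecurity constructor used is a .NET Framework API.

```powershell
# Added example (not from the original notes). Pipe names are constructed for the demo.
Add-Type -AssemblyName System.Core
function New-DemoPipe([string]$Name, [string[]]$Principals) {
    # Build a DACL granting ReadWrite only to the listed principals, then create the pipe with it
    $sec = New-Object System.IO.Pipes.PipeSecurity
    foreach ($p in $Principals) {
        $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($p,
            [System.IO.Pipes.PipeAccessRights]::ReadWrite,
            [System.Security.AccessControl.AccessControlType]::Allow)))
    }
    New-Object System.IO.Pipes.NamedPipeServerStream($Name,
        [System.IO.Pipes.PipeDirection]::InOut, 1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None, 4096, 4096, $sec)
}
function Show-PipeDacl([System.IO.Pipes.NamedPipeServerStream]$Pipe, [string]$Label) {
    # Same information accesschk -v prints: each ACE's principal and its pipe rights
    "-- $Label"
    $writeData = [int][System.IO.Pipes.PipeAccessRights]::WriteData
    $rules = $Pipe.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        $flag = ''
        if ($ace.IdentityReference.Value -eq 'Everyone' -and
            (([int]$ace.PipeAccessRights) -band $writeData) -ne 0) {
            $flag = '   <-- any local user can write to this pipe'
        }
        "   {0,-35} {1}{2}" -f $ace.IdentityReference.Value, $ace.PipeAccessRights, $flag
    }
}

$lax  = New-DemoPipe 'demo_lax_pipe'  @('Everyone')
$safe = New-DemoPipe 'demo_safe_pipe' @("$env:USERDOMAIN\$env:USERNAME", 'NT AUTHORITY\SYSTEM')
try {
    "== Pipes present (what PipeList would show, filtered to the demo) =="
    [System.IO.Directory]::GetFiles('\\.\pipe\') | Where-Object { $_ -like '*demo_*_pipe' }
    Show-PipeDacl $lax  'demo_lax_pipe (the WindscribeService pattern)'
    Show-PipeDacl $safe 'demo_safe_pipe (restricted)'
} finally {
    $lax.Dispose(); $safe.Dispose()
}
```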
Which account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01 named pipe?