Windows Privilege Escalation (AlwaysInstallElevated)

Hello Friends!! In this article, we are demonstrating the Windows privilege escalation method via the method of AlwaysInstallElevated policy. In penetration testing, when we spawn command shell as a local user, it is possible to exploit the vulnerable features (or configuration settings) of Windows Group policy, to further elevate them to admin privileges and gain the administrator access

Table of Content

  • Introduction
  • Lab setup
  • Spawn command shell as local user
  • Escalate privilege manually via .msi payload (MSfvenom)
  • Escalated privilege via Adding user Administrators Group (Msfvenom)
  • Escalate privilege via Post exploit (Metasploit)

Introduction

AlwaysInstallElevated Policy

As we all are aware that Windows OS comes installed with a Windows Installer engine which is used by MSI packages for the installation of applications. These MSI packages can be installed with elevated privileges for non-admin users

For this purpose, the AlwaysInstallElevated policy feature is used to install an MSI package file with elevated (system) privileges. This policy is enabled in the Local Group Policy editor; directs the Windows Installer engine to use elevated permissions when it installs any program on the system. This method can make a machine vulnerable posing a high-security risk because a non-administrator user can run installations with elevated privileges and access many secure locations on the computer.

Caution Note: This option is equivalent to granting full administrative rights, which can pose a massive security risk. Microsoft strongly discourages the use of this setting. Hence this should be used for the lab purposes only (and not in a Production environment)

Lab set-up

Victim’s Machine: Windows 7

Attacker’s machine: Kali Linux

To make this policy effective [i.e install a package with elevated (system) privileges], we need to ensure that victim machine is deliberately made vulnerable by enabling the AlwaysInstalledElevated Policy in the Computer Configuration and User Configuration folders of the Local Group Policy editor

For the Windows configuration 

Type gpedit.msc in the Run dialog box of the Start Menu in the Windows 7 machine and the Local Group Policy editor window prompt will open

  1. Change the settings of AlwaysInstalledElevated policy
  2. For the Computer configuration

Navigate to the below path in the Windows machine

Computer Configuration\Administrative Templates\Windows Components\Windows Installer

Enable the Always install with elevated privileges

For the User configuration 

Navigate to the below path in the Windows machine

User Configuration\Administrative Templates\Windows Components\Windows Installer

Enable the Always install with elevated privileges

This completes the lab set up on the Windows machine.N ow let’s proceed to our actual task.

Spawning Victim’s Machine

We need to compromise the Windows victim machine at least once to gain the meterpreter session. As you can observe that we already have a victim’s meterpreter session. Let’s open the msfconsole and check the existing current sessions

As we can see that there exists a session already with ID 1. Now let’s open the session 1 and extract the user details

As we can see that we are logged into this session with the username as raj.

Note: The existing user “raj” already exists in the Windows 7 victim machine and is a non-admin user

 

Now let’s open the command shell of the target machine

Upon executing the shell command, we would land into the user’s Downloads folder C:\Users\raj\Downloads

We will now run the registry query command on this command prompt so as to verify whether the Windows installer have elevated privileges or not, as per our settings configured earlier

As we can see from the output that the registry named “AlwaysInstallElevated” exists with a dword (REG_WORD) value of 0x1, which means that the AlwaysInstallElevated policy is enabled.

Privilege Escalation via .msi payload (1st Method)

Now let’s open a new terminal in Kali machine and generate an MSI Package file (1.msi ) utilizing the Windows Meterpreter payload as follows

On the existing Meterpreter session of the user, let’s upload our MSI file named 1.msi to the target machine as follows. Once it is uploaded successfully, we will then jump to the shell

Note: Before executing the MSI Package file, let’s start an MSF handler in another terminal window

(Refer to the commands for same, after the below screenshot)

Execute the MSI package file on the Windows command prompt

 

/quiet = Suppress any messages to the user during installation
/qn = No GUI
/i = Regular (vs. administrative) installation

In a parallel window, we opened a new handler before executing the .msi file

Finally, we got the meterpreter session using this exploit!!  Let’s have further look at the details of the user privileges we gained on this system

Fantastic!! We have rooted in the Local System account (NT AUTHORITY\SYSTEM) which has the highest level of privileges on the local system.

 

Adding user in Administrators Group (2nd Method)

In this method, we will choose a non-admin user from the existing list of users in the target machine and then try to elevate his privileges. Here we will send the relevant Windows commands (to the target machine), utilizing the windows/exec payload of the Metasploit.

First, let us check the details of existing users in the victim machine. Here we can select any user, lets; select a user named “raaz” who is a non-admin user

The verification that the user name “raaz” is in the Local Users group can be done by running the following in the command prompt

 

Generate an MSI package (2.msi ) with the windows/exec payload, that sends a command instructing to add local admin privileges for the user “raaz”, to the target machine.

Now let’s upload the MSI file 2.msi to the target machine as follows

Note: Before uploading the MSI file, press Ctrl+Z to exit out of the victim machine’s command shell

In the meterpreter shell type

Once the MSI file is uploaded successfully, we will take the command shell and execute the installer file

The verification that the user name “raaz” has been added into the local administrator group can be done by running the following in the command prompt

As we can see from the screenshot the user raaz is now a member of Local Administrators group

Awesome !! We have got the privileges of the non-admin user escalated via using the manual exploit.

 

Privilege Escalation via Metasploit Post Exploit (3rd Method)

In order to perform the Privilege escalation abusing the AlwaysInstalledElevated policy, we can also utilize the inbuilt exploit of the Metasploit module as follows :

Now let’s use this exploit

We got the meterpreter session using the in-built exploit as well !! Now let’s have further look at the details of the user privileges

Hurrah!! We have rooted in the Local System account (NT AUTHORITY\SYSTEM) which has the highest level of privileges on the local system

Note: We have shown one of the methodologies to elevate the privileges.T his lab can be performed in multiple ways, as there are many other methods of performing the Windows privilege escalation.

 Author: Ankur Sachdev is an Information Security consultant and researcher in the field of Network & WebApp Penetration Testing. Contact Here

Windows Privilege Escalation (Unquoted Path Service)

In this article, we are demonstrating Windows privilege escalation via Unquoted service Path.  In penetration testing when we spawn command shell as a local user, it is not possible to check restricted file or folder, therefore we need to escalated privileges to get administrators access.

Table of Content

  • Introduction
  • Lab setup
  • Spawn command shell as local user
  • Escalated privilege via Prepend-migrate
  • Escalated privilege via Adding user Administrators Group
  • Escalated privilege via RDP & Sticky_keys

Unquoted service Path Vulnerability

Introduction

The vulnerability is related to the path of the executable that has a space in the filename and the file name is not enclosed in quote tags (“”). Also, if it has writable permissions, then an attacker can replace the executable file with its malicious exe file, so as to escalate admin privileges.

Lab set-up

Victim’s Machine: Windows 7

Attacker’s machine: Kali Linux

First, we have downloaded and installed a Vulnerable application naming photodex proshow in our windows system, which we found under Exploit DB.

Spawning Victim’s Machine

We need to compromise the windows machine at least once to gain the meterpreter session. As you can observe we already have victim’s meterpreter session. Now let’s open the command shell from here.

As you can observe, we have shell access as local_user and to get cmd as administrator we need to escalate its privileges. Firstly we can enumerate out all the services that are running on the victim’s machine and discover those that are not bounded inside quotes tag with help of the following command:

So we have enumerated following path: C:\Program Files\Photodex\ProShow Producer\Scsiaccess.exe as you can see, there is not quotes tag around the path and also space in the filename.

Now let’s identify the folder permissions using the following command:

As you can observe it has writable permission for everyone which means user raj can overwrite this file.

Escalated privilege via Prepend-migrate

Now we can place any malicious exe file in the same folder that will give admin privilege when the service will be restarted, Windows will launch this executable instead of the genuine exe.

Open the terminal in kali Linux and type following command to generate exe payload using msfvenom.

Above command will create a malicious exe file on the Desktop and now send this file to the victim. The payload migrates its process if the current process gets killed; hence the attacker will not lose his session if the victim kills the current process ID of the payload from its system.

Now replace the genuine executable file from the malicious exe, here I have renamed genuine Scsiaccess.exe to Scsiaccess.exe.orginal and uploaded malicious Scsiaccess.exe in the same folder and then reboot the victim’s machine.

Simultaneously we have start multi/handler listener in a new terminal to catch the meterpreter session with admin privilege.

Yuppie!! And after some time we got a shell with admin privileges.

Escalated privilege via Adding user Administrators Group

After spawning a shell as local_user, we enumerated all username list with or without admin privileges. So we found user:raaz is not a member of the admin group.

So again we generated an exe file which will add user:raaz into administrators group. The name of our exe file will be same i.e. Scsiaccess.exe

Now repeat the above steps, replace the genuine executable file from the malicious exe file and reboot the host machine.

If you will notice the following image, you can observe that the user raaz has become a member of the Administrators group.

Escalated privilege via RDP & Sticky_keys

Generate an exe using msfvenom with similar name Scsiaccess.exe and then transfer into victim’s machine, meanwhile run multi handler with autorun script which will enable RDP service once the service gets restarted.

Similarly, we will set the autorun script to enable sticky_keys once the service restarts.

As you can observe from the below screenshot, another meterpreter session (session 3) got opened which has administrative rights. Now let’s connect to the victim’s host via RDP.

Now press shift_key 5 times continuously and you will get command prompt as administrator.

Source//www.exploit-db.com/exploits/24872/

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Exploiting Wildcard for Privilege Escalation

In this article, we will cover “Wildcard Injection” an interesting old-school UNIX hacking technique, which is still a successful approach for Post exploitation and even many security-related folks haven’t heard of it. Here you will get surprised after perceiving some UNIX tools like ‘tar’ or ‘chown’ can lead to full system compromise.

Table of content

  • Introduction
  • Wildcard
  • Wildcard wildness example 1
  • File hijacking example 2
  • Post Exploitation via tar (Phase I)
  • Tar Wildcard Injection (1st method)
  • Post Exploitation via tar (Phase II)
  • Tar Wildcard Injection (1st method)
  • Tar Wildcard Injection (2nd method)
  • Tar Wildcard Injection (3rd method)

Let’s Start!!!

Wildcard

The wildcard is a character or set of characters that can be used as a replacement for some range/class of characters. Wildcards are interpreted by the shell before any other action is taken.

Some Wildcards character:

*     An asterisk matches any number of character in a filename, including none.

 ?     The question mark matches any single character.

[ ]   Brackets enclose a set of characters, any one of which may match a single character at that position.

 –     A hyphen used within [ ] denotes a range of characters.

~     A tilde at the beginning of a word expands to the name of your home directory. Append another user’s login name to the character, it refers to that user’s home directory.

1st Example

You might be aware of wildcard symbol and their traditional usage but here we are presenting wildcard wildness and for this, I would like to draw your attention towards below steps.

So as you can observe, here we have made a new directory “wild” on the desktop then with help of echo command we have created 3 files and written 1 line in each file.

Afterward, with help of cat command, we try to open all the above 3 files as shown:

However, the first two files opened normally and show the same information as written above. But the cat command failed to read information written inside –help file. Instead of showing “take help” while opening –help file it calls its own –help options from its own libraries & such type of trick is called Wildcard wildness.

File owner hijacking via Chown

Similarly again we try to do something roguish with help of chown command. As we know it is an abbreviation of change owner, which is used on Unix-like systems to modify the ownership of file system files, directories and it may only be changed by a super-user. Let say we have three users in our system.

Super-user (root) – perform an admin-level task such as run chown command.

Non-root-user1 (raj) – perform ordinary jobs such as create file

Non-root-user2 (aarti) – perform ordinary jobs such as create file

Mischief-user (Ignite) – perform the notorious task such as Chown file reference trick that can lead file owner hijacking.

In the following image, you can observe all the PHP file is owned by user: raj. Now when the user: ignite found all PHP file is own be user raj then he induces two PHP file himself in the same directory and uses file reference trick for file owner hijacking by executing below commands.

As you can notice, mostly file is owned by user: raj and the last two files are owned by user: ignite and when the super-user will be supposed to change ownership of all file having PHP extension with help of wildcard, then all files will indirectly come under the ownership of user: ignite.

As you can observe when root user run chown command to give ownership to all the PHP files to the user: aarti, an error occurred and as result, the all PHP file get seized by user: ignite automatically.

Conceptual Information:

If you have ever explored chown to read its optional switches then you will find the following option.

–reference=RFILE (use RFILE’s owner and group rather than specifying OWNER: GROUP values)

In our case user: ignite executed the following commands:

Then root user takes help of wildcard character for changing ownership. Thing is that wildcard character used in ‘chown’ command line took subjective ‘–reference=.my.php’ file and passed it to the chown command at the command line as an option.

Post Exploitation via tar (Phase I)

Lab-Setup

Likewise again we extend the wildness of wildcard character to the ultimate level and it was like a dynamic explosion in terms of system hacking.

Tar is a very common UNIX program for creating and extracting archives. And with help of it, we are going to take compress backup of any directory. For example, make a new directory and give ALL permission to it and then create some files.

Now schedule a task with help of crontab to run tar archival program for taking backup of /html from inside /var/backups in every 1 minute.

Let’s verify the schedule is working or not by executing following command.

Tar Wildcard Injection (1st method)

Privilege Escalation

Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into the victim’s machine through ssh and access non-root user terminal. Then open crontab to view if any job is scheduled.

Here we notice the target has scheduled a tar archival program for every 1 minute and we know that cron job runs as root. Let’s try to exploit.

On a new terminal generate netcat reverse shell malicious code for achieving netcat reverse connection by using msfvenom and enter the following command for that.

Copy the generated payload and paste inside the victim’s shell as described below.

nc -lvp 8888

Now paste above-copied payload as described below and ran the following commands inside the victim’s tty shell.

The above commands help the tar command to run the file shell.sh after the first file is archived. Since the tar command is running as root due to crontab, this has the effect of spawning a netcat shell and sending it to the attack platform on port 8888. And if you go back to the terminal window where the listener was on, you will have victim’s reverse connection in after 1 minute.

Conceptual Information:

If you have ever explored chown to read its optional switches then you will find the following option.

–checkpoint[=NUMBER] show progress messages every Numbers record (default 10)

–checkpoint-action=ACTION execute ACTION on each checkpoint

There is a ‘–checkpoint-action’ option, that will specify the program which will be executed when the checkpoint is reached. Mainly, this permits us to run an arbitrary command. Hence Options ‘–checkpoint=1’ and ‘–checkpoint-action=exec=sh shell.sh’ are handed to the ‘tar’ program as command line options.

Post Exploitation via tar (Phase II)

Lab Setup

There are multiple ways to take compressed backup and multi techniques can also be applied for privilege escalation. In this phase, with help of tar, we are going to take compress backup of a directory. For example, make a new directory whose backup you wish to take and give ALL permission to it and then create some files.

Now in other directory write a bash script for taking backup of /tmp/data with help of tar archive program.

Now schedule a task with help of crontab to run tar archival program for taking backup of /html inside /var/backups in every 1 minute.

And after 1 minute you will notice the backup.tgz file is generated inside info directory.

Tar Wildcard Injection

Inject netcat reverse _shell  for Privilege Escalation

Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into the victim’s machine through ssh and access non-root user terminal. Then open crontab to view if any job is scheduled.

Here we notice the target has scheduled a bash program script for every 1 minute and we know that cron job runs as root. The minute attacker read the program written inside the script.sh, he can apply the tar wildcard injection.

Again generate netcat reverse shell payload as done above.

And again repeat the above step as shown in the image.

Then get back to netcat shell for victim’s reverse connection and you will notice after 1 minute you get victim’s netcat session.

Hence, the target can be easily exploited if he makes usage tar archive program either by scheduling job via command or through bash script.

Tar Wildcard Injection (2nd method)

Exploit Sudoers file for Privilege Escalation

Basically, with help wildcard injection an attack wants to gain the highest privilege of the system, therefore, he will try to inject some malicious code with help of tar for root access. But there are multiple ways to obtain root access and hence you can apply the following techniques for privilege escalation.

Suppose you have victim’s machine as a non-root user and for privilege escalation either take root access or try to give sudo right to non-root user by adding him sudoers file. Thus you can take help of following commands.

With the help of above command we had tried to give root permission to the user: ignite and for 1 minute. After 1 minute passed we successfully owned the root account.

Tar Wildcard Injection (3rd method)

Privilege Escalation-Give SUID permission to system binaries

There are multiple ways for privilege escalation with help of tar injection but we are discussing very few methods among them. Suppose you have victim’s machine as the non-root user and for privilege escalation, you can try to enable SUID bit for any system binaries and likewise above again you can take help of the following command for obtaining root access.

We Hope, you people will enjoy these tricks while penetration testing.

Source: //www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Linux Privilege Escalation by Exploiting Cronjobs

After solving several OSCP Challenges we decided to write the article on the various method used for Linux privilege escalation, that could be helpful for our readers in their penetration testing project. In this article, we will learn “Privilege Escalation by exploiting Cron Jobs” to gain root access of a remote host machine and also examine how a bad implement cron job can lead to Privilege escalation. If you have solved CTF challenges for Post exploit then by reading this article you will realize the several loopholes that lead to privileges escalation.

For details, you can read our previous article where we had applied this trick for privilege escalation. Open the links given below:

Link1: Hack the Box Challenge: Europa Walkthrough

Link2: Hack the Milnet VM (CTF Challenge)

Table of content

  • Introduction
  • Cron job
  • Crontab syntax
  • Crontab File overwrite
  • Lab Setup (Ubuntu)
  • Exploiting cron job (Kali Linux)
  • Crontab Tar wildcard Injection
  • Lab Setup (Ubuntu)
  • Exploiting cron job (Kali Linux)

Let’s Start!!!

What is a cron job?

Cron Jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They’re most commonly used for sysadmin jobs such as backups or cleaning /tmp/ directories and so on. The word Cron comes from crontab and it is present inside /etc directory.

 

For example:  Inside crontab, we can add the following entry to print apache error logs automatically in every 1 hour.

Crontab File overwrite

Lab Setup for the Poorly configured cron job

 Objective: Set a new job with help of crontab to run a python script which will erase all data from in a particular directory.

Let assume “cleanup” is the directory whose data will be cleared automatically every two minutes. Thus we have saved some data inside /home/cleanup.

As you can observe from the given image some files are stored inside the cleanup directory.

Now write a python program in any other directory to delete data from inside /home/cleanup and give it all permission.

At last schedule a task with help of crontab to run cleanup.py for every 2 minutes.

Now let’s verify our objectives

Cool!! It is working, as you can see all file has been deleted after two minutes.

Post Exploitation

Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into the victim’s machine through ssh and access non-root user terminal. Execute the following command as shown below.

 From the above steps, we notice the crontab is running python script every two minutes now let’s exploit.

There so many methods to gain root access as in this method we enabled SUID bits /bin/dash. It is quite simple, first, open the file through some editor, for example, nanocleanup.py and replace “rm -r /tmp/*” from the following line as given below

After two minutes it will set SUID permission for /bin/dash and when you will run it will give root access.

Awesome!! We hit the Goal…………………

Crontab Tar Wildcard Injection

Lab Setup

Objective: schedule a task with help of crontab to take backup with tar archival program of HTML directory.

The directory should have executable permission whose backup you are going to take.

Now schedule a task with help of crontab to run tar archival program for taking backup of /html inside /var/backups in every 1 minute.

Let’s verify the schedule is working or not by executing following command.

From given below image you can notice the html.tgz file has been generated after 1 minute.

Post Exploitation

Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into the victim’s machine through ssh and access non-root user terminal. Then open crontab to view if any job is scheduled.

Here we notice the target has scheduled a tar archival program for every 1 minute and we know that cron job runs as root. Let’s try to exploit.

Execute the following command to grant sudo right to logged user and following post exploitation is known as wildcard injection.

Now after 1 minute it will grant sudo right to the user: ignite as you can confirm this with the given below image.

YUPPIEEEE!!! We have successfully obtained root access.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here