
Level Up! - Practical Windows Privilege Escalation


For attackers, landing on a Windows workstation with only limited privileges can really put a damper on your day. Low-privileged access is a roadblock for even the most skilled "undocumented administrators". Local administrator access to a Windows machine inside an Active Directory domain, on the other hand, often leads to compromise of the whole domain. This talk walks through how attackers and defenders can identify and exploit practical Windows privilege escalation vectors on Windows 7.



  1. Practical Windows Privilege Escalation • Andrew Smith
  2. C:\>type disclaimer.txt • The opinions expressed in this presentation are mine and not those of my employer.
  3. C:\>whoami /all • Andrew Smith • @jakx_ • Penetration Tester • OWASP • Metasploit • CTF • Certs
  4. C:\>whois you
  5. What are you talking about? • Relevant Windows security info • PrivEsc tricks on Win7 • Limited user -> Local Admin
  6. Why should I care? • You wanna level up • You wanna prevent level up • Hack the planet! • You like Mario?
  7. Why should I care? • "People designing defenses who have never had them evaluated by a good attacker is kind of like learning one of those martial arts that look more like dancing than fighting. They look nice, but when you get into a fight your dance kung fu isn't going to help you not get your ass kicked." -Dan Guido
  8. Windows Access Control • Securable objects: files, directories, services, registry keys, named pipes *https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557%28v=vs.85%29.aspx
  9. Windows Access Control • Security Descriptor • Discretionary Access Control List (DACL) • Access Control Entries (ACEs) *https://msdn.microsoft.com/en-us/library/windows/desktop/aa379563%28v=vs.85%29.aspx
  10. Windows Access Control • Access Token • Container of the user's security info: SID, group SIDs, privileges • Tied to a process or thread *https://msdn.microsoft.com/en-us/library/windows/desktop/aa379563%28v=vs.85%29.aspx
  11-14. Windows Access Control (built up over four slides): Access Token -> DACL -> AccessChk. The token's SIDs are compared against the ACEs in the object's DACL; AccessChk reports the resulting effective access.
  15. Mandatory Integrity Control • Security feature since Vista • Assigns integrity levels to processes and objects • Indicates the "trustworthiness" of the object *https://msdn.microsoft.com/en-us/library/bb625963.aspx
  16. Windows Integrity Levels (figure) *Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition
  17. Windows Integrity Levels • Low • Medium • High • System *https://msdn.microsoft.com/en-us/library/bb625963.aspx
  18. Windows Integrity Levels • Low • Medium • High • System • UAC: just ask nicely... *https://msdn.microsoft.com/en-us/library/bb625963.aspx
  19. The Setup... • Land on a workstation as SKYNET\Luigi via $method • Want to escalate privileges • Limited User -> Local Admin • Marketing isn't Admin... right?
  20. Time to Level Up! • Admin somewhere else? • Creds in files • Exploit unpatched EoP bugs • Exploit insecure configs/apps: weak service DACLs, weak file DACLs, AlwaysInstallElevated, DLLs
  21. Somewhere Else? • Luigi is in the "Domain Users" group • On one box, "Domain Users" is a member of the local "Administrators" group
  22. Somewhere Else? • PowerView: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 • Find-LocalAdminAccess
  23. Somewhere Else?
  24. Creds in Files • C:\users\luigi\Desktop\passwords.xls • C:\>dir /b /s web.config • C:\>dir /b /s unattend.xml • C:\>dir /b /s sysprep.inf • C:\>dir /b /s sysprep.xml • C:\>dir /b /s *pass* • GPP (Group Policy Preferences cpassword) • \\mushroomkingdom\SYSVOL\????
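Added example (not part of the slide deck): the same hunt from the slide above done from PowerShell, pulling out the interesting values instead of reading dir /b /s output by hand. The function names, the search patterns and the unattend.xml sample are mine; the sample is constructed for illustration, and the decode rule it relies on (when PlainText is false, the value is base64 of the UTF-16LE password with the string "Password" appended) is the documented Windows Setup format.

```powershell
# Added example, not from the slides. Assumed names: Find-CredFile,
# Find-PasswordString, Get-UnattendPassword, $SampleUnattend.
$CredFilePatterns = @('web.config', 'unattend.xml', 'sysprep.inf', 'sysprep.xml', '*pass*')

function Find-CredFile {
    param([string]$Root = 'C:\')
    # -Force includes hidden files; SilentlyContinue hides "access denied" noise.
    foreach ($pattern in $CredFilePatterns) {
        Get-ChildItem -Path $Root -Filter $pattern -Recurse -File -Force -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    }
}

function Find-PasswordString {
    param([string[]]$Path)
    # Catches web.config connection strings and sysprep.inf AdminPassword= lines.
    Select-String -Path $Path -Pattern '(password|pwd)\s*=\s*\S+' -ErrorAction SilentlyContinue |
        Select-Object Path, LineNumber, Line
}

function Get-UnattendPassword {
    param([string]$XmlText)
    $xml = [xml]$XmlText
    # unattend.xml is namespaced, so match elements by local-name() rather than prefix.
    foreach ($node in $xml.SelectNodes("//*[local-name()='AdministratorPassword' or local-name()='Password']")) {
        $valueNode = $node.SelectSingleNode("*[local-name()='Value']")
        if (-not $valueNode) { continue }
        $plainNode = $node.SelectSingleNode("*[local-name()='PlainText']")
        $value = $valueNode.InnerText
        if ($plainNode -and $plainNode.InnerText -eq 'false') {
            # Setup stores base64(UTF-16LE(password + "Password")) when PlainText is false.
            $decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($value))
            if ($decoded.EndsWith('Password')) { $decoded = $decoded.Substring(0, $decoded.Length - 8) }
            $value = $decoded
        }
        [pscustomobject]@{ Element = $node.LocalName; Password = $value }
    }
}

# Constructed sample: the shape Windows Setup writes when PlainText is false.
# The base64 is computed here rather than pasted, so the sample is self-consistent.
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('Sup3rS3cret!Password'))
$SampleUnattend = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>$encoded</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"@

# Decode the constructed sample (recovers the password minus the "Password" suffix).
Get-UnattendPassword $SampleUnattend

# On a target box:
#   $files = Find-CredFile
#   Find-PasswordString $files
#   $files | Where-Object { $_ -match 'unattend\.xml$|sysprep\.xml$' } |
#       ForEach-Object { Get-UnattendPassword (Get-Content -LiteralPath $_ -Raw) }
```

Get-ChildItem -Recurse over C:\ is slow and noisy; on an engagement you would usually start with C:\Windows\Panther, C:\Windows\System32\sysprep and C:\inetpub before the whole drive. The sysprep/unattend files are often left behind by imaging, which is why they appear on the slide.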
  25. Windows EoP Buggzz • Enumerate missing patches • post/windows/gather/enum_patches • post/multi/recon/local_exploit_suggester • Pwn
  26. Windows EoP Buggzz • MS13-053
  27. Weak Service Permissions
     accesschk.exe -qwcu "Authenticated Users" *
     accesschk.exe -qwcu "Users" *
     accesschk.exe -qwcu "Everyone" *
  28. Weak Service Permissions • Can we edit the service config? • Can we edit the binary it points to?
  29. Weak Service Permissions • Demo
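Added example (not part of the slide deck): the two questions on slide 28, answered for every service without accesschk. It reads each service's security descriptor in SDDL form from sc.exe sdshow, parses the DACL and its ACEs (the objects from the access-control slides) and flags any Allow ACE that grants a low-privileged principal SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER; then it resolves the service binary from ImagePath and checks whether the same principals can write to it. Function names are mine; the SDDL string used as a parser check is constructed.

```powershell
# Added example, not from the slides. Assumed names: Get-ServiceSddl,
# Find-WeakServiceAce, Get-ServiceBinary, Test-FileWritableByLowPriv, Find-WeakService.
$LowPrivSddlSids = @{ 'AU' = 'Authenticated Users'; 'BU' = 'Users'; 'WD' = 'Everyone' }
# Service rights as SDDL tokens: DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC,
# WO = WRITE_OWNER, GA/GW = generic all/write. Any one of these is enough.
$DangerousServiceRights = @('DC', 'WD', 'WO', 'GA', 'GW')
$LowPrivAccountNames = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-ServiceSddl {
    param([string]$Name)
    # sc.exe sdshow prints the descriptor on a line starting with "D:".
    $out = & sc.exe sdshow $Name 2>$null
    $line = $out | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
    if ($line) { $line.Trim() }
}

function Find-WeakServiceAce {
    param([string]$Sddl)
    $dacl = ($Sddl -split 'S:', 2)[0]                         # drop the SACL, if present
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {  # one match per ACE
        $fields = $m.Groups[1].Value -split ';'               # type;flags;rights;;;sid
        if ($fields.Count -lt 6 -or $fields[0] -ne 'A') { continue }   # Allow ACEs only
        $sid = $fields[5]
        if (-not $LowPrivSddlSids.ContainsKey($sid)) { continue }
        $tokens = [regex]::Matches($fields[2], '..') | ForEach-Object { $_.Value }   # two-letter rights
        $bad = @($tokens | Where-Object { $DangerousServiceRights -contains $_ })
        if ($bad.Count -gt 0) {
            [pscustomobject]@{ Principal = $LowPrivSddlSids[$sid]; Rights = ($bad -join ',') }
        }
    }
}

function Get-ServiceBinary {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $img = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $img) { return }
    $img = [Environment]::ExpandEnvironmentVariables($img)
    # Quoted path, or everything up to the first ".exe" when unquoted. Drivers (.sys) are skipped.
    if ($img -match '^"([^"]+)"' -or $img -match '^(.+?\.exe)') { $Matches[1] }
}

function Test-FileWritableByLowPriv {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    # WriteData (0x2) is what overwriting the binary needs; GENERIC_WRITE and GENERIC_ALL imply it.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor 0x40000000 -bor 0x10000000
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivAccountNames -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { $ace.IdentityReference.Value }
    }
}

function Find-WeakService {
    foreach ($svc in Get-Service) {
        $sddl = Get-ServiceSddl $svc.Name
        if ($sddl) {
            foreach ($w in Find-WeakServiceAce $sddl) {
                [pscustomobject]@{ Service = $svc.Name; Issue = 'Weak service DACL'; Principal = $w.Principal; Detail = $w.Rights }
            }
        }
        $exe = Get-ServiceBinary $svc.Name
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            foreach ($who in Test-FileWritableByLowPriv $exe) {
                [pscustomobject]@{ Service = $svc.Name; Issue = 'Writable service binary'; Principal = $who; Detail = $exe }
            }
        }
    }
}

# Parser check on a constructed SDDL: SYSTEM and Administrators have full rights,
# Interactive users can only query, and Authenticated Users have CC DC RP WP LC RC.
Find-WeakServiceAce 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCRPWPLCRC;;;AU)'

Find-WeakService | Format-Table -AutoSize
```

On the constructed SDDL the parser flags Authenticated Users with DC, which is the service-config case from slide 28: a principal with SERVICE_CHANGE_CONFIG can repoint binPath with sc config and restart the service (RP/WP in the same ACE), running as the service account. The writable-binary case needs no config change at all; the next start of the service runs whatever was written there. Relative ImagePath values (no drive letter) are skipped by the Test-Path check, so review those by hand.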
  30. Weak File Permissions • Look for writable files • Autoruns? • Scheduled tasks?
     accesschk.exe -qwsu "Authenticated Users" c:\
     accesschk.exe -qwsu "Users" c:\
     accesschk.exe -qwsu "Everyone" c:\
  31-33. Weak File Permissions • Story time • Main app binary writable by "Users" • Autorun on login
  34. Weak File Permissions
  35. Weak File Permissions • "Nah bro, UAC"
  36-38. Weak File Permissions • Admin logs in • Backdoored binary auto-executes • Code execution at medium IL as the admin (UAC)
  39. Weak File Permissions • "One important thing to know is that UAC is not a security boundary." *https://blogs.msdn.microsoft.com/e7/2009/02/05/update-on-uac/
  40. AlwaysInstallElevated • Group Policy setting that makes installing packages (.msi) convenient... • ...any .msi... • for everyone...
  41. AlwaysInstallElevated
     reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
     reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
     Both queries must return 1: the policy only takes effect when it is set under HKLM and HKCU.
  42. AlwaysInstallElevated • Demo
  43. DLL Hijacking • Windows can dynamically load DLLs • If a full path is not given, or the DLL is missing, Windows walks the DLL search order • e.g. LoadLibrary("ohnoes.dll") vs LoadLibrary("c:\program files\ohnoes.dll")
  44-45. DLL Hijacking: the search order with SafeDllSearchMode enabled (the default) 1. The directory from which the application loaded. 2. The system directory. 3. The 16-bit system directory. 4. The Windows directory. 5. The current directory. (Exploitable) 6. The directories listed in the PATH environment variable. (Exploitable) *https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx
  46. DLL Hijacking • Privileged app loads a missing DLL + controllable search-path element = pwned • Use Sysinternals Procmon • Include ".dll" • Include "NAME NOT FOUND" • Include folder in path
  47. DLL Hijacking • Demo
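Added example (not part of the slide deck): automation of the Procmon recipe from slide 46. One function lists which directories on the exploitable steps of the search order (the current directory and every PATH entry) the current user can actually create files in, by probing rather than reading ACLs; the other reads a Process Monitor CSV export, keeps the CreateFile / NAME NOT FOUND / .dll rows and marks the ones whose directory is writable. Function names are mine, and the CSV (process FooUpdater.exe, directory C:\Tools) is constructed for illustration; ohnoes.dll is the name from the slides.

```powershell
# Added example, not from the slides. Assumed names: Test-DirWritable,
# Find-WritableSearchPathDir, Find-HijackableDllLoad, $SampleProcmonCsv.

function Test-DirWritable {
    param([string]$Dir)
    # Effective-access probe for the current user: create a file, then remove it.
    # Unlike ACL parsing this accounts for group membership and deny ACEs, but it
    # does touch the disk, so it leaves a trace on a monitored box.
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ('hijackprobe-{0}.tmp' -f [guid]::NewGuid())
    try { [IO.File]::WriteAllText($probe, '') } catch { return $false }
    try { [IO.File]::Delete($probe) } catch { }
    return $true
}

function Find-WritableSearchPathDir {
    # Steps 5 and 6 of the search order: the current directory, then each PATH entry.
    $dirs = @((Get-Location).Path) + @($env:PATH -split ';' | Where-Object { $_ })
    foreach ($d in ($dirs | Select-Object -Unique)) {
        if (Test-DirWritable $d) { $d }
    }
}

# Constructed Procmon export (File > Save... > CSV). FooUpdater.exe asks for
# ohnoes.dll by name; the loader probes the application directory, System32
# and then a PATH entry, and none of them has it. The .ini row is noise.
$SampleProcmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0","FooUpdater.exe","1234","CreateFile","C:\Program Files\Foo\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.1","FooUpdater.exe","1234","CreateFile","C:\Windows\System32\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.2","FooUpdater.exe","1234","CreateFile","C:\Tools\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.3","FooUpdater.exe","1234","CreateFile","C:\Program Files\Foo\settings.ini","SUCCESS","Desired Access: Generic Read"
'@

function Find-HijackableDllLoad {
    param([string]$CsvText, [switch]$CheckAcl)
    # Same three filters as the Procmon recipe: CreateFile, NAME NOT FOUND, path ends in .dll.
    $CsvText | ConvertFrom-Csv |
        Where-Object { $_.Operation -eq 'CreateFile' -and $_.Result -eq 'NAME NOT FOUND' -and $_.Path -match '\.dll$' } |
        ForEach-Object {
            $dir = Split-Path -Path $_.Path -Parent
            $writable = $null                       # $null = not checked (offline run)
            if ($CheckAcl) { $writable = Test-DirWritable $dir }
            [pscustomobject]@{ Process = $_.'Process Name'; MissingDll = $_.Path; DirWritable = $writable }
        }
}

# Offline: list the candidate probes from the constructed export.
Find-HijackableDllLoad -CsvText $SampleProcmonCsv

# On the target box, against a real export, with the writability probe:
#   Find-HijackableDllLoad -CsvText (Get-Content .\Logfile.CSV -Raw) -CheckAcl
#   Find-WritableSearchPathDir
```

The order of the rows matters: a planted DLL is only loaded if every earlier step of the search order also fails to find it, which is exactly what a run of NAME NOT FOUND results for the same file name shows. Run Procmon while the privileged process (a service start, an installer, an autorun) does its work, since the interesting loads happen in that process, not in yours. The planted DLL also has to export whatever the application imports, or the process crashes before your code runs.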
  48. Conclusions • Know your network/apps • Don't run as admin • UAC IS NOT A SECURITY BOUNDARY • Patch your shit • "Hack yourself first"
  49. Tools • PowerUp: https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 • windows-privesc-check: https://github.com/pentestmonkey/windows-privesc-check • Sysinternals Suite: https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
  50. References/Resources
     https://www.insomniasec.com/downloads/publications/WindowsPrivEsc.ppt
     https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf
     https://technet.microsoft.com/en-us/sysinternals/bb545027
     http://www.greyhathacker.net/?p=738
     Gray Hat Hacking, 4th edition
     Windows Internals, 6th edition
     https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
     http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607
  51. Questions? @jakx_ ajs@swordshield.com
