[Networking] Privilege Escalation in a mini-CTF requiring both Windows skills

To RDP from Linux to Windows:

xfreerdp /u:<username> /p:<password> /v:<ip address>

There is always a trade-off between risk and reward when escalating privileges.

<aside> 💡 Major levels of user privileges in Windows:

Domain Administrators - Highest possible level of domain-specific access; "GOD MODE" privileges within a single domain.

(Enterprise Admins have even more: multiple domains put together form a forest, and an Enterprise Admin has administrative access to the entire forest.)

Service Accounts - Accounts tied to a single service running on a machine (they can also have admin privileges, depending on how the service is set up).

There can be a local admin and a domain admin; the local admin of a machine only has admin privileges on that specific machine.

Likewise there can be a local user and a domain user on a machine: a local user has user-level access to that one machine only, whereas a domain user has user-level access across the whole domain.

</aside>

<aside> 💡 Windows Privilege Escalation Vectors: (each applies only in certain circumstances and is not one-size-fits-all; sometimes the current user's access level is already quite good)

LEADUP

L - Lazy Administrator (credentials found lying around somewhere, or too many accounts with admin privileges and we found their creds)

E - Exploits (a kernel exploit or some other vulnerability found in the OS)

A - Access Token manipulation (every user on a Windows machine has an access token; when they log in and use different processes, this token is cached and grants them access. Forging or duplicating this token is token manipulation, as is granting a malicious process the same privileges as a regular user/admin.)

D - DLL Hijacking (DLLs are small libraries that support the execution of the main application. Programs can load these DLL files from unintended locations, and if the DLL is loaded at a higher privilege level than our current user, injecting malicious code there could allow us to launch a shell at that higher privilege level.)

U - User Account Control (UAC) manipulation/bypass (having an administrative-level account but not running in the admin-level context for its actions)

P - Patch Level (an older OS that is not patched against kernel-level exploits may allow privilege escalation)

Other methods include Unquoted Service Path and Always Install Elevated, among others.

</aside>
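As an added hardening check (not part of the original notes), the following PowerShell audit reports the two misconfigurations named last, unquoted service paths and AlwaysInstallElevated, so an administrator can fix them. It assumes it is run as a local administrator on the Windows host under review; it only reads configuration and changes nothing.

```powershell
# Added audit script, not from the original notes. Assumes local admin rights on the
# host being reviewed; read-only, it reports findings and does not modify anything.

function Get-UnquotedServicePath {
    # A service binary path that is not wrapped in quotes and contains a space is
    # ambiguous: Windows may try each space-delimited prefix as an executable.
    # Report such services so their ImagePath can be quoted.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and
            ($_.PathName -split '\.exe', 2)[0] -match ' '
        } |
        Select-Object Name, StartMode, StartName, PathName
}

function Get-AlwaysInstallElevated {
    # MSI packages install with SYSTEM rights only when this value is 1 in BOTH hives.
    # Report the value found in each hive (null means the policy key is absent).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
        $value = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated `
                    -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Hive = $hive; AlwaysInstallElevated = $value }
    }
}

'== Services with unquoted binary paths containing spaces (quote these) =='
Get-UnquotedServicePath | Format-Table -AutoSize

'== AlwaysInstallElevated policy (1 in both hives = misconfigured, set to 0) =='
Get-AlwaysInstallElevated | Format-Table -AutoSize
```

Fix a flagged service by quoting its binary path (for example with `sc.exe config <name> binPath= "..."`), and set AlwaysInstallElevated to 0 (or remove it) in both hives.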

<aside> 💡 These vectors are not a silver bullet; in some cases we need to combine two or more of them to achieve the desired result.

</aside>

<aside> 💡 Enumeration (initial information gathering) is the first step in a penetration testing engagement.

</aside>

<aside> 💡 WMIC (Windows Management Instrumentation Command-line) is a built-in tool for managing and administering Windows machines.

</aside>

Questions ➖

1 - net users

2 - systeminfo

3, 4 - wmic service list | findstr "Backup"

5 - Run a netcat listener on the local machine, save a .bat file with malicious code that gets a shell on the target machine, and run a backup job for that .bat file with Iperius

6, 7 - Explore the directories after getting a shell