In today’s Episode of Red-Teaming we will talk about Privilege Escalation a valuable Technique when trying to gain higher privileges on a machine, we want to achieve this Goal because we want UNRESTRICTED access onto the machine we are targeting. In this part the APT is trying to gain higher privileges on the Machine
There have been various great talks and blogs about this part of Red-Teaming they are well documented, and so many incredible tools that can be used to achieve this Goal. I will work with a few well known tools. Some of these are written for our famous PowerShell, others in C# and then with Python.
Let’s not go too far, by experience or CTF’s sometimes the passwords are in Plain Sight no need to use fancy exploitation methods or Capture Hashes and none of that sort. Why not just search a file named Passwords.xlsx. Yes these famous files do exist, they can be on the machine, on a share or even right on the Desktop. And let’s not forget these can be Word Documents, Text Files, or anything that can hold passwords.
But of course unless you have a Cheat Sheet with all these fancy commands to search for these files, why not use an already created awesome tool. That can search for these files in a fast manner and even faster if it’s an SSD.
First awesome tool in our list in its Gihub Repo it is said:
SauronEye is a search tool built to aid red teams in finding files containing specific keywords.
- Search multiple (network) drives
- Search contents of files
- Search contents of Microsoft Office files (.doc, .docx, .xls, .xlsx)
- Find VBA macros in old 2003 .xls and .doc files
- Search multiple drives multi-threaded for increased performance
- Supports regular expressions in search keywords
- Compatible with Cobalt Strike’s execute-assembly
It’s also quite fast, can do 50k files, totaling 1,3 TB on a network drive in under a minute (with realistic file filters). Searches a C:\ (on a cheap SATA SSD) in about 15 seconds.
Let’s work with this tool we have our shell and we will need to upload the Binary onto the machine (Yes!! Poor Opsec, but it’s just a Demo).
Let’s search for these password files
Oh yes, in just seconds it crawled the entire C:\ directory and its sub-directories and managed to found plenty of files, one is our Password.txt file that I moved to the Documents folder, what and amazing Tool. With that password we can use tools such as CrackMapExec to capture shells as Administrators
Another amazing tool.
SharpUp is a C# port of various PowerUp functionality. Currently, only the most common checks have been ported; no weaponize functions have yet been implemented.
This tool comes in an awesome package named GhostPack highly active and frequently updated to keep up with the .NET Framework incompatibilities.
The thought about this tool is that we can also use it’s PowerShell Brother in case .NET isn’t available or the proper version for it to run. If by any chance you downloaded the incorrect one but let’s focus on the C# one.
The syntax for this one is very simple:
And it finds 2 methods to Privesc which with a little more research we can actually see that its very simple since our User is already an Admin but the Shell isn’t running with High Privileges
Don’t forget to use the PowerShell version if you can’t get the C# to work
Aaaah the amazing tool for Active Directories and almost everything Windows. I won’t explain into detail about Responder since there is so much out there about this tool. But TL;DR is that Responder…… well Responds to LLLMNR, NBT-NS requests, by poisoning these requests when a user misspells or tries to access an non-existent Share responder will say “Yeah it’s Me!!”and with that it can Capture the NTLMv2 hashes.
Its very easy to use just have responder running on the local area network and wait for requests, Of Course recommended by the Creator a good Pentester always recons first using “-A” no need to respond to EVERY request just a few target machines, try to be as stealthy as you can.
[But were not trying to be stealthy here we want Admin!!! So let’s respond!!!]
And just like that
From here it’s just cracking this hash to grab a ClearText password, or you can use NtlmRelay…
More info here
Alright here is an interesting one and sometimes very difficult to work with, you Test and you Test , you are sure the exploit works in your Environment but when you use it live. Uh Oh the System Crashed, it didn’t work??!
Or just nothing happens. Even if this happens let’s imagine it all went fine!! Let me show the most current Example going on in the World right now on a Local privilege Escalation method.
Another amazing tool I stumbled upon Thank You Twitter. The creator loved the Windows-Exploit-Suggester by GDS Security but unfortunately it hasn’t been updated since 2017 so taking matters into his own hands BOOM, WESNG was born and has been using the latest information for exploits. Its very easy to use, on your regular shell grab the sysinfo.exe information save it onto a txt file and run the script with file as a parameter.
Then we use the following syntax
Aaah the talk of the moment, [I think…] a new vulnerability that grants us SYSTEM access this is the most recent I can find and will show you how its being exploited. Newest Exploit and it looks very simple to attack.
But how do we search for this vulnerability?, well there are a few methods we can check it by using the SMBGhost Scanner script by ollypwn.
Or we can search for the Patch and see if it was applied where you can find more info here
We can search with the PowerShell Cmdlet Get-Hotfix
Uh Oh not here.
As you noticed we seen various methods for gaining higher privileges we used Offensive Tool to do the recon and we also used in-house commands to check our environment as well to find vulnerable OS we did the easy thing in just searching for stored passwords in clear text if you been pentesting or just playing with CTF you will notice the phrase “Low hanging Fruit” And yeah, don’t break your head sometimes the answer is very simple (Believe me).
Happy Hacking and hope you love a little more Red- Team.