Privilege Escalation

Red-Team
1

In today’s Episode of Red-Teaming we will talk about Privilege Escalation a valuable Technique when trying to gain higher privileges on a machine, we want to achieve this Goal because we want UNRESTRICTED access onto the machine we are targeting. In this part the APT is trying to gain higher privileges on the Machine

There have been various great talks and blogs about this part of Red-Teaming they are well documented, and so many incredible tools that can be used to achieve this Goal. I will work with a few well known tools. Some of these are written for our famous PowerShell, others in C# and then with Python.

1.- Files

Let’s not go too far, by experience or CTF’s sometimes the passwords are in Plain Sight no need to use fancy exploitation methods or Capture Hashes and none of that sort. Why not just search a file named Passwords.xlsx. Yes these famous files do exist, they can be on the machine, on a share or even right on the Desktop. And let’s not forget these can be Word Documents, Text Files, or anything that can hold passwords.

1024×527 57.5 KB

But of course unless you have a Cheat Sheet with all these fancy commands to search for these files, why not use an already created awesome tool. That can search for these files in a fast manner and even faster if it’s an SSD.

2.- Tools

Sauron Eye

First awesome tool in our list in its Gihub Repo it is said:

SauronEye is a search tool built to aid red teams in finding files containing specific keywords.

Features :

  • Search multiple (network) drives
  • Search contents of files
  • Search contents of Microsoft Office files (.doc, .docx, .xls, .xlsx)
  • Find VBA macros in old 2003 .xls and .doc files
  • Search multiple drives multi-threaded for increased performance
  • Supports regular expressions in search keywords
  • Compatible with Cobalt Strike’s execute-assembly

It’s also quite fast, can do 50k files, totaling 1,3 TB on a network drive in under a minute (with realistic file filters). Searches a C:\ (on a cheap SATA SSD) in about 15 seconds.

Let’s work with this tool we have our shell and we will need to upload the Binary onto the machine (Yes!! Poor Opsec, but it’s just a Demo).

Let’s search for these password files

976×520 5.74 MB

Oh yes, in just seconds it crawled the entire C:\ directory and its sub-directories and managed to found plenty of files, one is our Password.txt file that I moved to the Documents folder, what and amazing Tool. With that password we can use tools such as CrackMapExec to capture shells as Administrators

SharpUp

Another amazing tool.

SharpUp is a C# port of various PowerUp functionality. Currently, only the most common checks have been ported; no weaponize functions have yet been implemented.

This tool comes in an awesome package named GhostPack highly active and frequently updated to keep up with the .NET Framework incompatibilities.

The thought about this tool is that we can also use it’s PowerShell Brother in case .NET isn’t available or the proper version for it to run. If by any chance you downloaded the incorrect one but let’s focus on the C# one.

The syntax for this one is very simple:

Sharpup.exe audit

And it finds 2 methods to Privesc which with a little more research we can actually see that its very simple since our User is already an Admin but the Shell isn’t running with High Privileges

Don’t forget to use the PowerShell version if you can’t get the C# to work

¯_(ツ)_/¯

1016×796 237 KB

Responder

Aaaah the amazing tool for Active Directories and almost everything Windows. I won’t explain into detail about Responder since there is so much out there about this tool. But TL;DR is that Responder…… well Responds to LLLMNR, NBT-NS requests, by poisoning these requests when a user misspells or tries to access an non-existent Share responder will say “Yeah it’s Me!!”and with that it can Capture the NTLMv2 hashes.

Its very easy to use just have responder running on the local area network and wait for requests, Of Course recommended by the Creator a good Pentester always recons first using “-A” no need to respond to EVERY request just a few target machines, try to be as stealthy as you can.

[But were not trying to be stealthy here we want Admin!!! So let’s respond!!!]

814×186 62.9 KB

And just like that

756×376 124 KB

From here it’s just cracking this hash to grab a ClearText password, or you can use NtlmRelay…

More info here

3.- Exploitation

Alright here is an interesting one and sometimes very difficult to work with, you Test and you Test , you are sure the exploit works in your Environment but when you use it live. Uh Oh the System Crashed, it didn’t work??!

Or just nothing happens. Even if this happens let’s imagine it all went fine!! Let me show the most current Example going on in the World right now on a Local privilege Escalation method.

WesNg

Another amazing tool I stumbled upon Thank You Twitter. The creator loved the Windows-Exploit-Suggester by GDS Security but unfortunately it hasn’t been updated since 2017 so taking matters into his own hands BOOM, WESNG was born and has been using the latest information for exploits. Its very easy to use, on your regular shell grab the sysinfo.exe information save it onto a txt file and run the script with file as a parameter.

812×872 239 KB

Then we use the following syntax

wes.py SYSINFO.TXT

860×320 102 KB

SMBGhost

Aaah the talk of the moment, [I think…] a new vulnerability that grants us SYSTEM access this is the most recent I can find and will show you how its being exploited. Newest Exploit and it looks very simple to attack.

1024×743 7.98 MB

But how do we search for this vulnerability?, well there are a few methods we can check it by using the SMBGhost Scanner script by ollypwn.

Or we can search for the Patch and see if it was applied where you can find more info here

We can search with the PowerShell Cmdlet Get-Hotfix

Uh Oh not here.

As you noticed we seen various methods for gaining higher privileges we used Offensive Tool to do the recon and we also used in-house commands to check our environment as well to find vulnerable OS we did the easy thing in just searching for stored passwords in clear text if you been pentesting or just playing with CTF you will notice the phrase “Low hanging Fruit” And yeah, don’t break your head sometimes the answer is very simple (Believe me).

Happy Hacking and hope you love a little more Red- Team.

8 Likes
2

It’s a nice tool overview, but none of this tools or commands would be suitable in a Red Teaming context, since each of it would be easily detected by EDR :frowning: They are only usable in a regular pentest context.

3 Likes
3

Oh yes, absolutely please do have in mind these are basic and just beginner red team, nothing crazy advanced, running in memory using Impacket or working with a C2 techniques. Just entry level tools that people may find helpful to research more advanced techniques. Even using all the PowerSploit Tools is a great entry level to get a grasp for better techniques (Entry Level Red Team Of Course).

1 Like
4

Great, but is there a way to exploit this without it being detected? Maybe a second article?

1 Like
5

Yes their are ways to probably exploit without detection, please be aware these techniques are meant for beginners I am not demonstrating how to be stealthy just techniques for red teaming. You may find various great references or tools for avoiding detection. And a second article probably in the future.

1 Like
6

This topic was automatically closed after 121 days. New replies are no longer allowed.