Windows Privilege Escalation - Startup Apps

Captions
Hey guys, HackerSploit here, back again with another video. Welcome back to the penetration testing boot camp, more specifically the Windows privilege escalation series. I apologize for the lack of uploads over the last two weeks; sometimes I just have quite a lot of work on my plate that I need to complete before I can resume, but I do apologize for that. I'll be completing the Windows privilege escalation series, and then on Wednesday we'll resume with the web app pentesting series, which is going to be our primary focus. I think it's much smarter for me to finish one series and then move on to the other. With that being said, we only have about two videos left, because I'll be covering token impersonation in one video, and in this video we're exploring the process of how to elevate your privileges through startup apps, more specifically the permissions relative to the startup directory.

So if you have used a Windows system you might be familiar with startup applications and the startup directory. These are the programs or scripts that are essentially configured to run during system startup, so whenever a user logs on, that program is launched. As you can see here, the lab gives us instructions regarding how we should go through it, and in this case it says the first step is to utilize AccessChk, or the AccessChk utility, to check whether the built-in Users group (unprivileged users) can write files to the startup directory. We're essentially checking whether we can make changes and therefore create a new startup item, a Start Menu startup item, that will be executed whenever a user logs on. Once that is done, within the privesc directory on the system there is a Visual Basic script that has already been created that will automatically, as it says here, create a new shortcut to your reverse.exe executable in this startup directory.

So this all revolves around this particular Visual Basic script. Of course, firstly you need the permissions to create a new startup item, and in this case we're essentially adding a shortcut to the actual reverse shell that we have been able to generate with msfvenom. Now, if you are new to this series, I would recommend going through the first videos, as they explain the general workflow of gaining access to the target system via RDP and then, of course, gaining access to the target system via a Meterpreter session. With that being said, let's actually get started with the first technique.

As you can see, I'm currently on the system here; I'll give that a couple of seconds. There we are, it's running Windows Server 2016. getuid: we're currently the user here, our user account is just called "user", and if we check privileges you can see this tells us that we are pretty much a non-privileged user. I'm currently within the C drive, so I'll navigate to the privesc directory, let's see if I can find it, there we are, and we should have the AccessChk executable already transferred in for us. I'll just open up a shell here and we'll give that a couple of seconds, after which we can execute AccessChk. So, dir, let me just make sure it's there again, there we are. So accesschk.exe, and I'll just copy the EULA arguments here, we're just going to accept the EULA, and I'll just copy this here. Again, what we're trying to do firstly is identify whether we have the permissions, or whether user accounts that are part of the built-in Users group have the ability or the permissions required to write files or make changes to the startup directory, which is pretty much never the case on a properly configured Windows system. So there we are, let me just clear that out, hopefully, yeah, there we are.

So I'll just type that in and hit enter, and you can see for this particular directory that the built-in Users group has read and write permissions, as well as all the other groups: the built-in Administrator account, there we are, the built-in Administrators group as well as the Administrator account also has permissions there. All right, so now that that is done, let's take a look at the next step. The next step will involve launching this Visual Basic script. Now the problem with this is I don't want to store my reverse.exe payload that I generated with msfvenom in the privesc directory. So I have the RDP session opened up on the target and I'm currently within the privesc directory, and this is the Visual Basic script, so let me just take you through it and show you what's going on. I'll just zoom in a little bit here so hopefully you'll be able to see what's going on. You can see that it creates a WScript.Shell object; it then links the file, let's see if that's displayed, there we are, it's going to link the file, so the actual file will be called reverse.lnk. Then it's going to set the link, and it will use the object that was created there, so oLink.TargetPath is equal to C:\PrivEsc\reverse.exe, and then oLink.Save. All right, so if you want to modify this you can, based on where you have stored your reverse.exe executable. In my case I'll change this to the temp directory, which I haven't created yet, nor have I uploaded the actual, what's it called, the actual msfvenom payload. Just one second, that should allow me to save it as a Visual Basic script; let me just say all files here, and that is .vbs, let me see if I can type that in correctly. So there we are, .vbs, save, yeah, I want to replace that... I do not have the permissions to do so. All right, I guess we have to use the default configuration. That's actually quite weird, because I'm logged in as a standard user: I can execute, but I can't modify.

That's fine. So don't save it; it's under the privesc directory then, so in this case we have no option, which is really weird. We're already within this directory, so I'll just terminate that channel, and I'll give that a couple of seconds; for some reason this Meterpreter session is really slow. Okay, so I'll say upload, and I've already generated it, so I'll just say home, kali, Desktop, or actually Documents, TryHackMe, Windows privesc, and shell, or rather reverse.exe, right. That's going to upload it for us. And what's the name of it here again? That is reverse.exe, yeah, that's correct, so I have the correct name specified there. We'll open up the shell again and we need to run cscript, and we just need to specify the actual CreateShortcut.vbs script there. So I will essentially say cscript, and that allows us to execute Visual Basic scripts from within the command line. Hit enter, so it looks like that is done.

What we can do now is start up a listener to receive the connection once reverse.exe is executed. Now the key thing to note here is, if I log on as an unprivileged user then I will receive a reverse shell or Meterpreter session with those privileges, right? So what we need to do, as it says here, is simulate an admin logon using RDP and the credentials that you previously extracted. Why RDP? Primarily because startup programs, especially in the context of Windows, really are tied into the winlogon process, so in this case we can try and simulate that there. But before we do that, let's set up the listener. I already have a handler resource file, or resource script if you will, so I'll say msfconsole -r and the .rc file; that'll just set it up for me without any issues, and we can then launch the command. I'll just wait for that, and we'll try and authenticate with RDP once this is done. This will just automate the process of setting it up. There we are, that's the correct port, and what we can do now is hit enter. I'm just going to hit yes, and there we are, that's going to attempt to log on. I believe we have to specify a password, which in this case the lab doesn't actually tell us will be an issue, but you can see: "do you trust this certificate, yes or no", "failed to initialize NLA". That's fine, but we actually need to specify the admin user's password, which again is one of the issues that I had with this particular task. As you can see, it says here, and I'm not really changing anything, "start a listener on Kali and then simulate an admin logon using RDP and the credentials you previously extracted", which we already know where they are, or what these credentials are, but I thought it was really strange of them to have to utilize that technique. So let me just terminate that channel, and we'll give this a couple of seconds, there we are.

What we'll do is, let me just check and see whether we can identify the credentials previously extracted for the admin user account. Now, during one of the first videos within this series we were actually able to identify the admin password within the Unattend.xml file. If you're not familiar with that file, this is a configuration file that's used for the configuration of mass automated installations, and I've already covered that, but that file is typically stored under C:\Windows\Panther. If I just cat out the content of Unattend.xml you can see that in this case it does provide us with the admin account username, which is fairly simple, and then of course the password, which is encrypted in Base64. Now I already covered that process, so you can see that in this case we actually have the hashes which we can crack; however, I'm just going to say vim pass.txt and put that in there, and we can use base64 --decode pass.txt, and the password is one two three, right. So we can essentially try and simulate that logon again. So did I terminate the RDP session with xfreerdp, or rdesktop, sorry, my bad. Yeah, so it's password123. We'll wait for that to provide us with a session, and hopefully that will execute reverse.exe. So, password123, hit enter, there we are, we log on successfully. The autorun program should be executed, or the shortcut rather, or the link, however you want to call it. So let's see... I think, there we are, it actually sends the stage, and we should have admin privileges. We'll give this a couple of seconds. Now, I did mention previously, and have actually covered in its own video, how to bypass UAC, or User Account Control, with UACMe, so you can check out that video; I covered it separately because it's a really fantastic tool and set of utilities. But if I say getuid you can see that we're currently admin; however, the privileges, as you'll see, are still the same, and that means that we need to pretty much bypass UAC or find another way of obtaining NT AUTHORITY\SYSTEM privileges.

So that is how to elevate your privileges by taking advantage of poorly configured startup directory permissions. As I said, I'm not really a fan of this technique, because it's very rare to find that on Windows you can modify the startup programs; that's typically reserved for the administrator, and by default on Windows the Administrator account is disabled, so those permissions are going to be left over to another user account that is part of the local Administrators group. With that being said, that's done. In the next video we are going to be tackling token impersonation through RoguePotato and through the prince, and I'll be filling in a few important things that you need to keep in mind.

So that's going to be it for this video, guys. Thank you very much for watching. If you have any questions or suggestions, let me know in the comments section. If you want to reach out to me, you can do so via Twitter or the HackerSploit Discord server; the link to both of those is in the description section. If you'd like to support the channel, you can do so via our Patreon; the link to that is also in the description. Once again, thank you for watching and I'll be seeing you in the next video. A huge thank you to all of our patrons, your support is greatly appreciated, and this is a formal thank you. So thank you Shamir Douglas, Ryan Carr, Sandor, Michael Busby, sits up doozy defean, Barry Dustin, President Michael Hubbard. Your support is greatly appreciated and you keep us making even more high quality content for you guys. So thank you.
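As an added defender-side check (my own script, not code from the video or the TryHackMe lab), the following PowerShell performs the same audit the AccessChk step in the video does against the all-users Startup folder, and also enumerates the shortcuts already present with their targets and owners so a user-planted .lnk stands out; the principal list and the write-rights mask are my choices, not values from the lab.

```powershell
# Added example (not from the video or the lab): audit the all-users Startup folder
# for write access by low-privileged principals and list the shortcuts it holds.
# Assumes Windows PowerShell 5.1 or later; reading ACLs does not need an elevated prompt.

$StartupDir = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'

# Principals that should never be able to add or replace items in a machine-wide autorun location.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets a caller drop a new .lnk into the folder.
$WriteMask = [System.Security.AccessControl.FileSystemRights] 'CreateFiles, Write, Modify, FullControl'

function Test-StartupDirWritable {
    param([string]$Path = $StartupDir)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights (GENERIC_WRITE / GENERIC_ALL) render as a raw integer rather than
        # named flags; report those for manual review instead of silently passing them.
        $generic = $ace.FileSystemRights.ToString() -match '^-?\d+$'
        if ($generic -or (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0)) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Note      = $(if ($generic) { 'generic access mask, review manually' } else { 'write access' })
            }
        }
    }
}

function Get-StartupShortcutTargets {
    param([string]$Path = $StartupDir)
    $shell = New-Object -ComObject WScript.Shell      # same COM object the lab's VBScript uses
    Get-ChildItem -Path $Path -Filter '*.lnk' -File | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)     # on an existing .lnk this reads its properties
        [pscustomobject]@{
            Shortcut = $_.Name
            Target   = $lnk.TargetPath
            Args     = $lnk.Arguments
            Owner    = (Get-Acl -Path $_.FullName).Owner
            Modified = $_.LastWriteTime
        }
    }
}

$findings = @(Test-StartupDirWritable)
if ($findings.Count -eq 0) { "OK: no low-privileged write access on $StartupDir" }
else { "WARNING: low-privileged write access on $StartupDir"; $findings | Format-Table -AutoSize }
Get-StartupShortcutTargets | Format-Table -AutoSize
```

On a correctly configured host the first function returns nothing; a shortcut whose Owner is a standard user, or whose Target points outside Program Files or Windows, is what to investigate first.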
Info
Channel: HackerSploit
Views: 11,761
Keywords: hackersploit, hacker exploit, hacking, kali linux, weak registry permissions, privilege escalation registry, windows, privilege escalation, penetration testing, ethical hacking, windows privilege escalation oscp, windows privilege escalation tryhackme, windows privilege escalation powershell, pentesting, windows privilege escalation, windows privilege escalation script, windows privilege escalation tools, privesc, privilege escalation windows, privilege escalation attack
Id: CZWyp8AKeGk
Length: 14min 21sec (861 seconds)
Published: Tue Feb 22 2022