Initial Information Gathering
The first step is to get a foothold on the Windows box, either by exploiting it remotely or by connecting to a service with valid credentials.
Initially we have to collect information about the environment so that we can build a few privilege escalation scenarios.
Let's see what operating system we have:
1. systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Next we have to look at the hostname and the user accounts on the target.
1. net user
2. net user hackerctf
Now we have basic information about the other user accounts on the box and a little more detail about our own user. We can see that the hackerctf user is not a member of the local Administrators group.
That is all we need to know about users and permissions for the moment. Next on our list is networking: what is the machine connected to, and what rules does it impose on those connections?
First, let's have a look at the available network interfaces and the routing table.
1. ipconfig /all
2. route print
Let's check the active network connections and the firewall rules.
1. netstat -ano
2. netsh firewall show config
Finally we will take a brief look at what is running on the target Windows box: scheduled tasks, running processes, started services and installed drivers.
1. schtasks /query /fo LIST /v
2. tasklist /svc
3. net start
Unfortunately some default configurations of Windows do not allow access to WMIC unless the user is in the Administrators group (which is probably a really good idea). From my testing with VMs I noticed that no version of XP allowed access to WMIC from a low-privileged account. In contrast, default installations of Windows 7 Professional and Windows 8 Enterprise allowed low-privilege users to use WMIC and query the operating system without modifying any settings. This is exactly what we need, as we are using WMIC to gather information about the target machine.
Typically these are the directories that contain the configuration files (though it is a good idea to check the entire OS):
The next thing to check is the Windows registry setting "AlwaysInstallElevated". If this setting is enabled it allows users of any privilege level to install *.msi files as NT AUTHORITY\SYSTEM. The intent is to let low-privilege users install programs as SYSTEM without making them administrators.
C:\Users\hackerctf>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Let's do a quick search of the operating system; there is often a good chance of finding credentials in the registry or in a file that we would not normally check.
You can see the syntax for our searches below.
C:\Users\hackerctf>dir /s *pass* == *cred* == *vnc* == *.config*
C:\Users\hackerctf>reg query HKLM /f password /t REG_SZ /s
C:\Users\hackerctf>reg query HKCU /f password /t REG_SZ /s
We will go through the Windows services to see whether any of them can create a win situation for us. Generally newer Windows systems like Windows 10 won't contain vulnerable services, but we try every condition to see whether any vulnerable service is exploitable. Windows services are a bit like application shortcuts; have a look at the example below.
Accesschk can automatically check whether we have write access to a Windows service with a certain user level.
From the output above we do not have write access to the target service. If we can find a service where we do have write access, we can simply edit the binary path, and restarting the service will then give us a higher-privilege shell.
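As an added hardening check (example code written for this page, not from the original post or from Sysinternals), the following PowerShell script audits the two misconfigurations described above from the administrator's side: the AlwaysInstallElevated policy in both registry hives, and service binaries whose file ACLs grant low-privileged groups write access. It assumes Windows PowerShell 5.1 or later and an elevated session so that every service binary's ACL can be read; the function names are my own.

```powershell
# Added hardening audit (not from the original post). Assumes Windows PowerShell 5.1 or
# later, run elevated on the host under review; registry paths and group names are standard.

function Get-InstallerPolicyValue {
    param([string]$Hive)   # 'HKLM' or 'HKCU'
    $key = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
    if (-not (Test-Path $key)) { return 0 }
    $prop = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.AlwaysInstallElevated
}

function Test-AlwaysInstallElevated {
    # The policy only takes effect when BOTH the machine and the user value are 1.
    $enabled = (Get-InstallerPolicyValue 'HKLM') -eq 1 -and (Get-InstallerPolicyValue 'HKCU') -eq 1
    if ($enabled) {
        Write-Warning 'AlwaysInstallElevated is set in both hives: any user can install MSI packages as SYSTEM.'
        # Remediation (elevated session needed for HKLM):
        # Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -Value 0
    }
    return $enabled
}

function Get-WritableServiceBinary {
    # Principals that every low-privileged interactive account belongs to.
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    # Only rights that let a user replace or take over the file; ReadAndExecute shares no bits with this mask.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        # PathName is the full command line; keep the executable only (quoted path, or first token).
        $path = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                Binary    = $path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Test-AlwaysInstallElevated | Out-Null
Get-WritableServiceBinary | Format-Table -AutoSize
```

Every row printed by Get-WritableServiceBinary is a service whose executable a standard user could overwrite, which is the same condition accesschk reports; fix it by restoring the ACL on the binary (and its directory) to Administrators and SYSTEM only.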