Windows Privilege Escalation (privesc) Resources

I have obtained a standard user account on Windows. Now what?

This is a common question I see people inquire about frequently on the Discord/Slack/Mattermost servers I hang out on. This includes people working on CTF exercises (Hack the Box), OSCP/PWK studies, and just pentesting in general. The answer, of course, is that you need to enumerate the system and find a way to become Admin.

The methodology for how you actually do this depends on a lot, and it varies with your specific environment and circumstances.

Windows Privilege Escalation to the Rescue

Here are some useful resources on what to do next in your given situation, after you have successfully exploited your way onto a Windows box, but before you have the system administrator role. I collected these links, snippets, and exploits during my OSCP studies, saving them in this massive OneNote notebook. Rather than letting them sit there where no one but me can access them, I thought I’d share.

Some of these get pretty detailed, and some of them have links to yet even more resources on this topic.

Have fun…this rabbit hole runs deep!

Privesc Resources

Updated 11.11.18: A new resource I came across that looks pretty awesome:

Windows-Privilege-Escalation-Guide
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

Elevating privileges by exploiting weak folder permissions
http://www.greyhathacker.net/?p=738/

Encyclopedia of Windows Privesc (video)
https://www.youtube.com/watch?v=kMG8IsCohHA&feature=youtu.be

Windows Privesc Fundamentals
http://www.fuzzysecurity.com/tutorials/16.html

Windows Privesc Cheatsheet
https://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html

Windows Privesc Check
A script that automates the checking of common vulnerabilities that can be exploited to escalate your privileges:
http://pentestmonkey.net/tools/windows-privesc-check

Common Windows Privesc Vectors
https://www.toshellandback.com/2015/11/24/ms-priv-esc/

Windows Post-Exploitation Command List
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf

WCE and Mimikatz in Memory over Meterpreter
https://justinelze.wordpress.com/2013/03/25/wce-and-mimikatz-in-memory-over-meterpreter/

Windows Privesc – includes tips and more resource links, on Github
https://github.com/togie6/Windows-Privesc

Do you have any Windows Privesc resources you think should go here? Comment below and I will add them.

Microsoft Windows has Free Virtual Machines

Wish I had known about these earlier. Microsoft offers free Windows virtual machines for VirtualBox, VMWare, and others. You can choose from Windows 7, Windows 8, or Windows 10 (a few different flavors of each). They last 90 days before expiring, but you can snapshot them right after you install them to make it easy to reset that 90 days by rolling back to the snapshot.

Officially, these are for testing out the Edge browser, but you can also use them for whatever else 😉

Check them out here:

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/


Snagit Charges for “Upgrade”

Look! This pig has lipstick.

I am completely fine with paying for software that I really like and that serves a purpose for me. However, if you are a software company that is going to use the ‘paid upgrade’ model of charging customers to upgrade to the next major version of your product, make sure the next major version contains new features worth paying for.

In the case of TechSmith’s Snagit, they have failed to provide anything of real value in their latest release (version 3.0 for Mac, or 12.0 for Windows), yet they are asking for $24.95 to upgrade to the latest version.

I paid for version 2 of Snagit for my Mac (that’s version 11 for you Windows users), and I really enjoyed using it. It became a tool in my arsenal that I relied heavily upon for doing quick screen shots and adding text, notes, arrows, and more.

Then one day a couple of weeks ago the updater ran and I was suddenly looking at a trial version of Snagit 3.0. And it said it was going to expire unless I paid the discounted upgrade fee of $24.95.

Aggravated, I hoped to have my mood changed and be wowed by version 3.0. So I tested it out for a few days. I quickly found that it had a nicer look and feel about it, but other than that, there were no noticeable enhancements or actual upgrades to the product. It was the same product with about one new feature related to the video clipping tool — something I could care less about. And that new feature was only a new arrow selector of some sort. Not impressed.

Jason Eagleston, the “Snagit Product Owner” at TechSmith even admits in their self-congratulatory release video that “with this release we had a focus on updating the way Snagit looks and feels, partially to bring that consistency across all the Techsmith things that you are going to interact with, but ultimately it’s only focused on getting your content to be the most prominent thing on the screen.”

Hmm…I only interact with one Techsmith product, so why should this be a feature worth paying for? And how is it not the most prominent thing on my screen if I’m currently using it in the first place?

A couple of more employees in the video go on to talk about how much nicer the product will be to use, and that they really wanted people to feel like they were using something current and not outdated. So it really isn’t about an upgrade, it’s about a change of clothes.

The whole video is about them admitting that their product didn’t look that great, so they spent a lot of effort making it look better (or “flatter,” as they say in the video, which is supposed to be something we should like), and now they want their customers to pay for that. No real tool enhancements or additions, just a subjective improvement to the design. For $24.95? No thanks.

For those of you looking for a free alternative to Snagit, check out Skitch. With or without Evernote, it’s a nice tool that does just about everything Snagit does for screen capturing.

Photo by Darin Barry

Backing Up Tons of Email

I have about a dozen email accounts I try to manage locally with Thunderbird. By and large, things run pretty smoothly until I need to move it all, as I did recently when upgrading from XP to Vista.

I have been a big fan of MozBackup in the past, but as my email accounts grew and I had more and more email stored in folders, MozBackup started taking a long time to process it all. After my move to Vista, I realized I had over 2GB of mail backed up, and restoring it from MozBackup didn’t work. It recreated all my accounts and folders, but all the folders were empty.

After the initial panic faded, I found some forum threads discussing the manual opening of MozBackup archives and restoration of email.  I finally got it all back, but it wasn’t without more than a few sweat bullets hitting the keyboard.

Since this episode, I have been looking for something to put my mind at ease in regards to email storage, backup, and even reduction. I don’t know why I had never heard of it, but I stumbled across MailStore, which offers a free home version called, get this, MailStore Home.

MailStore Home will back up and archive email from many different clients, including Outlook, Thunderbird, Exchange, GMail, Yahoo mail, and others. At first I thought it was too good to be true, but after installing it I was quickly impressed with the simplicity and ease of use.

I had soon archived my two biggest email accounts, and even burned them to DVD through the MailStore application itself. Knowing DVD’s aren’t indestructible, I also backed up the archive using Carbonite (another of my favorite apps).

Going back into a MailStore archive is very easy, and it lets you read email, open, and even search mail and contents of attachments.

Once I was convinced that I had successfully archived and backed up all my email, I was able to go through my Inboxes and delete over 1GB of email. Hopefully, this will allow MozBackup to run more smoothly, if I ever really need it again in the first place.

If you find yourself with an unwieldy inbox and a nagging feeling that you haven’t done anything to back it up, go grab MailStore Home now.

MailStore Home: http://www.mailstore.com/en/mailstore-home.aspx

Apple Attacks On The Rise?

We here at Geekamongus are by no means partial to one operating system over another.  We love Macs, we love Linux, we love Solaris, and we love those other guys.  Seriously, in no way do we ever intend on taking sides, and articles such as this one are not to be mistaken as an attack upon a particular vendor, nor should they be misconstrued as a statement proclaiming that we prefer other platforms.

That said, some news items of late have raised a few eyebrows upon the foreheads of the security-minded regarding Apple and their operating system, OS X.  For example, there seems to be a new variant of an OS X trojan out there, according to the folks at macnn.com.

Judging by the responses from the opinionated users at the bottom of that article, the Mac fan base may be smart enough to avoid such malicious software.  Cynicism aside, it is clear there is an entirely untapped user base upon which Phishing attacks may be starting to prey.  One must consider the fact that people who have used Macs their whole lives may not be as familiar with such vulnerabilities, where web sites attempt to trick you into downloading a plugin with ulterior motives in mind, and that they could be more easily fooled into taking the bait.  Heck, it would seem the folks at Apple could use some tutelage about Microsoft viruses too.

Seeing as Apple still considers themselves to be rather impervious to viruses, trojans, worms, and their ilk, I don’t foresee this getting better any time soon, even though they did briefly post a note about using antivirus software on their website. One thing Microsoft users have going for them is that they are by and large more aware of common Internet vulnerabilities because they run into them more often, and they must take steps to avoid them. Some may even have received training in the workplace or from a geeky niece or nephew.

Granted, OS X is based upon a relatively secure Unix kernel and the Apple market share is much smaller than that of Microsoft. That can certainly help when talking about the prevention of spreading traditional viruses, trojans, and worms. However, when a user is unaware and clicks “OK” to download and install a seemingly legitimate plugin, all bets are off. And who knows what evil is brewing in the basements of evildoing jerkfaces to target OS X itself in ways which Windows users are unfamiliar with.

Setting up Samba Shares on RedHat Enterprise 5

My goal was to set up a network share on a RHEL5 server using Samba, so that our Windows users could access the shared folder from their desktops.  It was difficult to find any information on doing this and nothing else, such as setting up Samba as a domain controller, which I was not interested in.  Sometimes Google gives you more than you want.

If you are running RedHat Enterprise 5, and are interested in setting up Samba shares for Windows users to access, read on.  This may work for other flavors of Linux, and older versions of RHEL, but I can’t vouch for that.

First, make sure the correct Samba packages are installed:

#> rpm -qa |grep samba
samba-client-3.0.28-1.el5_2.1
samba-3.0.28-1.el5_2.1
samba-common-3.0.28-1.el5_2.1
system-config-samba-1.2.39-1.el5

If these are not installed, use yum to grab them and install them.

You may need to open ports in the system firewall so that all of this will work.  The ports that need to be open for Samba to work are:

139 and 445

It’s easiest to do this from your RedHat gui (System > Administration > Security Level and Firewall).

Next, set up the smb service to run at boot time:

#> chkconfig smb on

In RedHat, this will also cause the nmb service to run, which is fine.

Now, start Samba:

#> service smb start

Now, create the directory you want to share.  For this example, I will make it simple:

#> mkdir /dv1

Set permissions accordingly.  In my scenario, I wanted our developers to all be able to access this directory from Windows, and they were all part of the ‘developers’ group on my RedHat server, so I set the permissions like so:

#> chown developers.developers /dv1
#> chmod 755 /dv1

In order to get Samba to share this directory, I had to add the appropriate policies for SELinux, which are mentioned in the smb.conf file.  Assuming you are running SELinux (it’s default with RedHat Enterprise 5), these can be added at the command line.

Since you created a new directory that will be shared with Samba (the ‘dv1’ directory you created earlier), an SELinux label must be set for it as well. Using ‘dv1’ as the directory name, set the label like so:

#> chcon -t samba_share_t /dv1

Now to configure the Samba configuration file.  Always make a backup of the original before editing any config file!

#> cp /etc/samba/smb.conf /etc/samba/smb.conf.orig

To edit the config file, do this:

#> nano /etc/samba/smb.conf

Under [global] settings, uncomment the necessary lines and make changes so that it looks something like this:

workgroup = YourWindowsWorkgroupName
server string = YourRedhatServerName
netbios name = YourRedhatServerName
hosts allow = 127.0.0.1 192.168.1.

Leave everything else in that section the way it is.

Note: the 192.168.1. prefix needs to match your local network, so only hosts on that network (and the server itself) are allowed to connect.

Then under Standalone Server Options:

    security = user
    passdb backend = tdbsam

I commented out all Printer sharing crap since I didn’t use any of that.

Lastly, under Share Definitions:

[homes]
        comment = Home Directories
        browseable = no
        writeable = yes
;       valid users = %S
;       valid users = MYDOMAIN%S
;[printers]
;       comment = All Printers
;       path = /var/spool/samba
;       browseable = no
;       guest ok = no
;       writeable = no
;       printable = yes
[dv1]
        comment = My dog has fleas
        path = /dv1/
        valid users = user1,user2,user3
        public = no
        writeable = yes
        create mask = 0765

Obviously, swap out user1,user2,user3 with the users who will be accessing this share.  You put the username for the RedHat box you are on, not the Windows username (unless it’s the same).

Save the file and go back to the command line. Test it out by running this:

#> testparm

You shouldn’t see any errors reported. If all is good, run this:

#> service smb restart

You will see smb and nmb stop and restart.  There should be no errors or “FAILED” notices.

Assuming your users already have accounts on your RedHat box, you need to add them to Samba like so:

#> smbpasswd -a username
New SMB password:
Retype new SMB password:

I set a temporary password here, then ask them to change it next time they log into the server at the command line by running this:

#> smbpasswd

It will prompt them for their old password (the temporary one you just gave them), and for the new one.

Once all that is done and you have set your own Samba password, you should be able to do this from Windows:

Go to Start and select Run.  Type in the hostname of your RedHat server (which you specified in the smb.conf file) like so:

\\YourRedhatServerName

You will be prompted for a username and password, and you should enter the RedHat server login name and the Samba password that you just created.

If all goes well, a window will appear which shows the dv1 directory.  You can now drag, drop, copy, and paste to and from this folder as if it were on your Windows machine!
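As an added example that is not part of the original post, here is a small smb.conf linter in POSIX sh and awk that checks the points the share definition above gets right (a hosts allow list, a valid users list, public = no, and a create mask that does not hand write access to everyone) and flags a config that gets them wrong. Both configs in the block are constructed samples, not the author's real smb.conf.

```shell
# Added example, not from the original post: a small smb.conf linter in POSIX
# sh + awk for the settings a reviewer checks in a share definition like [dv1].

# Reads an smb.conf on stdin, prints one WEAK line per finding, exits 1 if any.
lint_smb_conf() {
    out=$(awk '
        function flush() {   # evaluate the share section that just ended
            if (sec == "" || sec == "global" || sec == "homes" || sec == "printers") return  # not file shares
            if (guest == "yes") print "WEAK: [" sec "] allows guest access"
            if (users == "") print "WEAK: [" sec "] has no valid users restriction"
            if (cmask ~ /[2367]$/) print "WEAK: [" sec "] create mask " cmask " lets others write"
        }
        /^[ \t]*[;#]/ { next }                       # skip commented-out lines
        /^[ \t]*\[/ {                                # a new [section] header
            flush()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); sec = tolower(sec)
            guest = "no"; users = ""; cmask = ""
            next
        }
        /=/ {                                        # key = value line
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t]+$/, "", val); val = tolower(val)
            if (sec == "global" && key == "hosts allow") hosts = val
            if (key == "guest ok" || key == "public") guest = val    # public is a synonym
            if (key == "valid users") users = val
            if (key == "create mask" || key == "create mode") cmask = val
        }
        END {
            flush()
            if (hosts == "") print "WEAK: [global] has no hosts allow restriction"
        }')
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Constructed sample: an open share that any host on the network can write to.
WEAK_CONF='[global]
   workgroup = WORKGROUP
[public]
   path = /srv/public
   guest ok = yes
   writeable = yes
   create mask = 0777'

# Constructed sample mirroring the post: hosts allow, valid users, public = no.
HARDENED_CONF='[global]
   hosts allow = 127.0.0.1 192.168.1.
[dv1]
   path = /dv1/
   valid users = user1,user2,user3
   public = no
   writeable = yes
   create mask = 0765'

printf '%s\n' "$WEAK_CONF" | lint_smb_conf || echo "-> weak config rejected"
printf '%s\n' "$HARDENED_CONF" | lint_smb_conf && echo "-> hardened config passes"
```

Run it against a real file with `lint_smb_conf < /etc/samba/smb.conf`; it complements testparm, which only checks syntax, not whether the share is exposed more widely than intended.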

The Biggest Shot In The Foot Ever?

For the last few weeks, the techie blogs have been circulating stories about how Microsoft Windows Vista can be installed and used for free for 120 days. You see, Microsoft gives you 30 days to try it out for nothing, but then they will disarm it and require you to purchase a license to continue using it.

Someone found out that Microsoft had built in a way to extend that 30-day trial to 120 days through a little registry tweak.

Well, now someone has figured out how to extend it indefinitely, not by hacking or cracking the operating system, but by using the built-in tools that Microsoft included in the operating system.

From DailyCupOfTech.com:

“It appears that crackers need not break Windows Vista activation because Microsoft has done it for them! Brian Livingston of Window Secrets writes in Microsoft allows bypass of Vista activation about how to allow you to keep your Vista box running indefinitely without activating it.”

It is likely that MS will try and fix this through some future patch, but what will they break in doing so? They obviously had a need to provide this functionality for some reason.

Now that I’ve abandoned Winders on the home desktop completely for RedHat Fedora linux, this makes me chuckle. However, maybe I’ll give it a shot and see what happens!

Windows Free – Update 1

After about 4 hours of using Ubuntu Linux, I ditched it and installed Fedora Core 4. The main reason was that Ubuntu does not have a root user. This may seem odd to experienced Linux folks, but the intentions behind it are good. Unless you know what you are doing, you can completely hose a Linux operating system as the root user. So, in order to become as user-friendly as possible for Linux newbies, they require you to use ‘sudo’ for everything in Ubuntu.

To me, this was a slowdown. I decided to go with what I am most familiar with, and that is the RedHat-based Fedora Core 4.

More on my venture to discard Windows from my life will soon follow.

Windows Free!

I got fed up. Fed up with a bogged down operating system. I got tired of viruses, spyware, licenses, etc etc etc.

Tonight I made the switch.

No, not to Apple. To Linux. Full-time, full-on Linux. Ubuntu, to be exact.

Within two hours I was up and running a smooth desktop, playing music from my iTunes library, browsing with Firefox, checking all my email in Thunderbird, and enjoying the feeling of being free from Windows.

The remarkable thing is that almost all of my USB devices work. My webcam does not, but a quick lookup found a tutorial on setting it up. Transferring all of my files was easy too. I just mounted my WinXP hard drive and whammo – it’s all accessible.

It’s still very early to tell how well I will adjust to this in my day-to-day working environment at home, so I will report back here on the matter in a week or two.
