Windows privilege escalation by Dhruv Shah

Preview:

Click to see full reader

Citation preview

Windows Privilege Escalation

Because gaining shell to the system is just not enough

C:\> type disclaimer.txt

• The opinions expressed in this presentation are mine and not those of my employer.

• Dhruv Shah• @snypter• http://security-geek.in

http://security-geek.in/

What are we here for ?

• Different scenarios leading to privilege escalation

• Design issues , implementation flaws, untimely system updates , permission issues etc

• We ain’t talking about overflows here , just logics and techniques

Flavours are we looking at ?

• Windows XP• Windows 7 • Windows 2003

Two Types of Escalation

• Admin to System– Easy , not much effort needed

• User to System– Here is where the real deal lies in

Admin to System

( Piece of Cake )

• The famous “at” command

• “psexec” anyone ?

Demo

System Privilege using “at”

Pass the Hash

• Managed to get the user hash• Password is complex will take long time to

crack via rainbowtables• Boom Boom Pow.

Abusing Scheduled Tasks

• Admin creates a scheduler task with System privileges

Abusing Scheduled Tasks

• Sadly the file to be executed is accessible by everyone

Demo

Creds in Files

• C:\users\victim\Desktop\password.xls• C:\>dir /b /s web.config• C:\>dir /b /s unattend.xml• C:\>dir /b /s sysprep.inf• C:\>dir /b /s sysprep.xml• C:\>dir /b /s *pass*• Registries are also a good place to have a look

at

Weak Directory Permissions

Lets have some fun

Demo

Abusing Service misconfigurations

• Possible attack vectors ?– Editing the service config– Editing the binary path

Todays Discusssion – Unquoted Service path Vulnerability

Unquoted Service Path

Unquoted Service Path

• c:\program*files\sub*dir\program*name• c:\program.exe files\sub dir\program name• c:\program files\sub.exe dir\program name• c:\program files\sub dir\program.exe name

Unquoted Service Path

Unquoted Service Path

Demo

Editing Service Binaries

• What are service binaries ? • How do we exploit them ?

• Lets exploit upnphost of the Windows system a default servcice that runs

Editing Service Binaries

Editing Service Binaries

Editing Service Binaries

Demo

Thank you

• Questions ?

Recommended

Credential Assessment - Mapping Privilege Escalation at Scale
Technology
Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating
Documents
Privilege Escalation via Client Management Software · for privilege escalation attacks within corporate networks. November 21, 2015 Matthias Deeg | BSidesVienna 0x7DF 5. Common Security
Documents
A. Cervoise antoine.cervoise@devoteam · Server allows privilege escalation (PHP vulnerability) Attack 1 CMS allows le upload !Code execution PHP allows privilege escalation !Root
Documents
Towards Taming Privilege-Escalation Attacks on Androidbugiel/publications/pdfs/bugiel12-ndss.… · Towards Taming Privilege-Escalation Attacks on Android Sven Bugiel 1, Lucas Davi
Documents
A framework for on-device privilege escalation …...2011/06/16  · 2011-06-12 Android Exploit Framework 1 A framework for on-device privilege escalation exploit execution on Android
Documents
Security Bulletin - July 2019€¦ · Linux kernel Local Privilege Escalation Vulnerability ( CVE-2019-12817 ) Linux Kernel is prone to a local privilege-escalation vulnerability
Documents
SIMPLE%TECHNICS%OF PRIVILEGE%ESCALATION% · Kamil Stawiarski – Simple technics of privilege escalation in Oracle Database 11.2.0.3!! 2! Environmentdescription% • OS!I!Oracle!Linux!Server!release!6.3!x64!
Documents
Hunting for Privilege Escalation in Windows Environment · Privilege escalation is the result of actions that allows an adversary to obtain a higher level of permissions on a system
Documents
CSW2017 Privilege escalation on high-end servers due to implementation gaps in CPU Hot-Add flow
Internet
Extreme Privilege Escalation on Windows 8/UEFI · PDF fileExtreme Privilege Escalation on Windows 8/UEFI Systems ... The King's Gambit, ... Extreme Privilege Escalation
Documents
in Windows OS Escalation Privilege - University of …arnold/427/15s/csc427/indepth/privilege... · “sudo” is “runas” to run with privileges Types of Accounts: Local User
Documents
ENCYCLOPAEDIA OF WINDOWS PRIVILEGE ESCALATION
Documents
Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps
Documents
Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating
Documents
PowerUp - Automating Windows Privilege Escalation
Technology
Controlled Privilege Escalation in Linux/UNIX … · Controlled Privilege Escalation in Linux/UNIX ... or a "guest" admin might be empowered to ... In Solaris 8, Sun introduced RoleBased
Documents
Differentiate among various systems’ security threats: Privilege escalation Virus Worm Trojan Spyware Spam Adware Rootkits Botnets
Documents
Preventing Privilege Escalation
Documents
Extreme Privilege Escalation on Windows 8/UEFI Systems
Documents