Windows

CVE

https://github.com/MzHmO/Exploit-Street

SeImpersonate

TL/DR

If you do not want to use Sweet Potato:

Enable a token privilege (PowerShell P/Invoke wrapper around AdjustTokenPrivileges)

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.ComponentModel;
// AdjustTokenPrivileges can only enable a privilege that is already present (but
// disabled) on the token; it cannot grant a privilege the account does not hold.
public class TokenPriv {
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern bool CloseHandle(IntPtr hObject);
    [DllImport("advapi32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
    public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges, ref TOKEN_PRIVILEGES NewState, UInt32 BufferLength, IntPtr PreviousState, IntPtr ReturnLength);
    public const UInt32 TOKEN_ADJUST_PRIVILEGES = 0x0020;
    public const UInt32 TOKEN_QUERY = 0x0008;
    public const UInt32 SE_PRIVILEGE_ENABLED = 0x2;
    public const int ERROR_NOT_ALL_ASSIGNED = 1300;
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public UInt32 LowPart; public Int32 HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID_AND_ATTRIBUTES { public LUID Luid; public UInt32 Attributes; }
    // One-entry TOKEN_PRIVILEGES; enough because we enable a single privilege at a time.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public UInt32 PrivilegeCount; public LUID_AND_ATTRIBUTES Privileges; }
    public static void EnablePrivilege(string priv) {
        IntPtr hProc = GetCurrentProcess();
        IntPtr hToken;
        if(!OpenProcessToken(hProc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try {
            // Resolve the privilege name (e.g. "SeDebugPrivilege") to its LUID.
            LUID luid;
            if(!LookupPrivilegeValue(null, priv, out luid))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1;
            tp.Privileges = new LUID_AND_ATTRIBUTES();
            tp.Privileges.Luid = luid;
            tp.Privileges.Attributes = SE_PRIVILEGE_ENABLED;
            if(!AdjustTokenPrivileges(hToken, false, ref tp, (UInt32)Marshal.SizeOf(tp), IntPtr.Zero, IntPtr.Zero))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            // The call returns TRUE even when nothing was enabled; in that case the last
            // error is ERROR_NOT_ALL_ASSIGNED, meaning the token does not hold the privilege.
            int err = Marshal.GetLastWin32Error();
            if(err == ERROR_NOT_ALL_ASSIGNED)
                throw new Win32Exception(err, "Token does not hold " + priv);
            if(err != 0)
                throw new Win32Exception(err);
        } finally {
            CloseHandle(hToken);
        }
    }
}
"@ -PassThru

# Enable SeDebugPrivilege on the current process token
[TokenPriv]::EnablePrivilege("SeDebugPrivilege")
Write-Host "Try again: whoami /priv"

Service Binary Hijacking

When using a network logon such as WinRM or a bind shell, Get-CimInstance and Get-Service will result in a "permission denied" error when querying for services with a non-administrative user. Using an interactive logon such as RDP solves this problem.

Get a list of all installed Windows services

The icacls.exe utility outputs the corresponding principals and their permission mask. The most relevant permissions and their masks are listed below:

Mask  Permissions
F     Full access
M     Modify access
RX    Read and execute access
R     Read-only access
W     Write-only access

In order to execute the binary through the service, we need to restart it. We can use the net stop command to stop the service.

If we do not have permission to manually restart the service, we must consider another approach. If the service Startup Type is set to "Automatic", we may be able to restart the service by rebooting the machine.

Check StartMode:

In order to issue a reboot, our user needs to have the SeShutdownPrivilege privilege assigned.

Get Modifiable services and abuse:

Service DLL Hijacking

The following listing shows the standard search order.

Find process with missing dll

Use Procmon from Sysinternals to check for missing DLLs ("NAME NOT FOUND").

Make sure you have enough rights to write your DLL to this directory.
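The two steps above (knowing where the loader will look, and knowing which of those directories you can write to) can be checked in one pass. The following is an added example, not code from the original notes: it walks the standard DLL search order with SafeDllSearchMode enabled (the default on current Windows) for a given executable, stops at the first directory that already contains the DLL, and reports for each directory visited whether the current user holds a Write, Modify or FullControl allow ACE on it. The executable path and DLL name at the bottom are placeholders to be replaced with the service binary and the name Procmon reported as NAME NOT FOUND.

```powershell
# Added example (not part of the original page). Resolves a DLL name through the
# standard search order and flags directories the current user could write to.

function Get-DllSearchOrder {
    # Standard search order with SafeDllSearchMode enabled (the default).
    param([string]$ExePath)
    $dirs = @(
        (Split-Path -Parent $ExePath),      # 1. directory the application loaded from
        [Environment]::SystemDirectory,     # 2. System32
        (Join-Path $env:windir 'System'),   # 3. 16-bit system directory
        $env:windir,                        # 4. Windows directory
        (Get-Location).Path                 # 5. current directory
    )
    $dirs += ($env:Path -split ';' | Where-Object { $_ })   # 6. PATH entries, in order
    return $dirs
}

function Test-CurrentUserCanWrite {
    # Simplified ACL check: an Allow ACE carrying Write bits for the current user or
    # one of its groups grants access unless a Deny ACE for one of them also carries
    # Write bits. (Real evaluation is order-sensitive; this is a conservative audit.)
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    # Modify and FullControl both include the Write bits, so testing Write covers all three.
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    $allowed = $false
    $rules = (Get-Acl -LiteralPath $Dir).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.FileSystemRights -band $writeBits) -eq 0) { continue }
        if ($rule.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Resolve-DllLoad {
    # Returns one row per directory the loader would visit, up to and including the
    # first one that contains the DLL. Every row with Writable=True that comes before
    # (or instead of) the Exists=True row is a hijack-capable location to fix.
    param([string]$ExePath, [string]$DllName)
    $report = @()
    foreach ($dir in Get-DllSearchOrder $ExePath) {
        $candidate = Join-Path $dir $DllName
        $found = Test-Path -LiteralPath $candidate -PathType Leaf
        $report += [pscustomobject]@{
            Directory = $dir
            Exists    = $found
            Writable  = Test-CurrentUserCanWrite $dir
        }
        if ($found) { break }   # the loader stops at the first hit
    }
    return $report
}

# Placeholder inputs (assumed, not from the page): replace with the real service binary
# and the DLL name Procmon showed as NAME NOT FOUND.
Resolve-DllLoad -ExePath 'C:\Program Files\ExampleSvc\service.exe' -DllName 'missing.dll' |
    Format-Table -AutoSize
```

Run it in the same account and working directory the service would use, since entries 1 and 5 depend on them. One caveat worth remembering when reading the output: a DLL listed under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs is mapped from System32 without going through this search at all, so a writable earlier directory is not a finding for those names.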

Build malicious DLL

The provided comments from Microsoft state that DLL_PROCESS_ATTACH is used when a process is loading the DLL. Since the target service binary process in our example tries to load the DLL, this is the case we need to add our code to.

revshell

To fix build problems, install the MinGW cross-compiler: sudo apt install mingw-w64

Deliver the DLL and trigger its load.

Unquoted Service Paths

When Windows starts the service, it will use the following order to try to start the executable file due to the spaces in the path and lack of quotes.

Enumerate running and stopped services

It shows a stopped service named GammaService. The unquoted service binary path contains multiple spaces and is therefore potentially vulnerable to this attack vector.

Let's enter this command in cmd.exe instead of PowerShell to avoid escaping issues for the quote in the second findstr command. Alternatively, we could use Select-String in PowerShell.

The output of this command only lists services that are potentially vulnerable to our attack vector, such as GammaService.

Check whether we can start and stop the identified service as steve with Start-Service and Stop-Service.

Next, let's list the paths Windows uses to attempt locating the executable file of the service.

Deliver your binary to one of these paths and restart the service.
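The "Get Modifiable services" step above, the icacls mask table and the unquoted-path enumeration in this section all come down to the same audit: for every service, which file-system locations does Windows touch at start-up, and can a low-privileged principal write to any of them? The following is an added example, not code from the original notes, that does this in one pass. It derives the executable from each service's PathName, expands an unquoted path with spaces into the candidate paths Windows tries in order (each prefix ending at a space with ".exe" appended, then the full path), and runs icacls on the binary and on the directories those candidates would land in, reporting any Everyone / Users / Authenticated Users / INTERACTIVE entry with an F, M or W mask. It assumes the usual icacls output format and, as noted earlier, needs an interactive or administrative session for Win32_Service to answer.

```powershell
# Added audit example (not part of the original page): find services whose start-up
# paths a low-privileged principal could modify.

# Principals whose write access to a service binary or its directory is a finding.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-UnquotedPathCandidates {
    # Reproduces the order Windows tries for an unquoted path containing spaces, e.g.
    # C:\Program Files\Gamma Corp\Service.exe ->
    #   C:\Program.exe, C:\Program Files\Gamma.exe, C:\Program Files\Gamma Corp\Service.exe
    param([string]$Path)
    $parts = $Path -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    $candidates += $Path
    return $candidates
}

function Get-LowPrivWriteAccess {
    # Returns "<principal> <flags>" for each low-privileged principal that icacls
    # shows with Full (F), Modify (M) or Write (W) on $Path. Deny ACEs are skipped;
    # granular masks such as (WD) are not considered, only the table's masks.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $findings = @()
    foreach ($line in (& icacls.exe $Path 2>$null)) {
        # icacls prefixes its first line with the path; strip it so only
        # "<principal>:(<flags>)" remains.
        $entry = $line.Replace($Path, '').Trim()
        if ($entry -notmatch '^(.+?):(\(.*\))$') { continue }
        $principal = $Matches[1]
        $flags     = $Matches[2]
        if ($flags -match '\(DENY\)') { continue }
        if ($LowPrivPrincipals -contains $principal -and $flags -match '[(,](F|M|W)[,)]') {
            $findings += "$principal $flags"
        }
    }
    return $findings
}

function Find-WeakServicePaths {
    $results = @()
    foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.PathName })) {
        $raw      = $svc.PathName.Trim()
        $unquoted = -not $raw.StartsWith('"')
        # Keep only the executable; service paths frequently carry arguments after it.
        $exe = if ($raw -match '^"?(.*?\.exe)') { $Matches[1] } else { $raw.Trim('"') }
        $targets = @($exe)
        if ($unquoted -and $exe.Contains(' ')) {
            # Directories that would receive a planted binary for an unquoted path.
            $targets += Get-UnquotedPathCandidates $exe |
                ForEach-Object { Split-Path -Parent $_ } |
                Select-Object -Unique
        }
        foreach ($target in $targets) {
            foreach ($access in (Get-LowPrivWriteAccess $target)) {
                $results += [pscustomobject]@{
                    Service   = $svc.Name
                    StartMode = $svc.StartMode
                    Unquoted  = $unquoted
                    Target    = $target
                    Access    = $access
                }
            }
        }
    }
    return $results
}

Find-WeakServicePaths | Format-Table -AutoSize
```

StartMode is included because, as the section notes, a service the user cannot restart is still reachable through a reboot when it starts automatically; a row with StartMode Auto therefore needs fixing even when Stop-Service is denied. The remediation for each row is the same: quote the path in the service configuration and remove the write ACE, then re-run the script until it returns nothing.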

Scheduled Tasks

Show scheduled tasks:

Check permissions on file from scheduled task:

UAC Bypass

To perform manual enumeration and identify whether a Windows workstation has enabled UAC, you can use the following command from a command prompt:

Tool Enumeration

To run the SharpUp tool and check whether UAC is enabled, execute the following command with the appropriate argument:

PS history

BSOD
