
The Count's A-to-Z of Windows Privilege Escalation

BSides Canberra · 2018 · 43:36 · 244 views · Published 2018-08
Category: Technical
Team: Red
Style: Talk
About this talk
A comprehensive survey of Windows privilege escalation techniques covering enumeration, binary replacement, DLL hijacking, token abuse, and configuration exploits. Gogolkiewicz walks through real-world attack vectors and tools including service misconfigurations, file permission abuse, Citrix environments, and memory-based attacks, with practical lab demonstrations and exploitation scenarios.
BSides Canberra 2018 Slide deck: https://drive.google.com/file/d/1O-vowQSERKB0HGRGbPRTeo-8b64s3OeX/view?usp=sharing
Transcript [en]

we have to zero and thin clients desktop like in our Citrix Microsoft is lonely and the primary focus is from a motor to a higher privilege not possible

so for real this time what uh I run right water runs is is basically anything that starts off on right so you acting where you can control so many services or anything like that through through some techniques a couple tool there they can think of you can use enumeration already services and this is typically like in any kind of Travis situation is one of the first things all run it really like system several tools really these days don't buy a be anymore maybe yes exactly certain things that keep up water runs and their profit on that really so you almost always look alright

the binary replacement or planting so this is a really good it's really plastic on attack and obviously extensively so typical attack if you have physical access or anything we can do is that example box they're not use that extensively sometimes you'll be in a situation where they use convert or Holly the kinda mount mount the deer is trying to play around the hashes you know it's all those things largely it's a second set up just replace that HCC need of eighteen and upon login appreciate a few times get little come on pops popping up other binaries they might want to replace the things like services so anything that has stopped as a servicers it might not

also be a super high Cruiser presence that you're at but it might be something like that part of it domain service can use them laterally and also anything that pulled by a previous service so the way that Windows works is if you have a beginner process through through integrity level to see people by another process and these days there's something on Twitter followers Laurie determining levels typically far out of the same thing for Falls so super classic one basically your typical 1:08 NV MGS the SSD PD copies as an EM page actually pretty good things picked up because usually there will be sharing assignments and I paid community streams across and then extract the passwords

from afar like about the other houses other other devices or something like that maybe a bit with our company our community plans I like it I think it's a really good lifts up is typically a company that had database connection strings and in there you might they might have like si or a hyperlink to you don't be using your databases on another box right now on that database survive compromised other underlying operating system family use whatever credit that you found one hour or whatever the first place but then things like you know pops yes Swift you know settings like run will have passwords in order to win workstation tonight yes all right Gil attacks so we're talking about the

alarm objection every direction because that typically requires some privileges so I'll be manning talk about the oil hydrating evidently shoes there so as you can read up on this rain now that they're essentially what window special series of steps wings looking for a dll when it's called my apprentice and first of all I look in the current directory from where the applications women then

looking with system32 which has a local Julie whether do I have light access to and also we've got a system as well went abroad access to that but then windows as well same-sex situation but most likely or other access wide access to current working directory or potentially something apart and that's where there there is that there were things like presentation process Explorer and it would build run through but and from there you'll show this dll not Bauer's and I can find that you down the powerful okay do I have write access to whatever so II

so I didn't like it putting that off the spice thing where they no explains right so that I'll be able to create so just anything I mean happy always and and anything with misconfigurations like Tomcat completely is still around that it was about three weeks ago or four weeks ago so there was still a comic and I was difficult with holding to the net whatever from their little self seen with a big more objectives I'm plating which is really not forsaking the guy when I take over from so yeah so this is lives through misconfigurations slash exploits about the right all right there's one that

while permission so this one degree might default with Windows any kind of big school with this really sunny gate week now we're program quality though windows system32 directories are always kind of boxy really and generally most applications these days will install themself into those directories so having access but it kind of comes into its own is when they have like D Drive anything outside the default installation is going to be is potentially going to have write access to that same directory online and overwrite access as well as you can overwrite files if they're not use so this is good a check file for millions of positive comments there's a really good tool with licensed internal access check and

there's a piece which is coming up you can control to say I'm you look for files or angle directories this country can specify a user typically yourself defect and there's where I've been what took and so really the process that's being spawned another proven [Music]


right the exploits are out from Srilanka or jennings involves the stuff he's going out with basically exploiting some big signing and actually configuration issues with policy so if you relate to this stuff like I am stick around the pipe losses only talk about it next and he's gonna basically go through some of the and the attack vectors there are good policy so one can only think I've too much into it I'll stick around at the site so h8


this was actually very very surprised so it's a series of steps it's actually really really cool trying exactly the way you exploit the way that we dress up the maintenance names in the domain so you exhaust UDP ports and you force a local economy in their BIOS name service and then you fire up the base W had Roxy you pointed you started with a defender and if you went essentially the process yourself we're supposed to yourself and then you can call it and there's like a redirect there being real and potential still one of you press this and that process is always calculate


so I give it just a little while ago and essentially build his own some backup in the way and I had images and I was fortunate enough that one of the phd's was actually a backup or the domain controller so what you can do is if you do contain mountainside disk manager a VHD and we just do is go in there and just grab some packages and once you do take that stuff offline and then crack all the hashes right so that was very important for me but there are some other victims as well just and that kids the rich we're boiling VMware images might be either in a coal state or hot sex you can potentially grab those into

results like many cats or by pumping through your I am ESX server part of mating habits and actually just to fix cracks and passwords or even if you just want to maybe plan


so I think think this this situation you're in you're on a pen test for your engagement and you compromise Webster and if you if you have read access on the windows there's very little you can do it's not like Linux we get the shadow file cracking unless you go down the path of exploiting some like that Apache local file include the shell exec stuff which is good but you might not be in that kind of situations like every Apache so you can't go through some low class with my eye is locked they might have picked up session programs so if it deserves to be that that web servers will set off your content management system way to

upload arbitrary files and all those things you can actually upload CMD dot aspx conduct and then use that to gain access online on the line operators with them and then execute commands even things like even still you know they might be passing across new segment passwords and I still love grab that data they might be able to do might be able to reuse that somewhere else or target the privilege and then things like let's get our survey get connection strings see come on flying around inside BlogPaws and that might I've got to use those to target other database servers and we go down a half minutes later losers out break out it's got transactions so not every

engagement is going up in da all those looks very nice together one-sided so you might want to look at credit card data for example the right side yes I could get credit card data so to see the white bar any custom applications

yes so memory access there's been a part of research really recording section fantastic tool around as well Commodore what's their attack bit basically the reason why-y-y funding

because you have direct access to memory can delete portions of it so it sort of like Inception yeah so from there I wouldn't use that on that assessment there's a laptop and as I hey this thing's be left in the Train what can you do have a look and it just happened to be there's very own laptop had a firewire so you going somewhere and then used used to [ __ ] circulate actual hospital administrator okay

right so like I said with the images before we go back floating around scripts on a reason engagement there was a shortcut really cool Ivan had direct access to the Delaney attempt puppets ah really no mr. script but there's script was named Paul by certain user types within his organization which was mounting yet he didn't share and then it just happened to be that on that getting shared was like the crown jewels was great this was like the Pacific obtain an email those files and I was the target so that I'm kind of really good so have a look at any kind of any shortcuts that consists of also if your bank machine a smell balls application

in stores right so if you learn what was the situation you you go with my heart is pretty sees but we can do is actually installed every single tools available typically by default a default app Locker policy will automatically any MSI's because their whitelist it so just it's the what absolutely everything I've been one of those same finally happy no yes I things like the users sharing their their drives so like typically you may be in a dev environment you might have the dev team sharing like they see driving inside there they had my hair puff and everybody hire a server system so then you can kind of just why something in there like again to see if

data is be able to do that to that dry and then just fire up there with


right so Citrix Citrix is a really cool environment we go through all the slides going to be part of this I'll take they are very copyright particular stuff out there is an environment whereby has access to it and a lot of people tend to use the root directory or Sikh temple seat n2z 10:12 as like their home drive or something right so there might be some really cool diverter Lynette I found in the past where just post that I compromised was like their job post of all the admin doing inside there I had a spreadsheet of the awareness of others offering as well as the troops and survival stuff so like through the Remote Desktop Services I think nothing

else like if they're not adequately locked down and the able to browse the local data that the previous user was

and white has something is collecting berries were research assistant pretty good so have a look around my father's closet okay this one obviously passwords so your default kind of things like hey I'm a new employee here he's a passive welcome one man who doesn't set up office doesn't depend on first log on there's always a good thing and you can test that conducted a just fall will see more than one password one client name or something like that but the bonus round to inside PXE boot anyway so deep seafood what is it speak pretty pretty good execution environment we basically remote remote mode images talk to your local store so what I've done in the past is fire up something

like VirtualBox or VMware reach the adapter connects to the network fire off make a fool of network you put there 12 hours and you did basically get a list of all their workstations servers and stuff like that they're presented which they want to roll out and I'll have you listen to partners work with this client I think they remember they have about six or seven digits on that and then from there you can double reasons I might joints it basic food halls you don't need to try to exploit you can cancel pop at together on a network you're already spontaneously optimizer that's a really good kind of okay and I want me to call some recommendations

that too much but you want to kind of attach them to get out what you think thank you anyone else

thank you our codes so the QR codes consent actually store a lot of data so so the scan QR code Victor things like

one equals one

right so how in any compact Amani infection as well can you break out all of the esophagus

I've never personally uses attack first are there is a really good paper down a little and this is using using QR codes as

all right so they're registering this is really cool key with other registry that you so this case and test monkey it's really useful and there's like there are some good touring out there but if you if you're in a situation where you might be message reminders about is that your state and having internet you what you're trying to do is just like run as one once really good always install elevators are really good people have a look at that faith if that means that you can install a messiah which is in an elevated fashion and is noticeably larger of the pack in the size that you're writing on that's why it's up people seem like it's up because not

really really much anymore there's a lot but a hot statement around and Canada Renaissance a food registry I don't want that one it kind of came that what's being like there I mean what where you have access to any kind of applications that are installed you want to have access to like the C Drive or like program for to see what access door things we do very very true you cannot you see that might attack service tech

services so just check what take that off so you've got everyone's use as well but levels default Windows registry permissions they want to check there are some really they can't have like how they started on its dying a system I started has a domain enjoying use not which might be was super hang to you than anything want another portion of the network and what privilege is doing right so if you have a situation where you trying to remake fringes on a service and you can't see what privileges it has the main things about - so that's probably a good target any comp generally of wedding backpacks remote services and also keep in mind when you're doing

this kind of stuff what other point is debatable today there's a service start and then qualifying so interesting like this thing is a female happy I guess AP starts up when you log in running as a hot proof and then even there that goes to cooling we minor to play off the Ryan calculate of the right leg pilot based on time that's cool in my laundry right and you might have access to

yeah right right so the tops of the puffs manager toss lists so have a look at what is playing this one I actually did use covering the way through longer so you have what web services are running this is attacks against the tacky [Music] basically also is a hot application let me enhance so this one is a real screenshot my client right so for instance in task manager you depress the top of a task manager in the command line you have two boys go back you extra column and receive the command line options in there she had - USA - P password whatever it also strong strength and then a a dynamic so - thank

you so this is a really good win right so then you do that I think it's going to target that database now it's that size you can easily borrow - not exactly break out of that far up right so I'm quite a service man

so this is an issue with this particular path simply have a D level - stuff works like alarm when it searches for when it's going through an executable and this is one build is actually exploiting spaces so it's windows like learning spaces so they put around quotes so if you have access to it a directory we can write where there's a space in the folder part doing and potentially the descent calling program of Sifl and have parties in your service but if that's inside Program Files and then you have eyes to see gone you can put programming on a x8 and I said the search pop is going to look at a

file and forge your file instead of going for the talk so the big stash is going to place and there's a really good one-liner that is on every since long security alright so this one's sorry good boy County coffee so it kind of this situation we need Prince I'm sorry but essentially windows locks fall veneering use volumes havoc puppy essentially you can use through people equality okay so what you can do is give all your shadow copy this command block there and copy entire system directory so then that would that would allow you to access things like the same balls which you typically you know want to use the tracking if your domain controller is really good attack to get this is how

you get the insidious about to fall but also when you come to stress the panics as well you know that annoyance way to trying to delete a fall and it's just not working we try to copy [ __ ] one things like database bars so you can copy a runny nose fall how many of you I'm not a nice access to the Donbass that right right

well if the bank operates do you know right so this is pretty interesting that because the situation really anything else gonna head for it internet cafe and you in the position we don't in clear the Wi-Fi password for that network that they're all using right so if you fire up your laptop around on a device and you have access to that sensor scans or maybe pocket on users our inception longer story and attentively get some hashes out and stuff like that but popular demand so that means suspects until a little while ago now mm big thing so it's a really good attack vector so essentially it's it exploits 9s SL w sauce Thanks and I have

been loyal seriously has not been one one network what I think W starts vegetable yes it's always interesting because them just set up in the works if they're sort of compasses right so this exploits the vulnerabilities are that and intransitive are competing stores right

right here so yeah so it kept emptiness so if you see from one category to PXE boot as well like in that example is authority control of image network ship they crack surpasses poplar hash actually really good now this tooling out there for this computers extract cognitive and their users esse debate and it's candy bit painful to install but that have a reputation problem not as comfortable and that's a really good boy who actually is it's a forensics tool used to extract the ends of the best things we just use it evil eyes right why

so when you launch with like to say SharePoint and take my pass they typically look of SMB see where that temp is stored that would drop you can potentially get the middle of it and then you can be injected running template instead and of course it's enabled and


it's a resource that there's some people with do a lot better way than I do so there's a really good presentation it's coming color it's it's pretty old now it's still super relevant Breton volunteered at the assault the pity of anezka desk that's actually a really good look at that it really becoming explaining some of the things simple to keep an eye out off Econoline age at test monkeys Spectre office I'm security we were pretty girls has some awesome stuff Twitter fate to have a look at


yes just over yeah

you mentioned physical memory think what's using like say us because then DNA restricted I thought of it

I mean

okay give me your animal too late
