Privilege Escalation
Local Privilege Escalation
Missing patches
Automated deployment and AutoLogon passwords in clear text
AlwaysInstallElevated (Any user can run MSI as SYSTEM)
Misconfigured Services
DLL Hijacking and more
NTLM Relaying a.k.a. Won't Fix
Tools for complete coverage
PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Privesc: https://github.com/enjoiz/Privesc
winPEAS: https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
Service Issues using PowerUp.p1
PowerUp.ps1 Invoke-AllChecks
Import-Module .\PowerUp.ps1
Invoke-AllChecksGet services with unquoted paths and a space in their name
Get services where the current user can write to its binary path or change arguments to the binary
Get the services whose configuration current user can modify
privesc.ps1
winPEAS-ng
Feature Abuse
Features abuse are awesome as there are seldom patches for them and they are not the focus of security teams!
One of my favorite features abuse is targeting enterprise applications which are not built keeping security in mind
On Windows, many enterprise applications need either Administrative privileges or SYSTEM privileges making them a great avenue for privilege escalation
Kerberoast
Offline cracking of service account passwords.
The Kerberos session ticket (TGS) has a server portion which is encrypted with the password hash of service account. This makes it possible to request a ticket and do offline password attack
Because (non-machine) service account passwords are not frequently changed, this has become a very popular attack!
Request tickets one at a time to avoid chance of detection
Find user accounts used as Service accounts
Use Rubeus to list Kerberoast stats
Use Rubeus to request a TGS
Request tickets one at a time to avoid chance of detection
To avoid detections based on Encryption Downgrade for Kerberos EType (used by likes of MDI - 0x17 stands for rc4-hmac), look for Kerberoastable accounts that only support RC4_HMAC
Kerberoast all possible accounts
Crack ticket using John the Ripper
Targeted Kerberoasting - AS-REP
If a user's UserAccountControl settings have "Do not require Kerberos preauthentication" enabled i.e. Kerberos preauth is disabled, it is possible to grab user's crackable AS-REP and brute-force it offline
With sufficient rights (GenericWrite or GenericAll), Kerberos preauth can be forced disabled as well
Enumerating accounts with Kerberos Preauth disabled
Force disable Kerberos Preauth:
Enumerate the permissions for RDPUsers on ACLs
Request encrypted AS-REP for offline brute-force
To enumerate all users with Kerberos preauth disabled and request a hash
Crack hashes offline with John The Ripper
Set SPN
With enough rights (GenericAll/GenericWrite), a target user's SPN can be set to anything (unique in the domain)
We can then request a TGS without special privileges. The TGS can then be "Kerberoasted"
Enumerate the permissions for RDPUsers on ACLs using PowerView:
Check if the user already has a SPN:
Set a SPN for the user (must be unique for the domain)
Kerberoast the user
Kerberos Delegation
Kerberos Delegation allows to "reuse the end-user credentials to access resources hosted on a different server"
This is typically useful in multi-tier service or applications where Kerberos Double Hop is required
For example, users authenticates to a web server and web server makes requests to a database server. The web server can request access to resources (all or some resources depending on the type of delegation) on the database server as the user and not as the web server's service account
Please note that, for the above example, the service account for web service must be trusted for delegation to be able to make requests as a user
A user provides credentials to the Domain Controller.
The DC returns a TGT.
The user requests a TGS for the web service on Web Server.
The DC provides a TGS.
The user sends the TGT and TGS to the web server
The web server service account use the user's TGT to request a TGS for the database server from the DC
The web server service account connects to the database server as the user
There are two types of Kerberos Delegation:
General/Basic or Unconstrained Delegation which allows the first hop server (web server in our example) to request access to any service on any computer in the domain
Constrained Delegation which allows the first hop server to request access only to specified services on specified computers. If the user is not using Kerberos authentication to authenticate to the first hop server, Windows offers Protocol Transition to transition the request to Kerberos
Please note that in both types of delegations, a mechanism is required to impersonate the incoming user and authenticate to the second hop server as the user
Unconstrained Delegation
When set for a particular service account, unconstrained delegation allows delegation to any service to any resource on the domain as a user
When unconstrained delegation is enabled, the DC places user's TGT inside TGS (Step 4 in the previous diagram). When presented to the server with unconstrained delegation, the TGT is extracted from TGS and stored in LSASS. This way the server can reuse the user's TGT to access any other resource as the user
This could be used to escalate privileges in case we can compromise thecomputer with unconstrained delegation and a Domain Admin connects to that machine
Discover domain computers which have unconstrained delegation enabled
Compromise the server(s) where Unconstrained delegation is enabled
We must trick or wait for a domain admin to connect a service on appsrv
Now, if the command is run again:
The DA token could be reused:
Printer Bug
How do we trick a high privilege user to connect to a machine with Unconstrained Delegation? The Printer Bug!
A feature of MS-RPRN which allows any domain user (Authenticated User) can force any machine (running the Spooler service) to connect to second a machine of the domain user's choice
We can force the evil-dc to connect to evil-srv by abusing the Printer bug
We can capture the TGT of evil-dc$ by using Rubeus on evil-srv:
And after that run MS-RPRN.exe (https://github.com/leechristensen/SpoolSample) on the student VM:
Copy the base64 encoded TGT, remove extra spaces (if any):
Once the ticket is injected, run DCSync:
If you are attacking from a Linux machine, check out Coercer (https://github.com/p0dalirius/Coercer) for other MS protocols that can be abused for coercion
Constrained Delegation
Constrained Delegation when enabled on a service account, allows access only to specified services on specified computers as a user.
A typical scenario where constrained delegation is used - A user authenticates to a web service without using Kerberos and the web service makes requests to a database server to fetch results based on the user's authorization.
To impersonate the user, Service for User (S4U) extension is used which provides two extensions:
Service for User to Self (S4U2self) - Allows a service to obtain a forwardable TGS to itself on behalf of a user.
Service for User to Proxy (S4U2proxy) - Allows a service to obtain a TGS to a second service on behalf of a user.
To impersonate the user, Service for User (S4U) extension is used which provides two extensions:
Service for User to Self (S4U2self) - Allows a service to obtain a forwardable TGS to itself on behalf of a user with just the user principal name without supplying a password. The service account must have the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION - T2A4D UserAccountControl attribute.
Service for User to Proxy (S4U2proxy) - Allows a service to obtain a TGS to a second service on behalf of a user. Which second service? This is controlled by msDS-AllowedToDelegateTo attribute. This attribute contains a list of SPNs to which the user tokens can be forwarded.
with Protocol Transition
A user - Joe, authenticates to the web service (running with service account websvc) using a non-Kerberos compatible authentication mechanism.
The web service requests a ticket from the Key Distribution Center (KDC) for Joe's account without supplying a password, as the websvc account.
The KDC checks the websvc userAccountControl value for the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION attribute, and that Joe's account is not blocked for delegation. If OK it returns a forwardable ticket for Joe's account (S4U2Self).
The service then passes this ticket back to the KDC and requests a service ticket for the CIFS/dcorp-mssql.dollarcorp.moneycorp.local service.
The KDC checks the msDS-AllowedToDelegateTo field on the websvc account. If the service is listed it will return a service ticket for dcorp-mssql (S4U2Proxy).
The web service can now authenticate to the CIFS on evil-mssql as Joe using the supplied TGS.
To abuse constrained delegation in above scenario, we need to have access to the websvc account. If we have access to that account, it is possible to access the services listed in msDS-AllowedToDelegateTo of the websvc account as ANY user
Enumerate users and computers with constrained delegation enabled
Abusing with Kekeo
Either plaintext password or NTLM hash/AES keys is required. We already have access to websvc's hash from evil-srv
Using asktgt from Kekeo, we request a TGT
Using s4u from Kekeo, we request a TGS
Using mimikatz, inject the ticket:
Abusing with Rubeus
We can use the following command (We are requesting a TGT and TGS in a single command):
Another interesting issue in Kerberos is that the delegation occurs not only for the specified service but for any service running under the same account. There is no validation for the SPN specified.
This is huge as it allows access to many interesting services when the delegation may be for a non-intrusive service!
Abusing with Kekeo
Either plaintext password or NTLM hash is required. If we have access to evil-srv hash
Using asktgt from Kekeo, we request a TGT:
Using s4u from Kekeo_one (no SNAME validation):
Using mimikatz:
Abusing with Rubeus
We can use the following command (We are requesting a TGT and TGS in a single command):
After injection we can run DCSync
Resource-based Constrained Delegation
This moves delegation authority to the resource/service administrator.
Instead of SPNs on msDs-AllowedToDelegatTo on the front-end service like web service, access in this case is controlled by security descriptor of msDS-AllowedToActOnBehalfOfOtherIdentity (visible as PrincipalsAllowedToDelegateToAccount) on the resource/service like SQL Server service.
That is, the resource/service administrator can configure this delegation whereas for other types, SeEnableDelegation privileges are required which are, by default, available only to Domain Admins.
To abuse RBCD in the most effective form, we just need two privileges.
Write permissions over the target service or object to configure msDS-AllowedToActOnBehalfOfOtherIdentity.
Control over an object which has SPN configured (like admin access to a domain joined machine or ability to join a machine to domain - ms-DS-MachineAccountQuota is 10 for all domain users)
We already have admin privileges on student VMs that are domain joined machines.
Enumeration would show that the user 'ciadmin' has Write permissions over the evil-ws machine!
Using the ActiveDirectory module, configure RBCD on evil-ws for user machines:
Now, let's get the privileges of evil-ws$ by extracting its AES keys:
Use the AES key of evil-ws$ with Rubeus and access evil-ws as ANY user we want:
DNS Admins
It is possible for members of the DNSAdmins group to load an arbitrary DLL with the privileges of dns.exe (SYSTEM)
In case the DC also serves as DNS, this will provide escalation to DA
Requires privileges to restart the DNS service
Enumerate members of DNSAdmins group
Using DNSAdmins user, configure DLL using dnscmd.exe (needs RSAT DNS):
OR using DNSServer module (needs RSAT DNS):
Restart dns service
By default the mimilib.dll logs all DNS queries to C:\Windows\System32\kiwidns.log
Edit kdns.c to execute custom payload
Last updated