Module 02

Win Attack Lab: Privilege Escalation

1. Introduction

After having established the initial connection to your Windows 10 client via RDP, we will first assess the situation on the machine. This should give you an idea about the available attack surface and possible options to escalate your privileges.

Your current user tmassie is a regular user on the machine and does not have local admin privileges.

2. Situational Awareness

1. Powersploit

The tool we are using to assess the local situation on the client is called PowerSploit. PowerSploit is a collection of PowerShell scripts which can be used in various stages of an attack. In this case, we are going to use the Privesc module to look for possible ways to escalate our privileges.

First, we need to start PowerShell with disabled execution policy. Start a new command line and enter the following command:

powershell -exec bypass

cd C:\temp\tools\PowerSploit\Privesc\

Import-Module .\Privesc.psd1

Invoke-AllChecks

1. Creating UserAdd MSI

In order to exploit the AlwaysInstallElevated registry key, we need to create an executable in the .msi format. You can create your own executable with the tools of your choice or you can simply run the abuse function suggested by PowerSploit:

Write-UserAddMSI

2. Running the exploit

After that we have a new user called backdoor which is part of the local Admin Group

Now we can start a cmd with elevated privileges:

whoami /groups

Take a look at the mandatory label!

3. Questions

1. Explain the vulnerability you used for privilege escalation.

2. Can you use the new user account to log on to another machine and why?

3. Explain if the cmd.exe was started in an elevated context and how you can tell that from the output of whoami /groups?

4. If yes, explain how you “bypassed” UAC?

5. How can you prevent such an attack?

4. Answers

1. On the target win10 Client a policy called AlwaysInstallElevated is set to 1. Any user can install msi packages with elevated system priviledges which is equivalent for granting full administrative rights and a massive security risk! The registry hives are located under:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

2. Login to another machine is not possible yet, because we only elevated our priviledges on the local machine.

3. With local admin privileges we are allowed to start cmd.exe in an elevated context. The mandatory label is set to high then. Otherwise mandatory level will be medium

4. It’s not really a bypass. We just used the admin credentials from our freshly created user backdoor. By playing a little bit we could find out another cool trick. With the tool psexec.exe and the parameters -s -i -d followed by cmd.exe we got a cmd prompt running under local system priviledges!

5. First mitigation in this case is to disable the AlwaysInstallElevated Registry hive