Windows Privilege Escalation via Token Kidnapping

If you have access to a server as nt authority\network service (for example, through an uploaded ASP.NET shell), you can easily elevate your privileges to SYSTEM.

You can download the binary here and compile it yourself, or use the one shipped with sqlninja at /usr/share/sqlninja/apps/churrasco.exe. sqlninja uses it after brute-forcing the sa password.

After uploading the binary to the server, elevate your privileges with this command:

churrasco.bin "net user oscp oscp /add && net localgroup Administrators oscp /add"

The command runs as SYSTEM, so it can create the administrator account.

You can read about this vulnerability on the Microsoft website.

This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Getting Password Hashes from Domain Controller

There are two ways to get hashes from a remote server:

This post is about the second option.

Users' current password hashes, as well as their previous ones, are stored in the ntds.dit file. By default it is located at C:\Windows\NTDS (but not always).

ntds.dit is a database file. The most frequently used part of it is kept in memory, and lsass.exe reads the file on disk when it needs to. When something changes, for example a password, lsass.exe writes the change to a log file first, and the log is later flushed into ntds.dit.

ntds.dit consists of three tables and stores information about domain users. The file is locked by the operating system while the domain controller is running, so to access it we first need to create a shadow copy of the C: volume. We can do that with a standard Windows utility, the Volume Shadow Copy Service (VSS), which is normally used for backups:

vssadmin.exe create shadow /for=C:

This creates a copy of volume C:. The copy is not locked, so we can read files from it. Next we copy two files from it, ntds.dit and the SYSTEM hive:

copy \\?\GLOBALROOT\Device\Harddisk...Copy1\Windows\NTDS\ntds.dit C:\
copy \\?\GLOBALROOT\Device\Harddisk...Copy1\Windows\system32\config\system

To decrypt the hashes stored in ntds.dit we need to:

  1. Decrypt the PEK with the bootkey (RC4);
  2. Run the first round of hash decryption (with the PEK and RC4);
  3. Run the second round of hash decryption (DES).

The PEK (Password Encryption Key) is used to encrypt data in ntds.dit. This key is the same across the whole domain, so it is identical on every domain controller. The PEK is itself stored in ntds.dit, encrypted with the bootkey. The bootkey is taken from the SYSTEM registry hive and is different on every domain controller.

I used secretsdump.py, which is part of impacket, to extract the hashes automatically:

secretsdump.py -system system -ntds ntds.dit LOCAL -outputfile dump

If you want to dump the password history as well, use the -history flag.

It is slow at the beginning, but eventually we get three dump files: the file with cleartext passwords, the file with NT/LM hashes and the file with Kerberos keys.

The value aad3b435b51404eeaad3b435b51404ee in the LM column of the NTLM file is the LM hash of an empty password; it means the account has no LM hash, only an NT hash.
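As an added, defender-oriented example (not part of the original post), here is a small Python script that parses the NT/LM dump file secretsdump writes, skips the -history entries, and reports accounts that still have a real LM hash as well as accounts that share the same NT hash (password reuse). The sample lines and hashes are constructed placeholders, not real credentials.

```python
import re
from collections import defaultdict

# LM hash of an empty password: secretsdump prints it when an account has no LM hash.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample in secretsdump .ntds format (domain\user:rid:lmhash:nthash:::).
# The hash values are made-up placeholders.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
CORP\\alice:1104:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
CORP\\bob:1105:0123456789abcdef0123456789abcdef:33333333333333333333333333333333:::
CORP\\svc_backup:1106:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
CORP\\alice_history0:1104:aad3b435b51404eeaad3b435b51404ee:55555555555555555555555555555555:::
"""

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_dump(text):
    """Parse secretsdump .ntds lines; mark *_historyN rows produced by -history."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a hash line
        row = m.groupdict()
        row["history"] = re.search(r"_history\d+$", row["user"]) is not None
        rows.append(row)
    return rows


def audit(rows):
    """Return (accounts with a real LM hash, NT hashes shared by >1 current account)."""
    current = [r for r in rows if not r["history"]]
    lm_present = [r["user"] for r in current if r["lm"] != EMPTY_LM]
    by_nt = defaultdict(list)
    for r in current:
        by_nt[r["nt"]].append(r["user"])
    shared = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return lm_present, shared


if __name__ == "__main__":
    lm_users, reused = audit(parse_dump(SAMPLE_DUMP))
    print("accounts with LM hash:", lm_users)
    print("NT hashes shared by several accounts:", reused)
```

Accounts with an LM hash should have their password changed with LM storage disabled, and shared NT hashes point to password reuse worth following up.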

Getting Credentials from Unprotected Jenkins

Jenkins is a Continuous Integration server. Continuous Integration is the practice of running tests on a non-developer machine automatically every time someone pushes new code into the source repository.

Sometimes you can find a Jenkins instance that is not password protected. This is dangerous because Jenkins instances have a /script endpoint. This endpoint contains a textbox where you can paste a Groovy script. Groovy is a scripting language that runs on the Java virtual machine.

The following Groovy code lists the files in the / directory:

def sout = new StringBuffer(), serr = new StringBuffer()  // buffers for stdout and stderr
def proc = 'ls /'.execute()       // run ls against the root directory
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)          // wait up to one second, then kill the process
println "$sout"                   // print captured stdout into the script console

You can read /etc/passwd to find the home directory of the jenkins user. In most cases it is /var/lib/jenkins/.

There are 3 important files in Jenkins:

├── credentials.xml
├── secret.key
├── secret.key.not-so-secret
├── secrets
│   ├── hudson.util.Secret
│   └── master.key
...

Jenkins stores user credentials in credentials.xml in encrypted form. The file master.key is used to encrypt the hudson.util.Secret key, which in turn encrypts the passwords in credentials.xml. Read about how it works here.

You can use the /userContent endpoint to fetch these files from the server; this endpoint is linked to /var/lib/jenkins/. For decryption, use this script.

Writing JIT-spray Exploit

This is not a full guide, just a small addition to the article "Writing JIT shellcode for fun and profit" by Alexey Sintsov. If you want to know how it works, start there: it has a complete description and you should be able to follow it step by step.

Environment

Description

First, we need to find the address of the function we are going to call later; in my case it is system(). To find it, we look at the PEB and get the address of the loaded DLL that exports the function, then look up system() inside it and get its address. After that we push the argument (the name of the program to be run), in my case 'notepad'. The stack looked like:

push "eton"
push "dap"

We need an exploit to run our ActiveX control. I used a vulnerability in emsmtp.dll; make sure the version of the library you have is 6.0.1. We overwrite a return address (in my case I overwrote the SEH handler because it was easier for me).

However, it did not work at first. The main problem was that the address of the memory we were supposed to jump to was wrong. I needed to use mona, an extension for Immunity Debugger.

There are also these useful commands:

You can find a working exploit in my repo.