This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
1. $ whoami
- Security researcher and pentester/red teamer for the Adaptive Threat Division of Veris Group
- Co-founder of the Veil-Framework #avlol www.veil-framework.com
- Shmoocon 14: AV Evasion with the Veil Framework (co-wrote Veil-Evasion, wrote Veil-Catapult and Veil-PowerView)
- BSides Austin 14: Wielding a Cortana
- BSides Boston 14: Pwnstaller 1.0
- Defcon 14 (accepted): Post-Exploitation 2.0

2. tl;dr
- Why powershell?
- Why build this?
- Windows Service Vulnerabilities
- PowerUp: service enumeration, service abuse, misc. methods
- Demo
- Questions

3. Why Powershell?
- Really need to say anything?
- Whitelisted, trusted execution, full .NET capabilities, can refrain from touching disk, etc. etc. etc.
- Use it, yo
- PowerSploit, Posh-SecMod, Veil-Powerview, Nishang

4. Why build this?
- On a recent assessment, had to escalate privileges on a locked down workstation
- Kernel exploits wouldn't work, so fell back to vulnerable services
- Service binary had improper permissions
- Replacing the .exe and bouncing the box = no privs to local admin
- More or less did everything manually, wanted something a bit easier

5. Trusted Path Escalation
- Metasploit module: trusted_service_path.rb
- If a path is unquoted and has a space, there is ambiguity for the Windows API on how to interpret the final path
- I.E. C:\Tools\Custom Tools\program.exe will be interpreted as C:\Tools\Custom.exe first, then C:\Tools\Custom Tools\program.exe
- If you have write access to the base path, money!

6. Vulnerable Service Permissions
- Also a Metasploit module: service_permissions.rb
- Check if the current user can modify the service itself
- Replace the binary path for the service with something like "net user john password /add" and bounce the service to add the user
- Repeat with "net localgroup administrators john /add"
- Can be done by hand with accesschk.exe and SC

7. Vulnerable EXE Permissions
- Check the permissions for each executable associated with running processes
- If you can write to the executable path for a service, replace the binary with something that adds a local admin (or pops a Meterpreter shell)
- If you can't bounce the service, bounce the box
- This is how we ended up escalating in the field

8. PowerUp
- Implements methods to easily enumerate and abuse misconfigured Windows services for the purposes of privilege escalation
- Have started to implement additional common Windows privesc vectors: .dll hijacking, AlwaysInstallElevated, etc.
- http://www.harmj0y.net/blog/powershell/powerup/
- https://github.com/HarmJ0y/PowerUp

9. Service Enumeration
- Get-ServiceUnquoted will find all services with unquoted paths and a space in the full path name
- Get-ServicePerms enumerates all services the current user has modification rights to
- Get-ServiceEXEPerms checks all associated service executables and returns any paths the user has write access to

10. Service Abuse
- Invoke-ServiceUserAdd enables/stops a service, reconfigures it to create a user and add them to the local admins, restarts, etc.
- Write-UserAddServiceBinary generates a precompiled C# service binary and binary patches in the service name, username/password and group to add a user to
- Can easily write the binary out to any unquoted paths
- Write-ServiceEXE writes a service binary out to a given service path, backing up the original .exe

11. Misc. Checks I
- Invoke-FindDLLHijack is a (kind of) port of Mandiant's FindDLLHijack code
- Checks each running process and its loaded modules, and returns all hijackable locations, i.e. any base exe path + loaded module name that doesn't exist
- Invoke-FindPathDLLHijack finds potentially hijackable service .DLL locations from %PATH%
- Check out http://www.greyhathacker.net/?p=738 for more information

12. Misc. Checks II
- Get-RegAlwaysInstallElevated checks if the AlwaysInstallElevated registry key is enabled
- Write-UserAddMSI can then write out a MSI installer that prompts for a local admin to add
- Get-UnattendedInstallFiles finds unattended .xml install files that may have leftover credentials
- Get-RegAutoLogon extracts any auto logon credentials from the Windows registry
- Invoke-AllChecks will run all current privesc checks

13. Demo

14. Questions?
- Contact me: @harmj0y firstname.lastname@example.org
- Read more: http://www.harmj0y.net/blog/powershell/powerup/
- Get PowerUp: https://github.com/HarmJ0y/PowerUp
- Being integrated into Nishang
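The two service misconfigurations the deck builds on (slides 5 to 7 and the enumeration cmdlets on slide 9) can be audited from the defender's side with a few lines of PowerShell. The script below is an added example written for this page; it is not PowerUp's code and does not reproduce its cmdlets. It assumes a host where WMI (Win32_Service) and Get-Acl are available, and the function names and the sample PathName values are constructed for illustration.

```powershell
# Added audit example (not PowerUp's own code). Reports, without changing anything:
#   1. services whose binary path is unquoted and contains a space (trusted path ambiguity)
#   2. service executables whose ACL grants write-type rights to broad principals

function Get-ServiceBinaryPath {
    # Reduce a Win32_Service.PathName to the executable path only (drops arguments).
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $p.Split('"')[1] }          # quoted: take the quoted part
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')          # unquoted: up to the first .exe
    if ($m.Success) { return $m.Groups[1].Value } else { return $null }
}

function Test-UnquotedServicePath {
    # True when the path is not quoted and the executable path contains a space,
    # which is the condition Windows resolves ambiguously (slide 5).
    param([string]$PathName)
    if (-not $PathName -or $PathName.Trim().StartsWith('"')) { return $false }
    $exe = Get-ServiceBinaryPath $PathName
    return [bool]($exe -and $exe.Contains(' '))
}

function Get-UnquotedServicePath {
    # Live enumeration of the current host.
    Get-WmiObject -Class Win32_Service |
        Where-Object { Test-UnquotedServicePath $_.PathName } |
        Select-Object Name, PathName, StartName, StartMode
}

function Get-WritableServiceBinary {
    # Flag service executables that broad principals can modify or replace.
    # $broad is an assumed, editable list of principals that should never hold such rights.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $weakRights = 'Write|Modify|FullControl|ChangePermissions|TakeOwnership'
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $svc = $_
        $exe = Get-ServiceBinaryPath $svc.PathName
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $acl = Get-Acl -LiteralPath $exe
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $broad -contains $ace.IdentityReference.Value -and
                    ($ace.FileSystemRights -match $weakRights)) {
                    [pscustomobject]@{
                        Service   = $svc.Name
                        Path      = $exe
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

# Constructed sample PathName values (not read from a real host) to show the path test:
$samples = @(
    'C:\Tools\Custom Tools\program.exe',           # unquoted, space in path -> True
    '"C:\Tools\Custom Tools\program.exe" -svc',    # quoted -> False
    'C:\Windows\system32\svchost.exe -k netsvcs'   # unquoted, no space before .exe -> False
)
foreach ($s in $samples) { '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s }

# Live audit of this host; remediation is to quote the path (sc config <name> binPath= "\"...\"")
# and to restrict the executable's ACL to SYSTEM and Administrators.
Get-UnquotedServicePath    | Format-Table -AutoSize
Get-WritableServiceBinary  | Format-Table -AutoSize
```

Run it as an administrator for complete results: a standard user can read most service definitions but not every executable's ACL. Findings from Get-WritableServiceBinary are the higher priority, since they are exactly the condition the deck's field escalation relied on.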
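The registry conditions on the "Misc. Checks II" slide are also simple to check defensively. The script below is an added example for this page, not PowerUp's Get-RegAlwaysInstallElevated or Get-RegAutoLogon. It assumes the standard policy and Winlogon key locations; the list of unattended-install file locations is an assumed set of common paths, and the function names are constructed.

```powershell
# Added defender-side example (not PowerUp's own code): report the registry and
# leftover-file conditions from slide 12 without exposing any secret values.

function Test-AlwaysInstallElevated {
    # The policy only takes effect when AlwaysInstallElevated = 1 under BOTH hives.
    $key  = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = Get-ItemProperty -Path "HKLM:\$key" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    $hkcu = Get-ItemProperty -Path "HKCU:\$key" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    $machine = ($null -ne $hklm) -and ($hklm.AlwaysInstallElevated -eq 1)
    $user    = ($null -ne $hkcu) -and ($hkcu.AlwaysInstallElevated -eq 1)
    [pscustomobject]@{
        MachinePolicy = $machine
        UserPolicy    = $user
        Vulnerable    = ($machine -and $user)
        Remediation   = 'Disable "Always install with elevated privileges" under Windows Installer in both Computer and User Configuration'
    }
}

function Get-AutoLogonExposure {
    # Report whether auto-logon is configured and whether a plaintext DefaultPassword
    # exists. The password itself is deliberately not returned or logged.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p  = Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon    = ($p.AutoAdminLogon -eq '1')
        DefaultUserName   = $p.DefaultUserName
        DefaultDomainName = $p.DefaultDomainName
        PlaintextPassword = [bool]$p.DefaultPassword
        Remediation       = 'Remove DefaultPassword; use Autologon.exe (LSA secret) if auto-logon is required'
    }
}

function Get-LeftoverUnattendFile {
    # Assumed common locations for unattended/sysprep answer files that may still
    # hold credentials; extend the list for your own imaging process.
    $candidates = @(
        "$env:SystemRoot\Panther\Unattend.xml",
        "$env:SystemRoot\Panther\Unattend\Unattend.xml",
        "$env:SystemRoot\System32\Sysprep\sysprep.xml",
        "$env:SystemRoot\System32\Sysprep\Unattend.xml",
        "$env:SystemDrive\unattend.xml"
    )
    foreach ($f in $candidates) {
        if (Test-Path -LiteralPath $f) {
            # Flag files that still contain a <Password> element; do not print its contents.
            $hasPassword = Select-String -LiteralPath $f -Pattern '<Password>' -Quiet
            [pscustomobject]@{ Path = $f; ContainsPasswordElement = [bool]$hasPassword }
        }
    }
}

Test-AlwaysInstallElevated | Format-List
Get-AutoLogonExposure      | Format-List
Get-LeftoverUnattendFile   | Format-Table -AutoSize
```

Each function returns an object rather than text so the results can be collected across a fleet (for example through Invoke-Command) and fed into a ticketing or SIEM pipeline; the presence flags are enough to drive remediation without the audit itself becoming a credential leak.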