Study Notes - 2021/04/23

Automated Enumeration

Windows automated enumeration tool:

c:\Tools\privilege_escalation\windows-privesc-check-master>windows-privesc-check2.exe

-h      help
--dump  dump output
-G      list groups

Linux:

./unix-privesc-check standard > output.txt

Windows privilege escalation examples

Windows privileges and integrity levels

An access token is assigned to each logged-on user.
A security identifier (SID) is unique to each object, including access tokens, user accounts and group accounts.
Integrity mechanism:

From Windows Vista onward, processes run on four integrity levels:
• System integrity process: SYSTEM rights
• High integrity process: administrative rights
• Medium integrity process: standard user rights
• Low integrity process: very restricted rights often used in sandboxed processes

User account control (UAC)

Even when logged in as an administrator, we operate at Medium integrity level by default; to switch to a High integrity process, start it with "Run as administrator":

powershell.exe Start-Process cmd.exe -Verb runAs

This runs cmd.exe as administrator; UAC then shows a credential prompt or a consent prompt.

User account control bypass

A UAC bypass lets an administrator user skip the prompt by silently elevating the integrity level from Medium to High.

One well-known UAC bypass is based on fodhelper.exe:

C:\Windows\System32\fodhelper.exe

To learn which integrity level fodhelper runs at and which permissions it requires, we inspect its application manifest.

Dump the manifest of fodhelper.exe with sigcheck:

cd C:\Tools\privilege_escalation\SysinternalsSuite
sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe

Relevant part of the manifest output:

<requestedPrivileges>
  <requestedExecutionLevel
    level="requireAdministrator"
  />
</requestedPrivileges>

<autoElevate>true</autoElevate>
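The two fields above are what matter: requireAdministrator means the process needs a High integrity token, and autoElevate=true means Windows grants it to an administrator without a consent prompt (provided the binary is Microsoft-signed and lives in a secure location such as System32). The following helper is an added example, not code from the original notes: it reads those fields from a manifest as sigcheck -m prints it, so a reviewer can triage such dumps consistently. The sample manifest and the element layout around the two fields are constructed assumptions, not a verbatim fodhelper dump.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the fields sigcheck -m printed above;
# the surrounding elements and namespaces are assumptions, not a real dump.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <application xmlns="urn:schemas-microsoft-com:asm.v3">
    <windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
      <autoElevate>true</autoElevate>
    </windowsSettings>
  </application>
</assembly>
"""

def _local(tag):
    """Strip the namespace: '{urn:...}autoElevate' -> 'autoElevate'."""
    return tag.rsplit("}", 1)[-1]

def parse_manifest(xml_text):
    """Return the UAC-relevant fields of an application manifest.
    level is None when absent (Windows then treats it like asInvoker)."""
    root = ET.fromstring(xml_text)
    info = {"level": None, "uiAccess": None, "autoElevate": False}
    for el in root.iter():
        if not isinstance(el.tag, str):   # skip comments / processing instructions
            continue
        name = _local(el.tag)
        if name == "requestedExecutionLevel":
            info["level"] = el.get("level")
            info["uiAccess"] = el.get("uiAccess")
        elif name == "autoElevate":
            info["autoElevate"] = (el.text or "").strip().lower() == "true"
    return info

def silently_elevates(info):
    """True when the manifest asks for admin rights AND opts into auto-elevation.
    The manifest alone is not sufficient: Windows also requires a Microsoft
    signature and a secure location before it skips the consent prompt."""
    return info["level"] == "requireAdministrator" and info["autoElevate"]

if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print(info, "-> auto-elevating admin binary:", silently_elevates(info))
```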
Author: Gavin Cui
Link: https://gavincrz.github.io/2021/04/24/Study-Notes-2021-04-23/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.