Requires an increase in the level of access rights. Basics of raising privileges in Windows

Increasing the privileges, perhaps, one of the key points on which the scenario of the further penters or attack depends. Very often at this stage, everything ends if it does not work "expand its powers." Therefore, today we will talk a little about how to enhance the user to increase their privileges not only before administrative, but also to systemic.

Introduction

Increasing privileges in Windows and Linux is somewhat different. Despite the fact that both operating systems are carrying the usual number of vulnerabilities, researchers note that a fully qualified Windows server is much more common than the updated to the current state of Linux. In addition, the time of the release of Windows patches is often less, which makes the increase in privileges on Windows tasks quite interesting and ambitious. It is for her that we devote our story.

Options

So, what are our opportunities to rise in the world of Windows? First of all, in recent times, there were enough vulnerabilities in the OS kernel, which makes the process of increasing the privileges simple enough, if there is a suitable solid on his hands. If you are using Metasploit, then just one team is enough to get a systemic shell. However, all this with high probability will successfully work only if the system is not fully proved. If all updates are installed on the machine, then, unlike Linux, it will not be possible to find SUID binaries, and environment variables are usually not transmitted to services or processes with higher privileges. What is the result of us?

From admin to the system, or what everyone knows

Usually, when mentioning increasing privileges, a method that uses the task scheduler immediately comes to mind. In Windows, you can add a task using two utilities: at and schtasks. The second will start the task on behalf of the user who added the task, while the first is on behalf of the system. The standard trick, about which you probably heard, allowing you to start a console with system rights:

AT 13:01 / Interactive CMD

The second thing that comes to mind is to add a service that will run the desired file / execute the command:

@echo off @break off title root cls echo creating service. SC CREATE EVIL BINPATH \u003d "CMD.EXE / K START" TYPE \u003d OWN TYPE \u003d INTERACT\u003e NUL 2\u003e & 1 ECHO STARTING SERVICE. SC START EVIL\u003e NUL 2\u003e & 1 ECHO STANDING BY ... PING 127.0.0.1 -N 4\u003e NUL 2\u003e & 1 ECHO REMOVING SERVICE. Echo. SC Delete Evil\u003e NUL 2\u003e & 1

The third method is the substitution of the C: \\ Windows \\ System32 \\ SETHC.exe system utility for, for example, CMD. If after this is heightened and press the SHIFT key several times, then the console will appear with system rights.

As for automated methods, Metasploit and its getSystem immediately comes to mind. An alternative option can be considered PSEXEC from SYSINTERNALS (PSEXEC -I -S -D cmd.exe).

We will go different way

All these methods have a general drawback: administrative privileges are needed. This means that we increase the privileges already from under a privileged account. In most cases, when you received admin rights, you have a bunch of options on your hands, how to rise even higher. So this is not a very difficult task. We will talk today about the methods of increasing the privileges who do not use any 0day vulnerability, believing that we have a regular system and on the hands of an ordinary non-dedicated user account.

Hunt for Credentials.

One of the reliable and stable ways to increase the privileges and consolidation in the system is to get passwords of administrators or users who have higher privileges. And here is the time to remember the automated software installation. If you manage the domain that includes an extensive park of cars, you definitely do not want to walk and install on each of them manually. Yes, and this time will take out so much that there is not enough for any other tasks. Therefore, unattended installations are used, which generate files containing admin passwords in the purest form. What is just a treasure for both pensets and intruders.

Unattended installes

In the case of an automated installation on the client, a unattended.xml file remains quite curious for us, which is usually either in% windir% \\ panther \\ unattend \\, or in% windir% \\ panther \\ and can store the administrator password in the open form. On the other hand, to get this file from the server, even no authentication is required. It is necessary to find only the "Windows Deployment Services" server. To do this, you can use the Auxiliary / Scanner / DCERPC / Windows_Deployment _services script from MetaSploit. And although Windows Deployment Services is not the only way to perform automated installations, the unattended.xml file is considered standard, so that its detection can be equated to success.

GPP.

XML security group policy settings (Group Policy Preference) often contain a set of encrypted credentials that can be used to add new users, creating a ball and so on. For happiness, the encryption method is documented, so you can easily get passwords in its pure form. Moreover, the Metasploit team has already done everything for you - it is enough to use the /post/windows/gather/credentials/gpp.rb module /postentials/gpp.rb. If you are interested in details, all the necessary information is available on this link.

Custom rights

Very often, the increase in privileges turns out to be a consequence of incorrectly configured custom rights. For example, when the domain user is a local administrator (or Power User) on the host. Or when domain users (or members of domain groups) are local admins on all hosts. In this case, you already really do not have to do anything. But such options are touched not so often.

AlwaysInstallevated.

Sometimes administrators allow us to install programs on their own independently, it is usually done through the following registry keys:

HKLM \\ Software \\ Policies \\ Microsoft \\ Windows \\ Installer \\ AlwaysInstallevated

HKCU \\ Software \\ Policies \\ Microsoft \\ Window S \\ Installer \\ AlwaysInstallevated

They indicate the system that any MSI file must be installed with elevated privileges (NT Authority \\ System). Accordingly, using the specially created file, you can again perform actions on behalf of the system and pump your privileges.

Metasploit includes a special EXPLOIT / Windows / LOCAL / ALWAYS_INSTALL_ELEVATED module, which creates an MSI file with a special executable file embedded in it, which is removed and executed by the installer with the system privileges. After executing the MSI file stops the installation (by calling a specially created VBS specially created) to prevent the operation in the system. In addition, if you start the installation with the / quiet key, the user will not even withdraw the error.

Missing autorun.

Very often it happens that the system stores a file entry that needs to be automatically started, even after the file itself has already shown in the summer. Maybe some service was incorrectly deleted - there is no executable file, and the registry entry remained, and at each start the system is unsuccessfully started to start, scoring the event log messages about Failach. This situation can also be used to expand your authority. First of all, you need to find all such orphaned records. For example, using the AutorunSC utility from SysInternals.

Autorunsc.exe -a | FINDSTR / N / R "FILE \\ NOT \\ FOUND"

After that, as you guessed, it will remain just like to slip into the place of the missing file of your candidate.

Magic Cavolek

Yeah, quotes can not only play a keen joke in SQL queries, allowing you to conduct an injection, but also help raise privileges. The problem is quite old and known since the NT times. The point is that the paths to executable files of some services are not framed by quotes (for example, imagepath \u003d c: \\ Program Files \\ Common Files \\ Network Associates \\ McShield \\ McShield.exe), while there are space characters on the way. In this case, if the attacker creates a file that will add new admins to the system or perform some other actions, and calls it C: \\ Program Files \\ COMMON.EXE, then with the subsequent startup of the service, it is common.exe that remains Part of the path will be perceived as an argument (arguments). It is clear that in the Program Files the unprivileged user can not put anything, but the executable service file may be in another directory, that is, the user will have the opportunity to slip its file.

In order to take advantage of this technique, it is necessary to find a vulnerable service (which will not use quotes on the way to your binary). This is done as follows:

WMIC Service Get Name, DisplayName, Pathname, StartMode | FindstR / I "AUTO" | FINDSTR / I / V "C: \\ Windows \\\\" | FindstR / I / V "" "

True, on XP it will require the privileges of the admin, so it is better to use the following method there: get a list of services - SC Query, then watch information for each service - SC QC Servicename.

All according to plan

Another mechanism that can help raise the rights and about which is usually forgotten, is the task scheduler. The Schtasks utility allows you to hang tasks for certain events. The most interesting for us is Onidle, Onlogon and OnStart. As the names follows, OnIDle will be executed every time the computer is simple, Onlogon and OnStart - when the user logins and when the system is started, respectively. Thus, each of the events can hang a separate task. For example, when starting a system to copy a malicious binary / keylogger / ... and run it. When logging in to the system - run credit card dumper. In short, everything is limited to your fantasy and the task.

Tricks with permissions

Permissions to file access - this is usually the first protective agent that prevents us from raising our privileges. It would be tempting just to rewrite any system file (for example, the same SETHC.exe mentioned at the very beginning of the article) and get the system privileges immediately. But all these are only dreams, in fact we have only permission to read it, which we have nothing to do with an even account. However, you should not hang my nose, because with permissions, too, not everything is so smooth - here, as elsewhere, there are our pitfalls, the knowledge of which allows you to make an impossible possible.

One of the system directories protected by this mechanism is particularly interesting from the point of view of privilege - Program Files. Unproved users access there ordered. However, sometimes it happens that during installation, installers incorrectly set rights to files, with the result that all users are full access to executable files. What follows from this - you already guessed.

Another limitations - the usual mortal is not allowed to write to the root of the system disk. However, for example, on XP when creating a new directory at the root of the disk, the Builtin \\ Users group receives file_append_data and file_write_data permissions (even if the owner of the folder is an administrator):

Builtin \\ Users: (OI) (Ci) R Builtin \\ Users: (CI) (Special Access :) File_APPend_Data Builtin \\ Users: (CI) (Special access :) file_write_data

On the "seven" occurs almost the same thing, only permissions receive a group of authenticated users. How does such behavior be transformed into a problem? Just some applications set themselves outside protected directory, which will make it easy to replace their executable files. For example, such an office happened to Metasploit Framework in the case of its multiplayer installation. This bug was pofixen in version 3.5.2, and the utility moved to Program Files.

How to look for such directories / files

The detection of a directory with incorrect permissions is half success. However, it must be found first. To do this, you can use the following two tools: Accesschk and CACLS / ICACLS. To find with the ACCESSCHK "Weak" directories, you will need these commands:

Accesschk.exe -uwdqs Users C: \\ Accesschk.exe -uwdqs "Authenticated Users" C: \\

To search for files with "weak" permissions are the following:

Accesschk.exe -uwqs Users C: \\ *. * Accesschk.exe -uwqs "Authenticated Users" C: \\ *. *

The same can be performed using CACLS / ICACLS:

CACLS "C: \\ Program Files" / T | findstr users.

Tricks with services

Another option, how to climb the system is higher, is to use the worldsonfiguration and service errors. As practice shows, not only files and folders can have incorrect permissions, but also services operating in the system. To discover such, you can use the Accesschk utility from the Mark Russinovich unsuitable for you:

Accesschk.exe -uwcqv *

It will be more welting to see the service_all_access permission for authenticated users or Power users. But also a big luck can also be considered the following:

• Service_change_config - we can change the executable service file;
• Write_dac - you can change permissions, which results in obtaining the resolution of service_change_config;
• Write_Owner - you can become the owner and change permissions;
• Generic_Write - inherits the resolution of service_change_config;
• Generic_all - inherits the resolution of the service_change_config.

If one (or several) is found from these permits for unprivileged users, the chances of increasing their privileges increase sharply.

How to raise?

Suppose you found the appropriate service, it's time to work on it. This will help the Console SC utility. To begin with, we receive complete information about the service you are interested in, let's say, this is Upnphost:

SC QC Upnphost.

With the help of the same utility, we repeal it:

SC Config Vulnsrv Binpath \u003d "Net User John Hello / Add && Net Localgroup Administrators John / Add" Type \u003d Interact SC Config UpnPhost OBJ \u003d ". \\ Localsystem" password \u003d ""

As you can see, the next time you start the service, instead of its executable file, the Net User John Hello / Add && Net Localgroup Administrators John / Add command is executed by adding John to the Hello password. It remains only to manually restart the service:

NET STOP UPNPHOST NET START UPNPHOST

That's all the magic.

That in the end

Once a long time ago, I read the article in the journal, in which the main techniques were given to increase the privileges in Windows. I didn't give her special significance then, but the theory in my head was deposited and once myself helped me very much. So, I hope, and you will find something new for myself, which will help once overcome the next barrier.

Parts of the article were described in detail the principle of operation of user account control. In this part, it will be about setting up the UAC when your computer works autonomously, that is, not included in the Active Directory domain. To configure user account control, the local security policy is used to be found in the Local Group Policy object editor.

There are 10 group policy settings responsible for configuring user account control. In order to change the policy settings, you need to open in the snap "Local Group Policy Editor" Node Computer Configuration \\ Windows Configuration \\ Security Settings \\ Local Policies \\ Security Settings. In this article, you will also find a way to configure each policy parameter by the system registry. The following table shows the default values \u200b\u200bfor each of the policy settings.

Settings for Group Policy Control Parameters Default Accounts:

Group Policy parameter	Default value
Account Control: Enable Approval Mode by the Administrator	Switched on
Accounting Monitoring: Detecting Application Installation and Raising Right Request	Switched on
Account control: Switching to a secure desktop when executing a request to increase right	Switched on
Account control: Request for Enhancing Administrators Administrators	Request consent for binary data not from Windows
Accounting Monitoring: Request for Rights Increased Users	Request credentials
Accounting Monitoring: Right only for UIAccess applications installed in a safe location	Switched on
Account control: Improving rights only for signed and verified executable files	Disabled
Accounting Monitoring: When writing to file or registry Virtualization to the user placement	Switched on
Account Control: Allow UIACcess applications to request an increase in rights without using a safe desktop	Disabled
Account Control: Using Administrator Approval Mode for Embedded Administrator Account	Disabled

The parameters of group policies that are related to user account control (UAC) are discussed in detail below:

All administrators work in the approval mode by the administrator

This policy setting determines the characteristics of all account control policies for the computer. Depends on this parameter whether the administrators account will be launched in the "administrator approval mode", that is, there will be dialogs with a request for an increase in authority. Disable this setting, roughly speaking, completely disables user account control functionality. When this policy changes, you must restart the computer. The default value is enabled.

Possible parameter values:

• Included. Administrator approval mode is enabled to allow the built-in administrator account and all other users who are members of the group. "Administrators", work in the administrator approval mode.
• Disabled. Approval mode by the administrator and all the relevant settings for account control policies will be disabled.

; Disable "EnableLua" \u003d DWORD: 00000000

Detection of installing applications and an increase in raising rights

This setting defines the application detection characteristics for a computer, checking whether the programs used to deploy applications or not. By default, if the user enters the working group, it is enabled.

Possible parameter values:

• Included (default for home). In the event that the application installation program detects the need to enhance the authority, the user is invited to enter the username and password of the administrator account. If the user enters the correct credentials, the operation continues with the relevant rights. The view of the request depends on which group it belongs to the user.
• Disabled (default for organization). When this setting is selected, the application installation program detection does not issue a request for an increase in authority. Usually this setting is applied in organizations, computers and users of which are included in the domain and to deploy applications to the delegated installation technologies (GROUP POLICY SOFTWARE INSTALL - GPSI). Accordingly, the need to detect the installer disappears.

Current Policy Settings with Registry:

; Disable "enableinstallerdetection" \u003d DWORD: 00000000

Switching to a secure desktop when executing a request to increase right

This policy parameter determines whether requests for an increase in authority will be displayed on the interactive desktop of the user or to a safe desktop when initiating the UAC request. The default value is enabled. When this policy changes, you must restart the computer.

Possible values \u200b\u200bParameters:

• Included. All requests for increasing rights are displayed on a safe desk, regardless of the parameters of the invitation behavior policy for administrators and ordinary users.
• Disabled. All requests for increasing rights are displayed on the interactive desktop user.

Current Policy Settings with Registry:

; Disable "PromptonSecureDesktop" \u003d DWORD: 00000000

Request for enhancing rights for administrators in the administrator

Current setting allows you to define the actions of the user who is included in the group "Administrators" When performing an operation that requires increased rights. The default value is set. "Request for consent for third-party binary files (not Windows)".

Possible parameter values:

• Enhance without request. Allows the privileged accounts to perform an operation that requires increasing rights, without confirming the consent or entering credentials. It is advisable to use this option only in environments with maximum user restrictions. When this setting is selected, custom powers will be identical to the administrator's built-in account.
• . For any operation that requires raising rights, a proposal to enter the name and password of the privileged user will be displayed on the secure desktop. If the correct credentials are entered, the operation will continue with the maximum available user rights.
• Request consent on a secure desktop. For any operation that requires raising rights, a proposal will be displayed on a secure desktop. "Allow" or "Prohibit". When choosing an option "Allow"The operation will continue with the maximum available user rights.
• Request credentials. For any operation that requires an increase in the authority, a proposal to enter the username and password of the administrator account will be displayed. When entering the right credentials, the operation will continue with elevated powers.
• Request consent. When this option is selected, for any operation that requires increasing the right, the user will be offered to choose Press the button: "Allow" or "Prohibit". Pressing the button "Allow"
• Request consent for third-party binary files (not Windows). When selecting this option, the selection will be displayed on the secure desktop: "Allow" or "Prohibit"In the event that the operation for an application of a third-party (not Microsoft) of the manufacturer requires increasing rights. Pressing the button "Allow"The operation will continue with the maximum available user privileges.

Current Policy Settings with Registry:

; Elevate without prompting "ConsentPromptBehaviorAdmin" \u003d dword: 00000000; prompt for credentials on the secure desktop, "ConsentPromptBehaviorAdmin" \u003d dword: 00000001; Request for consent to bezopsnom desktop; "ConsentPromptBehaviorAdmin" \u003d dword: 00000002; prompt for credentials; "ConsentPromptBehaviorAdmin" \u003d DWORD: 00000003; request consent; "consentpromptbehavioradmin" \u003d DWORD: 00000004; Request for binary data not from Windows; "ConsentpromptBehavioradmin" \u003d DWORD: 00000005

The behavior of the request for increasing rights for ordinary users

This policy parameter determines the actions performed when an ordinary user interacts with applications requiring rights increase. Default value - "Request for credentials on a secure desktop".

Possible parameter values:

• Request credentials. Using this parameter, the usual user is invited to select an administrator account and enter a password to execute follow-up. The operation will continue only if the credentials are entered correctly.
• Automatically prohibit requests for increasing rights. When this parameter is selected, an error message will be shown for a regular user in connection with the prohibition when performing an operation that requires an increase in authority. Organizations whose desktops are used by conventional users can choose this policy parameter to reduce the number of calls to support service.
• Request for credentials on a secure desktop. By selecting this parameter, the usual user is proposed to select an administrator account and enter a password to perform follow-up only on a secure desktop. The operation will continue only if the credentials are entered correctly.

Current Policy Settings with Registry:

; Automatically reject requests for improving the rights "ConsentpromptBehaviorUser" \u003d DWORD: 00000000; Cancellation request on a safe desktop "ConsentpromptBehaviorUser" \u003d DWORD: 00000001; Request for credentials "ConsentpromptBehaviorUser" \u003d DWORD: 00000003

Enhance the rights for uiaccess applications only when installing in safe places

The current policy parameter allows you to manage the location of the applications that request execution at the integrity level defining the user interface attribute of the user interface (UIACCESS) in the safe location of the file system. By default, this setting is enabled and at applications with special features, for the UIAccess attribute in the manifest, the value is set to True to control the widening request window. If applications have a false value, that is, if the attribute is lowered or no manifest for assembly, the application will not be able to access the secure user interface. Only the following folders are considered safe:

... \\ Program Files \\, including subfolders

... \\ Windows \\ System32 \\

... \\ Program Files (x86) \\, including subfolders for 64-bit versions of Windows

Possible parameter values:

• Included. The application will start with the UIACCESS integrity level only if it is in the secure file system folder.
• Disabled. The application will start with the UIAccess integrity level, even if it is not in the secure file system folder.

Current Policy Settings with Registry:

; Disable "enablesecureuiapaths" \u003d DWORD: 00000000

Improving rights only for signed and verified executable files

This setting of group account control policy allows you to determine whether to check the authentication of interactive applications with an open key infrastructure (Public Key Infrastructure PKI), which require an increase in authority. The PKI task is to define digital certificate issuing policies, issuing them and cancellation, storing information necessary for subsequent verification of the correctness of certificates. The applications that support PKI include: protected email, payments protocols, electronic checks, electronic information sharing, data protection in IP protocol networks, electronic forms and documents with electronic digital signature. If this check is enabled, the programs are initiated by checking the certificate path. The value of this default setting is disabled.

Possible parameter values:

• Included. Forcibly initiates the check of the PKI certificates, before executing this file. Basically, this setting is used in organizations with a domain, if the administrator placed PKI certificates in the repository of reliable publishers.
• Disabled. When installing this parameter, account monitoring does not initiate the verification of the PKI certificate verification chain before allowing the execution of this executable file.

Current Policy Settings with Registry:

; Disable "ValidateAdMincodeSignatures" \u003d DWORD: 00000000

If you fail to write to a file or registry, virtualization in the placement of the user

This parameter manages application recording failures to certain locations in the registry and file system. In the event that this setting is enabled, for outdated applications that try to read or write information using the protected system areas, account control virtualizes the registry and file system. Thanks to this configuration, the UAC allows you to reduce the danger of outdated applications that are executed on the name of the administrator and during execution write data to the% ProgramFiles% folder,% windir%; % WINDIR% \\ System32 or in the System Registry section of the HKLM \\ Software \\. The default value is enabled.

Possible parameter values:

• Included. Application entries are redirected during execution to user-defined location in the file system and registry.
• Disabled. Execution of applications that write data to safe location ends with an error, and will not be executed.

Current Policy Settings with Registry:

; Disable "enablevirtualization" \u003d DWORD: 00000000

Allow UIACCESS applications to request increased rights without using a safe desktop

This new policy parameter that appeared in Windows 7 and Windows Server 2008 R2 operating systems determines whether the UIAccess applications can automatically turn off the safe desk for requests for an increase in the authority used by the usual user. The default value is disabled.

Possible parameter values:

• Included. When this configuration is selected, the UIAccess program, including the Windows Remote Assistant, will automatically turn off the safe desktop to increase the authority. If the policy setting is "Accounting Monitoring: Switching to a secure desktop when executing the Right Enhancement request" is enabled, the offer will appear on the user's interactive desktop, and not on a safe desktop.
• Disabled. When this parameter is selected, a safe desktop can be disabled only by the user of the interactive desktop or by turning off the "Account Control Policy: Switching to a secure desktop when executing an increase in rights."

Current Policy Settings with Registry:

; Disable "enableuiadesktoptoggle" \u003d DWORD: 00000000

Approval Mode by the administrator for the built-in administrator account

This setting determines whether the user accounts are applied in the administrator's approval mode to the built-in account "Administrator". This embedded default account allows the user to log in in Windows XP compatibility mode, which allows you to run any applications with full administrator rights. By default, this policy parameter is disabled.

Possible parameter values:

• Included. When this parameter is selected, the administrator approval mode will be used for the administrator's integrated account. At the same time, any operation that requires increasing rights will be accompanied by a request for confirmation of the operation.
• Disabled. The built-in administrator account executes all applications with full administrator rights.

Current Policy Settings with Registry:

; Disable "FilteradministrateToKen" \u003d DWORD: 00000000

Conclusion

This article tells about all possible settings for monitoring user accounts. All ten safety policies are considered, which are responsible for all possible actions associated with UAC. In addition to setting up account control using Group Policy, there are also considered registry tweaks equivalent to them.

UAC(User Account Control) - Technology for monitoring accounts that appeared for the first time in Windows Vista. And older. This technology prohibits programs to perform actions requiring administrator rights. When executing a program of such actions, its work is suspended and the user is issued a window with a request to a secure desktop (in order to click on the OK programmatically). For example, if your program will need to make changes to the Registry section HKEY_LOCAL_MACHINE, she will need administrator rights.
To solve this problem, you can use the implementation of the Manifest file to the project, which the operating system will read and automatically determine the parameters you need to start.
Consider the implementation of the manifest file, in the application " Windows Form" To do this, open Visual Studio (in this example, the 2012 version is used) and create a project " Windows Form" Open " Solution Explorer."(Solutions Browser), which provides an ordered presentation of projects and their files, go to the menu" View» - « Observer solutions" Run the right mouse button in " Observing solutions»By project name and select from the context menu, item" Add» - « Create an item ...».

You will have a new window " Adding a new element - ...»Find the Visual C # element named" Manifest file application", Select it and click" Add».

IN " Observing solutions"You have a new item with the name of the manifest file. It will also be automatically open in the code editor.

To configure the rights required to execute an application, it is required to determine the level of security and describe the element " requestedExecutionLevel" This element has no subsidiary elements and has the following attributes:
1) Level.- Mandatory. Sets the security level required by the application. The following values \u200b\u200bare available for this attribute:

• asinvoker.- The application launches with parent process rights. This means that if the program is launched from the application that is already running with the administrator rights, it will automatically have the same rights. This mode is recommended Microsoft in most cases. Those. These are those programs that do not require administrator rights;
• highestavailable- The application starts with higher rights than the current user has. With such rights launches regedit.exe, mmc.exe;
• requiredMinistrator.- The full administrator rights are requested. Those. Required for applications that cannot work without administrator rights.

Installing applications " Clickonce.»It is possible only with the" AsInvoker "value. With any other value, the installation will be impossible.

2) uiaccess.- optional. An indication of whether the application requires access to secure elements of the user interface to implement special features. Available values \u200b\u200b" true."And" false", the default value" false". Value" true."We must have only signed applications and started from the folders" \\ Program Files \\ "and" \\ Windows \\ System32 \\ ". Most often, this is not necessary.
In order for the program to raise the right to the level of administrator, replace in the attribute " Level.»Default value" asinvoker." on the " requiredMinistrator.».

Connect the solution by clicking on the " F6" If you are all done correctly, then in the Windows Vista operating systems and older, the shield icon appears on the program executable program icon, meaning that this program requires an increase in rights.

To check the rights of your application, you can use the listing below.
String S \u003d New WindowsPrincipal (Windowsidentity.getCurrent ()). Isinrole (windowsBuiltinrole.administrator)? "Administrator": "Normal User"; If you have a console application, then for it the principle of action is the same.

In general, there are ways to help us achieve the goal of increasing privileges.

The starting point for this small article is an unprivileged shell (account). Perhaps we used exploit or conducted an attack and got this shell.

In principle, at the initial moment, we do not understand the car: what she does, what it is connected to, what level of privileges we have or even what is the operating system.

First, we need to get the information you need to understand where we are at all and what we have:

SystemInfo | FINDSTR / B / C: "OS name" / C: "OS version"
This team allows you to determine how it can be seen, the name and version of the OS. You can perform it without parameters, then the output of the command will be more complete, but it is enough for us.

• hostName - username.
• echo% UserName% - username.

Next, let's see which users are still on this host and receive more detailed information about your user.

• net Users - Other users
• net User1 - Detailed information on the user, where user1 is the name of your user.

Having received information about accounting, let's see information about the network interaction of this host.

First we look at the available interfaces and the routing table.

• iPCONFIG / ALL - information about available interfaces.
• rOUTE PRINT - Routing Table
• aRP -A - ARP Table Records

Next, let's see active network connections and firewall rules.

• netstat -No - active network connections.

-a - Run with this parameter will display all active TCP connections, as well as TCP and UDP ports listened to the system;
-n - the parameter allows you to show active TCP connections with addresses and port numbers;
-o - the same as the previous key, displays active TCP connections, but the processes' codes are added to the statistics, you can already determine exactly what application uses the connection.

• netsh Firewall Show State - Firewall Status
• netsh Firewall Show Config - Firewall Configuration

Finally, we will briefly consider what works on a compromised host: scheduled tasks, running processes, running services and installed drivers.

Schtasks / Query / Fo List / V
Where
/ Query - output of data on all scheduled tasks,
/ FO LIST - output to the list.
/ V - withdrawal details of the task.

The following command links running processes with running services.

Tasklist / SVC.
Where,
/ SVC - Display services for each process.

We will also see a list of Windows running services.

Net Start.
It is also useful to view information about the drivers of the compromise system.

DriverQuery.
Next, I want to mention, probably the most useful Windows command - WMIC. The WMIC command (Windows Management Instrumentation Command) is used to receive information about equipment and system, process management and their components, as well as changes to the settings using the Windows Management Toolbox features (Windows Management Instrumentation or WMI). Good description.

Unfortunately, some Windows configurations are not allowed to access WMIC if the user is not included in the administrators group (which is really a good idea). Any XP version did not allow WMIC access from an unprivileged account.

On the contrary, Windows 7 Professional and Windows 8 Enterprise by default allowed users with low privileges to use WMIC.

By custom - program parameters:

Before you go further, it is necessary to run on the collected information. It is also worth paying attention to the patches installed in the system, as any information about the holes in the system will give us an additional support to increase their privileges. At the HOTFIX number you can search for vulnerability to increase privileges.

Next, we will look at the automatic installation. If there is a need to install and set up a large fleet of machines, then as a rule, technical staff will not move from the machine to the machine to configure personal each. There are several solutions for automatic installation. It is not so important for us that it is for the methods and how they work, but it is important that they leave the configuration files that are used for the installation process containing many confidential information, such as the product key and administrator password. What interests us most is the administrator password that we can use to increase our privileges.

As a rule, these are the following directories:

• c: \\ sysprep.inf
• c: \\ sysprep \\ sysprep.xml
• % Windir% \\ panther \\ unattend \\ unattended.xml
• % Windir% \\ panther \\ unattended.xml

But it is worth checking the entire system.

These files contain passwords in the open form or encoding BASE64.
Examples:

Sysprep.inf - Password in the open form.

Sysprep.xml - password in Base64 encoding.

"

Unattended.xml - Password in Base64 encoding.

Also, for hosts connected to the domain, you can search the group.xml file, which contains an encrypted AES256 password, but which can be decrypted, because The key is posted on MSDN (https://msdn.microsoft.com/en-us/library/cc422924.aspx) and other sources. But this is if the policy of creating local users on hosts is used or, for example, the password task is a local administrator.

For example, I lies here:

Opening it, we are looking for the "CPASSWORD" parameter.

Next, you need to decrypt this sequence. We use, for example, Cryptool. First, we will decoding Base64.
Features BASE64 is that its length should be more than 4. Therefore, we consider blocks of 4, and if there are not enough characters in the last block, then the missing "\u003d" symbols.
I got 2 "\u003d".

We remove extra points that share signs and get a password.

In addition to the group.xml, here are several other policy preference files that may have an additional set of attributes "CPASSWORD":

• Services \\ Services.xml.
• Scheduledtasks \\ Scheduledtasks.xml
• Printers \\ printers.xml.
• Drives \\ drives.xml
• Datasources \\ Datasources.xml.

However, we all love automated solutions, so we can get to the finish line as quickly as possible. There are two main options, depending on the type of shell / access, which we have. There is a METASPLOIT module that can be executed through the set session (https://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp) or you can use Get-GPPSSWord, which is part of PowerSploit.

In order to be able to use it, we must verify that both registry entries are installed, and if so, we can get System Shell. Check:

REG QUERY HKLM \\ SOFTWARE \\ POLICIES \\ Microsoft \\ Windows \\ Installer \\ AlwaysInstallevated
REG QUERY HKCU \\ Software \\ Policies \\ Microsoft \\ Windows \\ Installer \\ AlwaysInstallevated
Metasploit includes a special EXPLOIT / Windows / LOCAL / ALWAYS_INSTALL_ELEVATED module, which creates an MSI file with a special executable file embedded in it, which is removed and executed by the installer with the system privileges. After executing the MSI file stops the installation to prevent the operation in the system. In addition, if you start the installation with the / quiet key, it will not even make an error.

Well, a few useful team searching on the system:

The command below will search in the file system file names containing certain keywords. You can specify any number of keywords.

DIR / S * PASS * \u003d\u003d * CRED * \u003d\u003d * VNC * \u003d\u003d * .config *
Search for specific types of files by keyword, this command can generate a lot of output.

FindStr / Si Password * .xml * .ini * .txt
Similarly, two commands below can be used for the GREP registry keywords in this case "password".

REG QUERY HKLM / F PASSWORD / T REG_SZ / S
REG QUERY HKCU / F PASSWORD / T REG_SZ / S
At the moment we already have enough to get systemic walked. But there is still a pair of director of the attack to obtain the desired result: we will look at Windows and permission for files and folders. Our goal here is to use weak permissions to increase session privileges.

We will check a lot of access rights, this will help accesschk.exe in this, which is a tool from Microsoft SysiNternals Suite. Microsoft SysInternals contains many excellent tools. The package can be downloaded from the Microsoft TechNet website (https://docs.microsoft.com/ru-ru/sysinternals/downloads/sysiNTERNALS-SUITE).

We can check the required privilege levels for each service using Accesschk.

We can see permissions that each user level.

Accesschk can automatically check if we have access to Windows service with a specific user level. As a rule, as a user with low privileges, we want to check "users". Make sure they checked to what groups of users you belong.

C as a name is the Windows service, such as SSDPSRV (specify "*" to display all services)
-d processing only directories
-e output only explicitly set integrity levels (only for Windows Vista)
-K as a name is specified by the Registry section, such as HKLM \\ SOFTWARE
-n output only objects that do not have access rules
-p as a name indicated the name or process identifier (PID), for example cmd.exe (specify as "*" to display all processes)
-Q Lower the headline
-r output only objects to which there is an access to reading
-s Recursive treatment
-V output detailed information
-w display only objects to which there is an entry

There is also another interesting team:

Autorunsc.exe -a | FINDSTR / N / R "FILE \\ NOT \\ FOUND"
Allows you to find an entry in the registry of the file that started automatically, but now there is no longer in the system. The recording could remain, if for example, the service was incorrectly deleted. Each time you launch, the system is unsuccessfully started to start this file. This situation can also be used to expand your authority. It is simply in place of this file you can substitute our.

First: replicate the results of the post written by Parvez from Greyhathacker; "Elevating Privileges by Exploiting Weak Folder Permissions" (http://www.greyhathacker.net/?p\u003d738).

This example is a special case of a DLL hijacking. Programs usually cannot function by ourselves, they have a lot of resources that they need to connect (mostly DLL, but also their own files). If the program or service downloads a file from the directory to which we have access to write, we can abuse it to run the shell with privileges under which the program works.

As a rule, Windows application will use predefined search paths to find DLL, and it will check these paths in a specific order. DLL Theft usually occurs by placing malicious DLLs one of these paths. This problem can be eliminated by specifying the application of absolute paths to the required DLL.

DLL search order:

1. Directory with which the application is running
2. 32-Bit System Directory (C: \\ Windows \\ System32)
3. 16-bit System Directory (C: \\ Windows \\ System)
4. Windows Directory (C: \\ Windows)
5. Working Work Directory (CWD)
6. Directories in The Path Environment of Variable (System Then User)

Sometimes applications are trying to download DLL files that are missing by car. This may occur for several reasons, for example, if the DLL library is required only for certain plug-in modules or components that are not installed. In this case, Parvez found that some Windows services are trying to download DLL libraries that do not exist in default installations.

Since DLL does not exist, we ultimately pass through all the search paths. As a user with a low privilege, we have a little chance to put a malicious DLL in n. 1-4, 5. But if we have access to write to any of the directories, then our chances of winning are great.

Let's see how it works in practice, for our example, we will use IkeExt (IPSec IKE and Authip key modules) service that tries to download wlbsctrl.dll.

Any catalog in "C: \\" will access the entry for authenticated users, it gives us a chance.

C: \\ Users \\ User1 \\ Desktop\u003e Accesschk.exe -DQV "C: \\ Python27"
C: \\ Python27 Medium Mandatory Level (Default) RW BUILTIN \\ Administrators FILE_ALL_ACCESS RW NT AUTHORITY \\ SYSTEM FILE_ALL_ACCESS R BUILTIN \\ Users FILE_LIST_DIRECTORY FILE_READ_ATTRIBUTES FILE_READ_EA FILE_TRAVERSE SYNCHRONIZE READ_CONTROL RW NT AUTHORITY \\ Authenticated Users FILE_ADD_FILE FILE_ADD_SUBDIRECTORY FILE_LIST_DIRECTORY FILE_READ_ATTRIBUTES FILE_READ_EA FILE_TRAVERSE FILE_WRITE_ATTRIBUTES FILE_WRITE_EA DELETE SYNCHRONIZE READ_CONTROL
C: \\ Users \\ User1 \\ Desktop\u003e ICAcls "C: \\ Python27"
C: \\ Python27 Builtin \\ Administrators: (ID) F Builtin \\ Administrators: (OI) (CI) (IO) (ID) F NT Authority \\ System: (ID) F NT Authority \\ System: (OI) (CI) ( IO) (ID) F Builtin \\ Users: (OI) (Ci) (ID) R NT Authority \\ authenticated Users: (ID) C NT Authority \\ Authenticated Users: (OI) (CI) (IO) (ID) C
F - full access.
(OI) - Inheritance objects.
(Ci) - Inheritance containers.
(Io) - only inheritance.
(NP) - ban on the distribution of inheritance.
(I) - Inheritance of permits from the parent container.

Before proceeding to action, you need to check the state of the IKEEXT service. In this case, we can see that it is installed on "AUTO_START"!

SC qc ikeext
QueryServiceConfig SUCCESS SERVICE_NAME: IKEEXT TYPE: 20 WIN32_SHARE_PROCESS START_TYPE: 2 AUTO_START ERROR_CONTROL: 1 NORMAL BINARY_PATH_NAME: C: \\ Windows \\ system32 \\ svchost.exe -k netsvcs LOAD_ORDER_GROUP: TAG: 0 DISPLAY_NAME: IKE and AuthIP IPsec Keying Modules DEPENDENCIES: BFE SERVICE_START_NAME: Localsystem
Now we know that we have the necessary conditions, and we can create a malicious DLL and the shell interception!

We use MetaSploit -\u003e Msfvenom, this is for example.

After sending evil.dll to our target computer, all we need to do is rename it in WlbsCtrl.dll and move to "C: \\ Python27". As soon as it is done, we need to patiently wait for the reboot of the car (or we can try to reboot forcibly), and we will get a systemic shell.

Copy Evil.dll C: \\ Python27 \\ WlbsCtrl.dll
After that, it remains only to wait for the system reboot.

For our last example, we will look at the scheduled tasks. I will describe the principle, because Everyone can have different cases.

We find the process, service, an application running task scheduler from System.
Check the rights of access to the folder where our goal is.

Accesschk.exe -DQV "Path_K_seli"
It is clear that this is a serious configuration problem, but even worse the fact that any user has been checking the user (authenticated user) has access to this folder. In this example, we can simply overwrite a binary executable file file generated in MetaSploit.

You can encode additionally.

Now it remains only to load a malicious executable file and overwrite it to the folder of the executable file. As soon as it is done, we can safely go to bed and early in the morning to get a systemic walked.

These two examples should give us an idea of \u200b\u200bvulnerabilities that need to be sought when considering permits for files and folders. You will need time to learn all BinPath paths for Windows services, scheduled tasks and autorun tasks.

Finally, a pair of tips on using Accesschk.exe.

Find all weak permissions for folders on the disk.

Accesschk.exe -uwdqs Users C: \\ Accesschk.exe -uwdqs "Authenticated Users" C: \\
Find all weak permissions for files on the disk.

Accesschk.exe -uwqs Users C: \\ *. * Accesschk.exe -uwqs "Authenticated Users" C: \\ *. *
Look like that's it.

Many programs during startup require raising rights (shield icon at the icon), but in fact, for their normal administrator rights, it is not required (for example, you manually provided the necessary rights to users to the program catalog in ProgramFiles and the registry branches that are used by the program). Accordingly, when you start such a program from under a simple user if account control is enabled on the computer, the UAC request will appear and you will need to enter the administrator password. To get around this mechanism, many simply turn off UAC or provide the user to the administrator's right on the computer by adding it to a local administrators group. Naturally, both of these methods are unsafe.

Why the usual application may need administrator rights

Administrator rights may be required by the program to modify certain files (logs, configurations, etc.) in your own folder in C: \\ Program Files (x86) \\ SomeApp). By default, users have no rights to edit this directory, respectively, for the normal operation of such a program, administrator rights are needed. To solve this problem, you need to manually on the NTFS administrator to manually assign the right to change / write for the user (or group users) to the folder with the program.

Note. In fact, the practice of storing changing application data in its own directory in C: \\ Program Files is incorrect. It is more correct to store the application data in the user profile. But this is a question of the laziness and incompetence of developers.

Running a program that requires administrator right from normal user

We have already described before, as you can, using the RunasInvoker parameter. However, this method is not flexible. You can also use with the preservation of the Admin password / Savecred (also unsafe). Consider a simpler method of forced launch of any program without administrator rights (and without administering an admin) with the UAC (4,3 or 2 level) included.

For example, take the registry editing utility - regedit.exe (It is located in the C: \\ Windows \\ System32 directory). When the REGEDIT.EXE is started, the UAC window appears and, if you do not confirm the privilege, the registry editor does not start.

Create a file on the desktop rUN-AS-NON-Admin.Bat With the following text:

cMD / MIN / C "SET __COMPAT_LAYER \u003d RUNASInVoker && start" "% 1"

Now for forced to start the application without administrator rights and suppress the UAC request, simply drag the desired exe file to this BAT file on the desktop.

After that, the registry editor should start without the appearance of the UAC request. Opening the processes manager, and add a column Elevated (With a higher level of permissions), you will see that the system has a REGEDIT.exe process with a non-sensitive status (launched with user rights).

Try editing any parameter in the HKLM branch. How do you see access to registry editing in this branch (this user has no rights to write to the registry system branches). But you can add and edit keys in your own user registry branch - HKCU.

Similarly, you can run via BAT file and a specific application, it is enough to specify the path to the executable file.

rUN-APP-AS-NON-ADMIN.BAT

Set ApplicationPath \u003d "C: \\ Program Files \\ Myapp \\ TestApp.exe"
cMD / MIN / C "set __compat_layer \u003d runasinvoker && start" "% applicationpath%"

You can also add a context menu that adds to all applications that the launch is possible without increasing rights. To do this, create the next REG file and import it into the registry.

Windows Registry Editor Version 5.00

@ \u003d "CMD / MIN / C \\" set __compat_layer \u003d runasinvoker && start \\ "\\" \\ "% 1 \\" \\ ""

After that, to start any application without the admin rights, it is enough to select the item "" in the context menu.

Environment Variable __Compat_Layer and RunasInvoker

Environment Variable __Compat_layer Allows you to install different compatibility levels for applications (tab Compatibility In the EXE file properties). Using this variable, you can specify the compatibility settings with which you want to run the program. For example, to launch the application in compatibility mode with Windows 7 and the resolution of 640 × 480, set:

set __compat_layer \u003d win7rtm 640x480

Of the options of interest to us, the __compat_layer variable will highlight the following parameters:

• Runasinvoker - Starting an application with the privileges of the parent process without a UAC request.
• Runashighest. - Run an application with maximum rights available to the user (the UAC request appears if the user has administrator rights).
• Runasadmin. - Run an application with administrator rights (AUC request always appears).

Those. The RunasInvoker parameter does not provide administrator rights, and only blocks the appearance of the UAC window.