BeRoot is a post exploitation tool to check common Windows misconfigurations to find a way to escalate our privilege. It will be added to the pupy project as a post exploitation module (so it will be executed in memory without touching the disk).
Except one method, this tool is only used to detect and not to exploit. If something is found, templates could be used to exploit it. To use it, just create a test.bat file located next to the service / DLL used. It should execute it once called. Depending on the Redistributable Packages installed on the target host, these binaries may not work.
Download the compiled version by clicking here.
Also Read chntpw – Windows Password, Account Forensics & Change User Password
All detection methods are described on the following document.
Consider the following file path:
C:\Program Files\Some Test\binary.exe
If the path contains spaces and no quotes, Windows would try to locate and execute programs in the following order:
C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\binary.exe
Following this example, if “C:\” folder is writable, it would be possible to create a malicious executable binary called “Program.exe“. If “binary.exe” run with high privilege, it could be a good way to escalate our privilege.
Note: BeRoot realized these checks on every service path, scheduled tasks and startup keys located in HKLM.
The vulnerable path runs as:
Consider the following file path:
C:\Program Files\Some Test\binary.exe
If the root directory of “binary.exe” is writable (“C:\Program Files\Some Test”) and run with high privilege, it could be used to elevate our privileges.
Note: BeRoot realized these checks on every service path, scheduled tasks and startup keys located in HKLM.
How to exploit:
This techniques affects the following Windows version:
6.0 => Windows Vista / Windows Server 2008
6.1 => Windows 7 / Windows Server 2008 R2
6.2 => Windows 8 / Windows Server 2012
On a classic Windows installation, when DLLs are loaded by a binary, Windows would try to locate it using these following steps:
- Directory where the binary is located
- C:\Windows\System32
- C:\Windows\System
- C:\Windows\
- Current directory where the binary has been launched
- Directory present in %PATH% environment variable
If a directory on the %PATH% variable is writable, it would be possible to realize DLL hijacking attacks. Then, the goal would be to find a service which loads a DLL not present on each of these path. This is the case of the default “IKEEXT” service which loads the inexistant “wlbsctrl.dll“.
How to exploit: Create a malicious DLL called “wlbsctrl.dll” (use the DLL template) and add it to the writable path listed on the %PATH% variable. Start the service “IKEEXT“. To start the IKEEXT service without high privilege, a technic describe on the french magazine MISC 90 explains the following method:
Create a file as following:
C:\Users\bob\Desktop>type test.txt
[IKEEXTPOC]
MEDIA=rastapi
Port=VPN2-0
Device=Wan Miniport (IKEv2)
DEVICE=vpn
PhoneNumber=127.0.0.1
Use the “rasdial” binary to start the IKEEXT service. Even if the connection failed, the service should have been started.
C:\Users\bob\Desktop>rasdial IKEEXTPOC test test /PHONEBOOK:test.txt
For French user, I recommend the article written on the MISC 90 which explain in details how it works.
This vulnerability has been corrected by Microsoft with MS16-075, however many servers are still vulnerable to this kind of attack.
Here are some explaination (not in details):
How to exploit: BeRoot realize this exploitation, change the “-c” option to execute custom command on the vulnerable host.
beRoot.exe -c "net user Zapata LaLuchaSigue /add"
beRoot.exe -c "net localgroup Administrators Zapata /add"
AlwaysInstallElevated is a setting that allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions. To allow it, two registry entries have to be set to 1:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
How to exploit: create a malicious msi binary and execute it.
This file contains all the configuration settings that were set during the installation process, some of which can include the configuration of local accounts including Administrator accounts. These files are available on these following path:
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\Panther\unattend.xml
How to exploit: open the unattend.xml file to check if passwords are present on it. Should looks like:
<UserAccounts>
<LocalAccounts>
<LocalAccount>
<Password>
<Value>RmFrZVBhc3N3MHJk</Value>
<PlainText>false</PlainText>
</Password>
<Description>Local Administrator</Description>
<DisplayName>Administrator</DisplayName>
<Group>Administrators</Group>
<Name>Administrator</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
Credits : Alessandro ZANNI
bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…
Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…
Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…
Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…