Finding Privilege Escalations with strace & SysInternals
Transcript (vdocuments.site, 2021. 3. 9.)
@ OWASP Stammtisch Stuttgart 06.11.2017
• Diplom Mathematiker (FH)
• Administrator – Developer – Architect – Penetration-Tester
• Some 0days
• Certificates: OSCP, OSWP, OSCE, ISO27001 Foundation
• Founder of Ungeheuer IT UG (haftungsbeschränkt)
Ungeheuer IT
• Based in Rülzheim (between Karlsruhe and Mannheim)
• Any kind of penetration test
• Customers from the sectors
• Municipalities
• Insurers
• Banks
• Industry
• Critical infrastructure
Agenda
1. Some Basics
2. Sysinternals & Procmon
3. Strace
Basics
Basics
What is Privilege Escalation?
„Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.“
– Wikipedia
Basics
Diagram: You Start Here → Your Target
SysInternals: the Windows part
Sysinternals
What is Sysinternals?
Windows Sysinternals is a part of the Microsoft TechNet website which offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.
– Wikipedia
Lots of nice tools
AccessChk AccessEnum AdExplorer AdInsight AdRestore
Autologon Autoruns BgInfo CacheSet ClockRes
Contig Coreinfo Ctrl2Cap DebugView Desktops
Disk2vhd DiskExt DiskMon DiskView Disk Usage (DU)
EFSDump FindLinks Handle Hex2dec Junction
LDMDump ListDLLs LiveKd LoadOrder LogonSessions
MoveFile NTFSInfo PendMoves PipeList PortMon
ProcDump Process Explorer Process Monitor PsExec PsFile
PsGetSid PsInfo PsPing PsKill PsList
PsLoggedOn PsLogList PsPasswd PsService PsShutdown
PsSuspend RAMMap RegDelNull Registry Usage (RU) RegJump
SDelete ShareEnum ShellRunas Sigcheck Streams
Strings Sync Sysmon TCPView VMMap
VolumeID WhoIs WinObj ZoomIt
ProcMon - GUI
Screenshots of the ProcMon window, with these columns called out one per slide:
• Process Name: the name of the executing process
• Operation
• Path: the related path
• Result
ProcMon
• It is also able to log during boot!
ProcMon - Boot
ProcMon
• But what can we do with it?
• We can find Privilege Escalations by combining
• ... the %PATH% variable
• ... errors in the ProcMon Log
• ... a broken application
ProcMon – Filter for PrivEsc!
ProcMon
Diagram: PATH=C:\Windows;C:\Python27;C:\SomeFolder;C:\BrokenTool\bin
Directories shown: C:\Windows, C:\Python27, C:\BrokenTool\bin, C:\SomeFolder; file: Foo.exe
ProcMon
Diagram: PATH=C:\Windows;C:\Python27;C:\SomeFolder;C:\BrokenTool\bin
Directories shown: C:\Windows, C:\Python27, C:\BrokenTool\bin, C:\SomeFolder; files: Foo.exe, Foo.exe (Malicious); result: Shell
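The search-order case sketched on the two diagram slides above, worked through as an added example (this is not code from the talk or from any Sysinternals tool): a short Python script reads a Process Monitor CSV export, follows each CreateFile probe that lands in a PATH directory, and reports files that were resolved only after NAME NOT FOUND results in directories a standard user can write to, files whose resolved directory is itself writable, and files that were never found at all. The PATH value is the one from the slides; the CSV rows, the process name BrokenTool.exe and the writable-directory list are constructed for the example (on a real system the writable list comes from AccessChk or icacls, not from the log).

```python
"""Search-order (PATH) analysis over a Process Monitor CSV export (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample input: the PATH value is the one on the slides, the CSV rows
# follow the column layout of a ProcMon CSV export but are made up for this example.
SAMPLE_PATH = r"C:\Windows;C:\Python27;C:\SomeFolder;C:\BrokenTool\bin"

SAMPLE_PROCMON_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:41:03.1000001","BrokenTool.exe","4242","CreateFile","C:\Windows\Foo.exe","NAME NOT FOUND","Desired Access: Read Attributes"
"9:41:03.1000002","BrokenTool.exe","4242","CreateFile","C:\Python27\Foo.exe","NAME NOT FOUND","Desired Access: Read Attributes"
"9:41:03.1000003","BrokenTool.exe","4242","CreateFile","C:\SomeFolder\Foo.exe","NAME NOT FOUND","Desired Access: Read Attributes"
"9:41:03.1000004","BrokenTool.exe","4242","CreateFile","C:\BrokenTool\bin\Foo.exe","SUCCESS","Desired Access: Read Attributes"
"9:41:03.2000001","BrokenTool.exe","4242","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read"
"9:41:04.0000001","BrokenTool.exe","4242","CreateFile","C:\SomeFolder\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''.lstrip()

# Constructed: directories a standard user can write to. On a real system this list
# comes from AccessChk or icacls, not from the ProcMon log itself.
SAMPLE_WRITABLE_DIRS = [r"C:\SomeFolder", r"C:\BrokenTool\bin"]


def _norm(path):
    """Normalise a Windows directory path for comparison (case-insensitive, no trailing backslash)."""
    return path.strip().rstrip("\\").lower()


def parse_path_env(path_env):
    """Split a %PATH% value into its directories, in search order."""
    return [_norm(d) for d in path_env.split(";") if d.strip()]


def find_search_order_hijacks(path_env, procmon_csv, writable_dirs):
    """Follow every CreateFile probe that lands in a PATH directory and flag search-order risks."""
    path_dirs = parse_path_env(path_env)
    writable = {_norm(d) for d in writable_dirs}
    # (process, file name) -> [(directory, result), ...] in the order ProcMon logged them
    probes = defaultdict(list)
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] != "CreateFile":
            continue
        directory, _, filename = row["Path"].rpartition("\\")
        directory = _norm(directory)
        if directory not in path_dirs:
            continue  # not a PATH lookup, e.g. a DLL loaded from System32
        probes[(row["Process Name"], filename.lower())].append((directory, row["Result"]))

    findings = []
    for (process, filename), sequence in probes.items():
        resolved = None
        missed = []
        for directory, result in sequence:
            if result == "SUCCESS":
                resolved = directory  # the copy the application actually ran or loaded
                break
            if result == "NAME NOT FOUND":
                missed.append(directory)  # searched here first, found nothing
        hijackable = [d for d in missed if d in writable]
        resolved_dir_writable = resolved is not None and resolved in writable
        if hijackable or resolved_dir_writable:
            findings.append({
                "process": process,
                "file": filename,
                "resolved_in": resolved,          # None when the file was never found
                "hijackable_dirs": hijackable,    # writable dirs probed before the real file
                "resolved_dir_writable": resolved_dir_writable,
            })
    return findings


if __name__ == "__main__":
    for f in find_search_order_hijacks(SAMPLE_PATH, SAMPLE_PROCMON_CSV, SAMPLE_WRITABLE_DIRS):
        where = f["resolved_in"] or "never found"
        print(f'{f["process"]} looked up {f["file"]} (resolved in: {where}); '
              f'writable directories searched first: {f["hijackable_dirs"]}; '
              f'resolved directory writable: {f["resolved_dir_writable"]}')
```

Save the ProcMon capture as CSV and filter it on Operation = CreateFile before feeding it in to keep the file small. Each directory in hijackable_dirs is a writable location that sits ahead of the real file in the search order; a file that was never found (resolved_in is None) and was probed in a writable directory is the same problem for a missing DLL. The fix on the defending side is to tighten the ACL on that directory, remove it from the system PATH, or have the application use a fully qualified path.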
Powershell is nice to us!
• Before it calls its own functions and methods it first searches in PATH!
ProcMon - Demos
strace: the Linux part
Strace
• Available on (almost) all Unix/Linux based systems (for AIX and Solaris there is truss)
• It traces system calls and signals
• It is possible to attach to running processes
• Can follow forked threads
Simple strace call
How to use it?
• Put a recognisable placeholder into the parameters and grep the trace for it
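The placeholder-and-grep technique from this slide, as an added example that is not part of the talk: a Python script scans strace -f output for a marker string that was placed into the traced program's parameters and reports which system call, in which process, carried the marker in one of its arguments and what kind of sink that is (command execution, file path, network, plain output). The trace lines, the program name brokentool and the marker MARKER42 are constructed for the example.

```python
"""Locate the system calls that carry a placeholder put into a program's parameters (added example)."""
import re
from collections import Counter

# Constructed sample of `strace -f -s 4096` output for a program started with the
# marker MARKER42 in its arguments. The program name, paths and pids are made up.
SAMPLE_STRACE = r'''
execve("/usr/local/bin/brokentool", ["brokentool", "--name", "MARKER42"], 0x7ffe3a1b2c30 /* 20 vars */) = 0
[pid  3210] openat(AT_FDCWD, "/var/lib/brokentool/MARKER42.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  3210] write(2, "processing MARKER42\n", 20) = 20
[pid  3210] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f1e9c0) = 3211
[pid  3211] execve("/bin/sh", ["sh", "-c", "logger brokentool MARKER42"], 0x55d1c0a0 /* 20 vars */ <unfinished ...>
[pid  3210] wait4(3211,  <unfinished ...>
[pid  3211] <... execve resumed>) = 0
[pid  3210] exit_group(0) = ?
'''.strip().splitlines()

# What kind of sink a system call is when user-controlled input shows up in its arguments.
SINKS = {
    "command execution": {"execve", "execveat"},
    "filesystem path": {"open", "openat", "creat", "stat", "access", "unlink", "unlinkat",
                        "rename", "chmod", "chown", "mkdir", "symlink", "readlink"},
    "network": {"connect", "sendto", "sendmsg"},
    "output / logging": {"write", "writev"},
}

# "[pid  NNN] name(args..." ; the pid prefix appears once strace -f is following children.
LINE_RE = re.compile(r"^(?:\[pid\s+(\d+)\]\s*)?(\w+)\((.*)$")


def classify(syscall):
    """Map a syscall name to the sink category it represents."""
    for sink, names in SINKS.items():
        if syscall in names:
            return sink
    return "other"


def split_args(arg_text):
    """Split a strace argument list on top-level commas, honouring quotes and brackets."""
    args, depth, in_str, escaped, cur = [], 0, False, False, []
    for ch in arg_text:
        if in_str:
            cur.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
        elif ch in "[{(":
            depth += 1
        elif ch in "]})":
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        args.append(tail)
    return args


def find_marker_sinks(trace_lines, marker):
    """Return one hit per syscall argument that contains the marker."""
    hits = []
    for line in trace_lines:
        if marker not in line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # "<... resumed>" continuation lines carry no arguments of their own
        pid, syscall, rest = m.groups()
        rest = rest.replace("<unfinished ...>", "")  # interrupted call: arguments are still there
        idx = rest.rfind(") = ")
        if idx != -1:
            rest = rest[:idx]  # drop the return value and any errno text
        rest = rest.rstrip().rstrip(")")
        for arg in split_args(rest):
            if marker in arg:
                hits.append({"pid": pid, "syscall": syscall, "sink": classify(syscall), "arg": arg})
    return hits


def sink_summary(hits):
    """Count hits per sink category."""
    return Counter(h["sink"] for h in hits)


if __name__ == "__main__":
    for h in find_marker_sinks(SAMPLE_STRACE, "MARKER42"):
        print(f'pid={h["pid"]} {h["syscall"]:10} [{h["sink"]}] {h["arg"]}')
```

Run the target as `strace -f -s 4096 -o trace.log ./program MARKER42 ...` and hand the file's lines to find_marker_sinks; without -s the marker is cut off by strace's default 32-character string limit and silently disappears from long arguments. The first execve hit is just the command line you passed. The hit that matters is the child's execve of sh -c with the marker inside the command string: the parameter reached a shell unquoted, which is where the program needs an argv-based exec or input validation, and the openat hit shows the same parameter being used as a file name, where a path check belongs.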
Strace - Demos
Only Local Priv Esc?
You can also check remote protocols for RCE!