Windows Privilege Escalation – Kernel Exploits

Introduction

The kernel is a component of the operating system that sits at the core of it, it has complete control over everything that occurs in the system. Because of this, exploiting vulnerabilities in the kernel will pretty much always result in a full system compromise.

Kernel exploits affect a certain version of a kernel or operating system and they are generally executed locally on the target machine in order to escalate privileges to system.

April 24, 2021 | by Stefano Lanaro | Leave a comment

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – DLL Hijacking

Introduction

DLLs (Dynamic Link Library) are libraries that contain code and procedures used by Windows programs. They are similar to EXE files as they are based on the Portable Executable (PE) file format although they cannot be executed directly. They are similar to .so (Shared Library) files in Unix.

DLL hijacking is a method of injecting malicious code into a given service or application by loading an evil DLL, often replacing the original one, that will be executed when the service starts. This is possible due to the way some Windows applications search and load DLLs, more specifically, if the path to a service’s DLL isn’t already loaded or stored in the system, Windows will start looking for it in the environment path, an attacker can therefore place the malicious DLL in a directory that is part of it to trigger the malicious code.

March 31, 2021 | by Stefano Lanaro | 6 Comments

CTF Walkthroughs, Hack The Box

Hack The Box – Fuse Walkthrough

Introduction

This was an intermediate Windows machine that involved crawling a username and password from a web application to access RPC, through which a password stored in a printer’s description can be found in order to obtain remote access to the box, and exploiting a known vulnerability with the SeLoadDriverPrivilege permission to escalate privileges to SYSTEM.

March 25, 2021 | by Stefano Lanaro | Leave a comment

CTF Walkthroughs, Hack The Box

Hack The Box – CronOS Walkthrough

Introduction

This was an intermediate Linux machine that involved exploiting an SQL injection vulnerability to gain access to a traceroute page affected by a remote command vulnerability in order to obtain a reverse shell, and exploiting a PHP function used in a cron hob to gain root-level code execution and therefore a root shell.

March 23, 2021 | by Stefano Lanaro

CTF Walkthroughs, TryHackMe

TryHackMe – HackPark Walkthrough

Introduction

This was a fairly easy Windows machine that involved bruteforcing credentials to authenticate into the BlogEngine web application, exploiting a remote code execution vulnerability affecting it to gain remote access and an insecure service file permission vulnerability in the Splinterware System Scheduler application to escalate privileges to SYSTEM.

March 18, 2021 | by Stefano Lanaro | 5 Comments

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – Scheduled Tasks

Introduction

Windows operating systems, like most systems, have a way of scheduling the launch of programs or scripts based on certain time intervals to help automate recurring tasks. This can often become weaknesses and allow attackers to escalate privileges to root if improperly configured.

This guide will go through the main methods used to exploit scheduled tasks.

March 3, 2021 | by Stefano Lanaro | 2 Comments

Buffer Overflow, Guides, Stack Buffer Overflow

Complete Guide to Stack Buffer Overflow (OSCP Preparation)

Introduction

Stack buffer overflow is a memory corruption vulnerability that occurs when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer, therefore overflowing to a memory address that is outside of the intended data structure.

This will often cause the program to crash, and if certain conditions are met, it could allow an attacker to gain remote control of the machine with privileges as high as the user running the program, by redirecting the flow execution of the application to malicious code.

The purpose of this guide is to teach the basics of stack buffer overflow, especially for students preparing for the OSCP certification exam.

February 10, 2021 | by Stefano Lanaro | 12 Comments

Buffer Overflow, Guides, Stack Buffer Overflow

Stack Buffer Overflow – Exploiting SLMail 5.5

Introduction

This guide will demonstrate the various steps involved in exploiting the remote buffer overflow vulnerability that is present in the Seattle Lab Mail (SLMail) 5.5 POP3 application, in order to gain remote access to a vulnerable machine.

A POC along with the vulnerable software can be found at this link.

February 7, 2021 | by Stefano Lanaro | Leave a comment

CTF Walkthroughs, TryHackMe

TryHackMe – Alfred Walkthrough

Introduction

This was an easy Windows box that involved authenticating to Jenkins using common credentials, executing commands through the Groovy scripting language used in the script console to gain remote access and using token impersonation to escalate privileges to SYSTEM.

It also involved switching from a normal shell to a Meterpreter shell and migrating from a user level process to a SYSTEM level process.

February 6, 2021 | by Stefano Lanaro | Leave a comment

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – AlwaysInstallElevated Policy

Introduction

The Windows installer is a utility which through the use MSI packages can install new software. The AlwaysInstallElevated is a Windows policy that allows unprivileged users to install software through the use of MSI packages using SYSTEM level permissions, which can be exploited to gain administrative access over a Windows machine.

This option is equivalent to granting full SYSTEM rights, which can pose a massive security risk. Microsoft strongly discourages the use of this setting.

February 3, 2021 | by Stefano Lanaro | Leave a comment