Application of BruteForce in Windows Privilege Escalation


The webshell you finally won after all that effort usually runs as www-data or as NETWORK SERVICE. To widen the foothold you have to raise privileges; that is the key to the post-exploitation stage. For Windows privilege escalation, the methods I use most are command execution through the database (DB), kernel exploits, DLL hijacking, unquoted service paths, abuse of high-privilege tokens, and flaws in third-party software. Each fits a different scenario, and reaching the goal usually takes several of them together.

I habitually start with the DB. Whether or not the site and database are separated, a web application has a DB behind it. The DB has its own command execution module, and it often runs with SYSTEM privileges, so once the DB is taken you effectively gain command execution as SYSTEM, which is privilege escalation in disguise. The most direct way into the DB is to log in with a valid account and password, which usually sit in web.config: a webshell gives you web.config, and web.config gives you DB credentials. With a little more luck you find the password of the SA account, and then you are halfway there. Using the SA account, I went to the DB's xp_cmdshell module and executed "whoami", and got the error "Call to CreateProcess failed, error code: 5". The administrator had clearly disabled the DB's command execution (the module itself is still reachable). I then tried the remaining escalation methods one by one, without result.

Giving up was not an option. With the DB SA account in hand, why not try logging in to the OS administrator account with the same password? First look at web.config again. Because the web application connects to several DBs, the configuration file holds several sets of DB credentials:

After deduplication there are 5 passwords: victim@2014, victim, victim2015, sf0618@sf0618, xtepxscm. How to test them? Use administrator as the user name and these five passwords as the dictionary, and run hydra against RDP; that is quick and convenient.

Unfortunately the target did not expose port 3389 to the public network, so port forwarding it is.

Port forwarding takes roughly three steps: establish the port mapping on your VPS, connect from the attacker machine to the forwarding port on the VPS, and finally start forwarding in the webshell. Concretely, the first step uses sSocks to map port 3388 to port 3389 on the VPS so that traffic flows between them:

Second, connect from the attacker machine to port 3388 on the VPS, trying administrator/victim@2014 first. I recommend freerdp over rdesktop: freerdp waits for the connection, supports text copy and paste, and can mount the remote file system:

Third, immediately start port forwarding in the webshell. You may have to click start several times in a row:

Note that the whole process is order-sensitive. Once rcsocks on the VPS has mapped the port you can leave it alone; first run xfreerdp on the attacker machine so it holds the session, then forward the intranet's 3389 from the webshell.

If you see the following error, the account or password is wrong:

I tried the remaining four passwords one by one; all failed.

The administrators group has 6 other members, so that is 5 × 6 more attempts:

Ten-odd minutes of trying produced nothing. Try the common weak passwords next? Tiredness aside, even for just the top 100 weak passwords, manual verification is completely impractical. I needed automation.

The first idea for automation was to use hydra against RDP on the loopback address. Hydra officially no longer supports Windows, so I had to build the executable from source under cygwin. I packaged hydra.exe and its dependencies into a separate directory, independent of the cygwin environment, and hydra.exe runs normally from the command line:

However, with the target set to the loopback address, the RDP attack always failed. It turned out that RDP refuses logins from the loopback address. This road leads nowhere.

The second idea was to wrap the three steps above in a script: call xfreerdp for the remote login (with the user name and password taken from a dictionary) and call curl to drive the webshell's port forwarding. After about half an hour I had a bash script. Testing it showed that even with the correct password it did not succeed 100% of the time. Why? As mentioned above, the webshell's port forwarding is unstable and needs several attempts in a row. Calling curl several times might work around that, but how many times is enough is hard to say. This remote verification approach felt both cumbersome and inefficient; I needed a better idea.

The third idea: I wanted a tool that is efficient, dependency-free, precise and small, that is, a native win32 program that brute-forces the passwords of all OS users locally on the target. Its job is to answer the question "are you admin?", so I named it ruadmin. I gave ruadmin a few core capabilities: efficient and accurate verification of account and password, automatic enumeration of OS accounts, a built-in high-hit-rate weak-password list, portability with no dependencies, no AV detection, and compatibility with every Windows version on the NT architecture.

For efficient verification, it calls LogonUser() and checks credentials locally, with no network protocol involved:

It can even verify accounts with empty passwords. In addition, each account gets its own brute-force thread, which improves efficiency further:

To enumerate OS accounts automatically, it calls NetUserEnum(), which returns all user accounts including hidden ones (such as yangyangwithgnu$):

If cracking every account takes too long, there are two options: use --user to specify a single account, or use --one-quit to tell ruadmin to stop as soon as any account is cracked.

For the built-in high-hit-rate list, I integrated a dictionary of common weak passwords into ruadmin; it holds nearly 40,000 entries:

You can supply your own dictionary file with --passwds-file.

It is implemented in pure win32 with no dependencies; it contains no malicious code, so it triggers no AV alarm; it runs on both x64 and x86; and when generating the executable I set the Visual Studio project's Platform Toolset (Project Properties > Configuration Properties > General > Platform Toolset) to Visual Studio 2015 - Windows XP (v140_xp), so ruadmin supports client systems from Windows XP to Windows 10 and server systems from Server 2003 to Server 2016.

Back to the target environment, to see how I used ruadmin for privilege escalation.

Upload ruadmin. The webshell can upload files, but what we upload is not an ordinary file but an executable, so we should clear as many obstacles to running it as possible. From experience, two suggestions. First, the directory: the program may create temporary files while running, so the upload directory must be readable and writable; C:\Windows\Temp\ or %temp% is a good choice. Second, the file name: keep AV in mind and avoid obviously offensive words such as exp, agent, xxxx, info, hack or admin in the base name; a random name (for example, mneo) is fine. For the extension, change it to txt on the attacker machine and change it back to exe after the upload succeeds; if the target forbids renaming, use an extension not associated with any program (for example, *.128), since Windows allows a file like *.128 to be run directly from the command line. Concretely, I renamed ruadmin.exe to amneo.128, opened the webshell's File Manager module, set the upload directory to C:\Windows\Temp\, and selected amneo.128 on the attacker machine to upload:

Brute force with the built-in passwords. Open the webshell's CmdShell module and run amneo.128 directly, without any command-line options:

With the default options, ruadmin uses its 39526 dictionary entries against the 8 operating system accounts it enumerated automatically. After half a minute it reports that no password was found.

Brute force with the passwords from web.config. The built-in dictionary is clearly of no use. As analysed earlier, web.config contains several DB passwords: victim@2014, victim, victim2015, sf0618@sf0618, xtepxscm. I wrote them into p0.txt on the target and passed p0.txt as the dictionary file; still nothing after the run:

Brute force with a social-engineering dictionary. I had to build a dictionary tailored to the target. A quick analysis: the site's domain name contains victim, and victim@2014 and victim2015 appeared among the DB passwords, so it is reasonable to guess that the administrator password is built from victim, a special character and a year. But victim may be upper- or lower-case, there are more than ten special characters, and the year is uncertain; there are too many permutations to enumerate by hand, so a tool that generates them from rules is needed. For dictionary generation I recommend two tools, hashcat and crunch; here I use hashcat. Yes, hashcat can generate a dictionary from rules; the rule base is in hashcat/rules:

Among them, dive.rule has the rules I need. I took victim@2014, victim, victim2015, sf0618@sf0618, xtepxscm as the base words, saved them in base.txt as input, and let dive.rule mangle them into a similar-looking dictionary saved as passwds.txt:

That produced a dictionary of about 260,000 entries, and with 8 accounts on the target that is 268446 × 8 attempts. Running such a long command through the webshell makes the page time out and the result cannot be displayed, so redirect the command's output to a text file:

About ten minutes later, the size of foo.txt reached about 1,000, a sign that the command had finished. Check foo.txt:

Successfully broke the passwords of two administrator accounts.

Log in over Remote Desktop as administrator to complete the escalation. After forwarding the intranet's RDP port to the public network with the webshell on the target, rcsocks on the VPS and xfreerdp on the attacker machine, enter administrator/Victim@2017 and the login succeeds:

Some environments restrict the source IP of RDP, so even with port forwarding you cannot log in. That does not matter: with the administrator's password, all I need is a Windows equivalent of su on Linux to run any command as administrator. Windows has runas for this, but it cannot take the password as a command-line argument, so use the open-source cpau (cpau/). Which command to run is a matter of preference; I bounce back a meterpreter with administrator privileges. Run cpau:

Here I renamed cpau.exe to asdf.64, and tybdf.16 is the reverse payload generated by msfvenom. The administrator's meterpreter arrives shortly:

Of course, ruadmin is not perfect, and you need to understand two shortcomings to judge whether it suits your environment. First, where an account lockout policy is enabled, ruadmin may lock accounts and disrupt the business; I suggest first using --user to test an ordinary account to find out whether lockout is enabled, and planning the next step accordingly. Second, the authentication mechanism ruadmin uses generates a large number of failed-login log entries, which may draw the attention of administrators and AV.

Judging from recent use of ruadmin in real engagements, the results are very good. For privilege escalation most attackers use DB command execution and kernel exploits; the more capable look at files storing plaintext passwords and hunt for misconfigured services; the even more capable steal privileged tokens and attack master keys. Low-threshold local brute force rarely appears in the "orthodox" list of privilege escalation techniques, probably for two reasons: either the attacker never thinks of it at all and at most points hydra at RDP remotely, or they do think of it but lack a dependency-free local brute-force tool like ruadmin that needs no protocol. For a high-yield escalation method like this, you should at least try it.
