applocker

All posts tagged applocker

Walkthrough of privilege escalation techniques on a windows machine.

Bypassing Applocker

First of all a couple of words about Window’s Applocker. Applocker is an application whitelisting solution of Windows, so with the usage of it certain *.exe files or *.msi packages can be blocked. The default rules of Applocker are:

  • All members of the local Administrators group can run apps
  • All members of the Everyone group can run apps which are located in the Windows folder
  • All members of the Everyone group can run apps that are located in the Program Files folder

If AppLocker is configured with these default AppLocker rules, it can be easily bypassed by placing the executable into the directory of “C:\Windows\System32\spool\drivers\color”. Let’s get “whoami.exe” from our Kali Windows repository and upload it to the victim computer first and run to check whether it asks for further permissions.

Let’s answer the first question by checking the history of Powershell.

What is the first flag?

Kerberoasting

Kerberoasting is a post-exploitation attack that abuses the Kerberos protocol to obtain password hashes of Active Directory accounts with Service Principal Name (SPN) values which is the mapping between service and account. Ticket Granting Service (TGS) tickets from which the service account password hash can be extracted can be stolen from memory or by network traffic sniffing. Thus any request of a TGS for an SPN by a user may contain the password hash of the service account and as such capturing them makes it possible to offline crack and obtain the password. So, first let’s try to find users with SPN requests.

What user is that for?

We can see that there is an SPN for a user, so we are in a position to make use of the Kerberoasting script of Empire. We can try to download it directly to our target machine, but it has no public internet connection.

So, let’s download it to our Kali and get it from there.

Ok, now let’s try to get the SPN ticket using the Kerberoast script.

Now let’c crack the hash with Hashcat using the code 13100 as this is a Kerberos 5 TGS-REP etype 23 hash.

What is the users password in plain text?

Now all we have to do is just RDP into the machine with the credentials gathered.

What is his flag?

Privilege Escalation

Now we still have only user privileges, so let’s get another PowerShell script to examine the Windows machine to find potential weak points and get admin rights.

The script has identified a couple of ways to elevate our privileges, one of them would be a UAC bypass and another one is an unattended path option.

The unattended path is about an unattended install file which is mainly a corporation program installation method. Let’s check out the file first and then decoding the Base64 type encoding.

What is the decoded password?

We also can decode the Base64 code in our attacker machine if PowerShell not available.

Now, that we know the admin password, all we need to do is just remoting into the machine with these credentials and get the admin flag.

Thanks for reading and as always, any feedback is most welcome.