HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer
is equal to 1.

If we have the power to modify our local user proxy, and Windows Update uses the proxy configured in Internet Explorer's settings, we therefore have the power to run PyWSUS locally to intercept our own traffic and run code as an elevated user on our asset. Furthermore, since the WSUS service uses the current user's settings, it will also use its certificate store. If we generate a self-signed certificate for the WSUS hostname and add this certificate into the current user's certificate store, we will be able to intercept both HTTP and HTTPS WSUS traffic. WSUS uses no HSTS-like mechanisms to implement a trust-on-first-use type validation on the certificate. If the certificate presented is trusted by the user and has the correct hostname, it will be accepted by the service.
*.msi files as NT AUTHORITY\SYSTEM.

exploit/windows/local/always_install_elevated
Write-UserAddMSI command from PowerUp to create inside the current directory a Windows MSI binary to escalate privileges. This script writes out a precompiled MSI installer that prompts for a user/group addition (so you will need GUI access):

.msi file in background:

bash.exe can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe
nc.exe to listen on a port, it will ask via GUI if nc should be allowed by the firewall).

--default-user root

WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\
cmdkey to list the stored credentials on the machine.

runas with the /savecred option in order to use the saved credentials. The following example is calling a remote binary via an SMB share.

runas with a provided set of credentials.

%APPDATA%\Microsoft\Protect\{SID} directory, where {SID} is the Security Identifier of that user. The DPAPI key is stored in the same file as the master key that protects the user's private keys. It usually is 64 bytes of random data. (Notice that this directory is protected so you cannot list it using dir from the cmd, but you can list it from PS.)

dpapi::masterkey with the appropriate arguments (/pvk or /rpc) to decrypt it.

dpapi::cred with the appropriate /masterkey to decrypt.
You can extract many DPAPI masterkeys from memory with the sekurlsa::dpapi module (if you are root).

HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\ and in HKCU\Software\Microsoft\Terminal Server Client\Servers\

dpapi::rdg module with appropriate /masterkey to decrypt any .rdg files.
You can extract many DPAPI masterkeys from memory with the Mimikatz sekurlsa::dpapi module.

%systemroot%\system32\inetsrv\ directory.
If this file exists then it is possible that some credentials have been configured and can be recovered.