Below you will find my brain-dump on how UAC works and the bypasses (or 1).
Different Levels - for security right
So process run in different levels for security reasons. Thus if a process gets popped, it shouldn't necessarily mean straight to Local Admin. Same premise of popping Apache; you become www-data with minimal rights.
So what are these levels.
System - I believe I was told this is not a 'level' but transcends the levels.
High Integrity - basically admin rights
Medium Integrity - Standard user
Low - Restricted
This is relevant when you get a shell as a user who is local admin, because you type hashdump in Meterpreter and cannot dump the hash. It is annoying as an attacker, but Windows is basically like 'lol you can't execute admin actions as a medium integrity'. You have to explicitly state that you want to execute an administrative task (hence that annoying UAC PLEASE SELECT ACCEPT pop-up).
This annoying pop up was designed initially in Vista... EVERY process that needed admin rights caused a UAC pop-up. It was annoying to everyone, I am sure you remember Vista.
So in the later versions of windows. The Microsoft peeps decided that some applications could automatically elevate themselves, thus gaining admin rights without annoying the user...... This sounds great until it was realised that the way this happens, could be manipulated to execute a DLL of an attackers choice. Thus the UAC bypass.
This is my summary, but obviously I have to give credit to here:
https://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/
In Short:
Using DLL hijacking to force a DLL chosen by the attacker to be loaded can allow one to bypass UAC. It is called Leo's Bypass Attack and uses sysprep.exe. When sysprep.exe ran it would look for a DLL called CRYPTBASE.dll, if you supplied it in an area that it found before the REAL dll, it would load the first dll, thus allowing High integrity. Pretty Cool huh, its an awesome trick.
The cool part is in lateral movement!
So that is awesome on that system. The cooler part I think is when you want to move laterally. If you can connect to another system, that high integrity token goes with it to the next system.
So in essence, which named the bounceback UAC bypass (haha) is the idea of using this idea to get high integrity on your current system without DLL hijacking on that system (again mentione din the blog post above). You may have a normal user (not local admin) on a system, cannot find ways to priv esc or bypass uac, but on another system you do have local admin. So in a nutshell you connect over to that system as that user, gain the high integrity token and then connect BACK to the original system, gaining local admin on the original system.
I thought that was pretty cool.
Just a nice brain dump of what I 'remembered' from reading the post.
Cheers
Haydn
Haydn
No comments:
Post a Comment