Roadmapping Privilege Escalation in Windows Systems
Quote:

Securing Your Assets against Privilege Escalation Attacks

And the award for the most confusing cybersecurity phrase out there goes to “privilege escalation”, a term which, as balking as it might sound, is oftentimes confused with obtaining higher privileges via a veto-like, sysadmin-controlled process. Since we like nothing more than to sink our teeth into something like this, today’s article won’t be an article, but a long-winded disambiguation of privilege escalation. So, what is privilege escalation, how many types of privilege escalation are there, and, most importantly, why is this bad? Stick around to find the answer to these questions and more. Enjoy!

What is Privilege Escalation?

Let’s talk about the elephant in the room – privilege escalation. So, in cyber-lingo, privilege escalation is a malicious attempt at gaining unauthorized access to sensitive information by taking over a user’s account that has the necessary privileges to view or commit modifications to the said information.

Let’s break this down a bit – let’s say that user A, who’s working for company XYZ, has been given access to a financial database. Because user A is a finance officer, he’s been cleared to perform a set of company-defined operations on the financial database (e.g., read, write, open, but not delete). Fellow B, who’s in no way affiliated to XYZ, wishes to tap into the company’s financial database for whatever nefarious purpose.

Using various TTPs, B successfully takes over user A’s account and gains access to the database. This is a great example of a vertical privilege escalation. You’ve guessed it – there’s also a horizontal privilege escalation. So, how do you set them apart? Well, in vertical privilege escalation, you’re dealing with the ‘accountphage’ type of behavior.

Basically, you chew the user out of his or her account. Horizontal privilege escalations are a bit more challenging compared to vertical ones since they require a deep understanding of how operating systems work.

Wait! Isn’t that a prerequisite for both ops? Yes and no – of course, you’ll need some tech background to figure out how account takeover tools work and to identify the backdoors and vulnerabilities that would enable you, as the hacker, to perform the said operation. In vertical P.E., you don’t need to elevate rights (i.e. obtain the credentials necessary to access another informational class) because the account you’re about to take over already has all the credentials necessary to access that particularly sensitive area.

Anyway, in horizontal privilege escalation, you will need to take over the account and, at the same time, elevate its privileges. No doubt some ‘Mission Impossible’ right there, but very doable if you have the right tools. In most HPE cases, the attacker would rely on phishing or spearphishing to infiltrate the victim’s machine and on hacking tools such as Metasploit to gain SYSTEM-level (root) access. And that’s where the fun begins.

So far, we’ve covered the whats and whys. Let’s tackle the hows. One word – vulnerabilities. OS-embedded vulnerabilities, hidden backdoors, or even user permission misconfigurations can facilitate the threat actor’s entry.

Please keep in mind that there’s no such thing as an operating system with zero vulnerabilities – Linux has them, macOS has them, and the list goes on; won’t even bother talking about Windows. To make things even worse than they already are, some tools are fine-tuned to sniff out these vulnerabilities. And yes, most of them are legitimate.

To recap: we have two types of privilege escalation – vertical and horizontal. In VPE (vertical privilege escalation), the attacker aims at taking over an account that has higher privileges. On the other hand, in HPE (horizontal privilege escalation) the hacker will first take over an account and then try to gain system-level rights. Both types of operations are achieved by taking advantage of existing operating system vulnerabilities.

With that out of the way, let’s now talk about some of the most common privilege escalation attacks.

Privilege Escalation Attacks and Ways of Countering Them

Finally, we’ve arrived at the fun part – chalking up the list of privilege escalation attacks. Any favorite? Hit the comments section and let me know. Also, if there’s an attack I’ve missed, leave the name in the comment and I’ll get back to you. Without further ado, here’s what you’re up against.

Windows Sticky-Key attack

I’ll kick it off with my all-time favorite privilege escalation attack – Sticky Keys for sticky fingers. For those of you who don’t know what sticky keys are, try pressing the “Shift” key five times. You get a short beep and a screen pops up asking you to configure ‘sticky’ behavior. Pretty useful for users who can’t work their way around key combos, but very frustrating if you’re into gaming. Hint: enable autorun the game’s menu.

Anyway, regarding this particular attack, its beauty lies in its simplicity – you really don’t need to be that computer-savvy to carry it out. Here’s the gig: using the ‘enable sticky keys’ feature, you can bypass normal endpoint auth and gain system-level privileges. Sounds crazy, but it really works, and here’s how to do it.

Please note that what I’m about to show you is for educational purposes only! You can try it out on your personal machine, but please refrain from doing this on your work machine or whatever.

Step 1. Get access to a machine. To pull off this trick, you will need to have PHYSICAL access to the machine. Also, make sure that the ‘practice’ machine can boot to or from a repair disk.

Step 2. Make a copy of the sethc.exe file. This particular file will pop up in the task manager every time you invoke the sticky keys function. Make a local backup of the file because you’ll need it to undo the backdoor later. To do that, fire up your Command Prompt and type in the following command:

Copy c:\windows\system32\sethc.exe c:\

This will make a copy of the sethc.exe file on your C partition.

Step 3. Replace sethc.exe with cmd.exe. Once you’re done with the backup part (see step 2), type in the following command in the same CMD window:

Copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

You don’t need to confirm the operation; the /y switch pre-approves overwriting the existing file.

Step 4. Restart your machine. After your machine has booted up, mash the “SHIFT” key five times. If everything’s done right, a CMD window should appear on your screen. But it’s not just any CMD window – it’s THE (magic) CMD window that grants you system-level privileges.

Go ahead and knock yourself out; from here, you can create a (fake) admin account, install a secret backdoor, and much more.
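From the defender’s side, the swap above leaves two fingerprints: the sethc.exe on disk is now a byte-for-byte copy of cmd.exe, and when the key is mashed on the logon screen, winlogon.exe (which launches the accessibility helper there) ends up with a command shell as its child, while the "sethc.exe" it started reports cmd.exe’s own name in its version resource. The script below is an added example, not code from the article or its author: it runs those two checks, the file comparison on raw bytes and the process-telemetry check over a handful of constructed Sysmon Event ID 1 style records (the field names Image, ParentImage, OriginalFileName and User mirror Sysmon’s, but the lines themselves are made up for this example).

```python
"""Added example (not from the article): spotting a sethc.exe -> cmd.exe swap.

Two defender-side checks for the attack described in the steps above:
  1. file check  - the swapped sethc.exe is byte-for-byte cmd.exe, so their
                   SHA-256 digests match (on a clean box they differ);
  2. telemetry   - on the logon screen sethc.exe is started by winlogon.exe,
                   so a cmd.exe (or powershell.exe) child of winlogon.exe, or a
                   sethc.exe whose PE OriginalFileName is not sethc.exe, is a
                   strong signal.
The event lines below are constructed in a Sysmon Event ID 1 style; they are
not real telemetry.
"""
import hashlib
import ntpath

ACCESSIBILITY_BINARY = "sethc.exe"
SHELLS = {"cmd.exe", "powershell.exe"}
LOGON_PARENT = "winlogon.exe"

# Constructed sample events: key=value pairs separated by "|".
SAMPLE_EVENTS = [
    # 0: legitimate Sticky Keys prompt on the logon screen
    "Image=C:\\Windows\\System32\\sethc.exe|OriginalFileName=sethc.exe|"
    "ParentImage=C:\\Windows\\System32\\winlogon.exe|User=NT AUTHORITY\\SYSTEM",
    # 1: sethc.exe on disk is really cmd.exe (the version resource gives it away)
    "Image=C:\\Windows\\System32\\sethc.exe|OriginalFileName=Cmd.Exe|"
    "ParentImage=C:\\Windows\\System32\\winlogon.exe|User=NT AUTHORITY\\SYSTEM",
    # 2: a shell launched straight from the logon screen
    "Image=C:\\Windows\\System32\\cmd.exe|OriginalFileName=Cmd.Exe|"
    "ParentImage=C:\\Windows\\System32\\winlogon.exe|User=NT AUTHORITY\\SYSTEM",
    # 3: ordinary interactive cmd.exe started by a logged-on user (benign)
    "Image=C:\\Windows\\System32\\cmd.exe|OriginalFileName=Cmd.Exe|"
    "ParentImage=C:\\Windows\\explorer.exe|User=XYZ\\usera",
]


def parse_event(line):
    """Turn 'k=v|k=v' into a dict; values may contain backslashes and spaces."""
    return dict(field.split("=", 1) for field in line.split("|"))


def image_name(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of reasons this process-creation event looks like a swap."""
    reasons = []
    image = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    original = event.get("OriginalFileName", "").lower()
    if image in SHELLS and parent == LOGON_PARENT:
        reasons.append("shell spawned by winlogon.exe (pre-logon desktop)")
    if image == ACCESSIBILITY_BINARY and original != ACCESSIBILITY_BINARY:
        reasons.append(f"sethc.exe carries foreign OriginalFileName {original!r}")
    return reasons


def detect(lines):
    """Run classify() over raw event lines; return [(index, reasons), ...] for hits."""
    hits = []
    for i, line in enumerate(lines):
        reasons = classify(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits


def binaries_identical(sethc_bytes, cmd_bytes):
    """File check: True when sethc.exe is a byte-for-byte copy of cmd.exe."""
    return hashlib.sha256(sethc_bytes).digest() == hashlib.sha256(cmd_bytes).digest()


if __name__ == "__main__":
    for index, reasons in detect(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
    # On a real host, read both files from C:\Windows\System32 and pass the bytes:
    # binaries_identical(open(r"C:\Windows\System32\sethc.exe", "rb").read(),
    #                    open(r"C:\Windows\System32\cmd.exe", "rb").read())
```

Event 0 is what a genuine Sticky Keys prompt looks like, so winlogon.exe starting sethc.exe is not itself an alert; the signal is a shell under winlogon.exe, or a sethc.exe whose embedded name disagrees with its file name. The file check complements the telemetry because it works from a rescue boot or an offline disk image, where no process events exist, and restoring from the backup taken in Step 2 is the remediation the article itself prescribes.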
...