Thursday, January 24, 2013

I am an OSCP

Two months of woodshedding paid off, and on Monday I received an email from the Offensive Security folks that I had passed the dreaded OSCP exam. My exam was scheduled for early Friday morning; by late Saturday evening I had a passing score, but I was still stuck on privilege escalation on one box. I will write a detailed review over the weekend. There are too many things to talk about. I met many interesting people and learned tons of stuff. This has been one of the greatest times of my life.
Nothing beats the Offsec lab, and the folks at Offsec are the most professional and awesome people. I am proud to be associated with Offsec. Detailed review coming soon!!!

Friday, November 23, 2012

Windows Privilege Escalation

I am one week into the OSCP labs and it's brutal. Before signing up for the lab I had studied quite a bit on Linux privilege escalation and was quite confident about it, but you are never too prepared for the OSCP lab. Right at the start I was tasked with learning Windows privilege escalation... YES! NO! It cannot be ignored. After some searching on the Interwebs, I came across this awesome post on Windows privilege escalation via weak service permissions, but the author had mostly shown examples in PowerShell, and AFAIK WMIC does not work on older Windows versions for limited users. To my surprise someone had actually posted a cmd.exe solution in the comments... but it needed some refinement. So off I went learning the cmd.exe command line; many times during this course I wondered if Microsoft engineers had held a contest to come up with the world's ugliest syntax. *shudder*
Anyway, I survived and managed to make a working, albeit crude, script. This batch script writes a text file (srvperms.txt) listing the file permissions on the binary of every service whose executable is not under system32, i.e. the user-installed services. The rest of the procedure for exploiting this is explained in the original post mentioned above. Have fun!

@echo off
rem Record each non-system32 service binary path; :check strips quotes and trailing arguments before icacls.
for /F "tokens=2" %%i in ('"sc query state= all | findstr SERVICE_NAME"') do @sc qc %%i | findstr BINARY_PATH_NAME | find /I /V "system32" >> usrsrvcs.txt
for /F "tokens=2*" %%a in (usrsrvcs.txt) do call :check %%b
del usrsrvcs.txt
goto :eof
:check
icacls "%~1" >> srvperms.txt
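For auditing a host where PowerShell is available, here is an added example (my own, not the script from the original post) that automates the manual icacls review: it resolves each service's binary from Win32_Service and flags any file or containing directory that grants Everyone, BUILTIN\Users or Authenticated Users write-class rights. It assumes PowerShell 3.0 or later and does not exclude system32, since the ACL test itself decides what is reported.

```powershell
# Added audit example (not the original post's script). Assumes PowerShell 3.0+
# and that Win32_Service is readable by the account running it.
$weakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Any of these rights lets the principal replace or alter the file.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName is either "C:\Program Files\x\svc.exe" -args (quoted)
    # or C:\Program Files\x\svc.exe -args (unquoted, even with spaces).
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-WeakAce {
    param([string]$Path)
    # First Allow ACE granting a low-privilege principal write-class rights, or $null.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) { return $ace }
    }
    return $null
}

$findings = Get-WmiObject Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinaryPath $_.PathName
    if (-not $bin) { return }
    # Check the binary and its directory: a writable directory lets the file be replaced.
    foreach ($target in @($bin, (Split-Path -Parent $bin))) {
        $ace = Get-WeakAce $target
        if ($ace) {
            New-Object PSObject -Property @{
                Service   = $_.Name
                StartName = $_.StartName   # account the service runs as
                Path      = $target
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}
$findings | Format-Table Service, StartName, Path, Principal, Rights -AutoSize
```

Entries where StartName is LocalSystem are the ones to fix first, by tightening the ACL on the binary or its folder so only administrators and the service account can write to them.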