5.1.1 - Feature Abuse


Some functionality of a web site, possibly even security features, may be abused to cause unexpected behavior.

On Windows, some enterprise applications need either Administrative privileges or SYSTEM privileges, making them a wonderful avenue for privilege escalation.

Other techniques are presented here: Windows Privilege Escalation

Jenkins

An older version of Jenkins (before 2.x) is an example of a vulnerable enterprise application.

This version ships with numerous plugins, and if you have Admin access, you can go to http://<jenkins_server>/script and execute custom scripts via the console.

Without Admin access, it is possible to add or edit build steps in the build configuration, e.g. by adding an "Execute Windows Batch Command" step and entering: powershell -c <command>, which makes it possible to download and execute scripts.
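
To review the build-step abuse described above from the defender's side, each job's config.xml can be scanned for batch or shell steps that start PowerShell. This is an added example, not part of the original notes; the job name, the sample XML and the PowerShell-only heuristic are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Build-step elements a freestyle job stores in its config.xml.
STEP_LABELS = {
    "hudson.tasks.BatchFile": "Execute Windows batch command",
    "hudson.tasks.Shell": "Execute shell",
}
# Heuristic (assumption): any build step that starts PowerShell gets reviewed.
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
# Recent Jenkins writes an XML 1.1 declaration, which expat cannot parse.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def audit_job_config(job_name, config_xml):
    """Return one finding per command line that launches PowerShell."""
    root = ET.fromstring(XML_DECL.sub("", config_xml, count=1))
    findings = []
    for step in root.iter():  # iter() also reaches steps nested in wrappers
        if step.tag not in STEP_LABELS:
            continue
        command = step.findtext("command") or ""
        for line_no, line in enumerate(command.splitlines(), start=1):
            if POWERSHELL.search(line):
                findings.append({
                    "job": job_name,
                    "step": STEP_LABELS[step.tag],
                    "line": line_no,
                    "command": line.strip(),
                })
    return findings


# Constructed sample, not taken from a real server.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <builders>
    <hudson.tasks.BatchFile>
      <command>echo building
powershell -c Get-Date</command>
    </hudson.tasks.BatchFile>
    <hudson.tasks.BatchFile>
      <command>msbuild app.sln</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>"""

if __name__ == "__main__":
    for finding in audit_job_config("nightly-build", SAMPLE_CONFIG):
        print(finding)
```

Findings are a starting point for review: compare them with the job's configuration history to see who added the step and when.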

Example of usage

Exploit a service and elevate privileges to local administrator

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
powershell
. C:\AD\Tools\PowerUp.ps1
Invoke-AllChecks
#Evaluate services with "CanRestart: True" and "Check: Modifiable Services" or "Unquoted Service Paths"
#Utilize the AbuseFunction command indicated

Identify a machine in the domain where student has local administrative access

Using privileges of a user on Jenkins <ip:8080>, get admin privileges

Refer to the Learning Object 5 lab.
