Week 4 – Privilege Escalation, Antivirus Bypass, and Alternate Data Streams
This week, life happened and I didn’t get a whole lot done. But some progress is better than none.
I did manage to escalate a standard user’s privileges to local Administrator and disable Antivirus software. I also migrated the blog to a new host. If you are reading this, your DNS has updated and you are now seeing the new site. Welcome!
Yay! I successfully migrated the blog to a new host and platform. This was a lot less fun than hacking into stuff but it had to be done. It was up for renewal anyway and I really didn’t like that the free blog was serving advertisements to you that I couldn’t control.
So, new blog, new theme, and no more ads. But unfortunately, not much CEH progress.
I did do a few cool things that are worth talking about. Continue reading to hear more…
Alternate Data Streams
Alternate data streams are nothing new but every time I revisit the topic it reminds me never to take anything at face value. You shouldn’t either!
Here is a quick example of evil.exe being embedded into test.txt as an alternate data stream.
It still exists, but neither the name nor the size is reflected in the directory listing.
One interesting note: when launching a .bat from the command line, it will run within the context of the command window you already have open. If you need to run it in another context, precede the command with “start”. This forces the command to launch in a new process.
Privilege Escalation & Antivirus Bypass
These are very different subjects but I’m including them together because I did both with the same technique.
Looking around, I found a couple different ways to escalate privileges using the sticky keys or ease of access utility.
You can find one very concise set of instructions by Carnal0wnage here.
A more detailed guide here also includes boot up options.
The Pluralsight tutorial I watched shows another method that uses startup repair with a command prompt to launch regedit from the repair screen. Then you can make registry modifications to get CMD to run for you as ‘local system’.
Here is the magical location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
This section of the registry allows you to force a program to run something else. It is supposed to be for debugging but it seems like a great hacking technique…or just for practical jokes. Imagine if Internet Explorer launched every time you double-clicked Chrome!
If you create a new key here for Utilman.exe with the string value Debugger = CMD.exe, then CMD will run each time Utilman.exe is invoked.
Then, just boot up and click the ‘Ease of Access’ button at the log-in prompt.
You will get a command line that runs in the context of ‘local system’. Welcome to complete control of the system!
But wait…what if you add the .exe of your antivirus software to this registry key and direct it to Notepad? Well, I tried it and the system boots up with no antivirus. Now I can run anything I want!
Here are the keys:
If you want to stop this from happening to your system, you can do two things.
First, make sure you password protect the BIOS and disable the startup options for USB and DVD.
Next, encrypt the hard drive so the file structure and registry hive are not accessible from a bootable disk.
Do both! Pulling the CMOS battery will get someone past the password. And inevitably, when managing hundreds or thousands of PCs, one will slip through the cracks and not get encrypted. That’s life. Do both anyway!
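A third thing you can do is check for this after the fact. Here is an added example (my own script for this post, not from Carnal0wnage or the Pluralsight course) that walks the Image File Execution Options key and reports every Debugger value, flagging the ones that point at the accessibility binaries reachable from the logon screen or at cmd.exe/Notepad. It assumes it is run from an elevated PowerShell prompt on the machine being checked.

```powershell
# Added example: audit Image File Execution Options for Debugger redirections
# such as Utilman.exe -> CMD.exe or <antivirus>.exe -> notepad.exe.
# Assumes an elevated prompt; the registry path is the one given in the post.
$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Accessibility binaries that can be launched from the logon screen. A Debugger
# value on any of these is almost never legitimate. (utilman.exe is the Ease of
# Access button; sethc.exe is the sticky keys binary.)
$logonScreenBinaries = @('utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe',
                         'magnify.exe', 'displayswitch.exe')

# Debuggers that make no sense as real debuggers but are what the trick uses.
$suspectDebuggers = @('cmd.exe', 'notepad.exe', 'powershell.exe')

function Get-IfeoDebuggerFindings {
    [CmdletBinding()]
    param()

    if (-not (Test-Path -Path $ifeoPath)) { return }

    foreach ($key in Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue) {
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name 'Debugger' `
                        -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

        $target      = $key.PSChildName.ToLower()
        $debuggerExe = [System.IO.Path]::GetFileName($debugger.Trim('"').Split(' ')[0]).ToLower()

        $severity = if ($logonScreenBinaries -contains $target -or
                        $suspectDebuggers   -contains $debuggerExe) { 'High' } else { 'Review' }

        [pscustomobject]@{
            Target   = $key.PSChildName
            Debugger = $debugger
            Severity = $severity
            KeyPath  = $key.Name
        }
    }
}

$findings = @(Get-IfeoDebuggerFindings)
if ($findings.Count -eq 0) {
    Write-Host 'No Debugger values found under Image File Execution Options.'
} else {
    # Anything marked High should be explained or removed; 'Review' entries may
    # be a real debugger someone left behind, so check with the machine's owner.
    $findings | Sort-Object Severity, Target | Format-Table -AutoSize
}
```

Run it as a scheduled task or from your management tool and you will catch the Utilman.exe trick on the machine that slipped through without encryption.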
I only got about 4 hours of work done this week rather than the 8 hours I planned for but I’m still on track with 34 hours this month. At 8 hours per week, I should be at 32 hours at the end of week four.
I’m at 34 hours…doing fine!
How is your fun and career-improving effort going? Are you investing in your skills outside of work? Share a comment below.