This blog post highlights some good techniques to use when restricted to testing an up-to-date Windows system with low-level user privileges (no local admin) through a Remote Desktop Protocol (RDP) connection.
At the start of this engagement, I faced the common task of needing to escalate privileges after acquiring low-level access to a Windows system. However, this is an organization that took steps to diversify their system configuration, hardened the OS, applied security patches, hardened group policies, etc. After some general information gathering, it seemed the system was not vulnerable to common privilege escalation techniques that I was aware of.
While some good approaches to this situation might be to proxy through an RDP connection with tools like proxychains (https://0x00sec.org/t/a-brief-introduction-to-proxychains/418) or something fancier like SocksOverRDP (https://github.com/nccgroup/SocksOverRDP), another option when trying to avoid using PowerShell (due to higher security focus and detection rate) and evade existing security controls potentially is to leverage Microsoft Build Engine (MSBuild). This is not a new technique; Casey Smith (https://twitter.com/subtee) discovered that it’s possible to use a native Windows binary, MSBuild.exe, to compile and execute C# code stored in an XML file.
What is Microsoft Build Engine?
MSBuild is a tool used by Microsoft and Visual Studio for building applications. Don’t worry, Visual Studio is not required in order to use MSBuild. MSBuild is a native Microsoft binary and, in the context of this blog post, is not flagged by the anti-virus applications on the system in question and can be used to compile and execute inline C# code saved within an .xml file.
If the MSBuild.exe is not on the compromised system, it could be copied or downloaded and transferred to your compromised system via an HTTP server or a preferred and accessible file transfer service.
MSBuild Execution is Blocked:
When MSBuild is blocked by application whitelisting, a silly but sometimes successful technique to get around this is to copy MSBuild.exe to another name, such as notmsb.exe, and run this executable instead.
Another very good option is to use MSBuild without MSBuild.exe. See the repository for MSBuildAPICaller (https://github.com/rvrsh3ll/MSBuildAPICaller). See a demo of this technique here: https://s5.gifyu.com/images/msbuild_api.gif
What Can MSBuild.exe Help Me Accomplish?
Since I cannot execute my own code on this particular system without it being blocked by anti-virus, I attempted to build a test XML file and run it with MSBuild.exe.
GhostPack is Neat!
A toolset that has become very handy in utilizing this method is GhostPack (https://github.com/GhostPack). This is a collection of toolsets implemented in C#. Normally, if I were able to interact with this system from my testing machine with my own toolkit, I could use a tool such as Rubeus to pull down Service Principal Name (SPN) tickets for the domain to which the victim system is joined. Since I was unable to, GhostPack is going to provide me with the ability to use some of the same attack techniques that I would normally use from my testing system on the victim system instead.
There are several different ways to get the code you want into an XML file. Once you’ve compiled the desired tool (compile instructions within GhostPack repository), you can then run it with MSBuild. In this case, I was able to spin up a SimpleHTTPServer and transfer files to the victim machine. There is another repository called GhostBuild (https://github.com/bohops/GhostBuild) with pre-built XML files.
Copy it to a notepad file and save as an XML. In this case, I’ll call it ‘test.xml’.
Now, my hope is to get a foothold from one of these SPN accounts and at the same time, I can try running SharpUp (also part of the GhostPack) to see if there are any privilege escalation techniques I missed.
Nothing was found by SharpUp this time. In this case, an SPN account was recovered after the earlier Kerberoast attack, and this particular SPN account also turned out to be a Domain Admin. Such luck!
If I had escalated privileges on the victim machine beforehand, GhostPack also contains SafetyKatz and SharpDump. SharpDump is a port of PowerSploit’s Out-Minidump.ps1 functionality. Running SharpDump creates a minidump, compresses the dump to .gz format, and then deletes the minidump file.
Once I ran the minidump file on my own machine through Mimikatz, another Domain Admin/SPN account was listed with a valid NTLM hash. This led to another foothold on the domain.
Hopefully the technique discussed here using MSBuild to execute tools compiled in C# helps in future testing scenarios. Take a look at GhostPack and some of the other references below for more information.
GhostBuild (compiled binaries)