DC PrivEsc

DPAPI Method

We can try looking for DPAPI credentials explained in this post.

*Evil-WinRM* PS C:\Users\Bob.Wood\APPDATA\roaming\microsoft\protect> dir


    Directory: C:\Users\Bob.Wood\APPDATA\roaming\microsoft\protect


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d---s-         8/22/2022   2:17 PM                S-1-5-21-1844305427-4058123335-2739572863-2761
*Evil-WinRM* PS C:\Users\Bob.Wood\APPDATA\roaming\microsoft\protect\S-1-5-21-1844305427-4058123335-2739572863-2761> gci -force


    Directory: C:\Users\Bob.Wood\APPDATA\roaming\microsoft\protect\S-1-5-21-1844305427-4058123335-2739572863-2761


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-         8/22/2022   2:17 PM            740 3ebf1d50-8f5c-4a75-9203-20347331bad8
-a-hs-          5/4/2022   4:49 PM            740 a8bd1009-f2ac-43ca-9266-8e029f503e11
-a-hs-          5/4/2022   4:49 PM            908 BK-WINDCORP
-a-hs-         8/22/2022   2:17 PM             24 Preferred

C:\users\bob.wood\AppData\Roaming\Microsoft\Credentials is empty, so no system-level keys are stored here.

To extract the DPAPI secrets we need mimikatz, but it won't work.

AppLocker is blocking it. The well-known bypass is to move the binary into the \windows\system32\spool\drivers\color\ location, but it still gets blocked there.

We can run this to see the AppLocker policy.

With certutil -encode, I encoded the first two files.

This is what it looks like.

After getting them to my machine and decoding

We can also check the local Edge data.

We need two files:

C:\users\bob.wood\AppData\local\Microsoft\Edge\User Data\Default\Login Data

C:\users\bob.wood\AppData\local\Microsoft\Edge\User Data\Local State

Local State is a JSON file we can view. We want this file because it holds a key.

And Login Data is an SQLite database.

The passwords in it are encrypted with that key, and the key is itself encrypted. So we first need to extract the key.

We saw this GUID before in /protect: 000001eb-0900-bd10-a8ac-f2ca4392668e

We already have this file. We can use pypykatz again to generate a prekey; it returns several prekeys.

Now we can extract the master key.

Earlier we saw the encrypted passwords in the logins table of the Login Data database. We can now decrypt them by feeding in Local State, Login Data and the master key.

Edge and Chrome work the same way here.

We get the bob.woodADM password: smeT-Worg-wer-m024

I was able to authenticate and get a ticket.

And we can WinRM in.

AppLocker Bypass Method

I ran the previous command again to read the AppLocker policies, put it in a file and downloaded it to read.

Let's examine it.

We can see that it allows running .exe files inside the %WINDIR% directory, and S-1-1-0 means Everyone. But the rule has exceptions, and there is a whole list of them.

Some directories inside %WINDIR% are world-writable, so we can put files there. This GitHub repo lists them. We can compare that list against the exceptions.

I put the exceptions in a list as is and then:

(?<=Path=")[^"]+ → Extracts text after Path=" but before the closing " .

Comparing them:

We see that C:\windows\debug\wia is writable by us, so we can test it.
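The same comparison written up as a policy audit script. This is an added example, not the author's code: it parses an exported AppLocker policy (the XML shape Get-AppLockerPolicy -Effective -Xml produces), pulls the exception paths the way the regex above does, and reports which user-writable %WINDIR% directories no exception covers, which are the gaps an administrator should add as exceptions. The policy XML and the writable-directory list are constructed samples, and the rule Id is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy in the Get-AppLockerPolicy -Effective -Xml shape (not the box's policy).
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="All files in the Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" />
        <FilePathCondition Path="%WINDIR%\System32\spool\drivers\color\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Constructed, abbreviated list of %WINDIR% subdirectories that normal users can write to
# (the kind of list the GitHub repo mentioned above provides).
KNOWN_WRITABLE = [
    r"C:\Windows\System32\spool\drivers\color",
    r"C:\Windows\debug\WIA",
    r"C:\Windows\Tasks",
    r"C:\Windows\Tracing",
]

def normalize(path: str, windir: str = r"C:\Windows") -> str:
    """Expand %WINDIR%, drop a trailing \\* wildcard and lower-case (NTFS paths are case-insensitive)."""
    p = path.replace("%WINDIR%", windir)
    if p.endswith(r"\*"):
        p = p[:-2]
    return p.rstrip("\\").lower()

def exception_paths(policy_xml: str) -> list[str]:
    """Every FilePathCondition inside an <Exceptions> block of an Exe allow rule."""
    root = ET.fromstring(policy_xml)
    paths = []
    for coll in root.iter("RuleCollection"):
        if coll.get("Type") != "Exe":
            continue
        for rule in coll.iter("FilePathRule"):
            if rule.get("Action") == "Allow":
                paths += [normalize(c.get("Path")) for c in rule.findall("Exceptions/FilePathCondition")]
    return paths

def uncovered_writable_dirs(policy_xml: str, writable: list[str]) -> list[str]:
    """Writable directories that no exception covers: the gaps to close in the policy."""
    exceptions = exception_paths(policy_xml)
    gaps = []
    for d in writable:
        nd = normalize(d)
        if not any(nd == e or nd.startswith(e + "\\") for e in exceptions):
            gaps.append(d)
    return gaps
```

Run uncovered_writable_dirs(SAMPLE_POLICY, KNOWN_WRITABLE) against a real export to get the list of directories the exceptions miss.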

I was able to download SharpChrome in this folder.

Via InstallUtil.exe

There is another method. In the exceptions we see that the %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe path is blocked, but there is another copy of the binary at a different path, which we can find by searching.
