This is a collection of toolsets implemented in C#. Figure 1 – Successful Build GhostPack is Neat!Ī toolset that has become very handy in utilizing this method is GhostPack ( ). Since I cannot execute my own code on this particular system without it being blocked by anti-virus, I attempted to build a test XML file and run it with MSBuild.exe.
See a demo of this technique here: What Can MSBuild.exe Help Me Accomplish? See the repository for MSBuildAPICaller ( ). When MSBuild is blocked by application whitelisting, a silly but sometimes successful technique to get around this is to copy MSBuild.exe to another name, such as notmsb.exe, and run this executable instead.Īnother very good option is to use MSBuild without MSBuild.exe. If the MSBuild.exe is not on the compromised system, it could be copied or downloaded and transferred to your compromised system via an HTTP server or a preferred and accessible file transfer service. MSBuild is a native Microsoft binary and, in the context of this blog post, is not flagged by the anti-virus applications on the system in question and can be used to compile and execute inline C# code saved within an. Don’t worry, Visual Studio is not required in order to use MSBuild. MSBuild is a tool used by Microsoft and Visual Studio for building applications. This is not a new technique Casey Smith ( ) discovered that it’s possible to use a native Windows binary, MSBuild.exe, to compile and execute C# code stored in an XML file. While some good approaches to this situation might be to proxy through an RDP connection with tools like proxychains ( ) or something fancier like SocksOverRDP ( ), another option when trying to avoid using PowerShell (due to higher security focus and detection rate) and evade existing security controls potentially is to leverage Microsoft Build Engine (MSBuild). After some general information gathering, it seemed the system was not vulnerable to common privilege escalation techniques that I was aware of. However, this is an organization that took steps to diversify their system configuration, hardened the OS, applied security patches, hardened group policies, etc.
The Situation:Īt the start of this engagement, I faced the common task of needing to escalate privileges after acquiring low-level access to a Windows system. This blog post highlights some good techniques to use when restricted to testing an up-to-date Windows system with low-level user privileges (no local admin) through a Remote Desktop Protocol (RDP) connection. By Sarah Norris in Application Security Assessment, Security Testing & Analysis
0 kommentar(er)
