Lateral Privilege Escalation with Privhunter
After breaching a network perimeter, I often end up with access to a domain-joined remote virtual desktop that is quite locked down. VMware Horizon, Citrix, or Azure Virtual Desktop are some examples. In these situations, it's great to have established a beachhead, but expanding influence can be cumbersome when I don't have local admin, PowerShell is blocked, and there's AV/EDR to deal with.
I've had great success with a laughably simple batch script I wrote for this purpose. It's a low-tech lateral privilege escalation tool which I call privhunter. It searches the network looking for a computer that allows access to the c$ share using the given credentials. This allows you to see if the given credentials have local admin somewhere so you can pivot. Granted, it can be loud, but it's also very effective in my experience. The tool just needs an input file of computer names or IP addresses and a credential set. (It can be difficult to export computer names without admin privileges but I'll show you a solution for that shortly.)
priv-hunter.bat <input-file> <domain> <username> <password>
You can download it here: https://github.com/jamesonhacking/priv-hunter/blob/master/priv-hunter.bat
Privhunter throws the credentials at every target host that is in the input file and you get real-time updates in the form of a sort of continuous 'net use' output displayed in the command prompt. As soon as a target appears in the 'net use' output with a c$ in the path, you know you've got a hit. Now you should be able to pivot via SMB or RDP, etc. to a machine where your creds have local admin privileges. (Note: There can be rare false positives if there is a custom configuration allowing access to c$ without admin privileges.)
At the time of writing this, privhunter is basically 6 lines of code, and yet it continues to make my life easier when expanding influence. I haven't really had a problem with defenders detecting it even after using it for dozens of pentests, though it wouldn't be difficult to detect with the proper effort.
Now let's talk about how to export a list of computers when you don't have local admin privs. If we had admin privs, we could do this with PowerShell. But we don't, so we're basically going to copy a Microsoft tool called ldifde (and its dependencies) from a server we control to the beachhead computer. To do this, spin up a cloud server. In my case, I used Server 2019 in AWS. Then copy the following files:
C:\Windows\System32\en-US\ldifde.dll.mui > someplace\en-US\ldifde.dll.mui
C:\Windows\System32\en-US\ldifde.exe.mui > someplace\en-US\ldifde.exe.mui
C:\Windows\System32\ldifde.dll > someplace\ldifde.dll
C:\Windows\System32\ldifde.exe > someplace\ldifde.exe
Place the .dll and .exe files in a parent directory. Then place the .mui files in a subdirectory called en-US. Now you're ready to go. Pull up a command line, navigate to the parent directory, and execute this:
ldifde -f computers.txt -r "(objectClass=computer)"
The output file will need some pruning, so bring it over to Linux and use something like this to extract the computer names:
grep cn: computers.txt | awk '{print $2}'
Once you have the cleaned up list, you can use it as an input file for privhunter. Now keep in mind, privhunter will accept an input file that has one target per line and that target can be a computer name or an IP address. But in these situations IP addresses can be harder to come by sometimes, so using ldifde to export computer names is often preferable.
Here's hoping you have some major fun and profit with privhunter during pentests as I have. Enjoy!