killchain-compendium/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md

# Windows Privilege Escalation

## Links
* [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)
* [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)
* [JAWS](https://github.com/411Hall/JAWS)

## Account Types

* __Administrator__ local & domain
* __Standard__ local & domain
* __Guest__
* __System__

## Enumeration

### Users & Groups
```sh
whoami /priv
net users
net users <username>
net localgroup
net localgroup <groupname>
query session
qwinsta
```

### Files
* [powershell](../../../../enumeration/windows/powershell.md)

### System
```sh
hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```
* Installed software
```sh
wmic product get name,version,vendor
```
* Services
```sh
wmic service list brief | findstr  "Running"
```

## Exploit

### DLL Hijacking
* [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)

### Unquoted Service Path
* [unquoted service path](../../../../exploit/windows/docs/unqoted_path.md)

### Token Impersonation
* `SeImpersonatePrivilege` is necessary, check via `whoami priv`
*  Hot Potato is best before Server 2019 and Windows 10 (version 1809)
* [Potatos](../../../../exploit/windows/docs/potatoes.md)

### Schedules Tasks
* `schtasks`
* `Autoruns64.exe`

### MSI Elevated Installer
* [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)

### Search for Credentials
```sh
cmdkey /list
```
* Use found credentials
```sh
runas /savecred /user:<user> reverse_shell.exe
```
* Keys containing passwords
```
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```
second commit 2021-08-23 01:13:54 +02:00			`# Windows Privilege Escalation`

			`## Links`
			`* [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)`
			`* [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)`
			`* [JAWS](https://github.com/411Hall/JAWS)`
bump 2021-10-23 02:03:06 +02:00
			`## Account Types`

			`* __Administrator__ local & domain`
			`* __Standard__ local & domain`
			`* __Guest__`
			`* __System__`

			`## Enumeration`

			`### Users & Groups`
			```sh
			`whoami /priv`
			`net users`
			`net users <username>`
			`net localgroup`
			`net localgroup <groupname>`
			`query session`
			`qwinsta`
			```

			`### Files`
			`* [powershell](../../../../enumeration/windows/powershell.md)`

			`### System`
			```sh
			`hostname`
			`systeminfo \| findstr /B /C:"OS Name" /C:"OS Version"`
			```
			`* Installed software`
			```sh
			`wmic product get name,version,vendor`
			```
			`* Services`
			```sh
			`wmic service list brief \| findstr "Running"`
			```

			`## Exploit`

			`### DLL Hijacking`
			`* [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)`

			`### Unquoted Service Path`
			`* [unquoted service path](../../../../exploit/windows/docs/unqoted_path.md)`

			`### Token Impersonation`
			* `SeImpersonatePrivilege` is necessary, check via `whoami priv`
			`* Hot Potato is best before Server 2019 and Windows 10 (version 1809)`
			`* [Potatos](../../../../exploit/windows/docs/potatoes.md)`

			`### Schedules Tasks`
			* `schtasks`
			* `Autoruns64.exe`

			`### MSI Elevated Installer`
			`* [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)`

			`### Search for Credentials`
			```sh
			`cmdkey /list`
			```
			`* Use found credentials`
			```sh
			`runas /savecred /user:<user> reverse_shell.exe`
			```
			`* Keys containing passwords`
			```
			`reg query HKLM /f password /t REG_SZ /s`
			`reg query HKCU /f password /t REG_SZ /s`
			```