
Windows

Automated Enumeration

  • windows-privesc-check
  • Watson
  • Sherlock
  • PowerSploit (PowerUp, under Privesc/)
  • Windows-Exploit-Suggester
  • JAWS
  • WinPEAS
  • LinPEAS & LinEnum (the Linux equivalents of WinPEAS)

Windows Privilege Escalation

| Code   | Technique                             | Mitre |
|--------|---------------------------------------|-------|
| WPE-01 | Stored Credentials                    | NA    |
| WPE-02 | Windows Kernel                        | NA    |
| WPE-03 | DLL Injection                         | NA    |
| WPE-04 | Weak Service Permissions              | NA    |
| WPE-05 | DLL Hijacking                         | NA    |
| WPE-06 | Hot Potato                            | NA    |
| WPE-07 | Group Policy Preferences              | NA    |
| WPE-08 | Unquoted Service Path                 | NA    |
| WPE-09 | Always Install Elevated               | NA    |
| WPE-10 | Token Manipulation                    | NA    |
| WPE-11 | Secondary Logon Handle                | NA    |
| WPE-12 | Insecure Registry Permissions         | NA    |
| WPE-13 | Intel SYSRET                          | NA    |
| WPE-14 | Print Spooler                         | NA    |
| WPE-15 | HiveNightmare                         | NA    |
| WPE-16 | Resource Based Constrained Delegation | NA    |
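The table names techniques but not how to test for them by hand when none of the automated tools above can be dropped on the host. The script below is an added example written for this page; it is not code from the original page, from Sherlock, from PowerUp or from any other tool listed above. It spot-checks four rows of the table (Stored Credentials, Weak Service Permissions together with DLL Hijacking, Unquoted Service Path, Always Install Elevated) using only built-in cmdlets, and assumes Windows PowerShell 5.1 or later running as the low-privilege user whose rights are being assessed.

```powershell
# Added example for this page; not code from the original page or from any of
# the tools listed above. Spot-checks four rows of the table by hand using only
# built-in cmdlets. Assumes Windows PowerShell 5.1+ running as the low-privilege
# user being assessed. It reports misconfigurations; it does not exploit them.

function Test-AlwaysInstallElevated {
    # WPE-09: an .msi runs as SYSTEM only when BOTH the machine and the user
    # policy value are 1; one of the two alone is not exploitable.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hits = 0
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($v -and $v.AlwaysInstallElevated -eq 1) { $hits++ }
    }
    return ($hits -eq 2)
}

function Get-UnquotedServicePath {
    # WPE-08: for an unquoted 'C:\Program Files\Foo Bar\svc.exe', CreateProcess
    # tries 'C:\Program.exe' and 'C:\Program Files\Foo.exe' first. Paths under
    # %SystemRoot% are skipped because that tree is not user-writable.
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
            ($_.PathName -replace '\.exe.*$', '') -match ' '
        } |
        Select-Object Name, StartMode, StartName, PathName
}

function Get-ServiceBinaryPath {
    # Recover the on-disk executable from a Win32_Service.PathName value,
    # which may be quoted and may carry arguments.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName.Split(' ')[0]
}

function Test-PathWritableByMe {
    # True when an Allow ACE for one of the caller's SIDs grants a right that
    # changes the object. Deny ACEs are ignored, so confirm hits by hand.
    param([string]$Path, [string[]]$MySids)
    # WriteData | AppendData | ChangePermissions | TakeOwnership, plus the
    # GENERIC_WRITE / GENERIC_ALL bits seen on ACEs .NET does not map.
    $writeBits = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }   # InheritOnly: not effective on this object
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($MySids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) { return $true }
    }
    return $false
}

function Get-WritableServiceBinary {
    # WPE-04 / WPE-05: a service binary, or the folder it loads DLLs from, that
    # the current user can write means code execution as the service account.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mine = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    foreach ($svc in Get-CimInstance Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            if (Test-PathWritableByMe -Path $target -MySids $mine) {
                [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Writable = $target }
            }
        }
    }
}

function Get-StoredCredentialTarget {
    # WPE-01: Credential Manager entries that 'runas /savecred' can reuse.
    cmdkey.exe /list | Select-String -Pattern '^\s*Target:' | ForEach-Object { $_.Line.Trim() }
}

"AlwaysInstallElevated (both keys = 1): $(Test-AlwaysInstallElevated)"
Get-UnquotedServicePath   | Format-Table -AutoSize
Get-WritableServiceBinary | Format-Table -AutoSize
Get-StoredCredentialTarget
```

Every hit needs a follow-up check before it counts: an unquoted path is only exploitable if a directory earlier in the path is writable, a writable service binary only helps if the service runs as a higher-privileged account and can be restarted (or the host rebooted), and a Deny ACE, which the helper does not evaluate, can still block the write.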

Discovery of Missing Patches

Missing patches can be found either manually or with the automated tools listed above. Manually, the first command below enumerates every installed hotfix; the second filters that output for specific KB numbers, so an empty result means those patches are absent. wmic has been deprecated since Windows 10 21H1 and is not installed by default on the newest Windows builds; Get-HotFix in PowerShell reads the same Win32_QuickFixEngineering class. On Windows 10, Windows 11 and Server 2016 or later, cumulative updates supersede individual KBs, so an old KB number being absent from this list does not by itself prove the vulnerability is present.

wmic qfe get Caption,Description,HotFixID,InstalledOn

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" /C:"KB4018483"
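As an added example (not code from the original page, and not part of Sherlock, Watson or Windows-Exploit-Suggester), the script below does the comparison the two wmic lines do by hand, against the KB numbers in the Privilege Escalation Table further down this page. It assumes Windows PowerShell 5.1 or later on the target and that either CIM/WMI or systeminfo.exe is reachable; the bulletin and technique labels beside each KB are transcribed from that table.

```powershell
# Added example, not code from the original page or from any tool it lists.
# Compares the hotfixes Windows reports as installed against the KB numbers in
# this page's Privilege Escalation Table. Assumes Windows PowerShell 5.1+ and
# either a working CIM/WMI service or systeminfo.exe.

# KB -> bulletin / technique, transcribed from the Privilege Escalation Table.
$PrivEscKBs = @{
    'KB3199135' = 'MS16-135 Windows Kernel Mode Drivers'
    'KB3143141' = 'MS16-032 Secondary Logon Handle'
    'KB3136041' = 'MS16-016 WebDAV'
    'KB3057191' = 'MS15-051 Windows Kernel Mode Drivers'
    'KB3000061' = 'MS14-058 Win32k.sys'
    'KB2975684' = 'MS14-040 AFD Driver'
    'KB2914368' = 'MS14-002 NDProxy'
    'KB2778930' = 'MS13-005 Kernel Mode Driver'
    'KB2305420' = 'MS10-092 Task Scheduler'
    'KB977165'  = 'MS10-015 KiTrap0D'
    'KB3057839' = 'MS15-061 Kernel Driver'
    'KB2592799' = 'MS11-080 AFD.sys'
    'KB2566454' = 'MS11-062 NDISTAPI'
    'KB3067505' = 'MS15-076 RPC'
    'KB3164038' = 'MS16-075 Hot Potato'
    'KB3036220' = 'MS15-010 Kernel Driver'
    'KB2503665' = 'MS11-046 AFD.sys'
}

function Get-InstalledKB {
    # Same data source as 'wmic qfe': Win32_QuickFixEngineering. Returns a
    # case-insensitive set of 'KBnnnnnn' strings.
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    try {
        Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop |
            ForEach-Object { if ($_.HotFixID) { [void]$set.Add($_.HotFixID) } }
    } catch {
        # Fallback when CIM/WMI is blocked: scrape the hotfix block of systeminfo.
        systeminfo.exe 2>$null | Select-String -Pattern 'KB\d+' -AllMatches |
            ForEach-Object { $_.Matches } | ForEach-Object { [void]$set.Add($_.Value) }
    }
    return $set
}

function Find-MissingPrivEscPatch {
    param([hashtable]$Catalog = $PrivEscKBs)
    $installed = Get-InstalledKB
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    foreach ($kb in ($Catalog.Keys | Sort-Object)) {
        [pscustomobject]@{
            KB        = $kb
            Bulletin  = $Catalog[$kb]
            Installed = $installed.Contains($kb)
            OS        = $os.Caption
            Build     = $os.Version
        }
    }
}

# Only rows with Installed = False are leads, and only where the OS column of
# the table says the bulletin applies to this OS at all.
Find-MissingPrivEscPatch | Where-Object { -not $_.Installed } | Format-Table -AutoSize
```

A KB reported as missing is a lead, not a finding: on Windows 10, Windows 11 and Server 2016 or later, later cumulative updates supersede these KBs and never appear under the old numbers, so a "missing" KB3199135 on a current build proves nothing. Cross-check the OS column of the table and the build the function prints before pulling an exploit.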

Metasploit

post/windows/gather/enum_patches

PowerShell

There is also a PowerShell script, Sherlock, that targets patches whose absence can lead to privilege escalation. It checks a system for the following:

  • MS10-015 : User Mode to Ring (KiTrap0D)
  • MS10-092 : Task Scheduler
  • MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
  • MS13-081 : TrackPopupMenuEx Win32k NULL Page
  • MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
  • MS15-051 : ClientCopyImage Win32k
  • MS15-078 : Font Driver Buffer Overflow
  • MS16-016 : 'mrxdav.sys' WebDAV
  • MS16-032 : Secondary Logon Handle
  • CVE-2017-7199 : Nessus Agent 6.6.2 – 6.10.3 Priv Esc

Privilege Escalation Table

The following table has been compiled to assist with privilege escalation on systems where these patches are missing. The Exploit column lists where a public exploit was linked for each bulletin.

| Operating System | Description | Security Bulletin | KB | Exploit |
|---|---|---|---|---|
| Windows Server 2016 | Windows Kernel Mode Drivers | MS16-135 | 3199135 | Exploit, GitHub |
| Windows Server 2008, 7, 8, 10, Windows Server 2012 | Secondary Logon Handle | MS16-032 | 3143141 | GitHub, ExploitDB, Metasploit |
| Windows Server 2008, Vista, 7 | WebDAV | MS16-016 | 3136041 | GitHub |
| Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, Windows 2012 | Windows Kernel Mode Drivers | MS15-051 | 3057191 | GitHub, ExploitDB, Metasploit |
| Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8 | Win32k.sys | MS14-058 | 3000061 | GitHub, ExploitDB, Metasploit |
| Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | AFD Driver | MS14-040 | 2975684 | Python, EXE, ExploitDB, GitHub |
| Windows XP, Windows Server 2003 | Windows Kernel | MS14-002 | 2914368 | Metasploit |
| Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | Kernel Mode Driver | MS13-005 | 2778930 | Metasploit, ExploitDB, GitHub |
| Windows Server 2008, 7 | Task Scheduler | MS10-092 | 2305420 | Metasploit, ExploitDB |
| Windows Server 2003, Windows Server 2008, 7, XP | KiTrap0D | MS10-015 | 977165 | Exploit, ExploitDB, GitHub, Metasploit |
| Windows Server 2003, XP | NDProxy | MS14-002 | 2914368 | Exploit, ExploitDB, ExploitDB, GitHub |
| Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | Kernel Driver | MS15-061 | 3057839 | GitHub |
| Windows Server 2003, XP | AFD.sys | MS11-080 | 2592799 | EXE, Metasploit, ExploitDB |
| Windows Server 2003, XP | NDISTAPI | MS11-062 | 2566454 | ExploitDB |
| Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | RPC | MS15-076 | 3067505 | GitHub |
| Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | Hot Potato | MS16-075 | 3164038 | GitHub, PowerShell, HotPotato |
| Windows Server 2003, Windows Server 2008, 7, XP | Kernel Driver | MS15-010 | 3036220 | GitHub, ExploitDB |
| Windows Server 2003, Windows Server 2008, 7, XP | AFD.sys | MS11-046 | 2503665 | EXE, ExploitDB, Metasploit |

