Windows

Introduction

This section contains a set of techniques that can be used to perform privilege escalation on Windows systems.

Tools

This subsection contains valuable tools to identify potential privilege escalation vectors.

Note: Some tools require compilation, but you can download them already compiled in this link.

• Local Exploit Suggester: Metasploit module (post/multi/recon/local_exploit_suggester) for meterpreter enumerates the system looking for potential privilege escalation vectors.

• JAWS: Identifies potential privilege escalation vectors. It is written in PowerShell2.0 so it can be used on Windows 7 and above.

• WinPAES: General Windows enumeration and privilege escalation vectors.

• SeatBelt: Performs a number of "security checks": AMSIProviders, Antivirus, Sysmon, WindowsDefender, WindowsEventForwarding, McAfeeConfigs, InterstingProcesses (Needs compilation). Compiled here.

Seatbelt.exe -group=system
# runs the following commands:
#        AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
#        AuditPolicyRegistry, AutoRuns, Certificates, CertificateThumbprints,
#        CredGuard, DNSCache, DotNet, EnvironmentPath,
#        EnvironmentVariables, Hotfixes, InterestingProcesses, InternetSettings,
#        LAPS, LastShutdown, LocalGPOs, LocalGroups,
#        LocalUsers, LogonSessions, LSASettings, McAfeeConfigs,
#        NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings,
#        OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
#        Processes, PSSessionSettings, RDPSessions, RDPsettings,
#        SCCM, Services, Sysmon, TcpConnections,
#        TokenPrivileges, UAC, UdpConnections, UserRightAssignments,
#        WifiProfile, WindowsAutoLogon, WindowsDefender, WindowsEventForwarding,
#        WindowsFirewall, WMI, WMIEventConsumer, WMIEventFilter,
#        WMIFilterBinding, WSUS

• SharUp: Tool that performs security checks. (Needs compilation). Compiled here.

• ProcMon: Tool used to check for missing DLLs in a process/service.

• AutoRuns: GUI tool that displays the machine's autoruns.

• PowerUp: Tool for privilege escalation based on failures in the Windows configuration. (It gets hanging quite often)

SeImpersonatePrivilege

In this subsection, you will find how to exploit the Windows privilege SeImpersonatePrivilege in order to become an Administrator. Nonetheless, there are more Windows privileges that you can use to become an Administrator, as you can see in the following list.

Depending on the Windows version, you will need to use different exploits. In order to obtain the Windows version execute the following command.

• If the machine is either Windows 7, 8, 10 or Windows Server 2008 and 2012, try Hot Potato.

• If the machine is either < Windows 10 1809 or < Windows Server 2019, try Juicy Potato.

• If the machine is either >= Windows 10 1809 or >= Windows Server 2019, try Rogue Potato.

• For more updated versions, try PrintSpoofer.

Hot Potato

1. Download the exploit.

2. Generate a reverse shell.

3. Set a listening port.

4. Execute the exploit.

Hot Potato (PowerShell)

There is a version of Hot Potato for PowerShell called Tater.

Juicy Potato

1. Download the exploit

2. Execute the exploit.

This is the default command, although it does not usually work.

Depending on the OS version, it is necessary to use CLSIDs. These can be found in this repository.

Rogue Potato

This exploit is more complicated and requires more steps. Thus, here you have different PoCs that you can try to escalate privileges.

• PoC1

• PoC2

PrintSpoofer

1. Download the exploit.

2. Execute it

Windows Services

Windows systems can contain installed services that are being executed by privileged accounts. However, they can have misconfigurations that allow an attacker to escalate privileges.

Furthermore, look for service permissions like SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS, SERVICE_STOP, SERVICE_START because they will help you modify the service configuration files, and if you have the last two permissions, you could restart a service executing the file you have overwritten.

Finally, in this subsection, you will find techniques to exploit services misconfigurations to escalate privileges.

General commands

These commands are used to retrieve or modify information about services.

Weak Windows Service Permissions

This technique consists of modifying the attribute binpath of services, with the purpose of executing a different executable or command at the service startup.

There are several tools that can help you to identify Weak Service Permissiones:

• AccessChk

  • u: Suppress warning and errors.

  • w: Shows objects with write access

  • c: Display service name

  • v: Verbose

• PowerUp

• Get-ServiceAcl

• SharpUp

After enumerating the services whose attribute BINARY_PATH_NAME is modifiable, edit the binpath by the file or command you want to be executed.

Then, restart the service.

Weak Service Binary Permissions

This vulnerability is similar to the previous one, but instead of weak permissions on the service, it is on the service binary itself so that it can be overwritten.

• SharpUp

• PowerUp

Unquoted Service Path

Suppose the binary service path is not enclosed on quotes and contains white spaces. An attacker could place an executable in an upper directory within the binary path, being executed before the actual executable.

For example, the binary path C:\Program Files\Proof of Concept\Vuln Service\executable.exe would be executed in the following order.

So, if an attacker can create files in one of the upper directories, it will gain code execution.

To obtain the vulnerable services to Unquoted Service Path there are two options.

For the following examples we will use the example service called "unquotedsvc".

• WMIC

• PowerUp

Then, with the command Get-Acl '<DIR>' | fl you can see which users have access to the folder.

• ShapUp

All the system users have full control so that the file common.exe can be added to the folder Common Files .

Finally, the malicious file will be executed once the service "unquotedsvc" is restarted.

DLL Hijacking

DLLs are libraries containing code and data with the property of being used concurrently by several programs. If an attacker can overwrite some of the DLLs of a service, it could obtain code execution.

Using PowerUp you can obtain libraries on which you have write permissions. In this case is C:\Temp\wlbsctrl.dll.

To replace the DLL you need to create another DLL, which can be found at the following link, replacing the command you want to execute.

Then, you need to execute the following commands to compile the library.

Finally, overwrite the DLL and restart the service:

Search for credentials

A pentester can search for credentials stored in registry or windows files with the following commands.

In addition, credentials can also be found in the following:

Files

Registry

RunAs

Cached credentials of domain users for a specific machine may be found in the session of a compromised user.

The following command is used to list the cached credentials:

Finally, in order to use the stored credential we need to execute the following command:

Always Install Elevated

This policy allows any user to use elevated permissions for installing any program on the system. Thus, an attacker can create a malicious installer that would be executed with higher privileges gaining privilege escalation.

There are two options for detecting whether we can employ this privilege escalation.

• PowerUP

• Checking the registry values.

To exploit this configuration create a *.msi document with msfvenom and install it on the remote machine.

Note: It is possible that if you install the file using winexec it may not work because the user does not have permission to run it remotely. To fix this, you should use a remote desktop and run the manually generated installer.

Delegation Tokens

The meterperer module incognito on merterpreter allows the attacker to extract available Delegation Tokens.

Token Kidnapping

If an attacker has gained execution of code on a service with the ability to impersonate users or has access to the accounts "NETWORK SERVICE" or "LOCAL SERVICE", it could escalate privileges with churrasco.

CVE-2019-1388 (hhupd)

An elevation of privilege vulnerability exists in the Windows certificate dialog box when it does not properly enforce user privileges, also known as the "Windows certificate dialog box elevation of privilege vulnerability". To exploit this vulnerability follow this video.

Kernel Exploits

In order to exploit Kernel vulnerabilities on windows, it is necessary to know if there are any patches or hotfixes already installed on the victim's system.

It is also important, to check the system architecture. Which can be obtained as follows:

Vanilla PowerShell is run on 32-bit so 64-bit exploits will not work, for this you need to use 64-bit PowerShell found at:

Exploit listing

In this listing, you will find a set of compiled exploits, ready to be executed.

For the OSCP, you can use this listing, that contains a subset of exploits to escalate privileges.

Suggested tools

There are different tools capable of finding which exploits work for the version of Windows under attack.

Windows Exploit Suggester

Windows Exploit Suggester detects possible missing patches on the target. It also notifies the user if public exploits and Metasploit modules are available for missing bulletins. (Requires Python2.7).

In order to use the tool, it is necessary to run systeminfo on the victim machine and copy it to a file on the attacking machine.

Watson

Watson lists Windows HotFixes and suggests exploits for privilege escalation. However, it requires prior compilation.

Nonetheless, you can download the compiled version here.

Sherlock

Sherlock quickly finds missing windows patches to escalate privileges, but it takes a while to finish.

References

• Potatoes - Windows Privilege Escalation

• Always Install Elevated

• Windows PrivEsc Arena [TryHackeMe]

• Windows PrivEsc [TryHackMe]

• Token kidnapping

• Windows Privilege Escalation Fundamentals

• Windows - Privilege Escalation [PayloadAllTheThings]