### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)\*\*\*\*
If you want to **know** about my **latest modifications**/**additions**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
## Windows version exploits
Check if the Windows version has any known vulnerability \(check also the patches applied\).
```bash
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
```
```bash
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches
```
_post/windows/gather/enum\_patches
post/multi/recon/local\_exploit\_suggester_
[_watson_](https://github.com/rasta-mouse/Watson)
__[_winpeas_](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) _\(Winpeas has watson embedded\)_
[Windows known vulnerabilities PoCs.](https://github.com/nomi-sec/PoC-in-GitHub)
### Vulnerable Drivers
Look for possible third party weird/vulnerable drivers
```text
driverquery
```
## Enumeration
### Environment
Any credential/Juicy info saved in the env variables?
```text
set
dir env:
```
### LAPS
**LAPS** allows you to **manage the local Administrator password** \(which is **randomised**, unique, and **changed regularly**\) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES.
When using LAPS, 2 new attributes appear in the computer objects of the domain: _ms-msc-AdmPwd_ and _ms-mcs-AdmPwdExpirationTime._ These attributes contains the plain-text admin password and the expiration time. Then, in a domain environment, it could be interesting to check which users can read these attributes...
### Audit Settings
These settings decide what is being **logged**, so you should pay attention
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
```
## Users & Groups
You should check if any of the groups where you belong have interesting permissions
```bash
# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges
# PS
Get-WmiObject -Class Win32_UserAccount
```
### Get the content of the clipboard
```bash
powershell -command "Get-Clipboard"
```
## Token manipulation
**Learn more** about what is a **token** in this page: [Windows Tokens](../credentials.md#access-tokens).
Take a look to **available privileges**, some of them can give you SYSTEM privileges. Take a look to [this amazing paper](https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt).
### SeImpersonatePrivilege \(3.1.1\)
Any process holding this privilege can **impersonate** \(but not create\) any **token** for which it is able to gethandle. You can get a **privileged token** from a **Windows service** \(DCOM\) making it perform an **NTLM authentication** against the exploit, then execute a process as **SYSTEM**. Exploit it with [juicy-potato](https://github.com/ohpe/juicy-potato), [RogueWinRM ](https://github.com/antonioCoco/RogueWinRM)\(needs winrm enabled\), [SweetPotato](https://github.com/CCob/SweetPotato), [PrintSpoofer](https://github.com/itm4n/PrintSpoofer).
### SeAssignPrimaryPrivilege \(3.1.2\)
It is very similar to **SeImpersonatePrivilege**, it will use the **same method** to get a privileged token.
Then, this privilege allows **to assign a primary token** to a new/suspended process. With the privileged impersonation token you can derivate a primary token \(DuplicateTokenEx\).
With the token, you can create a **new process** with 'CreateProcessAsUser' or create a process suspended and **set the token** \(in general, you cannot modify the primary token of a running process\).
### SeTcbPrivilege \(3.1.3\)
If you have enabled this token you can use **KERB\_S4U\_LOGON** to get an **impersonation token** for any other user without knowing the credentials, **add an arbitrary group** \(admins\) to the token, set the **integrity level** of the token to "**medium**", and assign this token to the **current thread** \(SetThreadToken\).
### SeBackupPrivilege \(3.1.4\)
This privilege causes the system to **grant all read access** control to any file \(only read\).
Use it to **read the password hashes of local Administrator** accounts from the registry and then use "**psexec**" or "**wmicexec**" with the hash \(PTH\).
This attack won't work if the Local Administrator is disabled, or if it is configured that a Local Admin isn't admin if he is connected remotely.
You can **abuse this privilege** with: [https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1](https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1) or with [https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug](https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug)
### SeRestorePrivilege \(3.1.5\)
**Write access** control to any file on the system, regardless of the files ACL.
You can **modify services**, DLL Hijacking, set **debugger** \(Image File Execution Options\)… A lot of options to escalate.
### SeCreateTokenPrivilege \(3.1.6\)
This token **can be used** as EoP method **only** if the user **can impersonate** tokens \(even without SeImpersonatePrivilege\).
In a possible scenario, a user can impersonate the token if it is for the same user and the integrity level is less or equal to the current process integrity level.
In this case, the user could **create an impersonation token** and add to it a privileged group SID.
### SeLoadDriverPrivilege \(3.1.7\)
**Load and unload device drivers.**
You need to create an entry in the registry with values for ImagePath and Type.
As you don't have access to write to HKLM, you have to **use HKCU**. But HKCU doesn't mean anything for the kernel, the way to guide the kernel here and use the expected path for a driver config is to use the path: "\Registry\User\S-1-5-21-582075628-3447520101-2530640108-1003\System\CurrentControlSet\Services\DriverName" \(the ID is the **RID** of the current user\).
So, you have to **create all that path inside HKCU and set the ImagePath** \(path to the binary that is going to be executed\) **and Type** \(SERVICE\_KERNEL\_DRIVER 0x00000001\).
[**Learn how to exploit it here.**](../active-directory-methodology/privileged-accounts-and-token-privileges.md#seloaddriverprivilege)\*\*\*\*
### SeTakeOwnershipPrivilege \(3.1.8\)
This privilege is very similar to **SeRestorePrivilege**.
It allows a process to “**take ownership of an object** without being granted discretionary access” by granting the WRITE\_OWNER access right.
First, you have to **take ownership of the registry key** that you are going to write on and **modify the DACL** so you can write on it.
### SeDebugPrivilege \(3.1.9\)
It allows the holder to **debug another process**, this includes reading and **writing** to that **process' memory.**
There are a lot of various **memory injection** strategies that can be used with this privilege that evade a majority of AV/HIPS solutions.
### Check privileges
```text
whoami /priv
```
## Network
Check for **restricted services** from the outside
```bash
netstat -ano #Opened ports?
```
More[ commands for network enumeration here](../basic-cmd-for-pentesters.md#network)
## Software
Check all the installed software, maybe you can overwrite some binary or perform some DLL Hijacking by creating a DLL in the same folder.
```bash
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
#### Checking permissions of the folders of the processes binaries \(dll injection\)
```bash
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v
"system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
You can create a memory dump of a running process using **procdump** from sysinternals. Services like FTP have the credentials in clear text in memory, try to dump the memory and read the credentials.
**Take into account that the service upnphost depends on SSDPSRV to work \(for XP SP1\)**
### **Modify service binary path**
If the group "Authenticated users" has **SERVICE\_ALL\_ACCESS** in a service, then it can modify the binary that is being executed by the service. To modify it and execute **nc** you can do:
**To detect and exploit** this vulnerability you can use _exploit/windows/local/service\_permissions_
### Services binaries weak permissions
Check if you can modify the binary that is executed by a service.
You can get every binary that is executed by a service using **wmic** \(not in system32\) and check your permissions using **icacls**:
```bash
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt
for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"
```
You can also use **sc** and **icacls**:
```bash
sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt
```
### Services registry permissions
You should check if you can modify any service registry.
You can **check** your **permissions** over a service **registry** doing:
```bash
reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services
#Try to write every service with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a
Check if **Authenticated Users** or **NT AUTHORITY\INTERACTIVE** have FullControl. In that case you can change the binary that is going to be executed by the service.
Programs usually can't function by themselves, they have a lot of resources they need to hook into \(mostly DLL's but also proprietary files\). If a **program or service loads a file from a directory we have write access to**, we can abuse that to **pop a shell with the privileges the program runs with**.
**In order to learn more about how to** [**discover and exploit Dll Hijacking vulnerabilities read this**](dll-hijacking.md)**.**
I have created this plugin to **automatically execute every metasploit POST module that searches for credentials** inside the victim.
### Credentials manager / Windows vault
From [https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault](https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault)
The Windows Vault stores user credentials for servers, websites and other programs that **Windows** can **log in the users automaticall**y. At first instance, this might look like now users can store their Facebook credentials, Twitter credentials, Gmail credentials etc., so that they automatically log in via browsers. But it is not so.
Windows Vault stores credentials that Windows can log in the users automatically, which means that any **Windows application that needs credentials to access a resource** \(server or a website\) **can make use of this Credential Manager**& Windows Vault and use the credentials supplied instead of users entering the username and password all the time.
Unless the applications interact with Credential Manager, I don't think it is possible for them to use the credentials for a given resource. So, if your application wants to make use of the vault, it should somehow **communicate with the credential manager and request the credentials for that resource** from the default storage vault.
Note that mimikatz, lazagne, [credentialfileview](https://www.nirsoft.net/utils/credentials_file_view.html), [VaultPasswordView](https://www.nirsoft.net/utils/vault_password_view.html), or from [Empire Powershells module](https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/dumpCredStore.ps1).
### DPAPI
In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.
**DPAPI allows developers to encrypt keys using a symmetric key derived from the user's logon secrets**, or in the case of system encryption, using the system's domain authentication secrets.
The DPAPI keys used for encrypting the user's RSA keys are stored under `%APPDATA%\Microsoft\Protect\{SID}` directory, where {SID} is the [Security Identifier](https://en.wikipedia.org/wiki/Security_Identifier) of that user. **The DPAPI key is stored in the same file as the master key that protects the users private keys**. It usually is 64 bytes of random data. \(Notice that this directory is protected so you cannot list it using`dir` from the cmd, but you can list it from PS\).
Write-Verbose 'No application pool or virtual directory passwords were found.'
$False
}
}
else {
Write-Verbose 'Appcmd.exe does not exist in the default location.'
$False
}
$ErrorActionPreference = $OrigError
}
```
### SSH keys in registry
SSH private keys can be stored inside the registry key `HKCU\Software\OpenSSH\Agent\Keys` so you should check if there is anything interesting in there:
If you find any entry inside that path it will probably be a saved SSH key. It is stored encrypted but can be easily decrypted using [https://github.com/ropnop/windows\_sshagent\_extract](https://github.com/ropnop/windows_sshagent_extract).
More information about this technique here: [https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/)
### SCClient / SCCM
Check if `C:\Windows\CCM\SCClient.exe` exists .
Installers are **run with SYSTEM privileges**, many are vulnerable to **DLL Sideloading \(Info from** [**https://github.com/enjoiz/Privesc**](https://github.com/enjoiz/Privesc)**\).**
Use the **Mimikatz**`dpapi::rd`g module with appropriate `/masterkey` to **decrypt any .rdg files**
You can **extract many DPAPI masterkeys** from memory with the Mimikatz `sekurlsa::dpapi` module
### Ask for credentials
You can always **ask the user to enter his credentials of even the credentials of a different user** if you think he can know them \(notice that **asking** the client directly for the **credentials** is really **risky**\):
Before KB2928120 \(see MS14-025\), some Group Policy Preferences could be configured with a custom account. This feature was mainly used to deploy a custom local administrator account on a group of machines. There were two problems with this approach though. First, since the Group Policy Objects are stored as XML files in SYSVOL, any domain user can read them. The second problem is that the password set in these GPPs is AES256-encrypted with a default key, which is publicly documented. This means that any authenticated user could potentially access very sensitive data and elevate their privileges on their machine or even the domain. This function will check whether any locally cached GPP file contains a non-empty "cpassword" field. If so, it will decrypt it and return a custom PS object containing some information about the GPP along with the location of the file.
Search in ****_**C:\ProgramData\Microsoft\Group Policy\history**_ or in _**C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history** \(previous to W Vista\)_ for these files:
* Groups.xml
* Services.xml
* Scheduledtasks.xml
* DataSources.xml
* Printers.xml
* Drives.xml
**To decrypt the cPassword:**
```bash
#To decrypt these passwords you can decrypt it using
You should also look inside the home folder for files called _\*password\*_ or _\*credential\*_ ot something similar.
#### Credentials in the RecycleBin
You should also check the Bin to look for credentials inside it
To **recover passwords** saved by several programs you can use: [http://www.nirsoft.net/password\_recovery\_tools.html](http://www.nirsoft.net/password_recovery_tools.html)
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s #Check the values saved in each session, user/password could be there
reg query "HKCU\Software\OpenSSH\Agent\Key"
# Search for passwords inside all the registry
reg query HKLM /f password /t REG_SZ /s #Look for registries that contains "password"
reg query HKCU /f password /t REG_SZ /s #Look for registries that contains "password"
```
[Extract openssh keys from registry.](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/)
The tool [SessionGopher](https://github.com/Arvanaghi/SessionGopher) search for **sessions**, **usernames** and **passwords** of several tools that save this data in clear text \(PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP\)
```text
Invoke-SessionGopher -Thorough
```
### Browsers History
You should check for dbs where passwords from **Chrome or Firefox** are stored.
Also check for the history, bookmarks and favourites of the browsers so maybe some **passwords are** stored there.
**If** these 2 registers are **enabled** \(value is **0x1**\), then users of any privilege can **install** \(execute\) **`*.msi`** files as NT AUTHORITY\**SYSTEM**.
And if `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer` is equals to 1.
Then, **it is exploitable.** If the last registry is equals to 0, then, the WSUS entry will be ignored.
You can use: [Wsuxploit](https://github.com/pimps/wsuxploit) - This is a MiTM weaponized exploit script to inject 'fake' updates into non-SSL WSUS traffic.
Check if you can modify some config file to read some special file or if you can modify some binary that is going to be executed by an Administrator account \(schedtasks\).
A way to find weak folder/files permissions in the system is doing:
Imagine that **a process running as SYSTEM open a new process** \(`OpenProcess()`\) with **full access**. The same process **also create a new process** \(`CreateProcess()`\) **with low privileges but inheriting all the open handles of the main process**.
Then, if you have **full access to the low privileged process**, you can grab the **open handle to the privileged process created** with `OpenProcess()` and **inject a shellcode**.
[Read this example for more information about **how to detect and exploit this vulnerability**.](leaked-handle-exploitation.md)
[Read this **other post for a more complete explanation on how to test and abuse more open handlers of processes and threads inherited with different levels of permissions \(not only full access\)**](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/).
## Named Pipe Client Impersonation
A `pipe` is a block of shared memory that processes can use for communication and data exchange.
`Named Pipes` is a Windows mechanism that enables two unrelated processes to exchange data between themselves, even if the processes are located on two different networks. It's very similar to client/server architecture as notions such as `a named pipe server` and a named `pipe client` exist.
When a **client writes on a pipe**, the **server** that created the pipe can **impersonate** the **client** if it has **SeImpersonate** privileges. Then, if you can find a **privileged process if going to write on any pipe that you can impersonate**, you could be able to **escalate privileges** impersonating that process after it writes inside your created pipe. [**You can read this to learn how to perform this attack**](named-pipe-client-impersonation.md)**.**
## From Administrator Medium to High Integrity Level / UAC Bypass
\*\*\*\*[**Learn here**](../credentials.md#uac) **about what are the "integrity levels" in Windows, what is UAC and how to**[ **bypass it**](../credentials.md#uac)**.**
## **From High Integrity to System**
### **New service**
If you are already running on a High Integrity process, the **pass to SYSTEM** can be easy just **creating and executing a new service**:
From a High Integrity process you could try to e**nable the AlwaysInstallElevated registry entries** and **install** a reverse shell using a _**.msi**_ wrapper.
[More information about the registry keys involved and how to install a _.msi_ package here.](./#alwaysinstallelevated)
### From SeDebug + SeImpersonate to Full Token privileges
If you have those token privileges \(probably you will find this in an already High Integrity process\), you will be able to **open almost any process** \(not protected processes\) with the SeDebug privilege, **copy the token** of the process, and create an **arbitrary process with that token**.
Using this technique is usually **selected any process running as SYSTEM with all the token privileges** \(_yes, you can find SYSTEM processes without all the token privileges_\).
**You can find an** [**example of code executing the proposed technique here**](sedebug-+-seimpersonate-copy-token.md)**.**
### **Named Pipes**
This technique is used by meterpreter to escalate in `getsystem`. The technique consists on **creating a pipe and then create/abuse a service to write on that pipe**. Then, the **server** that created the pipe using the **`SeImpersonate`** privilege will be able to **impersonate the token** of the pipe client \(the service\) obtaining SYSTEM privileges.
If you want to [**learn more about name pipes you should read this**](./#named-pipe-client-impersonation).
If you want to read an example of [**how to go from high integrity to System using name pipes you should read this**](from-high-integrity-to-system-with-name-pipes.md).
### Dll Hijacking
If you manages to **hijack a dll** being **loaded** by a **process** running as **SYSTEM** you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful to this kind of privilege escalation, and, moreover, if far **more easy to achieve from a high integrity process** as it will have **write permissions** on the folders used to load dlls.
**You can** [**learn more about Dll hijacking here**](dll-hijacking.md)**.**
#### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)\*\*\*\*
#### PS
\*\*\*\*[**PowerSploit-Privesc\(PowerUP\)**](https://github.com/PowerShellMafia/PowerSploit) -- Check for misconfigurations and sensitive files \([check here]()\). Detected.
[**JAWS**](https://github.com/411Hall/JAWS) ****-- Check for some possible misconfigurations and gather info \([check here]()\).
[**privesc** ](https://github.com/enjoiz/Privesc)-- Check for misconfigurations
[**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) ****-- It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. Use **-Thorough** in local.
[**Invoke-WCMDump**](https://github.com/peewpw/Invoke-WCMDump) ****-- Extracts crendentials from Credential Manager. Detected.
[**DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray) ****-- Spray gathered passwords across domain
[**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) ****-- Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool.
[~~**Sherlock**~~](https://github.com/rasta-mouse/Sherlock) ~~****~~-- Search for known privesc vulnerabilities \(DEPRECATED for Watson\)
[~~**WINspect**~~](https://github.com/A-mIn3/WINspect) ~~****~~-- Local checks **\(Need Admin rights\)**
#### Exe
[**Watson**](https://github.com/rasta-mouse/Watson) ****-- Search for known privesc vulnerabilities \(needs to be compiled using VisualStudio\) \([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson)\)
[**SeatBelt**](https://github.com/GhostPack/Seatbelt) ****-- Enumerates the host searching for misconfigurations \(more a gather info tool than privesc\) \(needs to be compiled\) **\(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**\)**
[**LaZagne**](https://github.com/AlessandroZ/LaZagne) ****-- Extracts credentials from lots of softwares \(precompiled exe in github\)
[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) ~~****~~-- Check for misconfiguration \(executable precompiled in github\). Not recommended. It does not works well in Win10.
[~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Check for possible misconfigurations \(exe from python\). Not recommended. It does not works well in Win10.
#### Bat
\*\*\*\*[**winPEASbat** ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)-- Tool created based in this post \(it does not need accesschk to work properly but it can use it\).
#### Local
[**Windows-Exploit-Suggester**](https://github.com/GDSSecurity/Windows-Exploit-Suggester) -- Reads the output of **systeminfo** and recommends working exploits \(local python\)
[**Windows Exploit Suggester Next Generation**](https://github.com/bitsadmin/wesng) -- Reads the output of **systeminfo** andrecommends working exploits \(local python\)
#### Meterpreter
_multi/recon/local\_exploit\_suggestor_
You have to compile the project using the correct version of .NET \([see this](https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions/)\). To see the installed version of .NET on the victim host you can do:
```text
C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line
