mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 01:17:36 +00:00
95 lines
5.8 KiB
Markdown
95 lines
5.8 KiB
Markdown
|
# Checklist - Local Windows Privilege Escalation
|
|||
|
|
|||
|
### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)\*\*\*\*
|
|||
|
|
|||
|
### [Vulnerable Kernel?](windows-local-privilege-escalation/#kernel-exploits)
|
|||
|
|
|||
|
* [ ] Search for kernel **exploits using scripts** \(_post/windows/gather/enum\_patches, post/multi/recon/local\_exploit\_suggester, sherlock, watson_ \)
|
|||
|
* [ ] Use **Google to search** for kernel **exploits**
|
|||
|
* [ ] Use **searchsploit to search** for kernel **exploits**
|
|||
|
* [ ] Any [**vulnerable Driver**](windows-local-privilege-escalation/#vulnerable-drivers)?
|
|||
|
|
|||
|
### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration)
|
|||
|
|
|||
|
* [ ] Check for **credentials** in[ **environment variables**](windows-local-privilege-escalation/#environment)\*\*\*\*
|
|||
|
* [ ] Check [**LAPS**](windows-local-privilege-escalation/#laps)\*\*\*\*
|
|||
|
* [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings)and [**WEF** ](windows-local-privilege-escalation/#wef)settings
|
|||
|
* [ ] Check if any [**AV**](windows-local-privilege-escalation/#av)\*\*\*\*
|
|||
|
|
|||
|
### \*\*\*\*[**User Privileges**](windows-local-privilege-escalation/#users-and-groups)
|
|||
|
|
|||
|
* [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/#users-and-groups)\*\*\*\*
|
|||
|
* [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
|
|||
|
* [ ] What is[ inside the Clipboard](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)?
|
|||
|
|
|||
|
### [Network](windows-local-privilege-escalation/#network)
|
|||
|
|
|||
|
* [ ] Check **current** [network **information**](windows-local-privilege-escalation/#network)\*\*\*\*
|
|||
|
* [ ] Check **hidden local services** restricted to the outside
|
|||
|
|
|||
|
### Vulnerable [Software ](windows-local-privilege-escalation/#software)or [Processes](windows-local-privilege-escalation/#running-processes)?
|
|||
|
|
|||
|
* [ ] Is any **unknown software running**?
|
|||
|
* [ ] Is any software with **more privileges that it should have running**?
|
|||
|
* [ ] Search for **exploits for running processes** \(specially if running of versions\)
|
|||
|
* [ ] Can you **read any** interesting **process memory** \(where passwords could be saved\)?
|
|||
|
* [ ] Have **write permissions** over the **binaries been** executed by the **processes**?
|
|||
|
* [ ] Have **write permissions** over the **folder** of a binary been executed to perform a **DLL Hijacking**?
|
|||
|
* [ ] What is[ **running** on **startup** or is **scheduled**](windows-local-privilege-escalation/#run-at-startup)? Can you **modify** the binary?
|
|||
|
* [ ] Can you [**dump** the **memory**](windows-local-privilege-escalation/#memory-password-mining) ****of any **process** to extract **passwords**?
|
|||
|
|
|||
|
### [Services](windows-local-privilege-escalation/#services)
|
|||
|
|
|||
|
* [ ] [Can you **modify any service**?](windows-local-privilege-escalation/#permissions)
|
|||
|
* [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](windows-local-privilege-escalation/#modify-service-binary-path)
|
|||
|
* [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/#services-registry-permissions)
|
|||
|
* [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/#unquoted-service-paths)
|
|||
|
|
|||
|
### [DLL Hijacking](windows-local-privilege-escalation/#dll-hijacking)
|
|||
|
|
|||
|
* [ ] Can you **write in any folder inside PATH**?
|
|||
|
* [ ] Is there any known service binary that **tries to load any non-existant DLL**?
|
|||
|
* [ ] Can you **write** in any **binaries folder**?
|
|||
|
|
|||
|
### [Credentials](windows-local-privilege-escalation/#credentials)
|
|||
|
|
|||
|
* [ ] [**Windows Vault**](windows-local-privilege-escalation/#windows-vault) credentials that you could use?
|
|||
|
* [ ] Interesting [**DPAPI credentials**](windows-local-privilege-escalation/#dpapi)?
|
|||
|
* [ ] [**Wifi netoworks**](windows-local-privilege-escalation/#wifi)?
|
|||
|
* [ ] \*\*\*\*[**SSH keys in registry**](windows-local-privilege-escalation/#ssh-keys-in-registry)?
|
|||
|
* [ ] [**Credentials inside "known files"**](windows-local-privilege-escalation/#credentials-inside-files)? Inside the Recycle Bin? At home?
|
|||
|
* [ ] [**Registry with credentials**](windows-local-privilege-escalation/#inside-the-registry)?
|
|||
|
* [ ] Inside [**Browser data**](windows-local-privilege-escalation/#browsers-history) \(dbs, history, bookmarks....\)?
|
|||
|
* [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/#appcmd-exe)? Credentials?
|
|||
|
* [ ] [**SCClient.exe**](windows-local-privilege-escalation/#scclient-sccm)? DLL Side Loading?
|
|||
|
* [ ] [**Cloud credentials**](windows-local-privilege-escalation/#cloud-credentials)?
|
|||
|
|
|||
|
### [AlwaysInstallElevated](windows-local-privilege-escalation/#alwaysinstallelevated)
|
|||
|
|
|||
|
* [ ] Is this **enabled**?
|
|||
|
|
|||
|
### [Is vulnerable WSUS?](windows-local-privilege-escalation/#wsus)
|
|||
|
|
|||
|
* [ ] Is it **vulnerable**?
|
|||
|
|
|||
|
### [Write Permissions](windows-local-privilege-escalation/#write-permissions)
|
|||
|
|
|||
|
* [ ] Are you able to **write files that could grant you more privileges**?
|
|||
|
|
|||
|
### Any [open handler of a privileged process or thread](windows-local-privilege-escalation/#leaked-handlers)?
|
|||
|
|
|||
|
* [ ] Maybe the compromised process is vulnerable.
|
|||
|
|
|||
|
### [UAC Bypass](windows-local-privilege-escalation/#check-uac)
|
|||
|
|
|||
|
* [ ] There are several ways to bypass the UAC
|
|||
|
|
|||
|
|
|||
|
|
|||
|
If you want to **know** about my **latest modifications**/**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
|
|||
|
|
|||
|
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%283%29.png)
|
|||
|
|
|||
|
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
|||
|
|