Window Privilege Escalation
Taking notes from Tib3rius's Window Privilege Escalation course
Finding and using a kernel exploit is usually a simple process:
Enumerate the Windows version / patch level (systeminfo)
Find matching exploits (Google, ExploitDB, GitHub)
Compile and run
Beware though, as kernel exploits can often be unstable and may be one-shot or cause a system crash.
Windows Exploit Suggester:
https://github.com/bitsadmin/wesng
Precompiled kernel exploits:
https://github.com/SecWiki/windows-kernel-exploits
Watson:
https://github.com/rasta-mouse/Watson
You can use accesschk.exe to check the user account's permissions on the "daclsvc" service:
sc qc daclsvc
Listen with netcat on your local machine and execute it:
net start daclsvc
First, we need to check that we have permission to start the service.
Second, we need to check write permissions on each directory along the path where the binary exists.
Create the reverse.exe executable, copy it to this directory and rename it common.exe.
Listen with netcat on port 53 and execute it; the service runs with SYSTEM privileges:
net start unquotedsvc
Query the "regsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME).
sc qc regsvc
Using accesschk.exe, note that the registry entry for the regsvc service is writable by the "NT AUTHORITY\INTERACTIVE" group (essentially all logged-on users).
Check whether we can start the service or not.
Overwrite the ImagePath registry key to point to the reverse.exe executable you created.
Listen with netcat on port 53 and execute it:
net start regsvc
If you see that the file permissions make the binary writable by everyone:
sc qc filepermsvc
You can check with accesschk.exe, and also check whether we can start the service or not.
Create the reverse.exe and replace filepermservice.exe with it.
Listen with netcat on port 53 and execute this command; we will get a reverse shell:
net start filepermsvc
In the real world, don't forget to back up the original file.
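The service checks above (start permission, writable binary, writable directories along an unquoted path) can be audited host-wide from the defender's side. The following PowerShell script is an added example, not part of the course; it walks every installed service, flags binaries and unquoted-path prefix directories that grant Write/Modify/FullControl to broad groups, and reports the account each such service runs as. The list of "broad" principals is an assumption you may extend.

```powershell
# Added audit script (not from the course). Flags services whose binary, or a
# parent directory along an unquoted path with spaces, is writable by broad
# groups. Run from an elevated PowerShell prompt.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

# Returns the broad principals that hold Write/Modify/FullControl on $Path.
function Get-BroadWriters([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad -contains $_.IdentityReference.Value -and
            [string]$_.FileSystemRights -match 'Write|Modify|FullControl'
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Select-Object -Unique
}

# Strips arguments from a service PathName, quoted or not.
function Get-ServiceExe([string]$PathName) {
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s')[0]
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ServiceExe $svc.PathName
    $targets = @($exe)
    # Unquoted path with spaces: the SCM may try each truncated prefix, so the
    # parent directory of every prefix needs a sound ACL as well.
    if (-not $svc.PathName.StartsWith('"') -and $exe -match '\s') {
        $parts = $exe -split '\s'
        for ($i = 0; $i -lt $parts.Count - 1; $i++) {
            $targets += Split-Path -Parent ($parts[0..$i] -join ' ')
        }
    }
    foreach ($t in ($targets | Select-Object -Unique)) {
        $who = Get-BroadWriters $t
        if ($who) {
            [pscustomobject]@{
                Service = $svc.Name; RunsAs = $svc.StartName
                Writable = $t; GrantedTo = ($who -join ', ')
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Any row whose RunsAs is LocalSystem (or another privileged account) is the one to fix first: quote the ImagePath and tighten the directory or file ACL to administrators only.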
Check that the service is running with SYSTEM privileges.
sc qc dllsvc
In the real world, you can copy the executable file to your machine and check with procmon which DLL file path is missing.
Generate a reverse shell with msfvenom.
Find the missing .dll file path which is writable for us and move this file to that directory.
Listen with netcat, stop the service and start the service back.
To list the registry for AutoRun executables:
Using accesschk.exe, note that one of the AutoRun executables must be writable by everyone:
Copy the reverse.exe executable you created and overwrite the AutoRun executable with it:
Start a listener on your localhost and then restart the Windows VM. Open up a new RDP session to trigger a reverse shell running with admin privileges. You should not have to authenticate to trigger it:
rdesktop 10.10.21.39
In the real world, don't forget to back up the original program you overwrite.
Query the registry for AlwaysInstallElevated keys:
Note that both keys must be set to 1 (0x1), as in the picture. If not, the exploit will not work.
On Linux, generate a reverse shell Windows Installer (reverse.msi) using msfvenom.
Transfer the reverse.msi file to a directory on Windows. Start a listener on Kali and then run the installer to trigger a reverse shell running with SYSTEM privileges:
msiexec /quiet /qn /i reverse.msi
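Because the policy is only effective when both the machine-wide and the per-user value are 1, an administrator can verify and clear it in one step. The script below is an added example, not from the course; it reads the two AlwaysInstallElevated values under the Windows Installer policy keys, reports whether the condition holds, and with -Fix resets both to 0.

```powershell
# Added hardening check (not from the course). AlwaysInstallElevated only takes
# effect when BOTH the HKLM and the HKCU value are 1; report the state and,
# with -Fix, clear the policy. Run from an elevated PowerShell prompt.
param([switch]$Fix)

$keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

# One row per key: Value is $null when the key or value does not exist.
function Get-AieState {
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated `
                -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Key = $k; Value = $v }
    }
}

$state = Get-AieState
$state | Format-Table -AutoSize
$enabled = @($state | Where-Object { $_.Value -eq 1 }).Count -eq $keys.Count

if (-not $enabled) {
    'AlwaysInstallElevated is not effective on this host.'
    return
}
Write-Warning 'Both AlwaysInstallElevated values are 1: any user can install MSI packages as SYSTEM.'
if ($Fix) {
    foreach ($k in $keys) {
        # A value of 0 is equivalent to the policy being unset.
        Set-ItemProperty -Path $k -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
    Get-AieState | Format-Table -AutoSize
}
```

The HKCU half is per user, so run the check in the context of each interactive account you care about, or push the fix through Group Policy instead.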
The registry can be searched for keys and values that contain the word "password":
reg query HKLM /f password /t REG_SZ /s
If you want to save some time, query this specific key to find admin AutoLogon credentials:
On Kali, use the winexe command to spawn a command prompt running with the admin privileges (update the password with the one you found):
List any saved credentials:
cmdkey /list
Note that credentials for the "admin" user are saved. If they aren't, run the C:\PrivEsc\savecred.bat script to refresh the saved credentials. Start a listener on Kali and run the reverse.exe executable using runas with the admin user's saved credentials:
The SAM and SYSTEM files can be used to extract user password hashes. They are located in the C:\Windows\System32\config directory. The files are locked while Windows is running.
Backup files may exist in the C:\Windows\Repair or C:\Windows\System32\config\RegBack directories.
Transfer the SAM and SYSTEM files to your Kali VM:
You can dump the password hashes with this tool.
When you get the hashes, you don't need to crack them; you can use the hashes directly to spawn a shell.
Windows can be configured to run tasks at specific times, periodically (e.g. every 5 minutes, the same as crontab in Linux) or when triggered by some event (e.g. a user login).
Check our permissions on this script, whether we have write access or not.
Copy our reverse shell to this directory and listen with netcat.
Open AdminPaint on your desktop and check whether it is running with SYSTEM privileges or not.
When it is running as admin, click on Open File in the mspaint app and open cmd.exe. Type this:
file://c:/windows/system32/cmd.exe
It will pop up a command prompt with SYSTEM privileges.
Each user can define apps that start when they log in, by placing shortcuts to them in a specific directory.
Windows also has a startup directory for apps that should start for all users:
If we can create files in this directory, we can use our reverse shell and escalate privileges when an admin logs in.
Check whether we have write access to the Startup directory.
Run the C:\PrivEsc\CreateShortcut.vbs script, which creates a new shortcut to your reverse.exe in the StartUp directory:
cscript C:\PrivEsc\CreateShortcut.vbs
When the user logs out and logs back in as the admin user, it will connect to our listener.
In Exploit-DB, it will show us which apps are vulnerable to local privilege escalation; you only need to check whether the vulnerable app is installed on your machine or not:
tasklist /V
Hot Potato is the name of an attack that uses a spoofing attack along with an NTLM relay attack to gain SYSTEM privileges. This attack tricks Windows into authenticating as the SYSTEM user to a fake HTTP server using NTLM. The NTLM credentials then get relayed to SMB in order to gain command execution.
This attack works on Windows 7, 8, early versions of Windows 10 and their server counterparts.
Token impersonation is a technique you can use as local admin to impersonate another user logged on to a system. This is very useful in scenarios where you are local admin on a machine and want to impersonate another logged-on user, e.g. a domain administrator.
In Metasploit:
You can find the CLSID here; the CLSID must be valid for the version of Windows we are using.
Will be updated with more.