Windows
Enumeration
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
Get-Content .\PrivescCheck.ps1 | Out-String | IEX
.\Seatbelt.exe -group=all
Functionality
LOLBAS shows how to exploit vulnerabilities on known programs to perform privileged actions.
Privileges should be displayed possibly with privileged shell.
They should be activated with EnableAllTokenPrivs.ps1.
Hyper-V Administrators
See HERE for full list.
Feature that enables a consent prompt for elevated activities. When UAC is enabled, applications and tasks always run under the security context of a non-administrator account unless an administrator explicitly authorizes these applications/tasks to have administrator-level access to the system to run. UAC has various integrity levels ranging from low to high.
Check if UAC is enabled.
Check integrity levels. See HERE.
Compile UACMe with Visual Studio to get akagi.exe.
Check version and obtain Build
Search for the Key based on the Build number in the github
Misconfigurations & Weak Permissions
Windows misconfigurations and weak permissions are insecure system settings that allow low-privileged users to access, modify, or control resources in ways that can lead to privilege escalation.
Modifiable Service Binaries
Or with PowerUP (PowerSploit or Empire)
Or with SharpUp
Using icacls we can verify the vulnerability and see if we have full permissions to the directory.
At this point we can replace service binary with malicious binary generated with msfvenom.
Start Service.
If we have the SeShutdownPrivilege privilege and the service has StartMode set to Auto, we can also restart the machine with
Modifiable Services Path
With SharpUp
Next, we'll use AccessChk from the Sysinternals suite to enumerate permissions on the service.
We can use our permissions to change the binary path maliciously.
Start service.
Unquoted Service Paths
If the path of a binary file of a service contains one or more spaces and is not enclosed in quotes, it can be interpreted in various ways by Windows. It starts from left to right and stops at each space, adding .exe. So if we can put a binary file in one of these subdirectories and restart the service, then our binary will be executed.
Although it's not uncommon to find applications with unquoted service paths, it isn't often exploitable.
We can identify unquoted service binary paths using
Or with PowerUP (PowerSploit or Empire)
DLL Injection
We can:
Overwrite a DLL
Hijack the DLL search order
Exploit a missing DLL
The default DLL search order used by the system depends on whether Safe DLL Search Mode is activated. By default it is enabled.
With this mode enabled, applications search for necessary DLL files in the following sequence:
The directory from which the application is loaded.
The system directory.
The 16-bit system directory.
The Windows directory.
The current directory.
The directories that are listed in the PATH environment variable.
However, if it is disabled, the search order changes by moving "The current directory" from 5 to 2.
View service DLLs. See the permissions of those DLLs, whether they are editable and therefore overwritable, or whether they are missing.
Process Monitor (requires elevated privileges)
Process Explorer (it also shows DLLs used for each process)
Each DLL can have an optional entry point function called DllMain, which is executed when processes or threads attach the DLL. This function usually contains four cases called DLL_PROCESS_ATTACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH, DLL_PROCESS_DETACH.
Permissive Registry ACLs
It is also worth searching for weak service ACLs in the Windows Registry, with AccessChk from the Sysinternals suite
We can abuse this using
We can use WMIC to see what programs run at system startup. Suppose we have write permissions to the registry for a given binary or can overwrite a binary listed. In that case, we may be able to escalate privileges to another user the next time that the user logs in.
File
Search for sensitive information in different files
unattend.xml
Application Configuration Files
Look for readable configuration files in which passwords can be saved.
Dictionary Files
The user can add words to their dictionary to avoid the distracting red underline, including passwords.
PowerShell Credentials
Administrators often need to create automated scripts for users that also contain credentials. The credentials are encrypted and protected via DPAPI, which typically means they can only be decrypted by the same user on the same computer they were created on.
Example script
If we have gained command execution in the context of this user we can recover the cleartext credentials
StickyNotes
Copy them to your system and open them with DB Browser for SQLite, or with PSSQLite on the target
Password Managers
KeePass, 1Password, Thycotic, CyberArk, etc.
Crack with hashcat 13400.
VHDX & VMDK
We can get SYSTEM, SAM and SECURITY files.
Shares SMB
With netexec search for interesting files among the shares.
(try again if there are errors)
Password
Search for passwords saved in the system.
It searches for passwords.
laZagne.exe all
Extract saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials.
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Target <MACHINE, es.WINLPE-SRV01>
It searches for passwords and interesting file.
.\snaffler.exe -s -o snaffler.log [-i]
.\snaffler.exe -s -d <domain> -o snaffler.log [-i]
Browser
Retrieve cookies and saved logins from Google Chrome.
.\SharpChrome.exe logins /unprotect
Retrieve Chromium data, such as cookies, history and saved logins.
PowerShell script which uses reflection to load SharpChromium.
Import-Module .\Invoke-SharpChromium.ps1
Invoke-SharpChromium -Command "cookies <SITE>"
If we have a path error, copy the cookie file path that contains the database to the location SharpChromium is expecting.
Extract cookies from the Firefox cookies.SQLite database.
Copy and transfer the DB with cookies to the attacking machine.
copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
Archived Passwords
Connect with RDP GUI or with runas
Autorun
Windows Autologon allows a system to automatically log on to a specific user account, without requiring manual input of the username and password at each startup.
The username and password are stored in the registry, in clear-text.
Autologon.exe from the Sysinternals suite encrypt the password as an LSA secret.
Putty
For Putty sessions utilizing a proxy connection, when the session is saved, the credentials are stored in the registry in clear text.
if we had admin privileges, we would be able to find it under the corresponding user's hive in HKEY_USERS.
DPAPI
The DPAPI (Data Protection API) is an internal component in the Windows system. It allows various applications to store sensitive data (e.g. passwords). The data are stored in the users directory and are secured by user-specific master keys derived from the users password.
IMPORTANT: Copy files well from windows (ex. use base64)
Extract Master Key
dpapi masterkey -file <MASTERKEY> -sid "<SUID>" -password '<USER_PASS>'
Extract Protected Data wit Master Key
dpapi credential -f <PROTECTED_FILE> -key <MASTERKEY>
Other tools like DonPAPI, dpapick, dpapilab and secretsdump.py.
Various
Variables
Check environment variables for sensitive information such as passwords or misconfiguration.
History
Often administrators clean the history only with Clear-History, but this is not enough as it only cleans the Get-History, but the history can be found with PSReadline.
With Event Viewer to search for events recorded by Script Block Logging.
Scheduled Tasks
Unfortunately, we cannot list out scheduled tasks created by other users (such as admins) because they are stored in C:\Windows\System32\Tasks.
Perform an analysis if there are files that can be the target of Scheduled Tasks by Administrator.
Vulnerable Service & Applications
Some services/applications may allow us to escalate to SYSTEM. Enumerate the installed applications carefully and check if they contain vulnerabilities.
Druva inSync 6.6.3
CVE-2020-5752 with Invoke-PowerShellTcp.ps1 (see Reverse Shell)
Used to manage and connect to remote systems using VNC, RDP, SSH, and similar protocols.
%USERPROFILE%\APPDATA\Roaming\mRemoteNG\confCons.xml (take password in <NODE>)
Use mRemoteNG-Decrypt
mremoteng_decrypt.py -s "<PASSWORD>"
mremoteng_decrypt.py -s "<PASSWORD>" -p <MasterPass> (try brute force MasterPass with wordlists and foreach)
Always Install Elevated
You can add /v AlwaysInstallElevated
Create msi payload with msfvenom and run it on target.
Or use Write-UserAddMSI in PowerUP (PowerSploit or Empire)
Citrix Breakout
It is possible to utilize windows dialog boxes (with features like Save, Save As, Open, Load, Browse, Import, Export, Help, Search, Scan, Print, etc.) as a means to bypass the restrictions imposed on users when browsing directories.
In File Name with All Files in File-Type.
With smbserver on the attacker
Due to the presence of restrictions within the File Explorer, direct file copying is not viable.
An alternative approach involves: right-clicking > run
Where the executable will open a terminal, as it is the following:
Alternative File System Editors like Q-Dir or Explorer++ can be employed as a workaround.
Similarly when the default Registry Editor is blocked by group policy, alternative Registry editors can be employed to bypass the standard group policy restrictions. Simpleregedit, Uberregedit and SmallRegistryEditor are examples of such GUI tools
Right-click on Shortcut > Properties > Target > C:\\Windows\System32\cmd.exe
Modify Existing Shortcut, also with .lnk file.
When script extensions such as .bat, .vbs, or .ps are configured to automatically execute their code using their respective interpreters, it opens the possibility of dropping a script that can serve as an interactive console.
New file "evil.bat" > Insert "cmd" > Save it > Run it
See resources1, resources2
Email
Searching through email in a Microsoft Exchange environment for specific terms.
Clipboard
Stealing the clipboard
Import-Module .\Invoke-Clipboard.ps1
Invoke-ClipboardLogger
Backup Program
In $env:RESTIC_PASSWORD is saved the password that is used for backup, if it is not present it will be requested each time.
restic.exe -r E:\restic init (init backup directory)
restic.exe -r E:\restic\ backup C:\FolderToBackup
--use-fs-snapshot to create a Volume Shadow Copy for files actively used
restic.exe -r E:\restic\ snapshots
restic.exe -r E:\restic\ restore <ID> --target C:\RestoreHere
Interacting with Users
Passive Traffic
Monitoring for Process Command Lines
When getting a shell as a user, there may be scheduled tasks or other processes being executed which pass credentials on the command line. This script captures process command lines every two seconds and compares the current state with the previous state, outputting any differences.
SCF
If there are public folders that are also accessed by other users and that we have write permissions to, we can insert an .scf file that is executed every time the folder containing it is opened.
Using SCFs no longer works on Server 2019 hosts.
LNK
We can get the same effect as SCF using a malicious .lnk file.
We can use various tools to generate a malicious .lnk file, such as Lnkbomb, or we can run this code.
Kernel
Exploit Kernel Level. Depends on Kernel Version and Operating System. May cause crashes!
Examine the installed update and search KB (Microsoft Knowledge Base ID number) in Update Catalog
PowerShell script to quickly find missing software patches.
Import-Module .\Sherlock.ps1
Find-AllVulns
Enumerate missing KBs and suggest exploits.
Windows Exploit Suggester.
Python script for detect potential missing patches.
python2.7 windows-exploit-suggester.py --update
Save systeminfo output from target windows system.
python2.7 windows-exploit-suggester.py --database <DB.xlsx> --systeminfo <SYSTEMINFO.txt>
See Windows-CVE section.
Last updated
Was this helpful?