Windows Privilege Escalation - Paiet/SEC-335 GitHub Wiki

  • Use an existing vulnerability to escalate privileges
    • exploit-db
      • http://www.exploit-db.com
      • searchsploit (local copy of exploit-db on Kali)
        • searchsploit windows 2003 Privilege
        • 37755.c TCP/IP IOCTL Privilege Escalation (Windows Server 2003)
        • i686-w64-mingw32-gcc 37755.c -o Net.exe (cross-compile a 32-bit Windows binary on Kali)
          • Fix any compilation errors before proceeding
        • Copy Net.exe to the target machine
        • Open a command prompt as the low-privileged user
        • Attempt to add a user (net user <name> <password> /add); as an unprivileged user this fails with access denied
        • Run Net.exe
          • whoami (should now report NT AUTHORITY\SYSTEM)
          • Add the user again; it now succeeds
    • Service/Script Permission Misconfiguration
      • Look for services, scheduled tasks or scripts that run as an administrator (or SYSTEM) but whose files grant Full control to the "Everyone" group
        • Check permissions with icacls, e.g. icacls C:\path\to\script.bat
        • Look for Everyone:(F) on a file, or Everyone:(CI)(F) / Everyone:(OI)(CI)(F) on a directory (files created under it inherit the entry); BUILTIN\Users or Authenticated Users with (F) or (M) is just as bad
        • Demo of Scheduled Task
          • Task is created by an admin and runs as a privileged account
          • Task runs a script with misconfigured permissions
            • Everyone is given full control of a batch file called by the scheduled task
          • User1 (a standard user) is able to edit the batch file, adding a line that puts their account in the local Administrators group (net localgroup administrators User1 /add)
          • Next time the scheduled task runs, User1 is added to the Administrators group
          • Check the Administrators group members to verify (net localgroup administrators); User1 must log off and back on before the new group shows up in their token
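The following PowerShell script is an added example and is not part of the SEC-335 wiki: it automates the icacls check above by walking every enabled scheduled task, pulling the file paths out of each action, and flagging files that Everyone, Users, Authenticated Users or INTERACTIVE can write. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later); the task name "DemoBackup", the path C:\Scripts\backup.bat and the account User1 in the comments are hypothetical and only reproduce the demo scenario.

```powershell
# Added example, not from the SEC-335 wiki: enumerate scheduled tasks and flag any
# script or binary they run that a broad group can modify.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 or later).
# Task, path and account names in the demo comments below are hypothetical.

$BroadGroups = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights on a file that a privileged task executes lets the holder
# change what the task runs. Write covers WriteData/AppendData; Modify and
# FullControl are supersets of it.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-WeakAce {
    # Return the Allow ACEs on $Path that give one of the broad groups write access.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadGroups -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $WriteMask) -ne 0)
    }
}

function Get-TaskFileTargets {
    # Pull every existing file path out of a task action's Execute and Arguments
    # fields. Quoted paths may contain spaces; unquoted tokens split on whitespace.
    param($Action)
    $text = "$($Action.Execute) $($Action.Arguments)"
    $tokens = [regex]::Matches($text, '"([^"]+)"|(\S+)') | ForEach-Object {
        if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value }
    }
    foreach ($t in $tokens) {
        $p = [Environment]::ExpandEnvironmentVariables($t)
        # Only absolute drive paths; bare names like cmd.exe resolve to System32 and are
        # not the misconfiguration this check is looking for.
        if ($p -match '^[A-Za-z]:\\' -and (Test-Path -LiteralPath $p -PathType Leaf)) { $p }
    }
}

function Find-WritableTaskScript {
    # For each enabled task, report actions whose target files a broad group can write.
    foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; skip them.
            if (-not $action.PSObject.Properties['Execute']) { continue }
            foreach ($file in Get-TaskFileTargets $action) {
                try { $weak = @(Get-WeakAce -Path $file) } catch { continue }
                if ($weak.Count -eq 0) { continue }
                [pscustomobject]@{
                    Task     = $task.TaskPath + $task.TaskName
                    RunsAs   = $task.Principal.UserId
                    RunLevel = $task.Principal.RunLevel
                    File     = $file
                    WeakAces = ($weak | ForEach-Object {
                                   "$($_.IdentityReference):$($_.FileSystemRights)"
                               }) -join '; '
                }
            }
        }
    }
}

Find-WritableTaskScript | Format-Table -AutoSize

# Reproducing the wiki's demo with hypothetical names. As an administrator:
#   schtasks /Create /TN "DemoBackup" /TR "C:\Scripts\backup.bat" /SC MINUTE /MO 5 /RU SYSTEM
#   icacls C:\Scripts\backup.bat /grant Everyone:F
# Find-WritableTaskScript now lists \DemoBackup running as SYSTEM with Everyone:FullControl.
# As User1 (a standard user):
#   Add-Content C:\Scripts\backup.bat 'net localgroup administrators User1 /add'
# After the next run, "net localgroup administrators" shows User1. The fix is to drop
# the entry and leave only administrators with write access:
#   icacls C:\Scripts\backup.bat /remove Everyone
```

The script reports on the file the task actually executes, not just the task itself, because the usual mistake is a correctly owned task pointing at a script in a folder whose inherited ACL ((OI)(CI)(F) for Everyone or Users) nobody looked at; checking the file's effective ACEs catches both the direct grant from the demo and the inherited case. Run it as the low-privileged user you are testing from so that Get-Acl fails on files you genuinely cannot read and those are skipped rather than reported.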