Windows

  1. Check user (whoami) and groups (net user <username>)

  2. Run winPEAS with fast, searchfast, and cmd options.

  3. Run Seatbelt & other script as well (PowerUP.ps1, SharpUp, etc)

  4. If your scripts are failing and you don't know why, you can always run the manual commands from this source, and other Windows PrivEsc cheatsheets

LogoWindows - Privilege Escalation - Internal All The Thingsswisskyrepo.github.io

Strategy:

Spend some time and read over the result of your enumeration.

if WinPEAS or other tool finds something interesting, make a note of it.

Avoid rabbit holes by creating a checklist of things you need for the priviledge escalation method to work.

Have a quick look around for files in user's desktop and other common location (ex: C:\ and C:\Program Files), Read through interesting files that you find, as they may contain useful information that could help escalate priviledge.

Have a good look at admin processes, enumerate their versions and search for exploits.

check for internal port that you might be able to forward to your attacking machine.

Try things that don't have many steps firs:

  • registry exploit, services, etc.

If you still don't have an admin shell, re-read your full enumeration dumps and highlight anything that seems odd. This might be a process or file name you aren't familiar with or even a username.

At this stage you can also start to think about Kernel Exploit.

Registry Exploits

Requirement to success:

  • AutoRuns --> .\winPEASany.exe quite applicationinfo

    • search for Autorun Application(T1010)

    • check FilePerms: Everyone

    • ability to restart

  • AlwaysInstallElevated

    • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated must set to 1.

    • reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstalElevated must set to 1.

AutoRuns

Change the Program.exe to the reverseShell.exe. then restart the computer to get the application run in the

manual check:

AlwaysInstallElevated

execute the reverse shell:

Service Exploits

Requirement to success:

Passwords

Requirement to success:

.\winPEASany.exe quite filesinfo userinfo -> search for AutoLogon credentials(T1012)

login to other user in windows:

SaveCred

Password in Configuration

search for --> possible known files that can contain creds(T1083&T1081)

or use this cmd command to find the creds:

SAM/SYSTEM Locations

file location:

or use winPEAS

search for --> possible known files that can contain creds(T1083&T1081)

copy file SAM and SYSTEM to kali linux.

Scheduled Tasks

Requirement to success:

Insecure GUI Apps

Requirement to success:

Startup Apps

Requirement to success:

Installed Apps

Requirement to success:

Hot Potato

Requirement to success:

Windows 7,8,10, Server 2008, Server 2012

https://github.com/foxglovesec/Potato/tree/master/source/Potato/Potato/bin/Release

Juicy Potato

Requirement to success:

  • usually a service account

  • whoami /priv -> SeImpersonatePrivilege Enabled

https://github.com/ohpe/juicy-potato https://jlajara.gitlab.io/Potatoes_Windows_Privesc

Make sure the CLSID is the right one. If stuck, check this out --> https://www.youtube.com/watch?v=CW4mI5BkP9E&t=7090s

Port Forwarding

Requirement to success:

Kernel Exploits

Requirement to success:

PreviousLinuxNextPost Exploit

Last updated