search

Windows

  1. Check user (whoami) and groups (net user <username>)

  2. Run winPEAS with fast, searchfast, and cmd options.

  3. Run Seatbelt & other script as well (PowerUP.ps1, SharpUp, etc)

  4. If your scripts are failing and you don't know why, you can always run the manual commands from this source, and other Windows PrivEsc cheatsheets

LogoWindows - Privilege Escalation - Internal All The Thingsswisskyrepo.github.iochevron-right

Strategy:

Spend some time and read over the result of your enumeration.

if WinPEAS or other tool finds something interesting, make a note of it.

Avoid rabbit holes by creating a checklist of things you need for the priviledge escalation method to work.

Have a quick look around for files in user's desktop and other common location (ex: C:\ and C:\Program Files), Read through interesting files that you find, as they may contain useful information that could help escalate priviledge.

circle-info

Have a good look at admin processes, enumerate their versions and search for exploits.

check for internal port that you might be able to forward to your attacking machine.

Try things that don't have many steps firs:

  • registry exploit, services, etc.

If you still don't have an admin shell, re-read your full enumeration dumps and highlight anything that seems odd. This might be a process or file name you aren't familiar with or even a username.

At this stage you can also start to think about Kernel Exploit.

hashtag
Registry Exploits

Requirement to success:

  • AutoRuns --> .\winPEASany.exe quite applicationinfo

    • search for Autorun Application(T1010)

    • check FilePerms: Everyone

    • ability to restart

  • AlwaysInstallElevated

    • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated must set to 1.

    • reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstalElevated must set to 1.

hashtag
AutoRuns

Change the Program.exe to the reverseShell.exe. then restart the computer to get the application run in the

manual check:

hashtag
AlwaysInstallElevated

execute the reverse shell:

hashtag
Service Exploits

Requirement to success:

hashtag
Passwords

Requirement to success:

.\winPEASany.exe quite filesinfo userinfo -> search for AutoLogon credentials(T1012)

login to other user in windows:

hashtag
SaveCred

hashtag
Password in Configuration

search for --> possible known files that can contain creds(T1083&T1081)

or use this cmd command to find the creds:

hashtag
SAM/SYSTEM Locations

file location:

or use winPEAS

search for --> possible known files that can contain creds(T1083&T1081)

copy file SAM and SYSTEM to kali linux.

hashtag
Scheduled Tasks

Requirement to success:

hashtag
Insecure GUI Apps

Requirement to success:

hashtag
Startup Apps

Requirement to success:

hashtag
Installed Apps

Requirement to success:

hashtag
Hot Potato

Requirement to success:

Windows 7,8,10, Server 2008, Server 2012

https://github.com/foxglovesec/Potato/tree/master/source/Potato/Potato/bin/Releasearrow-up-right

hashtag
Juicy Potato

Requirement to success:

  • usually a service account

  • whoami /priv -> SeImpersonatePrivilege Enabled

https://github.com/ohpe/juicy-potatoarrow-up-right https://jlajara.gitlab.io/Potatoes_Windows_Privescarrow-up-right

circle-info

Make sure the CLSID is the right one. If stuck, check this out --> https://www.youtube.com/watch?v=CW4mI5BkP9E&t=7090sarrow-up-right

hashtag
Port Forwarding

Requirement to success:

hashtag
Kernel Exploits

Requirement to success:

PreviousLinuxNextPost Exploit

Last updated