Windows
A list of Privilege Escalation Techniques for Windows.
Local Privesc Scanner
winPEAS
winPEAS is a script that searches for possible paths to escalate privileges on Windows hosts.
Github: https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
PrivescCheck
This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.
Windows Exploit Suggester - Next Generation (WES-NG)
WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 11, including their Windows Server counterparts, is supported.
Automatic privesc tools
PowerUP
PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.
Running Invoke-AllChecks will output any identifiable vulnerabilities along with specifications for any abuse functions. The -HTMLReport flag will also generate a COMPUTER.username.html version of the report.
Github: PowerUP
⚠️ This tool is no longer supported
Sherlock
PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
Github: Sherlock
⚠️ This tool is no longer supported
Watson
Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
Github: Watson
⚠️ This tool is no longer supported
Impersonation
JuicyPotatoNG
Allows a Windows service account to escalate to NT AUTHORITY\SYSTEM when the SeImpersonate or SeAssignPrimaryToken privilege is enabled.
Harvesting passwords
Unattended windows installations
Unattended Windows installations require an administrator account to perform the initial setup, and its credentials might end up being stored on the machine in the following locations:
Credentials could be stored in these files.
Powershell history
From cmd:
From PowerShell:
Windows saved credentials
Use the following command to list the saved credentials:
If you see some saved credentials you can run a new shell as this user:
IIS configuration
You might find IIS configuration files in the following locations:
You can search for "connectionString" to find some database credentials in the config file.
PuTTY proxy credentials
To retrieve the stored proxy credentials, you can search under the following registry key for ProxyPassword with the following command:
Misconfigurations
Scheduled tasks
Look for a scheduled task whose binary is missing or whose binary you can modify.
List scheduled tasks:
See the details of a task:
The program executed by the task will be listed under "Task To Run:". If you can modify this binary, you can run code as the user running the task (listed under "Run as User:"). You can use icacls to check the file permissions.
In this example, the groups marked "(F)" have full control of the file. If you are a member of one of these groups, you can replace the file with your payload to execute the code you want; just keep the name used in the scheduled task.
Always Install Elevated
You need to check whether two registry keys are set to know if the machine is exploitable. You can check them with the following commands:
If both are set, the machine is exploitable. With msfvenom you can generate an MSI payload that will exploit the vulnerability.
Then start a metasploit handler on your attack machine, with the payload set to the same one used with msfvenom. Then drop your payload on the vulnerable machine and execute it with the following command:
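As an added defensive check (not a command from this page), the following PowerShell reads both AlwaysInstallElevated values and reports whether the policy is effective, which requires the HKLM and the HKCU value to both be 1. The registry paths are the documented Windows Installer policy locations; the function name and the -Remediate switch are this example's own:

```powershell
# Added example: audit (and optionally clear) the AlwaysInstallElevated policy.
# The policy only takes effect when BOTH values below are 1, which is the check
# the page describes. The key paths are the documented Windows Installer policy
# locations; -Remediate is specific to this example.
function Get-AlwaysInstallElevatedStatus {
    [CmdletBinding()]
    param([switch]$Remediate)

    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',   # machine policy
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'    # current-user policy
    )
    $hives = foreach ($key in $keys) {
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $value = (Get-ItemProperty -LiteralPath $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        $enabled = ($value -eq 1)
        if ($enabled -and $Remediate) {
            # 0 is the documented "disabled" state; deleting the value is equivalent.
            Set-ItemProperty -LiteralPath $key -Name AlwaysInstallElevated -Value 0 -Type DWord
            $enabled = $false
        }
        [pscustomobject]@{ Hive = $key.Substring(0, 4); Value = $value; Enabled = $enabled }
    }
    # Effective only when the machine AND the user value are both set.
    [pscustomobject]@{
        Hives     = $hives
        Effective = (@($hives | Where-Object Enabled).Count -eq 2)
    }
}

$status = Get-AlwaysInstallElevatedStatus
$status.Hives | Format-Table -AutoSize
"AlwaysInstallElevated effective on this host: $($status.Effective)"
```

HKCU is per user, so run it in each interactive user's context. On a managed host the value is normally driven by Group Policy, so clearing it locally with -Remediate is only a stopgap until the policy itself is corrected.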
Insecure permissions on service executable
If the executable associated with a service has weak permissions that allow you to modify or replace it, you can trivially gain the privileges of the service's account.
First check the service's details to see which binary it uses and which account runs it:
⚠️ If you are in a PowerShell shell, use sc.exe, because sc is an alias for Set-Content
The "SERVICE_START_NAME" is the user used to run the service and the "BINARY_PATH_NAME" is the path of the binary run by the service. You can use icacls to check the file permissions.
In this example you can see that Everyone has the modify permission "(M)". You can replace the binary with your payload to execute the code you want; just keep the path used in the service. Make sure that you generate a correct service binary; to do so you can use msfvenom:
Then start a metasploit handler with the correct payload on your attacking machine, drop the payload on the vulnerable machine and replace the binary used by the service with your payload:
Then restart the service.
Unquoted service paths
If the binary path used by a service is not quoted, Windows will split the path on the spaces and try to execute each prefix.
Example: BINARY_PATH_NAME : C:\foo bar\foo.exe
Windows will first try to execute C:\foo.exe and, if that fails, C:\foo bar\foo.exe. So if you have permission to create C:\foo.exe you can run code as the service's account. You can check this by using icacls.
Make sure that you generate a correct service binary; to do so you can use msfvenom:
Then start a metasploit handler with the correct payload on your attacking machine, drop the payload on the vulnerable machine and replace the binary used by the service with your payload:
Then restart the service.
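The scheduled-task, service-binary and unquoted-path checks above all ask the same question: can a low-privileged principal modify, or plant, the file that runs in another account's context? As an added example that is not code from this page, the following PowerShell audits all three in one pass and suggests the fix for each finding. It assumes Windows 8 / Server 2012 or later (for the ScheduledTasks module) and an elevated session; the function names and the list of low-privileged principals are this example's own choices.

```powershell
# Added example (not code from the page): audit scheduled-task and service
# binaries for the weaknesses described above. Run elevated on Windows 8 /
# Server 2012 or later. Principal list and function names are this example's.

# Principals that must never be able to write the binary another account runs.
$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# WriteData (CreateFiles on a directory), WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
$WriteMask = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Get-WeakWriter {
    # First low-privileged principal that can write $Path itself, or $null.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPriv -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only ACEs (e.g. Users on C:\) grant nothing on this object itself.
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}

function Split-CommandLine {
    # Resolves the executable; for an unquoted path with spaces also returns the
    # "<prefix>.exe" candidates Windows tries first (C:\foo.exe for C:\foo bar\foo.exe).
    param([string]$CommandLine)
    $p = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $unquoted = -not $p.StartsWith('"')
    if ($unquoted) {
        $exe = $p
        $idx = $p.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
        if ($idx -ge 0) { $exe = $p.Substring(0, $idx + 4) }   # drop arguments
    } else {
        $exe = $p.Split('"')[1]
    }
    if (-not [System.IO.Path]::IsPathRooted($exe)) {          # bare names such as cmd.exe
        $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd) { $exe = $cmd.Source; $unquoted = $false }
    }
    $prefixes = @()
    if ($unquoted) {
        $parts = $exe.Split(' ')
        $prefixes = @(for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' })
    }
    [pscustomobject]@{ Exe = $exe; Prefixes = $prefixes }
}

function Test-Binary {
    param([string]$Kind, [string]$Name, [string]$RunAs, [string]$CommandLine, [switch]$CheckUnquoted)
    $c = Split-CommandLine $CommandLine
    $report = { param($Issue, $Fix)
        [pscustomobject]@{ Kind = $Kind; Name = $Name; RunAs = $RunAs; Path = $c.Exe; Issue = $Issue; Fix = $Fix } }
    if (-not (Test-Path -LiteralPath $c.Exe)) {
        & $report 'binary missing' 'delete the entry, or restore the file with an admin-only ACL'
    } elseif (($who = Get-WeakWriter $c.Exe)) {
        & $report "binary writable by $who" 'icacls <file> /reset, then grant write access to Administrators only'
    }
    if ($CheckUnquoted -and $c.Prefixes.Count -gt 0) {
        $dir = $c.Prefixes | ForEach-Object { Split-Path $_ -Parent } |
               Where-Object { $_ -and (Get-WeakWriter $_) } | Select-Object -First 1
        $issue = if ($dir) { "unquoted path, '$dir' writable by low-privileged users" } else { 'unquoted path (no writable directory found)' }
        & $report $issue ('sc.exe config {0} binPath= "\"{1}\""' -f $Name, $c.Exe)
    }
}

$findings = @(
    foreach ($t in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        foreach ($a in $t.Actions) {
            if ($a.Execute) { Test-Binary -Kind Task -Name $t.TaskName -RunAs $t.Principal.UserId -CommandLine $a.Execute }
        }
    }
    foreach ($s in Get-CimInstance Win32_Service | Where-Object PathName) {
        Test-Binary -Kind Service -Name $s.Name -RunAs $s.StartName -CommandLine $s.PathName -CheckUnquoted
    }
)
$findings | Format-Table -AutoSize -Wrap
```

An unquoted path is reported even when no intermediate directory is writable today, because the fix (quoting it with sc.exe config) is cheap and removes the dependency on directory ACLs staying tight. The Get-WeakWriter check deliberately ignores inherit-only ACEs and the "create folders" right, so the default ACL on C:\ (where users may create directories but not files) does not produce a false positive.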
Insecure service permissions
If you can modify a service's configuration, you can simply change the binary it runs to the path of your payload. To check whether you have permission to edit it, you can use accesschk:
Here we can see that the BUILTIN\Users group has the SERVICE_ALL_ACCESS permission, which means any user can reconfigure the service.
Make sure that you generate a correct service binary; to do so you can use msfvenom:
Then start a metasploit handler with the correct payload on your attacking machine, drop the payload on the vulnerable machine and replace the binary used by the service with your payload:
Edit the service's configuration:
The obj parameter is used to choose which account will run the service.
Then restart the service:
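As an added check that is not one of the page's commands, this PowerShell answers the same question as the accesschk step above without a third-party tool: it reads each service's DACL with sc.exe sdshow, decodes the SDDL with .NET, and reports low-privileged principals (Everyone, Users, Authenticated Users and INTERACTIVE, matched by well-known SID) that hold SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic write/all right. The access-right constants are the winsvc.h values; the function name is this example's own.

```powershell
# Added example (not one of the page's commands): find services whose DACL lets
# low-privileged principals reconfigure them. Uses only sc.exe and .NET, so it
# stands in for accesschk on hosts where that tool is not available.
# Run elevated so that every service's security descriptor is readable.

# Service access rights from winsvc.h, plus the generic rights that imply them.
$SERVICE_CHANGE_CONFIG = 0x0002
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_WRITE         = 0x40000000
$GENERIC_ALL           = 0x10000000
$DangerousMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_WRITE -bor $GENERIC_ALL

# Well-known SIDs: Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE.
$LowPrivSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')

function Get-ServiceDangerousAces {
    param([Parameter(Mandatory)][string]$Name)
    # "sc.exe sdshow" prints the SDDL on one line starting with "D:".
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return }                       # access denied or unknown service
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if ($LowPrivSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if (($ace.AccessMask -band $DangerousMask) -eq 0) { continue }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Service    = $Name
            Principal  = $who
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            Rights     = @(
                if ($ace.AccessMask -band $SERVICE_CHANGE_CONFIG) { 'SERVICE_CHANGE_CONFIG' }
                if ($ace.AccessMask -band $WRITE_DAC)             { 'WRITE_DAC' }
                if ($ace.AccessMask -band $WRITE_OWNER)           { 'WRITE_OWNER' }
                if ($ace.AccessMask -band ($GENERIC_WRITE -bor $GENERIC_ALL)) { 'GENERIC' }
            ) -join ','
        }
    }
}

$findings = Get-Service | ForEach-Object { Get-ServiceDangerousAces -Name $_.Name }
$findings | Format-Table -AutoSize
```

SERVICE_ALL_ACCESS (0xF01FF), the right the page's accesschk output shows for BUILTIN\Users, contains all three service-specific bits and is therefore reported with the full list. WRITE_DAC and WRITE_OWNER are included because a principal holding either can grant itself SERVICE_CHANGE_CONFIG. Remediate by rewriting the service DACL with sc.exe sdset to a descriptor that omits those ACEs for non-administrators.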
Windows privileges
First run a terminal as administrator so that all your privileges are available. Then check which privileges are enabled:
Then check the Priv2Admin repo to see what these privileges enable you to do.
Resources
PayloadsAllTheThings - Windows Privesc