Windows
Enumeration
PrivEscCheck
https://raw.githubusercontent.com/itm4n/PrivescCheck/master/Invoke-PrivescCheck.ps1
or:
PowerUp
Unquoted Service Paths
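Defender-side check for the above, added here as an example (not part of the original notes or the tools it links): list services whose unquoted ImagePath contains a space, then quote the path in the registry. Function names are my own; the WMI class and registry key are the standard Windows ones.

```powershell
# Added example (not part of the original notes): find services whose unquoted
# ImagePath contains a space, and quote the path in the registry to fix it.

function Get-UnquotedServicePath {
    # Win32_Service.PathName is the raw ImagePath, including any arguments.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        # Already quoted (or empty) paths are not affected.
        if (-not $path -or $path.TrimStart().StartsWith('"')) { return }
        # Executable portion = everything up to and including the first ".exe"
        # (heuristic: binaries without an .exe suffix are not covered).
        if ($path -match '^(?<exe>.+?\.exe)') {
            if ($Matches['exe'] -match '\s') {
                [pscustomobject]@{
                    Name      = $_.Name
                    StartName = $_.StartName    # account the service runs as
                    StartMode = $_.StartMode
                    PathName  = $path
                }
            }
        }
    }
}

function Repair-UnquotedServicePath {
    # Rewrites ImagePath as "<exe>" <args>; takes effect on the next service start.
    # Writing the registry value directly avoids sc.exe's awkward quoting rules.
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    # Read the value unexpanded so %SystemRoot%-style paths are preserved.
    $current = (Get-Item -Path $key).GetValue('ImagePath', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if (-not $current) { throw "service '$Name' has no ImagePath" }
    if ($current.TrimStart().StartsWith('"')) { return $current }   # nothing to do
    if ($current -notmatch '^(?<exe>.+?\.exe)(?<args>.*)$') {
        throw "cannot parse ImagePath of '$Name': $current"
    }
    $fixed = '"{0}"{1}' -f $Matches['exe'], $Matches['args']
    Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
    return $fixed
}

# Usage (elevated prompt):
#   Get-UnquotedServicePath | Format-Table Name, StartName, StartMode, PathName -AutoSize
#   Get-UnquotedServicePath | ForEach-Object { Repair-UnquotedServicePath -Name $_.Name }
```

The audit runs as a normal user; the repair needs an elevated prompt. A hit is only a real problem when a low-privileged user can write to one of the directories along the path, so review the path's ACLs before treating every result as a finding.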
Common CVEs
CVE-2019-1388: Windows Privilege Escalation Through UAC
https://www.youtube.com/watch?v=3BQKpPNlTSo
Download & start hhupd.exe, get it to start an iexplore.exe from the UAC dialog and start cmd.exe from the browser's save-file dialog
Privilege Abuse
If privileges are disabled you can enable them with AdjustTokenPrivileges. All these privileges are configured via "secpol.msc -> Local Policies -> User Rights Assignment".
SeBackupPrivilege/SeRestorePrivilege
These privileges allow unrestricted read/write access to every file on the system. They have to be enabled first, for which you can use this PowerShell script:
SeImpersonatePrivilege
This privilege allows a process to impersonate the user that connects to it. The connection can happen via HTTP NTLM authentication, SMB or named pipes.
This was patched in August 2020 (the spooler will no longer connect to your named pipe; the underlying technique still works).
This requires that the victim server can reach your box on port 135. You run the OxidResolver and use socat to forward your port 135 to the OxidResolver's port. Then you can run the exploit:
Usable if WinRM is not already running (unpatched). Usage (don't quote the path):
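The hardening counterpart to the whole "Privilege Abuse" section (SeBackup/SeRestore as well as SeImpersonate), added as an example and not part of the original notes: export the local User Rights Assignment with secedit and report every holder of a sensitive privilege that is not one of the built-in principals that hold it by default. The list of rights goes slightly beyond the page (SeDebug, SeTakeOwnership, SeLoadDriver, SeAssignPrimaryToken are other well-known rights that amount to admin); the function names are my own.

```powershell
# Added example (not part of the original notes): export the local User Rights
# Assignment with secedit and report non-default holders of sensitive privileges.

# Rights named in the notes plus other well-known "effectively admin" rights.
$SensitiveRights = 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeImpersonatePrivilege',
                   'SeAssignPrimaryTokenPrivilege', 'SeDebugPrivilege',
                   'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege'

# Principals that hold some of these rights by default on a workstation/member server.
$ExpectedHolders = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SERVICE',
                   'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'

function Resolve-PolicySid {
    param([string]$Entry)
    # secedit writes SIDs as *S-1-5-..., and names (e.g. domain groups) verbatim.
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sid = $Entry.Substring(1)
    try {
        ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }   # unresolvable (deleted account, unreachable domain): keep the SID
}

function Get-UserRightsAssignment {
    $tmp = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # USER_RIGHTS limits the export to the [Privilege Rights] section.
        & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $tmp)) { throw 'secedit export failed; run from an elevated prompt' }
        $inSection = $false
        foreach ($line in Get-Content -Path $tmp) {
            if ($line -match '^\[(?<section>.+)\]\s*$') {
                $inSection = ($Matches['section'] -eq 'Privilege Rights'); continue
            }
            if (-not $inSection -or $line -notmatch '^(?<right>Se\w+)\s*=\s*(?<holders>.*)$') { continue }
            $right = $Matches['right']
            $holders = $Matches['holders']
            [pscustomobject]@{
                Right   = $right
                Holders = @($holders -split ',' | ForEach-Object { Resolve-PolicySid $_.Trim() })
            }
        }
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

function Find-SensitiveRightHolder {
    # One row per (right, holder) where the holder is not an expected built-in principal,
    # e.g. a web application's service account holding SeImpersonatePrivilege.
    Get-UserRightsAssignment |
        Where-Object { $_.Right -in $SensitiveRights } |
        ForEach-Object {
            $right = $_.Right
            foreach ($h in $_.Holders) {
                if ($h -and $h -notin $ExpectedHolders) {
                    [pscustomobject]@{ Right = $right; Holder = $h }
                }
            }
        }
}

# Usage (elevated prompt):
#   Find-SensitiveRightHolder | Format-Table -AutoSize
```

On a domain member, a Group Policy can assign these rights too; the secedit export reflects the effective local policy, so run it on the box you care about rather than reading the GPO alone.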
Bypassing UAC
There are lots of different ones out there; a good collection is UACME, but it is detected very easily. In Covenant you can do:
Service Abuse
Check Permissions on a service:
For a payload that behaves like a real service use the following skeleton code (create a new c# console application):
Finally modify & restart the service:
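The audit a defender runs to find the service permissions this section abuses, added as an example that is not part of the original notes: parse each service's DACL from `sc.exe sdshow` and report allow ACEs that grant a non-admin trustee a right that lets it reconfigure, delete or re-ACL the service. SDDL codes and well-known trustee abbreviations are Microsoft's documented ones; the function names are my own.

```powershell
# Added example (not part of the original notes): parse each service's DACL from
# "sc.exe sdshow" and report ACEs that let a non-admin trustee take the service over.

# SDDL access-right codes that allow reconfiguring or taking ownership of a service.
$DangerousServiceRights = @{
    DC = 'SERVICE_CHANGE_CONFIG'   # change binPath / logon account
    WD = 'WRITE_DAC'               # rewrite the service's own DACL
    WO = 'WRITE_OWNER'
    SD = 'DELETE'
    GA = 'GENERIC_ALL'
    GW = 'GENERIC_WRITE'           # includes SERVICE_CHANGE_CONFIG for service objects
}
# The same rights when sc.exe prints the mask as a hex number instead of codes.
$DangerousMaskBits = @{ 0x2 = 'DC'; 0x10000 = 'SD'; 0x40000 = 'WD'; 0x80000 = 'WO';
                        0x40000000 = 'GW'; 0x10000000 = 'GA' }
# Well-known SDDL trustee abbreviations.
$WellKnownTrustees = @{
    SY = 'NT AUTHORITY\SYSTEM'; BA = 'BUILTIN\Administrators'; BU = 'BUILTIN\Users'
    AU = 'NT AUTHORITY\Authenticated Users'; WD = 'Everyone'; IU = 'NT AUTHORITY\INTERACTIVE'
    SU = 'NT AUTHORITY\SERVICE'; LS = 'NT AUTHORITY\LOCAL SERVICE'; NS = 'NT AUTHORITY\NETWORK SERVICE'
    AN = 'NT AUTHORITY\ANONYMOUS LOGON'
}

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Only the DACL ("D:" followed by flags and "(...)" ACEs) matters here.
    if ($Sddl -notmatch 'D:(?<flags>[A-Z]*)(?<aces>(?:\([^)]*\))*)') { return }
    $aces = $Matches['aces']
    $acePattern = '\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]*)\)'
    foreach ($m in [regex]::Matches($aces, $acePattern)) {
        $rightsText = $m.Groups['rights'].Value
        $rights = if ($rightsText -like '0x*') {
            $mask = [int64]$rightsText
            @($DangerousMaskBits.Keys | Where-Object { ($mask -band $_) -ne 0 } |
                ForEach-Object { $DangerousMaskBits[$_] })
        } else {
            @([regex]::Matches($rightsText, '..') | ForEach-Object { $_.Value })   # two-letter codes
        }
        $sid = $m.Groups['sid'].Value
        $trustee = if ($WellKnownTrustees.ContainsKey($sid)) { $WellKnownTrustees[$sid] }
                   elseif ($sid -like 'S-1-*') {
                       try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                                 [System.Security.Principal.NTAccount]).Value }
                       catch { $sid }
                   } else { $sid }
        [pscustomobject]@{
            Type        = $m.Groups['type'].Value      # A = allow, D = deny
            Trustee     = $trustee
            TrusteeCode = $sid
            Rights      = $rights
            Dangerous   = @($rights | Where-Object { $DangerousServiceRights.ContainsKey($_) })
        }
    }
}

function Find-WeakServiceAcl {
    foreach ($svc in Get-Service) {
        $out = & sc.exe sdshow $svc.Name 2>$null
        if ($LASTEXITCODE -ne 0) { continue }           # access denied or no such service
        $sddl = $out | Where-Object { $_ -match '^\s*[DOGS]:' } | Select-Object -First 1
        if (-not $sddl) { continue }
        ConvertFrom-ServiceSddl -Sddl $sddl.Trim() |
            Where-Object { $_.Type -eq 'A' -and $_.Dangerous.Count -gt 0 -and
                           $_.TrusteeCode -notin 'SY', 'BA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Service   = $svc.Name
                    Trustee   = $_.Trustee
                    Dangerous = ($_.Dangerous -join ',')
                }
            }
    }
}

# Usage: Find-WeakServiceAcl | Format-Table -AutoSize
```

A hit for Everyone, Authenticated Users or Users is the misconfiguration this section relies on and should be fixed by resetting the DACL (sc.exe sdset with a descriptor that only grants those rights to SYSTEM and Administrators). A hit for a service-specific account is a review item rather than an automatic finding.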
Always Install Elevated
Create a MSI Installer in Visual Studio. Skeleton:
Set the output type to WindowsApplication, add a new project to the solution (of type SetupWizard). Make sure it includes "primary output from <project>". Modify the settings as you need. To make sure it gets installed, right-click on the installer project: View->CustomActions. Then add a custom action to Install that contains the primary output from before.
Finally run:
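Configuration audit covering both the "Bypassing UAC" and "Always Install Elevated" sections, added as an example (not part of the original notes): report the UAC level, report whether AlwaysInstallElevated is effective (it needs the value set to 1 in both HKLM and HKCU), and reset it. The registry paths and value meanings are documented Windows policy settings; the function names are my own.

```powershell
# Added example (not part of the original notes): report the UAC level and the
# AlwaysInstallElevated policy, and reset AlwaysInstallElevated.

function Get-UacSetting {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = always prompt ("Always notify"),
    # 5 = prompt only for non-Windows binaries (the default). Auto-elevation of signed
    # Microsoft binaries, which most UAC bypass collections build on, only happens
    # below "Always notify".
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = ($p.EnableLUA -eq 1 -and
                                      $p.ConsentPromptBehaviorAdmin -eq 2 -and
                                      $p.PromptOnSecureDesktop -eq 1)
    }
}

$InstallerPolicy = 'Software\Policies\Microsoft\Windows\Installer'

function Test-AlwaysInstallElevated {
    # The policy only takes effect when the value is 1 in BOTH hives.
    $machine = (Get-ItemProperty -Path "HKLM:\$InstallerPolicy" -Name AlwaysInstallElevated `
                    -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $user    = (Get-ItemProperty -Path "HKCU:\$InstallerPolicy" -Name AlwaysInstallElevated `
                    -ErrorAction SilentlyContinue).AlwaysInstallElevated
    [pscustomobject]@{
        MachinePolicy = $machine
        UserPolicy    = $user
        Effective     = ($machine -eq 1 -and $user -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    # Sets both values to 0 locally. HKCU only covers the current user, so in a domain
    # the durable fix is the GPO "Always install with elevated privileges" = Disabled
    # under both Computer Configuration and User Configuration.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\$InstallerPolicy"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
    Test-AlwaysInstallElevated
}

# Usage (elevated prompt):
#   Get-UacSetting
#   Test-AlwaysInstallElevated
#   Disable-AlwaysInstallElevated
```

Get-UacSetting and Test-AlwaysInstallElevated read only and work from a normal prompt; Disable-AlwaysInstallElevated writes HKLM and therefore needs elevation.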
Restoring Service Privileges
Stealing Machine Account Hash from a Low Privileged Shell
Via Defender
Run Windows Defender vs. SMB share to get the machine account hash:
This hash can be cracked via crack.sh, or if the target is a DC, we can pass the hash to secretsdump (requires NT hash support (deprecated)).
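The defensive counterpart to the Defender trick above, added as an example that is not part of the original notes: the scan only leaks the machine account hash if the host is allowed to speak SMB/NTLM to the attacker's box, so report the outgoing-NTLM restriction, add a Windows Firewall rule blocking outbound SMB, and list blocked outbound SMB attempts from the Security log. Registry path, cmdlets and event id are the standard Windows ones; the function names and the rule's display name are my own.

```powershell
# Added example (not part of the original notes): report the outgoing-NTLM policy,
# block outbound SMB with a firewall rule, and list blocked outbound SMB attempts.

function Get-OutboundNtlmPolicy {
    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    $v = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
              -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $meaning = switch ($v) {
        0       { 'Allow all' }
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { 'Not configured (allow all)' }
    }
    [pscustomobject]@{ RestrictSendingNTLMTraffic = $v; Meaning = $meaning }
}

function Add-OutboundSmbBlockRule {
    # Block outbound SMB (445) and NetBIOS session (139). Windows Firewall applies block
    # rules before allow rules, so scope the block with -RemoteAddress (e.g. the ranges
    # outside the corporate network) or a profile rather than "allowing" trusted hosts.
    param(
        [string[]]$RemoteAddress = 'Any',
        [string]$FirewallProfile = 'Public'
    )
    New-NetFirewallRule -DisplayName 'Block outbound SMB' -Direction Outbound -Protocol TCP `
        -RemotePort 445, 139 -RemoteAddress $RemoteAddress -Profile $FirewallProfile -Action Block
}

function Get-BlockedOutboundSmb {
    # Event 5157 (WFP blocked a connection) is only logged once auditing is enabled:
    #   auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents $MaxEvents `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # %%14593 is the outbound direction in this event's message table.
            if ($d.Direction -eq '%%14593' -and $d.DestPort -in '445', '139') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Application = $d.Application      # the process that tried to connect
                    Destination = "$($d.DestAddress):$($d.DestPort)"
                }
            }
        }
}

# Usage (elevated prompt):
#   Get-OutboundNtlmPolicy
#   Add-OutboundSmbBlockRule -RemoteAddress 'Any' -FirewallProfile 'Public'
#   Get-BlockedOutboundSmb | Format-Table -AutoSize
```

A blocked outbound 445 attempt whose Application is the Defender scanning engine or another SYSTEM service, to an address outside the internal ranges, is exactly the signal to look for. Setting RestrictSendingNTLMTraffic to 2 (Deny all) closes the NTLM side regardless of port, but test it first because legitimate NTLM to file servers breaks too.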
Tools