title: Windows Privilege Escalation ~ Details categories: [cheatsheets]
Get as much information about the system as possible.
For example:
Detailed commands to extract this information can be found in:
cmd> wmic qfe get Caption,Description,HotFixID,InstalledOn
// Important: check the KB IDs for known Windows privilege escalation vulnerabilities
// eg: KiTrap0D (KB979682), MS11-011 (KB2393802), MS10-059 (KB982799), MS10-021 (KB979683), MS11-080 (KB2592799)
// Grep the wmic output for those KB numbers, and hope they are not in there...
* cmd> wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
Windows exploit-checker script:
-> contain passwords, licence keys...
Paths to look out for:
C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
// Modules
Powersploit-module: Get-UnattendedInstallFile
Metasploit-module: post/windows/gather/enum_unattend
This is used to add local users via a domain account. Passwords are encrypted with AES -> Key was published on MSDN ;)
Following locations:
\domain\SYSVOL\...\Groups.xml
// Modules
Powersploit-module: Get-CachedGPPPassword
Metasploit-module: post/windows/gather/credentials/gpp
This registry key, if set, lets unprivileged users install .msi files as NT AUTHORITY\SYSTEM. Dafuq?? Check the following registry keys: (both must be checked, BUT! if HKLM is checked, you can enable the HKCU one yourself)
cmd> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
cmd> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
// Modules
Powersploit-module: Get-RegistryAlwaysInstallElevated
Metasploit-module: exploit/windows/local/always_install_elevated
The command below will search the file system for file names containing certain keywords. You can specify as many keywords as you wish.
cmd> dir /s *pass* == *cred* == *vnc* == *.config*
Search certain file types for a keyword; this can generate a lot of output.
cmd> findstr /si password *.xml *.ini *.txt
Similarly, the two commands below can be used to grep the registry for keywords, in this case "password".
cmd> reg query HKLM /f password /t REG_SZ /s
cmd> reg query HKCU /f password /t REG_SZ /s
Credentials can be saved in the registry to log in automatically at Windows start.
Powersploit: Get-RegistryAutoLogon
Get services with a space in the path and no quotes
Powersploit-module: Get-ServiceUnquoted
Metasploit-module: exploit/windows/local/trusted_service_path
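As an added example (not part of the original cheatsheet, and not PowerSploit's or Metasploit's code), the check behind Get-ServiceUnquoted written out in Python over a constructed list of service image paths: it lists the executables Windows would try for an unquoted path and the directories whose write ACLs an administrator should verify. Only paths and arguments after a space are distinguished; environment-variable expansion is not handled.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed sample rows in the shape of `wmic service get Name,PathName`
# output; none of these come from a real host.
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("GoodSvc",  r'"C:\Program Files\Good Vendor\svc.exe" -run'),
    ("BadSvc",   r"C:\Program Files\Bad Vendor\Tools\agent.exe -k"),
    ("SysSvc",   r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("EmptySvc", ""),
]


def candidate_paths(pathname: str) -> List[str]:
    """Executables Windows would try, in order, for an unquoted image path:
    every prefix ending just before a space (with .exe appended), stopping at
    the first token that ends in .exe. A quoted path yields only that file."""
    p = pathname.strip()
    if not p:
        return []
    if p.startswith('"'):
        return [p[1:].split('"', 1)[0]]  # text between the quotes
    tokens = p.split(" ")
    candidates: List[str] = []
    for i in range(len(tokens)):
        prefix = " ".join(tokens[: i + 1])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def is_unquoted_with_space(pathname: str) -> bool:
    """True when the path itself (not merely its arguments) contains a space
    and is unquoted, i.e. more than one location would be tried."""
    return len(candidate_paths(pathname)) > 1


def audit_services(services: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each affected service to the directories that must not be writable
    by ordinary users: the parent of every file tried before the real one."""
    findings: Dict[str, List[str]] = {}
    for name, pathname in services:
        cands = candidate_paths(pathname)
        if len(cands) > 1:
            dirs: List[str] = []
            for c in cands[:-1]:
                d = ntpath.dirname(c)
                if d not in dirs:
                    dirs.append(d)
            findings[name] = dirs
    return findings
```

On a live host, feed it the `Name,PathName` columns of `wmic service get Name,PathName` instead of SAMPLE_SERVICES.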
Look out for services where the current user has write access to the path of the binary. Exploit: replace the binary with your own exe.
Powersploit-module: Get-ModifiableServiceFile
Metasploit-module: [..]
Look out for services where the current user has access to the service itself. Exploit: change the path of the service executable to your own exe.
Powersploit-module: Get-ModifiableService
Metasploit-module: [..]
Search for an executable that loads a DLL from a path you can write to, or one that loads a DLL from a path where you have write access to a directory earlier in the DLL search order.
Example: a file loads the DLL custom.dll, which is located in C:\Windows\System32
The following passwords are stored on a Windows machine:
-> pretty much everything can be captured using mimikatz