Windows
Manual Enumeration Cheatsheet: PayloadAllTheThings
Network info
Protections (Antivirus, ...)
Windows Defender:
AppLocker
Test AppLocker policy
Initial Enumeration
Running applications
Environment Variables
Configuration information (OS Version, Patch dates, ...)
Hotfixes for known CVEs
Check the last restart time, which may also indicate when the last update was installed
Alternative commands to systeminfo
Installed Programs
LaZagne to check for saved credentials
Display Running Processes
We may find a vulnerable service only accessible to the local host (when logged on to the host) that we can exploit to escalate privileges.
Logged in users
Current User
Current User Privileges
Current User Group Information
Get All Users
Get All Groups
Details about a group
Get Password Policy and Other Account Information
Listing Named Pipes
pipelist is from Sysinternals; alternatively, use PowerShell:
Another Sysinternals tool: accesschk
PrivescCheck Script
Building: powershell -ep bypass -c ". .\build\Build.ps1; Invoke-Build" (remember the dot sourcing!)
Dangerous Permissions
Further information can be found here.
SeImpersonate or SeAssignPrimaryToken
JuicyPotato can be used to exploit the SeImpersonate or SeAssignPrimaryToken privileges via DCOM/NTLM reflection abuse.
Example of JuicyPotato from an MSSQL shell:
-l is the COM server listening port, -p is the program to launch (cmd.exe), -a is the argument passed to cmd.exe, and -t is the createprocess call. We are telling the tool to try both the CreateProcessWithTokenW and CreateProcessAsUser functions, which need the SeImpersonate or SeAssignPrimaryToken privileges respectively.
JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer and RoguePotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access. This blog post goes in-depth on the PrintSpoofer tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
Example using PrintSpoofer from an MSSQL shell:
Both of the above examples require xp_cmdshell to be enabled. Impacket's MSSQL tool does this by simply running the command enable_xp_cmdshell.
SeDebugPrivilege
We can use ProcDump from the Sysinternals suite to leverage this privilege and dump process memory. A good candidate is the Local Security Authority Subsystem Service (LSASS) process, which stores user credentials after a user logs on to a system.
Once we have the dump file, we can load it in Mimikatz using the sekurlsa::minidump command. After issuing the sekurlsa::logonPasswords command, we gain the NTLM hash of the local administrator account logged on locally.
Suppose we are unable to load tools on the target for whatever reason but have RDP access. In that case, we can take a manual memory dump of the LSASS process via the Task Manager by browsing to the Details tab, choosing the LSASS process, and selecting Create dump file.
Mimikatz commands:
Transfer this PoC script over to the target system. Next, we load the script and run it with the following syntax: [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>,""). Note that we must add a third blank argument "" at the end for the PoC to work properly.
The PoC script has received an update. Please visit its GitHub repository and review its usage: https://github.com/decoder-it/psgetsystem
First, open an elevated PowerShell console (right-click, run as admin, and type in the credentials for the jordan user). Next, type tasklist to get a listing of running processes and their accompanying PIDs.
SeTakeOwnershipPrivilege
SeTakeOwnershipPrivilege grants a user the ability to take ownership of any "securable object", meaning Active Directory objects, NTFS files/folders, printers, registry keys, services, and processes.
Abusing this privilege is a bit of an edge case. Still, it is worth understanding in-depth, especially since we may also find ourselves in a scenario in an Active Directory environment where we can assign this right to a specific user that we can control and leverage it to read a sensitive file on a file share.
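A defender-side check for the Dangerous Permissions section above, added here as an example and not part of the original cheatsheet: it parses the [Privilege Rights] section of a secedit user-rights export and flags any account holding SeImpersonate, SeAssignPrimaryToken, SeDebug or SeTakeOwnership beyond an assumed default baseline. The baseline SIDs are an assumption (adjust to your own hardened baseline) and the sample export is constructed.

```python
"""Audit which accounts hold the token privileges discussed above.
Input: the [Privilege Rights] section of a local policy export, e.g. from
  secedit /export /cfg rights.inf /areas USER_RIGHTS
(the real file is UTF-16; the sample below is constructed inline)."""

# Assumed baseline: holders of each right on a default member server.
# Adjust to your own hardened baseline before relying on the results.
BASELINE = {
    "SeImpersonatePrivilege": {"S-1-5-32-544", "S-1-5-6", "S-1-5-19", "S-1-5-20"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
    "SeDebugPrivilege": {"S-1-5-32-544"},
    "SeTakeOwnershipPrivilege": {"S-1-5-32-544"},
}

def parse_privilege_rights(inf_text):
    """Return {privilege: set(holders)} from the [Privilege Rights] section.
    secedit prefixes each SID with '*'; names that are not SIDs are kept
    verbatim so they get flagged rather than silently dropped."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
    return rights

def find_nondefault_holders(inf_text, baseline=BASELINE):
    """Return {privilege: set(holders)} for holders outside the baseline."""
    rights = parse_privilege_rights(inf_text)
    return {priv: rights.get(priv, set()) - expected
            for priv, expected in baseline.items()
            if rights.get(priv, set()) - expected}

# Constructed sample: a made-up domain account SID has been granted
# SeImpersonatePrivilege and SeDebugPrivilege in addition to the defaults.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeTakeOwnershipPrivilege = *S-1-5-32-544
"""

if __name__ == "__main__":
    for priv, holders in sorted(find_nondefault_holders(SAMPLE_INF).items()):
        print(f"{priv}: non-default holders {sorted(holders)}")
```

Any account reported here can reach SYSTEM through the techniques listed in this section, so each extra holder should be justified or removed, and token-privilege use by those accounts is worth alerting on.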