Windows Privilege escalation

5 minute read

Password Searching

Starting with a simple but really helpful method which is searching for files named with specific names like “Password” across the entire drive using the command

dir /b /a /s C:\ > cdir.txt 

Intersting files

install, backup, .bak, .log, .bat, .cmd, .vbs, .cnf, 
.conf, .ini, .xml, .txt, .gpg, .pgp, .p12, .der, .csr
.cer, id_rsa, id_dsa, .ovpn, vnc, ftp, ssh, vpn git, .kdbx, .db
unattended.xml
unattend.xml
Sysprep.inf
sysprep.xml
VARIABLES.DAT
setupinfo
setupinfo.bak
web.config
SiteList.xml
.aws\credentials
.azure\accessToken.json
.azure\azureProfile.json
gcloud\credentials.db
gcloud\legacy_credentials
gcloud\access_tokens.db

Word Search in the registry

reg query HKLM /f password "or any word" /c REG_SZ /s
reg query HKCU /f password "or any word" /c REG_SZ /s

Credential Manager

It’s a windows utility that is used to store some credentials in windows apps like email or domain or other things.

you can view it using the command…

cmdkey /list

Although you can’t view those saved credentials you can use the option “/savecred” to use that saved credentials.

So let us assume that the admin credentials are stored there, then you can use the following command to get an admin cmd.

runas /savecred /user:admin cmd.exe

Credential Prompt

you can also just show a prompt for the user asking for the credentials using the following PowerShell one-liner “Don’t forget to customize it for your target”

$Cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $Cred.GetNetworkCredential().Password

Unsecured Service Path

The service here is meant to be unsecured if its path name is unquoted and contains white space because windows once reach a white space in the string will treat the string before as the end of the path and will not continue until that string is not found, so you can use this trick to make it loads your executable as a service. “should have permission to write there” To enumerate services…

wmic service get name,displayname,pathname, startmode | findstr /i "auto" | findstr /i /v "c:windows\\" |findstr /i /v """

Unsecured Service Configuration

You can check the services that can be modified by a non-privileged user or group using the sysinternal tool “accesschk.exe”

accesschk.exe -accepteula -wu vc "users" *
accesschk.exe -accepteula -k vuqsw hklm\System\CurrentControlSet\Services

Unsecure File Permission

You can check for files that are writable by regular users

accesschk.exe -accepteula -wus "users" C:\*.* > result.txt 

PATH Hijacking

You can query the system PATH using the command

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"

If there is a controllable path in this list placed at the beginning of the search order you can make the system runs your own binaries instead of the actual ones.

Missing Tasks

IN Environment that relies on automating work using task schedular that is very common to find tasks linked with binaries that are not presented or deleted or whatever reason for it to be not there, you can use “autorunsc64.exe” from Sysinternals to check for them using the command…

autorunsc64.exe -a t | more

And once found one of those tasks you can view its details using the command…

 schtasks /query /tn "task name" /xml

Missing Services

The previously described problem in the Missing tasks section is also applied to Services.

autorunsc64.exe -a s | more

And once found one of those services you can view its details using the command…

sc qc "Service name"

DLL Hijacking

Once you are in the device then you have knowledge about the applications that are presented on this device, one way to find a way to escalate your privilege is to test the privileged applications used on the machine on your own machine looking for DLL hijacking vulnerabilities.

So What’s DLL hijacking vulnerability?!

Once an application starts it tries to load its needed libraries, the vulnerability here comes when the app search order is looking for that library in a place we control before the actual place of the library and we can easily spot that using the Sysinternals tool “Procmon” using a good filter will make the process goes quickly.”Don’t forget to implement the actual functionality needed by the application on your malicious dll to prevent the app from crashing”.

UAC bypass

UAC bypass methods usually result in hijacking the normal execution flow of an elevated application by spawning a malicious child process or loading a malicious module inheriting the elevated integrity level of the targeted application.

There is a Project on GitHub called “UACME” which is a great source always updated with new techniques and information about every technique, you just have to choose the right one for your situation. “Be careful from being detected by anti-virus products, for that you can take the logic of the code and implement that in your malware with your own evasion techniques to evade easy detection”.

AlwaysInstallElevated

AlwaysInstallElevated is used by windows installers to install msi files when it is set you can install msi files with elevated privileges. you can check if it’s enabled in two registry keys” both of them need to be set”.

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

you can use several tools like “MSI Wrapper” to create msi from your executable. And you can run it using the following command…

msiexec /quiet /qn /i "msi path"

Leaked handles

When a privileged process spawns a non-privileged child with “CreateProcessAsUser” API and set the “INHERIT” flag to true, the child can now use all the handles of the parent process and as we have the same privileges as the non-privileged process we can inject code to it and use those handles too. We can view the creation of new processes using Sysinternals tools like “Procmon” or “ApiMonitor”.

Admin to System

Creating Service

If you already have admin privileges and want to escalate to a system you can create a new service and query it to see what privileges it has, it may be assigned to the system privileges automatically. you can add and query services using the command…

sc create "service name" binpath="service path"
sc qc "service name"

Abusing Tokens

If you have admin privileges and need to have system privileges you can use the “SeDebug” privilege to extract Tokens from system processes “except protected processes” and create a new process with that tokens

Categories:

Updated: