Privilege Escalation

Windows Privilege Esclation

Checking token privileges

whoami /all

Or

whoami /priv

Tokens

Each user logged onto the system holds an access token with security information for that logon session. The system creates an access token when the user logs on. Every process executed on behalf of the user has a copy of the access token. The token identifies the user, the user's groups, and the user's privileges. A token also contains a logon SID (Security Identifier) that identifies the current

📢 Found interesting token? →

Abusing Tokens - HackTricksbook.hacktricks.xyz

Systeminfo

Check if the Windows version has any known vulnerability (check also the patches applied). From: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#system-info

Finding exploits

Find Exploits for version:

https://github.com/AonCyberLabs/Windows-Exploit-Suggester

PowerShell history

PowerShell saves a history of specified commands in AppData which may lead to interesting data or information.

Find groups and users

You should check if any of the groups where you belong have interesting permissions

Commands to do so

Privileged group?

📢 If you **belongs to some privileged group you may be able to escalate privileges**. Learn about privileged groups and how to abuse them to escalate privileges here: [Privileged Groups](https://www.notion.so/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges)

Backup Operators group?

Using BackupOperatorToDA, we can exploit the group remotely.

GitHub - mpgn/BackupOperatorToDA: From an account member of the group Backup Operators to Domain Admin without RDP or WinRM on the Domain ControllerGitHub

Unquoted service path

If the path to an executable is not inside quotes, Windows will try to execute every ending before a space. For example, for the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:

• To list all unquoted service paths (minus built-in Windows services)

Installed software

Check permissions of the binaries (maybe you can overwrite one and escalate privileges) and of the folders (DLL).

Winlogon Credentials

List autologon credentials:

Credentials to other account

We can use RunasC.exe to execute commands with their credentials and send us a shell https://github.com/antonioCoco/RunasCs

BloodHound

Got access to at least one domain account? Then you can use BloodHound to list possible PE paths.

BloodHound.py

It is recommended to use BloodHound.py first before running a script or executable (SharpHound) on the system. https://github.com/fox-it/BloodHound.py. We can use this script remotely.

SharpHound.exe

We can use SharpHound to gather information locally with Sharphound:

Automatic scan (winpeas)

We can use https://github.com/carlospolop/PEASS-ng to automatically scan the system for possible misconfigurations.

Firefox credentials trough profiles

From the programfiles on the target, can be detriment that FireFox is installed. It is possible that the user nikk37 has a firefox profile with a db key. With this key we can decrypt any saved credentials. The path for the profile is default in “%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\” for Windows.

You need two files:

Then decrypt the passwords in logins.json with the key4.db with https://github.com/lclevy/firepwd

SQL server locally

If sqlcmd is available, we can use this to connect to a database running locally.

Check is sqlcmd is available

Connecting to db using credentials

Finding tables

Dumping tables

Listing files recursively (finding creds in files)

We can list files recursively in order to find credentials stored in for example, php files:

gMS accounts (gMSAs)

https://notes.qazeer.io/active-directory/exploitation-gms_accounts

Listing Windows Defender Exclusions:

Exporting SAM and SYSTEM for hashes:

Disable Windows Defender