Privilege Escalation
Windows Privilege Escalation
Checking token privileges
Tokens
Each user logged onto the system holds an access token with security information for that logon session. The system creates an access token when the user logs on. Every process executed on behalf of the user has a copy of the access token. The token identifies the user, the user's groups, and the user's privileges. A token also contains a logon SID (Security Identifier) that identifies the current
📢 Found interesting token? →
Systeminfo
Check whether the Windows version has any known vulnerability (also check which patches have been applied). From: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#system-info
Finding exploits
Find Exploits for version:
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
PowerShell history
PowerShell saves a history of the commands typed in a console under AppData, which may contain interesting data or information.
Find groups and users
Check whether any of the groups you belong to have interesting permissions.
Commands to do so
Privileged group?
📢 If you **belong to a privileged group, you may be able to escalate privileges**. Learn about privileged groups and how they can be abused to escalate privileges here: [Privileged Groups](https://www.notion.so/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges)
Backup Operators group?
Using BackupOperatorToDA, membership of this group can be abused remotely.
Unquoted service path
If the path to a service executable is not enclosed in quotes, Windows will try, in order, every prefix of the path that ends before a space. For example, for the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:
To list all unquoted service paths (minus built-in Windows services)
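As an added illustration (not part of the original notes), the Python below reproduces the search order Windows applies to an unquoted ImagePath and audits a constructed set of service entries, skipping built-in services under C:\Windows as the listing above does. The service names and paths are made up for the example; the remediation shown is simply quoting the executable portion of the path.

```python
import re

# Constructed sample of service ImagePath values (the value Windows stores under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath); none are real services.
SAMPLE_SERVICES = {
    "GoodSvc": '"C:\\Program Files\\Good Vendor\\svc.exe" -run',
    "BadSvc": "C:\\Program Files\\Some Folder\\Service.exe",
    "BadSvcArgs": "C:\\Program Files\\Other Vendor\\agent.exe --service",
    "NoSpaceSvc": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "BuiltinWithSpace": "C:\\Windows\\Some Dir\\builtin.exe",
}

_EXE_RE = re.compile(r"(.*?\.exe)", re.IGNORECASE)


def split_image_path(image_path):
    """Split an ImagePath into (executable, arguments).

    A quoted path ends at the closing quote; an unquoted one is taken up to the
    first '.exe', the ambiguous form that CreateProcess has to resolve.
    """
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end], p[end + 1:]
    m = _EXE_RE.match(p)
    if m:
        return m.group(1), p[m.end():]
    head = p.split(" ")[0]
    return head, p[len(head):]


def search_order(image_path):
    """Files CreateProcess would try, in order, for an unquoted executable path.

    It stops at each space and appends '.exe' when the prefix has no extension,
    so C:\\Program Files\\Some Folder\\Service.exe is tried as
    C:\\Program.exe, then C:\\Program Files\\Some.exe, then the real path.
    """
    exe, _args = split_image_path(image_path)
    if image_path.strip().startswith('"'):
        return [exe]
    parts = exe.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if not prefix.lower().endswith(".exe"):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def is_unquoted_with_spaces(image_path):
    """True when the path is unquoted and the executable portion contains a space."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    exe, _ = split_image_path(p)
    return " " in exe


def audit(services, skip_prefix="c:\\windows\\"):
    """Return {service: candidate files} for every unquoted path with spaces,
    skipping built-in services under C:\\Windows like the listing above does."""
    findings = {}
    for name, image_path in services.items():
        exe, _ = split_image_path(image_path)
        if exe.lower().startswith(skip_prefix):
            continue
        if is_unquoted_with_spaces(image_path):
            findings[name] = search_order(image_path)
    return findings


def quote_image_path(image_path):
    """Remediation: wrap the executable in quotes and keep the arguments as they were."""
    p = image_path.strip()
    if p.startswith('"'):
        return p
    exe, args = split_image_path(p)
    return f'"{exe}"{args}'


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path, Windows would try:")
        for c in candidates:
            print("   ", c)
        print("    fix:", quote_image_path(SAMPLE_SERVICES[name]))
```

Every candidate before the real executable is a location an attacker would need write access to; the audit therefore pairs naturally with a check of the ACLs on those parent directories, and the fix is to quote the ImagePath value.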
Installed software
Check the permissions of the binaries (you may be able to overwrite one and escalate privileges) and of their folders (DLL hijacking).
Winlogon Credentials
List autologon credentials:
Credentials to other account
We can use RunasCs.exe to execute commands with those credentials and send us a shell: https://github.com/antonioCoco/RunasCs
BloodHound
Got access to at least one domain account? Then you can use BloodHound to list possible privilege escalation paths.
BloodHound.py
It is recommended to run BloodHound.py first, before running a script or executable (SharpHound) on the target system: https://github.com/fox-it/BloodHound.py. This script can be used remotely.
SharpHound.exe
We can use SharpHound.exe to gather the information locally on the system:
Automatic scan (winpeas)
We can use https://github.com/carlospolop/PEASS-ng to automatically scan the system for possible misconfigurations.
Firefox credentials through profiles
From Program Files on the target it can be determined that Firefox is installed. The user nikk37 may have a Firefox profile containing a key database; with this key we can decrypt any saved credentials. The default profile path on Windows is “%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\”.
You need two files:
Then decrypt the passwords in logins.json with the key from key4.db using https://github.com/lclevy/firepwd
SQL server locally
If sqlcmd is available, we can use this to connect to a database running locally.
Check if sqlcmd is available
Connecting to db using credentials
Finding tables
Dumping tables
Listing files recursively (finding creds in files)
We can list files recursively in order to find credentials stored in, for example, PHP files:
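As an added example (not part of the original notes), the Python below walks a directory tree and flags lines that look like stored credentials, redacting the value so the report can be shared. The directory, file names and contents are constructed for the demonstration and the single regular expression is deliberately simple; a real audit of secrets at rest would use a tuned ruleset.

```python
import os
import re
import tempfile

# Extensions worth reading; binaries are skipped to keep the scan cheap and quiet.
TEXT_EXTENSIONS = {".php", ".ini", ".config", ".xml", ".txt", ".ps1", ".json", ".env"}

# One deliberately simple pattern: a password-like key followed by = or : and a value.
# Constructed for this example, not a vetted ruleset; tune it for your environment.
SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|db_pass)['\"]?\s*[=:]\s*['\"]?([^'\"\s;]+)"
)


def scan_line(line):
    """Return (key, redacted value) when a line looks like a stored credential, else None."""
    m = SECRET_RE.search(line)
    if not m:
        return None
    value = m.group(2)
    # Keep two characters so a reviewer can recognise the value without the report leaking it.
    redacted = value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)
    return m.group(1), redacted


def scan_tree(root):
    """Walk root recursively; return [(relative path, line number, key, redacted value)]."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    for lineno, line in enumerate(fh, 1):
                        found = scan_line(line)
                        if found:
                            rel = os.path.relpath(path, root).replace(os.sep, "/")
                            hits.append((rel, lineno, found[0], found[1]))
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
    return hits


def build_demo_tree():
    """Create a throwaway directory of constructed files and return its path."""
    root = tempfile.mkdtemp(prefix="credscan_")
    files = {
        "inetpub/wwwroot/config.php": "<?php\n$db_user = 'app';\n$db_pass = 'S3cret!';\n",
        "app/web.config": '<add name="Main" connectionString="Server=db;User Id=sa;Password=Winter2024;" />\n',
        "docs/notes.txt": "The password policy requires 12 characters.\n",  # decoy: no value
        "bin/agent.dll": "MZ\x90\x00binary\n",  # skipped by extension
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, lineno, key, redacted in scan_tree(demo_root):
        print(f"{rel}:{lineno}: {key} = {redacted}")
```

Run against a web root or application directory, each hit is a file whose ACL and contents deserve review: credentials found this way belong in a secret store or a DPAPI-protected configuration, not in plain text readable by the service account.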
Group Managed Service Accounts (gMSAs)
https://notes.qazeer.io/active-directory/exploitation-gms_accounts
Listing Windows Defender Exclusions:
Exporting SAM and SYSTEM for hashes:
Disable Windows Defender