├── Author
│   └── Author.md
├── Privsecstuff
│   ├── AboutPrivilegeescalation.md
│   ├── Privilege escalation techniques.md
│   ├── README.md
│   ├── Real-timePrivilegeEscalationBugs.md
│   ├── The accounts and names of windows privileges.md
│   └── the blog posts.md
└── README.md

/Author/Author.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Privsecstuff/AboutPrivilegeescalation.md:
--------------------------------------------------------------------------------
#### Privilege Escalation
The adversary is trying to gain higher-level permissions.

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:
• SYSTEM/root level
• local administrator
• user account with admin-like access
• user accounts with access to a specific system or that perform a specific function

These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.
--------------------------------------------------------------------------------
/Privsecstuff/Privilege escalation techniques.md:
--------------------------------------------------------------------------------
#### Privilege escalation techniques

Note: This is the most useful page you've ever seen to develop your privilege escalation skills

## Access Token Manipulation
Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.[1]

Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.[2]

Access tokens can be leveraged by adversaries through three methods:[3]

Token Impersonation/Theft - An adversary creates a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread. This is useful for when the target user has a non-network logon session on the system.

Create Process with a Token - An adversary creates a new access token with DuplicateToken(Ex) and uses it with CreateProcessWithTokenW to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.

Make and Impersonate Token - An adversary has a username and password but the user is not logged onto the system. The adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.

Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account.
Metasploit’s Meterpreter payload allows arbitrary token manipulation and uses token impersonation to escalate privileges.[4] The Cobalt Strike beacon payload allows arbitrary token impersonation and can also create tokens. [5]

-----------------------------------------------------------------------------------------------------------

## Accessibility Features
Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times, and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]

Depending on the version of Windows, an adversary may take advantage of these features in different ways because of code integrity enhancements. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\, and it must be protected by Windows File or Resource Protection (WFP/WRP). [2] The debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. Examples for both methods:

For simple binary replacement on Windows XP and later as well as Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. [3]

For the debugger method on Windows Vista and later as well as Windows Server 2008 and later, for example, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for the accessibility program (e.g., "utilman.exe"). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with RDP will cause the "debugger" program to be executed with SYSTEM privileges. [3]

Other accessibility features exist that may also be leveraged in a similar fashion: [2]
On-Screen Keyboard: C:\Windows\System32\osk.exe
Magnifier: C:\Windows\System32\Magnify.exe
Narrator: C:\Windows\System32\Narrator.exe
Display Switcher: C:\Windows\System32\DisplaySwitch.exe
App Switcher: C:\Windows\System32\AtBroker.exe

-------------------------------------------------------------------------------------------------

## File System Permissions Weakness
Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

Services

Manipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.

Executable Installers

Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of DLL Search Order Hijacking. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to Bypass User Account Control. Several examples of this weakness in existing common installers have been reported to software vendors. [1] [2]

----------------------------------------------------------------
--------------------------------------------------------------------------------
/Privsecstuff/README.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Privsecstuff/Real-timePrivilegeEscalationBugs.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Privsecstuff/The accounts and names of windows privileges.md:
--------------------------------------------------------------------------------
| The names of user rights |
| - |
| SeTrustedCredManAccessPrivilege |
| SeNetworkLogonRight |
| SeTcbPrivilege |
| SeMachineAccountPrivilege |
| SeIncreaseQuotaPrivilege |
| SeInteractiveLogonRight |
| SeRemoteInteractiveLogonRight |
| SeBackupPrivilege |
| SeChangeNotifyPrivilege |
| SeSystemtimePrivilege |
| SeTimeZonePrivilege |
| SeCreatePagefilePrivilege |
| SeCreateTokenPrivilege |
| SeCreateGlobalPrivilege |
| SeCreatePermanentPrivilege |
| SeCreateSymbolicLinkPrivilege |
| SeDebugPrivilege |
| SeDenyNetworkLogonRight |
| SeDenyBatchLogonRight |
--------------------------------------------------------------------------------
/Privsecstuff/the blog posts.md:
--------------------------------------------------------------------------------
Have fun!
------------------------------------------------------------------------------

Privilege escalation through Token Manipulation (by hacknpentest.com)
* [Privilege escalation through Token Manipulation](https://hacknpentest.com/privilege-escalation-through-token-manipulation/)

Windows 7 privilege escalation using UAC bypass (by Kapil Verma)
* [Windows 7 privilege escalation using UAC bypass](https://medium.com/@kapilvermarbl/windows-7-privilege-escalation-using-uac-bypass-b08f5523b7de)

Windows Privilege Escalation Fundamentals (by Fuzzysecurity.com)
* [Windows Privilege Escalation Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)

Windows Privilege Escalation Scripts & Techniques (by Rahmat Nurfauzi)
* [Windows Privilege Escalation Scripts & Techniques](https://medium.com/@rahmatnurfauzi/windows-privilege-escalation-scripts-techniques-30fa37bd194)

Windows Privilege Escalation – an approach for penetration testers (by sec-consult.com)
* [Windows Privilege Escalation – an approach for penetration testers](https://sec-consult.com/en/blog/2019/04/windows-privilege-escalation-an-approach-for-penetration-testers/)

Windows Local Privilege Escalation (by hacktricks.xyz)
* [Windows Local Privilege Escalation](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
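An added host audit for the two abuse paths in the Accessibility Features section of Privilege escalation techniques.md (the IFEO "Debugger" value and replacement of the binary in System32). This is example code written for this page, not code from the repository; it assumes an elevated PowerShell session on the audited Windows host and that Get-AuthenticodeSignature validates catalog-signed system binaries (Windows 8.1 and later).

```powershell
function Get-AccessibilityAbuseFindings {
    # The seven accessibility binaries named in the section, all expected to be
    # genuine Microsoft-signed files under %SystemRoot%\System32.
    $binaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'Magnify.exe',
                  'Narrator.exe', 'DisplaySwitch.exe', 'AtBroker.exe')
    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $system32 = Join-Path $env:SystemRoot 'System32'

    foreach ($name in $binaries) {
        $finding = [ordered]@{
            Binary = $name; Debugger = $null; Signature = $null; Signer = $null; Suspicious = $false
        }

        # Debugger method: a "Debugger" value under the binary's IFEO key makes
        # Windows start that program in place of the accessibility feature.
        $ifeoKey = Join-Path $ifeoRoot $name
        if (Test-Path -LiteralPath $ifeoKey) {
            $finding.Debugger = (Get-ItemProperty -LiteralPath $ifeoKey).Debugger
        }

        # Binary replacement method: the genuine file carries a valid Microsoft
        # signature; anything else (or a missing file) means System32 was altered.
        $path = Join-Path $system32 $name
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $finding.Signature = $sig.Status
            $finding.Signer = $sig.SignerCertificate.Subject
        }

        $finding.Suspicious = ($null -ne $finding.Debugger) -or
                              ($finding.Signature -ne 'Valid') -or
                              ($finding.Signer -notlike '*Microsoft*')
        [pscustomobject]$finding
    }
}

Get-AccessibilityAbuseFindings | Format-Table -AutoSize
```

Any row with Suspicious set is the indicator to investigate: a Debugger value that should not exist, or a System32 file that no longer carries Microsoft's signature.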
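An added hardening audit for the Services variant of the File System Permissions Weakness section: it lists services whose executable, or the directory holding it, grants write access to a low-privileged identity. This is example code written for this page, not code from the repository; it assumes English identity names (adjust the list on localized systems) and an elevated session so that every service's ACL can be read.

```powershell
function Get-WritableServiceBinaries {
    # Identities every standard user belongs to; an Allow ACE with write rights
    # for any of them is the misconfiguration the section describes.
    $lowPrivIdentities = @('Everyone', 'BUILTIN\Users',
                           'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        # Recover the executable from the service command line: a quoted path is
        # taken verbatim, an unquoted one is cut at the first ".exe".
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
               elseif ($svc.PathName -match '^(.+?\.exe)') { $Matches[1] }
               else { $svc.PathName.Split(' ')[0] }
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

        # Both conditions named in the section: the binary itself and its directory.
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            $acl = Get-Acl -LiteralPath $target -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
                # Generic rights show up as undefined enum values; the int mask still works.
                if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
                [pscustomobject]@{
                    Service  = $svc.Name
                    RunsAs   = $svc.StartName
                    Writable = $target
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-WritableServiceBinaries | Format-Table -AutoSize
```

Each row is a service whose executable could be overwritten from a standard user context and then run under the RunsAs account; the fix is to remove that ACE (icacls <path> /remove:g <identity>) or move the binary under a directory only administrators can write to.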
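An added audit that ties the Access Token Manipulation section to the user-rights table in The accounts and names of windows privileges.md: it reports which accounts hold the rights that make token theft or creation possible on a host. This is example code written for this page, not code from the repository; it assumes an elevated session (secedit requires one) and reads the [Privilege Rights] section that secedit exports.

```powershell
function Get-TokenPrivilegeHolders {
    param(
        # From the repository's table: SeDebugPrivilege and SeTcbPrivilege let a
        # holder act on other processes' tokens, SeCreateTokenPrivilege lets it
        # mint tokens. SeImpersonatePrivilege (not in the table) is the right the
        # ImpersonateLoggedOnUser step needs, so it is audited as well.
        [string[]]$Privileges = @('SeDebugPrivilege', 'SeTcbPrivilege',
                                  'SeCreateTokenPrivilege', 'SeImpersonatePrivilege')
    )
    $cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
    # secedit writes the local policy as an INI-style file whose [Privilege Rights]
    # section holds lines such as "SeDebugPrivilege = *S-1-5-32-544".
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -notmatch '^(Se\w+)\s*=\s*(.+)$') { continue }
            $name = $Matches[1]
            $holders = $Matches[2]
            if ($Privileges -notcontains $name) { continue }
            foreach ($entry in $holders.Split(',')) {
                $sid = $entry.Trim().TrimStart('*')
                $holder = $sid
                # Resolve the SID to an account name; an unresolvable SID (for
                # example a deleted account) is reported raw.
                try {
                    $holder = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
                } catch { }
                [pscustomobject]@{ Privilege = $name; Holder = $holder }
            }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

Get-TokenPrivilegeHolders | Sort-Object Privilege | Format-Table -AutoSize
```

Anything beyond the built-in Administrators group and the service accounts Windows assigns by default is a candidate for removal through the Local Security Policy user-rights assignment.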