
Windows Privilege Escalation

The document discusses Windows privilege escalation, detailing the process of gaining higher-level access to systems and its implications for individuals, companies, and governments. It covers various methods attackers use to escalate privileges, including unquoted service paths, misconfigured services, DLL hijacking, and credential theft. The document also outlines steps for privilege escalation and includes practical demonstrations of these techniques.

Uploaded by

andy roines
WINDOWS PRIVILEGE ESCALATION

SALMAN ABULATIF
WHOAMI?
AGENDA

 Part 1
 KILL CHAIN
 INTRODUCTION – WHY SHOULD YOU CARE?
 UNDERSTANDING PRIVILEGES IN A SYSTEM
 TWO TYPES OF PRIVILEGE ESCALATION
 HOW ATTACKERS ESCALATE PRIVILEGES?
 STEPS TO ESCALATE PRIVILEGE
 INFORMATION GATHERING

 Part 2
 Practical Demonstration

 Part 3
 Automated Tools
 HackTheBox Machine
 Recap
KILL CHAIN

https://kravensecurity.com/top-5-cyber-kill-chain-challenges/
INTRODUCTION – WHY SHOULD YOU CARE?

 What is Privilege Escalation?


• The process of gaining higher-level access to a system than originally permitted.
• Often used by attackers to gain full control of a system.
 Why is it dangerous?
• Can lead to data theft, malware installation, full system takeover, or espionage.
 Who is affected?
• Individuals: Personal devices can be hacked.
• Companies: Cybercriminals can breach business systems.
• Governments: State-sponsored hacking and cyberwarfare.
UNDERSTANDING PRIVILEGES IN A SYSTEM

 What are user privileges?


 Users have specific permissions (e.g., reading files, running apps).
 Admin/root users have full control over the system.

 Common privilege levels:


 Regular User – Limited access (e.g., can’t install software).
 Admin (Windows) / Root (Linux) – Can install, modify, and access all data.
 System/Kernel (Highest Level) – Full system control.

 Goal of Privilege Escalation:


Attackers want to move from User => Admin => Root/System Control.
TWO TYPES OF PRIVILEGE ESCALATION

 1️⃣ Vertical Privilege Escalation

 2️⃣ Horizontal Privilege Escalation

https://delinea.com/blog/linux-privilege-escalation
HOW ATTACKERS ESCALATE PRIVILEGES?

 Unquoted Service Path


 Misconfigured Services (Weak permissions in Windows services).
 DLL Hijacking (Injecting malicious DLLs into trusted processes).
 Autologon Credentials In Registry
 Credential Theft (Dumping credentials using Mimikatz).
 Password Mining
 PowerShell History
STEPS TO ESCALATE PRIVILEGE

Information Gathering

Vulnerability Discovery

Exploitation
INFORMATION GATHERING
WHOAMI
SYSTEMINFO
NET
TASKLIST
SC
IPCONFIG
ROUTE
NETSTAT
DISCOVERY AND EXPLOITATION

https://github.com/sagishahar/lpeworkshop
UNQUOTED SERVICE PATH

 What is it?
 When a service's executable path contains spaces but is not enclosed in quotes, Windows cannot tell where the path ends and the arguments begin.
 It therefore tries each space-delimited prefix as the executable in turn (e.g., for C:\Program Files\MyApp Service\service.exe it tries C:\Program.exe, then C:\Program Files\MyApp.exe, before the intended binary), so Windows may execute an unintended file.
 An attacker with write access to a directory in the path can drop a malicious executable under one of those candidate names, leading to privilege escalation.
 Impact
 The attacker can execute arbitrary code as SYSTEM, gaining full control over the machine.
 Common in misconfigured third-party applications.
DEMONSTRATION
wmic service get name,displayname,pathname | findstr /i "C:\Program Files"

sc qc unquotedsvc
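The prefix-by-prefix lookup described above, as an added example that is not part of the original slides: given a service ImagePath, it lists the executables Windows would try in order, the directories whose ACLs must therefore deny write to standard users, and the quoted ImagePath that remediates the finding. The sample paths are constructed.

```python
def candidate_executables(image_path):
    """Executables the service control manager would try, in order, for a
    service ImagePath. A quoted path is unambiguous; an unquoted path with
    spaces is tried prefix by prefix, with .exe appended where it is missing."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return [path[1:end] if end > 0 else path[1:]]
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        has_exe = prefix.lower().endswith(".exe")
        candidates.append(prefix if has_exe else prefix + ".exe")
        if has_exe:  # reached the real binary; later tokens are arguments
            break
    return candidates


def is_unquoted_with_spaces(image_path):
    """True for the risky pattern on the slide: unquoted path with spaces."""
    path = image_path.strip()
    return not path.startswith('"') and len(candidate_executables(path)) > 1


def directories_to_protect(image_path):
    """Directories whose ACLs must deny write to standard users so that none
    of the earlier prefix candidates can be planted ahead of the real binary."""
    dirs = []
    for cand in candidate_executables(image_path)[:-1]:
        directory = cand.rsplit("\\", 1)[0] + "\\"
        if directory not in dirs:
            dirs.append(directory)
    return dirs


def quoted_fix(image_path):
    """Remediation value for the ImagePath: quote the executable and keep
    any arguments outside the quotes."""
    path = image_path.strip()
    exe = candidate_executables(path)[-1]
    raw = exe if path.lower().startswith(exe.lower()) else exe[:-4]
    return f'"{raw}"{path[len(raw):]}'


if __name__ == "__main__":
    # Constructed sample ImagePath values, not taken from any real host
    for p in [r'C:\Program Files\MyApp Service\service.exe -run',
              r'"C:\Program Files\MyApp Service\service.exe" -run',
              r'C:\Windows\svc.exe']:
        print(p, "->", candidate_executables(p), directories_to_protect(p))
```

On a real host the ImagePath values come from the `wmic`/`sc qc` output shown above; the fix is applied with `sc config <svc> binPath= "<quoted path>"`.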
MISCONFIGURED SERVICES

 What is it?
 Some services allow standard users to modify their executable, configuration, or permissions.
 Attackers can replace service binaries or modify the startup type, leading to privilege escalation.

 Impact
 Attackers can gain SYSTEM privileges by replacing the service executable.
 They can modify the service startup type to execute their malicious code on boot.
DEMONSTRATION
accesschk64.exe -uwcv Everyone *

accesschk64.exe -uwcv daclsvc


sc config daclsvc binPath= "C:\Users\user\Desktop\shell.exe"
DLL HIJACKING

 What is it?
 When a program searches for a missing DLL, it looks in certain directories in a specific order.
 If the DLL is missing and the attacker has write access to one of these directories, they can insert a
malicious DLL, which the application will load instead.
 Impact
 Attackers can execute arbitrary code under the privileges of the affected process.
 If exploited in a privileged process, the attacker can escalate to SYSTEM or Administrator.
DEMONSTRATION

 Separate Walkthrough (Part 3)


CREDENTIAL THEFT
AUTO LOGON

 What is it?
 Windows allows users to store autologon credentials in the registry for automatic login.
 These credentials are stored in plaintext and can be retrieved by anyone with read access.

 Impact
 Attackers can steal Administrator credentials if autologon is enabled.
 This allows them to log in as a privileged user without needing a password.
DEMONSTRATION
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
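A defender's check over the output of the `reg query` command above, added here as an example that is not part of the original slides: it parses the Winlogon values and reports when autologon is enabled or a DefaultPassword is stored in plaintext. The registry output below is constructed, not captured from a real host.

```python
import re

# Constructed sample of `reg query "...\Winlogon"` output (not a real host)
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    admin
    DefaultDomainName    REG_SZ    CORP
    DefaultPassword    REG_SZ    S3cretP@ss
    Shell    REG_SZ    explorer.exe
"""

# reg query prints each value as: <indent><name> <REG_type> <data>
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")


def parse_reg_query(text):
    """Map value names to their data; the key path line has no indent and is skipped."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def autologon_findings(values):
    """Findings a reviewer should act on; empty when nothing is exposed."""
    findings = []
    if values.get("AutoAdminLogon") == "1":
        findings.append("AutoAdminLogon is enabled")
    if "DefaultPassword" in values:
        user = values.get("DefaultUserName", "?")
        findings.append(f"DefaultPassword is stored in plaintext for user {user}")
    return findings


if __name__ == "__main__":
    for finding in autologon_findings(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print("FINDING:", finding)
```

Sysinternals Autologon stores the password as an LSA secret rather than in DefaultPassword, so an empty password finding does not by itself mean autologon is off; the AutoAdminLogon check is reported separately for that reason.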
PASSWORD MINING

 What is it?
 Many applications and scripts store credentials in plaintext in configuration files, scripts, and
registry keys.
 Attackers search for these credentials to gain unauthorized access.

 Impact
 Attackers can obtain hardcoded credentials to access critical systems.
 These credentials can be used for further privilege escalation or lateral movement.
DEMONSTRATION

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\BWP123F42


POWERSHELL HISTORY

 What is it?
 The PSReadLine module saves PowerShell command history to a file (ConsoleHost_history.txt) that persists across sessions.
 If users run sensitive commands (e.g., entering passwords or connecting to remote servers),
attackers can extract them.
 Impact
 Attackers can retrieve saved passwords, API keys, or admin commands.
 This can lead to privilege escalation, credential theft, or unauthorized system access.
DEMONSTRATION
type C:\Users\user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
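Detection logic for the history file above, added here as an example that is not part of the original slides: it scans ConsoleHost_history.txt lines for entries that carry credentials or sensitive admin activity, so the entries can be purged and the credentials rotated. The history content is constructed; the pattern list is an assumption of the kinds of commands worth flagging, not an exhaustive one.

```python
import re

# Constructed sample of a ConsoleHost_history.txt (not from a real host)
SAMPLE_HISTORY = """Get-ChildItem C:\\Users
net use \\\\fileserver\\share /user:CORP\\svc_backup Winter2024!
$cred = ConvertTo-SecureString "Hunter2" -AsPlainText -Force
Invoke-WebRequest -Headers @{Authorization="Bearer eyJabc123"} https://api.example.test
Enter-PSSession -ComputerName dc01 -Credential $cred
Get-Process
"""

# (label, pattern) pairs; the first matching pattern labels the line
PATTERNS = [
    ("net use with password", re.compile(r"^net\s+use\b.*\s/user:\S+\s+\S+", re.I)),
    ("plaintext SecureString", re.compile(r"ConvertTo-SecureString\s+.+-AsPlainText", re.I)),
    ("bearer token", re.compile(r"Bearer\s+[A-Za-z0-9._\-]+", re.I)),
    ("explicit -Password", re.compile(r"-Password\s+\S+", re.I)),
    ("remote session with credential",
     re.compile(r"^(Enter-PSSession|New-PSSession|Invoke-Command)\b.*-Credential", re.I)),
]


def scan_history(text):
    """Return (line_number, label, command) for each sensitive history entry."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for label, pattern in PATTERNS:
            if pattern.search(line):
                hits.append((number, label, line.strip()))
                break
    return hits


if __name__ == "__main__":
    for number, label, command in scan_history(SAMPLE_HISTORY):
        print(f"line {number}: {label}: {command}")
```

Where history retention is not wanted at all, `Set-PSReadLineOption -HistorySaveStyle SaveNothing` in the profile stops PSReadLine from writing the file.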
THANK YOU