Title: Complete Guide to Windows Privilege Escalation Basics

taibeihacker

Moderator
Not many people talk about serious Windows privilege escalation, which is a shame. I think the reasons for this are probably (1) during pentesting engagements a low-priv shell is often all the proof you need for the customer, (2) in staged environments you often pop the Administrator account, (3) meterpreter makes you lazy (getsystem=lazy-fu), (4) build reviews too often end up being -- authenticated Nessus scan, Microsoft Security Baseline Analyser.
Contrary to common perception, Windows boxes can be really well locked down if they are configured with care. On top of that, the patch time window of opportunity is small. So let's dig into the dark corners of the Windows OS and see if we can get SYSTEM.
It should be noted that I'll be using various versions of Windows to highlight any command-line differences that may exist. Keep this in mind, as various OS/SP differences may exist in terms of commands not existing or generating slightly different output. I have tried to structure this tutorial so it will apply in the most general way to Windows privilege escalation.
Finally I want to give a shout out to my friend Kostas who also really loves post-exploitation, you really don't want him to be logged into your machine hehe.
Indispensable Resources:
Encyclopaedia Of Windows Privilege Escalation (Brett Moore) - here.
Windows Attacks: AT is the new black (Chris Gates, Rob Fuller) - here.
Elevating privileges by exploiting weak folder permissions (Parvez Anwar) - here.

Δt for t0 to t3 - Initial Information Gathering

The starting point for this tutorial is an unprivileged shell on a box. We might have used a remote exploit or a client-side attack and we got a shell back. Basically at time t0 we have no understanding of the machine, what it does, what it is connected to, what level of privilege we have or even what operating system it is.
Initially we will want to quickly gather some essential information so we can get a lay of the land and assess our situation.
First let's find out what OS we are connected to:
C:\Windows\system32> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
Next we will see what the hostname of the box is and what user we are connected as.
C:\Windows\system32> hostname
b33f
C:\Windows\system32> echo %username%
user1
Now that we have this basic information, we list the other user accounts on the box and view our own user's information in a bit more detail. We can already see that user1 is not part of the localgroup Administrators.
C:\Windows\system32> net users
User accounts for \\B33F
-------------------------------------------------------------------------------
Administrator b33f Guest
user1
The command completed successfully.
C:\Windows\system32> net user user1
User name user1
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/11/2014 7:47:14 PM
Password expires Never
Password changeable 1/11/2014 7:47:14 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/11/2014 8:05:09 PM
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
That is all we need to know about users and permissions for the moment. Next on our list is networking: what is the machine connected to, and what rules does it impose on those connections?
First let's have a look at the available network interfaces and routing table.
C:\Windows\system32> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : b33f
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 0C-84-DC-62-60-29
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-56-79-35
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5cd4:9caf:61c0:ba6e%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.104(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, January 11, 2014 3:53:55 PM
   Lease Expires . . . . . . . . . . : Sunday, January 12, 2014 3:53:55 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-14-24-1D-00-0C-29-56-79-35
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Windows\system32> route print
===========================================================================
Interface List
 18...0c 84 dc 62 60 29 ......Bluetooth Device (Personal Area Network)
 13...00 ff 0c 0d 4f ed ......TAP-Windows Adapter V9
 11...00 0c 29 56 79 35 ......Intel(R) PRO/1000 MT Network Connection
  1...........................Software Loopback Interface 1
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.104 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.104 266
192.168.0.104 255.255.255.255 On-link 192.168.0.104 266
192.168.0.255 255.255.255.255 On-link 192.168.0.104 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.104 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.104 266
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 14     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 14     58 2001::/32                On-link
 14    306 2001:0:5ef5:79fb:8d2:b4e:3f57:ff97/128
                                    On-link
 11    266 fe80::/64                On-link
 14    306 fe80::/64                On-link
 14    306 fe80::8d2:b4e:3f57:ff97/128
                                    On-link
 11    266 fe80::5cd4:9caf:61c0:ba6e/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
None
# arp -A displays the ARP (Address Resolution Protocol) cache table for all available interfaces.
C:\Windows\system32> arp -A
Interface: 192.168.0.104 ---0xb
Internet Address Physical Address Type
192.168.0.1 90-94-e4-c5-b0-46 dynamic
192.168.0.101 ac-22-0b-af-bb-43 dynamic
192.168.0.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
That brings us to the active network connections and the firewall rules.
C:\Windows\system32> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING 1400
TCP 192.168.0.104:139 0.0.0.0:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 684
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:5357 [::]:0 LISTENING 4
UDP 0.0.0.0:5355 *:* 1100
UDP 0.0.0.0:52282 *:* 976
UDP 0.0.0.0:55202 *:* 2956
UDP 0.0.0.0:59797 *:* 1400
UDP 127.0.0.
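As an added example (mine, not code from b33f's tutorial or this post), the following parses netstat -ano output of the kind captured above and reports, per PID, the sockets reachable from the network: TCP listeners plus UDP sockets, minus anything bound to loopback. The sample text is constructed to mirror the capture; on a real host you would feed it the actual command output.

```python
from collections import defaultdict

# Constructed sample modelled on the netstat -ano capture above (not the page's full output).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1400
  TCP    192.168.0.104:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.0.104:49160    192.168.0.101:443      ESTABLISHED     2956
  TCP    [::]:135               [::]:0                 LISTENING       684
  UDP    0.0.0.0:5355           *:*                                    1100
  UDP    127.0.0.1:1900         *:*                                    1400
"""

# Addresses that only local processes can reach.
LOOPBACK = ("127.", "[::1]")

def split_addr(addr):
    """Split 'host:port' or '[v6]:port' into (host, port); rpartition keeps IPv6 colons intact."""
    host, _, port = addr.rpartition(":")
    return host, port

def parse_netstat(text):
    """Yield one dict per TCP/UDP row; UDP rows have no State column, so PID shifts left."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        host, port = split_addr(local)
        yield {"proto": proto, "host": host, "port": int(port),
               "foreign": foreign, "state": state, "pid": int(pid)}

def exposed_listeners(text):
    """Map PID -> sorted 'proto/port' list for sockets reachable from the network:
    TCP sockets in LISTENING plus every UDP socket, excluding loopback-bound ones."""
    by_pid = defaultdict(set)
    for row in parse_netstat(text):
        if row["proto"] == "TCP" and row["state"] != "LISTENING":
            continue
        if row["host"].startswith(LOOPBACK):
            continue
        by_pid[row["pid"]].add(f"{row['proto']}/{row['port']}")
    return {pid: sorted(ports) for pid, ports in by_pid.items()}

if __name__ == "__main__":
    for pid, ports in sorted(exposed_listeners(SAMPLE_NETSTAT).items()):
        print(f"PID {pid}: {', '.join(ports)}")
```

Cross-referencing each reported PID against tasklist shows which service owns an exposed port, which is the question a hardening review asks of every non-loopback listener.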