Basic Information
Before we delve into the techniques for privilege escalation, let's start with some basic information about Windows security elements that will be crucial throughout the process.
1. Security Identifier (SID)
In Windows, the Security Identifier (SID) is a unique identifier for user and group accounts. Windows uses SIDs to identify principals for access control management. This means that when you're looking to exploit a system, understanding SIDs can be crucial.
2. Access Token
An access token contains information about the user and the user's group memberships. It's used to control access to securable objects and operations.
3. Mandatory Integrity Control
Mandatory Integrity Control is a security feature that enforces mandatory access controls based on integrity levels. Understanding integrity levels is essential for privilege escalation.
4. User Account Control (UAC)
User Account Control is a security feature introduced in Windows to improve security. It helps protect the system from unauthorized changes.
5. Well-Known SIDs on Local Machines
- S-1-0-0: Nobody
- S-1-1-0: Everybody
- S-1-5-11: Authenticated Users
- S-1-5-18: Local System
- S-1-5-domainidentifier-500: Administrator
6. Integrity Levels
Understanding integrity levels is crucial. Here are the primary integrity levels you'll encounter:
- System: For SYSTEM (kernel, etc.)
- High: For elevated users
- Medium: For standard users
- Low: For very restricted rights, often used in sandboxed processes or for directories storing temporary data
Members of the "Remote Desktop Users" group can access the system using RDP, while members of the "Remote Management Users" group can access it with WinRM.
Situational Awareness
Before escalating privileges, you need to gather information about the system you're targeting. Here are the key elements to consider:
- Username and hostname
- Group memberships of the current user
- Existing users and groups
- Operating system, version, and architecture
- Network information
- Installed applications
- Running processes
Obtaining Username and Hostname
To get the current username and hostname, use the following commands:
whoami
hostname
To retrieve information about the group memberships of the current user, use:
whoami /groups
Existing Users and Groups
To display information about local users and groups, use the following commands:
- Display local users
Get-LocalUser
net user
- Get more information about a specific username
net user <username>
- Display local groups
Get-LocalGroup
- Display members of a specific group (e.g., adminteam)
Get-LocalGroupMember adminteam
Operating System Information
To gather information about the operating system, version, and architecture, use:
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Network Information
To obtain network-related information, use these commands:
- Show all interfaces
ipconfig /all
- Routing table
route print
- Active network connections
netstat -ano
Enumerating Firewall Status and Rules
Check the firewall status and rules with these commands:
- Listing the current profile for the firewall
netsh advfirewall show currentprofile
- Listing all the firewall rules
netsh advfirewall firewall show rule name=all
Installed Applications
Identifying installed applications can reveal potential vulnerabilities. Here are some commands to help with this:
- x86 applications
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
- x64 applications
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
- Listing all installed applications installed by Windows Installer
wmic product get name, version, vendor
- Listing all installed security patches
wmic qfe get Caption, Description, HotFixID, InstalledOn
Additionally, check the contents of the "Program Files" directories in both 32-bit and 64-bit, located in C:. Review the "Downloads" directory of your user to find more potential programs.
Running Processes
Understanding the processes running on the system is essential. Here are some commands to help you with this:
Get-Process
Get-Process | Select-Object Path
Getting a list of running processes on the operating system and matching services can be done with the following command:
tasklist /SVC
Hidden in Plain View
Sometimes, sensitive information is hiding in plain view. Here are some commands to search for hidden data:
Searching for Password Manager Databases
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Searching for Sensitive Information in XAMPP Directory
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Searching for Text Files and Password Manager Databases in a User's Home Directory
Get-ChildItem -Path C:\Users\<username>\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
Running Commands as Another User
In some situations, you may need to run commands as another user. You can achieve this with:
runas /user:<username> cmd
Information Goldmine: PowerShell
PowerShell history can reveal valuable information about past commands and activities. Here are some PowerShell commands to help you in this regard:
Get the Command History of PowerShell
Get-History
Display the Path of the History File from PSReadline
(Get-PSReadlineOption).HistorySavePath
Enumerating Readable/Writable Files and Directories
Understanding which files and directories are writable can be essential for privilege escalation. Here's how to list them:
Listing All Writable Files and Directories
accesschk.exe -uws "Everyone" "C:\Program Files"
Listing All Writable Files and Directories in a Specified Target Using PowerShell
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
Enumerating Unmounted Disks
Understanding the available drives is crucial. You can list all drives available for mounting with this command:
mountvol
Enumerating Device Drivers and Kernel Modules
Identifying device drivers and kernel modules can provide valuable insights. Here's how to list them:
Listing Loaded Drivers on Windows
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
Listing Driver Versions on Windows for a Specific Keyword (e.g., VMware)
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
Enumerating Binaries That AutoElevate
Understanding which binaries autoelevate can be crucial for privilege escalation. Here's how to query the AlwaysInstallElevated registry setting in both hives:
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
If the AlwaysInstallElevated registry setting is enabled (set to 1) in either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user can run Windows Installer packages with elevated privileges. This can be exploited for privilege escalation.
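As an added example (not from the original post), the following PowerShell reads the setting from both hives and reports their state, and a second function resets it. Microsoft documents the policy as taking effect only when it is set in both the computer and user configuration, so the report flags the combination as effective only when both values are 1; a missing value is treated as 0. Setting the HKLM value requires administrative rights.

```powershell
$InstallerPolicyKeys = @(
    "HKCU:\Software\Policies\Microsoft\Windows\Installer",
    "HKLM:\Software\Policies\Microsoft\Windows\Installer"
)

function Test-AlwaysInstallElevated {
    # Read the value from each hive; a missing key or value counts as 0 (disabled)
    $status = foreach ($key in $InstallerPolicyKeys) {
        $value = 0
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $value = [int]$prop.AlwaysInstallElevated }
        }
        [pscustomobject]@{ Key = $key; AlwaysInstallElevated = $value; Enabled = ($value -eq 1) }
    }
    $status | Format-Table -AutoSize
    # The policy is effective (any user installs MSI packages as SYSTEM) only when both hives are 1
    $effective = @($status | Where-Object { -not $_.Enabled }).Count -eq 0
    if ($effective) {
        Write-Warning "AlwaysInstallElevated is enabled in both hives: Windows Installer packages run elevated for any user."
    }
    return $effective
}

function Disable-AlwaysInstallElevated {
    # Remediation: explicitly set the value to 0 in both hives (HKLM needs an elevated session)
    foreach ($key in $InstallerPolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

# Usage: report the current state, then remediate if the weak configuration is effective
if (Test-AlwaysInstallElevated) { Disable-AlwaysInstallElevated }
```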
In conclusion, privilege escalation in Windows requires a comprehensive understanding of the system and the techniques to enumerate its elements. By following these commands and techniques, you can gather the information needed to identify and exploit vulnerabilities for privilege escalation. Remember to always follow ethical hacking practices and obtain proper authorization before conducting any penetration testing.