Local privilege escalation
Last updated
Last updated
The following note assumes that a low privilege shell could be obtained on the target.
To leverage a shell from a Remote Code Execution (RCE) vulnerability please refer to the [General] Shells note.
“The more you look, the more you see.” ― Pirsig, Robert M., Zen and the Art of Motorcycle Maintenance
The following commands can be used to grasp a better understanding of the current system:
| DOS | Powershell | WMI | |
|---|---|---|---|
Installed .NET framework
A number of tools may require the use of the .NET Framework, either for privileges escalation or post exploitation. The .NET Framework 4.8 will be the last version released of the .NET Framework (only security updates and reliability hotfixes will follow).
Each version of the .NET Framework contains the Common Language Runtime (CLR), used to execute managed code of .NET programs. A .NET programs should be build to target the CLR version associated with the .NET Framework installed on the (targeted) host. For instance, an utility can be build to target the .NET Framework 4.8 even if only the .NET Framework 4 is installed on the host the utility will be executed on.
The .NET Framework is installed by default on Windows, with a version depending on the Windows version:
*The .NET Framework version must be enabled (either through the Control Panel or, for Windows Server, through the Server Manager).
The version of the .NET Framework framework installed can be determined through registry key entries. Additionally, before .NET Framework 4.0, the installed .NET Framework version can be determined using the names of the folder in the \Windows\Microsoft.NET\Framework64\ directory. For later versions, the MSBuild.exe utility, packaged with the .NET framework, can be used to establish the precise version installed. If the execution of MSBuild.exe is blocked, the version can still be retrieved manually.
Before attempting a local privilege escalation, notably in a covert scenario, establishing a precise vision on the system security defense and supervision mechanisms may help evade detection.
Antivirus product
The Windows Security Center is a Windows component which, among other features, keep track of the antivirus products installed on the system and their status (monitoring mode and antivirus signatures update status). The Security Center consolidates the Windows Defender status as well as third party antivirus solutions by:
searching for registry keys and files provided to Microsoft by the antivirus software manufacturers
exposing a WMI provider on which antivirus software manufacturers can report their product status
Note that some Endpoint Detection and Response (EDR) solutions may not be registered in the SecurityCenter and can only be detected by listing the running processes or configured services.
The productState property can be parsed and converted to a human readable format using the following PowerShell code snippet:
Audit policies
The configured audit policies can be retrieved within the registry.
In particular, whether or not the command line is logged in process creation events (Security hive, 4688: A new process has been created) is of importance, as a process command line arguments may yield information about a tool function, compromised accounts or C2 servers, and be very able for the blue team.
Windows Event Forwarding
Windows Event Forwarding (WEF) is a Microsoft Windows component that forwards the chosen event logs to a Windows Event Collector (WEC) server, for back up or security monitoring.
The following registry key can be queried to retrieve information about a possible WEF subscription:
AppLocker
AppLocker is a Windows native feature, added in Windows 7 Enterprise, that allows, through the definition of rules, for the restriction and control of the files users can execute.
The configured AppLocker rules are stored in multiple locations within the registry and can also be retrieved using the Get-AppLockerPolicy PowerShell cmdlet.
Note that the appidsvc service must be running for AppLocker to be functional.
Additionally, the presence and size of the event logs hive Microsoft-Windows-AppLocker/EXE and DLL can also be a good indicator of whether or not AppLocker is enabled. If the log file is not present or is empty (the evtx file has a size of 68 Ko / 69 632 bytes) then AppLocker may not have been enabled and configured on the system.
For more information about AppLocker, refer to the Windows - Bypass AppLocker note.
Seatbelt
Seatbelt is a C# tool that can be used to enumerate a number of security mechanisms of the target such as the PowerShell restrictions, audit and Windows Event Forwarding settings, registered antivirus, firewall rules, installed patches and last reboot events, etc.
Seatbelt can also be used to gather interesting user data such as saved RDP connections files and putty SSH host keys, AWS/Google/Azure cloud credential files, browsers bookmarks and histories, etc.
Most of the enumeration process detailed below can be automated using scripts.
Personal preference: PEASS's WinPEAS.exe or WinPEAS.bat + PowerSploit's PowerUp.ps1 Invoke-PrivescAudit / Invoke-AllChecks + off-target Windows Exploit Suggester - Next Generation
To upload the scripts on the target, please refer to the [General] File transfer note.
Note that PowerShell scripts can be injected directly into memory using PowerShell DownloadString or through a meterpreter session:
Privilege Escalation Awesome Scripts SUITE (PEASS) - WinPEAS
WinPEAS checks the local privilege escalation vectors defined in the following checklist: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation.
Note that the winPEAS.exe executable requires the .NET 4.0 framework to function. Alternatively, the winPEAS.bat script may be used instead (with no coloring support and less optimization).
PowerSploit's PowerUp
The PowerSploit's PowerUp Invoke-PrivescAudit / Invoke-AllChecks and enjoiz's privesc.bat or privesc.ps1scripts run a number of configuration checks:
Clear text passwords in files or registry
Unquoted services path
Weak services permissions
"AlwaysInstallElevated" policy
Token privileges
...
The Invoke-PrivescAudit / Invoke-AllChecks cmdlets will run all the checks implemented by PowerSploit's PowerUp.ps1. The script can be either injected directly into memory as specified above or can be imported using the file.
Note that PowerUp is not actively maintained in the master branch of the PowerShellMafia's PowerSploit GitHub repository.
enjoiz privesc.bat / privesc.ps1
Both the batch and PowerShell versions of the enjoiz privilege escalation script require accesschk.exe to present on the targeted machine (on the script directory). The script takes one or multiple user group(s) as parameter to test the configuration for. To retrieve the user groups of the compromised user, the Windows built-in whoami /groups can be used.
Windows Exploit Suggester - Next Generation
The WES-NG script compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. Refer to the Unpatched system section below for a detailed usage guide of the script.
Physical access open up different ways to bypass user login screen and obtain NT AUTHORITY\SYSTEM access.
Hardened system
BIOS settings
The methods detailed below require to boot from a live CD/DVD or USB key. The possibility to do so may be disabled by BIOS settings. To conduct the attack below, an access to the BIOS or a reset to default settings must be accomplished.
Manufacturers may have defined a default BIOS password, some of which are listed on the following resource http://www.uktsupport.co.uk/reference/biosp.htm
Ultimately, BIOS settings can be reseted by removing the CMOS battery or using the motherboard Jumper. The system hard drive can also be plugged on another computer to extract the SAM base or carry out the process below.
Encrypted disk
The methods detailed below require an access to the Windows file system and will not work on encrypted partitions if the password to decrypt the file system is not known.
PCUnlocker
PCUnlocker is a password-unlocking software that can be used to reset lost Windows users password. it can be burn on a CD/DVD or installed on a bootable USB key.
The procedure to create a bootable USB key and reset local Windows users passwords is as follow:
Download Rufus and PCUnlocker
Create a bootable USK key using Rufus with the PCUnlocker ISO. If making an USB key for a computer with UEFI BIOS, pick the "GPT partition scheme for UEFI computer" option on Rufus
Boot on the USB Key thus created (boot order may need to be changed in BIOS)
From the PCUnlocker GUI, pick an account and click the "Reset Password" button to reset the password to
To create a bootable CD/DVD, simply use any CD/DVD burner with the PCUnlocker ISO and follow steps 3 & 4. If used on a Domain Controller, PCUnlocker can be used to reset Domain users password by updating the ntds.dit file.
utilman.exe
The utilman utility tool can be launched at the login screen before authentication as NT AUTHORITY\SYSTEM. By using a Windows installation CD/DVD, it is possible to replace the utilman.exe by cmd.exe to gain access to a CMD shell as SYSTEM without authentication.
The procedure to do so is as follow:
Download the Windows ISO corresponding to the attacked system and burn it to a CD/DVD
Boot on the thus created CD/DVD
Pick the "Repair your computer" option
Select the “Use recovery tools [...]" option, pick the operating system from the list and click "Next"
A command prompt should open, enter the following commands:
cd windows\system32
ren utilman.exe utilman.exe.bak
copy cmd.exe utilman.exe
Remove the CD/DVD and boot the system normally.
On the login screen, press the key combination Windows Key + U
A command prompt should open with NT AUTHORITY\SYSTEM rights
Change a user password (net user ) or create a new user
Clear text passwords in files
The built-in findstr and dir can be used to search for clear text passwords stored in files. The keyword 'password' should be used first and the search broaden if needed by searching for 'pass'.
The meterpreter search command can be used in place of findstr if a meterpreter shell is being used.
The following files, if present on the system, may contain clear text or base64 encoded passwords and should be reviewed:
Cached credentials
Windows-based computers use multiple forms of password caching / storage: local accounts credentials, domain credentials, and generic credentials:
Domain credentials are authenticated by the Local Security Authority (LSA) and cached in the LSASS (Local Security Authority Subsystem) process.
Local accounts credentials are stored in the SAM (Security Account Manager) hive.
Generic credentials are defined programs that manage authorization and security directly. The generic credentials are cached in the Windows Credential Manager.
Local administrator or NT AUTHORITY\SYSTEM privileges are required to access the clear-text or hashed passwords. Refer to the [Windows] Post Exploitation note for more information on how to retrieve these credentials.
However, stored generic credentials may be directly usable. In particular, Windows credentials (domain or local accounts) cached as generic credentials in the Credential Manager, usually done using runas /savecred.
The cmdkey and rundll32.exe Windows built-ins can be used to enumerate the generic credentials stored on the machine. Saved Windows credentials be can used using runas.
Cached GPP passwords
GPP can be cached locally and may contain encrypted passwords that can be decrypted using the Microsoft public AES key.
The Get-CachedGPPPassword cmdlet, of the PowerSploit's PowerUp script, can be used to automatically retrieve the cached GPP XML files and extract the present passwords.
The following commands can be used to conduct the search manually:
The Ruby gpp-password script can be used to decrypt a GPP password:
Clear text password in registry
Passwords may also be stored in Windows registry:
Wifi passwords
The configured / memorized Wifi passwords on the target machine may be retrievable as an unprivileged user using the Windows built-in netsh:
Passwords in Windows event logs
If the compromised user can read Windows events logs, by being a member of the Event Log Readers notably, and the command-line auditing feature is enabled, the logs should be reviewed for sensible information.
Recently modified files
Recently modified files can be of interest and may contain sensitive information. For example, the lastly modified files in a product installation folder may correspond to the non default modifications and configuration.
The time of modification may also be of interest in a CTF scenarios.
Hidden files
To display only hidden files, the following command can be used:
Files of interest
The following files may contains sensible information:
Alternate data streams (ADS)
The NTFS file system includes support for ADS, allowing files to contain more than one stream of data. Every Windows file has at least one data stream, called by default :$DATA.
ADS do not appear in Windows Explorer, and their size is not included in the size of the file that hosts them. Moreover, only the main stream of a file is retained when copying to a FAT file system, attaching to a mail or uploading to a website. Because of these properties, ADS may be used by users or applications to store sensible information and the eventual ADS present on the system should be reviewed.
DOS and PowerShell built-ins as well as streams.exe from the Sysinternals suite and tools from http://www.flexhex.com/docs/articles/alternate-streams.phtml can be used to operate with ADS.
Note that the PowerShell cmdlets presented below are only available starting from PowerShell 3.
OS and Kernel version
The following commands or actions can be used to get the updates installed on the host:
Windows releases information:
Automatically compare the system patch level to public known exploits:
Installed software
The following commands can be used to enumerate the software installed on the local system:
Exploits detection tools
Windows Exploit Suggester - Next Generation (WES-NG)
-- Replace Windows-Exploit-Suggester --
The WES-NG Python script compares a target patch level, retrieved using systeminfo, and the Microsoft vulnerability database in order to detect potential missing patches on the target.
Windows-Exploit-Suggester (outdated)
Outdated: Microsoft replaced the Microsoft Security Bulletin Data Excel file, on which Windows-Exploit-Suggester is fully dependent, by the MSRC API. The Microsoft Security Bulletin Data Excel file has not been updated since Q1 2017, so later operating systems and vulnerabilities can no longer be assessed --
The windows-exploit-suggester script compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins. It requires the systeminfo command output from a Windows host in order to compare that the Microsoft security bulletin database and determine the patch level of the host. It has the ability to automatically download the security bulletin database from Microsoft with the --update flag, and saves it as an Excel spreadsheet.
If the systeminfo command reveals 'File 1' as the output for the hotfixes, the output of wmic qfe list full should be used instead using the --hotfixes flag, along with the systeminfo:
Watson
Watson (replaces Sherlock) is a .NET tool designed to enumerate missing KBs and suggest exploits. Only works on Windows 10 (1703, 1709, 1803 & 1809) and Windows Server 2016 & 2019.
Watson must be compiled for the .NET version supported on the target.
Sherlock (outdated)
Outdated: Microsoft changed to rolling patches on Windows instead of hotfixes per vulnerability, making the detection mechanism of Sherlock non functional.
PowerShell script to find missing software patches for critical vulnerabilities that could be leveraged for local privilege escalation.
To download and execute directly into memory:
(Metasploit) Local Exploit Suggester (outdated)
The local_exploit_suggester module suggests local meterpreter exploits that can be used against the target, based on the architecture and platform as well as the available exploits in meterpreter.
Pre compiled exploits
A collection of pre compiled Windows kernel exploits can be found on the windows-kernel-exploits GitHub repository. Use at your own risk.
Compilers
mingw
An exploit in C can be compiled on Linux to be used on a Windows system using the cross-compiler mingw:
PyInstaller
If an exploit is only available as a Python script and Python is not installed on the target, PyInstaller can be used to compile a stand alone executable of the Python script:
PyInstaller should be used on a Windows operating system.
PrintNightmare (CVE-2021-1675)
On unpatched systems with the Print Spooler service running, the PrintNightmare vulnerability (CVE-2021-1675) can be leveraged, in addition to remote code execution, for local privilege escalation. The PrintNightmare vulnerability basically result in the execution of an arbitrary DLL under NT AUTHORITY\SYSTEM privileges. For more details on the PrintNightmare vulnerability, refer to the [L7] 135 - MSRPC note.
The status of the Print Spooler service on the local system can be retrieved using the following PowerShell cmdlets:
The nightmare-dll DLL creates a local user (using the Win32's NetUserAdd API) and add it to the local Administrators group (using the Win32's NetLocalGroupAddMembers API). It may be used as a DLL template for PrintNightmare exploitation. Alternatively, a payload DLL may be generated using, for example, msfvenom.
The CVE-2021-1675.ps1 PowerShell script can be used to locally elevate privileges by either:
using its embedded (Base64-encoded GZIPped) DLL to create a local user and add it to the local Administrators group
executing the specified DLL under NT AUTHORITY\SYSTEM privileges
Alternatively, the SharpPrintNightmare C# implementation can be used for local privilege escalation purposes (in addition to remote code execution):
CVE-2021-1675.ps1 and SharpPrintNightmare (in LPE mode) present the advantage of not relying on the RPC or SMB protocols as the AddPrinterDriverEx and EnumPrinterDrivers APIs are called directly.
Windows provides a mechanism which allows unprivileged users to install Windows installation packages, Microsoft Windows Installer Package (MSI) files, with NT AUTHORITY\SYSTEM privileges. This policy is known as AlwaysInstallElevated.
If activated, this mechanism can be leveraged to elevate privileges on the system by executing code through the MSI during the installation process as NT AUTHORITY\SYSTEM.
The Windows built-in req utility and the PowerUp PowerShell script can be used to check whether the AlwaysInstallElevated policy is enabled on the host by querying the associated registry key:
The policy can be abused to elevate privileges:
By executing a given binary or bat script through a specifically crafted MSI installer using the MSI Wrapper graphical application or msfvenom.
By adding a local user to the local Administrators group using the MSI installer embedded in the PowerUp's Write-UserAddMSI PowerShell cmdlet. The cmdlet will open a graphical interface to specify the user to be added.
Through a meterpreter session using the Metasploit's exploit/windows/local/always_install_elevated module. The module will prevent the installation from succeeding to avoid the registration of the program on the system.
Refer to the [General] File transfer note for file transfer techniques to upload the MSI on the targeted system.
In Windows NT operating systems, a Windows service is a computer program that operates in the background, similarly in concept to a Unix daemon.
A Windows service must conform to the interface rules and protocols of the Service Control Manager, the component responsible for managing Windows services. Windows services can be configured to start with the operating system, manually or when an event occur.
Vulnerabilities in a service configuration could be exploited to execute code under the privileges of the user starting the service, often NT AUTHORITY\SYSTEM.
Windows services enumeration
The Windows built-ins sc and wmic can be used to enumerate the services configured on the target system. The Windows built-in graphical utility services.msc can alternatively be used as well.
Weak services permissions
A weak service permissions vulnerability occurs when an unprivileged user can alter the service configuration so that the service runs an arbitrary specified command or executable.
The rights on the service are defined in each service's security descriptor, formatted according to the Security Descriptor Definition Language (SDDL) definition. The SDDL defines the System Access Control List and (SACL) and the Discretionary Access Control List (DACL):
Prefix of S: SACL which controls the auditing (what access will generate an auditing event).
Prefix of D: DACL which controls the actual permissions / rights over the services (and will govern the access to the service).
The SDDL uses Access Control Entry (ACE) strings in the DACL and SACL components of a security descriptor string. Each ACE in a security descriptor string is enclosed in parentheses in which an user account and their associated permissions / rights are represented.
The fields of the ACE are in the following order and are separated by semicolons (;).
In case of services, the fields ace_type, rights and account_sid are usually the only ones being set.
The ace_type field is usually either set to Allow (A) or Deny (D). The rights field is a string that indicates the access rights controlled by the ACE, usually composed of pair of letters each representing a specific permission. Finally, the account_sid represent the security principal assigned with the permissions and can either be a two letters known alias or a SID.
The following known aliases can be encountered:
The following permissions are worth mentioning in the prospect of local privilege escalation:
A more comprehensive list of the access rights for Windows services can be found in the official Microsoft documentation.
The accesschk tool, from the Sysinternals suite, and the Powershell PowerUp script can be used to list the services an user can exploit:
If the use of the tools above is not a possibility, the Windows built-in sc can be used to directly retrieve a service's security descriptor's DACL (but not the owner of the service nor the it's SACL):
The sc utility can, among others, also be used to alter a service configuration:
The Metasploit module exploit/windows/local/service_permissions can be used through an existing meterpreter session to automatically detect and exploit weak services permissions to execute a specified payload under NT AUTHORITY\SYSTEM privileges.
Unsecure NTFS permissions on service binaries
Permissive NTFS permissions on the service binary used by the service can be leveraged to elevate privileges on the system as the user running the service.
If available, the Windows utility wmic can be used to retrieve all services binary paths:
The Windows bullet-in icacls can be used to determine the NTFS permissions on the services binary:
Unquoted service binary paths
When a service path is unquoted, the Service Manager will try to find the service binary in the shortest path, moving up to the longest path until one works. For example, for the path C:\TEST\Service Folder\binary.exe, the space is treated as an optional path to explore for that service. The resolution process will first look into C:\TEST\ for the Service.exe binary and, if it exist, use it to start the service.
Here is Windows’ chain of thought for the above example:
Are they asking me to run "C:\TEST\Service.exe" Folder\binary.exe No, it does not exist.
Are they asking me to run "C:\TEST\Service Folder\Service_binary.exe" Yes, it does exist.
In summary, a service is vulnerable if the path to the executable contains spaces and is not wrapped in quote marks. Exploitation requires write permissions to the path before the quote mark. Note that unquoted path for services in C:\Program Files and C:\Program Files (x86) are usually not exploitable as unprivileged user rarely have write access in the C:\ root directory or in the standard program directories.
In the above example, if an attacker has write privilege in C:\TEST, he could create a C:\Service.exe and escalate its privileges to the level of the account that starts the service.
To find vulnerable services the wmic tool and the Powershell PowerUp script can be used as well as a manual review of each service metadata using sc queries:
The Metasploit module exploit/windows/local/trusted_service_path can be used through an existing meterpreter session to automatically detect and exploit unquoted service path to execute a specified payload under NT AUTHORITY\SYSTEM privileges.
Windows XP SP0 & SP1
On Windows XP SP0 and SP1, the Windows service upnphost is run by NT AUTHORITY\LocalService and grants the permission SERVICE_ALL_ACCESS to all Authenticated Users, meaning all authenticated users on the system can fully modify the service configuration. Du to the End-of-Life status of the Service Pack affected, the vulnerability will not be fixed and can be used as an universal privileges escalation method on Windows XP SP0 & SP1.
Generate new service binary
Add a local administrator user
The following C code can be used to add a local administrator user:
The C code above can be compiled on Linux using the cross-compiler mingw (refer to cross compilation above).
Reverse shell
The service can be leveraged to start a privileged reverse shell. Refer to the [General] Shells - Binary note.
Service restart
To restart the service:
If an error System error 1068 ("The dependency service or group failed to start."), the dependencies can be removed to fix the service:
Scheduled tasks are used to automatically perform a routine task on the system whenever the criteria associated to the scheduled task occurs. The scheduled tasks can either be run at a defined time, on repeat at set intervals, or when a specific event occurs, such as the system boot.
The scheduled tasks are exposed to the same kinds of misconfigurations flaws affecting the Windows services. However, note that the Windows GUI utility Task Scheduler, used to configure scheduled task, will always make use of quoted binary path, thus limiting the occurrence of unquoted scheduled task path.
The Windows built-in schtasks can be used to enumerate the scheduled tasks configured on the system or to retrieve information about a specific scheduled task.
The commands below can be chained to filter the enabled scheduled tasks name and action for NT AUTHORITY\SYSTEM, Administrator or the specified user:
The Windows bullet-in icacls can be used to determine the NTFS permissions on the scheduled tasks binary:
If the current user can modify the binary / script of a scheduled task run by another user, arbitrary command execution under the other user privileges can be achieved once the criteria associated to the scheduled task occurs.
Refer to the [General] Shells - Binary note for reverse shell binaries / scripts.
Use the following command to retrieve the current user account token privileges:
The following tokens can be exploited to gain SYSTEM access privileges:
SeAssignPrimaryPrivilege
SeBackupPrivilege
SeCreateTokenPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
For more and updated information on the aforementioned privileges, refer to the Priv2Admin GitHub repository.
Overview
The SeAssignPrimaryTokenPrivilege and the SeImpersonatePrivilege privileges allow, by design, to create a process under the security context of another user. The SeAssignPrimaryTokenPrivilege privilege can be exploited using the CreateProcessAsUser() Win32 API while the SeImpersonatePrivilege privilege can leveraged using the CreateProcessWithToken() Win32 API.
Exploits of the potato family (except RoguePotato) no longer work on Windows 10 build 1809 / Windows 2019 and later.
The process creation requires however a handle to a primary token of the user to impersonate. Multiple tools and techniques may be used to obtain a handle to a token of the NT AUTHORITY\SYSTEM account:
Local service accounts privileges reduction
The NT AUTHORITY\LOCAL SERVICE and NT AUTHORITY\NETWORK SERVICE are predefined local accounts notably used by the Service Control Manager. By default, the accounts are granted the SeImpersonatePrivilege privilege.
However, some Windows services executed as NT AUTHORITY\LOCAL SERVICE or NT AUTHORITY\NETWORK SERVICE will voluntarily limit their privileges and remove the SeImpersonatePrivilege from their access token. In such cases, the default privileges normally granted to the service accounts can be retrieved by creating a scheduled task; as the scheduled task process will have all the default privileges restored.
FullPowers can be used to automate this process:
Juicy Potato
Juicy Potato is an improved version of RottenPotatoNG and its usage is recommended.
As stated above, the specification of service CLSID is required by Juicy Potato. A list of services' CLSID that can be leveraged for privilege escalation is available on the tool GitHub repository: https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
Rotten Potato x64 w/ Metasploit
On unpatched systems, RottenPotato can be used in combination with the Metasploit meterpreter's incognito module.
Tater
Tater is a PowerShell implementation of the Potato exploit and thus works similarly by targeting the BITS service.
RogueWinRM
Starting from Windows 10 1809 (and Windows Server 2019 if the WinRM service is not already started), RogueWinRM can be used to exploit the SeImpersonatePrivilege privilege.
PrintSpoofer
If the Print Spooler service is running locally (or can be started), PrintSpoofer can be used to exploit the SeImpersonatePrivilege privilege (tested on Windows 10 and Windows Server 2016 / 2019).
The LocalSystem account (associated with the NT AUTHORITY\SYSTEM SID) is used by the operating system and by services that run under Windows. It is an internal account, which does not show up in User Manager and cannot be added to any security groups. Executing code under the LocalSystem account may be needed in some circumstances (for example to leverage specific privileges associated with the LocalSystem account, such as the SeTcbPrivilege privilege).
The PsExec Microsoft signed tool can be used to elevate to LocalSystem from an administrator account (through a Windows service):
The Invoke-CommandAs PowerShell cmdlet can also be used to execute code as LocalSystem account (through a Scheduled Task):
If a meterpreter shell is being used, the getsystem command can be leveraged to the same end.
https://stackoverflow.com/questions/1331887/detect-antivirus-on-windows-using-c-sharp
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
https://ired.team/offensive-security/defense-evasion/av-bypass-with-metasploit-templates
https://www.elastic.co/fr/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation
https://docs.microsoft.com/fr-fr/windows/desktop/SecAuthZ/ace-strings
https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
http://www.alex-ionescu.com/publications/BlueHat/bluehat2016.pdf
https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2018-Linux-Vulnerabilities_Windows-Exploits--Escalating-Privileges-with-WSL.pdf
https://resources.infosecinstitute.com/windows-subsystem-linux/#gref
https://mspscripts.com/get-installed-antivirus-information-2/
https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/
https://decoder.cloud/2018/10/29/no-more-rotten-juicy-potato/
https://itm4n.github.io/localservice-privileges/
https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights
| .NET Framework version | CLR version |
|---|---|
| Windows version / build | .NET Framework version |
|---|---|
| DOS | Powershell | WMI |
|---|---|---|
| NT Version | Build | Marketing name |
|---|---|---|
| Alias | Name |
|---|---|
| Ace's rights | Access right | Description |
|---|---|---|
| Tool(s) | Description | Technique limitation |
|---|---|---|
Basic info
net config workstation
Get-ComputerInfo
OS details
systeminfo
[environment]::OSVersion.Version
OS Architecture
echo %PROCESSOR_ARCHITECTURE%
[Environment]::Is64BitOperatingSystem
wmic os get osarchitecture
Hostname
hostname
$env:ComputerName
wmic computersystem get name
(PS) (Get-WmiObject Win32_ComputerSystem).Name
Fully qualified hostname
net config workstation | findstr /C:"Full Computer name"
[System.Net.Dns]::GetHostByName($env:computerName)
Drives
[System.IO.DriveInfo]::getdrives()
Get-PSDrive -PSProvider FileSystem
Curent Domain
echo %userdomain%
systeminfo | findstr "Domain"
$env:UserDomain (NetBIOS domain name)
$env:UserDomain (fully qualified domain name)
systeminfo | Select-String Domain
(PS) (Get-WmiObject Win32_ComputerSystem).Domain
Curent User
whoami /all
net user %username%
$env:UserName
(PS) (Get-WmiObject Win32_ComputerSystem).UserName
Local users
net users
net users <USERNAME>
Get-LocalUser
wmic USERACCOUNT list full
(PS) Get-WMIObject Win32_UserAccount -NameSpace "root\CIMV2" -Filter "LocalAccount='$True'"
Local groups
net localgroup
(Win10+) Get-LocalGroup
wmic group list full
Local groups' member(s)
net localgroup Administrators
net localgroup <GROUPNAME>
Get-LocalGroupMember -Name "<GROUPNAME>"
foreach ($group in Get-LocalGroup) { [PSCustomObject]@{ Group = $group.Name; User = (($group | Get-LocalGroupMember).Name | Out-String) } | fl }
Connected users
qwinsta
query user
Powershell version
Powershell $psversiontable
$psversiontable
Environement variables
set
Get-ChildItem Env: | ft Key,Value
Mounted disks
fsutil fsinfo drives
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}
wmic volume get DriveLetter,FileSystem,Capacity
Writable directories
dir /a-rd /s /b
Writable files
dir /a-r-d /s /b
Processes
tasklist /v
Get-Process | Ft Name,Id
wmic process get name,processid,executablepath,commandline,parentprocessid
(PS) Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
Processes command line
wmic process get Name,ProcessID,ExecutablePath
(PS) Get-WmiObject win32_process | Select Name,Handle,CommandLine | Format-List
TCP / UDP network connections
netstat -anob
Get-NetTCPConnection
User Account Control (UAC)
EnableLUA = 0x1 -> UAC is enabled (default since Windows Vista / Windows Server 2008).
LocalAccountTokenFilterPolicy = 0x1 -> UAC remote restrictions are disabled (non default).
FilterAdministratorToken = 0x1 -> UAC is enforced for the local built-in Administrator account RID 500 (non default).
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v FilterAdministratorToken
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA,LocalAccountTokenFilterPolicy,FilterAdministratorToken
.NET Framework 2.0
.NET Framework 3.0
.NET Framework 3.5
2
.NET Framework 4
.NET Framework 4.5 - 4.8
4
Windows Server 2022
.NET Framework 4.8
Windows 11
.NET Framework 4.8
Windows 10 (build 1903+)
.NET Framework 4.8
.NET Framework 3.5 SP1*
Windows Server 2019
Windows Server version 1803 / 1809
.NET Framework 4.7.2
Windows 10 (build 1803 / 1809)
.NET Framework 4.7.2
.NET Framework 3.5 SP1*
Windows Server version 1709
.NET Framework 4.7.1
Windows 10 (build 1709)
.NET Framework 4.7.1
.NET Framework 3.5 SP1*
Windows 10 (build 1703)
.NET Framework 4.7
.NET Framework 3.5 SP1*
Windows Server 2016
.NET Framework 4.6.2
Windows 10 (build 1607)
.NET Framework 4.6.2
.NET Framework 3.5 SP1*
Windows 10 (build 1511)
.NET Framework 4.6.1
.NET Framework 3.5 SP1*
Windows 10 (build 1507)
.NET Framework 4.6.0
.NET Framework 3.5 SP1*
Windows Server 2012 R2
.NET Framework 4.5.1
.NET Framework 3.5 SP1*
Windows Server 2012
.NET Framework 4.5
.NET Framework 3.5 SP1*
Windows 8.1
.NET Framework 4.5.1
.NET Framework 3.5 SP1*
Windows 8
.NET Framework 4.5
.NET Framework 3.5 SP1*
Windows 7
.NET Framework 3.5.1
Windows Server 2008 R2
.NET Framework 3.5.1
Windows Server 2008 SP2
.NET Framework 3.0 SP2*
.NET Framework 2.0 SP1
Windows Server 2008
Windows Server 2008 SP1
.NET Framework 3.0 SP1*
.NET Framework 2.0 SP1
Windows Vista SP1
.NET Framework 3.0 SP1*
.NET Framework 2.0 SP1
Windows Vista
.NET Framework 3.0*
.NET Framework 2.0
Windows Server 2003 (x86)
.NET Framework 2.0
.NET Framework 1.1
systeminfo Check content of C:\Windows\SoftwareDistribution\Download type C:\Windows\WindowsUpdate.log
Get-HotFix Get-WindowsUpdateLog
wmic qfe get HotFixID,InstalledOn,Description
3.1
528
Windows NT 3.1
3.5
807
Windows NT 3.5
3.51
1057
Windows NT 3.51
4.0
1381
Windows NT 4.0
5.0
2195
Windows 2000
5.1
2600
Windows XP
5.2
3790
Windows XP x64 Windows Server 2003 Windows Server 2003 R2
6.0
6000 6001
Windows Vista Windows Server 2008
6.1
7600
Windows 7 Windows Server 2008 R2
6.2
9200
Windows 8 Windows Server 2012
6.3
9600
Windows 8.1 Windows Server 2012 R2
10.0
10240 (TH1) / 10586 (TH2) 14393 (RS1) / 15063 (RS2) / 16299 (RS3) / 17134 (RS4) / 17763 (RS5)
Windows 10 Windows Server 2016
AN
Anonymous logon
AO
Account operators
AU
Authenticated users
BA
Built-in administrators
BG
Built-in guests
BO
Backup operators
BU
Built-in users
CA
Certificate server administrators
CG
Creator group
CO
Creator owner
DA
Domain administrators
DC
Domain computers
DD
Domain controllers
DG
Domain guests
DU
Domain users
EA
Enterprise administrators
ED
Enterprise domain controllers
IU
Interactively logged-on user
LA
Local administrator
LG
Local guest
LS
Local service account
NO
Network configuration operators
NS
Network service account
NU
Network logon user
PA
Group Policy administrators
PO
Printer operators
PS
Personal self
PU
Power users
RC
Restricted code
RD
Terminal server users
RE
Replicator
RS
RAS servers group
RU
Alias to allow previous Windows 2000
SA
Schema administrators
SO
Server operators
SU
Service logon user
SY
Local system
WD
Everyone
-
SERVICE_ALL_ACCESS
Include all service permissions, notably SERVICE_CHANGE_CONFIG.
CC
SERVICE_QUERY_CONFIG
Retrieve the service's current configuration from the SCM.
DC
SERVICE_CHANGE_CONFIG
Change the service configuration, notably grant the right to change the executable file associated with the service.
GA
GENERIC_ALL
Equivalent to all the generic access rights (read, write and execute access to the service).
GX
GENERIC_WRITE
Equivalent to SERVICE_QUERY_STATUS and SERVICE_CHANGE_CONFIG.
LC
SERVICE_QUERY_STATUS
Retrieve the service's current status from the SCM.
LO
SERVICE_INTERROGATE
Retrieve the service's current status directly from the service itself.
RC
READ_CONTROL
Read the security descriptor of the service.
RP
SERVICE_START
Start the service.
SW
SERVICE_ENUMERATE_DEPENDENTS
List the services that depend on the service.
WD
WRITE_DAC
Modify the DACL of the service in its security descriptor.
WO
WRITE_OWNER
Change the owner of the service in its security descriptor.
WP
SERVICE_STOP
Stop the service.
Potato family (Potato, RottenPotatoNG, Juicy Potato)
Induces the SYSTEM account to connect to a controlled RPC endpoint using the CoGetInstanceFromIStorage COM API function.
In Potato and RottenPotatoNG, the call was used to instantiate a COM Storage Object of the BITS local service. In Juicy Potato, an instance of the service specified in parameter, using its Class Identifier (CLSID), is requested.
Then the packets received by the controlled RPC endpoint are relayed to the MSRPC endpoint (on port TCP 135) until an NTLM authentication attempt of the SYSTEM account is received.
The NTLM authentication attempt is replayed using Windows API calls (AcquireCredentialsHandle and AcceptSecurityContext) to ultimately obtain a token for the SYSTEM account.
Restriction applied starting from the Windows 10 1809 and Windows Server 2019 operating system mitigate this attack.
Indeed the port contacted by the COM API function is now fixed to the MSRPC endpoint and can not longer be specified, resulting in an impossibility to intercept the NTLM authentication attempt.
Exploit the fact that upon starting the BITS service attempt an NTLM authentication to the WinRM service (on port 5985).
Similarly to the exploitation process of tools from the Potato family, the NTLM authentication attempt is relayed through Windows API calls to obtain a token for the SYSTEM account.
Requires that the WinRM service is not running (default configuration on Windows workstation operating systems, including Windows 10, but not on Windows server operating systems).
Induces the SYSTEM account to connect to a controlled named pipe using the RpcRemoteFindFirstPrinterChangeNotification(Ex) function of the Print System Remote Protocol exposed on the MS-RPRN MSRPC interface (also known as "Printer Bug").
Once the SYSTEM account is connected to the controlled named pipe, it can be impersonated using the ImpersonateNamedPipeClient Win32 API function.
Requires the Print Spooler service to be running (or startable by the current user) on the host.