Local privilege escalation
The following note assumes that a low privilege shell could be obtained on the target.
To leverage a shell from a Remote Code Execution (RCE) vulnerability please refer to the [General] Shells
note.
“The more you look, the more you see.” ― Pirsig, Robert M., Zen and the Art of Motorcycle Maintenance
Basic enumeration
The following commands can be used to grasp a better understanding of the current system:
Basic info
net config workstation
Get-ComputerInfo
OS details
systeminfo
[environment]::OSVersion.Version
OS Architecture
echo %PROCESSOR_ARCHITECTURE%
[Environment]::Is64BitOperatingSystem
wmic os get osarchitecture
Hostname
hostname
$env:ComputerName
wmic computersystem get name
(PS) (Get-WmiObject Win32_ComputerSystem).Name
Fully qualified hostname
net config workstation | findstr /C:"Full Computer name"
[System.Net.Dns]::GetHostByName($env:computerName)
Drives
[System.IO.DriveInfo]::getdrives()
Get-PSDrive -PSProvider FileSystem
Curent Domain
echo %userdomain%
systeminfo | findstr "Domain"
$env:UserDomain
(NetBIOS domain name)
$env:UserDomain
(fully qualified domain name)
systeminfo | Select-String Domain
(PS) (Get-WmiObject Win32_ComputerSystem).Domain
Curent User
whoami /all
net user %username%
$env:UserName
(PS) (Get-WmiObject Win32_ComputerSystem).UserName
Local users
net users
net users <USERNAME>
Get-LocalUser
wmic USERACCOUNT list full
(PS) Get-WMIObject Win32_UserAccount -NameSpace "root\CIMV2" -Filter "LocalAccount='$True'"
Local groups
net localgroup
(Win10+) Get-LocalGroup
wmic group list full
Local groups' member(s)
net localgroup Administrators
net localgroup <GROUPNAME>
Get-LocalGroupMember -Name "<GROUPNAME>"
foreach ($group in Get-LocalGroup) { [PSCustomObject]@{ Group = $group.Name; User = (($group | Get-LocalGroupMember).Name | Out-String) } | fl }
Connected users
qwinsta
query user
Powershell version
Powershell $psversiontable
$psversiontable
Environement variables
set
Get-ChildItem Env: | ft Key,Value
Mounted disks
fsutil fsinfo drives
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}
wmic volume get DriveLetter,FileSystem,Capacity
Writable directories
dir /a-rd /s /b
Writable files
dir /a-r-d /s /b
Processes
tasklist /v
Get-Process | Ft Name,Id
wmic process get name,processid,executablepath,commandline,parentprocessid
(PS) Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
Processes command line
wmic process get Name,ProcessID,ExecutablePath
(PS) Get-WmiObject win32_process | Select Name,Handle,CommandLine | Format-List
TCP
/ UDP
network connections
netstat -anob
Get-NetTCPConnection
User Account Control (UAC)
EnableLUA
= 0x1
-> UAC
is enabled (default since Windows Vista
/ Windows Server 2008
).
LocalAccountTokenFilterPolicy
= 0x1
-> UAC
remote restrictions are disabled (non default).
FilterAdministratorToken
= 0x1
-> UAC
is enforced for the local built-in Administrator
account RID
500 (non default).
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v FilterAdministratorToken
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA,LocalAccountTokenFilterPolicy,FilterAdministratorToken
Installed .NET framework
A number of tools may require the use of the .NET Framework
, either for privileges escalation or post exploitation. The .NET Framework 4.8
will be the last version released of the .NET Framework
(only security updates and reliability hotfixes will follow).
Each version of the .NET Framework
contains the Common Language Runtime (CLR)
, used to execute managed code
of .NET
programs. A .NET
programs should be build to target the CLR
version associated with the .NET Framework
installed on the (targeted) host. For instance, an utility can be build to target the .NET Framework 4.8
even if only the .NET Framework 4
is installed on the host the utility will be executed on.
.NET Framework 2.0
.NET Framework 3.0
.NET Framework 3.5
2
.NET Framework 4
.NET Framework 4.5 - 4.8
4
The .NET Framework
is installed by default on Windows, with a version depending on the Windows version:
Windows Server 2022
.NET Framework 4.8
Windows 11
.NET Framework 4.8
Windows 10 (build 1903+)
.NET Framework 4.8
.NET Framework 3.5 SP1
*
Windows Server 2019
Windows Server version 1803 / 1809
.NET Framework 4.7.2
Windows 10 (build 1803 / 1809)
.NET Framework 4.7.2
.NET Framework 3.5 SP1
*
Windows Server version 1709
.NET Framework 4.7.1
Windows 10 (build 1709)
.NET Framework 4.7.1
.NET Framework 3.5 SP1
*
Windows 10 (build 1703)
.NET Framework 4.7
.NET Framework 3.5 SP1
*
Windows Server 2016
.NET Framework 4.6.2
Windows 10 (build 1607)
.NET Framework 4.6.2
.NET Framework 3.5 SP1
*
Windows 10 (build 1511)
.NET Framework 4.6.1
.NET Framework 3.5 SP1
*
Windows 10 (build 1507)
.NET Framework 4.6.0
.NET Framework 3.5 SP1
*
Windows Server 2012 R2
.NET Framework 4.5.1
.NET Framework 3.5 SP1
*
Windows Server 2012
.NET Framework 4.5
.NET Framework 3.5 SP1
*
Windows 8.1
.NET Framework 4.5.1
.NET Framework 3.5 SP1
*
Windows 8
.NET Framework 4.5
.NET Framework 3.5 SP1
*
Windows 7
.NET Framework 3.5.1
Windows Server 2008 R2
.NET Framework 3.5.1
Windows Server 2008 SP2
.NET Framework 3.0 SP2
*
.NET Framework 2.0 SP1
Windows Server 2008
Windows Server 2008 SP1
.NET Framework 3.0 SP1
*
.NET Framework 2.0 SP1
Windows Vista SP1
.NET Framework 3.0 SP1
*
.NET Framework 2.0 SP1
Windows Vista
.NET Framework 3.0
*
.NET Framework 2.0
Windows Server 2003 (x86)
.NET Framework 2.0
.NET Framework 1.1
*The .NET Framework
version must be enabled (either through the Control Panel
or, for Windows Server, through the Server Manager
).
The version of the .NET Framework
framework installed can be determined through registry key entries. Additionally, before .NET Framework 4.0
, the installed .NET Framework
version can be determined using the names of the folder in the \Windows\Microsoft.NET\Framework64\
directory. For later versions, the MSBuild.exe
utility, packaged with the .NET
framework, can be used to establish the precise version installed. If the execution of MSBuild.exe
is blocked, the version can still be retrieved manually.
Defense and supervision scouting
Before attempting a local privilege escalation, notably in a covert scenario, establishing a precise vision on the system security defense and supervision mechanisms may help evade detection.
Antivirus product
The Windows Security Center
is a Windows component which, among other features, keep track of the antivirus products installed on the system and their status (monitoring mode and antivirus signatures update status). The Security Center
consolidates the Windows Defender
status as well as third party antivirus solutions by:
searching for registry keys and files provided to Microsoft by the antivirus software manufacturers
exposing a WMI provider on which antivirus software manufacturers can report their product status
Note that some Endpoint Detection and Response (EDR)
solutions may not be registered in the SecurityCenter
and can only be detected by listing the running processes or configured services.
The productState
property can be parsed and converted to a human readable format using the following PowerShell code snippet:
Audit policies
The configured audit policies can be retrieved within the registry.
In particular, whether or not the command line is logged in process creation events (Security
hive, 4688: A new process has been created
) is of importance, as a process command line arguments may yield information about a tool function, compromised accounts or C2 servers, and be very able for the blue team.
Windows Event Forwarding
Windows Event Forwarding (WEF)
is a Microsoft Windows component that forwards the chosen event logs to a Windows Event Collector (WEC)
server, for back up or security monitoring.
The following registry key can be queried to retrieve information about a possible WEF
subscription:
AppLocker
AppLocker
is a Windows native feature, added in Windows 7 Enterprise, that allows, through the definition of rules, for the restriction and control of the files users can execute.
The configured AppLocker
rules are stored in multiple locations within the registry and can also be retrieved using the Get-AppLockerPolicy
PowerShell cmdlet.
Note that the appidsvc
service must be running for AppLocker
to be functional.
Additionally, the presence and size of the event logs hive Microsoft-Windows-AppLocker/EXE and DLL
can also be a good indicator of whether or not AppLocker
is enabled. If the log file is not present or is empty (the evtx file has a size of 68 Ko / 69 632 bytes) then AppLocker
may not have been enabled and configured on the system.
For more information about AppLocker
, refer to the Windows - Bypass AppLocker
note.
Seatbelt
Seatbelt
is a C# tool that can be used to enumerate a number of security mechanisms of the target such as the PowerShell restrictions, audit and Windows Event Forwarding settings, registered antivirus, firewall rules, installed patches and last reboot events, etc.
Seatbelt
can also be used to gather interesting user data such as saved RDP connections files and putty SSH host keys, AWS/Google/Azure cloud credential files, browsers bookmarks and histories, etc.
Local privilege escalation enumeration scripts
Most of the enumeration process detailed below can be automated using scripts.
Personal preference: PEASS's WinPEAS.exe
or WinPEAS.bat
+ PowerSploit's PowerUp.ps1
Invoke-PrivescAudit
/ Invoke-AllChecks
+ off-target Windows Exploit Suggester - Next Generation
To upload the scripts on the target, please refer to the [General] File transfer
note.
Note that PowerShell scripts can be injected directly into memory using PowerShell DownloadString
or through a meterpreter
session:
Privilege Escalation Awesome Scripts SUITE (PEASS) - WinPEAS
WinPEAS
checks the local privilege escalation vectors defined in the following checklist: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
.
Note that the winPEAS.exe
executable requires the .NET 4.0 framework to function. Alternatively, the winPEAS.bat
script may be used instead (with no coloring support and less optimization).
PowerSploit's PowerUp
The PowerSploit's PowerUp Invoke-PrivescAudit
/ Invoke-AllChecks
and enjoiz's privesc.bat
or privesc.ps1
scripts run a number of configuration checks:
Clear text passwords in files or registry
Unquoted services path
Weak services permissions
"AlwaysInstallElevated" policy
Token privileges
...
The Invoke-PrivescAudit
/ Invoke-AllChecks
cmdlets will run all the checks implemented by PowerSploit's PowerUp.ps1
. The script can be either injected directly into memory as specified above or can be imported using the file.
Note that PowerUp
is not actively maintained in the master branch of the PowerShellMafia
's PowerSploit
GitHub repository.
enjoiz privesc.bat / privesc.ps1
Both the batch and PowerShell versions of the enjoiz
privilege escalation script require accesschk.exe
to present on the targeted machine (on the script directory). The script takes one or multiple user group(s) as parameter to test the configuration for. To retrieve the user groups of the compromised user, the Windows built-in whoami /groups
can be used.
Windows Exploit Suggester - Next Generation
The WES-NG
script compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. Refer to the Unpatched system
section below for a detailed usage guide of the script.
Physical access privileges escalation
Physical access open up different ways to bypass user login screen and obtain NT AUTHORITY\SYSTEM
access.
Hardened system
BIOS settings
The methods detailed below require to boot from a live CD/DVD or USB key. The possibility to do so may be disabled by BIOS settings. To conduct the attack below, an access to the BIOS or a reset to default settings must be accomplished.
Manufacturers may have defined a default BIOS password, some of which are listed on the following resource http://www.uktsupport.co.uk/reference/biosp.htm
Ultimately, BIOS settings can be reseted by removing the CMOS battery or using the motherboard Jumper. The system hard drive can also be plugged on another computer to extract the SAM base or carry out the process below.
Encrypted disk
The methods detailed below require an access to the Windows file system and will not work on encrypted partitions if the password to decrypt the file system is not known.
PCUnlocker
PCUnlocker
is a password-unlocking software that can be used to reset lost Windows users password. it can be burn on a CD/DVD or installed on a bootable USB key.
The procedure to create a bootable USB key and reset local Windows users passwords is as follow:
Download
Rufus
andPCUnlocker
Create a bootable USK key using
Rufus
with thePCUnlocker
ISO. If making an USB key for a computer with UEFI BIOS, pick the "GPT partition scheme for UEFI computer" option on RufusBoot on the USB Key thus created (boot order may need to be changed in BIOS)
From the
PCUnlocker
GUI, pick an account and click the "Reset Password" button to reset the password to
To create a bootable CD/DVD, simply use any CD/DVD burner with the PCUnlocker
ISO and follow steps 3 & 4. If used on a Domain Controller, PCUnlocker
can be used to reset Domain users password by updating the ntds.dit
file.
utilman.exe
The utilman
utility tool can be launched at the login screen before authentication as NT AUTHORITY\SYSTEM. By using a Windows installation CD/DVD, it is possible to replace the utilman.exe
by cmd.exe
to gain access to a CMD shell as SYSTEM without authentication.
The procedure to do so is as follow:
Download the Windows ISO corresponding to the attacked system and burn it to a CD/DVD
Boot on the thus created CD/DVD
Pick the "Repair your computer" option
Select the “Use recovery tools [...]" option, pick the operating system from the list and click "Next"
A command prompt should open, enter the following commands:
cd windows\system32
ren utilman.exe utilman.exe.bak
copy cmd.exe utilman.exe
Remove the CD/DVD and boot the system normally.
On the login screen, press the key combination Windows Key + U
A command prompt should open with NT AUTHORITY\SYSTEM rights
Change a user password (net user ) or create a new user
Sensible content
Clear text passwords in files
The built-in findstr
and dir
can be used to search for clear text passwords stored in files. The keyword 'password' should be used first and the search broaden if needed by searching for 'pass'.
The meterpreter
search
command can be used in place of findstr
if a meterpreter
shell is being used.
The following files, if present on the system, may contain clear text or base64 encoded passwords and should be reviewed:
Cached credentials
Windows-based computers use multiple forms of password caching / storage: local accounts credentials, domain credentials, and generic credentials:
Domain credentials are authenticated by the Local Security Authority (LSA) and cached in the LSASS (Local Security Authority Subsystem) process.
Local accounts credentials are stored in the SAM (Security Account Manager) hive.
Generic credentials are defined programs that manage authorization and security directly. The generic credentials are cached in the Windows Credential Manager.
Local administrator or NT AUTHORITY\SYSTEM
privileges are required to access the clear-text or hashed passwords. Refer to the [Windows] Post Exploitation
note for more information on how to retrieve these credentials.
However, stored generic credentials may be directly usable. In particular, Windows credentials (domain or local accounts) cached as generic credentials in the Credential Manager, usually done using runas /savecred
.
The cmdkey
and rundll32.exe
Windows built-ins can be used to enumerate the generic credentials stored on the machine. Saved Windows credentials be can used using runas
.
Cached GPP passwords
GPP can be cached locally and may contain encrypted passwords that can be decrypted using the Microsoft public AES key.
The Get-CachedGPPPassword
cmdlet, of the PowerSploit
's PowerUp
script, can be used to automatically retrieve the cached GPP XML files and extract the present passwords.
The following commands can be used to conduct the search manually:
The Ruby gpp-password
script can be used to decrypt a GPP password:
Clear text password in registry
Passwords may also be stored in Windows registry:
Wifi passwords
The configured / memorized Wifi passwords on the target machine may be retrievable as an unprivileged user using the Windows built-in netsh
:
Passwords in Windows event logs
If the compromised user can read Windows events logs, by being a member of the Event Log Readers
notably, and the command-line auditing feature is enabled, the logs should be reviewed for sensible information.
Recently modified files
Recently modified files can be of interest and may contain sensitive information. For example, the lastly modified files in a product installation folder may correspond to the non default modifications and configuration.
The time of modification may also be of interest in a CTF
scenarios.
Hidden files
To display only hidden files, the following command can be used:
Files of interest
The following files may contains sensible information:
Alternate data streams (ADS)
The NTFS file system includes support for ADS, allowing files to contain more than one stream of data. Every Windows file has at least one data stream, called by default :$DATA
.
ADS do not appear in Windows Explorer, and their size is not included in the size of the file that hosts them. Moreover, only the main stream of a file is retained when copying to a FAT file system, attaching to a mail or uploading to a website. Because of these properties, ADS may be used by users or applications to store sensible information and the eventual ADS present on the system should be reviewed.
DOS and PowerShell built-ins as well as streams.exe
from the Sysinternals suite and tools from http://www.flexhex.com/docs/articles/alternate-streams.phtml can be used to operate with ADS.
Note that the PowerShell cmdlets presented below are only available starting from PowerShell 3
.
Unpatched system
OS and Kernel version
The following commands or actions can be used to get the updates installed on the host:
systeminfo Check content of C:\Windows\SoftwareDistribution\Download type C:\Windows\WindowsUpdate.log
Get-HotFix Get-WindowsUpdateLog
wmic qfe get HotFixID,InstalledOn,Description
Windows releases information:
3.1
528
Windows NT 3.1
3.5
807
Windows NT 3.5
3.51
1057
Windows NT 3.51
4.0
1381
Windows NT 4.0
5.0
2195
Windows 2000
5.1
2600
Windows XP
5.2
3790
Windows XP x64 Windows Server 2003 Windows Server 2003 R2
6.0
6000 6001
Windows Vista Windows Server 2008
6.1
7600
Windows 7 Windows Server 2008 R2
6.2
9200
Windows 8 Windows Server 2012
6.3
9600
Windows 8.1 Windows Server 2012 R2
10.0
10240 (TH1) / 10586 (TH2) 14393 (RS1) / 15063 (RS2) / 16299 (RS3) / 17134 (RS4) / 17763 (RS5)
Windows 10 Windows Server 2016
Automatically compare the system patch level to public known exploits:
Installed software
The following commands can be used to enumerate the software installed on the local system:
Exploits detection tools
Windows Exploit Suggester - Next Generation (WES-NG)
-- Replace Windows-Exploit-Suggester --
The WES-NG
Python script compares a target patch level, retrieved using systeminfo
, and the Microsoft vulnerability database in order to detect potential missing patches on the target.
Windows-Exploit-Suggester (outdated)
Outdated: Microsoft replaced the Microsoft Security Bulletin Data Excel file, on which Windows-Exploit-Suggester is fully dependent, by the MSRC API. The Microsoft Security Bulletin Data Excel file has not been updated since Q1 2017, so later operating systems and vulnerabilities can no longer be assessed --
The windows-exploit-suggester
script compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit
modules available for the missing bulletins. It requires the systeminfo
command output from a Windows host in order to compare that the Microsoft security bulletin database and determine the patch level of the host. It has the ability to automatically download the security bulletin database from Microsoft with the --update flag, and saves it as an Excel spreadsheet.
If the systeminfo
command reveals 'File 1' as the output for the hotfixes, the output of wmic qfe list full
should be used instead using the --hotfixes flag, along with the systeminfo
:
Watson
Watson
(replaces Sherlock
) is a .NET tool designed to enumerate missing KBs and suggest exploits. Only works on Windows 10 (1703, 1709, 1803 & 1809) and Windows Server 2016 & 2019.
Watson
must be compiled for the .NET version supported on the target.
Sherlock (outdated)
Outdated: Microsoft changed to rolling patches on Windows instead of hotfixes per vulnerability, making the detection mechanism of Sherlock
non functional.
PowerShell script to find missing software patches for critical vulnerabilities that could be leveraged for local privilege escalation.
To download and execute directly into memory:
(Metasploit) Local Exploit Suggester (outdated)
The local_exploit_suggester
module suggests local meterpreter
exploits that can be used against the target, based on the architecture and platform as well as the available exploits in meterpreter
.
Pre compiled exploits
A collection of pre compiled Windows kernel exploits can be found on the windows-kernel-exploits
GitHub repository. Use at your own risk.
Compilers
mingw
An exploit in C can be compiled on Linux to be used on a Windows system using the cross-compiler mingw
:
PyInstaller
If an exploit is only available as a Python script and Python is not installed on the target, PyInstaller
can be used to compile a stand alone executable of the Python script:
PyInstaller
should be used on a Windows operating system.
PrintNightmare (CVE-2021-1675)
On unpatched systems with the Print Spooler
service running, the PrintNightmare
vulnerability (CVE-2021-1675
) can be leveraged, in addition to remote code execution, for local privilege escalation. The PrintNightmare
vulnerability basically result in the execution of an arbitrary DLL
under NT AUTHORITY\SYSTEM
privileges. For more details on the PrintNightmare
vulnerability, refer to the [L7] 135 - MSRPC
note.
The status of the Print Spooler
service on the local system can be retrieved using the following PowerShell cmdlets:
The nightmare-dll DLL
creates a local user (using the Win32
's NetUserAdd
API) and add it to the local Administrators
group (using the Win32
's NetLocalGroupAddMembers
API). It may be used as a DLL
template for PrintNightmare
exploitation. Alternatively, a payload DLL
may be generated using, for example, msfvenom
.
The CVE-2021-1675.ps1
PowerShell script can be used to locally elevate privileges by either:
using its embedded (Base64-encoded GZIPped)
DLL
to create a local user and add it to the localAdministrators
groupexecuting the specified
DLL
underNT AUTHORITY\SYSTEM
privileges
Alternatively, the SharpPrintNightmare
C#
implementation can be used for local privilege escalation purposes (in addition to remote code execution):
CVE-2021-1675.ps1
and SharpPrintNightmare
(in LPE
mode) present the advantage of not relying on the RPC
or SMB
protocols as the AddPrinterDriverEx
and EnumPrinterDrivers
APIs are called directly.
AlwaysInstallElevated policy
Windows provides a mechanism which allows unprivileged users to install Windows installation packages, Microsoft Windows Installer Package (MSI)
files, with NT AUTHORITY\SYSTEM
privileges. This policy is known as AlwaysInstallElevated
.
If activated, this mechanism can be leveraged to elevate privileges on the system by executing code through the MSI
during the installation process as NT AUTHORITY\SYSTEM
.
The Windows built-in req
utility and the PowerUp
PowerShell script can be used to check whether the AlwaysInstallElevated
policy is enabled on the host by querying the associated registry key:
The policy can be abused to elevate privileges:
By executing a given binary or
bat
script through a specifically craftedMSI
installer using theMSI Wrapper
graphical application ormsfvenom
.By adding a local user to the local
Administrators
group using theMSI
installer embedded in thePowerUp
'sWrite-UserAddMSI
PowerShell cmdlet. The cmdlet will open a graphical interface to specify the user to be added.Through a
meterpreter
session using theMetasploit
'sexploit/windows/local/always_install_elevated
module. The module will prevent the installation from succeeding to avoid the registration of the program on the system.
Refer to the [General] File transfer
note for file transfer techniques to upload the MSI on the targeted system.
Services misconfigurations
In Windows NT operating systems, a Windows service is a computer program that operates in the background, similarly in concept to a Unix daemon.
A Windows service must conform to the interface rules and protocols of the Service Control Manager
, the component responsible for managing Windows services. Windows services can be configured to start with the operating system, manually or when an event occur.
Vulnerabilities in a service configuration could be exploited to execute code under the privileges of the user starting the service, often NT AUTHORITY\SYSTEM
.
Windows services enumeration
The Windows built-ins sc
and wmic
can be used to enumerate the services configured on the target system. The Windows built-in graphical utility services.msc
can alternatively be used as well.
Weak services permissions
A weak service permissions vulnerability occurs when an unprivileged user can alter the service configuration so that the service runs an arbitrary specified command or executable.
The rights on the service are defined in each service's security descriptor, formatted according to the Security Descriptor Definition Language (SDDL)
definition. The SDDL
defines the System Access Control List and (SACL)
and the Discretionary Access Control List (DACL)
:
Prefix of S:
SACL
which controls the auditing (what access will generate an auditing event).Prefix of D:
DACL
which controls the actual permissions / rights over the services (and will govern the access to the service).
The SDDL
uses Access Control Entry (ACE)
strings in the DACL
and SACL
components of a security descriptor string. Each ACE
in a security descriptor string is enclosed in parentheses in which an user account and their associated permissions / rights are represented.
The fields of the ACE
are in the following order and are separated by semicolons (;).
In case of services, the fields ace_type
, rights
and account_sid
are usually the only ones being set.
The ace_type
field is usually either set to Allow (A)
or Deny (D)
. The rights
field is a string that indicates the access rights controlled by the ACE
, usually composed of pair of letters each representing a specific permission. Finally, the account_sid
represent the security principal assigned with the permissions and can either be a two letters known alias or a SID
.
The following known aliases can be encountered:
AN
Anonymous logon
AO
Account operators
AU
Authenticated users
BA
Built-in administrators
BG
Built-in guests
BO
Backup operators
BU
Built-in users
CA
Certificate server administrators
CG
Creator group
CO
Creator owner
DA
Domain administrators
DC
Domain computers
DD
Domain controllers
DG
Domain guests
DU
Domain users
EA
Enterprise administrators
ED
Enterprise domain controllers
IU
Interactively logged-on user
LA
Local administrator
LG
Local guest
LS
Local service account
NO
Network configuration operators
NS
Network service account
NU
Network logon user
PA
Group Policy administrators
PO
Printer operators
PS
Personal self
PU
Power users
RC
Restricted code
RD
Terminal server users
RE
Replicator
RS
RAS servers group
RU
Alias to allow previous Windows 2000
SA
Schema administrators
SO
Server operators
SU
Service logon user
SY
Local system
WD
Everyone
The following permissions are worth mentioning in the prospect of local privilege escalation:
-
SERVICE_ALL_ACCESS
Include all service permissions, notably SERVICE_CHANGE_CONFIG
.
CC
SERVICE_QUERY_CONFIG
Retrieve the service's current configuration from the SCM.
DC
SERVICE_CHANGE_CONFIG
Change the service configuration, notably grant the right to change the executable file associated with the service.
GA
GENERIC_ALL
Equivalent to all the generic access rights (read, write and execute access to the service).
GX
GENERIC_WRITE
Equivalent to SERVICE_QUERY_STATUS
and SERVICE_CHANGE_CONFIG
.
LC
SERVICE_QUERY_STATUS
Retrieve the service's current status from the SCM.
LO
SERVICE_INTERROGATE
Retrieve the service's current status directly from the service itself.
RC
READ_CONTROL
Read the security descriptor of the service.
RP
SERVICE_START
Start the service.
SW
SERVICE_ENUMERATE_DEPENDENTS
List the services that depend on the service.
WD
WRITE_DAC
Modify the DACL of the service in its security descriptor.
WO
WRITE_OWNER
Change the owner of the service in its security descriptor.
WP
SERVICE_STOP
Stop the service.
A more comprehensive list of the access rights for Windows services can be found in the official Microsoft documentation.
The accesschk
tool, from the Sysinternals
suite, and the Powershell
PowerUp
script can be used to list the services an user can exploit:
If the use of the tools above is not a possibility, the Windows built-in sc
can be used to directly retrieve a service's security descriptor's DACL
(but not the owner of the service nor the it's SACL
):
The sc
utility can, among others, also be used to alter a service configuration:
The Metasploit
module exploit/windows/local/service_permissions
can be used through an existing meterpreter
session to automatically detect and exploit weak services permissions to execute a specified payload under NT AUTHORITY\SYSTEM privileges.
Unsecure NTFS permissions on service binaries
Permissive NTFS permissions on the service binary used by the service can be leveraged to elevate privileges on the system as the user running the service.
If available, the Windows utility wmic
can be used to retrieve all services binary paths:
The Windows bullet-in icacls
can be used to determine the NTFS
permissions on the services binary:
Unquoted service binary paths
When a service path is unquoted, the Service Manager will try to find the service binary in the shortest path, moving up to the longest path until one works. For example, for the path C:\TEST\Service Folder\binary.exe, the space is treated as an optional path to explore for that service. The resolution process will first look into C:\TEST\ for the Service.exe binary and, if it exist, use it to start the service.
Here is Windows’ chain of thought for the above example:
Are they asking me to run "C:\TEST\Service.exe" Folder\binary.exe No, it does not exist.
Are they asking me to run "C:\TEST\Service Folder\Service_binary.exe" Yes, it does exist.
In summary, a service is vulnerable if the path to the executable contains spaces and is not wrapped in quote marks. Exploitation requires write permissions to the path before the quote mark. Note that unquoted path for services in C:\Program Files
and C:\Program Files (x86)
are usually not exploitable as unprivileged user rarely have write access in the C:\
root directory or in the standard program directories.
In the above example, if an attacker has write privilege in C:\TEST, he could create a C:\Service.exe and escalate its privileges to the level of the account that starts the service.
To find vulnerable services the wmic
tool and the Powershell
PowerUp
script can be used as well as a manual review of each service metadata using sc
queries:
The Metasploit
module exploit/windows/local/trusted_service_path
can be used through an existing meterpreter
session to automatically detect and exploit unquoted service path to execute a specified payload under NT AUTHORITY\SYSTEM
privileges.
Windows XP SP0 & SP1
On Windows XP SP0 and SP1, the Windows service upnphost
is run by NT AUTHORITY\LocalService
and grants the permission SERVICE_ALL_ACCESS
to all Authenticated Users
, meaning all authenticated users on the system can fully modify the service configuration. Du to the End-of-Life status of the Service Pack affected, the vulnerability will not be fixed and can be used as an universal privileges escalation method on Windows XP SP0 & SP1.
Generate new service binary
Add a local administrator user
The following C code can be used to add a local administrator user:
The C code above can be compiled on Linux using the cross-compiler mingw
(refer to cross compilation above).
Reverse shell
The service can be leveraged to start a privileged reverse shell. Refer to the [General] Shells - Binary
note.
Service restart
To restart the service:
If an error System error 1068
("The dependency service or group failed to start."), the dependencies can be removed to fix the service:
Scheduled tasks & statup commands
Scheduled tasks are used to automatically perform a routine task on the system whenever the criteria associated to the scheduled task occurs. The scheduled tasks can either be run at a defined time, on repeat at set intervals, or when a specific event occurs, such as the system boot.
The scheduled tasks are exposed to the same kinds of misconfigurations flaws affecting the Windows services. However, note that the Windows GUI utility Task Scheduler
, used to configure scheduled task, will always make use of quoted binary path, thus limiting the occurrence of unquoted scheduled task path.
The Windows built-in schtasks
can be used to enumerate the scheduled tasks configured on the system or to retrieve information about a specific scheduled task.
The commands below can be chained to filter the enabled scheduled tasks name and action for NT AUTHORITY\SYSTEM
, Administrator
or the specified user:
The Windows bullet-in icacls
can be used to determine the NTFS permissions on the scheduled tasks binary:
If the current user can modify the binary / script of a scheduled task run by another user, arbitrary command execution under the other user privileges can be achieved once the criteria associated to the scheduled task occurs.
Refer to the [General] Shells - Binary
note for reverse shell binaries / scripts.
Token Privileges abuse
Vulnerable privileges
Use the following command to retrieve the current user account token privileges:
The following tokens can be exploited to gain SYSTEM access privileges:
SeAssignPrimaryPrivilege
SeBackupPrivilege
SeCreateTokenPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
For more and updated information on the aforementioned privileges, refer to the Priv2Admin GitHub repository.
SeAssignPrimaryPrivilege / SeImpersonatePrivilege
Overview
The SeAssignPrimaryTokenPrivilege
and the SeImpersonatePrivilege
privileges allow, by design, to create a process under the security context of another user. The SeAssignPrimaryTokenPrivilege
privilege can be exploited using the CreateProcessAsUser()
Win32 API while the SeImpersonatePrivilege
privilege can leveraged using the CreateProcessWithToken()
Win32 API.
Exploits of the potato family (except RoguePotato) no longer work on Windows 10 build 1809
/ Windows 2019
and later.
The process creation requires however a handle to a primary token of the user to impersonate. Multiple tools and techniques may be used to obtain a handle to a token of the NT AUTHORITY\SYSTEM
account:
Induces the SYSTEM
account to connect to a controlled RPC
endpoint using the CoGetInstanceFromIStorage COM
API function.
In Potato
and RottenPotatoNG
, the call was used to instantiate a COM Storage Object
of the BITS
local service. In Juicy Potato
, an instance of the service specified in parameter, using its Class Identifier (CLSID)
, is requested.
Then the packets received by the controlled RPC
endpoint are relayed to the MSRPC
endpoint (on port TCP 135) until an NTLM
authentication attempt of the SYSTEM
account is received.
The NTLM
authentication attempt is replayed using Windows API calls (AcquireCredentialsHandle
and AcceptSecurityContext
) to ultimately obtain a token for the SYSTEM
account.
Restriction applied starting from the Windows 10 1809
and Windows Server 2019
operating system mitigate this attack.
Indeed the port contacted by the COM
API function is now fixed to the MSRPC
endpoint and can not longer be specified, resulting in an impossibility to intercept the NTLM authentication attempt.
Exploit the fact that upon starting the BITS
service attempt an NTLM
authentication to the WinRM
service (on port 5985).
Similarly to the exploitation process of tools from the Potato family, the NTLM
authentication attempt is relayed through Windows API calls to obtain a token for the SYSTEM
account.
Requires that the WinRM
service is not running (default configuration on Windows workstation operating systems, including Windows 10
, but not on Windows server operating systems).
Induces the SYSTEM
account to connect to a controlled named pipe
using the RpcRemoteFindFirstPrinterChangeNotification(Ex)
function of the Print System Remote Protocol
exposed on the MS-RPRN
MSRPC
interface (also known as "Printer Bug").
Once the SYSTEM
account is connected to the controlled named pipe
, it can be impersonated using the ImpersonateNamedPipeClient
Win32 API function.
Requires the Print Spooler
service to be running (or startable by the current user) on the host.
Local service accounts privileges reduction
The NT AUTHORITY\LOCAL SERVICE
and NT AUTHORITY\NETWORK SERVICE
are predefined local accounts notably used by the Service Control Manager
. By default, the accounts are granted the SeImpersonatePrivilege
privilege.
However, some Windows services executed as NT AUTHORITY\LOCAL SERVICE
or NT AUTHORITY\NETWORK SERVICE
will voluntarily limit their privileges and remove the SeImpersonatePrivilege
from their access token. In such cases, the default privileges normally granted to the service accounts can be retrieved by creating a scheduled task; as the scheduled task process will have all the default privileges restored.
FullPowers can be used to automate this process:
Juicy Potato
Juicy Potato
is an improved version of RottenPotatoNG
and its usage is recommended.
As stated above, the specification of service CLSID
is required by Juicy Potato
. A list of services' CLSID
that can be leveraged for privilege escalation is available on the tool GitHub repository: https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
Rotten Potato x64 w/ Metasploit
On unpatched systems, RottenPotato
can be used in combination with the Metasploit
meterpreter
's