Windows Privilege Escalation

Tools

• • Windows Exploit Suggester

    • [Blogpost] https://blog.gdssecurity.com/labs/2014/7/11/introducing-windows-exploit-suggester.html
    • This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

    Windows Privesc Check 2.0

  • PowerUp

    • Windows Privilege Escalation through Powershell

  • ElevateKit

    • The Elevate Kit demonstrates how to use third-party privilege escalation attacks with Cobalt Strike's Beacon payload.

  • kernelpop

    • kernel privilege escalation enumeration and exploitation framework
  • BeRoot
  • Pompem
    • Pompem is an open source tool, designed to automate the search for Exploits and Vulnerability in the most important databases. Developed in Python, has a system of advanced search, that help the work of pentesters and ethical hackers. In the current version, it performs searches in PacketStorm security, CXSecurity, ZeroDay, Vulners, National Vulnerability Database, WPScan Vulnerability Database
  • AccessChk
    • As a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.
  • AutoDane at BSides Cape Town
  • Auto DANE
    • Auto DANE attempts to automate the process of exploiting, pivoting and escalating privileges on windows domains.
• Misc Privilege Escalation
  • dtappgather-poc.sh
    • Exploit PoC reverse engineered from EXTREMEPARR which provides local root on Solaris 7 - 11 (x86 & SPARC). Uses a environment variable of setuid binary dtappgather to manipulate file permissions and create a user owned directory anywhere on the system (as root). Can then add a shared object to locale folder and run setuid binaries with an untrusted library file.
  • Privilege Escalation Using Keepnote
  • #AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine

MORE TOOLS

• https://github.com/shjalayeri/sysret
  1. • Sysret Local exploit
  2. Cobalt Strike
  3. http://www.bhafsec.com/wiki/index.php/Windows_Privilege_Escalation
  4. https://github.com/AlessandroZ/BeRoot
  5. https://github.com/nettitude/PoshC2
  6. https://github.com/PowerShellMafia/PowerSploit
  7. https://github.com/AusJock/Privilege-Escalation
  8. https://github.com/foxglovesec/RottenPotato
  9. https://github.com/byt3bl33d3r/DeathStar Deathstar & Empire
  10. https://github.com/byt3bl33d3r/CrackMapExec
  11. https://github.com/samratashok/nishang

Windows Privilege check

1. https://github.com/pentestmonkey/windows-privesc-check
2. https://github.com/minisllc/red-team-scripts
3. https://github.com/dzonerzy/winescalation
4. https://github.com/pentestmonkey/windows-privesc-check
5. https://github.com/brianwrf/WinSystemHelper

Guide and walkthrough

• • • Windows Privilege Escalation Fundamentals
    • Windows Privilege Escalation Methods for Pentesters
    • Common Windows Privilege Escalation Vectors
    • Windows Privilege Escalation Cheat Sheet/Tricks
  • Specific Techniques
    • Group Policy Preferences
      • Exploiting Windows 2008 Group Policy Preferences
    • Intel SYSRET
      • Windows Kernel Intel x64 SYSRET Vulnerability + Code Signing Bypass Bonus
      • Windows Kernel Intel x64 SYSRET Vulnerability Exploit + Kernel Code Signing Bypass Bonus
    • Logic
      • Introduction to Logical Privilege Escalation on Windows - James Forshaw
      • Windows Logical EoP Workbook
    • PentestLab Windows PrivEsc Writeup List
      • Hot Potato
      • Always Install Elevated
      • Unquoted Service Path
      • Token Manipulation
      • Secondary Logon Handle
      • Insecure Registry Permissions
      • Intel SYSRET
      • Weak Service Permissions
    • NTLM-related
      • Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege
      • Windows: Local WebDAV NTLM Reflection Elevation of Privilege
      • Hot Potato
        • Hot Potato
          • Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP- > SMB relay) and NBNS spoofing.
        • SmashedPotato
    • Tokens
      • Abusing Token Privileges For LPE - drone/breenmachine
      • The Art of Becoming TrustedInstaller
        • There's many ways of getting the TI token other than these 3 techniques. For example as Vincent Yiu pointed out on Twitter if you've got easy access to a system token, say using Metasploit's getsystem command you can impersonate system and then open the TI token, it's just IMO less easy :-). If you get a system token with SeTcbPrivilege you can also call LogonUserExExW or LsaLogonUser where you can specify an set of additional groups to apply to a service token. Finally if you get a system token with SeCreateTokenPrivilege (say from LSASS.exe if it's not running PPL) you can craft an arbitrary token using the NtCreateToken system call.
      • Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM - @breenmachine
      • Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege
      • Social Engineering The Windows Kernel: Finding And Exploiting Token Handling Vulnerabilities - James Forshaw
      • Social Engineering The Windows Kernel: Finding And Exploiting Token Handling Vulnerabilities - James Forshaw - BHUSA2015
        • One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token which proves our identity to the system and let's us access secured resources. The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges, or even compromise the kernel itself. This presentation is about finding and then exploiting the incorrect handling of tokens in the Windows kernel as well as first and third party drivers. Examples of serious vulnerabilities, such as CVE-2015-0002 and CVE-2015-0062 will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally, I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.
      • token_manipulation
        • Bypass User Account Control by manipulating tokens (can bypass AlwaysNotify)
      • Rotten Potato
        • Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM - foxglove security
        • Rotten Potato Privilege Escalation from Service Accounts to SYSTEM - Stephen Breen Chris Mallz - Derbycon6
        • RottenPotatoNG
          • New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.
  • Obtaining System Privileges
    • The “SYSTEM” challenge
    • Writeup of achieving system from limited user privs.
    • All roads lead to SYSTEM
    • Alternative methods of becoming SYSTEM - XPN
  • Writeups
    • Analyzing local privilege escalations in win32k
      • This paper analyzes three vulnerabilities that were found in win32k.sys that allow kernel-mode code execution. The win32k.sys driver is a major component of the GUI subsystem in the Windows operating system. These vulnerabilities have been reported by the author and patched in MS08-025. The first vulnerability is a kernel pool overflow with an old communication mechanism called the Dynamic Data Exchange (DDE) protocol. The second vulnerability involves improper use of the ProbeForWrite function within string management functions. The third vulnerability concerns how win32k handles system menu functions. Their discovery and exploitation are covered.
    • Some forum posts on Win Priv Esc
    • Post Exploitation Using netNTLM Downgrade attacks - Fishnet/Archive.org
    • Old Privilege Escalation Techniques
    • How to own any windows network with group policy hijacking attacks
    • Windows 7 ‘Startup Repair’ Authentication Bypass
    • Windows Privilege Escalation Methods for Pentesters - pentest.blog
• Talks/Videos
  • Hacking windows through the Windows API; delves into windows api, how it can break itself
  • Sedating the Watchdog Abusing Security Products to Bypass Windows Protections - Tomer Bit - BSidesSF
  • Black hat talk on Windows Privilege Escalation
  • Level Up! - Practical Windows Privilege Escalation
  • Extreme Privelege Escalataion on Windows8 UEFI Systems
    • Slides
    • Summary by stormehh from reddit: “In this whitepaper (and accompanying Defcon/Blackhat presentations), the authors demonstrate vulnerabilities in the UEFI "Runtime Service" interface accessible by a privileged userland process on Windows 8. This paper steps through the exploitation process in great detail and demonstrates the ability to obtain code execution in SMM and maintain persistence by means of overwriting SPI flash”
  • The Travelling Pentester: Diaries of the Shortest Path to Compromise
  • Windows Privilege Escalation - Riyaz Walikar