
Windows Workstation Privesc

Check user groups and privileges

whoami
whoami /all
whoami /priv
whoami /groups
net user <username>   (details of one specific account)

Cached credentials

- mimikatz

Check running processes, paying attention to those running as admin

- tasklist /V
- Most application-level exploits boil down to the same misconfigurations seen elsewhere (weak folder permissions, unquoted service paths, etc.)

Open ports

  • netstat -an
    • Ports listening only on localhost
    • Ports not seen in the nmap scan (filtered by the firewall) but open locally

Installed programs/applications

  • List applications installed by the Windows Installer
    • wmic product get name, version, vendor
    • Note: this query is slow and makes Windows Installer run a consistency check (and possibly a repair) of every MSI package on the box

Insecure Services

  • Service DACL grants AllAccess (or change-config plus Start) to our user
    • Change binpath
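As an added, read-only audit helper (not part of the original notes), the PowerShell function below flags the two service weaknesses referred to above: an unquoted binary path containing a space, and a binary directory that a broad group can write to. The function name Find-WeakServiceConfig and the list of groups treated as "broad" are assumptions of this example.

```powershell
# Added audit helper, not part of the original notes. Read-only: it reports
# services whose configuration matches the two weaknesses above and changes nothing.
function Find-WeakServiceConfig {
    # Principals whose write access on a service binary's directory counts as a finding (assumed list)
    $broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $writeMask   = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }

        # Finding 1: unquoted ImagePath with a space before the .exe. The service
        # controller then tries C:\Program.exe, C:\Program Files\Some.exe, ... first.
        if ($path -notmatch '^"' -and $path -match '^(.*?\.exe)' -and $Matches[1] -match ' ') {
            [pscustomobject]@{ Service = $svc.Name; StartMode = $svc.StartMode; RunsAs = $svc.StartName
                               Finding = 'UnquotedPath'; Detail = $path }
        }

        # Finding 2: a broad group may write in the directory that holds the service binary.
        $exe = if ($path -match '^"([^"]+)"') { $Matches[1] } elseif ($path -match '^(.*?\.exe)') { $Matches[1] }
        if (-not $exe) { continue }
        $dir = Split-Path -Path $exe -Parent
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadGroups -notcontains $ace.IdentityReference.Value) { continue }
            # Generic/undefined access masks still cast to int, so compare as integers
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
            [pscustomobject]@{ Service = $svc.Name; StartMode = $svc.StartMode; RunsAs = $svc.StartName
                               Finding = 'WritableBinaryDir'
                               Detail  = "$($ace.IdentityReference) has $($ace.FileSystemRights) on $dir" }
        }
    }
}

# Typical use on a workstation: list every finding, grouped by start mode
Find-WeakServiceConfig | Sort-Object StartMode, Service | Format-Table -AutoSize
```

Services that run as LocalSystem with an Auto start mode are the ones to fix first; the same output doubles as a hardening checklist (quote the path, tighten the directory ACL).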

Startup Apps/autorun

See: Startup Apps See: [Auto]

Important if we can reboot the box

Privilege Abuse

See: Privilege Abuse

  • SeLoadDriverPrivilege
  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
    • https://hackinparis.com/data/slides/2019/talks/HIP2019-Andrea_Pierini-Whoami_Priv_Show_Me_Your_Privileges_And_I_Will_Lead_You_To_System.pdf
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

Article on exploiting privileges: https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/

Always Install Elevated

See Always Install Elevated

  • Both keys must be set to 1 for the policy to apply; check each hive with the matching query
    • HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
      • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    • HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
      • reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
  • Create msi reverse shell and execute it
    • msiexec /qn /i shell.msi

Abuse GUI Program running as admin

  • Inside the application, use its open-file dialog on: file://c:/windows/system32/cmd.exe
    • Can yield a command prompt running with the application's (admin) token

Look for exploits for 3rd party drivers

Enumerate drivers
  driverquery /v

Enumerate drivers as objects (PowerShell; note the CSV header is "Display Name" with a space)
  driverquery.exe /v /fo csv | ConvertFrom-Csv | Select-Object 'Display Name', 'Start Mode', 'Path'

Enumerate driver versions (filter on the vendor of interest)
  Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Search the registry for keys and values that contain "password"

(winlogon can hold a DefaultPassword for autologon; PuTTY session keys can hold saved proxy passwords)

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\software\microsoft\windows nt\currentversion\winlogon"
reg query "HKCU\software\simontatham\putty\sessions" /s
reg query HKLM\System\ControlSet001\Control\CurrentPass
reg query HKLM\System\ControlSet002\Control\CurrentPass
reg query HKLM\System\CurrentControlSet\Control\CurrentPass

Scheduled Tasks

schtasks /query /fo LIST /v