As a penetration tester, it is essential to have a strong understanding of Windows privilege escalation. The process of escalating privileges allows a user or attacker to gain additional permissions on a system, enabling them to perform actions they would not typically have the authority to perform. In this guide, we will explore the various methods of Windows privilege escalation, including manual enumeration techniques and the use of tools. We will also discuss kernel exploits, which are a common method of gaining elevated privileges on a Windows system.
Section 1: Initial Enumeration
Before attempting to escalate privileges on a Windows system, it is necessary to conduct initial enumeration to gather information about the system. This information can include system details, user accounts, network information, and firewall settings.
1.1 System Enumeration
The first step in the enumeration process is to gather information about the system, including the operating system, system type, and hostname. This information can be obtained by running the following commands in the command prompt:
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
hostname
Additional system information can be obtained by running the following command:
wmic qfe
This command provides details about installed software updates on the system.
To obtain information about the logical disks on the system, run the following command:
wmic logicaldisk
wmic logicaldisk get caption,description,providername
1.2 User Enumeration
To escalate privileges on a Windows system, it is essential to have information about the user accounts on the system. User enumeration can be conducted by running the following commands:
whoami /priv
whoami /groups
net user
net user user1
net localgroup administrators
These commands provide information about the privileges, groups, and user accounts on the system.
1.3 Network Enumeration
Understanding the network configuration of the target system is crucial for conducting successful privilege escalation. Network enumeration can be conducted by running the following commands:
ipconfig
ipconfig /all
arp -a
route print
netstat -ano
These commands provide information about IP addresses, routes, active connections, and network interfaces on the system.
1.4 Password Hunting
Finding passwords or password hashes on a Windows system is an essential part of privilege escalation. Password hunting can be conducted by running the following commands:
findstr /si password *.txt *.ini *.config
findstr /spin "password" *.*
The first command searches text, INI and config files in the current directory for the string "password"; the second searches every file under the current directory tree (/s), case-insensitively (/i), printing line numbers (/n) and skipping binary files (/p).
1.5 Firewall and Antivirus
Firewalls and antivirus software can prevent or limit privilege escalation attempts. The following commands provide information about the firewall and antivirus settings on the system:
sc query windefend
sc queryex type= service
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config
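The facts Section 1 enumerates (OS build, patch level, local administrators, listening sockets, Defender and firewall state) are the same facts a defender wants in a host baseline, because a privilege escalation typically shows up as drift in them: a new local administrator, a new listener, a disabled firewall profile. The following PowerShell script is an added example, not code from the original post; it collects those facts with the built-in cmdlets, writes them to a JSON baseline on the first run, and on later runs reports what changed. It assumes Windows PowerShell 5.1 or later with the LocalAccounts, NetTCPIP, NetSecurity and Defender modules, and the baseline file location is an assumption of the example.

```powershell
# Added example (not from the original post): collect the facts Section 1 enumerates
# into one object, save it as a baseline, and diff later runs against it.
# Assumes Windows PowerShell 5.1+ with the LocalAccounts, NetTCPIP, NetSecurity and
# Defender modules (present on supported Windows 10/11 and Server builds).

function Get-HostBaseline {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Most recent update, the same data 'wmic qfe' shows; InstalledOn can be empty.
    $lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending | Select-Object -First 1
    $lastId   = 'none'
    $patchAge = -1
    if ($lastPatch) {
        $lastId   = $lastPatch.HotFixID
        $patchAge = [int]((Get-Date) - $lastPatch.InstalledOn).TotalDays
    }

    # Defender real-time status ('sc query windefend' equivalent); the module may be absent.
    $rtAv = 'unknown'
    try { $rtAv = (Get-MpComputerStatus -ErrorAction Stop).RealTimeProtectionEnabled } catch { }

    [PSCustomObject]@{
        Hostname       = $env:COMPUTERNAME
        OS             = "$($os.Caption) $($os.Version) ($($os.OSArchitecture))"
        LastHotFix     = $lastId
        DaysSincePatch = $patchAge
        # Members of the local Administrators group ('net localgroup administrators').
        LocalAdmins    = @(Get-LocalGroupMember -Group 'Administrators' |
                           ForEach-Object { $_.Name } | Sort-Object)
        # Listening TCP sockets ('netstat -ano' restricted to LISTENING).
        ListeningPorts = @(Get-NetTCPConnection -State Listen |
                           ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" } |
                           Sort-Object -Unique)
        RealTimeAV     = $rtAv
        # Firewall profiles that are switched off ('netsh advfirewall' data).
        FirewallOff    = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
                           ForEach-Object { $_.Name })
    }
}

function Compare-HostBaseline {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    # Report only additions: a removed listener or admin is rarely the escalation signal.
    [PSCustomObject]@{
        NewLocalAdmins    = @($After.LocalAdmins    | Where-Object { $Before.LocalAdmins    -notcontains $_ })
        NewListeningPorts = @($After.ListeningPorts | Where-Object { $Before.ListeningPorts -notcontains $_ })
        PatchAgeDays      = $After.DaysSincePatch
        FirewallDisabled  = $After.FirewallOff
        RealTimeAV        = $After.RealTimeAV
    }
}

# First run stores the baseline; later runs report drift. The path is an assumed location.
$baselinePath = Join-Path $env:ProgramData 'host-baseline.json'
if (-not (Test-Path -LiteralPath $baselinePath)) {
    Get-HostBaseline | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $baselinePath
    Write-Output "Baseline written to $baselinePath"
} else {
    $before = Get-Content -LiteralPath $baselinePath -Raw | ConvertFrom-Json
    Compare-HostBaseline -Before $before -After (Get-HostBaseline) | Format-List
}
```

Run it once from an elevated prompt to write the baseline, then schedule it; PatchAgeDays is the number to watch for the kernel-exploit class of escalation in Section 2.3, since those exploits target vulnerabilities that a current patch level closes.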
Section 2: Escalation Types
There are several methods of escalating privileges on a Windows system, including registry escalation, DLL hijacking, and kernel exploits.
2.1 Registry Escalation
Registry escalation is a method of privilege escalation that involves modifying the Windows registry to gain elevated privileges. To accomplish this, you can find an entry in the registry that runs automatically with elevated privileges and modify it to run a malicious program that provides a reverse shell.
To perform registry escalation, download the Sysinternals Autoruns and AccessChk tools into the lab environment and follow these steps:
- Open the command prompt and type: C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe
- In Autoruns, click on the 'Logon' tab.
- From the listed results, notice the entry pointing to "C:\Program Files\Autorun Program\program.exe".
- In the command prompt, type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"
- From the output, notice that the "Everyone" group has FILE_ALL_ACCESS, that is, read and write permission, on the "program.exe" file.
- Create a malicious program.exe file that can give a reverse shell and place it in "C:\Program Files\Autorun Program".
- Log off and then log back on as an administrator user to simulate the privilege escalation effect.
2.2 DLL Hijacking
DLL hijacking is a method of privilege escalation that involves getting a privileged application to load a malicious DLL in place of a legitimate one. To accomplish this, you need to find an application that loads a DLL file without specifying the full path (so Windows searches the application's own directory and the PATH for it) and place a malicious DLL file in a writable location on that search path with the same name as the legitimate DLL file.
To perform DLL hijacking, follow these steps:
- Find an application that loads a DLL file without specifying the full path.
- Place a malicious DLL file in the same directory with the same name as the legitimate DLL file.
- Restart the application to load the malicious DLL file.
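Sections 2.1 and 2.2 rely on the same underlying weakness: a file or directory on a trusted load path (an autostart executable, its folder, or a directory on PATH) that a low-privileged principal can write to. The defender's check is therefore the same for both, and the following PowerShell script is an added example, not code from the original post or from Sysinternals, that performs it: it reads the HKLM Run and RunOnce autostart entries, resolves each command to its executable, and reports any ACE that grants write-type rights on the executable, its directory, or any PATH directory to Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE. The principal list, the executable-path extraction heuristic and the choice of registry keys are assumptions of the example; it needs Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original post): audit autostart executables and PATH
# directories for write access granted to low-privileged principals. The principal
# list, the Run-key selection and the path-extraction heuristic are assumptions.

$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these bits lets the holder replace or alter the object (FullControl,
# Modify and Write all include WriteData/AppendData, so they are caught too).
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-WeakAcl {
    param([string]$Path, [string]$Source)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights on inherit-only ACEs are not decoded here; they do not apply
        # to the object itself, only to children created under it.
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            [PSCustomObject]@{
                Source    = $Source
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

function Get-AutostartTargets {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            # Quoted path first; otherwise the shortest prefix ending in .exe, which
            # also recovers unquoted paths that contain spaces.
            if     ($cmd -match '^\s*"([^"]+)"')   { $exe = $Matches[1] }
            elseif ($cmd -match '^\s*(.+?\.exe)')  { $exe = $Matches[1] }
            else   { $exe = ($cmd -split '\s+')[0] }
            [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $cmd; Executable = $exe }
        }
    }
}

function Invoke-AutostartAclAudit {
    foreach ($t in Get-AutostartTargets) {
        if (-not $t.Executable) { continue }
        $source = "$($t.Key)\$($t.Name)"
        $parent = Split-Path -LiteralPath $t.Executable -Parent
        foreach ($path in @($t.Executable, $parent)) {
            if ($path -and (Test-Path -LiteralPath $path)) {
                Test-WeakAcl -Path $path -Source $source
            }
        }
    }
    # Directories on PATH are searched for DLLs loaded without a full path.
    foreach ($dir in ($env:Path -split ';' | Where-Object { $_ })) {
        if (Test-Path -LiteralPath $dir) { Test-WeakAcl -Path $dir -Source 'PATH' }
    }
}

Invoke-AutostartAclAudit | Format-Table Source, Path, Principal, Rights -AutoSize
```

An empty table is the expected result on a correctly configured host. Each row is a finding to remediate by removing the write-type ACE (or moving the program under a directory that inherits the default Program Files permissions); in the lab from Section 2.1, the row for "C:\Program Files\Autorun Program\program.exe" with principal Everyone is the condition the accesschk step reveals.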
2.3 Kernel Exploits
Kernel exploits are a common method of gaining elevated privileges on a Windows system. These exploits take advantage of vulnerabilities in the Windows kernel to execute arbitrary code with elevated privileges.
To use a kernel exploit, follow these steps:
- Obtain a foothold on the target system.
- Run the Metasploit module post/multi/recon/local_exploit_suggester against the session to check for applicable exploits.
- Run the selected exploit to gain elevated privileges.
TL;DR
Windows privilege escalation is a critical skill for penetration testers. By using manual enumeration techniques and tools, testers can gather information about the system, user accounts, and network configuration to identify vulnerabilities and escalate privileges. Kernel exploits are a common method of gaining elevated privileges on a Windows system and should be included in any penetration testing methodology.
Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems, and provide recommendations to remediate them.
Join us on our journey of growth and development by signing up for our comprehensive courses.