Kontrolelys - Plaaslike Windows Privilege Escalation

Tip

Leer & oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Leer & oefen Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE) Blaai deur die volledige HackTricks Training-katalogus vir die assesseringsroetes (ARTA/GRTA/AzRTA) en Linux Hacking Expert (LHE).

Ondersteun HackTricks

• Kyk na die intekenplanne!
• Sluit aan by die 💬 Discord-groep, die telegram-groep, volg @hacktricks_live op X/Twitter, of kyk na die LinkedIn-bladsy en YouTube-kanaal.
• Deel hacking tricks deur PRs in te stuur na die HackTricks en HackTricks Cloud github repos.

Beste tool om te kyk vir Windows local privilege escalation vectors: WinPEAS

System Info

• Verkry System information
• Soek vir kernel exploits using scripts
• Gebruik Google to search vir kernel exploits
• Gebruik searchsploit to search vir kernel exploits
• Interessante info in env vars?
• Wachtwoorde in PowerShell history?
• Interessante info in Internet settings?
• Drives?
• WSUS exploit?
• Third-party agent auto-updaters / IPC abuse
• AlwaysInstallElevated?

Logging/AV enumeration

• Gaan Audit en WEF instellings na
• Gaan LAPS na
• Gaan na of WDigest aktief is
• LSA Protection?
• Credentials Guard?
• Cached Credentials?
• Gaan na of enige AV
• AppLocker Policy?
• UAC
• Admin Protection / UIAccess silent elevation?
• Secure Desktop accessibility registry propagation (RegPwn)?
• User Privileges
• Gaan current gebruiker se privileges na
• Is jy member of any privileged group?
• Gaan na of jy enige van hierdie tokens geaktiveer het: SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege ?
• Gaan na of jy SeManageVolumePrivilege het om raw volumes te lees en file ACLs te omseil
• Users Sessions?
• Gaan users homes na (toegang?)
• Gaan Password Policy na
• Wat is inside the Clipboard?

Network

• Gaan current network information na
• Gaan hidden local services na wat tot die buitekant beperk is

Running Processes

• Processes binaries file and folders permissions
• Memory Password mining
• Insecure GUI apps
• Steel credentials met interesting processes via ProcDump.exe ? (firefox, chrome, etc …)

Services

• Kan jy enige service modify?
• Kan jy die binary wat deur enige service executed word, modify?
• Kan jy die registry van enige service modify?
• Kan jy voordeel trek uit enige unquoted service binary path?
• Service Triggers: inventariseer en aktiveer privileged services

Applications

• Write permissions on installed applications
• Startup Applications
• Vulnerable Drivers

DLL Hijacking

• Kan jy in enige folder binne PATH write?
• Is daar enige bekende service binary wat probeer om enige nie-bestaande DLL te laai?
• Kan jy in enige binaries folder write?

Network

• Inventariseer die netwerk (shares, interfaces, routes, neighbours, …)
• Kyk veral na network services wat op localhost (127.0.0.1) luister

Windows Credentials

• Winlogon credentials
• Windows Vault credentials wat jy kan gebruik?
• Interessante DPAPI credentials?
• Wachtwoorde van gestoorde Wifi networks?
• Interessante info in saved RDP Connections?
• Wachtwoorde in recently run commands?
• Remote Desktop Credentials Manager wachtwoorde?
• AppCmd.exe exists? Credentials?
• SCClient.exe? DLL Side Loading?

Files and Registry (Credentials)

• Putty: Creds en SSH host keys
• SSH keys in registry?
• Wachtwoorde in unattended files?
• Enige SAM & SYSTEM rugsteun?
• As SeManageVolumePrivilege teenwoordig is, probeer raw-volume reads vir SAM, SYSTEM, DPAPI material, en MachineKeys
• Cloud credentials?
• McAfee SiteList.xml file?
• Cached GPP Password?
• Wachtwoord in IIS Web config file?
• Interessante info in web logs?
• Wil jy die gebruiker ask for credentials?
• Interessante files inside the Recycle Bin?
• Ander registry containing credentials?
• Binne Browser data (dbs, history, bookmarks, …)?
• Generic password search in files and registry
• Tools om outomaties na wachtwoorde te soek

Leaked Handlers

• Het jy toegang tot enige handler van ’n proses wat deur administrator uitgevoer word?

Pipe Client Impersonation

• Gaan na of jy dit kan abuse

References

• Project Zero - Bypassing Administrator Protection by Abusing UI Access
• MDSec - RIP RegPwn

Tip

Leer & oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Leer & oefen Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE) Blaai deur die volledige HackTricks Training-katalogus vir die assesseringsroetes (ARTA/GRTA/AzRTA) en Linux Hacking Expert (LHE).

Ondersteun HackTricks

• Kyk na die intekenplanne!
• Sluit aan by die 💬 Discord-groep, die telegram-groep, volg @hacktricks_live op X/Twitter, of kyk na die LinkedIn-bladsy en YouTube-kanaal.
• Deel hacking tricks deur PRs in te stuur na die HackTricks en HackTricks Cloud github repos.