HackTricks

HT Training HT Cloud HT Tools Sponsor Linkedin X

≡

HT Training Cloud HT HT Tools Sponsor Linkedin X

Translations ▾

Afrikaans Chinese English French German Greek Hindi Italian Japanese Korean Polish Portuguese Serbian Spanish Swahili Turkish Ukrainian

📚

☀

☾

<<

Checklist - Local Windows Privilege Escalation

Tip

Nauči i vežbaj AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Nauči i vežbaj GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Nauči i vežbaj Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE) Pregledaj kompletan HackTricks Training katalog za assessment tracks (ARTA/GRTA/AzRTA) i Linux Hacking Expert (LHE).

Podrži HackTricks

Pogledaj pretplatničke planove!

Pridruži se 💬 Discord grupi, telegram grupi, prati @hacktricks_live na X/Twitter, ili pogledaj LinkedIn stranicu i YouTube kanal.

Deli hacking trikove slanjem PR-ova u HackTricks i HackTricks Cloud github repozitorijume.

Najbolji alat za traženje Windows lokalnih privilege escalation vektora: WinPEAS

System Info

Pribavi System information
Pretraži kernel exploits using scripts
Koristi Google za pretragu kernel exploits
Koristi searchsploit za pretragu kernel exploits
Zanimljive informacije u env vars?
Lozinke u PowerShell history?
Zanimljive informacije u Internet settings?
Drives?
WSUS exploit?
Third-party agent auto-updaters / IPC abuse
AlwaysInstallElevated?

Logging/AV enumeration

Proveri podešavanja Audit i WEF
Proveri LAPS
Proveri da li je WDigest aktivan
LSA Protection?
Credentials Guard?
Cached Credentials?
Proveri da li postoji bilo koji AV
AppLocker Policy?
UAC
Admin Protection / UIAccess silent elevation?
Secure Desktop accessibility registry propagation (RegPwn)?
User Privileges
Proveri current user privileges
Da li si member of any privileged group?
Proveri da li imaš aktivirane bilo koje od ovih tokena: SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege ?
Proveri da li imaš SeManageVolumePrivilege za čitanje raw volumena i zaobilaženje file ACLs
Users Sessions?
Proveri users homes (pristup?)
Proveri Password Policy
Šta je inside the Clipboard?

Network

Proveri current network information
Proveri hidden local services ograničene na spoljašnji pristup

Running Processes

Binarni fajlovi procesa file and folders permissions
Memory Password mining
Insecure GUI apps
Ukradi kredencijale iz interesting processes preko ProcDump.exe ? (firefox, chrome, etc …)

Services

Možeš li da modify any service?
Možeš li da modify binary koji izvršava bilo koji service?
Možeš li da modify registry bilo kog service?
Možeš li da iskoristiš bilo koji unquoted service binary path?
Service Triggers: enumeriraj i okini privilegovane servise

Applications

Write permissions on installed applications
Startup Applications
Vulnerable Drivers

DLL Hijacking

Možeš li da write in any folder inside PATH?
Da li postoji neki poznat service binary koji tries to load any non-existant DLL?
Možeš li da write u bilo koji binaries folder?

Network

Enumeriraj mrežu (shares, interfaces, routes, neighbours, …)
Obrati posebnu pažnju na mrežne servise koji slušaju na localhost (127.0.0.1)

Windows Credentials

Winlogon kredencijali
Windows Vault kredencijali koje možeš da iskoristiš?
Zanimljivi DPAPI credentials?
Lozinke sačuvanih Wifi networks?
Zanimljive informacije u saved RDP Connections?
Lozinke u recently run commands?
Lozinke u Remote Desktop Credentials Manager?
Postoji AppCmd.exe? Kredencijali?
SCClient.exe? DLL Side Loading?

Files and Registry (Credentials)

Putty: Creds i SSH host keys
SSH keys in registry?
Lozinke u unattended files?
Bilo koji backup SAM & SYSTEM?
Ako je prisutan SeManageVolumePrivilege, pokušaj raw-volume čitanje za SAM, SYSTEM, DPAPI materijal i MachineKeys
Cloud credentials?
Fajl McAfee SiteList.xml?
Cached GPP Password?
Lozinka u IIS Web config file?
Zanimljive informacije u web logs?
Da li želiš da od korisnika ask for credentials?
Zanimljivi files inside the Recycle Bin?
Drugi registry containing credentials?
Unutar Browser data (dbs, history, bookmarks, …)?
Generic password search u fajlovima i registry
Tools za automatsko traženje lozinki

Leaked Handlers

Imaš li pristup bilo kom handleru procesa koji je pokrenuo administrator?

Pipe Client Impersonation

Proveri da li možeš da ga zloupotrebiš

References

Project Zero - Bypassing Administrator Protection by Abusing UI Access
MDSec - RIP RegPwn

Tip

Nauči i vežbaj AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Nauči i vežbaj GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Nauči i vežbaj Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE) Pregledaj kompletan HackTricks Training katalog za assessment tracks (ARTA/GRTA/AzRTA) i Linux Hacking Expert (LHE).

Podrži HackTricks

Pogledaj pretplatničke planove!

Pridruži se 💬 Discord grupi, telegram grupi, prati @hacktricks_live na X/Twitter, ili pogledaj LinkedIn stranicu i YouTube kanal.

Deli hacking trikove slanjem PR-ova u HackTricks i HackTricks Cloud github repozitorijume.