<aside> 📌 Summary
</aside>
Windows Privileges: Permissions to perform system-related local operations on Windows. Windows decides whether an operation is granted or denied through mechanisms such as SIDs, access tokens, Mandatory Integrity Control, and User Account Control (UAC).
SID: A unique value identifying a security principal (user or group). Written as S-R-X-Y: the literal prefix "S", the revision "R", the identifier authority "X", and the sub-authority values "Y", the last of which is the RID.
Access Token: Created once a user authenticates; it holds the security context (user and group SIDs, privileges) that is attached to every process the user starts. An impersonation token lets a single thread run under a different security context than its process.
Mandatory Integrity Control: Assigns integrity levels to processes and objects and blocks a lower-integrity process from writing to higher-integrity objects. Processes run at one of four levels: System, High, Medium, Low.

Figure 1: Different Integrity Levels of PowerShell
UAC: Protects the OS by running most tasks with standard user privileges. An administrative user receives two access tokens: a standard user token, used by default, and an administrator token that is only used after a UAC consent prompt for privileged operations.
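To make the S-R-X-Y structure, the S-1-16-* integrity labels and the UAC filtered token concrete, here is an added Python example (not part of these notes) that decodes SIDs and triages a captured `whoami /groups` listing. The well-known SID and RID tables are a small subset chosen for illustration, and the sample listing is constructed: it shows what an administrator's non-elevated shell looks like under UAC, with BUILTIN\Administrators present but marked "Group used for deny only" and the token at Medium integrity.

```python
"""Decode SIDs from captured Windows enumeration output such as `whoami /groups`."""
from __future__ import annotations

import re
from dataclasses import dataclass

# The "X" component of S-R-X-Y: which authority issued the SID.
IDENTIFIER_AUTHORITIES = {
    0: "Null Authority",
    1: "World Authority",
    2: "Local Authority",
    3: "Creator Authority",
    5: "NT Authority",
    16: "Mandatory Label Authority",
}

# A few well-known SIDs that appear in almost every token listing (subset for illustration).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# RIDs that are fixed inside every domain or machine SID (S-1-5-21-<a>-<b>-<c>-<RID>).
FIXED_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
              513: "Domain Users", 519: "Enterprise Admins"}

# Integrity levels carried by S-1-16-<level> labels (the four levels in the notes).
INTEGRITY_LEVELS = {4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}


@dataclass(frozen=True)
class Sid:
    revision: int                      # "R", always 1 on current Windows
    identifier_authority: int          # "X"
    sub_authorities: tuple[int, ...]   # "Y": zero or more values, the last one is the RID

    @property
    def rid(self) -> int | None:
        return self.sub_authorities[-1] if self.sub_authorities else None

    def __str__(self) -> str:
        parts = ["S", self.revision, self.identifier_authority, *self.sub_authorities]
        return "-".join(str(p) for p in parts)


def parse_sid(text: str) -> Sid:
    """Split an S-R-X-Y string into its components; raises ValueError on anything else."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)*)", text.strip())
    if m is None:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(s) for s in m.group(3).split("-") if s)
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def describe_sid(text: str) -> str:
    """Human-readable meaning of a SID, using the tables above."""
    sid = parse_sid(text)
    if str(sid) in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[str(sid)]
    if sid.identifier_authority == 16:  # an integrity label, not a group
        level = INTEGRITY_LEVELS.get(sid.rid)
        return f"{level} Mandatory Level" if level else f"Mandatory Level {sid.rid}"
    if sid.identifier_authority == 5 and sid.sub_authorities[:1] == (21,) and len(sid.sub_authorities) == 5:
        name = FIXED_RIDS.get(sid.rid)
        return f"domain RID {sid.rid}" + (f" ({name})" if name else "")
    authority = IDENTIFIER_AUTHORITIES.get(sid.identifier_authority, "unknown authority")
    return f"{authority}, RID {sid.rid}"


def triage_whoami_groups(output: str) -> dict:
    """Summarise a captured `whoami /groups` listing: the token's integrity level,
    whether it holds BUILTIN\\Administrators, and whether UAC has filtered that
    group ("Group used for deny only" marks the standard-user token of an admin)."""
    summary = {"integrity": None, "admin_member": False, "admin_filtered": False, "groups": []}
    for line in output.splitlines():
        m = re.search(r"S-1-\d+(?:-\d+)+", line)
        if m is None:
            continue  # headers, separators, blank lines
        sid_text = m.group(0)
        sid = parse_sid(sid_text)
        summary["groups"].append((sid_text, describe_sid(sid_text)))
        if sid.identifier_authority == 16:
            summary["integrity"] = INTEGRITY_LEVELS.get(sid.rid, f"level {sid.rid}")
        elif sid_text == "S-1-5-32-544":
            summary["admin_member"] = True
            summary["admin_filtered"] = "deny only" in line.lower()
    return summary


# Constructed sample: a non-elevated shell of a local administrator under UAC.
SAMPLE_WHOAMI_GROUPS = """\
GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Administrators                 Alias            S-1-5-32-544 Group used for deny only
BUILTIN\\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\\Medium Mandatory Level Label            S-1-16-8192
"""

if __name__ == "__main__":
    result = triage_whoami_groups(SAMPLE_WHOAMI_GROUPS)
    for sid_text, meaning in result["groups"]:
        print(f"{sid_text:<14} {meaning}")
    print(f"integrity={result['integrity']} admin_member={result['admin_member']} "
          f"admin_filtered={result['admin_filtered']}")
```

Reading the summary together with the integrity level is the point: an Administrators entry marked "deny only" at Medium integrity is the standard-user half of the UAC token pair, not an elevated context, which is exactly the difference Figure 1 illustrates.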
Obtain situational awareness on a compromised Windows system before attempting privilege escalation.
Essential information to gather includes username, hostname, group memberships, OS details, network info, installed apps, and running processes.
Use commands like whoami, net user, Get-LocalUser, systeminfo, ipconfig, route print, netstat, and Get-Process.
whoami /groups
Get-LocalGroup
Get-LocalGroupMember adminteam
ipconfig /all
route print
netstat -ano
Get-Process | select-object Processname, id
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Identify privileged users, potential attack vectors, installed apps, and active connections.
Summarize the gathered info to formulate actionable vectors for privilege escalation.
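As an added example (not part of these notes), the following Python script joins the `netstat -ano` and `Get-Process | select-object Processname, id` listings gathered above so that every socket is attributed to its owning process. Both sample listings are constructed; the script handles the UDP rows, which netstat prints without a State column, and PIDs that are missing from the process list. Knowing which process owns each listening port is what turns the raw netstat dump into an actionable summary, and the same join is how a defender notices an unexpected listener on a host.

```python
"""Attribute captured `netstat -ano` rows to the processes in a captured
`Get-Process | select-object Processname, id` listing from the same host."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    proto: str
    local: str
    foreign: str
    state: str        # empty for UDP, which netstat prints without a State column
    pid: int
    process: str      # "<unknown>" when the PID is absent from the process listing


def parse_process_list(text: str) -> dict[int, str]:
    """Map PID -> process name from the two-column PowerShell table."""
    pid_to_name: dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-") or line.lower().startswith("processname"):
            continue  # blank line, table header or the dashed separator
        name, pid = line.rsplit(None, 1)
        pid_to_name[int(pid)] = name
    return pid_to_name


def parse_netstat(text: str, processes: dict[int, str]) -> list[Connection]:
    """Parse `netstat -ano` rows; anything that is not a TCP/UDP row is ignored."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[0], fields[1], fields[2]
        state = fields[3] if len(fields) == 5 else ""   # UDP rows carry no state
        pid = int(fields[-1])
        rows.append(Connection(proto, local, foreign, state, pid,
                               processes.get(pid, "<unknown>")))
    return rows


def listeners(rows: list[Connection]) -> list[Connection]:
    """Sockets that accept traffic: TCP in LISTENING plus every UDP binding."""
    return [r for r in rows if r.state == "LISTENING" or r.proto == "UDP"]


def local_port(row: Connection) -> int:
    """Port from 'addr:port'; rsplit keeps IPv6 literals such as [::]:445 intact."""
    return int(row.local.rsplit(":", 1)[1])


# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       3216
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       9999
  TCP    192.168.50.220:49727   192.168.50.1:443       ESTABLISHED     1820
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1024
"""

SAMPLE_PROCESSES = """\
ProcessName        Id
-----------        --
svchost           912
mysqld           3216
powershell       1820
System              4
svchost          1024
"""


def attribute(netstat_text: str = SAMPLE_NETSTAT,
              process_text: str = SAMPLE_PROCESSES) -> list[Connection]:
    """Join the two listings into one attributed connection table."""
    return parse_netstat(netstat_text, parse_process_list(process_text))


if __name__ == "__main__":
    for row in attribute():
        print(f"{row.proto:<4} {row.local:<24} {row.state or '-':<12} {row.pid:>5} {row.process}")
```

Run it against the real captures by passing the two saved text files' contents to `attribute()`; PID 9999 in the sample shows how a listener with no matching process entry (a process that exited, or a listing taken at a different moment) is surfaced rather than silently dropped.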
Always look for files with juicy information inside:
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
runas /user:backupadmin cmd
Get-History # often cleared
(Get-PSReadlineOption).HistorySavePath # less common to be cleared
type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt