Windows Privilege Escalation

Topics

1. Introduction to the Windows Shells

2. Windows Permissions

3. Reverse Shells in Windows

4. SeImpersonatePrivilege Exploitation

5. On Cross Compilation

6. Windows Services

7. Weak Service Permissions

8. Unquoted Service Path

9. DLL Hijacking

10. Always Install Elevated

11. Files with Sensitive Data

12. Windows Hashes

13. Stored Credentials and the Windows Vault

14. Scheduled Task

15. Critical Registry Paths

16. Useful Tools

17. AMSI Bypass

MS Windows and Privilege Escalation

Microsoft Windows OS

Microsoft Windows is a proprietary operating system developed by Microsoft Corporation. Unlike open-source operating systems such as Linux, the source code for Windows is not publicly accessible, and modifications to its core components are restricted to Microsoft. This closed-source model ensures that Microsoft maintains full control over its development, updates, and security measures.

Windows has been the dominant operating system for personal computers since its initial release in 1985. Its user-friendly graphical interface, compatibility with a wide range of hardware, and extensive software ecosystem have contributed to its widespread adoption. Windows is designed for a variety of devices, including desktops, laptops, tablets, and servers, offering versatility across different use cases.

One of the standout features of Windows is its integration with enterprise environments. It includes tools like Active Directory for centralized user and device management, Group Policy for configuration enforcement, and PowerShell for automation and scripting. These features make Windows particularly appealing to businesses and IT professionals.

Despite its advantages, Windows is sometimes criticized for its security vulnerabilities, given its popularity as a target for malware and cyberattacks. Microsoft addresses these concerns through regular updates, enhanced built-in security features like Windows Defender, and the implementation of secure boot mechanisms.

Microsoft DOS History

• 1981 MS-DOS 1.0 was released August, 1981.

• 1982 MS-DOS 1.25 was released August, 1982.

• 1983 MS-DOS 2.0 was released March, 1983.

• 1984 Microsoft introduces MS-DOS 3.0 for the IBM PC AT and MS-DOS 3.1 for networks.

• 1986 MS-DOS 3.2 was released April, 1986. 1987 MS-DOS 3.3 was released April, 1987.

• 1988 MS-DOS 4.0 was released July, 1988. 1988 MS-DOS 4.01 was released November, 1988.

• 1991 MS-DOS 5.0 was released June, 1991.

• 1993 MS-DOS 6.0 was released August, 1993.

• 1993 MS-DOS 6.2 was released November, 1993.

• 1994 MS-DOS 6.21 was released March, 1994.

• 1994 MS-DOS 6.22 was released April, 1994.

Microsoft Windows History

• 1985 Windows 1.0

• 1990 Windows 3.0

• 1993 Windows NT

• 1995 Windows 95

• 2001 Windows XP

• 2006 Windows Vista

• 2009 Windows 7

• 2012 Windows 8

• 2014 Windows 10

• 2021 Windows 11

Privilege Escalation

Privilege escalation is a critical concept in cybersecurity that involves obtaining higher levels of access or privileges than those initially granted. It is often exploited by attackers to gain unauthorized control over a system, allowing them to perform actions that are typically restricted, such as accessing sensitive data, modifying system configurations, or executing arbitrary code.

Privilege escalation can be categorized into two main types:

1. Vertical Privilege Escalation In vertical privilege escalation (or privilege elevation), an attacker gains access to higher-level permissions, such as escalating from a standard user account to an administrator or root account. This often provides the attacker full control over the system. Techniques to achieve this include exploiting unpatched vulnerabilities, abusing misconfigurations, or leveraging credential theft.

2. Horizontal Privilege Escalation Horizontal privilege escalation involves gaining access to another user's account with similar privilege levels. For instance, an attacker might use stolen credentials or session hijacking techniques to impersonate another user, potentially accessing sensitive information or functions tied to that account.

Hardening OS

It is essential to harden systems by conducting regular audits using market-recognized checklists and frameworks, such as CIS, STIG Benchmarks, to ensure compliance with security best practices. This process should include the validation of system configurations, the implementation of least privilege access controls, continuous vulnerability assessments, and the application of security patches. Additionally, organizations should adopt automated tools to streamline compliance checks and integrate threat detection mechanisms to identify and respond to potential risks proactively.

Windows Hardening - HackTricks

Hardening Security Frameworks:

• CIS Benchmark
• STIG Benchmark

Lab Environment

​QuickEmu​

GitHub - quickemu-project/quickemu: Quickly create and run optimised Windows, macOS and Linux virtual machinesGitHub

https://github.com/quickemu-project/quickemu

Quickemu is a wrapper for the excellent QEMU that automatically "does the right thing" when creating virtual machines. No requirement for exhaustive configuration options. You decide what operating system you want to run and Quickemu takes care of the rest 🤖

Steps

• Installation 💾
• Create Linux virtual machines 🐧
• Create macOS virtual machines 🍏
• Create Windows virtual machines 🪟
• Advanced quickemu configuration 🔧

Windows Setup

Using Quickemu

quickget windows 11
quickemu --vm windows-11.conf --display spice

Labs and Practices

Background Information

• Windows Fundamentals Module 🏠 THM Room
• Intro To Offensive Security 🏠 THM Room
• Pentesting Fundamentals 🏠 THM Room
• eJPTv2 Ine Full Course 🗒️ eJPTv2 Notes

Concepts and Pratice

• Post Exploitation Basics 🏠 THM Room
• Sudo Security Bypass 🏠 THM Room
• Windows Privilege Escalation 🗒️ Hackersploit Article
• Windows Privesc Arena 🏠 THM Room
• Windows Privesc 🏠 THM Room
• Bypass UAC 🏠 THM Room
• Post-Exploitation Basics 🏠 THM Room

Resources

• Windows Privilege Escalation - Hexdump (YT) - EN 🇬🇧
• Windows Privilege Escalation for beginners - TCM (YT) - EN 🇬🇧
• Windows Privilege Escalation - HackTricks Blog
• GTFOBins
• Windows Privilege Escalation Methodology - Cheatsheet (Hexdump)

Cheatsheet

• 🗒️ My Cheatsheet
• 🗒️ Hexdump Cheatsheet