Windows Privilege Escalation
Topics
Introduction to the Windows Shells
Windows Permissions
Reverse Shells in Windows
SeImpersonatePrivilege Exploitation
On Cross Compilation
Windows Services
Weak Service Permissions
Unquoted Service Path
DLL Hijacking
Always Install Elevated
Files with Sensitive Data
Windows Hashes
Stored Credentials and the Windows Vault
Scheduled Task
Critical Registry Paths
Useful Tools
AMSI Bypass
MS Windows and Privilege Escalation
Microsoft Windows OS
Microsoft Windows is a proprietary operating system developed by Microsoft Corporation. Unlike open-source operating systems such as Linux, the source code for Windows is not publicly accessible, and modifications to its core components are restricted to Microsoft. This closed-source model ensures that Microsoft maintains full control over its development, updates, and security measures.
Windows has been the dominant operating system for personal computers since its initial release in 1985. Its user-friendly graphical interface, compatibility with a wide range of hardware, and extensive software ecosystem have contributed to its widespread adoption. Windows is designed for a variety of devices, including desktops, laptops, tablets, and servers, offering versatility across different use cases.
One of the standout features of Windows is its integration with enterprise environments. It includes tools like Active Directory for centralized user and device management, Group Policy for configuration enforcement, and PowerShell for automation and scripting. These features make Windows particularly appealing to businesses and IT professionals.
Despite these advantages, Windows is frequently criticized for its security vulnerabilities, partly because its market share makes it the most common target for malware and cyberattacks. Microsoft addresses this through regular updates, built-in protections such as Windows Defender (now Microsoft Defender) and User Account Control, and firmware-level mechanisms such as Secure Boot.
Microsoft DOS History
1981 MS-DOS 1.0 was released August, 1981.
1982 MS-DOS 1.25 was released August, 1982.
1983 MS-DOS 2.0 was released March, 1983.
1984 Microsoft introduces MS-DOS 3.0 for the IBM PC AT and MS-DOS 3.1 for networks.
1986 MS-DOS 3.2 was released April, 1986.
1987 MS-DOS 3.3 was released April, 1987.
1988 MS-DOS 4.0 was released July, 1988.
1988 MS-DOS 4.01 was released November, 1988.
1991 MS-DOS 5.0 was released June, 1991.
1993 MS-DOS 6.0 was released March, 1993.
1993 MS-DOS 6.2 was released November, 1993.
1994 MS-DOS 6.21 was released March, 1994.
1994 MS-DOS 6.22 was released April, 1994.
Microsoft Windows History
1985 Windows 1.0
1990 Windows 3.0
1993 Windows NT 3.1
1995 Windows 95
2001 Windows XP
2006 Windows Vista
2009 Windows 7
2012 Windows 8
2015 Windows 10
2021 Windows 11
Privilege Escalation
Privilege escalation is a critical concept in cybersecurity that involves obtaining higher levels of access or privileges than those initially granted. It is often exploited by attackers to gain unauthorized control over a system, allowing them to perform actions that are typically restricted, such as accessing sensitive data, modifying system configurations, or executing arbitrary code.
Privilege escalation can be categorized into two main types:
Vertical Privilege Escalation
In vertical privilege escalation (also called privilege elevation), an attacker gains higher-level permissions, for example moving from a standard user account to an Administrator, SYSTEM or root account. This usually gives the attacker full control over the system. Common techniques include exploiting unpatched vulnerabilities, abusing misconfigurations, and stealing credentials.
Horizontal Privilege Escalation
Horizontal privilege escalation means gaining access to another user's account at a similar privilege level. For instance, an attacker might use stolen credentials or session hijacking to impersonate another user and reach sensitive information or functions tied to that account.
Hardening OS
It is essential to harden systems by auditing them regularly against recognized checklists and frameworks such as the CIS Benchmarks and the DISA STIGs, to confirm that they follow security best practices. The process should include validating system configurations, enforcing least-privilege access controls, running continuous vulnerability assessments, and applying security patches. Organizations should also use automated tools to streamline compliance checks and integrate threat-detection mechanisms so that risks are identified and addressed early.
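As an added example (not code from the original page, and not part of any of the frameworks named above), the following read-only PowerShell script audits two of the misconfigurations covered later in these notes: the AlwaysInstallElevated policy and unquoted service paths. For each unquoted path it lists the alternative binaries the service control manager would try first and probes whether the current user can write into the directory that would hold them. The function names and the write-probe approach are this example's own choices.

```powershell
# Added example: read-only audit of two privilege-escalation misconfigurations
# covered in these notes. Run in a normal (non-elevated) PowerShell session.
# Function names and the write-probe technique are this example's own choices.

function Test-AlwaysInstallElevated {
    # The policy only applies when the DWORD is 1 under BOTH hives; then any
    # user can install an MSI package with SYSTEM privileges.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $enabled = 0
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($null -ne $item -and [int]$item.AlwaysInstallElevated -eq 1) { $enabled++ }
    }
    return ($enabled -eq 2)
}

function Test-DirectoryWritable {
    # Probe write access by creating and removing a randomly named empty file.
    # ACL inspection would also work; an actual write is the least ambiguous test.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    # For the unquoted path  C:\Program Files\My App\svc.exe  the service control
    # manager tries C:\Program.exe, then "C:\Program Files\My.exe", before the
    # real binary. A user who can write to one of those directories can run code
    # as the service account, which is usually LocalSystem.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notlike '"*' } |
        ForEach-Object {
            $svc = $_
            # Keep only the command line up to the executable name so that
            # arguments after it (e.g. "-k netsvcs") do not cause false positives.
            # Heuristic: assumes the binary ends in .exe.
            $exe = ($svc.PathName -split '\.exe', 2)[0] + '.exe'
            if ($exe -notmatch ' ' -or $exe -like "$env:SystemRoot\*") { return }

            $parts = $exe -split ' '
            $candidates = @(for ($i = 1; $i -lt $parts.Count; $i++) {
                ($parts[0..($i - 1)] -join ' ') + '.exe'
            })
            $writable = $candidates |
                ForEach-Object { Split-Path -Path $_ -Parent } |
                Select-Object -Unique |
                Where-Object { Test-DirectoryWritable -Directory $_ }

            [pscustomobject]@{
                Service             = $svc.Name
                StartMode           = $svc.StartMode
                RunsAs              = $svc.StartName
                PathName            = $svc.PathName
                HijackCandidates    = $candidates
                WritableDirectories = @($writable)
            }
        }
}

# --- Report -----------------------------------------------------------------
if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is 1 in HKLM and HKCU: any user can install an MSI as SYSTEM.'
} else {
    Write-Host 'AlwaysInstallElevated: not enabled.'
}

$findings = @(Get-UnquotedServicePath)
Write-Host "Unquoted service paths containing spaces: $($findings.Count)"
$findings | Format-List Service, StartMode, RunsAs, PathName, HijackCandidates, WritableDirectories
```

A finding is only exploitable when a writable directory appears in WritableDirectories and the service runs as a privileged account and can be restarted (or the machine rebooted). Remediation needs administrative rights: wrap the service's ImagePath in quotes (for example with `sc.exe config <name> binPath=` and a quoted path) and set both AlwaysInstallElevated values to 0, preferably through Group Policy so the setting does not drift. The write probe creates and deletes a file, so expect it to show up in file-creation telemetry on monitored hosts.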
Windows Hardening - HackTricks
Hardening Security Frameworks:
Lab Environment
QuickEmu
Quickemu is a wrapper for the excellent QEMU that automatically "does the right thing" when creating virtual machines. No requirement for exhaustive configuration options. You decide what operating system you want to run and Quickemu takes care of the rest 🤖
Steps
Windows Setup
Using Quickemu
Labs and Practices
Background Information
Windows Fundamentals Module 🏠 THM Room
Intro To Offensive Security 🏠 THM Room
Pentesting Fundamentals 🏠 THM Room
eJPTv2 Ine Full Course 🗒️ eJPTv2 Notes
Concepts and Practice
Post Exploitation Basics 🏠 THM Room
Sudo Security Bypass 🏠 THM Room
Windows Privilege Escalation 🗒️ Hackersploit Article
Windows Privesc Arena 🏠 THM Room
Windows Privesc 🏠 THM Room
Bypass UAC 🏠 THM Room
Post-Exploitation Basics 🏠 THM Room
Resources
Windows Privilege Escalation Methodology - Cheatsheet (Hexdump)
Cheatsheet
