0x22bb/hacktricks
1
2
Fork 0
mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00
Code Releases Activity

GitBook: [master] 2 pages modified

Browse source
This commit is contained in:
CPol 2020-08-18 15:38:51 +00:00 committed by gitbook-bot
parent 074a808b69
commit 480e31d6bc
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 43 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
windows/checklist-windows-privilege-escalation.md
View file

@ -2,41 +2,51 @@
### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)\*\*\*\*
### [Vulnerable Kernel?](windows-local-privilege-escalation/#kernel-exploits)
### [System Info](windows-local-privilege-escalation/#system-info)
* [ ] Search for kernel **exploits using scripts** \(_post/windows/gather/enum\_patches, post/multi/recon/local\_exploit\_suggester, sherlock, watson_ \)
* [ ] Obtain [**System information**](windows-local-privilege-escalation/#system-info)\*\*\*\*
* [ ] Search for **kernel** [**exploits using scripts**](windows-local-privilege-escalation/#version-exploits)\*\*\*\*
* [ ] Use **Google to search** for kernel **exploits**
* [ ] Use **searchsploit to search** for kernel **exploits**
* [ ] Any [**vulnerable Driver**](windows-local-privilege-escalation/#vulnerable-drivers)?
* [ ] Interesting info in [**env vars**](windows-local-privilege-escalation/#environment)?
* [ ] Passwords in [**PowerShell history**](windows-local-privilege-escalation/#powershell-history)?
* [ ] Interesting info in [**Internet settings**](windows-local-privilege-escalation/#internet-settings)?
* [ ] [**Drives**](windows-local-privilege-escalation/#drives)?
* [ ] \*\*\*\*[**WSUS exploit**](windows-local-privilege-escalation/#wsus)?
* [ ] \*\*\*\*[**AlwaysInstallElevated**](windows-local-privilege-escalation/#alwaysinstallelevated)?
### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration)
* [ ] Check for **credentials** in[ **environment variables**](windows-local-privilege-escalation/#environment)\*\*\*\*
* [ ] Check [**LAPS**](windows-local-privilege-escalation/#laps)\*\*\*\*
* [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings)and [**WEF** ](windows-local-privilege-escalation/#wef)settings
* [ ] Check [**LAPS**](windows-local-privilege-escalation/#laps)\*\*\*\*
* [ ] Check if [**WDigest** ](windows-local-privilege-escalation/#wdigest)is active
* [ ] [**LSA Protection**](windows-local-privilege-escalation/#lsa-protection)?
* [ ] \*\*\*\*[**Credentials Guard**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials)
* [ ] [**Cached Credentials**](windows-local-privilege-escalation/#cached-credentials)?
* [ ] Check if any [**AV**](windows-local-privilege-escalation/#av)\*\*\*\*
* [ ] \*\*\*\*[**AppLocker Policy**](windows-local-privilege-escalation/#applocker-policy)?
* [ ] [**UAC**](windows-local-privilege-escalation/#uac)?
### \*\*\*\*[**User Privileges**](windows-local-privilege-escalation/#users-and-groups)
* [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/#users-and-groups)\*\*\*\*
* [ ] Are you [**member of any privileged group**](windows-local-privilege-escalation/#privileged-groups)?
* [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
* [ ] What is[ inside the Clipboard](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)?
* [ ] [**Users Sessions**](windows-local-privilege-escalation/#logged-users-sessions)?
* [ ] Check[ **users homes**](windows-local-privilege-escalation/#home-folders) \(access?\)
* [ ] Check [**Password Policy**](windows-local-privilege-escalation/#password-policy)\*\*\*\*
* [ ] What is[ **inside the Clipboard**](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)?
### [Network](windows-local-privilege-escalation/#network)
* [ ] Check **current** [network **information**](windows-local-privilege-escalation/#network)\*\*\*\*
* [ ] Check **hidden local services** restricted to the outside
### Vulnerable [Software ](windows-local-privilege-escalation/#software)or [Processes](windows-local-privilege-escalation/#running-processes)?
### [Running Processes](windows-local-privilege-escalation/#running-processes)
* [ ] Is any **unknown software running**?
* [ ] Is any software with **more privileges that it should have running**?
* [ ] Search for **exploits for running processes** \(specially if running of versions\)
* [ ] Can you **read any** interesting **process memory** \(where passwords could be saved\)?
* [ ] Have **write permissions** over the **binaries been** executed by the **processes**?
* [ ] Have **write permissions** over the **folder** of a binary been executed to perform a **DLL Hijacking**?
* [ ] What is[ **running** on **startup** or is **scheduled**](windows-local-privilege-escalation/#run-at-startup)? Can you **modify** the binary?
* [ ] Can you [**dump** the **memory**](windows-local-privilege-escalation/#memory-password-mining) ****of any **process** to extract **passwords**?
* [ ] Processes binaries [**file and folders permissions**](windows-local-privilege-escalation/#file-and-folder-permissions)\*\*\*\*
* [ ] \*\*\*\*[**Memory Password mining**](windows-local-privilege-escalation/#memory-password-mining)\*\*\*\*
* [ ] \*\*\*\*[**Insecure GUI apps**](windows-local-privilege-escalation/#insecure-gui-apps)\*\*\*\*
### [Services](windows-local-privilege-escalation/#services)
@ -45,7 +55,13 @@
* [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/#services-registry-permissions)
* [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/#unquoted-service-paths)
### [DLL Hijacking](windows-local-privilege-escalation/#dll-hijacking)
### \*\*\*\*[**Applications**](windows-local-privilege-escalation/#applications)\*\*\*\*
* [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/#write-permissions)\*\*\*\*
* [ ] \*\*\*\*[**Startup Applications**](windows-local-privilege-escalation/#run-at-startup)\*\*\*\*
* [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/#drivers)\*\*\*\*
### [DLL Hijacking](windows-local-privilege-escalation/#path-dll-hijacking)
* [ ] Can you **write in any folder inside PATH**?
* [ ] Is there any known service binary that **tries to load any non-existant DLL**?

12
windows/windows-local-privilege-escalation/README.md
View file

@ -6,7 +6,7 @@ If you want to **know** about my **latest modifications**/**additions**, **join
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
## Windows version
## System Info
### Version info enumeration
@ -580,6 +580,16 @@ driverquery.exe /fo table
driverquery /SI
```
## PATH DLL Hijacking
If you have **write permissions inside a folder present on PATH** you could be able to hijack a DLL loaded by a process and **escalate privileges**.
Check permissions of all folders inside PATH:
```bash
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
```
## Network
### Shares