Windows Local Privesc Notes

This is a basic rundown of a series of things to check for, with common commands for each. It can be done in tandem with automated tools like WinPEAS.

Note that this stuff is for local privesc -- Domain privesc is a whole topic on its own.

Are components exploitable?

The basic idea here is to check whether there are any application or kernel exploits you can take advantage of.

  • enum installed programs (are any vulnerable to local privesc sploits?)
    • Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
    • Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
  • enum sysinfo (is kernel exploitable?)
    • systeminfo
    • no really...
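The two Uninstall queries above only give display names; a patch-level or vulnerability review also needs versions, the OS build and the installed hotfixes. The script below is an added example (not from the original notes) that collects all of that in one pass, including the per-user HKCU Uninstall hive, and emits one object that can be exported and diffed against a baseline or fed to a vulnerability scanner. It only reads; nothing is exploited.

```powershell
# Added example: inventory for patch-level review (not part of the original notes).
# Both machine-wide Uninstall hives plus the per-user one (per-user installs hide there).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Installed programs with the version string, which is what a CVE lookup actually keys on.
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName, DisplayVersion -Unique

# OS build and last boot: a kernel patch that needs a reboot is not yet effective.
$os = Get-CimInstance -ClassName Win32_OperatingSystem |
    Select-Object Caption, Version, BuildNumber, LastBootUpTime

# Installed updates, newest first, for comparison against the expected patch set.
$hotfixes = Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn

# One object so the whole inventory can be serialised and compared across hosts.
[pscustomobject]@{
    Host     = $env:COMPUTERNAME
    OS       = $os
    Hotfixes = $hotfixes
    Programs = $programs
}
```

Pipe the result through `ConvertTo-Json -Depth 4 | Out-File inventory.json` to keep a per-host snapshot; comparing two snapshots shows which programs or updates changed between runs.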

Are permissions misconfigured?

Here the idea is to see if there's something you can write to that's run from an elevated context, like a service or scheduled task. If so, you can usually drop a shell in its place and get a win that way.

  • enum services
    • Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
    • writable binaries?
      • icacls "C:\path\to\binary.exe"
      • If yes, make a binary that launches a revshell or something.
    • unquoted service path?
      • Get-CimInstance -ClassName win32_service | Select Name,State,PathName
        • Look for paths that lack enclosing quotes and contain spaces, then check the write perms on the intermediate directories in the path.
        • Put malware in the way if something like this is available.
    • can I start/stop services?
  • enum scheduled tasks
    • schtasks /query /fo LIST /v
    • do scheduled tasks have writable binaries/scripts?
  • enum user groups
    • get-localgroup
    • get-localgroupmember [groupname]
    • do perms let me create privileged users?
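The service and scheduled-task checks above are tedious to do one `icacls` at a time. The script below is an added example (not from the original notes) that audits every service binary for the two misconfigurations listed (writable binary, unquoted path with a writable search directory) and every scheduled-task action for a writable executable, then reports a suggested fix for each hit. The helper name `Get-LowPrivWriters` and the identity list are my own choices; the script assumes it runs with rights to read service definitions and file ACLs.

```powershell
# Added example: service / scheduled-task permission audit (not part of the original notes).

# Identities that should never hold write rights on a service binary or its path.
$lowPrivIdentities = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$writeRights = [System.Security.AccessControl.FileSystemRights] 'Write, Modify, FullControl, WriteData, AppendData, TakeOwnership, ChangePermissions'

# Returns the low-privilege identities granted any write-class right on $Path (empty if none).
function Get-LowPrivWriters {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    @($acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPrivIdentities -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $writeRights) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Select-Object -Unique)
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $raw    = $svc.PathName.Trim()
    $quoted = $raw.StartsWith('"')

    # Pull the executable out of the ImagePath: the quoted part, else up to the first .exe.
    if ($quoted)                         { $exe = $raw -replace '^"([^"]*)".*$', '$1' }
    elseif ($raw -match '^(.*?\.exe)\b') { $exe = $Matches[1] }
    else                                 { $exe = ($raw -split '\s+')[0] }

    # Finding 1: the binary itself can be replaced by a low-privilege user.
    $writers = Get-LowPrivWriters -Path $exe
    if ($writers) {
        [pscustomobject]@{
            Service = $svc.Name; RunsAs = $svc.StartName
            Issue   = 'Service binary writable by low-privilege identity'
            Path    = $exe; By = ($writers -join ', ')
            Fix     = "icacls `"$exe`" /remove:g `"$($writers[0])`" (then grant RX only)"
        }
    }

    # Finding 2: unquoted path with spaces. For C:\Program Files\Foo Bar\svc.exe the loader
    # tries C:\Program.exe, then "C:\Program Files\Foo.exe", so each directory before a
    # space is a search location and must not be writable by low-privilege users.
    if (-not $quoted -and $exe.Contains(' ')) {
        $weakDirs = @()
        $idx = 0
        while (($idx = $exe.IndexOf(' ', $idx + 1)) -gt 0) {
            $dir = Split-Path -Parent ($exe.Substring(0, $idx))
            if ($dir -and (Get-LowPrivWriters -Path $dir)) { $weakDirs += $dir }
        }
        $rest  = $raw.Substring($exe.Length)   # arguments after the executable, kept in the fix
        $issue = if ($weakDirs) { 'Unquoted path AND writable search directory' }
                 else           { 'Unquoted path (no writable search directory found)' }
        [pscustomobject]@{
            Service = $svc.Name; RunsAs = $svc.StartName
            Issue   = $issue
            Path    = $exe; By = ($weakDirs -join ', ')
            # Quote the path in the service's ImagePath (Set-ItemProperty on
            # HKLM:\SYSTEM\CurrentControlSet\Services\<name>, value ImagePath).
            Fix     = "Set ImagePath to: `"$exe`"$rest"
        }
    }
}

# Same writable-binary check over scheduled task actions (COM-handler actions have no Execute).
$taskFindings = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables(($action.Execute -replace '"', '')).Trim()
        $writers = Get-LowPrivWriters -Path $exe
        if ($writers) {
            [pscustomobject]@{
                Task   = $task.TaskPath + $task.TaskName
                RunsAs = $task.Principal.UserId
                Path   = $exe; By = ($writers -join ', ')
                Fix    = "icacls `"$exe`" /remove:g `"$($writers[0])`" (then grant RX only)"
            }
        }
    }
}

$findings     | Sort-Object Issue | Format-Table -AutoSize -Wrap
$taskFindings | Format-Table -AutoSize -Wrap
```

An unquoted path is reported even when no writable directory is found, because quoting it is the correct state regardless; the writable-directory case is the one that is exploitable today. Relative task executables such as `powershell.exe` fail the ACL lookup and are skipped, so resolve those against `PATH` separately if needed.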

Is critical information exposed?

More or less, this is looking for plaintext creds or hashes in unintended places like command-line history, password manager databases, or flat files used by applications.

  • enum running processes
    • tasklist
    • get-process
    • get-process -fileversioninfo
    • Are there exposed creds in any command lines? E.g. mysql -u root -p QwE123rfww -h 192.168.13.14
  • look for "loose change" -- i.e. find kdbx, txt, ini, etc. files that might hold passwords and the like.
    • Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
      • replace *.kdbx with whatever file type you think will have cool stuff in it.
  • look at powershell history file
    • (Get-PSReadlineOption).HistorySavePath
  • Listening network connections?
    • netstat -ano
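As an added example (not from the original notes), the script below turns the three checks above into a read-only sweep: it scans running process command lines for password-style arguments like the mysql one quoted above, counts suspect lines in the PowerShell history file and shows who can read it, and lists listening ports with their owning process. Secrets it finds are redacted in the report, since the point is to locate where credentials leak so they can be moved into a config file with a tight ACL or a credential store. The regex patterns, the function names and the redaction marker are my own; `Get-PSReadLineOption` only works where the PSReadLine module is loaded, and `Get-NetTCPConnection` needs the NetTCPIP module (Windows 8 / Server 2012 and later).

```powershell
# Added example: credential-exposure sweep (not part of the original notes).

# Constructed patterns for common ways a password lands on a command line.
# Each has a named group 'secret' so the value can be redacted in the report.
$secretPatterns = @(
    # mysql-style: "mysql -u root -p QwE123rfww" or "-pQwE123rfww" (a bare -p prompts, so no value = no match)
    '(?i)\bmysql(?:\.exe)?\b.*?\s-p\s?(?<secret>[^\s-]\S*)',
    # switches: --password=x, -pass x, /password:x, --token x
    '(?i)(?:^|\s)[-/]{1,2}(?:password|passwd|pass|pwd|secret|token|apikey)[=:\s]\s*(?<secret>[^\s-]\S*)',
    # key=value anywhere, e.g. connection strings "Password=abc;"
    '(?i)\b(?:password|passwd|pwd|secret|token)\s*[=:]\s*(?<secret>[^\s;,&"'']+)'
)

# Processes whose command line carries a password-like argument, with the value redacted.
function Find-CommandLineSecrets {
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.CommandLine } |
        ForEach-Object {
            $proc = $_
            foreach ($pat in $secretPatterns) {
                $m = [regex]::Match($proc.CommandLine, $pat)
                if ($m.Success) {
                    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
                    [pscustomobject]@{
                        PID      = $proc.ProcessId
                        Name     = $proc.Name
                        Owner    = "$($owner.Domain)\$($owner.User)"
                        Redacted = $proc.CommandLine.Replace($m.Groups['secret'].Value, '***')
                    }
                    break   # one finding per process is enough
                }
            }
        }
}

# The PSReadLine history file: how many lines look like they carry a secret, and who can read it.
function Test-PSHistoryExposure {
    $hist = (Get-PSReadLineOption).HistorySavePath
    if (-not (Test-Path -LiteralPath $hist)) { return $null }
    $lines = @(Get-Content -LiteralPath $hist)
    $hits  = 0
    foreach ($line in $lines) {
        foreach ($pat in $secretPatterns) {
            if ($line -match $pat) { $hits++; break }
        }
    }
    $readers = (Get-Acl -LiteralPath $hist).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }
    [pscustomobject]@{
        Path         = $hist
        Lines        = $lines.Count
        SuspectLines = $hits
        Readers      = ($readers -join ', ')
    }
}

# Listening TCP ports mapped to the owning process (the netstat -ano view, as objects).
function Get-ListeningPorts {
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                PID          = $_.OwningProcess
                Process      = $p.ProcessName
            }
        } | Sort-Object Port, LocalAddress -Unique
}

Find-CommandLineSecrets | Format-Table -AutoSize -Wrap
Test-PSHistoryExposure
Get-ListeningPorts      | Format-Table -AutoSize
```

For a history file that already holds secrets, the fix is to delete the file and stop future leakage with `Set-PSReadLineOption -HistorySaveStyle SaveNothing` (or an `-AddToHistoryHandler` that drops lines matching the same patterns); for processes, move the credential out of the argument list into a file readable only by the service account.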