Windows Privilege Escalation

Windows Privilege Escalation

Navigation

Sections in This Note


Windows Access Tokens

Windows access tokens are a core element of the authentication process on Windows and are created and managed by the Local Security Authority Subsystem Service (LSASS).

Privileges required for a successful impersonation attack:

We can use the incognito module to display a list of available tokens that we can impersonate.

Windows File System Vulnerabilities

Alternate Data Streams

Alternate Data Streams (ADS) is an NTFS (New Technology File System) file attribute, designed to provide compatibility with the macOS HFS (Hierarchical File System).

Windows Credential Dumping

Visual Diagram

flowchart TD
A[Access]-->B[Privileges]
B-->C[Patch Level]
C-->D[Services/Tasks]
D-->E[Credentials]
E-->F[Escalation Path]

Migrated from Unsorted Notes — Windows Privilege Escalation

Windows Privilege Escalation

Privilege escalation is the process of exploiting vulnerabilities or misconfigurations in systems to elevate privileges from one user to another, typically to administrative or root access. It's a vital element of the attack life cycle and a major determinant in the overall success of a penetration test.

After gaining an initial foothold, you'll need to elevate your privileges to perform tasks requiring administrative privileges.


Migrated from Unsorted Notes — Windows Kernel Exploit

Windows Kernel Exploit

A kernel is a computer program that is the core of an operating system and has complete control over every resource and hardware on a system. It acts as a translation layer between hardware and software and facilitates communication between the two.

Windows NT is the kernel that comes pre-packaged with all versions of Microsoft Windows. It has two main modes of operation:

This process differs based on the version of Windows targeted and the kernel exploit used.


Migrated from Unsorted Notes — Tools

Tools

Windows-Exploit-Suggester: Compares a target's patch level against the Microsoft vulnerability database to detect potential missing patches. Notifies the user of public exploits and Metasploit modules available for missing bulletins.
https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Windows-Kernel-Exploits: Collection of Windows kernel exploits sorted by CVE.
https://github.com/SecWiki/windows-kernel-exploits

Privilege escalation process (after getting a meterpreter session):

shell
systeminfo
# copy the system info and save as .txt file

Using Windows Exploit Suggester:

cd windows-enum/Windows-Exploit-Suggester
ls
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database (downloaded database name) --systeminfo ~/desktop/(systeminfo txt file)

Then find the suggested kernel exploit on https://github.com/SecWiki/windows-kernel-exploits, download it, and upload it to the temp folder.

Powered by Forestry.md