Post Exploitation - Windows
Two types of privilege escalation:
- Vertical
- Horizontal
Information Gathering
Find out OS Name and Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
ver
Hostname:
hostname
Username:
whoami
echo %username%
Check user privileges (whether the user belongs to the Administrators group):
net user [user]
Network:
ipconfig /all
Searching for Password in Configuration files
Clear-text passwords
c:\unattend.txt
c:\sysprep.ini - [Clear Text]
c:\sysprep\sysprep.xml - [Base64]
The command below searches the file system for file names containing certain keywords.
dir /s *pass* == *cred* == *vnc* == *.config*
Search certain file types for a keyword; this can generate a lot of output.
findstr /si password *.xml *.ini *.txt
Similarly, the two commands below search the registry for a keyword, in this case "password".
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
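From the hardening side, the same leftover deployment files are worth auditing so they can be removed before anyone finds them. The PowerShell function below is an added example, not part of the original page: it checks the paths listed above, reports whether each file still carries a credential and whether that value is clear text or Base64, and can delete the file under -WhatIf/-Confirm. The function name, its parameters and the extra Panther/Sysprep paths (standard answer-file locations that Windows Setup uses, not listed on the page) are assumptions.

```powershell
# Added example, not from the original page: audit a host for leftover
# deployment files that still hold a credential so they can be removed.
# Function name, parameters and the extra Panther/Sysprep paths are assumptions.
function Find-LeftoverCredentialFiles {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Drive to audit; defaults to the system drive.
        [string]$Root = "$env:SystemDrive\",

        # Delete files that carry a credential marker (honours -WhatIf and -Confirm).
        [switch]$Remove
    )

    $candidates = @(
        'unattend.txt',                           # from the page: clear text
        'sysprep.ini',                            # from the page: clear text
        'sysprep\sysprep.xml',                    # from the page: Base64
        'Windows\Panther\Unattend.xml',           # assumed: default answer-file location
        'Windows\Panther\Unattend\Unattend.xml',  # assumed: default answer-file location
        'Windows\System32\Sysprep\sysprep.xml'    # assumed: default Sysprep location
    ) | ForEach-Object { Join-Path -Path $Root -ChildPath $_ }

    # INI/TXT keys such as 'AdminPassword=' and unattend XML elements such as
    # <Password> or <AdministratorPassword>.
    $marker = '(?i)(^\s*\w*Password\w*\s*=|<\w*Password>)'

    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        $hits = @(Select-String -LiteralPath $path -Pattern $marker)
        if ($hits.Count -eq 0) {
            $encoding = 'n/a'
        } elseif ($path -like '*.xml' -and
                  -not (Select-String -LiteralPath $path -Pattern '<PlainText>\s*true' -Quiet)) {
            # Unattend XML with PlainText=false stores the value Base64-encoded, not encrypted.
            $encoding = 'Base64'
        } else {
            $encoding = 'Clear text'
        }

        [pscustomobject]@{
            Path          = $path
            HasCredential = ($hits.Count -gt 0)
            Encoding      = $encoding
            Lines         = ($hits | ForEach-Object { $_.LineNumber }) -join ','
        }

        if ($Remove -and $hits.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($path, 'Remove leftover credential file')) {
            Remove-Item -LiteralPath $path -Force
        }
    }
}

# Report only:
Find-LeftoverCredentialFiles | Format-Table -AutoSize
# Preview removal without touching anything:
Find-LeftoverCredentialFiles -Remove -WhatIf
```

Run the report first and treat any Base64 hit as a clear-text hit: the unattend encoding is reversible and offers no protection, so the only remediation is to delete the file (and rotate the account password it contained).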
Discovery of Missing Patches
By CMD
wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" /C:"KB4018483"
By Metasploit
use post/windows/gather/enum_patches
By PowerShell (Sherlock)
PS C:\Users\User> Find-AllVulns
Tools
PowerUp
Privilege Escalation Table (due to missing patches)
OS | Description | Security Bulletin | KB | Exploit |
---|---|---|---|---|
Windows Server 2016 | Windows Kernel Mode Drivers | MS16-135 | 3199135 | Exploit, GitHub |
Windows Server 2008, 7, 8, 10, Windows Server 2012 | Secondary Logon Handle | MS16-032 | 3143141 | GitHub, ExploitDB, Metasploit |
Windows Server 2008, Vista, 7 | WebDAV | MS16-016 | 3136041 | GitHub |
Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, Windows 2012 | Windows Kernel Mode Drivers | MS15-051 | 3057191 | GitHub, ExploitDB, Metasploit |
Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8 | Win32k.sys | MS14-058 | 3000061 | GitHub, ExploitDB, Metasploit |
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | AFD Driver | MS14-040 | 2975684 | Python, EXE, ExploitDB, GitHub |
Windows XP, Windows Server 2003 | Windows Kernel | MS14-002 | 2914368 | Metasploit |
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | Kernel Mode Driver | MS13-005 | 2778930 | Metasploit, ExploitDB, GitHub |
Windows Server 2008, 7 | Task Scheduler | MS10-092 | 2305420 | Metasploit, ExploitDB |
Windows Server 2003, Windows Server 2008, 7, XP | KiTrap0D | MS10-015 | 977165 | Exploit, ExploitDB, GitHub, Metasploit |
Windows Server 2003, XP | NDProxy | MS14-002 | 2914368 | Exploit, ExploitDB, ExploitDB, GitHub |
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | Kernel Driver | MS15-061 | 3057839 | GitHub |
Windows Server 2003, XP | AFD.sys | MS11-080 | 2592799 | EXE, Metasploit, ExploitDB |
Windows Server 2003, XP | NDISTAPI | MS11-062 | 2566454 | ExploitDB |
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | RPC | MS15-076 | 3067505 | GitHub |
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | Hot Potato | MS16-075 | 3164038 | GitHub, PowerShell, HotPotato |
Windows Server 2003, Windows Server 2008, 7, XP | Kernel Driver | MS15-010 | 3036220 | GitHub, ExploitDB |
Windows Server 2003, Windows Server 2008, 7, XP | AFD.sys | MS11-046 | 2503665 | EXE, ExploitDB |
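The "Discovery of Missing Patches" commands and the table above can be turned into a patch-compliance check for your own hosts. The PowerShell function below is an added example, not part of the original page: it reads the installed hotfix IDs (from Get-HotFix, the same Win32_QuickFixEngineering source that wmic qfe uses, or from a list captured elsewhere) and reports which of the KBs in the table are absent. The KB/bulletin pairs come from the table; the function name, its parameters and the -InstalledKB offline path are assumptions.

```powershell
# Added example, not from the original page: report which of the KBs from the
# privilege-escalation table are absent from a host. KB/bulletin pairs are the
# page's; function name, parameters and the -InstalledKB offline path are assumptions.
function Get-MissingKnownKB {
    [CmdletBinding()]
    param(
        # Installed hotfix IDs. Defaults to Get-HotFix on the local machine; pass the
        # HotFixID column captured from 'wmic qfe' on another host to work offline.
        [string[]]$InstalledKB,

        # Return only the KBs that are not installed.
        [switch]$MissingOnly
    )

    # KB -> bulletin, copied from the table on this page.
    $known = [ordered]@{
        'KB3199135' = 'MS16-135'; 'KB3143141' = 'MS16-032'; 'KB3136041' = 'MS16-016'
        'KB3057191' = 'MS15-051'; 'KB3000061' = 'MS14-058'; 'KB2975684' = 'MS14-040'
        'KB2914368' = 'MS14-002'; 'KB2778930' = 'MS13-005'; 'KB2305420' = 'MS10-092'
        'KB977165'  = 'MS10-015'; 'KB3057839' = 'MS15-061'; 'KB2592799' = 'MS11-080'
        'KB2566454' = 'MS11-062'; 'KB3067505' = 'MS15-076'; 'KB3164038' = 'MS16-075'
        'KB3036220' = 'MS15-010'; 'KB2503665' = 'MS11-046'
    }

    if (-not $InstalledKB) {
        # Win32_QuickFixEngineering, the same source 'wmic qfe' reads.
        $InstalledKB = Get-HotFix | Select-Object -ExpandProperty HotFixID
    }

    # Normalise to upper-case 'KB1234567' so 'kb3136041' and '3136041' both match.
    $installed = $InstalledKB | ForEach-Object {
        $id = $_.Trim().ToUpper()
        if ($id -match '^\d+$') { "KB$id" } else { $id }
    }

    foreach ($kb in $known.Keys) {
        $present = $installed -contains $kb
        if ($MissingOnly -and $present) { continue }
        [pscustomobject]@{
            KB        = $kb
            Bulletin  = $known[$kb]
            Installed = $present
        }
    }
}

# Usage on the local host: list only what is missing.
Get-MissingKnownKB -MissingOnly | Format-Table -AutoSize

# Usage with output saved from another machine (one HotFixID per line):
# Get-MissingKnownKB -InstalledKB (Get-Content .\qfe-hotfixids.txt) -MissingOnly
```

Treat the output as a triage list, not a verdict: a KB that does not appear may have been superseded by a later cumulative update (on Windows 10 and Server 2016 the monthly rollups replace individual KB numbers entirely), and Win32_QuickFixEngineering does not enumerate every kind of update. Confirm anything flagged against Windows Update history or a vulnerability scanner before acting on it.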
Privilege Escalation Exploit
Exploit-DB | Vulnerability | MS# | 2000 | XP | 2003 | 2008 | Vista | 7 |
---|---|---|---|---|---|---|---|---|
271 | Lsasrv.dll | MS04-011 | SP2/3/4 | SP0/1 | - | - | - | - |
350 | Util Manager | MS04-019 | SP2/3/4 | - | - | - | - | - |
351 | POSIX | MS04-020 | SP4 | - | - | - | - | - |
352 | Univ lang. Util Mgr | MS04-019 | SP2/3/4 | - | - | - | - | - |
355 | Univ lang. Util Mgr | MS04-019 | SP2/3/4 | - | - | - | - | - |
1149 | PnP Service | MS05-039 | SP4 | SP2 | SP1 | - | - | - |
1197 | keybd_event | - | all | all | all | - | - | - |
1198 | CSRSS | MS05-018 | SP3/4 | SP1/2 | - | - | - | - |
1407 | Kernel APC | MS05-055 | SP4 | - | - | - | - | - |
1911 | Mrxsmb.sys | MS06-030 | all | SP2 | - | - | - | - |
2412 | Windows Kernel | MS06-049 | SP4 | - | - | - | - | - |
3220 | Print spool service | - | - | All | - | - | - | - |
5518 | win32k.sys | MS08-025 | SP4 | SP2 | SP1/SP2 | SP0 | SP0/SP1 | - |
6705 | Churrasco | MS09-012 | - | - | All | - | - | - |
6705 | Churraskito | - | - | All | All | - | - | - |
21923 | Winlogon NetDDE | - | All | All | - | - | - | - |
11199 | KiTrap0D/vdmallowed | MS10-015 | All | All | All | All | All | All |
14610 | Chimichurri | MS10-059 | - | - | - | All | All | SP0 |
15589 | Task Scheduler | MS10-092 | - | - | - | SP0/SP1/SP2 | SP1/SP2 | SP0 |
18176 | AFD.Sys | MS11-080 | - | SP3 | SP3 | - | - | - |
- | - | MS13-005 | - | - | - | - | - | - |
- | - | MS13-081 | - | - | - | - | - | - |
- | - | MS14-058 | - | - | - | - | - | - |
- | - | MS14-068 | - | - | - | - | - | - |
- | - | MS14-070 | - | - | - | - | - | - |
- | - | MS15-051 | - | - | - | - | - | - |
- | - | MS15-052 | - | - | - | - | - | - |