Jump to content
Sign in to follow this  
Followers 0
schuydorsey

Help with Windows Priv. Escalation Techniques

By schuydorsey, in Tutorials and Further study

Recommended Posts

schuydorsey    51

schuydorsey
Posted

I have been researching more on Windows Priv. escalation techniques and not finding a lot of great resources. I did find this link and it was a GREAT start.

http://www.netspi.com/blog/2009/10/05/windows-privilege-escalation-part-1-local-administrator-privileges/

I was wondering if anyone had any examples of some of them he mentions, specifically 3, 5 and 6.

Some of the techniques like using the AT command and overwriting SYSTEM called executables with cmd.exe seem to require remote desktop access; I'm more interested in techniques that can be done without remote desktop access but only through command line. (especially since in a lot of scenarios, only Administrators will have RDP access anyway).

Thanks in advance!

Share this post

Link to post

robertray    41

robertray
Posted

Here is one example from the top of my head.

I have found that the DB2 command line tool has been installed under a priv account.

Using ! then the command has executed the command under that process.

Share this post

Link to post

schuydorsey    51

schuydorsey
Posted

As in db2cmd.exe ?

Share this post

Link to post

schuydorsey    51

schuydorsey
Posted

What are the best practices to search a Windows box for these installed under a priv account? Is there a way to list all exe's that run under a priv account?

Share this post

Link to post

robertray    41

robertray
Posted

Hmm I dont know about a tool off the top of my head from a low priv account.

But process explorer will allow you to enumerate process user IDs when ran as an admin.

You could investigate in defaults in advance. My view would be that many dont follow the principal of least priv, its a lot of work and takes a fair bit of time to get right. Which admin ever has time?

You would probably also need an idea of what are the default permissions to registry and file system locations.

Share this post

Link to post

schuydorsey    51

schuydorsey
Posted

Here is a Windows command to list all processes running under system. :)

tasklist /fi "username eq system"

Share this post

Link to post

ps_2700    0

ps_2700
Posted (edited)

Hello schuydorsey

Regarding to your link, it is interesting.

1. I am quite certain that you have ever played "migrate" command in metasploit. This command can escalate your limited account to privilege one by dll injection to the high-privileged process.

2. In window, not only Administrators group, but also

the "Remote Desktop Users" group could use MS Remote Desktop.

3. For the command

> tasklist /fi "USERNAME eq SYSTEM"

,if you need more information you could use WMIC feature supporting all window platforms.

> wmic process list /?

> wmic process list full

Edited by ps_2700

Share this post

Link to post

schuydorsey    51

schuydorsey
Posted

Ah thanks for the info. I didn't know about wmic.

Also for the migrate command in Meterpreter, I didn't know it could elevate your privileges. I thought you could only migrate to processes of the same user/permission level. Good to know!

  • Like 1

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Tutorials and Further study
×