
Help with Windows Priv. Escalation Techniques

schuydorsey

I have been researching more on Windows Priv. escalation techniques and not finding a lot of great resources. I did find this link and it was a GREAT start.

http://www.netspi.com/blog/2009/10/05/windows-privilege-escalation-part-1-local-administrator-privileges/

I was wondering if anyone had any examples of some of them he mentions, specifically 3, 5 and 6.

Some of the techniques, like using the AT command and overwriting SYSTEM-called executables with cmd.exe, seem to require remote desktop access; I'm more interested in techniques that can be done without remote desktop access, only through the command line (especially since in a lot of scenarios, only Administrators will have RDP access anyway).

Thanks in advance!

robertray

Here is one example from the top of my head.

I have found that the DB2 command line tool has been installed under a priv account.

Using ! followed by the command executed the command under that process.

schuydorsey

As in db2cmd.exe?

schuydorsey

What are the best practices to search a Windows box for these installed under a priv account? Is there a way to list all exes that run under a priv account?

robertray

Hmm, I don't know about a tool off the top of my head from a low priv account.

But Process Explorer will allow you to enumerate process user IDs when run as an admin.

You could investigate the defaults in advance. My view would be that many don't follow the principle of least priv; it's a lot of work and takes a fair bit of time to get right. Which admin ever has time?

You would probably also need an idea of what are the default permissions to registry and file system locations.

schuydorsey

Here is a Windows command to list all processes running under SYSTEM. :)

tasklist /fi "username eq system"

ps_2700

Hello schuydorsey,

Regarding your link, it is interesting.

1. I am quite certain that you have played with the "migrate" command in Metasploit. This command can escalate your limited account to a privileged one by DLL injection into a high-privileged process.

2. In Windows, not only the Administrators group but also the "Remote Desktop Users" group can use MS Remote Desktop.

3. For the command

> tasklist /fi "USERNAME eq SYSTEM"

, if you need more information you could use the WMIC feature, which supports all Windows platforms.

> wmic process list /?

> wmic process list full

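An added example, not code from this thread: a small Python audit script that parses `tasklist /v /fo csv` output (a constructed sample is embedded so it runs offline) and groups processes by privileged owner, extending the `username eq system` filter above to the built-in service accounts, and flags privileged processes sitting in an interactive session, which is what a least-privilege review should look at first. The column names, the privileged-account list and the "session 0 = services" rule are assumptions.

```python
import csv
import io
import subprocess
from collections import defaultdict

# Constructed sample of `tasklist /v /fo csv` output (not captured from a real host).
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","812","Services","0","12,345 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:05","N/A"
"db2cmd.exe","4120","Console","1","8,200 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","DB2 CLP"
"spoolsv.exe","1504","Services","0","9,100 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:02","N/A"
"svchost.exe","1020","Services","0","6,500 K","Unknown","NT AUTHORITY\\LOCAL SERVICE","0:00:00","N/A"
"explorer.exe","3300","Console","1","45,000 K","Running","WORKSTATION\\alice","0:00:12","N/A"
"notepad.exe","3900","Console","1","3,000 K","Running","WORKSTATION\\alice","0:00:00","Untitled - Notepad"
'''

# Owners treated as privileged (assumption; extend with your own service accounts).
PRIVILEGED_ACCOUNTS = {"system", "local service", "network service", "administrator"}

def parse_tasklist_csv(text):
    """Parse `tasklist /v /fo csv` text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def account_name(user):
    """Account part of DOMAIN\\user, lower-cased (case-insensitive match is an assumption)."""
    return user.rsplit("\\", 1)[-1].strip().lower()

def processes_by_privileged_user(rows):
    """Map each privileged owner to its (image, pid) list, like `tasklist /fi "username eq ..."`."""
    groups = defaultdict(list)
    for row in rows:
        user = row.get("User Name", "")
        if account_name(user) in PRIVILEGED_ACCOUNTS:
            groups[user].append((row["Image Name"], int(row["PID"])))
    return dict(groups)

def interactive_privileged(rows):
    """Privileged-owner processes outside session 0 (services); review these first (assumption)."""
    return [r["Image Name"] for r in rows
            if account_name(r["User Name"]) in PRIVILEGED_ACCOUNTS and r["Session#"] != "0"]

def run_live():
    """Collect from the local host instead of the sample; Windows only."""
    out = subprocess.run(["tasklist", "/v", "/fo", "csv"], capture_output=True, text=True, check=True).stdout
    return parse_tasklist_csv(out)

if __name__ == "__main__":
    rows = parse_tasklist_csv(SAMPLE_TASKLIST_CSV)
    print(processes_by_privileged_user(rows))
    print("interactive privileged:", interactive_privileged(rows))
```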
schuydorsey

Ah thanks for the info. I didn't know about wmic.

Also for the migrate command in Meterpreter, I didn't know it could elevate your privileges. I thought you could only migrate to processes of the same user/permission level. Good to know!
