Windows Privilege Escalation
Overview
Configuring proper access roles and privileges is essential for an operating system to run reliably without being breached. Attackers, however, look for any misconfiguration or flaw in the operating system that lets them reach sensitive data, and the most common technique cybercriminals use to get at sensitive OS information is privilege escalation.
All privilege escalation boils down to thorough enumeration. We will dig into system enumeration and popular enumeration scripts, and then look at some well-known Windows privilege escalation techniques that cybercriminals use.
Introduction
Privilege escalation is an attack in which the attacker exploits flaws in a system to gain unauthorized, high-privileged access to it. The system can be an operating system such as Windows, a web application, a network device, a server, and so on. Privilege escalation becomes possible because of design flaws, oversights in OS configuration, or exploitation of human behavior. Through this technique, attackers dig deeper into the network, looking for high-value assets, and they get there through careful enumeration. According to BeyondTrust's report, elevation of privilege was the #1 vulnerability category, accounting for 49 percent of all vulnerabilities in 2021. Without further delay, let us jump into the basics of system enumeration.
Basic Enumeration of the System
Enumeration is the extraction of a system's valid usernames, MAC addresses, system names, shares, directory structures and names, network status, hosts, primary servers, firewall state, OS updates, and other configuration. It is part of reconnaissance and shows what an attacker would learn by enumerating the operating system. System enumeration plays a significant role in penetration testing because it exposes potential security flaws in a system.
Let us explore some basic enumeration techniques that one can use manually.
Basic System Information
These commands check the basic system information.
User Info / Who am I?
This command helps in checking the user information on the system.
What Users/Local Groups are on the Machine?
This command lists all the users and local groups on the system.
Network-Related Checks
This command fetches all the network-related information associated with the system.
Detailed Info About a Specific User. Check If the User has Privileges.
This command fetches details about a specific user and shows which privileges that user holds.
Analyze Domain Groups
This command analyzes domain groups.
Firewall Status/State
This command fetches the firewall status of the system.
View Members of Domain Group
This command helps in viewing the members of the domain group.
Look for Clear Text Passwords
This command looks for clear text passwords.
Look for All the Different Strings in Config Files.
This command looks for all the different strings in configuration files.
Identify All Passwords in Different Files.
This command helps in identifying all passwords in different files.
Check How Well Patched the System Is.
This command checks how well the system is patched.
Check Registry for Passwords
VNC
This command checks the registry for Virtual Network Computing (VNC) settings.
SNMP Parameters
This command checks the SNMP parameters.
Windows Autologin
This command checks the auto-login configuration in Windows.
Search for Password in Registry
This command searches for the passwords in the registry.
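The registry checks in this section (auto-login, SNMP, VNC, and a general password search), as one added PowerShell audit script that is not part of the original article. The RealVNC and TightVNC key locations are assumed defaults, and the search depth is a chosen limit.

```powershell
# Added audit example (not from the article). Reports registry locations that
# commonly hold clear-text or reversible credentials. Value data is never printed,
# only the key and value name, so the report can be handed to the system owner.
function Get-AutoLogonSetting {
    # Winlogon auto-logon: a DefaultPassword value means a clear-text password is stored.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $w = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon  = [string]$w.AutoAdminLogon
        DefaultUserName = [string]$w.DefaultUserName
        PasswordStored  = [bool]($null -ne $w -and $null -ne $w.DefaultPassword)
    }
}
function Get-SnmpCommunity {
    # Community strings act as passwords for SNMP v1/v2c. Here the value NAMES are the
    # community strings and the data is the access level, so names are what to report.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'
    if (Test-Path -LiteralPath $key) { (Get-Item -LiteralPath $key).GetValueNames() }
}
function Get-VncPasswordValue {
    # Obfuscated VNC server passwords (assumed default key locations for RealVNC/TightVNC).
    foreach ($key in 'HKLM:\SOFTWARE\RealVNC\WinVNC4', 'HKLM:\SOFTWARE\TightVNC\Server') {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($name in (Get-Item -LiteralPath $key).GetValueNames()) {
            if ($name -like 'Password*') { [pscustomobject]@{ Key = $key; ValueName = $name } }
        }
    }
}
function Find-RegistryPasswordValue {
    # Walk a hive and return value NAMES that look like credentials. Depth is capped
    # because a full recursive walk of a hive can take minutes.
    param([string]$Root = 'HKCU:\Software', [int]$MaxDepth = 4)
    Get-ChildItem -Path $Root -Recurse -Depth $MaxDepth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $k = $_
            foreach ($name in $k.GetValueNames()) {
                if ($name -match 'passw|pwd|secret|credential') {
                    [pscustomobject]@{ Key = $k.Name; ValueName = $name; Kind = $k.GetValueKind($name) }
                }
            }
        }
}
Get-AutoLogonSetting
Get-SnmpCommunity
Get-VncPasswordValue
Find-RegistryPasswordValue | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so HKLM keys are readable; any hit is a finding to remediate (remove the stored secret or tighten the key's ACL).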
Some of the Popular Scripts Available for Enumeration
To perform comprehensive privilege escalation, proper enumeration of the target operating system is essential. Recalling and running every check by hand slows the whole process, so in this section we look closely at some well-known enumeration scripts for Windows.
WinPEAS
winPEAS was created by Carlos Polop. It extracts all forms of data from a Windows operating system, such as domain name details, system information, running services, number of users, network status, browser details, files, and event analysis, and it color-codes its output to highlight different privileges and active users.
PowerUp
PowerUp is another robust and fast Windows enumeration tool, authored by harmj0y. It delivers a clearinghouse of well-known Windows privilege escalation vectors that rely on system misconfiguration. Running the "Invoke-AllChecks" command outputs every identifiable weakness along with the details needed to abuse it. It also has an HTMLReport flag that writes the results to a COMPUTER.username.html report file.
Watson
Watson is another well-known script, a .NET-based tool that enumerates missing KBs and suggests privilege escalation vulnerabilities that it can identify on the Windows system. It supports specific Windows 10 builds (1507, 1511, 1607, 1703, 1709, 1803, 1809, etc.) and Windows Server 2016 and 2019. It can also reveal system information, network status, running services, and so on.
Seatbelt
The Seatbelt enumeration script was authored by RastaMouse. It is written in C# and performs many security-oriented host surveys and safety checks, which are useful for both offensive and defensive security. It covers a wide array of system enumeration, such as antivirus checks, audit policies, browser history, directory checks, registry checks, Windows details, and much more.
Powerless
The Powerless Windows enumeration tool was designed with OSCP labs in mind. It bundles a cluster of Windows privilege escalation checks assembled from various sources and uses native Windows binaries present in nearly every Windows version and edition, so PowerShell is not necessary to run it.
JAWS (Just Another Windows (Enum) Script)
JAWS (Just Another Windows (Enum) Script) is another well-known Windows enumeration script that helps security professionals and hackers quickly recognize possible privilege escalation vectors on Windows systems. It runs on PowerShell 2.0 and can enumerate network information, firewall status, file and folder access, service paths, system installation files, stored credentials, recent documents, and much more.
Windows Privilege Escalation Techniques
Privilege escalation is the technique wherein a malicious attacker exploits design flaws, human error, misconfiguration, vulnerabilities, code weaknesses, or any other error within an operating system. By gaining elevated access to resources that would normally remain inaccessible to low-privileged users, attackers can obtain sensitive information and leak it, change the security configuration, or even deploy and execute backdoors and malware on the system.
There are two different types of privilege escalation. In horizontal privilege escalation, the attacker stays at the same level of privilege but gains (malicious) access to, and control of, multiple accounts that share that privilege; hackers often steal data from these accounts and sell it for monetary gain. The other type is vertical privilege escalation, in which the hacker compromises other accounts or uses vulnerabilities to move an account from lower to higher privileges. One straightforward scenario is a general user gaining administrative rights on a web app.
Here are some popular and recognized Windows privilege escalation techniques that hackers use to elevate their access rights and permissions.
Stored Credentials
Attackers can search for stored credentials such as usernames, passwords, and other login information, and the Windows registry is one place to look. Once you find such credentials on the system, you can check whether Remote Desktop Protocol (RDP) access is possible; the user has to be in the Remote Desktop Users group. Hackers and pen testers can also run PowerShell scripts as that user. Here is the PowerShell script:
Windows Kernel Exploitation
In this Windows privilege escalation technique, the attacker looks for unpatched OS vulnerabilities, which pays off when Windows is not kept up to date. Attackers can use the Watson script (mentioned in the previous section) to check for kernel exploitation vulnerabilities, and winPEAS can also help find exploitable ones. If you find an exploitable bug, you can download the exploit from this repository.
DLL Hijacking
Every Windows program loads DLL (Dynamic Link Library) files. If the operating system does not find a particular DLL while starting an application, DLL hijacking becomes possible and can escalate privileges. In this method, hackers inject malicious code into an application by exploiting the missing DLL. Only Microsoft operating systems are susceptible to DLL hijacking. By placing a malicious DLL with the missing file's name somewhere in the application's search path, hackers get the application to load it when it starts, which lets them carry out operations such as privilege escalation and installing backdoors. To pull off a DLL hijacking attack, you must know the predefined search path an application follows when it loads. Here are the predefined locations, in search order, that apps and programs use to find DLLs and that hackers can exploit:
- The directory or folder from where the application or program loads
- System 32's directory (usually the C:\Windows\System32)
- System directory for 64-bit (usually the C:\Windows\System)
- The Windows directory within the operating system's drive (usually the C:\Windows)
- The current/present working directory (CWD/PWD)
- Directories residing within the PATH environment variables
Unquoted Service Paths
When a service starts, Windows has to locate its binary. If the service's binary path is unquoted, Windows does not know exactly where the binary ends and starts looking for it in the candidate folders along the path. Hackers can exploit this misconfiguration when they encounter these three conditions:
- When the service path contains space(s)
- When the service path remains unquoted
- When we have "write" permission on any intermediate folder
For example: `C:\Program Files\Unquoted Path \Common Files\services.ex`
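An audit for exactly these three conditions, as an added PowerShell example that is not part of the original article: it enumerates services, finds unquoted paths with spaces, and checks the ACL of every intermediate directory Windows would probe. The list of risky principals is an assumption you may extend.

```powershell
# Added audit example (not from the article): find services whose binary path is
# unquoted and contains a space, then check whether a low-privileged principal can
# create files in any directory Windows would probe along that path.
function Get-UnquotedServicePath {
    # Principals whose write access makes an intermediate directory dangerous.
    $riskyPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    # CreateFiles (WriteData) is the right needed to drop e.g. "Program.exe" there.
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    # ACEs marked InheritOnly apply to children, not to the directory itself.
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        # Quoted paths are safe; a path without .exe cannot be split meaningfully.
        if (-not $path -or $path.StartsWith('"')) { return }
        $end = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        if ($end -lt 0) { return }
        $exe = $path.Substring(0, $end + 4)
        if ($exe -notmatch ' ') { return }
        # Each space yields a candidate Windows tries first: for
        # C:\Program Files\Unquoted Path\svc.exe it tries C:\Program.exe and
        # then C:\Program Files\Unquoted.exe before the real binary.
        $parts    = $exe.Split(' ')
        $writable = @()
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $dir = Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
            if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
            $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $riskyPrincipals -contains $ace.IdentityReference.Value -and
                    ([int]$ace.PropagationFlags -band $inheritOnly) -eq 0 -and
                    ([int]$ace.FileSystemRights -band $createFiles) -ne 0) {
                    $writable += $dir
                }
            }
        }
        if ($writable.Count -gt 0) {
            [pscustomobject]@{
                Service      = $svc.Name
                RunsAs       = $svc.StartName
                Path         = $path
                WritableDirs = ($writable | Select-Object -Unique) -join '; '
            }
        }
    }
}
Get-UnquotedServicePath | Format-Table -AutoSize
```

The fix for any service reported is to quote its path (`sc config <name> binpath= "\"C:\full path\svc.exe\""`) and to remove the write grant on the intermediate directory.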
Weak Folder Permissions
Weak folder permissions are situations in which a user has "write" permission on a folder that an application or the Windows operating system uses. The user can then replace the binary with a malicious one, and when the application runs the malicious code, the user gets higher privileges. Hackers often create these payloads themselves or download them from malicious repositories.
Weak Service Permissions
Services created on the operating system sometimes have weak permissions, whether from careless coding or security loopholes, and this often leads to Windows privilege escalation. Users can leverage such unwanted permissions to modify the service configuration, that is, to change the "binPath" so that it points at a malicious binary. Consider a situation in which the "Authenticated Users" group has SERVICE_ALL_ACCESS on a service: any member of that group can modify the binary the service executes, change the config, and restart the service to run the payload, for example:
`sc config daclsvc binpath= "C:\Users\user\Desktop\shell.exe"`
Weak Registry Permissions
The Windows registry is a hierarchical database of settings and configuration for the applications and hardware installed on or running in a Windows system. Services have registry keys located at HKLM\SYSTEM\CurrentControlSet\Services\<service name>. A user who holds write access to one of these keys can change the service's binary path and thereby subvert the system, app, or service.
Always Install Elevated
Windows lets any low-privileged user install a Windows Installer package (MSI) with SYSTEM privileges when the "AlwaysInstallElevated" group policy is enabled. Cybercriminals can abuse this by generating an msfvenom payload in MSI format. Once they install the payload (msiexec /quiet /qn /I C:\Windows\Temp\setup.msi), it runs with elevated privileges and broader access to resources.
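The two registry conditions just described (writable service keys and the AlwaysInstallElevated policy), as one added PowerShell audit that is not part of the original article. The list of risky principals is an assumption you may extend.

```powershell
# Added audit example (not from the article): two registry checks for the issues
# discussed above. AlwaysInstallElevated only takes effect when it is 1 in BOTH the
# HKLM and HKCU policy keys; the second check lists service keys under
# HKLM\SYSTEM\CurrentControlSet\Services that a non-admin principal may write to.
function Test-AlwaysInstallElevated {
    $sub = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $set = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $p = Get-ItemProperty -Path ('{0}:\{1}' -f $hive, $sub) -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $set[$hive] = [bool]($null -ne $p -and $p.AlwaysInstallElevated -eq 1)
    }
    [pscustomobject]@{
        HKLM        = $set['HKLM']
        HKCU        = $set['HKCU']
        Exploitable = ($set['HKLM'] -and $set['HKCU'])
    }
}
function Get-WritableServiceKey {
    $riskyPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                         'NT AUTHORITY\INTERACTIVE')
    # SetValue lets a principal rewrite ImagePath; CreateSubKey lets them add keys.
    $writeMask = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [int][System.Security.AccessControl.RegistryRights]::CreateSubKey
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $riskyPrincipals -contains $ace.IdentityReference.Value -and
                    ([int]$ace.RegistryRights -band $writeMask) -ne 0) {
                    [pscustomobject]@{
                        Service   = $key.PSChildName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.RegistryRights
                        ImagePath = $key.GetValue('ImagePath')
                    }
                }
            }
        }
}
Test-AlwaysInstallElevated
Get-WritableServiceKey | Format-Table -AutoSize
```

Remediation is to set AlwaysInstallElevated to 0 (or delete it) in both hives and to restore the default ACL on any service key reported.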
Modifiable Autorun
If the file that an Autorun entry points to can be modified, a user can replace it with a payload that is then executed effortlessly with elevated privileges. Such elevation usually requires someone in the Administrators group to log in and run the file, since the Autorun entry launches it with that user's privileges. Thus, a modifiable Autorun file is a great companion for hackers.
Tater / Hot Potato
Hot Potato is another popular Windows privilege escalation technique that takes advantage of generic flaws in Windows. It gains elevated privileges under default configurations by combining NTLM relay and NBNS spoofing. The technique works on Windows 7, 8, and 10 and on server editions such as 2008 and 2012. Enterprises often rely on account privileges to protect the network from attacks, and Hot Potato abuses exactly that trust to mount network-level attacks.
Token Manipulation
Attackers can modify access tokens to operate as a different user, perform high-impact actions, and bypass access controls. Hackers often first compromise a service running on the system, such as SQL Server, Apache, or MySQL. Attackers can also use built-in Windows API functions to copy the access token of an existing process, which is known as token stealing, and they mostly do this against network-based services. Tools such as Rotten Potato and Juicy Potato exploit this to escalate privileges.
Conclusion
- We hope this article has given a clear idea of basic enumeration and the manual tricks used to enumerate a Windows system for privilege escalation.
- We then covered some well-known enumeration scripts available online.
- Lastly, we looked at several techniques that make Windows privilege escalation possible.