Privilege Escalation
Privilege Escalation Awesome Scripts - For Windows and Linux
Windows
New version of Windows Privilege Escalation RottenPotato
PowerShell downgrade attack to inject shellcode straight into memory, based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique
Automate DLLs that can be used for preloading attacks
Windows Privilege Escalation Fundamentals
Encyclopaedia Of Windows Privilege Escalation
Windows Privilege Escalation - a cheatsheet
Active Directory Assessment and Privilege Escalation Script
Source
Unquoted Service Paths
This occurs when a developer fails to enclose a service's executable path in quotes. A properly quoted path is treated as a single absolute path, which mitigates the vulnerability.
Example:
Running C:\Program Files\Some Folder\Service.exe without quotes tries to run
- C:\Program.exe
- C:\Program Files\Some.exe
- C:\Program Files\Some Folder\Service.exe
Command to Find Unquoted Service Paths:
Check whether you have Modify or Write permissions on the folder:
Metasploit Module:
use exploit/windows/local/trusted_service_path
Note: the module does not check permissions before trying the service paths.
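The following is an added example, not a command from the original cheatsheet or from any of the tools it links. It models how the Windows service control manager parses an unquoted ImagePath, lists the executables that would be tried before the intended binary (reproducing the Program.exe / Some.exe / Service.exe sequence above), and produces the quoted, remediated path. The service entries are constructed sample data, not output from a real machine, and the helper only understands `.exe` paths.

```python
"""Audit Windows service ImagePath values for the unquoted-path weakness.

Added example, not part of the original cheatsheet. It models how the
service control manager parses an unquoted path containing spaces, lists
the directories whose ACLs an administrator must check, and shows the
remediated (quoted) path. All service entries are constructed samples.
"""
import re

# Constructed sample of (service name, ImagePath) pairs as they might
# appear under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = [
    ("GoodSvc", r'"C:\Program Files\Vendor\Good Service\svc.exe" -run'),
    ("BadSvc", r"C:\Program Files\Some Folder\Service.exe"),
    ("BadSvcArgs", r"C:\Program Files\Some Folder\Service.exe -k netsvcs"),
    ("SysSvc", r"C:\Windows\system32\svchost.exe -k LocalService"),
]


def _exe_portion(image_path):
    """Return the part of the ImagePath up to and including the first '.exe';
    anything after it is treated as arguments (assumption: .exe paths only)."""
    m = re.match(r"(.*?\.exe)", image_path, re.IGNORECASE)
    return m.group(1) if m else image_path


def is_unquoted_with_spaces(image_path):
    """True when the path is not quoted and contains a space, i.e. it is
    ambiguous to the service control manager."""
    path = image_path.strip()
    if path.startswith('"'):
        return False
    return " " in _exe_portion(path)


def candidate_executables(image_path):
    """Return the executables Windows would try, in order, for an unquoted
    path with spaces. The last element is the intended binary; each earlier
    one is a space-delimited prefix with '.exe' appended."""
    parts = _exe_portion(image_path.strip()).split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if not prefix.lower().endswith(".exe"):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def quote_image_path(image_path):
    """Return the remediated ImagePath with the executable portion quoted.
    Paths that are already quoted or contain no space are returned unchanged."""
    path = image_path.strip()
    if not is_unquoted_with_spaces(path):
        return path
    m = re.match(r"(.*?\.exe)(.*)", path, re.IGNORECASE | re.DOTALL)
    exe, args = m.group(1), m.group(2)
    return '"%s"%s' % (exe, args)


def audit(services):
    """Map each unquoted-with-spaces service to the directories that hold the
    candidates tried before the intended binary. These are the folders whose
    ACLs must deny Write/Modify to non-administrators until the path is fixed."""
    findings = {}
    for name, image_path in services:
        if not is_unquoted_with_spaces(image_path):
            continue
        cands = candidate_executables(image_path)
        # Every candidate except the last (intended) one is a risk location.
        findings[name] = [c.rsplit("\\", 1)[0] + "\\" for c in cands[:-1]]
    return findings


if __name__ == "__main__":
    for svc, dirs in audit(SAMPLE_SERVICES).items():
        print("%s: check ACLs on %s" % (svc, ", ".join(dirs)))
        print("  fix: ImagePath = %s" % quote_image_path(dict(SAMPLE_SERVICES)[svc]))
```

On a live host the same logic applies to the ImagePath values read from the registry or from the service query commands referenced above; quoting the path (or ensuring the listed directories are not writable by standard users) closes the issue.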
Vulnerable Services
Similar to Unquoted Service Paths, but the weakness lies in the permissions on the service itself.
Check Permissions of Services:
Check Properties of the Service:
DLL Hijacking
When a DLL is loaded, the application checks the following folders, in order, for the DLL. If a DLL with the same name is placed in a directory earlier in this list than the legitimate copy, the application loads that DLL instead and runs its code with the application's privileges.
- The directory from which the application loaded
- 32-bit System directory (C:\Windows\System32)
- 16-bit System directory (C:\Windows\System)
- Windows directory (C:\Windows)
- The current working directory (CWD)
- Directories in the PATH environment variable (system then user)
If the executable tries to load a DLL and you have write access to the current working directory or to a directory in PATH, you can add a DLL there and have the application load it.
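The following is an added example, not code from the original cheatsheet. It encodes the search order listed above (which is Windows' order with SafeDllSearchMode enabled, the default) over a constructed in-memory filesystem and answers the two questions an auditor needs: from which directory would a given DLL actually be loaded, and does a directory writable by standard users come earlier in the order than that location? It also models the KnownDLLs short-circuit, where listed DLLs are always taken from System32. All directories, DLL names and writability facts are constructed sample data.

```python
"""Model the Windows DLL search order to audit DLL-hijacking exposure.

Added example, not part of the original cheatsheet. Search order follows
the list above (SafeDllSearchMode enabled). The filesystem, PATH entries
and ACL facts are constructed samples.
"""
import ntpath

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"

# Constructed sample environment.
APP_DIR = r"C:\Program Files\ExampleApp"
CWD = r"C:\Users\alice\Downloads"
SYSTEM_PATH = [SYSTEM32, r"C:\Tools"]
USER_PATH = [r"C:\Users\alice\bin"]
FILESYSTEM = {                      # directory -> files it contains
    APP_DIR: {"app.exe", "vendor.dll"},
    SYSTEM32: {"kernel32.dll", "version.dll"},
    r"C:\Tools": set(),
}
WRITABLE_BY_USERS = {CWD, r"C:\Tools", r"C:\Users\alice\bin"}
KNOWN_DLLS = {"kernel32.dll"}       # constructed subset of the KnownDLLs list


def _key(path):
    """Case-insensitive comparison key for a Windows path."""
    return ntpath.normcase(path.rstrip("\\"))


def search_order(app_dir, cwd, system_path, user_path):
    """Return the directories Windows consults, in order, without duplicates."""
    ordered = [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *system_path, *user_path]
    seen, result = set(), []
    for d in ordered:
        if _key(d) not in seen:
            seen.add(_key(d))
            result.append(d.rstrip("\\"))
    return result


def resolve_dll(dll_name, order, filesystem, known_dlls=frozenset()):
    """Directory from which dll_name would be loaded, or None if it is absent.
    DLLs on the KnownDLLs list always come from System32 regardless of order."""
    if dll_name.lower() in {k.lower() for k in known_dlls}:
        return SYSTEM32
    for d in order:
        if dll_name.lower() in {f.lower() for f in filesystem.get(d, ())}:
            return d
    return None


def hijack_exposure(dll_name, order, filesystem, writable_dirs, known_dlls=frozenset()):
    """Return the user-writable directories consulted before the DLL's real
    location. If the DLL is missing entirely, every writable directory in the
    order is returned. An empty list means the load is not exposed."""
    if dll_name.lower() in {k.lower() for k in known_dlls}:
        return []
    loaded_from = resolve_dll(dll_name, order, filesystem)
    writable = {_key(w) for w in writable_dirs}
    exposed = []
    for d in order:
        if loaded_from is not None and _key(d) == _key(loaded_from):
            break                   # real copy found before any later writable dir
        if _key(d) in writable:
            exposed.append(d)
    return exposed


if __name__ == "__main__":
    order = search_order(APP_DIR, CWD, SYSTEM_PATH, USER_PATH)
    for dll in ("vendor.dll", "version.dll", "missing.dll", "kernel32.dll"):
        found = resolve_dll(dll, order, FILESYSTEM, KNOWN_DLLS)
        exposed = hijack_exposure(dll, order, FILESYSTEM, WRITABLE_BY_USERS, KNOWN_DLLS)
        print("%-13s loaded from %-28s exposed via %s" % (dll, found, exposed or "none"))
```

The model makes the practical point explicit: a writable PATH or working directory only matters for a DLL that is not already present in an earlier directory (or that is missing altogether), so the loads worth fixing are those where `hijack_exposure` is non-empty. Remediation is to load such DLLs by full path, tighten the ACLs on the exposed directories, and keep SafeDllSearchMode enabled.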
Vulnerable Programs
Curated list of offensive security tools and their respective commands