Privilege Escalation
Privilege Escalation Awesome Scripts - For Windows and Linux
Windows
New version of Windows Privilege Escalation RottenPotato
PowerShell downgrade attack to inject shellcode straight into memory based on Matthew Graeber's powershell attacks and the powershell bypass technique
Automate DLLs that can be used for preloading attacks
Windows Privilege Escalation Fundamentals
https://www.youtube.com/watch?v=kMG8IsCohHA
http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html
Active Directory Assessment and Privilege Escalation Script
Source
Unquoted Service Paths
This occurs when a developer fails to enclose a service's binary path in quotes. File paths that are properly quoted are treated as one absolute path and therefore mitigate this vulnerability.
Example:
Running C:\Program Files\Some Folder\Service.exe without quotes tries to run, in order:
- C:\Program.exe
- C:\Program Files\Some.exe
- C:\Program Files\Some Folder\Service.exe
Command to Find Unquoted Service Paths:
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
Check to see if you have Modify or Write permissions on the folder:
icacls "C:\Program Files (x86)\Privacyware"
Metasploit Module:
use exploit/windows/local/trusted_service_path
Does not check permissions before trying service paths
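The following PowerShell audit script is an added example, not part of the original page: it combines the wmic and icacls checks above by listing unquoted service paths, expanding the candidate paths Windows would try, and flagging candidate directories where non-admin principals can create files. It assumes an elevated PowerShell session and the default SafeDllSearchMode/CreateProcess behaviour; the principal list and `sc config` remediation hint are my assumptions.

```powershell
# Added audit script (not from the page): unquoted service paths with non-admin-writable candidate dirs.
# Assumes an elevated PowerShell session. Remediation: quote the path, e.g.
#   sc config <name> binPath= "\"C:\Program Files\Some Folder\Service.exe\""

$nonAdmin  = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# CreateFiles is the bit needed to drop Program.exe / Some.exe; Write, Modify and FullControl all include it.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles

function Get-UnquotedServicePathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    # Keep only the part up to and including the executable; service arguments may follow it.
    $m   = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $PathName }
    $parts = $exe -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $prefix = $parts[0..($i - 1)] -join ' '
        # CreateProcess appends .exe to each extension-less prefix before trying it.
        if ($i -lt $parts.Count) { $prefix += '.exe' }
        $prefix
    }
}

function Test-NonAdminCanCreateFiles {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($nonAdmin -notcontains $ace.IdentityReference.Value) { continue }
        # An inherit-only ACE does not apply to the directory itself.
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false   # Deny ACEs and generic rights are not decoded; confirm with icacls as above.
}

# Same filter as the wmic one-liner: unquoted, contains a space, not under the Windows directory.
$services = Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and -not $_.PathName.StartsWith('"') -and
    $_.PathName -match ' ' -and $_.PathName -notlike "$env:SystemRoot\*"
}

$report = foreach ($svc in $services) {
    foreach ($cand in Get-UnquotedServicePathCandidates $svc.PathName) {
        $dir = Split-Path -LiteralPath $cand -Parent
        [pscustomobject]@{
            Service           = $svc.Name
            StartMode         = $svc.StartMode
            Candidate         = $cand
            NonAdminCanCreate = Test-NonAdminCanCreateFiles $dir
        }
    }
}
$report | Sort-Object NonAdminCanCreate -Descending | Format-Table -AutoSize
```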
Vulnerable Services
Similar to Unquoted Service Paths, but the weakness is in the permissions on the service object itself rather than in its path.
Check Permissions of Services:
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
Check Properties of the Service:
sc qc PFNet
DLL Hijacking
When a DLL is loaded, the application checks the following folders in order for the DLL (this is the default order with SafeDllSearchMode enabled). This can be used to add a DLL somewhere closer to the top of the list, which makes it possible to gain access to a process.
- The directory from which the application loaded
- 32-bit System directory (C:\Windows\System32)
- 16-bit System directory (C:\Windows\System)
- Windows directory (C:\Windows)
- The current working directory (CWD)
- Directories in the PATH environment variable (system then user)
If the executable tries to load a DLL and you have write access to the current working directory or a PATH directory, you have the ability to add a DLL and have it loaded by the application.
Vulnerable Programs
https://wadcoms.github.io/