Local Privilege Escalation
A page which sums up ways to elevate privileges locally on Windows machines as I gradually discover new ones
Access Tokens vectors
Every time a user logs into a Windows system, it is granted an access token for that logon session, and every time a process is executed on behalf of this user, a copy of that token is assigned to it. The token identifies the user, their groups, and their privileges. It also contains a Security Identifier (SID) that identifies the current logon session.
All of the aforementioned information can be consulted with a simple whoami /all.
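As an added example (not code from the original page), the following PowerShell function gathers the token fields the paragraph lists: the user, the group membership, the logon session SID and the privileges. It reads them through the .NET WindowsIdentity API and, for privileges (which that API does not expose), through the CSV output of whoami /priv. It assumes Windows PowerShell 5.1 or later on Windows with whoami.exe on the PATH; the function name Get-TokenSummary is my own.

```powershell
# Added example (not from the original page): summarize what the current
# access token carries, from the same sources whoami /all reads.
# Assumes Windows PowerShell 5.1+ on Windows and whoami.exe on the PATH.

function Get-TokenSummary {
    [CmdletBinding()]
    param()

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)

    # Translate group SIDs to account names where possible; keep the raw SID otherwise
    # (the logon SID, for instance, has no account name).
    $groups = @(foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }
    })

    # The logon session SID has the form S-1-5-5-X-Y and is unique per logon session.
    $logonSid = $identity.Groups |
        Where-Object { $_.Value -like 'S-1-5-5-*' } |
        Select-Object -First 1 -ExpandProperty Value

    # Privileges are not exposed by WindowsIdentity; parse "whoami /priv" as CSV.
    # /nh drops the header row, so column names are supplied explicitly.
    $privs = whoami.exe /priv /fo csv /nh |
        ConvertFrom-Csv -Header 'Name', 'Description', 'State'

    [pscustomobject]@{
        User               = $identity.Name
        UserSid            = $identity.User.Value
        LogonSessionSid    = $logonSid
        AuthType           = $identity.AuthenticationType
        # True only if the Administrators group is enabled in THIS token,
        # i.e. the process is actually elevated (see note below).
        IsElevatedAdmin    = $principal.IsInRole(
            [System.Security.Principal.WindowsBuiltInRole]::Administrator)
        GroupCount         = $groups.Count
        Groups             = $groups
        EnabledPrivileges  = @($privs | Where-Object State -eq 'Enabled'  |
                               Select-Object -ExpandProperty Name)
        DisabledPrivileges = @($privs | Where-Object State -eq 'Disabled' |
                               Select-Object -ExpandProperty Name)
    }
}

# Usage: print the summary of the token this shell is running under.
Get-TokenSummary | Format-List
```

IsElevatedAdmin describes the token of the current process, not the account: under UAC, a non-elevated shell opened by an administrator reports $false because the Administrators group is present in the filtered token as deny-only, the same entry whoami /groups labels "Group used for deny only". Disabled privileges are still part of the token and can be enabled by the process, which is why both lists are reported.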
Local Admin
Services vectors
Service related commands
net start
wmic service list brief
sc query
Get-Service
Check service permissions
sc qc [name of the service]
Unquoted Service Path
List all unquoted service paths from a command prompt (cmd):
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
REM Not only auto services
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v """
REM Other way, as a batch script (the double %% is batch-file syntax; use a single % interactively)
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
)
)
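The batch loop above reports unquoted service paths and, with icacls, whether broad groups have write access along the path. As an added example (not code from the original page), the PowerShell audit below does the same from the defender's side: for every service with an unquoted, space-containing executable path it computes the directories the loader would try before the real binary, reports which of the watched principals hold write rights there, and emits the sc.exe config line that fixes the path by quoting it. It assumes Windows PowerShell 5.1 or later with the CIM cmdlets, run from an elevated prompt so every service's configuration and ACL can be read; the function names and the default list of watched principals are my own choices.

```powershell
# Added example (not from the original page): audit services for unquoted
# binary paths containing spaces and show the remediation.
# Assumes Windows PowerShell 5.1+ and an elevated prompt.

function Test-WritableByPrincipal {
    # Return one record per Allow ACE on $Directory that grants a watched
    # principal the ability to create or replace files there.
    param([string]$Directory, [string[]]$Principals)
    if (-not (Test-Path -LiteralPath $Directory)) { return @() }
    $acl = Get-Acl -LiteralPath $Directory
    # Bits that allow dropping a file: WriteData/CreateFiles (2),
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
    # Modify and FullControl both include bit 2.
    $writeBits = 2 -bor 0x40000000 -bor 0x10000000
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        [pscustomobject]@{
            Directory = $Directory
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights.ToString()
        }
    }
}

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param(
        # Principals whose write access on a path prefix counts as a finding.
        [string[]]$WatchPrincipals = @('Everyone', 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        # A quoted path, or one without spaces, is not affected.
        if ($path.StartsWith('"') -or $path -notmatch '\s') { continue }

        # Separate the executable from its arguments at the first ".exe".
        if ($path -match '^(?<exe>.+?\.exe)(?<args>.*)$') {
            $exe = $Matches.exe; $argString = $Matches.args
        } else {
            $exe = $path; $argString = ''
        }
        if ($exe -notmatch ' ') { continue }   # spaces only in the arguments

        # Each space in the executable path yields a candidate the loader tries
        # first, e.g. C:\Program.exe then C:\Program Files\My.exe; what matters
        # is whether the directory each candidate lands in is writable.
        $parts = $exe -split ' '
        $dirs = for ($i = 0; $i -lt $parts.Count - 1; $i++) {
            Split-Path -Parent (($parts[0..$i] -join ' ') + '.exe')
        }
        $findings = @(foreach ($dir in ($dirs | Sort-Object -Unique)) {
            Test-WritableByPrincipal -Directory $dir -Principals $WatchPrincipals
        })

        [pscustomobject]@{
            ServiceName  = $svc.Name
            StartMode    = $svc.StartMode
            RunsAs       = $svc.StartName
            PathName     = $path
            WritableDirs = @($findings | ForEach-Object {
                "$($_.Directory) [$($_.Principal): $($_.Rights)]" })
            # Fix: quote the executable in the service configuration.
            Remediation  = "sc.exe config `"$($svc.Name)`" binPath= `"\`"$exe\`"$argString`""
        }
    }
}

# Usage: list every unquoted path; filter on WritableDirs for the ones that matter.
Get-UnquotedServicePath | Where-Object { $_.WritableDirs.Count -gt 0 } | Format-List
```

The report deliberately separates the two conditions: an unquoted path is a configuration defect worth fixing on its own (Remediation gives the exact sc.exe line), while a non-empty WritableDirs is what turns it into an escalation path, so that is the one to triage first. The watched principals are compared by account name as Get-Acl renders them; extend the list if your environment uses custom broad groups.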
LOLBAS
LOLBAS (short for Living Off the Land Binaries And Scripts) is a collection of 135+ binaries and scripts that can be abused by an attacker in a Windows environment during the post-exploitation phase: https://lolbas-project.github.io/#