Windows PE

Before learning the techniques used for privilege escalation on a Windows system, it is important to understand a few fundamentals of how the operating system decides what a user is allowed to do.

A privilege is a right held by a user or account to perform a system-wide operation, such as shutting the machine down, loading a driver or debugging other processes. It is distinct from the permissions granted on individual objects (files, registry keys, services) by their access control lists.

After successful authentication the user is issued an access token. Every process and thread the user starts carries a copy of it, and Windows consults the token whenever the process exercises a privilege or opens a securable object.

Security principals (users, groups and computers) are identified by a security identifier, or SID; the token holds the user's SID, the SIDs of the groups the user belongs to, and the user's privileges. SIDs are issued by the Local Security Authority for local accounts and by a domain controller for domain accounts. Some SIDs are well known and fixed on every system, for example S-1-5-18 (LocalSystem) and S-1-5-32-544 (the local Administrators group).

Additionally, the Windows integrity mechanism assigns an integrity level to every process and securable object. It expresses how much the OS trusts the running code: a process cannot write to an object whose integrity level is higher than its own, regardless of what the object's ACL says. Windows defines a few more levels (there is an Untrusted level below Low), but the four you will meet most often are,

  • System integrity process : runs as LocalSystem or a service account with system rights

  • High integrity process : runs with the full administrator token (administrative rights)

  • Medium integrity process : standard user rights; also the level an administrator's processes run at before UAC elevation

  • Low integrity process : restricted rights, used for sandboxed code such as browser renderers

User Account Control (UAC) is the mechanism that enforces this split. When a member of the Administrators group logs on, Windows builds two tokens: a filtered token at medium integrity, in which the Administrators group is marked "used for deny only" and most privileges are removed, and the full token at high integrity. Everything the user starts gets the filtered token until a program requests elevation, at which point UAC prompts and, if the prompt is approved, starts the program with the full token. There are two prompt modes. With the credential prompt, shown to standard users, the user must enter an administrator's credentials for the action to continue. With the consent prompt, shown to administrators (Admin Approval Mode), the user is simply notified and asked to approve. UAC does not block unauthorized applications on its own, and Microsoft does not consider it a security boundary; it limits what a process can do until elevation is granted, which is why the UAC bypasses discussed later matter.

Insecure File Permissions

In this method a low-privileged user exploits a service whose executable can be modified by that user because of incorrect file permissions, while the service itself runs as NT AUTHORITY\SYSTEM (or another privileged account). Whatever replaces the executable then runs with the service's privileges.

We can list the running services, together with the path of each service's executable, using the following command in a PowerShell window,

Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

Once a candidate service is identified, we can inspect the permissions on its executable using the following command,

icacls "Path of the application executable"

In the icacls output, look at the rights mask for the principals a standard user belongs to: Everyone, BUILTIN\Users, NT AUTHORITY\Authenticated Users, or the current user. (F) full control, (M) modify and (W) write all allow the file to be replaced; (RX) read and execute does not. A service binary that one of these principals can write to is the vulnerability.

As the next step, a malicious executable is created and copied over the service binary (keep a backup of the original so the service can be restored). Note that the service control manager expects a real service executable: a plain program that never reports to the SCM will run its payload and then be killed when the start timeout expires, which is usually enough for a payload such as adding a user or launching a reverse shell.

The service then has to be restarted for the new binary to run. If the user holds the right to stop and start the service, restart it directly; if not, check whether the service is set to start automatically at boot using the following command,

wmic service where caption="App Name" get name, caption, state, startmode

(wmic is deprecated and may be absent on recent Windows builds; the Get-WmiObject query above also returns the StartMode property of each service.)

If the service starts automatically and the current user holds the right to restart the OS (SeShutdownPrivilege), the same can be done using the following command,

shutdown /r /t 0 

Unquoted Service Paths

This vector depends only on whether the service's executable path is quoted. Every service is mapped to an executable, usually installed under C:\Program Files\. If the developer registers the path without quotes and the path contains spaces, the service control manager's call to CreateProcess cannot tell where the executable name ends and its arguments begin, so it tries each space-delimited prefix in turn, appending .exe, until one of them exists.

For example, if the path is registered unquoted as C:\Program Files\new programs\test.exe, the OS will try the following locations, in this order,

  • C:\Program.exe

  • C:\Program Files\new.exe

  • C:\Program Files\new programs\test.exe

So all you have to do is place a malicious executable at one of the earlier candidate locations and get the service restarted, or reboot the system if the service is set to start automatically. The catch is write access: by default a standard user cannot create files in C:\ or under C:\Program Files\, so the vector is only real when an intermediate directory (typically a vendor folder with its own, weaker ACL) is writable, and the service must run as a privileged account such as LocalSystem for the escalation to be worth anything.
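The two checks described above, service binaries writable by a low-privileged user and unquoted service paths whose candidate directories are writable, as one added PowerShell example. This is not code from the original page; it assumes only a PowerShell prompt on the target. The list of low-privileged principals, the cut-at-first-".exe" parsing of the service command line and the simplified handling of Deny entries are assumptions of this example.

```powershell
# Added example, not from the original page. Enumerates services and reports
# (a) service binaries that a low-privileged principal can overwrite and
# (b) unquoted paths with spaces whose candidate directories are writable.
# Runs from a standard user's PowerShell prompt; nothing on the system is modified.

# Principals a standard user is normally a member of. This list is an assumption
# for the example; add any group names relevant to the target.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    "$env:USERDOMAIN\$env:USERNAME"
)

# Rights that let a caller replace a file or create one in a directory; these
# are what icacls prints as (F), (M), (W), (WD) or (AD).
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl'

function Test-LowPrivWritable {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allowed = $false
    foreach ($ace in $acl.Access) {
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
        # Simplification: any matching Deny entry is treated as blocking the write
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Get-ServiceExePath {
    # Returns the executable path from a Win32_Service PathName, dropping arguments
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted: cut at the first ".exe" (simplification that covers the common case)
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

function Get-UnquotedCandidates {
    # For an unquoted path containing spaces, return the paths CreateProcess tries
    # before the real one, e.g. C:\Program.exe then C:\Program Files\new.exe
    param([string]$PathName)
    if ($PathName.StartsWith('"')) { return @() }
    $exe = Get-ServiceExePath $PathName
    if ($exe -notmatch ' ') { return @() }
    $parts = $exe -split ' '
    $out = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $out += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $out
}

function Find-WeakServices {
    foreach ($svc in Get-WmiObject Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceExePath $svc.PathName
        if (Test-LowPrivWritable $exe) {
            [pscustomobject]@{
                Service = $svc.Name; RunsAs = $svc.StartName; StartMode = $svc.StartMode
                Issue = 'binary writable'; Target = $exe
            }
        }
        foreach ($candidate in Get-UnquotedCandidates $svc.PathName) {
            # The attacker needs to create a file in the candidate's parent directory
            if (Test-LowPrivWritable (Split-Path -Parent $candidate)) {
                [pscustomobject]@{
                    Service = $svc.Name; RunsAs = $svc.StartName; StartMode = $svc.StartMode
                    Issue = 'unquoted path, directory writable'; Target = $candidate
                }
            }
        }
    }
}

Find-WeakServices | Format-Table -AutoSize
```

Confirm every hit by actually creating a file at the reported location before building a payload, since inheritance-only entries and Deny ACEs make a static read of the ACL unreliable. The RunsAs and StartMode columns tell you whether the service is worth hijacking and whether a reboot will trigger it; if you hold the right to control the service, sc stop and sc start on the service name restart it without a reboot.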

Windows Kernel Vulnerabilities

Kernel-mode code, both the Windows kernel itself and third-party drivers, is another route to SYSTEM that is independent of UAC: a vulnerability in a driver lets attacker-controlled code run in ring 0. To exploit such a vulnerability reliably we first need exact information about the OS, its build and its patch level, because kernel exploits are usually specific to a build.

We can get the OS related info using the following command,

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

With the information gathered we can look for public kernel exploits matching the build and the missing patches (the full systeminfo output also lists installed hotfixes by KB number). For third-party driver bugs, we can list the loaded drivers using the following command,

driverquery /v

Compare the listed drivers and their versions against published advisories and known-vulnerable-driver lists, then use a matching exploit to elevate privileges. One caveat: a failed kernel exploit usually crashes the machine rather than failing quietly, so test it against a lab build that matches the target before running it on a production host.
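The enumeration step above, collected into objects that can be compared offline with advisories, as an added PowerShell example. This is not code from the original page; it uses the Win32_OperatingSystem and Win32_SystemDriver CIM classes, Get-HotFix and Get-AuthenticodeSignature, and the rule that inbox drivers report "Microsoft Corporation" as CompanyName is a heuristic assumed for the example.

```powershell
# Added example, not from the original page. Gathers the build and patch level
# and the loaded non-Microsoft kernel drivers into objects for offline comparison
# with kernel and driver exploit advisories. Read-only, no elevation needed.

function Get-OsTriage {
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Name         = $os.Caption
        Version      = $os.Version          # e.g. 10.0.19045 (major.minor.build)
        Architecture = $os.OSArchitecture
        LastBoot     = $os.LastBootUpTime
        # KB numbers of installed updates; what is missing narrows the exploit search
        Hotfixes     = (Get-HotFix | Sort-Object InstalledOn | ForEach-Object HotFixID) -join ' '
    }
}

function Resolve-DriverPath {
    # Win32_SystemDriver reports paths in several forms: C:\..., \SystemRoot\..., \??\C:\...
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ThirdPartyDrivers {
    foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running') {
        $path = Resolve-DriverPath $drv.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $info = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo
        if (-not $info) { continue }
        # Heuristic (assumption of this example): drivers shipped with Windows carry
        # "Microsoft Corporation" as CompanyName. The field is vendor-supplied
        # metadata, not a signature, so treat it as a filter, not as proof.
        if ($info.CompanyName -match 'Microsoft') { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        # WHQL-signed third-party drivers are signed with a Microsoft-issued
        # certificate, so the signer alone does not tell you who wrote the driver.
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{
            Name      = $drv.Name
            Path      = $path
            Company   = $info.CompanyName
            Version   = $info.FileVersion
            Signer    = $signer
            SigStatus = $sig.Status
        }
    }
}

Get-OsTriage | Format-List
Get-ThirdPartyDrivers | Sort-Object Company | Format-Table Name, Company, Version, SigStatus -AutoSize
```

The Version and Hotfixes fields are what you match against an advisory's affected-build list; the driver table is the set to look up by vendor and file version. Drivers that are running but not signed, or whose signature status is not Valid, deserve a closer look in their own right.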

Finding Autoelevate Process

Once you have a shell on a Windows machine and the shell's user is a member of the local Administrators group but is running with the filtered medium-integrity token, you can look for processes whose manifest sets autoElevate, which UAC elevates without showing a prompt, and abuse one of them to bypass UAC. UAC only honours autoElevate for Microsoft-signed binaries in trusted locations such as C:\Windows\System32, so that is where to search. The Sysinternals strings tool can search the executables for the manifest element; ensure that you use the build of strings matching the architecture of the machine it runs on (strings64.exe on 64-bit Windows).

You can then use the following command to look for processes that have auto elevate set,

strings -s *.exe | findstr /i "<autoElevate>true</autoElevate>"

From the listed binaries, pick the ones for which bypass techniques are already published, such as eventvwr.exe, explained here.
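The same search done from PowerShell without Sysinternals strings, preceded by a check that the current shell actually holds a filtered administrator token, as an added example that is not code from the original page. It assumes an English-locale whoami output (the "deny only" attribute text) and that the auto-elevating binaries live in System32; both are assumptions of the example.

```powershell
# Added example, not from the original page. Reports whether the current shell
# holds a UAC-filtered administrator token (the situation in which a UAC bypass
# is useful) and lists executables whose embedded manifest sets autoElevate,
# without needing Sysinternals strings. Read-only.

function Test-FilteredAdminToken {
    # whoami lists every group SID in the token; S-1-5-32-544 is local Administrators.
    # In a UAC-filtered token the group is present but marked "used for deny only".
    # Assumption: English locale, so the attribute text matches 'deny only'.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object SID -eq 'S-1-5-32-544'
    if (-not $admins) { return 'not a member of Administrators: UAC bypass does not help' }
    if ($admins.Attributes -match 'deny only') { return 'Administrators, filtered token: UAC bypass applies' }
    return 'Administrators, full token: already elevated'
}

function Get-AutoElevateBinaries {
    # Assumption for the example: auto-elevating binaries are found in System32
    param([string]$Directory = "$env:SystemRoot\System32")
    $pattern = '<autoElevate>\s*true\s*</autoElevate>'
    foreach ($file in Get-ChildItem -LiteralPath $Directory -Filter *.exe -File -ErrorAction SilentlyContinue) {
        try { $bytes = [System.IO.File]::ReadAllBytes($file.FullName) } catch { continue }
        # The manifest is plain XML stored in the RT_MANIFEST resource, so a text
        # search over the raw bytes finds it; the regex tolerates whitespace
        # variants that a literal findstr pattern would miss.
        if ([System.Text.Encoding]::ASCII.GetString($bytes) -notmatch $pattern) { continue }
        # UAC only honours autoElevate for Microsoft-signed binaries in trusted
        # directories, so report the signature state next to the name.
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        [pscustomobject]@{
            Name   = $file.Name
            Signed = ($sig.Status -eq 'Valid')
            Signer = $signer
        }
    }
}

Test-FilteredAdminToken
Get-AutoElevateBinaries | Sort-Object Name | Format-Table -AutoSize
```

If Test-FilteredAdminToken reports that the user is not in Administrators, a UAC bypass is the wrong tool; the filtered-token case is the one where an auto-elevating binary that loads a hijackable DLL or registry value turns into high integrity without a prompt.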
