Windows Privilege Escalation

Here are some techniques for achieving privilege escalation on Windows systems:

Abusing SSH keys

  • Check whether we have read permission on a user's SSH private key files

#On the target machine
type C:\Users\$user\.ssh\$keyfile    #For a user

The default private key file is named id_rsa


  • Copy the key into a file on our machine, restrict the file's permissions, and use it to log in

#On our machine
nano $filename #Copy here the keys
chmod 600 $filename
ssh $username@$IP -i $filename

SSH refuses to use a private key whose permissions are too open, so chmod 600 id_rsa sets the restrictive mode it expects; a copied key then works like any other


  • When we have write permission on a user's .ssh/ directory, we can generate an SSH key pair as our current user and plant the public key on the system

ssh-keygen -f $keyfile

This generates $keyfile containing the private key and $keyfile.pub containing the public key


  • Append the public key to the root user's authorized_keys file


  • Log in as that user with the private key

Abusing .bat files with full control permissions

When a .bat file (a Windows batch script) is executed by the system and our user holds Full Control over it, we can modify its contents so that our own commands run with the privileges of whatever process executes the script

  • Try spawning PowerShell from CMD with any user we have access to


  • Find a .bat file and check whether it grants Full Control. If it does, check whether it launches any processes and whether any of them are still running


  • Download and import a Netcat executable for Windows


  • Start a Netcat listener to catch the connection, then replace the content of the .bat file with a command that spawns the Netcat executable

Then wait for the system to run the script again, now executing our payload
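The two weaknesses above (SSH key material that other users can read or write, and batch scripts the system runs that a low-privilege user can modify) are both permission problems, so a defender can audit for both with one check. The following PowerShell script is an added example for this page, not part of the original notes. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the ScheduledTasks module present and is meant to be run from an elevated prompt so that every profile and task is visible; the list of identities it treats as low-privilege, the function name Get-WeakAce and the regular expression used to spot .bat/.cmd paths in task actions are assumptions of this example. C:\ProgramData\ssh\administrators_authorized_keys is the file Windows OpenSSH Server consults for members of the Administrators group.

```powershell
# Added audit example, not from the original notes. Assumes Windows PowerShell 5.1 /
# PowerShell 7 on Windows with the ScheduledTasks module; run elevated so all
# profiles and scheduled tasks are visible.

# Identities treated as "low-privilege" (assumption of this example; extend as needed).
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
$FSR = [System.Security.AccessControl.FileSystemRights]
# Any of these rights lets a file's contents be replaced or its ACL rewritten.
$WriteRights = $FSR::FullControl -bor $FSR::Modify -bor $FSR::Write -bor
               $FSR::WriteData -bor $FSR::AppendData -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership

function Get-WeakAce {
    # Emits one object per Allow ACE on $Path that grants a low-privilege identity write
    # access (or, with -IncludeRead, read access too, which is what matters for a private key).
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$IncludeRead
    )
    $rights = [int]$WriteRights
    if ($IncludeRead) { $rights = $rights -bor [int]($FSR::Read) }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $rights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# 1. SSH material: a writable .ssh directory or authorized_keys lets keys be planted;
#    a readable private key (id_* without .pub) lets it be copied and reused elsewhere.
$sshDirs = foreach ($prof in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $d = Join-Path $prof.FullName '.ssh'
    if (Test-Path -LiteralPath $d) { $d }
}
$sshFindings = foreach ($sshDir in $sshDirs) {
    Get-WeakAce -Path $sshDir
    foreach ($f in Get-ChildItem -LiteralPath $sshDir -File -Force -ErrorAction SilentlyContinue) {
        if ($f.Name -like 'id_*' -and $f.Extension -ne '.pub') {
            Get-WeakAce -Path $f.FullName -IncludeRead
        } else {
            Get-WeakAce -Path $f.FullName
        }
    }
}
$adminKeys = 'C:\ProgramData\ssh\administrators_authorized_keys'   # used by Windows OpenSSH Server
if (Test-Path -LiteralPath $adminKeys) { $sshFindings = @($sshFindings) + @(Get-WeakAce -Path $adminKeys) }

# 2. Batch scripts launched by scheduled tasks: a low-privilege write ACE means the
#    script body can be replaced before the task next runs it as its principal.
#    The regex below is a heuristic: an unquoted path followed by further arguments
#    may not be recognised, so treat this as a first pass rather than proof of absence.
$batFindings = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # COM-handler actions have no command line
        foreach ($part in @($action.Execute, $action.Arguments)) {
            if (-not $part) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($part)
            if ($expanded -match '(?i)([a-z]:\\[^"]*?\.(bat|cmd))') {
                $batPath = $Matches[1]
                if (-not (Test-Path -LiteralPath $batPath)) { continue }
                foreach ($hit in Get-WeakAce -Path $batPath) {
                    $hit | Add-Member -NotePropertyName Task  -NotePropertyValue $task.TaskName -PassThru |
                           Add-Member -NotePropertyName RunAs -NotePropertyValue $task.Principal.UserId -PassThru
                }
            }
        }
    }
}

# Report everything found; an empty table means neither weakness was detected by this check.
@($sshFindings) + @($batFindings) | Where-Object { $_ } | Sort-Object Path | Format-Table -AutoSize
```

Each row names the file, the over-privileged identity and the rights it holds; for batch scripts it also shows which task runs the file and as which account, which is exactly the pair (writable script, privileged runner) the technique above relies on. Remediation is to remove the offending ACE (icacls or Set-Acl) and, for private keys, to rotate any key that was readable by others.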
