Windows Automated Scripts

Introduction

We have already discussed manual approaches to privilege escalation on Windows. In this post we will look at tools and scripts that automate the enumeration, and use them to escalate our privileges from a standard user.

PowerUp

PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and other escalation opportunities.

PowerUp checks for:

  • Current privileges
  • Unquoted service paths
  • Service executable permissions
  • Service permissions
  • %PATH% for hijackable DLL locations
  • AlwaysInstallElevated registry key
  • Autologon credentials in registry
  • Modifiable registry autoruns and configs
  • Modifiable schtask files/configs
  • Unattended install files
  • Encrypted web.config strings
  • Encrypted application pool and virtual directory passwords
  • Plaintext passwords in McAfee SiteList.xml
  • Cached Group Policy Preferences .xml files

git clone https://github.com/PowerShellMafia/PowerSploit.git
cd PowerSploit
ls
cd Privesc
ls

Load the PowerShell extension in the Meterpreter session, then import the downloaded script and run all checks:

load powershell
powershell_import '/home/powesploit/Privesc/PowerUp.ps1'
powershell_execute Invoke-AllChecks

It will enumerate the target system and give you a valuable result.
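As an added, read-only example that is not PowerUp's own code, the following PowerShell script performs two of the checks from the list above (unquoted service paths and the AlwaysInstallElevated registry values) so an administrator can verify on a host what Invoke-AllChecks would report; it assumes only the standard Win32_Service class and the two Installer policy key paths, and reports findings without changing anything.

```powershell
# Added example (not PowerUp's code): read-only audit of two of the
# misconfigurations Invoke-AllChecks reports, for reviewing a host.

function Get-UnquotedServicePath {
    # The Service Control Manager resolves an unquoted path that contains
    # spaces by trying each prefix in turn (C:\Program.exe,
    # C:\Program Files\Vendor.exe, ...), so a writable directory early in
    # the path lets a planted binary start with the service's account.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            (($_.PathName -split '\.exe')[0]) -match ' '
        } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                RunAs     = $_.StartName
                PathName  = $_.PathName
                Fix       = 'Quote the binary path in the service configuration'
            }
        }
}

function Test-AlwaysInstallElevated {
    # MSI packages install as SYSTEM only when BOTH values are 1;
    # a missing value or 0 in either hive means the policy is off.
    $paths = @{
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $result = [ordered]@{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $v = Get-ItemProperty -Path $paths[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $result[$hive] = if ($v) { $v.AlwaysInstallElevated } else { $null }
    }
    $result['Enabled'] = ($result['HKLM'] -eq 1 -and $result['HKCU'] -eq 1)
    [pscustomobject]$result
}

'== Services with unquoted paths containing spaces =='
Get-UnquotedServicePath | Format-Table -AutoSize
'== AlwaysInstallElevated policy =='
Test-AlwaysInstallElevated | Format-List
```

Any service listed should have its path quoted, and both AlwaysInstallElevated values should be absent or 0 unless the policy is deliberately in use.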

JAWS (Just Another Windows (Enum) Script)

JAWS does not only check for privilege escalation misconfigurations, it also gathers general information about the current state of the host.

It will enumerate target features for:

Current Features

  • Network Information (interfaces, arp, netstat)
  • Firewall Status and Rules
  • Running Processes
  • Files and Folders with Full Control or Modify Access
  • Mapped Drives
  • Potentially Interesting Files
  • Unquoted Service Paths
  • Recent Documents
  • System Install Files
  • AlwaysInstallElevated Registry Key Check
  • Stored Credentials
  • Installed Applications
  • Potentially Vulnerable Services
  • MuiCache Files
  • Scheduled Tasks

Known Issues

  • Output for firewall rules can sometimes be clipped.
  • When running from within a shell the script doesn't always tell you it's finished.
  • When running within some PowerShell reverse shells the running menu isn't shown.

To Do

  • Add full directory listing with user-defined depth
  • Read SAM file permissions
  • Improve output

git clone https://github.com/411Hall/JAWS.git

Upload jaws-enum.ps1 to the target system

and execute it in the target's shell:

powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename EnumOutput.txt

Now open the EnumOutput.txt file and you will find your results.

Sherlock

Sherlock is a PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

Clone it from GitHub on the attacking system:

git clone https://github.com/rasta-mouse/Sherlock.git

Load the PowerShell extension in Meterpreter:

load powershell

then import the script and execute it:

powershell_import '/home/Desktop/Sherlock/Sherlock.ps1'
powershell_execute "find-allvulns"

Watson

Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities.

https://github.com/rasta-mouse/Watson

Upload it to the target system and execute it to get the results.

Windows Exploit Suggester - Next Generation

WES-NG is a tool that works from the output of Windows' systeminfo utility and provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.

https://github.com/bitsadmin/wesng

  • Run systeminfo > sysinfo.txt on the target
  • Then execute wes.py sysinfo.txt

It will then print the results.

BeRoot: Windows Privilege Escalation Tool

BeRoot Project is a post-exploitation tool that checks common misconfigurations to find a way to escalate our privileges. It has been added to the pupy project as a post-exploitation module (so it is executed in memory without touching the disk). It works on Linux, Windows and macOS.

git clone https://github.com/AlessandroZ/BeRoot.git

Upload it to the target system and run it.

winPEAS (Windows Privilege Escalation Awesome Scripts)

It checks for possible paths to escalate privileges on a Windows system. It also comes in a .bat format, so if you are not allowed to execute .exe files you can use the .bat version of winPEAS instead. It performs all the checks that need to be performed on the target in order to escalate your privileges.

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

winPEAS checklist

There is also a Linux counterpart, LinPEAS.

LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix* hosts.

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS

LinPEAS Checklist

Conclusion

In this blog post we have learned automated approaches to privilege escalation on Windows systems. There are many tools and approaches for this purpose; use whichever you are most comfortable with.