Windows

Cheatsheet

Windows Privilege Escalation Guidewww.absolomb.com

Vulnerabilities for Privesc

MS16-032 (Secondary Logon to Address Elevation of Privilege)

Microsoft Security Bulletin MS16-032 - ImportantMicrosoftLearn

Rapid7Rapid7

This module exploits the lack of sanitization of standard handles in Windows’ Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.

You can test it on Hack the box "Grandpa": - OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition - OS Version: 5.2.3790 Service Pack 2 Build 3790 - Hotfix(s): N/A

MS15-051 (Windows Kernel-Mode Drivers Could Allow Elevation of Privilege)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on locally and runs arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability cannot be exploited remotely or by anonymous users.

Microsoft Security Bulletin MS15-051 - ImportantMicrosoftLearn

windows-kernel-exploits/MS15-051 at master · SecWiki/windows-kernel-exploitsGitHub

You can test it on Hack the box "Bastard": - OS Name: Microsoft Windows Server 2008 R2 Datacenter - OS Version: 6.1.7600 N/A Build 7600 - Hotfix(s): N/A

MS14-070 (TCP/IP Could Allow Elevation of Privilege)

Microsoft Security Bulletin MS14-070 - ImportantMicrosoftLearn

Rapid7Rapid7

A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys can allow a local attacker to trigger a NULL pointer dereference by using a specially crafted IOCTL. This flaw can be abused to elevate privileges to SYSTEM.

You can test it on Hack the box "Granny": - OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition - OS Version: 5.2.3790 Service Pack 2 Build 3790 - Hotfix(s): Q147222

MS10-015 (Windows Kernel Could Allow Elevation of Privilege)

Microsoft Security Bulletin MS10-015 - ImportantMicrosoftLearn

Rapid7Rapid7

This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.

You can test it on Hack the box "Devel": - OS Name: Microsoft Windows 7 Enterprise - OS Version: 6.1.7600 N/A Build 7600 - Hotfix(s): N/A

Tools

Windows Exploit Suggester

GitHub - strozfriedberg/Windows-Exploit-Suggester: This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.GitHub

Local Exploit Suggester with MSF

Sherlock.ps1 > Find-AllVulns

GitHub - rasta-mouse/Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.GitHub

PowerSploit > PowerUp.ps1> Invoke-AllChecks

Mimikaz

Understanding Guide to MimikatzHacking Articles