This document provides an overview of practical Windows privilege escalation techniques. It begins with introductions and disclaimers, then discusses Windows access control models and concepts like integrity levels. It proceeds to demonstrate potential escalation avenues like exploiting privileged access elsewhere on the network, extracting credentials from files, exploiting unpatched vulnerabilities, weak permissions on services/files, AlwaysInstallElevated policies, and DLL hijacking. The document emphasizes that privilege escalation is still possible even with UAC and provides tools and references for further information.

1. Practical Windows Privilege
Escalation
Andrew Smith

2. C:>type disclaimer.txt
•The opinions expressed in this
presentation are mine and not
those of my employer.

3. C:>whoami /all
•Andrew Smith
•@jakx_
•Penetration Tester
•OWASP
•Metasploit
•CTF
•Certs

4. C:>whois you

5. What are you talking about?
•Relevant Windows Security Info
•PrivEsc tricks win7
•Limited user -> Local Admin

6. Why should I care?
•You wanna level up
•You wanna prevent level up
•Hack the planet!
•You like Mario?

7. Why should I care?
•"People designing defenses who have
never had them evaluated by a good
attacker is kind of like learning one of
those martial arts that look more like
dancing than fighting. They look nice,
but when you get into a fight your
dance kungfu isn’t going to help you
not get your ass kicked."
-Dan Guido

8. Windows Access Control
*https://msdn.microsoft.com/en-
us/library/windows/desktop/aa379557%28v=vs.85%29.aspx
•Securable Objects
•Files
•Directories
•Services
•Registry Keys
•Named Pipes

9. Windows Access Control
*https://msdn.microsoft.com/en-
us/library/windows/desktop/aa379563%28v=vs.85%29.aspx
•Security Descriptor
•Discretionary Access Control List
(DACL)
•Access Control Entries (ACE)

10. Windows Access Control
*https://msdn.microsoft.com/en-
us/library/windows/desktop/aa379563%28v=vs.85%29.aspx
•Access Token
•Container of user
security info
•SID, groups,
privileges
•Tied to process or
thread

11. Windows Access Control

12. Windows Access Control
Access
Token

13. Windows Access Control
Access
Token
DACL

14. Windows Access Control
Access
Token
DACL
AccessChk

15. Mandatory Integrity Control
*https://msdn.microsoft.com/en-us/library/bb625963.aspx
•Security feature post-Vista
•Assigns process Integrity Levels
•Indicates “trustworthiness” of
object

16. Windows Integrity Levels
*Windows® Internals: Including Windows Server 2008 and
Windows Vista, Fifth Edition

17. Windows Integrity Levels
Low Medium High SYSTEM
*https://msdn.microsoft.com/en-us/library/bb625963.aspx

18. Windows Integrity Levels
*https://msdn.microsoft.com/en-us/library/bb625963.aspx
Low Medium High SYSTEM
UAC
Just ask nicely…

19. The Setup…
•Land on workstation as SKYNETLuigi
via $method
•Want to escalate privileges
•Limited User -> Local Admin
•Marketing isnt Admin… right?

20. Time to Level Up!
•Admin somewhere else?
•Creds in files
•Exploit unpatched EoP bugs
•Exploit insecure configs/apps
•Weak Services DACLs
•Weak File DACLs
•AlwaysInstallEvelated
•DLLs

21. Somewhere Else?
•Luigi in “Domain Users” group
•1 box “Domain Users” in “Administrators”

22. Somewhere Else?
•Powerview
•https://github.com/PowerShellMafia/PowerSploit/blob/m
aster/Recon/PowerView.ps1
• Find-LocalAdminAccess

23. Somewhere Else?

24. Creds in Files
•C:usersluigiDesktoppasswords.xls
•C:>dir /b /s web.config
•C:>dir /b /s unattend.xml
•C:>dir /b /s sysprep.inf
•C:>dir /b /s sysprep.xml
•C:>dir /b /s *pass*
•GPP
•mushroomkindgomSYSVOL????

25. Windows EoP Buggzz
•Enumerate missing patches
•post/windows/gather/enum_patches
•post/multi/recon/local_exploit_suggester
•Pwn

26. Windows EoP Buggzz
•MS13-053

27. Weak Service Permissions
Accesschk.exe –qwcu “Authenticated Users” *
Accesschk.exe –qwcu “Users” *
Accesschk.exe –qwcu “Everyone” *

28. Weak Service Permissions
•Can we edit the service config?
•Can we edit the binary it points to?

29. Weak Service Permissions
•Demo

30. Weak File Permissions
•Look for writeable files
•Autoruns?
•Scheduled Tasks?
Accesschk.exe –qwsu “Authenticated Users” c:
Accesschk.exe –qwsu “Users” c:
Accesschk.exe –qwsu “Everyone” c:

31. Weak File Permissions
•Story time

32. Weak File Permissions
•Story time
•Main app binary writeable “users”

33. Weak File Permissions
•Story time
•Main app binary writeable “users”
•Autorun on login

34. Weak File Permissions

35. Weak File Permissions
• “Nah bro, UAC”

36. Weak File Permissions
• Admin logs in

37. Weak File Permissions
• Admin logs in
• Backdoored binary auto-executes

38. Weak File Permissions
• Admin logs in
• Backdoored binary auto-executes
• Code execution at medium IL as admin
(UAC)

39. Weak File Permissions
•“One important thing to know is that UAC is
not a security boundary.”
*https://blogs.msdn.microsoft.com/e7/2009/02/05/upda
te-on-uac/

40. AlwaysInstallElevated
•Group policy setting that makes installing
packages (.msi) convenient…
•..Any .msi…
•for everyone..

41. AlwaysInstallElevated
reg query
HKLMSOFTWAREPoliciesMicrosoft
WindowsInstaller /v
AlwaysInstallElevated
reg query
HKCUSOFTWAREPoliciesMicrosoft
WindowsInstaller /v
AlwaysInstallElevated

42. AlwaysInstallElevated
•Demo

43. DLL Hijacking
•Windows can dynamically load DLLs
•If full path not used/missing, Windows
executes DLL Search Order
•Eg.
•LoadLibrary(“ohnoes.dll”)
vs
•LoadLibrary(“c:program filesohnoes.dll”)

44. DLL Hijacking
1. The directory from which the application
loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. The directories listed in the PATH
environment variable.
*https://msdn.microsoft.com/en-
us/library/windows/desktop/ms682586%28v=vs.85%29.aspx

45. DLL Hijacking
1. The directory from which the application
loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory. (Exploitable)
6. The directories listed in the PATH
environment variable. (Exploitable)
*https://msdn.microsoft.com/en-
us/library/windows/desktop/ms682586%28v=vs.85%29.aspx

46. DLL Hijacking
•Privileged app loads missing DLL +
controllable search path element = pwned
•Use Sysinternals Procmon
•Include “.dll”
•Include “NAME NOT FOUND”
•Include folder in path

47. DLL Hijacking
•Demo

48. Conclusions
•Know your network/apps
•Don’t run as admin
•UAC IS NOT A SECURITY BOUNDARY
•Patch your shit
•“Hack yourself first”

49. Tools
•Powerup
•https://github.com/PowerShellMafia/PowerSploit/blob/master/Priv
esc/PowerUp.ps1
•Windows-privesc-check
•https://github.com/pentestmonkey/windows-privesc-check
•Sysinternals Suite
•https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx

50. References/Resources
https://www.insomniasec.com/downloads/publications/WindowsPrivEsc.ppt
https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Service
s_-_All_roads_lead_to_SYSTEM.pdf
https://technet.microsoft.com/en-us/sysinternals/bb545027
http://www.greyhathacker.net/?p=738
Greyhat Hacking 4th edition
Windows Internals 6th edition
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-
26665607

51. Questions?
@jakx_
ajs@swordshield.com