This document provides an overview of practical Windows privilege escalation techniques. It begins with introductions and disclaimers, then discusses Windows access control models and concepts like integrity levels. It proceeds to demonstrate potential escalation avenues like exploiting privileged access elsewhere on the network, extracting credentials from files, exploiting unpatched vulnerabilities, weak permissions on services/files, AlwaysInstallElevated policies, and DLL hijacking. The document emphasizes that privilege escalation is still possible even with UAC and provides tools and references for further information.
5. What are you talking about?
• Relevant Windows Security Info
• PrivEsc tricks win7
• Limited user -> Local Admin
6. Why should I care?
• You wanna level up
• You wanna prevent level up
• Hack the planet!
• You like Mario?
7. Why should I care?
• "People designing defenses who have never had them evaluated by a good attacker is kind of like learning one of those martial arts that look more like dancing than fighting. They look nice, but when you get into a fight your dance kung fu isn't going to help you not get your ass kicked."
-Dan Guido
38. Weak File Permissions
• Admin logs in
• Backdoored binary auto-executes
• Code execution at medium IL as admin (UAC)
39. Weak File Permissions
• “One important thing to know is that UAC is not a security boundary.”
*https://blogs.msdn.microsoft.com/e7/2009/02/05/update-on-uac/
43. DLL Hijacking
• Windows can dynamically load DLLs
• If full path not used/missing, Windows executes DLL Search Order
• E.g.
• LoadLibrary("ohnoes.dll")
vs
• LoadLibrary("c:\program files\ohnoes.dll")
44. DLL Hijacking
1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. The directories listed in the PATH environment variable.
*https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx
45. DLL Hijacking
1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory. (Exploitable)
6. The directories listed in the PATH environment variable. (Exploitable)
*https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx
46. DLL Hijacking
• Privileged app loads missing DLL + controllable search path element = pwned
• Use Sysinternals Procmon
• Include “.dll”
• Include “NAME NOT FOUND”
• Include folder in path
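An added audit example in Python (not code from the slides): it models the six-step search order from slides 44/45 to list the directories a standard user could write to before the loader finds a given DLL, and it parses a constructed Procmon CSV export for the NAME NOT FOUND .dll probes that the three filters on slide 46 surface. The directory names, the `svc.exe` process and the set of user-writable directories are assumed inputs an auditor would gather on the host.

```python
import csv
import io
import ntpath

# Loader search order for a DLL named without a full path, in the order the slides
# list it. Entries 1-4 are normally admin-only; 5 and 6 are the user-controllable ones.
def dll_search_order(app_dir, system_dir, sys16_dir, windows_dir, cwd, path_dirs):
    return [app_dir, system_dir, sys16_dir, windows_dir, cwd, *path_dirs]

def writable_before_found(dll, order, present, writable):
    """Directories consulted before `dll` is found that a standard user can write to.
    `present` maps directory -> DLL names actually there; `writable` is the set of
    user-writable directories (both assumed, gathered by the auditor, e.g. via icacls)."""
    exposed = []
    for d in order:
        if dll.lower() in (n.lower() for n in present.get(d, ())):
            break  # loader stops here; later directories are never consulted
        if d in writable:
            exposed.append(d)
    return exposed

# Constructed Procmon CSV export (not a real capture) using Procmon's default columns.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1","svc.exe","1234","CreateFile","C:\Program Files\Svc\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.2","svc.exe","1234","CreateFile","C:\Windows\System32\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.3","svc.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"9:01:02.4","svc.exe","1234","CreateFile","C:\Tools\ohnoes.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

def missing_dll_probes(csv_text):
    """(process, directory, dll) for every .dll CreateFile that returned NAME NOT FOUND,
    i.e. the slide's 'Include .dll' + 'Include NAME NOT FOUND' filters."""
    probes = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] == "NAME NOT FOUND" and row["Path"].lower().endswith(".dll"):
            d, name = ntpath.split(row["Path"])
            probes.append((row["Process Name"], d, name))
    return probes

def exposed_probes(csv_text, writable):
    """Probes landing in a user-writable directory: the slide's
    'privileged app loads missing DLL + controllable search path element' condition."""
    return [p for p in missing_dll_probes(csv_text) if p[1] in writable]

if __name__ == "__main__":
    user_writable = {r"C:\Tools"}  # assumed: a PATH entry with weak permissions
    for proc, d, name in exposed_probes(SAMPLE_PROCMON_CSV, user_writable):
        print(f"{proc} probes for {name} in user-writable {d}")
```

Fixing the finding means tightening the ACL on the flagged directory or having the application load the DLL by full path, as slide 43 contrasts.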